lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 10:16:29 -0500
From: Benjamin Kreuter <>
Subject: Re: Student expelled from Montreal college after
 finding vulnerability that compromised security of 250, 000

Hash: SHA512

On Tue, 22 Jan 2013 08:32:11 +0000
Benji <> wrote:

> Someone please explain to me why he had to run a vulnerability
> scanner to check one vulnerability, and again, how are we still
> arguing about this? Whether you think he had a 'right' to test this
> or not, he was either too dumb or too naive to know it was against
> the law.

I do not think the issue is whether or not he broke the law; rather,
the issue is whether or not the law serves the people's interest.  I am
not a Canadian, so maybe I do not really have a say, but given that
this kid did not cause any measurable damage, it seems hard to make the
case that he should have been punished for his actions.  Throwing a
student out of school because he used a pen-testing tool is more
damaging to the school and to society as a whole than what the student
actually did.

There is also the matter of the school itself.  They were presented
with a student who had found a vulnerability, reported it, and then
checked to see if there were still problems.  Does expulsion really
sound like a reasonable punishment to you?  Does any punishment seem in
order, given that the student made no attempt to maliciously exploit
his discoveries?  It seems to me that a much better approach would have
been to offer the student a chance to present the vulnerability in a
computer security class.  The school's mission is, theoretically, to
teach its students -- why, then, would they remove from the student
body someone who could do just that?

Sure, maybe the school has a policy of expulsion for any student who
breaks the law -- but why would the school expel a student
preemptively, before he was even found guilty by a court (or even
charged with a crime)?  If he had been arrested, it would have made
sense for the school to put him on academic suspension until the
conclusion of his criminal case, at which point a guilty verdict might
mean expulsion.

- -- Ben

- -- 
Benjamin R Kreuter
UVA Computer Science

- --

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
Version: GnuPG v2.0.14 (GNU/Linux)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists