Date: Thu, 24 Jan 2013 10:30:09 -0500
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Student expelled from Montreal college after
 finding vulnerability that compromised security of 250, 000

The real funny part is where 15 teachers voted .. you mean there are 15
teachers at Dawson that understand the implications of a pen test tool?
I am in Montreal and I know Dawson, they are usually much saner than that!

Let's see if they now have the guts to do a Mea Culpa and fix this
injustice.

Gary Baribault
Courriel: gary@...ibault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 01/24/2013 10:16 AM, Benjamin Kreuter wrote:
> On Tue, 22 Jan 2013 08:32:11 +0000
> Benji <me@...ji.com> wrote:
>
> > Someone please explain to me why he had to run a vulnerability
> > scanner to check one vulnerability, and again, how are we still
> > arguing about this? Whether you think he had a 'right' to test this
> > or not, he was either too dumb or too naive to know it was against
> > the law.
>
> I do not think the issue is whether or not he broke the law; rather,
> the issue is whether or not the law serves the people's interest.  I am
> not a Canadian, so maybe I do not really have a say, but given that
> this kid did not cause any measurable damage, it seems hard to make the
> case that he should have been punished for his actions.  Throwing a
> student out of school because he used a pen-testing tool is more
> damaging to the school and to society as a whole than what the student
> actually did.
>
> There is also the matter of the school itself.  They were presented
> with a student who had found a vulnerability, reported it, and then
> checked to see if there were still problems.  Does expulsion really
> sound like a reasonable punishment to you?  Does any punishment seem in
> order, given that the student made no attempt to maliciously exploit
> his discoveries?  It seems to me that a much better approach would have
> been to offer the student a chance to present the vulnerability in a
> computer security class.  The school's mission is, theoretically, to
> teach its students -- why, then, would they remove from the student
> body someone who could do just that?
>
> Sure, maybe the school has a policy of expulsion for any student who
> breaks the law -- but why would the school expel a student
> preemptively, before he was even found guilty by a court (or even
> charged with a crime)?  If he had been arrested, it would have made
> sense for the school to put him on academic suspension until the
> conclusion of his criminal case, at which point a guilty verdict might
> mean expulsion.
>
> -- Ben
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


