There is a link to the national news that describes an incident that presents some interesting conflicts: http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/
According to the article, a student was expelled after he found poorly written code while working on a project. Finding and reporting the vulnerability was not, however, the issue for which he was punished. Rather, it was his activity after reporting the incident that got him into trouble. The student wanted to validate that his report had been taken seriously and that the vulnerability had been corrected, so he ran a vulnerability scanning tool against the school's network without permission rather than checking in with those responsible for managing the network. Though he may not have had malicious intent, he crossed the line by probing a network without the permission of its owner.
What would you recommend have been done in this situation? Should the student have been expelled or would you have recommended a less aggressive punishment? Do you agree that this activity crosses the line and is worthy of punishment at all? Share your thoughts…
2 Comments
I think each case should involve a thorough investigation. If no malicious intent was involved, and he had not downloaded information from the website, then I think he should not have been expelled. He is, after all, still a student, and still learning. If the situation warrants, then some form of discipline or remediation should be used.
I agree with the actions of the university for a number of reasons. First of all, I am assuming that there are policies in place that justify their actions on the matter. If the student clearly violated university policy, and the policy clearly states the consequences of such violations, then they merely are exercising their duty to uphold the policy. Secondly, the school must consider risk in this equation. If the school pardons the student and just brushes the actions off as if nothing happened because his intentions were good, then you set up a situation where you invite the same behavior from other students. This greatly increases the risk of other students “hacking” and “penetration testing” the network and devices. Risk takes into account perceived threats, and one effective way to mitigate this is through policy. Not enacting policy removes a layer from the defense in depth strategy, and the university has to rely on strictly technical mitigation strategies to defend against the threat of internal users (“students”) because they don’t enforce their policy. The university acted accordingly with swift and decisive actions to make their stance known on this issue and other issues surrounding policy violations. The student’s intentions were aligned with “good,” but he took it too far when he decided to test the school’s network to see if the vulnerability had been patched. He has received a lesson in policy and enforcement.