
Computer Genius: Looking for a new school


 

Carleton’s overreaction to a student pointing out their computer security flaws has resulted in the student withdrawing from the university.

Never mind the fact the university is using an anvil to swat a fly; they are losing the opportunity to engage a brilliant student in a positive manner.

Clearly, this student is extremely talented in Computer Science. Yes, he did violate the student code of conduct.

That said, I very much doubt the university would be punishing him so severely if it were not for the embarrassment they suffered when he finally made the institution’s flaws public.

If I were the head of a major computer science program, I’d be actively recruiting this student.


 

  1. Not necessarily. If a student’s behaviour was sufficiently unethical, no school should want him or her, regardless of the potential genius. The same is true in Computer Science as it is in Medicine – should a school recruit a brilliant doctor known to conduct experiments on live patients without their consent? Of course not.

    I make no judgment on whether this student’s behaviour was ethical or not – there are simply not enough details available. I do know that he captured people’s passwords without their consent, and that he alerted the public before alerting the school, both of which are no-nos in the world of security disclosure.

    I also make no judgment on his genius, but I will say that it does not require a genius to discover most security vulnerabilities. Academic institutions are notorious for patchwork security, and, again, though I know few details, the vulnerability in question seems quite simplistic – not exactly genius-calibre.

    Where I do heartily agree with what you’ve said is on how the University has overreacted to the disclosure of security vulnerabilities. I do wonder if it’s only so bad because a handful of semi-important people’s pride has been hurt by the student’s pointing out the flaws in their work. Lazy and unqualified sysadmins and older administrators still superstitious about what these magical computers can do.

    At my own school, the University of Manitoba, I know of several security vulnerabilities, of which I am not the only person aware, that remain undisclosed because most of us simply can’t be bothered to run the gauntlet and risk expulsion, overreactions, and the time it takes to sort such nonsense out.

  2. Joey, look up the Slashdot article on this subject; the comment thread was actually interesting to read. Less than half the commenters there support this kid getting off easily. He broke campus policies twice, and possibly made the entire network less secure. That his (second set of) actions were allegedly benevolent does not matter. Want to improve campus network security? Go to ITS and explain what you see is wrong; a good system administrator will get your assistance to figure out how to fix it. You can’t break and enter and then claim you were just showing them the flaws in the security system. Or that it’s okay because you didn’t steal anything after looking around. Maybe he’ll get an opportunity at another school, or he might join the ranks of hugely rich people that dropped out of school. But he got caught hacking into a network he shouldn’t have been, and there’s no acceptable reason to do that. That said, a possible ten years in prison? That I disagree entirely with.

    P.S. I wouldn’t recruit him; he’s broken the rules twice and has shown no interest in wanting to help the admin fix the problem, just to expose them. That’s not a good attitude, that’s a problem.

  3. I’m not sure I agree with you, Mikael. Scanning the /. thread (http://news.slashdot.org/article.pl?sid=08/09/13/0236248), I don’t come to the same conclusion about the consensus. And aside from that being a textbook ad populum fallacy, ‘the majority of slashdot comments’ is kind of like ‘Oprah’s Book Club’ – not exactly a glowing endorsement :).

    In my humble experience, approaching a sysadmin with information on a security vulnerability is either a quick way to get ignored, or will land you in the exact same pot as having acted on that vulnerability with a proof of exploit.

  4. I strongly feel that if this individual’s talents are directed in a positive manner, he can be an asset to any organization.

    There was an opportunity here to teach the student a valuable lesson and direct his energy into improving the network at Carleton.

    Yes, he broke network policies numerous times, but the response is disproportionate to the crime.