The 20-year-old student that allegedly hacked Carleton University's e-mail system refused last week to agree to penalties and, instead, quit school and now awaits his trial on computer-intrusion charges, according to a local news report.
The student -- identified as Ottawa, Ontario, resident Mansour Moufid -- faces criminal charges after he allegedly breached the security of the school's network and then sent a 16-page report detailing the security issues and potential solutions to network administrators and other students. In a letter obtained by the Ottawa Citizen, the university required last week that Moufid admit that he did not alert the school to the problems before distributing the report. Moufid told the Citizen that such an admission would be a lie.
University officials received a report on August 29 from Moufid that explained the breach and the security vulnerabilities exploited by the hacker, Carleton University officials said earlier this month in a statement.
The hacking charges are the latest incident to underscore that security researchers who poke around other people's systems to test their security -- frequently referred to as gray-hat hackers -- should be ready to face the legal consequences. In 2005, a prospective student at the University of Southern California (USC) used simple database injection techniques to retrieve the names and Social Security numbers of seven prospective students to demonstrate the flaw to the university and contacted SecurityFocus, which acted to relay information to the university. The student, Eric McCarty, was later prosecuted and plead guilty. He received six months of home detention and a felony on his record.
In the latest case, Moufid reportedly had gotten the passwords for the accounts of 32 users. The university has maintained that the breach was extremely limited.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos