• Student expelled from College for running a vulnerability scanner following his discovery of a secur
93 replies, posted
The exact same thing would happen in an office environment as well; you can't just start looking for network vulnerabilities because you feel like it. If you did this at work and you weren't a system administrator, you'd be shown the door pretty damn quick. I know it sounds like I'm siding with the bad guys here, but by doing the scanning, especially without written permission and supervision by a system administrator, he violated the terms he signed when joining the College. As a system admin myself I understand their point of view. Yes, he was trying to do good, but you can't have anyone running vulnerability software on the network whenever they please. The administrators don't know what kind of software he's using and they don't know if it is an actual attack on the system. If you're going to run software like that, you can't start running it on live mission-critical databases and systems; a test environment would be set up using a similar configuration instead to prevent potential downtime. That being said, I don't know exactly what the school's policies are and I don't know what kind of discussion happened with those fifteen professors, and if I was one of those fifteen that were asked to decide on this young man's fate I don't know what my decision would be. What I do know is this guy was playing with fire and ended up getting burned. Being as smart as the article made him out to be, he should've known what he was getting himself into.
I found lots of vulnerabilities in my high school system and reported them; when I finished my exams in the last year, they gave me a job.
I found ways to access all students' and teachers' personal files from when I was 12 to 14 in my secondary school, and had the school patch up the holes instead of doing harm. Then one gaping hole went unpatched and someone else found their way in and deleted someone's files, and I was suspended for a week and when I came back I was banned from the school's network for 6 months. I wouldn't be surprised if another school would punish a student who proves their staff are incompetent like mine did.
[QUOTE=Jamsponge;39299448]That's absolutely fucking atrocious. This kid's obviously pretty tech-savvy, and just because some fucking CEO threw a bitch-fit he's been failed in everything? How is this even legal? [B]Edit:[/B] Nope, still can't believe this. How can a corporation have the power to ruin somebody's life? This kid was doing them a fucking favour, and they reward him by ensuring he will never ever get a job?[/QUOTE] This is actually somewhat usual. People who find security flaws, usually in the process of learn-by-doing hacking, get reported to the police instead of thanked for reporting the flaw. Sometimes people also handle this well; I know a friend who just got thanked.
It's not like most likely you have signed to not do things like this and what will happen if you do before being allowed to touch a school computer these days.
Signed the petition, all of you should too.
I really hope since his story is out more colleges will be inclined to accept him.
You're doing something wrong if Metasploit crashes your server.
[QUOTE=-Flapadar;39301962]You're doing something wrong if Metasploit crashes your server.[/QUOTE] I guess it's easier to set your legal team on people than it is to fix things.
My community college would praise someone for doing this. What on earth is the dean thinking there? Expelled for doing what he's aiming for in a major?
The thing is, Acunetix is not intended to be used on live websites, as it uses actual XSS & MySQL injections in order to check for vulnerabilities, by the fire (AKA if your website has a MySQL vulnerability, Acunetix will use it and clear the database, insert info or w/e). Without knowing if they had a database backup, he ran the software which could have essentially cleared their entire database or any other number of things (I assume this probably did happen if the vulnerability wasn't in fact patched up). To use Acunetix, you're supposed to have a locally hosted version to test with, with dummy info.
[QUOTE=SCopE5000;39302273]The thing is, Acunetix is not intended to be used on live websites, as it uses actual XSS & MySQL injections in order to check for vulnerabilities, by the fire (AKA if your website has a MySQL vulnerability, Acunetix will use it and clear the database, insert info or w/e). Without knowing if they had a database backup, he ran the software which could have essentially cleared their entire database or any other number of things (I assume this probably did happen if the vulnerability wasn't in fact patched up). To use Acunetix, you're supposed to have a locally hosted version to test with, with dummy info.[/QUOTE] This. It's not just a probe to see if the vulnerability is there; it's a simulated attack that he decided to conduct without permission. When your target is a major corporation, that's a serious issue and a major breach of both ethics and the law. Also, the fact that 14 out of 15 professors in the department voted to expel him makes me think there's something more going on. For all we know he may have had a previous history.
[QUOTE] "I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong." [/QUOTE] Now you fucked up. Whitehat or not, the law's still gonna shaft you.
[QUOTE=SCopE5000;39302273]The thing is, Acunetix is not intended to be used on live websites, as it uses actual XSS & MySQL injections in order to check for vulnerabilities, by the fire (AKA if your website has a MySQL vulnerability, Acunetix will use it and clear the database, insert info or w/e). Without knowing if they had a database backup, he ran the software which could have essentially cleared their entire database or any other number of things (I assume this probably did happen if the vulnerability wasn't in fact patched up). To use Acunetix, you're supposed to have a locally hosted version to test with, with dummy info.[/QUOTE] .. I'm fairly sure it doesn't just clear the database because it can. It's a scanner, not an actual attack tool unless he chooses to use it that way. And I'm pretty sure he didn't intend to destroy the database. This sentence alone shows how much bullshit you're tossing: [quote][B](AKA if your website has a MySQL vulnerability, Acunetix will use it and clear the database, insert info or w/e)[/B][/quote] "or w/e"
This could backfire on him big time if he had a past record.
[QUOTE=catbarf;39302355]This. It's not just a probe to see if the vulnerability is there; it's a simulated attack that he decided to conduct without permission. When your target is a major corporation, that's a serious issue and a major breach of both ethics and the law. Also, the fact that 14 out of 15 professors in the department voted to expel him makes me think there's something more going on. For all we know he may have had a previous history.[/QUOTE] I agree, but obviously the professors should firstly assume that he was only simulating the attack rather than committing a crime before they go ruining his academic career. If he has a history of that kind of thing, though, then it's definitely understandable why fourteen of the fifteen would vote against him.
I can see how unjustified it is for him to be expelled for finding the exploit and addressing it, but all credibility was thrown out the window when the kid ran an "acunetix" test against the server. Using the school api to create an app and accidentally stumbling over a serious exploit is reasonable, but why should you run a whole system check on the entire framework without permission?
I told my college there was a security flaw in some of their machines. I didn't get suspended, other than being told to check the rest of the systems. All day. Why do some college workers become assholes to the students who find this out? It's like they're hiding something.
[QUOTE=digigamer17;39302821]I didn't get suspended, other than being told to check the rest of the systems. All day. Why do some college workers become assholes to the students who find this out? It's like they're hiding something.[/QUOTE] You had permission to.
When they fuck you for being a white hat, come to the dark side.
[QUOTE=Woovie;39302968]When they fuck you for being a white hat, come to the dark side.[/QUOTE] lol, what if this was the origin story of the greatest hacker in the world: "I tried to help them, but they ruined my life."
I'm glad that this situation isn't what every school/college does when faced with this situation. I was worried when I wanted to report to my high school that all the lunch PIN numbers and names were available on a publicly accessible network drive on every school PC with Windows 7. Luckily, they just thanked me and I didn't get yelled at for discovering the drive. But you never know what people are going to do to you for trying to help.
What, this is just stupid on the college's side.
This is terrible, not because he got punished; I'd say he would deserve some punishment for not talking to the administrators or someone to tell them that he has found a security flaw, blah blah blah. As it is, I understand why they'd be wary and punish him, but not that hard. They could have ruined his life, and that's really fucked up, especially since apparently all he was doing was trying to help.
While what the student was doing was admirable, I'm having a hard time defending him. Illegally trying to break into a system, even if for noble causes, is still illegal. You just don't do things like this without first going to the school and letting them know in advance "Hey guys, can I have permission to try to break into your security?" I can't get behind this kid in the same way I can't get behind someone who breaks into a bank's vault and then says to the cops "I just wanted to make sure the bank's security was sufficient." Well, no, you still aren't allowed to break into a bank.
[QUOTE=Profanwolf;39302725].. I'm fairly sure it doesn't just clear the database because it can. It's a scanner, not an actual attack tool unless he chooses to use it that way. And I'm pretty sure he didn't intend to destroy the database. This sentence alone shows how much bullshit you're tossing "or w/e"[/QUOTE] Welp, if that were the case Acunetix themselves wouldn't have a blog post telling you to use a simulated environment, as the chances of records being deleted are 'indeed very high'. [QUOTE=Acunetix Blog]If the automated scanner is configured to access a database-driven CMS administrator interface, the chances of garbage data being injected into the database or -- even worse -- records being deleted and damaging a live web application, are indeed very high.[/QUOTE] [url]http://www.acunetix.com/blog/docs/invasive-vs-non-invasive-web-application-security-scan/[/url] So yeah, why don't you stop tossing bullshit.
Thank god at my uni all this information is made public (sans social number). They have a public database that students can access that shows students' full name, email, address, phone number, home address, parents' full names and their addresses, among other things. You have to manually opt out and they don't tell you about it at all. Great school.
[I]Ahmed Al-Khabaz[/I]
Okay yeah, he was trying to do the right thing, but you know those forms you sign to access information services at any university: "pls do no hack, crack, exploit, or otherwise undermine the security of our networks". Report the exploit, don't touch it after. If you want an update, ask IT; don't go trying to see if it still works. I'm both sorry for him and not sorry for him.
[QUOTE=LordCrypto;39305820]Okay yeah, he was trying to do the right thing, but you know those forms you sign to access information services at any university: "pls do no hack, crack, exploit, or otherwise undermine the security of our networks". Report the exploit, don't touch it after. If you want an update, ask IT; don't go trying to see if it still works. I'm both sorry for him and not sorry for him.[/QUOTE] Okay then, fine, give him a slap on the wrist so he gets the message. Not ruin his entire fucking academic career and possibly his life when it was clear he had no malicious intent.