Carleton University ‘Cypherpunk Posse’ report
p2pnet news view Freedom | Security | P2P:- Authorities at a Canadian university decided to take matters into their own hands against an undergraduate because they were concerned the police wouldn’t, a p2pnet reader says in an email.
However, their fears were unjustified and the undergraduate, Mansour Moufid, studying mathematics and statistics at the University, based in Ottawa, Ontario, now faces up to 10 years in jail for his 16-page report on what he says is the the poor state of information security at the school.
He gives chapter-and-verse of what he says could result in large-scale identity theft, in the process including the full names, usernames and passwords of 32 other students chosen, he states, at random as examples of the way in which he was able to compromise their Connect accounts.
“We received an email saying the University is going to take action against him because they are unsure if the police would,” said the p2pnet reader.
Writing as Kasper Holberg, Moufid has been charged under the Criminal Code with mischief to data and unauthorized use of a computer.
Both charges carry jail sentences of up to 10 years and Moufid will also have to answer to a university disciplinary hearing.
“Sure, it sounds like the student had academic intend and this shouldn’t call for a criminal record,” says Tony in a Reader’s Write, “but all of this could have been demonstrated in a more responsible manner.”
But, “Sounds more like he was doing them a favour by exposing their lack of network security!”says another comment post, going on, “This is a problem on campuses across the country… most people are far too careless with their personal information.
“Wouldn’t be surprised if a major bank comes calling Moufid in the not too distant future. Lucrative business, stopping this sort of thing.
“10 years in prison and he didn’t (allegedly anyway) use any of the information for profit. Laughable.”
Says Moufid/Holmberg in Appeal for a Carleton Cypherpunk Posse, published by Wikileaks, the author, “hereby wishes to elicit a response from the reader and the community leading to greater awareness of the issues of privacy and security (or lack thereof) affecting students.
“Some technical and non-technical information relating to the Carleton University Campus Card and Connect e-mail system and their relevance is first provided, followed by a brief explanation of the attack used to obtain private identity information, and finally some example results are presented followed by a brief conclusion.”
Under Proposed Remediation, “The author simply recommends the discontinuation of use of the Campus Card in its present form, says Moufid, summarising, “the current Carleton University information systems infrastructure provides inadequate safeguards against information leakage, potentially leading to identity or financial fraud.
“It has been proven that identity theft and fraud on a large scale are possible, and it is likely that this is merely the tip of the iceberg.”
p2pnet – Carleton U hacker faces 10 years, September 13, 2008
Use free p2pnet newsfeeds for your site. It’s really easy!Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.
September 15th, 2008 at 8:22 am
His counter parts in the state got an A+ from their math teacher for discovering the transit system hack the same as this.
This guy exposed an even greater risk to students and Carleton U wants him in jail
Carleton U should thank this guy not seek to punish him to the full extent of the law.
Carleton U and the students owe this guy and they should also petition Carleton U to drop this case.
Funny how carleton U censored this report that proves how each student is a potential target for fraud.
September 15th, 2008 at 7:26 pm
As a Carleton U graduate I am appalled at the reaction of the University to this security ‘revelation’. The CTO of the University is the one who should be on the carpet. This fellow revealed, in detail, how he was able to break their security using already published information (sic tranist system hack)… Carleton should be ashamed of itself for this knee jerk reaction. They should replace the CTO with this guy – at least he understands the security that is implemented (or not) at Carleton U.
September 20th, 2008 at 10:42 am
“His counter parts in the state got an A+ from their math teacher for discovering the transit system hack the same as this.
This guy exposed an even greater risk to students and Carleton U wants him in jail
Carleton U should thank this guy not seek to punish him to the full extent of the law.”
Here in Canada we have different mentality and different culture,in the States they encourage people to contribute,search and discover,here our history is different,our mentality is different.
September 29th, 2008 at 4:09 pm
“Moufid escapes jail …”
Not necessarily. Remember, Moufid still has to deal with the criminal charges.
They wanted him to pay them for their weak security, all the while trying to send him to jail. What a joke!