Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

Either way, you still need to have either a cookie or a hidden form [...]

This article may be of interest:

Update: Canadian student expelled for playing security “white hat” | Ars Technica

Basically, a Montreal student, developing mobile software to interface
with the school's system, found a bug. Reported it. And when he tested to see
if the bug had been fixed, got caught and was expelled.

In the context of this thread, they found a vulnerability in the web
site's architecture that allowed them to access any student's records.

This is the perfect type of incident you can bring to your boss to
justify proper architecture/security for your web site. "How would you
react if it was your company's name in the headline?"

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site. There are
so many site vulnerabilities these days that they're not news. What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

See Also: First State Superannuation.

- Matt

Report - yes. What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not. Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.



(Mind the English, like my French, it's awful)

Going from, what seems to be, a non-service-impacting XSS scan to
expulsion is a bit of a trek. I'm sure there is a big chunk of story
missing. Besides, a 20yo is rarely aware of the proper etiquette when it
comes to scanning websites and the worst he should have got is a sit
down with security experts to explain to him how to go about it in the

Hopefully, stories like this will provide more incentive to 3rd
party software providers to add this type of scan to their Q&A. And
train their developers in the art of internet security when it comes
to XSS/SQL Injection (see OWASP/etc).

PS: Being in Montreal, too bad someone already offered him a job :(
I may have some part-time work for a bright kid soon.

The interesting part is where the same people who were totally unaware
that they had a major security hole until it was pointed out to them
were also able to issue a very fast blanket denial that any student's
information was in fact compromised. Sure, you can check your logs for
the footprint of the attack - but apparently this wasn't actually being
done before the student mentioned it to them.

What the article may not tell us is what the applicable College's
technology policies would be, or what sort of contacts between
student and university staff were taking place.
I see this more as a press relations failure on the College's part,
as they failed to have a plausible explanation for their choice
published, instead deciding to cite student privacy concerns.

Apparently, they bother to have students agree to certain professional
codes, but also fail to require that students agree that if they reveal
disciplinary action against them to the media, they waive their privacy
rights over the matter.

It's possible there was a warning received, the first time, that the
student chose to ignore.
Or the first event was allowed to slide only because of the
circumstances: or enforcement of policy was ignored because a 1st
offense is excused. But after a very blatant 2nd occurrence, or
1st offense actually formally reported to the school, it was just too

Or the student did not engage properly, or with proper attitude.
For example, by failing to mention/discuss any offer or intent to
re-test or rescan or help verify the vulnerability was indeed closed.

Such institutions often have bureaucratic rules, and internal
politics/requirements to be seen enforcing their rules: and enforcing
their rules equally (not necessarily fairly, or with any reasonable
sort of logic).

I believe the same to be true of governments and other large
organizations -- intent doesn't always matter, when allowed
behaviors are dictated by written rules. The actor may intend to do
good, and have in fact done 200x as much good as harm in action,
but the rules are clear, and demand action.

Violations of security policies often specify expulsion specifically,
and the choice of rigid enforcement might be part of their defined
security plan.

The college could very well have a rule to cite that was reported
to them as broken, and therefore their hands were tied, as soon as
the 14 profs agreed that yes, this was a breach, and yes,
expulsion was required by the policy in that case.

Report - yes. What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself

Yeah... about that. So he didn't just "test" if the vulnerability
previously found still existed; the article suggests he ran an
in-depth scanning suite against the site a 2nd time. This certainly
differentiates the behavior, from the normal malware probing activity
-- because it's a return attacker; which may result in escalation of
a previously recorded security incident.

Discovering a vulnerability by chance, when interfacing with a
website, and reporting it are one thing. Deliberately running
invasive high-impact scanning tools (tools that contain warnings
against use on production sites), spidering an entire site, with
numerous very obvious attack attempts, potentially generating
significant load and setting off many security monitoring alarms --
attempting to exploit a previously found, or find new,
vulnerabilities on someone else's server on someone else's network,
without permission from the network/server operator, is for sure not
a White Hat move.

It may be a Gray Hat move; however, as far as a security incident
response team would be concerned -- the assumption has to be that any
unauthorized, obvious, protracted intrusion attempt is malicious;
therefore, recovery and recourse processes should be initiated upon
detection. The student's word that he wouldn't steal
anything isn't very credible after launching two attack attempts.

Indeed... the school's description of a violation of professional
standards would be accurate. A professional security auditor or white
hat would generally not be running high-volume invasive exploit
attempts against foreign networks without securing permission.

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.

It didn't say under what circumstances they make that decision though.

It may be standard procedure, that it's a thing done in private, and
the de facto rule is one person makes a recommendation, and everyone
almost always

Or "default is Yes", unless someone can raise a specific objection.
So there's a lot of things that could mean <g>

This kid is not a hacker. Changing a URL to point to
profile.php?id=45 instead of profile.php?id=44 doesn't require anything
special. Downloading a tool only requires knowing how to click
"download". This is basic-level computer usage. Kids these days
host modded Minecraft servers at 11 years old.

The claim that he got expelled because he ran a tool that could
have, maybe, made the website slower (for the duration of the scan) is
weak. A more realistic reason is moral panic // he is making us look
bad. Making stupid people look stupid should not be a crime.
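Two posts above touch on the defender's side of this: one notes that the school could have "checked the logs for the footprint of the attack" but apparently wasn't, and the last one describes the hole as walking profile.php?id=44 to id=45. As an added example (not code from anyone in this thread), the check below parses constructed access-log lines and flags any client that walks through consecutive profile ids; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache "common" format); not from any real site.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2013:10:00:01 -0500] "GET /profile.php?id=44 HTTP/1.1" 200 2311
10.0.0.5 - - [20/Jan/2013:10:00:03 -0500] "GET /profile.php?id=45 HTTP/1.1" 200 2298
10.0.0.5 - - [20/Jan/2013:10:00:04 -0500] "GET /profile.php?id=46 HTTP/1.1" 200 2305
10.0.0.5 - - [20/Jan/2013:10:00:05 -0500] "GET /profile.php?id=47 HTTP/1.1" 200 2290
10.0.0.5 - - [20/Jan/2013:10:00:06 -0500] "GET /profile.php?id=48 HTTP/1.1" 200 2300
10.0.0.9 - - [20/Jan/2013:10:01:00 -0500] "GET /profile.php?id=44 HTTP/1.1" 200 2311
10.0.0.9 - - [20/Jan/2013:10:02:00 -0500] "GET /index.php HTTP/1.1" 200 812
10.0.0.7 - - [20/Jan/2013:10:03:00 -0500] "GET /profile.php?id=44 HTTP/1.1" 200 2311
10.0.0.7 - - [20/Jan/2013:10:03:01 -0500] "GET /profile.php?id=45 HTTP/1.1" 200 2298
"""

# Client address and the numeric id of a profile.php request; other requests are ignored.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /profile\.php\?id=(\d+) ')


def profile_ids_by_client(log_text):
    """Map each client address to the profile ids it requested, in request order."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids[m.group(1)].append(int(m.group(2)))
    return ids


def find_enumeration(log_text, min_run=4):
    """Return (client, first_id, last_id) for every client that requested at least
    `min_run` consecutive profile ids back to back; one-off visits are not reported."""
    findings = []
    for client, seq in profile_ids_by_client(log_text).items():
        start = 0
        for i in range(1, len(seq) + 1):
            # A run ends at the end of the sequence or where the id stops incrementing by one.
            if i == len(seq) or seq[i] != seq[i - 1] + 1:
                if i - start >= min_run:
                    findings.append((client, seq[start], seq[i - 1]))
                start = i
    return findings


if __name__ == "__main__":
    for client, first, last in find_enumeration(SAMPLE_LOG):
        print(f"{client} walked profile ids {first}..{last}")
```

A hit here only shows that someone tried; the fix the thread is arguing for is an authorization check in profile.php itself, so that id=45 returns nothing for a user who is not allowed to see it.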