Carleton University has been in the news lately for being the victim of a hacking attack. Erm, more accurately, Carleton has been in the news for having a student, Mansour Moufid, identify a serious security flaw in the Carleton Campus Card, which gave him access to the email passwords of 32 of his fellow students. Moufid then wrote a report on how he was able to breach the school’s security and snail-mailed it to the school’s security department, who ignored him (says Moufid).
Ten days after mailing the physical copy of the report to Carleton, Moufid emailed the 32 students whose accounts had been completely compromised and informed them that the school had been made aware of the attack and had decided to ignore it. One of the students happened to be an intern at a CBC newsroom, and her supervisor found the story interesting; it grew from there. Carleton said that it only received the package the same day that Moufid emailed the 32 students, leaving it with no time to do anything at all.
Moufid’s attack came from recognizing a substantial logical flaw in Carleton’s user authentication system: once someone has access to a compromised email account, they have direct access to just about everything else, because the email account is the root of trust for password recovery and single sign-on. After seeing this design flaw, Moufid worked backwards, using what he knew about the Carleton systems, to figure out his point of attack, which turned out to relate to the Campus ID cards.
Once word was out that Carleton was looking for the hacker, Moufid promptly turned himself in. Carleton did not elect to expel him, but instead made it a condition of his continued presence at school that he retract his claim of having alerted the school to the security issue, among several other punishments.
While my heart goes out to Moufid, I think he could have handled the situation in a much more delicate manner. Universities are built on reputation, and they don’t respond well to students making direct, public attacks on that reputation.
Since I’m still a student, this story hits home for me. Not because I intend to break into my school’s security system, but because someone else may already have, and my school could be sweeping it under the carpet. As the two links to WikiLeaks above point out, once the information is out there, it’s out there, and there won’t be a broom large enough to clean up the mess so that no one finds out.
As for how a university expects to have a population comprised almost entirely of the leaders of tomorrow and still repress information that this population has access to, I’m not sure; I don’t see it happening. By ignoring Moufid and then trying to discredit him (assuming that Moufid had given them plenty of notice), Carleton has set a precedent that will deter future students from bringing forward security issues: it paints their options as either allowing the insecurities to remain (by being ignored when they are highlighted) or receiving harsh penalties for trying to bring those security flaws to light.
I don’t mean to be hard on Carleton; it just happens to be the school where this incident occurred, and it could just as easily have been anywhere else. Universities need to make sure that they’re properly prepared for, or at least open to the idea of, uncomfortable situations such as these, when the powers that be aren’t the ones with all of the answers.
Members of the net generation will scrutinize everything to make sure that it meets their standards, especially the security systems that their universities provide. When you’ve got the architects of the security systems of tomorrow on hand, and they’re happy to find the holes in your current security system for you, it seems only prudent to seriously entertain their suggestions.