Let's take a hypothetical situation. Not really hypothetical, but bear with me.
Let's say I'm exploring the school's online system, looking for something I can do. At some point, it occurs to me how cool it would be if I found a security hole and helped the adults fix it. Using a bit of ingenuity, I figure out how to get to the blank page of a course that I'm not taking (I simply look at the address bar, find where it says "courseid=[numbers]", and enter a different number). I click around and find there is indeed something I can use without logging in. Specifically, a sort of private message board (called the "blackboard"), which only I and the teacher can see. I write something to the effect of "You got hacked! Well, not really. You'll be glad to know that a) I'm not trying to do anything bad, and b) your system is good enough that I (and everyone else) actually CAN'T do anything bad."
As an aside, I'm not even accessing anyone's accounts. I don't KNOW how to hack into people's accounts. (What, use mind-reading skillz to get their password?) I'm using my own account to get to where they didn't put up any security. So, arguably, I haven't technically broken a rule. Anyway, back to the story.
I then discover that leaving that post adds myself as a guest to that course. Not, you understand, to the actual class; just on the list shown on my student page. I try this a few more times, confirming this. Then I tell a few friends about it. They advise me to stop doing the above, because schools don't take kindly to hacking, even when it's harmless and/or done to help them. I use Google to find several instances of something like this happening: a kid finds a security hole, does a bit of tinkering to be sure about the details, tells the school, and gets suspended or something. Therefore, I conclude, I shouldn't even tell them about this little "hack" (if it can be called that, which I doubt), and I delete the message I wrote. However, I can't get the course off my course list. Since this "damage" has already been done - I can't fix that part of what I did - I decide it won't make a difference if I continue doing more of the same (in retrospect, that was probably a misjudgment).
Eventually, the school finds out. I'm called in to the principal's office, along with the webmaster. I immediately tell them everything I've done and why, and actually a bit more: where the hole hasn't been completely filled up. See, they've blocked my account from getting to those courses, but anyone else could still get there (in fact, I myself could log in as a guest and do that). So I help them fix that little bit as well.
So, here's the effect of my actions: My student page looks weird, because I suddenly have a bunch of extra courses; the administrators got temporarily freaked out, afraid I had actually gotten into their system (which, of course, I hadn't, couldn't, and wouldn't anyway); and their system, with a bit of help from me, has been improved.
Now, you decide: What punishment, if any, do you think I should get? I vote for the punishment "Getting a ten-minute lecture on why I shouldn't mess with stuff."
By the way, if you think I should be banned from the computers for a time, you should factor this into your decision: Both of my electives are computer classes. If, say, I get banned for a month, then I'll have to either make up a month's work at home (a total of 32 hours of class time), or change classes halfway through the semester.
Post your opinion in the comments page, if possible. Then examine part II, in which I tell you what they decided to do.
Tuesday, September 26, 2006
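The gap described in the post, as an added example that is not part of the original post or the school's code: a per-account block still trusts `courseid` from every other caller, while a roster check on each request does not, and the same roster can be used to audit request logs. All names, course numbers and log lines are constructed for illustration.

```python
import re

# Constructed sample data; every name below is hypothetical.
ROSTER = {101: {"alice", "ms_smith"}, 202: {"bob", "mr_jones"}}
BLOCKED = {("alice", 202)}   # the per-account block the post describes
COURSE_LIST = {}             # user -> courses shown on that user's page


class Forbidden(Exception):
    pass


def post_blocklist(user, course_id):
    """Partial fix: one account is denied, every other caller is trusted."""
    if (user, course_id) in BLOCKED:
        raise Forbidden(user)
    # Side effect from the post: posting adds the course to the poster's list.
    COURSE_LIST.setdefault(user, set()).add(course_id)
    return True


def post_checked(user, course_id):
    """Full fix: compare every request with the course roster on the server."""
    if user not in ROSTER.get(course_id, set()):
        raise Forbidden(f"{user} is not on the roster of course {course_id}")
    return True


def allowed(handler, user, course_id):
    try:
        return handler(user, course_id)
    except Forbidden:
        return False


LINE = re.compile(r"user=(\S+) \S+ \S+[?&]courseid=(\d+)")

def off_roster_requests(log_lines):
    """Audit: list (user, course) pairs requested by accounts not on the roster."""
    hits = []
    for line in log_lines:
        m = LINE.search(line)
        if m and m.group(1) not in ROSTER.get(int(m.group(2)), set()):
            hits.append((m.group(1), int(m.group(2))))
    return hits


SAMPLE_LOG = [  # constructed log lines
    "user=alice GET /course?courseid=101",
    "user=alice GET /course?courseid=202",
    "user=guest POST /blackboard?courseid=202",
]
```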
8 comments:
I vote for a commendation for helping them fix a security hole.
Get a 5-minute lecture on why you did the right thing, and next time don't be scared to show bugs to the webmaster.
I think that it is possible to fix the security hole, as those "guest courses" were blocked from him.
And it isn't even a security hole.
Uh, they DID fix it. Due in part to my helpful advice. Sorry if that wasn't clear. (Not sorry if you just weren't paying attention. :-)
A two-week ban from computers at school and a lecture ought to do it, I think. They don't need to fix any security hole (there is none, like deranged_physicist said) because you're not supposed to BE there in the first place. You're not supposed to even be trying to find ways to GET there. It's not the thing you did that's bad; it's the fact that you're not supposed to even attempt those things. That trust comes along with your InClass account, methinks.
So, no commendation. Just a two-week ban, and a lecture.
security hole? what hole? all the holes i see are the holes in swiss cheese that they were spouting.
I think that a month will do. That's usually the average punishment. But really, your school must be really f***ed up.
Well,
I'm posting again.
They thought 1337 was hacker's code?
HAHAHAAAAA! HAHAAAAAAAAAAAA!
Oh, I'm sorry. I just think I appreciate the funniness of that now.
HAAAAAAAAAAAAAAAAAHAHAHA!!! lol
h4xx0r1n9 is "hacker's code"?
hahahahAHAHAHAH@H@HA@H@HAH@H!!!!
That's so funny. I'm sorry, but it really is.