A third-year math student at Carleton University has been charged with mischief to data and unauthorized use of a computer, and could face up to 10 years in prison after exposing security flaws in the university’s computer system.
Mansour Moufid, 20, used a key-logging program to breach the school’s card-reading software and exposed the confidential information of 32 students. His case is renewing the debate over whether hacking can ever be ethical.
Moufid claims that he wrote the software to reveal flaws in Carleton’s card-reader software, and sent a 16-page report to the University Secretary’s Office explaining his actions. With the students’ usernames and passwords, he had access to students’ e-mail, library records and card balances. Moufid made mistakes when covering his tracks, however, and his identity was exposed and given to the police.
Moufid’s report, available online, explains that “the author hereby wishes to elicit a response from the reader and the community leading to greater awareness of the issues of privacy and security (or lack thereof) affecting students.” Moufid goes on to say that the Campus Card, like U of T’s T-Card, does not store passwords, and is a “weak link” when combined with rudimentary key-logging hacks. He claims that in its current form the card could be exploited for financial fraud “on a large scale, and it is likely that this is merely the tip of the iceberg.”
It is not known whether Moufid will remain a student at the university, but spokesperson Steve Blais said the matter was taken to police before the student was identified. “The [administration was] deeply concerned about the nature of the breach, and the university believed that it was a criminal act, so we called the police because it was appropriate.”
Bruce Lee-Shanok, a law student at Dalhousie and a Waterloo graduate in computer science, has started a Facebook group called “Leave Mansour Moufid Alone.”
“Ultimately,” he said, “what Mansour did was a public service. Imagine the harm that someone with his knowledge could have done. Thanks to him, Carleton is aware that a problem exists. The fact that he’s being treated like a criminal should be making people angry.”
Carleton’s Campus Card is similar to U of T’s T-Card. A magnetic stripe on the back contains a student’s username, linking it to the university database, and on the front is a bar code with library information. The main difference, according to Adam Wunker, a help desk advisor at the Robarts Information Commons, is that U of T stores student data differently. Access to one account, such as UTORid, does not lead to ROSI access. U of T students also use their T-Cards for fewer things, whereas Carleton gives discounts to students who use their card to purchase goods on campus, including textbooks.
“Keylogging is the biggest vulnerability,” said Wunker, but there are very few ways to install such software on U of T’s computers. “There have only been a couple cases of circumvention in the last few years,” he said, and those didn’t endanger the information of multiple students.
Moufid’s case is spurring intense debate on tech websites.
“The university should spend money hiring admins with better computer and teaching skills rather than paying lawyers,” wrote Aqui, one user on the popular site Slashdot.
Others disagreed. “If you steal something and decide to bring it back, it doesn’t mean you didn’t steal it,” said a representative for the High Tech Crime Unit at the Ottawa Police Department. “This was a serious breach of [the students’] data. If we don’t prosecute these things, it leaves the door open for other people to do the same thing.”
Moufid will appear at an Ottawa court on October 15.