Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Student suspended for bypassing network security

According to this article from Network World, a student at the University of Portland was suspended after having discovered a weakness and exploited it to bypass Cisco’s NAC software agent to get onto the university’s network. The suspension seems to be a harsh punishment and the popular defense seems to be that the act was not malicious and no one got hurt. I run a university network too, so let me shed a different light on this matter.

Ok, I’m not here to say whether or not the suspension was justifiable. He violated policies (I presume UP did not stretch the limits of their policies), so let’s not try to glorify his actions or make them justifiable.

The matter is not about whether malicious intent was there, or whether anyone got hurt. When you beat a traffic light, you don’t expect to present a case that no malice was intended or that no one got hurt.

You can do many things with computers and you can do many things with the Internet. Not everything is desirable. Hence you establish rules and regulations, policies, etc. For example, piracy is disallowed. But not everything is easily enforceable. Sometimes we develop new technologies to help enforce policies, but when the technology breaks, it doesn’t mean the policy has been set aside.

The UP student was said to have wanted to report the vulnerability to Cisco. Ok, but if he had continued to exploit that vulnerability for 7 months and even passed it on to others to use, I’d say that defense isn’t going to hold any water.

Perhaps the trouble with many Acceptable Use Policies is that users don’t regard them seriously. Already many users don’t take piracy seriously (at least in my part of the world), let alone network-specific policies — things like not faking MAC addresses, not hijacking IP addresses, submitting to vulnerability assessments, etc. Many of these policies have come about to address legitimate problems so that the overall community can enjoy a safe and reliable computing environment. But some users see them as inconvenient stumbling blocks and try to find ways around them.

The UP student’s suspension is unfortunate. I wonder if this is a common penalty for similar violations at UP.
