Re: Student arrested for allegedly hacking university computers to derail election

[InfoSec News <isn () c4i org>]

Forwarded from: Dragos Ruiu <dr () kyx net>

I find this troubling.

There is no reason I can see that this should have come in to the
criminal justice system. (drug possession issues aside)

I have seen much more potentially harmful and dangerous school pranks
go virtually ignored during my University career, but since this
involved a computer it seems to have evoked an over-reaction that is
disturbing. There is no reason this prank should not have been dealt
with in the confines of the school's disciplinary system. Surely
negating his university career and chances at a degree is harsh enough
punishment for what was ostensibly a prank (albeit a stupid one) - and
a relatively victimless one at that.

The real fiscal and monetary damages for disturbing a small *student*
election would be trivial at best. At my university with 30k
undergraduate students the budget for student elections was under
$5,000. An 800 vote election cannot be very expensive even in the most
inflated estimates.  There was no fiscal theft, property damage, nor
dangerous liability that could have brought physical injury to anyone,
unlike some cases of computer meddling, which would seem to require
intervention by the criminal law enforcement system.

It used to be that over-reaction in crime and mischief cases involving
computers and networks were justified by the lack of case-law and the
need to set an example - but I would argue that time has passed. If
this poor misguided student would have merely exploited a flaw in
procedure and had physically stuffed the ballot boxes with 800 slips
of paper bearing "American Ninja" would he also be facing three years
in jail?

Put him up before his school's disciplinary comittee, fine. But to
push this into criminal law, and to make a hardened criminal of him,
seems, well, criminal.

I postulate the problem we are currently seeing is poor
differentiation between real crime and harm done to people via
computers (theft, risking physical harm or injury to people) versus
childish pranks and stupid meddling. This seems partially motivated by
the the much over-hyped and over-inflated damages estimates some
people have been putting on computer errors as a way to cover up for
other, real, negligence in planning.

It appears that we are heading towards classifying wrongdoing
involving computers as more serious than crimes involving lethal
weapons (which arguably computers can sometimes be).  But I fear we
are somehow being blinded by damages overestimation and driven by fear
and confusion surrounding this relatively new technology.  Let's
maintain some common sense here - it is after all one of the most
important tenets of the judicial system.

Law enforcement has a hard enough job and has a large enough work load
as it is without troubling them with trivial mischief cases like this.
I sincerely hope a larger sense of perspective and justice will
prevail in this case and lament that I am reading about a stupid
school prank in national media merely because it involves a computer.

--dr

On June 23, 2003 12:58 am, InfoSec News wrote:
> http://cbs11tv.com/national/HackerArrested-aa/resources_news_html
>
> Saturday June 21, 2003
>
> RIVERSIDE, Calif. (AP) A 21-year-old student was arrested for
> allegedly hacking into a university computer system during student
> elections to cast hundreds of votes for a made-up candidate he named
> American Ninja.
>
> Shawn Nematbakhsh, a computer science major at the University of
> California, Riverside, was arrested Friday for investigation of drug
> possession and altering computer data without permission.
>
> If convicted, he could face up to three years in prison and a
> $10,000 fine. He was being held Saturday on $10,000 bail.
> Arraignment was set for Tuesday.
>
> School officials said Nematbakhsh cast the 800 votes in April,
> forcing the university to scrap the election results and hold a new
> student government election the following month.
>
> Nematbakhsh told police he did it to show the university network was
> vulnerable, said university spokesman Ricardo Duran.
>
> ``I think he made his point, but you might say he went about it in
> the wrong way,'' Duran said. ``An e-mail to the webmaster might have
> sufficed.''
>
> Nematbakhsh, who was expected to graduate this year, will be
> required to appear before a university judicial review board which
> could expel him, suspend him, require restitution or require him to
> repeat an academic quarter.



-- 
pgpkey http://dragos.com/ kyxpgp



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.