I found something like this at my school. The administration reacted similarly. But fortunately, I was taking djb's Unix Security Holes at the time, and a harshly-worded note from djb to the Computer Center folks ended up getting me a thank you.
Next semester, though, I refused to sign the new AUP (which included a clause allowing the computer center staff to seize any computer I was using, even at my off-campus home), and they kicked me out of school. (Actually what happened was they locked my course registration account, and wouldn't reinstate it until I signed the policy in their presence. I refused.)
(Sadly, I can't find the full-disclosure thread for this bug. I guess I posted it to my blog, which I deleted after being threatened by school administrators. Oh well. That was 9 years ago!)
These expulsion stories sound really weird. I mean you pay for all of your studies and still could get axed on a whim? Whereas in my country I get paid to study and have zero chance of being expelled for these kinds of events.
Even countries in Scandinavia will expel people who break college rules. And if you pay for and go on a train in Finland and break their rules, you can be kicked off.
It all depends on what rules there are, and how they are enforced/interpreted.
Maybe it's because all of our schools are public?
For example, higher ed providers are funded based on enrollment and rate of graduation. If someone does not graduate, a significant chunk (20-30%) of the money won't be paid at all. This creates some incentive for the institution to actually guide people and see that they don't fall through all kinds of cracks. I guess it's necessary when there is no ordinary paying-customer relationship involved.
My experience in the U.S. is that public universities aren't much different from private universities (at least the nonprofit ones) on these kinds of policies. They might be better in other respects, such as lower tuition, but they're run by similar kinds of administrators. Often literally the same administrators: there's a lot of churn as people hop between institutions.
The main problem, in my view, is the professionalization of this institution-hopping class of university administrators. It used to be made up of senior faculty who got promoted to Dean, but now it's made up of an entirely separate group of people, often people who come from business management backgrounds, and who have little grounding in a particular institution's traditions or culture. They tend to think rather differently, in a more locked-down, policy-driven way, and apply broad "best practices" without much regard for how things are done in a particular place. Universities end up getting managed like a corporation, with similar kinds of policies.
Things are a bit better at small colleges (Rose-Hulman, Olin, Harvey Mudd, Wesleyan, Pomona, Colgate, etc.), which typically have much lighter-weight administration and a more pro-student, pro-experimentation attitude, as well as more success in en-culturating their administrators so they "get" the local culture and work with it. But they don't scale very well (I say this despite having gone to one and being a big fan of the undergraduate-college model).
How do you prevent the schools from just lowering graduation requirements in order to artificially boost the percent of graduates and get a better payout?
Since they are either fully government funded or jointly funded with municipalities, there are no incentives to seek short-term profits by running diploma mills.
The Ministry of Education controls the money and conducts yearly performance target negotiations bilaterally with each higher education institution. You actually need a permit from the ministry to run any kind of school. Even our few "private" primary and secondary schools are publicly funded and regulated accordingly.
The independent expert body FINHEEC audits universities' quality management schemes regularly. Some European countries use accreditation-based evaluation (for single degree programs) instead of system-wide audits. At least one Finnish university has also acquired an ISO 9001 cert, but it was seen as more labor intensive and not providing the same benefits (benchmarking, benchlearning) as the required peer-based audits.
Well, that is a problem. But universities also don't want to be known for poor quality. And then there is pretty strong government oversight. In Sweden the National Agency for Higher Education does regular audits and has the right to remove a school's privilege to award degrees.
> Maybe it's because all of our schools are public?
There are Asian countries where this model has failed. Perhaps because of population pressure or other social factors. But I truly like the Nordic way of life.
I'm wondering these days if you can be any sort of hacker at all without finding some kind of vulnerability in your college's network.
For me, it was a way to steal the AFS space of the previous user (basically, they didn't expire the token... oops). I actually found the initial vulnerability by accident (something crashed due to network problems, reconnected and went, "WTF, those aren't my files!"), but I did find a good way to reproduce it on demand (yank Ethernet cord at proper time). Thankfully, I had read enough stories like this way back then and submitted the bug anonymously. This was ~2000 or around then, mind you.
I also tried to get university management to switch people over to using SSH way back in 1998, but it was something like 4-5 years before they eventually did so. I'm guessing they had no idea what I was talking about or why it even mattered back then, even though anyone could see everyone's passwords going over the wire with all the people who had to telnet for various reasons. Maybe they assumed that log file they were writing our activity to would catch anybody doing anything weird? It was cleverly named "resugol"--read that backwards if you're confused.
I got a B. The homework was to find and write an exploit for 10 security holes in deployed software, but I only found 2. (3 including the one above, which I must have found the week or so after exams. The holes I found were in nasm and in some amateur open-source smtpd.)
FWIW, the exams are quite thought-provoking nearly 10 years later; here's a link to them: http://cr.yp.to/2004-494.html
I remember reading the course syllabus online and being jealous despite already having worked in professional vulnerability research for a few years. You're lucky to have been at the class! Was he a good lecturer?
What did you think of the course textbook ("Exploiting Software", Hoglund & McGraw)? Is there a more modern alternative that you (or anyone) can recommend?
Reading stories/incidents like these makes me believe that education as a whole is slated for reinvention. As they say: competition doesn't kill your business; attitude kills it.
Agreed. The vendor involved with the security problem was quite pleasant to deal with, of course. It was just the bureaucrats that were worried/afraid/stupid/whatever.