Puzzle for January 7, 2002

A student suspects there is a vulnerability on a system in a university public access laboratory. She tests this by trying to exploit the vulnerability. She succeeds, and obtains privileges that she would not normally have. She reports both the hole and her exploiting it to the system staff, who in turn report it to the manager of the laboratory. The manager files charges of breaking into a computer system against the student. The student is promptly hauled before the Student Judicial Authority.

  1. Did the student act ethically by testing the system for the security hole before reporting it?
  2. Did the manager act ethically by filing charges against the student?
  3. The manager told the system staff not to bother fixing the hole, because the action taken by the SJA would deter any future break-ins through that hole. Was the manager's action appropriate?

ECS 153, Introduction to Computer Security
Winter Quarter 2002
Email: cs153@cs.ucdavis.edu