gordon.dewis.ca - Random musings from Gordon


Kasper Holmberg is not a hero

September 11, 2008 @ 13:04 By: gordon Category: Current affairs

You might be asking yourself, “Who is Kasper Holmberg?” and “What did he do?”

Kasper Holmberg is the alias used by a Carleton University student who broke into a number of systems at Carleton.  He stole data from the campus identification cards of 32 students and then used this information to gain access to their email accounts and financial information.  He claims he did it to demonstrate that the cards are not secure and wrote a paper that he distributed “pretty widely” according to a university spokesman in a story on CBC’s website.  (And another story here.)

He has since been caught by campus security and is going to appear before a campus disciplinary committee who could do anything from assigning him community service to expelling him.  And the police are looking into whether criminal charges should be laid.

The student is by no means the first hacker to break into a computer system for altruistic purposes and he won’t be the last.  People have been breaking into computer systems to which they have no legitimate access to expose security holes for years.  In many cases, these individuals are glorified as “heroes” or likened to Robin Hood.  In rare instances, they have been hired by the companies whose computers they broke into as “security consultants”.  They then become role models for up and coming hackers who want their share of the fame, glory and prestige.

This is wrong.

These people are not heroes and their behaviour should be discouraged rather than encouraged.  In the case of Kasper Holmberg, the university would be well within their rights if they simply expelled him for gross violations of their network security policies.  (He used computers in one of the computer labs on campus in the course of breaking into the systems.  Such activities are almost certainly against their acceptable use policies.)  And if he ends up being charged by the police that’s unfortunate, but not unwarranted.  He should have known that what he did was wrong and that there were risks associated with it.

Now, this shouldn’t be interpreted as my saying that Carleton is without responsibility in this situation.  Clearly there are some weaknesses in the campus identification card system.  Better protection obviously needs to be in place to safeguard student information and I assume that they will be addressing this as soon as possible.  In this day and age of identity theft, any personal information can be used for malicious purposes.

This incident is probably going to haunt Kasper Holmberg for years to come.  If he is expelled, he won’t be able to finish his degree and he’ll probably find it difficult to pursue post-graduate studies if that was his intent.  He may have a difficult time travelling abroad, especially to the United States, particularly if he ends up with a criminal record.  And if he wants to work for the government, either as an employee or a contractor, he may be out of luck there because he might not be able to get a security clearance.

I hope he thinks it was worth it.

43 Responses to “Kasper Holmberg is not a hero”


  1. Ellison says:

    He has not “been caught by campus security”.
    He went by himself and explained every detail of the security flaw they have and showed them how to fix the problem.
    All the students of Carleton know this fact; he sent them a report on August 29 hoping that they would fix the problem and no student would be hurt this year like last year.
    Last year a female student was raped in a computer lab on the campus.

  2. gordon says:

    So? He installed keystroke logging software and card reader software on the machines in one of the labs and basically collected private information belonging to students. He used this information to illegally access sensitive systems and information at Carleton. The fact that he told people does not change anything — he still broke into sensitive computer systems and stole personal information from them and that is illegal. He should be convicted and punished.

    This is not to say that Carleton is without responsibility: they need to take action to secure their systems and minimize the risk of something like this happening again.

  3. williams says:

    What is missing from the story is that he sent a report to the university disclosing everything, from how he was able to hack their system easily to how to fix the problem. The university chose to ignore the report, so he sent it again (weeks later) to the students affected (he presumed that at least the university would let the students know and tell them to change their passwords). He was not caught or brought in: these are LIES. He went by himself and explained everything to them. The safety staff want him to be expelled as soon as possible from the university and they gave erroneous and misleading facts to the university decision makers in order to cover up their failure and ruin the life of the student. The truth will surface in the court of law, where judges, lawyers and security specialists will discuss the case. This is a link to what other people in the USA think about Carleton safety staff:

    http://securitywatch.eweek.com/vulnerability_research/carleton_university_home_of_the_asinine_administrators.html

    Full text of the article removed.

  4. gordon says:

    So, if I break into your house, take some pictures to prove I was there but don’t actually take anything, leave and then send you a report saying how I was able to break in that includes the pictures you’ll thank me nicely rather than call the police to say I broke into your house?

    It is immaterial whether he sent a report or not.

    The fact of the matter is that he wasn’t authorized to test the security of their systems, nor was he allowed to install software on a computer in one of the labs to capture keystrokes and information from cards swiped through a magstripe reader. I wrote about what he was charged with in a follow-on entry.

    It appears that this is not the first time he’s run afoul of the IT security people at Carleton, so you can’t convince me he didn’t know what he was doing was wrong. Being cognisant of this, he should only have proceeded if he was prepared to accept the consequences.

    As I’ve said in this entry, this does not absolve Carleton of their responsibility to run their systems in a secure manner, but that is separate from the fact that students have a responsibility to respect the policies and rules of the university, and the laws of Canada.

  5. williams says:

    "It appears that this is not the first time he’s run afoul of the IT security people at Carleton"

    This is another LIE; sorry, I did not find any other word to qualify this statement.

  6. gordon says:

    Why do you say this?

    The following is from a CBC story:

    Det. Michel Villeneuve said the accused has not been co-operating with police and could face penalties ranging from fines to 10 years in jail.

    He added that Holmberg made a number of mistakes that helped investigators. For example, his account log-in was embedded in the electronic document he sent out.

    “He’s pretty smart with respect to his programming, but in terms of his hacking abilities, I think he’s a novice in that area because he left many trails behind.”

    Villeneuve said Moufid had received a warning from the university for other computer-related incidents in the past.

    There is no reason to believe that the detective quoted in the story would lie to the press.

  7. williams says:

    This is absolutely false; he has never had any problem at the university of any kind, and the university decision makers know that it’s false.
    What I want you to understand is that without him talking to the media, they would have denied even the fact that he sent them a report. The Carleton safety staff were giving the university decision makers and the public erroneous and false statements.

  8. gordon says:

    If Carleton has, as you allege, given the police false or inaccurate information concerning Moufid’s past behaviour, that’s an issue for the police to address with the university, and possibly Moufid’s lawyer to address, too. However, it does not have any bearing on whether Moufid should be charged with what he’s been charged with (i.e. “Mischief to data and Unauthorized use of a computer”).

    Ask yourself these questions:

    1. Regardless of motivation, was Moufid authorized to use Carleton’s computers in the manner he did?
    2. Did he gain access to sensitive information as a result that he was not authorized to have?
    3. Did he use this information in any way, shape or form (including putting it in a “report”)?

    The answers are No, Yes and Yes. Not “no, but…” or “yes, but…”.

  9. williams says:

    I don’t know if Carleton has given the police false or inaccurate information concerning Moufid’s past or not, but the statement that he has been involved in other incidents is false and it’s not based on any fact.
    And that’s why we have courts, judges and lawyers; it’s not up to you to condemn or approve, it’s up to the judges.

  10. gordon says:

    Yes, I get that you believe this is the first time he’s done something wrong at Carleton (or at least gotten caught doing something wrong), though you haven’t offered anything other than “it’s not based on any fact”. Until the police or the university release information that contradicts/corrects the statement by the detective in the CBC article, I see no reason to believe Moufid hasn’t been warned by the university in the past.

    So, what are your answers to the three questions I posed above?

  11. williams says:

    You know he has never done anything wrong in Carleton or elsewhere; you don’t know anything about him, except his name.
    Mansour is a truly altruistic individual; he wrote plenty of software and dedicated it to the public. People who know him can confirm that.
    He is not interested in money in any way; he worked a full-time job during the summer: that’s the way he makes money.
    I’ll tell you a secret: what has disappointed the people who charged him the most is that they did not find any fraud or any theft.
    Remember: people are innocent until proven guilty in a court of law.

  12. gordon says:

    I’m sure that he is an altruistic individual and that he did this for altruistic purposes. Regardless of the motivation, it was against the law. As a result, he is having to face the consequences.

    He could have set up a demonstration in a captive environment or he could have demonstrated it using his own card to a reporter from the Charlatan. But he didn’t.

    Oh, and you still haven’t answered the three questions.

  13. williams says:

    I can’t answer your questions because I am not Mansour Moufid and I don’t know the facts.
    But I have known Mansour since middle school, when he was allowed to take high school math because he was ahead of us in everything.
    And despite the fact that he is a truly gifted genius, he was always helping out the other students with their math problems.
    I remember when I went to see him about a math problem, he would always smile at me, explain the problem to me, then tell me a joke.
    By the way: his preferred reading is cartoons.

  14. gordon says:

    Ok, I think you can answer the questions based on the fact that Carleton and the police are taking action against him, but in case you still claim you can’t, here they are:

    1. Regardless of motivation, was Moufid authorized to use Carleton’s computers in the manner he did?

    Answer: No, otherwise he would not have been charged by the police.

    2. Did he gain access to sensitive information as a result that he was not authorized to have?

    Answer: Yes (assuming he was the author of the infamous “report”, which he has not denied).

    3. Did he use this information in any way, shape or form (including putting it in a “report”)?

    Answer: Yes (assuming he was the author of the “report”).

  15. williams says:

    Don’t forget that he never had any intent to do any harm to anybody. The law articles you are referring to:

    342.1(1) says: use/possess COMMIT COMPUTER OFFENCE (the fact of possessing or using passwords is not in itself an offence)

    430(1.1)d MISCHIEF/DATA USER OBSTRUCTION

    do not apply here, but his lawyer may give you more details, and he will.

  16. gordon says:

    I wrote about 342.1 in my other entry, but 342.1 says:

    342.1 (1) Every one who, fraudulently and without colour of right,

    (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

    Section 430 says:

    (5) Every one who commits mischief in relation to data

    (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or

    (b) is guilty of an offence punishable on summary conviction.

    Whether he intended to do any harm to anyone doesn’t matter. (Besides, it can be argued that he did harm to the students whose personal information he included in his paper, even if he did disassociate the names from the other pieces of information.)

    Disclaimer: I am not a lawyer.

  17. gordon says:

    A comment by williams has been moderated.

  18. Squid says:

    The “report” that Moufid put together violates 342.1 (1) d, clearly and unequivocally. I hope I am free if/when this goes to trial because I will want to attend. I have *GOT* to see how he defends that. It seems that the basic facts are not in dispute, fraudulently and without colour of right he accessed a computer system, possessed, trafficked in and permitted other persons to have access to computer passwords that would enable a person to commit offences under those other paragraphs.

    I’ve never seen a case that is so cut and dry.

    All the rest is non-sequiturs. The university denied receiving an earlier report? So what. Not relevant, although there’s a good chance that fact, if true, would be used by the Crown to establish that Moufid did not have permission to conduct his research.

    Didn’t steal any money? Irrelevant. He’s not being charged with stealing money, he’s charged with unauthorized access.

    Altruistic individual? Irrelevant as far as the action goes, although that might mitigate the punishment.

    And I agree with Gordon. I’ll trust the CBC over some random blog poster who claims to be a friend of the accused.

  19. Squid says:

    I think the 430 charge is a bit weak. From what I’ve seen so far, I would think it difficult to make that stick. The 342.1 charge looks rock solid to me, though.

  20. gordon says:

    If they’re charging him with “mischief in relation to data”, it’s a bit weak, though it’s likely that he interfered with the lawful use of data 430(1.1)(c) and it probably involved altering data 430(1.1)(a). On the other hand, depending on how the judge interprets “property”, there might be parts of 431(1)(b) or (c) that would kick in.

    The police media release says that he’s next in court on October 15th.

  21. williams says:

    Let’s thank Carleton hacker
    The Ottawa Citizen
    Published: Sunday, September 21, 2008

    Re: Neither friend nor foe, Sept. 13.

    The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students’ information and use of its on-line campus cards.

    The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.

    The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

    The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

    A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

    Wouldn’t any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

    If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

    Thank him, enlist his help in correcting the situation, and drop the charges.

    Sylvia Parent, Gloucester

  22. gordon says:

    The hacker could have chosen to ask for permission before testing the weakness of the systems: yet he did not.

    This is the crux of whole matter.

    A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

    On what basis should it be re-evaluated?

    An individual has been arrested and charged under sections 342.1 and 430 of the Criminal Code of Canada. If it is determined that he broke the law, why should he not face the consequences of his actions?

    Personally, if I was one of the students whose information he illegally accessed, I would be upset by the incident and would have reported it as an identity theft. It doesn’t matter whether he used the information, merely that he had the information.

    Oh, and the fact that someone had a Letter to the Editor published does not mean that it is right. It simply means that the editor thought it was interesting, would provoke dialogue or would fill some whitespace on the page of their newspaper.

  23. Allison says:

    check this Ottawa citizen article about Mansour Moufid:

    http://www.canada.com/ottawacitizen/news/story.html?id=ce863a37-9fb9-46d6-b90b-40be380084e6

    One of the Carleton administrators (Mrs. Blanchard) is asking him to deny that he ever sent a report to the university.
    I can’t believe it, but the letter has been sent to the media and Mansour’s lawyer.

  24. Allison says:

    We want to hear from “Gordon” about the administrator Suzanne Blanchard’s letter, where she asked the student to write that he did not send the university a report, even though the university said to the media that they had received the report.
    Mr. Gordon, you seem to know the law better than me and I want to know if the police should charge Mrs. Blanchard for her letter where she ordred the student to commit perjury,
    and if the RCMP should investigate what’s going on here?

  25. gordon says:

    As I’ve stated before, I am not a lawyer, “Allison” (or perhaps you’d prefer “williams” since you are using the same computer), but based on what’s been reported Ms. Blanchard has not “ordred [sic] the student to commit a perjury”.

    The Criminal Code of Canada says that “every one commits perjury who, with intent to mislead, makes before a person who is authorized by law to permit it to be made before him a false statement under oath or solemn affirmation, by affidavit, solemn declaration or deposition or orally, knowing that the statement is false.” So, to commit perjury someone has to have taken an oath, or made an affirmation, to tell the truth.

    He would be making this statement in letters of apology, so he wouldn’t be committing perjury if you accept his version of the story as being true.

    And, no, I don’t think the RCMP needs to investigate.

  26. Allison says:

    Maybe it’s not perjury, but she wanted him to make a false declaration by saying that he did not send them the report.
    Even if Mrs. Blanchard is not charged, the judge and his lawyer may want to interrogate her about this letter. Mansour’s lawyer will certainly “subpoena” Mrs. Blanchard so she will explain to the court why she signed a letter asking Mansour to lie.

  27. Allison says:

    You can be sure that Mansour’s lawyer will ask the court to issue a subpoena against Mrs. Blanchard in order to explain to the court why she ordered the student to lie, and if she fails to attend or remain in attendance as required by the subpoena, a warrant may be issued for her arrest.

  28. gordon says:

    The lawyer can ask, but I wouldn’t be surprised if the judge says it’s not relevant to the criminal charges and disallows it.

  29. Allison says:

    I think the letter Suzanne Blanchard sent to the student asking him to lie is relevant to how the charges were brought against the student in the first place, because those charges are based on a document that the university safety staff obtained from him through intimidation and threats of expulsion.
    His lawyer will discuss whether those so-called “confessions” obtained by the university safety director Mr. Boudreault can be used in court.
    And by sending him a letter asking him to deny he sent a letter to the university, Mrs. Blanchard is just showing the entire world her collusion with Mr. Boudreault, the director of the safety staff of Carleton. We will see how the judge will deal with these facts.

  30. gordon says:

    The chronology seems to indicate that the charges were laid quite a bit in advance of the letter with the sanctions, so it’s doubtful it’s relevant to the charges. I wrote about my feelings on the sanctions in an entry earlier this evening, so I’m not going to repeat them here. Suffice it to say I think the university erred in the requirement to say he lied in the letters, but that’s it. I think the rest of the sanctions were completely reasonable, just and in line with the Student Rights and Responsibilities Policy.

    As far as the court case goes, the question is whether he did what he is being charged with and as Squid commented above, the case is very cut and dry.

    Regardless of whether you think there’s some big conspiracy (or even if there is a conspiracy, which I don’t believe there is), the questioning in court will probably run something like this:

    Crown: “Did you access computers at Carleton to which you did not have permission to access?”

    Defendant: “Yes, but…”

    C: “Did you retrieve information from those computers and publish that information in a report?”

    D: “Yes, but…”

    C: “Thank you.”

    D: “…”

    Judge: “You may return to your seat.”

    It has been well-reported that he has not denied doing what he is charged with doing. In fact, he basically admitted it in the article in Thursday’s Citizen. I think the wisest thing he can do is answer “Guilty, your Honour” when the asked how he pleads after the charges are read in court.

  31. The defence to a 342.1 charge is to produce a document or other convincing evidence that demonstrates the accused had permission to access the computer system in that way. Doing this is rock solid and leads directly to an acquittal.

    In the absence of that, the defence will pretty much have to establish that a reasonable person would have believed that they were authorized to make such an attack.

    The Crown need only produce evidence from the university that such uses of their computers by Mr. Moufid were not permitted. A copy of the university’s acceptable use policy would pretty much get that job done.

    Right now, Moufid’s lawyer is almost certainly working toward some kind of settlement or plea bargain. I say this because Gordon’s synopsis of the line of questioning pretty accurately reflects how it will go. If this goes to trial, the only winner will be the lawyers who will collect fees.

    Whether or not a report was sent to the university is absolutely, utterly, completely irrelevant. To beat the 342.1 charge, he needs to show that he had permission. Moufid hasn’t been charged with not sending a report to the university, he’s charged with unauthorized access. That he posted the report outside the authorized channels (i.e. it’s available on the internet, that’s where I read the report) nails the lid closed on a 342.1 charge.

    As long as he continues to insist that he has done nothing illegal, he increases the chance that the proverbial book will be thrown at him.

  32. Allison says:

    You can be sure, my friend, that his lawyer is not working toward any kind of settlement or plea bargain. Mansour and his new lawyer (because Mr. Israel Gensher’s services have been terminated) want to go to trial, where they have plenty of security experts from Canada and the USA who have already contacted them to let them know that they are ready to testify in court. These IT security specialists will explain everything to the court.

  33. Georges Duhamel says:

    Mansour’s lawyer will cross-examine both Mr. Boudreault (about the way he obtained the so-called “confessions”) and Mrs. Blanchard (about her letter to Mansour asking him to lie) and may find out that there is collusion between Mr. Boudreault (the Carleton safety staff director) and Mrs. Blanchard (the associate vice president), who was trying to validate the confessions obtained by Mr. Boudreault in an illegal and questionable way.

  34. Squid says:

    All that collusion stuff is not relevant. 342.1 isn’t about being asked to lie about anything. 342.1 says, in short, "did the accused do this, and do it without authorization". If the answer is yes to both, then the accused is guilty. There’s nothing in the charge about an unseen cabal, or mysterious forces conspiring against the accused. The courts look at facts, not conjecture and fantasy.

    Any mysterious conspiracy bollocks from Boudreault and Blanchard, etc. is simply not material to the charge. The situation might mitigate the resulting punishment, but if you’re looking at mitigating the punishment already… well…

    I am a security expert too, with more experience than Mansour has years. No security expert can add any testimony to this case that would help Mansour. He broke the law, and if he thinks that his defence can be worked up by all these non-sequiturs, he’s in the hurt locker. What, exactly, do you expect a security expert to say that would indicate that Mansour was operating with authorization on the system, and that he did not illegally publish a report containing passwords in direct violation of 342.1?

    If this was 1986, one might explain about "white hat" hackers or make some lame story like that. The law was new then and it might be reasonable to expect that there would be a few people with genuine intent to help who simply didn’t know any better. But that was 22 years ago – the law has been on the books for over 2 decades. Acceptable white-hat hacking is done with authorization.

    Add to that the fact that there were legal alternatives for Mansour to follow to prove his point and he is not going to come away from this all cuddles and smiles. No expert testimony can wiggle around these facts.

    So good luck… I hope to be in the gallery for this one. I expect it to be quite a show.

  35. Georges Duhamel says:

    There is one reason that a high-ranking administrator such as Mrs. Blanchard would sign a letter asking the student to deny that he sent a letter to the university when everybody in Ottawa and in Canada heard in the news the spokesman of the university saying that the university did receive a report.
    I think that Mrs. Blanchard was blinded by hatred when she signed a letter telling him to lie about sending a report to the university, and she may have broken the criminal code too. I am not a judge, but I think that Mrs. Blanchard should start looking for a good lawyer.

  36. gordon says:

    “Hatred”??? That’s a pretty strong word to be tossing around so lightly. On what do you make this accusation?

  37. Georges Duhamel says:

    Given the way this story started, the way they are handling it (i.e. they alerted the police AFTER the guy explained everything to them; before that they had no clue what was happening), the way they forced him to write the so-called “confessions” through threats of expelling him from the university and intimidation, they show the entire world that they are doing everything to ruin his life. Is that not hatred?
    If that is not hatred, hatred does not exist, and you know, Mr. Gordon, that it does exist. Now this is backfiring on them and it’s far from over. Remember, it’s not over; in the next days we will hear new developments.

  38. gordon says:

    They alerted the police because they suspected a crime was committed, namely the illegal access of sensitive systems and information at the university. Their responsibility to those students whose information was compromised meant they had no option in this matter.

    As for the “hatred”, I reject your thesis. Mansour Moufid almost certainly knew that what he was doing was wrong, particularly as he had been warned in the past for doing things that were against the rules. But he did it anyways. Now he is having to face the consequences of his actions. Just because you or he do not like those consequences does not make it hatred.

    His life is far from “ruined”, though this incident will haunt him for years to come. That’s what happens when you break the law.

  39. Squid says:

    All the hatred in the world doesn’t change the fact that a report he wrote and published to the internet contained usernames and passwords – in direct violation of 342.1 (d) I believe.

    So his defence is… he’s subject to racism? With all due respect, please engage in an act of self-copulation rather than waste the court’s time with that.

    I think we’ve beaten this dead horse enough.

  40. Duhamel says:

    I promised to let you know about any new development; here is a new development:
    Mr. Boudreault, Carleton safety staff director, and Mrs. Blanchard, “student support” director, did COMMIT A CRIME and will certainly be charged in the next few days with extortion.

    The Carleton administrators who signed the letter sent to Mansour will certainly be charged for extortion of false confessions in the next few days.

    In Canada, the 2008 version of the Criminal Code prohibits extortion as set out at §346(1):

    "Every one commits extortion who, without reasonable justification or excuse and with intent to obtain anything, by threats, accusations, menaces or violence induces or attempts to induce any person, whether or not he is the person threatened, accused or menaced or to whom violence is shown, to do anything or cause anything to be done."

    In R v Davis, Chief Justice Lamer of Canada’s Supreme Court wrote, in 1999:

  41. gordon says:

    Wow… Talk about being bitter and vengeful. You of course realize that it won’t have any bearing on the charges Moufid is facing, right?

    I wouldn’t be surprised if the judge says that the proper procedure would have been to go through the appeal process afforded under the Student Rights and Responsibilities Process and dismisses the case.

  42. williams says:

    If the case is dismissed he can appeal it to the court of appeal, then to the Supreme Court of Canada. I think he has the right to do that even if his name is Mansour.

    This case is FAR from over

  43. gordon says:

    No one is saying he doesn’t have the right to do that and no one has implicitly or explicitly said “his name” has anything to do with it, other than you.

    Hopefully you don’t waste too much of the court’s time that could be better spent on more urgent cases.


Trackbacks/Pingbacks

  1. gordon.dewis.ca (September 11, 2008 @ 17:21)