Hacker News
by fduran 4892 days ago
Malicious definition: "motivated by wrongful, vicious, or mischievous purposes", so it doesn't look like what he did was malicious. Also, unlawful? Please quote the Canadian law that he broke. Even in the US, IANAL, but the law mentions a vague "unauthorized access"; has anyone ever been charged or convicted for running a vulnerability scanner like Nessus?

Not that I disagree with you: always ask for permission in writing from an authorized person before performing any kind of scan or security testing.


I explained my point below in more detail regarding the equation and why I think it should be remembered.

When someone is scanning your system and you haven't authorized it, you will definitely treat it as malicious. In the given moment, you don't care about the attacker's inner motives, because your system is under attack and you had better act accordingly.

I know a story about a guy who lost his job because of unauthorized Nessus scanning in his company. Every story with a convicted hacker has some kind of scanning tool (at least nmap) that was used in the scanning phase, you can bet on it. Every scanning tool is an attack tool. In fact, scanners are the most useful tools for any kind of attack, because they minimize the amount of manual effort needed.

I don't know much about Canadian law, but most current laws forbid unauthorized access and _attempts_ at it.

I think what the GP meant was something along the lines of "Unauthorized security testing is indistinguishable from a malicious attack", in the sense that you cannot but expect that the administrators of the system in question will react in alignment with their own goals. And you really have no control over whether they perceive you as an ally or a threat.

Orthogonal to this fact is the question of what happens when an authority is brought in to solve the conflict. And something young hackers need to learn as early as possible is that you are not entitled to due process in every possible context. It would be unlawful if you were not given the chance of a just trial in the context of a criminal or civil lawsuit, but this does not translate well to private institutions.

In the particular case of a student's unauthorized access within a university, this problem is compounded by the fact that the university and its representatives play the roles of prosecution, judge, jury and (sometimes) defense. You also have to consider that the people doing this are not legal professionals but are pulled out of their real jobs to sort out some random mess, so the only constraint is their common sense. I've even heard a first-hand report of a case in my university where the faculty member supposedly playing "defense" was the most gung-ho about giving the boot to the guy in question (who ended up getting a one-term suspension, but got to keep his scholarship, so it could have gone much worse).

This is probably not "fair", but it is the way it is and nobody seems interested enough to make it change. Education has a number of stakeholders with sometimes conflicting preferences and goals, so this is not a trivial problem.

But the point is that once your actions put you in harm's way, the abstract concepts of "fairness" and "proportionality of the punishment" are academic at best. My opinion is that legality is the bare minimum standard society imposes to keep barbarism at bay, and it is pretty rough itself. So it is in your best interest to conduct yourself in such a way that appeals to "the rules" happen as little as possible.

> "Unauthorized security testing is indistinguishable from a malicious attack"

Of course it's distinguishable. Testing comes before attacking, to provide information. The two are otherwise completely unrelated. It's dead easy to distinguish between someone poking your fence and someone stealing your jewelry, for example.

If your test to see if you can pick a lock is actually trying to pick the lock, then the test can of course be indistinguishable from attempted burglary. If you were caught in the act, any defense will be suspicious. However, if you confessed of your own free will, there is usually no reason to suspect criminal intent.

If you're caught in the act, sure. But they called him about it well after the actual actions. That's solid evidence, then, that he left after entering and logically did not use the entering to commit a crime.

You are willingly missing the point here. It is human nature to assume malicious intention, even if it is wrong. And if there's no strong motive to provide due process and investigate, malicious intention will be assumed.

If a random male servant is found to have gained unauthorized access to the princess' chamber, torture comes first and beheading comes last. In-between questioning regarding his intentions and the degree of fulfillment is optional.

You don't do that if you have video evidence of him entering, standing there for 15 seconds, and leaving.

There is a huge difference between catching someone in the act of breaking in, where it's reasonable to assume malicious intention, and noticing that someone entered and left, where you can see that they didn't do anything malicious.