Student hacker drops out of Carleton

A Carleton University student has quit school after being hit with a fine and other sanctions for hacking into a university computer to steal identification and financial data from 32 student cards, then sending a report to the victims and the university detailing how he did it.

Mansour Moufid, 20, a second-year math student who used the alias Kasper Holmberg in his report, said he made his decision Thursday after receiving a letter from the university detailing his punishment.

The university's letter, dated Sept. 23 states that the incident is not a first offence, placed students at risk, and was not perpetrated to protect students — contrary to Moufid's claim that he was trying to be helpful by exposing security flaws in the university's student card system. The letter was signed by Suzanne Blanchard, associate vice-president of student support services.

The university identification card contains data such as the student's identification number, computer and e-mail log-in name and password, and library card number. It can also be used to unlock doors for three campus buildings, including two residences, and can be loaded with money to buy food, books and computer equipment on campus.

Moufid said he was particularly upset about the requirement that he write a letter of apology to the university that notes "you lied about alerting the university earlier and the details of what you actually did."

Moufid alleges he was telling the truth.

"That's the thing that really bothers me.…They want me to say that I lied about alerting the university earlier, which just isn't true," he said from his mother's home in Mississauga Friday morning.

It's not clear exactly what the university means, but a university spokesman did tell CBC earlier in September that Carleton had received the document on Aug. 29, more than a week before students received it.

Moufid won't appeal

Moufid said he could appeal the punishment, but doesn't think that would improve his situation.

"The meetings I've had with them so far are just completely bogus," he said. "I'm just done."

He added that he's looking into other universities and may apply to the University of Toronto.

The university's letter states that Moufid's punishment is to:

• Pay fines worth a total of $2,768 to cover the costs of replacing the 32 student cards of the victims and paying for extra security at residence buildings that are accessed using the cards, "due to the unknown risk" posed by the breach of the card system.
• Write letters of apology to the 32 victims, the university and the "university community."
• Perform seven hours of community service per week at a local food bank for the entire school year.
• Successfully complete a post-secondary level ethics course by the end of the academic year.
• Sign an agreement to allow Carleton's computing and communication services to monitor his online activity for as long as he is at the university.

In addition, the letter states that he will face immediate expulsion and a ban from the university if he is involved in any other incidents that are in violation of student rights.

It states that Moufid can appeal, and encourages him to contact the university's ombudsman for "advice and support in this matter."

Moufid is also due in court Oct. 15 to face criminal charges in relation to the incident.

Moufid gained access to the student card data by installing software that he wrote on a terminal in a computer lab that was attached to a card reader. The software recorded keystrokes made on the computer and included magnetic stripe card reader software.

In the 16-page document sent by Moufid to the university and the victims disclosing his method, he concluded that the cards were not secure and should not be used.