University Cyber Rights [cr-95/9/28]


Sender: "Michael R. Widner" <•••@••.•••>

   I'll try to make this brief.  Last March I was expelled from the
University of Chicago Graduate School of Business for reasons that were
only specified as 'computing abuse'.  I was found guilty of vaguely
defined crimes though a judicial process in which I was not allowed
to hear the testimony of my accusors.  This made it difficult to respond.

  Since then I have enlisted the help of a law firm, filed an appeal with
the University, and got the expulsion overturned on the grounds that
the former proceedings were unfair and did not follow the rules outlined
in the University policy guidelines.

  Now the Business School wants to initiate new proceeding.  After
speaking with a the Business School dean of students I am left with the
impression that they will be sure to expel me in a fair and proper manner
this time.

  The whole story of my 'offenses' is rather long, but I'll try to
summarize briefly.  I'm 27 years old, and have a professional background
in computer security.  Upon entering the university I was given unix
accounts on several systems.  I spotted major security hole, and informed
the proper people.  I began e-mail correspondance with 'Bob', the
university's head of network security.  Over the course of Oct. '94
through March '95 we discussed security topics, and he asked me to run
security scans (SATAN and such) of various campus systems.

  On February 27th I created an exploit program that utilized the
sendmail/ident hole described in a CERT advisory issued eariler that
week.  I also created an exploit program that abused a similar hole
locally (as opposed to the remotely, as the other program did).  I posted
both of these programs to the Firewalls mailing list.

  About a month later it was discovered that somebody broke into some
university system and tried to penetrate other systems from there.  He
left behind a group of exploit programs, including one that I wrote and
had posted to Firewalls.  Nobody alleges that I had anything to do with
this breakin, but I became the target of an investigation nonetheless.

  In the ensuing 'hearing' (they will not call it a trial) with the
Business school evidence was presented against me, claiming that I had
made 'repeated attempts to gain unauthorized access to faculty and other
university computers'.  The evidence consisted of logs of my security
scans of a few university systems.  Given that I had saved email with
'Bob' asking me to perform scans and thanking me for it afterward, I
thought I was ok.  But it turns out that Bob elected to characterize
me as a system cracker that he allowed a few freedoms so that he could
'observe how system crackers' penetrate systems.

  Thus far this case has generated over 200 pages of documentation with
the university, so what I have given here is the very brief version.
I am presently working with my lawyers to prepare some type of defense
for my next 'hearing', which will be comming up in the next few weeks.
What I am seeking here is advice or suggestions.

  I have already spoken and worked with the EFF.  They have been very
helpful so far, and hopefully they will continue to be.  Of course their
time is quite limited and this is not the type of case they get very
involved in.  I have also obtained 'expert opinions' on the evidence
from Dr. Fred Cohen (who I can't thank enough) and am expecting a letter
soon from Dan Farmer (who I also can't thank enough).

  Again, I am seeking advice.  If anybody desires further information
about this case, I'd be happy to tell you anything I can.  Unfortunately
all of the documentation is only in paper form.

  I thank you for your time.

-Mike Widner

 Posted by --  Andrew Oram  --  •••@••.••• --  Cambridge, Mass., USA
                 Moderator:  CYBER-RIGHTS (CPSR)

    World Wide Web:

You are encouraged to forward and cross-post messages and online materials,
pursuant to any contained copyright & redistribution restrictions.