I just read an interesting article in the Technique (Georgia Tech's student newspaper, which is online if you want to see it) about a student who figured out some very easy ways to hack into the BuzzCard system they use. It's basically a combination ID card and debit card, and a competent hacker can use the holes in security this student found to reap great rewards of information. It's a situation only a hacker or a criminal could love (notice how I distinguish between hackers and criminals).

Anyway, it seems that after the student published his findings, with the hope that Tech would do something to solve the problems, the administration instead accused him of embarrassing the school, of hurting the company that created the system, and basically of being an evil, disrespectful child who needs a stern talking to. This is typical of the establishment when faced with ideas that threaten their systems. Instead of thanking him for pointing out problems, they try to make him the problem, while ignoring the real issue. Instead of attacking him, they should ask the company why they made a device that is so easy to hack into. They should get their own IT people to work on solutions. Instead, they allow the security holes to continue. The company that made the devices, Blackboard, Inc., put a gag order on the student so that he could not present his findings at a conference. This is simply ridiculous!

Georgia Tech, of all institutions, should realize that if one benign hacker finds a hole, ten malicious hackers will exploit it for their own gain. Of course Tech's response to that would be, "The malicious hackers wouldn't have gotten in the system if so-and-so hadn't told them how." My response to that is that if this one guy found these holes, smarter people could find them on their own and probably already have. Fix the system, don't kill the messenger. And don't wait until 2000 students have had their BuzzCard funds stolen before you do anything about it.
A Daily Dose of Ben
Sometimes not quite daily!
