From the Guardian comes the story of Patrick Foster and Roger Waite, two Oxford students who are in trouble because they discovered serious vulnerabilities in their university's network which allowed access to students' e-mail accounts, instant messaging conversations, and CCTV broadcasts. They discovered them in the course of writing an article for their college newspaper. From the Oxford Student article:

Access to the video-streaming of CCTV footage of College A was easily available, pictured right, and cameras across the College could be taken down at the touch of a button. One student who appeared in security footage accessed said: "As well as understanding the security implications, it was personally shocking and especially worrying."

What was the administration's response to such news? Legal proceedings. The two are looking at possible "rustication" - being banned from Oxford grounds for a year.

While it is true that what they did was technically illegal, it was done with the best of intentions. They did not explain the methods they used in their newspaper article, nor did they keep the network's insecurity secret from the university administration. If the two students were security researchers looking for holes in a major software program, they would be thanked, not disciplined.

Alas, on the vast majority of university networks, the policy is far more restrictive. For example, Harvard's "Computer Rules & Responsibilities" notes:

Students may not attempt to circumvent security systems or to exploit or probe for security holes in any Harvard network or system, nor may students attempt any such activity against other systems accessed through Harvard's facilities. Execution or compilation of programs designed to breach system security is prohibited unless authorized in advance.

While there are obviously reasons for universities to have such policies (students who commit malicious actions are unable to claim that they were simply probing for security holes), students who find security holes innocuously should not be punished. In the Oxford case, where the probing was part of a journalistic investigation, I do not think any misdeeds were committed, and I hope the two are exonerated.