I saw this on Slashdot today: A computer science student was expelled from a Canadian university for practicing what most people would call white-hat hacking.

Their reasoning: “Schools are supposed to teach best practice, which includes ethics and adherence to reasonable laws.” But there is such a thing as ethical hacking. There are also security laws on the books, in multiple countries. This week the United Kingdom fined Sony $395K for not securing its systems and allowing it to get hacked. I’m actually surprised that the fine was that low.

The laws may be different in Canada, but in the United States there are laws that corporations and citizens must obey, including the Federal Sentencing Guidelines of 1991, which put executives on the hook for up to $290 million if they don’t observe reasonable security practices.

Yes, that date is correct–these guidelines are more than 20 years old. The enforcement definitely appears to be selective at best, but the risk is there. It’s one of the first things a CISSP candidate learns.

The article is right that people in the real world expect software architects to deal with a hostile environment, the same way building architects deal with hurricanes and earthquakes.

Schools that realize this and teach their software architects to deal with this hostile environment stand to do well in these troubled times. Schools that stay stuck in 1982 will eventually be left behind. Indeed, there’s pressure to teach hacking in school.

Here’s a true story from my world. When a potential client or employer interviews me, I pretty much expect the interviewer to ask, “Have you ever hacked into anything?” Of course the interviewer expects me to say yes.

I expect that question to soon evolve into, “Tell me about the last time you hacked into something.” And I expect the person with the best story to get the job. White-hat hacking isn’t just acceptable, it’s expected. I’ve even heard fellow CISSPs say white-hat hacking doesn’t go far enough. One went so far as to call white hats “useless,” and say you need someone who crosses a line from time to time–but stops short of doing any harm–to have someone who really knows something. This particular student may have strayed into gray-hat territory, but one colleague I respect greatly would argue there’s absolutely nothing wrong with that.

That’s the world college graduates are going to have to live and work in. Universities can’t wish it away, just like they can’t wish away earthquakes and tornadoes and hurricanes.