Slashdot Mirror
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
Cheers!
Erick
http://www.busyweather.com/
The school is feeling embarassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
The dangers of knowledge trigger emotional distress in human beings.
Move on. How many stories have there been on slashdot of this exact same thing happening?
A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.
Your hair look like poop, Bob! - Wanker.
.. has to be having the police handle a situation that they don't understand.
What do I have to do to get a sig around here?! www.bearscanfly.org
Comment removed based on user account deletion
They will be punished and fined for embarassing the school, not because they broke the law.
ogg
Black cat, searing pain, flames...? I must be in Heaven! - Homer Simpson
Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
And when that permission is denied because they know their security is worthless?
Give me Classic Slashdot or give me death!
Really, they broke the law for a sensational story for which they could have written a less interesting story without the privacy violations. I don't consider them to have a "journalistic duty to society" justification.
... the admins should get chewed out), would have gotten their story, and so forth. Oh, and this assumes that they notified the admins far enough in advance of their publish date that the problem could be *fixed* before all the students at the university were told about it -- unlike the Manhattan Project, where a couple more guards can just be rolled out or reassigned from another location temporarily, it may take a bit to test software changes before a rollout is appropriate.
I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.
On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree
Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.
May we never see th
>>were able to easily hack into the university's internal network
So what? It is always as easy especially if you are some kind of insider. But normally you do not hack your university for good reasons:
a) It is yours.
b) You will get a lot of trouble / lose accounts.
Really, I did some ARP sniffing in a University of Michigan dorm. I made a slight boo-boo when forwarding the packets to the gateway, so the cisco router somewhat exploded and began to actually physically kill the ports in the rooms, IE, no green light when you plugged your comp into it. I thought it was funny that I somewhat destroyed the network completely on accident, absolutely no security, an ARP proxy would have solved the issue.
I think the university officials need to thank the students for their work in exploiting the security vulnerabilities.
/.
MAYBE, if their exploit didn't involve publishing the vulnerability to the general populace. Worst case scenario, it gets picked up by the BBC and/or
It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same.
They've publicly invited every literate/malicious individual to do so. Getting a killer scoop at the expense of the school's security comes close enough to malicious in my book. In the real world, few (statistic pulled out of my ass based on number of companies/organizations who plug in/install and go, not size or profitability) have "adequately" secure systems, be it the refusal or inability to spend the time or money do so, let alone keep up. Anonymity IS part of a system's security. By publishing this article they've opend up the schools network to attention it wouldn't have received othewise. Mabe the Admins will be able to make necessary adjustments before backdoors are added. Maybe they didn't even have the staff to secure it properly. Point is, the consequence of their actions is that students are more vulnerable than they were before the story was published. Intentions be damned, they f^@%ed up.
Michalangelo Progr
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
I wonder if it's something as simple as unencrypted passwords going a wireless network or some nonsense like that.
I design user interfaces for a free network management application,
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But its nice to know that there are self-serving show-offs who will do it for me. More power to them.
Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.
Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.
Not Meta-modding due to apathy.
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss student's e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some college's and uni's send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"[Fuck Beta]
o0t!
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."
Somebody fire this person.
Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
Here's the deal, before you all start burning megabytes on the debate whether or not this people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
HaXXXor.com - Naked Chicks Teach You How To Ha
I am appalled at the number of people justifying what Oxford Univeristy is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?
Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and lorn arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?
I don't think so!
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
This was just a couple of punk-ass script kiddies trying to make the school administration look bad. Seriously, what did they think was going to happen? It's one thing to do serious research in an ethical manner, and another to play 31337 h@xor script kiddie under the guise of journalism. They aren't even good script kiddies -- they got caught way to easily.
Why would they have changed the pass to this honeypot then? Maybe they made it r00t just to toss things up.
If everybody broke into a network would it still be unlawful.
Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").
Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a dman is when the writer feel sthe issue is worth risking his liberty.
I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damaged, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.
I hope the two students in question counter sue the university for lapse protection of their student records.
Reminds me of when a professor of mine explained the term "hutzpah" to me...
A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
That is hutzpah, and those two would be exhibiting quite a bit to sue the university.
I've audited everything from banks to schools and I must say that a College campus network environment is by far the most unique environment that I've ever audited.
Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. Its a very interesting paradigm shift.
I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)
That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admin's have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from catholic girls schools to Ivy League institutes and none of them were irresponsible when it came to their security.
Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due-dilligence to protect their network.
The three pilars of computer security consists of Accessability, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessable by those whom are authorized to access it.
Yes, it is possible to hack any network and perform arp cache poisoning (just check out the tool Cain & Able @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.
From the sounds of this article, it looks like they came across this Cain&Able utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.
I say that they should make an example of these script kiddies.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
The Oxford student newspaper guys are angling to get a nice job on Fleet street after graduation, and are trying to come up with attention getting scoops. If their real intention was to help the network sysadmins, they should have brought this up privately (since the article doesn't mention it, I assume they didn't.)
Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?
If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?
They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.
Protect your liberties. Donate to the ACLU
Don't be ignorant just because your stupid..Crappy assed retard windows sys admins. I told them to use linux..loosers.
Girls must love you.
No, really, people. I knew more about stupid computers than my teachers too back in the days, but I wasn't an arrogant prick. It's just fucking computers, man. It's not astrophysics or anything. Get over yourself.
That's exactly what they did. Sniff traffic. That's it. They didn't actively crack the system. Nor is this easy at all to defend from. It seems incredibly overblown, because all you need to do is use SSL to defeat this. They probably uses switches already, but that doesn't stop ettercap.
Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.
Tired of legitimate data sources? Try UNCYCLOPEDIA
You know, with our whacked out legal system in the United States that sees enemies everywhere , the kids would have been sentenced to 10 years prison each for terrorism.
I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.
Religion is a gateway psychosis. -- Dave Foley
That kind of damage is unlikely if this uni network was as brain dead simpleas most, but it could, and the guys "just looking around"probably don't know enough to even realize the possibility.
Obviously, now. Before hand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
Friends don't help friends install M$ junk.
What I find really scary is the feeble " we bought cheap systems, we can't secure it " excuses the systems admins are giving.
If they had used free software it would have been pretty secure out of the box (or whatever the eqivalent is for downloading).
Most of the places I have worked recently are using the famously secure and "trusted" software from "honest" Bill Gates, and, they have reasonably secure networks, it just takes a some actual admin from the sysadmins.
What software are they using that stores passwords in plain text? In the 21st century ? This is just plain neglegent, I think the students involved should pursue the college through the data protection act. In the UK anyone holding somebody elses personal information on thier computer system has a duty to secure that data and prevent access from unauthorised users. Clearly asking the student body to "please obey the rules and not look" falls short of "reasonable measures to protect ".
Old COBOL programmers never die. They just code in C.
You cant really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism" ?
Journalists get far too much slack already, ranting arould like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.
What the kids SHOULD have done was to contact the principles office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
1. The fallacy here is assuming that the laws *must* be correct, and failing to consider what the purpose and the origin of the laws are. The laws are presumably there to protect the everyone's rights. If everyone's breaking the law, what's the purpose of the law? Obviously either everyone has a double standard or thinks the law is silly. These "fundamental moral principles" you mention had better be supported by the masses, or they're elitist and don't belong in a social contract.
2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, the deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.
3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?
That's true, but what about when an intranet is left open and someone, exploring the network, stumbles upon it?
My friend's wife once found the answers to all the homework and exams during a class on computer administration, while viewing the intranet from her workstation. The files were not password protected and there was nothing indicating that this was supposed to be private (before opening it).
She realized this wasn't right, and told the teacher. Unfortunately, the professor was not pleased, and the school tried to expel her on grounds of illegally cracking into the network! In the end, she was forced to drop the class even though my friend's wife knew more than the teacher himself! (I think the college's lawyers realized they could be sued if they expelled her.)
She wasn't the only one. A while back, I heard about a case where the New York Times sued a hacker when he found a security hole in their network and told them about it (and didn't do anything else). In both cases nothing was damaged at all, nothing was really seen and nobody was hurt. It's like someone notices that your back door's lock is broken, sends you a letter about it, and you sue them for trespassing.
What I'm saying is that we need some kind of legal protection for these kind of accidental "hacking."
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
Well done for the first sensible post on this thread.
Anyone reading the article properly/knowing anything at all about any university network would realise that's exactly what happened.
Everything students & staff need to know about email & other computer security is up on the university's site (oucs.ox.ac.uk). IT staff at all unis (not just Oxford) do their damndest to educate them about what is and what isn't secure. Some people just don't listen though.
No servers were hacked. What they did (packet sniffing) wasn't particularly clever. A monkey could do it with the right software. The only thing which was actually down to the Uni, as mentioned above, was the availability of CCTV footage from one location. This has now presumably been rectified, and certainly doesn't deserve all the press coverage it's getting.
Nothing? He was blackmailing the company. Even if it was justified (sounds like it was), that's hardly "nothing."
I think your post demonstrates a limit of the slashdot modding system... Should get a +10 Insightful, as far as I am concerned... and be moved up to the top of everyone's reply list. This is exactly where the students failed in their investigation.
This is definitely not a case where it's "easier to ask forgiviness than permission."
The emperor is naked.
Im sure this kind of stuff is commonplace in Universities. I myself knew people who had or could get root access on machines from where (anything goes) in fact we had a room of NeXT stations that were mysteriously taken offline after someone I knew ran the unix "crack" password cracking tool on them. Another friend of mine had similar experiences at his uni.
Generally speaking it must be very difficult to ensure a secure network at a uni. The sheer variety of different machines and operating systems, and the ad-hoc nature of the network will invariably leave gaps in the security.
However i'd like to hope that most students are just excersizing their enquisitive nature and doing little harm in the process, after all University is "yours" just as much as it is the people who run or own it. It is a seat of learning after all!
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
Many young men are so naive about social power hierarchy.
Please, all future kiddie hackers, realise that people at power are *always* more concerned about their power than about technology flaws or productivity/effectiveness of systems they control. And showing their failure in public makes them very angry, because it can endanger their image of power control the most.
Next time, if you do it for sport, do it quiet. Make yourself an outer image of a complete moron. Enjoy your insight. A fame is without purpose for you.
There you are, staring at me again.
Since you obviously aren't very well versed on security, I will help you.
this is not a security hole
Any unfettered access to ports that aren't being used IS a security disaster, period. Do some reading as I don't feel like teaching you all about it.
I get an unfirewalled, public IP from my ISP.
This practice by ISP's is one of the biggest reasons beyond Microsoft for the spread of Code Red, Blaster and all the other IP scanning worms/viruses out there.
It is up to the student to make sure they're protected. If they can't do that (or pay someone to do it for them), then they shouldn't be online.
The first sentence is rediculous. I won't even delve into how rediculous. But they DO in fact pay someone--the University. Every university I know of removes viruses and such from students computers. They pay for that in their "technology fee" or whatever their school calls it.
Um, firewalled servers with private IPs aren't exactly very useful.
Here is a cluestick for you--NAT. Go look it up. Any network security admin worth one cent knows there is no reason to give the outside (or inside) world access to port 7754 or any other random unused port. There is no reason a web server should allow anythying other than port 80 access and maybe a few others.
Professors and students who live off campus might want to do work from home.
Cluestick #2--VPN.
How many people were running servers before that now couldn't?
I bet dollars to doughnuts most schools out there specifically forbid that due to porn and all the other crap people would use it for. My school had a clause that the Internet was to be used for academic purposes only and any violations were grounds for revoking the priveledge to use it. It is THEIR pipe and they can dictate how people use it.
Putting up a firewall solves nothing
I pray you are trolling and you don't really believe any of what you just said.
"Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduatiing CS students they are very easy to replace at the drop of a hat."
Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as a much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.
Good academic sysadmins are actually pretty hard to come by. it's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.
(disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)