Slashdot Mirror
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
Cheers!
Erick
http://www.busyweather.com/
The school is feeling embarassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
The dangers of knowledge trigger emotional distress in human beings.
Move on. How many stories have there been on slashdot of this exact same thing happening?
A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.
Your hair look like poop, Bob! - Wanker.
.. has to be having the police handle a situation that they don't understand.
What do I have to do to get a sig around here?! www.bearscanfly.org
Comment removed based on user account deletion
Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But its nice to know that there are self-serving show-offs who will do it for me. More power to them.
Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.
Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.
Not Meta-modding due to apathy.
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss student's e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some college's and uni's send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"[Fuck Beta]
o0t!
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."
Somebody fire this person.
Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
Here's the deal, before you all start burning megabytes on the debate whether or not this people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
HaXXXor.com - Naked Chicks Teach You How To Ha
I am appalled at the number of people justifying what Oxford Univeristy is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?
Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and lorn arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?
I don't think so!
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
If everybody broke into a network would it still be unlawful.
Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").
Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a dman is when the writer feel sthe issue is worth risking his liberty.
I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damaged, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.
I hope the two students in question counter sue the university for lapse protection of their student records.
Reminds me of when a professor of mine explained the term "hutzpah" to me...
A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
That is hutzpah, and those two would be exhibiting quite a bit to sue the university.
I've audited everything from banks to schools and I must say that a College campus network environment is by far the most unique environment that I've ever audited.
Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. Its a very interesting paradigm shift.
I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)
That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admin's have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from catholic girls schools to Ivy League institutes and none of them were irresponsible when it came to their security.
Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due-dilligence to protect their network.
The three pilars of computer security consists of Accessability, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessable by those whom are authorized to access it.
Yes, it is possible to hack any network and perform arp cache poisoning (just check out the tool Cain & Able @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.
From the sounds of this article, it looks like they came across this Cain&Able utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.
I say that they should make an example of these script kiddies.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
That's exactly what they did. Sniff traffic. That's it. They didn't actively crack the system. Nor is this easy at all to defend from. It seems incredibly overblown, because all you need to do is use SSL to defeat this. They probably uses switches already, but that doesn't stop ettercap.
Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.
Tired of legitimate data sources? Try UNCYCLOPEDIA
You know, with our whacked out legal system in the United States that sees enemies everywhere , the kids would have been sentenced to 10 years prison each for terrorism.
I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.
Religion is a gateway psychosis. -- Dave Foley
Obviously, now. Before hand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
Friends don't help friends install M$ junk.
You cant really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism" ?
Journalists get far too much slack already, ranting arould like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.
What the kids SHOULD have done was to contact the principles office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
1. The fallacy here is assuming that the laws *must* be correct, and failing to consider what the purpose and the origin of the laws are. The laws are presumably there to protect the everyone's rights. If everyone's breaking the law, what's the purpose of the law? Obviously either everyone has a double standard or thinks the law is silly. These "fundamental moral principles" you mention had better be supported by the masses, or they're elitist and don't belong in a social contract.
2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, the deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.
3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?
I think your post demonstrates a limit of the slashdot modding system... Should get a +10 Insightful, as far as I am concerned... and be moved up to the top of everyone's reply list. This is exactly where the students failed in their investigation.
This is definitely not a case where it's "easier to ask forgiviness than permission."
The emperor is naked.
Since you obviously aren't very well versed on security, I will help you.
this is not a security hole
Any unfettered access to ports that aren't being used IS a security disaster, period. Do some reading as I don't feel like teaching you all about it.
I get an unfirewalled, public IP from my ISP.
This practice by ISP's is one of the biggest reasons beyond Microsoft for the spread of Code Red, Blaster and all the other IP scanning worms/viruses out there.
It is up to the student to make sure they're protected. If they can't do that (or pay someone to do it for them), then they shouldn't be online.
The first sentence is rediculous. I won't even delve into how rediculous. But they DO in fact pay someone--the University. Every university I know of removes viruses and such from students computers. They pay for that in their "technology fee" or whatever their school calls it.
Um, firewalled servers with private IPs aren't exactly very useful.
Here is a cluestick for you--NAT. Go look it up. Any network security admin worth one cent knows there is no reason to give the outside (or inside) world access to port 7754 or any other random unused port. There is no reason a web server should allow anythying other than port 80 access and maybe a few others.
Professors and students who live off campus might want to do work from home.
Cluestick #2--VPN.
How many people were running servers before that now couldn't?
I bet dollars to doughnuts most schools out there specifically forbid that due to porn and all the other crap people would use it for. My school had a clause that the Internet was to be used for academic purposes only and any violations were grounds for revoking the priveledge to use it. It is THEIR pipe and they can dictate how people use it.
Putting up a firewall solves nothing
I pray you are trolling and you don't really believe any of what you just said.
"Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduatiing CS students they are very easy to replace at the drop of a hat."
Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as a much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.
Good academic sysadmins are actually pretty hard to come by. it's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.
(disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)