Slashdot Mirror


Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."

25 of 662 comments

  1. Are there any adults in the house? by erick99 · · Score: 5, Insightful
    If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration. They could have taken the information to the school and if the school ignored it they could have then published an article. They did call the school for comment but it was clear they were going to publish so that didn't afford the school a chance to remedy the problem. I think they were more interested in an article that would generate a lot of excitement and make them look good. I don't buy their arguments about doing all of this in the best interests of the school. I believe they had their own best interests at heart. I can't say I think much more of the administration in their handling of the matter either. There is a lot of ass-covering going on here and I don't see anybody handling this like adults except for the police who acted quickly and appropriately. Jeeze, what a mess.

    Cheers!

    Erick

    --
    http://www.busyweather.com/
    1. Re:Are there any adults in the house? by gooman · · Score: 4, Insightful

      I completely agree.
      But the administration should get past the embarrassment and call off the cops.
      In the BIG picture, they have been done a favor.

      --
      "Kittens give Morbo gas!"
    2. Re:Are there any adults in the house? by erick99 · · Score: 5, Insightful
      The police referred it back to school as a matter that should be handled "internally." I do agree with you though, they did not need to involve the police. While I think the students were very misguided and out to make a name for themselves, they did not need to involve the police. The students were not malicious, simply self-serving.

      Cheers!

      Erick

      --
      http://www.busyweather.com/
    3. Re:Are there any adults in the house? by DrMrLordX · · Score: 5, Insightful

      I can't say that I agree completely. This reminds me all too much of a small "controversy" that went on in my high school alma mater here in the States. Several members of the school's newspaper staff uncovered information regarding the existence of a peculiar group within the school known as the "Cotton Club" (as I recall) whose purpose was unclear, but which contained members from both the student body, alumni, and supposedly trustees who were all male, white, and rather racist. The only known function of the group that I can recall was that there was a great deal of consumption of alcohol involved. They probably did some other dull things.

      Anyway, the school newspaper staff (full of multicultural liberals) found the existence of this Cotton Club to be horrendous and wished to investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.

      In other words, there was a secret club in the school that contributed to the delinquency of minors (as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club (which is what they should have done).

      The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper (why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have committed a crime. Mind you that, reportedly, this happened BEFORE the article was published.

      What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:

      1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".

      2). Someone, or several someones, within the university staff may have been exploiting the security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.

      Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.

      Or maybe not. Hard to tell with the details in the linked articles.

    4. Re:Are there any adults in the house? by cavebear42 · · Score: 4, Insightful

      The budget is a very valid claim. The most expensive part of running a successful network is not good hardware, it's competent professionals. Hell, even a slacker who just came outta high school and has no experience costs more in 1 year than a server which you will use for 3-5 years.

      Budget is the primary reason on all networks for failed security practices.

  2. Oxford Loses Out by mfh · · Score: 5, Insightful

    The school is feeling embarrassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

    From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?

    These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.

    Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Oxford Loses Out by cmallinson · · Score: 5, Insightful
      They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

      I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?

    2. Re:Oxford Loses Out by Usquebaugh · · Score: 4, Insightful

      ILLEGAL is that bad or just ILLEGAL?

      For christ sakes it's just a law, you know those man made things. Usually written to protect the people with money. It's not like there's anything special about them. In fact every so often they get changed what was legal is now ILLEGAL and what was ILLEGAL is now legal.

      But I guess writing ILLEGAL in big letters makes it in some way important.

      The only problem with my view point is that the people who write and enforce the law know it's a pile of shit but they get really ticked off if anybody outside the club explains this to them, they get doubly annoyed if said person is addressed as the accused and happens to be explaining as to why he should not have to pay a fine for drunk and disorderly. They usually start shouting about contempt and 30 days and stuff like that. I find it best to shut up in those situations.

  3. The worst part... by oiper · · Score: 4, Insightful

    .. has to be having the police handle a situation that they don't understand.

    --
    What do I have to do to get a sig around here?! www.bearscanfly.org
  4. Rule of Law by konekoniku · · Score: 5, Insightful

    Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
    What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
    Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.

  5. Yeah, they should have kept their mouths shut by warm+sushi · · Score: 5, Insightful

    Imagine never failing another subject.

    Imagine being able to push your enemies down a grade.

    Imagine making some extra cash selling exam information.

    Imagine trashing the occasional file to irk a disliked professor.

    Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.

    Imagine how much easier life would be not doing the right thing.

    Just imagine...

    Whether they did it for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.

  6. Re:Yeah... and? by gilrain · · Score: 5, Insightful

    Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.

  7. Re:Yeah... and? by TeraCo · · Score: 5, Insightful
    Well.. this might seem obvious.. but it's because it's still illegal to break into other people's networks.

    Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.

    --
    Not Meta-modding due to apathy.
  8. Well, maybe there is something worth protecting by TubeSteak · · Score: 4, Insightful
    Like social security numbers, health information, whether the student is seeing the school shrink, grades (any teacher's temp internet files), scholarship information...

    What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.

    As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss students' e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?

    Maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites
    And why is this? Maybe we have different ideas about what constitutes "information worth stealing"
    --
    [Fuck Beta]
    o0t!
  9. little we can do? by blazen1 · · Score: 5, Insightful

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."

    Somebody fire this person.

    1. Re:little we can do? by mritunjai · · Score: 4, Insightful

      Fire the IT Officer?? Apparently you haven't been to a school and never had the chance to administer a network.

      I personally was responsible for a hostel network with 450 odd users... and tell you, the ONLY way you can sleep soundly is by making things assuming everybody has the root password! Students have way much time on their hands, are creative and generally up-to-date with security issues. ONE person cannot spend THAT much time... at 3AM you'd be sleeping while some sleepless fellows will be looking over a just released security advisory! By the time you wake up and check your mailing list mails, they'd have already broken into the system! (most of the time without any damage, but just to "see" if it's indeed true).

      Sorry man... a network/system administrator in a school/college is probably the worst IT admin job you'd be looking at!

      --
      - mritunjai
  10. The Point Most Will Miss... by severed · · Score: 4, Insightful

    Here's the deal, before you all start burning megabytes on the debate whether or not these people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:

    This was an action of the press.

    Let me repeat myself, because it's important.

    This was an action of the press.

    It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.

    This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."

    These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.

    * Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?

    --

    HaXXXor.com - Naked Chicks Teach You How To Ha

  11. Proud of the students... by LibrePensador · · Score: 4, Insightful

    I am appalled at the number of people justifying what Oxford University is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?

    Look, Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and long arm of the law and not the students that brought the problems to everyone's attention.

    As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take them at their word?

    I don't think so!

    --
    Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
  12. Re:Yeah... and? by cynic10508 · · Score: 4, Insightful

    If everybody broke into a network would it still be unlawful.

    Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").

    Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a damn is when the writer feels the issue is worth risking his liberty.

    I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damage, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.

    I hope the two students in question counter sue the university for lapse protection of their student records.

    Reminds me of when a professor of mine explained the term "hutzpah" to me...
    A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
    That is hutzpah, and those two would be exhibiting quite a bit to sue the university.

  13. Re:Yeah... and? by darc · · Score: 4, Insightful

    That's exactly what they did. Sniff traffic. That's it. They didn't actively crack the system. Nor is this easy at all to defend from. It seems incredibly overblown, because all you need to do is use SSL to defeat this. They probably use switches already, but that doesn't stop ettercap.

    Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.

    --
    Tired of legitimate data sources? Try UNCYCLOPEDIA
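
Sniffing on a switched network with a tool like ettercap, as the comment above describes, normally relies on ARP cache poisoning, and that leaves a trace an administrator can watch for: an IP address suddenly answering from a different MAC, and one MAC answering for several IPs. The following is an added example, not part of the thread; the record format, addresses and function names are constructed for illustration.

```python
"""Flag likely ARP cache poisoning in a series of observed ARP replies."""
from collections import defaultdict

# Constructed sample, one observed ARP reply per line: time, sender IP, sender MAC.
# 10.0.0.1 plays the gateway; the format and all addresses are made up for this example.
SAMPLE = """\
09:00:01 10.0.0.1 00:11:22:33:44:01
09:00:02 10.0.0.23 00:11:22:33:44:17
09:00:05 10.0.0.42 00:11:22:33:44:2a
09:03:10 10.0.0.1 00:11:22:33:44:2A
09:03:10 10.0.0.23 00:11:22:33:44:2a
09:03:12 10.0.0.1 00:11:22:33:44:2a
09:03:40 10.0.0.1 00:11:22:33:44:01
"""


def parse(text):
    """Yield (time, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            # Normalise case so the same MAC always compares equal.
            yield parts[0], parts[1], parts[2].lower()


def detect(records):
    """Return alerts in the order they fire.

    ("rebind", ...) : an IP that was bound to one MAC now answers from another.
    ("multi", ...)  : a MAC has started answering for an additional IP.
    Either can be legitimate (DHCP reassignment, a failover pair, a multi-homed
    router), so treat them as leads; both at once on the gateway IP is the
    pattern a poisoned segment produces.
    """
    binding = {}                # ip -> last MAC seen for it
    claimed = defaultdict(set)  # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in records:
        old = binding.get(ip)
        if old is not None and old != mac:
            alerts.append((ts, "rebind", ip, old, mac))
        binding[ip] = mac
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append((ts, "multi", mac, tuple(sorted(claimed[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE)):
        print(alert)
```

The last alert in the sample is the real gateway answering again, which is why a flapping binding for one IP is worth as much attention as the first change.
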
  14. Re:Yeah... and? by Monkelectric · · Score: 4, Insightful
    "The police referred the matter back to the university, saying it was best dealt with internally."

    You know, with our whacked out legal system in the United States that sees enemies everywhere, the kids would have been sentenced to 10 years prison each for terrorism.

    I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.

    --

    Religion is a gateway psychosis. -- Dave Foley

  15. no shit. by twitter · · Score: 4, Insightful
    ... most of the shit is just because people are not security conscious.

    Obviously, now. Beforehand, how could they have shown it?

    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

    I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.

    Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.

    We shall see what happens to them.

    --

    Friends don't help friends install M$ junk.

  16. Re:Yeah... and? by boaworm · · Score: 5, Insightful

    You can't really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism" ?

    Journalists get far too much slack already, ranting around like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.

    What the kids SHOULD have done was to contact the principal's office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.

    --
    Probable impossibilities are to be preferred to improbable possibilities.
    Aristotele
  17. Re:Yeah... and? by Chitinid · · Score: 5, Insightful

    1. The fallacy here is assuming that the laws *must* be correct, and failing to consider what the purpose and the origin of the laws are. The laws are presumably there to protect everyone's rights. If everyone's breaking the law, what's the purpose of the law? Obviously either everyone has a double standard or thinks the law is silly. These "fundamental moral principles" you mention had better be supported by the masses, or they're elitist and don't belong in a social contract.

    2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, they deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.

    3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?

  18. Re:Yeah... and? by mpk · · Score: 4, Insightful

    "Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduating CS students they are very easy to replace at the drop of a hat."

    Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.

    Good academic sysadmins are actually pretty hard to come by. It's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.

    (disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)