Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.
This is probably the only time in peoples lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.
Its Uni - not a top secret government agency.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.
Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.
The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someones email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.
I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
--
The last digit of pi is four.
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more then likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.
As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.
E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....
:-)
:-)
I was just curious at the time
A day later I get a rather straighforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.
Well at least I found out that they were smart enough to change the password, and keep on eye on what people were trying to do
.... ... }
int main (void) {
It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime(that's defensible, in a way: some bugfixes have been known to the worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:
1) You can't force them to use secure transmission of all data
2) You can't force them to use secure transmission of YOUR data
3) You can't force them to follow best practices in the handling of all data
4) If you try to point out in a public fora, that their handling of your data is faulty in any way, you can be sued
But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.
Anyone notice how badly this deck is stacked yet?
The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expusion -- but how often do you see it reported to any kind of legal authority?
That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
What's going on ? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice : to study everything or just to prove himself capable. After each sucessful break in, the hole was patched and the network became more protected.
This is the proper way. But making the unprotected network and call police... it's a degradation.
This is the exact same reason why I love my provider. From their general conditions:
4.4 Without prejudice to article 4.3, customers are permitted to hack the
XS4ALL system.
The first customer who succeeds in attaining a position equivalent to that
of the XS4ALL system administrator will be offered six months' free use of
the system, provided that the said customer explains how he or she succeeded
in hacking the system, has not damaged the system or other customers and has
respected the privacy of other customers. Each customer hereby gives consent
for other customers to attempt to hack the system under the aforementioned
conditions.
Disclaimer: This opinion was created without the use of any facts