Slashdot Mirror


Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."


  1. Yeah... and? by Anonymous Coward · · Score: 4, Funny

    What appropriately aged Slashdotter hasn't hacked into their university or college's network?

    1. Re:Yeah... and? by Anonymous Coward · · Score: 5, Funny
      I got a two day suspension for it! (highschool)

      All I got was this stupid t-shirt.

    2. Re:Yeah... and? by Anonymous Coward · · Score: 2, Insightful

      Really, I did some ARP sniffing in a University of Michigan dorm. I made a slight boo-boo when forwarding the packets to the gateway, so the Cisco router somewhat exploded and began to actually physically kill the ports in the rooms, i.e., no green light when you plugged your comp into it. I thought it was funny that I somewhat destroyed the network completely on accident, absolutely no security, an ARP proxy would have solved the issue.

    3. Re:Yeah... and? by gilrain · · Score: 5, Insightful

      Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.

    4. Re:Yeah... and? by TeraCo · · Score: 5, Insightful
      Well.. this might seem obvious.. but it's because it's still illegal to break into other people's networks.

      Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.

      --
      Not Meta-modding due to apathy.
    5. Re:Yeah... and? by stor · · Score: 5, Informative

      Heh.

      I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.

      At uni a friend of mine ran some dodgy Novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".

      Somehow someone accidentally installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...

      We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.

      Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.

      What were these two plonkers trying to prove? The bleedingly obvious?

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
    6. Re:Yeah... and? by gilrain · · Score: 5, Interesting

      The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?

      That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...

    7. Re:Yeah... and? by cynic10508 · · Score: 4, Insightful

      If everybody broke into a network would it still be unlawful.

      Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").

      Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a damn is when the writer feels the issue is worth risking his liberty.

      I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damage, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.

      I hope the two students in question counter sue the university for lapse protection of their student records.

      Reminds me of when a professor of mine explained the term "hutzpah" to me...
      A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
      That is hutzpah, and those two would be exhibiting quite a bit to sue the university.

    8. Re:Yeah... and? by ZzzzSleep · · Score: 4, Informative
      Quoth gilrain
      That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
      I'm pretty sure they're not going to be prosecuted.
      From the Guardian article:
      "The police referred the matter back to the university, saying it was best dealt with internally."
    9. Re:Yeah... and? by darc · · Score: 4, Insightful

      That's exactly what they did. Sniff traffic. That's it. They didn't actively crack the system. Nor is this easy at all to defend from. It seems incredibly overblown, because all you need to do is use SSL to defeat this. They probably use switches already, but that doesn't stop ettercap.

      Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.

      --
      Tired of legitimate data sources? Try UNCYCLOPEDIA
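The comment above notes that switches do not stop ettercap; that is because ettercap's usual man-in-the-middle method is ARP cache poisoning, which a defender can spot passively. The following is an added example, not part of the original thread: it parses ARP payloads and flags an IP whose MAC binding changes and a MAC that claims several IPs. All addresses, the sample traffic and the names `ArpMonitor`, `build_arp` and `run_sample` are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"          # RFC 826 layout for Ethernet + IPv4
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP payload; used only to construct the sample traffic below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(sender_mac), socket.inet_aton(sender_ip),
                       to_mac(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa)


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen on the wire and reports suspicious changes."""

    def __init__(self, known=None):
        # 'known' pins bindings the admin already trusts (e.g. the gateway), so a
        # monitor started after poisoning began still notices the forged binding.
        self.ip_to_mac = dict(known or {})
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return []                      # truncated or non-IPv4 ARP: ignore
        _op, mac, ip = parsed
        if ip == "0.0.0.0":
            return []                      # address probe carries no binding
        alerts = []
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("binding-changed", ip, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        # Routers and multi-homed hosts can legitimately hold several IPs, so
        # this second signal needs an allowlist in a real deployment.
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-many", ip, mac))
        return alerts


# Constructed sample: documentation-range IPs, locally administered MACs.
GW, VICTIM, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:17", "02:00:00:00:00:42"
ZERO = "00:00:00:00:00:00"
SAMPLE = [
    build_arp(1, VICTIM, "192.0.2.23", ZERO, "192.0.2.1"),   # who-has gateway
    build_arp(2, GW, "192.0.2.1", VICTIM, "192.0.2.23"),     # genuine reply
    build_arp(1, ROGUE, "0.0.0.0", ZERO, "192.0.2.66"),      # address probe
    build_arp(1, ROGUE, "192.0.2.66", ZERO, "192.0.2.1"),    # ordinary request
    build_arp(2, ROGUE, "192.0.2.1", VICTIM, "192.0.2.23"),  # forged: gateway is-at ROGUE
    build_arp(2, ROGUE, "192.0.2.23", GW, "192.0.2.1"),      # forged: victim is-at ROGUE
    b"\x00\x01\x08\x00",                                     # truncated payload
]


def run_sample():
    monitor = ArpMonitor(known={"192.0.2.1": GW})
    alerts = []
    for payload in SAMPLE:
        alerts.extend(monitor.observe(payload))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A binding change alone can also be a replaced network card or a DHCP lease moving to another machine, so the two signals together on the gateway address are the stronger indicator.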
    10. Re:Yeah... and? by Monkelectric · · Score: 4, Insightful
      "The police referred the matter back to the university, saying it was best dealt with internally."

      You know, with our whacked out legal system in the United States that sees enemies everywhere, the kids would have been sentenced to 10 years prison each for terrorism.

      I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.

      --

      Religion is a gateway psychosis. -- Dave Foley

    11. Re:Yeah... and? by ScouseMouse · · Score: 4, Interesting

      Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduating CS students they are very easy to replace at the drop of a hat.

      When i was at collage, i remember a friend of mine came over, but needed to do some work. Now the work was a document on a server in Preston Polytechnic, so we tried to FTP it over to the local VAX. Eventually we just gave up because it wasn't working.

      Now we don't know exactly what happened, but next day i got an email from a very annoyed sysadmin for this system because we had caused some form of system failure by our actions. I think he called it a "Network breakthrough event" or something. Apparently somehow we had cacked their system in some way (I don't think it was permanent, or particularly serious). They were threatening to sue me and the guy involved.

      I sent them an email saying we only wanted to get some work off the server and promising never to go near their crappy system again.

      From what i found out later, the reason he was threatening me was because the Poly had recently promised someone doing some research that their system was safe and secure, and apparently something died (Probably the FTP daemon) when the guy was in the room. Very embarrassing. So of course it all got blamed on them nasty hackers. :-)

      I later found out exactly how flaky a default PrimeOs installation was in person, it always surprised me after that how anyone would ever dream of using it in a production system, but then again, being brought up on VMS and UNIX, i seem to have got the strange impression that more than 10 hours uptime in one stretch is my god-given right :-).

    12. Re:Yeah... and? by sotonboy · · Score: 2, Interesting

      "For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?"

      -- Well since you asked, we have some cretin in the UK who is suing his university after they kicked him out for plagiarising his entire coursework. He says the university wasn't clear enough that plagiarism wasn't allowed. It just goes to show what happens when your education system lets idiots go to university. And when your legal system allows idiots to sue.

    13. Re:Yeah... and? by shadowmatter · · Score: 2, Interesting

      Oh yeah, in University in 1995 we sent fake email between professors...

      Heh, speaking of forging e-mails from professors and university justice... That reminds me of a funny story:

      A friend of mine was teased relentlessly by a student in one of her classes about the professor liking her. The professor wasn't exactly young or attractive, and he was obviously doing this just to spite her, although it wasn't always in good fun. Anyway, in a move-gone-too-far, he decided to set up his Outlook e-mail client so that his name and reply-to address were those of the professor. He then proceeded to type her an e-mail, saying how he had the hots for her and whatnot.

      The problem was, he didn't type in her e-mail address correctly. And so her SMTP server bounced the e-mail back... To the real professor.

      Anyway, the prof contacted the University IT department, and I don't think that relentlessly teasing student goes here anymore.

      - sm

    14. Re:Yeah... and? by boaworm · · Score: 5, Insightful

      You can't really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism"?

      Journalists get far too much slack already, ranting around like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.

      What the kids SHOULD have done was to contact the principal's office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
    15. Re:Yeah... and? by Chitinid · · Score: 5, Insightful

      1. The fallacy here is assuming that the laws *must* be correct, and failing to consider what the purpose and the origin of the laws are. The laws are presumably there to protect everyone's rights. If everyone's breaking the law, what's the purpose of the law? Obviously either everyone has a double standard or thinks the law is silly. These "fundamental moral principles" you mention had better be supported by the masses, or they're elitist and don't belong in a social contract.

      2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, they deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.

      3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?

    16. Re:Yeah... and? by fucksl4shd0t · · Score: 4, Interesting

      My first school hack was a real hack. I was playing some BASIC game on the Commodore 64 in the library and I hit a bug that prevented me from winning the game. A real, live bug. So I listed the line, identified the bug, and started fixing it when the librarian walked up and asked what I was doing. She wound up calling my parents saying I was trying to rewrite the game so I could win, you know, cheating.

      My parents were cool about it. When I got home my dad asked me what had happened, and since I had previously saved the game to my own disk (we weren't allowed to do that...) and brought it home I fired it up and reproduced the bug for him. Then he watched me fix it, called the librarian and bitched at her, because it was a real bug.

      I got kicked off the computer in the library after that. No big loss, we had two of those machines at home and tons more stuff. ;) But I've had a severe prejudice against librarians ever since then...

      --
      Like what I said? You might like my music
    17. Re:Yeah... and? by andy+landy · · Score: 4, Interesting

      I'm a sysadmin for a UK university and it's certainly true that we have our own rules. For example, our AUP forbids the use of peer-to-peer software as it's easier that way. Anyone using it is in breach of the AUP, clean and simple. That way we avoid having to deal with legalities of copyright infringement etc.

      As for prosecuting students who hack the systems and networks, we take a different approach. Before I was a sysadmin, I was a student at the same University and certainly had a go at the systems (I found a way to get a setuid copy of bash), on telling the sysadmins, they fixed the security hole, but I got kudos and respect for finding the hole.

      The general policy is that our Computer Science students should be smart enough to root the systems, and if they manage it, so long as they don't abuse it and they report it quickly, then we are happy!

      --
      perl -e 'print "Just another Perl newbie\n";'
    18. Re:Yeah... and? by olderchurch · · Score: 5, Interesting

      This is the exact same reason why I love my provider. From their general conditions:
      4.4 Without prejudice to article 4.3, customers are permitted to hack the
      XS4ALL system.

      The first customer who succeeds in attaining a position equivalent to that
      of the XS4ALL system administrator will be offered six months' free use of
      the system, provided that the said customer explains how he or she succeeded
      in hacking the system, has not damaged the system or other customers and has
      respected the privacy of other customers. Each customer hereby gives consent
      for other customers to attempt to hack the system under the aforementioned
      conditions.

      --
      Disclaimer: This opinion was created without the use of any facts
    19. Re:Yeah... and? by mikael · · Score: 5, Funny

      That reminds me of an ultra-paranoid sys-admin we once had (the kind that makes Burt Gummer look like a Quaker).

      The sys-admin set up our CompSci server to log every command every user had made (lastcomm services). So one night, one student is waiting for the others in the group project team to arrive. Rather than constantly running between labs, he simply writes a shell script:


      # loop forever, listing the logged-in users every 10 seconds
      while true
      do
        who
        sleep 10
      done


      Harmless enough? After about 2-3 hours of use, the entire /var partition has been completely filled, which now jams the /var/spool print queue. A postgrad student attempting to laser-print a section of his Ph.D project finds that he can't, and in order to gather evidence against this denial of service attack prints the entire contents of the 'acct' file.

      Which burned up two large boxes of line printer paper. Needless to say, the sys-admin was furious and makes the student sign a form requiring him never to run an infinite-loop script without permission again.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    20. Re:Yeah... and? by ODD97 · · Score: 3, Insightful

      I think your post demonstrates a limit of the slashdot modding system... Should get a +10 Insightful, as far as I am concerned... and be moved up to the top of everyone's reply list. This is exactly where the students failed in their investigation.

      This is definitely not a case where it's "easier to ask forgiveness than permission."

      --
      The emperor is naked.
    21. Re:Yeah... and? by tiled_rainbows · · Score: 2, Informative

      Oxford University actually has its own magistrate's court which only tries students and fellows. And they have their own police. The Proctors, or something. I think they've got a few of their own laws, too. They're like some autonomous Burbclave in that Neal Stephenson book. They kick butt. In other words, don't mess with Oxford! I know this because a mate of mine was an undergraduate there and got fined for making prank calls.

      Please note, I'm only saying what is. I'm making no comment, either way, on the way things should be. So don't complain to me if you think this sounds like some kind of evil conspiracy or something.

    22. Re:Yeah... and? by Anonymous+Brave+Guy · · Score: 3, Funny
      Well since you asked, we have some cretin in the UK who is suing his university after they kicked him out for plagiarising his entire coursework.

      I thought the fantastic thing about that case -- assuming it's the same one I remember -- was that he was kicked out about two weeks before graduation, and was claiming that they should have detected his plagiarism earlier and thrown him out then, rather than ripping him off for three years' worth of fees first. Hey, at least if he flunks that course, with arguments like that he'll have a great career as lawyer.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    23. Re:Yeah... and? by julesh · · Score: 2, Funny

      I got thrown out of the school library for taking the mice apart to clean the balls.

      Of course, once people saw me doing that, everyone started taking the balls out and throwing them at each other...

    24. Re:Yeah... and? by div_2n · · Score: 3, Interesting

      I did almost the same thing for my college except I didn't admit to actually performing the hacking. I published HOW to hack the entire network, where to go and what software to get. For example, every Lexmark printer on campus was not password protected. By downloading the readily available Markvision management software, you could oh say change the LED display screen language to Mandarin.

      Among the big security problems were:

      -All students getting unfirewalled public IPs (I shit you not)

      -All servers having unfirewalled public IPs

      -E-mail hosted on old (probably unpatched) HP-Unix with the most basic of unshadowed DES passwords

      -NT servers (see above) without the latest patches

      When I contacted the IT department with comment on all of this prior to publishing, they said something like, "the average student doesn't know how to take advantage of all of those issues." That comment frosted me and prompted me to publish.

      The result? A firewall was installed in a matter of days and public IPs went private. Yes, I could have run any kind of server I wanted unhindered (and did) but I was concerned for the welfare of the students who would have their computers molested by crackers.

      Of course I later applied for a network admin job at the school upon graduating and didn't get the job so maybe that wasn't so smart. But I did get a better job instead. In fact, the job formerly held by the guy my alma mater chose instead of me. How's that for irony?

    25. Re:Yeah... and? by olderchurch · · Score: 2, Interesting

      But wait, there is more:
      XS4ALL fights spam
      and stands by their customer

      --
      Disclaimer: This opinion was created without the use of any facts
    26. Re:Yeah... and? by The+Grassy+Knoll · · Score: 4, Funny

      "When i was at collage"

      Art collage, presumably? ;-)

      --
      They will never know the simple pleasure of a monkey knife fight
    27. Re:Yeah... and? by Lumpy · · Score: 4, Interesting

      Good example, when I did freelance work I ALWAYS required 50% payment up front. and my expenses were split as product and labor. the up front pay's for labor only and the final payment at delivery was for the product (software, hardware, whatever) it was clearly written that way on the invoices.

      Once I went to deliver a software app, they did not have my money so I uninstalled it grabbed my stuff and started to leave. He threatened to call the cops, at which point I said, "please do, I would like to file a fraud report against you for trying to steal my software without paying for it." after some arguing, I picked up my cellphone and said, "fine I'll call the cops." at which point the customer magically was able to produce a check for me (Checks over $1000.00 are fine to take, it's a nasty felony that will get you thrown in jail for writing a bad check over $1000.00)

      I sat down and reinstalled, and gave them another invoice for 3 hours more labor to cover the BS they tried to pull.

      I later forced the jerk to pay me in small claims court for the final labor invoice.

      Never put in time-bombs. ALWAYS have them pay up front for labor and demand payment for the product at delivery. If the company will not do that, then don't work for them, there are plenty of companies out there that are not scumbags.

      BTW, after a few years of freelance, I learned that most companies in the area knew about the company that tried to screw me, they had a reputation of trying to steal from contractors.

      --
      Do not look at laser with remaining good eye.
    28. Re:Yeah... and? by div_2n · · Score: 3, Insightful

      Since you obviously aren't very well versed on security, I will help you.

      this is not a security hole

      Any unfettered access to ports that aren't being used IS a security disaster, period. Do some reading as I don't feel like teaching you all about it.

      I get an unfirewalled, public IP from my ISP.

      This practice by ISPs is one of the biggest reasons beyond Microsoft for the spread of Code Red, Blaster and all the other IP scanning worms/viruses out there.

      It is up to the student to make sure they're protected. If they can't do that (or pay someone to do it for them), then they shouldn't be online.

      The first sentence is ridiculous. I won't even delve into how ridiculous. But they DO in fact pay someone--the University. Every university I know of removes viruses and such from students' computers. They pay for that in their "technology fee" or whatever their school calls it.

      Um, firewalled servers with private IPs aren't exactly very useful.

      Here is a cluestick for you--NAT. Go look it up. Any network security admin worth one cent knows there is no reason to give the outside (or inside) world access to port 7754 or any other random unused port. There is no reason a web server should allow anything other than port 80 access and maybe a few others.

      Professors and students who live off campus might want to do work from home.

      Cluestick #2--VPN.

      How many people were running servers before that now couldn't?

      I bet dollars to doughnuts most schools out there specifically forbid that due to porn and all the other crap people would use it for. My school had a clause that the Internet was to be used for academic purposes only and any violations were grounds for revoking the privilege to use it. It is THEIR pipe and they can dictate how people use it.

      Putting up a firewall solves nothing

      I pray you are trolling and you don't really believe any of what you just said.

    29. Re:Yeah... and? by bfields · · Score: 2, Interesting
      -All students getting unfirewalled public IPs (I shit you not)

      A firewall makes a lame attempt to divide the network into an inside and an outside, under the assumption that attacks will come from the outside. But all it takes is for one machine on the inside to be compromised and that assumption is no longer true. Unfortunately, these days virtually all networks of any size have compromised machines: email and web browsing are sources of compromises, and firewalls don't block those; and lots of people use laptops on other networks as well, where they may have picked up something nasty.

      The advantages of firewalls are insufficient to outweigh the disadvantages of not having a real public IP.

      --Bruce Fields

    30. Re:Yeah... and? by andy+landy · · Score: 2, Interesting

      So your computers do not "talk" to each other to any other computer...

      Fine, be pedantic... To clarify things, our AUP has a blanket ban on "Peer to peer file transfer software, such as KaZaa, WinMX, eMule, BitTorrent etc...". Yes, perhaps you could claim that everything that runs on Ethernet is "Peer to peer", but that's just being difficult.

      If you look at the Janet AUP (UK academic network), you'll see that "Non-academic use is not permitted", so technically our students aren't even allowed to email their folks! Of course, we don't enforce things to this level, but you started the pedantry :D

      --
      perl -e 'print "Just another Perl newbie\n";'
    31. Re:Yeah... and? by lordmage · · Score: 2, Funny

      Hacking and getting a setuid bash is easy. Ahh the stories we can tell from our days.. keystroke loggers, replacing ls, intercepting Chats.. making GIF do what we need.

      Darnit, got me all misty eyed.

      The real trick was that one student hacked the system and his reward? He got to become System Administrator.

      Universities encourage exploration. That's the great thing.

      --
      I can program myself out of a Hello World Contest!!
    32. Re:Yeah... and? by div_2n · · Score: 2, Informative

      Not true. A well designed firewall has multiple segments amongst which one should be where public servers and servers only are positioned. The access rules to them applies the same to the inside as well as the outside with the exception to network services which should be on their own segment and have only inside access with potentially its own firewall in case the public one is compromised.

      Firewalling is not insufficient if done correctly.

    33. Re:Yeah... and? by mek2600 · · Score: 2, Funny

      I got an A for it. Not that the teacher was aware of the fact, though.

    34. Re:Yeah... and? by cynic10508 · · Score: 2, Informative

      You state that as if it were an easily proved result, rather than the subject of many of the most heated debates of modern philosophy.

      Correct. I take a Kantian approach to ethics though.

      The general consensus is that morality is at least partially subjective. It is certainly true that there are many different moral systems throughout the world and the question of who can say which are 'right' and which are 'wrong' with authority is at least a difficult one to answer convincingly.

      An over-simplification of the argument would be that if you believe one absolute moral principle you're a moral absolutist. To be a relativist, everything has to be relative. Basically, yes, other cultures can be morally wrong. I don't remember the entire argument but I'll point to Peter Kreeft's "A Refutation of Moral Relativism".

      You also assert that the laws against trespass are a fundamental moral principle, while many cultures do not in fact have such a principle. In fact, the closest there is to a fundamental moral principle is "don't kill your friends (unless they want you to)", and I believe that even that isn't universally applied.

      It goes back to my support of Kant and his deontological moral theory. Again, to over-simplify, Kant asks, "Can you act in such a way that if everyone acted that way it'd still work?" For instance, take the ancient Inca-type cultures of South America. I think it's difficult to say that it was ok for them to commit human sacrifices.

      That said, the law is absolute (at least in most respects). This means that it is an attempt to write regulations that enforce "moral" behaviour (for some particular value of "moral" that is quite hard to decide). Of course, it is imperfect, as all such attempts must be -- at the very least the people deciding what is "moral" will change, and with them the definition of morality that is being used as the guide. In any modern society there is a very wide range of different moral beliefs. The law cannot encompass all of them.

      I just got done studying Levi's circularity of law idea. Laws can be based on either previous cases or fundamental principles. Those based on cases are circular and will break down over time while those based on principles are far more robust. And the law shouldn't be made to encompass everyone's moral beliefs because not everyone is morally right. I don't want the laws I live under to be accepting of the John Wayne Gaceys or Ted Bundys of the world.

    35. Re:Yeah... and? by NeonSpirit · · Score: 2, Interesting

      When I was at University, some time ago now, we had two computing facilities, and therefore two policies.

      Computing services was used by the entire campus, maths, engineering, chemistry etc. The security policy here was quite tight, you could do what you wanted, but if you found a hole report it. If you do any damage you will be expelled. We had a very good relationship with the sysadmin, to the extent that he let us use and explore new systems before they were given to the general population. In this way we could find holes and exploits before any reliance was placed on the new facilities.

      Computer science had a much more slack security policy, only computer science based students had access. Here you could again do what you like, but if you caused any damage the sysadmin would make it public and let your peers deal with you. This was incentive enough, believe me.

      --
      I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.....my life is my own.
    36. Re:Yeah... and? by mpk · · Score: 4, Insightful

      "Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduating CS students they are very easy to replace at the drop of a hat."

      Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.

      Good academic sysadmins are actually pretty hard to come by. It's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.

      (disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)

  2. Are there any adults in the house? by erick99 · · Score: 5, Insightful
    If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration. They could have taken the information to the school and if the school ignored it they could have then published an article. They did call the school for comment but it was clear they were going to publish so that didn't afford the school a chance to remedy the problem. I think they were more interested in an article that would generate a lot of excitement and make them look good. I don't buy their arguments about doing all of this in the best interests of the school. I believe they had their own best interests at heart. I can't say I think much more of the administration in their handling of the matter either. There is a lot of ass-covering going on here and I don't see anybody handling this like adults except for the police who acted quickly and appropriately. Jeeze, what a mess.

    Cheers!

    Erick

    --
    http://www.busyweather.com/
    1. Re:Are there any adults in the house? by gooman · · Score: 4, Insightful

      I completely agree.
      But the administration should get past the embarrassment and call off the cops.
      In the BIG picture, they have been done a favor.

      --
      "Kittens give Morbo gas!"
    2. Re:Are there any adults in the house? by erick99 · · Score: 5, Insightful
      The police referred it back to school as a matter that should be handled "internally." I do agree with you though, they did not need to involve the police. While I think the students were very misguided and out to make a name for themselves, they did not need to involve the police. The students were not malicious, simply self-serving.

      Cheers!

      Erick

      --
      http://www.busyweather.com/
    3. Re:Are there any adults in the house? by Anonymous Coward · · Score: 3, Insightful

      Right, security by obscurity. What a great idea.

      How many times do we have to go over this? The way to make things secure is NOT by hiding information, but by publicizing it as quickly as possible so that everyone can know that there is a problem and get on fixing it. These students are heroes, not criminals. They did the university a service and should be rewarded for what they did. Instead of hiring security consultants to figure out what's wrong with the network, these students did it for free. It's an indication of how the priorities of these places are reversed that the students are now in trouble. Embarrassing the administration is exactly the right thing to do. Don't want to be embarrassed? Then use open source software and publicize any security holes so they can be fixed.

      "Adults" -- indeed. The only adults here are the students.

    4. Re:Are there any adults in the house? by erick99 · · Score: 2, Insightful
      I will continue to teach my children how to be socially responsible as well as how to give people a chance to remedy a problem before publicly humiliating them. That's what adults do. I also understand that you have a different point of view and while I don't agree with it, I certainly can allow room for it.

      Erick

      --
      http://www.busyweather.com/
    5. Re:Are there any adults in the house? by pbox · · Score: 5, Funny

      Well, it's still better than here in the US. This would most definitely end up being a clear-cut terrorism case. These two guys would already be working on their tan in Gitmo. In about 3-5 years after a lengthy legal process involving the US Superior Court, they will be allowed to proceed with their legal defense, which of course will be completely torpedoed by the fact that the prosecution will introduce any and all evidence as "top secret", so the defense team will not be able to counter any of them. They will serve 30 years, in solitary confinement.

      --
      Code poet, espresso fiend, starter upper.
    6. Re:Are there any adults in the house? by Goonie · · Score: 3, Insightful

      These people were investigative journalists (or playing at being investigative journalists, at least). Journalists don't sit on stories and wait for the powers that be to fix them on the quiet. It's not their job. Their job is to find stuff of concern out and publish it as widely as possible. And, generally, it is in everybody's interest to have maladministration reported widely. It tends to act as a strong disincentive to anybody else that might be tempted.

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
    7. Re:Are there any adults in the house? by DrMrLordX · · Score: 5, Insightful

      I can't say that I agree completely. This reminds me all too much of a small "controversy" that went on in my highschool alma mater here in the States. Several members of the school's newspaper staff uncovered information regarding the existence of a peculiar group within the school known as the "Cotton Club" (as I recall) whose purpose was unclear, but which contained members from both the student body, alumni, and supposedly trustees who were all male, white, and rather racist. The only known function of the group that I can recall was that there was a great deal of consumption of alcohol involved. They probably did some other dull things.

      Anyway, the school newspaper staff (full of multicultural liberals) found the existence of this Cotton Club to be horrendous and wished to investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.

      In other words, there was a secret club in the school that contributed to the delinquency of minors (as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club (which is what they should have done).

      The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper (why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and Waite investigated, reported their findings to the University, and were slapped in the face and told that they may have committed a crime. Mind you that, reportedly, this happened BEFORE the article was published.

      What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:

      1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".

      2). Someone, or several someones, within the university staff may have been exploiting the security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.

      Whatever the reasons may be, Foster and Waite obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.

      Or maybe not. Hard to tell with the details in the linked articles.

    8. Re:Are there any adults in the house? by perlchild · · Score: 5, Interesting

      It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime (that's defensible, in a way: some bugfixes have been known to be worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:

      1) You can't force them to use secure transmission of all data
      2) You can't force them to use secure transmission of YOUR data
      3) You can't force them to follow best practices in the handling of all data
      4) If you try to point out in a public forum, that their handling of your data is faulty in any way, you can be sued

      But you can't sue them UNTIL your information is in the hands of someone who uses it illegally.

      Anyone notice how badly this deck is stacked yet?

    9. Re:Are there any adults in the house? by _Sharp'r_ · · Score: 2, Insightful


      I don't buy the "cheaper computer set-up" excuse.

      They probably didn't even bother to turn on the security features of what they had. It's not likely a hardware problem.

      I mean, passwords being sent in the clear. That sounds like a software issue to me and there aren't very many pieces of current software that you can turn on SSL at least for something like that.

      Basically the budget excuse is being used to cover up for some admins who didn't know (or care) what they were doing when they set the stuff up.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    10. Re:Are there any adults in the house? by cynic10508 · · Score: 2, Insightful

      I completely agree. But the administration should get past the embarrassment and call off the cops. In the BIG picture, they have been done a favor.

      Even if you ignore the embarrassment, what favor have the students done? They broke into the network and trespassed. Even if they had fixed the security holes that let them get in you've committed yourself to a slippery moral slope of where you do draw the line? Can everybody hack everybody else's computers without permission to fix whatever they deem to be a security hole?

    11. Re:Are there any adults in the house? by alstor · · Score: 3, Interesting

      If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration.

      Best interest of the school, or of the students?

      Have you ever happened to try reporting security issues to a school? I have--the grades database server at my old high school was insecure (no sa password on the sql server). After I reported the issue to the superintendent, the entire IT department, several teachers, and an assistant principal, it took the IT guys 4 months, just to set a password. A local malicious attacker was unlikely, but a worm or outside attack was surely possible. Sure, my high school isn't Oxford, but an increased time delay for such a simple fix at my school, in comparison to a more complicated for a larger institution like Oxford, could be understandable. If I had perhaps reported it to the school newspaper, the issue would probably have been resolved more timely because students' grades were in jeopardy, and a larger community knew it. Groups create more action than a single person creates, just look at how well lobbying works.

      Sure, the two students are probably in more trouble now than they would have been, but the issues are now probably being resolved more quickly.

    12. Re:Are there any adults in the house? by cavebear42 · · Score: 4, Insightful

      The budget is a very valid claim. The most expensive part of running a successful network is not good hardware, it's competent professionals. Hell, even a slacker who just came outta high school and has no experience costs more in 1 year than a server which you will use for 3-5 years.

      Budget is the primary reason on all networks for failed security practices.

    13. Re:Are there any adults in the house? by sunnytzu · · Score: 5, Informative

      You're completely right. I was at Oxford when this incident occurred, and I'm appalled that the Guardian and BBC News have bought into this flagrant piece of self-promotion. From what I know of the story there was no attempt made to liaise with the University Computer Services to rectify this problem before they published the information in the paper. Unfortunately people involved in student journalism, particularly at Oxford in my experience, are only interested in bolstering their CV so that they can land a job at a British national newspaper. This means that they will do anything to promote themselves without any real thought for the consequences.

    14. Re:Are there any adults in the house? by pjt33 · · Score: 2, Insightful

      At least it has some news content. Remember three or four years ago when a Cambridge student newspaper article whose content was essentially "Cambridge student gets drunk" made it to the national press?

    15. Re:Are there any adults in the house? by PybusJ · · Score: 3, Insightful

      Although it would be hard to judge from the way this has been reported in the media, student and national, your speculation about the covering up of security flaws, known or unknown, is wide of the mark.

      In fact, they didn't uncover any major security flaw which the University IT support were unaware of. As I understand it, some traffic was sniffed on an old unswitched hub. I believe, the last one in use at that college, and which was scheduled to be replaced with switched connections. Though that hadn't yet been implemented partly due to the budgetary constraints mentioned in the article. Even with a switched network people playing games with ARP can sniff traffic, though at least that's an active attack which can be detected by diligent admins.

      Lo and behold, when the students looked at the traffic they found IM content being sent in the clear and a whole lot of Outlook users collecting their mail by POP/IMAP rather than IMAPS. This is no surprise to anyone in IT support though it may well have shocked some of the more clueless users.

      This is certainly against the University's computer use policy, and as such they are being investigated by the Proctors. They do have the authority to suspend students' access to University buildings and facilities (or Rusticate them, in local terms), but as far as I know no decision on what sanction, if any, they will face has been reached.

      IT staff at the University do try to keep users informed about network security, and students are told to use secure methods to access email servers, but obviously more education could always be done. Much effort has been needed recently in keeping Windows users up to date with security patches, and AV software. The more effort is spent on communicating these matters the less attention students have left to listen to more general security messages.
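
The comment above notes that ARP games on a switched network are an active attack that diligent admins can detect. As an added example (not part of the thread or of any poster's code), here is one way to implement that detection passively: track IP-to-MAC bindings and flag changes. The log format, the pinned gateway table, the threshold and all addresses are assumptions constructed for illustration.

```python
"""Passive ARP monitoring logic: flag IP-to-MAC bindings that change or collide."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed observations, not captured from any real network.
# Assumed format for this example: "<seconds>,<op>,<sender_ip>,<sender_mac>"
SAMPLE_LOG = """\
0,reply,192.0.2.1,00:00:5e:00:53:01
2,request,192.0.2.23,00:00:5e:00:53:23
5,reply,192.0.2.42,00:00:5e:00:53:42
30,reply,192.0.2.1,00:00:5e:00:53:66
31,reply,192.0.2.23,00:00:5e:00:53:66
32,reply,192.0.2.1,00:00:5e:00:53:01
33,reply,192.0.2.1,00:00:5e:00:53:66
bogus line
"""

# Assumed known-good binding for the gateway, maintained by the admin.
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str   # pinned_mismatch | binding_change | multi_takeover
    ip: str
    mac: str
    detail: str


def parse_line(line):
    """Return (ts, op, ip, mac), or None if the line is malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    ts_s, op, ip_s, mac = parts
    mac = mac.lower()
    try:
        ts = float(ts_s)
        ip = str(ipaddress.ip_address(ip_s))
    except ValueError:
        return None
    if op not in ("request", "reply") or not MAC_RE.match(mac):
        return None
    return ts, op, ip, mac


def analyze(log_text, pinned=None, takeover_threshold=2):
    """Return (alerts, skipped_line_count) for a block of ARP observations."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    bindings = dict(pinned)        # last trusted MAC seen for each IP
    takeovers = defaultdict(set)   # MAC -> IPs it claimed from another owner
    flagged = set()                # MACs already reported as multi_takeover
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ts, _op, ip, mac = rec     # requests and replies both carry a sender pair
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac     # first sighting: learn it
            continue
        if known == mac:
            continue
        if ip in pinned:
            # Never overwrite a pinned entry; every conflicting claim is reported.
            alerts.append(Alert(ts, "pinned_mismatch", ip, mac, f"expected {known}"))
        else:
            # A single change can be benign (new NIC, reassigned lease).
            alerts.append(Alert(ts, "binding_change", ip, mac, f"was {known}"))
            bindings[ip] = mac
        takeovers[mac].add(ip)
        if len(takeovers[mac]) >= takeover_threshold and mac not in flagged:
            flagged.add(mac)
            claimed = ", ".join(sorted(takeovers[mac]))
            alerts.append(Alert(ts, "multi_takeover", ip, mac, f"claims {claimed}"))
    return alerts, skipped


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG, PINNED)
    for a in found:
        print(f"t={a.ts:>4} {a.kind:<16} {a.ip} -> {a.mac} ({a.detail})")
    print(f"skipped {bad} malformed line(s)")
```

One MAC taking over both the gateway and a client address is the pattern worth escalating; an isolated `binding_change` usually only needs a look.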

    16. Re:Are there any adults in the house? by Mr+Smidge · · Score: 2, Interesting

      Disclaimer: I am an Oxford student.

      When I read this article for myself, my thoughts were "Ah, good. They are making it more apparent that every system can have flaws and weaknesses if not set up and maintained properly", but the article generally came over as making it rather sensationalist that such a thing would be possible on the Oxford network.

      I was composing a letter to write in to the editor about similar weaknesses I had found but not ever dared to tell people about (almost entirely cases of not changing the default password), in which I pointed out that it's most likely that tons of networks are insecure in the same way, but people just don't find out that often.

      However, I then saw a small article in Oxford's rival student newspaper (The Cherwell), saying that these two students who wrote the article were being investigated by the proctors. I quickly decided not to submit my letter, though on reflection, maybe an anonymous submission might have been worthwhile sending.

      I agree with Pat Foster, who said: "I regret the fact that the university's priority seems to be pursuing Roger and myself, rather than addressing the issues we raised."

    17. Re:Are there any adults in the house? by bobbis.u · · Score: 2, Funny
      This never would have happened at Cambridge.

      We produce fine, upstanding journalists like Paxman.

    18. Re:Are there any adults in the house? by fulldecent · · Score: 2, Insightful

      And that's how it should be.

      It's because $COMPANY shouldn't be getting sued due to a speculative case of neglect. Specifically they shouldn't be liable for damages that could happen because they chose to use $SECURITY_MEASURES instead of $PUBLICLY_ACCEPTED_SECURITY_MEASURES.

      If your twisted world was the case, all companies using Linux would be sued when NETWORK($LARGE_COMPANY && $POLITICAL_BACKING) spends RAND(10)*10^RAND(4,5) dollars on a marketing campaign that "proves" by "independent study" that $POPULAR_SECURITY_METHOD is better than $LINUX_SECURITY_METHOD. All companies will be forced to use $POPULAR_SECURITY_METHOD in fear of getting sued.

      Now, furthermore, if $LARGE_COMPANY decides to milk the fear FWIW then whenever $POPULAR_SECURITY_METHOD[DATE()] comes out and it is marketed, they [find someone] to sue a company using $POPULAR_SECURITY_METHOD[DATE()-1] and scare everyone else into upgrading.

      --

      -- I was raised on the command line, bitch

    19. Re:Are there any adults in the house? by Anonymous+Brave+Guy · · Score: 2, Insightful

      You do know that the open source doesn't provide any extra guarantees, right? And that, for example, the recent Mozilla security weaknesses were known about (at least in a related form) two years ago but left unfixed? Get off your damn "Open Source R0x0rz" high horse and live in the real world, FFS. Mindless rants like yours do neither the OSS world nor the computer security world any favours.

      I don't know what's sadder: the fact that you're posting a standard-yet-incorrect Slashbot cliche (as if security through obscurity doesn't help to protect vast amounts of information in numerous fields throughout the world); the fact that several people clearly bought it enough to mod you up; or the fact that you gave yourself away as a pro-OSS zealot right at the end there. I'd mod you (-1, Troll) if I weren't posting in this thread.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    20. Re:Are there any adults in the house? by Anonymous+Brave+Guy · · Score: 2, Informative
      Anyone notice how badly this deck is stacked yet?

      You obviously haven't.

      Sending confidential information across any network unencrypted is idiotic, and if you choose to do it, that's your look out. That deals with the secure transmission of your data bit.

      As for any information about you that should remain confidential, anyone in the UK holding personally identifiable information must take reasonable steps to ensure it is stored and processed securely under the Data Protection Acts (unless they are exempt, and there's no reason university administrations would be AFAICS). If that's not happening, the Information Commissioner can make their life very unpleasant on your behalf. This does not require the information actually to be compromised, only the steps taken to protect it not to be sufficient.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  3. "How I Rooted Oxford University" by aardvarko · · Score: 5, Funny

    ... a.k.a. A Beginner's Guide to tcpdump and ettercap

  4. 500 pound fine? by Anonymous Coward · · Score: 5, Funny

    Now that is a heavy fine.

    1. Re:500 pound fine? by nacturation · · Score: 4, Funny

      Now that is a heavy fine.

      In Oxford, they call it the "Sisyphus Punishment".

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:500 pound fine? by Brandybuck · · Score: 5, Funny

      In Oxford, they call it the "Sisyphus Punishment".

      For those of you that want to Cambridge this is a reference to rolling a heavy stone uphill over and over.

      --
      Don't blame me, I didn't vote for either of them!
    3. Re:500 pound fine? by martinX · · Score: 5, Funny

      Once the UK goes REALLY metric, it will be a 226.7962 kg fine.

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    4. Re:500 pound fine? by Anonymous Coward · · Score: 5, Funny

      Those of us who attended Cambridge can actually spell "went".

    5. Re:500 pound fine? by PedanticSpellingTrol · · Score: 2, Interesting
      Honest to god, I've seen a physics textbook in the Clemson University library that wanted the answer to an acceleration problem given in Angstroms per (Carbon-13 Halflife)^2. I can't recall the author, but it was in the "Physics is Fun!" series.

      Nice work alluding to comments from an earlier story, BTW. I wonder who else noticed?

    6. Re:500 pound fine? by STFS · · Score: 2

      Wouldn't the appropriate "punishment" for them be to sentence them to do "campus work"? That is, fix the security holes in the network or maybe rather write a HOWTO for the IT guys on the subject.

      --
      You don't think enough... therefore you better not be!
  5. Oxford Loses Out by mfh · · Score: 5, Insightful

    The school is feeling embarrassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

    From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?

    These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.

    Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Oxford Loses Out by sirsnork · · Score: 4, Interesting

      The multiple-PHD Admin certainly knows it, and has likely been voicing his concerns for some time. Unfortunately the way the world works is that if it ain't broke, don't fix it. I imagine said admin(s) will now get the money they require to resolve the problem properly, otherwise Oxford risk more students doing this in 12 months' time and looking even more silly.

      --

      Normal people worry me!
    2. Re:Oxford Loses Out by jhunsake · · Score: 2, Insightful

      The only problem with allowing this behavior is that you open yourself to more cracking attempts, including more fierce ones. The crackers know that they could just say they were writing a newspaper article if they were caught.

    3. Re:Oxford Loses Out by cmallinson · · Score: 5, Insightful
      They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

      I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?

    4. Re:Oxford Loses Out by Klebz · · Score: 2, Insightful
      In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.'

      Right, so when my billing information and network passwords are being stored, it's ok to cheap out. Come on, it's ok to use cheaper network equipment, but how many times do we need to stress the security of private information, often of which is vital. Now the students whose information would have been on that system was also violated and exposed. Why not just take the money to prosecute them and, I don't know, secure a few servers.

    5. Re:Oxford Loses Out by Anonymous Coward · · Score: 2, Insightful
      They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

      They have no legal right to do so. If they really wanted to do this, what they should have done is broken into each other's accounts, with the other person's permission. That would bypass the "unauthorized access" issue as far as school policy goes, and possibly kept them out of a lot of trouble with the law too. It's still a grey enough area that they would take a lot of crap over it, but ultimately they would probably win out because it's a gray area.

      Face it. These kids were beginning script kiddies who were just out to prove how much smarter they were than the IT staff at their University. Mostly what they managed to do was to piss off the higher ups who actually wield the power at the University. What a brilliant plan... Dumbasses.

    6. Re:Oxford Loses Out by Smitty825 · · Score: 4, Interesting

      Maybe my memory is foggy, plus, I realize that the incident occurred at Oxford University, which is in the UK, not the US, but.... (Is that enough of a disclaimer?)

      I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

      If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google :-)

      --

      Doh!
    7. Re:Oxford Loses Out by 0racle · · Score: 2, Insightful

      How is this insightful? Whether you're a student, a journalist or a bum, if you do something illegal, you better be prepared for the consequences. If they thought they were going to get off scot-free, well it's about time they entered the real world isn't it.

      The student body does have a right to take action on the insecurity of the network, but through official channels. The administration may not be forthcoming with the information or quick to act on it, but that still does not give the students the right to circumvent the law. Britain has some really paranoid privacy laws, so if Oxford is so reluctant to fix potential problems or even refuses an audit that the student body could request, chances are Oxford is now breaking some of those laws, and that will bring changes, and all of this still through legal official channels.

      Calling someone or yourself a 'white-hat' hacker does not magically put you above the law.

      --
      "I use a Mac because I'm just better than you are."
    8. Re:Oxford Loses Out by Usquebaugh · · Score: 4, Insightful

      ILLEGAL is that bad or just ILLEGAL?

      For christ sakes it's just a law, you know those man made things. Usually written to protect the people with money. It's not like there's anything special about them. In fact every so often they get changed what was legal is now ILLEGAL and what was ILLEGAL is now legal.

      But I guess writing ILLEGAL in big letters makes it in some way important.

      The only problem with my view point is that the people who write and enforce the law know it's a pile of shit but they get really ticked off if anybody outside the club explains this to them, they get doubly annoyed if said person is addressed as the accused and happens to be explaining as to why he should not have to pay a fine for drunk and disorderly. They usually start shouting about contempt and 30 days and stuff like that. I find it best to shut up in those situations.

    9. Re:Oxford Loses Out by FeloniousPunk · · Score: 2, Insightful

      I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

      That sounds very dubious to me. Do you have a source for that?

      --
      I know this because Tyler knows this.
    10. Re:Oxford Loses Out by rriven · · Score: 2, Insightful
      The school is feeling embarrassed, and vengeful

      After my so called friend told my high school that I had cracked the passwords for the school and district (they used Windows 2000 and the admin account password was the district admin password, how stupid), they expelled me and told the police, who charged me with a felony, "Unauthorized access to a protect computer network". Luckily it was my first offense so I was put on probation and had to pay 600 dollars, write a formal letter apologizing and write a 5 page paper on "Computer Crime and their cost to Society". All I did was get the passwords, log on, log off. End of story, so yes they do tend to overreact.

      --
      Dan
    11. Re:Oxford Loses Out by EvilTwinSkippy · · Score: 3, Interesting
      Actually, no. There is no such exemption. There never was such an exemption. A journalist reporting the event might try to claim the 5th Amendment (right to not testify against oneself). If he got the gun past security, and was the sole witness to his crime, he would get off on a technicality. There was no crime since he would be the only person to testify for the prosecution (and anyone who read the account in the news would be inadmissible as hearsay.)

      If the airport screeners actually found the gun, he would be breaking rocks in a federal pen.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  6. *Yawn* by OverlordQ · · Score: 3, Insightful

    Move on. How many stories have there been on slashdot of this exact same thing happening?

    A works for/goes to/etc B.
    A finds exploit in B's Systems
    A exploits systems.
    A finally gets around to telling B.
    A gets in trouble for violating laws and/or rules of B.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:*Yawn* by atlantis191 · · Score: 5, Funny

      Forgot one:

      SCO sues B

  7. The worst part... by oiper · · Score: 4, Insightful

    .. has to be having the police handle a situation that they don't understand.

    --
    What do I have to do to get a sig around here?! www.bearscanfly.org
  8. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  9. couldn't the newspaper be anonymous by samot84aol.com · · Score: 3, Interesting

    Why did they use names in the paper--they could have used an anonymous source.

  10. kebabs and bon jovi by lovecult · · Score: 5, Funny
    ...spurred on by Bon Jovi's Livin' on Prayer, they did more research

    They should be damn well "rusticated" for their taste in music alone!

  11. Aargh, again with the confusion. by randyest · · Score: 4, Interesting

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do :)

    The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.


    How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right? ;)

    It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."


    Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.

    --
    everything in moderation
    1. Re:Aargh, again with the confusion. by robolemon · · Score: 2, Insightful
      It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
      It seems to me that unless his password changes every minute or so this tactic will prove useless!

      I wonder if it's something as simple as unencrypted passwords going over a wireless network or some nonsense like that.

      --

      I design user interfaces for a free network management application,

    2. Re:Aargh, again with the confusion. by thesp · · Score: 5, Informative

      Good lord, I can't read this thread any longer.

      I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.

      There are 3 important points that most people have failed to recognise. Many of them have to do with the fact that the colleges are more or less partly-autonomous entities.

      1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.

      1a) same goes for the departments and faculties.

      2) there is the OUCS network, linking the colleges and departments to each other and JANET

      3) oucs also provides services, e.g. .ox.ac.uk DNS, herald email, HFS backup, site-license software, training, etc. etc. etc. OUCS also run the University level (ox.ac.uk) firewall. They also advise the colleges on network security.

      Now, of the various problems observed here, three are pulled out as particularly noteworthy.

      1) email passwords stolen.

      Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webmail.ox.ac.uk which requires https. They kept herald on as a legacy service for a month or two to allow people to transition. It was at this point the report was published, as the accounts were opened. The flaw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).

      2) msn messenger conversations listened to

      MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's not the university's fault. This is made clear here. These same students ALREADY have pretty private/personal/embarrassing conversations shouted at 3am in the morning in Radcliffe Square!

      3) CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (I'm sure) will be dealing with the company.

      Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad.

      So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.

      Move along please, nothing to see..

  12. Get permission! by Sowelu · · Score: 5, Informative

    This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.

    1. Re:Get permission! by Hatta · · Score: 2, Insightful

      And when that permission is denied because they know their security is worthless?

      --
      Give me Classic Slashdot or give me death!
    2. Re:Get permission! by Artega+VH · · Score: 2, Interesting

      what university did you go to? my uni newspaper is hated by the administration.... so much so that there are now two.. the student one and the one put out by the administration :p

      --
      groklaw, wired and slashdot. The holy trinity of work based time wasting.
  13. what they could have done... by tisme · · Score: 5, Informative

    They could have asked for permission to attempt to hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.

  14. Re:They shouldnt be punished.. by MrRTFM · · Score: 5, Interesting

    Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.

    This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.

    It's Uni - not a top secret government agency.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
  15. academic freedom by havaloc · · Score: 4, Interesting

    While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security on a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
    When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.

  16. ..Well by SinaSa · · Score: 5, Interesting

    Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

    The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

    I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.

    --
    The last digit of pi is four.
  17. Bullshit. by Crasoum · · Score: 5, Interesting

    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

    In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

    As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.

    E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.

    The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.

  18. Rule of Law by konekoniku · · Score: 5, Insightful

    Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
    What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
    Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.

    1. Re:Rule of Law by konekoniku · · Score: 2, Insightful

      And hacking is clearly a violation of the law. The police simply felt internal remedies was a better solution. That's something for them to recommend, but that doesn't change the fact that the law was broken.

  19. They deserved it by 0x0d0a · · Score: 2, Insightful

    Really, they broke the law for a sensational story for which they could have written a less interesting story without the privacy violations. I don't consider them to have a "journalistic duty to society" justification.

    I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.

    On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree ... the admins should get chewed out), would have gotten their story, and so forth. Oh, and this assumes that they notified the admins far enough in advance of their publish date that the problem could be *fixed* before all the students at the university were told about it -- unlike the Manhattan Project, where a couple more guards can just be rolled out or reassigned from another location temporarily, it may take a bit to test software changes before a rollout is appropriate.

    Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.

  20. root/root by codeonezero · · Score: 5, Interesting

    Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

    I was just curious at the time :-)

    A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

    Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do :-)

    --

    ....
    int main (void) { ... }

    1. Re:root/root by TrevorB · · Score: 3, Interesting

      Are you sure that they didn't change the "root" user account to something else, and left the login id "root" as a honeypot to watch for hackers?

      The fact that they responded the next day indicates they were watching rather closely. Log watching is not something you expect from sysadmins who don't change their passwords.

  21. Gratuitous Karma Whoring ~or~ The Complete Article by Anonymous Coward · · Score: 2, Informative

    University IT network wide open to hackers

    Email passwords and MSN Messenger Conversations easily accessible.
    CCTV networks can be compromised.
    University says colleges' drive to cut costs could compromise security.

    Computer networks across the University lie wide open to hackers, due to serious failings in IT security provision.

    An investigation by The Oxford Student has learnt that CCTV cameras, email passwords and MSN Messenger conversations can be compromised with ease by members of the University with only a modicum of technical knowledge, jeopardising the privacy and safety of students and dons alike.

    It is understood that by using software that is freely and easily accessible over the internet, every student has the power to snoop on the MSN Messenger conversations of others or infiltrate their Webmail account. More advanced users can even tap into college CCTV networks, with the possibility of disrupting the entire system, forcing colleges into total security blackouts.

    A University spokesperson told The OxStu: "In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security." Just how low the security across the University has now become clear.

    Access to the video-streaming of CCTV footage of College A was easily available, pictured right, and cameras across the College could be taken down at the touch of a button. One student who appeared in security footage accessed said: "As well as understanding the security implications, it was personally shocking and especially worrying."

    As such networks are put in place to safeguard the security of College members, the fact that they can be easily bypassed should send a serious message to staff responsible for their upkeep.

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.

    It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."

    Likewise at College C a first year student's Webmail password was obtained. The student told The OxStu: "I'm outraged. I've personal as well as employment and academic related information in my account, which is private." College B's IT Officer said: "There is a rolling programme to upgrade [the network]...If students are abusing it, it is a concern."

    Similarly, conversations held over instant messaging programmes can be easily intercepted. A Human Sciences student said it was "insane and quite disturbing...not something you want others to see." Her conversation was eavesdropped upon as she told another member of the same College about her essay crisis. One student at College D, who declined to be named, told The OxStu the problem was "shady", as we recounted her conversation to her. College D refused to comment, on the basis that it felt the law had been broken in relation to these activities.

    A University spokesperson said: "Security measures are constantly reviewed in order to minimize the security risks. Of course, anyone found to have breached security with ill intent would be subject to punishment."

    At the time of going to press, The OxStu was in the process of handing over all the data given to the investigation to both the police and the University.

    Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 199

  22. So What? by xcomm · · Score: 2, Insightful

    >>were able to easily hack into the university's internal network

    So what? It is always as easy especially if you are some kind of insider. But normally you do not hack your university for good reasons:
    a) It is yours.
    b) You will get a lot of trouble / lose accounts.

  23. Re:On the contrary by Donoho · · Score: 2, Insightful

    I think the university officials need to thank the students for their work in exploiting the security vulnerabilities.

    MAYBE, if their exploit didn't involve publishing the vulnerability to the general populace. Worst case scenario, it gets picked up by the BBC and/or /.

    It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same.

    They've publicly invited every literate/malicious individual to do so. Getting a killer scoop at the expense of the school's security comes close enough to malicious in my book. In the real world, few (statistic pulled out of my ass based on number of companies/organizations who plug in/install and go, not size or profitability) have "adequately" secure systems, be it the refusal or inability to spend the time or money to do so, let alone keep up. Anonymity IS part of a system's security. By publishing this article they've opened up the school's network to attention it wouldn't have received otherwise. Maybe the Admins will be able to make necessary adjustments before backdoors are added. Maybe they didn't even have the staff to secure it properly. Point is, the consequence of their actions is that students are more vulnerable than they were before the story was published. Intentions be damned, they f^@%ed up.

  24. Yes, do call the Coppers, but.. by saskboy · · Score: 2, Funny

    But the police should be called, and when they see how lax the university was at keeping sensitive information private, they should file charges against Oxford too.

    Then they can put Oxford Hack in the dictionary:
    Someone who tattles, and gets in trouble too because of their guilt in the incident.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  25. I'm a little surprised by siliconbunny · · Score: 5, Informative
    I studied at Oxford some years ago, and found the computing service (OUCS) to be one of the better and more competent computing services when it came to running and maintaining the networks.

    Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).

    Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.

    If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.

    I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)

  26. Re:Good thing for then they're in England by shanen · · Score: 2, Insightful
    If they were Americans they could be in Camp Xray already playing naked pile up with a hood over their head. Our 'Patriot' act would see to that. Did anyone else see that the Bush administration admitted the other day that the Patriot Act is being used for routine police investigations such as porn and kidnapping?
    No, but I'm curious about the URL. On the actual topic of this thread, I think severe penalties are not appropriate, even though the school was embarrassed. However, it's more of a problem in that a university should be an open, trusting community, without a need for the kind of draconian security measures that would stop all hacking or exploration. This was not black hat phishing, but more of a learning experience, and learning is supposed to be the whole point of a university.
    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  27. Re:Mod Parent Down by erick99 · · Score: 4, Funny
    My gosh - the folks here who rabidly espouse the need for public outing of information all post anonymously.

    Erick

    --
    http://www.busyweather.com/
  28. Yeah, they should have kept their mouths shut by warm+sushi · · Score: 5, Insightful

    Imagine never failing another subject.

    Imagine being able to push your enemies down a grade.

    Imagine making some extra cash selling exam information.

    Imagine trashing the occasional file to irk a disliked professor.

    Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.

    Imagine how much easier life would be not doing the right thing.

    Just imagine...

    Whether they did it for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.

  29. Well, maybe there is something worth protecting by TubeSteak · · Score: 4, Insightful
    Like social security numbers, health information, whether the student is seeing the school shrink, grades (any teacher's temp internet files), scholarship information...

    What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.

    As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss students' e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?

    Maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites
    And why is this? Maybe we have different ideas about what constitutes "information worth stealing"
    --
    [Fuck Beta]
    o0t!
  30. It's college, right? by empaler · · Score: 5, Funny

    They also have to learn that it doesn't pay to go against the system... ;p

  31. little we can do? by blazen1 · · Score: 5, Insightful

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."

    Somebody fire this person.

    1. Re:little we can do? by mritunjai · · Score: 4, Insightful

      Fire the IT Officer ?? Apparently you haven't been to a school and never had chance to administer a network.

      I personally was responsible for a hostel network with 450 odd users... and tell you, the ONLY way you can sleep soundly is by making things assuming everybody has the root password! Students have way much time on their hands, are creative and generally up-to-date with security issues. ONE person cannot spend THAT much time... at 3AM you'd be sleeping while some sleepless fellows will be looking over a just released security advisory! By the time you wake up and check your mailing list mails, they'd have already broken into the system! (most of the time without any damage, but just to "see" if it's indeed true).

      Sorry man... a network/system administrator in a school/college is probably the worst IT admin job you'd be looking at!

      --
      - mritunjai
  32. He said what!?!? by Anonymous Coward · · Score: 3, Insightful
    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
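The detectability claim in the comment above, as an added example that is not part of the original thread: a monitor that flags the IP-to-MAC churn ARP cache poisoning produces. The input format, addresses, thresholds and function names are all assumptions made for this sketch.

```python
"""Flag likely ARP cache poisoning from a stream of observed ARP replies."""
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "ts kind subject detail severity")

# Constructed sample (not taken from the article or the thread): one ARP reply
# per line as "<seconds> <sender IP> <sender MAC>", e.g. from a mirror port.
SAMPLE = """\
# clean baseline
0 10.0.0.1 00:11:22:33:44:01
2 10.0.0.23 00:11:22:33:44:17
5 10.0.0.42 00:11:22:33:44:2a
30 10.0.0.1 00:11:22:33:44:01
# one station starts answering for the gateway and for a peer
61 10.0.0.1 de:ad:be:ef:00:66
62 10.0.0.23 de:ad:be:ef:00:66
63 10.0.0.1 de:ad:be:ef:00:66
64 10.0.0.23 de:ad:be:ef:00:66
65 10.0.0.1 00:11:22:33:44:01
66 10.0.0.1 de:ad:be:ef:00:66
"""


def parse(text):
    """Yield (timestamp, ip, mac); blank lines and '#' comments are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        yield float(fields[0]), fields[1], fields[2].lower()


def detect(observations, gateways=(), flip_window=60.0):
    """Return alerts for three symptoms of ARP spoofing.

    rebind      - an IP is suddenly announced by a different MAC
    flip-flop   - an IP changes MAC twice or more within flip_window seconds
                  (the real owner and the spoofer are both answering)
    multi-claim - one MAC announces itself for several IPs
    """
    binding = {}                  # ip -> MAC most recently seen for it
    changes = defaultdict(list)   # ip -> timestamps of recent binding changes
    claimed = defaultdict(set)    # mac -> every IP it has announced (never
                                  # expired here; real DHCP churn needs ageing)
    reported = defaultdict(int)   # mac -> claim count already alerted on
    flapping = set()              # IPs already reported as flip-flopping
    alerts = []

    for ts, ip, mac in observations:
        old = binding.get(ip)
        if old is not None and old != mac:
            sev = "high" if ip in gateways else "medium"
            alerts.append(Alert(ts, "rebind", ip, f"{old} -> {mac}", sev))
            recent = [t for t in changes[ip] if ts - t <= flip_window]
            changes[ip] = recent + [ts]
            if len(changes[ip]) >= 2 and ip not in flapping:
                flapping.add(ip)
                detail = f"{len(changes[ip])} changes within {flip_window:g}s"
                alerts.append(Alert(ts, "flip-flop", ip, detail, "high"))
        binding[ip] = mac

        claimed[mac].add(ip)
        if len(claimed[mac]) > max(1, reported[mac]):
            reported[mac] = len(claimed[mac])
            ips = sorted(claimed[mac])
            sev = "high" if any(i in gateways for i in ips) else "medium"
            alerts.append(Alert(ts, "multi-claim", mac, ",".join(ips), sev))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE), gateways={"10.0.0.1"}):
        print(f"t={alert.ts:>4.0f}s {alert.severity:<6} {alert.kind:<11} "
              f"{alert.subject}  ({alert.detail})")
```

Routers and proxy-ARP hosts legitimately answer for several addresses, so a deployment would allow-list those MACs before alerting on multi-claim.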

  33. The only difference by DarkMantle · · Score: 3, Interesting

    I made a deal with the school... Don't expel me... I'll help you fix it. Also admitting through an anonymous hotmail account helped... especially since every time I logged in it was from the school IP address.

    --
    DarkMantle I been bored, so I started a blog.
  34. Not at all by Sycraft-fu · · Score: 4, Informative

    Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.

    Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it's ok right? Wrong, it's not ok, I broke the law.

    Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.

    Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.

  35. The Point Most Will Miss... by severed · · Score: 4, Insightful

    Here's the deal, before you all start burning megabytes on the debate whether or not these people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:

    This was an action of the press.

    Let me repeat myself, because it's important.

    This was an action of the press.

    It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.

    This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."

    These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.

    * Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the American government, can you really describe it as the fourth branch of government anymore?

    --

    HaXXXor.com - Naked Chicks Teach You How To Ha

    1. Re:The Point Most Will Miss... by Anonymous Coward · · Score: 2, Informative

      A genuine chance for an informed post! Good lord.

      I've worked in student journalism in the UK, and, in fact, for this newspaper; I'm also a student at Oxford. I'm posting anonymously because I don't want *too much* feedback.

      This was not a case of "freedom of the press", nor was it a legitimate exposure of university behaviour, for two reasons: first, the story was run badly and irresponsibly; second, because the university was not really involved at all!

      Oxford University is made up of independent colleges, lots of them. These colleges handle their own admissions, administration, accommodation, and, importantly in this case, IT networks. These networks are small, and are each handled by a separate IT officer and staff; there is a central IT network, but this wasn't involved in the story. All the students did, as far as anyone I know can gather, is use a sniffer on an ethernet network from inside the college, probably from a cable in someone's bedroom. The story is complaining about the weaknesses in college security setups, knowing full well a) how bloody easy it is to break them, b) how understaffed and short-handed the college IT staff are and, c) that there's not much the university can do to change this - colleges are, after all, independent.

      Even with this in mind, the story was badly run. The Oxford Student doesn't have a year-round editor, students take it in turns to edit it for eight weeks at a time, and its staff are, by the slim standards of student journalism, very inexperienced. The story as it was published was a cheap scare story, boosted to the front page on a slow week. There was no consultation beforehand with those whose privacy was being violated, nor do they seem to care what they did while "looking around".

      I've covered stories like this, and helped to get them ready for publication, and this was not the way to do it. Put bluntly, they wanted a cheap "splash" (front page lead), and heard from a couple of their mates that you could easily hack into the odd college network - boasting in a student bar, essentially - and decided to dress it up as an exposé.

      There's no ethical justification for this. It wasn't seriously trying to hold anyone accountable. It wasn't even legitimately run: you DO NOT break the law by accessing other people's personal data and then say "but look, how easy it is!". To have done this properly would have taken more time, consultation with the proper authorities, demonstration in their presence of the possible exploits, suggestions for how security could be strengthened, and THEN challenging them to respond properly. A far stronger and well researched piece of writing would have been the result; strong enough to make a genuine case, and a genuine front page lead.

      This was a bit of cheap, unethical, shitty reporting, not high-minded whistleblowing, and all they deserve is a kick in the bum.

  36. Proud of the students... by LibrePensador · · Score: 4, Insightful

    I am appalled at the number of people justifying what Oxford University is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?

    Look, Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and long arm of the law and not the students that brought the problems to everyone's attention.

    As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take them at their word?

    I don't think so!

    --
    Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
  37. Where this world moves ? by nickol · · Score: 5, Interesting

    What's going on? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice: to study everything or just to prove himself capable. After each successful break-in, the hole was patched and the network became more protected.

    This is the proper way. But making an unprotected network and calling the police... it's a degradation.

  38. Re:On the contrary by awkScooby · · Score: 2, Insightful
    Hey, you're right. I think that I should:
    1. break into your house to show you how easy it is. It will really help you out in the long run, and you should thank me.
    2. show the pilot on the next flight I'm on how easy it is to get a gun through airport security
    3. show the Secret Service (hey, this is sarcasm. I don't need you guys to visit) how easy it is to jump the fence at the whitehouse and run across the lawn
    4. stick up the local bank to show them how bad their security is. I could write a really good article on that. Obviously I would give them their money back, so there isn't any harm in that. Right?

    This was just a couple of punk-ass script kiddies trying to make the school administration look bad. Seriously, what did they think was going to happen? It's one thing to do serious research in an ethical manner, and another to play 31337 h@xor script kiddie under the guise of journalism. They aren't even good script kiddies -- they got caught way too easily.

  39. I'm an info security auditor... by JRHelgeson · · Score: 3, Insightful

    I've audited everything from banks to schools and I must say that a College campus network environment is by far the most unique environment that I've ever audited.

    Corporations, banks, etc. all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. It's a very interesting paradigm shift.

    I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)

    That being said, kids are curious, and they're learning about computers and exploring their environment. If the network admins have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from Catholic girls' schools to Ivy League institutes and none of them were irresponsible when it came to their security.

    Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due diligence to protect their network.

    The three pillars of computer security consist of Accessibility, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessible by those who are authorized to access it.

    Yes, it is possible to hack any network and perform ARP cache poisoning (just check out the tool Cain & Abel @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.

    From the sounds of this article, it looks like they came across this Cain & Abel utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.

    I say that they should make an example of these script kiddies.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
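
ARP cache poisoning, which the comment above mentions, shows up on the wire as an IP address (typically the gateway's) suddenly being claimed by a different MAC. The following is an added example, not part of the thread: a binding monitor run over constructed ARP observations. The record format, the alert names, the 60-second window and every address are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed observations: (timestamp, sender IP, sender MAC) as a monitoring
# host might log them from ARP replies. Every address here is made up.
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:00:5e:00:53:01"
SAMPLE_ARP_REPLIES = [
    (100.0, "192.0.2.1", "00:00:5e:00:53:01"),   # gateway, expected binding
    (101.0, "192.0.2.20", "00:00:5e:00:53:20"),
    (102.0, "192.0.2.21", "00:00:5e:00:53:21"),
    (150.0, "192.0.2.1", "00:00:5e:00:53:66"),   # gateway claimed by another MAC
    (150.5, "192.0.2.20", "00:00:5e:00:53:66"),  # same MAC also claims a host
    (151.0, "192.0.2.1", "00:00:5e:00:53:01"),   # real gateway answers again
    (152.0, "192.0.2.1", "00:00:5e:00:53:66"),   # and is overridden once more
    (400.0, "192.0.2.21", "00:00:5e:00:53:22"),  # lone change much later (new NIC)
]


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str   # "pinned-mismatch", "rebind", "flap" or "multi-claim"
    ip: str
    mac: str


class ArpMonitor:
    """Tracks IP-to-MAC bindings and reports changes that look like poisoning."""

    def __init__(self, pinned=None, window=60.0):
        # pinned: bindings the admin knows are fixed, e.g. the gateway.
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.window = window
        self.history = defaultdict(list)  # ip -> [(ts, mac), ...]
        self.claims = defaultdict(dict)   # mac -> {ip: last time claimed}

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        alerts = []

        # 1. A pinned address answered from the wrong MAC: highest confidence.
        if self.pinned.get(ip, mac) != mac:
            alerts.append(Alert(ts, "pinned-mismatch", ip, mac))

        # 2. The binding changed. One change is a "rebind" (could be a new
        #    NIC); two or more changes inside the window is a "flap", which is
        #    what two hosts fighting over one IP looks like.
        seen = self.history[ip]
        if seen and seen[-1][1] != mac:
            recent = [m for t, m in seen if ts - t <= self.window] + [mac]
            flips = sum(1 for a, b in zip(recent, recent[1:]) if a != b)
            alerts.append(Alert(ts, "flap" if flips >= 2 else "rebind", ip, mac))
        seen.append((ts, mac))

        # 3. One MAC starts answering for an additional IP inside the window.
        #    Routers doing proxy ARP do this legitimately, so treat it as a
        #    lead to correlate with the alerts above, not as proof.
        active = {i for i, t in self.claims[mac].items() if ts - t <= self.window}
        if active and ip not in active:
            alerts.append(Alert(ts, "multi-claim", ip, mac))
        self.claims[mac][ip] = ts
        return alerts


def scan(replies, pinned=None, window=60.0):
    """Run a fresh monitor over a list of observations and collect alerts."""
    monitor = ArpMonitor(pinned, window)
    return [a for ts, ip, mac in replies for a in monitor.observe(ts, ip, mac)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print(f"{alert.ts:7.1f}  {alert.kind:<16} {alert.ip:<12} {alert.mac}")
```
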
  40. not feeling too sorry for them... by sdedeo · · Score: 2, Insightful

    The Oxford student newspaper guys are angling to get a nice job on Fleet street after graduation, and are trying to come up with attention getting scoops. If their real intention was to help the network sysadmins, they should have brought this up privately (since the article doesn't mention it, I assume they didn't.)

    Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?

    If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, they went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?

    They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.

    --
    Protect your liberties. Donate to the ACLU
  41. Re:Anonymous article, anyone? by Triumph+The+Insult+C · · Score: 2, Interesting

    vlans are for performance. cisco has incorrectly convinced people they are for security

    --
    vodka, straight up, thank you!
  42. 500 pound fine... by the-build-chicken · · Score: 5, Funny

    It was later recorded by the university database that not only did they promptly pay the fine, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.

    Couldn't figure out why they were snickering though?

  43. Nope, sorry by Sycraft-fu · · Score: 2, Interesting

    You don't have a right to try and break in to places you do business at. Try it if you like, try and break in to your bank, but don't bitch when the cops haul you off to jail.

    If they suspect a problem, they need to talk to the school about it and get permission. Just running off and doing it isn't acceptable.

    You are free to test the security of things YOU OWN. You can break in to your house, you can hack your own computer. You can break the window of your own car. However you can't do any of those things to someone's property you just happen to use. Just because you have an account on a system I own doesn't give you permission to hack it. Just because I'm storing your bicycle for you doesn't give you permission to break in to my garage.

    Look, I'll even entertain an argument that the law should be changed to make it legal, though I disagree, but you can't claim this isn't what the law is. Hence, they didn't have a right since they were breaking the law.

  44. I understand why they decided to publish widely by Dorktrix · · Score: 2, Interesting
    I accidentally hacked into the web site that my university created for alumni (I went to a very respectable west coast university)... It turns out that the temporary password they used when you "reset" your password was a keyword followed by the current date (i.e., "keyword20040716"). So to break into someone's account, you would just "reset" their password and then log into their account with the password "keyword20040716". No joke.

    This was the first email I got when I decided to go the route of notifying them directly rather than publishing my findings:
    Hi Bret,

    Thank you for your suggestion. This is the way the system was designed by our developers. If a temporary password is generated, an email is sent to the original user notifying him/her of the change. It is certainly a trade-off of convenience and security. Thanks for writing,

    Adam
    And this was my subsequent response:
    The problem is that my own personal email and personal information is at risk for your convenience. The level of security of the site is unacceptable, and I am sure that all of the other users of the site would agree with me. I don't want to make this blatant security hole known to the public, but I will if that is what it will take for you to fix it. Any system that allows access to personal email should not be designed so hastily. If you give me a time frame in which your organization will fix the security hole, I will not publish any information on how to exploit the hole until it is fixed.

    While it is true that the person receives an email when a temporary password is generated, the attacker can easily change the password before the "real" user has the opportunity to use the temporary password, effectively eliminating access to the account until a [snip] Alumni administrator comes in to fix the problem, which could take days.

    I am disappointed that, when notified of a major security breach, the [snip] Alumni organization responds with an apology rather than an intention to fix the problem. It greatly reduces my confidence in the [snip] Alumni web services.

    I look forward to a response,
    Bret Taylor
    btaylor@[snip]
    Which finally resulted in this (I guess it was escalated):
    Hello Bret,

    Thank you for sharing your concern regarding the issuing of the passwords. I have passed on this information to our developers who will address the issue.

    Please let me know if I can be of further assistance to you.

    Pauline
    I never heard back, but about three months later it was finally fixed. THREE MONTHS. Sometimes a little fire like an article is necessary to get bureaucracies moving.
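
The reset scheme described in the comment above derives the temporary password from a fixed keyword and the date, so it is the same for every account on a given day. As an added example (not the alumni site's code and not part of the thread), here is that derivation next to a reset token that is random, stored only as a hash, time-limited and single-use; the class name, the 30-minute lifetime and the account name are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta, timezone


def weak_temp_password(today: date, keyword: str = "keyword") -> str:
    """The scheme from the comment: fixed keyword followed by the current date.

    Nothing here is secret or per-user, so anyone who has seen one reset
    e-mail can compute the value for any account on any day.
    """
    return f"{keyword}{today:%Y%m%d}"


class ResetTokens:
    """Hypothetical replacement: unguessable, expiring, single-use tokens."""

    TTL = timedelta(minutes=30)  # assumed lifetime

    def __init__(self):
        # user -> (sha256 of token, expiry). Only the hash is kept, so a leak
        # of this table does not hand out usable tokens.
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user: str, now: datetime) -> str:
        """Create a token to mail to the address on file.

        Issuing does NOT touch the account's current password. That closes the
        lockout described in the e-mail exchange: requesting a reset for
        someone else changes nothing unless the token is actually redeemed.
        A new request replaces any earlier pending token.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user] = (self._digest(token), now + self.TTL)
        return token

    def redeem(self, user: str, token: str, now: datetime) -> bool:
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires = entry
        if now >= expires:
            del self._pending[user]
            return False
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self._pending[user]  # single use
        return True


if __name__ == "__main__":
    now = datetime(2004, 7, 16, 12, 0, tzinfo=timezone.utc)
    print("weak:", weak_temp_password(now.date()))
    store = ResetTokens()
    token = store.issue("alumnus@example.org", now)
    print("guess with weak value:", store.redeem(
        "alumnus@example.org", weak_temp_password(now.date()), now))
    print("real token:", store.redeem("alumnus@example.org", token, now))
    print("replay:", store.redeem("alumnus@example.org", token, now))
```
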

  45. no shit. by twitter · · Score: 4, Insightful
    ... most of the shit is just because people are not security conscious.

    Obviously, now. Before hand, how could they have shown it?

    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

    I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.

    Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.

    We shall see what happens to them.

    --

    Friends don't help friends install M$ junk.

  46. No Excuse by supersnail · · Score: 2, Insightful

    What I find really scary is the feeble " we bought cheap systems, we can't secure it " excuses the systems admins are giving.

    If they had used free software it would have been pretty secure out of the box (or whatever the equivalent is for downloading).

    Most of the places I have worked recently are using the famously secure and "trusted" software from "honest" Bill Gates, and, they have reasonably secure networks, it just takes some actual admin from the sysadmins.

    What software are they using that stores passwords in plain text? In the 21st century? This is just plain negligent, I think the students involved should pursue the college through the data protection act. In the UK anyone holding somebody else's personal information on their computer system has a duty to secure that data and prevent access from unauthorised users. Clearly asking the student body to "please obey the rules and not look" falls short of "reasonable measures to protect".

    --
    Old COBOL programmers never die. They just code in C.
  47. Some facts (and my opinion) by hsenag · · Score: 5, Informative

    I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.

    The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).

    What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.

    This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.

    They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches :-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.

  48. An IT Officer's Perspective by yamahito · · Score: 5, Informative

    Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University. Right, that's out the way, then.

    I work for the college that one of these students attends. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things.

    These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure.

    None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure.

    They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-Lee attended here.

    There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks.

    It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op No, that's not journalism. That's scare-mongering.

    I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.

    The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network

    Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin, if I know Oxford...

    Somebody fire this person (re: the comments by IT officer A)

    It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.

    These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities

    Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.

    Have you heard of Whistleblowing

    Have you heard of Shit-stirring?

  49. Unintentional Cracking by Quantum+Jim · · Score: 2, Insightful

    If everybody broke into a network would it still be unlawful.

    The underlying moral principle of "respect other people's property" still applies.

    That's true, but what about when an intranet is left open and someone, exploring the network, stumbles upon it?

    My friend's wife once found the answers to all the homework and exams during a class on computer administration, while viewing the intranet from her workstation. The files were not password protected and there was nothing indicating that this was supposed to be private (before opening it).

    She realized this wasn't right, and told the teacher. Unfortunately, the professor was not pleased, and the school tried to expel her on grounds of illegally cracking into the network! In the end, she was forced to drop the class even though my friend's wife knew more than the teacher himself! (I think the college's lawyers realized they could be sued if they expelled her.)

    She wasn't the only one. A while back, I heard about a case where the New York Times sued a hacker when he found a security hole in their network and told them about it (and didn't do anything else). In both cases nothing was damaged at all, nothing was really seen and nobody was hurt. It's like someone notices that your back door's lock is broken, sends you a letter about it, and you sue them for trespassing.

    What I'm saying is that we need some kind of legal protection for this kind of accidental "hacking."

    --
    It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
    - Jerome Klapka Jerome
  50. Actually... by PsiPsiStar · · Score: 2, Interesting

    Actually, if everyone does a particular thing, sometimes it becomes legal.

    If you don't have 'no trespassing' signs on your yard and kids walk through it every day for, say about 7 years (this is the usual) you can actually lose the right to stop them. The area becomes public domain for a particular purpose.

    It would be interesting to see this applied to a network.

    (IANAL, btw)

    --

    ___
    It's the end of my comment as I know it and I feel fine.
  51. Over-blown and inaccurate by Alnitak73 · · Score: 2, Interesting

    Firstly, please let me clarify a few points about the article and the way stuff is run at Oxford:

    1. the University provides the inter-building network infrastructure, but each College and Department is responsible for running its own internal network
    2. there is no indication in the article that any University-maintained network infrastructure was penetrated.

    My understanding of what has probably happened is that one or more colleges have skimped on network hardware and not installed the recommended switched network equipment with MAC address protection.

    Alternatively the students may have found a way to defeat the security on the switch they're connected to that allowed them to mirror other ports' traffic down their port.

    Although they did sniff passwords for a University provided e-mail service, it seems that everything they did was within a college network.

    To say that the University network was hacked, as both the /. article and the student rag suggest, is not accurate and vastly inflates the scale of what these students "achieved".

    Alnitak - Oxford graduate and ex-staffer.

  52. Quick Lesson in Oxford.... by LondonLawyer · · Score: 3, Interesting

    university campuses tend to almost have their own legal systems

    But with the entire event being isolated to a university campus...

    There is no single campus at Oxford, only a collection of Colleges, Libraries and Faculties.

    The policing of Oxford students is dealt with mainly by the Colleges and the Proctors. The Proctors can be quite fierce if they fail to see the funny side. They are also quite old fashioned - most students hope only to encounter them at ceremonial occasions when they'll be wearing gowns and funny hats. There are also the 'Bulldogs' who are basically the heavies for the Proctors and go round in bowler hats and used to chase the students out of pubs in the old days.

    In this instance, the fact that the story was splashed on the front page of a newspaper with circulation throughout Oxford (rather than just within a campus) probably caused a lot of embarrassment. Added to which, I wouldn't be surprised if the Proctors have very little understanding of exactly what has been done or how. They will assume the worst. They probably just want to be seen to be taking the matter seriously and don't know exactly how serious it really is or what reaction is appropriate. In any case, rustication isn't so bad - you can come back to study once you've served your time away. They could have been 'sent down', in which case it'd be game over.

  53. The nature of the hack by Neil · · Score: 5, Informative

    [I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].

    One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".

    As I understand it, the college that the students attend still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.

    The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.

    The failing on the part of the University is not so much in the area of technology and IT security; it is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...

    The University is on the whole, very security conscious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).

    One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over separate fibre optics and are kept strictly segregated from the general purpose data network.

  54. On the other hand, enabling it... by FooAtWFU · · Score: 4, Interesting
    On the other hand, there are some very simple measures that certain sysadmins could take. For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh! (mmm, PINE)...

    And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad, and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!

    (Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
    1. Re:On the other hand, enabling it... by LinuxHam · · Score: 4, Informative

      For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh

      If you have a full shell account on the remote end (i.e. pine doesn't start automatically upon login, and you don't exit when exiting pine), read this to learn how to automatically pull down your email with pop3 over ssh without entering passwords. Works great.

      --
      Intelligent Life on Earth
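
Several comments above turn on whether a mail server lets clients send POP passwords in the clear or insists on SSL/TLS first. As an added example (not from the thread), the sketch below classifies a POP3 server from the capability list it returns to `CAPA` before any TLS upgrade (`CAPA`, `USER` and `SASL` are defined in RFC 2449, `STLS` in RFC 2595). The three captured responses are constructed, and the verdict names are assumptions; the result reflects what the server advertises, which is a heuristic rather than proof of what it would accept.

```python
# SASL mechanisms that send the password itself (only base64-encoded).
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}

# Constructed pre-TLS CAPA responses, as read from a plain port-110 session.
CAPA_HUB_ERA = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
CAPA_OPTIONAL = (
    "+OK Capability list follows\r\n"
    "TOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\nUIDL\r\n.\r\n"
)
CAPA_ENFORCED = "+OK Capability list follows\r\nTOP\r\nSTLS\r\nUIDL\r\n.\r\n"


def parse_capa(response: str) -> dict:
    """Parse a multi-line CAPA response into {capability: [parameters]}."""
    lines = response.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("server rejected CAPA: " + lines[0])
    caps = {}
    for line in lines[1:]:
        if line == ".":            # a lone dot ends the multi-line response
            break
        if not line.strip():
            continue
        tag, *params = line.split()
        caps[tag.upper()] = [p.upper() for p in params]
    else:
        raise ValueError("CAPA response has no terminating '.' line")
    return caps


def audit_pop3(response: str):
    """Return (verdict, findings) for a pre-TLS capability list.

    cleartext-only : no STLS offered, so a password sent on this port is
                     readable by anyone on the same shared segment.
    tls-optional   : STLS is offered, but password logins are also advertised
                     before the upgrade; a misconfigured client still leaks.
    tls-required   : STLS offered and no password mechanism advertised until
                     the session is encrypted.
    """
    caps = parse_capa(response)
    findings = []
    if "USER" in caps:
        findings.append("USER/PASS advertised before TLS")
    weak = sorted(set(caps.get("SASL", [])) & PLAINTEXT_SASL)
    if weak:
        findings.append("SASL " + ",".join(weak) + " advertised before TLS")
    if "STLS" not in caps:
        findings.append("STLS not offered")
        return "cleartext-only", findings
    return ("tls-optional" if findings else "tls-required"), findings


if __name__ == "__main__":
    for name, capa in [("hub-era", CAPA_HUB_ERA),
                       ("optional", CAPA_OPTIONAL),
                       ("enforced", CAPA_ENFORCED)]:
        verdict, findings = audit_pop3(capa)
        print(f"{name:<9} {verdict:<15} {'; '.join(findings) or 'none'}")
```
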
  55. Re:Yeah... and you miss the point by wrf3 · · Score: 2, Informative

    Suppose in America the majority begins to infringe on the free speech or exercise of religion rights granted by the Constitution. Does that make it right?

    At the heart, you're advocating a "might makes right" system. Do you really want to live under the "law of the jungle"?

  56. Standard Practice? by polyp2000 · · Score: 2, Insightful

    I'm sure this kind of stuff is commonplace in Universities. I myself knew people who had or could get root access on machines from where (anything goes) in fact we had a room of NeXT stations that were mysteriously taken offline after someone I knew ran the unix "crack" password cracking tool on them. Another friend of mine had similar experiences at his uni.

    Generally speaking it must be very difficult to ensure a secure network at a uni. The sheer variety of different machines and operating systems, and the ad-hoc nature of the network will invariably leave gaps in the security.

    However I'd like to hope that most students are just exercising their inquisitive nature and doing little harm in the process, after all University is "yours" just as much as it is the people who run or own it. It is a seat of learning after all!

    nick

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  57. English law: Accessory after the fact. by MROD · · Score: 3, Informative

    I believe that it is the law in England (and Wales) that if you know of a criminal act taking place then if you do not report it to the police then you are deemed to be an accessory after the fact and have hence committed a criminal act yourself.

    Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.

    --

    Agrajag: "Oh no, not again!"
  58. When you were at what? by Scratch-O-Matic · · Score: 4, Funny

    When i was at collage...

    And, um, which collage did you go to?

    --


    Evil is the money of root.
  59. Public fame is of no use for hackers by Maljin+Jolt · · Score: 2, Insightful

    Many young men are so naive about social power hierarchy.

    Please, all future kiddie hackers, realise that people in power are *always* more concerned about their power than about technology flaws or productivity/effectiveness of systems they control. And showing their failure in public makes them very angry, because it can endanger their image of power control the most.

    Next time, if you do it for sport, do it quietly. Make yourself an outer image of a complete moron. Enjoy your insight. Fame is without purpose for you.

    --
    There you are, staring at me again.
  60. Further quirks by LondonLawyer · · Score: 2, Funny

    If student rumour is correct, there's an unrepealed Oxford law by which Crusaders on their way to the Holy Land could stop by and pick up a degree. Apocryphally, students have tried to invoke this right and been turned down by the Proctors because they weren't wearing their swords when the claim was made.

    There is also meant to be a law still in force by which you can request a glass of sherry be brought to you during Finals exams. I don't know if anyone has had the balls to try it - it's exactly the sort of thing the Proctors find unamusing.

  61. Re:Why such high security at a college campus?? by cayenne8 · · Score: 3, Interesting
    One thing that stood out to me in this article...the high security they have on campus. CCTV cameras everywhere? Having to swipe access cards to get in any building, etc...

    Why all these intrusive and secure measures just for a college campus? It's not a military base or anything....

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  62. Re:Why such high security at a college campus?? by TheCarp · · Score: 2, Informative

    Why? Because we need it. (OK, I work for a different univ. and not much for CCTV, but we have swipe cards here and there).

    The thing is, Universities are great targets for small time criminals. Lots of people going in and out, many faces, unattended equipment. At least with swipe card access, you can be somewhat sure that people in the area are supposed to be there. It helps.

    It doesn't stop door jacking of course, which was one of my favorite techniques at a previous job (wouldn't give me card access to some areas before 9 am, even though I started at 8 and often had jobs to do in there, so I would just door jack my way in, and get my work done)

    You'd be amazed at the things that can go on on a campus. Some amount of security is important; there's basically 3 types of areas they need to secure. 1) places where people live (dorms... Frats are generally completely open and the U doesn't give a fuck), 2) places with lots of expensive computer equipment 3) Dangerous labs.

    Just ask some student friends of mine who rented a house off campus last year. They threw some great parties, and had 11 people living in the house. There was so much in and out foot traffic that they had problems with people walking in off the street and stealing things.

    It's easy for places with a lot of people traffic to get a high profile and become a target.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  63. Heh. by SatanicPuppy · · Score: 2, Funny

    The first college I went to had this poorly secured Novell network running on an old Vax cluster.

    They had it set up so that, to use a computer, you logged in as the computer, instead of as a user. I found out that, if you logged a PC into the network, using a username meant for a Mac, and if that Mac were not already logged in, it would completely screw up your privileges, and let you do many things normally reserved for "Administrator".

    Friend of mine wrote a batch script to send out an amusing system message once an hour. Unfortunately he didn't count zero correctly, and so the first one was an hour, but the second through 1000000th were somewhat quicker.

    The first I knew of it was when I walked into a computer lab and heard this symphony of "beepbeepbeepbeepbeep" and saw a couple lab techs ripping the cables and stuff off of this poor little Mac while screaming, "IT'S UNPLUGGED! WHY IS IT STILL SENDING MESSAGES?!?!"

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  64. Re:Why such high security at a college campus?? by Timmmm · · Score: 2, Informative

    One thing that stood out to me in this article...the high security they have on campus. CCTV cameras everywhere? Having to swipe access cards to get in any building, etc...


    Cambridge, Oxford and Durham aren't campus universities.

    The colleges and departments are spread throughout the city.