Slashdot Mirror


Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."

41 of 662 comments

  1. Are there any adults in the house? by erick99 · · Score: 5, Insightful
    If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration. They could have taken the information to the school and if the school ignored it they could have then published an article. They did call the school for comment but it was clear they were going to publish so that didn't afford the school a chance to remedy the problem. I think they were more interested in an article that would generate a lot of excitement and make them look good. I don't buy their arguments about doing all of this in the best interests of the school. I believe they had their own best interests at heart. I can't say I think much more of the administration in their handling of the matter either. There is a lot of ass-covering going on here and I don't see anybody handling this like adults except for the police who acted quickly and appropriately. Jeeze, what a mess.

    Cheers!

    Erick

    --
    http://www.busyweather.com/
    1. Re:Are there any adults in the house? by erick99 · · Score: 5, Insightful
      The police referred it back to school as a matter that should be handled "internally." I do agree with you though, they did not need to involve the police. While I think the students were very misguided and out to make a name for themselves, they did not need to involve the police. The students were not malicious, simply self-serving.

      Cheers!

      Erick

      --
      http://www.busyweather.com/
    2. Re:Are there any adults in the house? by pbox · · Score: 5, Funny

      Well, it's still better than here in the US. This would most definitely end up being a clear-cut terrorism case. These two guys would already be working on their tan in Gitmo. In about 3-5 years after a lengthy legal process involving the US Superior Court, they will be allowed to proceed with their legal defense, which of course will be completely torpedoed by the fact that the prosecution will introduce any and all evidence as "top secret", so the defense team will not be able to counter any of them. They will serve 30 years, in solitary confinement.

      --
      Code poet, espresso fiend, starter upper.
    3. Re:Are there any adults in the house? by DrMrLordX · · Score: 5, Insightful

      I can't say that I agree completely. This reminds me all too much of a small "controversy" that went on in my highschool alma mater here in the States. Several members of the school's newspaper staff uncovered information regarding the existence of a peculiar group within the school known as the "Cotton Club" (as I recall) whose purpose was unclear, but which contained members from both the student body, alumni, and supposedly trustees who were all male, white, and rather racist. The only known function of the group that I can recall was that there was a great deal of consumption of alcohol involved. They probably did some other dull things.

      Anyway, the school newspaper staff (full of multicultural liberals) found the existence of this Cotton Club to be horrendous and wished to investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.

      In other words, there was a secret club in the school that contributed to the delinquency of minors (as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club (which is what they should have done).

      The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper (why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have committed a crime. Mind you that, reportedly, this happened BEFORE the article was published.

      What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:

      1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".

      2). Someone, or several someones, within the university staff may have been exploiting security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.

      Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.

      Or maybe not. Hard to tell with the details in the linked articles.

    4. Re:Are there any adults in the house? by perlchild · · Score: 5, Interesting

      It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime (that's defensible, in a way: some bugfixes have been known to be worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:

      1) You can't force them to use secure transmission of all data
      2) You can't force them to use secure transmission of YOUR data
      3) You can't force them to follow best practices in the handling of all data
      4) If you try to point out in a public fora, that their handling of your data is faulty in any way, you can be sued

      But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.

      Anyone notice how badly this deck is stacked yet?

    5. Re:Are there any adults in the house? by sunnytzu · · Score: 5, Informative

      You're completely right. I was at Oxford when this incident occurred, and I'm appalled that the Guardian and BBC News have bought into this flagrant piece of self-promotion. From what I know of the story there was no attempt made to liaise with the University Computer Services to rectify this problem before they published the information in the paper. Unfortunately people involved in student journalism, particularly at Oxford in my experience, are only interested in bolstering their CV so that they can land a job at a British national newspaper. This means that they will do anything to promote themselves without any real thought for the consequences.

  2. "How I Rooted Oxford University" by aardvarko · · Score: 5, Funny

    ... a.k.a. A Beginner's Guide to tcpdump and ettercap

  3. 500 pound fine? by Anonymous Coward · · Score: 5, Funny

    Now that is a heavy fine.

    1. Re:500 pound fine? by Brandybuck · · Score: 5, Funny

      In Oxford, they call it the "Sisyphus Punishment".

      For those of you that want to Cambridge this is a reference to rolling a heavy stone uphill over and over.

      --
      Don't blame me, I didn't vote for either of them!
    2. Re:500 pound fine? by martinX · · Score: 5, Funny

      Once the UK goes REALLY metric, it will be a 226.7962 kg fine.

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    3. Re:500 pound fine? by Anonymous Coward · · Score: 5, Funny

      Those of us who attended Cambridge can actually spell "went".

  4. Oxford Loses Out by mfh · · Score: 5, Insightful

    The school is feeling embarrassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

    From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?

    These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.

    Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Oxford Loses Out by cmallinson · · Score: 5, Insightful
      They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

      I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?

  5. kebabs and bon jovi by lovecult · · Score: 5, Funny
    ...spurred on by Bon Jovi's Livin' on Prayer, they did more research

    They should be damn well "rusticated" for their taste in music alone!

  6. Get permission! by Sowelu · · Score: 5, Informative

    This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.

  7. what they could have done... by tisme · · Score: 5, Informative

    They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.

  8. Re:They shouldnt be punished.. by MrRTFM · · Score: 5, Interesting

    Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.

    This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.

    It's Uni - not a top secret government agency.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
  9. ..Well by SinaSa · · Score: 5, Interesting

    Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

    The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

    I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.

    --
    The last digit of pi is four.
  10. Bullshit. by Crasoum · · Score: 5, Interesting

    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

    In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

    As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.

    E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.

    The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.

  11. Rule of Law by konekoniku · · Score: 5, Insightful

    Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
    What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
    Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.

  12. Re:*Yawn* by atlantis191 · · Score: 5, Funny

    Forgot one:

    SCO sues B

  13. root/root by codeonezero · · Score: 5, Interesting

    Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

    I was just curious at the time :-)

    A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

    Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do :-)

    --

    ....
    int main (void) { ... }

  14. Re:Yeah... and? by Anonymous Coward · · Score: 5, Funny
    I got a two day suspension for it! (highschool)

    All I got was this stupid t-shirt.

  15. I'm a little surprised by siliconbunny · · Score: 5, Informative
    I studied at Oxford some years ago, and found the computing service (OUCS) to be one of the better and more competent computing services when it came to running and maintaining the networks.

    Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).

    Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.

    If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.

    I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)

  16. Yeah, they should have kept their mouths shut by warm+sushi · · Score: 5, Insightful

    Imagine never failing another subject.

    Imagine being able to push your enemies down a grade.

    Imagine making some extra cash selling exam information.

    Imagine trashing the occasional file to irk a disliked professor.

    Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.

    Imagine how much easier life would be not doing the right thing.

    Just imagine...

    Whether they did it for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.

  17. Re:Yeah... and? by gilrain · · Score: 5, Insightful

    Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.

  18. Re:Yeah... and? by TeraCo · · Score: 5, Insightful
    Well.. this might seem obvious.. but it's because it's still illegal to break into other people's networks.

    Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.

    --
    Not Meta-modding due to apathy.
  19. It's college, right? by empaler · · Score: 5, Funny

    They also have to learn that it doesn't pay to go against the system... ;p

  20. little we can do? by blazen1 · · Score: 5, Insightful

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."

    Somebody fire this person.

  21. Re:Yeah... and? by stor · · Score: 5, Informative

    Heh.

    I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.

    At uni a friend of mine ran some dodgy novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".

    Somehow someone accidentally installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...

    We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.

    Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.

    What were these two plonkers trying to prove? The bleedingly obvious?

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"
  22. Re:Yeah... and? by gilrain · · Score: 5, Interesting

    The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?

    That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...

  23. Where this world moves ? by nickol · · Score: 5, Interesting

    What's going on? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice: to study everything or just to prove himself capable. After each successful break in, the hole was patched and the network became more protected.

    This is the proper way. But making the unprotected network and call police... it's a degradation.

  24. 500 pound fine... by the-build-chicken · · Score: 5, Funny

    It was later recorded by the university database that not only did they promptly pay the fine, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.

    Couldn't figure out why they were snickering though?

  25. Re:Aargh, again with the confusion. by thesp · · Score: 5, Informative

    Good lord, I can't read this thread any longer.

    I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.

    There are 3 important points that most people have failed to recognise. Many of them have to do with the fact that the colleges are more or less partly-autonomous entities.

    1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.

    1a) same goes for the departments and faculties.

    2) there is the OUCS network, linking the colleges and departments to each other and JANET

    3) oucs also provides services, e.g. .ox.ac.uk DNS, herald email, HFS backup, site-license software, training, etc. etc. etc. OUCS also run the University level (ox.ac.uk) firewall. They also advise the colleges on network security.

    Now, of the various problems observed here, three are pulled out as particularly noteworthy.

    1) email passwords stolen.

    Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webmail.ox.ac.uk which requires https. They kept herald on as a legacy service for a month or two to allow people to transition. It was at this point the report was published, as the accounts were opened. The flaw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).

    2) msn messenger conversations listened to

    MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's not the university's fault. This is made clear here. These same students ALREADY have pretty private/personal/embarrassing conversations shouted at 3am in the morning in Radcliffe Square!

    3)CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (i'm sure) will be dealing with the company.

    Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad.

    So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.

    Move along please, nothing to see..

  26. Some facts (and my opinion) by hsenag · · Score: 5, Informative

    I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.

    The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).

    What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.

    This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.

    They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches :-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.

  27. Re:Yeah... and? by boaworm · · Score: 5, Insightful

    You cant really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism" ?

    Journalists get far too much slack already, ranting around like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.

    What the kids SHOULD have done was to contact the principal's office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.

    --
    Probable impossibilities are to be preferred to improbable possibilities.
    Aristotele
  28. Re:Yeah... and? by Chitinid · · Score: 5, Insightful

    1. The fallacy here is assuming that the laws *must* be correct, and failing to consider what the purpose and the origin of the laws are. The laws are presumably there to protect everyone's rights. If everyone's breaking the law, what's the purpose of the law? Obviously either everyone has a double standard or thinks the law is silly. These "fundamental moral principles" you mention had better be supported by the masses, or they're elitist and don't belong in a social contract.

    2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, they deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.

    3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?

  29. An IT Officer's Perspective by yamahito · · Score: 5, Informative

    Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University.

    Right, that's out the way, then. I work for the college that one of these students attends. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things.

    These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure.

    None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-Lee attended here.

    There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks.

    It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op

    No, that's not journalism. That's scare-mongering. I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.

    "The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network"

    Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin, if I know Oxford...

    "Somebody fire this person"

    (re: the comments by IT officer A) It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.

    "These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities"

    Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.

    "Have you heard of Whistleblowing"

    Have you heard of Shit-stirring?

  30. The nature of the hack by Neil · · Score: 5, Informative

    [I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].

    One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".

    As I understand it, the college that the students attend still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.

    The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.

    The failing on the part of the University is not so much in the area of technology and IT security; it is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...

    The University is, on the whole, very security conscious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).

    One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over separate fibre optics and are kept strictly segregated from the general purpose data network.
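
Added example, not part of either post above and not code from the university: comments 29 and 30 note that POP and IMAP carry passwords in cleartext unless SSL is used, and that the central services frequently accept logins only over encrypted connections. The Python sketch below reads a server's pre-TLS capability listing and reports whether a misconfigured client could still log in with a readable password; the function names and the sample listings are constructed assumptions.

```python
# Added example: constructed capability listings, not captures from any real server.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

def imap_caps(line):
    """Token set from '* CAPABILITY ...' or '* OK [CAPABILITY ...] text'."""
    return {t.strip("[]") for t in line.upper().split()}

def imap_cleartext_login_possible(line):
    caps = imap_caps(line)
    # RFC 3501: LOGIN is available before TLS unless LOGINDISABLED is advertised.
    if "LOGINDISABLED" not in caps:
        return True
    return any(c.startswith("AUTH=") and c[5:] in PLAINTEXT_SASL for c in caps)

def pop3_caps(capa_lines):
    """Map capability name -> arguments from a CAPA response (RFC 2449)."""
    caps = {}
    for raw in capa_lines:
        parts = raw.strip().upper().split()
        if parts and parts[0] not in ("+OK", "."):
            caps[parts[0]] = parts[1:]
    return caps

def pop3_cleartext_login_possible(capa_lines):
    caps = pop3_caps(capa_lines)
    # USER means USER/PASS is accepted; SASL PLAIN/LOGIN is just as readable on the wire.
    return "USER" in caps or bool(PLAINTEXT_SASL & set(caps.get("SASL", [])))

def audit(protocol, listing):
    """Return 'EXPOSED', 'TLS-ONLY' or 'NO-TLS' for a pre-TLS capability listing."""
    if protocol == "imap":
        exposed = imap_cleartext_login_possible(listing)
        tls = "STARTTLS" in imap_caps(listing)
    else:
        exposed = pop3_cleartext_login_possible(listing)
        tls = "STLS" in pop3_caps(listing)
    if exposed:
        return "EXPOSED"
    return "TLS-ONLY" if tls else "NO-TLS"

SAMPLES = {  # constructed listings as seen on ports 143 and 110 before any TLS upgrade
    "imap-weak": ("imap", "* CAPABILITY IMAP4rev1 AUTH=PLAIN STARTTLS"),
    "imap-hard": ("imap", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    "pop3-weak": ("pop3", ["+OK Capability list follows", "USER", "SASL PLAIN LOGIN", "STLS", "."]),
    "pop3-hard": ("pop3", ["+OK Capability list follows", "UIDL", "TOP", "STLS", "."]),
}

if __name__ == "__main__":
    for name, (proto, listing) in SAMPLES.items():
        print(f"{name}: {audit(proto, listing)}")
```

A listing reported as TLS-ONLY means the server advertises no password mechanism until the client has upgraded the connection, so a client set up without SSL fails to log in rather than sending the password in the clear.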

  31. Re:Yeah... and? by olderchurch · · Score: 5, Interesting

    This is the exact same reason why I love my provider. From their general conditions:
    4.4 Without prejudice to article 4.3, customers are permitted to hack the
    XS4ALL system.

    The first customer who succeeds in attaining a position equivalent to that
    of the XS4ALL system administrator will be offered six months' free use of
    the system, provided that the said customer explains how he or she succeeded
    in hacking the system, has not damaged the system or other customers and has
    respected the privacy of other customers. Each customer hereby gives consent
    for other customers to attempt to hack the system under the aforementioned
    conditions.

    --
    Disclaimer: This opinion was created without the use of any facts

  32. Re:Yeah... and? by mikael · · Score: 5, Funny

    That reminds me of an ultra-paranoid sys-admin we once had (the kind that makes Burt Gummer look like a Quaker).

    The sys-admin set up our CompSci server to log every command every user had made (lastcomm services). So one night, one student is waiting for the others in the group project team to arrive. Rather than constantly running between labs, he simply writes a shell script:


    # list logged-in users every 10 seconds, forever
    while true
    do
        who
        sleep 10
    done


    Harmless enough? After about 2-3 hours of use, the entire /var partition has been completely filled, which now jams the /var/spool print queue. A postgrad student attempting to laser-print a section of his Ph.D project finds that he can't, and in order to gather evidence against this denial of service attack prints the entire contents of the 'acct' file.

    Which burned up two large boxes of line printer paper. Needless to say, the sys-admin was furious and made the student sign a form requiring him never to run an infinite-loop script without permission again.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads