Slashdot Mirror


EBay Hacker's Conviction Upheld

An anonymous reader writes "The 9th Circuit Court of Appeals has ruled in the case of Jerome Heckenkamp, the former University of Wisconsin student convicted of federal computer crime charges in 2004 after hacking into Qualcomm, Cygnus Solutions and other companies, and defacing eBay. Heckenkamp was caught after a system administrator at the university hacked into his Linux box to gather evidence that Heckenkamp had been attacking the college mail server. The court ruled today that such counter-hacks are allowable under the 'special needs' exception to the Fourth Amendment, and upheld the warrantless search."

23 of 174 comments

  1. Correct decision by daveschroeder · · Score: 5, Insightful

    The University was not acting as law enforcement, as an agent of law enforcement, or at the behest of law enforcement, and thus is expressly and explicitly not covered by, or even related to, the Fourth Amendment.

    The University acted to mitigate and prevent further intrusions, the scale of which was as yet unknown, into critical University servers and infrastructure upon which tens of thousands of people and many diverse University functions depend.

    If you hack University servers from your computer (or even if the computer is being used as a zombie), and then take steps to hide your identity or otherwise conceal your activities, your network access will be removed, such removal will be actively enforced and verified, and any immediate actions required to protect the security and integrity of the University network and computing resources will be taken.

    Academic, legal, and possible criminal action will then follow, as warranted. These were exigent circumstances, and not done under the guise of law enforcement, but rather the protection of critical university resources from activities clearly and explicitly disallowed by numerous University information technology, housing, academic, and general policies (not to mention various federal and state laws).

    Also, while we're on this topic, if the situation were reversed, I can imagine slashdotters would hardly call the equivalent situation a "hack" (i.e., "the university hacked into his Linux box"). Using the typical logic, he apparently didn't protect his machine well enough, so it's okay, right? Oh, but he's on the malicious side, so he's right, and the University trying to protect itself, from someone violating just about every University policy with no expectation of privacy on the network of a public research university, is wrong?

    Let me know when you people get your stories straight.

    And please, RTFA:

    Here, Savoy provided extensive testimony that he was acting to secure the Mail2 server, and that his actions were not motivated by a need to collect evidence for law enforcement purposes or at the request of law enforcement agents. ... The integrity and security of the campus e-mail system was in jeopardy. Although Savoy was aware that the FBI was also investigating the use of a computer on the university network to hack into the Qualcomm system, his actions were not taken for law enforcement purposes. Not only is there no evidence that Savoy was acting at the behest of law enforcement, but also the record indicates that Savoy was acting contrary to law enforcement requests that he delay action.

    Under these circumstances, a search warrant was not necessary because Savoy was acting purely within the scope of his role as a system administrator. Under the university's policies, to which Heckenkamp assented when he connected his computer to the university's network, Savoy was authorized to "rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system." Savoy discovered through his examination of the network logs, in which Heckenkamp had no reasonable expectation of privacy, that the computer that he had earlier blocked from the network was now operating from a different IP address, which itself was a violation of the university's network policies.

    This discovery, together with Savoy's earlier discovery that the computer had gained root access to the university's Mail2 server, created a situation in which Savoy needed to act immediately to protect the system. Although he was aware that the FBI was already seeking a warrant to search Heckenkamp's computer in order to serve the FBI's law enforcement needs, Savoy believed that the university's separate security interests required immediate action. Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warran

    1. Re:Correct decision by The+Only+Druid · · Score: 2, Insightful

      Fantastic post. Frankly, the thread should end right here.

      --
      "Stumble before you crawl"
    2. Re:Correct decision by Nukenbar2 · · Score: 2, Insightful
      How is that different from any evidence collected from anywhere?

      Most evidence has to be authenticated by the person that recovered it. Just like if a store security guard sees you shoplifting, stops you and searches you, anything he finds, such as a bag of coke, you can be prosecuted for. How do we know he didn't plan it? He has to take the stand, swear to it, and then be cross-examined. That is how our system works, mostly.

    3. Re:Correct decision by garcia · · Score: 2, Insightful

      Problem with your logic there. If the University thinks being hacked is wrong, then why do they think hacking someone else is right? Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple.

      And the fact that this user agreed that SysAdmins may take steps to end emergency situations doesn't immediately say to me "oh, they can then hack my machine to hand over my personal files to the government without a warrant."

      To me that says, "oh, they can fucking shut off my port and block my current MAC address," but I'm not a University of Wisconsin IT staff member/zealot like Mr. Schroeder.

    4. Re:Correct decision by sumdumass · · Score: 2, Insightful

      The ninth circuit has a large percentage of rulings overturned by a higher court.

      I cannot find the quote but I think they hold over 60% of the overturns the Supreme Court has done in the last 20 or so years. They tend to have what some would call "activist decisions" and have been questioned about which constitution they were looking at when deciding some cases in the past. They tend to have a liberal interpretation of the laws too.

    5. Re:Correct decision by daveschroeder · · Score: 4, Insightful

      Its track record is clear, exactly as stated, and no matter how "liberal" it is or isn't, the 9th Circuit has a consistent record of always erring on the side of individual rights, liberties, and freedoms, and against the interests of the government, sometimes to ridiculous degrees.

      And since there's an entire huge section in Wikipedia and over 1 million hits on google for "9th circuit liberal", regardless of "how much" it's true, there is no denying that, among all appeals circuits, the 9th is the "most" liberal.

      But in this case, it's so clear cut that the University acted properly, it wasn't difficult for the court to rule on the side of the University's actions.

      The point is, the court most likely to overturn the conviction didn't. And therefore, it's reasonable to believe this is how it will remain.

    6. Re:Correct decision by bhsx · · Score: 2, Insightful

      If the University thinks being hacked is wrong, then why do they think hacking someone else is right? Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple.

      Scenario:
      You are at the mall and some psycho starts shooting everyone in sight with an AK-47. You work in the mall as an armed guard. If the mall thinks being shot at and killed is wrong, then why do they think shooting someone else is right? Two wrongs don't make a right. The shooter is a criminal, and the mall security guard is a criminal. It's that simple.
      --
      put the what in the where?
    7. Re:Correct decision by sumdumass · · Score: 2, Insightful

      There are a lot of situations where people are forced to do things that are illegal but are otherwise considered ok in the circumstances. Killing a person is illegal, killing a person to save your own life gets you a pass. Speeding is illegal, speeding away from a shootout where it is likely you could be hit by a stray gets you a pass. Jaywalking is illegal, jaywalking to get away from a crumbling building gets you a pass.

      Do you see a pattern here? Sometimes in order to protect yourself, illegal actions don't make you a criminal. It was supposed that these illegal actions were necessary and therefore don't make the universities criminal.

    8. Re:Correct decision by Waffle+Iron · · Score: 5, Insightful
      Since his computer was in a dorm room, the correct thing to do would have been to walk down to the dorm, get the local Resident Adviser or whoever is in charge to open up the room (which is undoubtedly allowed in emergency situations under the lease-like contract that students sign), unplug the network jack, and call the police. This would have had the additional benefit of clearly preserving any evidence of wrongdoing within the attacking system.

      Even if access to the room were not possible, they could have simply gone down to the router, pulled the plug on that room, and called the police.

      Illegally counter-hacking the attacking computer (which also was likely to taint any evidence in the system) was *not* necessary under the exigent circumstances.

    9. Re:Correct decision by eli+pabst · · Score: 2, Insightful

      I'm not that familiar with the case, but my question is who owned the computer that the administrator "hacked" into. If this was a University-purchased system, then I think they had every right. But if this is his own system that he purchased and simply was connected to a U of W network in his dorm then I think he had a reasonable expectation of privacy. His network traffic would be fair game, but unauthorized access is something different.

      I'm not sure how connecting to someone's network gives them the right to access my system without my consent. If I'm on a Verizon network, does that mean they can bruteforce my passwords and log onto my system, simply because I'm connected to their network? What about Starbucks?

      If the justification was to "protect the mail server" couldn't they just have physically disconnected his dorm room from the network (they knew where the first IP address was coming from)? Again, I don't know the specifics of the case so I'm more curious than trying to throw stones.

    10. Re:Correct decision by bugnuts · · Score: 2, Insightful

      Most universities with any sort of net access have rules stating that the sysadmins, in the course of their duties, can take action to stop attacks on the network.

      The sysadmin initially blocked the port and called it good, probably with the intent to inform management and let them deal with it. One could argue that "I pay tuition and I was blocked illegally" but nobody here is saying that violated any rights.

      Blocking was not sufficient to prevent the attacks, so the sysadm escalated his effort. That is a reasonable discharge of his duties IMHO, but some people are saying that this was illegal. I claim that doing nothing, or blocking the whole dorm would probably have been far worse for the rights of the students.

      It's important to consider the rights of the guilty... the last thing we need is a drumhead legal system. But the rights of the innocent must be considered first. The impact of doing nothing or blocking everything was too great.

    11. Re:Correct decision by Waffle+Iron · · Score: 3, Insightful

      After a 5-year, $50 million network upgrade, a lot of these things people are suggesting from their armchairs are now possible.

      No, the only person with an armchair problem was that guy who couldn't be bothered to get out of his and make an appropriate response to the incident. Instead, he went the lazy/fun route, kept his butt firmly planted in his chair, and took matters into his own hands as a vigilante. Now 300 million Americans have just seen their bill of rights eroded by yet another increment because the university had to set new legal precedents to cover their asses from the fallout of this poor decision.

      No matter what, they could have blocked access from the entire dorm for the hour or two that it would have taken to sort out the problem legally. If their network management was sooooo crappy that even that couldn't be done, they should have just turned off their own goddamned mail server to protect it from this omnipotent hacker that was apparently impervious in his dorm room a couple of blocks away. Committing new federal felonies as a first option was not the answer.

    12. Re:Correct decision by woolio · · Score: 2, Insightful

      Indeed...

      I'd say remotely unplugging the room at the router is probably better than entering the room and unplugging the computer.

      That way the admin would never obtain *physical* access to the computer (e.g. this removes a tiny amount of doubt that he could have tampered with the computer, e.g. with a boot disk/cd before the police arrive).

    13. Re:Correct decision by Anonymous Coward · · Score: 1, Insightful

      Maybe they had other options. As it happens, the one he chose was against the law, so it wasn't an option. He did it anyway and is apparently getting away scot free.

    14. Re:Correct decision by Brad+Eleven · · Score: 2, Insightful

      Right, exactly. The network, at least, and possibly the computer are/were the property of the University, so it has every right to inspect. This doesn't mean that the University was in its rights to turn over evidence to law enforcement, however; their rights end at the limits of their policy. That is, they could expel the student, even levy fines, penalties, whatever their policy provides for.

      This is the same argument for not using resources at work for your own purposes. You can be fired, your employer can file civil suits, etc., because the computers, the network, the desk you sit at, etc., belong to the employer.

      I think that the defense lawyer could have filed for suppression of the evidence obtained from the University, since it constitutes illegal search and seizure. Funny thing about these rights; they're subject to interpretation by judges, all the way to the Supreme Court. Even at that level, precedents can be set in their ultimate interpretation which are then used to apply to similar cases. Of course, these can be overturned in future by other judges, even by Constitutional amendment.

      The long and the short of it seems to be that once the police have got you, there's very little you can do about it if you're denied bail--or worse yet, access to counsel and/or the evidence and the charges against you. The latter often require counsel, e.g., prosecutors can and do simply refuse to speak with non-attorneys.

      There is the law, and then there is policy. The former is a set of ideals; the latter is a matter of practice.

      --
      "Press to test."
      (click)
      "Release to detonate."
  2. Implications for RIAA/MPAA lawsuits by Anonymous Coward · · Score: 4, Insightful

    I'm a bit scared as to what this will mean for RIAA attacks against innocent people accused of file sharing. If "self help" is available for the university when someone hacked their server, why WOULDN'T the courts allow "investigators" working for the MAFIAA to hack into computers to determine if they were "pirating" music or movies?

  3. Excellent by Capt+James+McCarthy · · Score: 1, Insightful

    I knew two wrongs make a right. (obviously if it benefits certain organizations only)

    --
    There are no loopholes. It's either legal or it's not.
  4. Forensics Anyone? by madsheep · · Score: 4, Insightful

    Ok this just sounds a bit ridiculous. This is essentially vigilante cyber justice. Now it had a bit more of a law enforcement/good guy vs bad guy twist, but I just don't see how this can be allowed. Where is this special need and why was this an acceptable method to go about anything?

    Is anyone familiar with forensics? "Hacking" into another machine alters a ton of stuff... even if you're just logging in remotely with username/password you found. You've changed login dates, profiles, logs, etc. How would this sysadmin have known this machine wasn't already compromised and was just being used as a launching point?? If this was the case and the guy adamantly denied having been a part of it, he would have essentially *ruined* any and all evidence. This is just ridiculous.

  5. There they go again by oldmacdonald · · Score: 2, Insightful

    Those darned liberals, always standing up for individual rights.

  6. Not even a close question. by Anonymous Coward · · Score: 2, Insightful

    The fourth amendment applies only to the state's action to investigate. So really the question here was whether the admin's knowledge of police activity made him an agent of the state. I don't see this case raising even a remotely close question. The admin did what any admin ought to do. Even if the admin's activities were illegal, he could get prosecuted, but the evidence is admissible.

    Just to hammer things home, if a thief breaks into your house and then turns in evidence of illegal doings over to the police, the fourth amendment won't exclude the evidence or any further evidence uncovered by the police based on a later search warrant.

  7. Re:Told you So... by jonesy16 · · Score: 2, Insightful

    A poetic response, so concise that I can't even comment about spelling or grammar. Anyhow, nice to see the world must be coming to an end if Slashdot's frontpage makes reference to a Linux box being hacked.

    Regardless, as a former residential network admin at my college, I fully understand the position of the university. All students on my previous campus, anyway, were made to sign a use agreement prior to connecting their computers to the network. That agreement ensured the university's authority in maintaining a safe and legal network for all connected computers which included being able to shut down hackers, file sharers, etc. It is interesting to see that this sort of information can be submitted in a court case though. I still have no pity for this kid and hope he spends a lot of time in jail trying to build a computer from toothpicks and creamed corn. Watch your "backdoor" kid.

  8. Re:Told you So... by jonesy16 · · Score: 2, Insightful

    RTFC, at no point did I promote/encourage/favor the unethical treatment of said convict's posterior. Secondly, you added the "violent" part all on your own. Sweet dreams.

  9. Re:Told you So... by Rosonowski · · Score: 2, Insightful

    Watch your "backdoor" kid. would imply that you would condone such things within our prison system. We're trying to rehabilitate people, and that's not going to help. As for violent, do you know of any other kind of rape?

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010