EBay Hacker's Conviction Upheld

An anonymous reader writes "The 9th Circuit Court of Appeals has ruled in the case of Jerome Heckenkamp, the former University of Wisconsin student convicted of federal computer crime charges in 2004 after hacking into Qualcomm, Cygnus Solutions and other companies, and defacing eBay. Heckenkamp was caught after a system administrator at the university hacked into his Linux box to gather evidence that Heckenkamp had been attacking the college mail server. The court ruled today that such counter-hacks are allowable under the 'special needs' exception to the Fourth Amendment, and upheld the warrantless search."

Correct decision

[daveschroeder]

The University was not acting as law enforcement, as an agent of law enforcement, or at the behest of law enforcement, and thus is expressly and explicitly not covered by, or even related to, the Fourth Amendment.

The University acted to mitigate and prevent further intrusions, the scale of which were as yet unknown, into critical University servers and infrastructure upon which tens of thousands of people and many diverse University functions depend.

If you hack University servers from your computer (or even if the computer is being used a zombie), and then take steps to hide your identity or otherwise conceal your activities, your network access will be removed, such removal will be actively enforced and verified, and any immediate actions required to protect the security and integrity of the University network and computing resources will be taken.

Academic, legal, and possible criminal action will then follow, as warranted. These were exigent circumstances, and not done under the guise of law enforcement, but rather the protection of critical university resources from activities clearly and explicitly disallowed by numerous University information technology, housing, academic, and general policies (not to mention various federal and state laws).

Also, while we're on this topic, if the situation were reversed, I can imagine slashdotters would hardly call the equivalent situation a "hack" (i.e., "the university hacked into his Linux box"). Using the typical logic, he apparently didn't protect his machine well enough, so it's okay, right? Oh, but he's on the malicious side, so he's right, and the University trying to protect itself, from someone violating just about every University policy with no expectation of privacy on the network of a public research university, is wrong?

Let me know when you people get your stories straight.

And please, RTFA:

Here, Savoy provided extensive testimony that he was acting to secure the Mail2 server, and that his actions were not motivated by a need to collect evidence for law enforcement purposes or at the request of law enforcement agents. ... The integrity and security of the campus e-mail system was in jeopardy. Although Savoy was aware that the FBI was also investigating the use of a computer on the university network to hack into the Qualcomm system, his actions were not taken for law enforcement purposes. Not only is there no evidence that Savoy was acting at the behest of law enforcement, but also the record indicates that Savoy was acting contrary to law enforcement requests that he delay action.

Under these circumstances, a search warrant was not necessary because Savoy was acting purely within the scope of his role as a system administrator. Under the university's policies, to which Heckenkamp assented when he connected his computer to the university's network, Savoy was authorized to "rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system." Savoy discovered through his examination of the network logs, in which Heckenkamp had no reasonable expectation of privacy, that the computer that he had earlier blocked from the network was now operating from a different IP address, which itself was a violation of the university's network policies.

This discovery, together with Savoy's earlier discovery that the computer had gained root access to the university's Mail2 server, created a situation in which Savoy needed to act immediately to protect the system. Although he was aware that the FBI was already seeking a warrant to search Heckenkamp's computer in order to serve the FBI's law enforcement needs, Savoy believed that the university's separate security interests required immediate action. Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warran

Re:Correct decision

[The+Only+Druid]

Fantastic post. Frankly, the thread should end right here.

Re:Correct decision

[Score+Whore]

Last Post!

Re:Correct decision

[stecoop]

You forgot to add that Odds are that the 9th Circuit will get overturned...AGAIN!

Can you guarantee that the System Admin didn't plant the evidence or the evidence was otherwise compromised? Well, now here is the problem, since you said you can guarantee it, that anyone that is called a System Admin is now allowed to plant evidence and vigilantism rules the internet.

Re:Correct decision

[daveschroeder]

Well, the 9th Circuit (which issued this ruling) is a very liberal court, which routinely sides with privacy, individual rights, and personal liberties, and does not err on the side of the state. So you can rest assured that any appropriate protections afforded Heckencamp were more than duly considered.

You may be interested in reading the entire ruling.

The applicable bit:

Once a court determines that the special needs doctrine
applies to a search, it must "assess the constitutionality of the
search by balancing the need to search against the intrusiveness
of the search." Henderson, 305 F.3d at 1059 (citing Ferguson,
532 U.S. at 78). The factors considered are the subject
of the search's privacy interest, the government's interests in
performing the search, and the scope of the intrusion. See id.
at 1059-60.

[...]

The district court did not err in denying the motion to
suppress the evidence obtained through the remote search of
the computer.

[...]

Here, even without the evidence gathered through the
allegedly improper search, there is sufficient information in
the affidavit to establish probable cause. The affidavit recited
evidence that the server intrusion had been tracked "to a campus
dormitory room computer belonging to Jerome T. Heckenkamp";
that "[t]he computer is in Room 107, Noyes House,
Adams Hall on the University of Wisconsin-Madison"; and
that "Heckenkamp previously had a disciplinary action in the
past for unauthorized computer access to a University of Wisconsin
system." This was sufficient evidence to obtain the
warrant to search "Room 107, Noyes House, Adams Hall."

So, the search warrant exemption applied, and even without the information in question, there was, regardless, already sufficient information for a search warrant.

Re:Correct decision

[jrockway]

> Using the typical logic, he apparently didn't protect his machine well enough, so it's okay, right? Oh, but he's on the malicious side, so he's right, and the University trying to protect itself, from someone violating just about every University policy with no expectation of privacy on the network of a public research university, is wrong?

Problem with your logic there. If the University thinks being hacked is wrong, then why do they think hacking someone else is right? Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple.

Re:Correct decision

[daveschroeder]

The reason the 9th Circuit gets overturned is because it's a very liberal court that is often seen as out of step with prevailing views.

It also is very protective of personal and individual rights, liberty, and privacy, and does not err on the side of law enforcement or the state. It is probably statistically the most likely court to rule against the interests of the government and for the interests of the individual.

This one's not going to be overturned.

Also, you should really, really read the ruling.

Re:Correct decision

[Nukenbar2]

How is that different from any evidence collected from anywhere?

Most evidence has to be authenticated by the person that recovered it. Just like if a store security guard see you shop-lifting, stops you and searches you, anything he finds, such as a bag of coke, you can be prosecuted for. How do we know he didn't plan it? He has to take the stand, swear to it, and then be cross-examined. That is how our system works, mostly.

Re:Correct decision

[garcia]

Problem with your logic there. If the University thinks being hacked is wrong, then why do they think hacking someone else is right? Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple.

And the fact that this user agreed that SysAdmins may take steps to end emergency situations doesn't immediately say to me "oh, they can then hack my machine to hand over my personal files to the government without a warrant."

To me that says, "oh, they can fucking shut off my port and block my current MAC address," but I'm not a University of Wisconsin IT staff member/zealot like Mr. Schroder.

Re:Correct decision

[daveschroeder]

You missed one critical point. The exigent circumstances allowed the University to take legally take necessary actions to protect its computing and network resources and infrastructure, and the court upheld this.

The University was clearly correct in taking steps to ensure that the network access of the offending computer, in violation of numerous University policies and actively putting critical systems and services in jeopardy to unknown scope, was terminated and remained terminated in an emergent situation.

It's that simple. And even the 9th Circuit agrees with the University's actions.

Re:Correct decision

[sumdumass]

The ninth circuit has a large percentage of rulings overturned by a higher court.

I cannot find the quote but I think they hold over 60% of the overturns the supreme court has done in the last 20 or so years. They tend to have what some would call "activist decisions" and have been questioned about which constitution they were looking at when deciding some cases in the past. The tend to have a liberal interpretation of the laws too.

Re:Correct decision

[daveschroeder]

Its track record is clear, exactly as stated, and no matter how "liberal" it is or isn't, the 9th Circuit has a consistent record of always erring on the side of individual rights, liberties, and freedoms, and against the interests of the government, sometimes to ridiculous degrees.

And since there's an entire huge section in Wikipedia and over 1 million hits on google for "9th circuit liberal", regardless of "how much" it's true, there is no denying that, among all appeals circuits, the 9th is the "most" liberal.

But in this case, it's so clear cut that the University acted properly, it wasn't difficult for the court to rule on the side of the University's actions.

The point is, the court most likely to overturn the conviction didn't. And therefore, it's reasonable to believe this is how it will remain.

Re:Correct decision

[bhsx]

If the University thinks being hacked is wrong, then why do they think hacking someone else is right? Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple. Scenario:
You are at the mall and some psycho starts shooting everyone in sight with an AK-47. You work in the mall as an armed guard. If the mall thinks being shot at and killed is wrong, then why do they think shooting someone else is right? Two wrongs don't make a right. The shooter is a criminal, and the mall security guard is a criminal. It's that simple.

Re:Correct decision

[daveschroeder]

You forgot the whole part about how even without the allegedly improperly obtained information, there was still sufficient evidence for a search warrant.

Also, at the time that this incident occurred, there wasn't an integrated capability to block MACs on the Housing network by the central IT organization, for various reasons. The most immediately available option was blackholing the IP, which was done, at which point the user simply manually assigned himself an unused IP on the DHCP network and continued malicious activity. The central IT organization does not operate the Housing network, and also didn't have immediate capability to physically disable ports in dorm rooms.

Today, we have all of those capabilities. Then, the only option for dealing with a very critical situation was taking all steps to actively ensure and verify that this computer did not come back on the network during the evolving emergency situation occurring over a very short period of time.

Re:Correct decision

[sumdumass]

There are a lot of situations were people are forced to do things that are illegal but is otherwise considered ok in the circumstances. Killing a person is illegal, killing a person to save your own life gets you a pass. Speeding is illegal, speeding away from a shootout where it is likely you could be hit by a stray gets you a pass. Jaywalking is illegal, jaywalking to get away from a crumbling building gets you a pass.

Do you see a pattern here? Sometimes in order to protect yourself, illegal actions don't' make you a criminal. It was supposed that these illegal actions were necessary and therefore don't make the universities criminal.

Re:Correct decision

[stecoop]

Thats right, cross examination solves the problem. Never mind that the perpetrator plead guilty.

You just missed the little fact about due process.

Re:Correct decision

[daveschroeder]

Yes.

Cutting off his network access wouldn't have been able to happen immediately. The central IT organization does not operate or have physical access to the Housing network. The only option, at the time this occurred, was blackholing the IP and ensuring insofar as was possible that the same computer not reappear on the network and continue malicious activities.

Today, after a 5-year, $50 million network upgrade, there are numerous options for blocking MACs, remotely disabling network ports, and so on. None of these options were available at that time. So in an emergency situation, everything was done to ensure that intrusions into critical systems and infrastructure, possibly broader than were even known at that time, would be stopped as soon as possible, which included actively ensuring that the same computer not reappear on the network. At that time, there wouldn't have even been an easy way to see the MAC on the Housing network, so verifying that it was indeed the same computer and then taking mitigating steps was the best immediate emergency option.

Re:Correct decision

[Nukenbar2]

I guess then he was guilty. The system works.

Re:Correct decision

[Kythe]

Whether there was sufficient evidence for a warrant is irrelevant -- as you yourself noted, the University is not a law enforcement entity, nor were they working in that capacity.

Additionally, whether the University had the means to sufficiently control its network is also not relevant to whether they had the right to break the law -- unless the man in question specifically allowed hacking into his computer by agreement. Did he do so?

IANAL, but I wouldn't be terribly surprised to see a lawsuit against the university over their actions. Frankly, I'm rather surprised no one has been charged with hacking the man's computer. Perhaps it's being "overlooked" due to the obviously bad actor involved -- but IMHO it shouldn't be. OKing this sort of vigilantism is a pretty dangerous thing to do, on many levels.

Re:Correct decision

[Waffle+Iron]

Since his computer was in a dorm room, the correct thing to do would have been to walk down to the dorm, get the local Resident Adviser or whoever is in charge to open up the room (which is undoubtedly allowed in emergency situations under the lease-like contract that students sign), unplug the network jack, and call the police. This would have had the additional benefit of clearly preserving any evidence of wrongdoing within the attacking system.

Even if access to the room were not possible, they could have simply gone down to the router, pulled the plug on that room, and called the police.

Illegally counter-hacking the attacking computer (which also was likely to taint any evidence in the system) was *not* necessary under the exigent circumstances.

Re:Correct decision

[Kythe]

You are at the mall and some psycho starts shooting everyone in sight with an AK-47. You work in the mall as an armed guard. If the mall thinks being shot at and killed is wrong, then why do they think shooting someone else is right? Two wrongs don't make a right. The shooter is a criminal, and the mall security guard is a criminal. It's that simple.

There are specific laws involved in self defense, as well as laws that govern people who carry weapons as part of their job. The two situations simply aren't comparable. Unless, of course, you can find statutes that say the university had the power break computer crime laws and hack the man's computer?

Re:Correct decision

[eli+pabst]

I'm not that familiar with the case, but my question is who owned the computer that the administrator "hacked" into. If this was a University-purchased system, then I think they had every right. But if this is his own system that he purchased and simply was connected to a U of W network in his dorm then I think he had a reasonable expectation of privacy. His network traffic would be fair game, but unauthorized access is something different.

I'm not sure how connecting to someones network gives them the right to access my system without my consent. If I'm on a Verizon network, does that mean they can bruteforce my passwords and log onto my system, simply because I 'm connected to their network? What about Starbucks?

If the justification was to "protect the mail server" couldn't they just have physically disconnected his dorm room from the network (they knew where the first IP address was coming from). Again, I don't know the specifics of the case so I'm more curious than trying to throw stones.

Re:Correct decision

[Slippery+Pete]

Because UW is a government facility, does that affect this at all? Are they able to make choices that would backfire on a privately owned company or college? Does the government have any extra access to their information due to the fact they are state funded? I don't know how much seperation of government there is between a state college and the federal goverment or how much the government can lean on them due to the fact that is where some of their money comes from.

Re:Correct decision

[daveschroeder]

He did have an expectation of privacy, and the court held that.

It also held that the emergency search fell under the doctrine of the "special needs" exemption to the Fourth Amendment.

These two principles were balanced, and special needs won out.

I really wish people would read the ruling, as it speaks in great detail about the principles of privacy, expectations thereof, why the search was acceptable in these circumstances, and so on.

Re:Correct decision

[Ardeaem]

AFAIK, you are wrong, and that is simply spin. A quick google search yielded this: http://mediamatters.org/items/200511090012

During its 2004-05 term, the Supreme Court reversed 84 percent of the cases it chose to hear from appeals of 9th Circuit decisions, compared to a 73 percent average reversal rate for all circuit courts of appeals.* But the high court reversed 100 percent of the decisions it heard from the 1st, 2nd, and 10th Circuit Courts of Appeals.* Moreover, as Media Matters for America has documented, the 9th Circuit's reversal rate was slightly lower than the national average for all circuit courts during the 2003-04 Supreme Court term (76 percent for 9th Circuit vs. 77 percent nationally), and only slightly higher than the national average during the 2002-03 term (75 percent for 9th Circuit vs. 73 percent nationally) and the 2001-02 term (76 percent for 9th Circuit vs. 75 percent nationally). and

While it is true that the Supreme Court has reversed more decisions by the 9th Circuit than by any other circuit court in terms of numbers alone, the 9th Circuit has a far bigger caseload than any other circuit (including the U.S. Court of Appeals for the Federal Circuit). People have tried to label them as some kind of crazy pinko judges, always on the wrong side of the Supreme Court, but it isn't true. And even if it WERE, with some of the decisions we've gotten lately you could do much better than always siding with the Supreme Court.

Re:Correct decision

[Kythe]

It also held that the emergency search fell under the doctrine of the "special needs" exemption to the Fourth Amendment.

Speaking as one who has read the ruling, I'll simply note that it applied to whether or not the evidence was admissable (a matter of law, as this is an appeal), not whether the university was right to hack the man's computer. In fact, reading the ruling, it would appear that that might not be the case.

However, I would also imagine that the limited nature of the search and the circumstances would weigh heavily in favor of the network admin who broke into the guy's computer.

Re:Correct decision

[bugnuts]

Most universities with any sort of net access have rules stating that the sysadmins, in the course of their duties, can take action to stop attacks on the network.

The sysadmin initially blocked the port and called it good, probably with the intent to inform management and let them deal with it. One could argue that "I pay tuition and I was blocked illegally" but nobody here is saying that violated any rights.

Blocking was not sufficient to prevent the attacks, so the sysadm escalated his effort. That is a reasonable discharge of his duties IMHO, but some people are saying that this was illegal. I claim that doing nothing, or blocking the whole dorm would probably have been far worse for the rights of the students.

It's important to consider the rights of the guilty... the last thing we need is a drumhead legal system. But the rights of the innocent must be considered first. The impact of doing nothing or blocking everything was too great.

Re:Correct decision

[jafiwam]

You would think this brain-dead idiot would clue into the fact the U was onto him at that point and bounce off a zombie somewhere instead.

This guy needs to go to jail because he's too stupid to not get himself hurt crossing the street.

Durrrr.....

Re:Correct decision

[daveschroeder]

I don't get that from the ruling. While speaking to the admissibility of evidence in the criminal proceedings, the underlying act itself was specifically exempted under special needs. This puts it on solid legal ground as far as the 9th Circuit and the original ruling court are concerned.

Re:Correct decision

[Sancho]

It's called a managed switch, and if they don't have them, their network could use some work.

Re:Correct decision

[TheZax]

Two wrongs don't make a right. The hacker is a criminal, and the University (employee that did the hacking) is a criminal. It's that simple.

That's the problem with oversimplification, it simply isn't that simple. Say someone starts punching me, and I start punching them back. Do 2 wrongs make a right, or am I just defending myself ?

Clearly the University was trying to safeguard its' mail server, from someone on the university network. You seem to have missed all that when you boiled it down to 2 equal wrongs. While there is still a good argument against what the University did, it really isn't that simple.

Re:Correct decision

[Kythe]

the underlying act itself was specifically exempted under special needs.

Again, this was specifically for the purpose of determining the admissibility of the evidence. The 9th Circuit was addressing an appeal, so could only rule on matters of law pertaining to that appeal.

Whether or not the university sysadmin would be convicted under the circumstances is a fairly open question, if he were charged with unauthorized access of a computer system. Now that I've read the ruling and the facts considered, it certainly doesn't look like this was "cyber vigilantism" under the normal definition of the term, nor was it for any of the normal purposes one might think of that make such unauthorized access illegal in the first place. It was directly intended to stop impending harm to the network, once the sysadmin had a reasonable suspicion he had the right guy. So I rather suspect that in this circumstance the sysadmin wouldn't be convicted even if charges were brought against him.

But again, I'm not a lawyer.

Darned good thing he didn't go further, though.

Re:Correct decision

[Kythe]

As the ruling itself stated, there was nothing in the university rules that made hacking the man's computer OK. They found the evidence admissible as a matter of law, not the university terms of service.

Re:Correct decision

[geekoid]

"Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school "

because the4 contitution should only be upgheld if it's conveniant.

Re:Correct decision

[daveschroeder]

I think we essentially agree on the basic points here.

I understand that this ruling is only speaking to the conviction that is unrelated to the University efforts with regard to ensuring this computer remained off the network.

However, since special needs only applies to the explicit and direct action the University took, while this ruling is speaking specifically to the appeal of the conviction, it is still reasonable to believe that the action itself would be viewed legal upon consideration of that action alone. In other words, if that action is legal and allowable under special needs in this context, it's intrinsically legal and allowable on its own for the purpose it was intended to serve, namely, the protection of the University network and computing resources. At least, that is, in the view of the 9th Circuit - and I understand the 9th Circuit has no standing to comment on that issue alone, but I trust you see that this as a reasonable conclusion.

I do agree with your other observations, but I'm not even sure that any prosecutorial entity could be persuaded to bring changes, especially in the light of the 9th Circuit ruling, even if it is tangential.

Re:Correct decision

[Kythe]

Guess I should modify the above, for consistency.

The ruling in question didn't address whether hacking the man's computer was right or wrong under the law.

However, unless the terms of service directly allows an admin to obtain unauthorized access in the name of protecting the network, I would bet the "terms of service" argument wouldn't hold up.

To me, the factors that would save the university sysadmin are the extremely limited nature of the break-in, as evidence for the purpose of that break-in, and the circumstances (the fact that he had reasonable concern that immediate damage could be done to the network). What the sysadmin did may very well be illegal, but whether he'd be charged or convicted under the circumstances is a different story.

And as always, IANAL.

Re:Correct decision

[geekoid]

"Do you see a pattern here?"

yes, clearly you have no idea how to keep an anology in context.

Re:Correct decision

[NeutronCowboy]

You know, I thought that this was indeed a very well written post, and was nodding my head until... well, until this line:

"Let me know when you people get your stories straight."

Yeah, because we, the collective Slashdot posters, have an oligation to you to speak with one voice. We ought to ensure that everyone in our midst presents the same argument. If they disagree, we ought to silence them so they will not disturb the unified presentation. We are Borg of Slashdot.

Seriously, either talk to specific people ("nickfoo, get your story straight"), say "some people" or don't bring this up. I'm not slashdot, you are not slashdot, and I'm pretty sure no one here likes to be lumped under the general heading "Slashdot poster". Say what you have to say, but leave the "you people" out of it. It brings down the rest of your post.

Re:Correct decision

[geekoid]

This is the Problem:
What recourse does the person have if the Admin planted evidence?

This may or may not be the case here(probably not) but we know how petty people who illusions of power can behave, espcially in college.

Re:Correct decision

[jelton]

I have read TFA and I agree with the holding in this case. I even agree that, given the context, Savoy's actions were justified. But, this holding does not exonerate counter-hacking in general. At the bottom of the article, there is a link to another article discussing why vigilantism is a poor response to cyberattcks. I suggest all interested parties read that freaking article, too.

The truth is, change a few facts in this case (say, the terms in the University's network access or housing agreements) and you get an entirely different scenario. In your posting, you said:

If you hack University servers from your computer (or even if the computer is being used a zombie), and then take steps to hide your identity or otherwise conceal your activities, your network access will be removed, such removal will be actively enforced and verified, and any immediate actions required to protect the security and integrity of the University network and computing resources will be taken [emphasis added].

But, if the attacker lives off-campus (say, on Mifflin Street) and was accessing the University through, say, a shell account, then only the network access agreement governs the University response. Does the university still have a contractual right to hack the student's computer? Their shell account is probably up for grabs, but, hopefully, not their home computer. And if the home computer is legally vulnerable, then perhaps the student government needs to step in and discuss these terms with the University's administration. I am not convinced that either public policy or the student's best interests are served by an agreement that allows even fettered access to a computer that is not physically, directly connected to the University network without first obtaining a warrant.

The concerns expressed here on Slashdot only serve to highlight the fact that the law is always trying to catch up to the real world. Accordingly, I was a bit confused by the defensive stance taken in your initial post and could not help but feel that you were trying to imply that nearly any means undertaken by the University IT department are justified to protect the network. If I misconstrued the tenor of your posting, please chalk it up to the especially weak cup of coffee I had this morning. If I did not, then I can only say that your immediate defensive posture should be a concern for any UW students reading this board. This ruling does not provide University IT staff carte blanche access to student computers. Furthermore, many of the questions posed by other Slashdotters are valid concerns and should, perhaps, be given due consideration, rather than shouting "RTFA" everytime one of them questions the situation.

How about a dialog, rather than a shouting match? ("You must be new here" posts to follow.)

Re:Correct decision

[Mister+Whirly]

So why didn't they just track down the "hacker" and kill him? I mean after all they have a right to protect their systems, apparently by any means necessary, legal or not...

Re:Correct decision

[Xofer+D]

Mr. Schroeder,

Thanks for your clear and unambiguous post. I was with you, right up until this bit:

Also, while we're on this topic, if the situation were reversed, I can imagine slashdotters would hardly call the equivalent situation a "hack" (i.e., "the university hacked into his Linux box"). Using the typical logic, he apparently didn't protect his machine well enough, so it's okay, right? Oh, but he's on the malicious side, so he's right, and the University trying to protect itself, from someone violating just about every University policy with no expectation of privacy on the network of a public research university, is wrong? Let me know when you people get your stories straight.

Slashdot is not a single entity with a number of spokespeople, like a corporation or a natural person. It is not a team or club, or a "side". It is a place where many individuals can go and post arbitrary text. There is no reason for you to think that "we people" are in fact "a" people - that is, there is no reason for any of these individuals - including you and I - to get our stories "straight". Further, you seem to be quite capable of debating this (frequently held) opinion on its merits, which would be a much better contribution to the discussion and more likely to convince the opinion's holders. Ultimately, this addition to your post dramatically detracts from your otherwise clear and rational analysis of the situation by making it needlessly hostile and challenging.

Please remember that you are most likely upset about a fourteen year old middle class boy's whine. Put it in perspective and don't let it get under your skin.

Re:Correct decision

[NeutronCowboy]

Something else I wish: that "liberal" stops being usurped by paleolithic talking heads as a swear word. Liberal is not a 4-letter word, and the ideas behind liberalism are not anathema to the American spirit.

Re:Correct decision

[daveschroeder]

This was 7 years ago, and all network resources (access, authentication, topology), among many other things, were not centrally managed.

There were a limited amount of things that could be done centrally. One of them was blackholing IPs. Physically disabling the port was also not possible in a timely manner.

After a 5-year, $50 million network upgrade, a lot of these things people are suggesting from their armchairs are now possible. But they weren't then. This was an IMMEDIATE situation that required emergency action.

This isn't as easy as it seems on a decentralized campus with 18000 staff, 45000 students, and 850 buildings, with the dorms run by a complete distinct university department (including, at the time and still today to an extent, the network), and so on.

Re:Correct decision

[FreakinSyco]

But.. but.. think of all that walking he saved himself from!

Re:Correct decision

[daveschroeder]

Because that would not have been appropriate.

This was. And the 9th Circuit agrees. It probably wouldn't have agreed that murder was an appropriate response, whereas this intrusion for protective purposes was, on balance.

Read the ruling. It's pretty informative.

Re:Correct decision

[daveschroeder]

I think part of the issue is one that you mention: the fact that it is our own house.

Students and everyone else using University network and computing resources agree to abide by the University's policies on appropriate use of these resources.

While one might argue that if the RIAA believes its interests critically need to be protected, why wouldn't they be able to use the same tactics? But the RIAA has no standing with the University or its students in that manner. They have a general legal standing to protect the content under their purview, and can apply ordinary legal means to protect that content. I also highly doubt that special needs exemptions to the Fourth Amendment would apply to the RIAA in such an argument.

But in the case of the University, students, staff, and faculty have a direct relationship with the University, and there is a mutual understanding on appropriate usage of University resources. There is a level of expectation that persons and devices on the network will comply with these guidelines. And in an emergency situation such as this, it really came down to all resources being brought to bear to secure critical infrastructure under active attack.

This is also a unique situation because the attack originates from a University building on University property by a University-affiliated person. This would be different if it were, as you say, someone on Mifflin Street in a private residence on a cable modem connection (University-affiliated or not), or someone coming in from Duke University, etc.

Today we have tools that would have allowed for much easier blocking and mitigation, instead of a cat-and-mouse game of someone continually (and foolishly) regaining network access to continue known-malicious activities. But at this point, and in a rapidly evolving situation, it wouldn't have been practical or possible to immediately disable this person's network access. The immediacy and potential impact of the situation demanded that reasonable steps be taken to protect University assets and services.

While the 9th Circuit ruling only speaks to the conviction and the admissibility of evidence in that case, it does fairly clearly decide that while Heckencamp did indeed have an expectation of privacy, the special needs outweighed Heckencamp's right or expectation to privacy. It's likely that a court viewing that event alone would also reach the same conclusion that the 9th Circuit and the original ruling court did. Namely, that the steps taken by the University to protect itself - including taking direct action to verify and mitigate the immediate actions of the attacking host - were appropriate, on balance.

This isn't at all a blank check for "vigilantism" by administrators, nor did I say it was; rather, it is recognition of the fact that exigent circumstances, that are clearly identifiable as such, may sometimes call for an unorthodox response, and that such a response can be legal when taken from a protective posture with a broad scope. And by that definition and in the context of such recognition by the 9th Circuit, this wasn't really "vigilantism" at all.

Re:Correct decision

[keraneuology]

How does browsing through tmp block an account? He had verified that the computer was the same one that had been previously blocked but decided to give the hacker an additional 15 minutes of time which could have been used to cause additional damage on the university's network. Since the sysadmin was taking the time to snoop it should be clear that he was going beyond what was necessary in the emergency situation. A cop kicks in a door because he hears a scream and finds a woman bleeding to death on the floor. Instead of calling an ambulance or otherwise rendering aid he takes 15 minutes to wander through the house to search for drugs. Proper action?

Re:Correct decision

[daveschroeder]

Too right.

I should have said (and, believe it or not, actually intended to say) "some slashdotters", not "slashdotters".

Re:Correct decision

[Mister+Whirly]

Breaking the law was their appropriate response. All I'm saying is if it is appropriate to break one law, why not all of them? How is breaking the law in the exact same manner as the "hacker" justified in their case? Makes no sense. Laws should apply to eveyone, not just "the bad guys". With all the evidence the sysadmin had acquired without breaking the law, it seems like he could have gone to the proper law enforcement authorities and let them handle the "case building evidence" phase.

Re:Correct decision

[kad77]

It's only that simple to simpletons. GTFO.

Re:Correct decision

[Waffle+Iron]

After a 5-year, $50 million network upgrade, a lot of these things people are suggesting from their armchairs are now possible.

No, the only person with an armchair problem was that guy who couldn't be bothered to get out of his and make an appropriate response to the incident. Instead, he went the lazy/fun route, kept his butt firmly planted in his chair, and took matters into his own hands as a vigilante. Now 300 million Americans have just seen their bill of rights eroded by yet another increment because the university had to set new legal precedents to cover their asses from the fallout of this poor decision.

No matter what, they could have blocked access from the entire dorm for the hour or two that it would have taken to sort out the problem legally. If their network management was sooooo crappy that even that couldn't be done, they should have just turned off their own goddamned mail server to protect it from this omnipotent hacker that was apparently impervious in his dorm room a couple of blocks away. Committing new federal felonies as a first option was not the answer.

Re:Correct decision

[JAFSlashdotter]

[...] I'm pretty sure no one here likes to be lumped under the general heading "Slashdot poster".

Hey! I do!

Re:Correct decision

[daveschroeder]

If you are a system administrator responsible for securing a network that serves 65000 people on a public research campus with a $2.1 billion annual budget, and you take actions to defend it from active a malicious attack that originating from the facility's own property and network by a person who is affiliated with your facility in violation of numerous policies of said facility, and this were nearly a decade ago and other suitable avenues for denying the attacker access weren't immediately available, then your emergency actions, too, may be considered appropriate by a court.

Does that help to answer your question?

Re:Correct decision

[jelton]

A good reply! Thanks for the well-thought out response.

As for the RIAA fears, I mostly chalk those comments up to the Slashdot RIAA conspiracy mania and tend to ignore them. I do agree that when the user is in the university's house (as you put it), they are, by definition, giving up some privacy. The hypothetical I posed (someone living in off campus private housing) was designed to focus in on the question I find so compelling in this story: To what extent does this ruling affect the admissibility of the evidence in a future case with similar, but not identical, circumstances? I think the controversy is in determining how much privacy best satisfies all parties involved.

Moreover, I tried to make my prior posting consistent with the fact that this incident took place in 1999. Even so, I still think that any justification for a system adminstrator breaking in to a user's computer should be fully scrutinized, batted back and forth and discussed. Here, in the real world and in the courts. And since that debate is what we all appeared to be engaged in, the system appears to be working. Also, if I jumped the gun on implying the ruling was being construed as a blank check on system admin vigilantism, I apologize. I didn't mean to state that quite so forcefully, but as more of a gentle reminder. That said, I do think calling counter-hacking an "unorthodox response" engages in euphamism that strains normal conceptions of right and wrong, even in exigent circumstances.

Finally, I'm still curious about the initially defensive nature of your first post. I'm not trying to step on toes here, but I would like to know what prompted that tone out of the gate. Was it a reflexive response to a presumption (potentially a good one) that Slashdotters would jump to the predictable and wrong-headed conclusion that Heckencamp's rights were violated or was it something else?

Re:Correct decision

[Plutonite]

I agree, the sysadmin's response seems very reasonable, and it is quite hard to conceive of any other form of action given that a warrant was already being sought, and the threat to the university systems was immediate.

The articles give a pretty vague picture of what happened though, because they say the passowrds to the .200 IP were the same as the ones to the 117 one, which Savoy had obtained earlier. My question is: why did Savoy wait and take a defensive stance if he had already cracked the machine before?.

Also, would you care to give us some insider geek-info on the counter hacks? It is always amusing to see this sort of thing, with a supposed "hacker" having ssh wide open with easily an guessable pass. Or was this more involved? Just curious.

Re:Correct decision

[daveschroeder]

The issue is that this ruling doesn't speak to the legality of the action itself; only that the action was legal insofar as it applied to the case at hand. This, of course, means that a court would likely consider the action allowable and appropriate on its own, as well, but that's why this doesn't speak to anything else other than this specific act. In other words, this doesn't really set a precedent for such activity to begin taking place wholesale, or to target systems off campus, etc. This just happened to be a fairly unique situation, and the fact that the attack originated from a University network on University property made it unique.

Was it a reflexive response to a presumption (potentially a good one) that Slashdotters would jump to the predictable and wrong-headed conclusion that Heckencamp's rights were violated or was it something else?

No, that was pretty much it. ;-)

But in seriousness, this ruling does determine that Heckencamps "rights" (in this case, the right to privacy, such as it is) was "violated", but that, on balance, the University action was still appropriate considering the circumstances. Under lesser circumstances, it may not have been considered appropriate, and may have even been in itself "illegal". But that's why we have doctrines for things like self-defense and other exigent circumstances: sometimes, society (in the form of courts, laws, and legal processes) can collectively consider an act allowable that would otherwise be illegal or questionable.

Such is the case here.

Re:Correct decision

[woolio]

Indeed...

I'd saw remotely unplugging the room at the router is probably better than entering the room and unplugging the computer.

That way the admin would never obtain *physical* access to the computer (e.g. this removes a tiny amount of doubt that he could have tampered with the computer, e.g. with a boot disk/cd before the police arrive ).

Re:Correct decision

[Score+Whore]

how petty people who illusions of power can behave, espcially in college.

I didn't think students had any particular power?

(*FLUSH* goes my karma....)

Re:Correct decision

[harl]

So while the University was within their rights I am not as certain that the conviction was valid. I will give an example that might help show why I would be hesitant to accept this type of behavior: so lets say that a bank wants to do the "right thing" and starts searching all its records for odd behavior in their customer's records and reporting them to the police. Would this be a valid action? In the USA banks already do this under the Bank Secrecy Act[1]. So I guess the answer is yes.

[1]http://en.wikipedia.org/wiki/Bank_Secrecy_Act

Re:Correct decision

[ginotech]

Right on, it's not like the sysadmin's purpose is to keep the services running or anything. Just shut down the entire university mail server that serves 50,000+ people.

Re:Correct decision

[eli+pabst]

Thanks for posting that, definitely informative. Some salient quotes from the judgement:

Although we conclude that Heckenkamp had a reasonable expectation of privacy in his personal computer, we conclude that the search of the computer was justified under the "special needs" exception to the warrant requirement.

Although Savoy was aware that the FBI was also investigating the use of a computer on the university network to hack into the Qualcomm system, his actions were not taken for law enforcement purposes. Not only is there no evidence that Savoy was acting at the behest of law enforcement, but also the record indicates that Savoy was acting contrary to law enforcement requests that he delay action

This discovery, together with Savoy's earlier discovery that the computer had gained root access to the university's Mail2 server, created a situation in which Savoy needed to act immediately to protect the system

Re:Correct decision

[daveschroeder]

The ruling already spoke to this. (Has anyone read it?)

Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school, see T.L.O., 469 U.S. at 352- 53 (Blackmun, J., concurring in the judgment), requiring a warrant to investigate potential misuse of the university's computer network would disrupt the operation of the university and the network that it relies upon in order to function.

[...]

The district court was entirely correct in holding that the special needs exception applied.

[...]

Once a court determines that the special needs doctrine applies to a search, it must "assess the constitutionality of the search by balancing the need to search against the intrusiveness of the search." Henderson, 305 F.3d at 1059 (citing Ferguson, 532 U.S. at 78). The factors considered are the subject of the search's privacy interest, the government's interests in performing the search, and the scope of the intrusion. See id. at 1059-60.

[...] although Heckenkamp had a subjectively real and objectively reasonable expectation of privacy in his computer, the university's interest in maintaining the security of its network provided a compelling government interest in determining the source of the unauthorized intrusion into sensitive files. The remote search of the computer was remarkably limited given the circumstances. Savoy did not view, delete, or modify any of the actual files on the computer; he was only logged into the computer for 15 minutes; and he sought only to verify that the same computer that had been connected at the 117 IP address was now connected at the 120 IP address. Here, as in Henderson, "the government interest served[ ] and the relative unobtrusiveness of the search" lead to a conclusion that the remote search was not unconstitutional. Id. at 1061. The district court did not err in denying the motion to suppress the evidence obtained through the remote search of the computer.

[...]

The district court also did not err in denying the motion to suppress evidence obtained during the searches of Heckenkamp's room. Assuming, without deciding, that Savoy and the university police violated Heckenkamp's Fourth Amendment rights when they entered his dormitory room for nonlaw- enforcement purposes, the evidence obtained through the search was nonetheless admissible under the independent source exception to the exclusionary rule.

Under the independent source exception, " 'information which is received through an illegal source is considered to be cleanly obtained when it arrives through an independent source.' " Murray v. United States, 487 U.S. 533, 538-39, (1988) (quoting United States v. Silvestri, 787 F.2d 736, 739 (1st Cir. 1986)). Therefore, we have held that " '[t]he mere inclusion of tainted evidence in an affidavit does not, by itself, taint the warrant or the evidence seized pursuant to the warrant.' " United States v. Reed, 15 F.3d 928, 933 (9th Cir. 1994) (quoting United States v. Vasey, 834 F.2d 782, 788 (9th Cir. 1987)). In order to determine whether evidence obtained through a tainted warrant is admissible, "[a] reviewing court should excise the tainted evidence and determine whether the remaining untainted evidence would provide a neutral magistrate with probable cause to issue a warrant." Id. (quoting Vasey, 834 F.2d at 788).

Here, even without the evidence gathered through the allegedly improper search, there is sufficient information in the affidavit to establish probable cause. The affidavit recited evidence that the server intrusion had been tracked "to a campus dormitory room computer belonging to Jerome T. Heckenkamp"; that "[t]he computer is in Room 107, Noyes House, Adams Hall on the University of Wisconsin-Madison"; and that "Heckenkamp previously had a disciplinary action in the past for unauthorized computer access to a University of Wisconsin system." This

Re:Correct decision

[daveschroeder]

Nope, because all of that logic is fallacious, and further, wouldn't be held as allowable and appropriate responses to the situations you describe by a court.

This, however, was.

Your beef isn't with me. It's with the 9th Circuit Court of Appeals, which routinely upholds personal rights and privacy, and often sides against government interest. And yet, it still found this action appropriate.

Extremely poor use of car analogies, by the way. ;-(

Re:Correct decision

[Waffle+Iron]

The sysadmin's original responsibility was to ensure that enough network management capability was in place so that attacks like this can be isolated and dealt with. That's how they are supposed "keep services running or anything". Given that it appears that they failed miserably in that regard, then shutting down the mail server for 50,000 people might possibly have been their only *legal* recourse. In that case, the outage would be attributable to poor planning. But poor planning is not an excuse for engaging in your own criminal activity.

Re:Correct decision

Maybe they had other options. As it happens, the one he chose was against the law, so it wasn't an option. He did it anyway and is apparently getting away scot free.

Re:Correct decision

[3x37]

Well-written and well-argued.

But, the totality of daveschroeder's messages today should make a Wisconsin taxpayer wonder why they are paying him to read slashdot all day. Hopefully, he's actually NOT on work status today and that previous comment is just an uninformed shot.

Mr. Schroeder should get his doughy ass off his well-molded chair, finish his B.S. and then a J.D. so he can get paid--appropriately--to pursue his real talent: argument.

Re:Correct decision

[lab16]

We can just promise that anyone else can get away with trespass or breaking and entering when they search your house.

Can get away with it as far as the police are concerned, but not always as far as the victim is concerned, especially an armed victim. That's why we have the 2nd amendment.

Re:Correct decision

[daveschroeder]

You'd be surprised at how quickly I can craft and fire off responses. And I doubt that, collectively, these added up to half of my lunch hour. ;-)

This is pretty much the only article I've paid any attention to...

Re:Correct decision

[3x37]

But they weren't during your lunch hour.

Re:Correct decision

[daveschroeder]

So?

I'm also not at work from 9:00:00AM to 5:00:00PM every day, either.

Yet, somehow I manage to work more than 40 hours a week. ;-)

Re:Correct decision

[misterpault]

Your analysis is incorrect from the first sentence. The Fourth amendment is triggered by federal government action (extended to state action under the 14th Amendment), and does *not* require anyone to "act as an agent of law enforcement." While Fourth amendment cases generally concern law enforcment, there are many others that revolve around other state actions (administrative searches by quasi-governmental agencies, school locker searches by school personnel, etc.). Otherwise, it's an interesting post.

Re:Correct decision

[daveschroeder]

I suppose your issue is with the ruling of the 9th Circuit Court of Appeals then, not myself, since it indicated numerous times that part of the reasoning for being exempted from Fourth Amendment requirements under the special needs doctrine was that the University official was not acting as an agent of law enforcement or for law enforcement purposes.

Re:Correct decision

[daveschroeder]

Oh, and don't get me wrong...I appreciate the compliment within your post.

But various IT components (in fact, many components) of the University don't have specific start and end times for work hours, as some clerical and administrative positions may.

You are expected to do your work, be available in the office and for meetings and other duties as dictated by your job, fulfill your job responsibilities, report your hours accurately, and so on. But that doesn't mean non-work-related or quasi-work-related activities can't occur intermittently within what are normally considered to be business hours any more than it means that University work isn't routinely done outside of such hours (as it indeed is).

Re:Correct decision

[Evets]

Agreed. You also have to take into account that SCOTUS does not agree to hear every appeal put forth to them, but a subset of those where an appeal has merit, among a series of other deciding factors that can change at any given point and time.

No court is immune from bad decisions - even SCOTUS. Whether a court leans towards private interests, corporate interests, left, or right shouldn't matter to the people - as long as ALL of the courts aren't leaning in one particular direction (one that is unfair to the people).

Re:Correct decision

[sumdumass]

We can get into a "who's biased site has more stats proving our side" war if you want. Here is something talking about their 2002 record. And Of course, we wouldn't be without slant then a site about law that shows the averages of the ninth circuits appeals being reverses better then 70% of the time they goto the supreme court. Although, the interesting thing it that even when a lower number goto the higher court, they still have better then half overturned.

I don't think we need to go that far. It is something that just happens with them for whatever reasons.

It isn't just that they have been reverses that makes them far left, It is that they tend to have a good portion of their decisions unanimously overturned by the supreme court too. When you factor that into the equation, It makes you wonder why the cases even got as far as the supreme court. And that makes the liberal activist thing sound real believable.

Re:Correct decision

[Attila+Dimedici]

Hackenkamp agreed to allow the University Sys Admin to hack into his computer as a condition of connecting to the University Network. Our glorious student hacker did not hack into the University computers from some remote location. He connected to the University Network from the campus through University Network connections. If he had logged into the UN across the Internet from a remote location, he might have an argument against the University Sys Admin, but since he logged into the Network from on campus, the agreements he signed upon entering the University went into effect.

Re:Correct decision

[Brad+Eleven]

Right, exactly. The network, at least, and possibly the computer are/were the property of the University, so it has every right to inspect. This doesn't mean that the University was in its rights to turn over evidence to law enforcement, however; their rights end at the limits of their policy. That is, they could expel the student, even levy fines, penalties, whatever their policy provides for.

This is the same argument for not using resources at work for your own purposes. You can be fired, your employer can file civil suits, etc., because the computers, the network, the desk you sit at, etc., belong to the employer.

I think that the defense lawyer could have filed for suppression of the evidence obtained from the University, since it constitutes illegal search and seizure. Funny thing about these rights; they're subject to interpretation by judges, all the way to the Supreme Court. Even at that level, precedents can be set in their ultimate interpretation which are then used to apply to similar cases. Of course, these can be overturned in future by other judges, even by Constitutional amendment.

The long and the short of it seems to be that once the police have got you, there's very little you can do about it if you're denied bail--or worse yet, access to counsel and/or the evidence and the charges against you. The latter often require counsel, e.g., prosecutors can and do simply refuse to speak with non-attorneys.

There is the law, and then there is policy. The former is a set of ideals; the latter is a matter of practice.

Re:Correct decision

[Snaller]

Oh, but he's on the malicious side, so he's right, and the University trying to protect itself, from someone violating just about every University policy with no expectation of privacy on the network of a public research university, is wrong?

Let me know when you people get your stories straight.


Or you could take your pills and stop freaking out over something which wasn't written. The story simply reports what has happened.

Fourth Ammendment?

[Rie+Beam]

" The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. "

So, does it fit? What was the evidence before the hack? IANAL, just curious.

Re:Fourth Ammendment?

[alen]

this only applies to the government performing the search. in this case it was the university and he was on their network which probably gave them the right via something he signed

and even if it was the government, there is probably case law that says a warrant can be given out after the fact if the government can prove they had proof or a compelling reason to gather this evidence at that time and getting a warrant would take too long, etc. it's like if a police officer arrests you without an arrest warrant because he saw you do something bad.

the constitution is not a suicide pact

Re:Fourth Ammendment?

[bikeidaho]

You do have the right to privacy when you are in your own home, which you own and on property which you own. These laws differ from State to State but in essence renters and students to not have the same protections under the law. When you are accessing a private or public network you are stepping out of your house and into the public domain; forfeiting your right to privacy.

Thank God

[normuser]

The court ruled today that such counter-hacks are allowable under the 'special needs' exception to the Fourth Amendment

Now I don't feel so bad about killing those zombies that keep trying to ssh into my box.

What?

[Spazntwich]

The court ruled today that such counter-hacks are allowable under the 'special needs' exception to the Fourth Amendment

So suddenly the retarded aren't protected by the bill of rights?

This is preposterous!

Implications for RIAA/MPAA lawsuits

I'm a bit scared as to what this will mean for RIAA attacks against innocent people accused of file sharing. If "self help" is available for the university when someone hacked their server, why WOULDN'T the courts allow "investigators" working for the MAFIAA to hack into computers to determine if they were "pirating" music or movies?

Re:Implications for RIAA/MPAA lawsuits

[normuser]

Heckenkamp was caught after a system administrator at the university hacked into his Linux box to gather evidence that Heckenkamp had been attacking the college mail server.

Looks to me like they already logged his attacks on there mail server.
As far as I'm concerned once you see an attack on your network from the same ip more than twice there fair game.

Re:Implications for RIAA/MPAA lawsuits

[proxima]

I'm a bit scared as to what this will mean for RIAA attacks against innocent people accused of file sharing. If "self help" is available for the university when someone hacked their server, why WOULDN'T the courts allow "investigators" working for the MAFIAA to hack into computers to determine if they were "pirating" music or movies?

Well, one reason is that apparently this guy was connected to the university's network. He was using it to actively hack other systems, which is more clearly an "emergency" than copyright infringement (IANAL).

However, given that basically all major ISPs have user agreements such that you may not use their network for copyright infringement, they may be able to write in language that gives them the ability to not only shut down your network access but "counterhack" you at the behest of the RIAA.

Still, it's not clear that this would make their cases stronger. There might be some desire to actually have poked around in an alleged infringer's computer before they get a chance to wipe it clean, and it might reduce instances of "but someone was sharing my IP through my open wireless access point". Even so, it sounds like more trouble than it's worth, even for the RIAA.

Re:Implications for RIAA/MPAA lawsuits

[jmv]

If "self help" is available for the university when someone hacked their server, why WOULDN'T the courts allow "investigators" working for the MAFIAA to hack into computers to determine if they were "pirating" music or movies?

Cuts both ways (with the general interpretation you make). If they try to break into your box and you didn't do anything wrong, then *you* would then be allowed to break into their machines... Then again, I'm pretty sure there are lots of restrictions.

Re:Implications for RIAA/MPAA lawsuits

[rilian4]

why WOULDN'T the courts allow "investigators" working for the MAFIAA to hack into computers to determine if they were "pirating" music or movies?

they Wouldn't because the target computers of the RIAA/MPAA would be largely in private homes, not in public places. Different rules apply (as has been said multiple times above) They might be allowed this tactic on a university campus such as U of Wisc for similar legal reasons that the U of Wisc. Sysadmin was allowed.

Excellent

[Capt+James+McCarthy]

I knew two wrongs make a right. (obviously if it benefits certain organizations only)

Not at UW...

[daveschroeder]

Except for the fact that the University of Wisconsin isn't cooperating with the RIAA in its latest efforts:

University of Wisconsin-Madison Bucks RIAA
http://slashdot.org/article.pl?sid=07/03/20/015121 6

UW to RIAA: No way
http://badgerherald.com/news/2007/03/21/uw_to_riaa _no_way.php

It may be illegal...
http://www.doit.wisc.edu/news/story.asp?filename=8 12

counter-hacking is legal?

[JeanBaptiste]

I don't buy it

and if it is, then looks like I have a whole bunch of new targets.

any law talking people in here?

Question

[DaJoky]

And in the case where the system administrator is an hacker, who will counter-hack him ?

Re:Question

[MysteriousPreacher]

The Coast Guard?

Re:Question

[lys1123]

That would be a small group of Mac users, all of which have awesome nicknames like "Crash" and "Burn", who are lead by a fearless hacker leader who due to his previous hacking antics hasn't actually touched a computer in seven years.

DUH!

Re:Question

[Mister+Whirly]

Chuck Norris

Re:Question

[Briareos]

I thought Bruce Schneier was the latest fact rage, and isn't he much more suited to the task?

Counter-hacking

[Rob+T+Firefly]

Heckenkamp was caught after a system administrator at the university hacked into his Linux box to gather evidence that Heckenkamp had been attacking the college mail server.

But what if that evidence had not been there? Would the so-called "counter-hack" have been a punishable offense had the target turned out to be innocent?

It'd be fun if you could hack anyone you wanted at that University as long as you're looking for evidence of wrongdoing.. especially since all the skills you'd need to hack into a box are generally the same skills you'd need to plant whatever evidence you want onto it.

Forensics Anyone?

[madsheep]

Ok this just sounds a bit ridiculous. This is essentially vigilante cyber justice. Now it had a bit more of a law enforcement/good guy vs bad guy twist, but I just don't see how this can be allowed. Where is this special need and why was this an acceptable method to go about anything?

Is anyone familiar with forensics? "Hacking" into another machine alters a ton of stuff..even if you're just logging in remotely with username/password you found. You've change login dates, profiles, logs, etc. How would this sysadmin have known this machine wasn't already compromised and was just being used a launching point?? If this was the case and the guy adamantly denied having been a part of it, he would have essentially *ruined* any and all evidence. This is just rediculous.

Re:Forensics Anyone?

[Zader]

Ok this just sounds a bit ridiculous. This is essentially vigilante cyber justice. Now it had a bit more of a law enforcement/good guy vs bad guy twist, but I just don't see how this can be allowed. Where is this special need and why was this an acceptable method to go about anything? Let me put it another way. If you come into my place of employment with a laptop, plug it into my network, and it's doing something dubious - I have every right to protect our network acting as the systems administrator here. This includes anything up to and including hacking into the machine in question in the course of gathering information to determine the level of compromise or threat. By plugging into our network, you accept our company policy towards allowed usage. It's just plain that simple. If that is determined to "taint" the evidence, that's not a problem - we're protecting company assets, not enforcing the law. I'd almost certainly take the benefit of the doubt and assume it's a compromised machine rather than someone being up to something (this not being a university, and I'd be dealing with professionals - not students). However, they would remove the machine from the network, and potentially asked to leave if the situation escalated.

This is just rediculous. (sic) So no, it's not ridiculous, it's just called being a professional systems administrator. We enforce company (or university policy in that case) - we are not law enforcement. We have neither the same restrictions nor do we have the same privileges.
ObBOFHJoke: So what's your IP address again? (clickety click)

Re:Forensics Anyone?

[sumdumass]

I'm willing to bet that if this guy would concentrate on that aspect he would get a lot further then challenging the constitutionality of the evidence.

On another note, The courts have in the past allowed evidence that was obtained illegally but not by a law enforcement officer or officer of the courts (including anyone acting on their behalf). It is assumed that the evidence would become public knowledge if the illegal act went to trial and then become fair game. And seeing how the constitution primarily restricts the government, they come down harder of government officers.

But knowing that someone broke the law because someone else broke the law to prove it, doesn't give the person an automatic pass. Someone could have been trespassing when they witnessed me murder my wife's boyfriend, it doesn't make their testimony less valid. I shouldn't walk because the only thing linking me to the murder is the trespasser. It isn't much different here. Except one could argue if the admin should face charges on their illegal behavior or not.

Re:Forensics Anyone?

[madsheep]

You claim this but this might not be true. Does everyone that comes into your environment sign of a Rules of Behavior or acknowledge these terms at some point? I would argue that it's not reasonable to "hack" into someone's machine to "protect" your network. Last I checked you could go visit the user or disable their port or block their MAC address. Well at least in most well run environments this would be completely feasible (and reasonable). What are you going to say next? Does your company policy actually say you can break into a machine if you suspect it's doing something dubious? I'd like to see that.. and what a humorous company policy.

Why not modify your company policy to say you can just take the machine and burn it and then take a baseball bat to the person's knee caps? You cannot just write whatevet you want into a policy. Well you can but that doesn't make it legal or reasonable. I do IT Security for a living and I will repeat -- ridiculous! oh yeah and rediculous too. Thanks.

Concerning the banks

[wiredog]

They are pretty much required by law to do that already.

There they go again

[oldmacdonald]

Those darned liberals, always standing up for individual rights.

Re:There they go again

[sumdumass]

A right is something you have or is protected form being taken aways. It would be disingenuous to consider something the court didn't have the right to give, as a right in the first place.

You statement should be more to the effect of, Those darned liberals, always giving false hope up to individuals by inferring rights the don't really have. As i mentioned before, If the right was there, the other courts would have agreed with it. So the individual didn't have a right in the first place.

Re:There they go again

[honkycat]

Right, because the other courts are infallible in this regard.

Re:There they go again

[sumdumass]

I don't know about infallible but they would be more accurate. There are several reasons for this so I will just list a few.

One is that there are more judges. Another is that the judges only have to consider the context of the ruling alongside the law and constitution. Another is that once removed from the drama of the case, you aren't tied up in it and subconsciously rooting for one side or another.

But more importantly, they have the final say in the matter. If they didn't find the right then the lower court improperly gave one that didn't exist. Either way, it isn't that they are always standing up for individual rights.

Re:There they go again

[honkycat]

Pragmatically, what you say is correct. If the appellate courts won't recognize a right, you cannot exercise it. Whether that means you have a right in the first place is a philosophical and/or linguistic question. Still, one need not look further than the civil rights era or World War II era Japanese interment rulings to find cases where the system failed to protect rights that citizens pretty clearly had.

That is why I generally distinguish (at least in my own head) between legally protected rights and moral (inalienable?) rights. I don't believe anyone should take the court's word as to whether we have (or should have) a particular right. Courts screw up, even the Supreme Court, and there are recourses, albeit difficult ones.

Anyway, I don't know much about the particulars of this circuit other than the reputation for being out in left field, I just bristle at the implication that courts have a special place to declare what rights we have that is somehow above scrutiny. From your reply, I don't think you feel that way, but I inferred it from your original post.

Did they really 'hack' the system over the network

[FatSean]

I mean, why not just bust down the door and take the system back to the lap?

Or do you have expectation of privacy in your dorm room, but not in your computer....

Not even a close question.

The fourth amendment applies only to the state's action to investigate. So really the question here was whether the admin's knowledge of police activity made him an agent of the state. I don't see this case raising even a remotely close question. The admin did what any admins ought to do. Even if the admins' activities were illegal, he could get prosecuted, but the evidence is admissable

Just to hammer things home, if a thief breaks into your house and then turns in evidence of illegal doings over to the police, the fourth amendment won't exclude the evidence or any further evidence uncovered by the police based on a later search warrant.

Re:Incorrect Decision

[daveschroeder]

Except that two courts, including the 9th Circuit Court of Appeals, which has a very strong track record on upholding individual rights when warranted and ruling against the interests of the government, already clearly decided that no search warrant was required, and that the "special needs" exemption applied to the situation, and thus no warrant was required.

The ruling answers all of your concerns.

Don't be so sure it was illegal.

[oneiros27]

The "Code of Conduct for Users of Computing Systems" (basically an AUP) at the university I went to for undergrad had the following clause:

Enforcement: Computer activity may be monitored by authorized individuals for purposes of maintaining system performance and security. In instances when individuals are suspected of abuse of computer usage, the contents of user files may also be inspected upon the approval of an individual authorized by the Vice President for the area with jurisdiction over the computer system in which the files reside, or their delegate.

Odds are the user was acting under _some_ sort of an AUP, and it might have a similar clause.

(which basically means the user signed some of their rights away by using the systems at the university)

Too Bad...

[Nom+du+Keyboard]

Too bad it was the 9th Circuit that upheld this. They are by far the most overturned of all Courts of Appeal.

Straight Stories

[Greyfox]

Well we could be of the opinion that two wrongs don't make a right and they were both wrong. I'm often amused by the assumption made by people that I'm either for their opinion or for some arbitrary opinion that's completely the opposite. Take the current "You're either for this or you're for the terrorists!" argument that congressmen like to break out to support their current pet project. To which my response, were I confronted with that attitude in person is, "No! You are both a menace to the ideals that founded this country! I'm against you and the terrorists!"

However I also know that the media would call several activities that fall under the range of day-to-day IT operations "Hacking." I also feel that the University has the duty to know what's going on with their network and to prevent as much hacking as possible from it. They should already have a policy of aggressive logging and a clause in the student housing contracts granting them access to any system connected to their network upon request. If they don't currently, they should rectify that oversight.

Re:Straight Stories

[Kythe]

This is a very good comment.

As I read it, and given the fact that this story appears to be regarding an appealed ruling, the 9th Circuit was simply upholding the admissibility of the evidence obtained through the university's hacking. It wasn't ruling as to whether the University had the right to hack, or whether they ran afoul of the law in the process.

IANAL. That said, I would bet what the university sysadmin did ran afoul of at least one computer crime law. Whether or not he'd be convicted or suffer legal ramifications under the circumstances is an open question.

Throw it out of court on a technicality

[JackMeyhoff]

" was caught after a system administrator at the university hacked into his Linux box to gather evidence"' We have laws of evidence where I am and this is not legally permitted as evidence.

Admin should be charged

[sdbytnar]

Regardless of whether the info the admin gathered is admissible or not (it is), what the admin did is *illegal*. If he had to "hack" to get a login and password, then he illegally accessed the computer and should be charged, convicted, and jailed for it. Unless, the University agreement said, "I authorize the University to access my computer in any way they wish," then the access is illegal. And if the access isn't deemed illegal, then I can hack any computer I want as long as I "think" they tried to access mine.

Re:Admin should be charged

[Creepy+Crawler]

So pulling his network connection is above your intelligence?

Re:Told you So...

[jonesy16]

A poetic response, so concise that I can't even comment about spelling or grammar. Anyhow, nice to see the world must be coming to an end if Slashdot's frontpage makes reference to a Linux box being hacked.

Regardless, as a former residential network admin at my college, I fully understand the position of the university. All students on my previous campus, anyway, were made to sign a use agreement prior to connecting their computers to the network. That agreement ensured the university's authority in maintaining a safe and legal network for all connected computers which included being able to shut down hackers, file sharers, etc. It is interesting to see that this sort of information can be submitted in a court case though. I still have no pity for this kid and hope he spends a lot of time in jail trying to build a computer from toothpicks and creamed corn. Watch your "backdoor" kid.

Neo-con lies

[WrongMonkey]

Only if you're definition of "by far" is "barely or sometimes not at all" http://mediamatters.org/items/200511090012

During its 2004-05 term, the Supreme Court reversed 84 percent of the cases it chose to hear from appeals of 9th Circuit decisions, compared to a 73 percent average reversal rate for all circuit courts of appeals.* But the high court reversed 100 percent of the decisions it heard from the 1st, 2nd, and 10th Circuit Courts of Appeals.* Moreover, as Media Matters for America has documented, the 9th Circuit's reversal rate was slightly lower than the national average for all circuit courts during the 2003-04 Supreme Court term (76 percent for 9th Circuit vs. 77 percent nationally), and only slightly higher than the national average during the 2002-03 term (75 percent for 9th Circuit vs. 73 percent nationally) and the 2001-02 term (76 percent for 9th Circuit vs. 75 percent nationally). In previous years, the 9th Circuit's reversal rate has exceeded the national average, most notably during the 1996-97 term, when the court's 95 percent reversal rate had exceeded the national average of 71 percent and "earned the Western circuit [the 9th Circuit] its reputation as the nation's 'most reversed,

In the interest of balance, I did try to find a more "right-wing" source, but interestingly they don't seem to cite any verifiable numbers.

Now that I've read the ruling..

[Kythe]

...I have to modify my comments, above. It appears that the sysadmin wasn't involved in "vigilantism" under the normal definition of the term.

Wrong.

[NeutronCowboy]

At least read the Wikipedia entry before repeating Rush's and Bill's hallucinations.

Sure you do

[iceperson]

YOu don't even know the difference between accessing a system that may or not be comprimised and taking the "machine and burn it and then take a baseball bat to the person's knee caps". Hyperbole much? A better analogy would be me running naked across my neighbor's lawn and expecting my "right to privacy" while doing so.

Hacker conviction

[Capt.+Cautious]

Maybe I am somewhat naive but am I the only one to see the increased speed down the slippery slope this decision has created? Capt. Cautious

"special needs" section?

[jlowery]

The court ruled today that such counter-hacks are allowable under the 'special needs' exception to the Fourth Amendment.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Um, there isn't a "special needs" section of the Fourth Amendment. Is it too much to ask Slashdot editors to assume some journalistic responsibility?

Firemen

[PeterJFraser]

If a building is on fire, should firemen have the right to enter the building, search though it to find the source of the fire, and put it out?

I think the situation is similar. It is the administrator's job to stop the attack.

Firemen don't just spay water on the outside of nearby building until the get permission to enter.

Re:Firemen

[BlakeReid]

This is a pretty tortured analogy, but 'putting out the fire' in this situation would involve disconnecting the machine from the network (via a managed switch 'turn off the port' command and/or MAC filtering) and calling the police. It wouldn't involve hacking into the machine, which would be a job for law enforcement forensics experts after the fact.

eye for eye tooth for tooth

[r4g3]

I like the Old testament a lot because of the Eye for eye tooth for tooth approach. I mean if you are that great to hack, you should be smart enough to cover your foot prints... And one rule of a hacker is not to use your box! A rookie is always itching to get noticed and in this case he got noticed with punishment. As a sys Admin my self.. I am not gonna have someone jeopardize my job.. How do you tell you friends how you got fire?? I got hacked so they fired me?? come on it makes you weak as a Sys Admin... It is always fun to retaliate.

Re:Told you So...

[jonesy16]

RTFC, at no point did I promote/encourage/favor the unethical treatment of said convict's posterior. Secondly, you added the "violent" part all on your own. Sweet dreams.

"superhacker??"

[leereyno]

The article calls him a "confessed superhacker." He's a punk, a loser. Only losers spend their time breaking into other people's computers, and only an extreme loser would actually leave his computer so wide-open that a university sysadmin would be able to walk into it. I work at a university as a sysamdin. We're not a bunch of uber-crackers.

I've said it before and I'll say it again, the only things that anyone is ever punished for in this world are being unpopular and being incompetent. This punk definitely fits the latter to a T.

The truly comptent, if evil, crackers out there are not going to be caught...ever. This guy was low hanging fruit and deserves whatever he gets both for being malicious, and especially for being such a complete ass-clown.

Re:"superhacker??"

[dbmasters]

I totally agree, that name puts him on a quasi-pedestal in the hacking community, it gives him the notoriety and celebrity he wants... He's a punk-ass.

Can't have it both ways

[imunfair]

You either leave the net as the wild west, and let every man fend for himself, or you set up concrete rules about hacking, etc and enforce them fairly.

I'm not defending the 'ebay hacker', but I think if he's in trouble then the sysadmin should be as well. There are a lot of physical solutions to cut off someone's net access if you have control of their building, in the event that you can't handle it on the technological side. The responsible thing to do if neither of those options were available would be to remove your server from the net, or actually make your system secure, and report the attacker through the proper channels.

And to all the people defending the sysadmin as justified, I would like to know why - if he thought blackholing the first ip was enough at the time - did he bother to find a working password on the system in question, and what methodology did he use to do that? Seems like he's just using the second attack as a CYA to hide his proclivity to hacking students machines when he wants to. (If you RTFA it says that he used a password from the first time to log in the second time and snoop around to verify it was the same computer)

Re:Told you So...

[Rosonowski]

Watch your "backdoor" kid. would imply that you would condone such things within our prison system. We're trying to rehabilitate people, and that's not going to help. As for violent, do you know of any other kind of rape?

Re:Incorrect Decision

[DavidShor]

I believe he was in a dormitory, universities can break into those whenever they like. In mine, we are not allowed to add an extra lock precisely for that purpose.

Too bad

[treeves]

his name isn't Hackenkamp.

Re:Correct decision, Hackenkamp is guilty

[Douglas+Goodall]

When they gave him a new name at the border, they messed up slightly.

Re:Counter-hacking (criminality overlooked)

[KudyardRipling]

The criminality of the so-called counterhack was overlooked because it was committed in the name of an **institution**. Please check your clock and GPS. In Amerika, institutions rule and individual human beings are suspects.