Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."

Yeah... and?

[Anonymous Coward]

What appropriately aged Slashdotter hasn't hacked into their university or college's network?

these people will be in charge someday

[unbiasedbystander]

These are the future leaders of the world. Don't forget it.

"How I Rooted Oxford University"

[aardvarko]

... a.k.a. A Beginner's Guide to tcpdump and ettercap

500 pound fine?

[Anonymous Coward]

Now that is a heavy fine.

kebabs and bon jovi

[lovecult]

...spurred on by Bon Jovi's Livin' on Prayer, they did more research

They should be damn well "rusticated" for their tast in music alone!

Re:500 pound fine?

[nacturation]

Now that is a heavy fine.

In Oxford, they call it the "Sisyphus Punishment".

Re:*Yawn*

[atlantis191]

Forgot one:

SCO sues B

Re:Yeah... and?

[Anonymous Coward]

I got a two day suspension for it! (highschool)

All I got was this stupid t-shirt.

Re:Are there any adults in the house?

[pbox]

Well, it's still better than here in the US. This would most definitely end up being a clear-cut terrorism case. These two guys would already be working on their tan in Gitmo. In about 3-5 years after a lengthy legal process involving the US Superior Court, they will be allowed to proceed with their legal defense, which of course will be completely torpedoed by the fact that the prosecution will introduce any and all evidence as "top secret", so the defense team will not be able to counter any of them. They will serve 30 years, in solitary confinement.

Re:500 pound fine?

[Brandybuck]

In Oxford, they call it the "Sisyphus Punishment".

For those of you that want to Cambridge this is a reference to rolling a heavy stone uphill over and over.

Yes, do call the Coppers, but..

[saskboy]

But the police should be called, and when they see how lax the university was at keeping sensitive information private, they should file charges against Oxford too.

Then they can put Oxford Hack in the dictionary:
Someone who tattles, and gets in trouble too because of their guilt in the incident.

Re:Mod Parent Down

[erick99]

My gosh - the folks here who rabidly espouse the need for public outting of information all post anonymously.

Erick

Re:500 pound fine?

[martinX]

Once the UK goes REALLY metric, it will be a 226.7962 kg fine.

Re:500 pound fine?

[Anonymous Coward]

Those of us who attended Cambridge can actually spell "went".

It's college, right?

[empaler]

They also have to learn that it doesn't pay to go against the system... ;p

We know how well that works with administrations

[Anonymous Coward]

The FBI had been informed about both the first and the second WTC attacks, but didn't do shit to stop them.
If it had been more widely publicized after the first WTC attack, then maybe they would have done something to prevent the second.

500 pound fine...

[the-build-chicken]

It was later recorded by the university database that not only did they promptly pay the find, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.

Couldn't figure out why they were snickering though?

Re:Yeah... and?

[Anonymous Coward]

Atleast his English teachers could still feel superior in the face of his overwhelming computer knowledge.

Re: Lets be scientific about this...

[Anonymous Coward]

"A monkey could do it with the right software."

As an unemployed Unix Administrator currently working in a Zoo to pay the rent I can put this to the test.

Situation:
Pentium 3 750mhz, Knoppix boot CD, unswitched network, plain text protocols running over network, 3 Columbus Lemur Monkeys.

Test 1 Monkey sat infront of screen and left to own devices.
Result 1 Neither monkey acheives much, taking no interest in the screen.

Test 2 Console opened, "ethereal" typed in as hint, monkey sat infront of screen.
Result 2 Again monkeys take little interest, monkey 3 does paw at the screen for a few minutes. Monkey 1 is distracted by small child waving icecream in its face, result for monkey 1 discarded.

Test 3 Ethereal opened, required options selected, bit of banana left on the enter key.
Result 3 All monkeys successfully grab the banana, triggering the enter key, and starting the packet sniffing session, in each case all plain text data over the network is recorded - SUCCESS!

So kids, as we've shown, a monkey is quite capable of doing this kind of hack. Now nobody is safe.

Re:Are there any adults in the house?

[bobbis.u]

This never would have happened at Cambridge.

We produce fine, upstanding journalists like Paxman.

Re:Yeah... and?

[mikael]

That reminds me of an ultra-paranoid sys-admin we once had (the kind that makes Burt Gummer look like a Quaker).

The sys-admin set up our CompSci server to log every command every user had made (lastcomm services). So one night, one student is waiting for the others in the group project team to arrive. Rather than constantly running between labs, he simply writes a shell script:


while 1
do
who
sleep 10
done


Harmless enough? After about 2-3 hours of use, the entire /var partition has been completely filled, which now jams the /var/spool print queue. A postgrad student attempting to laser-print a section of his Ph.D project finds that he can't, and in order to gather evidence against this denial of service attack prints the entire contents of the 'acct' file.

Which burned up two large boxes of line printer paper. Needless to say, the sys-admin was furious and makes the student sign a form requiring him never to run an infinite-loop script without permission again.

Re:Yeah... and?

[Anonymous Brave Guy]

Well since you asked, we have some cretin in the UK who is suing his university after they kicked him out for plagiarising his entire coursework.

I thought the fantastic thing about that case -- assuming it's the same one I remember -- was that he was kicked out about two weeks before graduation, and was claiming that they should have detected his plagiarism earlier and thrown him out then, rather than ripping him off for three years' worth of fees first. Hey, at least if he flunks that course, with arguments like that he'll have a great career as lawyer.

Re:Yeah... and?

[julesh]

I got thrown out of the school library for taking the mice apart to clean the balls.

Of course, once people saw me doing that, everyone started taking the balls out and throwing them at each other...

When you were at what?

[Scratch-O-Matic]

When i was at collage...

And, um, which collage did you go to?

Further quirks

[LondonLawyer]

If student rumour is correct, there's an unrepealed Oxford law by which Crusaders on their way to the Holy Land could stop by and pick up a degree. Apocryphally, students have tried to invoke this right and been turned down by the Proctors because they weren't wearing their swords when the claim was made.

There is also meant to be a law still in force by which you can request a glass of sherry be brought to you during Finals exams. I don't know if anyone has had the balls to try it - it's exactly the sort of thing the Proctors find unamusing.

Re:Yeah... and?

[The Grassy Knoll]

"When i was at collage"

Art collage, presumably? ;-)

Heh.

[SatanicPuppy]

The first college I went to had this poorly secured novell network running on an old Vax cluster.

They had it set up so that, to use a computer, you logged in as the computer, instead of as a user. I found out that, if you logged a pc into the network, using a username meant for a Mac, and if that Mac were not already logged in, it would completely screw up your priviledges, and let you do many things normally reserved for "Administrator".

Friend of mine wrote a batch script to send out an amusing system message once an hour. Unfortunately he didn't count zero correctly, and so the first one was an hour, but the second through 1000000th were somewhat quicker.

The first I knew of it was when I walked into a computer lab and heard this symphony of "beepbeepbeepbeepbeep" and saw a couple lab techs ripping the cables and stuff off of this poor little Mac while screaming, "ITS UNPLUGGED! WHY IS IT STILL SENDING MESSAGES?!?!"

Re:Yeah... and?

[lordmage]

Hacking and geting a setuid bash is easy. Ahh the stories we can tell from our days.. keystroke loggers, replacing ls, intercepting Chats.. making GIF do what we need.

Darnit, got me all misty eyed.

The real trick was that one student hacked the system and his reward? He got to become System Administrator.

Universities encourage exploration. Thats the great thing.

Re:Yeah... and?

[mek2600]

I got an A for it. Not that the teacher was aware of the fact, though.