Oxford Students Hack University Network 662
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
Are there any adults in the house? (Score:5, Insightful)
Cheers!
Erick
Oxford Loses Out (Score:5, Insightful)
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
*Yawn* (Score:3, Insightful)
A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.
The worst part... (Score:4, Insightful)
Comment removed (Score:3, Insightful)
Re:Are there any adults in the house? (Score:4, Insightful)
But the administration should get past the embarassment and call off the cops.
In the BIG picture, they have been done a favor.
Re:Are there any adults in the house? (Score:5, Insightful)
Cheers!
Erick
embarassing... (Score:1, Insightful)
ogg
Re:Are there any adults in the house? (Score:3, Insightful)
Right, security by obscurity. What a great idea.
How many times do we have to go over this? The way to make things secure is NOT by hiding information, but by publicizing it as quickly as possible so that everyone can know that there is a problem and get on fixing it. These students are heroes, not criminals. They did the university a service and should be rewarded for what they did. Instead of hiring security consultants to figure out what's wrong with the network, these students did it for free. It's an indication of how the priorities of these places are reversed that the students are now in trouble. Embarrassing the administration is exactly the right thing to do. Don't want to be embarrassed? Then use open source software and publicize any security holes so they can be fixed.
"Adults" -- indeed. The only adults here are the students.
Re:Oxford Loses Out (Score:3, Insightful)
Re:Oxford Loses Out (Score:5, Insightful)
I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?
Rule of Law (Score:5, Insightful)
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
Re:Get permission! (Score:3, Insightful)
Re:Are there any adults in the house? (Score:2, Insightful)
Erick
They deserved it (Score:3, Insightful)
I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.
On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree
Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.
So What? (Score:2, Insightful)
So what? It is always as easy especially if you are some kind of insider. But normally you do not hack your university for good reasons:
a) It is yours.
b) You will get a lot of trouble / lose accounts.
Re:Oxford Loses Out (Score:2, Insightful)
Right, so when my billing information and network passwords are being stored, its ok to cheap out. Come on, its ok to use cheaper network equipment, but how many times do we need to stress the security of private information, often of which is vital. Now the students whos information would have been on that system was also violated and exposed. Why not just take the money to prosicute them and, I don't know, secure a few servers.
Re:Yeah... and? (Score:2, Insightful)
Re:On the contrary (Score:2, Insightful)
MAYBE, if their exploit didn't involve publishing the vulnerability to the general populace. Worst case scenario, it gets picked up by the BBC and/or
It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same.
They've publicly invited every literate/malicious individual to do so. Getting a killer scoop at the expense of the school's security comes close enough to malicious in my book. In the real world, few (statistic pulled out of my ass based on number of companies/organizations who plug in/install and go, not size or profitability) have "adequately" secure systems, be it the refusal or inability to spend the time or money do so, let alone keep up. Anonymity IS part of a system's security. By publishing this article they've opend up the schools network to attention it wouldn't have received othewise. Mabe the Admins will be able to make necessary adjustments before backdoors are added. Maybe they didn't even have the staff to secure it properly. Point is, the consequence of their actions is that students are more vulnerable than they were before the story was published. Intentions be damned, they f^@%ed up.
Re:Good thing for then they're in England (Score:3, Insightful)
Re:Aargh, again with the confusion. (Score:2, Insightful)
I wonder if it's something as simple as unencrypted passwords going a wireless network or some nonsense like that.
Re:Oxford Loses Out (Score:2, Insightful)
They have no legal right to do so. If they really wanted to do this, what they should have done is broken into each others accounts, with the other person's permission. That would bypass the "unauthorized access" issue as far as school policy goes, and possibly kept them out of a lot of trouble with the law too. It's still a grey enough area that they would take a lot of crap over it, but ultimately they would probably win out because it's a gray area.
Face it. These kids were beginning script kiddies who were just out to prove how much smarter they were than the IT staff at their University. Mostly what they managed to do was to piss of the higher ups who actually wield the power at the University. What a brilliant plan... Dumbasses.
Re:Are there any adults in the house? (Score:4, Insightful)
Yeah, they should have kept their mouths shut (Score:5, Insightful)
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But its nice to know that there are self-serving show-offs who will do it for me. More power to them.
Re:Are there any adults in the house? (Score:5, Insightful)
Anyway, the school newspaper staff(full of multicultural liberals) found the existance of this Cotton Club to be horrendous and wished investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.
In other words, there was a secret club in the school that contributed to the deliquency of minors(as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club(which is what they should have done).
The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper(why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have comitted a crime. Mind you that, reportedly, this happened BEFORE the article was published.
What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:
1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".
2). Someone, or several someones, within the university staff may have been exploiting security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.
Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.
Or maybe not. Hard to tell with the details in the linked articles.
Re:Yeah... and? (Score:5, Insightful)
Re:Yeah... and? (Score:5, Insightful)
Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.
Well, maybe there is something worth protecting (Score:5, Insightful)
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss student's e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some college's and uni's send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"little we can do? (Score:5, Insightful)
Somebody fire this person.
He said what!?!? (Score:3, Insightful)
Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
The Point Most Will Miss... (Score:5, Insightful)
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
Re:Are there any adults in the house? (Score:3, Insightful)
I don't buy the "cheaper computer set-up" excuse.
They probably didn't even bother to turn on the security features of what they had. It's not likely a hardware problem.
I mean, passwords being sent in the clear. That sounds like a software issue to me and there aren't very many pieces of current software that you can turn on SSL at least for something like that.
Basically the budget excuse is being used to cover-up for some admins who didn't know (or care) what they were doing when they set the stuff up.
Proud of the students... (Score:5, Insightful)
Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and lorn arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?
I don't think so!
Re:Oxford Loses Out (Score:3, Insightful)
The student bode does have a right to take action on the insecurity of the network, but through official channels. The administration may not be forthcoming with the information or quick to act on it, but that still does not give the students to circumvent the law. Britain has some really paranoid privacy laws, so if Oxford is so reluctant to fix potential problems or even refuses an audit that the student body could request, chances are Oxford is now breaking some of those laws, and that will bring changes, and all of this still through legal official channels.
Calling someone or yourself a 'white-hat' hacker does not magically put you above the law.
Re:Rule of Law (Score:2, Insightful)
Re:Oxford Loses Out (Score:5, Insightful)
For christ sakes it's just a law, you know those man made things. Usually written to protect the people with money. It's not like there's anything special about them. In fact every so often they get changed what was legal is now ILLEGAL and what was ILLEGAL is now legal.
But I guess writng ILLEGAL in big letters makes it in some way important.
The only problem with my view point is that the people who write and enforce the law know it's a pile of shit but they get really ticked off if anybody outside the club explains this to them, they get doubly annoyed if said person is addressed as the accused and happens to be explaining as to why he should not have to pay a fine for drunk and disorderly. They usually start shouting about contempt and 30 days and stuff like that. I find it best to shut up in those situations.
Re:On the contrary (Score:3, Insightful)
This was just a couple of punk-ass script kiddies trying to make the school administration look bad. Seriously, what did they think was going to happen? It's one thing to do serious research in an ethical manner, and another to play 31337 h@xor script kiddie under the guise of journalism. They aren't even good script kiddies -- they got caught way to easily.
Re:root/root (Score:1, Insightful)
Re:Yeah... and? (Score:4, Insightful)
If everybody broke into a network would it still be unlawful.
Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").
Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a dman is when the writer feel sthe issue is worth risking his liberty.
I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damaged, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.
I hope the two students in question counter sue the university for lapse protection of their student records.
Reminds me of when a professor of mine explained the term "hutzpah [reference.com]" to me...
A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
That is hutzpah, and those two would be exhibiting quite a bit to sue the university.
Re:Are there any adults in the house? (Score:2, Insightful)
I completely agree. But the administration should get past the embarassment and call off the cops. In the BIG picture, they have been done a favor.
Even if you ignore the embarassment, what favor have the students done? They broke into the network and trespassed. Even if they had fixed the security holes that let them get in you've committed yourself to a slippery moral slope of where you do draw the line? Can everybody hack everybody else's computers without permission to fix whatever they deem to be a security hole?
Re:Oxford Loses Out (Score:3, Insightful)
That sounds very dubious to me. Do you have a source for that?
Re:Oxford Loses Out (Score:2, Insightful)
After my so called friend told my high school that I had cracked the passwords for the school and district. (they used windows 2000 and the admin account password was the district admin password, how stupid) they expelled me and told the police who charged me with a felony "Unauthorized access to a protect computer network" Luckily it was my first offense so I was put on probation and had to pay 600 dollars, write a formal letter apologizing and write a 5 page paper on "Computer Crime and their cost to Society" All I did was get the passwords log on, log off. End of story, so yes they do tend to over react.
I'm an info security auditor... (Score:4, Insightful)
Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. Its a very interesting paradigm shift.
I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)
That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admin's have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from catholic girls schools to Ivy League institutes and none of them were irresponsible when it came to their security.
Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due-dilligence to protect their network.
The three pilars of computer security consists of Accessability, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessable by those whom are authorized to access it.
Yes, it is possible to hack any network and perform arp cache poisoning (just check out the tool Cain & Able @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.
From the sounds of this article, it looks like they came across this Cain&Able utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.
I say that they should make an example of these script kiddies.
not feeling too sorry for them... (Score:3, Insightful)
Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?
If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?
They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.
Re:Yeah... and? (Score:1, Insightful)
Girls must love you.
No, really, people. I knew more about stupid computers than my teachers too back in the days, but I wasn't an arrogant prick. It's just fucking computers, man. It's not astrophysics or anything. Get over yourself.
Re:Are there any adults in the house? (Score:5, Insightful)
Budget is the primary reason on all networks for failed security practices.
Re:Yeah... and? (Score:5, Insightful)
Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.
Re:Yeah... and? (Score:5, Insightful)
You know, with our whacked out legal system in the United States that sees enemies everywhere , the kids would have been sentenced to 10 years prison each for terrorism.
I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.
Re:Yeah... and? (Score:1, Insightful)
That kind of damage is unlikely if this uni network was as brain dead simpleas most, but it could, and the guys "just looking around"probably don't know enough to even realize the possibility.
Re:little we can do? (Score:5, Insightful)
I personally was responsible for a hostel network with 450 odd users... and tell you, the ONLY way you can sleep soundly is by making things assuming everybody has the root password! Students have way much time on their hands, are creative and generally up-to-date with security issues. ONE person cannot spend THAT much time... at 3AM you'd be sleeping while some sleepless fellows will be looking over a just released security advisory! By the time you wake up and check your mailing list mails, they'd have already broken into the system! (most of the time without any damage, but just to "see" if its indeed true).
Sorry man... a network/system administrator in a school/college is probably the worst IT admin job you'd be looking at!
no shit. (Score:5, Insightful)
Obviously, now. Before hand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
No Excuse (Score:3, Insightful)
What I find really scary is the feeble " we bought cheap systems, we can't secure it " excuses the systems admins are giving.
If they had used free software it would have been pretty secure out of the box (or whatever the eqivalent is for downloading).
Most of the places I have worked recently are using the famously secure and "trusted" software from "honest" Bill Gates, and, they have reasonably secure networks, it just takes a some actual admin from the sysadmins.
What software are they using that stores passwords in plain text? In the 21st century ? This is just plain neglegent, I think the students involved should pursue the college through the data protection act. In the UK anyone holding somebody elses personal information on thier computer system has a duty to secure that data and prevent access from unauthorised users. Clearly asking the student body to "please obey the rules and not look" falls short of "reasonable measures to protect ".
Re:Yeah... and? (Score:5, Insightful)
Journalists get far too much slack already, ranting arould like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.
What the kids SHOULD have done was to contact the principles office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.
Re:Yeah... and? (Score:5, Insightful)
2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, the deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.
3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?
Re:no shit. (Score:1, Insightful)
Er, quite easily, with minor technical details such as "This school runs webmail over HTTP not HTTPS". "This school runs messenger on non-switched network segments". They just had to find out basic details of the protocols in use, most of which wouldn't even have needed any beyond a simple glance around the oxford uni website or a 30 second chat with one of the admin staff.
I hate to disturb your dream here, but asking permission might have made life difficult.
What because they don't own the network?
Maybe asking permission to hack other peoples networks is difficult because people don't want their network hacked, especially not by some pimply freshers with just about enough skill to run ethereal. Theres too much danger that they will do some severe damage and you can be damn sure they wouldn't be the ones working overtime to fix it.
What should happen to them is they should get booted out, this country is already full of bullshit wannabe journalists who will do anything to get a story regardless of law or ethics. No doubt they'll be getting work at the Sun as I.T. experts advising the nation.
They broke the law, quite cleary, infact they possibly violated both the Computer Misuse Act and the Data Protection Act. Since they're from Oxford uni its unlikely the old boys network will allow them to get prosecuted, infact as another poster already noted the case got referred straight back to uni by the police.
If it had been someone in some council flat hacking the uni network you can be guaranteed they'd be locked up by now.
Unintentional Cracking (Score:3, Insightful)
That's true, but what about when an intranet is left open and someone, exploring the network, stumbles upon it?
My friend's wife once found the answers to all the homework and exams during a class on computer administration, while viewing the intranet from her workstation. The files were not password protected and there was nothing indicating that this was supposed to be private (before opening it).
She realized this wasn't right, and told the teacher. Unfortunately, the professor was not pleased, and the school tried to expel her on grounds of illegally cracking into the network! In the end, she was forced to drop the class even though my friend's wife knew more than the teacher himself! (I think the college's lawyers realized they could be sued if they expelled her.)
She wasn't the only one. A while back, I heard about a case where the New York Times sued a hacker when he found a security hole in their network and told them about it (and didn't do anything else). In both cases nothing was damaged at all, nothing was really seen and nobody was hurt. It's like someone notices that your back door's lock is broken, sends you a letter about it, and you sue them for trespassing.
What I'm saying is that we need some kind of legal protection for these kind of accidental "hacking."
Re:Are there any adults in the house? (Score:3, Insightful)
Re:Are there any adults in the house? (Score:3, Insightful)
In fact, they didn't uncover any major security flaw which the University IT support were unaware of. As I understand it, some traffic was sniffed on an old unswitched hub. I believe, the last one in use at that college, and which was scheduled to be replaced with switched connections. Though that hadn't yet been implemented partly due to the budgetary constraints mentioned in the article. Even with a switched network people playing games with ARP can sniff traffic, though at least that's an active attck which can be detected by diligent admins.
Lo and behold, when the students looked at the traffic they found IM content being sent in the clear and a whole lot of Outlook users collecting their mail by POP/IMAP rather than IMAPS. This is no surprise to anyone in IT support though it may well have shocked some of the more clueless users,
This is certainly against the University's computer use policy, and as such they are being investigated by the Proctors. They do have the authority to suspend student's access to University buildings and facilities (or Rusticate them, in local terms), but as far as I know no decision on what sanction, if any, they will face has been reached.
IT staff at the University do try to keep users informed about network security, and students are told to use secure methods to access email servers, but obviously more education could always be done. Much effort has been needed recently in keeping Windows users up to date with security patches, and AV software. The more effort is spent on communicating these matters the less attention students have left to listen to more general security messages.
Re:Aargh, again with the confusion. (Score:1, Insightful)
Anyone reading the article properly/knowing anything at all about any university network would realise that's exactly what happened.
Everything students & staff need to know about email & other computer security is up on the university's site (oucs.ox.ac.uk). IT staff at all unis (not just Oxford) do their damndest to educate them about what is and what isn't secure. Some people just don't listen though.
No servers were hacked. What they did (packet sniffing) wasn't particularly clever. A monkey could do it with the right software. The only thing which was actually down to the Uni, as mentioned above, was the availability of CCTV footage from one location. This has now presumably been rectified, and certainly doesn't deserve all the press coverage it's getting.
Re:Yeah... and? (Score:1, Insightful)
Re:Yeah... and? (Score:3, Insightful)
This is definitely not a case where it's "easier to ask forgiviness than permission."
Re:Are there any adults in the house? (Score:3, Insightful)
It's because $COMPANY shouldn't be getting sued due to a speculative case of neglect. Specifically they shouldn't be liable for damages that could happen because they chose to use $SECURITY_MEASURES instead of $PUBLICLY_ACCEPTED_SECURITY_MEASURES.
If your twisted world was the case, all companies using Linux would be sued when NETWORK($LARGE_COMPANY && $POLITICAL_BACKING) spends RAND(10)*10^RAND(4,5) dollars on a marketing campaign that "proves" by "independant study" that $POPULAR_SECURITY_METHOD is better than $LINUX_SECURITY_METHOD. All companies will be forced to use $POPULAR_SECURITY_METHOD in fear of getting sued.
Now, furthermore, if $LARGE_COMPANY decides to milk the fear FWIW then whenever $POPULAR_SECURITY_METHOD[DATE()] comes out and it is marketed, they [find someone] to sue a company using $POPULAR_SECURITY_METHOD[DATE()-1] and scare everyone else into upgrading.
Standard Practice? (Score:3, Insightful)
Generally speaking it must be very difficult to ensure a secure network at a uni. The sheer variety of different machines and operating systems, and the ad-hoc nature of the network will invariably leave gaps in the security.
However i'd like to hope that most students are just excersizing their enquisitive nature and doing little harm in the process, after all University is "yours" just as much as it is the people who run or own it. It is a seat of learning after all!
nick
Re:Are there any adults in the house? (Score:3, Insightful)
You do know that the open source doesn't provide any extra guarantees, right? And that, for example, the recent Mozilla security weaknesses were known about (at least in a related form) two years ago but left unfixed? Get off your damn "Open Source R0x0rz" high horse and live in the real world, FFS. Mindless rants like yours do neither the OSS world nor the computer security world any favours.
I don't know what's sadder: the fact that you're posting a standard-yet-incorrect Slashbot cliche (as if security through obscurity doesn't help to protect vast amounts of information in numerous fields throughout the world); the fact that several people clearly bought it enough to mod you up; or the fact that you gave yourself away as a pro-OSS zealot right at the end there. I'd mod you (-1, Troll) if I weren't posting in this thread.
Public fame is of no use for hackers (Score:2, Insightful)
Please, all future kiddie hackers, realise that people at power are *always* more concerned about their power than about technology flaws or productivity/effectiveness of systems they control. And showing their failure in public makes them very angry, because it can endanger their image of power control the most.
Next time, if you do it for sport, do it quiet. Make yourself an outer image of a complete moron. Enjoy your insight. A fame is without purpose for you.
Re:Yeah... and? (Score:4, Insightful)
this is not a security hole
Any unfettered access to ports that aren't being used IS a security disaster, period. Do some reading as I don't feel like teaching you all about it.
I get an unfirewalled, public IP from my ISP.
This practice by ISP's is one of the biggest reasons beyond Microsoft for the spread of Code Red, Blaster and all the other IP scanning worms/viruses out there.
It is up to the student to make sure they're protected. If they can't do that (or pay someone to do it for them), then they shouldn't be online.
The first sentence is rediculous. I won't even delve into how rediculous. But they DO in fact pay someone--the University. Every university I know of removes viruses and such from students computers. They pay for that in their "technology fee" or whatever their school calls it.
Um, firewalled servers with private IPs aren't exactly very useful.
Here is a cluestick for you--NAT. Go look it up. Any network security admin worth one cent knows there is no reason to give the outside (or inside) world access to port 7754 or any other random unused port. There is no reason a web server should allow anythying other than port 80 access and maybe a few others.
Professors and students who live off campus might want to do work from home.
Cluestick #2--VPN.
How many people were running servers before that now couldn't?
I bet dollars to doughnuts most schools out there specifically forbid that due to porn and all the other crap people would use it for. My school had a clause that the Internet was to be used for academic purposes only and any violations were grounds for revoking the priveledge to use it. It is THEIR pipe and they can dictate how people use it.
Putting up a firewall solves nothing
I pray you are trolling and you don't really believe any of what you just said.
Re:Yeah... and? (Score:5, Insightful)
Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as a much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.
Good academic sysadmins are actually pretty hard to come by. it's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.
(disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)