Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."
Yeah... and? (Score:4, Funny)
Re:Yeah... and? (Score:5, Insightful)
Re:Yeah... and? (Score:5, Insightful)
Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.
Re:Yeah... and? (Score:5, Interesting)
That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
Re:Yeah... and? (Score:4, Informative)
From the Guardian article:
"The police referred the matter back to the university, saying it was best dealt with internally."
Re:Yeah... and? (Score:5, Insightful)
You know, with our whacked out legal system in the United States that sees enemies everywhere, the kids would have been sentenced to 10 years prison each for terrorism.
I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.
Re:Yeah... and? (Score:4, Interesting)
Once I went to deliver a software app, they did not have my money so I uninstalled it, grabbed my stuff and started to leave. He threatened to call the cops, at which point I said, "Please do, I would like to file a fraud report against you for trying to steal my software without paying for it." After some arguing, I picked up my cellphone and said, "Fine, I'll call the cops," at which point the customer magically was able to produce a check for me. (Checks over $1000.00 are fine to take; it's a nasty felony that will get you thrown in jail for writing a bad check over $1000.00.)
I sat down and reinstalled, and gave them another invoice for 3 hours more labor to cover the BS they tried to pull.
I later forced the jerk to pay me in small claims court for the final labor invoice.
Never put in time-bombs. ALWAYS have them pay up front for labor and demand payment for the product at delivery. If the company will not do that, then don't work for them; there are plenty of companies out there that are not scumbags.
BTW, after a few years of freelance, I learned that most companies in the area knew about the company that tried to screw me, they had a reputation of trying to steal from contractors.
Re:Yeah... and? (Score:5, Interesting)
As for prosecuting students who hack the systems and networks, we take a different approach. Before I was a sysadmin, I was a student at the same University and certainly had a go at the systems (I found a way to get a setuid copy of bash), on telling the sysadmins, they fixed the security hole, but I got kudos and respect for finding the hole.
The general policy is that our Computer Science students should be smart enough to root the systems, and if they manage it, so long as they don't abuse it and they report it quickly, then we are happy!
Re:Yeah... and? (Score:5, Interesting)
4.4 Without prejudice to article 4.3, customers are permitted to hack the
XS4ALL system.
The first customer who succeeds in attaining a position equivalent to that
of the XS4ALL system administrator will be offered six months' free use of
the system, provided that the said customer explains how he or she succeeded
in hacking the system, has not damaged the system or other customers and has
respected the privacy of other customers. Each customer hereby gives consent
for other customers to attempt to hack the system under the aforementioned
conditions.
Quick Lesson in Oxford.... (Score:4, Interesting)
But with the entire event being isolated to a university campus...
There is no single campus at Oxford, only a collection of Colleges, Libraries and Faculties.
The policing of Oxford students is dealt with mainly by the Colleges and the Proctors. The Proctors can be quite fierce if they fail to see the funny side. They are also quite old fashioned - most students hope only to encounter them at ceremonial occasions when they'll be wearing gowns and funny hats. There are also the 'Bulldogs' who are basically the heavies for the Proctors and go round in bowler hats and used to chase the students out of pubs in the old days.
In this instance, the fact that the story was splashed on the front page of a newspaper with circulation throughout Oxford (rather than just within a campus) probably caused a lot of embarrassment. Added to which, I wouldn't be surprised if the Proctors have very little understanding of exactly what has been done or how. They will assume the worst. They probably just want to be seen to be taking the matter seriously and don't know exactly how serious it really is or what reaction is appropriate. In any case, rustication isn't so bad - you can come back to study once you've served your time away. They could have been 'sent down', in which case it'd be game over.
Re:Yeah... and? (Score:5, Interesting)
When I was at collage, I remember a friend of mine came over, but needed to do some work. Now the work was a document on a server in Preston Polytechnic, so we tried to FTP it over to the local VAX. Eventually we just gave up because it wasn't working.
Now we don't know exactly what happened, but next day I got an email from a very annoyed sysadmin for this system because we had caused some form of system failure by our actions. I think he called it a "Network breakthrough event" or something. Apparently somehow we had cacked their system in some way (I don't think it was permanent, or particularly serious). They were threatening to sue me and the guy involved.
I sent them an email saying we only wanted to get some work off the server and promising never to go near their crappy system again.
From what I found out later, the reason he was threatening me was because the Poly had recently promised someone doing some research that their system was safe and secure, and apparently something died (probably the FTP daemon) when the guy was in the room. Very embarrassing. So of course it all got blamed on them nasty hackers.
I later found out exactly how flaky a default PrimeOs installation was in person; it always surprised me after that how anyone would ever dream of using it in a production system, but then again, being brought up on VMS and UNIX, I seem to have got the strange impression that more than 10 hours uptime in one stretch is my god-given right.
Re:Yeah... and? (Score:5, Funny)
The sys-admin set up our CompSci server to log every command every user had made (lastcomm services). So one night, one student is waiting for the others in the group project team to arrive. Rather than constantly running between labs, he simply writes a shell script:
# poll the list of logged-in users every 10 seconds, forever
while true
do
    who
    sleep 10
done
Harmless enough? After about 2-3 hours of use, the entire
Which burned up two large boxes of line printer paper. Needless to say, the sys-admin was furious and makes the student sign a form requiring him never to run an infinite-loop script without permission again.
When you were at what? (Score:5, Funny)
And, um, which collage did you go to?
Re:Yeah... and? (Score:4, Funny)
Art collage, presumably?
Re:Why such high security at a college campus?? (Score:4, Interesting)
Why all these intrusive and secure measures just for a college campus? Its not a military base or anything....
Re:Yeah... and? (Score:5, Insightful)
Ha ha ha. A degree in computer science qualifies someone to be a sysadmin about as much as it qualifies them to be a chartered accountant - a lot of CS degrees hardly touch systems admin at all, for starters, and given that the prime requirement for being a good sysadmin is experience, there's a big difference between 'has run Linux' and 'can administer large heterogeneous networks containing thousands of hosts and tens of thousands of users'.
Good academic sysadmins are actually pretty hard to come by. It's a field which involves providing very high levels of service to demanding users who want to do any number of unconventional things but who will want to do them right now, on a budget of about half what's really needed. In addition, academic admins tend to have to be a lot more generalistic in their outlook than admins of other large networks as there are fewer of them to go round.
(disclaimer - I've been a sysadmin at various academic sites for 8 years which means that while I may be biased, I've also observed the strange world of academia for longer than most students get to do so for)
Re:Yeah... and? (Score:4, Funny)
I thought the fantastic thing about that case -- assuming it's the same one I remember -- was that he was kicked out about two weeks before graduation, and was claiming that they should have detected his plagiarism earlier and thrown him out then, rather than ripping him off for three years' worth of fees first. Hey, at least if he flunks that course, with arguments like that he'll have a great career as lawyer.
Re:Yeah... and? (Score:4, Insightful)
If everybody broke into a network would it still be unlawful.
Yes, it would. To quote the oft-cliched parental question, "If everyone else was jumping off a cliff would you?" Morality, and by corollation, law and justice are not relative. That is to say, the law doesn't change because some people don't obey it. The underlying moral principle of "respect other people's property" still applies. So it'd be easier to argue for changing the speed limit because it's not founded on the same fundamental moral principles as laws such as trespassing (Alan Donagan, "The Theory of Morality").
Obviously you know nothing about good investigative journalism. It would seem the only journalism worth a damn is when the writer feels the issue is worth risking his liberty.
I think you could say that these two acted with a disregard for the liberty of others in their pursuit. If they had seriously caused damage, it would've affected thousands of other people, not just themselves. I don't think that kind of disregard can be justified as investigative journalism.
I hope the two students in question counter sue the university for lapse protection of their student records.
Reminds me of when a professor of mine explained the term "hutzpah [reference.com]" to me...
A man was arrested and charged with murdering his two parents. There were several witnesses to the grisly crime and no doubt as to who was to blame. When he stood before the judge he claimed he shouldn't be tried because of mitigating circumstances. "What circumstances are those?" the judge asked. The man replied, "I'm emotionally traumatized from just having become an orphan."
That is hutzpah, and those two would be exhibiting quite a bit to sue the university.
Re:Yeah... and? (Score:5, Insightful)
2. I'm not sure what you're saying. The students could somehow have accidentally caused damage? Oops, they deleted the student records by pressing the wrong button? This is an absurd viewpoint. You might as well argue that driving a car could accidentally hit a pedestrian, and should be punished. Add this to the reality that they didn't cause any damage, and had no malicious intent, since they actively turned over the information they found to the authorities.
3. Your argument is weak, hiding behind the word "hutzpah." It's a legitimate concern if the university computer systems don't provide enough security to ensure that their personal information was secure. How would you like it if your doctor did the equivalent of posting your medical records online?
It's college, right? (Score:5, Funny)
Re:Yeah... and? (Score:5, Insightful)
Journalists get far too much slack already, ranting around like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.
What the kids SHOULD have done was to contact the principal's office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.
Re:Yeah... and? (Score:4, Interesting)
Among the big security problems were:
-All students getting unfirewalled public IPs (I shit you not)
-All servers having unfirewalled public IPs
-E-mail hosted on old (probably unpatched) HP-Unix with the most basic of unshadowed DES passwords
-NT servers (see above) without the latest patches
When I contacted the IT department with comment on all of this prior to publishing, they said something like, "the average student doesn't know how to take advantage of all of those issues." That comment frosted me and prompted me to publish.
The result? A firewall was installed in a matter of days and public IPs went private. Yes, I could have run any kind of server I wanted unhindered (and did) but I was concerned for the welfare of the students who would have their computers molested by crackers.
Of course I later applied for a network admin job at the school upon graduating and didn't get the job so maybe that wasn't so smart. But I did get a better job instead. In fact, the job formerly held by the guy my alma mater chose instead of me. How's that for irony?
Re:Yeah... and? (Score:4, Insightful)
this is not a security hole
Any unfettered access to ports that aren't being used IS a security disaster, period. Do some reading as I don't feel like teaching you all about it.
I get an unfirewalled, public IP from my ISP.
This practice by ISPs is one of the biggest reasons beyond Microsoft for the spread of Code Red, Blaster and all the other IP scanning worms/viruses out there.
It is up to the student to make sure they're protected. If they can't do that (or pay someone to do it for them), then they shouldn't be online.
The first sentence is ridiculous. I won't even delve into how ridiculous. But they DO in fact pay someone--the University. Every university I know of removes viruses and such from students' computers. They pay for that in their "technology fee" or whatever their school calls it.
Um, firewalled servers with private IPs aren't exactly very useful.
Here is a cluestick for you--NAT. Go look it up. Any network security admin worth one cent knows there is no reason to give the outside (or inside) world access to port 7754 or any other random unused port. There is no reason a web server should allow anything other than port 80 access and maybe a few others.
Professors and students who live off campus might want to do work from home.
Cluestick #2--VPN.
How many people were running servers before that now couldn't?
I bet dollars to doughnuts most schools out there specifically forbid that due to porn and all the other crap people would use it for. My school had a clause that the Internet was to be used for academic purposes only and any violations were grounds for revoking the privilege to use it. It is THEIR pipe and they can dictate how people use it.
Putting up a firewall solves nothing
I pray you are trolling and you don't really believe any of what you just said.
Re:Yeah... and? (Score:5, Informative)
I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.
At uni a friend of mine ran some dodgy novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".
Somehow someone accidentally installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...
We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.
Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.
What were these two plonkers trying to prove? The bleedingly obvious?
Cheers
Stor
Re:Yeah... and? (Score:5, Funny)
All I got was this stupid t-shirt.
Re:Yeah... and? (Score:5, Insightful)
Forcing people to use SSL? That's not something netadmins can force thousands of students to do. This isn't about cracking a weakly protected security system, it's about eating packets.
On the other hand, enabling it... (Score:5, Interesting)
And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad [wfu.edu], and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!
(Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)
Re:On the other hand, enabling it... (Score:5, Informative)
If you have a full shell account on the remote end (i.e. pine doesn't start automatically upon login, and you don't exit when exiting pine), read this [colug.net] to learn how to automatically pull down your email with pop3 over ssh without entering passwords. Works great.
Re:Yeah... and? (Score:5, Interesting)
My first school hack was a real hack. I was playing some BASIC game on the Commodore 64 in the library and I hit a bug that prevented me from winning the game. A real, live bug. So I listed the line, identified the bug, and started fixing it when the librarian walked up and asked what I was doing. She wound up calling my parents saying I was trying to rewrite the game so I could win, you know, cheating.
My parents were cool about it. When I got home my dad asked me what had happened, and since I had previously saved the game to my own disk (we weren't allowed to do that...) and brought it home I fired it up and reproduced the bug for him. Then he watched me fix it, called the librarian and bitched at her, because it was a real bug.
I got kicked off the computer in the library after that. No big loss, we had two of those machines at home and tons more stuff. ;) But I've had a severe prejudice against librarians ever since then...
Are there any adults in the house? (Score:5, Insightful)
Cheers!
Erick
Re:Are there any adults in the house? (Score:4, Insightful)
But the administration should get past the embarrassment and call off the cops.
In the BIG picture, they have been done a favor.
Re:Are there any adults in the house? (Score:5, Insightful)
Cheers!
Erick
Re:Are there any adults in the house? (Score:5, Funny)
English law: Accessory after the fact. (Score:4, Informative)
Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.
Re:Are there any adults in the house? (Score:3, Insightful)
Right, security by obscurity. What a great idea.
How many times do we have to go over this? The way to make things secure is NOT by hiding information, but by publicizing it as quickly as possible so that everyone can know that there is a problem and get on fixing it. These students are heroes, not criminals. They did the university a service and should be rewarded for what they did. Instead of hiring security consultants to figure out what's wrong with the network, these students did it for free. It
Re:Are there any adults in the house? (Score:4, Insightful)
Re:Are there any adults in the house? (Score:5, Interesting)
1) You can't force them to use secure transmission of all data
2) You can't force them to use secure transmission of YOUR data
3) You can't force them to follow best practices in the handling of all data
4) If you try to point out in a public forum that their handling of your data is faulty in any way, you can be sued
But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.
Anyone notice how badly this deck is stacked yet?
Re:Are there any adults in the house? (Score:5, Insightful)
Anyway, the school newspaper staff (full of multicultural liberals) found the existence of this Cotton Club to be horrendous and wished to investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.
In other words, there was a secret club in the school that contributed to the delinquency of minors (as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club (which is what they should have done).
The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper (why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have committed a crime. Mind you that, reportedly, this happened BEFORE the article was published.
What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:
1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".
2). Someone, or several someones, within the university staff may have been exploiting the security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.
Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.
Or maybe not. Hard to tell with the details in the linked articles.
Re:Are there any adults in the house? (Score:3, Insightful)
I don't buy the "cheaper computer set-up" excuse.
They probably didn't even bother to turn on the security features of what they had. It's not likely a hardware problem.
I mean, passwords being sent in the clear. That sounds like a software issue to me and there aren't very many pieces of current software that you can turn on SSL at least for something like that.
Basically the budget excuse is being used to cover-up for some admins who didn't know (or care) what they were doing when they set the stuff up.
Re:Are there any adults in the house? (Score:5, Insightful)
Budget is the primary reason on all networks for failed security practices.
Re:Are there any adults in the house? (Score:3, Interesting)
Best interest of the school, or of the students?
Have you ever happened to try reporting security issues to a school? I have--the grades database server at my old high school was insecure (no sa password on the sql server). After I reported the issue to the superintendent, the entire IT department, several teachers, and an assistant principal, it took the IT guys 4 month
Re:Are there any adults in the house? (Score:5, Informative)
An IT Officer's Perspective (Score:5, Informative)
Re:Mod Parent Down (Score:5, Funny)
Erick
"How I Rooted Oxford University" (Score:5, Funny)
500 pound fine? (Score:5, Funny)
Re:500 pound fine? (Score:5, Funny)
In Oxford, they call it the "Sisyphus Punishment".
Re:500 pound fine? (Score:5, Funny)
For those of you that went to Cambridge this is a reference to rolling a heavy stone uphill over and over.
Re:500 pound fine? (Score:5, Funny)
Re:500 pound fine? (Score:5, Funny)
Oxford Loses Out (Score:5, Insightful)
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
Re:Oxford Loses Out (Score:5, Interesting)
Re:Oxford Loses Out (Score:3, Insightful)
Re:Oxford Loses Out (Score:5, Insightful)
I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?
Re:Oxford Loses Out (Score:5, Interesting)
I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.
If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google
Re:Oxford Loses Out (Score:3, Insightful)
That sounds very dubious to me. Do you have a source for that?
Re:Oxford Loses Out (Score:4, Interesting)
If the airport screeners actually found the gun, he would be breaking rocks in a federal pen.
Bullshit. (Score:5, Interesting)
In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.
As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.
E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
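An added example, not part of the original comments: the cleartext mail logins described above, and the "make the mail server SSL-only" fix suggested earlier in the thread, can be checked from the server's own pre-TLS capability listing (POP3 `CAPA`, IMAP `CAPABILITY`). The transcripts are constructed samples and the function names are this example's own.

```python
"""Audit what a POP3/IMAP server offers on its plain port before any TLS."""
from dataclasses import dataclass, field

# SASL mechanisms that put a recoverable password on the wire.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

# Constructed sample transcripts (not captured from any real server).
POP3_WEAK = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\nSASL PLAIN LOGIN\r\n.\r\n"
POP3_STLS_ONLY = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"
POP3_MIXED = "+OK\r\nUSER\r\nSTLS\r\nSASL CRAM-MD5\r\n.\r\n"
IMAP_WEAK = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN\r\na1 OK done\r\n"
IMAP_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done\r\n"


@dataclass
class Finding:
    protocol: str
    tls_upgrade: bool                              # STLS / STARTTLS advertised
    cleartext: list = field(default_factory=list)  # login paths usable without TLS

    @property
    def verdict(self) -> str:
        if self.cleartext:
            # Passwords can cross the LAN readable; TLS, if any, is only optional.
            return "cleartext-optional-tls" if self.tls_upgrade else "cleartext-only"
        return "tls-required" if self.tls_upgrade else "no-cleartext-login"


def audit_pop3(capa_response: str) -> Finding:
    """Parse a multi-line CAPA reply (RFC 2449) sent before STLS (RFC 2595)."""
    lines = capa_response.replace("\r\n", "\n").split("\n")
    if not lines[0].upper().startswith("+OK"):
        raise ValueError("server did not answer CAPA with +OK")
    finding = Finding("pop3", tls_upgrade=False)
    for line in lines[1:]:
        if line == ".":                 # end of the multi-line reply
            break
        words = line.upper().split()
        if not words:
            continue
        tag, args = words[0], words[1:]
        if tag == "STLS":
            finding.tls_upgrade = True
        elif tag == "USER":             # USER/PASS accepted without TLS
            finding.cleartext.append("USER/PASS")
        elif tag == "SASL":
            finding.cleartext += [f"SASL {m}" for m in args if m in CLEARTEXT_SASL]
    return finding


def audit_imap(capability_response: str) -> Finding:
    """Parse an untagged CAPABILITY reply (RFC 3501) sent before STARTTLS."""
    caps = set()
    for line in capability_response.replace("\r\n", "\n").split("\n"):
        if line.upper().startswith("* CAPABILITY "):
            caps.update(line.upper().split()[2:])
    if not caps:
        raise ValueError("no untagged CAPABILITY line found")
    finding = Finding("imap", tls_upgrade="STARTTLS" in caps)
    if "LOGINDISABLED" not in caps:     # plain LOGIN command is still accepted
        finding.cleartext.append("LOGIN")
    finding.cleartext += sorted(
        f"AUTH={m}" for m in CLEARTEXT_SASL if f"AUTH={m}" in caps
    )
    return finding


if __name__ == "__main__":
    samples = [
        ("pop3 weak", audit_pop3(POP3_WEAK)),
        ("pop3 STLS only", audit_pop3(POP3_STLS_ONLY)),
        ("pop3 mixed", audit_pop3(POP3_MIXED)),
        ("imap weak", audit_imap(IMAP_WEAK)),
        ("imap hardened", audit_imap(IMAP_HARDENED)),
    ]
    for name, f in samples:
        print(f"{name:15} {f.verdict:24} {', '.join(f.cleartext) or '-'}")
```

A "tls-required" result still depends on mail clients refusing to log in when the upgrade is missing; serving mail only on the implicit-TLS ports (995 for POP3, 993 for IMAP) removes the upgrade step altogether.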
no shit. (Score:5, Insightful)
Obviously, now. Before hand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
Not at all (Score:5, Informative)
Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it's ok right? Wrong, it's not ok, I broke the law.
Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.
Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
Nope, sorry (Score:3, Interesting)
If they suspect a problem, they need to talk to the school about it and get permission. Just running off and doing it isn't acceptable.
You are free to test the security of things YOU OWN. You can break in to your house, you can hack your own computer. You can break the window of your own car. However you can't do any of those things
Re:Oxford Loses Out (Score:3, Insightful)
The student body does have a right to take action on the insecurity of the network, but through official channels. The administration may not be forthcoming with the information or quick to act on it, but that still does not give the students to circumv
Re:Oxford Loses Out (Score:5, Insightful)
For christ sakes it's just a law, you know those man made things. Usually written to protect the people with money. It's not like there's anything special about them. In fact every so often they get changed what was legal is now ILLEGAL and what was ILLEGAL is now legal.
But I guess writing ILLEGAL in big letters makes it in some way important.
The only problem with my view point is that the people who write and enforce the law know it's a pile of shit but they get really ticked off if anybody outside the club explains this to them, they get doubly annoyed if said person is addressed as the accused and happens to be explaining as to why he should not have to pay a fine for drunk and disorderly. They usually start shouting about contempt and 30 days and stuff like that. I find it best to shut up in those situations.
*Yawn* (Score:3, Insightful)
A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.
Re:*Yawn* (Score:5, Funny)
SCO sues B
The worst part... (Score:4, Insightful)
Comment removed (Score:3, Insightful)
Re:On the contrary (Score:3, Insightful)
couldn't the newspaper be anonymous (Score:3, Interesting)
kebabs and bon jovi (Score:5, Funny)
They should be damn well "rusticated" for their taste in music alone!
Aargh, again with the confusion. (Score:5, Interesting)
Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do
The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.
How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right?
It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.
Re:Aargh, again with the confusion. (Score:5, Informative)
I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.
There are 3 important points that most people have failed to recognise. Many of them have to do with the fact that the colleges are more or less partly-autonomous entities.
1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.
1a) same goes for the departments and faculties.
2) there is the OUCS network, linking the colleges and departments to each other and JANET
3) oucs also provides services, e.g.
Now, of the various problems observed here, three are pulled out as particularly noteworthy.
1) email passwords stolen.
Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webamil.ox.ac.uk which requires https. They kept herald on as a legacy service for a month or two to allow people to transition. It was at this point the report was published, as the accounts were opened. The flaw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).
2) msn messenger conversations listened to
MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's not the university's fault. This is made clear here [ox.ac.uk]. These same students ALREADY have pretty private/personal/embarrassing conversations shouted at 3am in the morning in Radcliffe Square!
3) CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (I'm sure) will be dealing with the company.
Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad [ox.ac.uk]
So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.
Move along please, nothing to see..
Get permission! (Score:5, Informative)
Re:Get permission! (Score:3, Insightful)
Re:Get permission! (Score:3, Interesting)
what they could have done... (Score:5, Informative)
academic freedom (Score:5, Interesting)
When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.
..Well (Score:5, Interesting)
Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.
The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.
I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
Well, maybe there is something worth protecting (Score:5, Insightful)
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss students' e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
Maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"
They deserved it (Score:3, Insightful)
I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.
On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree
Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.
root/root (Score:5, Interesting)
I was just curious at the time
A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.
Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do
Re:root/root (Score:4, Interesting)
The fact that they responded the next day indicates they were watching rather closely. Log watching is not something you expect from sysadmins who don't change their passwords.
Yes, do call the Coppers, but.. (Score:3, Funny)
Then they can put Oxford Hack in the dictionary:
Someone who tattles, and gets in trouble too because of their guilt in the incident.
I'm a little surprised (Score:5, Informative)
Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).
Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.
If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.
I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)
Yeah, they should have kept their mouths shut (Score:5, Insightful)
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.
little we can do? (Score:5, Insightful)
Somebody fire this person.
Re:little we can do? (Score:5, Insightful)
I personally was responsible for a hostel network with 450 odd users... and tell you, the ONLY way you can sleep soundly is by making things assuming everybody has the root password! Students have way much time on their hands, are creative and generally up-to-date with security issues. ONE person cannot spend THAT much time... at 3AM you'd be sleeping while some sleepless fellows will be looking over a just released security advisory! By the time you wake up and check your mailing list mails, they'd have already broken into the system! (most of the time without any damage, but just to "see" if it's indeed true).
Sorry man... a network/system administrator in a school/college is probably the worst IT admin job you'd be looking at!
He said what!?!? (Score:3, Insightful)
Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.
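The passive check that makes ARP cache poisoning "loud", as an added example that is not part of the original thread: it tracks IP-to-MAC bindings seen in ARP replies and flags changed bindings, replies that contradict a pinned address, and one MAC answering for many IPs. The tcpdump-style line format, the sample capture, the function name and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Reply lines in tcpdump-style text output (format assumed for this example).
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed sample capture: from 09:00:07 one station starts answering
# for the gateway (10.0.0.1) and for another host (10.0.0.23).
SAMPLE_CAPTURE = """\
09:00:01.100 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 46
09:00:02.300 ARP, Reply 10.0.0.23 is-at 00:aa:bb:cc:dd:01, length 46
09:00:03.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 46
09:00:05.900 ARP, Reply 10.0.0.42 is-at 00:aa:bb:cc:dd:02, length 46
09:00:07.000 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:02, length 46
09:00:07.500 ARP, Reply 10.0.0.23 is-at 00:aa:bb:cc:dd:02, length 46
09:00:08.000 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:02, length 46
"""


def detect_arp_anomalies(capture, pinned=None, max_ips_per_mac=2):
    """Return a list of (timestamp, kind, detail) alerts.

    pinned: optional {ip: mac} of known-good bindings, e.g. the gateway.
    A pinned mismatch alerts on every offending reply; an unpinned binding
    alerts once per change, so a legitimate DHCP reassignment or NIC swap
    shows up as a single event to triage rather than a stream.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    last_seen = {}                 # ip -> MAC most recently observed
    ips_by_mac = defaultdict(set)  # mac -> every IP it has answered for
    reported_macs = set()
    alerts = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "pinned-mismatch",
                           f"{ip} expected {pinned[ip]}, saw {mac}"))
        elif ip in last_seen and last_seen[ip] != mac:
            alerts.append((ts, "binding-changed",
                           f"{ip} moved {last_seen[ip]} -> {mac}"))
        last_seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append((ts, "mac-claims-many-ips",
                           f"{mac} answers for {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    gateway = {"10.0.0.1": "00:11:22:33:44:55"}
    for alert in detect_arp_anomalies(SAMPLE_CAPTURE, pinned=gateway):
        print(*alert, sep="  ")
```
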
The only difference (Score:3, Interesting)
The Point Most Will Miss... (Score:5, Insightful)
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the American government, can you really describe it as the fourth branch of government anymore?
Proud of the students... (Score:5, Insightful)
Look, Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and long arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take them at their word?
I don't think so!
Where this world moves ? (Score:5, Interesting)
This is the proper way. But making the unprotected network and call police... it's a degradation.
I'm an info security auditor... (Score:4, Insightful)
Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. It's a very interesting paradigm shift.
I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)
That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admins have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from Catholic girls schools to Ivy League institutes and none of them were irresponsible when it came to their security.
Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due diligence to protect their network.
The three pillars of computer security consist of Accessibility, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessible by those whom are authorized to access it.
Yes, it is possible to hack any network and perform arp cache poisoning (just check out the tool Cain & Abel @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.
From the sounds of this article, it looks like they came across this Cain & Abel utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.
I say that they should make an example of these script kiddies.
not feeling too sorry for them... (Score:3, Insightful)
Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?
If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, they went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?
They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.
500 pound fine... (Score:5, Funny)
Couldn't figure out why they were snickering though?
Some facts (and my opinion) (Score:5, Informative)
The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).
What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.
This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.
They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches
The nature of the hack (Score:5, Informative)
[I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].
One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".
As I understand it, the college that the students attend still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.
The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.
The failing on the part of the University is not so much in the area of technology and IT security, but more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...
The University is on the whole, very security conscious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).
One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over separate fibre optics and are kept strictly segregated from the general purpose data network.
Re:They shouldnt be punished.. (Score:5, Interesting)
This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.
It's Uni - not a top secret government agency.
Rule of Law (Score:5, Insightful)
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
Re:Good thing for then they're in England (Score:3, Insightful)
No, but I'm curious about the URL. On the actual topic of this thread, I think severe penalties are not appropriate, even though the school was embarrassed. However, it's more of a problem in that