Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Education

Oxford Students Hack University Network 662

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
This discussion has been archived. No new comments can be posted.

Oxford Students Hack University Network

Comments Filter:
  • by Anonymous Coward on Thursday July 15, 2004 @11:35PM (#9713793)
    What appropriately aged Slashdotter hasn't hacked into their university or college's network?
    • Re:Yeah... and? (Score:5, Insightful)

      by gilrain ( 638808 ) <gilrain@NOspAM.lunarpolicy.net> on Friday July 16, 2004 @12:18AM (#9713959) Homepage
      Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.
      • Re:Yeah... and? (Score:5, Insightful)

        by TeraCo ( 410407 ) on Friday July 16, 2004 @12:21AM (#9713971) Homepage
        Well.. this might seem obvious.. but it's because it's still illegal to break into other peoples networks.

        Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.

        • Re:Yeah... and? (Score:5, Interesting)

          by gilrain ( 638808 ) <gilrain@NOspAM.lunarpolicy.net> on Friday July 16, 2004 @12:43AM (#9714057) Homepage
          The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expusion -- but how often do you see it reported to any kind of legal authority?

          That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
          • Re:Yeah... and? (Score:4, Informative)

            by ZzzzSleep ( 606571 ) on Friday July 16, 2004 @02:03AM (#9714282) Homepage Journal
            Quoth gilrain
            That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
            I'm pretty sure they're not going to be prosecuted.
            From the Guardian article:
            "The police referred the matter back to the university, saying it was best dealt with internally."
            • Re:Yeah... and? (Score:5, Insightful)

              by Monkelectric ( 546685 ) <slashdot AT monkelectric DOT com> on Friday July 16, 2004 @02:22AM (#9714322)
              "The police referred the matter back to the university, saying it was best dealt with internally."

              You know, with our whacked out legal system in the United States that sees enemies everywhere , the kids would have been sentenced to 10 years prison each for terrorism.

              I read a story about a fellow once who wrote a program for a firm that had stiffed him on payments before. He inserted into the program code that would delete the program on date X. When the company *DID* pay, he called them up and (stupidly) told them about it, and he would send a new version of the program without the trojan horse. They called the police, and he spent two years in prison for nothing.

              • Re:Yeah... and? (Score:4, Interesting)

                by Lumpy ( 12016 ) on Friday July 16, 2004 @08:30AM (#9715373) Homepage
                Good example, when I did freelance work I ALWAYS required 50% payment up front. and my expenses were split as product and labor. the up front pay's for labor only and the final payment at delivery was for the product (software, hardware, whatever) it was clearly written that way on the invoices.

                Once I went to deliver a software app, they did not have my money so I uninstalled it grabbed my stuff and started to leave. He threatened to call the cops, at which point i said, "please do, I would like to file a fraud report against you for trying to steal my software without paying for it." after some arguing, I picked up my cellphone and said, "fine I'll call the cops." at which point the customer magically was able to produce a check for me (Check's over $1000.00 are fine to take, it's a nasty felony that will get you thrown in jail for writing a bad check over $1000.00)

                I sat down and reinstalled, and gave them another invoice for 3 hours more labor to cover the BS they tried to pull.

                I later forced the jerk to pay me in small claims court for the final labor invoice.

                Never put in time-bombs. ALWAYS have them pay up front for labor and demand payment fo rthe product at delivery. If the company will not do that, then dont work for them, there are plenty of companies out there that are not scumbags.

                BTW, after a few years of freelance, I learned that most companies in the area knew about the company that tried to screw me, they had a reputation of trying to steal from contractors.
          • Re:Yeah... and? (Score:5, Interesting)

            by andy landy ( 306369 ) <aplandellsNO@SPAMhotmail.com> on Friday July 16, 2004 @04:22AM (#9714591) Homepage
            I'm a sysadmin for a UK university and it's certainly true that we have our own rules. For example, our AUP forbids the use of peer-to-peer software as it's easier that way. Anyone using it is in breach of the AUP, clean and simple. That way we avoid having to deal with legalities of copyright infringement etc.

            As for prosecuting students who hack the systems and networks, we take a different approach. Before I was a sysadmin, I was a student at the same University and certainly had a go at the systems (I found a way to get a setuid copy of bash), on telling the sysadmins, they fixed the security hole, but I got kudos and respect for finding the hole.

            The general policy is that our Computer Science students should be smart enough to root the systems, and if they manage it, so long as they don't abuse it and they report it quickly, then we are happy!
            • Re:Yeah... and? (Score:5, Interesting)

              by olderchurch ( 242469 ) on Friday July 16, 2004 @05:20AM (#9714728) Homepage Journal
              This is the exact same reason why I love my provider. From their general conditions [xs4all.nl]:
              4.4 Without prejudice to article 4.3, customers are permitted to hack the
              XS4ALL system.

              The first customer who succeeds in attaining a position equivalent to that
              of the XS4ALL system administrator will be offered six months' free use of
              the system, provided that the said customer explains how he or she succeeded
              in hacking the system, has not damaged the system or other customers and has
              respected the privacy of other customers. Each customer hereby gives consent
              for other customers to attempt to hack the system under the aforementioned
              conditions.
          • by LondonLawyer ( 609870 ) on Friday July 16, 2004 @05:02AM (#9714686) Journal
            university campuses tend to almost have their own legal systems

            But with the entire event being isolated to a university campus...

            There is no single campus at Oxford, only a collection of Colleges, Libraries and Faculties.

            The policing of Oxford students is dealt with mainly by the Colleges and the Proctors. The Proctors can be quite fierce if they fail to see the funny side. They are also quite old fashioned - most students hope only to encounter them at ceremonial occasions when they'll be wearing gowns and funny hats. There are also the 'Bulldogs' who are basically the heavies for the Proctors and go round in bowler hats and used to chase the students out of pubs in the old days.

            In this instance, the fact that the story was splashed on the front page of a newspaper with circulation throughout Oxford (rather than just within a campus) probably caused a lot of embarassment. Added to which, I wouldn't be surprised if the Proctors have very little understanding of exactly what has been done or how. They will assume the worst. They probably just want to be seen to be taking the matter seriously and don't know exactly how serious it really is or what reaction is appropriate. In any case, rustication isn't so bad - you can come back to study once you've served your time away). They could have been 'sent down', in which case it'd be game over.
      • by empaler ( 130732 ) on Friday July 16, 2004 @12:25AM (#9713991) Journal
        They also have to learn that it doesn't pay to go against the system... ;p
      • Re:Yeah... and? (Score:5, Insightful)

        by boaworm ( 180781 ) <boaworm@gmail.com> on Friday July 16, 2004 @03:41AM (#9714489) Homepage Journal
        You cant really mean that it's OK to hack/crack stuff if you cloak it as "excellent investigative journalism" ?

        Journalists get far too much slack already, ranting arould like fools saying they are doing a "great job for society" when they take paparazzi photos of officials and private persons so they can sell more newspapers.

        What the kids SHOULD have done was to contact the principles office and ask for permission. They could very well have been given such a permission if being supervised, and everything would be fine.
        • Re:Yeah... and? (Score:4, Interesting)

          by div_2n ( 525075 ) on Friday July 16, 2004 @07:12AM (#9715000)
          I did almost the same thing for my college except I didn't admit to actually perform the hacking. I published HOW to hack the entire network, where to go and what software to get. For example, every Lexmark printer on campus was not password protected. By downloading the readily available Markvision management software, you could oh say change the LED display screen language to Mandarin.

          Among the big security problems were:

          -All students getting unfirewalled public IPs (I shit you not)

          -All servers having unfirewalled public IPs

          -E-mail hosted on old (probably unpatched) HP-Unix with the most basic of unshadowed DES passwords

          -NT servers (see above) without the latest patches

          When I contacted the IT department with comment on all of this prior to publishing, they said something like, "the average student doesn't know how to take advantage of all of those issues." That comment frosted me and prompted me to publish.

          The result? A firewall was installed in a matter of days and public IPs went private. Yes, I could have run any kind of server I wanted unhindered (and did) but I was concerned for the welfare of the students who would have their computers molested by crackers.

          Of course I later applied for a network admin job at the school upon graduating and didn't get the job so maybe that wasn't so smart. But I did get a better job instead. In fact, the job formerly held by the guy my alma matter chose instead of me. How's that for irony?
    • Re:Yeah... and? (Score:5, Informative)

      by stor ( 146442 ) on Friday July 16, 2004 @12:31AM (#9714016)
      Heh.

      I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.

      At uni a friend of mine ran some dodgy novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".

      Somehow someone accidently installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...

      We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.

      Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.

      What were these two plonkers trying to prove? The bleedingly obvious?

      Cheers
      Stor
  • by erick99 ( 743982 ) * <homerun@gmail.com> on Thursday July 15, 2004 @11:36PM (#9713797)
    If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration. They could have taken the information to the school and if the school ignored it they could have then published an article. They did call the school for comment but it was clear they were going to publish so that didn't afford the school a chance to remedy the problem. I think they were more interested in an article that would generate a lot of excitment and make them look good. I don't buy their arguments about doing all of this in the best interests of the school. I believe they had their own best interests at heart. I can't say I think much more of the administration in their handling of the matter either. There is a lot of ass-covering going on here and I don't see anybody handling this like adults except for the police who acted quickly and appropriately. Jeeze, what a mess.

    Cheers!

    Erick

    • by gooman ( 709147 ) on Thursday July 15, 2004 @11:41PM (#9713816) Journal
      I completely agree.
      But the administration should get past the embarassment and call off the cops.
      In the BIG picture, they have been done a favor.

      • by erick99 ( 743982 ) * <homerun@gmail.com> on Thursday July 15, 2004 @11:44PM (#9713831)
        The police referred it back to school as an matter that should be handled "internally." I do agree with you though, they did not need to involve the police. While I think the students were very misguided and out to make a name for themselves, they did not need to involve the police. The students were not malicious, simply self-serving.

        Cheers!

        Erick

        • by pbox ( 146337 ) on Friday July 16, 2004 @12:02AM (#9713903) Homepage Journal
          Well, it's still better than here in the US. This would most definitely end up being a clear-cut terrorism case. These two guys would already be working on their tan in Gitmo. In about 3-5 years after a lengthy legal process involving the US Superior Court, they will be allowed to proceed with their legal defense, which of course will be completely torpedoed by the fact that the prosecution will introduce any and all evidence as "top secret", so the defense team will not be able to counter any of them. They will serve 30 years, in solitary confinement.
        • by MROD ( 101561 ) on Friday July 16, 2004 @06:44AM (#9714896) Homepage
          I believe that it is the law in England (and Wales) that if you know of a criminal act taking place then if you do not report it to the police then you are deemed to be an accessory after the fact and have hence committed a criminal act yourself.

          Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.
    • by Anonymous Coward

      Right, security by obscurity. What a great idea.

      How many times do we have to go over this? The way to make things secure is NOT by hiding information, but by publicizing it as quickly as possible so that everyone can know that there is a problem and get on fixing it. These students are heroes, not criminals. They did the university a service and should be rewarded for what they did. Instead of hiring security consultants to figure out what's wrong with the network, these students did it for free. It

    • by Goonie ( 8651 ) * <robert,merkel&benambra,org> on Friday July 16, 2004 @12:07AM (#9713922) Homepage
      These people were investigative journalists (or playing at being investigative journalists, at least). Journalists don't sit on stories and wait for the powers that be to fix them on the quiet. It's not their job. Their job is to find stuff of concern out and publish it as widely as possible. And, generally, it is in everybody's interest to have maladministration reported widely. It tends to act as a strong disinctive to anybody else that might be tempted.
      • by perlchild ( 582235 ) on Friday July 16, 2004 @12:38AM (#9714041)
        It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime(that's defensible, in a way: some bugfixes have been known to the worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:

        1) You can't force them to use secure transmission of all data
        2) You can't force them to use secure transmission of YOUR data
        3) You can't force them to follow best practices in the handling of all data
        4) If you try to point out in a public fora, that their handling of your data is faulty in any way, you can be sued

        But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.

        Anyone notice how badly this deck is stacked yet?
    • by DrMrLordX ( 559371 ) on Friday July 16, 2004 @12:15AM (#9713942)
      I can't say that I agree completely. This reminds me all too much of a small "controversy" that went on in my highschool alma mater here in the States. Several members of the school's newspaper staff uncovered information regarding the existance of a peculiar group within the school known as the "Cotton Club"(as I recall) whose purpose was unclear, but which contained members from both the student body, alumni, and supposedly trustees who were all male, white, and rather racist. The only known function of the group that I can recall was that there was a great deal of consumption of alcohol involved. They probably did some other dull things.

      Anyway, the school newspaper staff(full of multicultural liberals) found the existance of this Cotton Club to be horrendous and wished investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.

      In other words, there was a secret club in the school that contributed to the deliquency of minors(as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club(which is what they should have done).

      The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper(why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have comitted a crime. Mind you that, reportedly, this happened BEFORE the article was published.

      What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:

      1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".

      2). Someone, or several someones, within the university staff may have been exploiting security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.

      Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.

      Or maybe not. Hard to tell with the details in the linked articles.

      • I don't buy the "cheaper computer set-up" excuse.

        They probably didn't even bother to turn on the security features of what they had. It's not likely a hardware problem.

        I mean, passwords being sent in the clear. That sounds like a software issue to me and there aren't very many pieces of current software that you can turn on SSL at least for something like that.

        Basically the budget excuse is being used to cover-up for some admins who didn't know (or care) what they were doing when they set the stuff up.
        • by cavebear42 ( 734821 ) on Friday July 16, 2004 @02:07AM (#9714291)
          The budget is a very valid claim. The most expensive part of running a successful network is not good hardware, it's competent professionals. Hell, even a slacker who just came outta high school and has no experience cost more in 1 year than a server which you will use for 3-5 years.

          Budget is the primary reason on all networks for failed security practices.
    • If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration.

      Best interest of the school, or of the students?

      Have you ever happened to try reporting security issues to a school? I have--the grades database server at my old high school was insecure (no sa password on the sql server). After I reported the issue to the superintendent, the entire IT department, several teachers, and an assistant principal, it took the IT guys 4 month
    • by sunnytzu ( 629976 ) on Friday July 16, 2004 @03:09AM (#9714422)
      You're completely right. I was at Oxford when this incident occurred, and I'm appalled that the Guardian and BBC News have bought into this flagrant piece of self-promotion. From what I know of the story there was no attempt made to liaise with the University Computer Services to rectify this problem before they published the information in the paper. Unfortunately people involved in student journalism, particularly at Oxford in my experience, are only interested in bolstering their CV so that they can land a job at a British national newspaper. This means that they will do anything to promote themselves without any real thought for the consequences.
    • by yamahito ( 797434 ) on Friday July 16, 2004 @04:00AM (#9714534)
      Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University. Right, that's out the way, then. I work for the college that one of these students attend. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things. These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure. None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-lee attended here. There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks. It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op No, that's not journalism. That's scare-mongering. I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did. The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin , if I know oxford... Somebody fire this person (re: the comments by IT officer A) It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt. These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened. Have you heard of Whistleblowing Have you heard of Shit-stirring?
  • ... a.k.a. A Beginner's Guide to tcpdump and ettercap

  • by Anonymous Coward on Thursday July 15, 2004 @11:37PM (#9713800)
    Now that is a heavy fine.
  • Oxford Loses Out (Score:5, Insightful)

    by mfh ( 56 ) on Thursday July 15, 2004 @11:39PM (#9713803) Homepage Journal
    The school is feeling embarassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

    From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?

    These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.

    Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
    • Re:Oxford Loses Out (Score:5, Interesting)

      by sirsnork ( 530512 ) on Thursday July 15, 2004 @11:42PM (#9713820)
      The multiple-PHD Admin certainly knows it, and has likely been voicing his concerns for some time. Unfortuantly the way the word works is that if it ain't broke, don't fix it. I imagine said admin(s) will now get the money they require to resolve the problem properly, otherwise Oxford risk more students doing this in 12 months time and looking even more silly
    • by jhunsake ( 81920 )
      The only problem with allowing this behavior is that you open yourself to more cracking attempts, including more fierce ones. The crackers know that they could just say they were writing a newspaper article if they were caught.
    • by cmallinson ( 538852 ) * <[chris] [at] [mallinson.ca]> on Thursday July 15, 2004 @11:48PM (#9713849) Homepage
      They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

      I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?

      • Re:Oxford Loses Out (Score:5, Interesting)

        by Smitty825 ( 114634 ) on Friday July 16, 2004 @12:23AM (#9713984) Homepage Journal
        Maybe my memory is foggy, plus, I realize that the incident occurred at Oxford University, which is in the UK, not the US, but.... (Is that enough of a disclaimer?)

        I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

        If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google :-)
        • I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

          That sounds very dubious to me. Do you have a source for that?
        • Re:Oxford Loses Out (Score:4, Interesting)

          by EvilTwinSkippy ( 112490 ) <yoda@nOSpAM.etoyoc.com> on Friday July 16, 2004 @06:33AM (#9714873) Homepage Journal
          Actually, no. There is not such exemption. There never was such an exemption. A journalist reporting the event might try to claim the 5th admendment (right to not testify against oneself). If he got the gun past security, and was the sole witness to his crime, he would get off on a technicality. There was no crime since he would be the only person to testify for the prosecution (and anyone who read the account in the news would be insumbisable as heresay.)

          If the airport screeners actually found the gun, he would be breaking rocks in a federal pen.

    • Bullshit. (Score:5, Interesting)

      by Crasoum ( 618885 ) on Thursday July 15, 2004 @11:54PM (#9713871) Journal
      White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

      In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more then likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

      As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.

      E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.

      The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
      • no shit. (Score:5, Insightful)

        by twitter ( 104583 ) on Friday July 16, 2004 @03:04AM (#9714409) Homepage Journal
        ... most of the shit is just because people are not security conscious.

        Obviously, now. Before hand, how could they have shown it?

        White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

        I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.

        Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.

        We shall see what happens to them.

    • Not at all (Score:5, Informative)

      by Sycraft-fu ( 314770 ) on Friday July 16, 2004 @12:36AM (#9714032)
      Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.

      Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it;s ok right? Wrong, it's not ok, I broke the law.

      Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.

      Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
    • by 0racle ( 667029 )
      How is this insightful? Whether you're a student a journalist or a bum, if you do something illegal, you better be prepared for the consequences. If they thought they were going to get off scott-free, well its about time they entered the real world isn't it.

      The student bode does have a right to take action on the insecurity of the network, but through official channels. The administration may not be forthcoming with the information or quick to act on it, but that still does not give the students to circumv
  • *Yawn* (Score:3, Insightful)

    by OverlordQ ( 264228 ) * on Thursday July 15, 2004 @11:40PM (#9713807) Journal
    Move on. How many stories have there been on slashdot of this exact same thing happening?

    A works for/goes to/etc B.
    A finds exploit in B's Systems
    A exploits systems.
    A finally gets around to telling B.
    A gets in trouble for violating laws and/or rules of B.
  • The worst part... (Score:4, Insightful)

    by oiper ( 575250 ) on Thursday July 15, 2004 @11:40PM (#9713808) Homepage Journal
    .. has to be having the police handle a situation that they don't understand.
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Thursday July 15, 2004 @11:40PM (#9713810)
    Comment removed based on user account deletion
    • Re:On the contrary (Score:3, Insightful)

      by awkScooby ( 741257 )
      Hey, you're right. I think that I should:
      1. break into your house to show you how easy it is. It will really help you out in the long run, and you should thank me.
      2. show the pilot on the next flight I'm on how easy it is to get a gun through airport security
      3. show the Secret Service (hey, this is sarcasm. I don't need you guys to visit) how easy it is to jump the fence at the whitehouse and run across the lawn
      4. stick up the local bank to show them how bad their security is. I could write a really good artic
  • by samot84aol.com ( 554299 ) on Thursday July 15, 2004 @11:42PM (#9713823)
    Why did they use names in the paper--they could have used an anonomyous source.
  • by lovecult ( 682522 ) on Thursday July 15, 2004 @11:45PM (#9713833)
    ...spurred on by Bon Jovi's Livin' on Prayer, they did more research

    They should be damn well "rusticated" for their tast in music alone!

  • by randyest ( 589159 ) on Thursday July 15, 2004 @11:46PM (#9713835) Homepage
    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do :)

    The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.


    How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right? ;)

    It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."


    Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.
    • by thesp ( 307649 ) on Friday July 16, 2004 @03:23AM (#9714443)
      Good lord, I can't read this thread any longer.

      I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.

      There are 3 important points that most people have failed to recognise. Many of the have to do with the fact that the colleges are more or less partly-autonomous entities.

      1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.

      1a) same goes for the departments and faculties.

      2) there is the OUCS network, linking the colleges and departments to each other and JANET

      3) oucs also provides services, e.g. .ox.ac.uk DNS, herald email, HFS backup, site-license software, training, etc. etc. etc. OUCS also run the University level (ox.ac.uk) firewall. They also advise the colleges on network security.

      Now, of the various problems observed here, three are pulled out as particularly noteworthy.

      1) email passwords stolen.

      Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webamil.ox.ac.uk which requires https. They kept herald on as a lecacy service for a month or two to allow people to trnsition. It was at this point the report was published, as the accounts were opened. The falw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).

      2) msn messenger conversations listened to

      MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's no the university's fault. This is made clear here [ox.ac.uk]. These same students ALREADY have pretty private/personal/embarrasing comversations shouted at 3am in the morning in Radcliffe Square!

      3)CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (i'm sure) will be dealing with the company.

      Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad [ox.ac.uk]

      So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.

      Move along please, nothing to see..
  • Get permission! (Score:5, Informative)

    by Sowelu ( 713889 ) on Thursday July 15, 2004 @11:47PM (#9713839)
    This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.
  • by tisme ( 414989 ) on Thursday July 15, 2004 @11:47PM (#9713840)
    They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.
  • academic freedom (Score:5, Interesting)

    by havaloc ( 50551 ) * on Thursday July 15, 2004 @11:49PM (#9713853) Homepage
    While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security on a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
    When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.
  • ..Well (Score:5, Interesting)

    by SinaSa ( 709393 ) on Thursday July 15, 2004 @11:53PM (#9713868) Homepage
    Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

    The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someones email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

    I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
    • by TubeSteak ( 669689 ) on Friday July 16, 2004 @12:22AM (#9713979) Journal
      Like social security numbers, health information, whether the student is seeing the school shrink, grades (any teacher's temp internet files), scholarship information...

      What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.

      As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss student's e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some college's and uni's send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?

      maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.

      Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites
      And why is this? Maybe we have different ideas about what constitutes "information worth stealing"
  • They deserved it (Score:3, Insightful)

    by 0x0d0a ( 568518 ) on Thursday July 15, 2004 @11:56PM (#9713880) Journal
    Really, they broke the law for a sensational story for which they could have written a less interesting story without the privacy violations. I don't consider them to have a "journalistic duty to society" justification.

    I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.

    On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree ... the admins should get chewed out), would have gotten their story, and so forth. Oh, and this assumes that they notified the admins far enough in advance of their publish date that the problem could be *fixed* before all the students at the university were told about it -- unlike the Manhattan Project, where a couple more guards can just be rolled out or reassigned from another location temporarily, it may take a bit to test software changes before a rollout is appropriate.

    Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.
  • root/root (Score:5, Interesting)

    by codeonezero ( 540302 ) on Thursday July 15, 2004 @11:57PM (#9713884)
    Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

    I was just curious at the time :-)

    A day later I get a rather straighforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

    Well at least I found out that they were smart enough to change the password, and keep on eye on what people were trying to do :-)
    • Re:root/root (Score:4, Interesting)

      by TrevorB ( 57780 ) on Friday July 16, 2004 @12:34AM (#9714024) Homepage
      Are you sure that they didn't change the "root" user account to something else, and left the login id "root" as a honeypot to watch for hackers?

      The fact that they responded the next day indicates they were watching rather closely. Log watching is not something you expect from sysadmins who don't change their passwords.
  • by saskboy ( 600063 ) on Friday July 16, 2004 @12:03AM (#9713906) Homepage Journal
    But the police should be called, and when they see how lax the university was at keeping sensitive information private, they should file charges against Oxford too.

    Then they can put Oxford Hack in the dictionary:
    Someone who tattles, and gets in trouble too because of their guilt in the incident.
  • by siliconbunny ( 632740 ) on Friday July 16, 2004 @12:03AM (#9713907)
    I studied at Oxford some years ago, and found the computing service (OUCS) to be one of the better and more competent computing services when it came to running and maintaining the networks.

    Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).

    Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.

    If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.

    I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)

  • by warm sushi ( 168223 ) on Friday July 16, 2004 @12:11AM (#9713929)

    Imagine never failing another subject.

    Imagine being able to push your enemies down a grade.

    Imagine making some extra cash selling exam information.

    Imagine trashing the occasional file to irk a disliked professor.

    Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.

    Imagine how much easier life would be not doing the right thing.

    Just imagine...

    Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But its nice to know that there are self-serving show-offs who will do it for me. More power to them.

  • little we can do? (Score:5, Insightful)

    by blazen1 ( 583950 ) on Friday July 16, 2004 @12:30AM (#9714011)
    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."

    Somebody fire this person.
    • by mritunjai ( 518932 ) on Friday July 16, 2004 @02:42AM (#9714371) Homepage
      Fire the IT Officer ?? Apparantly you haven't been to a school and never had chance to administer a network.

      I personally was responsible for a hostel network with 450 odd users... and tell you, the ONLY way you can sleep soundly is by making things assuming everybody has the root password! Students have way much time on their hands, are creative and generally up-to-date with security issues. ONE person cannot spend THAT much time... at 3AM you'd be sleeping while some sleepless fellows will be looking over a just released security advisory! By the time you wake up and check your mailing list mails, they'd have already broken into the system! (most of the time without any damage, but just to "see" if its indeed true).

      Sorry man... a network/system administrator in a school/college is probably the worst IT admin job you'd be looking at!
  • He said what!?!? (Score:3, Insightful)

    by Anonymous Coward on Friday July 16, 2004 @12:33AM (#9714022)
    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Well yes, keeping a network segmented and firewalled where necessary is a part of it. He claims he's able to monitor his network, but apparently doesn't bother to. Arp cache poisoning attacks are pretty loud and easily detectable, even with inexpensive hardware and software. Of course someone who puts a CCTV security camera network on the same network segment as the one providing student access isn't particularly concerned with security.

  • The only difference (Score:3, Interesting)

    by DarkMantle ( 784415 ) on Friday July 16, 2004 @12:35AM (#9714027) Homepage
    I made a deal with the school... Don't expel me... I'll help you fix it. Also admitting through an anonymouse hotmail account helped... especially since every time i logged in it was from the school IP address.
  • by severed ( 82501 ) on Friday July 16, 2004 @12:36AM (#9714035) Homepage
    Here's the deal, before you all start burning megabytes on the debate whether or not this people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:

    This was an action of the press.

    Let me repeat myself, because it's important.

    This was an action of the press.

    It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.

    This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."

    These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.

    * Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
  • by LibrePensador ( 668335 ) on Friday July 16, 2004 @12:43AM (#9714058) Journal
    I am appalled at the number of people justifying what Oxford Univeristy is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?

    Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and lorn arm of the law and not the students that brought the problems to everyone's attention.

    As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?

    I don't think so!
  • by nickol ( 208154 ) on Friday July 16, 2004 @12:47AM (#9714074)
    What's going on ? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice : to study everything or just to prove himself capable. After each sucessful break in, the hole was patched and the network became more protected.

    This is the proper way. But making the unprotected network and call police... it's a degradation.

  • by JRHelgeson ( 576325 ) on Friday July 16, 2004 @01:53AM (#9714264) Homepage Journal
    I've audited everything from banks to schools and I must say that a College campus network environment is by far the most unique environment that I've ever audited.

    Corporations, banks, etc all work to protect themselves from the internet, whereas colleges need to protect the internet from their internal users. Its a very interesting paradigm shift.

    I've seen universities that literally connect the internet to the DMZ interface on their firewall, and then connect the residential dorm network to the external interface. (Thereby trusting their students less than they do the entire internet.)

    That being said; Kids are curious, and they're learning about computers and exploring their environment. If the network admin's have done nothing to protect their network then I say they're at fault, but I highly doubt that is the case. I've worked with all types of educational institutions, from catholic girls schools to Ivy League institutes and none of them were irresponsible when it came to their security.

    Nobody is saying that they need to completely lock down the entire network and turn it into a prison camp, they simply need to perform their due-dilligence to protect their network.

    The three pilars of computer security consists of Accessability, Availability, and Integrity. For the college, integrity is the most important. You don't want kids creating, modifying, or deleting their attendance information. You want to make sure that information is available to the users and that access to that information is accessable by those whom are authorized to access it.

    Yes, it is possible to hack any network and perform arp cache poisoning (just check out the tool Cain & Able @ www.oxid.it) and you can see how powerful these hacking utilities are and how easy it is to capture data like this - intercept IM conversations, decrypt passwords and create a whole lot of problems for responsible admins.

    From the sounds of this article, it looks like they came across this Cain&Able utility, played with it, and wrote an article saying that university staff was incompetent when in fact there is little to nothing that an administrator can do to protect against such an attack short of creating a prison camp of a network.

    I say that they should make an example of these script kiddies.
  • by sdedeo ( 683762 ) on Friday July 16, 2004 @02:00AM (#9714276) Homepage Journal
    The Oxford student newspaper guys are angling to get a nice job on Fleet street after graduation, and are trying to come up with attention getting scoops. If their real intention was to help the network sysadmins, they should have brought this up privately (since the article doesn't mention it, I assume they didn't.)

    Instead, they went to the front page. I wonder why they didn't stop to check with the Uni? Perhaps they were afraid that locking down the network would have prevented their scoop?

    If you want to class these guys as do-gooding whistle-blowers, it's a tough task. Should they be punished? Yes. What if, in order to prove their point, went in and read your e-mail after hacking your account? Or their off-the-shelf hack-kit contained malware that trashed your directories? Still keen on this kind of "journalism"?

    They could, perhaps, have avoided problems and gotten their scoop, by having a few users consent to being hacked as a demonstration -- if, of course, the hacking was just a packet sniffer.
  • by the-build-chicken ( 644253 ) on Friday July 16, 2004 @02:25AM (#9714332)
    It was later recorded by the university database that not only did they promptly pay the find, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.

    Couldn't figure out why they were snickering though?
  • by hsenag ( 56002 ) on Friday July 16, 2004 @03:29AM (#9714460) Homepage
    I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.

    The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).

    What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.

    This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.

    They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches :-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.
  • by Neil ( 7455 ) on Friday July 16, 2004 @05:07AM (#9714702) Homepage

    [I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].

    One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".

    As I understand it, the college that the students attend uses still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.

    The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.

    The failing on the part of the University not so much in the area of technology and IT security, is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...

    The University is on the whole, very security concious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).

    One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over seperate fibre optics and are kept strictly segregated from the general purpose data network.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...