
Oxford Students Hack University Network

CowboyNeal posted more than 10 years ago | from the unintentional-online-services dept.

Security 662

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."


Yeah... and? (4, Funny)

Anonymous Coward | more than 10 years ago | (#9713793)

What appropriately aged Slashdotter hasn't hacked into their university or college's network?

Re:Yeah... and? (0)

Anonymous Coward | more than 10 years ago | (#9713798)

I got a two day suspension for it! (highschool)

Re:Yeah... and? (5, Funny)

Anonymous Coward | more than 10 years ago | (#9713886)

I got a two day suspension for it! (highschool)

All I got was this stupid t-shirt.

Re:Yeah... and? (0)

Anonymous Coward | more than 10 years ago | (#9713983)

Both in grade school and high school, I got the heat for someone else's sloppy abuse of the computers, because they assumed it was the computer genius who did it. Go figure.
Shit, in high school they even tried pinning movie downloads on me... As if I'd ever try and fetch a several hundred mb file onto their computers when I didn't own a laptop to copy it onto... farkheads.

Re:Yeah... and? (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9713895)

Really, I did some ARP sniffing in a University of Michigan dorm. I made a slight boo-boo when forwarding the packets to the gateway, so the Cisco router somewhat exploded and began to actually physically kill the ports in the rooms, IE, no green light when you plugged your comp into it. I thought it was funny that I somewhat destroyed the network completely on accident, absolutely no security, an ARP proxy would have solved the issue.
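Added example, not part of the original thread or any poster's code: a defender-side check for the kind of ARP-based interception the comment above describes, run over a constructed list of observed ARP replies. The input line format, the gateway address and all function names are assumptions made for this illustration.

```python
"""Defensive check: flag signs of ARP-cache poisoning in observed ARP replies."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input: "time sender-IP is-at sender-MAC", one ARP reply
# per line. All addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE_REPLIES = """\
10:00:01 192.0.2.1 is-at 00:11:22:33:44:01
10:00:02 192.0.2.23 is-at 00:11:22:33:44:17
10:00:03 192.0.2.40 is-at 00:11:22:33:44:28
10:05:10 192.0.2.1 is-at 00:11:22:33:44:28
10:05:11 192.0.2.23 is-at 00:11:22:33:44:28
10:05:40 192.0.2.1 is-at 00:11:22:33:44:01
10:05:41 192.0.2.1 is-at 00:11:22:33:44:28
garbage line that should be skipped
"""

GATEWAY_IP = "192.0.2.1"  # assumption: the segment's default gateway

LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+is-at\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_replies(text):
    """Return [(time, ip, mac)] for well-formed lines; skip everything else."""
    replies = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, ip, mac = match.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # matched the layout but is not a valid IPv4 address
        replies.append((ts, ip, mac.lower()))
    return replies


def find_rebinds(replies, gateway_ip):
    """Report every reply that moves an IP to a different MAC than last seen."""
    last_mac = {}
    findings = []
    for ts, ip, mac in replies:
        previous = last_mac.get(ip)
        if previous is not None and previous != mac:
            findings.append({
                "time": ts, "ip": ip, "old_mac": previous, "new_mac": mac,
                # A moved gateway binding exposes every host's off-segment traffic.
                "severity": "high" if ip == gateway_ip else "medium",
            })
        last_mac[ip] = mac
    return findings


def find_multi_ip_macs(replies, allowed=frozenset()):
    """Map each MAC that answered for two or more IPs to those IPs.

    `allowed` holds MACs expected to do this (routers, proxy-ARP devices).
    """
    claimed = defaultdict(set)
    for _ts, ip, mac in replies:
        claimed[mac].add(ip)
    return {
        mac: sorted(ips, key=ipaddress.IPv4Address)
        for mac, ips in claimed.items()
        if len(ips) >= 2 and mac not in allowed
    }


def find_flapping_ips(rebinds, threshold=2):
    """IPs rebound `threshold` or more times: two stations are fighting over them."""
    counts = Counter(f["ip"] for f in rebinds)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    observed = parse_replies(SAMPLE_REPLIES)
    rebinds = find_rebinds(observed, GATEWAY_IP)
    for f in rebinds:
        print(f"{f['time']} [{f['severity']}] {f['ip']} moved "
              f"{f['old_mac']} -> {f['new_mac']}")
    for mac, ips in find_multi_ip_macs(observed).items():
        print(f"{mac} answers for {', '.join(ips)}")
    print("flapping:", find_flapping_ips(rebinds))
```

Detection of this kind only reports the problem; it is prevented on the switch (for example DHCP snooping with dynamic ARP inspection) and made less damaging by encrypting the protocols that carry credentials.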

Re:Yeah... and? (1)

roror (767312) | more than 10 years ago | (#9713913)

i found out the sysads' personal a/c password .. skg skg123 :P i had a friend who modified lynx source code and put it in /usr/local/bin and when the sysad ran it, my friend got a suid executable file in a 'hidden place' :D

Re:Yeah... and? (5, Insightful)

gilrain (638808) | more than 10 years ago | (#9713959)

Of course, in this case they were researching for an article for the university paper. Honestly, as long as no damage was caused, I'm not sure why they are being punished as opposed to given awards for excellent investigative journalism.

Re:Yeah... and? (5, Insightful)

TeraCo (410407) | more than 10 years ago | (#9713971)

Well.. this might seem obvious.. but it's because it's still illegal to break into other people's networks.

Good investigative journalism would be working out whether it is possible WITHOUT breaking in, then writing a story about that.

these people will be in charge someday (2, Funny)

unbiasedbystander (660703) | more than 10 years ago | (#9713795)

These are the future leaders of the world. Don't forget it.

Actually ... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9713859)

not.

They will be selling their pale white caucasian asses to the next gay nigger for not much EUR EUR EUR.

I seriously hope the stupid fuckheads will be expelled.

Re:these people will be in charge someday (0, Troll)

Hatta (162192) | more than 10 years ago | (#9713864)

No, these people will be charged someday. And soon.

Are there any adults in the house? (5, Insightful)

erick99 (743982) | more than 10 years ago | (#9713797)

If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration. They could have taken the information to the school and if the school ignored it they could have then published an article. They did call the school for comment but it was clear they were going to publish so that didn't afford the school a chance to remedy the problem. I think they were more interested in an article that would generate a lot of excitement and make them look good. I don't buy their arguments about doing all of this in the best interests of the school. I believe they had their own best interests at heart. I can't say I think much more of the administration in their handling of the matter either. There is a lot of ass-covering going on here and I don't see anybody handling this like adults except for the police who acted quickly and appropriately. Jeeze, what a mess.

Cheers!

Erick

Re:Are there any adults in the house? (4, Insightful)

gooman (709147) | more than 10 years ago | (#9713816)

I completely agree.
But the administration should get past the embarrassment and call off the cops.
In the BIG picture, they have been done a favor.

Re:Are there any adults in the house? (5, Insightful)

erick99 (743982) | more than 10 years ago | (#9713831)

The police referred it back to school as a matter that should be handled "internally." I do agree with you though, they did not need to involve the police. While I think the students were very misguided and out to make a name for themselves, they did not need to involve the police. The students were not malicious, simply self-serving.

Cheers!

Erick

Re:Are there any adults in the house? (5, Funny)

pbox (146337) | more than 10 years ago | (#9713903)

Well, it's still better than here in the US. This would most definitely end up being a clear-cut terrorism case. These two guys would already be working on their tan in Gitmo. In about 3-5 years after a lengthy legal process involving the US Superior Court, they will be allowed to proceed with their legal defense, which of course will be completely torpedoed by the fact that the prosecution will introduce any and all evidence as "top secret", so the defense team will not be able to counter any of them. They will serve 30 years, in solitary confinement.

Re:Are there any adults in the house? (0)

Anonymous Coward | more than 10 years ago | (#9713987)

Yeah, cause that just happens all the time! </sarcasm>

Re:Are there any adults in the house? (0)

Anonymous Coward | more than 10 years ago | (#9713826)

they should have just posted an anonymous note to someone in the right place to friendily notify them of the security mess, and only gone public if they didn't do anything about it.

Re:Are there any adults in the house? (1)

EdZep (114198) | more than 10 years ago | (#9713982)

That's not how idealistic (student) journalists work. Those guys got a sensational story, and they knew the risks when they published it. I'm sure they would cite "journalistic integrity" and the public's "right to know." And, yes, they've got something that will stand out in their clip files and resumes.

Re:Are there any adults in the house? (3, Insightful)

Anonymous Coward | more than 10 years ago | (#9713846)

Right, security by obscurity. What a great idea.

How many times do we have to go over this? The way to make things secure is NOT by hiding information, but by publicizing it as quickly as possible so that everyone can know that there is a problem and get on fixing it. These students are heroes, not criminals. They did the university a service and should be rewarded for what they did. Instead of hiring security consultants to figure out what's wrong with the network, these students did it for free. It's an indication of how the priorities of these places are reversed that the students are now in trouble. Embarrassing the administration is exactly the right thing to do. Don't want to be embarrassed? Then use open source software and publicize any security holes so they can be fixed.

"Adults" -- indeed. The only adults here are the students.

Re:Are there any adults in the house? (2, Insightful)

erick99 (743982) | more than 10 years ago | (#9713877)

I will continue to teach my children how to be socially responsible as well as how to give people a chance to remedy a problem before publicly humiliating them. That's what adults do. I also understand that you have a different point of view and while I don't agree with it, I certainly can allow room for it.

Erick

Mod Parent Down (0)

Anonymous Coward | more than 10 years ago | (#9713882)

> I don't buy their arguments about doing all of this in the best interests of the school.

Someone who has obviously never gone up against a belligerent administration before. This was the only way to get the money required to make changes to the security. Without proof there is but conjecture and speculation.

Re:Mod Parent Down (4, Funny)

erick99 (743982) | more than 10 years ago | (#9713912)

My gosh - the folks here who rabidly espouse the need for public outing of information all post anonymously.

Erick

Re:Are there any adults in the house? (3, Insightful)

Goonie (8651) | more than 10 years ago | (#9713922)

These people were investigative journalists (or playing at being investigative journalists, at least). Journalists don't sit on stories and wait for the powers that be to fix them on the quiet. It's not their job. Their job is to find stuff of concern out and publish it as widely as possible. And, generally, it is in everybody's interest to have maladministration reported widely. It tends to act as a strong disincentive to anybody else that might be tempted.

Re:Are there any adults in the house? (5, Insightful)

DrMrLordX (559371) | more than 10 years ago | (#9713942)

I can't say that I agree completely. This reminds me all too much of a small "controversy" that went on in my high school alma mater here in the States. Several members of the school's newspaper staff uncovered information regarding the existence of a peculiar group within the school known as the "Cotton Club" (as I recall) whose purpose was unclear, but which contained members from both the student body, alumni, and supposedly trustees who were all male, white, and rather racist. The only known function of the group that I can recall was that there was a great deal of consumption of alcohol involved. They probably did some other dull things.

Anyway, the school newspaper staff (full of multicultural liberals) found the existence of this Cotton Club to be horrendous and wished to investigate the matter. Shortly after this became known to the school's administration, the faculty member at the head of the newspaper staff was pressured into forcing his staff to avoid writing any stories about the Cotton Club.

In other words, there was a secret club in the school that contributed to the delinquency of minors (as well as the violation of the school's Honor Code), adults were sponsoring this, and the administration didn't want anyone to find out about it or bring an end to the secret club (which is what they should have done).

The University Proctors seem to be behaving in the same fashion while also being less successful in covering up their mess. There was, and likely still is, a security flaw within the Oxford network. Someone tipped off the school newspaper (why they went to the paper is anyone's guess), indicating that at least one person, if not a small number of people, outside the newspaper staff knew about the problem. Foster and White investigated, reported their findings to the University, and were slapped in the face and told that they may have committed a crime. Mind you that, reportedly, this happened BEFORE the article was published.

What this tells me is that the university knew about the problem and did not want to fix it. A number of reasons for this could exist, such as:

1). It'd cost too much to secure the network. Quote from the article, "A university spokesperson quoted in the story admitted that, in some cases, a cheaper computer set-up was chosen to provide wider access".

2). Someone, or several someones, within the university staff may have been exploiting the security flaw towards their own ends. I don't know that I buy that, however. You'd think they'd have similar access just through their IT department or whatever it is they have there.

Whatever the reasons may be, Foster and White obviously felt that it was their duty to let the student body know about the security loophole so that the university would be pressured into fixing the problem. They may have done quite a bit of good.

Or maybe not. Hard to tell with the details in the linked articles.

"How I Rooted Oxford University" (5, Funny)

aardvarko (185108) | more than 10 years ago | (#9713799)

... a.k.a. A Beginner's Guide to tcpdump and ettercap

500 pound fine? (5, Funny)

Anonymous Coward | more than 10 years ago | (#9713800)

Now that is a heavy fine.

Re:500 pound fine? (0, Offtopic)

unbiasedbystander (660703) | more than 10 years ago | (#9713805)

i hope somebody catches the humor in that.

Re:500 pound fine? (0)

Anonymous Coward | more than 10 years ago | (#9713819)

I did. I giggled. Apparently the person that modded you down didn't get it.

Re:500 pound fine? (0)

Anonymous Coward | more than 10 years ago | (#9713867)

Apparently the person that modded you down didn't get it

*gobble gobble* Wuh? I dunno. Prehasp its cuz im Americain that i dun get it.

Re:500 pound fine? (0)

Anonymous Coward | more than 10 years ago | (#9713875)

Prehasp its cuz im Americain that i dun get it.

That's the reason why you should get it, dipshit.

Re:500 pound fine? (0)

Anonymous Coward | more than 10 years ago | (#9713916)

oh the irony!

Re:500 pound fine? (4, Funny)

nacturation (646836) | more than 10 years ago | (#9713881)

Now that is a heavy fine.

In Oxford, they call it the "Sisyphus Punishment".

Re:500 pound fine? (5, Funny)

Brandybuck (704397) | more than 10 years ago | (#9713905)

In Oxford, they call it the "Sisyphus Punishment".

For those of you that want to Cambridge this is a reference to rolling a heavy stone uphill over and over.

Re:500 pound fine? (5, Funny)

Anonymous Coward | more than 10 years ago | (#9713937)

Those of us who attended Cambridge can actually spell "went".

Re:500 pound fine? (5, Funny)

martinX (672498) | more than 10 years ago | (#9713919)

Once the UK goes REALLY metric, it will be a 226.7962 kg fine.

Re:500 pound fine? (1)

LostCluster (625375) | more than 10 years ago | (#9713936)

No joke... a $900ish fine is painful for most college students.

Oxford Loses Out (5, Insightful)

mfh (56) | more than 10 years ago | (#9713803)

The school is feeling embarrassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?

These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.

Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?

Re:Oxford Loses Out (4, Interesting)

sirsnork (530512) | more than 10 years ago | (#9713820)

The multiple-PHD Admin certainly knows it, and has likely been voicing his concerns for some time. Unfortunately the way the world works is that if it ain't broke, don't fix it. I imagine said admin(s) will now get the money they require to resolve the problem properly, otherwise Oxford risk more students doing this in 12 months time and looking even more silly

Said Admin will only get the money if... (1)

AltGrendel (175092) | more than 10 years ago | (#9713927)

...he has his concerns and proposed solutions in writing.

Otherwise, he gets the blame. Believe me, I've been there. Unless you can document that you had a solution in mind, they'll "hang you from the highest yard-arm".

It was a close call my friend, mighty close.

Re:Oxford Loses Out (2, Insightful)

jhunsake (81920) | more than 10 years ago | (#9713848)

The only problem with allowing this behavior is that you open yourself to more cracking attempts, including more fierce ones. The crackers know that they could just say they were writing a newspaper article if they were caught.

Re:Oxford Loses Out (1, Flamebait)

Not The Real Me (538784) | more than 10 years ago | (#9713897)

On the other hand, playing Devil's Advocate here...is it okay for students to try to break into people's houses, peruse through the private information of the homeowners and then publish their results?

Breaking into a dwelling, even if you don't steal anything, is covered by "Breaking and Entering" laws. The notion of data and network security is the same.

Re:Oxford Loses Out (1)

Synonymous Yellowbel (720524) | more than 10 years ago | (#9713961)

This is slightly different though, as the students were investigating flaws in a system they rely on for their own protection (as it holds their personal information and can control their physical security such as CCTVs). There isn't really any other way for them to find, much less prove the existence of, flaws in a computer system you don't have legitimate access to than to actually crack it.

Re:Oxford Loses Out (5, Insightful)

cmallinson (538852) | more than 10 years ago | (#9713849)

They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

I am not familiar with this right. One has the right to commit a crime, as long as one writes an article about it later?

Intent (0)

Anonymous Coward | more than 10 years ago | (#9713869)

The intent of the students was to act as journalists in the interest of the student body. They have every right to force the school to increase spending on security. If anything, Oxford could find themselves sued by the student body over this.

It was a risky move, but there was no other way to force the school to change their policies.

Re:Intent (0)

Anonymous Coward | more than 10 years ago | (#9713902)

It doesn't matter. If, as a journalist, I break into someone's house with no intent to steal stuff, just with the intent to write a story about how messy their place is later, IT'S STILL FUCKING ILLEGAL. god.

Re:Intent (0)

Anonymous Coward | more than 10 years ago | (#9713945)

If you can plead that it was in the public interest, and you didn't stand to gain by it (in other words, that motive is pretty clear), the judge may well let you off, though.

Re:Oxford Loses Out (4, Interesting)

Smitty825 (114634) | more than 10 years ago | (#9713984)

Maybe my memory is foggy, plus, I realize that the incident occurred at Oxford University, which is in the UK, not the US, but.... (Is that enough of a disclaimer?)

I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google :-)

Bullshit. (5, Interesting)

Crasoum (618885) | more than 10 years ago | (#9713871)

White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.

E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.

The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.

Re:Oxford Loses Out (2, Insightful)

Klebz (787966) | more than 10 years ago | (#9713890)

In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.'

Right, so when my billing information and network passwords are being stored, it's ok to cheap out. Come on, it's ok to use cheaper network equipment, but how many times do we need to stress the security of private information, often of which is vital. Now the students whose information would have been on that system was also violated and exposed. Why not just take the money to prosecute them and, I don't know, secure a few servers.

Re:Oxford Loses Out (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9713917)

They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into.

They have no legal right to do so. If they really wanted to do this, what they should have done is broken into each other's accounts, with the other person's permission. That would bypass the "unauthorized access" issue as far as school policy goes, and possibly kept them out of a lot of trouble with the law too. It's still a grey enough area that they would take a lot of crap over it, but ultimately they would probably win out because it's a gray area.

Face it. These kids were beginning script kiddies who were just out to prove how much smarter they were than the IT staff at their University. Mostly what they managed to do was to piss off the higher ups who actually wield the power at the University. What a brilliant plan... Dumbasses.

True but... (1)

MMaestro (585010) | more than 10 years ago | (#9713941)

the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.

True the students were producing a news article about the computer security at Oxford, but is hacking the same system a good idea to do? If we were to allow that to go unpunished, what would happen next? Would we let people who bring bombs onboard airplanes go 'because they wanted to show how lackluster airport security was'? Would we let people who speed down highways at dangerously high speeds on purpose 'because they wanted to show how lackluster funding to police made them unequipped for ultra fast muscle cars'?

This goes beyond public appearance of the college. What do you think Slashdot would do if you were to post a comment here explaining how it is possible to hack and take down the Slashdot server without asking for their permission to publish it, let alone attempt to confirm it? You'd have your user account banned to say the least. You wanna publish an exploit to the newest version of Windows Internet Explorer without telling Microsoft? Go ahead, but you mighta just caused the newest virus outbreak. You wanna publish how you managed to hack into the CIA database? Go ahead, but Russian KGB hackers just used that exploit to gain access to their systems. Etc, etc, etc.

They shouldnt be punished.. (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9713806)

the university should be thankful it was brought to their attention by their own students who weren't intending any malicious harm..

Re:They shouldnt be punished.. (5, Interesting)

MrRTFM (740877) | more than 10 years ago | (#9713851)

Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.

This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.

It's Uni - not a top secret government agency.

Re:They shouldnt be punished.. (0)

Anonymous Coward | more than 10 years ago | (#9713923)

probably just trying to divert people's attention from what would be a highly embarrassing situation for them.

*Yawn* (3, Insightful)

OverlordQ (264228) | more than 10 years ago | (#9713807)

Move on. How many stories have there been on slashdot of this exact same thing happening?

A works for/goes to/etc B.
A finds exploit in B's Systems
A exploits systems.
A finally gets around to telling B.
A gets in trouble for violating laws and/or rules of B.

Re:*Yawn* (5, Funny)

atlantis191 (750037) | more than 10 years ago | (#9713883)

Forgot one:

SCO sues B

Re:*Yawn* (1)

geekanarchy (769840) | more than 10 years ago | (#9713898)

How many stories have there been on slashdot of this exact same thing happening?

Not near enough to compete with the Mozilla updates.

Re:*Yawn* (0)

Anonymous Coward | more than 10 years ago | (#9713960)

...

Profit!

Re:*Yawn* (0)

Anonymous Coward | more than 10 years ago | (#9713973)

You're stupid. There was no exploit. It was just that everybody in the dorm was on the same network segment, so they could sniff their packets. The university and probably any CS major there with half a brain knew about it. The problem was that people were using insecure protocols over this unsegmented network.

The worst part... (4, Insightful)

oiper (575250) | more than 10 years ago | (#9713808)

.. has to be having the police handle a situation that they don't understand.

On the contrary (3, Insightful)

cloudkj (685320) | more than 10 years ago | (#9713810)

I think the university officials need to thank the students for their work in exploiting the security vulnerabilities. It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same. But of course, the university must save face, and pressured by public relations forces, they must chastise the students for their actions, which ultimately probably saved the university from bigger headaches in the long run.

Re:On the contrary (2, Insightful)

Donoho (788900) | more than 10 years ago | (#9713900)

I think the university officials need to thank the students for their work in exploiting the security vulnerabilities.

MAYBE, if their exploit didn't involve publishing the vulnerability to the general populace. Worst case scenario, it gets picked up by the BBC and/or /.

It is 100 times better for two students without malicious cause to break into the internal networks than for malicious individuals to do the same.

They've publicly invited every literate/malicious individual to do so. Getting a killer scoop at the expense of the school's security comes close enough to malicious in my book. In the real world, few (statistic pulled out of my ass based on number of companies/organizations who plug in/install and go, not size or profitability) have "adequately" secure systems, be it the refusal or inability to spend the time or money to do so, let alone keep up. Anonymity IS part of a system's security. By publishing this article they've opened up the school's network to attention it wouldn't have received otherwise. Maybe the Admins will be able to make necessary adjustments before backdoors are added. Maybe they didn't even have the staff to secure it properly. Point is, the consequence of their actions is that students are more vulnerable than they were before the story was published. Intentions be damned, they f^@%ed up.

couldn't the newspaper be anonymous (3, Interesting)

samot84aol.com (554299) | more than 10 years ago | (#9713823)

Why did they use names in the paper--they could have used an anonymous source.

kebabs and bon jovi (5, Funny)

lovecult (682522) | more than 10 years ago | (#9713833)

...spurred on by Bon Jovi's Livin' on Prayer, they did more research

They should be damn well "rusticated" for their taste in music alone!

Aargh, again with the confusion. (4, Interesting)

randyest (589159) | more than 10 years ago | (#9713835)

An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do :)

The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.


How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right? ;)

It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."


Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.

Re:Aargh, again with the confusion. (2, Insightful)

robolemon (575275) | more than 10 years ago | (#9713909)

It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."

It seems to me that unless his password changes every minute or so this tactic will prove useless!

I wonder if it's something as simple as unencrypted passwords going a wireless network or some nonsense like that.

Re:Aargh, again with the confusion. (0)

Anonymous Coward | more than 10 years ago | (#9713938)

It's something as simple as plaintext passwords going over a wired network. You're stupid.

STUPID NEWS (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9713836)

Who the hell let this post come in? I mean seriously. What's so special about that hack? It's a fuckin piece of cake to hack into any univ. network and the fuckin clueless admins are to blame; no-one else really. This *news* dare I call it as such is basically the same thing as "the US doesn't like Iraq".

embarrassing... (2, Insightful)

super_ogg (620337) | more than 10 years ago | (#9713837)

They will be punished and fined for embarrassing the school, not because they broke the law.

ogg

Get permission! (5, Informative)

Sowelu (713889) | more than 10 years ago | (#9713839)

This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.

Re:Get permission! (2, Insightful)

Hatta (162192) | more than 10 years ago | (#9713874)

And when that permission is denied because they know their security is worthless?

Re:Get permission! (1)

Lehk228 (705449) | more than 10 years ago | (#9713964)

do it anyways, just not from a machine that will be traced back to you.

Re:Get permission! (2, Interesting)

Artega VH (739847) | more than 10 years ago | (#9713915)

what university did you go to? my uni newspaper is hated by the administration.... so much so that there are now two.. the student one and the one put out by the administration :p

what they could have done... (5, Informative)

tisme (414989) | more than 10 years ago | (#9713840)

They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.

Nah (0)

Anonymous Coward | more than 10 years ago | (#9713866)

> They could have asked for permission to attempt and hack into the network

They wouldn't give the journalists permission to do that, because it would involve spending money on improving security, plus most higher ups are computer peasants. Hacking the network was half an act of civil disobedience and the other half of journalism. Either way, Oxford has some dumbass administrators on high, if they follow through on the charges.

Beware (1)

iMaple (769378) | more than 10 years ago | (#9713844)

So next time you are in the UK and you see someone forgetting to lock his door or forgetting his bag, beware before you go and tell him... You could be a possible housebreaker or a purse snatcher. Come on guys, this is a couple of college students finding a flaw in their university's system which may compromise their privacy and bang... they get punished!!! OK, OK, they went for some publicity, but shouldn't Oxford just say thanks and bash/change/think about their network administration?

Re:Beware (1)

tmbg37 (694325) | more than 10 years ago | (#9713957)

Well, your analogy's flawed a bit. It'd be more like finding someone's door unlocked, then walking in, looking through their things, then informing a newspaper about that person's poor security.

See what... (1)

geekanarchy (769840) | more than 10 years ago | (#9713847)

See what investigative journalism gets you? You'd be better to leave it all alone and let the system be full of holes. I mean, we don't want responsible people to break in and tell us what our problem is. We'd rather someone malicious got in nice and quiet like, and we would never know the difference.

Bloody reporters. Free speech be damned, this time they have gone too far.

Rule of Law (5, Insightful)

konekoniku (793686) | more than 10 years ago | (#9713873)

Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.

academic freedom (4, Interesting)

havaloc (50551) | more than 10 years ago | (#9713853)

While this is an extreme hack and whatnot, you'd be surprised about how much resistance there is to security in a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.

Re:academic freedom (1)

Simple-Simmian (710342) | more than 10 years ago | (#9713892)

WTH? How is securing a computer against cracking a threat to "academic freedom?" I don't get that one.

..Well (5, Interesting)

SinaSa (709393) | more than 10 years ago | (#9713868)

Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.

Well, maybe there is something worth protecting (4, Insightful)

TubeSteak (669689) | more than 10 years ago | (#9713979)

Like social security numbers, health information, whether the student is seeing the school shrink, grades (any teacher's temp internet files), scholarship information...

What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.

As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss students' e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some colleges and unis send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?

Maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.

Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"

Good thing for then they're in England (1, Flamebait)

craXORjack (726120) | more than 10 years ago | (#9713870)

If they were Americans they could be in Camp Xray already playing naked pile up with a hood over their head. Our 'Patriot' act would see to that. Did anyone else see that the Bush administration admitted the other day that the Patriot Act is being used for routine police investigations such as porn and kidnapping?

Re:Good thing for then they're in England (2, Insightful)

shanen (462549) | more than 10 years ago | (#9713908)

If they were Americans they could be in Camp Xray already playing naked pile up with a hood over their head. Our 'Patriot' act would see to that. Did anyone else see that the Bush administration admitted the other day that the Patriot Act is being used for routine police investigations such as porn and kidnapping?
No, but I'm curious about the URL. On the actual topic of this thread, I think severe penalties are not appropriate, even though the school was embarrassed. However, it's more of a problem in that a university should be an open, trusting community, without a need for the kind of draconian security measures that would stop all hacking or exploration. This was not black hat phishing, but more of a learning experience, and learning is supposed to be the whole point of a university.

Re:Good thing for then they're in England (1, Informative)

Anonymous Coward | more than 10 years ago | (#9713928)

They deserved it (2, Insightful)

0x0d0a (568518) | more than 10 years ago | (#9713880)

Really, they broke the law for a sensational story for which they could have written a less interesting story without the privacy violations. I don't consider them to have a "journalistic duty to society" justification.

I can understand journalism where people trespassed on the Manhattan Project grounds. There's really no other way to demonstrate that you can get into nuclear research facilities other than to do so.

On the other hand, they could have easily said "we have found the following vulnerability, which probably allows us full access to X, Y, and Z". They would have done their security work (and if they got hammered by the network admins for probing the network, I'd agree ... the admins should get chewed out), would have gotten their story, and so forth. Oh, and this assumes that they notified the admins far enough in advance of their publish date that the problem could be *fixed* before all the students at the university were told about it -- unlike the Manhattan Project, where a couple more guards can just be rolled out or reassigned from another location temporarily, it may take a bit to test software changes before a rollout is appropriate.

Besides, if all it takes is the willingness to write an article later to avoid getting in trouble, people can be poking around some awfully dicey places.

root/root (5, Interesting)

codeonezero (540302) | more than 10 years ago | (#9713884)

Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

I was just curious at the time :-)

A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do :-)

Gratuitous Karma Whoring ~or~ The Complete Article (2, Informative)

Anonymous Coward | more than 10 years ago | (#9713885)

University IT network wide open to hackers

Email passwords and MSN Messenger Conversations easily accessible.
CCTV networks can be compromised.
University says colleges' drive to cut costs could compromise security.

Computer networks across the University lie wide open to hackers, due to serious failings in IT security provision.

An investigation by The Oxford Student has learnt that CCTV cameras, email passwords and MSN Messenger conversations can be compromised with ease by members of the University with only a modicum of technical knowledge, jeopardising the privacy and safety of students and dons alike.

It is understood that by using software that is freely and easily accessible over the internet, every student has the power to snoop on the MSN Messenger conversations of others or infiltrate their Webmail account. More advanced users can even tap into college CCTV networks, with the possibility of disrupting the entire system, forcing colleges into total security blackouts.

A University spokesperson told The OxStu: "In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security." Just how low the security across the University has now become clear.

Access to the video-streaming of CCTV footage of College A was easily available, pictured right, and cameras across the College could be taken down at the touch of a button. One student who appeared in security footage accessed said: "As well as understanding the security implications, it was personally shocking and especially worrying."

As such networks are put in place to safeguard the security of College members, the fact that they can be easily bypassed should send a serious message to staff responsible for their upkeep.

An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.

It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."

Likewise at College C a first year student's Webmail password was obtained. The student told The OxStu: "I'm outraged. I've personal as well as employment and academic related information in my account, which is private." College B's IT Officer said: "There is a rolling programme to upgrade [the network]...If students are abusing it, it is a concern."

Similarly, conversations held over instant messaging programmes can be easily intercepted. A Human Sciences student said it was "insane and quite disturbing...not something you want others to see." Her conversation was eavesdropped upon as she told another member of the same College about her essay crisis. One student at College D, who declined to be named, told The OxStu the problem was "shady", as we recounted her conversation to her. College D refused to comment, on the basis that it felt the law had been broken in relation to these activities.

A University spokesperson said: "Security measures are constantly reviewed in order to minimize the security risks. Of course, anyone found to have breached security with ill intent would be subject to punishment."

At the time of going to press, The OxStu was in the process of handing over all the data given to the investigation to both the police and the University.

Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 1990, which creates an absolute offence of "causing a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case."

So What? (2, Insightful)

xcomm (638448) | more than 10 years ago | (#9713889)

>>were able to easily hack into the university's internal network

So what? It is always as easy especially if you are some kind of insider. But normally you do not hack your university for good reasons:
a) It is yours.
b) You will get a lot of trouble / lose accounts.

Yes, do call the Coppers, but.. (2, Funny)

saskboy (600063) | more than 10 years ago | (#9713906)

But the police should be called, and when they see how lax the university was at keeping sensitive information private, they should file charges against Oxford too.

Then they can put Oxford Hack in the dictionary:
Someone who tattles, and gets in trouble too because of their guilt in the incident.

I'm a little surprised (5, Informative)

siliconbunny (632740) | more than 10 years ago | (#9713907)

I studied at Oxford some years ago, and found the computing service (OUCS) to be one of the better and more competent computing services when it came to running and maintaining the networks.

Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).

Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.

If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.

I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)

Mehhh (1)

Ignorant Aardvark (632408) | more than 10 years ago | (#9713911)

Just script kiddies. They managed to hack in ... but they didn't manage to escape detection. Does it really matter if you can't get out cleanly? Now they're going to be facing heavy penalties. They should have planned it out better before they undertook their hack.

Re:Mehhh (1)

Ziviyr (95582) | more than 10 years ago | (#9713921)

They were doing a campus article.

Crap, didn't know anyone read that stuff... :-)

Re:Mehhh (0)

Anonymous Coward | more than 10 years ago | (#9713949)

They didn't hack into anything. All they did was sniff packets, and people were checking their mail insecurely.

They should've faced criminal charges (1)

davidwr (791652) | more than 10 years ago | (#9713924)

This isn't the early '80s folks.

Breaking into other people's computers without permission is a Very Bad Thing and an example must be made.

These students should've faced criminal charges.

Having said that, they had good intent, and deferred adjudication with a year or so's probation, a weekend in jail, and a fine they could work off with community service hours* would be appropriate. If they meet the terms of their probation, their criminal record can be expunged.

*appropriate community service includes helping audit security for the university's computers.

Yeah, they should have kept their mouths shut (5, Insightful)

warm sushi (168223) | more than 10 years ago | (#9713929)

Imagine never failing another subject.

Imagine being able to push your enemies down a grade.

Imagine making some extra cash selling exam information.

Imagine trashing the occasional file to irk a disliked professor.

Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.

Imagine how much easier life would be not doing the right thing.

Just imagine...

Whether they did it for self-aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But it's nice to know that there are self-serving show-offs who will do it for me. More power to them.

Re:Yeah, they should have kept their mouths shut (1)

Lehk228 (705449) | more than 10 years ago | (#9713981)

my university had the official listserv hacked and sending out viruses.... that was rather funny at the time (no it wasn't me, but I do know the guy that did it)

Oxford standards? (1)

LuxFX (220822) | more than 10 years ago | (#9713955)

Wait, these guys can get into Oxford and they don't know better than to write these types of articles anonymously?

I don't know if Oxford should be more worried about their network or their entrance standards....

of Sweaters and Sensibility (1)

tatewake (797403) | more than 10 years ago | (#9713977)

Nowadays I'm more of the opinion that companies and universities don't care whether or not you can unravel their sweaters by pulling at a single string. It was a cute trick 10 years ago, but it's just getting tiring now.

A lot of modern society is based on such concepts as "trusted networks" - not in the computer sense, but in the social sense. You're free to the services an entity provides, but please don't abuse them.

Personally I think it works better that way.