Two Oxford students have been suspended after hacking into the university's IT systems in an attempt to expose security weaknesses for an article in the student newspaper.
Patrick Foster and Roger Waite used free software downloaded using Google to access a database of university students' email passwords and other personal details, spy on MSN Messenger conversations and look at some of the CCTV network.
The security holes were exposed in an article they wrote for the Oxford Student newspaper, but university authorities were less than impressed and called in Thames Valley police.
The university's own IT staff were also unimpressed by the students' investigation and contacted silicon.com claiming they didn't actually manage to hack into anything.
The police declined to get involved, saying it was an internal disciplinary matter for the university. At the Court of Summary Jurisdiction hearing last week, reports said, Foster and Waite pleaded guilty to charges against them but argued they had acted in the public interest to improve security at the university.
The pair escaped fines but Foster has been suspended until next May and Waite has been suspended until January. They have until 9 November to lodge an appeal.
Comments
There are 9 comments.
1. anonymous
Messengers "killed" for bringing bad news.
I feel this once again highlights the total lack of cleverness from the authorities above those students.
Students report some security flaws in the network, i.e. students show that the IT dept do their job properly. IT dept and Uni authorities don't like the news and get upset about it (personal pride hurt too much).
IT dept and Uni authorities suspend (because actually killing the messengers would be very controversial these days).
I can't help thinking that the Oxford IT dept and Uni authorities' personal pride got hurt and that's why the students were suspended, instead of dealing with the matter objectively.
Perhaps the IT dept would have preferred to be hacked without any warning and any means to defend themselves. After all, there was "inside information" given by the students so network security could be improved before a real break-in.
This shows one thing. These days it doesn't pay to come clean, and blowing the whistle seems to always backfire.
2. Paul Higgins
Hopefully the police or the Information Commissioner will take action against the University for a breach of the Data Protection Act.
3. Peter Danckwerts
It sounds as though Oxford University want it both ways. If the two students didn't hack into anything, as the IT staff claim, then what are they being punished for?
If other students' passwords can be accessed without 'hacking', what constitutes hacking?
4. IT Officer
Hi. I am the IT Officer quoted in the article linked to above, and I'd like to make some responses to the article above and the replies below.
Firstly, the database referred to above does not exist. Since very few directly sourced materials exist from this story, a lot of the reported 'facts' are taken from other articles; the Guardian was, I believe, the first to refer to this non-existent database.
Secondly, one aspect of the whole affair has failed to be taken into account. Oxford University is not a centrally run institution: there are 40 autonomous colleges, one of which I work for, and several departments. There are some central services (OUCS, the computing services, is an example; they provide student email addresses for our college, but not for all of them). The CCTV circuit, for instance, was maintained in only one small college, and was not university-wide. There is certainly no central facility with responsibility for university-wide IT provision or security.
Thirdly, Anon, This was not blowing the whistle. This was panic-mongering, and story creation. The Oxford IT services were not compromised, only the personal privacy of some student members. If the two had been writing an awareness-raising article to help students know how to secure their data, they may well have been handled differently. If they had come to the relevant IT staff and made us aware of what they were planning to do, they may even have had permission to do so granted. But that sort of story doesn't sell as many papers as the one they actually wrote.
Fourthly, Paul, to imply that we were in breach of the Data Protection Act would be libellous. We were not.
Fifthly, Peter, the students in question did not 'hack', but you're right in pointing out that this is semantics. What they certainly have done is to invade other people's privacy and waste our time, which, unfortunately, is in short supply. Aren't these alone enough that the university should discourage such behaviour?
Lastly, the views expressed above are my own, and are in no way condoned by the university, and given without their consent. This is in no way an official statement. Thank you.
5. Paul Higgins
To the "IT Officer", my comment was not in any way libellous and I resent the suggestion that it was. It was a comment on the information given in the article. Indeed this article and the previous one given in Silicon.com
I trust that no personal information was or can be accessed on any Oxford Uni systems. Can you assure us this is the case?
6. anonymous
While I understand the stance taken by the IT Officer, I am also left wondering how the two students have been subjected to discipline.
Ordinarily an organisation will have a policy about the use (and abuse) of its IT resources. We are not told whether such a policy exists. If it does not then the only proper basis for action would have to be through a police investigation as to whether the Computer Misuse Act has been breached. If such a policy does exist, then I would expect the college to have to establish that the policy was properly published and explained to the students before any disciplinary action could be taken.
In my experience few colleges and universities do have a properly drawn up, published and explained policy. In the absence of these then any action taken would appear to be contrary to the principles of natural justice.
The comments about wasting time, in the absence of proper policies and quantification, would equally apply to someone who repeatedly asked for directions within the college. But that would not normally be regarded as giving rise to a disciplinary action unless there is also a policy about how much staff time and resources each student is allowed to consume.
To me the college's stance appears quite mad in the absence of a proper and complete explanation. I would like to know which college it is - just to satisfy myself that it is not my own.
regards
Don
7. anonymous
Speaking as another Oxford IT officer, I can state that the University does have a definite policy regarding IT usage and what constitutes abuse. Colleges and Departments may have their own regulations on top of the central ones, but all students are given the terms and conditions, and must sign to indicate that they accept them.
As far as the issue in question is concerned, the students discovered no 'major new security vulnerability'. They hacked into nothing. To the best of my understanding, they just downloaded standard network diagnostic software freely available and proved that, on an unswitched network, you can see other network traffic. That is how networks work. Whether the networks should be switched or unswitched is a question, but my (limited) knowledge is that the students plugged machines into smaller sections of a couple of colleges, and into small outside houses used as accommodation - those at the bottom of the ladder as far as state of the art network equipment goes. In this college, the majority of the network connections are switched, and certainly in all administration and other areas where security of data is essential.
The University email systems use and encourage encrypted connections, and all setup instructions show how to set that up. For legacy reasons, unencrypted connections are also allowed, and some students do configure their own computers incorrectly, allowing that student's password to be sniffed. I believe they also stated that MSN conversations could be read. MSN Messenger is not a service provided by the University, or supported. If Microsoft make it possible to be sniffed, then someone should take it up with them.
The CCTV is a more serious matter and I don't know details of whether that was sniffed passwords, or default passwords that hadn't been reset. It does highlight an issue that sometimes decisions might get made by people who don't consider all of the implications. (It's a security camera, why do we need to ask IT about it?)
The punishment? To me it does seem a little heavy handed. But since the students seem to have done this purely to make a front page article on the Oxford Student newspaper, perhaps it's justified. Certainly if they'd discovered this and had a quiet word with their local IT people to get some facts straight before rushing to tell everyone that the whole network is insecure and their passwords are compromised, I can't imagine they'd have faced any disciplinary measures. But where's the story in that?
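The point raised above about clients configured for unencrypted mail connections exposing a password to sniffing, as an added example that is not part of the article or of any commenter's post: a small Python audit that reads constructed POP3/IMAP session transcripts (assumed format: a direction tag "C"/"S" plus the protocol line) and reports which clients authenticated before upgrading to TLS, without ever echoing the credentials themselves.

```python
"""Audit constructed POP3/IMAP session transcripts for credentials sent before TLS."""
import re

# Constructed sample sessions (not real captures). Each entry is a list of
# (direction, line) pairs: "C" = client to server, "S" = server to client.
SESSIONS = {
    "student-laptop-A": [            # POP3 client configured without STLS
        ("S", "+OK POP3 ready"),
        ("C", "USER alice"),
        ("C", "PASS hunter2"),
        ("S", "+OK"),
    ],
    "student-laptop-B": [            # POP3 client that upgrades to TLS first
        ("S", "+OK POP3 ready"),
        ("C", "STLS"),
        ("S", "+OK Begin TLS negotiation"),
        ("C", "<encrypted>"),
    ],
    "student-laptop-C": [            # IMAP client that logs in in the clear
        ("S", "* OK IMAP4rev1 ready"),
        ("C", "a1 LOGIN bob secret"),
        ("S", "a1 OK"),
    ],
    "student-laptop-D": [            # IMAP client that upgrades to TLS first
        ("S", "* OK IMAP4rev1 ready"),
        ("C", "a1 STARTTLS"),
        ("S", "a1 OK Begin TLS"),
        ("C", "<encrypted>"),
    ],
}

POP3_CRED = re.compile(r"^(USER|PASS)\s", re.I)                      # POP3 login
IMAP_CRED = re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE\s+PLAIN)\b", re.I)  # IMAP login
TLS_UPGRADE = re.compile(r"^(STLS|\S+\s+STARTTLS)\s*$", re.I)        # opportunistic TLS


def audit_session(lines):
    """Classify one session: 'tls' if the client upgraded before sending any
    credential, 'cleartext' if a credential command came first, else 'no-auth'."""
    for direction, line in lines:
        if direction != "C":
            continue
        if TLS_UPGRADE.match(line):
            return "tls"
        if POP3_CRED.match(line) or IMAP_CRED.match(line):
            return "cleartext"
    return "no-auth"


def misconfigured_clients(sessions):
    """Names of clients that need reconfiguring; credentials are never reported."""
    return sorted(name for name, lines in sessions.items()
                  if audit_session(lines) == "cleartext")
```

The output is a list of client names to contact, which is what an IT officer needs to fix the configuration on each machine.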
8. IT Officer
Paul, yes, I can assure you that no personal data held by either the college or the central university computer services was compromised.
Don "anon", such a policy does exist, both for abuse of computer systems and for the wasting of staff time in pursuits of such a matter. The documents are published and accessible, and in fact have to be read and agreed to when students join. The fact that most don't is, to a certain extent, out of our control. If, as you seem to suggest, you are a member of the University here and a lawyer, you should be familiar with the internal legal processes here, as well as our regulations, to more of an extent than I am.
Again, these are my personal opinions, not those of my employers or associated organisations.
9. anonymous
I'm very impressed with anonymous' valiant attempt to express his feelings about this case.
However, he has missed one small but, I feel, salient point: if the guys were attempting to improve the security by exposing security flaws, then surely they should have advised the IT Dept and the Faculty prior to printing the story and advertising to everyone that there were security issues.