Can Email Be Saved?
Good Samaritan Hacker Gets Home Detention

Oxford May Suspend Students Who Pointed Out Network Flaws

(Mis)Uses of Technology

from the shoot-the-messenger dept

Fri, Jul 16th 2004 1:54amMike Masnick
Stories like these are way too common these days. Two Oxford University students, working for the school newspaper, figured out how easy it was to break into the school's network and access private student data. They wrote up a front page article on the vulnerabilities in the system, and were promptly handed over to the police. The police told the university to handle it internally, but Oxford is now looking at suspending the students and potentially fining them as well. Of course, there's no word whatsoever on whether the university actually patched the holes in their system. Why is it that so many people who point out security vulnerabilities are immediately accused of criminal acts? This only gives good people the incentive not to find and point out these vulnerabilities -- but you can be quite sure that those up to no good are already exploiting them.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

12 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    McGroarty, 16 Jul 2004 @ 5:58am

    ...

    Let me get this straight. They found vulnerabilities in their employer's computer, then instead of working to help get those patched, they published the vulnerabilities.

    The point of full disclosure is to get the word out to others whose systems may be vulnerable. Telling the world about local problems before anyone can fix them is downright destructive.

    link to this | view in thread ]

  2. identicon
    Inferno, 16 Jul 2004 @ 6:05am

    Is it really not clear to you?

    If you really can't understand the issue, Mike, here you go:

    Pointing out network or software vulnerabilities to internal administrators who can fix them is GOOD. Shouting them from the rooftops or putting them in print is BAD...it's the equivalent of a bank employee handing out keys to the vault to anyone who passes by on the street. And if you don't want to get handed over to the police, simply avoid breaking into your school's private files and accessing confidential information.

    As a network admin with some experience in this area, I'll share a little secret: Well-meaning people don't spend their spare time trying to find vulnerabilities in someone's network. If they do, they're getting paid for it by the network's owner. And for that rare Internet Robin Hood who is the exception, they still wouldn't publicize their findings without notifying the powers-that-be beforehand.

    Your moral compass is due for some recalibration, man...

    link to this | view in thread ]

  3. identicon
    Peter F Bradshaw, 16 Jul 2004 @ 6:46am

    Re: Is it really not clear to you?

    "....handing out keys....": Rubbish. As the article makes clear there is no need to hand out any keys at all. The university has left all the doors open.

    An insecure system is insecure period. Obscurity is not a valid security policy. In addition the students were working on the school paper. The lesson they are liable to learn from this incident is that investigative reporting does not pay. Not a lesson any school should be teaching.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 16 Jul 2004 @ 7:39am

    To the first two reponders:

    You might try reading the article. Though it is not clear as to the exact timeline, it says: "We informed the university about what we were up to and handed over all the data we accessed."

    link to this | view in thread ]

  5. identicon
    Michael Vilain, 16 Jul 2004 @ 8:13am

    It happened to a local school system here

    A reporter for a local paper sat on the bleachers and was able to access most of the fileserver from her laptop. The folders were made public to make it easier for everyone to have access and share files. Unfortunately, there was student information in that folder.

    The school shutdown the network, set the access to closed, and now all the parent volunteers can't access it, including the network admins.

    No police were called. It must be the type of culture in England to treat whistleblowers differently (they even made a movie about it where the whistleblowers are blown up in the end)

    link to this | view in thread ]

  6. identicon
    Peter F Bradshaw, 16 Jul 2004 @ 8:48am

    The "Oxford Student" article

    It might be instructive to read the actual article in question at:

    University IT network wide open to hackers

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 16 Jul 2004 @ 9:08am

    Morally wrong


    Publishing their way of getting into the network is wrong. Had they gone to the administration & reported it, I highly doubt they would be in the trouble that they are in.

    link to this | view in thread ]

  8. icon
    Mike (profile), 16 Jul 2004 @ 9:10am

    Re: Morally wrong

    Ok:

    1. They did tell the administration before publishing the story.

    2. They didn't publish *how* they did it, just that they had done it.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 16 Jul 2004 @ 9:13am

    No Subject Given

    Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 1990, which creates an absolute offence of "causing a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case."

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 16 Jul 2004 @ 6:57pm

    because....

    they have to commit criminal acts to prove their theory?

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 17 Jul 2004 @ 2:34am

    Re: because....

    "they have to commit criminal acts to prove their theory?": That's alleged "criminal acts" to you. Whether criminal acts have been committed or otherwise is decided by a jury in a trial. But there has been no trial. Why not. Because the police have taken the view that a conviction would not occur. Had they decided otherwise then the prosecutor would have made a similar decision. Had the prosecutor tried to run this case a jury would have thrown it out of court so hard that it is unlikely that it would hit the ground any time this century. That's the problem with your assertions.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 19 Jul 2004 @ 9:48am

    Big Brother loves you ...

    Regardless of what you all think, it was a thought crime pure and simple.
    Report to the ministry of information for reprogramming.
    Big brother loves you ...

    link to this | view in thread ]


Can Email Be Saved?
Good Samaritan Hacker Gets Home Detention
Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

Friday

19:39 Important Announcement: Techdirt Is Migrating To A New Platform (0)
More arrow

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.