Just Because A Site's Online Doesn't Mean It's Legal To Hack It
from the nice-try-but-no dept
In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty. Two years later, he was convicted and sentenced to five years' probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed the decision, but a court last month upheld the conviction, rejecting his defense that he didn't really access the system without authorization.

The system in question required only a Social Security number for access, so Phillips set up a program that generated numbers using the formula by which SSNs are created and entered them into the system one after another, up to 40,000 times per hour. When it found a valid one, the program entered the system and extracted the personal information from the account attached to it. Phillips argued, though, that since the site was publicly accessible from the internet, he -- and any other internet user -- was inherently authorized to access it. That's a bizarre argument -- essentially that it's okay to hack any site or system that's online, as long as some part of it is publicly accessible -- and an inherently problematic one. By that logic, it would be okay for Phillips to hack into a credit-card site and steal people's card numbers, a viewpoint few would share. It should also be noted, though, that the system he hacked had pretty weak security measures: all that was needed for access was a Social Security number, and no other information. It should be obvious that such a setup is a ridiculously juicy, and easy, target for a hacker.
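The weakness the post describes is a lookup endpoint that accepts a single guessable value as its only credential and lets one client submit tens of thousands of guesses an hour. Even where the credential design cannot be changed overnight, that guessing pattern is visible in the access log. The following is an added example, not code from the Techdirt post or from the university: a small detector that replays constructed access-log lines and flags any client whose lookup rate and failure ratio inside a sliding window look like enumeration rather than normal use. The log format, the `/records/lookup` path, the client addresses and the thresholds are all assumptions made for the example.

```python
"""Detect credential-enumeration behaviour in a web access log.

Added example; not code from the Techdirt post or from the university.
The log line shape, field names, paths and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example):
# 2003-03-01T10:00:00 198.51.100.7 POST /records/lookup status=404
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) status=(?P<status>\d{3})$"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
MAX_ATTEMPTS = 100               # attempts per window before alerting (assumption)
MIN_FAILURE_RATIO = 0.9          # guessers mostly miss; real users mostly hit


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_enumeration(lines, path="/records/lookup"):
    """Return {client: (attempts, failures)} for every client that, within some
    WINDOW, made at least MAX_ATTEMPTS lookups of which MIN_FAILURE_RATIO failed."""
    windows = defaultdict(deque)   # client -> deque of (timestamp, failed?)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != path:
            continue
        q = windows[ev["client"]]
        q.append((ev["ts"], ev["status"] != 200))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        attempts = len(q)
        failures = sum(1 for _, failed in q if failed)
        if attempts >= MAX_ATTEMPTS and failures / attempts >= MIN_FAILURE_RATIO:
            flagged[ev["client"]] = (attempts, failures)
    return flagged


def sample_log():
    """Constructed sample: one client sweeping sequential guesses at roughly
    eleven per second (the post's 40,000 per hour), plus an ordinary user."""
    start = datetime(2003, 3, 1, 10, 0, 0)
    lines = []
    # Sweeping client: 120 lookups in about eleven seconds, a single hit among them.
    for i in range(120):
        ts = start + timedelta(milliseconds=90 * i)
        status = 200 if i == 77 else 404
        lines.append(f"{ts.isoformat()} 198.51.100.7 POST /records/lookup status={status}")
    # Ordinary user: three lookups spread over a minute, two of them successful.
    for i, status in enumerate((200, 404, 200)):
        ts = start + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.5 POST /records/lookup status={status}")
    return lines


if __name__ == "__main__":
    for client, (attempts, failures) in detect_enumeration(sample_log()).items():
        print(f"ALERT {client}: {attempts} lookups, {failures} failed, within {WINDOW.seconds}s")
```

The failure-ratio condition matters as much as the rate: a busy but legitimate client succeeds on most lookups, while a program walking through candidate numbers is wrong almost every time. In a real deployment the alert would feed a lockout or throttle on the endpoint, but the lasting fix the post points at is not treating a widely known identifier as a password at all.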
Reader Comments
mens rea
There's been a rash of crimes in Japan in the past week where perverts have grabbed children and thrown them off of pedestrian bridges, which is rather easy to do; but the ease of doing so does not excuse the crime.
To call him a hacker, based on this, would be insulting to hackers.
I mean, it's basically an over-glorified macro.
hacking?
Indeed
Shame on them. I hope the publicity of this case has made them reconsider their security measures.
Re: Indeed
So what did the university get handed down?
However the university should be looking at some sort of charge for an almost criminal act of negligence in posting what I *assume* was sensitive data on a public website with no security (sorry but entering in one field to get the data is not security - it's a search engine)
$177,000 restitution to fix a simple brute force attack on an inadequate piece of software and find the originator? Wow, I'm working for the wrong company if the university rewards like that.
Re: So what did the university get handed down?
Set up an attractive honey pot.
Track everyone who enters without prior authorization, e.g., everyone.
Sue each/every one of them.
Use whatever restitution recovered to fund securing the real site, after paying attorneys. Pocket the rest.
Lather, rinse, repeat.
Involve the DHS to accelerate prosecution and claims, but realize the trade-offs beforehand.
So, instead of protecting your valuable personal identity, the Universities are more worried about stopping you from sharing your music or downloading videos.
Idiots.
Poor security on all kinds of levels.
Judges should pay clear attention to "intent", but sadly, due to the way the legal system is set up, they rarely do.
I did read that in order to protect yourself or your client's computers, you should have a text file in the root that reads: "Private computer network, unauthorized use prohibited". It is kinda like having a "No Trespassing" sign on your property. Everyone knows not to trespass, but the sign allows more legal prosecution of the idiots.
That is exactly why...
You can't really know what so-called hackers will try next, and you can't know what holes exist on your site.
Comment 11 is lame
devil's advocate
Doesn't make what he did acceptable, but I don't think it should be prosecuted the same as, say, Mitnick.
Re: devil's advocate
How is this stealing?
Shooting dogs and raping kids is also VERY easy.
perhaps a business opportunity
LOL!
two cents worth
Kind of Scary
On the first few pages you already get 5+ hits for different universities.
Since this attack, all of the University's online security has been/is being reworked.
But the university website still sucks just as much as it always has...
A better analogy for what he did would be to walk around a publicly accessible building, peering at the desks until he sees something interesting, and reading it. The idiot that set up the site should be held to blame, at least in part, just like financial institutions.
SSN formula... NOT!
When they were first introduced there was some kind of check-digit / validity algorithm used in SSNs, but we moved away from that years ago due to lack of numbers.
I've worked on bank software for years (ugh, actually a decade) and know this to be the case.
re: SSN formula... NOT!
As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.
As for Jack's story...while I don't have a link myself, my own recollection of the story is the person who "reported" the flaw in the URL hack wanted compensation for his efforts. Extortion is the illegality there.
And as for legally walking about "looking for something", that would imply "intent"; AFAIK industrial espionage is illegal, yes?
Re: re: SSN formula... NOT!
Two words: Grandfather Clause
It doesn't excuse anything, but it explains it at least.
Also, shortly after that event UT removed nearly everything regarding SSNs from computers that could be publicly accessed and now uses a user-chosen name/password combo for all secure online activities (the UT EID). University employees are also required to run a sensitive number finder on their computers and servers.
https://source.its.utexas.edu/groups/its-iso/projects/senf/
UT takes the SSN event *very* seriously.
Hacking
They don't have the concept that their words and actions have culpability. In their minds, if you talk back to anything they do or say then you're a complete piece of S#!%, and how dare you question or make comment on a lie or crime they committed. This may sound far-fetched to people from the real world, but it is only a small piece of the redneck mind and culture. In their minds they can hack your PC, piggyback it, get your cell phone info and then do anything they want to slander, defame or cyber-crime you into the ground just because of something they imagined over a split-second look at you! It is really bad when they have some cop idiot of a friend who is more than happy to help them commit crimes. They giggle like 6-year-olds and think they are mature at the same time, and these are the adults I'm talking about! Thank the stars for article 18-1001 federal law! Also, most people think IP tracking is legal; there is a thing called intent, it makes something that was legal become illegal, like following IP information with the intent to slander or defame, that's a felony! Just like shooting someone in the head: if someone breaks into your home and you shoot them in the head, it's good for you; if you just go out in the street and shoot someone, it's murder!

A little word, intent, makes it illegal, just like an IP trace!

I feel sorry for all the cyber criminals out there that think they can get away with everything. The FBI is starting to change all that; looks like the prison system is going to get a lot bigger!