Just Because A Site's Online Doesn't Mean It's Legal To Hack It

from the nice-try-but-no dept

Mon, Feb 5th 2007 3:32am — Carlo Longino

In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty, and two years later, he was convicted and sentenced to five years' probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed the decision, but a court last month upheld the conviction, not buying into Phillips' defense that he didn't really access the system without authorization. The system in question required only a Social Security number for access, so Phillips set up a program that simply used the formula for creating SSNs, and entered them into the system one after another, up to 40,000 times per hour. When it found a valid one, the program entered the system and extracted personal information from the account attached to it. Phillips argued, though, that since the site was publicly accessible from the internet, he -- and any other internet user -- was inherently authorized to access it. That's sort of a bizarre argument -- basically saying that it's okay to hack any site or system that's online, as long as some part of it is publicly accessible -- and one that's inherently problematic. By using that logic, it would be okay for Phillips to hack into a credit-card site and steal people's card numbers, a viewpoint that few people would share. It should also be noted, though, that the system he hacked featured pretty weak security measures: all that was needed for access was a Social Security number, and no other information. It would seem pretty obvious that such a set up is a ridiculously juicy, and easy, target for a hacker.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

29 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

dorpus, 5 Feb 2007 @ 4:23am

mens rea
As criminal law says, the intent to commit a crime is the crux of the matter; the ease of doing so is moot.

There's been a rash of crimes in Japan in the past week where perverts have grabbed children and thrown them off of pedestrian bridges, which is rather easy to do; but the ease of doing so does not excuse the crime.
[ link to this | view in chronology ]
eric, 5 Feb 2007 @ 4:28am

This is not really "hacking" persay.

To call him a hacker, based on this, would be insulting to hackers.

I mean, it's basically an over glorified macro.
[ link to this | view in chronology ]
WhiteStone, 5 Feb 2007 @ 4:36am

hacking?
If a houseowner forgets to lock his door, that doesnt make it legal to walk in and take his loveletters or his money.
[ link to this | view in chronology ]
Xiera, 5 Feb 2007 @ 4:37am

Indeed
Yeah, this really should not be called hacking. It's really just a matter of the convict being lucky enough that he found a site with what is clearly insecure access. I'm surprised more people haven't "hacked" the site.

Shame on them. I hope the publicity of this case has made them reconsider their security measures.
[ link to this | view in chronology ]
- teswolf96, 28 Feb 2011 @ 1:48pm
  
  Re: Indeed
  I am sure plenty of hackers have, but with security like that who says they ever caught them...
  [ link to this | view in chronology ]
Enrico Suarve, 5 Feb 2007 @ 4:41am

So what did the university get handed down?
I agree that his defense that effectivly an "easy hack is a legal hack" is laughable at best

However the university should be looking at some sort of charge for an almost criminal act of negligence in posting what I *assume* was sensitive data on a public website with no security (sorry but entering in one field to get the data is not security - it's a search engine)

$177,000 restitution to fix a simple brute force attack on an inadequate piece of software and find the originator? Wow I'm working for the wrong company if the university rewards like that
[ link to this | view in chronology ]
- Brad Eleven, 5 Feb 2007 @ 10:24am
  
  Re: So what did the university get handed down?
  Hear, hear! Now *that's* a racket!
  
  Set up an attractive honey pot.
  Track everyone who enters without prior authorization, e.g., everyone.
  Sue each/every one of them.
  Use whatever restitution recovered to fund securing the real site, after paying attorneys. Pocket the rest.
  
  Lather, rinse, repeat.
  
  Involve the DHS to accelerate prosecution and claims, but realize the trade-offs beforehand.
  [ link to this | view in chronology ]
ScytheNoire, 5 Feb 2007 @ 5:14am

I'm shocked how easy their site was to hack though, errr, well, not hack, but brute force. Wouldn't network traffic monitors kinda go off when the same IP, or even if it was different IP's, kept entering invalid ID's, one after another. This just sounds like horrible University security.

So, instead of protecting your valuable personal identity, the Universities are more worried about stopping you from sharing your music or downloading videos.
Idiots.
[ link to this | view in chronology ]
The Swiss Cheese Monster, 5 Feb 2007 @ 5:16am

Bad Sysadmins. 40000 illeagle logins from, I presume the same IP address?

Poor security on all kinds of levels.
[ link to this | view in chronology ]
Jack Sombra, 5 Feb 2007 @ 5:27am

While i can agree with the verdict in this case as he obviously intended to break into the system with intent to steal, cannot help but think of another case reported lately, the one where a guy just cut out part of url and found it allowed him unautorised access to the system and after reporting it was arrested and charged.

Judges should pay clear attention to "intent" but sadly due to the way the legal system is set up they rarely do
[ link to this | view in chronology ]
_Jon, 5 Feb 2007 @ 5:42am

Yeah, the lawyers get everything twisted in their logic of "details" and "letter of the law", rather than the "spirit of the law".

I did read that in order to protect yourself or your client's computers, you should have a text file in the root that reads; "Private computer network, unauthorized use prohibited". It is kinda like having a "No Trespassing" sign on your property. Everyone knows not to trespass, but the sign allows more legal prosecution of the idiots.
[ link to this | view in chronology ]
Adam, 5 Feb 2007 @ 5:53am

Universities were known for poor IT security years back. When I attended one on NY universities they only required SS# as the only piece of info to login up to something like 2002 - your SS# was your "Net ID" and was even printed on student's ID photocards!! Then, mainly due to overwhelming criticism (and perhaps a couple of lawsuits) they started using Kerberos ID with long alphanumeric passwords. There was a time one could just walk in to any IT offices and find desktops with full admin/root access in public areas. Fortunately, back then hacking and on-line crime wasn't that widespread as it is today.
[ link to this | view in chronology ]
David Allouch, 5 Feb 2007 @ 5:57am

That is exactly why...
Thats exactly why poeple use software like dotDefender.
You can't really know what so called hackers will try next, and you can't know what holes exists on your site.
[ link to this | view in chronology ]
sheesh, 5 Feb 2007 @ 6:08am

Comment 11 is lame
That's why "poeple" [sic] use software like the one you created and link to in the given URL? Come one you spammer, this is NOT a advertising space. Sheesh.
[ link to this | view in chronology ]
Wolfger, 5 Feb 2007 @ 6:27am

devil's advocate
I can see this guy's point... he didn't really hack into anything. He went to a publicly accessible website and viewed users accounts that were not password protected. The equivalent walking down the street and looking into people's houses through the windows. Publicly accessible, with no security measures in place to prevent it.

Doesn't make what he did acceptable, but I don't think it should be prosecuted the same as, say, Mitnick.
[ link to this | view in chronology ]
- dataGuy, 5 Feb 2007 @ 8:47am
  
  Re: devil's advocate
  That's not the best analogy since you don't need to make 40,000 attempts per hour to look in the window before you can see anything. However, given that, if you started walking down a residential street looking in every window it would take very long before you were arrested.
  [ link to this | view in chronology ]
Paul, 5 Feb 2007 @ 6:30am

How is this stealing?
So, he made a list of valid social security numbers. Why is this always called 'stealing'? Did the original owners of the number lose the ability to use their social security numbers? Stealing is taking something from you such that you no longer have it. Maybe we need a new word.
[ link to this | view in chronology ]
Shohat, 5 Feb 2007 @ 7:44am

Shooting dogs and raping kids is also VERY easy.
Both are publicly accessible , and frankly speaking , are quite poorly protected .
[ link to this | view in chronology ]
mosh, 5 Feb 2007 @ 8:08am

perhaps a business opportunity
So I just need to make an easy to hack site with "sensitive" info and trace the inevitable hacker wannabe..... then I can sue for $170,000.... hmmmmmmmm sounds like a sweet money maker to me!
[ link to this | view in chronology ]
Buzz, 5 Feb 2007 @ 9:07am

LOL!
Daaaaaang... I better take my web sites off all search engines, add password logins, and remove the public domain. I don't want it to be legal to hack my site. :P
[ link to this | view in chronology ]
Trouble Maker, 5 Feb 2007 @ 10:04am

two cents worth
...just as a reminder it is illegal to use the SSN as a means of identification.
[ link to this | view in chronology ]
Anonymous Coward, 5 Feb 2007 @ 10:22am

Kind of Scary
Google: enter your ssn
On the first few pages you already get 5+ hits for different universities.
[ link to this | view in chronology ]
Liz, 5 Feb 2007 @ 10:24am

As it were, I happen to go to UT (of the particularly esteemed security measures.)

Since this attack, all of the University's online security has been/is being reworked.

But the university website still sucks just as much as it always has...
[ link to this | view in chronology ]
Joe T, 5 Feb 2007 @ 4:15pm

It's curious how the same people who champion their supposed right to access someone's WiFi "because it's there" feel quite differently when it's Social Security information; Techdirt staff included.
[ link to this | view in chronology ]
|333173|3|_||3, 5 Feb 2007 @ 8:55pm

Jack Sombra: do you have a link. Maybe anything which can be accessed by typing stuff into the address bar of firefox should be considered fair game. HTere are ways of protecting databases from such trivial attacks, so there is no excuse for prosecuting someone for that.

A better analogy for what he did would be to walk around a publically acessable building, peering at the desks until he sees something interesting, and reading it. The idiot that set up the site should be held to blame, at least in part, just like financial instituitions.
[ link to this | view in chronology ]
Jo Mamma, 6 Feb 2007 @ 12:13am

SSN formula... NOT!
There is no formula to create SSNs and hasn't been for at least a decade, perhaps many decades.

When they were first introduced there was some kind of checkdigit / validity algorithm used in SSNs, but we moved away from that years ago due to lack of numbers.

I've worked on bank software for years (ugh, actually a decade) and know this to be the case.
[ link to this | view in chronology ]
Ancientmath, 6 Feb 2007 @ 9:49am

re: SSN formula... NOT!
There may be no formula being used "today", but SSNs are given for life. Since all college students today are older than a mere decade and required to obtain one at birth now, the algorithm could still be used to obtain valid numbers.

As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.

As for Jack's story...while I don't have a link myself, my own recollection of the story is the person who "reported" the flaw in the URL hack wanted compensation for his efforts. Extortion is the illegality there.

And as for legally walking about "looking for something" would imply "intent"; AFAIK industrial espionage is illegal, yes?
[ link to this | view in chronology ]
- nekowafer, 6 Feb 2007 @ 12:08pm
  
  Re: re: SSN formula... NOT!
  "As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that."
  
  Two words: Grandfather Clause
  
  It doesn't excuse anything, but it explains it at least.
  
  Also, shortly after that event UT removed nearly everything regarding SSNs from computers that could be publicly accessed and now uses a user-chosen name/password combo for all secure online activities (the UT EID). University employees are also required to run a sensitive number finder on their computers and servers.
  
  https://source.its.utexas.edu/groups/its-iso/projects/senf/
  
  UT takes the SSN event *very* seriously.
  [ link to this | view in chronology ]
Scott, 18 Mar 2009 @ 3:50am

Hacking
the artical above is exactly how the redneck mind works,
they don't have the concept that their words and actions
have copability, in their minds if you talk back to anything
they do or say than your a complete piece of S#!%. and how dare you question or make comment on a lie or crime they commited, this may sound far fetched to people from the real world but is only a small piece of the redneck mind and culture, in their minds they can hack your pc, piggy back it, get your cell phone info and then do anything they want to slander, deformation or cyber crime you into the ground just because of some thing they imagined over a split second look at you! it is really bad when they have some cop idiot of a friend who is more than happy to help them commit crimes, they giggle like 6yo's and think they are mature at the same time, and these are the adults i'm talking about! Thank the stars for artical 18-1001 federal law! also most poeple think IP tracking is leagle, there is a thing called intent, it makes somthing that was leagle become illegle, like following IP information with the Intent to slander or defame, thats a felony! just like shooting somone in the head, if somone breaks into your home
and you shoot them in the head, its good for you, if you just go out in the street and shoot somone its murder!
a little word intent makes it illeagle just like IP trace!
I feel sorry for all the cyber criminals out there that think they can get away with everything, the FBI is starting to change all that, looks like the prison system
is going to get alot bigger!
[ link to this | view in chronology ]