Students suspended for hacking Oxford network

Two Oxford students have been suspended after admitting to gaining unauthorized access to the university's IT network.

Patrick Foster, 20, and Roger Waite, 21, claimed they had carried out the hack to expose security flaws. But at a disciplinary hearing Friday, it was decided that both students should be "rusticated," or suspended--Foster until May 2005 and Waite until January 2005.

The pair's actions came to light in May, when they wrote an article for The Oxford Student, a university newspaper, detailing their activities. They warned that using tools found through Google they had managed to view live CCTV footage, access information about the computer use of individual students and see their e-mail passwords.

Google has become a tool for hackers, who often use the popular search engine to turn up Web sites with vulnerabilities. For instance, intruders can sniff out default server page titles to find easily exploitable servers.

Foster admitted to seven charges--two of using university facilities for unlawful activity, two of gaining unauthorized access to the network, two of violating users' privacy, and one charge of wasting staff time by engaging them in activity unrelated to study.

Waite pleaded guilty to four charges, all related to the CCTV network--conspiring to breach an IT network, using facilities for an unlawful activity, gaining unauthorized access and wasting staff time.

There was no suggestion that either Foster or Waite had tried to cause any damage through the attack or achieve any financial gain.

The Oxford University proctors who investigated the incident reportedly have recommended that fines should be imposed. However, the panel of three Oxford fellows who conducted Friday's heading at the university's Court of Summary Jurisdiction decided to suspend the two students for what they deemed an attack on the university.

Foster, who is now the editor of The Oxford Student, has reportedly said that both he and Waite plan to appeal.

Graeme Wearden of ZDNet UK reported from London.

[nathanchilton]

Nobody listens

If you run a large network, it is your responsibility to keep it safe. These kids found vulnerabilities and exploited them to prove their danger. If you just tell someone that their system needs to be kept up-to-date with patches or needs to be re-configured in a more secure way, they don't often take it seriously. But tell them that you got into something sacred ("I know what your wife keeps in her underwear drawer...") and you get their attention. The problem is that now the amateur (and unauthorized) security analyst is considered a criminal.

Since these horrible failures in campus security have been exposed, the security has hopefully been tightened. And now, hopefully, the people with malicious intent (who wouldn't dream of admitting to what they have been able to get away with on the university's network) have lost their access.

Of course, it's only a matter of time before security becomes a low priority and people are again able to breach it. But the next time, they'll be sure not to tell anyone.

[nathanchilton]

Nobody listens

If you run a large network, it is your responsibility to keep it safe. These kids found vulnerabilities and exploited them to prove their danger. If you just tell someone that their system needs to be kept up-to-date with patches or needs to be re-configured in a more secure way, they don't often take it seriously. But tell them that you got into something sacred ("I know what your wife keeps in her underwear drawer...") and you get their attention. The problem is that now the amateur (and unauthorized) security analyst is considered a criminal.

Since these horrible failures in campus security have been exposed, the security has hopefully been tightened. And now, hopefully, the people with malicious intent (who wouldn't dream of admitting to what they have been able to get away with on the university's network) have lost their access.

Of course, it's only a matter of time before security becomes a low priority and people are again able to breach it. But the next time, they'll be sure not to tell anyone.