Reader Comments (rss)

(Flattened / Threaded)

1.  

   ...

   

   McGroarty, Jul 16th, 2004 @ 5:58am

   
   

   Let me get this straight. They found vulnerabilities in their employer's computer, then instead of working to help get those patched, they published the vulnerabilities.
   
   The point of full disclosure is to get the word out to others whose systems may be vulnerable. Telling the world about local problems before anyone can fix them is downright destructive.

   [ reply to this | link to this | view in thread ]

2.  

   Is it really not clear to you?

   

   Inferno, Jul 16th, 2004 @ 6:05am

   
   

   If you really can't understand the issue, Mike, here you go:
   
   Pointing out network or software vulnerabilities to internal administrators who can fix them is GOOD. Shouting them from the rooftops or putting them in print is BAD...it's the equivalent of a bank employee handing out keys to the vault to anyone who passes by on the street. And if you don't want to get handed over to the police, simply avoid breaking into your school's private files and accessing confidential information.
   
   As a network admin with some experience in this area, I'll share a little secret: Well-meaning people don't spend their spare time trying to find vulnerabilities in someone's network. If they do, they're getting paid for it by the network's owner. And for that rare Internet Robin Hood who is the exception, they still wouldn't publicize their findings without notifying the powers-that-be beforehand.
   
   Your moral compass is due for some recalibration, man...

   [ reply to this | link to this | view in thread ]

3.  

   Re: Is it really not clear to you?

   

   Peter F Bradshaw, Jul 16th, 2004 @ 6:46am

   
   

   "....handing out keys....": Rubbish. As the article makes clear there is no need to hand out any keys at all. The university has left all the doors open.
   
   An insecure system is insecure period. Obscurity is not a valid security policy. In addition the students were working on the school paper. The lesson they are liable to learn from this incident is that investigative reporting does not pay. Not a lesson any school should be teaching.

   [ reply to this | link to this | view in thread ]

4.  

   To the first two reponders:

   

   Anonymous Coward, Jul 16th, 2004 @ 7:39am

   
   

   You might try reading the article. Though it is not clear as to the exact timeline, it says: "We informed the university about what we were up to and handed over all the data we accessed."

   [ reply to this | link to this | view in thread ]

5.  

   It happened to a local school system here

   

   Michael Vilain, Jul 16th, 2004 @ 8:13am

   
   

   A reporter for a local paper sat on the bleachers and was able to access most of the fileserver from her laptop. The folders were made public to make it easier for everyone to have access and share files. Unfortunately, there was student information in that folder.
   
   The school shutdown the network, set the access to closed, and now all the parent volunteers can't access it, including the network admins.
   
   No police were called. It must be the type of culture in England to treat whistleblowers differently (they even made a movie about it where the whistleblowers are blown up in the end)

   [ reply to this | link to this | view in thread ]

6.  

   The "Oxford Student" article

   

   Peter F Bradshaw, Jul 16th, 2004 @ 8:48am

   
   

   It might be instructive to read the actual article in question at:
   
   University IT network wide open to hackers

   [ reply to this | link to this | view in thread ]

7.  

   Morally wrong

   

   Anonymous Coward, Jul 16th, 2004 @ 9:08am

   
   

   
   Publishing their way of getting into the network is wrong. Had they gone to the administration & reported it, I highly doubt they would be in the trouble that they are in.
   
   

   [ reply to this | link to this | view in thread ]

8.  

   Re: Morally wrong

   

   Mike (profile), Jul 16th, 2004 @ 9:10am

   
   

   Ok:
   
   1. They did tell the administration before publishing the story.
   
   2. They didn't publish *how* they did it, just that they had done it.

   [ reply to this | link to this | view in thread ]

9.  

   No Subject Given

   

   Anonymous Coward, Jul 16th, 2004 @ 9:13am

   
   

   Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 1990, which creates an absolute offence of "causing a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case."

   [ reply to this | link to this | view in thread ]

10.  

    because....

    

    Anonymous Coward, Jul 16th, 2004 @ 6:57pm

    
    

    they have to commit criminal acts to prove their theory?
    

    [ reply to this | link to this | view in thread ]

11.  

    Re: because....

    

    Anonymous Coward, Jul 17th, 2004 @ 2:34am

    
    

    "they have to commit criminal acts to prove their theory?": That's alleged "criminal acts" to you. Whether criminal acts have been committed or otherwise is decided by a jury in a trial. But there has been no trial. Why not. Because the police have taken the view that a conviction would not occur. Had they decided otherwise then the prosecutor would have made a similar decision. Had the prosecutor tried to run this case a jury would have thrown it out of court so hard that it is unlikely that it would hit the ground any time this century. That's the problem with your assertions.
    

    [ reply to this | link to this | view in thread ]

12.  

    Big Brother loves you ...

    

    Anonymous Coward, Jul 19th, 2004 @ 9:48am

    
    

    Regardless of what you all think, it was a thought crime pure and simple.
    Report to the ministry of information for reprogramming.
    Big brother loves you ...

    [ reply to this | link to this | view in thread ]

Add Your Comment