Just Because A Site's Online Doesn't Mean It's Legal To Hack It

from the nice-try-but-no dept

In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty. Two years later, he was convicted and sentenced to five years' probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed, but a court last month upheld the conviction, rejecting his defense that he hadn't really accessed the system without authorization. The system in question required only a Social Security number for access, so Phillips wrote a program that generated candidate numbers using the formula for creating SSNs and submitted them one after another, up to 40,000 times per hour. When it hit a valid one, the program entered the system and extracted the personal information from the account attached to it. Phillips argued that since the site was publicly accessible from the internet, he -- and any other internet user -- was inherently authorized to access it. That's a bizarre argument -- essentially that it's okay to hack any site or system that's online as long as some part of it is publicly accessible -- and an inherently problematic one. By that logic, it would be okay for Phillips to hack into a credit-card site and steal people's card numbers, a view few would share. It should also be noted, though, that the system he hacked had weak security: all that was needed for access was a Social Security number, and nothing else. Such a setup is obviously a ridiculously juicy, and easy, target for a hacker.


Reader Comments

  • dorpus, Feb 5th, 2007 @ 4:23am

    mens rea

    As criminal law says, the intent to commit a crime is the crux of the matter; the ease of doing so is moot.

    There's been a rash of crimes in Japan in the past week where perverts have grabbed children and thrown them off of pedestrian bridges, which is rather easy to do; but the ease of doing so does not excuse the crime.


  • eric, Feb 5th, 2007 @ 4:28am

    This is not really "hacking" per se.

    To call him a hacker, based on this, would be insulting to hackers.

    I mean, it's basically an over-glorified macro.


  • WhiteStone, Feb 5th, 2007 @ 4:36am

    hacking?

    If a houseowner forgets to lock his door, that doesn't make it legal to walk in and take his love letters or his money.


  • Xiera, Feb 5th, 2007 @ 4:37am

    Indeed

    Yeah, this really should not be called hacking. It's really just a matter of the convict being lucky enough that he found a site with what is clearly insecure access. I'm surprised more people haven't "hacked" the site.

    Shame on them. I hope the publicity of this case has made them reconsider their security measures.


  • Enrico Suarve, Feb 5th, 2007 @ 4:41am

    So what did the university get handed down?

    I agree that his defense that effectively an "easy hack is a legal hack" is laughable at best

    However the university should be looking at some sort of charge for an almost criminal act of negligence in posting what I *assume* was sensitive data on a public website with no security (sorry but entering in one field to get the data is not security - it's a search engine)

    $177,000 restitution to fix a simple brute force attack on an inadequate piece of software and find the originator? Wow I'm working for the wrong company if the university rewards like that


    • Brad Eleven, Feb 5th, 2007 @ 10:24am

      Re: So what did the university get handed down?

      Hear, hear! Now *that's* a racket!

      Set up an attractive honey pot.
      Track everyone who enters without prior authorization, e.g., everyone.
      Sue each/every one of them.
      Use whatever restitution recovered to fund securing the real site, after paying attorneys. Pocket the rest.

      Lather, rinse, repeat.

      Involve the DHS to accelerate prosecution and claims, but realize the trade-offs beforehand.


  • ScytheNoire, Feb 5th, 2007 @ 5:14am

    I'm shocked how easy their site was to hack though, errr, well, not hack, but brute force. Wouldn't network traffic monitors kinda go off when the same IP, or even if it was different IPs, kept entering invalid IDs, one after another? This just sounds like horrible University security.

    So, instead of protecting your valuable personal identity, the Universities are more worried about stopping you from sharing your music or downloading videos.
    Idiots.

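ScytheNoire's question above, whether a monitor should have fired on thousands of failed lookups, is what this added example answers; it is not code from the article or from the university. It assumes a constructed access log in the form "<ISO time> <client IP> <HTTP status>" and keeps two sliding windows, one per client address and one across all clients, so that both a single host and an attacker rotating addresses trip an alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the article): "<ISO time> <client IP> <status>";
# 404 = lookup of an ID that does not exist, 200 = a record was served.
SAMPLE_LOG = (
    # one host: 24 failures in 12 seconds, then a hit
    [f"2007-02-05T04:00:{i // 2:02d} 198.51.100.7 404" for i in range(24)]
    + ["2007-02-05T04:00:12 198.51.100.7 200"]
    # rotating hosts: 8 failures each from four addresses within 16 seconds
    + [f"2007-02-05T04:10:{i // 2:02d} 203.0.113.{1 + i % 4} 404" for i in range(32)]
    # legitimate user: one typo, then success, minutes later
    + ["2007-02-05T04:20:00 192.0.2.50 404", "2007-02-05T04:20:09 192.0.2.50 200"]
)

def detect_enumeration(lines, window=60, per_ip_limit=10, global_limit=25):
    """Return (time, key, reason) alerts for brute-force style lookup failures.

    Per-client and all-client sliding windows catch a single host and an
    attacker rotating addresses; each key alerts once per burst, and a hit
    from a client that is mid-burst marks the record likely exposed.
    """
    win = timedelta(seconds=window)
    per_ip = defaultdict(deque)   # failure timestamps per client
    everyone = deque()            # failure timestamps, all clients
    firing = set()                # keys currently above their threshold
    alerts = []

    def check(key, q, limit, ts, ts_s):
        q.append(ts)
        while ts - q[0] > win:    # drop failures that fell out of the window
            q.popleft()
        if len(q) > limit:
            if key not in firing:
                firing.add(key)
                alerts.append((ts_s, key, f"{len(q)} failed lookups in {window}s"))
        else:
            firing.discard(key)

    for line in lines:
        ts_s, ip, status = line.split()
        if status == "200":
            if ip in firing:
                alerts.append((ts_s, ip, "successful lookup during enumeration burst"))
            continue              # successes do not count toward the failure rate
        ts = datetime.fromisoformat(ts_s)
        check(ip, per_ip[ip], per_ip_limit, ts, ts_s)
        check("*", everyone, global_limit, ts, ts_s)
    return alerts

if __name__ == "__main__":
    for when, who, why in detect_enumeration(SAMPLE_LOG):
        print(when, who, why)
```

The per-client window fires on the eleventh failure from 198.51.100.7, the all-client window fires on the rotating hosts even though none of them exceeds the per-client limit, and the lone typo from 192.0.2.50 produces nothing.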

  • The Swiss Cheese Monster, Feb 5th, 2007 @ 5:16am

    Bad Sysadmins. 40000 illegal logins from, I presume, the same IP address?

    Poor security on all kinds of levels.


  • Jack Sombra, Feb 5th, 2007 @ 5:27am

    While I can agree with the verdict in this case, as he obviously intended to break into the system with intent to steal, I cannot help but think of another case reported lately, the one where a guy just cut out part of a URL and found it allowed him unauthorised access to the system, and after reporting it was arrested and charged.

    Judges should pay clear attention to "intent" but sadly due to the way the legal system is set up they rarely do


  • _Jon, Feb 5th, 2007 @ 5:42am

    Yeah, the lawyers get everything twisted in their logic of "details" and "letter of the law", rather than the "spirit of the law".

    I did read that in order to protect yourself or your client's computers, you should have a text file in the root that reads; "Private computer network, unauthorized use prohibited". It is kinda like having a "No Trespassing" sign on your property. Everyone knows not to trespass, but the sign allows more legal prosecution of the idiots.


  • Adam, Feb 5th, 2007 @ 5:53am

    Universities were known for poor IT security years back. When I attended one of NY's universities they only required your SS# as the only piece of info to log in, up to something like 2002 - your SS# was your "Net ID" and was even printed on students' ID photocards!! Then, mainly due to overwhelming criticism (and perhaps a couple of lawsuits) they started using Kerberos IDs with long alphanumeric passwords. There was a time one could just walk in to any IT office and find desktops with full admin/root access in public areas. Fortunately, back then hacking and on-line crime wasn't as widespread as it is today.


  • David Allouch, Feb 5th, 2007 @ 5:57am

    That is exactly why...

    That's exactly why people use software like dotDefender.
    You can't really know what so-called hackers will try next, and you can't know what holes exist on your site.


  • sheesh, Feb 5th, 2007 @ 6:08am

    Comment 11 is lame

    That's why "poeple" [sic] use software like the one you created and link to in the given URL? Come on, you spammer, this is NOT an advertising space. Sheesh.


  • Wolfger, Feb 5th, 2007 @ 6:27am

    devil's advocate

    I can see this guy's point... he didn't really hack into anything. He went to a publicly accessible website and viewed users' accounts that were not password protected. The equivalent of walking down the street and looking into people's houses through the windows. Publicly accessible, with no security measures in place to prevent it.

    Doesn't make what he did acceptable, but I don't think it should be prosecuted the same as, say, Mitnick.


    • dataGuy, Feb 5th, 2007 @ 8:47am

      Re: devil's advocate

      That's not the best analogy since you don't need to make 40,000 attempts per hour to look in the window before you can see anything. However, given that, if you started walking down a residential street looking in every window it would take very long before you were arrested.


  • Paul, Feb 5th, 2007 @ 6:30am

    How is this stealing?

    So, he made a list of valid social security numbers. Why is this always called 'stealing'? Did the original owners of the number lose the ability to use their social security numbers? Stealing is taking something from you such that you no longer have it. Maybe we need a new word.


  • Shohat, Feb 5th, 2007 @ 7:44am

    Shooting dogs and raping kids is also VERY easy.

    Both are publicly accessible, and frankly speaking, are quite poorly protected.


  • mosh, Feb 5th, 2007 @ 8:08am

    perhaps a business opportunity

    So I just need to make an easy to hack site with "sensitive" info and trace the inevitable hacker wannabe..... then I can sue for $170,000.... hmmmmmmmm sounds like a sweet money maker to me!


  • Buzz, Feb 5th, 2007 @ 9:07am

    LOL!

    Daaaaaang... I better take my web sites off all search engines, add password logins, and remove the public domain. I don't want it to be legal to hack my site. :P


  • Trouble Maker, Feb 5th, 2007 @ 10:04am

    two cents worth

    ...just as a reminder it is illegal to use the SSN as a means of identification.


  • Anonymous Coward, Feb 5th, 2007 @ 10:22am

    Kind of Scary

    Google: enter your ssn
    On the first few pages you already get 5+ hits for different universities.


  • Liz, Feb 5th, 2007 @ 10:24am

    As it were, I happen to go to UT (of the particularly esteemed security measures.)

    Since this attack, all of the University's online security has been/is being reworked.

    But the university website still sucks just as much as it always has...


  • Joe T, Feb 5th, 2007 @ 4:15pm

    It's curious how the same people who champion their supposed right to access someone's WiFi "because it's there" feel quite differently when it's Social Security information; Techdirt staff included.


  • |333173|3|_||3, Feb 5th, 2007 @ 8:55pm

    Jack Sombra: do you have a link? Maybe anything which can be accessed by typing stuff into the address bar of Firefox should be considered fair game. There are ways of protecting databases from such trivial attacks, so there is no excuse for prosecuting someone for that.

    A better analogy for what he did would be to walk around a publicly accessible building, peering at the desks until he sees something interesting, and reading it. The idiot that set up the site should be held to blame, at least in part, just like financial institutions.


  • Jo Mamma, Feb 6th, 2007 @ 12:13am

    SSN formula... NOT!

    There is no formula to create SSNs and hasn't been for at least a decade, perhaps many decades.

    When they were first introduced there was some kind of checkdigit / validity algorithm used in SSNs, but we moved away from that years ago due to lack of numbers.

    I've worked on bank software for years (ugh, actually a decade) and know this to be the case.


  • Ancientmath, Feb 6th, 2007 @ 9:49am

    re: SSN formula... NOT!

    There may be no formula being used "today", but SSNs are given for life. Since all college students today are older than a mere decade and required to obtain one at birth now, the algorithm could still be used to obtain valid numbers.

    As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.

    As for Jack's story...while I don't have a link myself, my own recollection of the story is the person who "reported" the flaw in the URL hack wanted compensation for his efforts. Extortion is the illegality there.

    And as for legally walking about "looking for something" would imply "intent"; AFAIK industrial espionage is illegal, yes?


    • nekowafer, Feb 6th, 2007 @ 12:08pm

      Re: re: SSN formula... NOT!

      "As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that."

      Two words: Grandfather Clause

      It doesn't excuse anything, but it explains it at least.

      Also, shortly after that event UT removed nearly everything regarding SSNs from computers that could be publicly accessed and now uses a user-chosen name/password combo for all secure online activities (the UT EID). University employees are also required to run a sensitive number finder on their computers and servers.

      https://source.its.utexas.edu/groups/its-iso/projects/senf/

      UT takes the SSN event *very* seriously.


  • Scott, Mar 18th, 2009 @ 3:50am

    Hacking

    The article above is exactly how the redneck mind works; they don't have the concept that their words and actions have culpability. In their minds, if you talk back to anything they do or say then you're a complete piece of S#!%, and how dare you question or make comment on a lie or crime they committed. This may sound far fetched to people from the real world but is only a small piece of the redneck mind and culture. In their minds they can hack your PC, piggy back it, get your cell phone info and then do anything they want to slander, defamation or cyber crime you into the ground just because of some thing they imagined over a split second look at you! It is really bad when they have some cop idiot of a friend who is more than happy to help them commit crimes; they giggle like 6-year-olds and think they are mature at the same time, and these are the adults I'm talking about! Thank the stars for article 18-1001 federal law! Also most people think IP tracking is legal; there is a thing called intent, it makes something that was legal become illegal, like following IP information with the intent to slander or defame, that's a felony! Just like shooting someone in the head: if someone breaks into your home and you shoot them in the head, it's good for you; if you just go out in the street and shoot someone it's murder! A little word, intent, makes it illegal just like IP trace! I feel sorry for all the cyber criminals out there that think they can get away with everything; the FBI is starting to change all that, looks like the prison system is going to get a lot bigger!

