Oxford May Suspend Students Who Pointed Out Network Flaws

from the shoot-the-messenger dept

Stories like these are way too common these days. Two Oxford University students, working for the school newspaper, figured out how easy it was to break into the school’s network and access private student data. They wrote up a front page article on the vulnerabilities in the system, and were promptly handed over to the police. The police told the university to handle it internally, but Oxford is now looking at suspending the students and potentially fining them as well. Of course, there’s no word whatsoever on whether the university actually patched the holes in their system. Why is it that so many people who point out security vulnerabilities are immediately accused of criminal acts? This only gives good people the incentive not to find and point out these vulnerabilities — but you can be quite sure that those up to no good are already exploiting them.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Oxford May Suspend Students Who Pointed Out Network Flaws”

Subscribe: RSS Leave a comment
McGroarty says:


Let me get this straight. They found vulnerabilities in their employer’s computer, then instead of working to help get those patched, they published the vulnerabilities.

The point of full disclosure is to get the word out to others whose systems may be vulnerable. Telling the world about local problems before anyone can fix them is downright destructive.

Inferno says:

Is it really not clear to you?

If you really can’t understand the issue, Mike, here you go:

Pointing out network or software vulnerabilities to internal administrators who can fix them is GOOD. Shouting them from the rooftops or putting them in print is BAD…it’s the equivalent of a bank employee handing out keys to the vault to anyone who passes by on the street. And if you don’t want to get handed over to the police, simply avoid breaking into your school’s private files and accessing confidential information.

As a network admin with some experience in this area, I’ll share a little secret: Well-meaning people don’t spend their spare time trying to find vulnerabilities in someone’s network. If they do, they’re getting paid for it by the network’s owner. And for that rare Internet Robin Hood who is the exception, they still wouldn’t publicize their findings without notifying the powers-that-be beforehand.

Your moral compass is due for some recalibration, man…

Peter F Bradshaw (user link) says:

Re: Is it really not clear to you?

“….handing out keys….”: Rubbish. As the article makes clear there is no need to hand out any keys at all. The university has left all the doors open.

An insecure system is insecure period. Obscurity is not a valid security policy. In addition the students were working on the school paper. The lesson they are liable to learn from this incident is that investigative reporting does not pay. Not a lesson any school should be teaching.

Michael Vilain says:

Re: Re: It happened to a local school system here

A reporter for a local paper sat on the bleachers and was able to access most of the fileserver from her laptop. The folders were made public to make it easier for everyone to have access and share files. Unfortunately, there was student information in that folder.

The school shutdown the network, set the access to closed, and now all the parent volunteers can’t access it, including the network admins.

No police were called. It must be the type of culture in England to treat whistleblowers differently (they even made a movie about it where the whistleblowers are blown up in the end)

Anonymous Coward says:

Re: No Subject Given

Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 1990, which creates an absolute offence of “causing a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case.”

Anonymous Coward says:

Re: because....

“they have to commit criminal acts to prove their theory?”: That’s alleged “criminal acts” to you. Whether criminal acts have been committed or otherwise is decided by a jury in a trial. But there has been no trial. Why not. Because the police have taken the view that a conviction would not occur. Had they decided otherwise then the prosecutor would have made a similar decision. Had the prosecutor tried to run this case a jury would have thrown it out of court so hard that it is unlikely that it would hit the ground any time this century. That’s the problem with your assertions.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...