Oxford May Suspend Students Who Pointed Out Network Flaws
from the shoot-the-messenger dept
Stories like these are way too common these days. Two Oxford University students, working for the school newspaper, figured out how easy it was to break into the school’s network and access private student data. They wrote up a front page article on the vulnerabilities in the system, and were promptly handed over to the police. The police told the university to handle it internally, but Oxford is now looking at suspending the students and potentially fining them as well. Of course, there’s no word whatsoever on whether the university actually patched the holes in their system. Why is it that so many people who point out security vulnerabilities are immediately accused of criminal acts? This only gives good people the incentive not to find and point out these vulnerabilities — but you can be quite sure that those up to no good are already exploiting them.
Comments on “Oxford May Suspend Students Who Pointed Out Network Flaws”
Let me get this straight. They found vulnerabilities in their employer’s computer, then instead of working to help get those patched, they published the vulnerabilities.
The point of full disclosure is to get the word out to others whose systems may be vulnerable. Telling the world about local problems before anyone can fix them is downright destructive.
Is it really not clear to you?
If you really can’t understand the issue, Mike, here you go:
Pointing out network or software vulnerabilities to internal administrators who can fix them is GOOD. Shouting them from the rooftops or putting them in print is BAD…it’s the equivalent of a bank employee handing out keys to the vault to anyone who passes by on the street. And if you don’t want to get handed over to the police, simply avoid breaking into your school’s private files and accessing confidential information.
As a network admin with some experience in this area, I’ll share a little secret: Well-meaning people don’t spend their spare time trying to find vulnerabilities in someone’s network. If they do, they’re getting paid for it by the network’s owner. And for that rare Internet Robin Hood who is the exception, they still wouldn’t publicize their findings without notifying the powers-that-be beforehand.
Your moral compass is due for some recalibration, man…
Re: Is it really not clear to you?
“….handing out keys….”: Rubbish. As the article makes clear there is no need to hand out any keys at all. The university has left all the doors open.
An insecure system is insecure period. Obscurity is not a valid security policy. In addition the students were working on the school paper. The lesson they are liable to learn from this incident is that investigative reporting does not pay. Not a lesson any school should be teaching.
Re: Re: It happened to a local school system here
A reporter for a local paper sat on the bleachers and was able to access most of the fileserver from her laptop. The folders were made public to make it easier for everyone to have access and share files. Unfortunately, there was student information in that folder.
The school shutdown the network, set the access to closed, and now all the parent volunteers can’t access it, including the network admins.
No police were called. It must be the type of culture in England to treat whistleblowers differently (they even made a movie about it where the whistleblowers are blown up in the end)
To the first two reponders:
You might try reading the article. Though it is not clear as to the exact timeline, it says: “We informed the university about what we were up to and handed over all the data we accessed.”
The "Oxford Student" article
It might be instructive to read the actual article in question at:
University IT network wide open to hackers
Re: Morally wrong
Publishing their way of getting into the network is wrong. Had they gone to the administration & reported it, I highly doubt they would be in the trouble that they are in.
Re: Re: Morally wrong
1. They did tell the administration before publishing the story.
2. They didn’t publish *how* they did it, just that they had done it.
Re: No Subject Given
Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 1990, which creates an absolute offence of “causing a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case.”
they have to commit criminal acts to prove their theory?
“they have to commit criminal acts to prove their theory?”: That’s alleged “criminal acts” to you. Whether criminal acts have been committed or otherwise is decided by a jury in a trial. But there has been no trial. Why not. Because the police have taken the view that a conviction would not occur. Had they decided otherwise then the prosecutor would have made a similar decision. Had the prosecutor tried to run this case a jury would have thrown it out of court so hard that it is unlikely that it would hit the ground any time this century. That’s the problem with your assertions.
Big Brother loves you ...
Regardless of what you all think, it was a thought crime pure and simple.
Report to the ministry of information for reprogramming.
Big brother loves you …