Just Because A Site's Online Doesn't Mean It's Legal To Hack It

from the nice-try-but-no dept

In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty, and two years later, he was convicted and sentenced to five years’ probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed the decision, but a court last month upheld the conviction, not buying into Phillips’ defense that he didn’t really access the system without authorization. The system in question required only a Social Security number for access, so Phillips set up a program that simply used the formula for creating SSNs, and entered them into the system one after another, up to 40,000 times per hour. When it found a valid one, the program entered the system and extracted personal information from the account attached to it. Phillips argued, though, that since the site was publicly accessible from the internet, he — and any other internet user — was inherently authorized to access it. That’s sort of a bizarre argument — basically saying that it’s okay to hack any site or system that’s online, as long as some part of it is publicly accessible — and one that’s inherently problematic. By using that logic, it would be okay for Phillips to hack into a credit-card site and steal people’s card numbers, a viewpoint that few people would share. It should also be noted, though, that the system he hacked featured pretty weak security measures: all that was needed for access was a Social Security number, and no other information. It would seem pretty obvious that such a set up is a ridiculously juicy, and easy, target for a hacker.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Just Because A Site's Online Doesn't Mean It's Legal To Hack It”

Subscribe: RSS Leave a comment
Xiera says:


Yeah, this really should not be called hacking. It’s really just a matter of the convict being lucky enough that he found a site with what is clearly insecure access. I’m surprised more people haven’t “hacked” the site.

Shame on them. I hope the publicity of this case has made them reconsider their security measures.

Enrico Suarve says:

So what did the university get handed down?

I agree that his defense that effectivly an “easy hack is a legal hack” is laughable at best

However the university should be looking at some sort of charge for an almost criminal act of negligence in posting what I *assume* was sensitive data on a public website with no security (sorry but entering in one field to get the data is not security – it’s a search engine)

$177,000 restitution to fix a simple brute force attack on an inadequate piece of software and find the originator? Wow I’m working for the wrong company if the university rewards like that

Brad Eleven (profile) says:

Re: So what did the university get handed down?

Hear, hear! Now *that’s* a racket!

Set up an attractive honey pot.
Track everyone who enters without prior authorization, e.g., everyone.
Sue each/every one of them.
Use whatever restitution recovered to fund securing the real site, after paying attorneys. Pocket the rest.

Lather, rinse, repeat.

Involve the DHS to accelerate prosecution and claims, but realize the trade-offs beforehand.

ScytheNoire (profile) says:

I’m shocked how easy their site was to hack though, errr, well, not hack, but brute force. Wouldn’t network traffic monitors kinda go off when the same IP, or even if it was different IP’s, kept entering invalid ID’s, one after another. This just sounds like horrible University security.

So, instead of protecting your valuable personal identity, the Universities are more worried about stopping you from sharing your music or downloading videos.

Jack Sombra says:

While i can agree with the verdict in this case as he obviously intended to break into the system with intent to steal, cannot help but think of another case reported lately, the one where a guy just cut out part of url and found it allowed him unautorised access to the system and after reporting it was arrested and charged.

Judges should pay clear attention to “intent” but sadly due to the way the legal system is set up they rarely do

_Jon says:

Yeah, the lawyers get everything twisted in their logic of “details” and “letter of the law”, rather than the “spirit of the law”.

I did read that in order to protect yourself or your client’s computers, you should have a text file in the root that reads; “Private computer network, unauthorized use prohibited”. It is kinda like having a “No Trespassing” sign on your property. Everyone knows not to trespass, but the sign allows more legal prosecution of the idiots.

Adam says:

Universities were known for poor IT security years back. When I attended one on NY universities they only required SS# as the only piece of info to login up to something like 2002 – your SS# was your “Net ID” and was even printed on student’s ID photocards!! Then, mainly due to overwhelming criticism (and perhaps a couple of lawsuits) they started using Kerberos ID with long alphanumeric passwords. There was a time one could just walk in to any IT offices and find desktops with full admin/root access in public areas. Fortunately, back then hacking and on-line crime wasn’t that widespread as it is today.

Wolfger (profile) says:

devil's advocate

I can see this guy’s point… he didn’t really hack into anything. He went to a publicly accessible website and viewed users accounts that were not password protected. The equivalent walking down the street and looking into people’s houses through the windows. Publicly accessible, with no security measures in place to prevent it.

Doesn’t make what he did acceptable, but I don’t think it should be prosecuted the same as, say, Mitnick.

|333173|3|_||3 says:

Jack Sombra: do you have a link. Maybe anything which can be accessed by typing stuff into the address bar of firefox should be considered fair game. HTere are ways of protecting databases from such trivial attacks, so there is no excuse for prosecuting someone for that.

A better analogy for what he did would be to walk around a publically acessable building, peering at the desks until he sees something interesting, and reading it. The idiot that set up the site should be held to blame, at least in part, just like financial instituitions.

Jo Mamma says:

SSN formula... NOT!

There is no formula to create SSNs and hasn’t been for at least a decade, perhaps many decades.

When they were first introduced there was some kind of checkdigit / validity algorithm used in SSNs, but we moved away from that years ago due to lack of numbers.

I’ve worked on bank software for years (ugh, actually a decade) and know this to be the case.

Ancientmath says:

re: SSN formula... NOT!

There may be no formula being used “today”, but SSNs are given for life. Since all college students today are older than a mere decade and required to obtain one at birth now, the algorithm could still be used to obtain valid numbers.

As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.

As for Jack’s story…while I don’t have a link myself, my own recollection of the story is the person who “reported” the flaw in the URL hack wanted compensation for his efforts. Extortion is the illegality there.

And as for legally walking about “looking for something” would imply “intent”; AFAIK industrial espionage is illegal, yes?

nekowafer says:

Re: re: SSN formula... NOT!

“As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.”

Two words: Grandfather Clause

It doesn’t excuse anything, but it explains it at least.

Also, shortly after that event UT removed nearly everything regarding SSNs from computers that could be publicly accessed and now uses a user-chosen name/password combo for all secure online activities (the UT EID). University employees are also required to run a sensitive number finder on their computers and servers.


UT takes the SSN event *very* seriously.

Scott says:


the artical above is exactly how the redneck mind works,
they don’t have the concept that their words and actions
have copability, in their minds if you talk back to anything
they do or say than your a complete piece of S#!%. and how dare you question or make comment on a lie or crime they commited, this may sound far fetched to people from the real world but is only a small piece of the redneck mind and culture, in their minds they can hack your pc, piggy back it, get your cell phone info and then do anything they want to slander, deformation or cyber crime you into the ground just because of some thing they imagined over a split second look at you! it is really bad when they have some cop idiot of a friend who is more than happy to help them commit crimes, they giggle like 6yo’s and think they are mature at the same time, and these are the adults i’m talking about! Thank the stars for artical 18-1001 federal law! also most poeple think IP tracking is leagle, there is a thing called intent, it makes somthing that was leagle become illegle, like following IP information with the Intent to slander or defame, thats a felony! just like shooting somone in the head, if somone breaks into your home
and you shoot them in the head, its good for you, if you just go out in the street and shoot somone its murder!
a little word intent makes it illeagle just like IP trace!
I feel sorry for all the cyber criminals out there that think they can get away with everything, the FBI is starting to change all that, looks like the prison system
is going to get alot bigger!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...