Just Because A Site's Online Doesn't Mean It's Legal To Hack It
from the nice-try-but-no dept
In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty. Two years later, he was convicted and sentenced to five years’ probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed the decision, but a court last month upheld the conviction, not buying into Phillips’ defense that he didn’t really access the system without authorization.

The system in question required only a Social Security number for access, so Phillips set up a program that simply used the formula for creating SSNs and entered them into the system one after another, up to 40,000 times per hour. When it found a valid one, the program entered the system and extracted personal information from the account attached to it.

Phillips argued, though, that since the site was publicly accessible from the internet, he — and any other internet user — was inherently authorized to access it. That’s sort of a bizarre argument — basically saying that it’s okay to hack any site or system that’s online, as long as some part of it is publicly accessible — and one that’s inherently problematic. By that logic, it would be okay for Phillips to hack into a credit-card site and steal people’s card numbers, a viewpoint that few people would share.

It should also be noted, though, that the system he hacked featured pretty weak security measures: all that was needed for access was a Social Security number, and no other information. It would seem pretty obvious that such a setup is a ridiculously juicy, and easy, target for a hacker.
Comments on “Just Because A Site's Online Doesn't Mean It's Legal To Hack It”
mens rea
As criminal law says, the intent to commit a crime is the crux of the matter; the ease of doing so is moot.
There’s been a rash of crimes in Japan in the past week where perverts have grabbed children and thrown them off of pedestrian bridges, which is rather easy to do; but the ease of doing so does not excuse the crime.
This is not really “hacking” per se.
To call him a hacker, based on this, would be insulting to hackers.
I mean, it’s basically an overglorified macro.
hacking?
If a homeowner forgets to lock his door, that doesn’t make it legal to walk in and take his love letters or his money.
Indeed
Yeah, this really should not be called hacking. It’s really just a matter of the convict being lucky enough that he found a site with what is clearly insecure access. I’m surprised more people haven’t “hacked” the site.
Shame on them. I hope the publicity of this case has made them reconsider their security measures.
Re: Indeed
I am sure plenty of hackers have, but with security like that who says they ever caught them…
So what did the university get handed down?
I agree that his defense that effectively an “easy hack is a legal hack” is laughable at best.
However, the university should be looking at some sort of charge for an almost criminal act of negligence in posting what I *assume* was sensitive data on a public website with no security (sorry, but entering one field to get the data is not security – it’s a search engine).
$177,000 restitution to fix a simple brute force attack on an inadequate piece of software and find the originator? Wow, I’m working for the wrong company if the university rewards like that.
Re: So what did the university get handed down?
Hear, hear! Now *that’s* a racket!
Set up an attractive honey pot.
Track everyone who enters without prior authorization, e.g., everyone.
Sue each/every one of them.
Use whatever restitution recovered to fund securing the real site, after paying attorneys. Pocket the rest.
Lather, rinse, repeat.
Involve the DHS to accelerate prosecution and claims, but realize the trade-offs beforehand.
I’m shocked how easy their site was to hack though, errr, well, not hack, but brute force. Wouldn’t network traffic monitors kinda go off when the same IP, or even if it was different IPs, kept entering invalid IDs, one after another? This just sounds like horrible University security.
So, instead of protecting your valuable personal identity, the Universities are more worried about stopping you from sharing your music or downloading videos.
Idiots.
Bad Sysadmins. 40000 illegal logins from, I presume, the same IP address?
Poor security on all kinds of levels.
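The two comments above ask why nothing tripped when one source kept submitting invalid IDs thousands of times. As an added illustration (not code from the article, the commenters or the university), here is a small Python detector run over constructed log lines: it flags a source IP once its failed lookups inside a sliding window cover many *distinct* IDs, so one user retyping their own ID is left alone while an enumerator is caught within seconds. Log format, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (not from the article or the university): timestamp,
# source IP, the id tried (made-up digits, not real SSNs) and the HTTP status,
# where 404 means the lookup matched no record.
SAMPLE_LOG = """\
2003-03-02T10:00:00 203.0.113.5 id=000000001 404
2003-03-02T10:00:00 203.0.113.5 id=000000002 404
2003-03-02T10:00:01 203.0.113.5 id=000000003 404
2003-03-02T10:00:01 203.0.113.5 id=000000004 404
2003-03-02T10:00:02 203.0.113.5 id=000000005 200
2003-03-02T10:00:02 203.0.113.5 id=000000006 404
2003-03-02T10:00:03 198.51.100.7 id=000000042 200
2003-03-02T10:01:00 192.0.2.9 id=000000077 404
2003-03-02T10:01:01 192.0.2.9 id=000000077 404
2003-03-02T10:01:02 192.0.2.9 id=000000077 404
2003-03-02T10:01:03 192.0.2.9 id=000000077 404
2003-03-02T10:01:04 192.0.2.9 id=000000077 404
2003-03-02T10:05:00 198.51.100.7 id=000000042 404
"""

WINDOW_SECONDS = 60  # sliding window per source IP (assumed tuning value)
THRESHOLD = 5        # distinct failed ids within the window that trigger a flag

def parse_line(line):
    """Split one constructed log line into (timestamp, ip, id, status)."""
    ts, ip, id_field, status = line.split()
    return datetime.fromisoformat(ts), ip, id_field.split("=", 1)[1], int(status)

def detect_enumeration(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: distinct failed ids} for sources whose failed lookups in any
    `window`-second span cover at least `threshold` different ids. Counting
    distinct ids rather than raw failures ignores a user retyping one id."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, id) for failed lookups
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, ident, status = parse_line(line)
        if status == 200:
            continue                # a successful lookup is not evidence of guessing
        recent = failures[ip]
        recent.append((ts, ident))
        while (ts - recent[0][0]).total_seconds() > window:
            recent.popleft()        # drop failures that fell out of the window
        distinct = {i for _, i in recent}
        if len(distinct) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))   # {'203.0.113.5': 5}
```

In a real deployment the same signal would feed a rate limiter or block rule, and the threshold would sit far below the 40,000 attempts per hour the article describes.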
While I can agree with the verdict in this case, as he obviously intended to break into the system with intent to steal, I cannot help but think of another case reported lately, the one where a guy just cut out part of a URL and found it allowed him unauthorised access to the system, and after reporting it was arrested and charged.
Judges should pay clear attention to “intent”, but sadly, due to the way the legal system is set up, they rarely do.
Yeah, the lawyers get everything twisted in their logic of “details” and “letter of the law”, rather than the “spirit of the law”.
I did read that in order to protect yourself or your client’s computers, you should have a text file in the root that reads: “Private computer network, unauthorized use prohibited”. It is kinda like having a “No Trespassing” sign on your property. Everyone knows not to trespass, but the sign allows more legal prosecution of the idiots.
Universities were known for poor IT security years back. When I attended one of NY’s universities they only required SS# as the only piece of info to login up to something like 2002 – your SS# was your “Net ID” and was even printed on students’ ID photocards!! Then, mainly due to overwhelming criticism (and perhaps a couple of lawsuits) they started using Kerberos ID with long alphanumeric passwords. There was a time one could just walk in to any IT offices and find desktops with full admin/root access in public areas. Fortunately, back then hacking and on-line crime wasn’t as widespread as it is today.
That is exactly why...
That’s exactly why poeple use software like dotDefender.
You can’t really know what so-called hackers will try next, and you can’t know what holes exist on your site.
Comment 11 is lame
That’s why “poeple” [sic] use software like the one you created and link to in the given URL? Come on, you spammer, this is NOT an advertising space. Sheesh.
devil's advocate
I can see this guy’s point… he didn’t really hack into anything. He went to a publicly accessible website and viewed users’ accounts that were not password protected. The equivalent of walking down the street and looking into people’s houses through the windows. Publicly accessible, with no security measures in place to prevent it.
Doesn’t make what he did acceptable, but I don’t think it should be prosecuted the same as, say, Mitnick.
Re: devil's advocate
That’s not the best analogy since you don’t need to make 40,000 attempts per hour to look in the window before you can see anything. However, given that, if you started walking down a residential street looking in every window it would take very long before you were arrested.
How is this stealing?
So, he made a list of valid social security numbers. Why is this always called ‘stealing’? Did the original owners of the number lose the ability to use their social security numbers? Stealing is taking something from you such that you no longer have it. Maybe we need a new word.
Shooting dogs and raping kids is also VERY easy.
Both are publicly accessible, and frankly speaking, are quite poorly protected.
perhaps a business opportunity
So I just need to make an easy to hack site with “sensitive” info and trace the inevitable hacker wannabe….. then I can sue for $170,000…. hmmmmmmmm sounds like a sweet money maker to me!
LOL!
Daaaaaang… I better take my web sites off all search engines, add password logins, and remove the public domain. I don’t want it to be legal to hack my site. 😛
two cents worth
…just as a reminder it is illegal to use the SSN as a means of identification.
Kind of Scary
Google: enter your ssn
On the first few pages you already get 5+ hits for different universities.
As it were, I happen to go to UT (of the particularly esteemed security measures.)
Since this attack, all of the University’s online security has been/is being reworked.
But the university website still sucks just as much as it always has…
It’s curious how the same people who champion their supposed right to access someone’s WiFi “because it’s there” feel quite differently when it’s Social Security information; Techdirt staff included.
Jack Sombra: do you have a link? Maybe anything which can be accessed by typing stuff into the address bar of Firefox should be considered fair game. There are ways of protecting databases from such trivial attacks, so there is no excuse for prosecuting someone for that.
A better analogy for what he did would be to walk around a publicly accessible building, peering at the desks until he sees something interesting, and reading it. The idiot that set up the site should be held to blame, at least in part, just like financial institutions.
SSN formula... NOT!
There is no formula to create SSNs and hasn’t been for at least a decade, perhaps many decades.
When they were first introduced there was some kind of checkdigit / validity algorithm used in SSNs, but we moved away from that years ago due to lack of numbers.
I’ve worked on bank software for years (ugh, actually a decade) and know this to be the case.
re: SSN formula... NOT!
There may be no formula being used “today”, but SSNs are given for life. Since all college students today are older than a mere decade and required to obtain one at birth now, the algorithm could still be used to obtain valid numbers.
As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.
As for Jack’s story…while I don’t have a link myself, my own recollection of the story is the person who “reported” the flaw in the URL hack wanted compensation for his efforts. Extortion is the illegality there.
And as for legally walking about “looking for something” would imply “intent”; AFAIK industrial espionage is illegal, yes?
Re: re: SSN formula... NOT!
“As already mentioned, the SSN should not have been used for identification in the first place, but the story makes no mention of the university being fined for that.”
Two words: Grandfather Clause
It doesn’t excuse anything, but it explains it at least.
Also, shortly after that event UT removed nearly everything regarding SSNs from computers that could be publicly accessed and now uses a user-chosen name/password combo for all secure online activities (the UT EID). University employees are also required to run a sensitive number finder on their computers and servers.
https://source.its.utexas.edu/groups/its-iso/projects/senf/
UT takes the SSN event *very* seriously.
Hacking
The article above is exactly how the redneck mind works. They don’t have the concept that their words and actions have culpability; in their minds, if you talk back to anything they do or say then you’re a complete piece of S#!%, and how dare you question or make comment on a lie or crime they committed. This may sound far-fetched to people from the real world but is only a small piece of the redneck mind and culture. In their minds they can hack your PC, piggyback it, get your cell phone info and then do anything they want to slander, defame or cyber-crime you into the ground just because of something they imagined over a split-second look at you! It is really bad when they have some cop idiot of a friend who is more than happy to help them commit crimes; they giggle like 6yo’s and think they are mature at the same time, and these are the adults I’m talking about! Thank the stars for article 18-1001 federal law! Also, most people think IP tracking is legal, but there is a thing called intent; it makes something that was legal become illegal, like following IP information with the intent to slander or defame, that’s a felony! Just like shooting someone in the head: if someone breaks into your home and you shoot them in the head, it’s good for you; if you just go out in the street and shoot someone, it’s murder!
A little word, intent, makes it illegal, just like IP trace!
I feel sorry for all the cyber criminals out there that think they can get away with everything; the FBI is starting to change all that. Looks like the prison system is going to get a lot bigger!