Just Because A Site's Online Doesn't Mean It's Legal To Hack It
from the nice-try-but-no dept
In 2003, a University of Texas student, Christopher Phillips, hacked into a university computer system and stole the Social Security numbers of some 45,000 students, staff and faculty. Two years later, he was convicted and sentenced to five years' probation and 500 hours of community service, and ordered to pay about $170,000 in restitution to the university. Phillips appealed the decision, but a court last month upheld the conviction, not buying Phillips' defense that he didn't really access the system without authorization.

The system in question required only a Social Security number for access, so Phillips set up a program that simply used the formula for creating SSNs and entered them into the system one after another, up to 40,000 times per hour. When it found a valid one, the program entered the system and extracted personal information from the account attached to it. Phillips argued, though, that since the site was publicly accessible from the internet, he -- and any other internet user -- was inherently authorized to access it. That's sort of a bizarre argument -- basically saying that it's okay to hack any site or system that's online, as long as some part of it is publicly accessible -- and one that's inherently problematic. By that logic, it would be okay for Phillips to hack into a credit-card site and steal people's card numbers, a viewpoint that few people would share.

It should also be noted, though, that the system he hacked featured pretty weak security measures: all that was needed for access was a Social Security number, and no other information. It would seem pretty obvious that such a setup is a ridiculously juicy, and easy, target for a hacker.
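
As an added example (not from the original post or the court record), here is detection logic a defender could run over login logs to flag one source cycling through many identifiers, the pattern described above. The log format, the threshold, the function names and the sample lines are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_IDS = 20  # assumed threshold; 40,000/hour is about 667 per minute

def parse(line):
    """Parse 'ISO-timestamp source id_token result' (constructed log format)."""
    ts, src, id_token, result = line.split()
    return datetime.fromisoformat(ts), src, id_token, result

def find_enumerators(lines, window=WINDOW, max_ids=MAX_DISTINCT_IDS):
    """Return {source: first alert time} for every source that tries more
    than max_ids distinct identifiers inside one sliding window."""
    recent = defaultdict(deque)    # source -> (time, id_token) still in window
    in_window = defaultdict(Counter)  # source -> id_token -> attempts in window
    alerts = {}
    for line in lines:
        ts, src, id_token, _result = parse(line)  # result not needed for this rule
        queue, ids = recent[src], in_window[src]
        queue.append((ts, id_token))
        ids[id_token] += 1
        # Expire attempts that have fallen out of the window.
        while ts - queue[0][0] > window:
            _, old = queue.popleft()
            ids[old] -= 1
            if ids[old] == 0:
                del ids[old]
        if len(ids) > max_ids and src not in alerts:
            alerts[src] = ts
    return alerts

def sample_log():
    """Constructed sample: one source walking identifiers at about 11 per
    second, and one ordinary user retrying a single identifier."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(300):
        t = base + timedelta(milliseconds=90 * i)
        result = "ok" if i % 100 == 99 else "fail"
        lines.append(f"{t.isoformat()} 203.0.113.7 id{i:05d} {result}")
    for i in range(3):
        t = base + timedelta(seconds=10 * i)
        result = "ok" if i == 2 else "fail"
        lines.append(f"{t.isoformat()} 198.51.100.4 id90001 {result}")
    return sorted(lines, key=lambda l: parse(l)[0])

if __name__ == "__main__":
    for src, when in find_enumerators(sample_log()).items():
        print(f"ALERT {src} exceeded {MAX_DISTINCT_IDS} distinct ids at {when}")
```

Counting distinct identifiers per source, rather than raw failures, keeps a user who mistypes one identifier several times from tripping the rule while still catching a sweep in which occasional attempts succeed.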