Christopher Andrew Phillips, hacker?
March 14, 2003 12:53 PM   Subscribe

'course it's hacking (cracking) - it was done on purpose with no understandable motive apart from obtaining info that isn't intended for legitimate use. it was crap security, but he still had to put effort into getting the data. if you leave your door open and someone steals your stuff, it's still a crime (you might feel stupid, and you might not get an insurance payout, but the person who took your stuff still shouldn't have done what they did).
posted by andrew cooke at 2:09 PM on March 14, 2003

"a publicly accessible Web application that allowed a user to query a database using only a Social Security number and then returned student and staff data for a person with the matching number"

Do you know how easy it is to get your address? What's your license plate number? I'll come by later with some beers.

Is that stealing/hacking/cracking?
posted by Big_B at 2:39 PM on March 14, 2003

ac: if you "leave your door open"? - don't you mean if you "leave your stuff lying around on the street". The 'net analogy to walking around on the street is entering URLs in your browser. That's all this guy did, with a bit of automation.

Hey, here's a novel idea: make any hacking legal for economic/strategic reasons. The country who does that will end up being the world leader in security software. Currently, we are relying on the police/lawyers instead of our own intelligence. It's software, for chrissake - we can do it.
posted by mediaddict at 2:42 PM on March 14, 2003

I can't find the link, but I remember a similar story about this guy who found an exploit in his company's competitors website (or maybe it was an ISP? it's been a while) Anyway, when he notified the owner(s) of the problem, they pressed charges against him for hacking.
Any who, CAPhillips intentionally hacked the SSN database to gather info, if he would have gone to the appropriate people to notify them of this problem, things would have been a lot different.
posted by lsd4all at 4:09 PM on March 14, 2003

Imo, there is some theoretical point-of-balance to strike between security through protection/prevention and security through consequence (law).

I say this with the caveat that I do not know exactly what security was surrounding the form, but I do not believe that a publicly accessible form should constitute a secured item.

If anything, I would assign fault to the university in this case, for their leaving so much information openly accessible.
posted by rudyfink at 4:15 PM on March 14, 2003

Is it respectably challenging hacking, a la Wargames? Surely not.

Big_B, you do understand that with the easily-obtained -- or in this case, merely sequentially generated -- SSN, the database spit out considerably more private information than your home address?

What he did was illegal, plain and simple. It may be easy to slice through my screen window, but I'm sure you'll also agree that in that case what is merely easy is not legal.

The point here isn't whether this was a crime; the point is indeed precisely that this information shouldn't be so easily obtained. Many people still don't know that, for a certain unknown percentage of persons, googling on their name plus hometown displays their home address and phone. The point is that using this sort of information as a data key is dumb, which I'm sure you'll agree. Applications that hold any type of sensitive information should be more rigorously designed.

This error isn't, oddly enough, dissimilar from what the Social Security administration itself did a couple of years ago when it put lifetime earnings data online. Fortunately, they learned quickly and now have a higher bar. It's almost identical, as well, to the "hacking" that happened last year between a couple of Ivy League colleges when one discovered how easy it was to look up application/acceptance data on the other's, and then fumbled the notification process.

There's another issue here, which is that the SSN numbering system was designed too early to include any kind of checksum or hash to ensure its integrity, which is pretty basic for identifiers such as credit card numbers these days: technically you're not supposed to be able to "guess" a valid credit card number, and anyone using that as the GUID in their database is simply asking for trouble; yet people think nothing of designing around SSNs and attaching all sorts of important information to it: for example, criminal records. Good or bad as the information may be, the SSN is a weak link, and should be regarded with suspicion by programmers rather than a foundation data point.
posted by dhartung at 4:21 PM on March 14, 2003

Still, the question remains whether there whould be different penalties for people who break in to show a hole in defenses and those who break in to steal the TV.

It's like finding your neighbor's door open and then popping in to tell them they should lock it. (and then when they ignore you, you take a couple monogrammed socks to demonstrate how bad this Could Have Been.) It would take a real asshole of a neighbor to prosecute for this, and even then one would hope that the case got thrown out and the neighbor laughed at.

(alternative post:)

yeesh. who gives a damn about the numbers, anyway? life grows quickly ridiculous when living in a beaurocratic, overly litigous tecnocracy.
posted by kaibutsu at 5:17 PM on March 14, 2003

ac: if you "leave your door open"? - don't you mean if you "leave your stuff lying around on the street". The 'net analogy to walking around on the street is entering URLs in your browser. That's all this guy did, with a bit of automation.


i like the "bit of". like someone just walked into your house "a bit" and just took your posessions "a bit"...

i make a living doing "a bit of" automation.
posted by andrew cooke at 7:40 PM on March 14, 2003

Any who, CAPhillips intentionally hacked the SSN database to gather info, if he would have gone to the appropriate people to notify them of this problem, things would have been a lot different.

Indeed; they'd probably have ignored him, and the problem would have persisted. Maybe the next person who thought of the same trick would have actually done something with the information. This way, nobody's been hurt, and the college has been publicly embarassed so they're more likely to fix the problem quickly.
posted by Mars Saxman at 7:56 PM on March 14, 2003

I can't understand the logic behind calling this illegal. Putting something online is an implicit statement that it's public unless there are security measures in place. I once got in trouble with a sysadmin because (it was my first Unix account) I was poking around the system ls-ing various directories, including other users home directories -- not deleting anything, not editing anything, just looking. It seemed — and seems — to me that, when simple security measures (i.e., chmod) are available and are not in use, it's not unreasonable to assume that the information in question is public.
posted by IshmaelGraves at 9:41 PM on March 14, 2003

Exactly. What's the difference between this and a bot that harvests email addresses from web sites? There was no security in place, therefore no break-in took place. Why is this a crime? It's not ethical, but it's not illegal, either.
posted by Oops at 2:18 AM on March 15, 2003

Er, after a second reading of the article, I suppose that he did use the identity of another person, so scratch that argument.
posted by Oops at 2:20 AM on March 15, 2003

Yes and no, Ishmael. The internet isn't just about making information public, it's also about enabling people to efficiently use a centralized resource over a common commodity -- their computer. Online banking is a good example of this. The clear difference is that with online banking you've got better security. The information the site spit out with the correct SSN was protected (albeit weakly) with a page and program that was publicly accessable. I think that's reasonable to assume they did not wish to make all the information behind the page available, or they would have simply done it.

Unfortunately, while it may be extremely foolish of the University to have such a piss-poor interface, that is inconsequential. My car might have a crappy lock, or no lock at all. Do I expect a reasonable amount of security with the CD player inside? Realistically, not really. But legally it doesn't matter if it's locked or not, since the property is mine; anyone accessing things inside my car without my permission will be prosecuted regardless (though I'm sure the lines of ownership are more blurred with personal information).
posted by Civil_Disobedient at 2:53 AM on March 15, 2003