[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Hacker strikes through student's router


Hacker strikes through student's router
Alex Clerc

Earlier this week, a hacker infiltrated the website of a company in
France, defacing the site and using it to send vulgar emails. The
hacker was not a Rose-Hulman student. But through a router maintained
by a Rose-Hulman student, the hacker was able to do this anonymously.

The student, senior computer science major David Yip, was maintaining
a router on his computer called a Tor onion router. What Tor basically
does is enable anonymous communications over the internet. Yip
downloaded and installed Tor on his computer about two months ago. His
machine became a Tor exit node on September 4, 2005.

Early Thursday morning, the French company traced the hacker back to
Yip's computer and contacted IAIT. IAIT took action by freezing Yip's
Kerberos account; he is unable to access the Internet, email, Angel,
or Banner. His case will be considered by the Computer Use Committee
and a recommendation will be made to Pete Gustafson, the Dean of
Students if disciplinary action is deemed appropriate. Staff members
at IAIT were unwilling to comment on the circumstances, as was

In an interview, Yip made it clear that he read the policy for
responsible use of Rose-Hulman computing facilities and took the "due
diligence" it demands for students setting up networks. As a
precaution against people using his machine for malicious activity,
Yip disabled the ability to send mail, use peer-to-peer programs, and
use internet relay chat (IRC). He also limited the transfer quota to
800 megabytes per day.

"The services I left open are generally considered to be benign," he
said. Yip stated that he saw nothing specifically banning Tor nodes in
the Rose-Hulman internet policy.

Yip does not know who has been using his Tor node or what it has been
used for. "That's the point," he said. "Being able to communicate
anonymously is very important. I feel there are certain ideas in
certain contexts that cannot be expressed unless they are expressed

"I also find [Tor] interesting from a research standpoint. It's a neat
research project," Yip added.

Tor was originally developed by the U.S. Naval Research Laboratory and
has been facilitated by the Electronic Frontier Foundation (EFF) for
the last year and a half. According to Fred von Lohmann, a staff
attorney at the EFF, Yip's case is the first case ever involving
potential disciplinary action for the use of Tor. "If this is
something that was done by a third party, the student shouldn't be
held responsible," he said.

Assistant Professor of Computer Science Larry Merkle disagreed: "I can
definitely see there being a case against [Yip] because he used
bandwidth for non-academic purposes." Merkle added, "… but I know
[Yip] fairly well and I don't think he had any malicious intentions."

What Tor enables – anonymous online communications – raises ethical
questions that are yet to be settled. By allowing anonymous
communications to anyone, it offers equal protection to both good and
bad users.

Van Lohmann said, "Before we start questioning the right to anonymous
speech, we need to ask if the [French] website's security had a flaw."

Professor of Computer Science David Mutchler added, "I think anonymous
communication over the Internet is critical. There are many places in
the world where free speech is not protected. Anonymous communication
allows that free speech to exist."

On its website, the EFF lists many beneficial applications of Tor,
including socially sensitive communications (such as chat rooms for
victims of rape, abuse, or illnesses) and journalistic communications
with whistleblowers and dissidents. Law enforcement groups can use Tor
for data sting operations and the U.S. Navy uses it for open source
intelligence gathering.

Merkle warned, "The [EFF] makes a good case for the reasons to use it,
but completely ignores the reasons why providing it might be bad for

Situations involving improper Internet use are usually first detected
by IAIT and then passed to Student Affairs. If an expert opinion is
needed, the case is presented to the Computer Use Committee. Pete
Gustafson makes the final decision.

The last incident in which the Computer Use Committee was consulted
was a case in the '03-'04 school year. The case involved a student
hacking in to the computer of an employee of the admissions office.
The student then attempted to send an all campus email claiming that
one of the Olsen twins decided to attend Rose-Hulman. The Computer Use
Committee recommended that the student be suspended; Pete Gustafson
followed through on this recommendation.

"The single best thing that can come of this," concluded Mutchler,
"would be if students read the policy at
www.rose-hulman.edu/TSC/policies/computer_use and discuss with faculty
and administration any parts of the policy that they think are not

     ..o:   It's 12 o'clock - do you know where your data is?   :o...
Hardening Your Macintosh - http://members.lycos.co.uk/hardapple/

pgp key fingerprint: 0F02 99D5 1D23 E445 22C9 9C90 8F24 FDBA B618 33C4