http://www.rose-hulman.edu/Users/groups/Thorn/HTML/ http://www.rose-hulman.edu/Users/groups/Thorn/HTML/current/frontpage/1.html Hacker strikes through student's router Alex Clerc Earlier this week, a hacker infiltrated the website of a company in France, defacing the site and using it to send vulgar emails. The hacker was not a Rose-Hulman student. But through a router maintained by a Rose-Hulman student, the hacker was able to do this anonymously. The student, senior computer science major David Yip, was maintaining a router on his computer called a Tor onion router. What Tor basically does is enable anonymous communications over the internet. Yip downloaded and installed Tor on his computer about two months ago. His machine became a Tor exit node on September 4, 2005. Early Thursday morning, the French company traced the hacker back to Yip's computer and contacted IAIT. IAIT took action by freezing Yip's Kerberos account; he is unable to access the Internet, email, Angel, or Banner. His case will be considered by the Computer Use Committee and a recommendation will be made to Pete Gustafson, the Dean of Students if disciplinary action is deemed appropriate. Staff members at IAIT were unwilling to comment on the circumstances, as was Gustafson. In an interview, Yip made it clear that he read the policy for responsible use of Rose-Hulman computing facilities and took the "due diligence" it demands for students setting up networks. As a precaution against people using his machine for malicious activity, Yip disabled the ability to send mail, use peer-to-peer programs, and use internet relay chat (IRC). He also limited the transfer quota to 800 megabytes per day. "The services I left open are generally considered to be benign," he said. Yip stated that he saw nothing specifically banning Tor nodes in the Rose-Hulman internet policy. Yip does not know who has been using his Tor node or what it has been used for. "That's the point," he said. "Being able to communicate anonymously is very important. I feel there are certain ideas in certain contexts that cannot be expressed unless they are expressed anonymously." "I also find [Tor] interesting from a research standpoint. It's a neat research project," Yip added. Tor was originally developed by the U.S. Naval Research Laboratory and has been facilitated by the Electronic Frontier Foundation (EFF) for the last year and a half. According to Fred von Lohmann, a staff attorney at the EFF, Yip's case is the first case ever involving potential disciplinary action for the use of Tor. "If this is something that was done by a third party, the student shouldn't be held responsible," he said. Assistant Professor of Computer Science Larry Merkle disagreed: "I can definitely see there being a case against [Yip] because he used bandwidth for non-academic purposes." Merkle added, "? but I know [Yip] fairly well and I don't think he had any malicious intentions." What Tor enables ? anonymous online communications ? raises ethical questions that are yet to be settled. By allowing anonymous communications to anyone, it offers equal protection to both good and bad users. Van Lohmann said, "Before we start questioning the right to anonymous speech, we need to ask if the [French] website's security had a flaw." Professor of Computer Science David Mutchler added, "I think anonymous communication over the Internet is critical. There are many places in the world where free speech is not protected. Anonymous communication allows that free speech to exist." On its website, the EFF lists many beneficial applications of Tor, including socially sensitive communications (such as chat rooms for victims of rape, abuse, or illnesses) and journalistic communications with whistleblowers and dissidents. Law enforcement groups can use Tor for data sting operations and the U.S. Navy uses it for open source intelligence gathering. Merkle warned, "The [EFF] makes a good case for the reasons to use it, but completely ignores the reasons why providing it might be bad for society." Situations involving improper Internet use are usually first detected by IAIT and then passed to Student Affairs. If an expert opinion is needed, the case is presented to the Computer Use Committee. Pete Gustafson makes the final decision. The last incident in which the Computer Use Committee was consulted was a case in the '03-'04 school year. The case involved a student hacking in to the computer of an employee of the admissions office. The student then attempted to send an all campus email claiming that one of the Olsen twins decided to attend Rose-Hulman. The Computer Use Committee recommended that the student be suspended; Pete Gustafson followed through on this recommendation. "The single best thing that can come of this," concluded Mutchler, "would be if students read the policy at www.rose-hulman.edu/TSC/policies/computer_use and discuss with faculty and administration any parts of the policy that they think are not right." -- ..o: It's 12 o'clock - do you know where your data is? :o... ----------------------------------------------------------------------------- -------------- Hardening Your Macintosh - http://members.lycos.co.uk/hardapple/ pgp key fingerprint: 0F02 99D5 1D23 E445 22C9 9C90 8F24 FDBA B618 33C4 ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]