Hacking Tradition Under Fire?

[InfoSec News <alerts () infosecnews org>]

http://www-tech.mit.edu/V127/N66/hacking.html

By Angeline Wang
The Tech
February 4, 2008

After students were found exploring the MIT Faculty Club by the Campus 
Police late on a Saturday night and found themselves facing felony 
charges, MIT found itself struggling to define exactly how it valued the 
hacking community. The result of MITs soul-searching, a statement and a 
set of guidelines to be included in the student handbook, was drafted 
throughout 2007 with input from students.

In a recent draft of the revised guidelines, MIT endorses hacking as a 
tradition to be preserved and outlines rules that hackers should follow 
rules based on the well-known Hackers Code of Ethics [1]. Additionally, 
all future cases involving unauthorized access will be brought to the 
faculty-student Committee on Discipline. The statement and guidelines 
await one further round of review before they will be made public.


The Faculty Club incident

In October 2006, three MIT students set off a burglar alarm in the E52 
Faculty Club in the middle of the night and were found by the MIT 
Police. The case was taken to the Middlesex County Cambridge District 
Court.

The students Kristina K. Brown 09, David Nawi, and Matthew W. Petersen 
09 were charged with breaking and entering in the nighttime with intent 
to commit a felony and trespassing. Additionally, Petersen was charged 
with possession of burglarious tools for carrying a slide, an L-shaped 
piece of metal that can be used to open some doors.

According to a joint statement from their attorneys, the students had 
absolutely no intent to do any harm. They were engaged in a longstanding 
tradition among MIT students of after-hours exploration of the 
university campus, the statement continues.

Motions to dismiss were filed for all three students on the grounds that 
there was no evidence the students broke into the building and that 
there was no evidence the students intended to commit a felony.

Then-MIT Police Chief John DiFava said in February that he believed all 
elements of an apparent felony breaking and entering were present that 
evening and that his officers were justified in issuing a summons to 
court. I support the officers decision at the time, DiFava said.

How do we know a hacker from a thief? DiFava said. This whole issue of 
hacking or not hacking, thats not a police matter.

Thefts of items in the Faculty Club had been reported prior to the 
October incident, which may have influenced the officers decisions that 
night.

The narrative filed with the police report states that MIT Police 
Officers Sean C. Munnelly and Duane R. Keegan responded to a burglar 
alarm in the Faculty Club at approximately 1:50 a.m. on Oct. 22, 2006 
and found Brown, Petersen, and Nawi in the kitchen. The students were 
found near an open panel in the wall that leads to a crawl space.

The narrative, written by Munnelly, states that the elevator used to 
reach the sixth floor Faculty Club would only take the officers to the 
fifth floor. The elevators are supposed to be locked so that they will 
not travel to the sixth floor when the Faculty Club is closed. The 
narrative also states that there was a visible no trespassing sign on 
the door that opened onto the sixth floor from the stairwell.

Nawis motion moved to dismiss conflicts with the polices story, stating 
that the elevator functioned without restriction that night, taking the 
three students to the sixth floor, and that there were no signs 
indicating that access to the sixth floor was not permitted after-hours. 
Mr. Nawi and his friends did not access the 6th floor by a stairwell, 
the motion states.

After the arrest became widely known in February 2007, some students and 
community members became concerned that this case was indicative of a 
change in internal policy regarding how students caught hacking would be 
treated in the future. In most cases, students caught hacking in 
unauthorized areas would be brought before MITs Committee on Discipline, 
where they would be given fines or community service.

I have never heard of students being given a felony without something 
else involved, either a violent activity or a theft, said Joseph T. 
Foley 98, who is friends with the students involved. This sets a really 
bad precedent at MIT. These people were not doing anything strange. They 
were just in the wrong place at the wrong time.

Then-Undergraduate Association President Andrew T. Lukmann 07 (currently 
a Tech photographer) said in February that there was a strong consensus 
among MIT administrators that what happened in this case is an isolated 
incident and is not indicative of a change in policy.

The MIT administration also faced pressure from concerned faculty and 
alumni. At the Feb. 21 faculty meeting, Professor Harold Abelson PhD 73 
raised the issue to determine what MIT is planning to do now.

?I think that there was a lapse in MIT procedures that resulted in this 
case getting so far along without the top administration knowing about 
it, Abelson said in an e-mail in February.

At the meeting, Chancellor Phillip L. Clay PhD 75 told the faculty that 
administrators were working with the district attorneys office to move 
the felony trials out of the Cambridge court system to an internal 
Committee on Discipline process.

The charges against the students were dropped on Feb. 28, when the 
prosecution filed nolle prosequi orders for the three students, 
indicating that they would not move forward on the charges.

Nawis order states that the prosecution spoke with R. Greg Morgan, 
general counsel for MIT, and that Mr. Morgan on behalf of MIT has 
requested the case be dismissed, so MIT may handle this matter 
internally and administratively, as they have done in the past in 
similar situations. The Commonwealth also spoke with Chief DiFava of the 
MIT Police who indicated that the MIT Police would be in agreement with 
a dismissal.

Students and alumni involved in the hacking community helped to pay the 
legal bills of the three students. Over $10,000 had been raised by the 
beginning of March.


Hacking guidelines drafted

Discussions between administrators, student leaders, and four or five 
members of the hacking community began in the spring and have resulted 
in a hacking statement and guidelines that are pending one more round of 
approval, according to UA Senator Steven M. Kelch 08.

The guidelines are coming about because there has always been ambiguity 
as to how MIT would handle its position on hacking, Kelch said in 
October.

The guidelines, which will be added to the student handbook, will 
include three parts, UA President Martin F. Holmes 08 said in October. 
The first is an MIT statement supporting the preservation of the hacking 
tradition; the second is the restatement of the hackers code of ethics; 
and the third is a policy on unauthorized access.

The statement on hacking is the big change, Kelch said. MIT is finally 
taking a stance on hacking, he said, and is recognizing that hacking is 
a tradition that should be preserved.

However, it is a delicate balance for MIT, which could face legal 
liability if it were seen to condone illegal activity. Most 
administrators do understand hacking, Kelch said. They are willing to 
try to preserve that, but they cant condone dangerous activity.

One major change is that all future hacking cases dealing with 
unauthorized access will be brought to the faculty-student Committee on 
Discipline. Holmes said that the administration was very insistent on 
this point. In the past, hacking cases were handled by many different 
groups, including the MIT Police, deans, and the CoD, Kelch said. The 
committee has recognized that they cant have multiple tracks, Kelch 
said. Its too hard to be accountable.

Kelch said that the unauthorized access policy included in the 
guidelines would be general enough to go beyond hacking. UA Vice 
President Ali S. Wyne 08 said that the committee is working to achieve a 
balance between two extremes giving too explicit a policy, one which 
delineates all possible hacks and penalties, and being too vague.

The unauthorized access policy proposed by former UA Vice President 
Jessie H. Lowell 07 in 2005 will not be used, according to Kelch. The 
proposed policy, listing very specific penalties for a first offense and 
repeat offenses, replaced the previous rooftop fines with community 
service. This service policy never went into effect, Kelch said, though 
some students have been given community service when found in 
unauthorized areas such as rooftops.

Additionally, a module on campus culture and hacking will be included in 
the training the CoD receives each year.

In preparation for the release of these guidelines, Chancellor Clay sent 
an e-mail out to all MIT students in October that said students must 
take full responsibility for their actions even while celebrating and 
protecting traditions such as hacking.

Clay said in October that the e-mail was prompted in part by numerous 
events over the past couple years that have revealed a need to 
re-emphasize safety, responsibility, and integrity. Though he did not 
name specific events in his e-mail, Clay was referring to the Faculty 
Club incident as well a January 2006 incident in which an undergraduate 
fell through a skylight on the roof of Building 5.

We cannot deny the fact that what was tolerated in the past, and may 
even have been celebrated, is now viewed different, Clay said in his 
e-mail to students, referring to changes in perception since Sept. 11, 
2001.

Dangerous or illegal behavior labeled as hacks is a risk for us all and 
threatens our ability to be as open as we have been in the past, Clay 
said. The October e-mail was also sent shortly after volunteers on the 
Charles River Cleanup Boat were injured by a piece of sodium that may 
have originated from an MIT sodium drop.

[1] http://www-tech.mit.edu/V127/N66/graphics/hackingethics.html

Copyright 1881-2008 The Tech


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn