Motives Revealed by Athena Hacker
The person responsible for stealing over 600 Athena username/password pairs last Tuesday night released a statement via e-mail late Friday night. The e-mail was sent from a quickstation in the Stata Center, with the same Yahoo! account used to send out the username/password pairs last week.
Jeffrey I. Schiller ’79, network manager for Information Services and Technology, said that he received an e-mail from the individual on Friday night and has since received several more, though he declined to comment on the nature of the other e-mails.
“The point that I’m out to prove is not that there is a newly discovered vulnerability in Athena,” the e-mail stated. “I just believe that the current level of security that is present is completely unacceptable.”
“I understand that the designers of Athena realized these vulnerabilities and decided to leave the system with these vulnerabilities present, but it is my belief that they did not consider the serious implications of deploying such an insecure system,” the e-mail stated.
Schiller declined to comment on developments in the investigation or whether the recent e-mails had provided any clues to the identity of the perpetrator.
“We will either catch the person, or we will keep trying until we do,” Schiller said. Once the perpetrator has been identified, said Schiller, the matter will be referred to William M. Fischer, associate dean for student conduct and risk management, or the Committee on Discipline. Schiller confirmed that the perpetrator is a student.
IS&T questions hacker’s motives
Though the hacker’s e-mail stated that an effort was made “to point out these insecurities in a rather non-destructive way,” it did admit causing “a lot of inconvenience for a lot of people” that could have been reduced with better planning.
“However, I think that a benign compromise of this scale is the only way the administrators of the Athena system can be convinced to change their security policy,” the e-mail stated.
Schiller criticized the individual’s attitude, saying it is wrong to do something just because one might get away with it, and also questioned the sincerity of the individual’s claim.
“It’s a bogus argument,” Schiller said, arguing that if the individual had really felt there was a problem with security, the person should have approached someone in IS&T.
“The reality is, if you have physical control of the workstation, then you can do basically anything with it,” Schiller said.
Schiller also said that the security of public workstations is “a problem that’s going to go away on its own” as public workstations are replaced in a shift to create public work areas.