Court Okays Counter-Hack of eBay Hacker's Computer (Updated)

A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp's computer to gather evidence.

The warrantless cyber-search was justified by the "special needs" exception to the Fourth Amendment, because "the administrator reasonably believed the computer had been used to gain unauthorized access to confidential records on a university computer," the U.S. 9th Circuit Court of Appeals ruled Thursday.

(Updated: someone from the University of Wisconsin responds).

The case began in December 1999, when an official at Qualcomm in San Diego detected a hack attack against the company's system, and notified both the FBI, and administrators at the apparent source of the attack -- the University of Wisconsin at Madison.

UWisc system administrator Jeffrey Savoy tracked the intrusion to Heckenkamp's dorm computer, and then determined that Heckencamp was also trying to hack into the university's mail server. Savoy blocked the hacker's IP address, which ended in 117, but Heckenkamp, being a pretty smart guy, changed it.

That's when Savoy turned the tables and counter-cracked the suspect computer, supposedly for the limited purpose of determining if it really was the same system with a different IP address, and to protect the university server from further attack. From today's ruling:

He logged into the computer, using a name and password he had discovered in his earlier investigation into the 117 computer. Savoy used a series of commands to confirm that the 120 computer was the same computer that had been logged on at 117 and to determine whether the computer still posed a risk to the university server. After approximately 15 minutes of looking only in the temporary directory, without deleting, modifying, or destroying any files, Savoy logged off of the computer.

It's unclear why it took Savoy 15 minutes of poking around to determine the 117 computer and the 120 computer were the same -- since he used the password for the former to crack the latter. In any event, the FBI got a warrant and seized Heckenkamp's Linux box, which turned up evidence that Heckenkamp had hacked into Qualcomm, Exodus Communications, Juniper Networks, Lycos, and Cygnus Solutions. He was also, it turns out, the mysterious "MagicFX" who defaced eBay in 1999 and bragged about it to Forbes.

After years of sometimes bizarre court proceedings (at one point he argued the indictment against him was illegal because it spelled his name in all capital letters) Heckenkamp admitted the hacking and pleaded guilty to two felonies in 2004. He was sentenced to eight months in prison, which by then he'd already served in pre-trial custody.

His plea agreement allowed him to challenge the hacking of his computer, as well as a subsequent search of his dorm room and an FBI search warrant that was built on the warrantless searches. The 9th Circuit's ruling today (.pdf) says the counter-hacking was legal, in language that suggests students would be well advised to install a decent firewall before plugging into a university network.

Here, Savoy provided extensive testimony that he was acting to secure the Mail2 server, and that his actions were not motivated by a need to collect evidence for law enforcement purposes or at the request of law enforcement agents. ... The integrity and security of the campus e-mail system was in jeopardy. Although Savoy was aware that the FBI was also investigating the use of a computer on the university network to hack into the Qualcomm system, his actions were not taken for law enforcement purposes. Not only is there no evidence that Savoy was acting at the behest of law enforcement, but also the record indicates that Savoy was acting contrary to law enforcement requests that he delay action.

Under these circumstances, a search warrant was not necessary because Savoy was acting purely within the scope of his role as a system administrator. Under the university's policies, to which Heckenkamp assented when he connected his computer to the university's network, Savoy was authorized to "rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system." Savoy discovered through his examination of the network logs, in which Heckenkamp had no reasonable expectation of privacy, that the computer that he had earlier blocked from the network was now operating from a different IP address, which itself was a violation of the university’s network policies.

This discovery, together with Savoy’s earlier discovery that the computer had gained root access to the university's Mail2 server, created a situation in which Savoy needed to act immediately to protect the system. Although he was aware that the FBI was already seeking a warrant to search Heckenkamp's computer in order to serve the FBI’s law enforcement needs, Savoy believed that the university's separate security interests required immediate action. Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warrant to investigate potential misuse of the university's computer network would disrupt the operation of the university and the network that it relies upon in order to function. Moreover, Savoy and the other network administrators generally do not have the same type of "adversarial relationship" with the university’s network users as law enforcement officers generally have with criminal suspects.

Also on Wired today, Bruce Schneier's thesis on why vigilantism is a poor response to cyberattack.

Update:

University of Wisconsin IT guy Dave Schroeder (who is not an official spokesman) takes issue with my post. Specifically, my observation that the decision "suggests students would be well advised to install a decent firewall before plugging into a university network."

Uh, how exactly does it suggest that?

First, the University of Wisconsin actually recommends that all students run firewalls on their computers.

Second, students MUST comply with the University's acceptable use policy covering University computing resources and the network that is operated by the University.

Third, if you start hacking University servers or infrastructure components that tens of thousands of people and many critical and diverse university resources and functions depend on, immediate actions WILL be taken to remove, and verify removal, or access to the network, to be followed by legal and criminal action.

So yeah, if you want to hack from the University network in violation of University policy, Housing policy, and various laws, sure, better "install a decent firewall".

Regards,

Dave Schroeder

University of Wisconsin - Madison

This smacks of vigilantism. According to the decision, UWisc cracked Heckenkamp's computer in order to confirm that he was the hacker they were looking for. Heckenkamp turned out to be guilty, so Schroeder's tough talk has some surface appeal. But what if Heckenkamp had been innocent?

The whole policy has some nasty implications for student privacy. There's no judge in the loop; no independent finder of fact. So who decides when there's enough evidence to break into the student's machine and riffle through his files? And then there's the inevitable mission creep. What happens when system administrators crack a suspected hacker's computer, and find he's innocent of the hack, but also turn up evidence that he's been selling dope to his friends? Or downloading pirated music? And eventually, instead of Qualcomm, it'll be the RIAA or the MPAA calling up the University of Wisconsin for a little help.

(Photo: Jake Schoellkopf /AP)