
How M.I.T. Ensnared a Hacker, Bucking a Freewheeling Culture - bensw
http://www.nytimes.com/2013/01/21/technology/how-mit-ensnared-a-hacker-bucking-a-freewheeling-culture.html?hpw&_r=0
======
denzil_correa
In order to understand why this incident was even more shocking than usual,
one just needs to read this snippet

    
    
        The arrest shocked friends of Mr. Swartz, as well as 
        M.I.T. alumni. Brewster Kahle, an M.I.T. graduate and 
        founder of the digital library Internet Archive, where 
        Mr. Swartz gave programming assistance, wrote: “When I 
        was at M.I.T., if someone went to hack the system, say 
        by downloading databases to play with them, might be 
        called a hero, get a degree, and start a company. But 
        they called the cops on him. Cops.”
    

I find the change of perspective - from hero to criminal - from MIT quite
astonishing. I wonder if this incident makes current students wary about the
change in _MIT ethos_.

~~~
Anechoic
_I wonder if this incident makes current students wary about the change in MIT
ethos._

As an alum, I don't see a change in ethos. During my time there ('91 to '95)
things were open, but if you were doing something that the institute
considered improper they asked you to stop. If you persisted in the behavior,
they escalated the response. In my four years there, I witnessed this
philosophy applied to drinking, trespassing in forbidden places (roofs for
example), harassing behavior and yes, behavior on the network.

Students often "explored" the network (myself included) but it was possible to
go too far.

(no, I don't think Swartz's transgressions warranted multiple years in prison
and the whole situation is a tragedy)

~~~
mc32
I don't think this is only MIT. It's just a new ecosystem growing up. I
remember when spoofing a superior's email was fun. I remember when accessing
other people's emails via misconfiguration, etc. was 'fun'. I remember when
very few paces had any kind of firewall.

None of these things are true any longer. As things mature, they take on a new
importance and are treated as such.

When the first aeroplanes were around, did one need to get a pilot's license
(no), could you buzz buildings (yes)? When the first autos came about, where
there any traffic regulations? Nope. They were both freewheeling till they
took on importance.

------
waterlesscloud
"At 9:44 a.m. the M.I.T. police were called in; by 10:30 a.m., the Cambridge
police were en route, and by 11 a.m., Michael Pickett, a Secret Service agent
and expert on computer crime, was on the scene. "

Less than 1.5 hours from campus cops to Secret Service _on scene_.

~~~
MichaelSalib
The Secret Service office in Boston is a 2 mile drive from MIT. Once you
decide to bring in the police, it makes sense that they'll contact specialist
law enforcement that focus on computer crimes, especially since the Secret
Service is so close.

~~~
wpietri
The surprise isn't that they got their easily from their nearby office. It's
that they so quickly decided to leave their office.

~~~
MichaelSalib
If I were a USSS officer specializing in computer crime and MIT called me
after discovering a laptop that was used in an ongoing crime, I'd run like
hell because I wouldn't want decisions to be made by the local Cambridge cops
since they don't know anything about computer crimes. I mean, if you think the
laptop represents a crime scene, you really don't want non-specialists
handling it right?

------
gnosis
_"'M.I.T. had to identify the hacker and assist with his apprehension in order
to prevent further abuse,' the government argued in court."_

Or they could have just tried talking to him and giving him a verbal warning.

~~~
mpyne
What would a verbal warning have been useful for? He already knew his behavior
was unwanted, and that's what verbal warnings are for. He wasn't stupid, so
the verbal warnings wouldn't have been the first time that he learned that
there were actual laws against unauthorized network access.

Besides, what's there to warn him about, he's 100% right in what he was doing,
wasn't he? To hear it from the hacktivists, he did nothing wrong (and so
there's nothing to warn him about). If he did do something to warrant a
warning then he was already past the point of needing one.

~~~
gnosis
First, by talking to him, MIT would have revealed that they knew who he was.
That alone might have dissuaded him, as he was clearly acting under the
assumption that he had successfully hidden his identity (or otherwise he would
not have bothered to hide his face from the camera).

Second, they might have learned his motives and either found another way for
him to achieve his objective (perhaps through some sort of compromise) or
persuaded him to stop.

Third, they could have made clear to him what the penalties the government was
ready to use against him in this case were, and that they had enough evidence
to take him to court if he persisted.

Any of these might have been enough to lead to a less tragic outcome than what
wound up happening when they immediately threw the book at him.

------
rdl
I wonder what "activity from China" was.

Also, looks like this went all the way up to the Chancellor, so it's not as if
it was just the libraries or someone pushing for this.

~~~
kanzure
"Counsel for the government understands that a number of external connections
were made and/or attempted to the Acer laptop between January 4, 2011 and
January 6, 2011, including from a Linux server at MIT and from China."

("Attempted" means his laptop probably had a public ip address assigned
through dhcp and someone was knocking on ports from China. This "attempt"
happens constantly 24/7 and is nothing to write home about.)

"7. Exculpatory Evidence. In paragraph H of the government's letter, the
government described but refused to provide almost all of certain exculpatory
evidence, including evidence that, during the period covered by the
indictment, persons other than Mr. Swartz at Harvard, MIT and China accessed
the Acer laptop that was seized by the government, and persons other than Mr.
Swartz at MIT and elsewhere were engaging in "journal spidering" of JSTOR data
using a "virtual computer" that can be hosted by anyone at MIT. The government
has no basis for withholding the electronic evidence described as exculpatory
in its letter."

<http://diyhpl.us/~bryan/irc/aaronsw-lost-pirate-treasure.txt>

------
SagelyGuru
Why did MIT call in the secret service right away?

The answer must lie with certain Charles M. Vest who, in 1990, became
president of MIT and served in that position until December 2004. He is now
MIT professor and president emeritus.

He also happens to be a key member of the board of trustees of Ithaka, the
owners of JSTOR.

I would not hold out my breath for MIT investigation criticising its own
President Emeritus.

~~~
mjn
I think it's a bigger change than with JSTOR specifically, so I'm skeptical
that connection is the root cause. Another example, completely unrelated to
IP, is that MIT used to quasi-tolerate tunnel/roof exploration, and in any
case certainly didn't report students to the cops for it. But now they charge
students with felonies for doing it:
<http://tech.mit.edu/V127/N4/hackers.html>

------
MichaelSalib
So, is there anything in this story that we didn't know from the indictment?
Or any bits of the indictment that have been confirmed by NYT reporters
talking to sources who were there? If the NYT is just summarizing the
indictment, this doesn't seem very helpful at all.

------
charlesfracchia
I think one of the keys of this incident resides in the article posted by
thaumaturgy (<http://tech.mit.edu/V127/N66/hacking.html>):

"At the meeting, Chancellor Phillip L. Clay PhD ’75 told the faculty that
administrators were working with the district attorney’s office to move the
felony trials out of the Cambridge court system to an internal Committee on
Discipline process. The charges against the students were dropped on Feb. 28,
when the prosecution filed nolle prosequi orders for the three students,
indicating that they would not move forward on the charges."

My personal opinion is that following identification by MIT and clarification
of his intent, this should have been dealt with internally. While it was
totally within the power of the prosecution to persist and press charges, the
article shows an example where top MIT management did the right thing and
insisted upon dealing with this internally (again: my opinion).

As an MIT student, it worries me that a measured response was not achieved by
MIT management in this case. Whether that means MIT should not have called the
police and allow uncontrollable escalation or should have done a better job in
convincing the prosecution to not press on, I cannot be sure. It is of course
also possible that what happened is just a reflection of the prosecution's
resolve to treat this with the full force of the law and whatever MIT
management may have said fell into deaf ears.

I am unsure what weight each of those has in this sad case and I deeply
appreciate President Reif's initiative to carry an internal investigation into
MIT's response.

However, two other things bother me with regard to this case. First, it
strikes me that the Computer Fraud and Abuse Act is inadequately broad and
allows for dangerous interpretations. Second, it is very scary to think that
individuals in the prosecution are insentivized to press for the maximum
amount of charges, with little to no regard for proportionality. I can only
hope for a system in which sentences are not used as a metric for a
prosecutor's competence.

It seems to me that the concept of proportionality -as it is applied in armed
conflict- is an essential one when talking about this whole issue. I fear that
it is the root failing in this affair both in MIT's inability to treat this
internally and later, in the prosecution's attitude towards the case.

------
shail
I wish these stupid universities would soon stop mattering and go into
oblivion.

------
mithacker
So not only did Aaron try to hide his crime, he ran away when police tried to
talk to him about it? Why are we defending him again?

~~~
herbig
You created an account solely to post this dumb comment?

