
MIT Closet Allegedly Used by Aaron Swartz - mrb
http://cryptome.org/2013/01/swartz/mit-closet-swartz.htm
======
gregholmberg
When I clicked on the link, I expected to see an unlocked closet primarily
used to store mops, floor wax and boxes of copier paper.

Instead, I saw a small carpeted room containing a half-full rack of telecom
gear, featuring several Ethernet switches providing 100 or so switchports for
end users, punchdown blocks for terminating phone service to a similar number
of incoming lines, and a small number of switchports on what looks like an
administratively privileged network via a second smaller switch.

The list price of the larger Cisco with all three power supplies and several
24-port GigE cards was at least $15,000 the last time I had to buy one.

The fiber uplinks to other rooms (provisioned like this one, or better,
typically one per wing on each floor of a large building) are likely to carry
some very interesting traffic -- not just between end users and their
preferred servers, but between the large switches themselves, possibly even
routing outbound traffic for the "administrative" switch, as well.

I sometimes use separate "control plane" switched media to access "remote
power strips". These allow an admin to remain seated at a desk while rebooting
machines all over the campus.

Allowing unrestricted access to a storage closet containing that much gear
(uninstalled) is irresponsible. Theft is likely.

Allowing unrestricted access to a wiring closet containing that much gear
(provisioned, configured, and running in production mode) is a hilarious wtf.
The imagination soars ...

Allowing unrestricted physical access to any administrative switch that
carries traffic for power-cycling campus equipment on and off remotely is a
fairly serious oversight, and not in the least bit hilarious.

edit: It looks like the photos show two different rooms. The wiring closet
itself has a bare concrete floor.

~~~
jasonzemos
I'm not surprised. That seems to be the MIT ethos since Stallman proclaimed
the best account password for all users was the enter key.

~~~
carlob
Several times while visiting Boston, I have entered the medialab on weekends
and no one prevented me from getting a good tour of the building. I always
thought this was part of the MIT culture, not a blunder of security.

~~~
Timmmmbob
That's how all universities work. It's quite impractical to secure them
properly, and nobody can hope to recognise all the students (and visitors!) so
you can basically walk around any university and as long as you look like you
belong there nobody will challenge you.

~~~
carlob
No, I'll have to disagree here. I've spent around 10 years in several
universities both in Europe and the US and most of them are closed during
weekends and you can't walk around and touch experiments when no one is
around.

MIT is special in its openness, or at least the Medialab is (you can't really
walk in any lab of the Physics department).

------
alaskamiller
Aaron's impact has been rippling through the internets lately and that's awe
inspiring but we're slowly marching into morbid reality porn. Nancy Grace does
this exact "thing" for a living. Tread lightly.

~~~
Zimahl
I agree, it's getting creepy. I'm starting to get the feeling of 'man worship'
where perfectly sane men put giant Fathead pictures of professional athletes
on their walls, wear their jerseys, and get a little too involved.

------
jrockway
Makes me wonder how many years in prison the prosecutors would give you if you
just walked into JSTOR and stole one of their hard drives. It's not even a
federal crime anymore.

~~~
jlgreco
Well, assuming that would be treated the equivalent of armed bank robbery
(robbery of a... data bank? ;)... a maximum of 25 years. Knock off 5 years if
you don't bring a gun.

~~~
corin_
How is it the equivalent to _armed_ bank robbery?

~~~
jlgreco
It's not, but I figure I may as well highlight that even if you rob a bank
with a gun your maximum sentence is less than 35 years.

~~~
slapshot
That's simply not true. "Possession of a firearm in furtherance of a bank
robbery carries a minimum statutory sentence of five years in prison and a
maximum of life imprisonment consecutive to any other sentence, plus a
$250,000 fine."

[1]
[http://www.justice.gov/usao/ncw/pressreleases/Charlotte-2012...](http://www.justice.gov/usao/ncw/pressreleases/Charlotte-2012-07-23-humphrey.html)
, among many other sources.

~~~
jlgreco
That is the page I found before I commented, I am seeing on that page:

 _"Bank robbery carries a statutory maximum sentence 20 years in prison and a
$250,000 fine. Bank robbery while armed with a firearm carries a maximum
sentence of 25 years."_

It also seems, in addition to armed bank robbery being a crime, having the
firearm during a bank robbery is itself is a crime, and the maximum punishment
for having the firearm, but not the bank robbery itself, is life.

It seems you are practically correct.

~~~
slapshot
If you want to get really technical, those are the federal penalties for armed
bank robbery. Under state law, plenty of states have maximum sentences of life
for armed robbery in general. Here's Virginia's law allowing a life sentence
for armed robbery of anything (not just banks):
[http://law.justia.com/codes/virginia/2006/toc1802000/18.2-58...](http://law.justia.com/codes/virginia/2006/toc1802000/18.2-58.html)

~~~
jlgreco
Of course states vary, so a comparison to federal penalties make the most
sense. For example, it seems California caps robbery sentences to 9 years.
[http://www.leginfo.ca.gov/cgi-
bin/displaycode?section=pen...](http://www.leginfo.ca.gov/cgi-
bin/displaycode?section=pen&group=00001-01000&file=211-215) I don't know what
they give for armed robbery though.

One thing seems fairly clear though: at least in many states stealing
harddrives (without using a gun) is probably better than copying the contents
of harddrives with a computer. The punishments we have decided that 'hackers'
should get are out of proportion when compared to crimes committed 'in
meatspace'.

For example, just since I'm already looking at the Californian penal code:

> _(c) (1) Any person who commits rape in violation of paragraph (2) of
> subdivision (a) of Section 261 upon a child who is under 14 years of age
> shall be punished by imprisonment in the state prison for 9, 11, or 13
> years._

~~~
slapshot
Again, there are other statutes that make life in prison the maximum penalty
for child sexual assault in California. The rape statute you quote expressly
says that the 9-13 years you quote is stacked on top of the general crime of
sexual assault of a minor:

>> This subdivision does not preclude prosecution under Section 269, Section
288.7, or any other provision of law.

>> 269: Any person who commits any of the following acts upon a child who is
under 14 years of age and seven or more years younger than the person is
guilty of aggravated sexual assault of a child [statute lists all conceivable
forms of sexual gratification] ... Any person who violates this section is
guilty of a felony and shall be punished by imprisonment in the state prison
for 15 years to life.

Section 288 adds yet more penalties for using force, being in a position of
trust, etc.

You keep using examples of "hackers get stronger penalties than these other
crimes" (bank robbery, child rape), but the other crimes consistently have
life in prison as a maximum sentence if you stop to read the full context of
the law.

~~~
jrockway
I think it's more realistic to do a "where are they now" style survey to see
how long sentences end up being in practice. With overcrowded state prisons,
not many people end up serving the max.

------
rdl
Heh. I used to leave my bag in one of those closets when I went to the
bathroom if I was in a computer lab.

~~~
gt565k
I bet no one locks those closets. I know for a fact there are a few comm
closets with actual servers controlling the PLC of the building at my
university that are often left unlocked, door wide open. No one gives a crap
at these institutes. If a real malicious hacker got into one of those, he
could easily wreak havoc.

~~~
sneak
And yet somehow, havoc isn't wreaked. Most bills aren't counterfeit. Most
contracts don't get litigated.

I think about security, so I know what you're talking about... but there is a
real line between security and fearmongering.

It's just network access, or denial of service. Nothing more.

~~~
BCM43
Or a MITM attack stealing personal information?

------
bstar77
Seems like this could had been done much more discretely, makes me think Aaron
may have wanted to get caught. Why not just buy a cheap 1u server and add it
to the rack, I bet that goes unnoticed much longer.

------
Riesling
Interesting. Keeping my fingers crossed that the download script will be
released next. I would love to read through the code and see for myself how
much actual "hacking" was involved.

------
clicks
The SAMSUNG EcoGreen F2 HD154UI hard drive pictured is 1.5 TB.

The alleged JSTOR archive torrent making the rounds is 35 GB. If Aaron went
through the trouble of getting a HDD 1+ TB, it means the JSTOR files probably
amassed to a size indeed to the tune of ~1 TB, (at least, if he in fact did
have accurate foreknowledge of their true size).

~~~
S201
Or maybe he just had a spare 1.5TB drive around.

------
jlgreco
I like the graffiti on the right wall in the first picture. Gives off some
serious vibes of "secured room".

~~~
borski
That's not graffiti. MIT hackers commonly 'sign in' to places that they've
found and gained entrance to. A wiring closet, frankly, is kind of a lame
place to sign in at, but the steps under Lobby 7 or the steam tunnels or the
little dome are far more interesting, for example.

It's actually looked down upon fairly heavily if a sign in is larger than a
regular signature by very much - typically sign ins are lauded, graffiti
isn't.

Just thought I'd clarify. :)

~~~
jwr
I suspect there won't be as many MIT hackers now that this sort of culture is
no longer tolerated. Getting in trouble with your principal/dean/chairman is
quite different from facing the secret service, federal prosecution, 30 years
in jail and multi-million dollar fines.

~~~
borski
MIT over the last few years, sadly, under the Hockfield administration, has
screwed hackers over - no doubt about that. Numbers decreased because of that.
But they increased at the same time due to the MIT blogs and better (sometimes
unintentional) publicity of MIT hacks.

I honestly suspect that things will be better for hackers under Reif's
administration. He does, in my humble opinion, "not suck."

EDIT: Also important of note is that Aaron wasn't a student at MIT -
historically, MIT students were forgiven for things like hacking, but non-MIT
students were typically handed over to Cambridge Police. Typically, when
hacking with a non-MIT student, you would pretend they were a 'pre-frosh' if
you could.

~~~
rdl
I've never heard anything but criticism of Hockfield on any front.

------
jpdoctor
> _Download Equipment Allegedly Stored in Building 20_

I assume this is a typo? or is there a recent renumbered bldg?

~~~
systemizer
No, that is correct. He left his hard drive and laptop in the SIPB office in
W20. See the Tech's article from August 2011.

<http://tech.mit.edu/V131/N30/swartz.html>

~~~
rdl
Ah, you're right (W20 != 20). The basement wiring closet was Building 16, but
the SIPB stuff was W20. (you can tell by the ghetto furniture with duct tape).

SIPB at least used to be pretty friendly about letting visiting "reasonable"
people plug into the network, based on whoever was at the office at the time.

------
gadders
Whereabouts was the tramp (hobo) sleeping?

~~~
mindslight
Presumably the police weren't quite as eager to photograph that.

------
beedogs
how the fuck could they _not find_ a laptop connected _directly_ to an
Ethernet switch? What a crock of shit. that laptop should've been discovered
within 15 minutes.

~~~
ef4
You're forgetting the context. The network is open and freely available to
anyone. They're _not trying_ to keep anyone out.

That's precisely what Swartz's defense team has pointed out -- there was
precious little "hacking" involved because there was no defense to hack.

~~~
mpyne
> That's precisely what Swartz's defense team has pointed out

Perhaps Swartz should have chose smarter lawyers then, because he wasn't
charged with "hacking" but with "intentional unauthorized access" and other
similar things.

It's not as if he accidentally logged onto an open Wifi and accidentally
downloaded terabytes of information from JSTOR, they specifically blocked
Swartz's machine multiple times. They may not be trying to keep everyone out
but they were definitely trying to keep Swartz out (and they didn't even know
it was Swartz until he was arrested).

~~~
ef4
> They may not be trying to keep everyone out

Which was exactly my point. That's why your original comment about "that
laptop should've been discovered within 15 minutes" doesn't make sense.

Their network model deliberately doesn't care about an extra random laptop,
until somebody complains.

~~~
mpyne
To be clear, I wasn't the one who made the comment regarding whether the
laptop should have been discovered within 15 minutes.

But in general, it does an individual who was trespassing (in this case, on a
network) no good to complain that _other people_ were allowed in. There are
exceptions to that for MIT since it's a university, but given that Aaron was
both white and male, I don't think he'd have been able to play the minority
discrimination card.

