MIT Closet Allegedly Used by Aaron Swartz (cryptome.org)
106 points by mrb on Jan 16, 2013 | 64 comments



When I clicked on the link, I expected to see an unlocked closet primarily used to store mops, floor wax and boxes of copier paper.

Instead, I saw a small carpeted room containing a half-full rack of telecom gear, featuring several Ethernet switches providing 100 or so switchports for end users, punchdown blocks for terminating phone service to a similar number of incoming lines, and a small number of switchports on what looks like an administratively privileged network via a second smaller switch.

The list price of the larger Cisco with all three power supplies and several 24-port GigE cards was at least $15,000 the last time I had to buy one.

The fiber uplinks to other rooms (provisioned like this one, or better, typically one per wing on each floor of a large building) are likely to carry some very interesting traffic -- not just between end users and their preferred servers, but between the large switches themselves, possibly even routing outbound traffic for the "administrative" switch, as well.

I sometimes use separate "control plane" switched media to access "remote power strips". These allow an admin to remain seated at a desk while rebooting machines all over the campus.

Allowing unrestricted access to a storage closet containing that much gear (uninstalled) is irresponsible. Theft is likely.

Allowing unrestricted access to a wiring closet containing that much gear (provisioned, configured, and running in production mode) is a hilarious wtf. The imagination soars ...

Allowing unrestricted physical access to any administrative switch that carries traffic for power-cycling campus equipment on and off remotely is a fairly serious oversight, and not in the least bit hilarious.

edit: It looks like the photos show two different rooms. The wiring closet itself has a bare concrete floor.


I'm not surprised. That seems to be the MIT ethos since Stallman proclaimed the best account password for all users was the enter key.


Several times while visiting Boston, I have entered the medialab on weekends and no one prevented me from getting a good tour of the building. I always thought this was part of the MIT culture, not a blunder of security.


Yet they lock the doors to the classrooms, in which are chalkboards and chairs...


That's how all universities work. It's quite impractical to secure them properly, and nobody can hope to recognise all the students (and visitors!) so you can basically walk around any university and as long as you look like you belong there nobody will challenge you.


No, I'll have to disagree here. I've spent around 10 years in several universities both in Europe and the US and most of them are closed during weekends and you can't walk around and touch experiments when no one is around.

MIT is special in its openness, or at least the Medialab is (you can't really walk in any lab of the Physics department).


It wasn't just Stallman. Hacker subculture has always contained an element that is opposed to unequal access, like locks. And it's still going strong; last month's CCC hacker conference in Hamburg had a large lockpicking workshop. http://events.ccc.de/congress/2012/wiki/Lockpicking_Area


He forgot the human condition when he came up with that...


Deliberate openness is irresponsible now?


I remember being invited to visit the cockpit of a commercial airliner during a flight when I was little. On US airlines, at least, that kind of openness is a distant memory.

If you don't work in network security, you might find it unsettling to see just how much additional trouble a person can cause by having physical access to the hardware itself -- the cables and ports and LCD front panels and the like.

As an example, here's a dirty secret: in quite a few of the large, institutional settings I have had access to, the hash of the IOS enable password is stored on local flash inside the machine, and set to the same string across many core devices. This means that if you can compromise one switch (perhaps a small one in a basement closet), you could also have privileged access to larger switches deep inside data centers on the same campus.

Compromising the first switch is much easier if you can attach a serial console and reboot it at will. If I were serious about doing something like this, I might even bring an extra switch along to substitute in, so the regular users of the network would see no downtime.

Groups of switches inside a data center (when viewed with eyeballs) have a kind of tedious homogeneity to them. Generic faceplates all in rows, kudzu of brightly-colored generic cables fanning out in every direction, armies of green LEDs flashing with traffic, thick black ropes of power cables in back ready to wiggle loose from a stray nudge. Aloof. Opaque.

The traffic to and from each data center switchport, though, is often highly individual. Many times it is deadly dull for port after port after port. But sometimes, you see that you are watching a machine that appears to be processing payroll. Or saving a series of very expensive and proprietary chip masks to some huge file server. Or, best of all, you might see millions of rows of data describing those things and more, all being stored as tidy SQL.

So yes, I draw the line somewhere short of allowing homeless people into a space where they would be sleeping next to network devices with important roles.
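An added defensive example, not part of the thread: a small audit for the reuse described in the comment above, run over exported IOS configs to find devices that carry the same stored enable credential. The hostnames and hash strings are constructed sample data and the function names are hypothetical. Matching identical strings only finds copy-pasted credential lines, since the same password hashed with a different salt produces a different string.

```python
import hashlib
import re
from collections import defaultdict

# IOS stores the enable credential as "enable secret <type> <hash>" or
# "enable password [<type>] <value>"; the type number may be absent.
ENABLE_RE = re.compile(
    r"^enable[ \t]+(secret|password)[ \t]+(?:(\d+)[ \t]+)?(\S+)[ \t]*$",
    re.MULTILINE)

# Constructed sample configs (hostnames and hash strings are made up).
SHARED_LINE = "enable secret 5 $1$CONS$TRUCTEDsampleHASH000001\n"
SAMPLE_CONFIGS = {
    "basement-closet-sw1": "hostname basement-closet-sw1\n" + SHARED_LINE,
    "dc-core-sw1": "hostname dc-core-sw1\n" + SHARED_LINE,
    "dc-core-sw2": "hostname dc-core-sw2\n" + SHARED_LINE,
    "dc-edge-sw1": "hostname dc-edge-sw1\n"
                   "enable secret 5 $1$UNIQ$CONSTRUCTEDsampleHASH0002\n",
    "lab-sw1": "hostname lab-sw1\nenable password 7 0000CONSTRUCTED\n",
}


def fingerprint(value):
    """Short digest so the report never echoes the stored credential."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def audit_enable_credentials(configs):
    """Return (shared, weak): devices grouped by identical enable credential,
    and devices that still use 'enable password' (plaintext or type 7)."""
    by_cred = defaultdict(set)
    weak = []
    for device, text in configs.items():
        for kind, ctype, value in ENABLE_RE.findall(text):
            by_cred[fingerprint(value)].add(device)
            if kind == "password":
                if ctype == "7":
                    weak.append((device, "type 7 (reversible)"))
                elif ctype in ("", "0"):
                    weak.append((device, "plaintext"))
                else:
                    weak.append((device, f"type {ctype}"))
    shared = {fp: sorted(d) for fp, d in by_cred.items() if len(d) > 1}
    return shared, sorted(weak)


if __name__ == "__main__":
    shared, weak = audit_enable_credentials(SAMPLE_CONFIGS)
    for fp, devices in shared.items():
        print(f"credential {fp} reused on: {', '.join(devices)}")
    for device, reason in weak:
        print(f"{device}: enable password stored as {reason}")
```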


What's the point of link-level security when governments control the CAs and global routing tables anyway? You're probably being spied on right now, and not because someone has physical access to a mop closet with some switches in it.


Even as broke as the government is, I'm not worried about them sniffing my credit card number or emptying my checking account.


I'm wondering when some government is going to figure out how to make money through plausibly deniable widespread credit card fraud.


Greece.


Now we can look forward to a government getting away with it scot-free. (Is that an objectionable term now?)


Much of this thread complains that physical access is the end all to security, in that people on this thread suggest that access to physical gear should be our number one rule. I have a few problems with this in that I don't specifically need physical access to a core router if the network is flat nor would I think that simply locking up my network equipment would solve my security problems. It's true that giving end users access to production network is a mistake, but to say that schools and corporations don't every day make basic security mistakes including physical access, it's how we security practitioners reduce our exposure of the work of idiots, monitoring and alerting, port management and a plethora of other mitigation techniques, it's endless game of cat and cat.

MrEthiopian


You can actually still go in the cockpit on commercial airlines, just not during the flight. Before or after the flight the pilots are usually happy to show you the cockpit.


...

It always has been.


Aaron's impact has been rippling through the internets lately and that's awe inspiring but we're slowly marching into morbid reality porn. Nancy Grace does this exact "thing" for a living. Tread lightly.


I agree, it's getting creepy. I'm starting to get the feeling of 'man worship' where perfectly sane men put giant Fathead pictures of professional athletes on their walls, wear their jerseys, and get a little too involved.


Makes me wonder how many years in prison the prosecutors would give you if you just walked into JSTOR and stole one of their hard drives. It's not even a federal crime anymore.


Well, assuming that would be treated the equivalent of armed bank robbery (robbery of a... data bank? ;)... a maximum of 25 years. Knock off 5 years if you don't bring a gun.


How is it the equivalent to armed bank robbery?


It's not, but I figure I may as well highlight that even if you rob a bank with a gun your maximum sentence is less than 35 years.


That's simply not true. "Possession of a firearm in furtherance of a bank robbery carries a minimum statutory sentence of five years in prison and a maximum of life imprisonment consecutive to any other sentence, plus a $250,000 fine."

[1] http://www.justice.gov/usao/ncw/pressreleases/Charlotte-2012... , among many other sources.


That is the page I found before I commented, I am seeing on that page:

"Bank robbery carries a statutory maximum sentence 20 years in prison and a $250,000 fine. Bank robbery while armed with a firearm carries a maximum sentence of 25 years."

It also seems, in addition to armed bank robbery being a crime, having the firearm during a bank robbery is itself a crime, and the maximum punishment for having the firearm, but not the bank robbery itself, is life.

It seems you are practically correct.


If you want to get really technical, those are the federal penalties for armed bank robbery. Under state law, plenty of states have maximum sentences of life for armed robbery in general. Here's Virginia's law allowing a life sentence for armed robbery of anything (not just banks): http://law.justia.com/codes/virginia/2006/toc1802000/18.2-58...


Of course states vary, so a comparison to federal penalties makes the most sense. For example, it seems California caps robbery sentences to 9 years. http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen... I don't know what they give for armed robbery though.

One thing seems fairly clear though: at least in many states stealing hard drives (without using a gun) is probably better than copying the contents of hard drives with a computer. The punishments we have decided that 'hackers' should get are out of proportion when compared to crimes committed 'in meatspace'.

For example, just since I'm already looking at the Californian penal code:

> (c) (1) Any person who commits rape in violation of paragraph (2) of subdivision (a) of Section 261 upon a child who is under 14 years of age shall be punished by imprisonment in the state prison for 9, 11, or 13 years.


Again, there are other statutes that make life in prison the maximum penalty for child sexual assault in California. The rape statute you quote expressly says that the 9-13 years you quote is stacked on top of the general crime of sexual assault of a minor:

>> This subdivision does not preclude prosecution under Section 269, Section 288.7, or any other provision of law.

>> 269: Any person who commits any of the following acts upon a child who is under 14 years of age and seven or more years younger than the person is guilty of aggravated sexual assault of a child [statute lists all conceivable forms of sexual gratification] ... Any person who violates this section is guilty of a felony and shall be punished by imprisonment in the state prison for 15 years to life.

Section 288 adds yet more penalties for using force, being in a position of trust, etc.

You keep using examples of "hackers get stronger penalties than these other crimes" (bank robbery, child rape), but the other crimes consistently have life in prison as a maximum sentence if you stop to read the full context of the law.


I think it's more realistic to do a "where are they now" style survey to see how long sentences end up being in practice. With overcrowded state prisons, not many people end up serving the max.


Yes, I am well aware. I don't think that is material to my point.


I think this whole thing has become a meme now and people are starting to believe what they want to believe.


Heh. I used to leave my bag in one of those closets when I went to the bathroom if I was in a computer lab.


I bet no one locks those closets. I know for a fact there are a few comm closets with actual servers controlling the PLC of the building at my university that are often left unlocked, door wide open. No one gives a crap at these institutes. If a real malicious hacker got into one of those, he could easily wreak havoc.


And yet somehow, havoc isn't wreaked. Most bills aren't counterfeit. Most contracts don't get litigated.

I think about security, so I know what you're talking about... but there is a real line between security and fearmongering.

It's just network access, or denial of service. Nothing more.


Or a MITM attack stealing personal information?


yeah. someone might go crazy downloading shit


I went to a similarly prestigious uni (Imperial College, London) and nothing was ever left unlocked. Even leaving a bag unattended in one of the labs could throw a security alert spanner in the works.

Then again at the time we had the IRA bombing London and we were told specific bomb threats against the uni from idiots every few months or so.


Things must have changed then - I find security is very lax at Imperial, especially in the EEE department.


Funny enough, me too.


Seems like this could have been done much more discreetly, makes me think Aaron may have wanted to get caught. Why not just buy a cheap 1u server and add it to the rack, I bet that goes unnoticed much longer.


Interesting. Keeping my fingers crossed that the download script will be released next. I would love to read through the code and see for myself how much actual "hacking" was involved.


The SAMSUNG EcoGreen F2 HD154UI hard drive pictured is 1.5 TB.

The alleged JSTOR archive torrent making the rounds is 35 GB. If Aaron went through the trouble of getting a HDD 1+ TB, it means the JSTOR files probably amassed to a size indeed to the tune of ~1 TB, (at least, if he in fact did have accurate foreknowledge of their true size).


Or maybe he just had a spare 1.5TB drive around.


The filing mentions him entering the closet to swap out storage devices when one filled up.


the torrent is just a fraction and it says so right in its title.


I like the graffiti on the right wall in the first picture. Gives off some serious vibes of "secured room".


That's not graffiti. MIT hackers commonly 'sign in' to places that they've found and gained entrance to. A wiring closet, frankly, is kind of a lame place to sign in at, but the steps under Lobby 7 or the steam tunnels or the little dome are far more interesting, for example.

It's actually looked down upon fairly heavily if a sign in is larger than a regular signature by very much - typically sign ins are lauded, graffiti isn't.

Just thought I'd clarify. :)


I suspect there won't be as many MIT hackers now that this sort of culture is no longer tolerated. Getting in trouble with your principal/dean/chairman is quite different from facing the secret service, federal prosecution, 30 years in jail and multi-million dollar fines.


MIT over the last few years, sadly, under the Hockfield administration, has screwed hackers over - no doubt about that. Numbers decreased because of that. But they increased at the same time due to the MIT blogs and better (sometimes unintentional) publicity of MIT hacks.

I honestly suspect that things will be better for hackers under Reif's administration. He does, in my humble opinion, "not suck."

EDIT: Also important of note is that Aaron wasn't a student at MIT - historically, MIT students were forgiven for things like hacking, but non-MIT students were typically handed over to Cambridge Police. Typically, when hacking with a non-MIT student, you would pretend they were a 'pre-frosh' if you could.


I've never heard anything but criticism of Hockfield on any front.


> Download Equipment Allegedly Stored in Building 20

I assume this is a typo? or is there a recent renumbered bldg?


No, that is correct. He left his hard drive and laptop in the SIPB office in W20. See the Tech's article from August 2011.

http://tech.mit.edu/V131/N30/swartz.html


Ah, you're right (W20 != 20). The basement wiring closet was Building 16, but the SIPB stuff was W20. (you can tell by the ghetto furniture with duct tape).

SIPB at least used to be pretty friendly about letting visiting "reasonable" people plug into the network, based on whoever was at the office at the time.


Whereabouts was the tramp (hobo) sleeping?


Presumably the police weren't quite as eager to photograph that.


how the fuck could they not find a laptop connected directly to an Ethernet switch? What a crock of shit. that laptop should've been discovered within 15 minutes.


I don't have any idea about how easy it would be to detect a laptop connected directly to an Ethernet switch, but the court documents do mention that Aaron placed the laptop in the closet on December 26th, and it wasn't noticed until January 4th. Perhaps many of the IT administrators were away on Christmas holidays?


You're forgetting the context. The network is open and freely available to anyone. They're not trying to keep anyone out.

That's precisely what Swartz's defense team has pointed out -- there was precious little "hacking" involved because there was no defense to hack.


> That's precisely what Swartz's defense team has pointed out

Perhaps Swartz should have chosen smarter lawyers then, because he wasn't charged with "hacking" but with "intentional unauthorized access" and other similar things.

It's not as if he accidentally logged onto an open Wifi and accidentally downloaded terabytes of information from JSTOR, they specifically blocked Swartz's machine multiple times. They may not be trying to keep everyone out but they were definitely trying to keep Swartz out (and they didn't even know it was Swartz until he was arrested).


> They may not be trying to keep everyone out

Which was exactly my point. That's why your original comment about "that laptop should've been discovered within 15 minutes" doesn't make sense.

Their network model deliberately doesn't care about an extra random laptop, until somebody complains.


To be clear, I wasn't the one who made the comment regarding whether the laptop should have been discovered within 15 minutes.

But in general, it does an individual who was trespassing (in this case, on a network) no good to complain that other people were allowed in. There are exceptions to that for MIT since it's a university, but given that Aaron was both white and male, I don't think he'd have been able to play the minority discrimination card.


Last I knew comms rooms aren't generally patrolled on a regular basis .. but then, wherever I've worked the rooms have always been locked.


Well, is the laptop on the chair Aaron's or part of the official setup? Cause if SOP was "random laptops plugged into the switches", his setup wouldn't really stand out very much.



