Patrick Foster and Roger Waite were able to retrieve email passwords, listen in on MSN Messenger conversations, and even view live CCTV camera footage.
After they contacted the University, the authorities, rather than thanking them for revealing potentially dangerous flaws in their IT setup, reacted in typically draconian fashion, summoning them to a Court of Summary Jurisdiction, where they could be fined up to £500 and suspended from the university (known as rustication). The case was also referred to Thames Valley Police. If they had not contacted the university authorities, it's unlikely that their activities would ever have been exposed.
If people who test networks responsibly are treated in this way, the University can never expect to improve its security - those with more malicious intentions are hardly likely to own up to their activities!
Students have the right (not least in the light of the Data Protection Act) to have private information kept secure - the University have failed them. Students should encrypt all information held on the "Swiss cheese security" university computer system using a known safe copy of gpg - http://www.gnupg.org/ (pgp for M$ windoze users: http://www.pgpi.org/products/pgp/versions/freeware/winxp/8.0/).
Here are the links: