Arrested for Planting Spyware on College Compus
AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."
Information wants to be free! I don't see that he did anything wrong. GNU forever!
Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.
But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!
An MIT zealot.
A Unix Zealot.
A bash Microsoft at all chances zealot.
Or all of the above.
This isn't about systems, or schools, or companies. It is about a thief. An identity thief that used computers to do his crime. Get over yourself.
Happened at WPI a few years back. After taking an assembly class that showed him how to catch keyboard interrupts, he loaded a new interrupt handler that logged the keystroke and then called the real handler so that everything looked normal. He was caught, but I'm not sure what happened to him.
The guy only managed to steal $2000? This guy must be stupid.
Help I'm a rock.
There is a kid doing this at almost every school, most of the time it goes undetected. Three people at my high school did the same thing and were suspended, no one knew what kind of information they obtained but it was going on for over a week.
This kind of software causes a real headache for system admins.. I speak from personal experience. Our team of about 12 technicians look after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.
:)
Trying to keep tabs on this kind of thing can be nigh on impossible.
We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.
We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.
No, I don't work for Fortres Grand but thought it seemed appropriate to the subject!
"Hey! Unless this is a nude love-in, get the hell off my property!!"
He was part of an Internet banking project for a large European bank. This bank was one of the first to offer services over the Internet. He always used cash and did all of his banking with a real live teller. He didn't have any credit or banking cards. I think that says a lot.
I have been doing Internet based development exclusively for four plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes things easy without thinking about any potential consequences.
I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.
Actually I was with the guy right up until he turned to the dark side and used the information to steal. I think the penalty for 'liberation of information' or white hat hacking should be pretty thin, but the minute someone steps over the line and does something bad with that information we lop off a hand (like they do in ?Muslim countries for stealing?) I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.
Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)
Glonoinha the MebiByte Slayer
Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this and paste character by character. It's slow but better than having your identity stolen.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
When I was at BC(around 6 years ago) I was a CS and Econ major. BC is not a big CS school. We had this computer lab of about 12 DECstations.
My first experience with the internet and Mosaic(ahh the days)
Anyways, at one point when I would log onto any of the machines my account would completely hang. I would have to shutdown the machine. I quickly noticed when I logged on and my machine hung, also ALL the other DECstations would freeze!!!! LOL
The admin was completely puzzled. I had no clue I was a fledgling CS major. Anyways he had to delete my account and create a new one. Ahhhh the power I had to stop all the workstations *evil laugh* But I never took advantage of that.
All my friends thought it was pretty funny...
Haha! This is much better than typing- now you don't have to worry about keystroke recorders, but everyone around you can see what your password is!
Read jack phelps dot net
How about College Campus Computers?
As in "he made it gleam by scrubbing it."
"gleaned"
As in "she gleaned through the dupes, only to find improper usage of 'gleamed'."
"frustration"
Keep your packets off my GNU/Girlfriend!
Use the right one.
Something shiny gleams.
Something taken is gleaned.
Arrested for Misspelling Compus on Slashdot
CB
free ipod and free gmail!
You only need to install your sniffers on a few boxes to get plenty of good credit card numbers and passwords and such. And if it's installed on only a few boxes, it would (unless they were specifically looking for this) be very hard to detect if done correctly.
And then if you're careful about the credit cards that you use (i.e. use only one or two, or only those that have bought stuff from a given site, etc.) they won't even suspect that people are sniffing at this one site. (If you use every credit card you find, the credit card companies will figure it out pretty quick by finding out what's in common with all the cards in question.)
In short, for every guy who's caught, there's probably dozens of guys who aren't caught.
Be afraid. Or, more importantly, be careful.
Say for example I am a user on a public machine that I suspect has keystroke monitoring software. What can I do, load onto it, download, to protect myself and detect and/or remove these things? One can always go to site to check a machine for viruses and such, but what can be done/loaded to protect against keystroke monitoring?
"Trusting every aspect of our lives to a giant computer was the smartest thing we ever did.." Homer Simpson
The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."
Using a computer to commit a crime is no different than just committing the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.
"It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
I just finished teaching a 2-day class in a computer lab that used Clean Slate. It works as advertised.
:-O
The biggest problem was having to reinstall the program I was teaching the second day.
Usually I make a habit of NOT logging onto websites when I'm using a strange computer. I did check one of my e-mail accounts while I was there. I think I'd better change my password now...
My father is a blogger.
Boudreau, who faces up to 20 years in prison if convicted on all charges, was not immediately available for comment. Boston College said it suspended Boudreau, 21, last year once it learned of his scheme. Suspended? Do they think he'll continue his education in 20 years? How is it he's been suspended for a year and only now they're just indicting him....gotta love the speed of justice. I spose they can't expel him until he's convicted (innocent till proven guilty and all)... So, do you think he had all the keystroke logs sent to his main email acct?
While this might be annoying to some, in general, it's a good thing on public computers. Besides undoing any software installs a user might've tried, it also removes old cookies and temp files that might contain someone's personal info.
Most public uni. computers I've seen all have zip drives. If you want to download and save something, I suggest putting this to use. It is, after all, a public computer.
-
This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, often times people will simply sit down at an otherwise unused computer and start typing in URLs. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.
This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.
There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.
In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.
By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.
--Paul
He had access to all that information and the best he could do was get caught stealing 2000 bucks? Bwaaaahhh hahahaha...
Yes, I agree.
Maybe we should all have spyware installed on our machines so that all of our information can be "liberated".
If it wasn't for those meddling kids!
Join the elite! Post at score:2! Ghostwheel is online.
1. People (most people, the majority of people) are completely clueless when it comes to security. They see that their password isn't displayed, so therefore it must be safe. Public computer? ... not a concept or an issue to them.
Question: Is this their fault? IMO, no it isn't. The visual indications they see indicate they are indeed using some kind of security. The problem here is software manufacturers (not just M) do not have most users' best interests at heart when it comes to security.
2. A system that allows key monitoring software to be installed so easily SHOULD NOT be sold for public use! Not only are the software makers at fault, but so is whoever decided to use such an unsecure system in a public area. But whoever that is, is probably fairly clueless when it comes to security too.
This will continue indefinitely until 1 of 2 things happen;
1. Someone comes out with a dumbed down computing device that uses Windows (sorry, but that's a reality), is cheap, and requires little to no administration (or little enough that breaking the security by a clueless admin will be impossible).
- or -
2. People get a clue about security... not gonna happen.
In fact, I don't see either of the two happening, so IMO this kind of stuff will continue well into the future.
You know you're a geek if you've ever replied to a tagline.
It is in the title and looks really distracting.
Absolutely. I think I'll build a few bombs in my garage, maybe brew up some anthrax or smallpox virus. Hey, as long as I don't do anything with them, the penalty shouldn't be too severe... right?
Where do I go to get my white hat?
I am NOT a man!
I am a free number!
No one but an idiot would 'trust' a public terminal for anything confidential anyway.
Even if it wasn't 'cracked', do you know whom the admins are? Or who they work for..
It's just a big risk to trust ANYTHING public these days..
---- Booth was a patriot ----
Sounds fine to me, but just be careful you don't harm anybody with those. Once you do, then you deserve to be punished.
If it's a x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these babies. That'll catch the BIOS password (when/if it gets typed in) and all.
Ouch.
Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...
But we're just talking here, aren't we friend?
Keep your packets off my GNU/Girlfriend!
Maybe he was pulling an office space and actually did it right haha? (No decimal errors @ him) ;]
But on a serious note, yeah he really is a moron. What a couple friends of mine did at a school which will remain anonymous is it connected to a master server where the logs were gnupg/pgp (dunno which) encrypted then saved. And, if he was caught, there was an abort mechanism which automatically pgp wiped the hard drive a few times and trashed the mbr. They never actually got around to installing it though, but it's what I would do if I were to install keyloggers on a private facility.
I can pretty easily write a program for unix that does this:
Makes the screen black, and displays a "Welcome to Athena" sign on screen that looks just like the real one. It takes the username and password, and invokes su to run a shell/window manager as the user. In the meanwhile it logs their username/password to a file in my directory.
I guess it depends if su is installed on Athena (IANAMITS I Am Not An MIT Student), but probably it is. If not, you can just put a hardware keystroke recorder on the computer.
Unix does not a secure system make.
The Right Reverend K. Reid Wightman,
So I led the students to install keystroke loggers on all of the computers, and it was quite fun for a while.
I never got caught for that... but I did get caught for something much lesser the next year when Novell was installed on all of the machines.
See, Novell has a nice feature called Novell Messaging. By default, there was no way to reach it... but if you create a shortcut to a Novell NetBIOS share (like //server_name/ ), you can right-click on it and tada: Novell Messaging. It will list every user who is currently online. And allow messages to pop up on their screens.
When I discovered this (on my own... the class was getting boring), I told everyone. But the Network Administrator for our school district wasn't that apt, she had files in the server directory that student accounts could delete (I just checked the permissions, I didn't actually delete anything). Anyway, I got banned from the computers for a couple weeks, blah blah blah.
Radical, dude! Did he also Gleam the Cube, to get even by risking it all?
P.S.
Not that I feel bad for him for being depressed or anything, but he's being viewed as a real criminal who stole from hundreds where all he really did was mess around on a computer.
My opinion: in a "free" country, if the United States is actually supposed to be free, then we should be "free" to install spyware anytime we would like on our own computers (i.e., school administrators and internet cafe owners should be allowed to install keystroke monitoring software on their own systems) as long as they do not use the information maliciously. On the other hand, there are ethical issues when there is no warning of installation of said software. And, again, when data gathered by such measures are used for purposes other than network security -- such as to violate the security of an individual without warrant for any reason -- foul play is afoot and repercussions should be harsh.
/There are 10 types of people in this world; those who steal sigs and those don't
...you should use a hardware keystroke logger for stuff like this, like the KEYKatcher. Those things are undetectable...I mean who ever looks at the back of a public computer to see if there's a little adapter on the end of your keyboard??
I belong to the ______ generation.
This one reminds me of those Ann Landers "Stupid Thief" stories. What kind of idiot tries to steal from people using a college network? Students are broke, and most of the professors probably are not doing well either.
Maybe the next guy to try this will get a clue and do it at a law firm, so that he makes enough money to leave the country before getting caught!
The article doesn't say how he used information from the logging to add value to the cards, but I would guess he either a)found a way to transfer it from someone else's account (either their stored valued account or a bank account linked to it) or b)he found a way to add money by finding some sort of backdoor or the like to increase the amount shown in the account without actually increasing the amount of cash.
Neither is victimless - in the first, he still stole money from students, in the second he stole money from the college. While he arguably could have done much more damage, he shouldn't be commended for only stealing a little.
I have blog like everyone else
The Eindhoven University of Technology (tue.nl) reinstalled the entire operating system (win9x) of all public computers from an image every day at first boot. Also, any user could choose to do the same thing at any time. Just reboot, and choose to reinstall.
The systems were completely open, you could install anything you wanted, so I used to do it every time, just to be sure I was working on a clean system.
This was about 5 years ago, since then, every student has his own laptop, so I guess the public computers are gone...
Ruud
On top of the $2000 he stole, it appears he must have invaded the privacy of thousands of people. Scumbags who do this kind of stuff need to be made an example of. This is loathsome behavior, and I hope the judge throws the book at him.
I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?
Surely this should be in Your Rights Online? That's where all the stories about computer criminals getting caught go...
I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.
Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.
To clarify, Boston (in Massachusetts, United States) was named after Boston (in Lincolnshire, United Kingdom) - more information can be found here.
"Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd
No specifics on what he actually stole. Did he just card stuff? That's pretty dumb.
I remember logging into a shell from a public terminal at CCC99 in Berlin and was all disappointed when nobody showed up to own my box by the time I'd got home to Canada.
my question is:
What's a Compus? And why doesn't my college have one?
Now, how about indicting and convicting Kazaa and those of the same ilk who pepper their users' computers with all sorts of spyware without explicitly warning them right upfront???
"The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software."
I feel quite safe doing my online banking in any dodgy Internet cafe. As with most online banking services, the bank's website sends a challenge which I key into a device that generates a response. This response is then used as a one-time password. (Actually, the chip on my bank card is inserted into the device and generates the response, only after keying in my PIN first). Our company web mail system and tunneling software use a similar system. I have no worries about my passwords being stolen, since I use them only once.
Of course, even with a challenge-response system you still have to be careful about theft of data that you retrieve.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
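The challenge-response login described in the comment above, sketched as an added example (not part of the original thread, and not any bank's actual scheme). The HMAC-SHA256 construction, the 8-digit truncation and the names `token_response` and `BankLogin` are assumptions made for illustration; the point shown is that a response captured by a keylogger is useless once its challenge has been consumed.

```python
import hashlib
import hmac
import secrets


def token_response(card_key: bytes, challenge: str) -> str:
    """What the hand-held device computes once the PIN has unlocked the card.

    Assumption: HMAC-SHA256 over the challenge, truncated to 8 decimal
    digits so a person can type it. Real devices use their own algorithms.
    """
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankLogin:
    """Server side: one outstanding challenge per account, accepted once."""

    def __init__(self, card_keys):
        self._card_keys = dict(card_keys)   # account -> secret shared with the card
        self._pending = {}                  # account -> challenge awaiting a response

    def new_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[account] = challenge  # any older challenge is discarded
        return challenge

    def verify(self, account: str, response: str) -> bool:
        # pop() makes the challenge single-use whether the attempt passes or fails
        challenge = self._pending.pop(account, None)
        key = self._card_keys.get(account)
        if challenge is None or key is None:
            return False
        expected = token_response(key, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed scenario: a login typed on a machine that logs keystrokes."""
    key = secrets.token_bytes(32)           # lives on the card, never typed
    bank = BankLogin({"alice": key})
    keylog = []                             # everything the logger sees

    challenge = bank.new_challenge("alice")
    response = token_response(key, challenge)   # computed off the PC, on the device
    keylog.append(response)                     # the only secret-looking thing typed
    legit = bank.verify("alice", response)

    # Replay with no challenge outstanding: rejected outright.
    replay_stale = bank.verify("alice", keylog[0])

    # Replay against a fresh challenge: the old response no longer matches.
    bank.new_challenge("alice")
    replay_fresh = bank.verify("alice", keylog[0])
    return legit, replay_stale, replay_fresh


if __name__ == "__main__":
    print(demo())
```

The PIN and the card key never pass through the public machine's keyboard driver; as the comment goes on to say, whatever the session displays or downloads is still exposed to that machine.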
Yes, but then the sysadmins are allowed to do this everyday.. If people will use computers they must accept the possibility of being monitored all the time.
You wouldn't jerk off in front of a public computer would you now.
but wouldn't a hardware logger make having to dick with the BIOS a moot point? I mean, we were going to mess with it so we could install it in software, right?
let's stay focussed, here -- on this... conceptual exercise.
Keep your packets off my GNU/Girlfriend!
It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."
Let's see now.
1) School AUP, contract law
2) Program EULA, contract law
3) Gathering access tokens like passwords, criminal law
4) Gathering confidential material (yes I've had classes where the raw case material was confidential, like interviews. I could be typing up that. Or writing a letter to my doctor), criminal law
5) Gathering personal info, privacy laws, anti-stalking laws
6) Planning to commit fraud (a crime even if he hadn't actually done it yet), criminal law
Give me a break, installing that software is a crime in itself. The fraud charge is just one more to add to the list. It's not purchasing the tool, it's putting that tool to illegal use. It's not legal for me to make keys for other people's houses even if I haven't robbed the place yet. Or to swipe someone's credit card, even if I haven't used it to get money yet. And for the immediate discussion-stopper, it's not legal for terrorists to gather intelligence, even if they haven't blown up the target yet.
Kjella
Live today, because you never know what tomorrow brings
This makes me glad I use Knoppix.
When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppix CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addresses and gets online right away. Of course, I could still be monitored if they really want to do it, but the run-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.
They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.
I want my Cowboyneal
I dunno, my mom works at a library and always has stories about the weirdos who wander in and head straight for the porn...
I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.
Whoops! It really looked like you in the security camera! I'm sorry, dude. Yeah, you're innocent. My bad. Here's a complimentary prosthetic hand.
I'm not sure if you were joking or not, but it's always important to consider the accuracy of our judicial system when penalties like that.
There are no trails. There are no trees out here.
Have any of you tried Deep Freeze? We run it at my university and it works under the same premise of Clean Slate; however, I've found it to be faster to boot up. Also, I have yet to hear of some way around it -- it really does an amazing job.
This is my digital signature. 10011011001
http://www.gator.com Gator which also logs passwords, account numbers, login names....
Shouldn't that be gleaned?
I thought gleam was related to "shiney objects". (OOOoooh!)
{heh, and no, I'm not new here}
.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
*ahem* but of course I haven't done that sort of thing in decades... ;^)
One line blog. I hear that they're called Twitters now.
Amazing, I see some posts that actually support this guy. As to most of the others, I agree that the Admins of public domains need to be more security conscious. However, we cannot fault the users of these computers. Most of the /.'ers are all in the IS/IT/(whatever it is called now) field and do not realize that the common public do not want to learn everything we know. In the same way I could care less all the ins and outs of, say, biology when all I want to do is plant something. The inner workings of chlorophyll is not something I particularly care about, I just want my plant to grow. In the same respect, a common user is not going to care about how computer security should work and whatnot, they just want to use this fancy cool-looking email to go to their friend/significant other/(whatever they call them these days). This guy is a criminal, stole information, and then may or may not have used it for personal gain, although it sounds like he did. The guy is at fault, not the users. Don't blame the sheep for getting eaten by the wolf, blame the wolf for eating the sheep.
Brief terminology refresher: "volatile memory" refers to computer storage that is erased when power is lost.
This could be the basis for a beautifully secure public workstation (hardware security aside). Imagine a machine with maybe 1 GB of RAM instead of a hard drive. Upon boot, a static image of everything could be transferred to RAM.
So everything the user does is in RAM, and most importantly: rebooting is a guaranteed fresh start. Not only would this workstation be tremendously fast, but also relatively secure.
By the way, I got this idea after using Knoppix on some machines at school that have no hard drive.
No shit. Piss-ass poor spelling and grammar in the body of a story is bad enough, but misspelling a word in the story's title is just pathetic. This is only made worse by the fact that at least some of the editors have probably attended college at a campus, seeing the word in print at least a few dozen times, at some point or other. They may have all dropped out, but that's no excuse.
BTW, I normally have IE prompt for *any* ActiveX load, and usually say no. (Some sites require it, argh.) I was kind of annoyed when Slashdot put an ActiveX on their page. I eventually made Slashdot a trusted site, but perhaps I should have made it an UNtrustworthy site to kill the prompts?
One line blog. I hear that they're called Twitters now.
Cut & pasting (as a previous poster suggested) is a very bad idea, because it makes your password readily available to any other program on that machine.
:)
Here's an interesting alternative:
Ask web sites you visit to use LoginGuardian (www.loginguardian.com -- I'll admit this is a shameless plug, but it needs to be added to the discussion)
(It's free for personal, government and educational use.)
LoginGuardian is a very simple utility that is installed on a login page by the webpage author. It's a simple javascript-based keyboard that enables you to enter userid & password without using the hardware keyboard (and so can't be detected by keyloggers)
It has some additional secure features to protect you from more sophisticated keyloggers.
There's also a very unique "universal password" feature that you can use to maintain online accounts by memorizing only one password and passphrase. Check it out!
(I'd be interested to hear from anyone who can suggest a practical method to circumvent it, cross-scripting browser bugs not included)
In reality, $2000 isn't much money when talking about the possibility of how much the guy could have stolen with that many victims.
If you're going to ruin your life over fraud, you might as well go all out.
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
Richard Smith, a Massachusetts-based Internet security consultant, said the software in question is typically used by jealous husbands or wives to spy on their spouses -- or by employers who want to snoop on their workers.
Gee, Dick, that would be because the early adopters of computer technology, such as MIT had a clue. Oh, you and the University thought you could just buy some stuff from M$ and be done with the work?
Now, my old friend, the Waffle Iron, needs some help understanding part of MIT's system. Someone who tried to mod a public terminal for their own use is likely to be bit by this dog. Hardware capture by additional device is another issue, but I'll bet the MIT folks thought of that too. In any case, someone with enough brains to do all that would have enough brains to avoid stupid stuff like that. There's always someone better and they will get you.
Friends don't help friends install M$ junk.
If that law were in effect there would be a lot of one handed (and no handed) people. If anyone considers chopping off the hand to be a good punishment ask yourself what if some guy turns out to be innocent after 2 years of jail for example. How would someone like that get a job? They might end up having to steal. Plus think about downloading mp3z that you don't own. Can you imagine losing a hand because of it? How about some old lady trying knowingly to use an expired coupon? Is that considered stealing and if so does grandma lose a hand? Maybe forgiveness is the best idea. I'm actually more against violent crime, but I won't steal anything in Saudi Arabia:).
I saw something, I want to say on Discovery - a documentary on counterfeiting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.
Hopefully he will get one year for every count of invasion of privacy, one count for every person.
He'll be getting out when Jesus returns.
--- Grow a pair, liberals... stop letting the Republicans bully you!
I'd love to see some statistics as to which external sites are hit by which departments. I know we have the technology to do this, but I doubt any company would want to take official cognizance of the obvious fact that workers web surf betimes.
Why not just allow users to run any programs they want, but not grant permission to do harmful things?
I've never really understood why, in the windows world, ability to run a chat client == ability to sniff the keyboard or reformat the hard drive or something.
I think it's time to head over to the library, and see if I can find myself a free hardware based keylogger! You're right that it seems like people would be doing this already, so there must be some just sitting around on public computers.
It would be even more fun to find one, then set up a sting operation by feeding it specific data that they would use later...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Only $2000? That isn't much of a return on investment for spending so much time and effort. One would think he could do a lot better. Perhaps he had too much data to work with. I think maybe this guy should have learned some scripting skills to harvest a few more credit card numbers
Having installed these programs on some of my school's machines, I can explain. The program itself is a low-level driver that basically sits between the OS and the hard drive. Whenever the OS wants to write to the HD, the driver does the writing and also makes a note of what was changed in a hidden location on the drive. When the machine boots, these notes are re-read, and the changes undone. This means that you can go to C:\, Select All, Delete, Empty Trash and it'll really be done (well, most of it; you can't delete certain things) - but the driver will remember those changes, and undelete everything when you reboot.
Can it be defeated? You bet. A classmate of mine demonstrated defeating Deep Freeze by booting from a Linux floppy and simply renaming the driver files, preventing the program from loading itself. He then proceeded to install StarCraft (back in Windows), then repeated the linux-boot procedure and restored the drivers, effectively preventing anyone who didn't know the Deep Freeze disable password (or the Linux solution) from deleting the game.
Neat, eh?
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
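The revert-on-reboot behaviour described in the comment above, as a toy model added here (not Deep Freeze's code and not the poster's); the `FrozenDisk` class, its methods and the sample blocks are hypothetical. It also covers the case the comment describes, where writes made while the driver is not loaded never reach the journal and so become part of the state the driver later protects.

```python
class FrozenDisk:
    """Toy model of a revert-on-reboot filter driver (hypothetical names)."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)  # persistent disk: block number -> bytes
        self.journal = {}           # hidden undo log: block -> pre-image
        self.driver_loaded = True   # is the filter driver in the I/O path?

    def _remember(self, block):
        # Only the first pre-image per block matters for restoring boot state.
        if self.driver_loaded and block not in self.journal:
            self.journal[block] = self.blocks.get(block)  # None = did not exist

    def write(self, block, data):
        self._remember(block)
        self.blocks[block] = data

    def delete(self, block):
        self._remember(block)
        self.blocks.pop(block, None)

    def reboot(self, driver_loaded=True):
        self.driver_loaded = driver_loaded
        if not driver_loaded:
            return  # nothing replays the journal; the disk stays as it is
        for block, original in self.journal.items():
            if original is None:
                self.blocks.pop(block, None)
            else:
                self.blocks[block] = original
        self.journal.clear()


def demo():
    disk = FrozenDisk({0: b"boot", 1: b"system"})  # constructed sample disk
    disk.delete(1)
    disk.write(2, b"junk")
    disk.reboot()                       # driver undoes both changes
    after_frozen_session = dict(disk.blocks)

    disk.reboot(driver_loaded=False)    # driver files unavailable at boot
    disk.write(3, b"game")              # not journaled
    disk.reboot(driver_loaded=True)     # driver back: block 3 is now baseline
    disk.delete(3)
    disk.reboot()                       # the deletion is what gets reverted
    return after_frozen_session, dict(disk.blocks)


if __name__ == "__main__":
    print(demo())
```

The model makes the dependency visible: the guarantee only holds for writes that pass through the driver, so it rests on controlling what the machine can boot from.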
IANAML, but I thought getting your hand cut off was for a second offense under Sharia law. A good slap for a first offense and trouble opening jamjars after the second.
Anyway, in the "civilised" west we could add a few wrinkles, like instead of throwing the offender's mitt to the mutts we could stick it on ice for a few years. Then, when the bad man has behaved himself, and said he's very sorry for being naughty, and promised he's never going to be naughty again we can re-attach it with microsurgery.
I think this would be especially appropriate for teeny car thieves. Find out which hand they spank the monkey with and then ice the paw until their majority. A couple of years having to satisfy themselves with the wrong hand (because car thieves ARE wankers) and they'll learn the error of their ways. It'd work the same for crackers too.
And if something goes wrong sticking it back on and their hand turns black and their arm has to be amputated at the shoulder, well... fuck 'em.
One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors - Plato
ThinkGeek continues to sell these...here
Ok, what if I supported you in this, but that your punishment for a single instance of malicious use of your bomb, anthrax, or smallpox was to have your lineage traced back four generations and every person was included in that family tree killed in a particularly savage manner, insuring that your genes (the bad ones) were wiped from the planet and were lost forever ... ?
Most of the people here in /. are technically savvy enough to capture keystrokes, install spyware, and odds are most of us have done a little snooping of data we were not exactly entitled to ... whether looking through other people's computer, flexing a little sys/admin muscle, exploiting a security flaw, etc... That doesn't make us bad people - but when one of us starts using this knowledge for criminal gains ... off with his hand!
That severe enough for you?
Glonoinha the MebiByte Slayer
Most of us do, it is called Windows XP (or Windows 2000 sp3.0.)
Glonoinha the MebiByte Slayer
No, I don't use ATMs. I use that elusive endangered species: 'CASH'. Gotten direct from a live teller.
Both for security of my account, but more importantly privacy.
The government doesn't need to know what I buy, or where I buy it at. It's none of their damned business. Even if it is just lunch.. or a book on how to build a machine pistol.. they DON'T need to know.
---- Booth was a patriot ----
It happened at Boston College! If the person tried this at Boston University, the IT department would be on it in a second, the hockey team would win the beanpot, champagne would fall from the sky, etc.
let me clue you in to just a few things.
a - a majority of the kids here do come from VERY wealthy families. Of course there are your fair share of typical college students, but there are more than enough people that probably wouldn't notice a few bucks missing. that being said, he was probably only taking a small amount from everyone.
b - the "money" he stole [from my understanding] was what they call "eagle bucks", meaning it was good within the university, could be used at the bookstore, dining hall, etc etc. There's no real way to withdraw this money, so i'm guessing that there's really only so much stuff you can buy on campus, and $2000 will cover that.
c - the real issue in this whole thing is the BC policy with PIN numbers. they assign you one at the start of freshman year [or when you're hired] and it never changes. when this whole issue surfaced IT had to scramble for a way to let everyone change their PINs. Now we're getting an entirely "new system", with new IDs and supposedly a bunch of other "security features" that don't sound all that innovative or secure.
d - i can't believe that a cs major from BC made slashdot. although i didn't really know him, i think he was in a few of my CS classes.
A thin client would be an ideal solution to this kind of problem except that thin clients have become very much out of vogue, although they do allow admins to have much better control over the system. Another approach, although rather expensive and ungainly, is Novell's ZENworks. It allows an admin to control what is on the user's machine and what not.
I see the solution as being a compromise in allowing users freedoms and controlling the workstations. Ideally the computer would be regularly monitored, but this can be difficult in an environment where there are thousands of computers.
TWENTY YEARS IN PRISON for this? when murderers can get off on manslaughter charges which results in 3-5 years, plus parole?!?
something is seriously FCKED UP with our judicial system to allow a petty crime such as this cause twenty years imprisonment. something just is NOT right. gawd.
my prediction is that in forty years (by the time i'm an old grampa) computer crimes like these will finally be reduced to misdemeanors and such. when enough of the population is doing silly things like these that they have amended and reformed the newly idiotic laws..
twenty years.. geez.. what is this world coming to??
--even a broken watch is correct twice a day.
I dunno (doubt) if he had the guts to try it, but with keylogged data on that many people, there has got to be more than a couple hot girls with blackmail-able problems...
stealing is wrong, any way you look at it.
using GNU to steal is even more wrong.
stop being a criminal you idiot
Jesse! I think you need to press that buzzer by your pillow and have them change your depends.
Also note that Linux has a 'pseudo-SAK' key, Alt-SysRq-K. It's not a true SAK, as XFree86 (and any other program with root privileges) can take control of the keyboard if it wants to. However, Alt-SysRq-K will kill normal user processes on the console (also, processes with root privileges that don't take over the keyboard handling) and return you to whatever the
Does my bum look big in this?
1. Install keystroke monitoring software...
2. Wait...
3. PROFIT!!!
What a dumbass for 2grand? Mother fucking assholes like this make admins' lives hellish. just for a prank or some measly cash they wreak havoc on other peoples lives. This same punk will move to creditcard/phone/swindle your grandmother scams next time.
I SAY JUST SHOOT THE FUCKER
When I use a computer at the school lab I always run Trend Micro's Housecall in the background. That is if they haven't disabled ActiveX. I'm assuming it would catch the popular keyloggers and trojans. Of course, it's nearly impossible to stop someone who is really motivated from keylogging, stealing, murdering, etc, but it sure beats nothing and if I do find something I'm making sure someone who makes policy will hear my complaint.
How about an app which listens for keyloggers? There has to be a way to detect keylogging regardless of how it's done. Why can't this be built into the heuristic part of anti-virus scanners?
How about a virtual keyboard? Web-based services (hotmail, hushmail, etc) could spring up a Java box with randomly ordered letters and numbers and you simply use your mouse to click on the proper letter. Just make it small enough so no one can shoulder-surf without making themselves noticeable.
The title says "College Compus" but should be "College Campus" This isn't that important but I figured someone will wanna correct this.
~ I am logged on, therefore I am.
But this is a natural consequence of RMS's philosophy.
Who decides what is private, what should remain private, and what is public information that wants to be free.
Knowing your banking records might make my job as a prosecutor easier. That should be public information. Knowing that you are courting someone else would allow me not to make a fool out of myself by asking you out, so that should be public information.
this isn't funny, as much as it points to the failure of RMS's thinking. Is he going to be the one that draws the definitive lines?
I would think Ctrl-Alt-Backspace would work just as well in X. Is this user-trappable in any way? (assuming text login prompts are disabled)
They can't afford to be. Clinton had ONE underling convicted of underreporting payments to a mistress. Reagan had dozens, Bush I likewise, and though there have been no convictions yet, Bush II's is the most corrupt admin since Harding.
rms is the greatest man alive!
I can see it now:
Some Hot Chick: "Wow, we've really connected in the past couple days, it's as if you know me better than I know myself. Wanna go to my room?"
Reading some emails: Fun
Sniffing some credit card numbers: $2000
Having a sex monopoly on all the hot chicks at your college: Priceless
I gleamed a lot when I was on compus
Anytime you get a positive hit with AdAware, an arrest warrant is sent out for the author of the spyware module found...
The Man Who Almost Invented The Vacuum Cleaner
The man officially credited with inventing the vacuum cleaner is
Hubert Cecil Booth. However, he got the idea from a man who almost
invented it.
In 1901 Booth visited a London music-hall. On the bill was an
American inventor with his wonder machine for removing dust from carpets.
The machine comprised a box about one foot square with a bag on top.
After watching the act -- which made everyone in the front six rows sneeze
-- Booth went round to the inventor's dressing room.
"It should suck not blow," said Booth, coming straight to the
point. "Suck?", exclaimed the enraged inventor. "Your machine just moves
the dust around the room," Booth informed him. "Suck? Suck? Sucking is
not possible," was the inventor's reply and he stormed out. Booth proved
that it was by the simple expedient of kneeling down, pursing his lips and
sucking the back of an armchair. "I almost choked," he said afterwards.
-- Stephen Pile, "The Book of Heroic Failures"
- this post brought to you by the Automated Last Post Generator...