Slashdot Mirror


Arrested for Planting Spyware on College Campus

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleaned."

25 of 352 comments

  1. Re:MIT by Anonymous Coward · · Score: 3, Insightful

    Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.

    Or exploiting a compromise. Granted at MIT they are more likely to catch you than at other places, but don't think that passwords make you immune to buffer overflow and other attacks.
  2. They may be shared machines by Marqui · · Score: 5, Insightful

    But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!

    1. Re:They may be shared machines by packetgeek · · Score: 2, Insightful

      This idea of letting users install "whatever they need" is how organizations get busted for licensing infractions. Besides that, who says that the software a random user installs is stable and will play nice with the other software on the system? Should the people responsible for system uptime/availability be expected to spend precious resources scouring a facility for illegal software and fixing machines that were needlessly broken? IT departments are charged with providing the required services to all of the authorized users with as much efficiency to the users as a whole as possible. Not traipsing around after a small handful of users who think the systems are there just for them.

      --

      Please be patient, I'm a work in progress! --Alan Jackson
    2. Re:They may be shared machines by Tack · · Score: 4, Insightful
      You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.

      A nice sentiment from someone who is obviously not a sysadmin of any non-trivial setup, or from someone who is fortunate enough not to be overworked and have plenty of time to do one's job.

      The problems with giving users free rein on public/lab systems are several. The biggest one is that letting users install whatever they want can leave behind god-knows-what, like spyware or trojans. Also, it's easily possible for installing a piece of software to break another, more important piece of software. When that happens, since I'm the admin, it's my job to fix it. Of course since I have so much free time and generally do nothing all day except post on slashdot, this isn't a problem, right?

      Another issue is licensing, and that's something most users, even ones competent enough to install software, don't take into consideration. They install their copy of Corel Office on the public/lab system because that's what they used at home to do their presentation or document, and suddenly there are legal implications to the organization servicing that computer.

      If it's your computer, that's an entirely different story. For example, Microsoft has no business mandating what can and can't be installed on your computer. But if the system is an asset of my organization under my administrative control, you better believe I'm going to lock it down. My job is to make it very easy for users to do authorized tasks, such as web browsing or word processing, and very difficult for users to do unauthorized tasks, like installing foreign software, or accessing/deleting data that's not their own.

      Jason.

  3. Re:MIT by Edmund+Blackadder · · Score: 2, Insightful

    Well, if the MIT networks are at least partially hubbed, which they probably are, you can use a packet sniffer.

    A packet sniffer will get you some juicy info ... even though it can be thwarted with public key encryption, I think.

  4. Re:MIT by Waffle+Iron · · Score: 5, Insightful

    Any workstation that is physically accessible to the public is subject to reprogramming so that it emulates its original behavior plus logs keystrokes. Unless you're using honest-to-goodness dumb terminals with non-flashable ROMs, I wouldn't be so confident.

  5. Re:MIT by Anonymous Coward · · Score: 5, Insightful

    Nonsense. I can easily hack into a UNIX system with nothing more than a floppy disk and the power switch.

    The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software.

    Even if you use something like SSH or SSL, that only protects you between the two endpoints. When one of the end-points (the client you are using, in this case) is insecure, a secured data tunnel is worthless. Indeed, your keys/passwords/etc. can be stolen quite easily.

    If you need to compute on the run, get a laptop that you are in control of. Don't use someone else's machine to conduct sensitive business or utilize sensitive information.

  6. Re:MIT by jd142 · · Score: 4, Insightful

    So how do you make a public machine, where random people can come in off the street, a multi-user system? Think of people who go to a library to work on the web because they don't have a computer at home.

    The problem isn't inherent in single user windows systems, it's quite simple to lock down a windows machine to prevent easy installation of this kind of program, the problem is lack of security protocols on the tech end.

  7. Re:This software... by Cirvam · · Score: 2, Insightful

    Why not just lock the user from writing to most of the hard drive but allow them access to a temp folder or a network drive where they can install stuff and save stuff. Then when a new user logs in just have a login script wipe the local directory and connect to the new user's network drive? Otherwise students could install stuff like Back Orifice or Sub7 and screw with the computer until it is rebooted. I don't know exactly how well Clean Slate works, but it seems that XP has all that built in (doesn't it even allow you to rollback to a previous setup?) although if it's anything like their desktop lockdown program it's pretty easy to bypass.

  8. Crime is Crime not computer crime by Dragon218 · · Score: 5, Insightful

    The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."

    Using a computer to commit a crime is no different than just committing the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.

    --

    "It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
  9. Re:Actually... by palindrome · · Score: 2, Insightful

    Yes, I agree.
    Maybe we should all have spyware installed on our machines so that all of our information can be "liberated".

  10. Re:This software... by Sgs-Cruz · · Score: 2, Insightful
    Oh yes, at our school board (Halton School Board in Ontario) we use software called Deep Freeze. Which worked great (people would download and install MSN, mIRC, Quake II, etc. and it would disappear next time the computer was turned on) until some of the computer-oriented kids used a minuscule (literally, asking a teacher that didn't know much about the system) to get the Deep Freeze password.

    We then had every computer in the school getting installed with many games and chat programs every time the computer got turned on. Not only that, the password was changed so the teachers couldn't change it back.

    My point is this: perfect physical security is nothing without dedication by the humans that have to use it.

    --

    Karma: pi (Mostly due to circular reasoning in posts).

  11. Re:Actually... by Anonymous Coward · · Score: 1, Insightful

    Sounds fine to me, but just be careful you don't harm anybody with those. Once you do, then you deserve to be punished.

  12. Food for thought: by Hubert_Shrump · · Score: 4, Insightful

    If it's an x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these babies. That'll catch the BIOS password (when/if it gets typed in) and all.

    Ouch.

    Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...

    But we're just talking here, aren't we friend?

    --
    Keep your packets off my GNU/Girlfriend!
  13. Re:MIT by nutznboltz · · Score: 2, Insightful
    The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy.


    But under certain circumstances anonymity is privacy so some behaviours on a public machine are more private than on personal machines. If you provide nothing but false data about your identity on a public machine (i.e. don't access anything that is connected to your true identity) you can post messages that have high plausibility of denial ("I don't know anything about that post".)

  14. Re:This software... by sheetsda · · Score: 2, Insightful

    Many years ago my high school used a Fortres product (may or may not have been the one you're talking about but the idea sounds the same). It worked well enough for keeping the majority of average high school students out of trouble but the lab techs had no problem hacking through it. At one point there was an old system with Fortres on it which no one knew the password to, and so the lab techs were asked to take Fortres down so the machine could be updated and so forth. We succeeded in minutes, and consequently I've been skeptical of the usefulness of products like this one ever since.

  15. Re:Don't quit your day job by Zontar+The+Mindless · · Score: 4, Insightful

    Ever consider the possibility that he got snagged for only 2 grand but actually got away with more?

    --
    Il n'y a pas de Planet B.
  16. Re:Zealotry. by Ibag · · Score: 3, Insightful

    I think the point was not that "MIT and unix rox0r w00t!" but more that there are ways to avoid problems like this. Had they implemented a system like the one at MIT, a software based attack would have been much harder, if even feasible at all.

    To say, "No, you mentioned unix and MIT so therefore you must be a zealot and cannot have a point," is stupid. Saying that the usage of computers is irrelevant in this case is just as ignorant. The point of the story was not just to say crime happens. By alerting people to specific kinds of crime, people know to be cautious or to look for ways to avoid being victimized. For example, if the article was about someone using a defect in a specific brand of lock to break into houses and steal things, would you claim that the story isn't about locks or defects but instead only about a thief and his breaking and entering? I should hope not. More likely, you would check to make sure that you weren't using that kind of lock and if you were, you'd replace it to make sure you weren't vulnerable. Just because there is a thief does not mean that the general problem and solutions to it must be ignored.

  17. Now, how about Kazaa? by Pig+Hogger · · Score: 3, Insightful

    Now, how about indicting and convicting Kazaa and those of the same ilk who pepper their users' computer with all sorts of spyware without explicitly warning them right upfront???

  18. Re:This reminds me of a PM I had one time by JaredOfEuropa · · Score: 2, Insightful

    Hmm... that PM (I am guessing: project manager) sounds like a paranoid luddite to me... which isn't to say that one should not be careful. But the few stories one hears of people having their money stolen because of credit card or Internet banking fraud dwindle beside the millions upon millions of happy users of these services. And the cases in which the defrauded users haven't had their money restored to them in the end are even fewer.

    Cash has its drawbacks too, and it's not just the waiting in line to withdraw or deposit money. Ever gotten a counterfeit bill as payment, or as change in a supermarket or bar? Good luck convincing anyone that they were the ones to hand you that particular bill.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  19. Run that by me one more time... by Kjella · · Score: 1, Insightful

    It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."

    Let's see now.
    1) School AUP, contract law
    2) Program EULA, contract law
    3) Gathering access tokens like passwords, criminal law
    4) Gathering confidential material (yes I've had classes where the raw case material was confidential, like interviews. I could be typing up that. Or writing a letter to my doctor), criminal law
    5) Gathering personal info, privacy laws, anti-stalking laws
    6) Planning to commit fraud (a crime even if he hadn't actually done it yet), criminal law

    Give me a break, installing that software is a crime in itself. The fraud charge is just one more to add to the list. It's not purchasing the tool, it's putting that tool to illegal use. It's not legal for me to make keys for other people's houses even if I haven't robbed the place yet. Or to swipe someone's credit card, even if I haven't used it to get money yet. And for the immediate discussion-stopper, it's not legal for terrorists to gather intelligence, even if they haven't blown up the target yet.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  20. Glad I use Knoppix by Rysc · · Score: 3, Insightful

    This makes me glad I use Knoppix.

    When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppix CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addresses and gets online right away. Of course, I could still be monitored if they really want to do it, but the run-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.

    They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.

    --
    I want my Cowboyneal
  21. Re:MIT by carsont · · Score: 2, Insightful
    Nonsense. I can easily hack into a UNIX system with nothing more than a floppy disk and the power switch.

    Not if the PROM is configured to require a password to boot from an alternate device, or to boot up at all.


    Even if you use something like SSH or SSL, that only protects you between the two endpoints. When one of the end-points (the client you are using, in this case) is insecure, a secured data tunnel is worthless. Indeed, your keys/passwords/etc. can be stolen quite easily.

    Or you can use a one-time password system like S/Key for authentication. That's what I do whenever it's necessary for me to log in to my machine at home from campus, anyway.


    Of course, this doesn't help you with email or website logins, but it's a step in the right direction.


    I doubt if we'll ever see online banking, webmail and so forth adopt more secure authentication mechanisms, but maybe after enough fiascos like this, universities and libraries might adopt a dumb terminals-and-smartcards approach (such as SunRays).

    --

    Ubi dubium, ibi libertas.
  22. pocket change by Servo · · Score: 2, Insightful

    In reality, $2000 isn't much money when talking about the possibility of how much the guy could have stolen with that many victims.

    If you're going to ruin your life over fraud, you might as well go all out.

    --
    A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
  23. Re:MIT by Blkdeath · · Score: 2, Insightful
    You can get hardware keyboard loggers. They go between the keyboard and the case. They're fairly cheap, and available to consumers.

    Pardon my ignorance, having never laid eyes on the public systems referenced at either University, but how open, exactly, are they?

    A few things come immediately to mind; why not encase the whole system, including keyboard connectors et al, in an external case? (Not a PC case, but an enveloping case that might even include the monitor) Also, why even have a floppy or CDROM drive attached? Makes securing the BIOS password a lot more pointless if you now have to cart around a set of lock-pick tools, a spare floppy drive and ribbon, and be able to perform surgery on the box while nobody's looking.

    If these truly are desktop machines, open and exposed to the world in all their glory, it seems to me as if they'd be the last machines I'd trust with my PIN, credit card, bank card, or any other personal details. Casual web surfing only, thankyouverymuch.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.