Arrested for Planting Spyware on College Compus

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."

Re:MIT

Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.

Or exploiting a compromise. Granted at MIT they are more likely to catch you than at other places, but don't think that passwords make you immune to buffer overflow and other attacks.

They may be shared machines

[Marqui]

But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!

Re:They may be shared machines

[Tack]

You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.

A nice sentiment from someone who is obviously not a sysadmin of any non-trivial setup, or from someone who is fortunate enough not to be overworked and have plenty of time to do one's job.

The problems with giving users free reign on public/lab systems are several. The biggest one is that letting users install whatever they want can leave behind god-knows-what, like spyware or trojans. Also, it's easily possible for installing a piece of software to break another, more important piece of software. When that happens, since I'm the admin, it's my job to fix it. Of course since I have so much free time and generally do nothing all day except post on slashdot, this isn't a problem, right?

Another issue is licensing, and that's something most users, even ones competent enough to install software, don't take into consideration. They install their copy of Corel Office on the public/lab system because that's what they used at home to do their presentation or document, and suddenly there are legal implications to the organization servicing that computer.

If it's your computer, that's an entirely different story. For example, Microsoft has no business mandating what can and can't be installed on your computer. But if the system is an asset of my organization under my administrative control, you better believe I'm going to lock it down. My job is to make it very easy for users to do authorized tasks, such as web browsing or word processing, and very difficult for users to do unauthorized tasks, like installing foreign software, or accessing/deleting data that's not their own.

Jason.

Re:MIT

[Waffle+Iron]

Any workstation that is pysically accessible to the public is subject to reprogrammning so that it emulates its original behavior plus logs keystrokes. Unless you're using honest-to-goodness dumb terminals with non-flashable ROMs, I wouldn't be so confident.

Re:MIT

Nonsense. I can easily hack into a UNIX system without nothing more than a floppy disk and the power switch.

The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software.

Even if you use something like SSH or SSL, that only products you between the two endpoints. When one of the end-points (the client you are using, in thise case) is insecure, a secured data tunnel is worthless. Indeed, your keys/passwords/etc. can be stolen quite easily.

If you need to compute on the run, get a laptop that you are in control of. Don't use someone else's machine to conduct sensitive business or utilize sensitive information.

Re:MIT

[jd142]

So how do you make a public machine, where random people can come in off the street a multi-user system? Think of people who go to a library to work on the web because they don't have a computer at home.

The problem isn't inherent in single user windows systems, it's quite simple to lock down a windows machine to prevent easy installation of this kind of program, the problem is lack of security protocols on the tech end.

Crime is Crime not computer crime

[Dragon218]

The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."

Using a computer to commit a crime is no different than just commiting the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.

Food for thought:

[Hubert_Shrump]

If it's a x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these babies. That'll catch the BIOS password (when/if it gets typed in) and all.

Ouch.

Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...

But we're just talking here, aren't we friend?

Re:Don't quit your day job

[Zontar+The+Mindless]

Ever consider the possibility that he got snagged for only 2 grand but actually got away with more?

Re:Zealotry.

[Ibag]

I think the point was not that "MIT and unix rox0r w00t!" but more that there are ways to avoid problems like this. Had they implemented a system like the one at MIT, a software based attack would have been much harder, if even feasable at all.

To say, "No, you mentioned unix and MIT so therefore you must be a zealot and cannot have a point," is stupid. Saying that the useage of computers is irrelevent in this case is just as ignorant. The point of the story was not just to say crime happens. By alerting people to specific kinds of crime, people know to be cautous or to look for ways to avoid being victomized. For example, if the article was about someone using a defect in a specific brand of lock to break into houses and steal things, would you claim that the story isn't about locks or defects but instead only about a thief and his breaking and entering? I should hope not. More likely, you would check to make sure that you weren't using that kind of lock and if you were, you'd replace it to make sure you weren't vulnerable. Just because there is a theif does not mean that the general problem and solutions to it must be ignored.

Now, how about Kazaa?

[Pig+Hogger]

Now, how about indicting and convict Kazaa and those of the same ilk who pepper their users' computer with all sorts of spyware without explicitly warning them right upfront???

Glad I use Knoppix

[Rysc]

This makes me glad I use Knoppix.

When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppx CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addrsses and gets online right away. Of course, I could still be monitored if they really want to do it, but the runo-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.

They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.