Arrested for Planting Spyware on College Campus
AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleaned."
Information wants to be free! I don't see that he did anything wrong. GNU forever!
Which is exactly why you shouldn't use single-user Windows systems. MIT has Athena, a huge Unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.
But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!
The guy only managed to steal $2000? This guy must be stupid.
Help I'm a rock.
There is a kid doing this at almost every school; most of the time it goes undetected. Three people at my high school did the same thing and were suspended. No one knew what kind of information they obtained, but it was going on for over a week.
This kind of software causes a real headache for system admins.. I speak from personal experience. Our team of about 12 technicians look after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.
:)
Trying to keep tabs on this kind of thing can be nigh on impossible.
We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.
We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.
No, I don't work for Fortres Grand but thought it seemed appropriate to the subject!
"Hey! Unless this is a nude love-in, get the hell off my property!!"
Actually I was with the guy right up until he turned to the dark side and used the information to steal. I think the penalty for 'liberation of information' or white hat hacking should be pretty thin, but the minute someone steps over the line and does something bad with that information we lop off a hand (like they do in ?Muslim countries for stealing?) I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.
Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)
Glonoinha the MebiByte Slayer
Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this and paste character by character. It's slow but better than having your identity stolen.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."
Using a computer to commit a crime is no different than just committing the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.
"It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, oftentimes people will simply sit down at an otherwise unused computer and start typing in URLs. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.
This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.
There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.
In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.
By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.
--Paul
If it wasn't for those meddling kids!
Join the elite! Post at score:2! Ghostwheel is online.
Absolutely. I think I'll build a few bombs in my garage, maybe brew up some anthrax or smallpox virus. Hey, as long as I don't do anything with them, the penalty shouldn't be too severe... right?
Where do I go to get my white hat?
I am NOT a man!
I am a free number!
If it's an x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these babies. That'll catch the BIOS password (when/if it gets typed in) and all.
Ouch.
Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...
But we're just talking here, aren't we friend?
Keep your packets off my GNU/Girlfriend!
Ever consider the possibility that he got snagged for only 2 grand but actually got away with more?
There is no Planet B.
yep! you can't get any more inconspicuous than a BRIGHT MAGENTA page with "Copy and paste into password forms:" in a 24 size bold font!
/There are 10 types of people in this world; those who steal sigs and those don't
I saw something, I want to say on Discovery - a documentary on counterfeiting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.