Slashdot Mirror
Student Logs Teachers Keystrokes
handy_vandal writes "A 16-year-old student has been charged with a misdemeanor for rigging a keystroke-recording device onto a teacher's computer. School district police received a tip from students that the boy was trying to sell answers to final exams. The District Attorney's Office has charged the teen with breach of computer information, a Class B misdemeanor punishable by a fine of up to $2,000 and up to 180 days in jail. This sort of thing has happened before. The problem is so pervasive that the GRE board has switched from computers back to paper and pencil."
It's not hard to install keyloggers. You just plug them between the keyboard cable and the back of the machine. When you're done, you take it off, plug it into yours and then type the passwordKEYLOGGER 3.15 MENU OPTIONS 1. DUMP 2. CLEAR 3. EXIT
RTFA. The teacher didn't notice. The kid confessed when they found him selling the exams.
Who said he had to install anything? He could have used one of these with about 5 seconds of unmonitored physical access
Or you could read TFA
Unless you think they should hot-glue-gun the keyboard into the PS/2 port?
Sentencing guidlines are maximums, AS in the legal limit that cannot be exceeded. So for this particular crime he may be sentenced to no more than 180 days in jail. Even if the judge feels he's dangerous scum, the 180 days is the absolute statutory max. The judge may, and likely will, use his discression and lower the sentence.
In the case of a misdemeanor carrying this little time, it's highly likely the kid will get probation, or a suspended sentence, plus some community service. Means that provided he keeps his nose clean for a few months after this and does what the court tells him, he'll be fine. Being he's a minor, it'll all go away at 18 also, the record will be expunged or sealed.
That's something people often forget when quoting sentences, it's the max being quoted, not the normal or minimum. Even minor crimes generally have a highish maximum, in relation to the crime, to deal with repeat or flagrant offendors. If this kid tries it again, clearly didn't learn his lesson, and perhaps some jail time is in order. However for misdemeanors, it's rare to see more tham a small amount of jail time, and often none.
Remember: a misdemeanor is a rather minor crime. Even as an adult, it doesn't cause you much trouble. It doesn't stick with you like a felony (employers can generally only ask about felony records) and prevent you from getting a job, owning a gun, etc. If it's a first time thing, espically for lesser ones, it's generally a slap on the wrist.
It's real different than felony computer crime, which is more serious. Also felonies quite often mandidate minimum jail time. There's a little more room to be concerned there.
Here, sounds like justice is being served. This kid broke the law, make no mistake. It is NOT legal to go and record keystrokes or otherwise take data off a computer you don't own, any more than it's legal to break in to a house that's not yours.
In this case, it's more akin to taking and copying a key. Just because you get a hold of my keyring and successfully make a copy of my key, does not give you permission to get yourself into what that key accesses. Likewise, jsut because you find out my password, doesn't give you the right to access my computer. Both are methods for securing something, indicating unauthorized access is forbidden and you need permission. Copying/stealing the key isn't permission.
So the kid broke the law. However, no real harm was caused and it's not a big deal. So he's being charged with a minor crime, and will get a small sentence. He keeps his nose clean, in 2 years they'll be no legal record of it, and likely nobody will know he did it. However, if he does it again, maybe he gets a couple months in jail to consider where the path he's choosing leads him.
To me, it sounds like justice being served as it should.
These little devices simply plug in between the keyboard and the PS/2 port on a PC. They're usually beige in color and look as if they're supposed to be there.
You can get them at sites like this and this.
I've never heard of USB keystroke loggers however (probably because the information transfered between USB keyboards is in an arbitrary format), so any computer using a USB keyboard (modern Macs only have USB keyboards) should be safe.
Finally, the method of data retrieval is also fairly simple. Simply unplug the device and plug it into your own computer, and in any text editor start typing a certain "code" to open an interface to the keylogger (I think some might come with special software for it as well).
Best. Webhost. Ever. Dreamhost.
Nope. This took in the signal from the keyboard, recorded it, and passed it unchanged (barring minor quantum crap ;-) ) to the PS/2 port. As far as the computer was concerned, there was no difference.
If you're referring to the actual article, then maybe this quote will help " 'He was cooperative and admitted he had done this,' Simpson said, adding that police confiscated the device, which plugged into a keyboard port in the back of a computer tower."
Sooo, how many run of the mill teachers are supposed to be checking their ps2 port every day, or even before/after each class? Yeah... That's what I thought!
Two things I did in high school:
:) This had been done before but without actually login them in so it was much uglier. But, I didnt stop at this.
:)
:) and got some vague threat about the police and stuff.. I hadnt done anything wrong, but they just wanted to know if it really was me who logged in using my acount and if I would know how to change the "settings" so that I wouldnt be able to login any more :-D
1. My school ran a Novell network where the login program was a simple dos-program (login.exe) that prompted you for username and password. I made a trojan and swapped the exe-file (I think I used Pascal) for a program that wrote down the username and password to file. This file you could pipe to the original login.exe and voilá: the user wouldnt know that his password had been sniffed
Instead of going around to every computer collecting all passwords (which had also been done before by some other guy) I used the command-line mail program to mail the username/password to me everytime some logged in (very stupid, I actually used my OWN mail account, not a hacked one, luckily I didnt get caught). So everytime I logged in I would get "You have 354 new messages!" *chuckle*.
So the next step was of course to write a program that would sort this information into one master file, replacing old entries and so on.. in a couple of days I had a full register of all users passwords in the whole school, including all teachers (and comp admins)
2. I logged in to the schools web server using telnet just looking around. I used my own login name and password. The next day I was picked up in class and taken to a room, and I swear there was this interrogation-table-lamp there and all
28 days, 6 hours, 42 minutes and 12 seconds... that is when the world will end.
Isn't this similar to this article?3 11227&tid=158&tid=17
Federal Judge: Keystroke Logging Isn't Wiretapping
http://yro.slashdot.org/article.pl?sid=04/11/23/0
And why is he being charged at all?
I dare say it's a 1st offence (Pretty crafty - But minor nontheless) and he is 16 - not even an adult yet!
Isn't this why we have suspension in schools?
'Charging' the kid just sound like typical american dumb-ass syndrome.
Here is a smart enough kid to think up such a bright idea (misguided as it was) and the US system wants to fsck him over rather than guide him in the right direction (say, computer security courses might be handy!)
Here's one procedure you can use whenever you use a computer that might have been interfered with (in a lab, in an internet cafe, even in a dorm).
This only works for GUIs, I'm afraid. It's important to use the *mouse* for cursor positioning, not the keyboard, as described below.
The basic approach is this: When you type in a username and/or password, don't type the username and password straight in. Instead, swap betwen the two fields, don't enter the characters in order. You will have to position the cursor where appropriate. For example:
Click on the password field, and enter the 4th letter of your password. Then click on the username field, and enter the last letter of the username. Then click at the front of the field and enter the second character. Then back to the password, and enter the first character. Etc etc. Even if you only do this for a few characters, it will help security immensely.
At the end, the keystroke logger will have collected all the characters in your username, but any spy will have a nice anagram to reconstruct.
The truly paranoid can add extra characters early in the process, and then overtype them later on. This is particularly useful if the selection is done by the mouse and not the keyboard - the spy wil have no chance of reconstructing the password if some of the captured kestrokes aren't even part of the final password.
A simpler method is to stop typing the password partway through, click on another app (don't use alt-tab or another keyboard shortcut; the logger will capture this) and press a few keys, then return to the browser/whatever and complete the password.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
The students at the school I went to quickly worked out that At Ease could be circumvented simply by pressing the "Interrupt" key that Mac Classics had handily available on the side of the case. The teacher wrote in to MacUser and the solution they suggested was to "detach the keys" :).
... fun times.
At least they had got a tad more of a clue than when I was there. I got banned from the computer room for locking a file (ie opening the properties box and clicking "locked"). They had to march me into the computer room and make me show them how to unlock it. It didn't help that my friend had recently renamed the hard drive to "This is shit" because all the games had been taken off.
Oh, and I can't count how many times the head of computing used to have to go round renaming "Pubic Folder"
"The dew has clearly fallen with a particularly sickening thud this morning"
The article linked to is from 2002 and is about giving the GRE on paper in China and India. Sort of misleading in the summary. The GRE in the US is and will be given via computers.
The Tao that can be spoken is not the one eternal Tao