UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
Blowjob would have done the same without all this popularity. Huh .. kids will never learn.
Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.
Hulk SMASH Celiac Disease
She can't keep up at school, or while hacking the teachers.
No, I'm not sure the universities are that careless.
They're also supposed to initiate the students to some very basic social behaviour and these don't include cheating and stealing identities.
I'd suggest they just eject the faulty students because they failed at being responsible grown ups.
Trolling using another account since 2005.
if only unsophisticated hackers can get into the system, we have nothing to worry about! carry on...
I guess it brings a new meaning to not being able to hack it in college.
*ducks*
"I'd be smart if I didn't let thinking get in the way."
I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
unixkb.com -- articles on practical Unix issues.
According to the article, this was merely social engineering at work, as "the person guilty of changing the grades fraudulently obtained passwords using personal information of faculty members who have access to the grading system, Desruisseaux said."
XML is like violence. If it doesn't solve the problem, use more.
The least she could have done was use Tor and Privoxy. Oh well. So much for changing her grade. Now that she's going to be a bona fide convict, she can pull down the six figures like Mitnick.
"It's not like 300 grades were changed or anything like that," he said. "It's not even close."
Like one person getting credit for something they didn't do isn't enough... it's got to be mass fraud to care?
"It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so it's believed [she used eGrades at] both locations."
Idiot!
Get your Unix fortune now!
Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
the only grade that was changed was an F in "Ethics 101".
That this is significant slashdot news. The woman did the wrong thing, and didn't even do it well. What's the deal? That she hacked, or that she was caught? She fsked up and now she pays the price. Nothing to see here, folks, move along...
"Eve of Destruction", it's not just for old hippies anymore...
Changing your grade is as simple as looking for the password taped under the desk!
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
i would worry about the people that didn't
[*_-]
... just blends way too smoothly with the body of your comment! Was it intentional, by any chance? ;-)
Paul B.
"An important distinction in this case, compared to some other instances you've seen reported on around the country, the integrity and security of our grading system is intact and was not compromised," said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
The Security of the grading system is INTACT? Hell yeah!
All generalizations are wrong.
Their security is laughable! "If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said." Nowadays that is not hard info to get a hold of. What's next, will they let you reset someone's password if you know their occupation?
By direct inference, any academic establishment that DOES get hacked by amateurish methods, or by people walking off with laptops holding unsecured data, etc, is clearly NOT a University, or at least not one with any credibility.
The obvious solution is to say that any teaching establishment that suffers loss or distortion of data by techniques that could be expected of that age group (or younger) should lose their license to teach for that year. If you don't have the brains to back your credentials, then your credentials are worthless.
HOWEVER, this can ONLY work if Universities (and other teaching establishments) have the money to become secure in the first place. They should be given that funding and then they should be expected to deliver on it.
If the Government won't cough up the cash, it shouldn't be in the business of teaching in the first place. A little knowledge really is a dangerous thing. If the Universities and schools can't manage their own learning, then they can't be trusted with someone else's.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I was cleaning a computer lab today. Under a desk were piles of CS final exams and progress reports from 1992-5. Not that I could change the grade, but it's a bit scary to think that's where those things end up. One of them belonged to a current staff member. She was slightly scared when I gave it to her.
The fault in the software is that to change the password it requires no "hidden" information. Name, birthdate, and social security are not all that hidden especially on a college campus where they are thrown around daily.
In most cases where you forget your password they send it to your e-mail address. Why do they not do that in this case? If they had done that the girl would not have access to it since she never did know his password.
Saying this is not a fault in the software is to save face, but people will know.
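Several comments in this thread suggest replacing the SSN-and-birthdate reset with one validated through the account's registered email. The sketch below sets the two flows side by side as an added example; it is not part of the thread and not UCSB's code, and the class, field names, token lifetime and sample account are all assumptions.

```python
"""Knowledge-based reset (the flow quoted from the article) beside an emailed
one-time token. Illustrative only: every name and value here is an assumption."""
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy value)


def hash_password(password, salt=None):
    # Salted PBKDF2; the salt is stored in front of the derived key.
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(stored, password):
    return secrets.compare_digest(stored, hash_password(password, stored[:16]))


def token_digest(token):
    # Only a digest of the token is kept server-side.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, accounts):
        # accounts: netid -> {"email", "ssn", "dob", "password"}
        self.accounts = accounts
        self.pending = {}  # netid -> (token digest, expiry time)
        self.outbox = []   # (recipient, message); stands in for a mail system

    def reset_with_ssn_dob(self, netid, ssn, dob, new_password):
        """Weak flow: whoever holds the SSN and date of birth sets the password.
        Nothing is sent to the account owner."""
        acct = self.accounts.get(netid)
        if acct and acct["ssn"] == ssn and acct["dob"] == dob:
            acct["password"] = hash_password(new_password)
            return True
        return False

    def request_reset(self, netid, now=None):
        """Token flow, step 1: mail a random single-use token to the address
        already on file. The requester never sees the token directly."""
        now = time.time() if now is None else now
        acct = self.accounts.get(netid)
        if acct is None:
            return  # same silent behaviour for unknown ids
        token = secrets.token_urlsafe(32)
        self.pending[netid] = (token_digest(token), now + TOKEN_TTL)
        self.outbox.append((acct["email"], "reset-token:" + token))

    def complete_reset(self, netid, token, new_password, now=None):
        """Token flow, step 2: the token must match and be unexpired. The
        pending entry is removed on any attempt, so a token works at most once
        and a wrong guess forces a fresh request (a design choice made here)."""
        now = time.time() if now is None else now
        entry = self.pending.pop(netid, None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry or not secrets.compare_digest(digest, token_digest(token)):
            return False
        acct = self.accounts[netid]
        acct["password"] = hash_password(new_password)
        # Tell the owner, so an unexpected reset is noticed.
        self.outbox.append((acct["email"], "notice: your password was changed"))
        return True


def sample_service():
    # Constructed account; the SSN and date of birth are placeholder values.
    return ResetService({
        "prof": {
            "email": "prof@example.edu",
            "ssn": "000-00-0000",
            "dob": "1960-01-01",
            "password": hash_password("original"),
        }
    })
```

In the token flow, knowing the SSN and date of birth gets a requester nothing: the only path to a new password runs through the mailbox on file, and the owner is told when a reset completes.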
Get real. This doesn't even rate "script kiddie".
As for the answer to the question "are universities too careless with their data?" -- well, UCSB certainly was. Allowing passwords to be reset with just the SSN and birthdate was asking for trouble.
I always mod up spelling trolls.
No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after...
Ah cheating how it has evolved.
I remember reading awhile ago when a middle school student changed his grade by creating, I believe, a macro that increased his grade by 10% every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.
Another cheating example that comes to mind is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.
As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. In my physics class that I am taking now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be dealt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges.
Believe it or not, they keep MAC address databases, any self respecting router will. Who is to say the police can't trace the IP to a wireless access point and check MAC addresses? Who is to say that free is really free, that it's not one big honey pot? They have cameras? They know the time it happened??
It ain't that easy...
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
So don't click "Read more" and post a comment.
Dude, get with it - it's news cuz it's a chick! Everyone knows the only good chick hackers are Jeri Ellsworth and Angelina Jolie! :)
Try a degree in Zen. You can't do anything with it (like Comp sci) but you get the benefit of a state of well-being.
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
The ______ Agenda
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as ssn and birthdate. Better would have been to send a new password to the user's email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
Follow the logic! It's very simple why we like her:
1) She hacked in and changed grades, which required password theft.
2) Theft is what is needed to get the mp3 files that Slashdotters download on P2P networks.
3) Mp3 files are ignoring IP rights.
4) IP rights are what commercial software is based on.
5) Commercial software is what we hate!
Therefore, her hacking helps FOSS!!
Everything should be FREE!! Now can you spare a dime? I need to buy some new cardboard to patch my walls up.
"If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. "
Well that's why the "Chip in the Forehead" technology is being worked on. Find my identity will you *CHOP!*
I happen to think of hackers like a baseball player. They have a greater responsibility to people, they were born with gifts. And if they use them for their own benefit and not society, then why did God give them more?
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
A friend of mine at university used to have "Tempus Fugit" in his email signature file. This pretentiousness could not go unpunished so we changed it to "I wank daily"
He was sending out emails with it on for a week before a professor wrote to him telling him to change it to something more appropriate.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
The suspect worked for an insurance agency, but it would not be difficult to find this information through other means. :-)
I agree. What is worse is that there is this system out there where joe black-hat can crack and steal a shitload of valid SS#s... not what I would call smart overhead for the school. They should make it all anonymous. Forget your passwords, click to reset and validate through email. Fsk private information! It's stupid.
"Like one person getting credit for something they didn't do isn't enough... its got to be mass fraud to care?"
Hmmm...that reminds me.
*checks on P2P download*
Coming along nicely. Uh, what were you saying?
Yes, I'm careless for having windows made of regular glass instead of tempered. While we're on that note, let's fault me for having a wooden door instead of a steel one, and dirt in my crawlspace someone can tunnel into.
I think the university did the best it could here. No matter how high/tall/hard you build it, folks are always gonna try and break it. It's just a fact of life.
I think the only person careless in this whole shebang is the girl that did the grade changing. I doubt this is the most morally devoid thing that has ever happened in this professor's class.
I can't recall how many times I had girls that liked me offering to do my homework in school, or how many times I saw someone blatantly fuck another person's report up by checking all the books pertaining to their subject from all the local libraries. I think the worst I've seen is the preferential treatment some students get, whether it's because of being on the football team, or some other popular school group.
There's a lot worse that goes on in schools, it's just she got caught.
Can it be an indictment on society? Do we have a society where we MUST be the best to be happy? Are we stacked up against each other?
What does an "A" mean? What does a "C" mean? And how fucking desperate does a person have to be to cheat, to risk expulsion? God, what are we doing people?
People learn differently, some visually, some auditory, some hands-on. Yet we have done little to maximize people to their potential. We over work the lower classes. We have a system where life at the bottom to middle is miserable.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
War games?
She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.
So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.
"You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking..."
Although you will notice that no one will dispute that a crazed individual with an axe isn't a "Hacker".
So that's where all the female computer geeks are...jail.
"Student Engineers, grade hack" rather than "Student engineers grade-hack"...
I'd grade it an F. (She got caught.)
Paleotechnologist and connoisseur of pretty shiny things.
Leave it to a woman to get caught.
I'm not a misogynist!
Changing grades = 4 felonies ?
In 9th grade a friend and I discovered that we could open up the chooser (macs) on any computer in the school, click on a teacher's name, put in their password (super easy guesses... last names in most cases) and have full access to all their files. We read both the school and district rules and found that as long as we didn't change anything we were safe. So during class we would browse that teacher's files while they were looking. It was pretty funny considering most of our teachers were pretty cool.
really bored? My blog
Universities too careless with their data? You tell me..
2 2+site%3Awww.mit.edu&btnG=Google+Search
http://www.google.com/search?hl=en&lr=&q=%22index+of%22+site%3Awww.stanford.edu&btnG=Search
http://www.google.com/search?q=%22index+of%22+site:www.princeton.edu&hl=en&lr=&start=100&sa=N
http://www.google.com/search?hl=en&lr=&q=%22index+of%22+site%3Awww.yale.edu&btnG=Search
http://www.google.com/search?hl=en&q=%22index+of%
" They are also centers of research, collectors of learning, venerated halls which house the brightest of the bright."
Universities are also supposed to be models of openness. That's why the BSDs and Open Source originated there. Let alone the Internet. Criminals, by definition, are about exploitation. The two naturally are at odds.
... did she really think there'd be no trail, and no way to repair what she did?
Obviously not. Obviously, it never occurred to her that there are people who work with computers for a living, whose very job definitions are "Maintain this data's integrity. Make sure that we can correct whatever faults are introduced."
Give her e-mail account a Darwin award. I mean, really...
Forget what she did for just a moment. When it comes to any even slightly unethical action -- either online or in the physical world -- you're going to leave a trail. Unless you assume from the get-go that you are going to leave a trail, are exceedingly careful, and more than a bit lucky.
That is not a Hack but a fraud, felony, break-in! /. moderators should know the meaning of a hack.
How is this any different than the widespread cheating that goes on in campuses everywhere nowadays? It's common to see students cheating by sharing answers to homework, gathering information from others about previous quizzes/tests and the silly amount of plagiarised papers/code, etc that is turned in as original work and graded as so because it slips by the plagiarism filters? I'm not blaming professors as this is not necessarily their responsibility at all times. It is expected you are there to learn and work hard to get there. But with grades being so important to some people, they will go to great lengths to cheat. The saddest part is many people don't see this as cheating but rather "playing the game".
The fact this girl changed her grades is of course wrong in every way possible but I give her credit for being original about it. She should have thought it out better but she is better off having been caught. My only point is her type of cheating only scrapes the surface of what I've observed going on around campus.
I myself have never cheated, although tempted, in any of my courses and I think that gives me an edge on others. But, with so many curved systems, it bothers me to know that you see someone copying someone else's homework get the same, if not better, grade than you. In the end I don't care. I'm not in a personal contest to get the best grades...I do it for myself. But let's make no mistake, cheating is rampant on probably every campus in the world. And let's not even start on parents doing their kids' homework in high school with the hope of landing a better college for their brat!
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
The article makes a big deal about how "savvy" this girl is, but seriously - how much knowledge does it require? When you click on the "forgot your password" link, it gives you a prompt with the information it needs to let you change your password. If presented with a website that says "Please enter your SSN and DOB to change your password", it doesn't take a genius to figure out what information to get.
She did demonstrate some creativity by using her work DB to look up her prof's personal info. However, considering that she did NOTHING to conceal her identity (steal wi-fi, use a proxy, etc), she clearly wasn't a savvy hacker. Smarter than the average user, perhaps, but definitely not a crafty blackhat.
Well at least the person gets to get a college education through our prison system. Although what use is it when a company runs a background check or requires you to have use of a computer system.
At least they were lucky enough to let their employer know they will be required to give up logs for the user.
http://yro.slashdot.org/comments.pl?sid=142268&threshold=-1&commentsort=0&tid=98&mode=thread&pid=11925054%2311930483
i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.
It's an ID number. The problem is, your name and DOB don't necessarily uniquely identify you, there are many documented cases of two people being born with the same name on the same day. Also, names are a very easy thing to confuse, you say one thing, they hear another.
So SSNs are a good identifier. Their primary, and original, purpose is to track earnings for social security purposes. However Congress later authorized its use for lots of other identification things (like tax ID).
Now the problem is that for some reason many institutions treat it as a password or the like, rather than ID. They assume names and birthdates are public knowledge, but for some reason an SSN is secret. No, not really. It's just another identifier, and should be treated as such.
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret. It should be given no more or less weight than information like address, DOB, full name, etc. It's all just tidbits to uniquely identify you.
Now part of the problem is, short of DNA, how do you really go about verifying your identity? I mean most proofs of identity rely on other proofs of identity. My passport proves my identity, but to prove I should have it I used things like my driver license, birth certificate, and personal details.
So you can understand why things like SSNs are used for identity purposes, the problem is too much weight is put in them. It's assumed that they are like some kind of secret password that only the person can know, when really they are just like a DOB, not hard to find out.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
Not to be confused with regular https. Geeky https is where you've been taking too many brain pills and decide to encrypt regular http by hand!!! In 128-bit no less!
This chick is like a lame script kiddie!
Come on, did she not even bother to watch Hackers? Don't compare her to Angelina Jolie. At least Jolie helped hack the Gibson from a telephone booth.
This poor excuse for a script kiddie tried to change her grades from her dorm room and was caught; she was logged from her residential IP address. LAME!
The least she could do was consult her local Blockbuster and rent a movie that would teach her not to be dumb as a tack. Not that I'm condoning Hackers as a movie with any real redeeming technical information (aside from mentioning the Dragon Book -- which owns)...
I'm pretty much just calling her stupid.
-- -=innocent ramblings from the mind of an insomniatic programmer=-
"No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after..."
Smart Cheater. Is that anything like "Military Intelligence"?
So if cheaters are smart? Then who exactly are they cheating?
"failed to conceal her IP address from authorities" So she also got an F for cracking?
"Never trust a computer you can not throw out of a window..."
"Blowjob would have done the same without all this popularity. Huh .. kids will never learn."
Unfortunately this leaves the straight guys out in the cold.
She's making other female hackers look bad! Damn her!
The reported MAC can be changed at the OS level, and there is no need to alter the card in any way.
Oh shit!
Not that I'd condone this, but it actually is that easy. You change the reported MAC address. Not a big deal at all.
I dunno. I have heard that companies have made PC components that have more information than is known. The electrical pulse. The DNA of the computer world.
If I really, really, really wanted to hack into something, and I think I would get a cheap NIC card, one I could later burn. What is a MAC address? Something we know? But what don't we know. Printers are being sold that print microscopic dots, so if someone prints a dollar bill the Secret Service will know some things about the person. Can anyone here tell me they have not built that kind of technology in NIC cards?
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
I think the point is that Universities in the US are being hacked far too often and that people's personal information is being easily exposed. The deal is that she successfully hacked something which should be way more secure and isn't a particularly good hacker.
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth
Am I the only one who thinks this is a ridiculously shortsighted authentication system? It's not that difficult to get a person's (professor's) ss# and date of birth. I could pay $100 right now and get Henry Yang's (UCSB Chancellor) ss# and date of birth. Please tell me I misread this!
So, come on now, tell me: ;-)
What grade did the student engineers of UCSB give the girl for her hack?
First, yes this does show that something is wrong with the security of campuses...I am at UCB and I recall that sometime last year we got an email through an instructional (class) account saying that our Student ID Numbers might have been compromised and that they are looking into it. While there isn't much one can do with SID's, it still kinda got me worried - I mean what if they got our passwords or something, and what if it was the same password as say the registration system (where someone could actually unregister you from Berkeley...).
I understand that since universities are prominent institutions, they may be the target of many different attacks but on the flip side, since so many students and faculty members are part of the university community, there should be that much more done in terms of security. I sure as hell don't want anything about me compromised (boy am I glad only the grad students' ssn were stolen the other day).
And also, to those who talk about how easy it is to cheat, it isn't. Almost all CS classes (for example) have a hardcore system that checks your code against everyone else's. Yes, it does take care of changing variable names and whatnot, it checks logic - and if you get caught (which many do) you will get an email telling you who you stole from, how much you stole, how much is deducted, etc. So in short, cheating is not easy.
There are comparable systems for say papers in humanities' courses, although checking natural language is a lot harder of course - but I believe those systems DO check against a massive database of published papers to see if you plagiarized from outside sources (in addition to checks with other students). And as for exams, it is rare for people to cheat - usually TA's are walking all over - if it was so easy to cheat as some people here say it is, then I am sure many bright college students would figure it out (and the bright TA's and professors would probably respond to it quickly too).
University of Computer Skills and Bowhunting.
Schmidt said although eGrades is accessible through the Internet, there are security precautions that protect it from unauthorized usage.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
So that's why Amazon.com uses https - they want to protect their ordering system from unauthorized non-geeks.
Seriously though, there was not very much "technical savvy" in this "hacking" incident.
Pop under ads!!!!
XML is like violence. If it doesn't solve the problem, use more.
... we did have some REALLY cool gals in our class back then! ;-)
Archaeology, maybe?...
Paul B.
was the password "pencil"?
- "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I certainly hope those aren't his exact words. Otherwise, I'd have to say, he's a complete f'ing idiot. SSL is not "real protection". At its very best, it stops people from snooping. And having seen, first hand, how a number of universities manage SSL web servers, I would not be surprised in the least if they were using/allowing 48 bit SSL (which any modern computer can crack in less than a day.) HTTPS vs. HTTP didn't have a damned thing to do with this "hack". Maybe the university would like to explain why they are using a person's SSN as a form of identification in explicit violation of the Social Security Act of 1970. Btw, that's a serious felony that trumps the student's 4 (lame) felonies... just saying my name is [something other than my name] is a felony now? What. The. Fuck.
Besides everyone's favorite memory of bypassing the computer security at highschool (i did this about between 6 and 12 different ways)...
On my campus my friend found an anonymous FTP and downloaded a file. That file just happened to contain the names, SSN, and other information of all the international students...
They decided to tell the university. One roommate worked for the IT department and told them about the FTP.
Later that day, the FBI gets a warrant to search the apartment. The roommate working in IT gets fired, the roommate who downloaded the file gets expelled (overturned), and a third roommate has his computer taken (still not returned, taken August 2004).
Oddly enough the university couldn't really do anything, as there were no laws regarding logging into public sites, nor was there a campus policy about it. Still, it justified expelling one student, firing another, and telling a computer engineer that he couldn't use computers on campus for a few months...
With other computing snafus recently making headlines, are universities too careless with their data?
Yes, yes they are. From "student IDs" (aka your social security number) to passwords that haven't changed in over 10 years that access "test" databases with actual, unencrypted passwords... it's a wonder this isn't happening more frequently. I was given access to the complete student record when I was just a student employee too. I was shocked at the amount of trust my manager put in someone they had only known a week.
Knowing how bad things are, when I recently signed up for an extended learning class at another university, I asked if they could give me a number other than my SSN for my ID. Their answer was a flat no... which is ridiculous because I'm sure they make up a number for foreign students, they surely don't have SSNs.
discourages inventiveness and increases possibility of writing off the punishers... prepare for soup stewing. Where's the voice that perhaps the students have surpassed the teachers? (in system security and use, most obviously) A measured and productive response would be to change policy (improve systems, increase openness) and participatory rationalization and system introspection (open discussion between educators, parents and children, with actual response to change in the environment)... as it stands, the whole point of education seems to be to funnel the innocent into lives of obedience and disjected proponency of authoritarianism. Perhaps there's not the funding. Throwing up walls between teachers and students is no good for anyone. The best way to learn is to teach, but learning requires a nurturing environment, not unquestionable dictation. As teachers, they've the most to learn.
"Do they really want to send people like this girl to prison for several years? For what reason?"
There's no joy in gaining power if you don't exert it. Every ill-conceived law will eventually be abused by an "ambitious", "hungry", "eager" young assistant DA trying to work the angles towards a federal judgeship.
How many of those federal judges used to be defense attorneys, and how many used to be prosecutors?
The system is inherently flawed.
What's wrong with using encryption at higher levels? Like, indeed, SSL?
True, browsers and other software store passwords in files, which are usually accessed unencrypted (SMB, vanilla NFS), but these files are usually encrypted these days -- decrypted only by the software itself.
Why encrypt ARP, again?
In Soviet Washington the swamp drains you.
I can't believe they quoted Kevin Schmidt, campus network programmer for the Office of Information Technology as saying:
...although eGrades is accessible through the Internet, there are security precautions that protect it from unauthorized usage.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I know I feel better now, knowing they protect people from accessing and altering their grading system WITH AN SSL CERT.
That's an embarrassment.
May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
I'm not going to say where, but it's a major school. I know that most of the professors do not realize that the network drives they are using like local drives are public by default. Some professors like to use them since they can access those drives anywhere on campus. Any somewhat knowledgeable student, even with a guest login, can browse through them and see everything that the professors think is private. Tests, answer keys, quizzes, family pictures, and yes, even porn. Anything they save on the drive.
;)
Also note, student shares are also public by default, so you can browse other students' homework if you get stuck on a problem.
It's been like that for YEARS.
Buy Steampunk Clothing Online!
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots' when he is done with it."
... Except for the whole IP address thing, I think she should at least have gotten extra credit in her computer class.
"Derp de derp."
Like their student clerks? All of that whiz bang security was negated because an advisor didn't want to do the paperwork himself. Whether the password was disclosed to you or they typed it in and gave you free rein, there was no "security".
Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
was 'pencil'. That week. Written down on a piece of paper carefully kept in the drawer.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
I'm willing to bet she wouldn't be facing as much jail time, she wouldn't be in the news, and she wouldn't have had bail set at $25,000.
Just some perspective.
--This sig is in beta. Please let us know abut any errors you find.
In some Pascal classes (yeah... that was long ago) I got perfect scores without coming to the classes at all, whereas a lot of people had slightly above average. The professor decided to take action for the last exam, and put me in a corner, two desks away from everybody, and a SECOND professor came in to observe me for the whole exam. She admitted as much afterward. Result: everybody else got a bottom low score, and I still got my next to perfect score. It was clear from the questions asked and the results that the contrary of what she thought had happened: people in all directions had peeked at my papers, and I was not cheating. She discussed it with me afterward, but it was rather funny: if she had discussed it with me and the others, it would have become apparent that I already had a lot of Pascal experience before university, whereas the other students were "sinking" completely and lost. A 5-minute conversation with the students would have been enough to check that. But hey, a professor speaking with students, the horror, the horrors....
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
you said:
:: terrorist attack : prank
USCB student action : hack
I think we would agree that a terrorist attack is much more serious than a prank. So by your piss poor analogy, that would mean that what this gal did was a much more serious / severe form of a 'hack.'
I don't believe that's what you intended to communicate; think first next time. That way even if you're making a pedestrian, tired, cliched point, you may at least do so competently. That's all.
Hate to break it to you, but that's not how you get head. (Insert smiley here)
Is it only me, or did you as well notice that a hacked computer login is now called "identity theft" as in "credit card fraud" and all the other stuff we use to associate with it?
I do a comp science degree... the holes I've seen at my uni are rather large. For example, we sit some exams on PCs, but if you go on MSN while in the test nobody will notice... Citrix sessions on public terminals with username/password for the server saved to machine. FTP servers running software with known exploits.
lol, and you can "net send" the machines projected in the 400 people lecture halls. I haven't even been looking for holes/etc, these are just really obvious.
As for plagiarism... that's a bit of a joke really. I know people that have paid someone on the internet to write a piece of software for their coursework... they then paid him extra to make two copies of it which look different.
"Don't fumble through boring man pages. Try my product!" - Richard M. Stallman, GNU Founder and CEO
GNU GVideo GProfessor is the leader in computer learning. We have taught over 5 million people, and we can teach you GNU/Linux, GNU/Emacs, GNU/gcc, and more! GNU GVideo GProfessor was founded in 1983 to provide consumers with training on software for their personal computers. Since that time, millions have successfully used and learned from GNU GVideo GProfessor's fool-proof "What-You-See-Is-What-You-Do" teaching method. The first lesson, GNU
It's FAST! You'll be up and running in an hour! Don't waste time sifting through man pages, commuting to classes or seminars. Just pop in the CD-ROM and you're learning!
It's EASY! It's as simple as 1-2-3! GNU GVideo GProfessor's straightforward "What-You-See-Is-What-You-Do" approach makes learning as easy as watching TV!
It's CONVENIENT! We're ready to teach you day and night! With your busy schedule, you don't have time to waste at classes or seminars. Don't fumble through boring man pages. Whatever your schedule, we're ready when you are!
It's COMPLETE! These aren't short teaser lessons. Each 60-minute lesson takes you from installing the software to more advanced skills. And they're not just for beginners! We'll surprise you with the knowledge you'll gain!
Why Am I Making This Incredible Offer? I'm so confident that once you try my exceptional "What-You-See-Is-What-You-Do" learning method, you'll turn to us for all your computer learning needs.
* How it works!
The bonus gift and ANY TWO of the three computer learning CD-ROMs are yours free without further obligation, PERIOD. Take 10 days to decide if you want to keep the complete set of CDs. After your 10 day free trial, if you decide to keep the complete set, we'll conveniently bill your credit card just $69. Or simply contact our customer care number at rtfm@gnu.org if you decide to return any one of the lessons, and you will be charged nothing more!
Every day hundreds of people just like you learn with GNU GVideo GProfessor this same fast and easy way. If you decide to keep all three lessons, every five weeks you will continue learning by automatically receiving other GNU GVideo GProfessor subjects you have an interest in, billed on the same exact terms as your first shipment. Or simply call and cancel. Everything is up to you! But most important, you are never under any obligation to purchase a subject that you don't keep. Best of all, the bonus gift, and your choice of any two of the three computer learning CD-ROMs are yours to keep FREE!
Welcome to GNU GVideo GProfessor!
In our University we don't have such privileges.
i believe the password was "pencil", but WOPR probably decided otherwise.
Yes, little, cute, white suburban kiddies... Affirmative action is practiced by the UC system. It's unbelievable. Most of you people from Kansas will refuse to accept reality. What's her name? Ramirez? Yeah... it's "never" affirmative action when it's obvious... but we still "need" affirmative action. Yeah, right...
It really is the best way to avoid summer school.
Some people WANT to be offended. If you look to find offense hard enough, you'll get offended.
Well, since we're offtopic. Words with gender: "Chairman is sexist because it implies that only men get the top jobs". Well, if that is the concordance required to make that assumption, what about the words man, human and woman?
Is that saying man is less than human (because it has fewer letters) and woman is more than human because it is longer in proportional fonts? Because if we can make the link "Chairman" -> "Men in charge" then this one is at least more overt. I mean, "ChairMAN" has the same three letters in common with men as women, whereas "Chairwoman" has three more letters than man has and all of them are in woman. "Chairperson" is worse because it dehumanises the position. It is now a neuter position - men have been emasculated and women have lost their difference.
So how about we drop reading more into a word than is meant to be there and read into any ambiguity the *best* interpretation of what the speaker meant rather than the *worst*?
While I was finishing out my engineering studies with the required Ethics class taught by the department chair, he actually encouraged everyone to lie on their resumes, but in a way that was difficult to catch. No, it wasn't anything like civil engineering, just metallurgical. Have a nice flight....
There are a significant number of reasons why electronic fingerprinting of the underlying modulation methods will not work - the same NRZI (or whatever encoding) stream will be modified every single time it passes through another 'box'. Basically you will not (necessarily) be getting the actual electrons sent from the target machine, so any analysis is somewhat futile.
The manufacturer will list common tolerances for each NIC, but it makes no financial sense to database pulse characteristics for the 'millions upon millions' of cards currently in the world.
RADAR can be fingerprinted very accurately, the key difference is you receive the radiated energy directly from the emitter itself.
Not to disagree with you fully, there are other methods people are trying, but they are mostly borderline snake oil. Traffic analysis is the only viable solution, think of it like sifting through someone's garbage, their friends' garbage, and their friends' friends' garbage, and.... up to three or four association levels, any more and you begin to have issues with storage capacity.
Fingerprinting is indeed possible, but it will require very close access to the target's machine. Rarely possible without being noticed. Impossible unless you already know where the source is located.
I can expertly tell you there is no such technology in consumer network cards that will fire off information to 'them' - this can be confirmed with an off the shelf o-scope and some knowledge of coding schemes. Any other method can be detected with software. Protocol analysis.
No conspiracy.
I find it bad, that changing your grade counted as 4 counts felony.
3 Strikes and you can go to prison for life, it's no longer just 3 dangerous felonies, see http://en.wikipedia.org/wiki/Felony
http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...
She can lose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.
Hey, she could get busted for smoking a joint, or filling out a DMV record incorrectly and serve 25 years in prison. Thanks to 3 strike laws.
But hey, you feel safe now, right?
"With other computing snafus recently making headlines, are universities too careless with their data?"
Add to that
CSU Chico Identities Compromised, Mar. 22
Identity Theft from University Computers, Jan. 12
It's the trifecta that finally starts to turn people's heads, isn't it?
not much, really. if you RTFA, you'll see that they try to make it sound as if she did something technically savvy, but all she did was know the URL of the university's eGrades site. TFA has the quote:
which is bogus because her browser probably connected with https by default. it also mentions that she changed the profs' password using their Social Security numbers, which she got from her work at an insurance company.
it reads like the investigators are trying to spin it like she did something like cracking the system, but it's a simple case of identity theft and unauthorized access to the system, which is what the charges are. there's nothing that the UCSB staff could have done about this, except to follow their procedures. and it sounds like they did just that, which resulted in her arrest.
OTOH, the UC Berkeley incident sounds like lax staff. the person who put the info on the stolen laptop and subsequently left it unattended (presumably the same person) should be beaten severely.
... is that she'll probably end up with a $100k/yr job with a computer security firm.. that is.. once she is out of prison.
"Let's just say i had a little help from a little box"
"is this chick hot?"
We're a little ways from the penalty phase of this case, aren't we? The woman has been arrested and charged with a crime, by a real police department (i.e., not just campus security). It's just been or is about to be handed over to a DA or city/county prosecutor.
The penalty phase won't come until and if she is found guilty by a jury, and generally they'll decide on the severity of the punishment. Of course, the penalty could come earlier, if she accepts a plea agreement.
It's not offtopic, dumbass. It's orthogonal.
I'm always amazed that Universities publish this information on their websites. See https://titan.isc.ucsb.edu/cgi-bin/ldap/advsearch.cgi
That seems like a gaping stupid hole that was probably instituted because forgetful professors insisted on it.
I found that many professors are so focused in their areas they cannot comprehend the rest of the world around them. Then others have such a huge ego and they wave their PhD like it was assigned to them from God. I think in this case they should stop all the getting their password business and put the responsibility in the professors' hands. If they forgot their password they will need to go to the sys-admins themselves and show their ID, and explain that they did forget their password. If they don't want to do that then they will need to send their paperwork to whoever does the grading the old way and take the consequences for it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Sadly, due to a lack of any substantial penalty when corporations fail at privacy, corporations are most lax with personal data. And sadly, it rarely makes headlines when corporate data is leaked into the world.
... and the same with the health care industry (called HIPAA). Any known failure (or even potential for failure) needs to be reported, and then quickly reaches the press - or else larger legal penalties apply.
After all, corporations have strict communication and control policies - it's rare for a corporate insider to leak the news that 10,000 accounts have been stolen.
On the flip side, universities are regulated by strict privacy laws (called "FERPA")
Corporations do need to abide by some privacy regulations, but for the most part they are very lax, and the regulations only apply to a small amount of personal data, and the penalties for leaks are non-existent, so there is no incentive to do the right thing. Corporations also regularly sell and trade private, personal data to 3rd parties, and many 3rd parties may be untrustworthy.
Why not boost GPAs across the board, being random enough to elude detection, but not random enough to ensure that yours gets boosted? That sounds like the smarter alternative.
Windows has detected an undetectable error.
"I know a lot of people who'd fire a woman offering a blowjob for a favour, if they were her employer/boss."
Yeah, but most of them are women or gay.
I love how a handful of uptight mongoloids with mod points tried to knock the parent down because they didn't like the representation of male genitals. Oh, sure, it's funny and all, but if it looks kind of like a penis or has the word sucking in it, it's automatically flamebait, right?
Dopes.
UCSB Student Engineers Grade Hack
And they gave it an F.
...expect something different after reading the article's title?
"UCSB Student Engineers Grade Hack" - I expected that a bunch of UCSB "Student Engineers" had graded a hack (I give it a 7 for being clever, ...), not that a UCSB Student Engineered a grade hack.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
"...are universities too careless with their data?"
Well, that all depends on what you mean by "universities".
Generally, administrative systems are administered by computer professionals who follow all the basic best-practices, just like everyone else. And, university departmental systems are administered by pros as well.
The main problem you have is the students on the network and the rogue professors (who you can't get to comply even with submitting their damn grades, much less computer security guidelines).
Another point is that academic networks are generally more open than corporate networks. The academic network is not homogenous, and needs to be able to allow whatever strange and curious systems might need to connect to others. In the name of research, don'tcha know?
One thing to remember is that these "...other computing snafus recently making headlines" are high profile because they're in the news. What about all the security incidents that aren't in the news? For example, the corporate incidents which don't get reported.
Anybody who has experience with trying to secure computers knows that you can't be 100% sure that you're un-crackable. You follow security best-practices, patch like crazy, do your best, and hope that your users don't use their login names as passwords.
I think singling out universities, in particular, is unfair. Especially if you're not familiar with the academic culture.
"Knowing what information you need in order to do the password reset and gathering that information and then going and submitting the grade changes -- you don't just trip and accidentally fall into that," Schmidt said. "That requires some specific planning and effort to do that."
I'd like to ask Mr. Schmidt how did he obtain his job. Perhaps some "planning and effort"? THIS GUY IS RIDICULOUS, aspires to be the next nerd party cult hero.
Anyone else but me immediately think of the phrase "guilty until proven innocent"?
It's nice your school is trying to perform steps to prevent cheaters but that's just way too much. A university should be a place where you can live the life you want and the free exchange of ideas with many different types of people from all around the world, not worried if you've sufficiently proven you aren't a cheater to the satisfaction of one of the 70 select individuals.
Sheesh... why not just study and actually earn the fscking grades!
Organic free-range music... yum!
This is not my sandwich.
The people who care the most about college grades are the parents who subsidize the tuition. Keep them happy and the rest will take care of itself. Wouldn't it be easier to get by with an inferior but passing GPA and print a nice-looking document that looks like a transcript for Mom & Dad? If there is no signature, then there is no forgery. If the grades remain unchanged, it's not a hacking attack. Is there any law that covers a counterfeit transcript that was NOT used for employment purposes?
If the students are not willing to show up and get at least minimally passing grades, they should skip school altogether and head straight for the diploma mills. Of course, the budget-minded cheater can create bogus transcripts from colleges that used to exist but are now closed/merged/renamed.
I worked in higher education administration. I interviewed job applicants who had fake degrees. Our HR people went hog-wild researching the validity of transcripts. I doubt the average employer would allocate the resources to this activity to make it truly effective. Then there were the overseas degrees. Transcripts in Polish, Chinese, etc. Verifying the information was NOT easy. Most employers would be easily duped.
The weak point in the system is not the computer -- it is the hardcopy output.
if it wasn't for those darn meddling kids!!!
(Mwaaahhhh-ha-ha-ha!)
#6495ED - cornflower blue
I'm dying over here, I believe this is the most graphic thing I've ever seen on Slashdot. lol
I've watched this behavior, and it's much more prevalent (at least among all- or almost-all-male groups) when the group is a bunch of men who are constantly jockeying for position.
It didn't happen by and large in the campus sci-fi club, even at the events that were heavily male-dominated. It did happen in the computer labs late at night. Yes, there was a large amount of overlap between the two groups, but something about the different environment triggered this change in behavior. I'm saying that my personal observation has been that you get crude sexism much more when there's more showing-off and one-upmanship in general.
Back in the mid-80's there was a football-star/son-of-mayor Bully who was a pain in the arse... from kindergarten. He always got his way, and teachers were kinda forced to give him a passing grade. He was a supreme jerk, bashed us tokers into lockers, etc. He lied all the time -- but about stuff you could not easily prove. If he did get caught, his daddy would bail him out.
Anyway, a friend of mine "guessed" the admin password for their brand new district-wide IBM 360 based system; it was... "1 2 3 4 5". Rather than fix his grades or any of his friends', he did the unthinkable. He gave Bully straight A's for the current semester (it was December), and then we agreed _never_ to log into the system again. Luckily, report cards were just about ready to be printed... and they did print.
So, a few days later everyone got their report card. Including the Bully, who got A's. Then Bully and his parents made the fatal mistake -- they didn't report the error promptly.
Of course, several months later, the English teacher got pretty irate when she found out Bully got an A in her class for the previous semester. This caused an inquisition; and Bully was under the microscope by the whole staff.
Bully said he "didn't know" how he got the grade. The system administrator accused Bully of having one of his "dad's friends" break into the system and change his grade. Not a peep from us nerds. The latent frustration from the administrative staff set in... they were all too happy to have a "serious academic misconduct". No one believed him. No one believed his parents. He was suspended from school, and had to repeat his Junior year.
It was the best revenge. He _knew_ he got it up the arse, and everyone in the school knew "he cheated". We didn't have to taunt him... everyone else (including his football buddies) did it for him.
Hah!
because....? They obviously know it's a problem, so your flippant (whiney tone) "You're part of the problem, not the solution" isn't likely to make them change their mind.
You have a girl who worked at a company on the side where she had access to sensitive information about professors (and many other individuals). She steals that sensitive information and uses it to reset the password of the professors.
She then logs in to the grading system and changes her grades.
And the computer system worked like a charm. Any grade change resulted in a departmental notification. The professor, realizing that he did not make the change and could not log into the account any more, notified the appropriate authorities.
An investigation occurred and this criminal was discovered. Sounds like an open and shut case to me.
First off, the university in question *here* was compromised by a student that had external and unrelated access to her professors' personal information.
Second, the UCB article linked as additional evidence of carelessness discusses a laptop theft which took place in a restricted area of campus where the theft was actually witnessed.
This is careless? Why in the world would you blame the universities for these situations? It's not like either of these incidents involved someone breaking into the network from off-campus and downloading records or changing grades.
Microsoft cheerleader, blue flag waving, you got a problem with that?
UCSB states that the system worked. They are correct in that the system caught the change, and it was corrected, and the perpetrator caught. However, there was still a breach of privacy. The flaw in the system was the insufficient requirements to change a password (SSN and DOB? gimme a break!).
The password change has been disabled. You now request a password change, and someone phones you back, verifies you more extensively, and gives you a new one.
Keep in mind though, UCSB is hardly the only organization with such lax password reset requirements.
Without getting into a big discussion of database design, referential integrity, etc., this is the sort of thing I've always used triggers for: updating a row writes another record to another table indicating that it was inserted/updated/deleted.
I wrote a couple of trading-ish systems that used this when a person placed a trade. Came in very handy when a user called to say that he had lost some major $$$ because we screwed up his order, only to show him in the log that he had in fact placed his order at this time, and then tried to cancel it not a minute later, but a full two hours later, long after the close.
Yes it can be done in a procedure, write to another table, etc., but what I've always liked about triggers is that they're automatic, somewhat hidden, and easy to forget...
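The trigger-based audit trail described in the comment above, applied to a grades table, as an added example that is not part of the original post. The table, column and account names are assumptions, and SQLite (through Python's standard `sqlite3` module) stands in for whatever database a real grading system uses; the sample rows are constructed.

```python
import sqlite3

# Hypothetical schema: one grades table plus an audit table that only triggers write to.
SCHEMA = """
CREATE TABLE grades (
    student_id TEXT NOT NULL,
    course     TEXT NOT NULL,
    grade      TEXT NOT NULL,
    changed_by TEXT NOT NULL,   -- account the application authenticated
    PRIMARY KEY (student_id, course)
);

CREATE TABLE grade_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    action     TEXT NOT NULL,   -- INSERT / UPDATE / DELETE
    student_id TEXT NOT NULL,
    course     TEXT NOT NULL,
    old_grade  TEXT,
    new_grade  TEXT,
    changed_by TEXT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);

CREATE TRIGGER grades_ai AFTER INSERT ON grades
BEGIN
    INSERT INTO grade_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('INSERT', NEW.student_id, NEW.course, NULL, NEW.grade, NEW.changed_by);
END;

CREATE TRIGGER grades_au AFTER UPDATE ON grades
BEGIN
    INSERT INTO grade_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('UPDATE', OLD.student_id, OLD.course, OLD.grade, NEW.grade, NEW.changed_by);
END;

-- SQLite has no session user, so a DELETE cannot say who issued it; record NULL.
CREATE TRIGGER grades_ad AFTER DELETE ON grades
BEGIN
    INSERT INTO grade_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('DELETE', OLD.student_id, OLD.course, OLD.grade, NULL, NULL);
END;

-- The audit table itself is append-only: edits and deletes are rejected.
CREATE TRIGGER grade_audit_no_update BEFORE UPDATE ON grade_audit
BEGIN
    SELECT RAISE(ABORT, 'grade_audit is append-only');
END;

CREATE TRIGGER grade_audit_no_delete BEFORE DELETE ON grade_audit
BEGIN
    SELECT RAISE(ABORT, 'grade_audit is append-only');
END;
"""


def build_db():
    """Create an in-memory database with the schema and triggers above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_demo():
    """Apply three constructed changes; no statement touches grade_audit directly."""
    conn = build_db()
    conn.execute("INSERT INTO grades VALUES ('s1001', 'CS101', 'C', 'prof_a')")
    conn.execute(
        "UPDATE grades SET grade = 'A', changed_by = 'prof_b' "
        "WHERE student_id = 's1001' AND course = 'CS101'"
    )
    conn.execute("DELETE FROM grades WHERE student_id = 's1001' AND course = 'CS101'")
    return conn


def audit_rows(conn):
    """Return the audit trail in the order the changes happened."""
    return conn.execute(
        "SELECT action, student_id, course, old_grade, new_grade, changed_by "
        "FROM grade_audit ORDER BY audit_id"
    ).fetchall()


def audit_is_append_only(conn):
    """True if both an UPDATE and a DELETE against the audit table are refused."""
    for stmt in (
        "UPDATE grade_audit SET new_grade = 'A' WHERE audit_id = 1",
        "DELETE FROM grade_audit WHERE audit_id = 1",
    ):
        try:
            conn.execute(stmt)
        except sqlite3.Error:
            continue
        return False
    return True


if __name__ == "__main__":
    db = run_demo()
    for row in audit_rows(db):
        print(row)
    print("append-only:", audit_is_append_only(db))
```

The append-only triggers only stop ordinary SQL from rewriting history; an account that can drop triggers can still remove them, so the audit table needs its own access controls.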
She didn't even do it behind a proxy? Dang...
Ours was a bit more cruel. We added the following line to their login script:
logout
The profs caught on after awhile and fixed the bad login scripts though.
***It doesn't say anything negative about women at all.
*That's a fact, the worst I ever had was wonderful.
This is Slashdot! What are you talking about?
Thank you, thank you. I just got tea all over my keyboard and computer desk. My day will be a little brighter now.
Over Christmas break last year I got an email explaining that for an hour, personal information of some 30 computer science students was downloadable via the school's CS webpage. This personal information included everything... name, address, even so far as SSN. During this time, the information was viewed 14 times. The email goes on to say that I was one of the students whose information was shared. Thanks. The thing that troubles me the most, aside from the unnecessary use of everyone's SSN, is the fact that it was the *CS* department that posted this information. If the computer guys can't get it right...?
A bank robber who forgot to put on his mask, was captured today. News at 11.
The massive amount of security is actually tied to a much much larger system. BYU-Provo (the original poster was referring to BYU-Idaho) is three times larger, with over 30,000 students. However, the campus actually runs the data center for the Church of Jesus Christ. The personal records of 11,000,000 living people (and nearly a billion dead ones) are warehoused there so technical security, identity theft prevention, and privacy are extremely high priorities. Security policies both technical and procedural are employed at the university level, church level, and every level related to them. Some have compared BYU to being more technically advanced than MIT as far as full implementation of technology throughout the campus.
;). BYU will destroy its football program before they will allow the honor code to be slighted. The administration has booted entire sections of the starting lineup for honor code violations. You give your word to uphold the standards, and if you don't, you're gone. Simple as that. No hypocrisy, just enforcement. Most universities probably have honor codes, but at BYU, it's actually enforced.
Regarding the honor code. The Church Educational System which runs the BYUs and several hundred other smaller educational programs is guided by fundamentally religious principles. All students are asked to commit to living the standards of the Church in their educational pursuits. This is recorded in the record system. I'd have to disagree that asking someone to recommit is an example of hypocrisy, more like an example of support, encouragement, and patience.
And yes, if you break the honor code it is your ass, and probably your soul
I am a professional Security Consultant. This is what I do.
Most universities, schools, workplaces, SOHOs, and many homes are all "under secure" and could use help.
The problem is $$...my services and services of people like me do not come cheap.
So fix it, and just be secure - Firewall, backups, etc.
--E--
then how come my son hacking Wikipedia yesterday isn't emblazoned across the front pages?
Geesh, hackers at UCSB, the Zombie Capital of the World, who would have thunk it?
[caveat, my sister works there]
-- Tigger warning: This post may contain tiggers! --
Started playing a nice game of Global Thermonuclear War.
Even with the information Ramirez obtained, in a good system she would have also had to hijack the prof's mail. Much better to have the system email (yes, that is insecure too) you a new random password and disallow any further password changes until the person has successfully logged in. This way the victim knows immediately if something is going on while causing them little inconvenience.
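The reset flow proposed in the comment above, as an added sketch that is not part of the original post or of any university's system: a reset mails a random password only to the address on file and refuses further resets until someone logs in with it. The names `ResetGuard` and `outbox`, the sample address in the test, and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the sketch stdlib-only; the comment does not name a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetGuard:
    """Hypothetical account store implementing the reset flow in the comment."""

    def __init__(self):
        self.accounts = {}   # user -> dict(email, salt, digest, reset_pending)
        self.outbox = []     # stand-in for the mail system: (address, body)

    def _set_password(self, acct, password):
        acct["salt"] = secrets.token_bytes(16)
        acct["digest"] = _hash(password, acct["salt"])

    def register(self, user, email, password):
        acct = {"email": email, "reset_pending": False}
        self._set_password(acct, password)
        self.accounts[user] = acct

    def request_reset(self, user):
        """Mail a random password to the address on file; refuse repeats."""
        acct = self.accounts.get(user)
        if acct is None or acct["reset_pending"]:
            return False
        temp = secrets.token_urlsafe(12)
        self._set_password(acct, temp)   # the old password stops working now
        acct["reset_pending"] = True
        # Only the registered mailbox receives it, never the requester.
        self.outbox.append((acct["email"], temp))
        return True

    def login(self, user, password):
        """A successful login is what lifts the lock on further resets."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        ok = hmac.compare_digest(_hash(password, acct["salt"]), acct["digest"])
        if ok:
            acct["reset_pending"] = False   # owner proved mailbox access
        return ok
```

A caller who talks the help desk into a reset gains nothing without the professor's mailbox, and the professor sees both the mail and a failed login with the old password.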
my thirteen year old grandson got busted at home cuz he left his pron addresses in the location bar deally and my daughter found them rather easily. great, now i have to set up a squid proxy etc here at my house cuz he has a log in account on my deb sid desktop. oh well, the box i use for masquerading needed to be updated soon anyway...
Serenity now, insanity later.
I mean, can we have conjugal visits? Maybe she has a /. account.
/\/\icro/\/\uncher
FWIW, "your-2r8c40dfb2" or "your-34slks32sc" or similar (I don't know the exact number of letters off the top of my head) match the default Compaq naming pattern, at least for Presario laptops--my gf's shows up as something like that on my AP, and I've seen one or two others that did likewise. I think the random-looking part is either (a) pseudorandom or (b) the machine's service tag, so that when you go plug two brand new laptops into your network you don't get a naming conflict.
With that said, I suspect that if the same name showed up elsewhere as a spam source and then did a lot of upstream but little downstream traffic at your site, it's probably a spammer hopping from connection to connection with the computer auto-registering itself with the same hostname each time.
How many universities have you been in lately? I have been in/visited four in the past year, and they all have been locked down to the point of diminishing usefulness. In a corporate environment, IT staffs get in hot water for adversely affecting productivity, or for adversely affecting the boss's pr0n access. So a balance has to be kept. In the academic environment, IT only gets in hot water if a hack becomes publicized that affects school prestige. So all the pressure is in favor of locked-down, filtered, port-80-only access.
So in my experience, academic IT departments have become more authoritarian and less accountable in their use of power than other environments.
By the way- on the many campuses that use SSN for ID, you don't even need to hack a computer. Any class roster has everybody's SSNs right there.
The reason most First Posts are funny, is because it's several orders of magnitude easier to just come up with a funny quip relating to the topic, rather than reading the article, thinking, and typing up something that might be informative or interesting.
"UCSB Student Engineers Grade Hack"
SANTA BARBARA - At yesterday's hearing, the UCSB Engineering Student Ethics committee recommended expelling Nancy Ramirez, 21, for altering grades stored in the campus computer systems. The committee took the unusual step of publicly explaining the expulsion:
"Mrs. Ramirez's conduct was not only unethical, but the way she went about it was amateurish and did not show the proper use of intellect we expect from UCSB students. She left herself wide open to getting caught. If this had been a classroom assignment, she would have failed. Had she done this with the professionalism that the UCSB Engineering School instills in most of its students, nobody would have ever known."
A real hack is one who has a degree from MIT in computer science, and has never been to Massachusetts. And didn't attend MIT. And didn't enroll at MIT. And doesn't own a computer. And doesn't speak English. And lives in Zimbabwe. In a hut. With his mother. That would be a hack. This, this is unauthorized network use from a local terminal. Not a hack.
FWIW, "your-2r8c40dfb2" or "your-34slks32sc" or similar (I don't know the exact number of letters off the top of my head) match the default Compaq naming pattern, at least for Presario laptops--my gf's shows up as something like that on my AP, and I've seen one or two others that did likewise.
Close, but no cigar. It's XP's way of uniquely naming a computer. It uses the first word of the organization plus a "random" jumble of characters to make up the computer name. If the user accepts the default name in the end-user setup (aka mini-setup in the OEM world), or was never given the chance to change, this would result.
I agree with the term "to get ahead u have to give some head," but if she can steal the identity of 2 male professors maybe she wasn't worth the extra grade. IDK
One day.
I don't think that "Anonymous Coward" should be the appropriate term to describe who I am. I am the idiot, the girl that got caught. I got a note on www.thefacebook.com from a guy that asked me if that was me in "Slashdot." I had never heard of this website nor am I familiar with it.
First of all I'm not an engineer major. I'm a PolSci and Latin American Studies major. It doesn't take a genius to figure out how to get in. I didn't break my head for nights trying to figure out how to do it. I came across it (the website) and saw how easy it was. There's a lot the article is missing and that is because I didn't want to talk to the newspaper. I have enough going through all this legal drama. It's not the University that is at fault...I'm the one that got in their system. However they should realize that their security measures are not so secure. I didn't fail any classes. I changed other grades and figured "heck why not change my B to an A." Someone with more knowledge can do a lot more damage. Popularity...trust me I don't want it. What's done is done and I have to face the consequences.
Best to all,
---The idiot
When students start at Texas A&M, their student ID is their social security #. This number is used to login to various services for setup purposes, along with a PIN ... which is the student's birthdate.
...
I once ran the I.T. team for my Corps outfit, and chuckled at the thought of the 60+ sets of SSN's and birthdates on my machine. Like a postal employee with a conceal-carry permit, I was amused at the possibilities before me