UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
"It's not like 300 grades were changed or anything like that," he said. "It's not even close."
Like one person getting credit for something they didn't do isn't enough... it's got to be mass fraud to care?
"It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so it's believed [she used eGrades at] both locations."
Idiot!
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
"An important distinction in this case, compared to some other instances you've seen reported on around the country, the integrity and security of our grading system is intact and was not compromised," said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
The Security of the grading system is INTACT? Hell yeah!
No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after...
Gee, no wonder women are leaving it.
Geeks are starting to act like construction workers..."if a woman wants to get ahead, all she has to do is suck some dick."
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as SSN and birthdate. Better would have been to send a new password to the user's email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam, but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
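The post above contrasts a reset gated on SSN and birthdate with one that sends something to the user's address on file. As an added example (not code from eGrades, UCSB or the thread), here is the weak flow beside a token-based one: the server mints an unguessable, short-lived, single-use token, stores only its hash, and mails the token itself. The user records, the `OUTBOX` standing in for the mail system and the 15-minute lifetime are assumptions.

```python
"""Knowledge-based vs token-based password reset, as a worked contrast.

Added example, not code from the UCSB eGrades system described in the
thread; the records, helper names and the 'email' delivery are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user store; SSN and DOB stand in for the "private" data the
# thread says eGrades asked for on reset.
USERS = {
    "prof1": {"ssn": "123-45-6789", "dob": "1960-01-02",
              "email": "prof1@example.edu", "password": "old"},
}

def weak_reset(username, ssn, dob, new_password):
    """Reset that treats SSN+DOB as a secret. Anyone who can look the
    values up (an insurer, a clinic, a credit report) passes this check."""
    user = USERS.get(username)
    if user is None or user["ssn"] != ssn or user["dob"] != dob:
        return False
    user["password"] = new_password
    return True

# --- token-based reset ------------------------------------------------------

TOKEN_TTL = 15 * 60          # seconds a reset link stays valid (assumption)
PENDING = {}                 # username -> (sha256(token), expiry)
OUTBOX = []                  # stands in for the mail system (constructed)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(username, now=None):
    """Mint an unguessable, single-use, short-lived token and send it to
    the address on file. The server stores only the token's hash, so a
    database leak does not hand out live reset links."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        PENDING[username] = (_digest(token), now + TOKEN_TTL)
        OUTBOX.append((user["email"], token))
    # Same response whether or not the account exists: no username oracle.
    return "If that account exists, a reset link has been sent."

def redeem_reset(username, token, new_password, now=None):
    """Accept the token once, within its lifetime, comparing hashes in
    constant time."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    expected_digest, expiry = entry
    if now > expiry or not hmac.compare_digest(expected_digest, _digest(token)):
        return False
    del PENDING[username]           # single use
    USERS[username]["password"] = new_password
    return True

if __name__ == "__main__":
    print(weak_reset("prof1", "123-45-6789", "1960-01-02", "pwned"))   # True
    request_reset("prof1")
    _, tok = OUTBOX[-1]
    print(redeem_reset("prof1", tok, "fresh"))      # True
    print(redeem_reset("prof1", tok, "again"))      # False: already used
```

The point of the contrast is where the secret lives: the weak flow's "secret" is a pair of identifiers that many third parties hold, while the token exists only in the user's mailbox and, hashed, on the server, and dies after one use or fifteen minutes.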
Yes, I'm careless for having windows made of regular glass instead of tempered. While we're on that note, let's fault me for having a wooden door instead of a steel one, and dirt in my crawlspace someone can tunnel into.
I think the university did the best it could here. No matter how high/tall/hard you build it, folks are always gonna try and break it. It's just a fact of life.
I think the only person careless in this whole shebang is the girl that did the grade changing. I doubt this is the most morally devoid thing that has ever happened in this professor's class.
I can't recall how many times I had girls that liked me offering to do my homework in school, or how many times I saw someone blatantly fuck another person's report up by checking all the books pertaining to their subject out from all the local libraries. I think the worst I've seen is the preferential treatment some students get, whether it's because of being on the football team, or some other popular school group.
There's a lot worse that goes on in schools, it's just she got caught.
The article makes a big deal about how "savvy" this girl is, but seriously - how much knowledge does it require? When you click on the "forgot your password" link, it gives you a prompt with the information it needs to let you change your password. If presented with a website that says "Please enter your SSN and DOB to change your password", it doesn't take a genius to figure out what information to get.
She did demonstrate some creativity by using her work DB to look up her prof's personal info. However, considering that she did NOTHING to conceal her identity (steal wi-fi, use a proxy, etc), she clearly wasn't a savvy hacker. Smarter than the average user, perhaps, but definitely not a crafty blackhat.
It's an ID number. The problem is, your name and DOB don't necessarily uniquely identify you; there are many documented cases of two people being born with the same name on the same day. Also, names are a very easy thing to confuse: you say one thing, they hear another.
So SSNs are a good identifier. Their primary, and original, purpose is to track earnings for social security purposes. However, Congress later authorized its use for lots of other identification things (like tax ID).
Now the problem is that for some reason many institutions treat it as a password or the like, rather than ID. They assume names and birthdates are public knowledge, but for some reason an SSN is secret. No, not really. It's just another identifier, and should be treated as such.
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret. It should be given no more or less weight than information like address, DOB, full name, etc. It's all just tidbits to uniquely identify you.
Now part of the problem is, short of DNA, how do you really go about verifying your identity? I mean most proofs of identity rely on other proofs of identity. My passport proves my identity, but to prove I should have it I used things like my driver license, birth certificate, and personal details.
So you can understand why things like SSNs are used for identity purposes, the problem is too much weight is put in them. It's assumed that they are like some kind of secret password that only the person can know, when really they are just like a DOB, not hard to find out.
Fact of the matter is this is just going to happen more and more often. University networks are wide open: first there are computer labs where anyone can sit down and pop in a Knoppix STD CD, then they can fire up ettercap and go to town on everything getting passed on the switch. When campuses use SSL protected systems for grades it is just asking for trouble. It's just a matter of time before Joe Blow will have every prof's password. Once that happens it can be tempting to change a couple grades here and there. And grades are nothing compared to the other information that can be obtained, SSNs of the entire campus for instance... Basically ARP needs to get secure because there is really no way a college (that has to have an open network to function) can be a safe place to send important data back and forth. Maybe the solution is a private network for profs with the important info on it. Good lesson though.
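The post above describes ARP poisoning from a lab machine on a switched campus LAN. As an added example (not code from the thread, from ettercap or from any campus tool), here is the detection side: a small monitor over a feed of ARP replies that raises on the three signals arpwatch-style tools rely on, a reply contradicting a pinned gateway entry, an IP whose MAC flips, and one MAC answering for more addresses than a normal host would. The sample replies, the pinned gateway mapping and the one-IP-per-MAC threshold are constructed assumptions.

```python
"""Detect ARP cache poisoning of the kind ettercap performs on a switched LAN.

Added example, not code from the thread or from ettercap; the static
gateway mapping, the ARP record format and the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample of ARP replies seen on the wire: (sec, sender_ip, sender_mac).
# 10.0.0.1 is the gateway (aa:..:01). At t=30 a lab host (de:ad:..) starts
# answering for both the gateway and a professor's workstation (.50).
ARP_REPLIES = [
    (0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (1,  "10.0.0.50", "bb:bb:bb:bb:bb:50"),
    (2,  "10.0.0.51", "bb:bb:bb:bb:bb:51"),
    (30, "10.0.0.1",  "de:ad:be:ef:00:01"),
    (30, "10.0.0.50", "de:ad:be:ef:00:01"),
    (31, "10.0.0.1",  "de:ad:be:ef:00:01"),
]

STATIC = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}  # pinned gateway entry (assumption)
MAX_IPS_PER_MAC = 1  # a NIC normally answers for one IP on a lab segment (assumption)

def detect_arp_poisoning(replies, static=STATIC, max_ips_per_mac=MAX_IPS_PER_MAC):
    """Return a list of (sec, reason, ip, mac) alerts.

    Three independent signals, each raised on every offending reply so a
    sustained poisoning keeps generating evidence:
      * static-conflict: a reply contradicts a pinned entry (gateway impersonation);
      * mac-flip: an IP's MAC differs from the one first learned for it;
      * many-to-one: one MAC claims more IPs than a normal host would.
    """
    alerts = []
    learned = {}                       # ip -> first MAC seen for it
    ips_by_mac = defaultdict(set)
    for sec, ip, mac in replies:
        mac = mac.lower()
        if ip in static and static[ip] != mac:
            alerts.append((sec, "static-conflict", ip, mac))
        first = learned.setdefault(ip, mac)   # keeps the original owner
        if first != mac:
            alerts.append((sec, "mac-flip", ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((sec, "many-to-one", ip, mac))
    return alerts

def suspect_macs(alerts):
    """The hardware addresses implicated by any alert."""
    return {mac for _, _, _, mac in alerts}

if __name__ == "__main__":
    for sec, reason, ip, mac in detect_arp_poisoning(ARP_REPLIES):
        print(f"t={sec:>3}s {reason:<16} {ip:<10} {mac}")
    print("suspects:", suspect_macs(detect_arp_poisoning(ARP_REPLIES)))
```

In a real deployment the replies would come from a sniffer on a span port, and the pinned entries would cover the gateway and the servers that carry grades; the many-to-one rule needs a higher threshold on segments where one NIC legitimately hosts several addresses.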
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
First, yes this does show that something is wrong with the security of campuses...I am at UCB and I recall that sometime last year we got an email through an instructional (class) account saying that our Student ID Numbers might have been compromised and that they are looking into it. While there isn't much one can do with SID's, it still kinda got me worried - I mean what if they got our passwords or something, and what if it was the same password as say the registration system (where someone could actually unregister you from Berkeley...).
I understand that since universities are prominent institutions, they may be the target of many different attacks, but on the flip side, since so many students and faculty members are part of the university community, there should be that much more done in terms of security. I sure as hell don't want anything about me compromised (boy am I glad only the grad students' SSNs were stolen the other day).
And also, to those who talk about how easy it is to cheat, it isn't. Almost all CS classes (for example) have a hardcore system that checks your code against everyone else's. Yes, it does take care of changing variable names and whatnot, it checks logic - and if you get caught (which many do) you will get an email telling you who you stole from, how much you stole, how much is deducted, etc. So in short, cheating is not easy.
There are comparable systems for say papers in humanities' courses, although checking natural language is a lot harder of course - but I believe those systems DO check against a massive database of published papers to see if you plagiarized from outside sources (in addition to checks with other students). And as for exams, it is rare for people to cheat - usually TA's are walking all over - if it was so easy to cheat as some people here say it is, then I am sure many bright college students would figure it out (and the bright TA's and professors would probably respond to it quickly too).
Nothing is really secure.
Yeah, changing the account with your name on it won't give a damn thing away as long as your IP is untraceable. Who'd think to look at your name.
A smarter hacker would infect the system with a script that would gradually, over time, boost their GPA in a difficult to trace method. Maybe figure out a minor improvement that you'd make every day to all students that had a student id number that fit a given algorithm.. where your own id just happens to be one that comes up most frequently. Say that your student number was divisible by 3, so one day you'd improve all that were divisible by 3, the next day 6, the next day 9, and back to 3, or some such pattern. (More complex is better.. just an example..)
Gee.. in my day we actually used some imagination when hacking the school's computers. Of course I never bothered altering my grades. I was more interested in messing with the lab rats. (sysadmins, lab monitors, etc)
Being able to reset anyone's password with a birth date and SSN is careless. University passwords typically give you access to e-mail, class registration, bursar statements, private storage space, and many other things. My school requires a photo ID or notarized form to reset a password. UCSB can [and probably will] do more for security. This wasn't some super 1337 cracking going on.
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots" when he is done with it."
Yes, don't tell anyone what university this is at so that the problem never gets fixed.
You are part of the problem, not the solution.
Is it only me, or did you as well notice that a hacked computer login is now called "identity theft" as in "credit card fraud" and all the other stuff we used to associate with it?
...and they somehow manage to get computer lab monitors that aren't clueless stoners that only have the job because they're workstudy qualified?
Compromising the grade system destroys the common people's faith in "the system", so it has to be punished more.
Beating up old ladies only destroys faith in the person who did it.
It's one reason petty counterfeiters are hit so much harder than a petty thief. It's not like the few $100's they make will actually lead to inflation. But if enough people get away with it then it leads to a general lack of faith and confidence in the dollar. That's a bad thing, since the whole economy works on the idea that we all pretty much believe a dollar is worth the same thing.
It says nothing about women or their behaviour, it is purely an assertion that they have an option open to them.
You're assuming a lot. I know a lot of people who'd fire a woman offering a blowjob for a favour, if they were her employer/boss.
Granted this can be abused let's not forget that tampering with a university computer isn't a "minor" event. It can potentially affect many peoples lives.
....
Suppose you decide you really should have that engineering degree but just don't want to study... Now you're in the middle of building a 90-storey office complex and you have about 40% of the knowledge you need.
And besides, I had to drudge through college without cheating [which included repeating some classes]; why shouldn't she?
Er, set up a system where you couldn't change someone's password just by knowing their SSN?
Anyone else but me immediately think of the phrase "guilty until proven innocent"?
It's nice your school is trying to perform steps to prevent cheaters but that's just way too much. A university should be a place where you can live the life you want and the free exchange of ideas with many different types of people from all around the world, not worried if you've sufficiently proven you aren't a cheater to the satisfaction of one of the 70 select individuals.
Disclaimer: I am the author of the article.
Thank you for the kind comments, xmas2003 and obsol33t.
I'd like to clarify and reply to some of the comments made on Slashdot, if you would allow.
I did not think this incident could be considered "hacking." Notice that we didn't use the terms "hacker," "hacked," "exploited" or "compromised" in the headlines or article when describing what happened. Like the article says, there were technically no exploits in the system -- no SQL injection, buffer overflow, XSS, etc.
Not every person could repeat what Ramirez allegedly did. Her job gave her a specific access to personal information. It's really a case of identity theft, a felony offense. The police are responsible for charging Ramirez, not the university.
When reading the story, you have to remember that it's a general newspaper, not 2600 or the like. The three (3) paragraphs, out of roughly 30, about the knowledge required to enter eGrades was included to give readers a perspective on the difficulty level needed to do what the perpetrator did. "Was this person a 'true hacker' or was it something simpler than that?"
The phrase, "required some technical savvy," was meant to indicate that a small amount of technical knowledge was needed, not to emphasize it.
Also, the lede -- the first sentence in a news article -- states, the grades of several students, not just Ramirez's and her roommate's, were changed. Police would not release further specific details about others' changes because of the ongoing investigation, as the article stated.
Schmidt, as far as I know, is a very competent network programmer/sysadmin/computer geek. He's also pleasant on the phone. =) I'm guessing he simplified his statements because he was talking to the press and did not know if I had any technical knowledge. For the record, I know enough. =)
"For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter in endorsements into the computer."
They don't, by chance, ask advisors to sign the same affirmation to abide by all the rules, do they?
Keep in mind, Schmidt was talking to the media. Ever try to explain something technical, knowing the other person probably doesn't have a clue what you're talking about, but will re-word it anyway to tell thousands more people?
That's why that dumb 'geeky https' comment came out.
Personally, I think the penalties should be pretty harsh for stealing sensitive information from a bank, and using it to gain illegal entry to state-owned systems.
Social security numbers are so easy to abuse that society needs to appropriately punish those who abuse their access to that sensitive information.
hehe, that means politicians are pretty much equal to counterfeiters, they are very adept at producing 'a general lack of faith and confidence in the dollar'.
:)
In fact counterfeiting doesn't even come close to the kind of effect a good elected official can achieve in this respect
I don't. Walking your dog without obeying the leash law counts as a felony in some places. If you're doing this with 4 dogs, that would be 4 felony counts. I've never heard of someone getting a life sentence for leash-law violations, or any other trivial thing (except drug possession).
The flack over the 3-strikes law is pretty ridiculous. It was widely reported that a man got a life sentence due to the 3-strikes law for stealing a slice of pizza. The minor detail that was omitted was that he brutally beat the pizza delivery guy to get that slice of pizza.
Yes, SEPARATE felonies, not related ones. She's not getting a life sentence, and it's ridiculous to suggest it.
But she IS a criminal. This is not a mistake or misunderstanding. I don't imagine any rational people having a problem with the fact that she can't vote or own a gun anymore. She can live without those things, as she has shown herself to make very poor (illegal) decisions.
No, they don't. They list the one trivial crime that finally got someone a mandatory sentence, for shock value, and barely mention that the two previous crimes were actually rather serious. I think a Simpsons quote is in order:
Their allegation that one of those cases was fabricated by the police is a very serious claim, and they provide no evidence to support that. Quality journalism, really...
I would have voted for Prop 66 myself, if not for the serious crimes it excluded from 3-strikes penalties (like cases of arson, even when someone is injured, or armed burglary). The 3-strikes law may be a bit excessive in some cases, but these are career criminals who continue to commit felonies, and get away with their crimes many times more than they are actually charged with.