UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports 'A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said.' The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
unixkb.com -- articles on practical Unix issues.
"It's not like 300 grades were changed or anything like that," he said. "It's not even close."
Like one person getting credit for something they didn't do isn't enough... it's got to be mass fraud to care?
"It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so it's believed [she used eGrades at] both locations."
Idiot!
Get your Unix fortune now!
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSNs are stored by the University, the insurance company and God knows where else. Yet they are supposed to be a secret between you and the Government.
Gee, no wonder women are leaving it.
Geeks are starting to act like construction workers..."if a woman wants to get ahead, all she has to do is suck some dick."
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
The ______ Agenda
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as SSN and birthdate. Better would have been to send a new password to the user's email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
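The two reset flows discussed above (the SSN-plus-DoB scheme quoted from the article, and the e-mail-based alternative this comment proposes) side by side, as an added example that is not part of the thread or of UCSB's eGrades code. The account data, the `ACCOUNTS` table, the `OUTBOX` stand-in for mail delivery and the 15-minute token lifetime are all constructed for the demo; the hardened flow uses a random single-use token that is stored only as a hash and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data: one professor account with the attributes the
# article says the weak flow relied on. The values are made up.
@dataclass
class Account:
    username: str
    email: str
    ssn: str   # what the weak flow compares against
    dob: str   # "YYYY-MM-DD", likewise
    pw_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    # (sha256 of the outstanding reset token, expiry timestamp); None if no request is open
    pending_reset: Optional[Tuple[bytes, float]] = None

ACCOUNTS = {
    "prof_a": Account("prof_a", "prof_a@example.edu", "123-45-6789", "1960-01-02"),
}
OUTBOX: List[Tuple[str, str]] = []   # (recipient, body): stands in for e-mail delivery
TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime for a reset token

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(acct: Account, new_password: str) -> None:
    acct.pw_salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_password, acct.pw_salt)

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt))

# --- Weak flow, as the article describes it -------------------------------
# Whoever knows two static facts about the victim may pick a new password.
# Those facts are on file with employers, insurers and banks, so they are
# identifiers, not secrets.
def weak_reset(username: str, ssn: str, dob: str, new_password: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None or acct.ssn != ssn or acct.dob != dob:
        return False
    set_password(acct, new_password)
    return True

# --- Hardened flow: proof of control of the mailbox on file ----------------
# Step 1: the requester supplies only the username. A random token goes to
# the address already on record; the server keeps only its hash, so a leaked
# database does not contain usable tokens.
def request_reset(username: str, now: Optional[float] = None) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None:
        return True   # identical response for unknown users: no account enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending_reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
    OUTBOX.append((acct.email, f"Reset token: {token}"))
    return True

# Step 2: any attempt, right or wrong, consumes the outstanding token, so an
# attacker gets one guess per message the legitimate user receives; expired
# tokens are refused; comparison is constant-time.
def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None or acct.pending_reset is None:
        return False
    now = time.time() if now is None else now
    stored_hash, expires_at = acct.pending_reset
    acct.pending_reset = None   # single use
    if now > expires_at:
        return False
    if not hmac.compare_digest(stored_hash, hashlib.sha256(token.encode()).digest()):
        return False
    set_password(acct, new_password)
    return True

def token_from_last_mail() -> str:
    """Demo helper only: read the token out of the simulated outbox."""
    return OUTBOX[-1][1].split("Reset token: ", 1)[1]

if __name__ == "__main__":
    print("weak flow accepts SSN+DoB:", weak_reset("prof_a", "123-45-6789", "1960-01-02", "chosen"))
    request_reset("prof_a")
    print("hardened flow, right token:", complete_reset("prof_a", token_from_last_mail(), "better"))
    print("hardened flow, token reused:", complete_reset("prof_a", token_from_last_mail(), "again"))
```

The `now` parameter exists so expiry can be exercised deterministically; a real deployment would also rate-limit `request_reset` per account and log each reset, which is the trail that let investigators trace the source addresses in this case.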
Fact of the matter is this is just going to happen more and more often. University networks are wide open: first there are computer labs where anyone can sit down and pop in a Knoppix STD CD. Then they can fire up ettercap and go to town on everything getting passed on the switch. When campuses use SSL protected systems for grades it is just asking for trouble. It's just a matter of time before Joe Blow will have every prof's passwords. Once that happens it can be tempting to change a couple grades here and there. And grades are nothing compared to the other information that can be obtained, SSNs of the entire campus for instance... Basically ARP needs to get secure because there is really no way a college (that has to have an open network to function) can be a safe place to send important data back and forth. Maybe the solution is a private network for profs with the important info on it. Good lesson though.
Crawl This - http://darkry.net/test/test.php
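The comment above argues that ARP on an open campus segment is the weak point. Until the protocol itself is fixed, the practical mitigation is to watch for ARP cache poisoning, which is what tools such as arpwatch do. Below is an added example of that detection logic, not code from the thread or from any of the tools it names: it replays constructed ARP-monitor log lines (format, addresses and timestamps are all made up for the demo) and flags an IP whose MAC changes, and a MAC that claims more IPs than the configurable limit.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: one line per ARP reply a passive monitor on the lab
# segment might record as "<timestamp> reply <ip> <mac>". Addresses are invented.
SAMPLE_ARP_EVENTS = [
    "2004-03-01T10:00:01 reply 10.20.0.1 00:11:22:33:44:01",   # gateway, legitimate
    "2004-03-01T10:00:05 reply 10.20.0.57 00:11:22:33:44:57",  # a staff desktop
    "2004-03-01T10:00:09 reply 10.20.0.99 00:11:22:33:44:99",  # unrelated host
    "2004-03-01T10:02:10 reply 10.20.0.1 00:aa:bb:cc:dd:ee",   # gateway IP now answered by a new MAC
    "2004-03-01T10:02:11 reply 10.20.0.57 00:aa:bb:cc:dd:ee",  # same new MAC also claims the desktop
    "2004-03-01T10:05:00 reply 10.20.0.99 00:11:22:33:44:99",  # unchanged, no alert
]

LINE_RE = re.compile(
    r"^(\S+) reply (\d{1,3}(?:\.\d{1,3}){3}) ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I
)

def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, ip, mac = m.groups()
    return ts, ip, mac.lower()

Alert = Tuple[str, str, str, str]   # (kind, timestamp, ip, mac)

def detect_arp_anomalies(lines: List[str],
                         trusted: Optional[Dict[str, str]] = None,
                         max_ips_per_mac: int = 1) -> List[Alert]:
    """
    trusted: static IP->MAC bindings (typically the gateway) seeded before replay,
             so the very first spoofed reply for those hosts already alerts.
    max_ips_per_mac: raise this on DHCP segments where one NIC legitimately
             cycles through addresses over time.
    """
    seen: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in seen.items():
        ips_by_mac[mac].add(ip)

    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue   # malformed monitor output is skipped, not trusted
        ts, ip, mac = parsed
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            # The binding for this IP changed: classic cache-poisoning signature.
            alerts.append(("ip-mac-flip", ts, ip, mac))
            ips_by_mac[prev].discard(ip)
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            # One interface answering for several hosts is how a MITM inserts itself.
            alerts.append(("mac-claims-multiple-ips", ts, ip, mac))
    return alerts

if __name__ == "__main__":
    for kind, ts, ip, mac in detect_arp_anomalies(
            SAMPLE_ARP_EVENTS, trusted={"10.20.0.1": "00:11:22:33:44:01"}):
        print(f"{ts} {kind}: {ip} -> {mac}")
```

Seeding `trusted` with the gateway binding matters most: a flip on the default gateway is the event that puts a hijacker between every lab machine and the grading server, so it deserves a page rather than a daily digest.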
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots' when he is done with it."
Compromising the grade system destroys the common people's faith in "the system", so it has to be punished more.
Beating up old ladies only destroys faith in the person who did it.
It's one reason petty counterfeiters are hit so much harder than petty thieves. It's not like the few $100's they make will actually lead to inflation. But if enough people get away with it then it leads to a general lack of faith and confidence in the dollar. That's a bad thing, since the whole economy works on the idea that we all pretty much believe a dollar is worth the same thing.
It says nothing about women or their behaviour, it is purely an assertion that they have an option open to them.
You're assuming a lot. I know a lot of people who'd fire a woman offering a blowjob for a favour, if they were her employer/boss.
"Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
Granted this can be abused, but let's not forget that tampering with a university computer isn't a "minor" event. It can potentially affect many people's lives.
....
Suppose you decide you really should have that engineering degree but just don't want to study... Now you're in the middle of building a 90-storey office complex and you have about 40% of the knowledge you need
And besides, I had to drudge through college without cheating [which included repeating some classes] why shouldn't she?
Tom
Someday, I'll have a real sig.
Disclaimer: I am the author of the article.
Thank you for the kind comments, xmas2003 and obsol33t.
I'd like to clarify and reply to some of the comments made on Slashdot, if you would allow.
I did not think this incident could be considered "hacking." Notice that we didn't use the terms "hacker," "hacked," "exploited" or "compromised" in the headlines or article when describing what happened. Like the article says, there were technically no exploits in the system -- no SQL injection, buffer overflow, XSS, etc.
Not every person could repeat what Ramirez allegedly did. Her job gave her a specific access to personal information. It's really a case of identity theft, a felony offense. The police are responsible for charging Ramirez, not the university.
When reading the story, you have to remember that it's a general newspaper, not 2600 or the like. The three (3) paragraphs, out of roughly 30, about the knowledge required to enter eGrades were included to give readers a perspective on the difficulty level needed to do what the perpetrator did. "Was this person a 'true hacker' or was it something simpler than that?"
The phrase, "required some technical savvy," was meant to indicate that a small amount of technical knowledge was needed, not to emphasize it.
Also, the lede -- the first sentence in a news article -- states that the grades of several students, not just Ramirez's and her roommate's, were changed. Police would not release further specific details about others' changes because of the ongoing investigation, as the article stated.
Schmidt, as far as I know, is a very competent network programmer/sysadmin/computer geek. He's also pleasant on the phone. =) I'm guessing he simplified his statements because he was talking to the press and did not know if I had any technical knowledge. For the record, I know enough. =)
SSNs are a terrible identifier:
Congress later authorized its use for lots of other identification things (like tax ID).
Congress later authorized its use for one other identification thing (tax ID).
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret.
Until SSNs cannot be used in violation of rule 6 and in spite of rule 5, they must treat it as a secret as important as the combination to your safe.
This is not my sandwich.