UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.
Hulk SMASH Celiac Disease
I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Back in 1997 I saw my computer science professor log into his Sun box, which was being projected onto a screen for everyone to see. He started to log in, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
I would worry about the people that didn't
[*_-]
Ah cheating how it has evolved.
I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.
Another cheating example that comes to mind is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.
As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class, which has over a thousand students, four forms are given, with empty seats all around you. It is nearly impossible to cheat. In the physics class I am taking now there are 2 forms and students are placed directly next to each other. Needless to say, after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be dealt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyway. In this case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges
Believe it or not, they keep MAC address databases, any self respecting router will. Who is to say the police can't trace the IP to a wireless access point and check MAC addresses? Who is to say that free is really free, that it's not one big honey pot? They have cameras? They know the time it happened??
It ain't that easy...
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
At my University there is a strict honor code. Every Winter semester students must be endorsed, meaning that they have met with an advisor and have committed to abide by the rules of the honor code. There are only about 70 people that can do the endorsements on campus. A failure to get endorsed means that you are no longer a student and you are blocked from registering. For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter endorsements into the computer. We were given a six digit number to sign in, with a ten digit, alpha-numeric, randomly assigned password. The letter with the password did not come with the sign in. Further, the letter stated that the University doesn't even know the password, so it should be kept safe. Advisors were asked to keep the password in strict confidence, and not to disclose them to anyone, under any circumstances. To top it off, the University set it so that there was a narrow time period for the endorsements to be done. So assuming that you managed to find out the user name for your advisor, you would have to brute force the password within time.
Needless to say, I would argue, at least at my school, they are not careless. In fact, I would argue that they are erring on the side that someone will try to hack the system. But the school also takes computer issues seriously. The computer use policy is very strict, and makes it clear that abuse of a computer, on or off campus is grounds for getting expelled.
The views expressed are mine own and do not express the views of my employer.
true.
You can reset your passwd at my college with SSN and DOB too, the extra security being that you have to go to a lab (like the one where I work) and use a specific comp that is always at the admin desk and cannot be used without supervision. When you log in with said info to change your password a big picture of you comes on the screen, if the you on the screen doesn't match the you changing the passwd we boot your sorry ass out of the center.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Mind you, it's not the only thing they can do to get ahead.
And if she has to resort to hacking, maybe she doesn't deserve to get ahead. On the other hand, if she succeeded in hacking, maybe there is some redeeming quality about her. Then again, she did get caught, so she's either not smart enough or just unlucky.
And finally, how many men would perform sexual favors on a possibly fugly and old female professor for an A?
Felony charges for computer tampering are really overkill. This kind of thing used to earn a slap on the wrist, back in the 70's and early 80's.
Also, weren't the "Identity Theft" laws written to address the actual crime of identity theft, which is when someone totally takes over the victim's credit profile, and so on? That doesn't appear to have happened in this case at all. The "Identity Theft" charges seem to be irrelevant.
At least they didn't jail her for 3 years prior to filing charges, ala Mitnick.
What was the reason for cheating? What was the consequence of failing the class? What was the risk of getting caught cheating?
I don't think we will kill people for cheating, or sentence them to some lifelong hell. But if someone fails, and gets pushed into the lower class, it is hell. Like George Bush said "Congrats, you have two jobs, something uniquely American"
If society realizes all people are valuable, and can contribute, and does not push a person beyond their means, then being in the "lower" class will not be a punishment.
There is the second side of the equation. We could just make the punishment so great for cheating to discourage people. That seems to be the trend with all crimes.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
- "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I certainly hope those aren't his exact words. Otherwise, I'd have to say, he's a complete f'ing idiot. SSL is not "real protection". At its very best, it stops people from snooping. And having seen, first hand, how a number of universities manage SSL web servers, I would not be surprised in the least if they were using/allowing 48 bit SSL (which any modern computer can crack in less than a day.) HTTPS vs. HTTP didn't have a damned thing to do with this "hack". Maybe the university would like to explain why they are using a person's SSN as a form of identification in explicit violation of the Social Security Act of 1970. Btw, that's a serious felony that trumps the student's 4 (lame) felonies... just saying my name is [something other than my name] is a felony now? What. The. Fuck.
Not impossible, but probably more effort than just passing the class through legit means.
True. I always thought there was nobility in failing a few classes in college. If you didn't fail a few, you weren't really pushing yourself hard enough. My transcript represented this worldview pretty well.
But the social aspect of the hack is interesting, even if it isn't useful. The best hack is not one that is never resolved, but one that is resolved neatly, definitively, and completely wrong.
I knew someone in High School who was a master keygrabber. He would arrange intricate dances around all of the teachers so that he could grab their key ring for an hour and make copies of everything. This ranged from "intimate talks" about problems that didn't exist, to mundane copier issues, to larger things like students getting "caught" doing things they weren't supposed to be doing.
It was the plausible misdirection that made him a master. Somehow the instructions to change the sprinkler times to 10:30 would be communicated to the gardener as 6:30, and due to this oversight two weeks later all of the people at the homecoming game would freak out and go running for the gardener's shed, where they would cut off the lock, and turn off the sprinklers. There, the typo would be discovered in the instructions, and the case would be closed. Bad typing was to blame. In their rush, nobody noticed that the lock they cut off of the gardener's shed wasn't keyed the same as the lock that originally was on the shed. Nor did they notice that the full set of maintenance keys that were in the gardener's shed was now slightly warm to the touch.
Never try to "get away with it" by being untraceable. "Get away with it" by giving people a plausible explanation for the inconsistencies they see... something believable, easy, and invisibly incorrect. Never leave a case open.
The ______ Agenda
SSNs and DoBs are far too easy to find.
My $CREDITCARDCOMPANY just got gobbled up by a bigger one. One of their "innovations" is that you can't have an arbitrary ID - it has to be all numbers and defaults to your SSN. I had a little talk with one of their managers who said "that's the way it is and we have no intention of changing it" who suggested that I could use my phone number instead of my SSN if I wanted an easy to remember but "more" secure ID.
On top of that, their passwords are currently alphanumeric only, which makes me guess that they aren't hashing the passwords and are storing the password in plaintext in the database (yes, you'd have to be really stupid to do that, but these guys give every indication of being that dumb), which means anyone that does penetrate their db system has all kinds of good stuff at his/her fingertips.
They're my soon to be ex-$CREDITCARDCOMPANY...
Actually, I'm a teacher at UCSB, so I've used eGrade before.
eGrade's security is far worse than that. It doesn't require a social security number and date of birth, rather it uses the "university id" that a student uses to login to some campus wireless networks, campus e-mail and the uweb/ustorage accounts.
Here's the login interface:
http://www.egrades.sa.ucsb.edu/
Resetting the password requires:
Last Name, Perm Number (id number), last four of social and birthdate.
Obtaining these, albeit not easy, is not that hard at all.
I'm not going to say where, but it's a major school. I know that most of the professors do not realize that the network drives they are using like local drives are public by default. Some professors like to use them since they can access those drives anywhere on campus. Any somewhat knowledgeable student, even with a guest login, can browse through them and see everything that the professors think is private. Tests, answer keys, quizzes, family pictures, and yes, even porn. Anything they save on the drive.
;)
Also note, student shares are also public by default, so you can browse other students' homework if you get stuck on a problem
It's been like that for YEARS.
Go here, SSL is insecure if the key exchange is sniffed. Ettercap does this and ssh1 in real time as it sniffs. It's a fun program to play with. There is an option to just leave it on and let it log all passwords to a file. I was amazed when I first found it and have spent a ton of time in the source figuring out how it works. Cool stuff.
Interesting. I have always held the theory that poor hackers (crackers for the pedantic) sometimes get caught. Good hackers rarely get caught and the best ones are never discovered as they do their deed and disappear into the void.
However, there is a class who is above all. They do what they want to do, and intricately weave a web so convincing, that there is never, ever a chance that anything can be traced back to them. Like in the case you described, the guy did not have to cover his tracks of having replaced the lock, but made other people do it. This is the key, what can be simply attributed to someone, can never be held against someone else.
Sorry, you're right -- you have misunderstood. Any switched network will happily deliver packets to the wrong port if the MITM has used ARP cache poisoning, by feeding fake ARP information to the client and server -- the switch won't protect you from being sniffed unless it locks MAC addresses to IP addresses (which most switches don't do.)
As I see it, the only options are:
1) Eliminate ARP entirely, by locking ARP caches with fixed addresses of critical devices (an administrative nightmare);
2) Use an IDS to look for bogus ARP chatter, and respond very quickly to illegal injections.
Naturally, my company designs software to do the latter. We scan the CAM tables of all switches constantly, and correlate with the ARP caches on routers, and alert on any discrepancies. We sell only into high-end security accounts, including Banks.
Paul Gillingwater
MBA, CISSP, CISM
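The CAM-table and ARP-cache correlation described in the comment above, as an added example (not from the original post, and not the poster's product). The sample tables, the baseline taken from a previous scan and the alert names are constructed assumptions, and the check for one MAC answering for several IPs goes slightly beyond what the post describes.

```python
from collections import defaultdict

# Constructed sample data (not from any real network).
# CAM rows as polled from the switches: (switch, port, mac)
CAM = [
    ("sw1", "Gi0/1", "00:11:22:33:44:01"),  # router
    ("sw1", "Gi0/2", "00:11:22:33:44:02"),  # file server
    ("sw1", "Gi0/7", "00:11:22:33:44:07"),  # workstation
]
# Router ARP cache (ip -> mac) on the previous scan and on the current one.
ARP_BASELINE = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.2": "00:11:22:33:44:02",
    "10.0.0.7": "00:11:22:33:44:07",
}
ARP_NOW = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.2": "00:11:22:33:44:07",  # server IP now maps to the workstation MAC
    "10.0.0.7": "00:11:22:33:44:07",
    "10.0.0.9": "00-11-22-33-44-99",  # MAC that no switch port has learned
}

def norm(mac):
    """Normalise MAC notation so entries from different devices compare equal."""
    return mac.lower().replace("-", ":")

def find_discrepancies(cam, arp_now, arp_baseline, multi_ip_ok=()):
    """Return (alert, ip(s), mac) tuples for ARP entries the CAM data contradicts.

    multi_ip_ok lists MACs that legitimately hold several IPs (routers, VIPs).
    """
    ports_by_mac = defaultdict(set)
    for switch, port, mac in cam:
        ports_by_mac[norm(mac)].add((switch, port))
    ips_by_mac = defaultdict(set)
    for ip, mac in arp_now.items():
        ips_by_mac[norm(mac)].add(ip)

    alerts = []
    for ip, mac in sorted(arp_now.items()):
        mac = norm(mac)
        old = arp_baseline.get(ip)
        if old is not None and norm(old) != mac:
            alerts.append(("ip_rebound", ip, mac))      # binding changed since last scan
        if mac not in ports_by_mac:
            alerts.append(("mac_not_in_cam", ip, mac))  # ARP entry with no switch port
    allowed = {norm(m) for m in multi_ip_ok}
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1 and mac not in allowed:
            alerts.append(("mac_claims_many_ips", ",".join(sorted(ips)), mac))
    return alerts

if __name__ == "__main__":
    for alert in find_discrepancies(CAM, ARP_NOW, ARP_BASELINE):
        print(alert)
```
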
There are a significant number of reasons why electronic fingerprinting of the underlying modulation methods will not work - the same NRZI (or whatever encoding) stream will be modified every single time it passes through another 'box'. Basically you will not (necessarily) be getting the actual electrons sent from the target machine, so any analysis is somewhat futile.
The manufacturer will list common tolerances for each NIC, but it makes no financial sense to database pulse characteristics for the 'millions upon millions' of cards currently in the world.
RADAR can be fingerprinted very accurately, the key difference is you receive the radiated energy directly from the emitter itself.
Not to disagree with you fully, there are other methods people are trying, but they are mostly borderline snake oil. Traffic analysis is the only viable solution, think of it like sifting through someone's garbage, their friends' garbage, and their friends' friends' garbage, and.... up to three or four association levels, any more and you begin to have issues with storage capacity.
Fingerprinting is indeed possible, but it will require very close access to the target's machine. Rarely possible without being noticed. Impossible unless you already know where the source is located.
I can expertly tell you there is no such technology in consumer network cards that will fire off information to 'them' - this can be confirmed with an off the shelf o-scope and some knowledge of coding schemes. Any other method can be detected with software. Protocol analysis.
No conspiracy.
I find it bad, that changing your grade counted as 4 counts felony.
3 Strikes and you can go to prison for life, it's no longer just 3 dangerous felonies see http://en.wikipedia.org/wiki/Felony
http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...
She can lose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.
Hey, she could get busted for smoking a joint, or filling out a DMV record incorrectly and serve 25 years in prison. Thanks to 3 strike laws.
But hey, you feel safe now, right?
Duh.. and a system where you use social security numbers and birth dates as password hints??? c'mon.. this is silly.. But what a dumb chick eh? As if the professors wouldn't notice the change in passwords let alone a grade from F to B+!!! Unless the original exam material is in the same system it serves no purpose to change grades because they always have the original paperwork and class notes. And in addition to all this stupidity she didn't even consider concealing the IP address..
This is not a "hack"!!!! She didn't exploit any technological weakness, only stole data giving access to a system.
-if at first you don't succeed, stay the heck away from paragliding.
The people who care the most about college grades are the parents who subsidize the tuition. Keep them happy and the rest will take care of itself. Wouldn't it be easier to get by with an inferior but passing GPA and print a nice-looking document that looks like a transcript for Mom & Dad? If there is no signature, then there is no forgery. If the grades remain unchanged, it's not a hacking attack. Is there any law that covers a counterfeit transcript that was NOT used for employment purposes?
If the students are not willing to show up and get at least minimally passing grades, they should skip school altogether and head straight for the diploma mills. Of course, the budget-minded cheater can create bogus transcripts from colleges that used to exist but are now closed/merged/renamed.
I worked in higher education administration. I interviewed job applicants who had fake degrees. Our HR people went hog-wild researching the validity of transcripts. I doubt the average employer would allocate the resources to this activity to make it truly effective. Then there were the overseas degrees. Transcripts in Polish, Chinese, etc. Verifying the information was NOT easy. Most employers would be easily duped.
The weak point in the system is not the computer -- it is the hardcopy output.
"nowadays"? You say that as though you remember a time when it was perfectly acceptable to publicly suggest that a woman just go down on a prof if she wants better grades.
Look, I'm not trying to make you change all occurrences of "he" to "he/she" or some worse neologism, I'm not trying to make sure that all your example sentences have an equal balance of male and female names, and I'm not trying to make sure you hire unqualified employees so that your organization fits some desired overall demographics. I'm just saying - this is crude, and cheap, and symptomatic of a long-standing sexist tradition which exists inside computer geekdom. (and, as others have pointed out, exists elsewhere too)
To venture into an overstretched analogy, I'm not asking you to wash your hands several dozen times a day and scrub your skin till it bleeds to get the dirt off - I'm just requesting that people not piss on the carpet.
Also, "dogs" vs "whores"? Do you really believe that these are even vaguely equivalent terms?
Without getting into a big discussion of database design, referential integrity, etc., this is the sort of thing I've always used triggers for: updating a row writes another record to another table indicating that it was inserted/updated/deleted.
I wrote a couple of trading-ish systems that used this when a person placed a trade. Came in very handy when a user called to say that he had lost some major $$$ because we screwed up his order, only to show him in the log that he had in fact placed his order at this time, and then tried to cancel it not a minute later, but a full two hours later, long after the close.
Yes it can be done in a procedure, write to another table, etc., but what I've always liked about triggers is that they're automatic, somewhat hidden, and easy to forget...
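The trigger-based change log described in the comment above, applied to a grades table as an added example (not code from the original post or from any system mentioned in the thread). It uses SQLite through Python's `sqlite3`; the schema, trigger names and sample rows are hypothetical, and `changed_by` is assumed to be filled in by the application on every write.

```python
import sqlite3

# Hypothetical schema: table, column and trigger names are illustrative.
SCHEMA = """
CREATE TABLE grades (
    student_id TEXT, course TEXT, grade TEXT,
    changed_by TEXT NOT NULL,   -- account name, set by the application on each write
    PRIMARY KEY (student_id, course)
);
CREATE TABLE grades_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    action     TEXT NOT NULL,
    student_id TEXT, course TEXT, old_grade TEXT, new_grade TEXT, changed_by TEXT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- One trigger per write type; each copies the before/after values to the log.
CREATE TRIGGER grades_ins AFTER INSERT ON grades BEGIN
    INSERT INTO grades_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('INSERT', NEW.student_id, NEW.course, NULL, NEW.grade, NEW.changed_by);
END;
CREATE TRIGGER grades_upd AFTER UPDATE ON grades BEGIN
    INSERT INTO grades_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('UPDATE', NEW.student_id, NEW.course, OLD.grade, NEW.grade, NEW.changed_by);
END;
CREATE TRIGGER grades_del AFTER DELETE ON grades BEGIN
    INSERT INTO grades_audit (action, student_id, course, old_grade, new_grade, changed_by)
    VALUES ('DELETE', OLD.student_id, OLD.course, OLD.grade, NULL, OLD.changed_by);
END;
-- Keep the log append-only: edits or deletes of audit rows abort.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON grades_audit BEGIN
    SELECT RAISE(ABORT, 'grades_audit is append-only');
END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON grades_audit BEGIN
    SELECT RAISE(ABORT, 'grades_audit is append-only');
END;
"""

def run_demo():
    """Apply constructed writes; return (audit rows, whether log tampering was blocked)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO grades VALUES ('S001', 'PHYS1', 'F', 'prof_a')")
    db.execute("UPDATE grades SET grade = 'B+', changed_by = 'prof_a' WHERE student_id = 'S001'")
    db.execute("DELETE FROM grades WHERE student_id = 'S001'")
    try:
        db.execute("DELETE FROM grades_audit")
        blocked = False
    except sqlite3.DatabaseError:   # raised by RAISE(ABORT, ...) in the trigger
        blocked = True
    rows = db.execute(
        "SELECT action, old_grade, new_grade, changed_by FROM grades_audit ORDER BY audit_id"
    ).fetchall()
    return rows, blocked

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The log records the account that made each write, so with a stolen login it shows what changed and when rather than who was at the keyboard. An account that can drop triggers can also bypass it, so the audit table belongs under separate privileges.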