Slashdot Mirror


UCSB Student Engineers Grade Hack

An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"

17 of 544 comments (clear)

  1. Shoulda used an open wireless access point! by xmas2003 · · Score: 4, Interesting
    She might have gotten away with it if she had used an open wireless access point - shoulda changed the grades at Starbucks! ;-)

    Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.

    --
    Hulk SMASH Celiac Disease
    1. Re:Shoulda used an open wireless access point! by R.Caley · · Score: 4, Interesting
      A smarter hacker would infect the system with a script that would gradually, over time, boost their GPA

      Anythig which boosts your score is going to point at you.

      What you want to do is plant evidence of the professors having a bias against you. Subtle things. Enough to form the basis of an appeal. Then you drop your grades in your good subjects so a review will see that you are a victim and give you a pass.

      --
      _O_
      .|<
      The named which can be named is not the true named
  2. Pfft... this is nothing by Raul654 · · Score: 5, Interesting

    I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  3. Professor mistakes by suso · · Score: 5, Interesting

    Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.

  4. i wouldn't worry about the people that got caught by Anonymous Coward · · Score: 5, Interesting

    i would worry about the people that didn't

    [*_-]

  5. Cheaters by softparade · · Score: 5, Interesting

    Ah cheating how it has evolved.
    I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.

    another cheating example that comes to mind. Is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.

    As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. My physics class I am taken now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be delt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges

    1. Re:Cheaters by void* · · Score: 5, Interesting

      Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct.

      I never went to college.

      However, in high school, my history teacher noticed that a good proportion of the answers given on tests were highly correlated - not exact, per se, but suspiciously close to the exact same answers.

      He made up seven different versions of the test, and ensured that the answer key for any version was different enough from the others to cause dramatic test failures in the case of copying. (multiple choice, 5 options, 30 questions - plenty of combinations).

      That test, about six to ten people, people, all in a rough blob behind and to the right of me, failed.

      I was oblivious to the fact that they were copying me, but it was pretty funny - he'd given me one version of the test and every one else a different version. After that I got rather paranoid about making sure my answers weren't visible to others.

      --


      Code or be coded.
  6. Re:Carelessness ? by utlemming · · Score: 4, Interesting

    At my University there is a strict honor code. Every Winter semester students must be endorsed, meaning that they have met with an advisor and have committed to abide by the rules of the honor code. There are only about 70 people that can do the endorsements on campus. A failure to get endorsed means that you are no longer a student and you are blocked from registering. For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter in endorsements into the computer. We were given a six digit number to sign in, with a ten digit, alpha-numeric, randomly assigned password. The letter with the password did not come with the sign in. Further, the letter stated that the University doesn't even know the password, so it should be kept safe. Advisors were asked to keep the password in strict confidence, and not to disclose them to anyone, under any circumstances. To top it off, the University set it so that there was a narrow time period for the endorsements to be done. So assuming that you managed to find out the user name for you advisor, you would have to brute force the password within time.
    Needless to say, I would argue, at least at my school, they are not careless. In fact, I would argue that they are erring on the side that someone will try to hack the system. But the school also takes computer issues seriously. The computer use policy is very strict, and makes it clear that abuse of a computer, on or off campus is grounds for getting expelled.

    --
    The views expressed are mine own and do not express the views of my employer.
  7. Re:"Hack"? by Anubis350 · · Score: 5, Interesting

    true.
    You can reset your passwd at my college with SSN and DOB too, the extra securfity being that you have to go to a lab (like the one where I work) and use a specific comp that is always at the admin desk and cannot be used without supervision. When you log in with said info to change your password a big picture of you comes on the screen, if the you on the screen doesnt match the you changing the passwd we boot your sorry ass out of the center.

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  8. Re:Perfect crime? by cgenman · · Score: 4, Interesting

    Not impossible, but probably more effort than just passing the class through legit means.

    True. I always thought there was nobility in failing a few classes in college. If you didn't fail a few, you weren't really pushing yourself hard enough. My transcript represented this worldview pretty well.

    But the social aspect of the hack is interesting, even if it isn't useful. The best hack is not one that is never resolved, but one that is resolved neatly, definitively, and completely wrong.

    I knew someone in High School who was a master keygrabber. He would arrange intricate dances around all of the teachers so that he could grab their key ring for an hour and make copies of everything. This ranged from "intimate talks" about problems that didn't exist, to mundane copier issues, to larger things like students getting "caught" doing things they weren't supposed to be doing.

    It was the plausable misdirection that made him a master. Somehow the instructions to change the sprinkler times to 10:30 would be communicated to the gardener as 6:30, and due to this oversite two weeks later all of the people at the homecoming game would freak out and go running for the gardener's shed, where they would cut off the lock, and turn off the sprinklers. There, the typo would be discovered in the instructions, and the case would be closed. Bad typing was to blame. In their rush, nobody noticed that the lock they cut off of the gardener's shed wasn't keyed the same as the lock that originally was on the shed. Nor did they notice that the full set of maintenence keys that were in the gardener's shed was now slightly warm to the touch.

    Never try to "get away with it" by being untracable. "Get away with it" by giving people a plausable explanation for the inconsistincies they see... something believeable, easy, and invisibly incorrect. Never leave a case open.

  9. Re:Who needs programmatic security... by ethank · · Score: 4, Interesting

    Actually, I'm a teacher at UCSB, so I've used eGrade before.

    eGrades security is far worse than that. It doesn't require a social security number and date of birth, rather it uses the "university id" that at student uses to login to some campus wireless networks, campus e-mail and the uweb/ustorage accounts.

    Here's the login interface:

    http://www.egrades.sa.ucsb.edu/

    Resetting the password requires:

    Last Name, Perm Number (id number), last four of social and birthdate.

    Obtaining these, albeit not easy is not that hard at all.

  10. Re:Mack Daddy says "NO!" by petecarlson · · Score: 4, Interesting

    Since when is a MAC address any useful identifier?

    Alone it means little, but along with other information, it can sometimes tell you something. Yesterday I put up a new AP and left it open as a loss leader of sorts as there are other free conections in the area. (The first hit is free) Going through my access logs I came accros a user that used quite a bit of upstream but little downstream bandwidth. I cross checked the MAC with my dhcp server log and came up with 'client-hostname "your-2r8c4odfb2"'. That's an odd thing to name your computer. Thinking that 2r8c4odfb2 might me some wierd 1337 speak, I googled it and found: your-2r8c4odfb2.cpe.ozrk.al.charter.com listed as the hostname for a computer which had sent quite a bit of email (read SPAM). Now I could be way off base here, but the wierd traffic coupled, with the hostname listed as having a high probibility of being a spam server, was enough for me to ban the mac till the AP is added to the authentication and billing system.

  11. Re:Is SSL breakable? by DarKry · · Score: 3, Interesting

    Go here, SSL is insecure if the key exchange is sniffed. Ettercap does this and ssh1 in real time as it sniffs. Its a fun program to play with. There is an option to just leave it on and let it log all passwords to a file. I was amazed when I first found it and have spent a ton of time in the source figuring out how it works. Cool stuff.

  12. Re:Female? by mark-t · · Score: 5, Interesting
    Kudos?

    A person breaks the law and you offer kudos?

  13. Take off the tinfoil... by digitalchinky · · Score: 3, Interesting

    There are a significant number of reasons why electronic fingerprinting of the underlying modulation methods will not work - the same NRZI (or whatever encoding) stream will be modified every single time it passes through another 'box' Basically you will not (necessarily) be getting the actual electrons sent from the target machine, so any analysis is somewhat futile.

    The manufacturer will list common tolerances for each NIC, but it makes no financial sense to database pulse characteristics for the 'millions upon millions' of cards currently in the world.

    RADAR can be fingerprinted very accurately, the key difference is you receive the radiated energy directly from the emitter itself.

    Not to disagree with you fully, there are other methods people are trying, but they are mostly borderline snake oil. Traffic analysis is the only viable solution, think of it like sifting through someones garbage, their friends garbage, and their friends friends garbage, and.... up to three or four association levels, any more and you begin to have issues with storage capacity.

    Fingerprinting is indeed possible, but it will require very close access to the targets machine. Rarely possible without being noticed. Impossible unless you already know where the source is located.

    I can expertly tell you there is no such technology in consumer network cards that will fire off information to 'them' - this can be confirmed with an off the shelf o-scope and some knowledge of coding schemes. Any other method can be detected with software. Protocol analysis.

    No conspiracy.

  14. Felony by BrookHarty · · Score: 4, Interesting

    I find it bad, that changing your grade counted as 4 counts felony.

    3 Strikes and you can goto prison for life, its no longer just 3 dangerous felonies see http://en.wikipedia.org/wiki/Felony

    http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...

    She can loose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.

    Hey, she could get busted for smoking a joint, or filling out a DMV record incorrect and serve 25 years in prison. Thanks to 3 strike laws.

    But hey, you feel safe now, right?

  15. Re:she didn't compromise the system by DenDave · · Score: 4, Interesting

    Duh.. and a system where you use social security numbers and birth dates as password hints??? c'mon.. this is silly.. But what a dumb chick eh? As if the professors wouldn't notice the change in passwords let alone a grade from F to B+!!! Unless the original exam material is in the same system it serves no purpose to change grades because they always have the original paperwork and class notes. And in addition to all this stupidity she didn;t even consider concealing the IP address..
    This is not a "hack"!!!! She didn't exploit any technological weakness, only stole data giving access to a system.

    --
    -if at first you don't succeed, stay the heck away from paragliding.