UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
Blowjob would have done the same without all this popularity. Huh .. kids will never learn.
Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.
Hulk SMASH Celiac Disease
she can't keep up at school, or while hacking the teachers.
No, I'm not sure the universities are that careless.
They're also supposed to initiate the students to some very basic social behaviour and these don't include cheating and stealing identities.
I'd suggest they just eject the faulty students because they failed at being responsible grown ups.
Trolling using another account since 2005.
I guess it brings a new meaning to not being able to hack it in college.
*ducks*
"I'd be smart if I didn't let thinking get in the way."
I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
unixkb.com -- articles on practical Unix issues.
According to the article, this was merely social engineering at work, as "the person guilty of changing the grades fraudulently obtained passwords using personal information of faculty members who have access to the grading system, Desruisseaux said."
XML is like violence. If it doesn't solve the problem, use more.
The least she could have done was use Tor and Privoxy. Oh well. So much for changing her grade. Now that she's going to be a bonified convict, she can pull down the six figures like Mitnick.
"It's not like 300 grades were changed or anything like that," he said. "It's not even close."
Like one person getting credit for something they didn't do isn't enough... it's got to be mass fraud to care?
"It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so it's believed [she used eGrades at] both locations."
Idiot!
Get your Unix fortune now!
Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
the only grade that was changed was an F in "Ethics 101".
Changing your grade is as simple as looking for the password taped under the desk!
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
i would worry about the people that didn't
[*_-]
... just blends way too smoothly with the body of your comment! Was it intentional, by any chance? ;-)
Paul B.
"An important distinction in this case, compared to some other instances you've seen reported on around the country, the integrity and security of our grading system is intact and was not compromised," said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
The Security of the grading system is INTACT? Hell yeah!
All generalizations are wrong.
Their security is laughable! "If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said." Nowadays that is not hard info to get a hold of. What's next, will they let you reset someone's password if you know their occupation?
By direct inference, any academic establishment that DOES get hacked by amateurish methods, or by people walking off with laptops holding unsecured data, etc, is clearly NOT a University, or at least not one with any credibility.
The obvious solution is to say that any teaching establishment that suffers loss or distortion of data by techniques that could be expected of that age group (or younger) should lose their license to teach for that year. If you don't have the brains to back your credentials, then your credentials are worthless.
HOWEVER, this can ONLY work if Universities (and other teaching establishments) have the money to become secure in the first place. They should be given that funding and then they should be expected to deliver on it.
If the Government won't cough up the cash, it shouldn't be in the business of teaching in the first place. A little knowledge really is a dangerous thing. If the Universities and schools can't manage their own learning, then they can't be trusted with someone else's.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I was cleaning a computer lab today. Under a desk were piles of CS final exams and progress reports from 1992-5. Not that I could change the grade, but it's a bit scary to think that's where those things end up. One of them belonged to a current staff member. She was slightly scared when I gave it to her.
The fault in the software is that to change the password it requires no "hidden" information. Name, birthdate, and social security are not all that hidden especially on a college campus where they are thrown around daily.
In most cases where you forget your password they send it to your e-mail address. Why do they not do that in this case? If they had done that the girl would not have access to it since she never did know his password.
Saying this is not a fault in the software is to save face, but people will know.
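The reset flow the article describes, beside the email-token alternative this comment and others in the thread call for, as an added example written for this page (it is not UCSB's eGrades or NetID code; the accounts, SSN, DOB and address are constructed sample values, and the in-memory OUTBOX stands in for the mail system):

```python
"""Knowledge-based reset (as described for eGrades) beside a token reset.

This is an added example, not UCSB's eGrades or NetID code. It models the
reset flow the article describes (SSN plus date of birth unlocks a new
password) next to the email-token flow that several comments propose.
Accounts, identifiers and addresses below are constructed sample values.
"""
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

# Constructed account store; the SSN and DOB are fake sample values.
ACCOUNTS = {
    "prof_a": {"ssn": "123-45-6789", "dob": "1960-01-02",
               "email": "prof_a@example.edu", "password": "old-secret"},
}

# --- Weak flow: reset on knowledge of SSN and DOB ------------------------
def weak_reset(user, ssn, dob, new_password):
    """Set a new password if SSN and DOB match the record.

    Whoever can look these up (an insurer's file, a payroll record, a data
    broker) passes, so the check proves knowledge of identifiers, not
    control of the account.
    """
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    if acct["ssn"] == ssn and acct["dob"] == dob:
        acct["password"] = new_password
        return True
    return False

# --- Stronger flow: single-use, expiring token sent to the email on file --
_pending = {}  # user -> (sha256 of token, expiry time)
OUTBOX = []    # stands in for the mail system: (recipient, token)

def request_reset(user, now):
    """Mint a random token, store only its hash, 'mail' the plaintext.

    Returns True whether or not the user exists, so the endpoint does not
    reveal which usernames are valid; only known users get a message.
    """
    acct = ACCOUNTS.get(user)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        _pending[user] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
        OUTBOX.append((acct["email"], token))
    return True

def complete_reset(user, token, new_password, now):
    """Accept a token once, before its expiry, then discard it.

    The pending entry is removed on any attempt, so a token cannot be
    reused and a wrong guess burns it instead of inviting more guesses.
    """
    entry = _pending.pop(user, None)
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return False
    ACCOUNTS[user]["password"] = new_password
    return True

if __name__ == "__main__":
    # Knowing two findable identifiers is enough for the weak flow.
    print("weak reset:", weak_reset("prof_a", "123-45-6789", "1960-01-02", "chosen"))
    # The token flow needs whatever was mailed to the address on file.
    request_reset("prof_a", now=0)
    print("token reset without the token:", complete_reset("prof_a", "guess", "x", now=1))
```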
Get real. This doesn't even rate "script kiddie".
As for the answer to the question "are universities too careless with their data?" -- well, UCSB certainly was. Allowing passwords to be reset with just the SSN and birthdate was asking for trouble.
I always mod up spelling trolls.
No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after...
Ah cheating how it has evolved.
I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.
another cheating example that comes to mind. Is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.
As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. My physics class I am taking now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be dealt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent problem in colleges
Believe it or not, they keep mac address databases, any self respecting router will. Who is to say the police can't trace the IP to a wireless access point and check Mac addresses? Who is to say that free is really free, that it's not one big honey pot? They have cameras? They know the time it happened??
It ain't that easy...
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Dude, get with it - it's news cuz it's a chick! Everyone knows the only good chick hackers are Jeri Ellsworth and Angelina Jolie! :)
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
The ______ Agenda
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as ssn and birthdate. Better would have been to send a new password to the users email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
I happen to think of hackers like a baseball player. They have a greater responsibility to people, they were born with gifts. And if they use them for their own benefit and not society, then why did God give them more?
A friend of mine at university used to have "Tempus Fugit" in his email signature file. This pretentiousness could not go unpunished so we changed it to "I wank daily"
He was sending out emails with it on for a week before a professor wrote to him telling him to change it to something more appropriate.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
The suspect worked for an insurance agency, but it would not be difficult to find this information through other means. :-)
I agree. What is worse is that there is this system out there where joe black-hat can crack and steal a shitload of valid SS#s... not what I would call smart overhead for the school. They should make it all anonymous. Forget your passwords, click to reset and validate through email. Fsk private information! It's stupid.
I'd rather get a degree in Zan, be able to take water forms.
Sigs are like bumper stickers.
Yes I'm careless for having windows made of regular glass instead of tempered. While we're on that note, let's fault me for having a wooden door instead of a steel one, and dirt in my crawlspace someone can tunnel into.
I think the university did the best it could here. No matter how high/tall/hard you build it, folks are always gonna try and break it. It's just a fact of life.
I think the only person careless in this whole shebang is the girl that did the grade changing. I doubt this is the most morally devoid thing that has ever happened in this professor's class
I can't recall how many times I had girls that liked me offering to do my homework in school, or how many times I saw someone blatantly fuck another person's report up by checking all the books pertaining to their subject from all the local libraries. I think the worst I've seen is the preferential treatment some students get, whether it's because of being on the football team, or some other popular school group.
There's a lot worse that goes on in schools, it's just she got caught.
Can it be an indictment on society? Do we have a society where we MUST be the best to be happy? Are we stacked up against each other?
What does an "A" mean? What does a "C" mean? And how fucking desperate does a person have to be to cheat, to risk expulsion? God, what are we doing people?
People learn differently, some visually, some auditory, some hands-on. Yet we have done little to maximize people to their potential. We over work the lower classes. We have a system where life at the bottom to middle is miserable.
She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.
So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.
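The feedback system this comment credits, modelled as an added example for this page (not eGrades' own audit code): every grade change produces a notice to the instructor whose account made it, and a second rule flags grade changes that follow a password reset on the same account, which is the sequence the article describes. The log format and its lines are constructed sample data.

```python
"""Grade-change notices and a reset-then-change correlation rule.

This is an added example, not eGrades' own audit code. The article says the
instructors were notified when grades under their names changed; this
models that notice and adds a rule flagging grade changes made by an
account whose password was reset within the preceding day. The log lines
are constructed sample data in a made-up format.
"""
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)

# Constructed audit log: timestamp | event | account | key=value details
SAMPLE_LOG = """\
2006-03-01T08:00:00 | PASSWORD_RESET | prof_a | method=ssn_dob
2006-03-01T08:05:00 | GRADE_CHANGE | prof_a | course=CS101 student=s1 old=F new=A
2006-03-01T08:06:00 | GRADE_CHANGE | prof_a | course=CS101 student=s2 old=D new=A
2006-03-05T14:00:00 | GRADE_CHANGE | prof_b | course=PHYS1 student=s3 old=B new=B+
"""

def parse_log(text):
    """Turn the pipe-separated lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, detail = (p.strip() for p in line.split("|", 3))
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, **fields})
    return events

def grade_change_notices(events):
    """One notice per grade change, addressed to the instructor whose
    account made it. Delivering it out of band (to an address the grading
    login cannot alter) is what lets the owner of a hijacked account see
    changes they never made."""
    return [(e["account"],
             f"{e['ts'].isoformat()} {e['course']} {e['student']}: {e['old']} -> {e['new']}")
            for e in events if e["event"] == "GRADE_CHANGE"]

def flag_recent_reset_changes(events, window=RESET_WINDOW):
    """Return grade changes made within `window` after a password reset on
    the same account. Events are sorted by time so each reset is seen
    before the changes that follow it."""
    last_reset = {}
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "PASSWORD_RESET":
            last_reset[e["account"]] = e["ts"]
        elif e["event"] == "GRADE_CHANGE":
            reset_at = last_reset.get(e["account"])
            if reset_at is not None and timedelta(0) <= e["ts"] - reset_at <= window:
                flagged.append(e)
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for who, msg in grade_change_notices(evs):
        print(f"notify {who}: {msg}")
    for e in flag_recent_reset_changes(evs):
        print("FLAG reset-then-change:", e["account"], e["course"], e["student"])
```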
"Student Engineers, grade hack" rather than "Student engineers grade-hack"...
I'd grade it an F. (She got caught.)
Paleotechnologist and connoisseur of pretty shiny things.
Leave it to a woman to get caught.
I'm not a misogynist!
Changing grades = 4 felonies ?
In 9th grade a friend and I discovered that we could open up the chooser (macs) on any computer in the school, click on a teacher's name, put in their password (super easy guesses... last names in most cases) and have full access to all their files. We read both the school and district rules and found that as long as we didn't change anything we were safe. So during class we would browse that teacher's files while they were looking. It was pretty funny considering most of our teachers were pretty cool.
really bored? My blog
Universities too careless with their data? You tell me..
2 2+site%3Awww.mit.edu&btnG=Google+Search
http://www.google.com/search?hl=en&lr=&q=%22index+of%22+site%3Awww.stanford.edu&btnG=Search
http://www.google.com/search?q=%22index+of%22+site:www.princeton.edu&hl=en&lr=&start=100&sa=N
http://www.google.com/search?hl=en&lr=&q=%22index+of%22+site%3Awww.yale.edu&btnG=Search
http://www.google.com/search?hl=en&q=%22index+of%
That is not a Hack but a fraud, felony, break-in ! /. moderators should know the meaning of a hack.
How is this any different than the widespread cheating that goes on in campuses everywhere nowadays? It's common to see students cheating by sharing answers to homework, gathering information from others about previous quizzes/tests and the silly amount of plagiarised papers/code, etc that is turned in as original work and graded as so because it slips by the plagiarism filters? I'm not blaming professors as this is not necessarily their responsibility at all times. It is expected you are there to learn and work hard to get there. But with grades being so important to some people, they will go to great lengths to cheat. The saddest part is many people don't see this as cheating but rather "playing the game".
The fact this girl changed her grades is of course wrong in every way possible but I give her credit for being original about it. She should have thought it out better but she is better off having been caught. My only point is her type of cheating only scrapes the surface of what I've observed going on around campus.
I myself have never cheated, although tempted, in any of my courses and I think that gives me an edge on others. But, with so many curved systems, it bothers me to know that you see someone copying someone else's homework get the same, if not better, grade than you. In the end I don't care. I'm not in a personal contest to get the best grades...I do it for myself. But let's make no mistake, cheating is rampant on probably every campus in the world. And let's not even start on parents doing their kids homework in high school with the hope of landing a better college for their brat!
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
The article makes a big deal about how "savvy" this girl is, but seriously - how much knowledge does it require? When you click on the "forgot your password" link, it gives you a prompt with the information it needs to let you change your password. If presented with a website that says "Please enter your SSN and DOB to change your password", it doesn't take a genius to figure out what information to get.
She did demonstrate some creativity by using her work DB to look up her prof's personal info. However, considering that she did NOTHING to conceal her identity (steal wi-fi, use a proxy, etc), she clearly wasn't a savvy hacker. Smarter than the average user, perhaps, but definitely not a crafty blackhat.
Well at least the person gets to get a college education through our prison system. Although what use is it when a company runs a background check or requires you to have use of a computer system.
At least they were lucky enough to let their employer know they will be required to give up logs for the user.
i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.
It's an ID number. The problem is, your name and DOB don't necessarily uniquely identify you, there are many documented cases of two people being born with the same name on the same day. Also, names are a very easy thing to confuse, you say one thing, they hear another.
So SSNs are a good identifier. Their primary, and original, purpose is to track earnings for social security purposes. However congress later authorized its use for lots of other identification things (like tax ID).
Now the problem is that for some reason many institutions treat it as a password or the like, rather than ID. They assume names and birthdates are public knowledge, but for some reason an SSN is secret. No, not really. It's just another identifier, and should be treated as such.
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret. It should be given no more or less weight than information like address, DOB, full name, etc. It's all just tidbits to uniquely identify you.
Now part of the problem is, short of DNA, how do you really go about verifying your identity? I mean most proofs of identity rely on other proofs of identity. My passport proves my identity, but to prove I should have it I used things like my driver license, birth certificate, and personal details.
So you can understand why things like SSNs are used for identity purposes, the problem is too much weight is put in them. It's assumed that they are like some kind of secret password that only the person can know, when really they are just like a DOB, not hard to find out.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
Not to be confused with regular https. Geeky https is where you've been taking too many brain pills and decide to encrypt regular http by hand!!! In 128-bit no less!
This chick is like a lame script kiddie!
Come on, did she not even bother to watch Hackers? Don't compare her to angelina jolie. At least Jolie helped hacked the gibson from a telephone booth.
This poor excuse for a script kiddie tried to change her grades from her dorm room and was caught because she was logged from her residential IP address. LAME!
The least she could do was consult her local Blockbuster and rent a movie that would teach her not to be dumb as a tack. Not that I'm condoning Hackers as a movie with any real redeeming technical information (aside from mentioning the Dragon Book -- which owns)...
I'm pretty much just calling her stupid.
-- -=innocent ramblings from the mind of an insomniatic programmer=-
"failed to conceal her IP address from authorities" So she also got an F for cracking?
"Never trust a computer you can not throw out of a window..."
The reported MAC can be changed at the OS level, and there is no need to alter the card in any way.
Oh shit!
Not that I'd condone this, but it actually is that easy. You change the reported MAC address. Not a big deal at all.
I dunno. I have heard that companies have made PC components that have more information then is known. The electrical pulse. The DNA of the computer world.
If I really, really, really wanted to hack into something, and I think I would get a cheap NIC card, one I could later burn. What is a MAC address? Something we know? But what don't we know. Printers are being sold that print microscopic dots, so if someone prints a dollar bill the Secret Service will know some things about the person. Can anyone here tell me they have not built that kind of technology in NIC cards?
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth
Am I the only one who thinks this is a ridiculously shortsighted authentication system? It's not that difficult to get a person's (professor's) ss# and date of birth. I could pay $100 right now and get Henry Yang's (UCSB Chancellor) ss# and date of birth. Please tell me I misread this!
So, come on now, tell me: ;-)
What grade did the student engineers of UCSB give the girl for her hack?
"Smartness" goes by specialty. Somebody may be smart in the subject matter of "unix system security", but less in "neural networks" for instance.
First, yes this does show that something is wrong with the security of campuses...I am at UCB and I recall that sometime last year we got an email through an instructional (class) account saying that our Student ID Numbers might have been compromised and that they are looking into it. While there isn't much one can do with SID's, it still kinda got me worried - I mean what if they got our passwords or something, and what if it was the same password as say the registration system (where someone could actually unregister you from Berkeley...).
I understand that since universities are prominent institutions, they may be the target of many different attacks but on the flip side, since so many students and faculty members are part of the university community, there should be that much more done in terms of security. I sure as hell don't want anything about me compromised (boy am I glad only the grad students' ssn were stolen the other day).
And also, to those who talk about how easy it is to cheat, it isn't. Almost all CS classes (for example) have a hardcore system that checks your code against everyone else's. Yes, it does take care of changing variable names and whatnot, it checks logic - and if you get caught (which many do) you will get an email telling you who you stole from, how much you stole, how much is deducted, etc. So in short, cheating is not easy.
There are comparable systems for say papers in humanities' courses, although checking natural language is a lot harder of course - but I believe those systems DO check against a massive database of published papers to see if you plagiarized from outside sources (in addition to checks with other students). And as for exams, it is rare for people to cheat - usually TA's are walking all over - if it was so easy to cheat as some people here say it is, then I am sure many bright college students would figure it out (and the bright TA's and professors would probably respond to it quickly too).
University of Computer Skills and Bowhunting.
Schmidt said although eGrades is accessible through the Internet, there are security precautions that protect it from unauthorized usage.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
So that's why Amazon.com uses https - they want to protect their ordering system from unauthorized non-geeks.
Seriously though, there was not very much "technical savvy" in this "hacking" incident.
Pop under ads!!!!
... we did have some REALLY cool gals in our class back then! ;-)
Archaeology, maybe?...
- "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I certainly hope those aren't his exact words. Otherwise, I'd have to say, he's a complete f'ing idiot. SSL is not "real protection". At its very best, it stops people from snooping. And having seen, first hand, how a number of universities manage SSL web servers, I would not be surprised in the least if they were using/allowing 48 bit SSL (which any modern computer can crack in less than a day.) HTTPS vs. HTTP didn't have a damned thing to do with this "hack". Maybe the university would like to explain why they are using a person's SSN as a form of identification in explicit violation of the Social Security Act of 1970. Btw, that's a serious felony that trumps the student's 4 (lame) felonies... just saying my name is [something other than my name] is a felony now? What. The. Fuck.
I'm 99% sure there is currently law that states no organization (short of the feds) can make you use your SSN as an ID number and they have to change it at your request. I know the DMV (I'm in VA) had to change my Driver ID when I requested. (It used to be my SSN)
"There is no real right or wrong, just what the majority accepts at the time."
discourages inventiveness and increases possibility of writing off the punishers... prepare for soup stewing. Where's the voice that perhaps the students have surpassed the teachers? (in system security and use, most obviously) A measured and productive response would be to change policy (improve systems, increase openness) and participatory rationalization and system introspection (open discussion between educators, parents and children, with actual response to change in the environment)... as it stands, the whole point of education seems to be to funnel the innocent into lives of obedience and disjected proponency of authoritarianism. Perhaps there's not the funding. Throwing up walls between teachers and students is no good for anyone. The best way to learn is to teach, but learning requires a nurturing environment, not unquestionable dictation. As teachers, they've the most to learn.
[quote]Do they really want to send people like this girl to prison for several years? For what reason?[/quote] There's no joy in gaining power if you don't exert it. Every ill-conceived law will eventually be abused by an "ambitious", "hungry", "eager" young assistant DA trying to work the angles towards a federal judgeship.
How many of those federal judges used to be defense attorneys, and how many used to be prosecutors?
The system is inherently flawed.
What's wrong with using encryption at higher levels? Like, indeed, SSL?
True, browsers and other software store passwords in files, which are usually accessed unencrypted (SMB, vanilla NFS), but these files are usually encrypted these days -- decrypted only by the software itself.
Why encrypt ARP, again?
In Soviet Washington the swamp drains you.
I can't believe they quoted Kevin Schmidt, campus network programmer for the Office of Information Technology as saying:
...although eGrades is accessible through the Internet, there are security precautions that protect it from unauthorized usage.
"You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I know I feel better now, knowing they protect people from accessing and altering their grading system WITH AN SSL CERT.
That's an embarrassment.
May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
I'm not going to say where, but it's a major school. I know that most of the professors do not realize that the network drives they are using like local drives are public by default. Some professors like to use them since they can access those drives anywhere on campus. Any somewhat knowledgeable student, even with a guest login, can browse through them and see everything that the professors think is private. Tests, answer keys, quizzes, family pictures, and yes, even porn. Anything they save on the drive.
;)
Also note, student shares are also public by default, so you can browse other students' homework if you get stuck on a problem
It's been like that for YEARS.
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots' when he is done with it."
... Except for the whole IP address thing, I think she should at least have gotten extra credit in her computer class.
"Derp de derp."
Like their student clerks? All of that whiz-bang security was negated because an advisor didn't want to do the paperwork himself. Whether the password was disclosed to you or they typed it in and gave you free rein, there was no "security".
Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
was 'pencil'. That week. Written down on a piece of paper carefully kept in the drawer.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
I'm willing to bet she wouldn't be facing as much jail time, she wouldn't be in the news, and she wouldn't have had bail set at $25,000.
Just some perspective.
--This sig is in beta. Please let us know abut any errors you find.
Ok I was sorta right:
:)
"How can a school use my Social Security number?
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding (FERPA, also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g). One of FERPA's provisions requires written consent for the release of educational records or personally identifiable information, with some exceptions. The courts have stated that Social Security numbers fall within this provision.
FERPA applies to state colleges, universities and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a release of personally identifiable information, violating FERPA. However, many schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law. Social Security numbers may be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid. In Krebs v. Rutgers, the court ruled that SSNs are "educational records" under FERPA (Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).
The FERPA text can be found at the web, www.cpsr.org/cpsr/privacy/ssn/ferpa.buckley.html. For the U.S. Department of Education's web site on FERPA, see www.ed.gov/offices/OM/fpco/ferpa/index.html.
Public schools, colleges and universities that ask for your SSN fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the Social Security number is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement. If one is not offered, you may want to file a complaint with the school, citing the Privacy Act.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID."
You can find other info at
http://www.privacyrights.org/fs/fs10-ssn.htm
Hope this helps.
"There is no real right or wrong, just what the majority accepts at the time."
In some Pascal classes (yeah... that was long ago) I got perfect scores without coming to the classes at all, whereas a lot of people had slightly above average. The professor decided to take action for the last exam, and put me in a corner, two desks away from everybody, and a SECOND professor came in to observe me for the whole exam. She admitted as much afterward. Result: everybody else got a bottom-low score, and I still got my next-to-perfect score. It was clear from the questions asked and the results that the contrary of what she thought had happened: people in all directions peeked at my papers, and I was not cheating. She discussed it with me afterward, but it was rather funny; if she had discussed it with me and the others it would have become apparent that I already had a lot of Pascal experience before university, whereas the other students were "sinking" completely and lost. A 5-minute conversation with the student would have been enough to check that. But hey, professor speaking with student, the horror, the horrors....
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Is it only me, or did you as well notice that a hacked computer login is now called "identity theft", as in "credit card fraud" and all the other stuff we used to associate with it?
I do a comp science degree... the holes I've seen at my uni are rather large. For example, we sit some exams on PCs, but if you go on MSN while in the test nobody will notice... Citrix sessions on public terminals with username/password for the server saved to machine. FTP servers running software with known exploits.
lol, and you can "net send" the machines projected in the 400-people lecture halls. I haven't even been looking for holes/etc; these are just really obvious.
As for plagiarism... that's a bit of a joke really. I know people that have paid someone on the internet to write a piece of software for their coursework... they then paid him extra to make two copies of it which look different.
In our university we don't have such privileges.
i believe the password was "pencil", but WOPR probably decided otherwise.
There are a significant number of reasons why electronic fingerprinting of the underlying modulation methods will not work - the same NRZI (or whatever encoding) stream will be modified every single time it passes through another 'box'. Basically you will not (necessarily) be getting the actual electrons sent from the target machine, so any analysis is somewhat futile.
The manufacturer will list common tolerances for each NIC, but it makes no financial sense to database pulse characteristics for the 'millions upon millions' of cards currently in the world.
RADAR can be fingerprinted very accurately, the key difference is you receive the radiated energy directly from the emitter itself.
Not to disagree with you fully, there are other methods people are trying, but they are mostly borderline snake oil. Traffic analysis is the only viable solution, think of it like sifting through someones garbage, their friends garbage, and their friends friends garbage, and.... up to three or four association levels, any more and you begin to have issues with storage capacity.
Fingerprinting is indeed possible, but it will require very close access to the targets machine. Rarely possible without being noticed. Impossible unless you already know where the source is located.
I can expertly tell you there is no such technology in consumer network cards that will fire off information to 'them' - this can be confirmed with an off the shelf o-scope and some knowledge of coding schemes. Any other method can be detected with software. Protocol analysis.
No conspiracy.
I find it bad that changing your grade counted as 4 felony counts.
3 strikes and you can go to prison for life; it's no longer just 3 dangerous felonies, see http://en.wikipedia.org/wiki/Felony
http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, and you really get ground up in the system...
She can lose her right to vote, her DNA is kept on file as a criminal's, and she is now considered a dangerous criminal in the eyes of the law.
Hey, she could get busted for smoking a joint, or filling out a DMV record incorrectly, and serve 25 years in prison. Thanks to 3-strike laws.
But hey, you feel safe now, right?
not much, really. if you RTFA, you'll see that they try to make it sound as if she did something technically savvy, but all she did was know the URL of the university's eGrades site. TFA has the quote:
which is bogus because her browser probably connected with https by default. It also mentions that she changed the profs' passwords using their Social Security numbers, which she got from her work at an insurance company. It reads like the investigators are trying to spin it like she did something like cracking the system, but it's a simple case of identity theft and unauthorized access to the system, which is what the charges are. There's nothing that the UCSB staff could have done about this, except to follow their procedures. And it sounds like they did just that, which resulted in her arrest.
OTOH, the UC Berkeley incident sounds like lax staff. the person who put the info on the stolen laptop and subsequently left it unattended (presumably the same person) should be beaten severely.
Huh? It's emasculating to call someone a person?
"Chairperson" is worse because it dehumanises the position
Because we all know that people aren't human.
___
It's the end of my comment as I know it and I feel fine.
... is that she'll probably end up with a $100k/yr job with a computer security firm.. that is.. once she is out of prison.
We're a little ways from the penalty phase of this case, aren't we? The woman has been arrested and charged with a crime, by a real police department (i.e., not just campus security). It's just been or is about to be handed over to a DA or city/county prosecutor.
The penalty phase won't come until and if she is found guilty by a jury, and generally they'll decide on the severity of the punishment. Of course, the penalty could come earlier, if she accepts a plea agreement.
It's not offtopic, dumbass. It's orthogonal.
Heh. It's not like universities will pay attention until they get hit where it hurts, their wallet. I've been bitching at my university (Ohio State) for years about their lax policies. Profs will even be so naive as to leave grades posted on the walls with SSNs (OSU's ONLY student identifier) beside them. Until someone finds a case against them and sues them, though, there won't be any motivation to change the system.
Hrm loving these
That seems like a gaping stupid hole that was probably instituted because forgetful professors insisted on it.
I found that many professors are so focused on their areas they cannot comprehend the rest of the world around them. Then others have such a huge ego that they wave their PhD like it was assigned to them from God. I think in this case they should stop all the getting-their-password business and put the responsibility in the professors' hands. If they forgot their password they will need to go to the sysadmins themselves, show their ID, and explain that they did forget their password. If they don't want to do that then they will need to send their paperwork to whoever does the grading the old way and take the consequences for it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Why not boost GPAs across the board, being random enough to elude detection, but not so random as to fail to ensure that yours gets boosted? That sounds like the smarter alternative.
Windows has detected an undetectable error.
UCSB Student Engineers Grade Hack
And they gave it an F.
...expect something different after reading the article's title?
"UCSB Student Engineers Grade Hack" - I expected that a bunch of UCSB "Student Engineers" had graded a hack (I give it a 7 for being clever, ...), not that a UCSB Student Engineered a grade hack.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
"...are universities too careless with their data?"
Well, that all depends on what you mean by "universities".
Generally, administrative systems are administered by computer professionals who follow all the basic best-practices, just like everyone else. And, university departmental systems are administered by pros as well.
The main problem you have is the students on the network and the rogue professors (who you can't get to comply even with submitting their damn grades, much less computer security guidelines).
Another point is that academic networks are generally more open than corporate networks. The academic network is not homogeneous, and needs to be able to allow whatever strange and curious systems might need to connect to others. In the name of research, don'tcha know?
One thing to remember is that these "...other computing snafus recently making headlines" are high profile because they're in the news. What about all the security incidents that aren't in the news? For example, the corporate incidents which don't get reported.
Anybody who has experience with trying to secure computers knows that you can't be 100% sure that you're un-crackable. You follow security best-practices, patch like crazy, do your best, and hope that your users don't use their login names as passwords.
I think singling out universities, in particular, is unfair. Especially if you're not familiar with the academic culture.
Anyone else but me immediately think of the phrase "guilty until proven innocent"?
It's nice your school is trying to perform steps to prevent cheaters but that's just way too much. A university should be a place where you can live the life you want and the free exchange of ideas with many different types of people from all around the world, not worried if you've sufficiently proven you aren't a cheater to the satisfaction of one of the 70 select individuals.
Sheesh... why not just study and actually earn the fscking grades!
Organic free-range music... yum!
This is not my sandwich.
The people who care the most about college grades are the parents who subsidize the tuition. Keep them happy and the rest will take care of itself. Wouldn't it be easier to get by with an inferior but passing GPA and print a nice-looking document that looks like a transcript for Mom & Dad? If there is no signature, then there is no forgery. If the grades remain unchanged, it's not a hacking attack. Is there any law that covers a counterfeit transcript that was NOT used for employment purposes?
If the students are not willing to show up and get at least minimally passing grades, they should skip school altogether and head straight for the diploma mills. Of course, the budget-minded cheater can create bogus transcripts from colleges that used to exist but are now closed/merged/renamed.
I worked in higher education administration. I interviewed job applicants who had fake degrees. Our HR people went hog-wild researching the validity of transcripts. I doubt the average employer would allocate the resources to this activity to make it truly effective. Then there were the overseas degrees. Transcripts in Polish, Chinese, etc. Verifying the information was NOT easy. Most employers would be easily duped.
The weak point in the system is not the computer -- it is the hardcopy output.
if it wasn't for those darn meddling kids!!!
(Mwaaahhhh-ha-ha-ha!)
#6495ED - cornflower blue
I've watched this behavior, and it's much more prevalent (at least among all- or almost-all-male groups) when the group is a bunch of men who are constantly jockeying for position.
It didn't happen by and large in the campus sci-fi club, even at the events that were heavily male-dominated. It did happen in the computer labs late at night. Yes, there was a large amount of overlap between the two groups, but something about the different environment triggered this change in behavior. I'm saying that my personal observation has been that you get crude sexism much more when there's more showing-off and one-upmanship in general.
You have a girl who worked at a company on the side where she had access to sensitive information about professors (and many other individuals). She steals that sensitive information and uses it to reset the password of the professors.
She then logs in to the grading system and changes her grades.
And the computer system worked like a charm. Any grade change resulted in a departmental notification. The professor, realizing that he did not make the change and could not log into the account any more, notified the appropriate authorities.
An investigation occurred and this criminal was discovered. Sounds like an open and shut case to me.
First off, the university in question *here* was compromised by a student that had external and unrelated access to her professors' personal information.
Second, the UCB article linked as additional evidence of carelessness discusses a laptop theft which took place in a restricted area of campus where the theft was actually witnessed.
This is careless? Why in the world would you blame the universities for these situations? It's not like either of these incidents involved someone breaking into the network from off-campus and downloading records or changing grades.
Microsoft cheerleader, blue flag waving, you got a problem with that?
*BZZT* wrong. Google for Proposition 209. Or what, you think a student with the last name 'Ramirez' is evidence of affirmative action? Then you're just a moron. What, you didn't get in?
Keep in mind, Schmidt was talking to the media. Ever try to explain something technical, knowing the other person probably doesn't have a clue what you're talking about, but will re-word it anyways to tell thousands of more people?
That's why that dumb 'geeky https' comment came out.
Very few words in English have gender (pronouns, basically).
From there on you just get more and more confused...
_O_
.|< The named which can be named is not the true named
Without getting into a big discussion of database design, referential integrity, etc., this is the sort of thing I've always used triggers for: updating a row writes another record to another table indicating that it was inserted/updated/deleted.
I wrote a couple of trading-ish systems that used this when a person placed a trade. Came in very handy when a user called to say that he had lost some major $$$ because we screwed up his order, only to show him in the log that he had in fact placed his order at this time, and then tried to cancel it not a minute later, but a full two hours later, long after the close.
Yes it can be done in a procedure, write to another table, etc., but what I've always liked about triggers is that they're automatic, somewhat hidden, and easy to forget...
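The two comments above (the one noting that every eGrades change produced a departmental notification, and this one about doing it with triggers) describe the same control. Here is an added example of that pattern, written for this page and not taken from UCSB's system or from any commenter. It uses SQLite through Python's standard sqlite3 module; the table names, columns and the "acknowledged" notification flag are assumptions made for the illustration. The audit rows are written by the database itself, so application code that forgets (or deliberately skips) logging still leaves a record, and a second trigger makes the audit table append-only for anyone working through the ordinary SQL interface.

```python
"""Trigger-based audit trail for grade changes (added example, assumed schema)."""
import sqlite3

SCHEMA = """
CREATE TABLE grades (
    student_id TEXT NOT NULL,
    course     TEXT NOT NULL,
    grade      TEXT NOT NULL,
    entered_by TEXT NOT NULL,  -- the authenticated account making the write
    PRIMARY KEY (student_id, course)
);

CREATE TABLE grade_audit (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    student_id   TEXT NOT NULL,
    course       TEXT NOT NULL,
    old_grade    TEXT,             -- NULL for the initial entry
    new_grade    TEXT NOT NULL,
    changed_by   TEXT NOT NULL,
    changed_at   TEXT NOT NULL DEFAULT (datetime('now')),
    acknowledged INTEGER NOT NULL DEFAULT 0
);

-- Initial entry and every later change are recorded by the database,
-- not by whichever code path happened to perform the write.
CREATE TRIGGER grades_audit_insert AFTER INSERT ON grades
BEGIN
    INSERT INTO grade_audit (student_id, course, old_grade, new_grade, changed_by)
    VALUES (NEW.student_id, NEW.course, NULL, NEW.grade, NEW.entered_by);
END;

CREATE TRIGGER grades_audit_update AFTER UPDATE OF grade ON grades
BEGIN
    INSERT INTO grade_audit (student_id, course, old_grade, new_grade, changed_by)
    VALUES (OLD.student_id, OLD.course, OLD.grade, NEW.grade, NEW.entered_by);
END;

-- Audit rows may be acknowledged but never deleted or otherwise edited
-- through SQL (a user who can DROP the trigger is a different problem).
CREATE TRIGGER grade_audit_no_delete BEFORE DELETE ON grade_audit
BEGIN
    SELECT RAISE(ABORT, 'audit rows are append-only');
END;

CREATE TRIGGER grade_audit_no_edit BEFORE UPDATE OF student_id, course,
    old_grade, new_grade, changed_by, changed_at ON grade_audit
BEGIN
    SELECT RAISE(ABORT, 'audit rows are append-only');
END;
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def enter_grade(conn, student_id, course, grade, actor):
    """Initial grade entry by the instructor (actor = authenticated account)."""
    with conn:
        conn.execute(
            "INSERT INTO grades (student_id, course, grade, entered_by) VALUES (?, ?, ?, ?)",
            (student_id, course, grade, actor),
        )


def change_grade(conn, student_id, course, new_grade, actor):
    """Later change; the application must stamp the acting account in entered_by."""
    with conn:
        conn.execute(
            "UPDATE grades SET grade = ?, entered_by = ? WHERE student_id = ? AND course = ?",
            (new_grade, actor, student_id, course),
        )


def pending_notifications(conn):
    """Unacknowledged changes to an existing grade: what the department gets told about."""
    rows = conn.execute(
        "SELECT id, student_id, course, old_grade, new_grade, changed_by FROM grade_audit "
        "WHERE acknowledged = 0 AND old_grade IS NOT NULL ORDER BY id"
    ).fetchall()
    return [dict(zip(("id", "student_id", "course", "old", "new", "by"), r)) for r in rows]


def acknowledge(conn, audit_id):
    with conn:
        conn.execute("UPDATE grade_audit SET acknowledged = 1 WHERE id = ?", (audit_id,))


def try_delete_audit(conn, audit_id):
    """Returns True only if the row was removed; the trigger should make this False."""
    try:
        with conn:
            conn.execute("DELETE FROM grade_audit WHERE id = ?", (audit_id,))
    except sqlite3.DatabaseError:
        return False
    return conn.execute("SELECT COUNT(*) FROM grade_audit WHERE id = ?", (audit_id,)).fetchone()[0] == 0
```

The change in the UCSB story would appear in `pending_notifications()` with `by` set to the professor's account, which is exactly why the professor was able to say "I did not make that change": the record is tied to the account, and the account owner is the one who gets asked about it.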
Ours was a bit more cruel. We added the following line to their login script:
logout
The profs caught on after awhile and fixed the bad login scripts though.
***It doesn't say anything negative about women at all.
*That's a fact, the worst I ever had was wonderful.
This is Slashdot! What are you talking about?
Over Christmas break last year I got an email explaining that for an hour, personal information of some 30 computer science students was downloadable via the school's CS webpage. This personal information included everything... name, address, even so far as SSN. During this time, the information was viewed 14 times. The email goes on to say that I was one of the students whose information was shared. Thanks. The thing that troubles me the most, aside from the unnecessary use of everyone's SSN, is the fact that it was the *CS* department that posted this information. If the computer guys can't get it right...?
A bank robber who forgot to put on his mask, was captured today. News at 11.
The massive amount of security is actually tied to a much much larger system. BYU-Provo (the original poster was referring to BYU-Idaho) is three times larger, with over 30,000 students. However, the campus actually runs the data center for the Church of Jesus Christ. The personal records of 11,000,000 living people (and nearly a billion dead ones) are warehoused there so technical security, identity theft prevention, and privacy are extremely high priorities. Security policies both technical and procedural are employed at the university level, church level, and every level related to them. Some have compared BYU to being more technically advanced than MIT as far as full implementation of technology throughout the campus.
;). BYU will destroy its football program before they will allow the honor code to be slighted. The administration has booted entire sections of the starting lineup for honor code violations. You give your word to uphold the standards, and if you don't, you're gone. Simple as that. No hypocrisy, just enforcement. Most universities probably have honor codes, but at BYU, it's actually enforced.
Regarding the honor code. The Church Educational System which runs the BYUs and several hundred other smaller educational programs is guided by fundamentally religious principles. All students are asked to commit to living the standards of the Church in their educational pursuits. This is recorded in the record system. I'd have to disagree that asking someone to recommit is an example of hypocrisy, more like an example of support, encouragement, and patience.
And yes, if you break the honor code it is your ass, and probably your soul
I am a professional Security Consultant. This is what I do.
Most universities, schools, workplaces, SOHOs, and many homes are all "under secure" and could use help.
The problem is $$...my services and services of people like me do not come cheap.
So fix it, and just be secure - Firewall, backups, etc.
--E--
then how come my son hacking Wikipedia yesterday isn't emblazoned across the front pages?
Geesh, hackers at UCSB, the Zombie Capitol of the World, who would have thunk it?
[caveat, my sister works there]
-- Tigger warning: This post may contain tiggers! --
Started playing a nice game of Global Thermonuclear War.
Even with the information Ramirez obtained, in a good system she would have also had to hijack the prof's mail. Much better to have the system email (yes, that is insecure too) you a new random password and disallow any further password changes until the person has successfully logged in. This way the victim knows immediately if something is going on while causing them little inconvenience.
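An added example of the reset flow proposed in the comment above; it is not UCSB's eGrades code and the commenter did not supply any. The account model, the mail "outbox" (a list standing in for SMTP) and the 15-minute lifetime of the temporary password are assumptions. The two properties being demonstrated are that the temporary password goes only to the address of record, and that password changes are refused while a reset is outstanding until someone actually logs in, so a knowledge-based reset (SSN, birthdate) alone never yields a changed password.

```python
"""Password reset that mails a temporary password and locks changes until login.

Added example with an invented account model; not from any real grading system.
"""
import hashlib
import hmac
import os
import secrets
import time

TEMP_PASSWORD_TTL = 15 * 60   # seconds; assumed policy value
PBKDF2_ROUNDS = 50_000        # kept modest so the example runs quickly


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, email, password):
        self.username = username
        self.email = email              # address of record, not attacker-supplied
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.temp_hash = None           # hash of the mailed temporary password
        self.temp_expires = 0.0
        self.reset_pending = False      # blocks change_password until a login


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self.outbox = []                # simulated mail: (recipient, body)

    def add(self, username, email, password):
        self.accounts[username] = Account(username, email, password)

    def request_reset(self, username, now=None):
        """Knowledge-based identity check is assumed to have passed before this call."""
        now = time.time() if now is None else now
        acct = self.accounts[username]
        if acct.temp_hash is not None and acct.temp_expires > now:
            # One outstanding reset at a time: the owner gets exactly one mail
            # to notice, and a caller cannot keep minting fresh temporaries.
            return False
        temp = secrets.token_urlsafe(18)
        acct.temp_hash = _hash(temp, acct.salt)
        acct.temp_expires = now + TEMP_PASSWORD_TTL
        acct.reset_pending = True
        self.outbox.append((acct.email, f"Temporary password for {username}: {temp}"))
        return True

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts[username]
        candidate = _hash(password, acct.salt)
        ok = hmac.compare_digest(candidate, acct.pw_hash)
        if not ok and acct.temp_hash is not None and acct.temp_expires > now:
            ok = hmac.compare_digest(candidate, acct.temp_hash)
        if ok:
            # Any successful login (old or temporary password) closes the reset:
            # the owner has seen what happened, and the temporary is single-use.
            acct.temp_hash = None
            acct.temp_expires = 0.0
            acct.reset_pending = False
        return ok

    def change_password(self, username, new_password):
        """Assumes the caller holds a session obtained from login()."""
        acct = self.accounts[username]
        if acct.reset_pending:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        return True
```

In the scenario from the article, the reset request would have produced a mail to the professor, not a usable credential for the student, and the subsequent change attempt would have been refused; the professor finds out at the moment of the attack rather than when the grade notification arrives.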
As emasculating is defined as reducing or eliminating maleness, yes.
My other first post is car post.
my thirteen year old grandson got busted at home cuz he left his pron addresses in the location bar deally and my daughter found them rather easily. great, now i have to set up a squid proxy etc here at my house cuz he has a log in account on my deb sid desktop. oh well, the box i use for masquerading needed to be updated soon anyway...
Serenity now, insanity later.
I mean, can we have conjugal visits? Maybe she has a /. account.
/\/\icro/\/\uncher
FWIW, "your-2r8c40dfb2" or "your-34slks32sc" or similar (I don't know the exact number of letters off the top of my head) match the default Compaq naming pattern, at least for Presario laptops--my gf's shows up as something like that on my AP, and I've seen one or two others that did likewise. I think the random-looking part is either (a) pseudorandom or (b) the machine's service tag, so that when you plug two brand new laptops into your network you don't get a naming conflict.
With that said, I suspect that if the same name showed up elsewhere as a spam source and then did a lot of upstream but little downstream traffic at your site, it's probably a spammer hopping from connection to connection with the computer auto-registering itself with the same hostname each time.
A real hack is one who has a degree from MIT in computer science, and has never been to Massachusetts. And didn't attend MIT. And didn't enroll at MIT. And doesn't own a computer. And doesn't speak english. And lives in Zimbabwe. In a hut. With his mother. That would be a hack. This, this is unauthorized network use from a local terminal. Not a hack.
FWIW, "your-2r8c40dfb2" or "your-34slks32sc" or similar (I don't know the exact number of letters off the top of my head) match the default Compaq naming pattern, at least for Presario laptops--my gf's shows up as something like that on my AP, and I've seen one or two others that did likewise.
Close, but no cigar. It's XP's way of uniquely naming a computer. It uses the first word of the organization plus a "random" jumble of characters to make up the computer name. If the user accepts the default name in the end-user setup (aka mini-setup in the OEM world), or was never given the chance to change, this would result.
The campus that I attended up until a few months ago was definitely vulnerable to this. A guy I know got caught doing this exact attack; the only reason that he was caught was because he didn't understand ARP poisoning and managed to shut down all traffic on his switch. I am friends with the IT staff at another smaller campus that I went to years ago and am currently working with them to get around this issue. I was able to test the feasibility there and found a machine in the library with no BIOS lock. So yeah, in my experience it's just not something that campus IT staff think of when designing a network. Most people these days are worried about patching the servers every 5 minutes against the latest greatest (next to impossible to exploit) integer underflow. Instead they should be looking at the flaws that have existed for years and are easily exploitable. A VPN for profs would go a long way, but still I am not sure how well it would go over with administration. Most people want things to be easy and couldn't give a damn about security (until the school gets hacked and it's their ass).
Pertaining to your observation though, I really doubt that the firewalls you are talking about had anything to do with the internal network that I am talking about. Blocking outside traffic is all well and good, but any internal machine can still see everything that is going on internally.
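The commenter's point is that a campus LAN with no ARP protection lets one host redirect everyone else's traffic, and that the only reason the attack was noticed was that it broke the segment. An added example of what the IT staff could run instead of waiting for an outage: a small detector over ARP replies that flags (a) a reply claiming a pinned address such as the gateway with the wrong MAC, (b) an IP whose MAC changes, and (c) one MAC answering for many IPs, which is what an ARP-poisoning tool does when it impersonates the gateway and the victims. This is written for this page, not taken from any commenter or product; the ARP records below are constructed, and the pinned gateway entry is an assumption.

```python
"""ARP-spoofing detector over a stream of (timestamp, sender_ip, sender_mac) replies.

Added example; the sample replies are constructed, not a real capture.
"""
from collections import defaultdict

# Constructed ARP replies: a legitimate gateway and two hosts, then a third
# MAC answering for all of them, then an unrelated new host.
SAMPLE_ARP_REPLIES = [
    (0.0,  "10.1.0.1",  "aa:bb:cc:00:00:01"),
    (0.5,  "10.1.0.25", "aa:bb:cc:00:00:25"),
    (1.0,  "10.1.0.40", "aa:bb:cc:00:00:40"),
    (5.0,  "10.1.0.1",  "cc:dd:ee:99:99:99"),   # claims the gateway
    (5.1,  "10.1.0.25", "cc:dd:ee:99:99:99"),   # claims a victim host
    (5.2,  "10.1.0.40", "cc:dd:ee:99:99:99"),   # and another
    (30.0, "10.1.0.77", "aa:bb:cc:00:00:77"),   # new host, benign
]

# Assumed operator-maintained pins for addresses that must never move.
PINNED = {"10.1.0.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, pinned=PINNED, max_ips_per_mac=2):
    """Return a list of alert dicts, one per suspicious event, in time order."""
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and pinned[ip] != mac:
            # Highest confidence: a pinned address answered by the wrong MAC.
            alerts.append({"ts": ts, "kind": "pinned_mismatch", "ip": ip,
                           "mac": mac, "expected": pinned[ip]})
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # Medium confidence: DHCP churn can also do this, so on its own
            # this is a lead, not proof.
            alerts.append({"ts": ts, "kind": "ip_mac_changed", "ip": ip,
                           "old_mac": prev, "mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            # Fire once, when the threshold is crossed, rather than on every reply.
            alerts.append({"ts": ts, "kind": "mac_claims_many_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspect_macs(alerts):
    """MACs implicated by the strong signals; ip_mac_changed alone is excluded."""
    return {a["mac"] for a in alerts if a["kind"] in ("pinned_mismatch", "mac_claims_many_ips")}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
    print("suspects:", suspect_macs(detect_arp_spoofing(SAMPLE_ARP_REPLIES)))
```

Feeding this from a real switch is a matter of replacing `SAMPLE_ARP_REPLIES` with parsed output from a sniffer or the switch's own ARP inspection logs; the pinned list is what turns the ambiguous "IP changed MAC" signal into a definite alert, so it is worth maintaining for gateways and servers even if nothing else on the segment is tracked.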
I agree with the term "to get ahead u have to give some head," but if she can steal the identity of 2 male professors maybe she wasn't worth the extra grade. IDK
One day.