Slashdot Mirror
UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
Blowjob would have done the same without all this popularity. Huh .. kids will never learn.
Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.
Hulk SMASH Celiac Disease
I guess it brings a new meaning to not being able to hack it in college.
*ducks*
"I'd be smart if I didn't let thinking get in the way."
I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
unixkb.com -- articles on practical Unix issues.
The least she could have done was use Tor and Privoxy. Oh well. So much for changing her grade. Now that she's going to be a bonified convict, she can pull down the six figures like Mitnick.
"It's not like 300 grades were changed or anything like that," he said. "It's not even close."
Like one person getting credit for something they didn't do isn't enough... its got to be mass fraud to care?
"It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so its believed [she used eGrades at] both locations."
Idiot!
Get your Unix fortune now!
Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
the only grade that was changed was an F in "Ethics 101".
Changing your grade is as simple as looking for the password taped under the desk!
. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
i would worry about the people that didn't
[*_-]
"An important distinction in this case, compared to some other instances you've seen reported on around the country, the integrity and security of our grading system is intact and was not compromised," said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.
If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
The Security of the grading system is INTACT? Hell yeah!
No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after...
Ah cheating how it has evolved.
I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.
another cheating example that comes to mind. Is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.
As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. My physics class I am taken now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be delt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges
Believe it or not, they keep mac address databases, any self respecting router will. Who is to say the police can't trace the IP to an wireless access point and check Mac addresses? Who is to say that free is really free, that it's not one big honey pot? They have camera's? They know the time it happened??
It ain't that easy...
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
The ______ Agenda
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as ssn and birthdate. Better would have been to send a new password to the users email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
At my University there is a strict honor code. Every Winter semester students must be endorsed, meaning that they have met with an advisor and have committed to abide by the rules of the honor code. There are only about 70 people that can do the endorsements on campus. A failure to get endorsed means that you are no longer a student and you are blocked from registering. For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter in endorsements into the computer. We were given a six digit number to sign in, with a ten digit, alpha-numeric, randomly assigned password. The letter with the password did not come with the sign in. Further, the letter stated that the University doesn't even know the password, so it should be kept safe. Advisors were asked to keep the password in strict confidence, and not to disclose them to anyone, under any circumstances. To top it off, the University set it so that there was a narrow time period for the endorsements to be done. So assuming that you managed to find out the user name for you advisor, you would have to brute force the password within time.
Needless to say, I would argue, at least at my school, they are not careless. In fact, I would argue that they are erring on the side that someone will try to hack the system. But the school also takes computer issues seriously. The computer use policy is very strict, and makes it clear that abuse of a computer, on or off campus is grounds for getting expelled.
The views expressed are mine own and do not express the views of my employer.
A friend of mine at university used to have "Tempus Fugit" in his email signature file. This pretentiousness could not go unpunished so we changed it to "I wank daily"
He was sending out emails with it on for a week before a professor wrote to him telling him to change it to something more appropriate.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I'd rather get a degree in Zan, be able to take water forms.
Sigs are like bumper stickers.
Yes i'm careless for having windows made of regular glass instead of tempered. While we're on that note, lets fault me for having a wooden door instead of a steel one, and dirt in my crawlspace someone can tunnel into.
I think the university did the best it could here. No matter how high/tall/hard you build it, folks are always gonna try and break it. It's just a fact of life.
I think the only person careless in this whole shebang is the girl that did the grade changing. I doubt this is the most morally devoid thing that has ever happened in this professors class
I can't recall how many times I had girls that liked me offering to do my homework in school, or how many times I saw someone blatenly fuck another persons report up by checking all the books pertaining to their subject from all the local libraries. I think the worse i've seen is the prefferential treatment some students get, weather it's because of being on the football team, or some other popular school group.
There's a lot worse that goes on in schools, it's just she got caught.
true.
You can reset your passwd at my college with SSN and DOB too, the extra securfity being that you have to go to a lab (like the one where I work) and use a specific comp that is always at the admin desk and cannot be used without supervision. When you log in with said info to change your password a big picture of you comes on the screen, if the you on the screen doesnt match the you changing the passwd we boot your sorry ass out of the center.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.
So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.
So if someone wants to stay in school but disobey the honor code, they can either spend a great deal of effort to hack the system...
Or just lie and say they'll follow the honor code? Why go through all that trouble to safeguard a system that can be circumvented verbally?
That is not a Hack but a fraud, felony, break-in ! /. moderators should know the meaning a of a hack.
The article makes a big deal about how "savvy" this girl is, but seriously - how much knowledge does it require? When you click on the "forgot your password" link, it gives you a prompt with the information it needs to let you change your password. If presented with a website that says "Please enter your SSN and DOB to change your password", it doesn't take a genius to figure out what information to get.
She did demonstrate some creativity by using her work DB to look up her prof's personal info. However, considering that she did NOTHING to conceal her identity (steal wi-fi, use a proxy, etc), she clearly wasn't a savvy hacker. Smarter than the average user, perhaps, but definitely not a crafty blackhat.
i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.
It's an ID number. The problem is, your name and DOB don't necessiarly uniquely identify you, there are many documented cases of two people being born with the same name on the same day. Also, names are a very easy thing to confuse, you say one thing, they hear another.
So SSNs are a good identifier. Their primary, and orignal, purpose is to track earnings for social security purposes. However congress later authorized its use for lots of other identification things (like tax ID).
Now the problem is that for some reason many instutions treat it as a password or the like, rather than ID. They assume names and birthdates are public knowledge, but for some reason an SSN is secret. No, not really. It's just another identifier, and should be treated as such.
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret. It should be given no more or less weight than information like address, DOB, full name, etc. It's all just tidbits to uniquely identify you.
Now part of the problem is, short of DNA, how do you really go about verifying your identity? I mean most proofs of identity rely on other proofs of identity. My passport proves my identity, but to prove I should have it I used things like my driver license, birth certificate, and personal details.
So you can understand why things like SSNs are used for identity purposes, the problem is too much weight is put in them. It's assumed that they are like some kind of secret password that only the person can know, when really they are just like a DOB, not hard to find out.
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
First, yes this does show that something is wrong with the security of campuses...I am at UCB and I recall that sometime last year we got an email through an instructional (class) account saying that our Student ID Numbers might have been compromised and that they are looking into it. While there isn't much one can do with SID's, it still kinda got me worried - I mean what if they got our passwords or something, and what if it was the same password as say the registration system (where someone could actually unregister you from Berkeley...).
I understand that since universities are prominent institutions, they may be the target of many different attacks but on the flip side, since so many students and faculty members are part of the university community, there should be that much more done in terms of security. I sure as hell don't want anything about me compromised (boy am I glad only the grad students' ssn were stolen the other day).
And also, to those who talk about how easy it is to cheat, it isn't. Almost all CS classes (for example) have a hardcore system that checks your code against everyone else's. Yes, it does take care of changing variable names and whatnot, it checks logic - and if you get caught (which many do) you will get an email telling you who you stole from, how much you stole, how much is deducted, etc. So in short, cheating is not easy.
There are comparable systems for say papers in humanities' courses, although checking natural language is a lot harder of course - but I believe those systems DO check against a massive database of published papers to see if you plagiarized from outside sources (in addition to checks with other students). And as for exams, it is rare for people to cheat - usually TA's are walking all over - if it was so easy to cheat as some people here say it is, then I am sure many bright college students would figure it out (and the bright TA's and professors would probably respond to it quickly too).
University of Computer Skills and Bowhunting.
Nothing is really secure.
mund freud.
What was the reason for cheating? What was the consequence of failing the class? What was the risk of getting caught cheating?
I don't think we will kill people for cheating, or sentance them to some lifelong hell. But if someone fails, and gets pushed into the lower class, it is hell. Like George Bush said "Congrats, you have two jobs, something uniquely American"
If society realizes all people are valuable, and can contribute, and does not push a person beyond their means, then being in the "lower" class will not be a punishment.
There is the second side of the equation. We could just make the punishment so great for cheating to discourage people. That seems to be the trend with all crimes.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
- "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.
I certainly hope those aren't his exact words. Otherwise, I'd have to say, he's complete f'ing idiot. SSL is not "real protection". At it's very best, it stops people from snooping. And having seen, first hand, how a number of universities manage SSL web servers, I would not be surprised in the least if they were using/allowing 48 bit SSL (which any modern computer can crack in less than a day.) HTTPS vs. HTTP didn't have a damned thing to do with this "hack".Maybe the university would like to explain why they are using a person's SSN as a form of identification in explicit violation of the Socal Security Act of 1970. Btw, that's a serious felony that trumps the student's 4 (lame) felonies... just saying my name is [something other than my name] is a felony now? What. The. Fuck.
I'm not going to say where, but it's a major school. I know that most of the professors do not realize that the network drives they are using like local drives are public by default. Some professors like to use them since they can access those drives anywhere on campus. Any somewhat knowledgeable student, even with a guest login, can browse through them and see everything that the professors think is private. Tests, answer keys, quizzes, family pictures, and yes, even porn. Anything they save on the drive.
;)
Also note, student shares are also public by default, so you can browse other student's homework if you get stuck on a problem
It's been like that for YEARS.
Buy Steampunk Clothing Online!
Go here, SSL is insecure if the key exchange is sniffed. Ettercap does this and ssh1 in real time as it sniffs. Its a fun program to play with. There is an option to just leave it on and let it log all passwords to a file. I was amazed when I first found it and have spent a ton of time in the source figuring out how it works. Cool stuff.
Crawl This - http://darkry.net/test/test.php
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots" when he is done with it."
was 'pencil'. That week. Written down on a piece of paper carefully kept in the drawer.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Ok I was sorta right:
:
:)
"How can a school use my Social Security number?
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding (FERPA, also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g). One of FERPA's provisions requires written consent for the release of educational records or personally identifiable information, with some exceptions. The courts have stated that Social Security numbers fall within this provision.
FERPA applies to state colleges, universities and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a release of personally identifiable information, violating FERPA. However, many schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law. Social Security numbers may be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid. In Krebs v. Rutgers, the court ruled that SSNs are "educational records" under FERPA (Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).
The FERPA text can be found at the web, www.cpsr.org/cpsr/privacy/ssn/ferpa.buckley.html. For the U.S. Department of Education's web site on FERPA, see www.ed.gov/offices/OM/fpco/ferpa/index.html.
Public schools, colleges and universities that ask for your SSN fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the Social Security number is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement. If one is not offered, you may want to file a complaint with the school, citing the Privacy Act.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID."
You can find other info at
http://www.privacyrights.org/fs/fs10-ssn.htm
Hope this helps.
"There is no real right or wrong, just what the majority accepts at the time."
SSL is insecure if the key exchange is sniffed.
Huh?
There are two SSL key exchange methods which are mostly used: (1) RSA and (2) ephemeral Diffie Hellman.
With (1), the client (browser) picks a random 48-byte key k, PKCS1 pads this, then raises it to the server's public exponent (e) mod N and sends that.
With (2), the client and server do a diffie hellman key exchange with the addition of the server signing his (so that the client can be sure he's talking to the server) with his RSA private key.
In neither case can the pre-master secret be obtained by a sniffer. In case (1), obtaining the pre-master secret from C = PKCS1( k )^e mod N implies being able to find e'th roots mod N (good luck with that). With the latter, the sniffer has: g^a mod p and g^b mod p, finding g^ab mod p is exactly the diffie hellman problem, good luck with that, too.
Is it only me, or did you as well notice that a hacked computer login is now called "identity theft" as in "credit card fraud" and all the other stuff we use to associate with it?
...and they some how manage to get computer lab monitors that aren't clueless stoners that only have the job because they're workstudy qualified?
my sig's at the bottom of the page.
Compromising the grade-system destroy's the common-people's faith in "the system", so it has to be punished more.
Beating up old ladies only destorys faith in the person who did it.
It's one reason petty counterfeiters are hit so harder than a petty theft. It's not like the few $100's they make will actually lead to inflation. But if enough people get away with it then it leads to a general lack of faith and confidence in the dollar. That's a bad thing, since the whole economy works on the idea that we all pretty much believe a dollar is worth the same thing.
The problem is not breaking SSL. The problem is that tools like ettercap and CAIN (for Windows) can perform a Man In the Middle attack, where they use ARP cache poisoning to interpose themselves between the SSL client and SSL server BEFORE the session is established. Then, when the client tries to connect to the server, the MITM will fetch the client information, and use it to establish its own session to the server -- then quickly fake a certificate which it feedback back to the client.
Admittedly, most browsers will detect this, and throw up a dialogue box -- but due to poor training or understanding of security, 99% of users will simply click away the warning to get their application, and will happily login and access information, while the MITM steals all packets without having to attack the encryption.
SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.
Paul Gillingwater
MBA, CISSP, CISM
There are a significant number of reasons why electronic fingerprinting of the underlying modulation methods will not work - the same NRZI (or whatever encoding) stream will be modified every single time it passes through another 'box' Basically you will not (necessarily) be getting the actual electrons sent from the target machine, so any analysis is somewhat futile.
The manufacturer will list common tolerances for each NIC, but it makes no financial sense to database pulse characteristics for the 'millions upon millions' of cards currently in the world.
RADAR can be fingerprinted very accurately, the key difference is you receive the radiated energy directly from the emitter itself.
Not to disagree with you fully, there are other methods people are trying, but they are mostly borderline snake oil. Traffic analysis is the only viable solution, think of it like sifting through someones garbage, their friends garbage, and their friends friends garbage, and.... up to three or four association levels, any more and you begin to have issues with storage capacity.
Fingerprinting is indeed possible, but it will require very close access to the targets machine. Rarely possible without being noticed. Impossible unless you already know where the source is located.
I can expertly tell you there is no such technology in consumer network cards that will fire off information to 'them' - this can be confirmed with an off the shelf o-scope and some knowledge of coding schemes. Any other method can be detected with software. Protocol analysis.
No conspiracy.
I find it bad, that changing your grade counted as 4 counts felony.
3 Strikes and you can goto prison for life, its no longer just 3 dangerous felonies see http://en.wikipedia.org/wiki/Felony
http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...
She can loose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.
Hey, she could get busted for smoking a joint, or filling out a DMV record incorrect and serve 25 years in prison. Thanks to 3 strike laws.
But hey, you feel safe now, right?
oh, and she knew how to use google also. http://www.google.com/search?q=university%20califo rnia%20santa%20barbara%20egrades
Huh? It's emasculating to call someone a person?
"Chairperson" is worse because it dehumanises the position
Because we all know that people aren't human.
___
It's the end of my comment as I know it and I feel fine.
This reminds me of a little experiment I did with my universities ID card system. When you first enrol they ask you to supply, electronically, an image of your face so they can make you an ID card. I thought it was odd that they would ask for an image and not even check to see if it was of you.
Now I'm white, small and not very built at all so naturally the only real option was for me to submit an image of Mr T. A fortnight passed with anticipation and soon my new ID was ready to be picked up. I had this whole bogus "There must have been some mistake here! This isn't me" speech ready or if I felt funny on the day I had the "This is so me, I pitty the foo who be discriminating against my people" speech. I go to pick up the ID, the lady asks for my student number, name, dob etc. Takes a look at the ID to see the details match and hands it over...
nothing.
She didn't even question the fact that there was a huge black man with bulk bling on my ID and it was clearly not me.
I went home with my new souveneer, resubmitted my real photo and got a replacement ID two weeks later. I still bring the thing out for laughs.
Er, set up a system where you couldn't change someone's password just by knowing their SSN?
_O_
.|< The named which can be named is not the true named
Duh.. and a system where you use social security numbers and birth dates as password hints??? c'mon.. this is silly.. But what a dumb chick eh? As if the professors wouldn't notice the change in passwords let alone a grade from F to B+!!! Unless the original exam material is in the same system it serves no purpose to change grades because they always have the original paperwork and class notes. And in addition to all this stupidity she didn;t even consider concealing the IP address..
This is not a "hack"!!!! She didn't exploit any technological weakness, only stole data giving access to a system.
-if at first you don't succeed, stay the heck away from paragliding.
I didn't have any mod points here, so I just logged in to the UCSB grading system and gave you a 100.
Now accepting PayPal donations!
Anyone else but me immediately think of the phrase "guilty until proven innocent"?
It's nice your school is trying to perform steps to prevent cheaters but that's just way too much. A university should be a place where you can live the life you want and the free exchange of ideas with many different types of people from all around the world, not worried if you've sufficiently proven you aren't a cheater to the satisfaction of one of the 70 select individuals.
You have a girl who worked at a company on the side where she had access to sensitive information about professors (and many other individuals). She steals that sensitive information and uses it to reset the password of the professors.
She then logs in to the grading system and changes her grades.
And the computer system worked like a charm. Any grade change resulted in a departmental notification. The professor, realizing that he did not make the change and could not log into the account any more, notified the appropriate authorities.
An investigation occurred and this criminal was discovered. Sounds like an open and shut case to me.
"For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter in endorsements into the computer."
They don't, by chance, ask advisors to sign the same affirmation to abide by all the rules, do they?
Keep in mind, Schmidt was talking to the media. Ever try to explain something technical, knowing the other person probably doesn't have a clue what you're talking about, but will re-word it anyways to tell thousands of more people?
That's why that dumb 'geeky https' comment came out.
Without getting into a big discussion of database design, referential integrety, etc., this is the sort of thing I've always used triggers for: updating a row writes another record to another table indicating that it was inserted/updated/deleted.
I wrote a couple of trading-ish systems that used this when a person placed a trade. Came in very handy when a user called to say that he had lost some major $$$ because we screwed up his order, only to show him in the log that he had in fact placed his order at this time, and then tried to cancel it not a minute later, but a full two hours later, long after the close.
Yes it can be done in a procedure, write to another table, etc., but what I've always liked about triggers is that they're automatic, somewhat hidden, and easy to forget...
hehe, that means politicians are pretty much equal to counterfeiters, they are very adept at producing 'a general lack of faith and confidence in the dollar'.
:)
In fact counterfeiting doesn't even come close to the kind of effect a good elected official can achieve in this respect
MP3 Search Engine
Didn't we learn anything from Wargames when it comes to changing grades?!?!
The password is kept under the desk on a sheet of paper, look for the one right below the crossed out password.
And don't change anything more than 1 or 2 grade levels... sheesh.
SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.
Ettercap can also detect an SSH connection going out and respond to the client saying that the server only allows SSHv1. The default client behavior is to initiate the connection over SSHv1 (this is wrong). Ettercap then sniffs the key exchange and forwards the connection (over SSHv2 this time) to the remote server. The server thinks you're connecting through SSHv2, from your machine. The only real workaround is to ABSOLUTELY disable client support for SSHv1.
I mod down pyramid schemes in sigs.