Slashdot Mirror


UCSB Student Engineers Grade Hack

An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"

24 of 544 comments

  1. Can't Hack It by Teknobob · · Score: 5, Funny

    I guess it brings a new meaning to not being able to hack it in college.
    *ducks*

    --
    "I'd be smart if I didn't let thinking get in the way."
  2. Pfft... this is nothing by Raul654 · · Score: 5, Interesting

    I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  3. Who needs programmatic security... by kwoo · · Score: 5, Insightful

    ... when the policy enforced by the program is broken to begin with?

    From TFA:

    The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.

    This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.

    For more examples of such problems in systems, check out Risks Digest.
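
The reset flow quoted in the comment above, modelled next to a token-based alternative. This is an added example, not eGrades or NetID code; `kba_reset_allowed`, `TokenReset`, the sample record and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for this sketch

# Constructed sample record; not real data.
RECORD = {"user": "prof_example", "ssn": "000-00-0000", "dob": "1960-01-01"}


def kba_reset_allowed(record: dict, ssn: str, dob: str) -> bool:
    """The quoted flow: whoever knows SSN and date of birth may reset."""
    return ssn == record["ssn"] and dob == record["dob"]


class TokenReset:
    """Hypothetical store mapping user -> (sha256(token), expiry time)."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def issue(self, user: str) -> str:
        """Token goes to a channel enrolled earlier by the account owner."""
        token = secrets.token_urlsafe(32)  # 256 random bits
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, user: str, token: str) -> bool:
        """Valid once; any attempt consumes the entry, so guesses cannot repeat."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        return self._clock() <= expiry and hmac.compare_digest(digest, presented)
```

Only the token's hash is stored, so a leaked table of pending resets cannot be replayed, and knowing the record's SSN and date of birth no longer helps.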

  4. Professor mistakes by suso · · Score: 5, Interesting

    Back in 1997 I saw my computer science professor log into his Sun box, which was being projected onto a screen for everyone to see. He started to log in, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.

  5. The Irony is by therealfitzman · · Score: 5, Funny

    the only grade that was changed was an F in "Ethics 101".

  6. i wouldn't worry about the people that got caught by Anonymous Coward · · Score: 5, Interesting

    i would worry about the people that didn't

    [*_-]

  7. Re:Shoulda used an open wireless access point! by jd · · Score: 5, Funny
    She might have gotten away with it if she had used an open wireless access point


    Nonono! The line is "if it hadn't been for those pesky kids and that dog!"

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Cheaters by softparade · · Score: 5, Interesting

    Ah, cheating, how it has evolved.
    I remember reading a while ago about a middle school student who changed his grade by creating, I believe, a macro that increased his grade by 10% every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.

    Another cheating example that comes to mind is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.

    As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class, which has over a thousand students, four forms are given, with empty seats all around you. It is nearly impossible to cheat. In the physics class I am taking now, there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be dealt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyway. In this case a social security number was the lone culprit. I think a levelheaded IT department and some well-planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges.

    1. Re:Cheaters by void* · · Score: 5, Interesting

      Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct.

      I never went to college.

      However, in high school, my history teacher noticed that a good proportion of the answers given on tests were highly correlated - not exact, per se, but suspiciously close to the exact same answers.

      He made up seven different versions of the test, and ensured that the answer key for any version was different enough from the others to cause dramatic test failures in the case of copying. (multiple choice, 5 options, 30 questions - plenty of combinations).

      That test, about six to ten people, all in a rough blob behind and to the right of me, failed.

      I was oblivious to the fact that they were copying me, but it was pretty funny - he'd given me one version of the test and every one else a different version. After that I got rather paranoid about making sure my answers weren't visible to others.

      --
      Code or be coded.
  9. Re:Blowjob by Profane+MuthaFucka · · Score: 5, Funny

    "Professor, I will do ANYTHING to get an A. (wink wink nudge nudge)"

    "Well then, why don't you try studying?"

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  10. Signature fun by Chuck+Chunder · · Score: 5, Funny

    A friend of mine at university used to have "Tempus Fugit" in his email signature file. This pretentiousness could not go unpunished so we changed it to "I wank daily"

    He was sending out emails with it on for a week before a professor wrote to him telling him to change it to something more appropriate.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  11. Re:"Hack"? by Anubis350 · · Score: 5, Interesting

    true.
    You can reset your passwd at my college with SSN and DOB too, the extra security being that you have to go to a lab (like the one where I work) and use a specific comp that is always at the admin desk and cannot be used without supervision. When you log in with said info to change your password a big picture of you comes on the screen, if the you on the screen doesn't match the you changing the passwd we boot your sorry ass out of the center.

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  12. I don't think it would have worked. by Anonymous Coward · · Score: 5, Informative

    She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.

    So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.

  13. Re:Blowjob by DarKry · · Score: 5, Insightful

    Fact of the matter is this is just going to happen more and more often. University networks are wide open, first there are computer labs where anyone can sit down and pop in a Knoppix STD CD. Then they can fire up ettercap and go to town on everything getting passed on the switch. When campuses use SSL protected systems for grades it is just asking for trouble. It's just a matter of time before Joe Blow will have every prof's passwords. Once that happens it can be tempting to change a couple grades here and there. And grades are nothing compared to the other information that can be obtained, SSN's of the entire campus for instance... Basically ARP needs to get secure because there is really no way a college (that has to have an open network to function) can be a safe place to send important data back and forth. Maybe the solution is a private network for profs with the important info on it. Good lesson though.

  14. And where have you been? by fizbin · · Score: 5, Insightful
    Geeks are starting to act like construction workers.
    (Emphasis mine)

    I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)

    Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.

    Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
  15. Re:Blowjob by R.Caley · · Score: 5, Funny
    Gee, no wonder women are leaving it.

    What with men having the advantage because they give better blowjobs you mean?

    "if a woman wants to get ahead, all she has to do is suck some dick."

    Strange choice of example. It says that men are easily corrupted by offers of trivial sexual favours. It doesn't say anything negative about women at all.

    --
    _O_
    .|<
    The named which can be named is not the true named
  16. Two idiots... HTTPS and Computers for Idiots.... by Mechcozmo · · Score: 5, Insightful
    "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.

    So... uh.... wha???

    If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?

    And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots' when he is done with it."

  17. Re:Female? by mark-t · · Score: 5, Interesting
    Kudos?

    A person breaks the law and you offer kudos?

  18. Re:Is SSL breakable? by Anonymous Coward · · Score: 5, Informative

    SSL is insecure if the key exchange is sniffed.

    Huh?

    There are two SSL key exchange methods which are mostly used: (1) RSA and (2) ephemeral Diffie-Hellman.

    With (1), the client (browser) picks a random 48-byte key k, PKCS1 pads this, then raises it to the server's public exponent (e) mod N and sends that.

    With (2), the client and server do a Diffie-Hellman key exchange with the addition of the server signing his (so that the client can be sure he's talking to the server) with his RSA private key.

    In neither case can the pre-master secret be obtained by a sniffer. In case (1), obtaining the pre-master secret from C = PKCS1( k )^e mod N implies being able to find e'th roots mod N (good luck with that). With the latter, the sniffer has: g^a mod p and g^b mod p, finding g^ab mod p is exactly the Diffie-Hellman problem, good luck with that, too.
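
Both exchanges described in the comment above, as an added Python example that is not part of the original post: it shows which values cross the wire and that each side still derives the same secret. The Mersenne-prime key, the toy DH group, `digest` and the unpadded hash signature are assumptions chosen for brevity and are not safe parameters.

```python
import hashlib
import secrets

# Toy parameters constructed for this demo only: these are well-known
# Mersenne primes, so the key is trivially factorable. Real keys use random primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                          # server's public key (N, e)
D = pow(E, -1, (P - 1) * (Q - 1))            # server's private exponent d
K_LEN = (N.bit_length() + 7) // 8            # modulus length in bytes
DH_P, DH_G = 2**1279 - 1, 3                  # toy Diffie-Hellman group (p, g)


def pkcs1_pad(msg: bytes) -> int:
    """PKCS#1 v1.5 type 2: 00 02 || nonzero random bytes || 00 || msg."""
    fill = bytes(secrets.randbelow(255) + 1 for _ in range(K_LEN - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + fill + b"\x00" + msg, "big")


def rsa_key_exchange():
    """Method (1): returns (value on the wire, client secret, server secret)."""
    k = secrets.token_bytes(48)                  # client's random 48-byte key
    c = pow(pkcs1_pad(k), E, N)                  # the only value a sniffer sees
    em = pow(c, D, N).to_bytes(K_LEN, "big")     # server decrypts with d
    if em[:2] != b"\x00\x02":                    # real servers must not reveal
        raise ValueError("bad padding")          # this failure to the peer
    return c, k, em[em.index(b"\x00", 2) + 1:]


def digest(value: int) -> int:
    """SHA-256 of the decimal string, as an integer (hypothetical helper)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")


def dh_key_exchange(tamper: bool = False):
    """Method (2): returns (wire values, client secret, server secret, sig_ok)."""
    a = secrets.randbelow(DH_P - 2) + 1          # client's ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1          # server's ephemeral exponent
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = pow(digest(gb), D, N)                  # server signs its DH value
    if tamper:                                   # g^b replaced in transit
        gb = pow(DH_G, secrets.randbelow(DH_P - 2) + 1, DH_P)
    sig_ok = pow(sig, E, N) == digest(gb)        # client verifies with (e, N)
    return (ga, gb, sig), pow(gb, a, DH_P), pow(ga, b, DH_P), sig_ok
```

With `tamper=True` the signature check fails and the two sides no longer agree on a secret, which is the property the server's signature is there to provide.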

  19. Re:Just for comparison.... by hazem · · Score: 5, Insightful

    Compromising the grade-system destroys the common-people's faith in "the system", so it has to be punished more.

    Beating up old ladies only destroys faith in the person who did it.

    It's one reason petty counterfeiters are hit so much harder than a petty theft. It's not like the few $100's they make will actually lead to inflation. But if enough people get away with it then it leads to a general lack of faith and confidence in the dollar. That's a bad thing, since the whole economy works on the idea that we all pretty much believe a dollar is worth the same thing.

  20. Re:Is SSL breakable? by PGillingwater · · Score: 5, Informative

    The problem is not breaking SSL. The problem is that tools like ettercap and CAIN (for Windows) can perform a Man In the Middle attack, where they use ARP cache poisoning to interpose themselves between the SSL client and SSL server BEFORE the session is established. Then, when the client tries to connect to the server, the MITM will fetch the client information, and use it to establish its own session to the server -- then quickly fake a certificate which it feeds back to the client.

    Admittedly, most browsers will detect this, and throw up a dialogue box -- but due to poor training or understanding of security, 99% of users will simply click away the warning to get their application, and will happily login and access information, while the MITM steals all packets without having to attack the encryption.

    SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.

    --
    Paul Gillingwater
    MBA, CISSP, CISM
  21. Re:"Hack"? by Frogbert · · Score: 5, Funny

    This reminds me of a little experiment I did with my university's ID card system. When you first enrol they ask you to supply, electronically, an image of your face so they can make you an ID card. I thought it was odd that they would ask for an image and not even check to see if it was of you.

    Now I'm white, small and not very built at all so naturally the only real option was for me to submit an image of Mr T. A fortnight passed with anticipation and soon my new ID was ready to be picked up. I had this whole bogus "There must have been some mistake here! This isn't me" speech ready or if I felt funny on the day I had the "This is so me, I pitty the foo who be discriminating against my people" speech. I go to pick up the ID, the lady asks for my student number, name, dob etc. Takes a look at the ID to see the details match and hands it over...

    nothing.

    She didn't even question the fact that there was a huge black man with bulk bling on my ID and it was clearly not me.

    I went home with my new souvenir, resubmitted my real photo and got a replacement ID two weeks later. I still bring the thing out for laughs.

  22. Re:she didn't compromise the system by mattspammail · · Score: 5, Funny

    I didn't have any mod points here, so I just logged in to the UCSB grading system and gave you a 100.

    --
    Now accepting PayPal donations!
  23. Re:Blowjob by locr1an · · Score: 5, Funny

    oh, men are usually so easy we don't *have* to offer a blowjob... I remember I used to manage an auto shop, and occasionally when things were slow I'd pull my car into the garage and change the oil, tune it up, etc. I kid you not, all I'd have to do is put my car on the lift and say in a tired voice "this drain plug's on really tight!" Next thing you know I'd have two guys working on my car to prove how easy it all is while I drank my coffee and listened to the radio show. please women...let them think they help us, let them think *they is* so so smart before you mess up my whole M.O.!!!