Phishing for Credit
An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."
The body of the e-mail instructed, "Hey, check this out!" and provided a link on the IU server that prompted students to provide their username and password. The e-mails were not actually sent from the e-mail accounts they seemed to originate from.
I am pretty sure this is illegal. It is like going to a bank with a note that says "I have a gun, give me all your money", then publishing the results as a study.
"It was deceptive, (but) there was no other way to conduct the study," said Filipo Menczer, an associate professor of Informatics and computer science. The study was conducted by Jagatic and Johnson as part of Menczer's graduate-level Web mining course offered through the School of Informatics. Associate Professor of Informatics Markus Jakobsson was the faculty adviser for the study.
"We feel very bad that the students feel violated," Menczer said. "That doesn't mean it was unethical or illegal."
Who wants to make a bet that this professor is gonna get it from *someone*??
Because of the ethical issues associated with deception, Jagatic and Johnson had to obtain permission from the Human Subjects Committee, which approves experiments on campus that involve humans and ensures studies are ethical and do not violate participants' privacy.
HUH?? I had to re-read that three times. This is better spinning than Fox News. The Human Subjects Committee is designated with protecting student privacy. And the first thing they do is???
The second part was more complicated. In most experiments, subjects must give informed consent to participate. But because the phishing study tests responses to e-mails from close friends or acquaintances -- what the study calls a person's "social network" -- it was important to keep an element of secrecy, Menczer said. So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects.
I know this is going off topic, but this reminds me of the LSD studies the CIA did in the late 70's.
This professor should be fired, and he along with the students should be prosecuted. They lied. They could have done 100 different studies to make a network more secure. But they chose to study deception by deceiving.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."