Phishing for Credit
An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."
Charges will be pressed against them even though they had good intentions, compared to hardly anyone getting caught with malicious intentions.
But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.
"I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."
Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.
"I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."
If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway... therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.
And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers used the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.
Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.
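The comment above makes a point worth seeing in code: the From: line is just a string the sender types, while the message's actual path is recorded in the Received: headers added by mail servers. The example below is added here and is not from the story, the researchers or the commenters; both messages, the hosts, domains and addresses are constructed, and the checks are the cheap header-consistency ones a help desk can run before telling someone their machine "sent" something.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From: claims a friend's account at
# example.edu, but the earliest Received: hop shows injection from outside.
SPOOFED = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP; Mon, 1 Jan 2007 10:00:00 -0500
Received: from relay.outside.example (relay.outside.example [203.0.113.5])
\tby mx.example.edu with ESMTP; Mon, 1 Jan 2007 09:59:58 -0500
Return-Path: <bounce@outside.example>
From: Friend <friend@example.edu>
Subject: check this out
"""
# Constructed sample of the same friend really sending from campus webmail.
GENUINE = """\
Received: from webmail.example.edu (webmail.example.edu [192.0.2.20])
\tby inbox.example.edu with ESMTP; Mon, 1 Jan 2007 10:00:00 -0500
Return-Path: <friend@example.edu>
From: Friend <friend@example.edu>
Subject: lunch?
"""
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def header_domain(value):
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()

def originating_host(msg):
    """Host named in the earliest Received: hop (the last one in header order).
    Only hops stamped by servers you control are trustworthy; earlier ones
    can be forged as easily as From:, so treat this as evidence, not proof."""
    hops = msg.get_all("Received") or []
    m = RECEIVED_FROM.match(hops[-1].strip()) if hops else None
    return m.group(1).lower() if m else ""

def analyse(raw):
    """Run the cheap header-consistency checks and report what they found."""
    msg = message_from_string(raw)
    from_domain = header_domain(msg["From"])
    origin = originating_host(msg)
    return {
        "from_domain": from_domain,
        "origin_host": origin,
        "origin_in_from_domain": origin == from_domain or origin.endswith("." + from_domain),
        "return_path_matches_from": header_domain(msg["Return-Path"]) == from_domain,
    }
```

For the spoofed sample both checks fail even though From: names the friend, which is exactly why a forged From: says nothing about whose computer is infected.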
"I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"
Spam can come from anyone - it's not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.
The Doormat
If you're not outraged, then you're not paying attention.
... to find that they did this experiment under the oversight of the university's Human Subjects Committee.
If that doesn't sound like some sort of ethical guidelines I don't know what does.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?