Oxford Temporarily Blocks Google Docs To Fight Phishing

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."

Report Abuse

[RedACE7500]

As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

Re:Report Abuse

[BlkRb0t]

How is Google Docs employed for phishing? Can anyone enlighten me here? I've used Google Docs at certain times and don't see how it can be used to tricking users to believe that it is the original site they're entering the data into. Or am I missing something here? Unless the users are really that dumb to enter their info.

Re:Report Abuse

[bruce_the_loon]

You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

Yes, they are stupud, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

Re:Report Abuse

there used to be this thing called IT infrastructure... maybe it will make a come back

cloud cloud, cloud cloud cloud... cloud

Re:Report Abuse

Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

Re:Report Abuse

Unable to remember his ever-changing password, Bob simply leaves a sticky note on the corner of his monitor as a reminder. When again chastised by IT, he makes his best effort to remember, which results in him locking out his account multiple times per day and calling help desk. Help desk is busy because Bob isn't the only person needing a password reset, so Bob has to wait on hold for 15 minutes. Because of this, Bob misses the notice for a last-minute meeting with an important client and the client is lost. After much yelling, Owen, the owner of the company storms into the IT department and has a little talk.

Re:Report Abuse

I'd love to see you try that on someone who matters. Don't know how it works in universities, but in the real world getting ideas above your station as a replaceable cost centre peasant, by getting in the way of the grown ups sounds like an awesome way to get free supplies of pink paper.

Re:Report Abuse

[Archangel+Michael]

Or they will come up with a new password Scheme that is completely insecure.

Old Password: password
New Password: password19 (todays date)

Tomorrow ....

Old Password: password19
New Password: password20

that way, I can have 28-31 different passwords every month, without having to remember any one in particular.

Re:Report Abuse

[Darinbob]

But why Google Docs? A form is a form, no matter what generates it. How is this different from using Word or even vi?

(and actually I am surprised enough people use Google Docs that there would be an uproar of a short shutdown)

Re:Report Abuse

[slartibartfastatp]

If they would come up with this kind of idea, they wouldn't be filling phishingh forms in the first place, I guess.

Re:Report Abuse

[jbmartin6]

We've worked out a way to use our HTTP proxies to deny POSTing of information to Google docs/drive. This way, folks can still access information, they just can't use POST or PUT commands to send any. It isn't too hard to determine the necessary POST URLs to whitelist for logon, logoff, password change, and other operations. It's not perfect but a lot better than nothing. Maybe you could take a similar approach. Does require a proxy that intercepts SSL traffic.

Re:Report Abuse

[hawguy]

Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

Why not just issue him a two-factor authentication token, then you can actually solve the problem instead of a bandaid approach that won't really help. (even if he has to do daily password resets, if he gives up his password in the morning, the hacker has 24 hours to use it).

The tokens are cheap (even cheaper when it is a smart-phone app), every company with data worth stealing should use them.

Re:Report Abuse

[swillden]

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.

The victims tend to learn from all the inconvenience caused by the attack itself. It's everyone that didn't get phished you need to reach.

Perhaps the solution is to send out a university-sponsored phishing attack, then conduct an Internet-safety education seminar for everyone who falls for it.

Re:Report Abuse

[davidbrit2]

Not if you enforce a minimum Levenshtein distance between the new password and the user's entire password history.

Re:Report Abuse

[countach]

I'm guessing it makes phishing ridiculously easy by hosting a form service on the web where you can easily and anonymously get the results back over the net.

Re:Report Abuse

[hazah]

In the same paragraph you describe the real children and call *them* grown up. Irony abound.

Re:Report Abuse

[Brandon+Hume]

Many universities aren't even willing to spend the money for a mail server anymore, I don't see how you could convince them to spend a quarter million dollars for tokens (assuming $1/user). And yes, that includes alumni, who likely wouldn't use the 2-factor because it's too much hassle, which would sink the entire project.

Yes, universities want alumni to keep their accounts, because that's the easiest way for them to beg for money.

Re:Report Abuse

[Brandon+Hume]

I'm the same for

What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.

I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)

Here's a phish I received just two hours ago: https://docs.google.com/forms/d/1RPht7SPAZywd3L13_lLMeB1pCAz6ufe6LX-S7YKtaR8/viewform
Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.

Re:Report Abuse

[KPU]

Now you're either storing all the users' past passwords. Or maybe some clever hash of those passwords that preserves efficient computation of Levenshtein distance. However, given an oracle that computes Levenshtein distance, one could easily extract the password.

Re:Report Abuse

[HJED]

Wow, they don't even bother to make the password field not clear text. You'd think some users would pick up on that?

Re:Report Abuse

[sFurbo]

Isn't that the norm? I know that the two places where I work require that the password is different from my last 12 and 36 passwords*, respectively. Otherwise, forcing users to change passwords make no sense (not that it does in the first place).

I might be mistaken about the numbers, but they are in that ballpark.

Re:Report Abuse

[bWareiWare.co.uk]

Passwords should (and usually are) stored as hashes which means you can very quickly hash the user's entry and compare if it is exactly the same as the password, but by design can't infer any other details about the password if the entry is wrong.

Anything that allows you to compare how 'close' an entry is to the users current password is obviously makes guessing that password far easier.

If your passwords are securely salted and hashed then storing additional old entries shouldn't lower security, and as you say ensures that the user can't reuse a password precisely, but any minor change to the password with result in a completely unrelated hash.

Re:Report Abuse

[sFurbo]

Ah, of course, I should have thought of that. Not enough coffee today. Thanks.

Re:Report Abuse

[davidbrit2]

That's a good point. Maybe it would be more feasible to have the server cache the current password in RAM during the mandatory password change process, so it can at least compute edit distance from the previous password.

Or for added fun, have a server dedicated to brute force password cracking. When it gets somebody's password, their account gets flagged for a mandatory password change.

Re:Report Abuse

[Brandon+Hume]

You'd think. Or maybe the broken english, or the generic terms ("Dear Account User:"), or the vague threats ("Do this or you lose your email forever")... or any number of things.

You'd think they'd pick up on those. Then you see that they don't. Then you become sad. Or angry. Sometimes both.

Re:Report Abuse

[jonadab]

You can address that (somewhat) with password policy. Among other things, all passwords should be at least thirty characters long. (If you can get your software to call it a "passphrase" instead of a "password", it makes this seem slightly more reasonable.) Also, any password that contains the username as a substring should be rejected.

It doesn't stop the sticky notes, though, which is why I am against requiring frequent password changes. I think anything more often than once a year is actively bad for security.

I am in *favor*, however, of setting up the OS so that the user must type both the username *and* password every time they log on. That way they'll actually *know* their username, and if somebody who actually understands computers logs into a different account for some reason, you won't get a phone call, "I can't log in, my password is broken" just because the OS is auto-filling the wrong thing.

I'm also in favor of configuring the screen saver to lock the screen after a reasonable amount of time. Users will generally complain about anything shorter than eight hours. I say, let 'em complain. (A grace period is good -- so if it kicks in while the user is sitting there using the thing, they can bump the mouse within say thirty seconds and not have to type a password. But when they walk away from the computer for extended periods of time the screen should lock and they should have to reauthenticate. That's just basic security. Otherwise you actually have no idea whether it's still the same person or not.)

Of course, if a user types their password into a form on a website (any website, whether it is actually a phishing site or not -- typing their password in a Slashdot comment would qualify just as well), then of course you must change their password immediately. Otherwise an unauthorized person might have a chance to use it. In that situation, you can't wait for the user to change their own password: you must preemptively change it for them. Put a paper memo in their paper mailbox (sealed in a nondescript envelope such as might be used for mundane mail)...

The campus security software noticed that your password was compromised due to a phishing attack. (Apparently you visited a website that does not belong to the university and entered your password.) To protect your account and the entire university network from harm, we have issued you a new password. Your new password is: BizzBuzz-Twoinkel-87-Marvie-Red-Bathoscape.

It's a Google problem

[SSpade]

Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

Re:It's a Google problem

[bruce_the_loon]

They've gotten better. If I hit the Report Abuse link at the bottom of the document, it normally disappears inside three hours.

Re:It's a Google problem

Hmm, sounds like it isn't hard for a very small group of people to denial-of-service attack a Google Document by simply reporting abuse on a legit document.

How is it used for phishing?

[Sedated2000]

I, like others, would like to know exactly how Google Docs is used for phishing. I've used Google Docs off and on since it was made available. I can't think of a particular feature that would make it an enticing service to use for phishing.

Can anyone offer an example or offer up an anecdote where they've encountered it?

Re:How is it used for phishing?

[bruce_the_loon]

My university has been targetted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/

It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

Re:How is it used for phishing?

[CKW]

It sounds like end users simply "trust google", and thus ANYTHING on google docs is "trustworthy", because hey, "it's google".

I know, it's stupid as baloney. It's like trusting a billboard down the street that says "City Billboard" just because you trust your City government, totally being ignorant that any nutjob can post something to the billboard.

Some. People. Don't. Understand. Technology. AT ALL.

Re:How is it used for phishing?

[Sedated2000]

Thanks for the response. I guess it's been longer than I thought since I've used Docs. I didn't even think of the form angle. I'm sure this is causing more than a few "staff training" sessions. I suppose it's only worse since even if you have your own domain, you're still redirected to "docs.google.com", so it won't be immediately apparent that it did not come from a legit source (completely aside from the fact that a legit source wouldn't ask for that information in the first place).

Re:How is it used for phishing?

[Incadenza]

These kind of tricks don't have anything to do with people not understanding technology - it has everyting to do with the scammers understanding psychology. There are lots of ways to raise to the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that then when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as wll lie about the doctors - there is no rational difference.

Re:How is it used for phishing?

[Darinbob]

Still baffled. Google Docs is a mail server? To use it, don't you still have to create the form, download it, then mail it out from your own account?

Re:How is it used for phishing?

This one looks like a current scam. Try it and let me know how it works. BTW, no to both of your questions.

Re:How is it used for phishing?

Why wouldn't you trust Google?

Re:How is it used for phishing?

[jader3rd]

Some. People. Don't. Understand. Technology. AT ALL.

That's kind of the point of a lot of technology. It's a solution to fix a problem. The end user doesn't care how it gets done, it only matters that it gets done. I'm sure there's technology that you use, and yet you don't understand all of details of every functioning piece in the process.

Re:How is it used for phishing?

+1 funny on my first try. That's awesome.

that's a misrepresentation problem

[poetmatt]

Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

Re:that's a misrepresentation problem

"Blame the people who suddenly decided phishing was a good idea."
Phishing is not a new concept...

i would blame the people (IT/execs) that decided that giving up control of docs/email to an outside entity was a good security decision.

Re:that's a misrepresentation problem

[hawguy]

Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

Because they are providing the tool that is so easily abused by phishers.

It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

Re:that's a misrepresentation problem

So if I sell a knife to someone who uses it to rob a bank, I am responsible? Don't forget to indite the car manufacturer for providing the get-a-way car, and the hat manufacturer for making the ski mask.

Re:that's a misrepresentation problem

Imagine if the knife granted the person the ability to simultaneously attempt to rob 1000 banks anonymously with no physical risk and little chance of consequences. That's be a crazy awesome knife, right? It's also why your analogy fails.

Re:that's a misrepresentation problem

Knife wielding bank robber shot dead by police. The rest at 11.

Re:that's a misrepresentation problem

[sunderland56]

So if I sell a knife to someone who uses it to rob a bank, I am responsible?

The first time, no.

Around about the 100th time, if you don't start instituting some security measures - such as requiring a photo ID of knife purchasers, and saving a copy of the ID and a bill of sale for every purchase - then yes, you could be held responsible.

Re:that's a misrepresentation problem

[jbmartin6]

All the phishers are doing is using Docs in the way it is meant to be used. If Google sees a form to enter information for ABC corp's Mr John McNobody, there's no way for Google to know if this is legitimate or not, other than actually trying to find Mr John McNobody and ask if it was legit.

Re:that's a misrepresentation problem

Then why not blame the computer maker, and the builders of the Internet too?

Re:that's a misrepresentation problem

[SSpade]

Google offers free services. People will attempt to abuse them. That's no great surprise, nor is it specific to Google.

When someone abuses Googles services in a way that's a threat to other users there are only two ways to mitigate the incident. The best, by *far*, is for Google to stop the abusive behaviour. The other is for the affected parties to block access to (some subset of) Google. Those are really your only options.

Google is (based on externally visible behaviour) worse at mitigating abuse up-front by discouraging attempts to abuse their service, and at responding to reports of abuse, than other companies - and this appears to be an intentional choice by Google, based on their corporate culture. The tradeoff there is that people are more likely to just block Google servers, in response to the never ending trickle of abusive behaviour.

That's Google's problem. Well, actually, Google don't generally appear to think any of this is a problem at all - and *that's* the real problem as far as the rest of the Internet is concerned.

Re:that's a misrepresentation problem

I've (IT manager for dept at university) seen quite a few of these forms, google and otherwise. I can say that the google versions of the form tend to be rather simple and would seem to be easy to scan for. They are almost always 3 fields, something like "email address:", "password:", "userid:". In the past it used to be a lot of "reply to this hotmail address". I added spamassassin points for that, now I add spamassassin points for links to google forms.

Re:that's a misrepresentation problem

[AdamWill]

There is absolutely no legitimate use for a Google Docs form for the username and password of an external mail system. Go on, try and think of one. I'll wait.

Re:that's a misrepresentation problem

[jbmartin6]

Enjoy your wait. Perhaps you might respond to my point, which was that Google has created an online automated system that (in part) allows people to create forms that other people can use to submit data. What do you expect Google to do, somehow magically tell the difference between legit and fake forms? Or do you think simply forbidding a field named "password" would address the problem?

Re:that's a misrepresentation problem

Total logic fail.

You say this is Google's fault but then immediately and directly contradict yourself by giving the example of open email relays where you place the fault with the spammers.

Google are not obligated to provide Google Docs, and even when they do they are not obligated to police their service. A failure to note phishing on their about page and provide a useful like would be pretty bad in my opinion but that takes us in a different direction.

Finally, in the end, if another company provides a better cloud-based document editing system with a better phishing system at no cost, Google will lose market share and consequently ad revenue. This is not a tragedy of the commons problem; you will be vindicated by free market competition.

Re:that's a misrepresentation problem

[poetmatt]

oh hey, please prove a negative! That can't go wrong at any time, right?

Go ahead, make an actual argument for why creating a strawman argument asking to prove a negative is even relevant. Go on, try and think of one. I'll wait.

Here's the list of Google-hosted phishing sites.

[Animats]

One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

Here's the list of all known phishing sites currently hosted by Google.. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.

Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

Really?

[Mullen]

I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

Re:Really?

[ravenswood1000]

Expel them for being too stupid to be in Oxford

Re:Really?

[smartsheep+]

maybe on the second offense

Re:Really?

[zlives]

wow,
there are days i wish we had "your" policy in place... but then it would make for a very deserted office ;)

Re:Really?

[squiggleslash]

It's OK, the Magdalene Bridge normally takes care of "people too stupid to be at Oxford" on the 1st of May.

Re:Really?

You are shocked at how stupid people can be? How stupid would THAT be? Stupidity is to be expected.

Re:Really?

They are at Oxfored because they can pay up nicely or their parents can pay up and/or have an important function that facilitates the cash flowing into some important person's pockets.

Most of them are dumb as crap, but their parents have some sort of "social" intelligence which made them "relevant". If not, they would not fall for this kind of stuff.

Re:Really?

Or if firing them is too harsh, hold back a months pay . . .

Filter outbound email?

[Bill,+Shooter+of+Bul]

Why wouldn't oxford have just set up outbound email scanning? Once they detect an email account is spamming, cut off the user.

Re:Filter outbound email?

[PRMan]

They're wise to this. Many spam e-mails have a different e-mail address for every e-mail.

Re:Filter outbound email?

[Predius]

Worse, it only takes a few emails tripping the right filters or customer complaint bins before Hotmail decides to never accept email from that relay's IP ever again. No appeal, no cooling off, no support assistance, that IP goes into their blacklist and there is no digging it out afterwards.

Re:Filter outbound email?

In TFA it indicates that Google Docs can use HTTPS connections, which is another reason it is so attractive to phishers

Re:Filter outbound email?

[datapharmer]

Yes, since there is clearly no way to check an https connection for dangerous content. It would be wonderful if administrators of intranets had a tool that could look Deep into the Packets flowing through their network and Inspect them for malicious content... we could even call it something like "DPI" for short.

Re:Filter outbound email?

[Bill,+Shooter+of+Bul]

I can't tell if you misunderstood me, or are just wrong. They are harvesting email addresses from students, profs, etc. There is a limited resource of available oxford.edu addresses. They wouldn't be able to send many emails if they used a different account for each one. Even if they did, the filter should just usie ranking system like spam assasin to red flag outgoing emails likely to be spam. One bad email sent, block that message, send notice to user. five sent, block account. Even if there are a lot of false positives, you would only punish those doing something kind of wrong (sending out messages that look like spam) , rather than punishing everyone by blocking Google docs. It seems like a no-brainer to me.

Re:Filter outbound email?

[Brandon+Hume]

They're not harvesting email addresses, they're harvesting *accounts*, which grant access to the outbound SMTP server. A "limited resource" numbering in the hundreds of thousands, and adding a few thousand every year.

At the university I work at, we do exactly what you suggest. The spamming still happens. Why? Because the spammers (a group of guys located in Laos, Nigeria, and a few spots in Malaysia and Israel) will use a stolen "test" account to trickle a spam email or two through to see what gets through. Do you expect us to kill an account based on a SINGLE suspicious email? Do you expect us to read your personal email to make sure it's spam or not (very not-kosher in the province I'm in)? And the number of false positives is atrocious! People really do run mailing lists from their PC, even when we provide a proper listserv for the purpose, and they really do "Reply to all" with a 300+ CC'd email. Would you stomp on every one of these people?

What you're describing is nothing less than making the IT department "the enemy", an organization that should be circumvented at every opportunity.

Meanwhile, the level of intelligence you're suggesting is very expensive for the volumes of email we deal with, when management is already trying to kill off on-premises email. (They've succeeded... we're soon switching to Office 365, and it won't be our problem for much longer...) I've already designed the system you suggest, but I can't get the money or the time - university IT, understaffed and overworked - to implement it. And while I think our system is fairly large, I wouldn't claim to approach the level of an institution like Oxford.

And to add: the spam is the tiniest portion of the problem from my point of view. If I can send email via your account, I can probably read the email that's already there. That means I can harvest the email addresses of all your friends and family. I can glean personal details about you that I can use for the "send money plz" scams. How about if you're a doctor? Got any patient information in your email? If that gets loose, you're looking at a very unpleasant conversation with your Director about privacy law. How about grant numbers? Credit card numbers?

What about the other resources that the same username and password probably grants access to? Online storage? Personal websites? Hell, what about other sites that users reuse their passwords with?

I know what you're trying to say, but your solution is naive and doesn't stand up to the real world. *Especially* in academia, where there's a lot of entitlement on the part of the users, and very little money for the Oompa Loompas who make it happen.

Re:Filter outbound email?

On my freebsd mail server I run sma, which is a mail log parser

then I run from crontab hourly

#!/usr/local/bin/bash
# script to send sma maillog reports
SUBJECT="maillog report for mail.dept.institution.edu"
EMAIL="computer-support@dept.institution.edu"
EMAILMESSAGE="/tmp/emailmessage.txt" /usr/local/bin/sma -l 30 -r 30 /var/log/maillog > $EMAILMESSAGE /usr/bin/mail -s "$SUBJECT" "$EMAIL" $CHECKSTRINGFILE

    EMAILSUBJECT="Phlog alert for $HOSTNAME ($MAXNUMBEREMAILSSENT)"

    $CAT $HORDELOG | $PHLOG -svc > $EMAILMESSAGE

    $MAIL -s "$EMAILSUBJECT" "$EMAILADDRESS" $EMAILMESSAGE

fi

Also you change the horde settings to not allow setting the from address different than the authentication credentials. Can't remember exactly how to do that but it's trivial.

Re:Filter outbound email?

[DeepLinux]

This is not an 'intranet' it's a metropolitan scale network with tens of thousands of users personal machines connected to it.

Of course they use DPI for a variety of things however it does not help for this specific instance as because they are *personal* machines you can't MITM the https by installing trojan certificates on the client machines.
Which morally you shouldn't be doing anyway even if you are running a locked down corporate network.

Also the stuff required for doing DPI at line speed on 20Gbit/s links is expensive.

Re:Filter outbound email?

[Bill,+Shooter+of+Bul]

My solution sucks as a long term solution, but as a short term solution its better and more effective than what oxford did. Ban or warn users after one suspicious email. Turn that on for one day out of every month to get people's attention. IT will become the enemy, such that people that don't *have* to use university email, won't. Which will keep out the rifraff who are most likely to get their accounts compromised. Which will reduce the odds of being labeled as a spam domain. Which will improve the quality for users that are responsible. That is, if you don't get fired by administration first for banning all the social science professors.

Actually, I do know a system admin at a local university. I'll ask him the feasibility of it is. If it will work for his college, it should work for any college (given their minuscule budget and high enrollment)

Re:Filter outbound email?

[Brandon+Hume]

Short-term solutions can be worse because you don't have time to warn people, and the results are often slap-dash.

For example, to do as you propose:

- I'd have to block all direct outbound SMTP connections, just to keep people from circumventing the protections. I'd *love* to do this, seriously. But you wouldn't believe the hostility from the user community for thinking about it, even if they don't *use* any off-site mail servers. Hell, right here on Slashdot, I'd be called a jack-booted brainless wannabe-IT-thug for implementing anything like that.
- Our internal mail hubs would have to route all outward-bound email via our AV appliances, or we'd have to change our setup so that the AV appliances *are* our internal hubs (which would break smtp-auth). Not that difficult, actually... I have most of those rules set up already from the last time I looked at this.
- Based on the score assigned by the AVs, I'd have to quarantine or pass the email. The AVs, by the way, are McAfee appliances that (internally) use Spamassassin, just in case you were wondering.

To implement the punishment system you describe, I'd have to associate each quarantined email with the sending user... which is where things get difficult. If I'm going to (automatically!) trace an email to, say, a virused laptop on the campus wireless, that means I need to get my fingers into the logs of the APs, or somehow query the APs themselves... which means my *mail server* needs to figure out which AP a person is on, which is at the very least an . Are they using the campus Horde/IMP server? (The Nigerian spam gangs *love* Horde/IMP, by the way... 50% of phished accounts are exploited via webmail....) Then the mail server needs to troll around to figure out who was on a given webmail session.

All of this would be a lot easier if we forced people to use smtp-auth, even on-campus, and again, I would *love* to do that. But the backlash of suddenly demanding that would be really bad. You can't ask users to jump through a new hoop unless they think they're getting something new out of it... you need a carrot to match the stick. I mentioned that we're switching to Office 365... that will definitely require authenticated SMTP (possibly MAPI, ugh). But the new system is a carrot as well as a stick. As far as the users are concerned, turning on smtp-auth is just part of the setup process for their new toy, and it's a lot easier to sell.

You also have to decide little things, like: does a "potential" spam, sent once but CC'd to a dozen people, count as a single email or a dozen? How do you verify quarantined emails and stay on the right side of privacy law? As a sysadmin, I don't want to read your emails any more than you want me doing so. How do you make exceptions for people like pharmaceutical researchers, who probably send very "pill-pusher"-looking email to each *other* as normal business?

How do you build all this, as a short-term solution, scale it up to 0.25 to 0.5 million emails per day - without spending *any* money - and implement it *without* horribly breaking everything that already exists? Keep in mind you're talking about a user community numbering in the tens of thousands, and if an email doesn't arrive as fast as an instant message they're already on the phone to the help desk asking why "mail is so broken".

And, assuming you build this hair-trigger anti-spam system... after a number of people have been victimized by false positives, how do you keep your users from saying "Fuck you, I'm using Gmail"? To a certain extent, they're doing this already... and then they're storing research and email and patient data waaaay out of our hands. The hacking and phishing still goes on, but we can't do anything about it.

You can make it corporate/university policy that they're not *allowed* to do so, but then the users feel like they're trapped in IT-North Korea, a horrible system they're not allowed to escap

Re:Filter outbound email?

[Bill,+Shooter+of+Bul]

Yeah, you don't quite understand what I'm suggesting. I don't really want to specify it any further. But basically I was imagining something less comprehensive. The goal of Oxford was to raise awareness. My suggestion still has that in mind, raise awareness about phishing, but punish fewer people.

Why is this a big deal?

[guanxi]

Why is an organization somehow obligated to provide access to this application? Maybe they have promised something to their users, but otherwise Google Docs is not a universal human right; it's just another application offered by another company.

Re:Why is this a big deal?

[timmyf2371]

It's a big deal because students on a limited income are more likely to use free tools such as Google Docs, than they are to use paid software.

And at a university, these students typically submit coursework which may often be written using a word processing tool.

If said word processing tool is subsequently blocked for a few hours without prior warning, it's quite easy to see how this could well pose an issue for students making last minute changes to their course work.

Re:Why is this a big deal?

[im_thatoneguy]

Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.

Re:Why is this a big deal?

Surely "I couldn't get access to Google Docs for a couple of hours" is right up there with "the dog ate my homework"?

It's the student's choice to rely on a service without any sort of guarantee that it'll stay around, so it's the student's fault that it's not available. This is what we call a Learning Experience.

Re:Why is this a big deal?

[xaxa]

I expect staff also use it for collaborative work.

Computing staff (and some others) might use a shared version control system and LaTeX or similar, and many others will email round MS Word documents, but Google Docs can be superior to both.

(One of the few Google Documents I have was sent to me by an academic at Oxford, he is collaborating on a project with one of my colleagues in London.)

Re:Why is this a big deal?

Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.

That's some pretty vague information you're providing there. What is a "notable university" and why on earth would the ones you've "heard of" have any consequence to the vast majority of folks reading here?

Re:Why is this a big deal?

[DeepLinux]

Typically UK universities don't have the kind of agreements with Microsoft that would give all their students 'free' access to MS office.

MS do have a discounted program directly for students in higher education where office is around £28.

Oxford

[smartsheep+]

Good for Oxford U. If students and faculty will not take security seriously they should be denied the service in the same way as you would take the car keys from a drunk driver or matches from a child. Would you uses a bank that did not take security seriously? or a car that was not safe? I don't see the difference. Best David

Re:Oxford

[DarwinSurvivor]

Would you uses a bank that did not take security seriously?

Yes, because NON of them have adequate security for their customers. They protect their own servers with billions of dollars of protection, then let you pay by waving a card in the air or *shudder* sending a text message.

Re:Oxford

[DarwinSurvivor]

s/non/none/

Re:Oxford

[Fwipp]

If my bank shuts down my debit card for two hours without warning because my neighbor keeps leaving his at the bar? Yeah, that's an awful thing.

Re:Oxford

i do not understand this

Re:Oxford

[rk]

Then this may not be the right site for you.

Re:Oxford

[AdamWill]

You can pay a maximum of $50 by 'waving a card in the air', and any 'wave-a-card' transaction you challenge will just be resolved in your favour.

They don't _claim_ there's anything particularly secure about PayPass etc. They're just playing a numbers game. They have figured that the revenue increase that results from the increase in security is greater than the loss that results from a) actual fraudulent usage of such systems and b) fraudulent *claims* of fraudulent usage of such systems.

It's exactly the same calculation Starbucks ran when they stopped asking people to sign credit card slips: the amount of money they have to pay out to people whose cards are stolen by people who then buy a latte, or to people who *claim* someone stole their card to buy a latte in order to scam $3, is smaller than the amount of money they ultimately make because people don't have to line up for their coffee for so long.

At that scale, it's always a numbers game.

Re:Oxford

[AdamWill]

Sigh. I meant 'increase in convenience', not 'increase in security'. Damn you, lack of an edit button.

Re:Oxford

[DarwinSurvivor]

They don't _claim_ there's anything particularly secure about PayPass etc.

When I got my new credit card I actually phoned the company and specificaly requested (quite firmly) that they deactivate the feature on my card. I know they can't "special make" me a card that doesn't have the chip, but they absolutely REFUSED to deactivate such payments on my credit card account. They also kept repeating (as if they were reading) that it is completly secure.

*facepalm*

[Bobfrankly1]

It's interesting to see the Michael Morisy "security through no using internets". Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...

Re:*facepalm*

[whoever57]

Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...

There are probably thousands of scripts around the world that ping 8.8.8.8 or some other well known Google IP address on a regular basis to test their Internet connectivity. For example, this script

Oh, Passwords are Broken

[bill_mcgonigle]

ah, thanks for the link - now the story makes sense for me.

Something will someday push people over the edge and get them to give up on single-factor symmetric authentication. I know, breaking news...

or emeritus professors....

[fantomas]

Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)

Re:or emeritus professors....

Clearly the people at Oxford are stupid if they are giving their email account credentials away to a random email. I got my education from a simple State School in Pennsylvania, USA. I was not stupid enough to get into Oxford.

Re:or emeritus professors....

[John+Hasler]

This has nothing to do with expertise in IT. You don't need to know how the telephone system works to know not to give your bank account information to some guy who calls you up and asks for it.

Re:or emeritus professors....

[x_t0ken_407]

Exactly. In fact I see so often how people are wary of the things they see and people they interact with on the internet...you'd think this would also be a no-brainer.

Re:or emeritus professors....

[closer2it]

As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might

I understand your point and I partially agree with it, but IMHO a doctor that only knows about medicine, will never be a good doctor.
Don't you think is valuable for a doctor to know some basic knowledge about psychology and/or sociology for example? I think it is. Not a Phd in those fields, but some basic knowledge sure will be useful in his career and make him a better doctor.

Back on topic, I think that the PC and the Internet are amazing tools, which knowing how to use them will make you a better professional in your chosen profession.

staff using it to avoid IT politics as well

[fantomas]

I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing.across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

I'd prefer it we used some better shared work environment but by crickey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations...

Re:staff using it to avoid IT politics as well

[isorox]

I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing.across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

I'd prefer it we used some better shared work environment but by crickey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations...

This is nothing to do with universities, it happens in corporations too. IT departments think they're in charge, while the business works around them to get stuff done.

Unfortunately this all comes to a head when there's a data protection leak. I lay the blame at the door of IT, who will no doubt claim they're underfunded and understaffed, for not providing the right tools in the right timeframe.

It's mainly an attitude problem.

Here's a live example.

[Animats]

Here's a typical Google-hosted phishing page. Note that the page is long enough that the Google disclaimers at the bottom are pushed "below the fold", and some users won't notice. Such pages are used in conjunction with spam emails. Since the URL in the spam will be on Google, it makes it through most spam filters.

Google's own phishing detection catches some of these. Ones that mention "Microsoft Outlook" tend to be caught. This suggests that Google is using a simple classifier but needs a better training set. There's enough similarity between most of the fake login pages that many are clearly coming from the same sources or the same toolkits. It looks like there are only about two or three different attackers exploiting Google, and they're not working very hard at making convincing fake login pages. Or maybe the better-funded attacks aren't being detected by this approach.

Re:Here's a live example.

[Sedated2000]

Good information, thank you!

Re:Here's a live example.

[Animats]

Amusingly, Google has now killed that page, presumably from embarrassment. But here's another one just like it, hosted by Google since 2010.

"The Tool"

[nuggz]

You mean the university email system that delivers the malicious email?

I have a crazy idea, tell users not to give personal information out by email. It's that simple.

NEVER give out personal information by email.

Re:"The Tool"

[hawguy]

You mean the university email system that delivers the malicious email?

I have a crazy idea, tell users not to give personal information out by email. It's that simple.

NEVER give out personal information by email.

The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.

After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".

Re:"The Tool"

[Brandon+Hume]

The bluntest, least-energy thing I've been telling people is that the "From" address of ANY email is cosmetic. It can say anything. "But the email came from our domain!" "No, it SAID it came from our domain. There's a difference." Go into Outlook and change it to spoof the university president... it's four clicks.

True story: We sent out an email letting people know that a phishing attack was going on. We even provided a sample of the phishing email, which was your typical "Confirm your account, please reply with your username and password" template.

People responded to the warning with their usernames and passwords. They SKIPPED OVER the "READ THIS!" part and only read the example, and then proceeded to do exactly what we told them not to.

Yes, we reset their passwords because they put them into an email. But if you thought I had the opportunity to disable those accounts forever because their owners were criminally stupid, you'd be wrong. The highest levels of management explicitly forbid such action.

Re:"The Tool"

[AdamWill]

So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.

That's the whole point: you cannot rely on user education. There will always be a couple of idiots who send out their password. You can't go around every single flipping one of them and do the spoofing illustration in person, and even if you could, some of them would forget it a week later, or just not pay attention in the first place.

Re:"The Tool"

[x_t0ken_407]

And thus lies another example of IT being put between a rock and a hard place. SMH -____- I'd laugh at your story if I didn't think it was completely true. It's a shame, really.

Re:"The Tool"

[HJED]

Out of interest have you tried implementing something like SPF to stop spoofing of your own domain, a lot of spam filters pick it up now.

Re:"The Tool"

[Badge+17]

It's even worse than this. Occasionally, our University's IT actually does send out emails that sound like a phishing attack. The only difference is that they link to a legitimate website. However, because of the general mess of different sign-ons (e.g. billing, payroll, course schedule, parking, etc...) it takes me a while to remember if this is a real service or a fake one.

I think, somewhat optimistically, that people can be trained to not send username/password over email. However, far too many things reinforce the "go to website linked in email, put in password" message for this to not work some percentage of the time. Maybe we need to normalize "exchange of information" type logins, where you won't input your password until the website provides a signal / response to a challenge?

Re:"The Tool"

[Brandon+Hume]

So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.

How did I contradict myself? I said it was the least-energy thing I could tell them. I didn't make any claims to its efficacy. Nor did I connect the two together. As point of fact, that explanation usually comes after a particular user has already been victimized.

I used to give detailed explanations. It didn't work. Then I tried less-detailed. Then even less detail. The "From address is useless" is just the latest thing I'm trying in our sound-bite society. Ask me again in a year if it actually has any effect (probably not). Perhaps by then I'll have simplified down to just an angry grunt.

I'm not disagreeing with your comments on the futility of trying to educate, mind you, as cynical as it is.

Re:"The Tool"

[Brandon+Hume]

I looked at it seriously a couple of years ago, when it seemed like everything was set to "soft-fail" SPF checks, which was next to useless. There was also a lot of resistance from people using Gmail, Hotmail, etc. I'd look at it again, except now the spammers have given up spoofing our domain... they've discovered that mail coming in from *outside* claiming to be from us sets off more alarms than any garbage value they could think up. Now they just rely on the free-text part of the address, eg:

        From: University Email Administrator

The number of people who fall for the phishes has dropped considerably, thankfully. But a few still do, and it's all the more disappointing.

SPF *will* be implemented when we switch to O365, that's pretty much a certainty. But I expect the overall effect it'll have at this point will be minimal - which isn't to say zero, of course.

How about

[Hentes]

suspending accounts sending spam? Punish those who deserve it, not everybody.

It is googles fault professors are stupid.

It is googles fault professors are stupid.

The solution is....

[countach]

The Oxford administrators should phish their own students. Any student stupid enough to fall for it must attend compulsory remedial training. Rinse, repeat, rinse repeat until nobody falls for it anymore.

Re:The solution is....

[rs1n]

Mod parent up -- until users learn to not fall for even the more advanced phishinig schemes, we will never be rid of the problem.

Re:The solution is....

[Brandon+Hume]

I can't speak for Oxford, but I know at my workplace, traditionally it's the students who fall for it the *least*. Their numbers even out, but that's only because there's a hell of a lot more students. In general, the kids coming in today are reasonably technically-savvy and sceptical.

In terms of percentages, the people you need to watch out for are the faculty. They're older, less experienced with modern technology, and frequently believe that a PhD in Aztec basket weaving means they've mastered life.

Re:The solution is....

[HJED]

Or they could just change the passwords on accounts they phish and require users to wait a day or so to reset their password.

I am an IT professional but I dont give a fsck

I dont care and it doesnt matter to me what IT does at oxford for all I care they can shut off what they want to celebrate gay rights or promotoe some feminist agenda. Fuck them and why should I care.. we dont use google at all.

This is why University IT sucks in general...

[RocketRabbit]

In the olden days (and I am thinking as recently as the late 1990s) the universities would bake their own IT solutions. It was considered an academic challenge, and each campus had its own peculiar requirements, culture, etc. In those days, you had two tiers of IT - the local lab support, which was generally a grad student in the department who had undergone a short training course - if they even needed it - to help lusers figure out which part of the computer is the screen, which is the keyboard, and where the any key was. Sometimes these people, despite being English majors or what have you, would write good software that might be used in the university, or even across the world, while they sat there watching the herd of cattle called students and tenured professors prance across the keyboards. OK, I jest a bit, but not much.

Then, in the old days, you had the upper tier IT folks. These were people who essentially created and maintained the university's infrastructure. At the mid-sized midwestern university that I attended, the machine room contained a few IBM Power-based systems, running a redundant hardware / software stack, all of which connected to a dedicated user store. You could log into any of the servers and it would appear to be identical from the user's view. If one went down, the other could handle the load, and your full suite of Unix software was provided. It was beautiful. The entire infrastructure (minus the cabling running around campus, that was handled by union labor scrags) was maintained by about 4 people, and this was on a campus that included about thirty thousand students and faculty! Thousands of logged-in users at once, comfortably using a couple of computers that, if you added their processing capabilities together today, wouldn't be able to outdo an iPod Touch.

Many of the classic software packages that people use today were created by and for the academic campus. TeX, BSD, the easy to use (suitable for non-techie) Pico editor, and so forth, all combined to make a system that with minimal training, one could get started on, and with man pages, one could learn about on the fly. It was good for the university that created the software, in the firm of heightened prestige and perhaps lucrative government sheckel rainstorms, and it was good for the community because most of this software was then just given away, meaning that the academic community in general benefited. Smaller schools could use the software on smaller hardware, and wouldn't have to shoulder a massive IT cost beyond some dumb terminals, some Macintoshes, and a mid-sized "super-mini." The idea that sharing and helping the broader academic community was something to be proud of, and was useful to academia as a whole, was dominant.

Let's look at the situation now. IT services are managed by geniuses called "administrators" who probably couldn't code a "hello world" in BASIC, who hold MBAs, and who get all their IT information from Gartner or other such shill operations. The services they provide on-campus are shockingly similar to those one might have accessed over a 2400 baud modem in the early 1990s, except these services represent an enormous, ongoing cost. These campuses are entirely self-insufficient. Without access to external services, nothing would work, from payroll to class registration even down to the damn door locks in some cases! IT costs are an ever-increasing drain on the school's limited coffers, and the benefits are shrinking with the dollars spent. There is no incentive to create better software for the campus or academic IT in general, and thereby the whole academic world suffers. Just shoveling dollars into Google or MS Cloud or whatever hare-brained bullshit that the MIS types read is hot this week is destroying a lot of the in-built innovative potential of the university IT department.

My wife is in the math department at a major school in the Pacific Northwest. Her school (one of the biggest in the PNW!) has changed its entire campus management software stack 3 times in the 5 years that she has been there. Other universities have similar records. I would consider this to be a monumental failure and it should be a wake-up call for universities everywhere.

Re:This is why University IT sucks in general...

[isorox]

I completely agree. Same in corporations. The people with the purse strings will lap up the sales pitch from companies like ATOS and Capita, and flush the money down the toilet.

In parallel, the people that have responsibility for IT in the company have it locked down tighter than fort knox. At least on paper. Noone is allowed to create useful tools to fix problems in their department, it needs to go out to tender via a central funding pot.

Eventually you get people that, on paper, are "sales", but in reality are the department "techie", who will build his own infrastructure running on tin cans and 3G dongles, outside of the corporate IT structure. This is great, the problem is the 4 centralised masterminds in your university of old aren't there to provide the guidance and oversight, so eventually department techie makes a misstep and the company gets big problems.

Corporate IT needs to die, to be reborn with most of the work coming from people that are in the business.

Re:This is why University IT sucks in general...

[RocketRabbit]

The problems all started with the MIS types, who are more bean-counter than wizard. They got it into the organizational culture of both universities and business that IT is an expense instead of a place to save money and provide services. In the old days, we'd look at the cost of mailing a bunch of fucking papers around everywhere, and drafting on draft tables etc, add up the cost of all the shit and then compare it with an IT solution that was designed to increase the speed of the whole organization while also eliminating a lot of the recurring overhead like papers, stamps, etc. The IT solution was usually both cheaper in the long run, and eliminated organizational lag. It was a net savings, and everybody was happy. Now it's the opposite, there is no benchmark of "how do we do this thing without using computers" to compare the IT cost to, so any IT spending is labeled a loss inside the organization.

It's all basically a giant money farming operation at this point, with the tech-clueless people who somehow got put in charge of IT ("diversity" hires and nepotism are the real issue here) don't look at the long-term losses to the organization when they outsource everything.

Just this year here in Oregon, OSU in Corvallis has been trying to get a new Wifi system running, and the bids are into retarded money territory and it looks like they will be getting even bigger. If the system was run more like the 1990s campus mail would be handing out some Apple Airport Extremes or some similar easy to use product and a set of metal straps and screws to stop theft, with instructions to screw it to the wall and run a wire to it. A couple higher-powered Wifi units would be stuck up on some poles around campus as well. It would work fine, it would be decentralized, and the costs would be hardware alone. Now, instead, we have fuckin' Sprint and ATT and such operations wanting millions of bucks just to STUDY the problem before they even get going on actually doing a damned thing!

If I wanted to destroy the US's economy with sabotage I wouldn't have to do a damned thing, other than let the MIS types and their clueless PHBs do exactly what they are doing, at the pace that they are doing it, right now.

There is no campus at Oxford...

..apaert from Brookes (former polytechnic to the east of the city).It is colleges dotted around the city centre with shared faculty buildings. Always a joy directing tourists to "the university" when they are standing in the middle of it.

Re:Here's the list of Google-hosted phishing sites

[colfer]

Thanks so much for doing this.

Animats, you're AOK by APK... apk

I can use that information to block 'em out in my custom hosts file...

* :)

APK

P.S.=> See subject-line above...

... apk