Student Charged By FBI For Hacking His Grades More Than 90 times

An anonymous reader shares a report: In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God. And when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense) and "pineapple" (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme. According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems. Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months -- between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves' grades had been changed without her authorization. She reported it to campus IT security officials.

A for effort?

[ghoul]

At least he cares about grades. Most student athletes dont.

Re:A for effort?

[Austerity+Empowers]

They care, their scholarships usually need a minimum GPA. If they don't care it's because someone is fixing it for them, or the prof makes sure the team doesn't lose its star because he couldn't quite add a couple numbers.

Re:A for effort?

He's a wrestler, not a football or basketball player. Those 2 sports are the only ones where "student athletes" get special treatment because they're the equivalent of the minor leagues in baseball. They're basically getting recruited out of high school to try out for the NFL/NBA and there's absolutely no way a player can even get a joke degree with the practice and game schedule they have. They're either practicing or playing all fall and winter; it's a full time job.

I wish they'd just can the amateur facade and not even pretend that they're educating football and basketball players.

Re: A for effort?

Depends where youâ(TM)re at. Wrestling is a big deal in Iowa.

Re: A for effort?

Penn state has been dominating the last few years, but Iowa won 21 of the last 40 ncaa wrestling championships.

Re:A for effort?

[PopeRatzo]

They care, their scholarships usually need a minimum GPA. If they don't care it's because someone is fixing it for them, or the prof makes sure the team doesn't lose its star because he couldn't quite add a couple numbers.

Years ago, my wife taught math at Division I football and basketball powerhouse in Indiana. There was a great deal of pressure put on her to change grades for the players.

I don't want to say which school, but let's just say it was a Catholic school with a French name. In South Bend.

Re:A for effort?

[Darinbob]

The problem is that the vast majority of those players will never play professionally. Then when they "graduate" they don't actually have the necessary skills that the real world wants, they may not even have enough qualifications to be a junior high school coach. A school that participates in such practices is not one that you want to send your children to.

And forget the bit about sports bringing money to the university, as all that money goes to new stadiums and sports programs, it will never touch academia.

Re:A for effort?

As someone who earned 2 degrees 15 years ago, and has been in the workplace ever since, I can honestly say that colleges do not give you the necessary skills the real world wants, even if, like me, you worked very hard to maintain a good GPA. All your degree means is that you have a basic understanding of some theory, and that you might be trainable.

Because 89 times wasn't enough?

Not sure what he thought he would be doing with his life after graduating with a degree and knowing absolutely nothing about the subject matter.

Re:Because 89 times wasn't enough?

[sqorbit]

The same thing most other college graduates do - Fake it till you make it!

Re:Because 89 times wasn't enough?

[Billy+the+Mountain]

There's a career in professional wrestling waiting for this enterprising young fella.

Re:Because 89 times wasn't enough?

There's a big, big difference between faking it and outright fraud.

Re:Because 89 times wasn't enough?

Exactly this - a good 75% of students around me cheated in college. No one seemed(s) to give a fuck. Especially the professors or staff when you told them about it.

Re:Because 89 times wasn't enough?

Working for Microsoft in the marketing department.
HE SHOULD GO FAR.

Re:Because 89 times wasn't enough?

[HornWumpus]

You misspelled Oracle.

MS doesn't put the effort into marketing. It's like they can't be bothered to lie and/or offer no show jobs to decision makers.

Re:Because 89 times wasn't enough?

Second that. There were known cheat groups at my college. One professor stepped out for a minute during a test and walked back in a bunch of students cheating. Yelled at them, then promptly got in trouble for yelling at them. He also said in a class of 40 he would only get about 5 versions of the programming assignment meaning most students would outright copy the code.

Re:Because 89 times wasn't enough?

[blindseer]

I remember talking to my dad about one of his card playing buddies. I think it was about me overhearing them talking about him going to college. I asked what was his major, Dad said the guy just went to school to play baseball.

A lot of these student athletes don't think much about what they are going to do after college. They'll study just about anything so they can say they went to college. They go to school so that they can play sports and hope some professional team picks them up, or just to live the high school jock life for 2 or 4 years longer.

If they graduate then at least they can check that box on a job application saying they went to college, even if what they will be doing is answering phones and telling people that call to reboot their modem. Which will be especially odd if they end up working at an ice cream parlor.

Re:Because 89 times wasn't enough?

What? He's going to lie about the outcome of a rigged match?

Re:Because 89 times wasn't enough?

[tehcyder]

Not sure what he thought he would be doing with his life after graduating with a degree and knowing absolutely nothing about the subject matter.

Most people don't do a degree in (say) Chemistry then go on to become Research Chemists. If you do a degree in English Literature, you're somewhat more likely to end up as a banker or teacher than a professional poet.

Re:Because 89 times wasn't enough?

A degree in English Literature usually means you will spend the rest of your life as a waitress or a bank teller, buried by student debt. I know this, because I have several friends who stubbornly got their EL degrees after being begged to switch majors to something with better earning potential. 15 years later, they are all waitresses, and one or two have been bank tellers. They are all still buried by student debt, and will be for the next 25 years. Of course, they won't take responsibility for this, despite being pleaded-with. to them, the fault lies with the rich for not giving them six-figure incomes. As if their knowledge of Emerson warrants that kind of pay.

Cheating is a matter of perspective

[Tablizer]

He should change his major to "Hacking"; problem solved!

Re:Cheating is a matter of perspective

[plover]

He should change his major to "Hacking"; problem solved!

And he can hand out copies of his verdict when asked for his "Certified Unethical Hacker" (CUH) credentials.

I just hope some of the classes he faked his grades in were Comp Sci so when he gets out of prison he can go to work for a spammer.

What moron wrote this?

[xxxJonBoyxxx]

>> when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense)

Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar. And no one has used that phrase in a SFW setting since 1978.

>> and "pineapple" (???)

Prolly this: https://www.wifipineapple.com/

Re:What moron wrote this?

[networkBoy]

almost certainly.
Beautiful tool that thing...

Re:What moron wrote this?

[thegarbz]

Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar.

Depends on how your search bar is setup. You really need to duckduckgo with SafeSearch turned off to get anything NSFW. Even google with SafeSearch off doesn't show much beyond a child toy store, a music shop, references to a WoW achievement, and a typing skill trainer.

What actually impressed me is the choice weird porn search engine bing.com didn't produce anything either with Safe Search turned off.

He didn't know what he was doing.

Why would he intercept exams and test questions if he could just change his grade directly anyway?

Re:He didn't know what he was doing.

[parkinglot777]

Why would he intercept exams and test questions if he could just change his grade directly anyway?

Give it to other students? Read TFA... For him, he doesn't study it himself anyway so he just changed his own grade.

* A student identified as A.B. in court documents urged Graves to use the keylogger to steal an upcoming test, saying “I need 100 on final just to get B- at this point.” Graves’ reply: “Or we could use the time to study?”

* A student identified as Z.B. asked Graves whether he had told a classmate “about the Hand of God on that test.” Graves’ reply: “No. The less people know the better.”

Re:He didn't know what he was doing.

[HornWumpus]

He wouldn't have gotten caught if he had good enough memory to remember the exam questions.

I wouldn't hire him

[Arzaboa]

Seems like smart would have been to either obtain the quiz questions OR to change your grades only once every semester. Attacking both sides of the system makes way too much noise.

--
"What's up doc?!" - B. Bunny

Re:I wouldn't hire him

[bluefoxlucid]

Smart would have been to subtly modify other peoples's grades just a tad before totals are tallied. Too much noise to identify the signal.

Re:I wouldn't hire him

[Austerity+Empowers]

Smart would have been to study, do the homework and pay attention.

Re:I wouldn't hire him

[DontBeAMoran]

The summary says he "intercepted exams and test questions in advance", so I guess that guy really sucks at learning.

Re:I wouldn't hire him

[bluefoxlucid]

That assumes the goal was to learn the material, not simply to pass the class. We're operating in the scope of how to cheat effectively.

Besides, I've got a computer security background; discussing how to effectively penetrate a system without getting caught is in my scope of professional interest. (Imagine that: someone who's actually looked inside a computer trying to get a Congressional seat.)

Re: I wouldn't hire him

Nah he was changing his grades, and helping others cheat without letting them know he had the keys to the kingdom.

Re:I wouldn't hire him

[HornWumpus]

No, that would have guaranteed the teacher would have known something was up. As soon as a good student noticed a grade change the audit would have been on.

Smart would have been to study the test questions he downloaded and not share with class/team mates.

Even smarter would have been to actually attempt to get an education while in college. It's not like there's a great future for greco-roman wrestlers.

Re:I wouldn't hire him

[bluefoxlucid]

Shrug. That's not the problem that was posed. An alternate strategy may prove better but, hey, information warfare is a thing.

Re:I wouldn't hire him

[n329619]

Brainy would have been to study, do the homework and pay attention.

Smart would have been to study with a friend and finish the homework together as quick as possible, then do something else better with their time.

Re:I wouldn't hire him

[Agripa]

Seems like smart would have been to either obtain the quiz questions ...

I have seen that movie. They stole the wrong test.

New Job

He will be arrested and then hired by the FBI or someone else.

Re:New Job

[DontBeAMoran]

Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?

Re:New Job

[parkinglot777]

He will be arrested and then hired by the FBI or someone else.

Key logger != Hacking

Re:New Job

Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?

For being a sociopath, and willing to do whatever it takes to win, without annoyances like conscience or dignity to get in the way.

Re:New Job

Ah, but that's not a skill.

Re:New Job

[fahrbot-bot]

Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?

For being a sociopath, and willing to do whatever it takes to win, without annoyances like conscience or dignity to get in the way.

I'd say he could get a job on Wall Street, but you actually need skills and/or education for that. Perhaps he can run for President - the bar for that is apparently quite low now.

Re: New Job

Exactly, it's not a skill so you can't teach it. It requires a specific personality.
So he is valuable to them.

Re:New Job

Perhaps he can run for President - the bar for that is apparently quite low now.

Yeah, Hillary Clinton was a pretty crappy candidate.

Re:New Job

[blindseer]

I remember hearing something like that before... That's right in the movie Grosse Pointe Blank.
http://www.imdb.com/title/tt01...

Debi: [about the man Martin killed at the reunion] He was trying to kill you, right?

Marty: Yes.

Debi: It wasn't the other way around?

Marty: No.

Debi: Is it something you've done?

Marty: It's something I do... professionally, for about five years now.

[He lifts the gun in his hand]

Debi: [Gasps] You were joking! People joke about the horrible things they *don't* do, they don't *do* them! It's absurd!

Marty: When I left, I joined the Army, and when I took the service exam, my psych profile fit a certain... "moral flexibility" would be the only way to describe it. I was loaned out to a CIA-sponsored program and we sort of found each other. That's the way it works.

Debi: So, you're a government spook?

Marty: Yes, I mean no. I was before but I'm not now... but that' all irrelevant, really. The idea of government, nations is public relations theory at this point.

Debi: Don't. I don't wanna hear about the theories. I wanna hear about the dead people. Explain the dead people.

Re: New Job

Yeah but youâ(TM)re dealing with fucktards who think that if they leave shit open everywhere with default passwords or on a public open windows file share anybody who catches that must be a âoel33t h4ack3râ and needs to go to jail.

Re:New Job

[Agripa]

He will be arrested and then hired by the FBI or someone else.

The part I do not understand is, what part of this crime is interstate commerce?

Tell me again, why is USB can read keyboard input?

[JcMorin]

Why is USB device plug can read keyboard input without installation or authorization from the computer? Is plugin a mouse or keyboard really have the feedback of each key pressed? I know they need to know when caplock is on but what about all normal keys?".

Bad old days

Good thing I graduated when I did - in the bad old days. I once had to hack into a CS faculty member's account to enter a test grade she hadn't entered before she went on sabatical at the end of the Semester. Sadly, I guessed her password on the second try.

Re:Tell me again, why is USB can read keyboard inp

You plug the keyboard into the usb device which then plugs into the computer.

The computer isnt outputting things to the usb ports, the device is intercepting them. Considering that keyboard communication with the computer is not encrypted, the logger can record the plain text keyboard strokes.

Re:Tell me again, why is USB can read keyboard inp

Not sure what you're trying to say here. Looks like you're assuming that keypresses are broadcast to all USB devices, which is, of course, nonsese.

Your run of the mill hardware keylogger is a device that's between the computer and the keyboard. A "man in the middle" attack, only in hardware. There's no software installation, and no way for an OS to detect it.

https://en.wikipedia.org/wiki/...

So what did our "elite hacker" really do?

Stick a keylogger where he wasn't supposed to. That's "hacking", says sophos.

I say that if this is the level to expect from ostensibly respected computer security companies, it's no wonder they fail to protect anything.

Anyway, why send in the FBI to deal with a student? So he's been naughty and now he'll be a criminal felon all his life, doomed to do more and more of this sticking keyloggers where he isn't supposed to, bereft of other skills?

Bad Design

The PC is notoriously poorly designed as if it were meant to be run disconnected from the internet and in a room hidden away from intruders.

It's Intel's and Microsoft's security design flaw that allows USB keyloggers to be attached in between the PC and the real keyboard. This is as stupid as the autorun feature for DVDs and USB sticks.

Use two factor authentication!

[OldMugwump]

Use TFA. Here it is 2017. I'm running low on sympathy for those who get hacked because they didn't use TFA.

Re:Use two factor authentication!

Use TFA. Here it is 2017. I'm running low on sympathy for those who get hacked because they didn't use TFA.

Serious question, though: How much would it cost to set up a system like that? (For real. Like, how much did it cost other colleges to do this when they implemented a 2FA for their academic tracing system. Not the numbers quoted by InfoSys or your brother-in-law who says he could totally set it up in a week.)

You say "Here it is 2017" as if that means all the barriers to implementing 2FA have magically evaporated. Yes, it IS 2017 -- that is merely a timeframe reference which helps them measure how many decades old their software suite is.

Re:Use two factor authentication!

[TheCastro1689]

How much would it cost? Probably only the tuition payment of a handful of students per college.

Re:Use two factor authentication!

[ponraul]

Most school record keeping is done on systems similar to those still used in finance: ageing mainframes running the same COBOL they have for the past 40+ years. Attempts at modernizing this are money-pits that don't work any better. Emulating the old hardware is the most cost-efficient solution.

Re:Use two factor authentication!

[toadlife]

Which, I can tell you from direct experience, is still too much to the bean counters. For most educational institutions, there are very few serious regulatory incentives to spend adequate resources on security.

Re:Use two factor authentication!

[Ichijo]

That's true, calling the FBI is cheaper than implementing real security. A pound of cure is cheaper than an ounce of prevention!

Re:Tell me again, why is USB can read keyboard inp

[Obfuscant]

Why is USB device plug can read keyboard input without installation or authorization from the computer?

News for nerd: many, if not most, modern keyboards are USB. Plugging a device into the computer and then the keyboard into the device means it looks like a keyboard to the system and there is still only one on the system.

Is plugin a mouse or keyboard really have the feedback of each key pressed?

Yes, a keyboard knows what keys have been pressed. That's kinda the whole purpose of a keyboard.

Re:No surprise...

[Train0987]

That one is ridiculously expensive. Nice try sneaking in that affiliate link though.

Is he that bad?

[DontBeAMoran]

Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments.

Hey, let's get the exams and test questions in advance so I'll have a good score!

Fails.

Hey, let's enter the system and change my grades since I failed even when I had the exams and test questions in advance!

That guy's C.V. can be resumed in one sentence: Can't even cheat his way out by cheating. I'd never hire that guy in a million years.

Re:Is he that bad?

[jandrese]

And he got caught because he was incredibly stupid about how he did the cheating. He didn't even try to hide what he was doing, just log in and change that 20 to a 100 like the professor won't notice. This guy is a real piece of work.

Re:Is he that bad?

Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments.

Hey, let's get the exams and test questions in advance so I'll have a good score!

Fails.

Hey, let's enter the system and change my grades since I failed even when I had the exams and test questions in advance!

That guy's C.V. can be resumed in one sentence: Can't even cheat his way out by cheating. I'd never hire that guy in a million years.

Don't worry. You'll never be in a position to hire anyone.

A truly better effort

[Gay+Boners+For+Sale]

He would have been far better off spending the time and energy to study and improve himself not only to do better in academia but concordantly in business. In the amount of time he spent hacking, he could have aced everything. Instead, he fails miserably, demonstrates his moral fibre, and shows that he will excel at nothing but politics.

Sad.

Re:A truly better effort

[queazocotal]

The amount of learning needed is fairly minimal.
You buy a keylogger for $30 or so.
You plug it in between the keyboard and the PC.
Later, you unplug it from the keyboard and the PC, and look for passwords and userIDs. (easy to spot as they're the first after several hours idle).
Now, you simply type in the username and password, or use remote access if that's an option, to access the software in the same way the teacher would enter your grades.
This is not a complex attack.

Re:A truly better effort

[HornWumpus]

It's not like the classes jocks take are difficult either.

Bet he was a communications major.

Re:A truly better effort

[nospam007]

'He would have been far better off spending the time and energy to study'

Study? Why? The idiot got the questions in advance and still was too dumb to get the right answers.
If he had opened the book and take a few notes, he wouldn't have needed to up his grades.

"Court documents allege that Graves intercepted exams and test questions in advance...."

Re:A truly better effort

[blindseer]

It's not like the classes jocks take are difficult either.

Bet he was a communications major.

The article did state that grades were changed in business, engineering and chemistry classes. There may have been grades changed in Earth Science 101: "Rocks for Jocks" too. It sounds like he was selling his services to other students, which is just asking to get caught.

Changing grades on the computer is just stupid, IMHO, since it's not like the instructors don't keep paper records. Had he stuck to copying exams and answer keys then he might have gotten away with it, at least long enough to graduate. Or at least add enough doubt as to who did what when that no one would call the FBI on him. But then people that resort to cheating on exams aren't typically that bright.

What I have to ponder is why the FBI was involved. This was a state facility, not a federal one. Doesn't every state have their own investigation service? As a state university they'll have their own police force, with a direct line to said state investigation office. What federal law was broken? Not that this seems to matter any more, I remember an assault case that made national news. The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

Re:A truly better effort

Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

That should require Interpol

Re:A truly better effort

[tgetzoya]

The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

https://www.fbi.gov/investigat...

As I understand it, certain crimes mandate an FBI investigation even if it's within a single state.

Re:A truly better effort

[HornWumpus]

Selling the service was dumb. Sell the test questions, maybe...

When I was an undergrad, I taught someone how to make fake IDs (back when it was a little bit challenging, not illegal to teach someone how BTW). Moron put a sign in his dorm room window advertising fake IDs. You know how it turned out.

Re:A truly better effort

[blindseer]

As an undergrad I also knew someone that made fake IDs. Very convincing ones too, especially since the guy had got his hands on the state ID laminates with the watermark on them. I recall he said that he bought them off someone that stole them from a DMV office. I didn't want to ask any questions, the less I knew the better. He said he'd make me one with the clear laminate for free but if I wanted the laminate with the state watermark that I'd have to pay for that. Most people don't think to look for the watermark, or so he claimed.

He was smart enough to keep this to word of mouth, especially since he knew he had a limited number of laminates to sell.

You know how it turned out.

$50 fine and time served?

Re:A truly better effort

[HornWumpus]

Forgery is a felony.

Re:A truly better effort

[Gussington]

But then people that resort to cheating on exams aren't typically that bright.

Depends doesn't it? Is it smarter to put in a lot of effort, study hard and hope you pass, or fuck around all semester and party, then get your mate who's a year ahead to sit your exams for you?
Smart isn't about cheating or not cheating, smart is whether you get caught or not.

Re:A truly better effort

Additionally the FBI investigates crimes committed across state borders, which happens when a dope gets on a computer and commits a computer crime that the internet routes to an out of state computer. Like an off the shelf student information system.

Re:A truly better effort

[HornWumpus]

Depends. Is the class a required waste of time? Then cheat your ass off.

Put in other words: Study math and science, cheat in the indoctrinations.

Re:A truly better effort

So the FBI was involved because this was cybercrime?

Re:A truly better effort

If he made the access from one state other than where the systems are located.. it is FBI turf.

That's what PC stands for

[raymorris]

> The PC is notoriously poorly designed as if it were meant to be run disconnected from the internet and in a room hidden away from intruders.

Which, for those who don't know, is exactly the case. Prior PCs (PERSONAL computers) running DISK Operating System, there were time-sharing computers running NETWORK operating systems. Computers prior to the PC each had many users, hundreds of uses for each computer. They often used it over a network, using terminals. Security was of course important - you didn't want one authorized user to mess things up for another user.

Then technology advanced to the point that it was feasible fr a single person to have their own personal computer, with several KBs of RAM. What OS would run in just a few kilobytes of RAM, though? Just the security-related stuff was a couple KBs. But wait, a *personal* computer with only one user, running from local disk and not attached to a network didn't NEED security. So to fit the OS in 16KB, the smart thing to do was to make a minimal OS without any of that security or networking stuff. It worked great. Then the internet happened and the manufacturer of Disk Operating System shit bricks.

Re:That's what PC stands for

[HornWumpus]

Just how much memory do you think a computer like a PDP-11 had?

There are reasons the PC oses went through the path they did. But it wasn't lack of memory that made (MacOS prior to X/Windows prior to NT) such turds.

Destined for greatness

Haven't these guys heard about the Kobayashi Maru? Kirk cheated once, and he made Captain. This guy cheated 90 times, he's going to be President of the World!

So 1980s

[sycodon]

What is this? War Games?

Re:So 1980s

[mrbester]

You mean Ferris Bueller?

9 Times..

[sqorbit]

"Ferris has been absent 9 times"....."GRACE!"

Re: 9 Times..

I was just about to post this joke but you beat me to it.

Re: 9 Times..

Cut him some slack, it was his day off.

Give him a degree!

He has clearly demonstrated excellence in the IT field. Instead of arresting him, he should be issued a Bachelorâ(TM)s in Computer Science.

on the football / basketball team then no need to

[Joe_Dragon]

on the football / basketball team then no need to hack to your grades as the school will find away to make you pass.

Re:Tell me again, why is USB can read keyboard inp

[pegr]

"...no way for an OS to detect it."

It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)

in the 80's just needed to know where they wrote d

[Joe_Dragon]

in the 80's just needed to know where they wrote down the password

https://www.youtube.com/watch?...
https://www.youtube.com/watch?...

become a fake fire inspector and install at banks

[Joe_Dragon]

https://it.slashdot.org/story/...
https://www.csoonline.com/arti...
http://www.businessinsider.com...

Re:Tell me again, why is USB can read keyboard inp

[Obfuscant]

The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard.

A keylogger need not present itself as anything over the USB bus. It can simply monitor the data lines that pass through it, allowing your keyboard to talk to the system. How do you detect that?

Second, what OS has the 'feature' of locking itself to one specific vendor and device id for its input devices? That 'feature' would be disabled the very first time the keyboard needed to be replaced in a hurry, like "I just showed up to deliver a lecture and the keyboard on the display computer is broken. I'll use the keyboard from one of the other systems in the room..."

Re:on the football / basketball team then no need

[HornWumpus]

Iowa wrestling. Guaranteed these were the same 'easy As' that other jocks take.

so what pair each system to a there own keyboard?

[Joe_Dragon]

so what pair each system to a there own keyboard?
So now you need to keep track of all of that if fails a lot then users will just get used to repairing them all the time.

Re: No surprise...

Creimer affiliate spam. Mod down please. Thanks.

Re:Tell me again, why is USB can read keyboard inp

[HornWumpus]

It's coming. Lookup 'Rubber ducky'. Essentially a reprogrammed flash storage device that presents itself as a keyboard and runs scripts (typically attack scripts).

Many places have computers set to call IT if anybody plugs in a USB storage device. Soon it will also call for a keyboard.

I saw nimble fingers yesterday

[theendlessnow]

I noticed a kid (old enough to drive) sneaking out of CiCi's with a plate (a restaurant plate) of pizza.

Nimble fingers indeed!

Hey, I brought pizza into the thread....

Re:I saw nimble fingers yesterday

[R3d+M3rcury]

Did you bring enough for everyone?

They blame the student for their bad security

[blindseer]

The university told the FBI that the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security.

Maybe they should have thought about IT security from the start.

I've been to college and I see how "security" is done. The computers the instructors use are just put on a desk or table in the front of the room. To keep it from walking away there will be a flimsy cable attaching the parts to the desk or wall. Even basic security, like setting BIOS passwords, will not be done. This can allow spying on the computer with software keyloggers and such, or simply vandalizing it so it's unbootable. The installation of a hardware keylogger, like in this example, takes no real skill.

Newer classrooms will have a proper podium designed to hold a computer. The computer will still just be out in the open for someone to mess with, and being in a podium will make things like a hardware keylogger more difficult to see.

Had the school thought of security from the start then this would not have happened and the costs would have been minimal. For example, when installing the podium use one with a locking door to the space for the computer. This would make installing a keylogger, hardware or software, much more difficult. It would also add some inconvenience for the IT support and the instructors, which is likely why it wasn't considered until something like this happened.

There's a lot of simple things that should have been done on just getting basic physical security on the computers. From what I know the network and software is pretty secure. The software people on universities love to play with this and it costs next to nothing to implement since graduate students' time is effectively free.

Assuming that these computers have some basic physical security, and pretty solid software security, that doesn't stop things like a student sneaking into a classroom early in the morning, before classes start for the day, and putting a cheap cell phone in the ceiling tile so the camera looks down on the keyboard through a small hole, and recording keystrokes.

What I think will solve this problem is the inevitable march of technology. I suspect that computers will get small and powerful enough that instructors will simply bring their computer with them to the classroom. There will be nothing in the room to mess with that would allow keyloggers or whatever. Access to computers in public spaces like labs, libraries, and so forth will be require an actual thought on security instead of technology fixing it for them. I'd think that there's lots of ways that could fix this where graduate students could do some research and development on this, which doesn't require any hardware, and they get to write a paper on it for a grade.

At the start they need basic physical security. They failed on this, and when someone took advantage of this they claim this wasn't the school's fault. No, it was the school's fault. If you own a house but don't lock the door when you leave then don't be surprised if someone walks in to walk off with your spare change jar and the beer in your fridge. Punish the trespasser but own up to leaving the door unlocked.

Re:They blame the student for their bad security

[Joe_Dragon]

Had the school thought of security from the start then this would not have happened and the costs would have been minimal. For example, when installing the podium use one with a locking door to the space for the computer. This would make installing a keylogger, hardware or software, much more difficult. It would also add some inconvenience for the IT support and the instructors, which is likely why it wasn't considered until something like this happened.

and when it get's to hot and the door needs to be open all the time?

Re:They blame the student for their bad security

[blindseer]

and when it get's to hot and the door needs to be open all the time?

Use a screened door, add a ventilation fan, etc. I did IT support for a prison and I got to see how they locked down the systems to keep the prisoners (and some of the staff) from messing with the hardware. There are standard electronics cases that were nice looking, very solid, and easy to lock/unlock on three or four sides for access. Most have screened sides for airflow, and all of them have the option for ventilation fans. This university is a state facility and so, like the software issues, have access to cheap skilled labor to fabricate their own. I assume this cheap labor includes those prisoners working in the welding shop, likely right next to where they stamp out the license plates. My brother in law got to see the inside of some similar prison workshops to the ones I saw, this seems pretty common state to state.

Also, I've seen computers used in typical university classrooms, they aren't that big. The podium is typically a box that's something like 4' H x 2' W x 2' D. Even a large tower from ages ago could be put in there and keep cool with not much more than a air slot at top and bottom for convection. Now the computers are smaller than a typical chemistry text, consumes something like 70 watts, and still packs a quad core 64-bit 3 GHz processor.

I'd be more concerned about them using a crappy lock that can be opened with a pen cap and a paperclip. Or, more likely, leaving them unlocked because some old professor wants to keep using the lectures from decades ago he has on a CD-R disc and demands that the door remain unlocked so he has access to the optical drive and doesn't have to bother with remembering where his personal files exist on the network.

I've seen many lecture halls with the A/V equipment nicely laid out in a 19 inch rack on the wall, on the podium will be a fancy touch screen control for lights, lowering the projector screen, controlling the window blinds, selecting the video source, etc. These things had to cost a lot of money to buy and install. But the computer will look like it was vomited on the podium, where nothing is laid out right, nothing secured, and often times buggy as hell. I can only assume this place did the same. Perhaps not as bad but given the ease with which they were "hacked" there was little thought to physical security of the PC.

Why was the FBI brought in?

[schwit1]

This seems like simple criminal trespass, fraud and larceny. The local or state PD can handle this.

Re:Why was the FBI brought in?

Because it's under federal jurisdiction as well as possible state and local entities.

Re:Why was the FBI brought in?

[schwit1]

My point is the FBI's computer crimes folks should be working on major league crimes that are too big for state and local law enforcement.

Silly Mistakes

[DatbeDank]

Silly mistakes are silly. Kid had access to the test banks and answers. He could have easily memorized the correct answers.

Even if he failed the test, he could have corrupted everyone else's grades to obscure the fact that he was doing it.

If you're going to commit any sort of computer forgery, make sure you spread the love far and wide so even unrelated students in completely different classes have their grades changed. There would be absolutely no way they would be able to find him in this instance.

Only the stupid get caught.

Re:Silly Mistakes

Only the stupid think that there would be "absolutely no way". Computer logs. Find out when the grades were changed and from where and work it from there.

Re:Silly Mistakes

[HornWumpus]

Many years ago, when I was an undergrad, another student was caught stealing tests from a prof's account.

The prof logged in, the system told him he was already logged in at one of the labs. The prof _ran_ down to the lab and personally caught the student 'red handed'

Just booted him for cheating, no FBI.

Profs keep weird hours and are generally not stupid, there are no guarantees.

Re: Silly Mistakes

Thatâ(TM)s eerily similar to one of the final scenes from âoePatriot Games...â

Re:Silly Mistakes

[drinkypoo]

Some of us are crap at memorization. In the real world you can look stuff up, unless maybe you're an ER doctor, so this is not as much of an impediment as you might imagine.

I don't recall ever cheating on a test. Not so much because I am unwilling, but because I'm unable. I'm a big galoot and I've never been sneaky. I have to actually understand the material to do well because I'm poor at just memorizing things.

Re:Tell me again, why is USB can read keyboard inp

[ctilsie242]

I wonder how one would protect against keyboard loggers. Since they are totally passive, an ID on a keyboard would do little at all.

The only way I can really see it happening is with a separate protocol from USB (perhaps fiber optic, a la S/PDIF), where the keyboard and the computer are paired, the keyboard uses epoxy potting and tamper-evident wiring and enclosures, and some form of cryptographic handshaking is done. The instruct users that no "secure" light on the keyboard, no typing.

Of course, this also shows how important 2FA is, especially with regards to grades. One ideal would be having the info changed on the computer, then confirmations showing the changes appear on someone's smartphone, similar to how the old IBM Zurich ZTIC would show proposed transactions and ask to allow or deny them. That way, someone would have to get ahold of the access token as well as get the username/password pairing.

Original Unibus PDP-11 4MB, IBM 3081 had 32MB

[raymorris]

In the late 1970s, Ken Thompson added paging support to Multics so it could use the full 4MB of memory available in the first generation PDP-11 machines with the original Unibus. 4MB is 250 times as much memory as the 16KB PC.

By the time DOS was released, multi-user systems like the IBM System/370 3081 had 32MB, or two thousand times as much memory as the PC.

Re:Original Unibus PDP-11 4MB, IBM 3081 had 32MB

[HornWumpus]

PDP-11s were not universally stuffed with memory. We had a small 4 user LSI-11 in my Highschool with 12KB IIRC.

RAM was expensive, IIRC I paid more than $100/16KB for my first RAM expansion.

Re:Tell me again, why is USB can read keyboard inp

[HornWumpus]

It will be whack a mole. Lock the computer to the keyboard model and the keylogger will just get updated to report it is whatever keyboard plugged into it.

Epoxy is a solution, but not a good one.

They need to encrypt traffic between the computer and keyboard. Which will add admin overhead.

Record Bluetooth keystrokes

Just record Bluetooth keystrokes. Way easier and harder to detect.

Re:so what pair each system to a there own keyboar

Use Bluetooth with encryption? You control both in the pairing?

Re:so what pair each system to a there own keyboar

[Joe_Dragon]

and then pay for battery's?

And all that using an old dial phone . . .

And a modem with an acoustic coupler!
A strange game.
The only way to win is not to play.

Re:Tell me again, why is USB can read keyboard inp

[Obfuscant]

Epoxy is a solution, but not a good one.

There is no security without physical security.

The computer is in a place that the public can access.

Could have milked it forever

If he was as smart as he was cunning, he should have intercepted tests ahead of time and aced them (article says he had the access) rather than changing grades and risking capture

No Stupid Laws

[ghoul]

There is a saying in the Army - never give an Order that will not be obeyed. It just breaks down the respect for Authority which is needed for soldiers to take an order which will mean risking their life but will probably save lives during battles.
A similar principle should apply to laws - dont pass laws that will not be obeyed. The 21 yr drinking age is a stupid law. If someone is old enough to fuck, go to war, get married and be executed for a capital crime they very well should be old enough to drink.
Once you pass laws that are stupid people feel no guilt breaking them and breaking other laws like forgery laws to get around the stupid law.

Re:No Stupid Laws

[Joe_Dragon]

the 55 speed limit needs to be on that list.

Re:No Stupid Laws

[drinkypoo]

Laws are not orders. They have different purposes. You want orders to be obeyed. But that's not necessarily the goal of laws. Sometimes they are there to produce revenue.

Re:No Stupid Laws

There's actually an interesting thing I read about safety on city streets.

Our approach is to make lanes wider, give wide shoulders, keep obstructions away from the street, signs are visible and abundant, etc.

All of which communicates to drivers that the road is safe enough to speed on and to not pay close attention to. Which results in pedestrians getting killed.

The reverse side is to communicate that a city street should have low speed - through narrow lanes, lack of a shoulder, obstructions that slow traffic, even to the extreme of removing all signs and road markings. While such a street may seem to be more dangerous, the result is that drivers slow down and less people are killed.

Re:No Stupid Laws

[blindseer]

The best way to end a bad law is strict enforcement. If not enforced, like say a speeding limit, then people learn that there is no punishment for breaking the law. If caught then you get people that are indignant on being picked out from the crowd. If the police stop everyone that speeds, then you run the risk of a bunch of angry citizens at the next town hall meeting complaining about the stupid speed limit.

If you want revenue from speeding then you have to enforce it. If enforced consistently then people will obey the limit to avoid the fine, or lobby for a more reasonable speed limit. That goes for all laws. A law cannot exist for the goal of people breaking it for revenue. That breeds contempt for the law as people learn it's true purpose. Paying a fine to make the police go away is just one small step from bribery.

So, you do want all laws obeyed. If some laws are "more equal than others" then you don't have laws any more, you have a rule by men and not by law. I seem to recall some very smart people warning us of a rule by men and the need for law.

Re:No Stupid Laws

[drinkypoo]

Selective enforcement works almost as well as (sometimes better than) being consistent, and it's cheaper.

Re:No Stupid Laws

[blindseer]

Selective enforcement just means picking out the worst offenders for punishment. That's still a mockery of the law, as evidenced by my interstate commutes. The posted speed limit is 70 but unless you are going 75-80 you will be passed by other travelers regularly. The law is not the law at that point. Either post a reasonable speed limit, and enforce it rigorously, or allow the mockery of law to continue.

That applies to all laws. If the federal government wants to claim that marijuana possession is a felony then it needs to be enforced. Not enforcing the law on marijuana possession but enforcing it on other drugs starts to put in the minds of people the idea that maybe possessing heroin and MDMA aren't so bad after all. But then maybe that's the point. I think that there are a lot of people that have grown tired of enforcing laws that only produce revenue, as opposed to enforcing laws that keep the peace.

We used to have "peace officers" but now we have "law enforcement officers". I want my peace officers back.

Re:No Stupid Laws

[drinkypoo]

Selective enforcement just means picking out the worst offenders for punishment.

No, it does not. It means picking them out psuedorandomly. You ideally select the worst offenders, not least because they are worth the most money, but that's not the only criterion commonly used.

If the federal government wants to claim that marijuana possession is a felony then it needs to be enforced. Not enforcing the law on marijuana possession but enforcing it on other drugs starts to put in the minds of people the idea that maybe possessing heroin and MDMA aren't so bad after all.

Except the government already showed that their laws are bullshit with their ridiculous scheduling of cannabis, which doesn't meet their own standards.

Re:Tell me again, why is USB can read keyboard inp

[plover]

"...no way for an OS to detect it."

It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)

And Boom, doesn't go the dynamite. Take a look at some of the Hak5 products, like the Bash Bunny or USB Rubber Ducky. They allow the owner of the device to specify whatever VID/PID combination they want; they actually recommend you change it from their defaults so that scanning for their default VID/PID won't get you caught.

Besides, you can't simply block alternate keyboard IDs anyway, at least not in America. The Americans With Disabilities Act will quickly be invoked by someone who needs an alternative input device in order to do their job. Perhaps they're in a wheelchair and need a wireless keyboard or mouse. Blocking random USB HID devices turns out to be a real problem for them.

Re:Tell me again, why is USB can read keyboard inp

[blindseer]

I've been to a hospital where all the keyboards have some kind of ID card slot on them. I'll see staff sit down, presumably type in a password, and get their screen. If the keyboard is smart enough, and a matching driver written, then the communication on the USB wire can be encrypted with a key in the ID card. At a minimum the systems on the university could be configured to not allow login without that ID card. I assume that there would have to be a backup plan for cases of broken hardware, lost ID card, and such so that it doesn't keep instructors completely out for the lecture. Maybe have to call the IT desk to ask for an override. Do they still put telephones in lecture halls, or will the instructors not have to be so absent minded to not lose their ID and cell phone at the same time?

Epoxy would work to keep out a lot of tampering but I'd think one of those locking equipment boxes would be much less costly in the long run. Computers with epoxy on the USB ports would have no resale value, and would be difficult to repair in many cases.

A better method

[Kamamura]

Display the exam questions on captcha banners that protect pr0n sites from bots, and sit back and watch how the whole world passes your exams.

Re:Tell me again, why is USB can read keyboard inp

I wonder how one would protect against keyboard loggers. Since they are totally passive, an ID on a keyboard would do little at all.

The only way I can really see it happening is with a separate protocol from USB (perhaps fiber optic, a la S/PDIF), where the keyboard and the computer are paired, the keyboard uses epoxy potting and tamper-evident wiring and enclosures, and some form of cryptographic handshaking is done. The instruct users that no "secure" light on the keyboard, no typing.

Of course, this also shows how important 2FA is, especially with regards to grades. One ideal would be having the info changed on the computer, then confirmations showing the changes appear on someone's smartphone, similar to how the old IBM Zurich ZTIC would show proposed transactions and ask to allow or deny them. That way, someone would have to get ahold of the access token as well as get the username/password pairing.

They can lock the computers up in a box like some kiosks have

Prof shouldn't log in from public PC

[knorthern+knight]

Security 101... Would you log in to a sensitive account by typing your password over an unknown wifi connection? Hopefully not. A public PC should be considered similarly untrustworthy.

Cheater

"He/she knew Graves was providing the copies to other students and did not want the grading curve to negatively impact his/her scores."

Then report him, you lying, cheating fucker!

What do we get out of this

Lets be honest here if he is able to do this 90 times then the college clearly has no reputable service to sell the guy and furthermore if he spends jail time with college debt gaining interest its just a new method for sales a means to squash opposition to past alumni.

In short if this dumbass gets caught you can be certain there are far more educated folks doing the same damn thing and getting away with it. He is exactly the kind of guy to keep around to reveal more perpetrators.

Just don't

If you're smart enough to cheat and not get caught, you are smart enough to not need to cheat

Not so silly

[hawk]

the obvious next step is to change his court or conviction file . . .

"Hey, Sarge! someone screwed up and put this idiot in a cell for jaywalking.'

And off he goes, free again . . . :)

hawk

lessons learned

[geowash01]

I learned two things: 1 - this kid is persistent and someone should hire him as a white hat; 2 - the administrators at this school/school district are really, really unteachable. Public education anyone?