Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Arrested for Planting Spyware on College Compus 414

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."
This discussion has been archived. No new comments can be posted.

Arrested for Planting Spyware on College Compus

Comments Filter:
  • But... (Score:4, Funny)

    by Anonymous Coward on Sunday February 09, 2003 @10:48AM (#5264382)
    Information wants to be free! I don't see that he did anything wrong. GNU forever!
  • MIT (Score:5, Interesting)

    by cristofer8 ( 550610 ) on Sunday February 09, 2003 @10:49AM (#5264388) Homepage
    Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.
    • Re:MIT (Score:3, Insightful)

      by Anonymous Coward

      Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.

      Or exploiting a compromise. Granted at MIT they are more likely to catch you than at other places, but don't think that passwords make you immune to buffer overflow and other attacks.
    • Re:MIT (Score:3, Insightful)

      Well if the MIT networks are at least partially hubbed, which they probably are you can use a packet sniffer.

      A packet sniffer will get you some juicy info ... even though it can be thwarted with public key encryption, i think.
      • Re:MIT (Score:2, Interesting)

        by coolmacdude ( 640605 )
        No you cannot use a packet sniffer. I'm sure MIT has made this impossible. Here at Georgia Tech OIT encrypts all packets by destination MAC address so only the intended recipient can view them.
    • Re:MIT (Score:5, Insightful)

      by Waffle Iron ( 339739 ) on Sunday February 09, 2003 @11:01AM (#5264473)
      Any workstation that is pysically accessible to the public is subject to reprogrammning so that it emulates its original behavior plus logs keystrokes. Unless you're using honest-to-goodness dumb terminals with non-flashable ROMs, I wouldn't be so confident.
      • Mod parent up! As long as there's a public access terminal, it's easy enough to make a superfluous "fake login screen" program to log keystrokes and whatnot.
        • ATMs too (Score:5, Interesting)

          by kwenda ( 644349 ) on Sunday February 09, 2003 @02:45PM (#5265820)
          I saw something, I want to say on Discovery - a documentary on counterfieting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.
      • Re:MIT (Score:3, Interesting)

        by Bastian ( 66383 )
        Add built-in keyboards to the mix.

        Although these mainly exist for ps/2 keyboards, there are hardware keystroke loggers that plug in between the keyboard and the USB port and are designed to look nonconspicuous.
    • Re:MIT (Score:5, Insightful)

      by Anonymous Coward on Sunday February 09, 2003 @11:01AM (#5264476)
      Nonsense. I can easily hack into a UNIX system without nothing more than a floppy disk and the power switch.

      The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software.

      Even if you use something like SSH or SSL, that only products you between the two endpoints. When one of the end-points (the client you are using, in thise case) is insecure, a secured data tunnel is worthless. Indeed, your keys/passwords/etc. can be stolen quite easily.

      If you need to compute on the run, get a laptop that you are in control of. Don't use someone else's machine to conduct sensitive business or utilize sensitive information.
      • Re:MIT (Score:5, Informative)

        by jd142 ( 129673 ) on Sunday February 09, 2003 @11:09AM (#5264522) Homepage
        I can easily hack into a UNIX system without nothing more than a floppy disk and the power switch.

        Prevent booting from a floppy, password protect the bios and lock the case. Makes it much harder.

        You could still do it, but the odds are that someone would notice that you were literally hacking in to the computer so you could set the dip switch on the motherboard to blank out the bios password.

        And it should be obvious to the techs who do maintenance that someone has sawed through their lock.
        • Food for thought: (Score:5, Insightful)

          by Hubert_Shrump ( 256081 ) <cobranetNO@SPAMgmail.com> on Sunday February 09, 2003 @11:35AM (#5264689) Journal
          If it's a x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these [thinkgeek.com] babies. That'll catch the BIOS password (when/if it gets typed in) and all.

          Ouch.

          Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...

          But we're just talking here, aren't we friend?

          • Re:Food for thought: (Score:2, Informative)

            by jmauro ( 32523 )
            You can lock access to the bios without preventing the computer from booting. And one can have a different password for booting and for changine the bios options. I doubt you'd be able to insert the device and get someone then editing the bios password to change options in any case.
          • Re:Food for thought: (Score:3, Informative)

            by kasperd ( 592156 )
            does any other manufacturer use the PS/2 keyboard cord?

            AFAIK it is possible to use PS/2 keyboards on some Amiga models. And our NCD boxes (X-terminals) also use PS/2 keyboard and mouse. One of our happens to have a PS/2 keyboard from SGI, though I don't know if that one is identical to the keyboards connected to the SGI. I have noticed one functional difference on the keybards connected to the SGI though they look exactly like a standard PC keyboard. The software can see when the Pause/Break key is released, normally a PS/2 keyboard sends the key release code for that key already when it is being pressed.
        • Re:MIT (Score:5, Informative)

          by Rolo Tomasi ( 538414 ) on Sunday February 09, 2003 @12:34PM (#5265007) Homepage Journal
          Bad idea. Many (most?) BIOSes have a manufacturer default password, which overrides the user password. Most mainboard manufacturers also don't bother changing it (you can view & change it for AWARD BIOSes with a program called modbin, which you will have to obtain illegally). You can also overwrite some of the CMOS RAM (takes about five lines of assembly), so the checksum will become invalid and the BIOS will load the setup defaults on the next boot. No more password.

          The BIOS password is useless. Furthermore, even if it weren't, if you install a hardware keylogger, you will get the password anyway. If you want to do it professionally, install the keylogger inside the keyboard's case.

          In short, if you have physical access to a machine, the possibilities of compromise (even non-invasive) are endless. And that's not even taking into account fake logins, trojans, OS & app exploits, etc. pp.

      • Re:MIT (Score:3, Insightful)

        by nutznboltz ( 473437 )
        The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy.


        But under certain circumstances anonymity is privacy so some behaviours on a public machine are more private than on personal machines. If you provide nothing but false data about your identity on a public machine (i.e. don't access anything that is connected to your true identity) you can post messages that have high plausibility of denial ("I don't know anything about that post".)

    • Re:MIT (Score:5, Insightful)

      by jd142 ( 129673 ) on Sunday February 09, 2003 @11:05AM (#5264496) Homepage
      So how do you make a public machine, where random people can come in off the street a multi-user system? Think of people who go to a library to work on the web because they don't have a computer at home.

      The problem isn't inherent in single user windows systems, it's quite simple to lock down a windows machine to prevent easy installation of this kind of program, the problem is lack of security protocols on the tech end.

    • Well, finding the root password might be quite easy if the root user happens to log into one of the public computers... Keylogged... Job done.
    • Re:MIT (Score:3, Funny)

      by myrashka ( 452794 )
      Oh come on - MIT is a hacker training ground...so people hack the MIT systems all the time...not getting caught is the final exam!)
    • *bzzt*

      Wrong answer, thanks for playing.

      It is easy to get the login details of other users - I did this at Uni myself (many years ago) and over a few weeks I got the username and password of everyone in the department who were using those systems - Suns running SunOS which, last time I checked, is a unix-based system.

      (It wasn't big and it wasn't clever, although in my defense all I did this for was to see if people woudl fall for it - I never used the passwords to do anything)
    • Aside from distracting a logged-in user, pressing the 20-or-so keystrokes needed download to move them into your emulating-interface, and then you have a logger that's at least good enough for that session.

      Risks can be reduced, they cannot be eliminated.
    • Does it use a PS/2 keyboard? If so...

      Key Katcher [thinkgeek.com]

      Expensive, but will work on anything using a PS/2 keyboard.

      -----
    • I can pretty easily write a program for unix that does this:

      Makes the screen black, and displays a "Welcome to Athena" sign on screen that looks just like the real one. It takes the username and password, and invokes su to run a shell/window manager as the user. In the meanwhile it logs their username/password to a file in my directory.

      I guess it depends if su is installed on Athena (IANAMITS I Am Not An MIT Student), but probably it is. If not, you can just put a hardware keystroke recorder on the computer.

      Unix does not a secure system make.
      • Re:Uh...wrong (Score:4, Interesting)

        by Minna Kirai ( 624281 ) on Sunday February 09, 2003 @12:17PM (#5264919)
        I guess it depends if su is installed

        Even if its not, you can still collect passwords, just more slowly. If it can't su, the trickster software can just display an "authentication failed" message and quit to the real login screen. The victim just assumes she mistyped on the first try, and the attacker has a single new password to play with.

        Tricks like this is why Microsoft added the "Press Control+Alt+Delete to Log In" feature. (At the DoD's behest)

        Supposedly, it would be impossible for any user-level program to trap that keystroke, so you always can be sure you're seeing the real OS login screen. (Of course, given how easy it is to compromise the OS itself, this protection means little).
    • Re:MIT (Score:5, Interesting)

      by RainbowSix ( 105550 ) on Sunday February 09, 2003 @11:46AM (#5264750) Homepage
      Don't feel so secure. Here at CMU a long time ago someone stole passwords like this:

      When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.

      Don't think you're safe on a multiuser system either.
      • Re:MIT (Score:4, Informative)

        by Chester K ( 145560 ) on Sunday February 09, 2003 @03:04PM (#5265941) Homepage
        When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.

        Don't think you're safe on a multiuser system either.


        A Windows-based multiuser system would be safe from this sort of attack. Windows servers can be set to require the user to hit the system key combination, Ctrl-Alt-Del, before entering their login information. Ctrl-Alt-Del is not trappable in any fashion by any userspace program and can be set to always transfer control to the system. If you're on a Windows server and you hit Ctrl-Alt-Del, you can be absolutely sure that the window that pops up next is a legit system dialog.
    • Ehh.. MIT gives you the root password to all of the public workstations that's why you need to type "access on" at the console in order to access a workstation remotely. I'd advise against this. Kerberos tickets are stored on teh HD until you log out, so somone else can become you for 10 hours (by default) if you turn acess on. The dialups, Kerberos servers, and departmet/private machines are entirely a dfferent matter.

      Oh, and su and access commands are supposedly remotely logged. I've been questioned in W20 shortly after logging in as root.

      Has anyone out there used the new Win32/Athena machines? I'm affraid, very affraid. Also, is the Administratr password the same as the root password for all of the *NIX workstations?

      • The only thing that might make those Win32 machines safe is that they present absolutely zero challenge.

        I briefly worked on the MIT I/S project to bring Windows to public clusters. The project's official name was "Pismere", latin for horse piss. The test servers were named "frequently-down" and "data-loss". Needless to say, we all considered the project to be an enormous security risk.

        I remember finding a nice proof of concept of a security hole when I was there. Found a web site that displayed an image saying "if you see this, I can get your username and password, click here". I clicked, and 2 minutes later the target page refreshed with my username and password! This was 1999, the web wasn't exactly new.

        The standard athena unix boxes have a fairly impressive (although certainly not impenetrable) set of defenses. There's a tripwire type system that runs on user logout and disables the system if anything funny is detected. Admins then fix the box by reinstalling from a network server (completely automated).

        (for those who are interested, the exploit was accomplished by pointing an IMG tag to a file on a SMB share that was running a hacked version of Samba. The Samba server would claim it didn't understand the modern authentication methods and request a LanManager style login. Windows LanManager password hashes had a flaw that made them fairly easy to reverse.)
    • Re:MIT (Score:5, Interesting)

      by jc42 ( 318812 ) on Sunday February 09, 2003 @12:15PM (#5264911) Homepage Journal
      There's no way (barring finding the root password) for me to do this to any user other than myself.

      Well, I haven't used an Athena workstation for a few years, but back then, knowing the root password wouldn't help you. Everyone knew the root passwords. They were all the same, and in many rooms it was posted on the wall for the benefit of new users. The password was "mrroot" (pron. "Mister Root"). The usual comment to people who raised their eyebrows at this was "If you think it's a problem, try to exploit it."

      The recommended approach with these machines was to reboot them (using the power switch, of course). This would cause them to download a new OS from the network. The local disk would be entirely "scratch", to be mounted and used as you liked. The general assumption was that you
      would clean up after yourself. If you left behind a trojan horse that trapped the next user, well, they trusted an unknown system, so it was their problem.

      Having the root password well-known was very useful. It meant very few "customer support" calls. This was MIT, after all. If something doesn't work, the natural reaction of most users is to start investigating. With the root password, competent MIT users could diagnose most problems themselves, and either fix them or leave a note describing the problems and move to the next available machine.

      Unix's "root" security is primarily a tool for protecting the system from buggy software and clumsy users. It's for building walls between parts of the system so that app X can't shoot down app Y, and no app can shoot down the OS. It's not really for preventing breakins, and hasn't been useful for that since unix systems became networked a quarter century or so ago. Intercepting network traffic is trivial, and anything that goes across the network is assumed public.

      Over the years, I've often been bemused by the idea that root passwords must be protected for security reasons. People really are that ignorant of how security works.

      When you keep your root passwords secret, you mostly interfere with your own people's ability to diagnose and fix problems. You don't add materially to your security.

    • Re:MIT (Score:3, Interesting)

      by perljon ( 530156 )
      Where I went to school, all public computers didn't require login. Each computer had to authenticate with an outbound firewall to get access to the internet (through telnet).

      Which means you could pretty much do anything you wanted on the local network or the local computer. You didn't have to login to the local computer AT ALL.

      So if you used a multiple user/non windows system and still didn't force the person to login to the local system, you'd still have the same problems.

      Also, because you were forcing people to authenticate with a firewall through clear TCP/IP, you are sure to pick up username/passwords if you decided to use a network sniffer.

      In short, stop being an OS biggot. There exists secure windows environments, and there exists insecure Unix ones.
  • by pelvismaximus ( 620832 ) on Sunday February 09, 2003 @10:51AM (#5264402)
    This is why you need to do all your tying through a proxy keyboard - that way the keystroke recorder records the keystrokes from THAT keyboard and not the one YOU used. Nothing like that extra layer of protection to help you sleep better at night.
  • by 26199 ( 577806 ) on Sunday February 09, 2003 @10:52AM (#5264413) Homepage

    It's a cautionary tale for admins. Users should not have to worry about basic things like whether keypreses are being logged.

    The fact that the guy got caught makes it also a cautionary tale for anyone planning something like this...

    • by Black Parrot ( 19622 ) on Sunday February 09, 2003 @11:02AM (#5264479)


      > The fact that the guy got caught makes it also a cautionary tale for anyone planning something like this...

      Did they catch him by monitoring his keystrokes?

    • It's a cautionary tale for admins.

      And how exactly should they prevent it? They can't possibly be aware of every single keystroke system out there, hardware or software, then monitor each host to ensure they don't get compromised. Admins at many sites are so overworked that they are lucky if they can keep all the machines up and running.

      • A well-administered system shouldn't allow users to install software that affects other users' systems. A well-administered system should support a logout key sequence which can't be ignored via software (ctrl+alt+del on winXP/NT, ctcr+alt+backspace or something else on an appropriately configured X station) so the user knows the login screen they see is really a login screen and not another users' app. A well-administered system should pull its files from a read-only soure (I use AFS) to prevent machines from being reconfigured by unauthorized personnel.

        It is indeed the admin's job, and a good one *can* do something about it. If their employer doesn't give them the resources to do so properly (ie. insufficient staffing) then that's said employer's problem -- but a good admin, with sufficient staff, should do things like this.
    • by Pike65 ( 454932 ) on Sunday February 09, 2003 @11:27AM (#5264636) Homepage
      We had the exact same problem when I helped administer our school network years ago. Because we were using Win95 clients, there were all kinds of things you could do to remove process from the task list, system tray, and taskbar.

      There was one program in particular called Intraspy [natasoft.com]. It hid everything so the only way we could snag it was by searching for files modified in the last few seconds to catch the log files. Luckily it logged the guy who installed it exiting the system, so we tore him a new asshole.

      In a weird twist of fate, it turned out it ran a program called ISSRV. Our virus checker ran ISRV and so our lame sysadmin got his wires crossed and went around disabling all the virus checkers . . .
    • The answer I think is that tech security is not enough. If you run a semi-public computer center such as that, you need physical security to watch over the operation.
  • by Marqui ( 512962 ) on Sunday February 09, 2003 @10:53AM (#5264416)
    But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!
    • by tekunokurato ( 531385 ) <jackphelps@gmail.com> on Sunday February 09, 2003 @11:14AM (#5264553) Homepage
      You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.

      At my school, we've got some computers in very public areas that are all full of restrictions, and people run into usability problems with them all the time. But on the computers in the library, users can install whatever they need. If I need to install a drawing program to help create a presentation, I should have the freedom to do so. If I want to install AIM to get files off my computer remotely or send myself information, I should be able to do this. These are important user rights in a computing age.

      As such, it is important to monitor what is being placed on computers, but it is foolish to restrict everything outright.
      • This idea of letting users install "whatever they need" is how organizations get busted for licensing ifractions. Besides that, who says that the software a random user installs is stable and will play nice with the other software on the system? Should the people responsible for system uptime/availability be expected to spend precious resources scouring a facility for illegal software and fixing machines that were needlessly broken? IT departments are charged with providing the required services to all of the authorized users with as much efficiency to the users as a whole as possible. Not trapsing around after a small handfull of users who think the systems are their just for them.
      • by Tack ( 4642 ) on Sunday February 09, 2003 @11:55AM (#5264798) Homepage
        You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.

        A nice sentiment from someone who is obviously not a sysadmin of any non-trivial setup, or from someone who is fortunate enough not to be overworked and have plenty of time to do one's job.

        The problems with giving users free reign on public/lab systems are several. The biggest one is that letting users install whatever they want can leave behind god-knows-what, like spyware or trojans. Also, it's easily possible for installing a piece of software to break another, more important piece of software. When that happens, since I'm the admin, it's my job to fix it. Of course since I have so much free time and generally do nothing all day except post on slashdot, this isn't a problem, right?

        Another issue is licensing, and that's something most users, even ones competent enough to install software, don't take into consideration. They install their copy of Corel Office on the public/lab system because that's what they used at home to do their presentation or document, and suddenly there are legal implications to the organization servicing that computer.

        If it's your computer, that's an entirely different story. For example, Microsoft has no business mandating what can and can't be installed on your computer. But if the system is an asset of my organization under my administrative control, you better believe I'm going to lock it down. My job is to make it very easy for users to do authorized tasks, such as web browsing or word processing, and very difficult for users to do unauthorized tasks, like installing foreign software, or accessing/deleting data that's not their own.

        Jason.

  • Happened Here Too (Score:3, Interesting)

    by Anonymous Coward on Sunday February 09, 2003 @10:54AM (#5264427)
    Happened at WPI a few years back. After taking an assembly class that showed him how to catch keyboard interrupts, he loaded a new interrupt handler that logged the keystroke and then called the real handler so that everything looked normal. He was caught, but I'm not sure what happened to him.
  • by prichardson ( 603676 ) on Sunday February 09, 2003 @10:55AM (#5264431) Journal
    The guy only managed to steal $2000? This guy must be stupid.
    • I know I shouldn't reply to my own comments, but this really needs to come out.

      Students are not poor. If you live in a university town like I do you can see all of the really nice stuff that gets thrown away by students. A lot of them have ass-loads of money from their parents. I know there are also a lot of struggling students, but with personal info on more than 4000 people, he should be able to do better than that.
  • Nothing new... (Score:4, Interesting)

    by shaklee ( 631847 ) on Sunday February 09, 2003 @10:56AM (#5264437)
    There is a kid doing this at almost every school, most of the time it goes undetected. Three people at my highschool did the same thing and were suspended, no one knew what kind of information they obtained but it was going on for over a week.
    • When I was in high school, I had to write a TSR to do this. You kids have things easy these days...
    • Re:Nothing new... (Score:3, Interesting)

      by cervo ( 626632 )
      Back in high school for me they used novell so it was super easy. We forged a fake login screen and then called the real one, so after capturing a user name and password it would log it to a file on the C drive. Totally undetectable that it was any of us. We got a supervisor password and made life a living hell for our net admin. We gave random users supervisor rights and used their accounts based on other passwords we stole to have fun. Sometimes we would give group EVERYONE supervisor rights. People have been doing this kind of thing a long time. Our downfall was the net admin figured out one of the supervisor accounts of a guy who was fired was logging in, then set up a trap and boom caught us.

      This guy was clearly more enterprising in that he stole some money, but the question is why didn't he steal more money? And what is with this installing ready made programs, now it is too easy. In the past you had to make TSR's, forge login screens, alter commands and so fourth it was actually not hard but not every idiot could do it. Now you just go to a website and download a packet sniffer or keystroke recorder. It is too easy to do. And because it is too easy to do you'd think net admins would be more aware and capable.

      But then again all these compromised systems are non UNIX like. It is hard to compromise a UNIX system without root access. And joe public can't necessarily get his hands on root access or exploit a bug to steal it so at least UNIX is somewhat secure.

      Also from the tone of the article it sounds like the college thinks that maybe the prosecutor went too far. The college seems to be more forgiving. For example "Smith said, noting that Boudreau could have used it with far more devastating consequences. ". So the security consultant is pointing out he could have done worse. And so is the spokesman for the college 'While we are grateful to the attorney general's office for their assistance in this case, it's important to state that Mr. Boudreau gathered personal identification numbers on students but never misused them in any way," said Jack Dunn, a spokesman for the college.' At least the schools aren't blowing the case out of proportion like the prosecutor is. Although he did steal $2000 so he shouldn't walk. It's one thing just to login and play pranks, but it is quite another to steal money or do other things.
    • Old tech keylogging (Score:3, Interesting)

      by AndroidCat ( 229562 )
      Back in the old days on the high school Teletype, we had a few successes capturing passwords by leaning on the paper tape punch on button. One time, someone spotted the moving tape after he'd logged in, stopped the tape, ripped it off, crumpled it and tossed the tape in the garbage. After he left the room, everyone dived for the garbage can. (A number of us could read paper tape manually.)

      *ahem* but of course I haven't done that sort of thing in decades... ;^)

  • This software... (Score:5, Interesting)

    by Chicane-UK ( 455253 ) <chicane-uk@ntlwor l d . c om> on Sunday February 09, 2003 @10:57AM (#5264443) Homepage
    This kind of software causes a real headache for system admins.. I speak from personal experience. Our team of about 12 technicians look after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.

    Trying to keep tabs on this kind of thing can be nigh on impossible.

    We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate [fortres.com] that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.

    We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.

    No, I dont work for Fortres Grand but thought it seemed appropriate to the subject! :)
    • by Cirvam ( 216911 )
      Why not just lock the user from writing to most of the hardrive but allow them acess to a temp folder or a network drive where they can install stuff and save stuff. Then when a new user logs in just have a login script wipe the local directory and connect to the new users's network drive? Otherwise students could install stuff like back orface or sub7 and screw with the computer until it is rebooted. I don't know exactly how well Clean Slate works, but it seems that XP has all that built in (doesn't it even allow you to rollback to a previous setup?) although if its anything like their desktop lockdown program its pretty easy to bypass.
      • i've seen this on a number of machines. I believe as soon as you logoff it reverts to the 'default' state.

        While this might be annoying to some, in general, its a good thing on public computers. Besides undoing any software installs a user might've tried, it also removes old cookies and temp files that might contain someone's personal info.

        Most public uni. computers ive seen all have zip drives. If you want to download and save something, I suggest putting this to use. It is, after all, a public computer.

      • I don't know about XP, but I know it's pretty much impossible to try to lock down a Win2K workstation with file system level permissions. Applications simply aren't designed to work without write access to their C:\Program Files\FooApp folder.

        You have to revert to registry hacks or security policy changes, which is a pain in the ass considering the same task is basically automatic on UNIX.

        Erik
    • by plsuh ( 129598 ) <plsuh@noSPaM.goodeast.com> on Sunday February 09, 2003 @11:26AM (#5264630) Homepage
      This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, often times people will simply sit down at an otherwise unused computer and start typing in URL's. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.

      This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.

      There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.

      In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.

      By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.

      --Paul
    • by Sgs-Cruz ( 526085 )
      Oh yes, at our school board (Halton School Board in Ontario) we use software called Deep Freeze [deepfreezeusa.com]. Which worked great (people would download and install MSN, mIRC, Quake II, etc. and it would disappear next time the computer was turned on) until some of the computer-oriented kids used a miniscule (literally, asking a teacher that didn't know much about the system) to get the Deep Freeze password.

      We then had every computer in the school getting installed with many games and chat programs every time the computer got turned on. Not only that, the password was changed so the teachers couldn't change it back.

      My point is this: perfect physical security is nothing without dedication by the humans that have to use it.

    • by sheetsda ( 230887 )
      Many years ago my high school used a Fortres product (may or may not have been the one you're talking about but the idea sounds the same). It worked well enough for keeping the majority of average high school students out of trouble but the lab techs had no problem hacking through it. At one point there was an old system with Fortres on it which no one knew the password to, and so the lab techs were asked to take Fortres down so the machine could be updated and so forth. We succeeded in minutes, and consequently I've been skeptical of the usefulness of products like this one ever since.
  • by RodeoBoy ( 535456 ) on Sunday February 09, 2003 @10:57AM (#5264444) Homepage
    He was part of a Internet backing project for a large European bank. This bank was one of the first to offer services over the Internet. He always used cash and did all of his banking with a real live teller. He didn't have any credit or banking cards. I think that says a lot.

    I have been doing Internet based development exclusively for four plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes thing easy without thinking about any potential consequences.

    I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.
    • Hmm... that PM (I am guessing: project manager) sounds like a paranoid luddite to me... which isn't to say that one should not be careful. But the few stories one hears of people having their money stolen because of credit card or Internet banking fraud dwindle beside the millions upon millions of happy users of these services. And the cases in which the defrauded users haven't had their money restored to them in the end are even fewer.

      Cash has its drawbacks too, and it's not just the waiting in line to withdraw or deposit money. Ever gotten a counterfit bill as payment, or as change in a supermarket or bar? Good luck convincing anyone that they were the ones to hand you that particular bill.
  • Actually BugBear do the same, stores keystrokes in a file and send them to a disabled email address. If those computers were accesible, then looking for that file (without installing anything, the worm spreads itself alone, but if you want you can install it opening mails with outlook) could give you the same information, and you will not be blamed for "planting" spyware, after all, was an email worm, and the files, well, you only found them
  • by yog ( 19073 ) on Sunday February 09, 2003 @11:10AM (#5264530) Homepage Journal
    Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this [tastysoftware.com] and paste character by character. It's slow but better than having your identity stolen.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Sunday February 09, 2003 @11:19AM (#5264584) Homepage
    The truly scary thing about all of this is this :

    You only need to install your sniffers on a few boxes to get plenty of good credit card numbers and passwords and such. And if it's installed on only a few boxes, it would (unless they were specifically looking for this) be very hard to detect if done correctly.

    And then if you're careful about the credit cards that you use (i.e. use only one or two, or only those that have bought stuff from a given site, etc.) they won't even suspect that people are sniffing at this one site. (If you use every credit card you find, the credit card companies will figure it out pretty quick by finding out what's in common with all the cards in question.)

    In short, for every guy who's caught, there's probably dozens of guys who aren't caught.

    Be afraid. Or, more importantly, be careful.

  • by Dragon218 ( 139996 ) on Sunday February 09, 2003 @11:21AM (#5264600) Homepage
    The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."

    Using a computer to commit a crime is no different than just commiting the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.
  • suspended? (Score:2, Interesting)

    by myrashka ( 452794 )
    Boudreau, who faces up to 20 years in prison if convicted on all charges, was not immediately available for comment. Boston College said it suspended Boudreau, 21, last year once it learned of his scheme. Suspended? Do they think he'll continue his education in 20 years? How is it he's been suspended for a year and only now their just indicting him....gotta love the speed of justice. I spose they can't expell him until he's convicted (innocent till proven guilty and all)... So, do you think he had all the keystroke logs sent to his main email acct?
  • by RomikQ ( 575227 ) <romikq@mail.ru> on Sunday February 09, 2003 @11:29AM (#5264650) Homepage
    If it wasn't for those meddling kids!
  • 1. People (most people, the majority of people) are completely clueless when it comes to security. The see that their password isn't displayed, so therefore it must be safe. Public computer? ... not a concept or an issue to them.

    Question: Is this their fault? IMO, no it isn't. The visual indications they see indicate they are indeed using some kind of security. The problem here is software manufactuers (not just M) do not have most users best interests at heart when it comes to security.

    2. A system that allows key monitoring software to be installed so easily SHOULD NOT be sold for public use! Not only are the software makers at fault, but so is whomever decided to use such an unsecure system in a public area. But whoever that is, is probably fairly clueless when it comes to security too.

    This will continue indefinitely until 1 of 2 things happen;

    1. Someone comes out with a dumbed down computing device that uses Windows (sorry, but that's a reality), is cheap, and requires little to no administration (or little enough that breaking the security by a clueless admin will be impossible).

    - or -

    2. People get a clue about security... not gonna happen.

    In fact, I don't see either of the two happening, so IMO this kind of stuff will continue well into the future.
  • It is in the title and looks really distracting.
  • No one but an idiot would 'trust' a public terminal for anything confidential anyway.

    Even if it wasn't 'cracked', do you know whom the admins are? Or who they work for..

    Its just a big risk to trust ANYTHING public these days..

  • He then stole $2000 with the information he gleamed.


    Radical, dude! Did he also Gleam the Cube [imdb.com], to get even by risking it all?

    P.S. [reference.com]
  • Exaggeration (Score:2, Informative)

    by KIondike ( 614282 )
    The claims of stealing $2000 and other crimes are exaggerated. The story reported at CNet [com.com]:

    According to the attorney general's office, Boudreau began to install key-logging software around April 2002 and used intercepted information to add money to a stored-value card used in the campus dining and bookstore system. Boudreau is not, however, accused of misusing credit card numbers or profiting from selling any private information he allegedly gleaned.

    A person at Boston College with knowledge of the situation said the attorney general's office exaggerated Boudreau's accomplishments in its press release, in an attempt to tout this prosecution as a high-visibility test case. "I feel bad for this kid," the person said. "He's not the appropriate test case. He's feeling bad. He has all these issues. He's been depressed."


    Not that I feel bad for him for being depressed or anything, but he's being viewed as a real criminal who stole from hundreds where all he really did was mess around on a computer.
  • In what may serve as a cautionary tale for people who use computers in public areas...
    Given the headline associated with the story and this line, I couldn't tell whether sympathies lay with the ordinary Joes and Janes who may suffer the adverse effects of partial "identity theft", or with the hackers whose abilities are likely to be legislated against.

    My opinion: in a "free" country, if the United States is actually supposed to be free, then we should be "free" to install spyware anytime we would like on our own computers (i.e., school administrators and internet cafe owners should be allowed to install keystroke monitoring software on their own systems) as long as they do not use the information maliciously. On the other hand, there are ethical issues when there is no warning of installation of said software. And, again, when data gathered by such measures are used for purposes other than network security -- such as to violate the security of an individual without warrant for any reason -- foul play is afoot and repercussions should be harsh.

  • by Dexheimer ( 621938 ) on Sunday February 09, 2003 @12:03PM (#5264840)
    Key Katcher at ThinkGeek.com [thinkgeek.com]. There is much talk about blocking keylogging software in the first place, but what about something like this?
    This is a device that can be connected to a keyboard to record all keystrokes. It has a changeable password, keyword search, enable/disable option, and stores URLs. Records more than 65,000 keystrokes and does not require any software. Monitor unauthorized access to your computer or your network. Use it to troubleshoot or make fixes by tracing back through a users command sequence.

    Key Katcher plugs in between your keyboard and your computer. A microcontroller interprets the data, and stores information in the non-volatile memory (which retains the information even when there is a loss of power.) This means that the Key Katcher device can be unplugged, and the information will not be lost. Key Katcher plugs in between your keyboard and your computer. A microcontroller interprets the data, and stores information in the non-volatile memory (which retains the information even when there is a loss of power.) This means that the Key Katcher device can be unplugged, and the information will not be lost.
    To access the recorded data, you simply type your password in a text editor and the Key Katcher comes to life. A menu is displayed with options to erase data, view data, search data for keywords, change password, or disable the device.
    • by andfarm ( 534655 ) on Sunday February 09, 2003 @04:46PM (#5266572)
      Note to self: whenever logging into an untrusted machine, check along the keyboard cable to computer. If you see anything strange, unplug it and crush it under leg of handy chair.Crunch. Oops, was that your keylogger?

      Seriously, devices like these should be illegal. There's really no legitimate purpose for them -- no more than for those X10 spycams. (No, "maintenance and troubleshooting" isn't a real purpose -- most users don't enter a "command sequence" anyway, so that's a moot point.)

  • This one reminds me of those Ann Landers "Stupid Thief" stories. What kind of idiot tries to steal from people using a college network? Students are broke, and most of the professors probably are not doing well either.

    Maybe the next guy to try this will get a clue and do it at a law firm, so that he makes enough money to leave the country before getting caught!
  • Which one ? (Score:2, Informative)

    by LiteForce ( 102751 )
    ...and I thought the article was referring to the original Boston College [boston.ac.uk]!

    I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.

    Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.

    To clarify, Boston [cityofboston.gov] (in Massachusetts [mass.gov], United States) was named after Boston [boston.gov.uk] (in Lincolnshire [lincolnshire.info], United Kingdom) - more information can be found here [neu.edu].

  • by Pig Hogger ( 10379 ) <pig DOT hogger AT gmail DOT com> on Sunday February 09, 2003 @12:26PM (#5264968) Journal
    Now, how about indicting and convict Kazaa and those of the same ilk who pepper their users' computer with all sorts of spyware without explicitly warning them right upfront???
  • Glad I use Knoppix (Score:3, Insightful)

    by Rysc ( 136391 ) <sorpigal@gmail.com> on Sunday February 09, 2003 @12:41PM (#5265045) Homepage Journal
    This makes me glad I use Knoppix.

    When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppx CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addrsses and gets online right away. Of course, I could still be monitored if they really want to do it, but the runo-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.

    They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.
  • pocket change (Score:3, Insightful)

    by Servo ( 9177 ) <dstringf@tut[ ]ta.com ['ano' in gap]> on Sunday February 09, 2003 @01:16PM (#5265276) Journal
    In reality, $2000 isn't much money when talking about the possibility of how much the guy could have stole with that many victims.

    If your going to ruin your life over fraud, you might as well go all out.
  • by Anonymous Coward on Sunday February 09, 2003 @03:10PM (#5266010)
    The Norwegian University of Technology and Science [www.ntnu.no] was hit by password sniffing recently. The password capturing was un-detected for months, since no damage had been done, and just a few Windows computers were affected. In Nowember, an administrator logged on to one of those computers, and this meant that the crackers gained access to the Windows password files. They filled up file servers with warez.
    (Because of its position close to the Norwegian Internet backbone and large amounts of storage space, it is a big target for crackers. In an experiment where an out-of-the-box Windows server was hooked up to the network, crackers broke into it within minutes.)
    The real attack was detected on the afternoon of the 21st of January 2003. Resident geeks worked through the night, and approximately 100 IT staff worked at giving out passwords to 22000 studentes and faculty during the following days. The users had to show ID cards and select a new, totally different password. The waiting lines were pretty short thanks to the heroic efforts of the IT staff. The old passwords were retired on the 23rd/24th of January. The primary file servers, running on *nix were not affected, but the university would not risk the password files to be cracked.
    The way this was handled caused less distruption than when crackers attacked the University of Oslo [www.uio.no], an intrusion discovered on the 14. of November 2002. There, chaos ensued when all network access was suddenly closed down on at noon Friday (15?), and 52000 users had to show up to get a new passwords before they could log on again.
  • by Thing 1 ( 178996 ) on Sunday February 09, 2003 @03:13PM (#5266033) Journal
    He wasn't arrested for planting spyware, he was arrested for stealing $2,000.

    Just like the murdered wasn't arrested for purchasing the axe.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...