Arrested for Planting Spyware on College Compus 414
AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."
But... (Score:4, Funny)
MIT (Score:5, Interesting)
Re:MIT (Score:3, Insightful)
Or exploiting a compromise. Granted at MIT they are more likely to catch you than at other places, but don't think that passwords make you immune to buffer overflow and other attacks.
Re:MIT (Score:3, Insightful)
A packet sniffer will get you some juicy info
Re:MIT (Score:2, Interesting)
Re:MIT (Score:3, Informative)
Re:MIT (Score:5, Insightful)
Re:MIT (Score:2)
ATMs too (Score:5, Interesting)
Re:MIT (Score:3, Interesting)
Although these mainly exist for ps/2 keyboards, there are hardware keystroke loggers that plug in between the keyboard and the USB port and are designed to look nonconspicuous.
Re:MIT (Score:5, Insightful)
The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software.
Even if you use something like SSH or SSL, that only products you between the two endpoints. When one of the end-points (the client you are using, in thise case) is insecure, a secured data tunnel is worthless. Indeed, your keys/passwords/etc. can be stolen quite easily.
If you need to compute on the run, get a laptop that you are in control of. Don't use someone else's machine to conduct sensitive business or utilize sensitive information.
Re:MIT (Score:5, Informative)
Prevent booting from a floppy, password protect the bios and lock the case. Makes it much harder.
You could still do it, but the odds are that someone would notice that you were literally hacking in to the computer so you could set the dip switch on the motherboard to blank out the bios password.
And it should be obvious to the techs who do maintenance that someone has sawed through their lock.
Food for thought: (Score:5, Insightful)
Ouch.
Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...
But we're just talking here, aren't we friend?
Re:Food for thought: (Score:2, Informative)
Re:Food for thought: (Score:3, Informative)
AFAIK it is possible to use PS/2 keyboards on some Amiga models. And our NCD boxes (X-terminals) also use PS/2 keyboard and mouse. One of our happens to have a PS/2 keyboard from SGI, though I don't know if that one is identical to the keyboards connected to the SGI. I have noticed one functional difference on the keybards connected to the SGI though they look exactly like a standard PC keyboard. The software can see when the Pause/Break key is released, normally a PS/2 keyboard sends the key release code for that key already when it is being pressed.
Re:MIT (Score:5, Informative)
The BIOS password is useless. Furthermore, even if it weren't, if you install a hardware keylogger, you will get the password anyway. If you want to do it professionally, install the keylogger inside the keyboard's case.
In short, if you have physical access to a machine, the possibilities of compromise (even non-invasive) are endless. And that's not even taking into account fake logins, trojans, OS & app exploits, etc. pp.
Re:MIT (Score:5, Informative)
Re:MIT (Score:3, Insightful)
Pardon my ignorance, having never laid eyes on the public systems referenced at either University, but how open, exactly, are they?
A few things come immediately to mind; why not encase the whole system, including keyboard connectors et al, in an external case? (Not a PC case, but an enveloping case that might even include the monitor) Also, why even have a floppy or CDROM drive attached? Makes securing the BIOS password a lot more pointless if you now have to cart around a set of lock-pick tools, a spare floppy drive and ribbon, and be able to perform surgery on the box while nobody's looking.
If these truly are desktop machines, open and exposed to the world in all their glory, it seems to me as if they'd be the last machines I'd trust with my PIN, credit card, bank card, or any other personal details. Casual web surfing only, thankyouverymuch.
Re:MIT (Score:3, Insightful)
But under certain circumstances anonymity is privacy so some behaviours on a public machine are more private than on personal machines. If you provide nothing but false data about your identity on a public machine (i.e. don't access anything that is connected to your true identity) you can post messages that have high plausibility of denial ("I don't know anything about that post".)
Re:MIT (Score:5, Insightful)
The problem isn't inherent in single user windows systems, it's quite simple to lock down a windows machine to prevent easy installation of this kind of program, the problem is lack of security protocols on the tech end.
Re:MIT (Score:2)
Re:MIT (Score:3, Funny)
Re:MIT (Score:2)
Wrong answer, thanks for playing.
It is easy to get the login details of other users - I did this at Uni myself (many years ago) and over a few weeks I got the username and password of everyone in the department who were using those systems - Suns running SunOS which, last time I checked, is a unix-based system.
(It wasn't big and it wasn't clever, although in my defense all I did this for was to see if people woudl fall for it - I never used the passwords to do anything)
Re:MIT (Score:2)
Risks can be reduced, they cannot be eliminated.
Re:MIT (Score:2)
Key Katcher [thinkgeek.com]
Expensive, but will work on anything using a PS/2 keyboard.
-----
Uh...wrong (Score:2)
Makes the screen black, and displays a "Welcome to Athena" sign on screen that looks just like the real one. It takes the username and password, and invokes su to run a shell/window manager as the user. In the meanwhile it logs their username/password to a file in my directory.
I guess it depends if su is installed on Athena (IANAMITS I Am Not An MIT Student), but probably it is. If not, you can just put a hardware keystroke recorder on the computer.
Unix does not a secure system make.
Re:Uh...wrong (Score:4, Interesting)
Even if its not, you can still collect passwords, just more slowly. If it can't su, the trickster software can just display an "authentication failed" message and quit to the real login screen. The victim just assumes she mistyped on the first try, and the attacker has a single new password to play with.
Tricks like this is why Microsoft added the "Press Control+Alt+Delete to Log In" feature. (At the DoD's behest)
Supposedly, it would be impossible for any user-level program to trap that keystroke, so you always can be sure you're seeing the real OS login screen. (Of course, given how easy it is to compromise the OS itself, this protection means little).
Re:MIT (Score:5, Interesting)
When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.
Don't think you're safe on a multiuser system either.
Re:MIT (Score:4, Informative)
Don't think you're safe on a multiuser system either.
A Windows-based multiuser system would be safe from this sort of attack. Windows servers can be set to require the user to hit the system key combination, Ctrl-Alt-Del, before entering their login information. Ctrl-Alt-Del is not trappable in any fashion by any userspace program and can be set to always transfer control to the system. If you're on a Windows server and you hit Ctrl-Alt-Del, you can be absolutely sure that the window that pops up next is a legit system dialog.
Re:MIT (Score:2)
Oh, and su and access commands are supposedly remotely logged. I've been questioned in W20 shortly after logging in as root.
Has anyone out there used the new Win32/Athena machines? I'm affraid, very affraid. Also, is the Administratr password the same as the root password for all of the *NIX workstations?
Re:MIT (Score:2)
I briefly worked on the MIT I/S project to bring Windows to public clusters. The project's official name was "Pismere", latin for horse piss. The test servers were named "frequently-down" and "data-loss". Needless to say, we all considered the project to be an enormous security risk.
I remember finding a nice proof of concept of a security hole when I was there. Found a web site that displayed an image saying "if you see this, I can get your username and password, click here". I clicked, and 2 minutes later the target page refreshed with my username and password! This was 1999, the web wasn't exactly new.
The standard athena unix boxes have a fairly impressive (although certainly not impenetrable) set of defenses. There's a tripwire type system that runs on user logout and disables the system if anything funny is detected. Admins then fix the box by reinstalling from a network server (completely automated).
(for those who are interested, the exploit was accomplished by pointing an IMG tag to a file on a SMB share that was running a hacked version of Samba. The Samba server would claim it didn't understand the modern authentication methods and request a LanManager style login. Windows LanManager password hashes had a flaw that made them fairly easy to reverse.)
Re:MIT (Score:5, Interesting)
Well, I haven't used an Athena workstation for a few years, but back then, knowing the root password wouldn't help you. Everyone knew the root passwords. They were all the same, and in many rooms it was posted on the wall for the benefit of new users. The password was "mrroot" (pron. "Mister Root"). The usual comment to people who raised their eyebrows at this was "If you think it's a problem, try to exploit it."
The recommended approach with these machines was to reboot them (using the power switch, of course). This would cause them to download a new OS from the network. The local disk would be entirely "scratch", to be mounted and used as you liked. The general assumption was that you
would clean up after yourself. If you left behind a trojan horse that trapped the next user, well, they trusted an unknown system, so it was their problem.
Having the root password well-known was very useful. It meant very few "customer support" calls. This was MIT, after all. If something doesn't work, the natural reaction of most users is to start investigating. With the root password, competent MIT users could diagnose most problems themselves, and either fix them or leave a note describing the problems and move to the next available machine.
Unix's "root" security is primarily a tool for protecting the system from buggy software and clumsy users. It's for building walls between parts of the system so that app X can't shoot down app Y, and no app can shoot down the OS. It's not really for preventing breakins, and hasn't been useful for that since unix systems became networked a quarter century or so ago. Intercepting network traffic is trivial, and anything that goes across the network is assumed public.
Over the years, I've often been bemused by the idea that root passwords must be protected for security reasons. People really are that ignorant of how security works.
When you keep your root passwords secret, you mostly interfere with your own people's ability to diagnose and fix problems. You don't add materially to your security.
Re:MIT (Score:3, Interesting)
Which means you could pretty much do anything you wanted on the local network or the local computer. You didn't have to login to the local computer AT ALL.
So if you used a multiple user/non windows system and still didn't force the person to login to the local system, you'd still have the same problems.
Also, because you were forcing people to authenticate with a firewall through clear TCP/IP, you are sure to pick up username/passwords if you decided to use a network sniffer.
In short, stop being an OS biggot. There exists secure windows environments, and there exists insecure Unix ones.
Re:MIT (Score:3, Informative)
Odds are if it's a pure software problem the tech will never look at the back of the machine. Once he's fixed the problem and wandered off, you can retrieve the keystroke monitor and you probably have the admin account name and password.
Re:MIT (Score:3, Interesting)
Re:Zealotry. (Score:4, Insightful)
To say, "No, you mentioned unix and MIT so therefore you must be a zealot and cannot have a point," is stupid. Saying that the useage of computers is irrelevent in this case is just as ignorant. The point of the story was not just to say crime happens. By alerting people to specific kinds of crime, people know to be cautous or to look for ways to avoid being victomized. For example, if the article was about someone using a defect in a specific brand of lock to break into houses and steal things, would you claim that the story isn't about locks or defects but instead only about a thief and his breaking and entering? I should hope not. More likely, you would check to make sure that you weren't using that kind of lock and if you were, you'd replace it to make sure you weren't vulnerable. Just because there is a theif does not mean that the general problem and solutions to it must be ignored.
proxy keyboards (Score:5, Funny)
It's a joke! (Score:2, Informative)
The only thing that plugging in another keyboard would do is disable the FBI snooping device secretly installed in the other keyboard. (Yes, they have those devices.)
Allow me to quote you now: wow some people might be intelligent in some areas but fucking clueless in the obvious
This is not a cautionary tale for users... (Score:5, Interesting)
It's a cautionary tale for admins. Users should not have to worry about basic things like whether keypreses are being logged.
The fact that the guy got caught makes it also a cautionary tale for anyone planning something like this...
Re: This is not a cautionary tale for users... (Score:4, Funny)
> The fact that the guy got caught makes it also a cautionary tale for anyone planning something like this...
Did they catch him by monitoring his keystrokes?
Re:This is not a cautionary tale for users... (Score:2)
And how exactly should they prevent it? They can't possibly be aware of every single keystroke system out there, hardware or software, then monitor each host to ensure they don't get compromised. Admins at many sites are so overworked that they are lucky if they can keep all the machines up and running.
Re:This is not a cautionary tale for users... (Score:3, Insightful)
It is indeed the admin's job, and a good one *can* do something about it. If their employer doesn't give them the resources to do so properly (ie. insufficient staffing) then that's said employer's problem -- but a good admin, with sufficient staff, should do things like this.
Re:This is not a cautionary tale for users... (Score:5, Interesting)
There was one program in particular called Intraspy [natasoft.com]. It hid everything so the only way we could snag it was by searching for files modified in the last few seconds to catch the log files. Luckily it logged the guy who installed it exiting the system, so we tore him a new asshole.
In a weird twist of fate, it turned out it ran a program called ISSRV. Our virus checker ran ISRV and so our lame sysadmin got his wires crossed and went around disabling all the virus checkers . . .
Re:This is not a cautionary tale for users... (Score:2)
They may be shared machines (Score:5, Insightful)
Re:They may be shared machines (Score:5, Interesting)
At my school, we've got some computers in very public areas that are all full of restrictions, and people run into usability problems with them all the time. But on the computers in the library, users can install whatever they need. If I need to install a drawing program to help create a presentation, I should have the freedom to do so. If I want to install AIM to get files off my computer remotely or send myself information, I should be able to do this. These are important user rights in a computing age.
As such, it is important to monitor what is being placed on computers, but it is foolish to restrict everything outright.
Re:They may be shared machines (Score:2, Insightful)
Re:They may be shared machines (Score:5, Insightful)
A nice sentiment from someone who is obviously not a sysadmin of any non-trivial setup, or from someone who is fortunate enough not to be overworked and have plenty of time to do one's job.
The problems with giving users free reign on public/lab systems are several. The biggest one is that letting users install whatever they want can leave behind god-knows-what, like spyware or trojans. Also, it's easily possible for installing a piece of software to break another, more important piece of software. When that happens, since I'm the admin, it's my job to fix it. Of course since I have so much free time and generally do nothing all day except post on slashdot, this isn't a problem, right?
Another issue is licensing, and that's something most users, even ones competent enough to install software, don't take into consideration. They install their copy of Corel Office on the public/lab system because that's what they used at home to do their presentation or document, and suddenly there are legal implications to the organization servicing that computer.
If it's your computer, that's an entirely different story. For example, Microsoft has no business mandating what can and can't be installed on your computer. But if the system is an asset of my organization under my administrative control, you better believe I'm going to lock it down. My job is to make it very easy for users to do authorized tasks, such as web browsing or word processing, and very difficult for users to do unauthorized tasks, like installing foreign software, or accessing/deleting data that's not their own.
Jason.
Happened Here Too (Score:3, Interesting)
What I find amazing: (Score:5, Funny)
Re:What I find amazing: (Score:2)
Students are not poor. If you live in a university town like I do you can see all of the really nice stuff that gets thrown away by students. A lot of them have ass-loads of money from their parents. I know there are also a lot of struggling students, but with personal info on more than 4000 people, he should be able to do better than that.
Re:What I find amazing: (Score:3, Funny)
Nothing new... (Score:4, Interesting)
Re:Nothing new... (Score:2)
Re:Nothing new... (Score:2)
How about the network administrator's root password?
Re:Nothing new... (Score:3, Interesting)
This guy was clearly more enterprising in that he stole some money, but the question is why didn't he steal more money? And what is with this installing ready made programs, now it is too easy. In the past you had to make TSR's, forge login screens, alter commands and so fourth it was actually not hard but not every idiot could do it. Now you just go to a website and download a packet sniffer or keystroke recorder. It is too easy to do. And because it is too easy to do you'd think net admins would be more aware and capable.
But then again all these compromised systems are non UNIX like. It is hard to compromise a UNIX system without root access. And joe public can't necessarily get his hands on root access or exploit a bug to steal it so at least UNIX is somewhat secure.
Also from the tone of the article it sounds like the college thinks that maybe the prosecutor went too far. The college seems to be more forgiving. For example "Smith said, noting that Boudreau could have used it with far more devastating consequences. ". So the security consultant is pointing out he could have done worse. And so is the spokesman for the college 'While we are grateful to the attorney general's office for their assistance in this case, it's important to state that Mr. Boudreau gathered personal identification numbers on students but never misused them in any way," said Jack Dunn, a spokesman for the college.' At least the schools aren't blowing the case out of proportion like the prosecutor is. Although he did steal $2000 so he shouldn't walk. It's one thing just to login and play pranks, but it is quite another to steal money or do other things.
Old tech keylogging (Score:3, Interesting)
*ahem* but of course I haven't done that sort of thing in decades... ;^)
This software... (Score:5, Interesting)
Trying to keep tabs on this kind of thing can be nigh on impossible.
We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate [fortres.com] that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.
We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.
No, I dont work for Fortres Grand but thought it seemed appropriate to the subject!
Re:This software... (Score:3, Insightful)
Clean Slate... (Score:2)
While this might be annoying to some, in general, its a good thing on public computers. Besides undoing any software installs a user might've tried, it also removes old cookies and temp files that might contain someone's personal info.
Most public uni. computers ive seen all have zip drives. If you want to download and save something, I suggest putting this to use. It is, after all, a public computer.
Re:This software... (Score:2)
You have to revert to registry hacks or security policy changes, which is a pain in the ass considering the same task is basically automatic on UNIX.
Erik
Re:This software... -- is worse than useless (Score:5, Informative)
This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.
There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.
In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.
By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.
--Paul
Re:This software... (Score:2, Insightful)
We then had every computer in the school getting installed with many games and chat programs every time the computer got turned on. Not only that, the password was changed so the teachers couldn't change it back.
My point is this: perfect physical security is nothing without dedication by the humans that have to use it.
Re:This software... (Score:3, Insightful)
This reminds me of a PM I had one time (Score:3, Interesting)
I have been doing Internet based development exclusively for four plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes thing easy without thinking about any potential consequences.
I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.
Re:This reminds me of a PM I had one time (Score:3, Insightful)
Cash has its drawbacks too, and it's not just the waiting in line to withdraw or deposit money. Ever gotten a counterfit bill as payment, or as change in a supermarket or bar? Good luck convincing anyone that they were the ones to hand you that particular bill.
Re:This reminds me of a PM I had one time (Score:2)
Maybe it was his Prime Minister. Or his Pizza Man. Wait no, it was his Personal Masseuse. No, no, his Prime Meridian. Pre Menstrual?
No?
Does anyone? know what a PM is supposed to be?
Not so big (Score:2)
Cut and paste your passwords (Score:5, Interesting)
wonderful! (Score:2)
Re:wonderful! (Score:5, Funny)
Re:Cut and paste your passwords (Score:2)
Re:Cut and paste your passwords (Score:3, Informative)
Re:Cut and paste your passwords (Score:5, Informative)
thank you, try again.
The truly scary thing ... (Score:3, Interesting)
You only need to install your sniffers on a few boxes to get plenty of good credit card numbers and passwords and such. And if it's installed on only a few boxes, it would (unless they were specifically looking for this) be very hard to detect if done correctly.
And then if you're careful about the credit cards that you use (i.e. use only one or two, or only those that have bought stuff from a given site, etc.) they won't even suspect that people are sniffing at this one site. (If you use every credit card you find, the credit card companies will figure it out pretty quick by finding out what's in common with all the cards in question.)
In short, for every guy who's caught, there's probably dozens of guys who aren't caught.
Be afraid. Or, more importantly, be careful.
Crime is Crime not computer crime (Score:5, Insightful)
Using a computer to commit a crime is no different than just commiting the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.
suspended? (Score:2, Interesting)
He would have gotten away with it too (Score:5, Funny)
This indicates a few things (Score:2)
Question: Is this their fault? IMO, no it isn't. The visual indications they see indicate they are indeed using some kind of security. The problem here is software manufactuers (not just M) do not have most users best interests at heart when it comes to security.
2. A system that allows key monitoring software to be installed so easily SHOULD NOT be sold for public use! Not only are the software makers at fault, but so is whomever decided to use such an unsecure system in a public area. But whoever that is, is probably fairly clueless when it comes to security too.
This will continue indefinitely until 1 of 2 things happen;
1. Someone comes out with a dumbed down computing device that uses Windows (sorry, but that's a reality), is cheap, and requires little to no administration (or little enough that breaking the security by a clueless admin will be impossible).
- or -
2. People get a clue about security... not gonna happen.
In fact, I don't see either of the two happening, so IMO this kind of stuff will continue well into the future.
it is about time you get rid of the typo (Score:2)
Public access banking? - Idiots (Score:2)
Even if it wasn't 'cracked', do you know whom the admins are? Or who they work for..
Its just a big risk to trust ANYTHING public these days..
Info-gleaming (Score:2)
Radical, dude! Did he also Gleam the Cube [imdb.com], to get even by risking it all?
P.S. [reference.com]
Exaggeration (Score:2, Informative)
Not that I feel bad for him for being depressed or anything, but he's being viewed as a real criminal who stole from hundreds where all he really did was mess around on a computer.
Caution for whom? (Score:2)
My opinion: in a "free" country, if the United States is actually supposed to be free, then we should be "free" to install spyware anytime we would like on our own computers (i.e., school administrators and internet cafe owners should be allowed to install keystroke monitoring software on their own systems) as long as they do not use the information maliciously. On the other hand, there are ethical issues when there is no warning of installation of said software. And, again, when data gathered by such measures are used for purposes other than network security -- such as to violate the security of an individual without warrant for any reason -- foul play is afoot and repercussions should be harsh.
Hardware based keylogger from ThinkGeek.com! (Score:4, Informative)
Re:Hardware based keylogger from ThinkGeek.com! (Score:5, Interesting)
Seriously, devices like these should be illegal. There's really no legitimate purpose for them -- no more than for those X10 spycams. (No, "maintenance and troubleshooting" isn't a real purpose -- most users don't enter a "command sequence" anyway, so that's a moot point.)
Stupid thief... (Score:2)
Maybe the next guy to try this will get a clue and do it at a law firm, so that he makes enough money to leave the country before getting caught!
Which one ? (Score:2, Informative)
I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.
Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.
To clarify, Boston [cityofboston.gov] (in Massachusetts [mass.gov], United States) was named after Boston [boston.gov.uk] (in Lincolnshire [lincolnshire.info], United Kingdom) - more information can be found here [neu.edu].
Now, how about Kazaa? (Score:4, Insightful)
Glad I use Knoppix (Score:3, Insightful)
When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppx CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addrsses and gets online right away. Of course, I could still be monitored if they really want to do it, but the runo-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.
They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.
pocket change (Score:3, Insightful)
If your going to ruin your life over fraud, you might as well go all out.
NTNU in Norway made warez store by crackers. (Score:3, Interesting)
(Because of its position close to the Norwegian Internet backbone and large amounts of storage space, it is a big target for crackers. In an experiment where an out-of-the-box Windows server was hooked up to the network, crackers broke into it within minutes.)
The real attack was detected on the afternoon of the 21st of January 2003. Resident geeks worked through the night, and approximately 100 IT staff worked at giving out passwords to 22000 studentes and faculty during the following days. The users had to show ID cards and select a new, totally different password. The waiting lines were pretty short thanks to the heroic efforts of the IT staff. The old passwords were retired on the 23rd/24th of January. The primary file servers, running on *nix were not affected, but the university would not risk the password files to be cracked.
The way this was handled caused less distruption than when crackers attacked the University of Oslo [www.uio.no], an intrusion discovered on the 14. of November 2002. There, chaos ensued when all network access was suddenly closed down on at noon Friday (15?), and 52000 users had to show up to get a new passwords before they could log on again.
!Arrested for Planting Spyware on College Compus (Score:3, Informative)
Just like the murdered wasn't arrested for purchasing the axe.
Re:Actually... (Score:5, Interesting)
Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)
Re:Actually... (Score:2, Insightful)
Maybe we should all have spyware installed on our machines so that all of our information can be "liberated".
Re:Actually... (Score:3, Funny)
Re:Actually... (Score:4, Funny)
Where do I go to get my white hat?
Re:Just think.... (Score:2, Insightful)
Stuff like this is already illegal; we don't worry about it as much because this isnt'big brother; this is someone we can throw in prison.
Re:Just think.... (Score:2)
Re:Don't quit your day job (Score:5, Insightful)