Education IT

UCSB Student Engineers Grade Hack

An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
This discussion has been archived. No new comments can be posted.

  • Blowjob (Score:4, Funny)

    by Anonymous Coward on Thursday March 31, 2005 @01:02AM (#12097530)
    Blowjob would have done the same without all this popularity. Huh .. kids will never learn.
    • Re:Blowjob (Score:4, Insightful)

      by Anonymous Coward on Thursday March 31, 2005 @01:22AM (#12097652)
      Gee, no wonder women are leaving it [slashdot.org].

      Geeks are starting to act like construction workers..."if a woman wants to get ahead, all she has to do is suck some dick."
      • by fizbin ( 2046 ) <martin@ s n o w p l o w . org> on Thursday March 31, 2005 @02:06AM (#12097868) Homepage
        Geeks are starting to act like construction workers.
        (Emphasis mine)

        I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)

        Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.

        Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
      • Re:Blowjob (Score:5, Funny)

        by R.Caley ( 126968 ) on Thursday March 31, 2005 @02:17AM (#12097915)
        Gee, no wonder women are leaving it.

        What with men having the advantage because they give better blowjobs you mean?

        "if a woman wants to get ahead, all she has to do is suck some dick."

        Strange choice of example. It says that men are easily corrupted by offers of trivial sexual favours. It doesn't say anything negative about women at all.

        • Re:Blowjob (Score:5, Funny)

          by locr1an ( 771992 ) on Thursday March 31, 2005 @08:32AM (#12099043)
          oh, men are usually so easy we don't *have* to offer a blowjob... I remember I used to manage an auto shop, and occasionally when things were slow I'd pull my car into the garage and change the oil, tune it up, etc. I kid you not, all I'd have to do is put my car on the lift and say in a tired voice "this drain plug's on really tight!" Next thing you know I'd have two guys working on my car to prove how easy it all is while I drank my coffee and listened to the radio show. please women...let them think they help us, let them think *they is* so so smart before you mess up my whole M.O.!!!
    • Re:Blowjob (Score:5, Funny)

      by Profane MuthaFucka ( 574406 ) <busheatskok@gmail.com> on Thursday March 31, 2005 @01:22AM (#12097653) Homepage Journal
      "Professor, I will do ANYTHING to get an A. (wink wink nudge nudge)"

      "Well then, why don't you try studying?"
    • Re:Blowjob (Score:5, Insightful)

      by DarKry ( 847943 ) <darkry@darkry.nBOYSENet minus berry> on Thursday March 31, 2005 @01:54AM (#12097822) Homepage Journal
      Fact of the matter is this is just going to happen more and more often. University networks are wide open, first there are computer labs where anyone can sit down and pop in a knoppix std [knoppix-std.org] CD. Then they can fire up ettercap [sourceforge.net] and go to town on everything getting passed on the switch. When campuses use SSL protected systems for grades it is just asking for trouble. It's just a matter of time before Joe Blow will have every prof's passwords. Once that happens it can be tempting to change a couple grades here and there. And grades are nothing compared to the other information that can be obtained, SSN's of the entire campus for instance... Basically ARP needs to get secure because there is really no way a college (that has to have an open network to function) can be a safe place to send important data back and forth. Maybe the solution is a private network for profs with the important info on it. Good lesson though.
      • Re:Blowjob (Score:4, Informative)

        by jez9999 ( 618189 ) on Thursday March 31, 2005 @05:26AM (#12098460) Homepage Journal
        University networks are wide open, first there are computer labs where any one can sit down and pop in a knoppix std cd...

        Well, here's one solution - set the BIOS not to boot from CD. Set a sensible BIOS password. That's that problem sorted.

        Seriously, I don't know why so many people bang on about Linux-on-a-CD being dangerous; it's like ActiveX - it's only dangerous if your computer setup allows it to be.
  • by xmas2003 ( 739875 ) * on Thursday March 31, 2005 @01:03AM (#12097535) Homepage
    She might have gotten away with it if she had used an open wireless access point - shoulda changed the grades at Starbucks! ;-)

    Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.

    • by Anonymous Coward
      ugh. chicks are hacking their college grades now.

      Comp sci has suddenly become too common for me, I need a new career.
    • The least she could have done was use Tor and Privoxy. Oh well. So much for changing her grade. Now that she's going to be a bona fide convict, she can pull down the six figures like Mitnick.
    • She might have gotten away with it if she had used an open wireless access point


      Nonono! The line is "if it hadn't been for those pesky kids and that dog!"

    • She might have gotten away with it if she had used an open wireless access point - shoulda changed the grades at Starbucks! ;-)

      Believe it or not, they keep MAC address databases, any self respecting router will. Who is to say the police can't trace the IP to a wireless access point and check MAC addresses? Who is to say that free is really free, that it's not one big honey pot? They have cameras? They know the time it happened??

      It ain't that easy...

      • by Yokaze ( 70883 ) on Thursday March 31, 2005 @01:48AM (#12097797)
        > Believe it or not, they keep mac address databases, any self respecting router will.
        ifconfig wlan0 down
        wlanctl-ng wlan0 dot11req_reset setdefaultmib=true macaddress=$RANDOMMAC
        ifconfig wlan0 hw ether $RANDOMMAC
        ifconfig wlan0 up
    • by Anonymous Coward on Thursday March 31, 2005 @01:34AM (#12097720)
      She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.

      So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.
    • Yeah, changing the account with your name on it won't give a damn thing away as long as your IP is untraceable. Who'd think to look at your name.

      A smarter hacker would infect the system with a script that would gradually, over time, boost their GPA in a difficult to trace method. Maybe figure out a minor improvement that you'd make every day to all students that had a student id number that fit a given algorithm.. where your own id just happens to be one that comes up most frequently. Say that your student
      • by R.Caley ( 126968 ) on Thursday March 31, 2005 @03:01AM (#12098084)
        A smarter hacker would infect the system with a script that would gradually, over time, boost their GPA

        Anything which boosts your score is going to point at you.

        What you want to do is plant evidence of the professors having a bias against you. Subtle things. Enough to form the basis of an appeal. Then you drop your grades in your good subjects so a review will see that you are a victim and give you a pass.

    • Is it only me? (Score:3, Insightful)

      by jetmarc ( 592741 )
      Is it only me, or did you as well notice that a hacked computer login is now called "identity theft" as in "credit card fraud" and all the other stuff we use to associate with it?
      • did you as well notice that a hacked computer login is now called "identity theft"

        She didn't hack the login, she used ID information to impersonate the professors and get the passwords changed.

        Given the level of security, it's perhaps better called ``identity casually picked up off the floor where it was just lying around'', but it's clearly a subclass of identity theft.

    • by jasonla ( 211640 ) on Thursday March 31, 2005 @09:51AM (#12099684)
      Disclaimer: I am the author of the article.

      Thank you for the kind comments, xmas2003 and obsol33t.

      I'd like to clarify and reply to some of the comments made on Slashdot, if you would allow.

      I did not think this incident could be considered "hacking." Notice that we didn't use the terms "hacker," "hacked," "exploited" or "compromised" in the headlines or article when describing what happened. Like the article says, there were technically no exploits in the system -- no SQL injection, buffer overflow, XSS, etc.

      Not every person could repeat what Ramirez allegedly did. Her job gave her a specific access to personal information. It's really a case of identity theft, a felony offense. The police are responsible for charging Ramirez, not the university.

      When reading the story, you have to remember that it's a general newspaper, not 2600 or the like. The three (3) paragraphs, out of roughly 30, about the knowledge required to enter eGrades was included to give readers a perspective on the difficulty level needed to do what the perpetrator did. "Was this person a 'true hacker' or was it something simpler than that?"

      The phrase, "required some technical savvy," was meant to indicate a small amount, not emphasize, of technical knowledge was needed.

      Also, the lede -- the first sentence in a news article -- states, the grades of several students, not just Ramirez's and her roommate's, were changed. Police would not release further specific details about others' changes because of the ongoing investigation, as the article stated.

      Schmidt, as far as I know, is a very competent network programmer/sysadmin/computer geek. He's also pleasant on the phone. =) I'm guessing he simplified his statements because he was talking to the press and did not know if I had any technical knowledge. For the record, I know enough. =)
  • by Teknobob ( 43181 ) on Thursday March 31, 2005 @01:06AM (#12097551) Homepage
    I guess it brings a new meaning to not being able to hack it in college.
    *ducks*
  • by Raul654 ( 453029 ) on Thursday March 31, 2005 @01:06AM (#12097554) Homepage
    I can beat this [delawareonline.com] by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
    • This makes no sense to me. If you're going to change it, why not just change it to a P (pass, or numerical equivalent thereof)? Much less risk of detection, and if you *do* get caught, you've got the excuse "Why would I change it to 51% if I could have changed it to 90%?"
  • by kwoo ( 641864 ) <kjwcodeNO@SPAMgmail.com> on Thursday March 31, 2005 @01:07AM (#12097555) Homepage Journal

    ... when the policy enforced by the program is broken to begin with?

    From TFA:

    The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.

    This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.

    For more examples of such problems in systems, check out Risks Digest [ncl.ac.uk].

    • by stewby18 ( 594952 ) on Thursday March 31, 2005 @02:13AM (#12097904)

      But on the other hand:

      When a grade is altered, a feedback system is automatically triggered to inform professors and the Registrar's Office of the changes.

      "There's basically a feedback mechanism, and ultimately, it comes back to the feedback mechanism and the individual department trying to reconcile grades and saying 'It doesn't look like this is correct and how can this happen?'"

      So while the access point security is awful, there are processes in place to flag potential problems. At least they are practicing security in depth, even if one of their layers is paper-thin.

    • SSNs and DoBs are far too easy to find.

      My $CREDITCARDCOMPANY just got gobbled up by a bigger one. One of their "innovations" is that you can't have an arbitrary ID - it has to be all numbers and defaults to your SSN. I had a little talk with one of their managers who said "that's the way it is and we have no intention of changing it" who suggested that I could use my phone number instead of my SSN if I wanted an easy to remember but "more" secure ID.

      On top of that, their passwords are currently alphan
    • by ethank ( 443757 ) on Thursday March 31, 2005 @02:44AM (#12098019) Homepage
      Actually, I'm a teacher at UCSB, so I've used eGrade before.

      eGrades' security is far worse than that. It doesn't require a social security number and date of birth, rather it uses the "university id" that a student uses to login to some campus wireless networks, campus e-mail and the uweb/ustorage accounts.

      Here's the login interface:

      http://www.egrades.sa.ucsb.edu/ [ucsb.edu]

      Resetting the password requires:

      Last Name, Perm Number (id number), last four of social and birthdate.

      Obtaining these, albeit not easy, is not that hard at all.
  • From TFA (Score:4, Insightful)

    by ImaLamer ( 260199 ) <john.lamar@NospaM.gmail.com> on Thursday March 31, 2005 @01:08AM (#12097562) Homepage Journal
    "It's not like 300 grades were changed or anything like that," he said. "It's not even close."

    Like one person getting credit for something they didn't do isn't enough... it's got to be mass fraud to care?

    "It's believed at this time that [Ramirez] accessed the computer system from her house," Signa said. "There is also a second indication that the computer was accessed at one point from the office where she worked, so it's believed [she used eGrades at] both locations."

    Idiot!
  • Professor mistakes (Score:5, Interesting)

    by suso ( 153703 ) * on Thursday March 31, 2005 @01:09AM (#12097569) Journal
    Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
    • Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see.

      I had an instructor who did the same thing. Except his password was 26 characters long. He denied that it started with the letter 'a' and ended with the letter 'z'. Go figure.
  • by Prophetic_Truth ( 822032 ) on Thursday March 31, 2005 @01:10AM (#12097574)
    I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...
    • And you'll risk that Mitnick comes and exposes you :(
    • Hackers are no better than what they do. A criminal is a criminal, regardless of the tool they use. Just because the guy running Enron was a financial genius, does that mitigate his crimes?

      I happen to think of hackers like a baseball player. They have a greater responsibility to people, they were born with gifts. And if they use them for their own benefit and not society, then why did God give them more?

  • by therealfitzman ( 807672 ) on Thursday March 31, 2005 @01:10AM (#12097577) Homepage
    the only grade that was changed was an F in "Ethics 101".
  • War Games (Score:3, Funny)

    by bonch ( 38532 ) on Thursday March 31, 2005 @01:13AM (#12097592)
    Changing your grade is as simple as looking for the password taped under the desk!
  • SSN (Score:4, Insightful)

    by The Amazing Fish Boy ( 863897 ) on Thursday March 31, 2005 @01:13AM (#12097594) Homepage Journal
    If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.

    Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.


    SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
    • It's an ID number. The problem is, your name and DOB don't necessarily uniquely identify you, there are many documented cases of two people being born with the same name on the same day. Also, names are a very easy thing to confuse, you say one thing, they hear another.

      So SSNs are a good identifier. Their primary, and original, purpose is to track earnings for social security purposes. However congress later authorized its use for lots of other identification things (like tax ID).

      Now the problem is that fo
      • by theonetruekeebler ( 60888 ) on Thursday March 31, 2005 @11:00AM (#12100406) Homepage Journal
        SSNs are a good identifier.

        SSNs are a terrible identifier:

        1. They are not universal: They only work for US Citizens and resident aliens who have had lawful employment in the United States.
        2. They are not unique: After somebody dies their number can be recycled. Sometimes they get recycled by accident.
        3. They are still not unique: A person can obtain a new SSN.
        4. There is no referential integrity: A person can write down any nine-digit number they please and claim that it refers to them.
        5. There is no authentication: A person can use your SSN and claim to be you.
        6. They are used outside their scope: SSNs are designed solely to identify the relationship a taxpayer has with the U.S. government.

        Congress later authorized its use for lots of other identification things (like tax ID).

        Congress later authorized its use for one other identification thing (tax ID).

        What needs to happen is places like banks, universities, etc need to stop treating it like it's secret.

        Until SSNs cannot be used in violation of rule 6 and in spite of rule 5, they must treat it as a secret as important as the combination to your safe.

  • by Anonymous Coward on Thursday March 31, 2005 @01:14AM (#12097595)
    i would worry about the people that didn't

    [*_-]
  • From TFA (Score:2, Insightful)

    by Suhas ( 232056 )

    "An important distinction in this case, compared to some other instances you've seen reported on around the country, the integrity and security of our grading system is intact and was not compromised," said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.

    If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.

    The Security of the grading system is INTACT? Hell yeah!

  • They are also centers of research, collectors of learning, venerated halls which house the brightest of the bright.

    By direct inference, any academic establishment that DOES get hacked by amateurish methods, or by people walking off with laptops holding unsecured data, etc, is clearly NOT a University, or at least not one with any credibility.

    The obvious solution is to say that any teaching establishment that suffers loss or distortion of data by techniques that could be expected of that age group (or yo

  • I was cleaning a computer lab today. Under a desk were piles of CS final exams and progress reports from 1992-5. Not that I could change the grade, but it's a bit scary to think that's where those things end up. One of them belonged to a current staff member. She was slightly scared when I gave it to her.
  • The fault in the software is that to change the password it requires no "hidden" information. Name, birthdate, and social security are not all that hidden especially on a college campus where they are thrown around daily.

    In most cases where you forget your password they send it to your e-mail address. Why do they not do that in this case? If they had done that the girl would not have access to it since she never did know his password.

    Saying this is not a fault in the software is to save face, but pe
  • ... doesn't try to hack into the system after the exam to fix his grades (which will be spotted as soon as teacher compares computerized results with her own records).

    No, the smart cheater hacks into the system before the exam, in order to lift the subject (and possibly answers...) from the teacher's homedirectory ;-) Much harder to detect, unless culprits boast about it on Slashdot twelve years after...

  • Cheaters (Score:5, Interesting)

    by softparade ( 736054 ) on Thursday March 31, 2005 @01:21AM (#12097642)
    Ah cheating how it has evolved.
    I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.

    Another cheating example that comes to mind is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ [turnitin.com] and found that a sizable number of students were cheating.

    As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. My physics class I am taking now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be dealt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges
    • Re:Cheaters (Score:5, Interesting)

      by void* ( 20133 ) on Thursday March 31, 2005 @02:20AM (#12097923)
      Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct.

      I never went to college.

      However, in high school, my history teacher noticed that a good proportion of the answers given on tests were highly correlated - not exact, per se, but suspiciously close to the exact same answers.

      He made up seven different versions of the test, and ensured that the answer key for any version was different enough from the others to cause dramatic test failures in the case of copying. (multiple choice, 5 options, 30 questions - plenty of combinations).

      That test, about six to ten people, all in a rough blob behind and to the right of me, failed.

      I was oblivious to the fact that they were copying me, but it was pretty funny - he'd given me one version of the test and every one else a different version. After that I got rather paranoid about making sure my answers weren't visible to others.
      • Re:Cheaters (Score:3, Interesting)

        by kbielefe ( 606566 )
        I thought you were in my high school history class for a minute there. My teacher suspected that some students were receiving the answers from the class before. Just before Christmas break, word got around to our entire class (not just the usual cheaters) that the answers to the matching test spelled "MERRY CHRISTMAS" down the side. The teacher said as a Christmas gift he made an easy test and anyone who finished early could leave for lunch early. I did the first few problems just to be sure. "M", chec
  • Perfect crime? (Score:5, Insightful)

    by cgenman ( 325138 ) on Thursday March 31, 2005 @01:24AM (#12097659) Homepage
    When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.

    Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.

  • by dtjohnson ( 102237 ) on Thursday March 31, 2005 @01:24AM (#12097662)
    It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as ssn and birthdate. Better would have been to send a new password to the users email address or to have him stop by or telephone.

    Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
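The reset-design point raised in this thread (SSN plus date of birth versus a reset sent to the account owner, with the owner told of any change) can be shown side by side. This is an added example, not eGrades or UCSB NetID code; `Account`, `kba_reset`, `TokenResetService`, the 15-minute lifetime and the sample values are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset tokens live for 15 minutes


def hash_password(password, salt=None):
    """Salted PBKDF2 so stored credentials are not reversible."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Hypothetical account record (all field values used here are constructed)."""

    def __init__(self, netid, ssn, dob, contact, password):
        self.netid = netid
        self.ssn = ssn          # known to employers, insurers, banks: not a secret
        self.dob = dob
        self.contact = contact  # out-of-band address registered in advance
        self.salt, self.pw_hash = hash_password(password)
        self.reset_hash = None  # only a hash of the pending token is stored
        self.reset_expires = 0.0


def kba_reset(account, ssn, dob, new_password):
    """Weak design from the article: knowing SSN + DOB is enough to take over."""
    if account.ssn == ssn and account.dob == dob:
        account.salt, account.pw_hash = hash_password(new_password)
        return True
    return False


class TokenResetService:
    """Reset that depends on control of the registered contact channel."""

    def __init__(self):
        self.outbox = []  # (address, message) pairs; stands in for mail delivery

    def request_reset(self, account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        account.reset_hash = hashlib.sha256(token.encode()).digest()
        account.reset_expires = now + TOKEN_TTL_SECONDS
        self.outbox.append((account.contact, f"reset token: {token}"))

    def complete_reset(self, account, token, new_password, now=None):
        now = time.time() if now is None else now
        if account.reset_hash is None or now > account.reset_expires:
            account.reset_hash = None  # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(account.reset_hash, presented):
            return False
        account.reset_hash = None  # single use
        account.salt, account.pw_hash = hash_password(new_password)
        # Tell the owner, like the grade-change feedback the article describes.
        self.outbox.append((account.contact, "your password was changed"))
        return True


def demo():
    """Same stolen SSN/DOB against both designs; returns (weak, hardened)."""
    victim_a = Account("prof-a", "000-00-0000", "1960-01-01",
                       "prof-a@example.org", "original-pw")
    victim_b = Account("prof-b", "000-00-0000", "1960-01-01",
                       "prof-b@example.org", "original-pw")
    weak = kba_reset(victim_a, "000-00-0000", "1960-01-01", "attacker-pw")
    svc = TokenResetService()
    svc.request_reset(victim_b)
    # The token went to the owner's mailbox; the impersonator can only guess.
    hardened = svc.complete_reset(victim_b, "guess", "attacker-pw")
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The token design is only as strong as the contact channel: if the same campus password also opens the mailbox that receives the token, the reset address has to be one outside that login.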
  • by t0qer ( 230538 ) on Thursday March 31, 2005 @01:30AM (#12097697) Homepage Journal
    With other computing snafus recently making headlines, are universities too careless with their data?"

    Yes, I'm careless for having windows made of regular glass instead of tempered. While we're on that note, let's fault me for having a wooden door instead of a steel one, and dirt in my crawlspace someone can tunnel into.

    I think the university did the best it could here. No matter how high/tall/hard you build it, folks are always gonna try and break it. It's just a fact of life.

    I think the only person careless in this whole shebang is the girl that did the grade changing. I doubt this is the most morally devoid thing that has ever happened in this professor's class.

    I can't recall how many times I had girls that liked me offering to do my homework in school, or how many times I saw someone blatantly fuck another person's report up by checking all the books pertaining to their subject from all the local libraries. I think the worst I've seen is the preferential treatment some students get, whether it's because of being on the football team, or some other popular school group.

    There's a lot worse that goes on in schools, it's just she got caught.

  • Not a Hack ! (Score:3, Informative)

    by Mr Europe ( 657225 ) on Thursday March 31, 2005 @01:46AM (#12097783)
    That is not a Hack but a fraud, felony, break-in ! /. moderators should know the meaning of a hack.
  • "Tech savvy?" (Score:3, Insightful)

    by raistphrk ( 203742 ) on Thursday March 31, 2005 @01:47AM (#12097793)
    The article makes a big deal about how "savvy" this girl is, but seriously - how much knowledge does it require? When you click on the "forgot your password" link, it gives you a prompt with the information it needs to let you change your password. If presented with a website that says "Please enter your SSN and DOB to change your password", it doesn't take a genius to figure out what information to get.

    She did demonstrate some creativity by using her work DB to look up her prof's personal info. However, considering that she did NOTHING to conceal her identity (steal wi-fi, use a proxy, etc), she clearly wasn't a savvy hacker. Smarter than the average user, perhaps, but definitely not a crafty blackhat.
  • RTFA (Score:5, Informative)

    by blackcoot ( 124938 ) on Thursday March 31, 2005 @01:53AM (#12097819)
    i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.
    • Re:RTFA (Score:3, Insightful)

      by Adam9 ( 93947 )
      Being able to reset anyone's password with a birth date and SSN is careless. University passwords typically give you access to e-mail, class registration, bursar statements, private storage space, and many other things. My school requires a photo ID or notarized form to reset a password. UCSB can [and probably will] do more for security. This wasn't some super 1337 cracking going on.
  • Female? (Score:3, Interesting)

    by Lord_Dweomer ( 648696 ) on Thursday March 31, 2005 @03:03AM (#12098091) Homepage
    I have to say, I'm not normally one to make a sexist comment, but was anybody else here just the LEAST bit surprised that this was done by a female? I know I sure was. I mean, kudos to her, but I certainly wasn't expecting a girl to ever do this.

  • by Mechcozmo ( 871146 ) on Thursday March 31, 2005 @03:07AM (#12098109)
    "You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it," Schmidt said.

    So... uh.... wha???

    If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?

    And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots' when he is done with it."

  • by mrjb ( 547783 ) on Thursday March 31, 2005 @03:29AM (#12098165)
    was 'pencil'. That week. Written down on a piece of paper carefully kept in the drawer.
  • Felony (Score:5, Interesting)

    by BrookHarty ( 9119 ) on Thursday March 31, 2005 @05:47AM (#12098505) Journal
    I find it bad, that changing your grade counted as 4 counts felony.

    3 Strikes and you can go to prison for life, it's no longer just 3 dangerous felonies, see http://en.wikipedia.org/wiki/Felony [wikipedia.org]

    http://www.facts1.com [facts1.com] has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...

    She can lose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.

    Hey, she could get busted for smoking a joint, or filling out a DMV record incorrectly and serve 25 years in prison. Thanks to 3 strike laws.

    But hey, you feel safe now, right?
    • Re:Felony (Score:4, Insightful)

      by tomstdenis ( 446163 ) <tomstdenis&gmail,com> on Thursday March 31, 2005 @06:13AM (#12098586) Homepage
      Granted this can be abused, let's not forget that tampering with a university computer isn't a "minor" event. It can potentially affect many people's lives.

      Suppose you decide you really should have that engineering degree but just don't want to study... Now you're in the middle of building a 90-storey office complex and you have about 40% of the knowledge you need ....

      And besides, I had to drudge through college without cheating [which included repeating some classes] why shouldn't she?

      Tom
    • Re:Felony (Score:3, Informative)

      by parliboy ( 233658 )
      http://en.wikipedia.org/wiki/Three_strikes_law [wikipedia.org]

      "Three strikes laws are a category of statutes enacted by state governments in the United States, beginning in the 1990s, to mandate long periods of imprisonment for persons convicted of a felony on three (or more) separate occasions."

      If you're going to use Wikipedia as a source on Three Strikes laws, you could, at least, read the Wikipedia entry on Three Strikes laws.
    • Re:Felony (Score:3, Insightful)

      by evilviper ( 135110 )
      This post is the biggest load of nonsense I've seen in a while.

      I find it bad, that changing your grade counted as 4 counts felony.

      I don't. Walking your dog without obeying the leash law counts as a felony in some places. If you're doing this with 4 dogs, that would be 4 felony counts. I've never heard of someone getting a life sentence for leash-law violations, or any other trivial thing (except drug possessions).

      The flak over the 3-strikes law is pretty ridiculous. It was widely reported that a man

  • by Anthony Liguori ( 820979 ) on Thursday March 31, 2005 @09:46AM (#12099613) Homepage
    You have a girl who worked at a company on the side where she had access to sensitive information about professors (and many other individuals). She steals that sensitive information and uses it to reset the password of the professors.

    She then logs in to the grading system and changes her grades.

    And the computer system worked like a charm. Any grade change resulted in a departmental notification. The professor, realizing that he did not make the change and could not log into the account any more, notified the appropriate authorities.

    An investigation occurred and this criminal was discovered. Sounds like an open and shut case to me.
  • by wandazulu ( 265281 ) on Thursday March 31, 2005 @10:34AM (#12100094)
    Without getting into a big discussion of database design, referential integrity, etc., this is the sort of thing I've always used triggers for: updating a row writes another record to another table indicating that it was inserted/updated/deleted.

    I wrote a couple of trading-ish systems that used this when a person placed a trade. Came in very handy when a user called to say that he had lost some major $$$ because we screwed up his order, only to show him in the log that he had in fact placed his order at this time, and then tried to cancel it not a minute later, but a full two hours later, long after the close.

    Yes it can be done in a procedure, write to another table, etc., but what I've always liked about triggers is that they're automatic, somewhat hidden, and easy to forget...
