Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) 142
An anonymous reader shares a report: In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God. And when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense) and "pineapple" (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme. According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems. Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months -- between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves' grades had been changed without her authorization. She reported it to campus IT security officials.
A for effort? (Score:2)
At least he cares about grades. Most student athletes dont.
Re: (Score:3)
They care, their scholarships usually need a minimum GPA. If they don't care it's because someone is fixing it for them, or the prof makes sure the team doesn't lose its star because he couldn't quite add a couple numbers.
A truly better effort (Score:1)
Sad.
Re:A truly better effort (Score:5, Insightful)
You buy a keylogger for $30 or so.
You plug it in between the keyboard and the PC.
Later, you unplug it from the keyboard and the PC, and look for passwords and userIDs. (easy to spot as they're the first after several hours idle).
Now, you simply type in the username and password, or use remote access if that's an option, to access the software in the same way the teacher would enter your grades.
This is not a complex attack.
Re: (Score:2)
It's not like the classes jocks take are difficult either.
Bet he was a communications major.
Re:A truly better effort (Score:5, Interesting)
It's not like the classes jocks take are difficult either.
Bet he was a communications major.
The article did state that grades were changed in business, engineering and chemistry classes. There may have been grades changed in Earth Science 101: "Rocks for Jocks" too. It sounds like he was selling his services to other students, which is just asking to get caught.
Changing grades on the computer is just stupid, IMHO, since it's not like the instructors don't keep paper records. Had he stuck to copying exams and answer keys then he might have gotten away with it, at least long enough to graduate. Or at least add enough doubt as to who did what when that no one would call the FBI on him. But then people that resort to cheating on exams aren't typically that bright.
What I have to ponder is why the FBI was involved. This was a state facility, not a federal one. Doesn't every state have their own investigation service? As a state university they'll have their own police force, with a direct line to said state investigation office. What federal law was broken? Not that this seems to matter any more, I remember an assault case that made national news. The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.
Re: (Score:2, Funny)
Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.
That should require Interpol
Re: (Score:2)
The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.
https://www.fbi.gov/investigat... [fbi.gov]
As I understand it, certain crimes mandate an FBI investigation even if it's within a single state.
Re: (Score:2)
Selling the service was dumb. Sell the test questions, maybe...
When I was an undergrad, I taught someone how to make fake IDs (back when it was a little bit challenging, not illegal to teach someone how BTW). Moron put a sign in his dorm room window advertising fake IDs. You know how it turned out.
Re: (Score:2)
As an undergrad I also knew someone that made fake IDs. Very convincing ones too, especially since the guy had got his hands on the state ID laminates with the watermark on them. I recall he said that he bought them off someone that stole them from a DMV office. I didn't want to ask any questions, the less I knew the better. He said he'd make me one with the clear laminate for free but if I wanted the laminate with the state watermark that I'd have to pay for that. Most people don't think to look for t
Re: (Score:2)
Forgery is a felony.
No Stupid Laws (Score:4, Insightful)
There is a saying in the Army - never give an Order that will not be obeyed. It just breaks down the respect for Authority which is needed for soldiers to take an order which will mean risking their life but will probably save lives during battles.
A similar principle should apply to laws - dont pass laws that will not be obeyed. The 21 yr drinking age is a stupid law. If someone is old enough to fuck, go to war, get married and be executed for a capital crime they very well should be old enough to drink.
Once you pass laws that are stupid people feel no guilt breaking them and breaking other laws like forgery laws to get around the stupid law.
Re: (Score:3)
the 55 speed limit needs to be on that list.
Re: (Score:2)
Laws are not orders. They have different purposes. You want orders to be obeyed. But that's not necessarily the goal of laws. Sometimes they are there to produce revenue.
Re: (Score:2)
The best way to end a bad law is strict enforcement. If not enforced, like say a speeding limit, then people learn that there is no punishment for breaking the law. If caught then you get people that are indignant on being picked out from the crowd. If the police stop everyone that speeds, then you run the risk of a bunch of angry citizens at the next town hall meeting complaining about the stupid speed limit.
If you want revenue from speeding then you have to enforce it. If enforced consistently then pe
Re: (Score:2)
Selective enforcement works almost as well as (sometimes better than) being consistent, and it's cheaper.
Re: (Score:2)
Selective enforcement just means picking out the worst offenders for punishment. That's still a mockery of the law, as evidenced by my interstate commutes. The posted speed limit is 70 but unless you are going 75-80 you will be passed by other travelers regularly. The law is not the law at that point. Either post a reasonable speed limit, and enforce it rigorously, or allow the mockery of law to continue.
That applies to all laws. If the federal government wants to claim that marijuana possession is a f
Re: (Score:2)
Selective enforcement just means picking out the worst offenders for punishment.
No, it does not. It means picking them out psuedorandomly. You ideally select the worst offenders, not least because they are worth the most money, but that's not the only criterion commonly used.
If the federal government wants to claim that marijuana possession is a felony then it needs to be enforced. Not enforcing the law on marijuana possession but enforcing it on other drugs starts to put in the minds of people the idea that maybe possessing heroin and MDMA aren't so bad after all.
Except the government already showed that their laws are bullshit with their ridiculous scheduling of cannabis, which doesn't meet their own standards.
Re: (Score:1)
But then people that resort to cheating on exams aren't typically that bright.
Depends doesn't it? Is it smarter to put in a lot of effort, study hard and hope you pass, or fuck around all semester and party, then get your mate who's a year ahead to sit your exams for you?
Smart isn't about cheating or not cheating, smart is whether you get caught or not.
Re: (Score:2)
Depends. Is the class a required waste of time? Then cheat your ass off.
Put in other words: Study math and science, cheat in the indoctrinations.
Re: (Score:2)
'He would have been far better off spending the time and energy to study'
Study? Why? The idiot got the questions in advance and still was too dumb to get the right answers.
If he had opened the book and take a few notes, he wouldn't have needed to up his grades.
"Court documents allege that Graves intercepted exams and test questions in advance...."
Re: (Score:2)
Years ago, my wife taught math at Division I football and basketball powerhouse in Indiana. There was a great deal of pressure put on her to change grades for the players.
I don't want to say which school, but let's just say it was a Catholic school with a French name. In South Bend.
So 1980s (Score:2)
What is this? War Games?
Re: (Score:1)
You mean Ferris Bueller?
Re: (Score:2)
The problem is that the vast majority of those players will never play professionally. Then when they "graduate" they don't actually have the necessary skills that the real world wants, they may not even have enough qualifications to be a junior high school coach. A school that participates in such practices is not one that you want to send your children to.
And forget the bit about sports bringing money to the university, as all that money goes to new stadiums and sports programs, it will never touch acade
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
I remember talking to my dad about one of his card playing buddies. I think it was about me overhearing them talking about him going to college. I asked what was his major, Dad said the guy just went to school to play baseball.
A lot of these student athletes don't think much about what they are going to do after college. They'll study just about anything so they can say they went to college. They go to school so that they can play sports and hope some professional team picks them up, or just to live the
Re: (Score:2)
Not sure what he thought he would be doing with his life after graduating with a degree and knowing absolutely nothing about the subject matter.
Most people don't do a degree in (say) Chemistry then go on to become Research Chemists. If you do a degree in English Literature, you're somewhat more likely to end up as a banker or teacher than a professional poet.
Re: (Score:2)
You misspelled Oracle.
MS doesn't put the effort into marketing. It's like they can't be bothered to lie and/or offer no show jobs to decision makers.
Cheating is a matter of perspective (Score:1)
He should change his major to "Hacking"; problem solved!
Re: (Score:2)
He should change his major to "Hacking"; problem solved!
And he can hand out copies of his verdict when asked for his "Certified Unethical Hacker" (CUH) credentials.
I just hope some of the classes he faked his grades in were Comp Sci so when he gets out of prison he can go to work for a spammer.
What moron wrote this? (Score:4, Interesting)
Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar. And no one has used that phrase in a SFW setting since 1978.
>> and "pineapple" (???)
Prolly this: https://www.wifipineapple.com/
Re: (Score:2)
almost certainly.
Beautiful tool that thing...
Re: (Score:2)
Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar.
Depends on how your search bar is setup. You really need to duckduckgo with SafeSearch turned off to get anything NSFW. Even google with SafeSearch off doesn't show much beyond a child toy store, a music shop, references to a WoW achievement, and a typing skill trainer.
What actually impressed me is the choice weird porn search engine bing.com didn't produce anything either with Safe Search turned off.
Re: (Score:3)
Why would he intercept exams and test questions if he could just change his grade directly anyway?
Give it to other students? Read TFA... For him, he doesn't study it himself anyway so he just changed his own grade.
* A student identified as A.B. in court documents urged Graves to use the keylogger to steal an upcoming test, saying “I need 100 on final just to get B- at this point.” Graves’ reply: “Or we could use the time to study?”
* A student identified as Z.B. asked Graves whether he had told a classmate “about the Hand of God on that test.” Graves’ reply: “No. The less people know the better.”
Re: (Score:2)
He wouldn't have gotten caught if he had good enough memory to remember the exam questions.
I wouldn't hire him (Score:2)
Seems like smart would have been to either obtain the quiz questions OR to change your grades only once every semester. Attacking both sides of the system makes way too much noise.
--
"What's up doc?!" - B. Bunny
Re: (Score:2)
Smart would have been to subtly modify other peoples's grades just a tad before totals are tallied. Too much noise to identify the signal.
Re:I wouldn't hire him (Score:4, Insightful)
Smart would have been to study, do the homework and pay attention.
Re: (Score:3)
The summary says he "intercepted exams and test questions in advance", so I guess that guy really sucks at learning.
Re: (Score:2)
That assumes the goal was to learn the material, not simply to pass the class. We're operating in the scope of how to cheat effectively.
Besides, I've got a computer security background; discussing how to effectively penetrate a system without getting caught is in my scope of professional interest. (Imagine that: someone who's actually looked inside a computer trying to get a Congressional seat.)
Re: (Score:2)
Brainy would have been to study, do the homework and pay attention.
Smart would have been to study with a friend and finish the homework together as quick as possible, then do something else better with their time.
Re: (Score:3)
No, that would have guaranteed the teacher would have known something was up. As soon as a good student noticed a grade change the audit would have been on.
Smart would have been to study the test questions he downloaded and not share with class/team mates.
Even smarter would have been to actually attempt to get an education while in college. It's not like there's a great future for greco-roman wrestlers.
Re: (Score:2)
Shrug. That's not the problem that was posed. An alternate strategy may prove better but, hey, information warfare is a thing.
Re: (Score:2)
Seems like smart would have been to either obtain the quiz questions ...
I have seen that movie. They stole the wrong test.
Re: (Score:3)
Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?
Re: (Score:2, Interesting)
Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?
For being a sociopath, and willing to do whatever it takes to win, without annoyances like conscience or dignity to get in the way.
Re: (Score:3)
Hired by the FBI? For what skill? Being able to connect a USB device between a USB port and a USB keyboard?
For being a sociopath, and willing to do whatever it takes to win, without annoyances like conscience or dignity to get in the way.
I'd say he could get a job on Wall Street, but you actually need skills and/or education for that. Perhaps he can run for President - the bar for that is apparently quite low now.
Re: (Score:2)
I remember hearing something like that before... That's right in the movie Grosse Pointe Blank.
http://www.imdb.com/title/tt01... [imdb.com]
Debi: [about the man Martin killed at the reunion] He was trying to kill you, right?
Marty: Yes.
Debi: It wasn't the other way around?
Marty: No.
Debi: Is it something you've done?
Marty: It's something I do... professionally, for about five years now.
[He lifts the gun in his hand]
Debi: [Gasps] You were joking! People joke about the horrible things they *don't* do, they don't *do* them!
Re: (Score:2)
He will be arrested and then hired by the FBI or someone else.
Key logger != Hacking
become a fake fire inspector and install at banks (Score:2)
https://it.slashdot.org/story/... [slashdot.org]
https://www.csoonline.com/arti... [csoonline.com]
http://www.businessinsider.com... [businessinsider.com]
Re: (Score:2)
He will be arrested and then hired by the FBI or someone else.
The part I do not understand is, what part of this crime is interstate commerce?
Tell me again, why is USB can read keyboard input? (Score:2)
Re:Tell me again, why is USB can read keyboard inp (Score:4, Informative)
Not sure what you're trying to say here. Looks like you're assuming that keypresses are broadcast to all USB devices, which is, of course, nonsese.
Your run of the mill hardware keylogger is a device that's between the computer and the keyboard. A "man in the middle" attack, only in hardware. There's no software installation, and no way for an OS to detect it.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
"...no way for an OS to detect it."
It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)
Re: (Score:2)
The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard.
A keylogger need not present itself as anything over the USB bus. It can simply monitor the data lines that pass through it, allowing your keyboard to talk to the system. How do you detect that?
Second, what OS has the 'feature' of locking itself to one specific vendor and device id for its input devices? That 'feature' would be disabled the very first time the keyboard needed to be replaced in a hurry, like "I just showed up to deliver a lecture and the keyboard on the display computer is broken. I'll use
Re: (Score:2)
It's coming. Lookup 'Rubber ducky'. Essentially a reprogrammed flash storage device that presents itself as a keyboard and runs scripts (typically attack scripts).
Many places have computers set to call IT if anybody plugs in a USB storage device. Soon it will also call for a keyboard.
Re: (Score:2)
I wonder how one would protect against keyboard loggers. Since they are totally passive, an ID on a keyboard would do little at all.
The only way I can really see it happening is with a separate protocol from USB (perhaps fiber optic, a la S/PDIF), where the keyboard and the computer are paired, the keyboard uses epoxy potting and tamper-evident wiring and enclosures, and some form of cryptographic handshaking is done. The instruct users that no "secure" light on the keyboard, no typing.
Of course, this als
Re: (Score:2)
It will be whack a mole. Lock the computer to the keyboard model and the keylogger will just get updated to report it is whatever keyboard plugged into it.
Epoxy is a solution, but not a good one.
They need to encrypt traffic between the computer and keyboard. Which will add admin overhead.
Re: (Score:2)
Epoxy is a solution, but not a good one.
There is no security without physical security.
The computer is in a place that the public can access.
Re: (Score:2)
I've been to a hospital where all the keyboards have some kind of ID card slot on them. I'll see staff sit down, presumably type in a password, and get their screen. If the keyboard is smart enough, and a matching driver written, then the communication on the USB wire can be encrypted with a key in the ID card. At a minimum the systems on the university could be configured to not allow login without that ID card. I assume that there would have to be a backup plan for cases of broken hardware, lost ID ca
Re: (Score:3)
"...no way for an OS to detect it."
It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)
And Boom, doesn't go the dynamite. Take a look at some of the Hak5 products, like the Bash Bunny or USB Rubber Ducky. They allow the owner of the device to specify whatever VID/PID combination they want; they actually recommend you change it from their defaults so that scanning for their default VID/PID won't get you caught.
Besides, you can't simply block alternate keyboard IDs anyway, at least not in America. The Americans With Disabilities Act will quickly be invoked by someone who needs an alternative
Re: (Score:2)
Why is USB device plug can read keyboard input without installation or authorization from the computer?
News for nerd: many, if not most, modern keyboards are USB. Plugging a device into the computer and then the keyboard into the device means it looks like a keyboard to the system and there is still only one on the system.
Is plugin a mouse or keyboard really have the feedback of each key pressed?
Yes, a keyboard knows what keys have been pressed. That's kinda the whole purpose of a keyboard.
Use two factor authentication! (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's true, calling the FBI is cheaper than implementing real security. A pound of cure is cheaper than an ounce of prevention!
Is he that bad? (Score:4, Insightful)
Hey, let's get the exams and test questions in advance so I'll have a good score!
Fails.
Hey, let's enter the system and change my grades since I failed even when I had the exams and test questions in advance!
That guy's C.V. can be resumed in one sentence: Can't even cheat his way out by cheating. I'd never hire that guy in a million years.
Re: (Score:2)
9 Times.. (Score:4, Funny)
on the football / basketball team then no need to (Score:2)
on the football / basketball team then no need to hack to your grades as the school will find away to make you pass.
Re: (Score:2)
Iowa wrestling. Guaranteed these were the same 'easy As' that other jocks take.
in the 80's just needed to know where they wrote d (Score:2)
in the 80's just needed to know where they wrote down the password
https://www.youtube.com/watch?... [youtube.com]
https://www.youtube.com/watch?... [youtube.com]
I saw nimble fingers yesterday (Score:2)
Nimble fingers indeed!
Hey, I brought pizza into the thread....
Re: (Score:2)
Did you bring enough for everyone?
They blame the student for their bad security (Score:2)
The university told the FBI that the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security.
Maybe they should have thought about IT security from the start.
I've been to college and I see how "security" is done. The computers the instructors use are just put on a desk or table in the front of the room. To keep it from walking away there will be a flimsy cable attaching the parts to the desk or wall. Even basic security, like setting BIOS passwords, will not be done. This can allow spying on the computer with software keyloggers and such, or simply vandalizing it so it's unbootable. The install
Re: (Score:2)
Had the school thought of security from the start then this would not have happened and the costs would have been minimal. For example, when installing the podium use one with a locking door to the space for the computer. This would make installing a keylogger, hardware or software, much more difficult. It would also add some inconvenience for the IT support and the instructors, which is likely why it wasn't considered until something like this happened.
and when it get's to hot and the door needs to be open
Re: (Score:2)
and when it get's to hot and the door needs to be open all the time?
Use a screened door, add a ventilation fan, etc. I did IT support for a prison and I got to see how they locked down the systems to keep the prisoners (and some of the staff) from messing with the hardware. There are standard electronics cases that were nice looking, very solid, and easy to lock/unlock on three or four sides for access. Most have screened sides for airflow, and all of them have the option for ventilation fans. This university is a state facility and so, like the software issues, have ac
Why was the FBI brought in? (Score:2)
Re: (Score:1)
Because it's under federal jurisdiction [cornell.edu] as well as possible state and local entities.
Re: (Score:2)
Silly Mistakes (Score:5, Interesting)
Silly mistakes are silly. Kid had access to the test banks and answers. He could have easily memorized the correct answers.
Even if he failed the test, he could have corrupted everyone else's grades to obscure the fact that he was doing it.
If you're going to commit any sort of computer forgery, make sure you spread the love far and wide so even unrelated students in completely different classes have their grades changed. There would be absolutely no way they would be able to find him in this instance.
Only the stupid get caught.
Re: (Score:2)
Some of us are crap at memorization. In the real world you can look stuff up, unless maybe you're an ER doctor, so this is not as much of an impediment as you might imagine.
I don't recall ever cheating on a test. Not so much because I am unwilling, but because I'm unable. I'm a big galoot and I've never been sneaky. I have to actually understand the material to do well because I'm poor at just memorizing things.
Not so silly (Score:2)
the obvious next step is to change his court or conviction file . . .
"Hey, Sarge! someone screwed up and put this idiot in a cell for jaywalking.'
And off he goes, free again . . . :)
hawk
Re: (Score:2)
Many years ago, when I was an undergrad, another student was caught stealing tests from a prof's account.
The prof logged in, the system told him he was already logged in at one of the labs. The prof _ran_ down to the lab and personally caught the student 'red handed'
Just booted him for cheating, no FBI.
Profs keep weird hours and are generally not stupid, there are no guarantees.
A better method (Score:1)
Display the exam questions on captcha banners that protect pr0n sites from bots, and sit back and watch how the whole world passes your exams.
Prof shouldn't log in from public PC (Score:2)
Security 101... Would you log in to a sensitive account by typing your password over an unknown wifi connection? Hopefully not. A public PC should be considered similarly untrustworthy.
lessons learned (Score:1)
Re: (Score:1)
That one is ridiculously expensive. Nice try sneaking in that affiliate link though.
That's what PC stands for (Score:3)
> The PC is notoriously poorly designed as if it were meant to be run disconnected from the internet and in a room hidden away from intruders.
Which, for those who don't know, is exactly the case. Prior PCs (PERSONAL computers) running DISK Operating System, there were time-sharing computers running NETWORK operating systems. Computers prior to the PC each had many users, hundreds of uses for each computer. They often used it over a network, using terminals. Security was of course important - you didn't
Re: (Score:2)
Just how much memory do you think a computer like a PDP-11 had?
There are reasons the PC oses went through the path they did. But it wasn't lack of memory that made (MacOS prior to X/Windows prior to NT) such turds.
Original Unibus PDP-11 4MB, IBM 3081 had 32MB (Score:2)
In the late 1970s, Ken Thompson added paging support to Multics so it could use the full 4MB of memory available in the first generation PDP-11 machines with the original Unibus. 4MB is 250 times as much memory as the 16KB PC.
By the time DOS was released, multi-user systems like the IBM System/370 3081 had 32MB, or two thousand times as much memory as the PC.
Re: (Score:2)
PDP-11s were not universally stuffed with memory. We had a small 4 user LSI-11 in my Highschool with 12KB IIRC.
RAM was expensive, IIRC I paid more than $100/16KB for my first RAM expansion.
so what pair each system to a there own keyboard? (Score:2)
so what pair each system to a there own keyboard?
So now you need to keep track of all of that if fails a lot then users will just get used to repairing them all the time.
Re: (Score:2)
and then pay for battery's?