
Tufts student claims innocence after being expelled for grade hacking - DyslexicAtheist
https://techcrunch.com/2019/03/08/tufts-grade-hacking/
======
j-c-hewitt
If you or others you know of are involved in any of these kangaroo court type
situations, it does help to hire an attorney to try to get these kinds of
proceedings taken out of the kangaroo court system whenever possible and as
soon as possible. This goes for both companies with internal kangaroo courts
and universities with internal kangaroo courts.

If you allow yourself to be placed at the mercy of these kinds of systems, you
are going to get clowned on because they are designed to achieve that goal and
to prevent you from pressing whatever actual legal rights you may have. If you
are on "trial" in a kangaroo court system you have to recognize that the court
trappings are there to disarm you, convince you to do things against your
interest, and to railroad an outcome that benefits the institution and not
you.

~~~
joecool1029
> If you or others you know of are involved in any of these kangaroo court
> type situations, it does help to hire an attorney to try to get these kinds
> of proceedings taken out of the kangaroo court system whenever possible and
> as soon as possible.

Understand that in the US students have no rights to challenge a college's
rulings, whether it be a public or private institution. They can absolutely do
arbitrary decisions like expel you.

I was in this situation. A friend did a stupid thing and police were called. I
had filed a witness statement with the police as supporting evidence that the
stupid thing he did was not malicious. Instead of a criminal charge, he got a
petty disorderly persons charge.

School didn't like that, the police got their blood but the administration
wanted to power trip. As I was signing up for classes for next semester, I
noticed the system had a financial hold on my account. So I contacted the dean
of academics, who responded by email saying that by student handbook
regulations I would have to give an account of what happened on school
grounds, this was procedural and no charges were being brought against me.

I go to give my account with other student witness, the 'kangaroo court' was
made up of 50% administration, 50% student body. I was given a school
advocate. I told them they had an official account from my police witness
statement. They informed me that they were looking to sanction me, but
wouldn't state what they would do that day. I told them the dean had said
there would be no charges against me, I was literally only a witness. I
demanded due process, claiming that since I hadn't been informed of potential
charges/sanctions I wasn't given the opportunity to retain legal advice. They
said they didn't have to abide by any sort of due process. I had to wait a
week for the outcome of the tribunal to come in the mail. I was to have my
records marred by the event, would be forced to do an absurd number of
community service hours, letters of apology, and a paper about the event.

I hired an attorney and spent 2 years in civil courts fighting. The school
retaliated by expelling me. They also did things like tell the other witness
that they would have reduced his sanctions, but because I was challenging them
he would have to serve out the full amounts. It was a gigantic waste of time
and money. I did get my credits out and was able to continue on with my life
but there was no other upside to this.

The disgust I have for US university administration knows no bounds. Going to
university in the US is like living in a concentration camp: the goal is not
to challenge the masters, but rather to keep one's head down and survive.

EDIT: Best part of the above. School couldn't touch the guy who was charged.
He paid a small fine and the record was sealed after a year of no charges.
Through the entire ordeal I had the support of my fellow students and the
faculty that believed such things were not possible. It absolutely is and I
have a large stack of court precedent detailing prior cases that have gone to
trial where the school was affirmed in its absolute power over students.

~~~
jnwatson
As I understand it, state universities are bound by law a bit more than
private ones.

I was adjacent to a similar situation that led to a student being improperly
involuntarily committed. I got a real attorney involved and they eventually
settled with the state for a full ride at a different state university. It
took a long time though.

~~~
joecool1029
> As I understand it, state universities are bound by law a bit more than
> private ones.

FWIW, the above happened at a state one. Maybe I could have had a better
outcome if I could tolerate another year or two of court. It did not help in
my case that the original judge retired and the new one was pushing hard for a
settlement.

------
zkms
This is an utter goatrope from start to end, between clueless administrators
and clueless IT department people who were clearly not qualified to do a
proper forensic investigation.

I won't and can't claim to know what's going on here from third-hand hearsay
but it's clear that there's more moving parts than the university claims were
involved (like the presence of a mysterious iPhone 5S, the activity that
happened when the student was demonstrably not anywhere near a computer). The
only conclusion I can see is that university IT departments should not be
doing these kinds of investigations, between their lack of
training/skill/knowledge and the very serious issues around conflicts of
interest.

Heck, for all we know, a guy in the IT department who illicitly changed grades
for $$$$ was using her as a fall-guy/patsy -- having the IT department do a
pseudo-forensic pseudo-investigation is a surefire way to prevent that sort of
thing from coming to light.

------
blackflame7000
I had a very similar experience happen to me in High School in which I was
expelled for hacking and changing 28 people's transcripts. We used rainbow
tables to target weak NTLM hashes on library computers and exploited the fact
that the local admin and domain admin password was the same giving us
unlimited access to the entire district's files.

We were caught because one of the people I was working with left a flash drive
with his homework as well as decrypted teacher passwords in a classroom
workstation. When the teacher examined the drive to ascertain its owner, they
discovered their own decrypted password.

Interestingly, there was absolutely zero evidence tying me to the case since I
never needed to change my own grades. That didn’t matter. One student's
testimony was all they needed to expel me. They used the fact that on back to
back calculus tests during the time in suspicion, I went from a 79% to a 95%.
They didn’t consider that the tests covered 2 different chapters. It was a
good life experience in hindsight however.

~~~
foldr
> there was absolutely zero evidence tying me to the case

From your description it sounds like there was actually quite a significant
amount of evidence (e.g. the testimony of one of the students).

~~~
blackflame7000
The kid who left his flash drive and was caught red handed. He had a big
incentive to downplay his role as much as possible. Didn’t work though, just
caused more people to get expelled.

~~~
foldr
No witness is 100% reliable, but it sounds like he was in fact telling the
truth and the school came to more or less the right conclusions about who did
what.

People have been convicted of murder on the basis of the testimony of a single
witness, so it's not that shocking to me that a similar standard of evidence
suffices for expulsion.

------
treis
In the picture timeline it says:

> Tiffany Filler is accused of logging in with the "Scott Shaw" account from
> her MacBook Air from Tufts' wireless network to view answers for a small
> animal medicine bonus quiz, then minutes later on her own account to take the
> quiz

That's smoking gun evidence. It's theoretically possible that she is the
victim of an elaborate scheme to frame her but it seems pretty extraordinarily
unlikely.

I don't quite see the evidence for the requirement of "detailed and extensive
hacking ability". It seems like an administrator account was compromised and
used to create/access other accounts. The initial compromise could be as
simple as looking over a shoulder, swiping a post it, or guessing an obvious
password. After that, it's just basic computer skills to do what they did.

~~~
Wowfunhappy
> That's smoking gun evidence.

Even after you consider all the counter evidence, such as the time she hacked
the network when working in a lab without computer access (according to many
witnesses)?

I don't know what could have happened here, but going off the TechCrunch
article, the school's story doesn't add up.

~~~
treis
> network when working in a lab without computer access (according to many
> witnesses)?

Someone else was using her laptop.

~~~
Wowfunhappy
So now she had an accomplice too?

~~~
koolba
Or she had it automated to run a script when she wasn’t there.

~~~
Wowfunhappy
That's a whole lot of effort for someone who according to the school didn't
bother to spoof their MAC address.

------
rdiddly
There's an imprecision in much of this article, particularly -- but not
exclusively -- in quotes from administrators whose cluelessness is revealed
thereby, the cumulative effect of which I find infuriating. Settle A before
you move on to B, people.

Analogy: I place two champagne glasses in a box, close the box, put in
earplugs so I can't hear glass breaking, then shake the box violently. Then,
without opening the box, I decide champagne sucks forever and throw away the
_champagne bottle_. That's what this feels like.

Example: What does the word "hack" mean? There are at least two overall
"families" of connotations it has, one of which is in the name of this site.
But if someone told you to hack, that is in no way enough information to carry
out any specific action. That's how you know you're dealing with a derived or
secondary concept. Too many statements here are being formulated in secondary
concepts. Like the closed box of maybe-broken champagne-glass glass. And then
those vague concepts are being related vaguely to other vague secondary
concepts, and decisions made about those concepts based on that. Like throwing
away the champagne bottle. What a clusterfuck. Idiocracy is here.

And it's quite possible this girl is innocent but Jesus H. Christ don't post
your password on the WALL! Unless maybe you can satisfy yourself that you have
sole control of the room!

~~~
Wowfunhappy
Does it really matter whether or not we call it "hacking"? Let's call it
"unauthorized access" instead.

Whoever actually broke into this account was behaving _maliciously_,
regardless of how easy it was (or wasn't) to do.

------
hjk05
I hate the attempt at framing this as a “guilty until proven innocent”; from
the actual facts laid out it's more of an “innocent until we had tons of
evidence that we deem sufficiently proves you did it, at which point you’ll
need to mount a defense.”

~~~
dpwm
It's worth noting the following facts:

- There was a chain of human and technical vulnerabilities exploited;

- MAC addresses can be changed – nearly all ethernet controllers and some
wireless chipsets support changing the MAC address;

- MAC addresses are public knowledge. Anybody who ever receives a packet from
your machine has your MAC address – and don't forget that Apple devices send
tons of auto-discovery broadcast packets; and

- Anybody suitably competent to pull off the technical side of the attack is
likely to be able to spoof MAC addresses.

It's worth noting that Knoll's letter also includes this gem of total
misunderstanding:

"... date stamps are easy to edit. In fact, the photos you shared with me
clearly include an "edit" button in the upper corner for this very purpose."

The article seems to me to be far more about low-burden-of-proof disciplinary
panels – where the same people who set the rules interpret and administer the
rules whilst trying to appear reasonable.

The fact that a "defendant" asks for a date and time of alleged incidents
before submitting evidence is not at all "puzzling" – the alternative is
submitting every photo over a months-long time-frame, which is certainly not
reasonable.

~~~
tptacek
The more important part of the letter regarding the photos is the fact that
they weren't produced until after the student was given the exact time periods
of the incidents.

~~~
upofadown
Obviously there would have been no point in producing random photos until they
counted for an alibi.

~~~
darkpuma
That's true. But nevertheless it's still low quality evidence of her
innocence.

~~~
ada1981
They could have said, ok, send us photos from this wide date range and then we
will look to see.

Even so, if she knew when she hacked the accounts she could create edited
photos _without_ them telling her when she hacked them (assuming she recalled
when she did it).

~~~
tptacek
Not necessarily, if she enlisted someone else to do it.

~~~
darkpuma
The possibility would be there though, forcing anybody considering the
evidence to consider the possibility that she was the culprit and, as the
culprit, was capable of fabricating evidence of her innocence.

~~~
tptacek
The standard of proof in cases like these isn't "beyond a reasonable doubt".

~~~
darkpuma
I'm well aware, not sure why you think I'm not.

If she were guilty of hiring somebody to do the hacking but not actually doing
it herself, then she might not know when the sensitive times were and would
therefore be unable to fabricate evidence covering the sensitive times. That's
what you pointed out, however it's _not particularly relevant_. The
possibility that she was the technically competent hacker who was capable of
fabricating EXIF data is a strong enough possibility for the university to
meet their low standard of proof, and consequently determine she's guilty.

------
dbg31415
Similar to "Ferris Bueller's Day Off" the teachers had the school's password
written on a list posted on a cork bulletin board in the teacher's lounge. I
had to have access to the teacher's lounge to use the scanner for my 6th grade
newspaper. This was like 1992, and I initiated a push to move the paper to use
computers.

Anyway, I got caught because I used the tool to remove some of the kids I
didn't like from classes I was in... but for every person I dropped I had to
add another... and I probably had to change about 300 people around to make it
all work out. The school kept the classes the way I left them, and my
"punishment" was that from then on I had to be "on call" for add / drop
periods every semester to help the administrators handle requests from other
students.

Let me tell you, I hated the first half of 6th grade, but 7th & 8th were
pretty cool since I got to pick all the people I went to class with.

Oh, and I called in a snow day once... you just had to know the verification
word associated with the school when you called the news. That word was also
written on the bulletin board. I miss how simple things were back then.

------
darkpuma
> _"insofar that she pinned her password to a corkboard in her room."_

I did something very similar to this in high school, I believe after reading
about RMS doing the same, to give myself some sort of plausible deniability.

------
alphabettsy
It seems possible that her computer was used with remote access tools, but it's
also possible that other grades were changed including hers to make it less
obvious who the actual culprit might be.

------
walrus01
If you think you have a computer security problem and the operating system has
been pwned, you don't hire some random person off Fiverr to "scan" your
computer.

~~~
IshKebab
You might if you are a vet and don't know much about computers. She had her
password on the wall of her room.

That's the most implausible thing about this - the university is suggesting
that a vet is some kind of l337 hacker. In my experience vets and hackers are
about the most distant groups of people possible.

However, it is plausible that someone else stole the librarian's password,
created the account and sold access to her.

~~~
projektfu
Vet and former high school hacker here. Just saying.

~~~
m463
Where were you on the night in question?

------
ejanus
I can't support this student. Why wipe her hard drive when there is a
serious hacking case allegedly committed through her laptop? Are her personal
bank account and ATM card passwords also written on her room wall? The school
administrator pointed out that one piece of her supporting evidence was altered
(not the original rounds sheet). Finally, when her results were bumped up she
should have exposed that... to free herself.

------
detaro
meta: This was auto-killed, probably due to being an outline.com link

~~~
sctb
We've updated the link from
[https://outline.com/ZTzSYa](https://outline.com/ZTzSYa).

------
sizzle
Couldn't they trace the IP that the RAT was phoning home to for a lead on the
external culprit, given they were on campus and the possibility of matching
the times of the RAT accessing victim's machine and possible CCTV footage of
any dorm hall entrances indicated by IP and logs of users etc.?

~~~
sleepysysadmin
The whole RAT idea doesn't make sense. There's no reason for someone to infect
her computer to go give her better marks. That's not how it works.

On countless engagements I have spoofed my MAC to 11:22:33:44:55:66 with a
hostname of 'you're being hacked'.

------
runxel
In other news: A private uni knows how to attribute cyber attacks correctly.

I'm sure some intel people would love to have that knowledge!

------
xt00
How hard is it to fool the fitness tracker? Unless it has some robust
detection of being taken off and being put back on it would seem like it could
be fooled in a variety of ways.. not that it means she is guilty but fitness
trackers being used in court is already a thing so I wonder if they are
actually hard to fool by just normal people doing something simple..

~~~
darkpuma
> _"fitness trackers being used in court is already a thing"_

It seems to me the quality of that sort of evidence really depends on the
nature of the accusations. If somebody is accused of being a technically
proficient hacker, this sort of technical evidence of their innocence may have
a lower value than if somebody is accused of murdering their business rival in
some mundane non-technical way.

In other words "accused is a murderer _and a hacker_" is less likely than
"accused is a hacker _and a hacker_".

~~~
jonstewart
These sorts of arguments are sometimes made, that the suspect was technically
proficient and thus could manufacture/manipulate lots of evidence to cover
his/her tracks. My experience is that it’s rarely justified. Given the
repeated pattern of connections alleged by Tufts, it would be difficult not to
have trace evidence on the Mac corroborating it. Unfortunately, that evidence
is gone — the fact it was conveniently wiped makes it hard for me to be on the
student’s side. However, it’s also the case that Tufts did not conduct a
worthy forensic investigation.

As an example, macOS maintains a separate, hidden resource fork on every file
downloaded via the browser. There’s a corresponding SQLite database of such
“quarantined” files, providing some redundancy. I’d be curious about whether
the discovered RATs had quarantine entries. I’d also be curious about what the
system logs say.
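
The cross-check described in the comment above, as an added example (not code from the thread or from either side's investigation): it joins a file's `com.apple.quarantine` attribute value to the `LSQuarantineEvent` table of the quarantine events database and reports whether the two records agree. The in-memory database, UUIDs, URLs and file names are constructed, and only a subset of the table's columns is modelled.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_datetime(seconds):
    """LSQuarantineTimeStamp is seconds since 2001-01-01 UTC, not Unix time."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def parse_quarantine_xattr(value):
    """Parse 'flags;hex_unix_time;agent;event_uuid' (uuid may be empty)."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    flags, hex_time, agent, uuid = parts[:4]
    return {
        "flags": int(flags, 16),
        "when": datetime.fromtimestamp(int(hex_time, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": uuid.upper(),
    }

def corroborate(conn, xattr_value, tolerance=timedelta(seconds=5)):
    """Return (verdict, attribute, db_event) for one file's attribute."""
    attr = parse_quarantine_xattr(xattr_value)
    if not attr["uuid"]:
        return "no-event-id", attr, None      # nothing to join on
    row = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?", (attr["uuid"],)).fetchone()
    if row is None:
        # Attribute survives on the file but the log has no record of it:
        # e.g. the database was cleared, or the file was copied in from
        # another account or machine with its attribute intact.
        return "missing-db-row", attr, None
    event = {"when": cocoa_to_datetime(row[0]), "agent": row[1], "url": row[2]}
    if abs(event["when"] - attr["when"]) > tolerance:
        return "time-mismatch", attr, event   # the two records disagree
    return "corroborated", attr, event

def build_sample_db():
    """Constructed stand-in for the real database (subset of its columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT)")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)", [
        ("11111111-2222-3333-4444-555555555555", 567993600.0, "Safari",
         "https://downloads.example.invalid/tool.dmg"),
        ("99999999-8888-7777-6666-555555555555", 567993600.0 + 86400, "Safari",
         "https://downloads.example.invalid/other.zip"),
    ])
    return conn

# Constructed attribute values; 0x5c2aad80 is 2019-01-01 00:00:00 UTC.
SAMPLES = {
    "tool.dmg":   "0083;5c2aad80;Safari;11111111-2222-3333-4444-555555555555",
    "other.zip":  "0083;5c2aad80;Safari;99999999-8888-7777-6666-555555555555",
    "helper.app": "0083;5c2aad80;Safari;AAAAAAAA-0000-0000-0000-000000000000",
    "note.pdf":   "0081;5c2aad80;Chrome;",
}

def check_samples():
    conn = build_sample_db()
    return {name: corroborate(conn, v)[0] for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:10} {verdict}")
```

On a real system the attribute value comes from `xattr -p com.apple.quarantine <file>` and the database is `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`; work on copies taken from a forensic image, not the live files.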

~~~
Wowfunhappy
> macOS maintains a separate, hidden resource fork on every file downloaded
> via the browser. There’s a corresponding SQLite database of such
> “quarantined” files, providing some redundancy. I’d be curious about whether
> the discovered RATs had quarantine entries. I’d also be curious about what
> the system logs say.

Um, separate from this case, that's a bit worrying from a privacy perspective.

~~~
ghaff
In what way? You probably aren't proficient enough to cover your tracks on a
computer (short of wiping it--and maybe not even then) from a competent
computer forensics examiner? That shouldn't really be surprising.

~~~
jonstewart
Wiping works. The old saw about needing to wipe more than once is bunk.

~~~
ghaff
I meant that, even if you wipe your computer, there may be evidence generated
automatically elsewhere such as routers, backup/sync accounts, etc.

------
ggm
This feels like lawsuit material.

------
uberswe
Sounds like there may have been someone who she knows or doesn't know who
wanted to "help" her get better grades and such. They thought they were
helping without her knowledge and it backfired.

Just another theory I thought could be plausible.

------
paulpauper
> Filler is back home in Toronto. As her class is preparing to graduate without
> her in May, Tufts has already emailed her to begin reclaiming her loans.

Guess she better default on those then. Good luck collecting from someone in
Toronto.

~~~
bch
And hope for the rest of your life nothing comes of it crossing the border.

------
badfrog
> elaborate months-long scheme involving stealing and using university logins
> to break into the student records system, view answers, and alter her own
> and other students’ grades.

Is this actually considered hacking? My mental model of hacking has always
involved discovering and exploiting security vulnerabilities in a software
system, not just finding and using somebody's password.

~~~
DGAP
You or your business are much more likely to have your information stolen
because of credential theft than someone discovering and exploiting
vulnerabilities. This is regardless of whether your attacker is a nation state
or a cheating student. Whether you decide to call it "hacking" is irrelevant
when they're in your network.

~~~
badfrog
I never meant to suggest it shouldn't be taken seriously.

------
olefoo
Now that this has gained wide attention the Tufts university counsel and
administrative layers are preparing themselves for the inevitable lawsuit.
Defamation, actual damages, pain and suffering etc.

I doubt the public will learn what actually happened but just from that
article we can conclude that all parties to that investigation were remarkably
lax in their approach to DFIR and I've seen several people on twitter say she
would have been better off under an FBI investigation with people who actually
know the job than Tufts.

My guess; gender based harassment by a member of the Tufts IT staff who thinks
he was extremely clever and will not be caught since he ran the investigation
as well as the crime.

And we know what happens to people who think they are clever; they boast and
it is their undoing.

------
oh_sigh
I'm curious if this lady is a serial social media user like most young people?
Going on a 70 mile trip and not doing social media updates or taking more than
2 pictures would be suspect behavior for some people.

Does iPhone have location history option like Google maps does on android?

How did she get there? Did she just drive herself 70 miles? Does she own a car
or did she rent one? Did she take a train or bus and still has the ticket? Did
she go with a friend? Did she eat a meal and pay with a credit card there? Did
she buy gas?

How about checking in the provided photos if features present in the photos
match what would be there at the date in question. Does the forecast show it
was rainy there but it's sunny in her provided pictures? You could measure
shadow length if it may have been faked at a particularly different part of
the year. You could search social media for tagged pictures from others which
may show her in the background. Were there displays or construction that was
modified between the date of the alleged hack and when she could fake a photo
there?

Does the xiaomi tracker differentiate between (on a human and human sleeping)
vs (not on a human and sitting on a nightstand)?

Did any other student grades get modified upwards?

~~~
xkcd-sucks
Shit, you're making me concerned that I should open a facebook account and
start uploading records of everything + making paper trails of everything I do
in case I'm accused of a crime in the future

~~~
1024core
I once read about a black guy who would, when out and about, make it a point
to stop by places which have cameras (ATMs, stores, etc.) periodically, _just
so_ he would have proof of being near those places. I'm sorry I don't remember
where I read it, but it stuck with me.

~~~
NetBeck
I remember Patrice O'Neal had a bit about this.

[https://youtu.be/0xVF7yCKWno?t=60](https://youtu.be/0xVF7yCKWno?t=60)

