Hacker News new | past | comments | ask | show | jobs | submit login
Tufts student claims innocence after being expelled for grade hacking (techcrunch.com)
136 points by DyslexicAtheist 46 days ago | hide | past | web | favorite | 145 comments

If you or others you know of are involved in any of these kangaroo court type situations, it does help to hire an attorney to try to get these kinds of proceedings taken out of the kangaroo court system whenever possible and as soon as possible. This goes for both companies with internal kangaroo courts and universities with internal kangaroo courts.

If you allow yourself to be placed at the mercy of these kinds of systems, you are going to get clowned on because they are designed to achieve that goal and to prevent you from pressing whatever actual legal rights you may have. If you are on "trial" in a kangaroo court system you have to recognize that the court trappings are there to disarm you, convince you to do things against your interest, and to railroad an outcome that benefits the institution and not you.

> If you or others you know of are involved in any of these kangaroo court type situations, it does help to hire an attorney to try to get these kinds of proceedings taken out of the kangaroo court system whenever possible and as soon as possible.

Understand that in the US students have no rights to challenge a college's rulings, whether it be a public or private institution. They can absolutely do arbitrary decisions like expel you.

I was in this situation. A friend did a stupid thing and police were called. I had filed a witness statement with the police as supporting evidence that the stupid thing he did was not malicious. Instead of a criminal charge, he got a petty disorderly persons charge.

School didn't like that, the police got their blood but the administration wanted to power trip. As I was signing up for classes for next semester, I noticed the system had a financial hold on my account. So I contacted the dean of academics, which responded by email saying that by student handbook regulations I would have to give an account of what happened on school grounds, this was procedural and no charges were being brought against me.

I go to give my account with other student witness, the 'kangeroo court' was made up of 50% administration, 50% student body. I was given a school advocate. I told them they had an official account from my police witness statement. They informed me that they were looking to sanction me, but wouldn't state what they would do that day. I told them the dean had said there would be no charges against me, I was literally only a witness. I demanded due process, claiming that since I hadn't been informed of potential charges/sanctions I wasn't given the opportunity to retain legal advice. They said they didn't have to abide by any sort of due process. I had to wait a week for the outcome of the tribunal to come in the mail. I was to have my records marred by the event, would be forced to do an absurd number of community service hours, letters of apology, and a paper about the event.

I hired an attorney and spent 2 years in civil courts fighting. The school retaliated by expelling me. They also did things like tell the other witness that they would have reduced his sanctions, but because I was challenging them he would have to serve out the full amounts. It was a gigantic waste of time and money. I did get my credits out and was able to continue on with my life but there was no other upside to this.

The disgust I have for US university administration knows no bounds. Going to university in the US is like living in a concentration camp: the goal is not to challenge the masters, but rather to keep one's head down and survive.

EDIT: Best part of the above. School couldn't touch the guy who was charged. He paid a small fine and the record was sealed after a year of no charges. Through the entire ordeal I had the support of my fellow students and the faculty that believed such things were not possible. It absolutely is and I have a large stack of court precedent detailing prior cases that have gone to trial where the school was affirmed in its absolute power over students.

As I understand it, state universities are bound by law a bit more than private ones.

I was adjacent to a similar situation that led to a student being improperly involuntarily committed. I got a real attorney involved and they eventually settled with the state for a full ride at a different state university. It took a long time though.

>As I understand it, state universities are bound by law a bit more than private ones.

FWIW, the above happened at a state one. Maybe I could have had a better outcome if I could tolerate another year or two of court. It did not help in my case that the original judge retired and new one was pushing hard for a settlement.

I hired an attorney and took my case all the way to the city school-board. Lost by a 3-1 decision, was Expelled and still owed the lawyer 12k. (See my other post for more details)

I had an incident on the way out of high school. Mom hired a lawyer and wanted to fight but I didn't g.a.f. I went off to college and didn't look back. Saved the lawyer fee, never cared.

A PHD student with large amounts of debt can't afford a lawyer is why they get away with it.

This is an utter goatrope from start to end, between clueless administrators and clueless IT department people who were clearly not qualified to do a proper forensic investigation.

I won't and can't claim to know what's going on here from third-hand hearsay but it's clear that there's more moving parts than the university claims were involved (like the presence of a mysterious iPhone 5S, the activity that happened when the student was demonstrably not anywhere near a computer). The only conclusion I can see is that university IT departments should not be doing these kinds of investigations, between their lack of training/skill/knowledge and the very serious issues around conflicts of interest.

Heck, for all we know, a guy in the IT department who illicitly changed grades for $$$$ was using her as a fall-guy/patsy -- having the IT department do a pseudo-forensic pseudo-investigation is a surefire way to prevent that sort of thing from coming to light.

I had a very similar experience happen to me in High School in which I was expelled for hacking and changing 28 peoples transcripts. We used rainbow tables to target weak NTLM hashes on library computers and exploited the fact that the local admin and domain admin password was the same giving us unlimited access to the entire districts files.

We were caught because one of the people I was working with left a flash drive with his homework as well as decrypted teacher passwords in a classroom workstation. When the teacher examined the drive to ascertain its owner, they discovered their own decrypted password.

Interestingly, there was absolutley zero evidence tying me to the case since I never needed to change my own grades. That didn’t matter. One students testimony was all they needed to expell me. They used the fact that on back to back calculus tests during the time in suspicion, I went from a 79% to a 95%. They didn’t consider that the tests covered 2 different chapters. It was a good life experience in hindsight however.

>there was absolutley zero evidence tying me to the case

From your description it sounds like there was actually quite a significant amount of evidence (e.g. the testimony of one of the students).

The kid who left his flash drive and was caught red handed. He had a big incentive to downplay his role as much as possible. Didn’t work though, just caused more people to get expelled

No witness is 100% reliable, but it sounds like he was in fact telling the truth and the school came to more or less the right conclusions about who did what.

People have been convicted of murder on the basis of the testimony of a single witness, so it's not that shocking to me that a similar standard of evidence suffices for expulsion.

You’re lucky you weren’t in bigger trouble. My school called the FBI and prosecuted a kid for doing something similar.

My high school friend was threatened with expulsion and legal action for telling the school administration about the gaping security holes in their grade and attendance systems, which he probed (with permission from a teacher) but never exploited.

He offered that he could publicly announce his findings instead, and they told him they would let him off with a warning as long as he didn’t tell anyone. Then they did nothing about the vulnerabilities.

It would have been very hard to prove we hacked the system from within the network using the proper credentials. I doubt they could have proved much especially to the defree required tk make it worth anyones time

Our school hired me and a friend after the comp sci teacher found password printouts after we backdoored NetWare. We hadn't changed anything, it was more for the fun of it but we were certainly lucky he was understanding. Could have gone a lot differently.

If there’s doubt about the authenticity of a grade in the computer, why not ask to see the test paper in hard copy?

There were actually 2 separate gradebooks we were accessing. The first was called MakingTheGrade and it was used by teachers to compute semester scores. Another program that was used by counselors and admins could access digital transcripts. To access those we needed to get the hashes from a counselor’s computer which is where the infamous flash drive originated.

I never modified any of my semester or transcript grades but people who i worked with (like a counselors TA) changed theirs. I also changed transcripts for a few friends who were seniors and they actually were able to get a notorized copy of the fake transcripts before everything was uncovered and got into ucsd on appeal with the forged documents. However in case of disaster, most schools keep at least 1 years hard copy usually in some shipping container or trailer. We even considered setting fire to the hard copies but it turns out they just get replaced by the forge ones if you can get away with it long enough

Do you have any regrets?

No, because I consider the lesson learned far more valuable than what I lost. In college, I never had the urge to cheat on anything and if I didn't do the work I simply took the F rather than copy. My pre-expulsion self would have done whatever it took to get the A. Post-expulsion I realized that what I know and what people say or think I know will never be the same. A grade is simply what one person thinks that you know. It is not the arbiter of one's knowledge, you are.

I used to break into the locked cabinet that held my high school’s 5MB removable hard drives (Look upon my works, and weep), but I never touched the one with our grades, I was having too much fun with the one that had a single-user BASIC implementation.

It bumped available RAM to a whopping 16K, so I could develop my Super-StarTrek and Eight Queens programs. I certainly was in danger of being suspended or expelled just from the break-in, but in retrospect, my CS teacher was looking the other way.

Mind you, it may have played a factor in another way. There was a Computer Science medal, it went to another student with lower grades.

I was upset at the time, but in hindsight my devil-may-care attitude towards other people’s needs is a perfectly reasonable thing to take into consideration. He was probably more helpful to other students at the time, I was getting all my social credit from letting people play the game I wrote.

Any ways... Sorry you were expelled, but glad we have both learned lessons that helped us become decent human beings.

In the picture timeline it says:

>Tiffany Filler is accused of logging in with the "Scott Shaw" account from her MacBook Air from Tufts' wireless network to view answers for a small animal medicine bonus quiz, then minutes later on her own account to take the quiz

That's smoking gun evidence. It's theoretically possible that she is the victim of an elaborate scheme to frame her but it seems pretty extraordinarily unlikely.

I don't quite see the evidence for the requirement of "detailed and extensive hacking ability". It seems like on administrator account was compromised and used to create/access other accounts. The initial compromise could be as simple as looking over a shoulder, swiping a post it, or guessing an obvious password. After that, it's just basic computer skills to do what they did.

Seems to me like she hired someone to help her pass. They had remote access so they could make it look like she was taking the tests on her own laptop. They'd have to do it during times when she wasn't using it herself.

If she wasn't involved at all, how would she not notice that quizzes were being completed without her taking them? How would she not notice that her grades were improving?

> That's smoking gun evidence.

Even after you consider all the counter evidence, such as the time she hacked the network when working in a lab without computer access (according to many witnesses)?

I don't know what could have happened here, but going off the TechCrunch article, the school's story doesn't add up.

>network when working in a lab without computer access (according to many witnesses)?

Someone else was using her laptop.

So now she had an accomplice too?

That's quite a bit more reasonable than a mysterious disgruntled roommate extracting revenge through a convoluted cheating scheme over the better part of a year.

To me, the even more plausible scenario is that the school’s entire story is just wrong in some fundamental way. Who knows what was actually in their system logs. The school seems very eager to ignore anything that doesn’t support their case.

If she had an accomplice, that should have been the story presented by the school. But it wasn't. If you’re going to accuse someone of wrongdoing of this magnitude, you need to have a coherent version of events.

Or she had it automated to run a script when she wasn’t there.

That's a whole lot of effort for someone who according to the school didn't bother to spoof their MAC address.

And how exactly would you even attempt to do that when you can't even log in to see what you're working with, let alone test anything. Testing web apps with something like Selenium is hard enough as it is, trying to only work on it without access to anything while you're at the computer might as well be impossible.

Remember she had a housemate who had it in for her. And MAC addresses can be spoofed. And when attempts were made to contact that person, the person refused to respond.

The housemate's scheme didn't have to be elaborate in order for the spoofed MAC address to provide a smoking gun. It's dead simple. Beyond that, Tufts' theories are elaborate, or maybe a better word is torturous, but that's on them.

Focusing on cloning a MAC is a red herring, which we've unfortunately been pushed into from having to continually rebut this persistent nonsensical idea that it's some kind of fixed identifier.

The more likely scenario is a straightforward remote-access trojan installed by a housemate. Every other detail then falls out socially.

Ultimately, prosecution of computer tampering continues to reek of "burn the witch!". With emotionally charged terms simultaneously used to focus blame by ascribing superpowers to the defendant, while deflecting any competing theories as too complex for anyone but the witch.

School networks tend to emphasize MAC addresses as an identifier, simply as a historical consequence of when those networks developed. A MAC address used to be more meaningful than it is now. For example, at my boarding school around 2008, the internet shut off at 11pm, unless you set your MAC address to the same as a library computer...

Point is, I can easily imagine a grumpy and misinformed IT person placing an unrealistic amount of confidence in a piece of evidence drawn from a MAC address.

It works that way defendants too.

I was on a jury for a case where a guy plead manslaughter down to reckless driving because IT supporting various police agencies was inept or working with ancient junk and a expert witness was unable to explain how NTP works.

The defense attorney was able to dazzle and jive his way to dismissing the evidence. This happens because the issues are complex and the practice of IT is so poor.

/might be related

I've seen something similar in regards to a normal DUI case. The defense lawyer talking about 1970's RADAR tech in airplanes, NTFS filesystems, Windows Server, "md5 hashing protocols" and other items "related" to the case.

The judge was all sorts of confused and "phoned a trustworthy friend who worked in a fortune 500 company" for clarity.

That guy got out of a DUI after 5 x 2-3 hour sessions in court. 10+ hours of court to get out of a couple hundred dollar ticket, if that.

I really wonder what the lawyer fees were though. No way was he doing that for free or cheap. It was his first offense and this state is very lenient on DUIs.

Showed me exactly why I never want to be in court, on either side.

/leaving a lot of details out, but man, was it depressing to watch.

DUIs can be a lot more serious than just a few hundred dollar fine. They can result in the loss of your license (and consequently your ability to work), possibly several months in jail, and bar you for life from some countries (Canada won't let you visit if you've gotten a DUI.)

Spending many thousands of dollars on lawyer fees to get yourself out of a DUI can make a lot of sense unless you're in a jurisdiction that doesn't take DUI seriously. Of course it makes a lot more sense to only drive when bone dry sober.

Trust me, I know they can be serious, but

>> jurisdiction that doesn't take DUI seriously

That describes where this was at perfectly. Which is why I had put

>> It was his first offense and this state is very lenient on DUIs.

I probably should have used a different word than lenient, but it is what it is.

I would propose "rational". The level of animosity and punishment directed at checkpoint victims in most of USA is really quite amazing, and totally out of proportion to any reasonable understanding of the risks of automobile travel.

Yep that's also a very likely scenario, I agree.

That’s not even close to being smoking gun evidence. Courts treat all computer evidence as circumstantial, and the key for a forensics expert is to create such a preponderance of it that guilt is the only credulous explanation. Here you just have two events linked in time, and nothing establishing she was behind the keyboard.

And who’s to say she didn’t share the Scott Shaw account with others? She’s claiming that some of the times it was used she couldn’t have done it, not all of he times.

I think that’s pretty much the case regardless. Sometimes you just happen to be using your computer when someone hacks your account.

I think the answer is obvious, someone helped her.

I think the answer is obvious, they tried her without a defense. They never explored what actually happened.

There's an imprecision in much of this article, particularly -- but not exclusively -- in quotes from administrators whose cluelessness is revealed thereby, the cumulative effect of which I find infuriating. Settle A before you move on to B, people.

Analogy: I place two champagne glasses in a box, close the box, put in earplugs so I can't hear glass breaking, then shake the box violently. Then, without opening the box, I decide champagne sucks forever and throw away the champagne bottle. That's what this feels like.

Example: What does the word "hack" mean? There are at least two overall "families" of connotations it has, one of which is in the name of this site. But if someone told you to hack, that is in no way enough information to carry out any specific action. That's how you know you're dealing with a derived or secondary concept. Too many statements here are being formulated in secondary concepts. Like the closed box of maybe-broken champagne-glass glass. And then those vague concepts are being related vaguely to other vague secondary concepts, and decisions made about those concepts based on that. Like throwing away the champagne bottle. What a clusterfuck. Idiocracy is here.

And it's quite possible this girl is innocent but Jesus H. Christ don't post your password on the WALL! Unless maybe you can satisfy yourself that you have sole control of the room!

Does it really matter whether or not we call it "hacking"? Let's call it "unauthorized access" instead.

Whoever actually broke into this account was behaving maliciously, regardless of how easy it was (or wasn't) to do.

I'm not sure I understand the relevance of the analogy, can you explain?

I hate the attempt at framing this as a “guilty until proven innocent” the actual facts laid out its more of a “innocent until we had tons of evidence that we deem sufficiently proves you did it at which point you’ll need to mount a defense.”

It's worth noting the following facts:

- There were a chain of human and technical vulnerabilities exploited

- MAC addresses can be changed – nearly all ethernet controllers and some wireless chipsets support changing the MAC address;

- MAC addresses are public knowledge. Anybody who ever receives a packet from your machine has your MAC address – and don't forget that Apple devices send tons of auto-discovery broadcast packets; and

- Anybody suitably competent to pull off the technical side of the attack is likely to be able to spoof MAC addresses.

It's worth noting that Knoll's letter also includes this gem of total misunderstanding:

"... date stamps are easy to edit. In fact, the photos you shared with me clearly include an "edit" button in the upper corner for this very purpose."

The article seems to me to be far more about low-burden-of-proof disciplinary panels – where the same people who set the rules interpret and administer the rules whilst trying to appear reasonable.

The fact that a "defendant" asks for a date and time of alleged incidents before submitting evidence is not at all "puzzling" – the alternative is submitting every photo over a months-long time-frame, which is certainly not reasonable.

Also the incentives of the university staff are not at all aligned with "the truth". If they spend a hundred hours investigating it and find that they really did falsely accuse her and cause her harm, it advances their careers no more than rubber-stamping her expulsion

"MAC addresses can be changed – nearly all ethernet controllers and some wireless chipsets support changing the MAC address"

Just to be clear.

Windows 10, MacOS and Ubuntu, all allow one to set/override their MAC address usually via a dialogue box.

I don't recall ever using a DSL/Cable modem that did not support setting/overriding the MAC address.

Cable modems actually never allow you to change the MAC address. You're thinking of consumer routers which commonly allowed cloning a MAC because old internet services would hardcode a single MAC address per account in order to prevent customers from just grabbing 10 public IP addresses each.

Just about every single DOCSIS network still in existence uses BPI+ to encrypt the traffic to each customer to make sure that you can't just sniff traffic for the entire neighborhood and steal service. BPI+ has a certificate that is minted and signed at the factory with the device's MAC address in it. If you tried to change the MAC address, even if you had root, you wouldn't have a valid certificate so the modem would never get a connection.

Yes, of course you are correct. I did mean consumer routers.

Cellphones. Mine certainly doesn't allow me to alter my mac.

FWIW, that says more about your relationship with "your" cell phone than its own capabilities.

Protocol wise, a MAC address is fundamentally the choice of the client. And for cloning, they aren't even obscure but printed right on every device.

That this has to be continually re-explained to lawyers unfamiliar with technology, because they see some identifier and immediately assert it's immutable until rebutted, is getting to the root of the real problem here. An ethernet MAC is at best, circumstantial - acceptable for tracking down a lead, but means jack-squat when it comes to proof.

Furthermore, the fact that we're still going over this in a technology forum demonstrates the probable lack of competent diligence done by the school's IT department before presenting their "expert" opinion.

You must not be using android, because my android allows it without rooting

Some manufacturers and/or carriers require the phone to have developer options enabled (aka developer mode) for the MAC address to be changed, for example...most Verizon phones.

It does if you try a little bit. But, you said truly, not if you don't.

Your MAC address doesn’t leave your local network, so I am not sure how that can be used to track anyone?

"said to be traced from either her computer — based off a unique identifier, known as a MAC address — and the network she allegedly used, either the campus’s wireless network or her off-campus residence. When her grades went up, sometimes other students’ grades went down, the school said."

I'm guessing that the evidence they've got is that the IT dept have the MAC address that was used by the devices that connected to their network, and have associated MAC addresses with the IP addresses allocated. Then that IP was used to connect to their internal system to change grades.

It's pretty flimsy evidence, as anybody who had received a packet from her machine on the same network (i.e. if she ever connected to the university, which she allegedly did) would know the MAC address. So when I say it's public knowledge, I suppose I should've said it's public knowledge given you can connect to the same network. It really wouldn't be that hard to frame someone that way, and things like iTunes library sharing really help – because they conveniently tell you whose library is being shared.

It's quite possible that somebody who knew who she was and who knew her MAC address could have done this. That could have been somebody sat in the same class. It's also entirely possible that she had the technical skills to pull of the technical side of the hack (bypassing 2fa) and didn't know a thing about networking.

It also sounds like they have figured out the IP address that she has used to connect to her own university intranet account and found that it matched the IP that accessed the hijacked account. That's again pretty inconclusive.

I came here to comment that too. It didn’t sound like she was on a campus network from the article, so there is literally no way the university would know what MAC address was used.

that letter was hard to read. it was from someone who had already made up their mind and put up a reflector. her response made me think of someone playing play investigator and reminded me of michael bluth and maritime law in arrested development.

> Anybody suitably competent to pull off the technical side of the attack is likely to be able to spoof MAC addresses.

From reading the article, the technical side of the attacks seems to be illegitimately using an administrators password. There are no details of how the hacker obtained the password, perhaps they just glanced over the shoulder of the library staff member as they entered it?

The more important part of the letter regarding the photos is the fact that they weren't produced until after the student was given the exact time periods of the incidents.

Obviously there would of been no point in producing random photos until they counted for an alibi.

That's true. But nevertheless it's still low quality evidence of her innocence.

They could have said, ok, send us photos from this wide date range and then we will look to see.

Even so, if she knew when she hacked the accounts she could create edited photos without them telling her when she hacked them (assuming she recalled when she did it)

Not necessarily, if she enlisted someone else to do it.

The possibility would be there though, forcing anybody considering the evidence to consider the possibility that she was the culprit and, as the culprit, was capable of fabricating evidence of her innocence.

The standard of proof in cases like these isn't "beyond a reasonable doubt".

I'm well aware, not sure why you think I'm not.

If she were guilty of hiring somebody to do the hacking but not actually doing it herself, then she might not know when the sensitive times were and would therefore be unable to fabricate evidence covering the sensitive times. That's what you pointed out, however it's not particularly relevant. The possibility that she was the technically competent hacker who was capable of fabricating EXIF data is a strong enough possibility for the university to meet their low standard of proof, and consequently determine she's guilty.

The letter sounded as if it was part of a written conversation between two spouses fighting over when/what/where.

Far too emotional and completely out of place for a Dean writing an official letter.

Surely it would have been more suspicious if she had offered alibis without having been told when the incidents happened?

Sure, it would. She could have turned over all reasonable photos between a range of dates, though.

Is she supposed to just give every photo of herself to the school?

She obviously doesn't have to, but the manner in which she turns over photos certainly impacts their credibility as evidence.

You clearly have no experience with university tribunals. The only path to getting a fair hearing is to retain a lawyer and threaten to sue the school. At which point there's a good chance the school's counsel realizes their case actually won't hold up in civil court, and the school backs off.

The glaring question is what evidence is there that this was not done with a remote-access trojan on her computer? The article says that other students' grades were changed, and I can think of no better cover than making sure the blame falls on someone else.

> You clearly have no experience with university tribunals. The only path to getting a fair hearing is to retain a lawyer ...

Very true. During my onboarding at Gatech, they clearly told us (in similar words): "Unlike courts, the burden of proof is on you, not on us. If caught hacking, you'll serve jailtime then come back to find us waiting."

It's not quite that extreme, but the burden of proof is generally no more than preponderance of the evidence, i.e. more likely true than not true. This is the case for many associations that have internal discipline or jurisprudence for misconduct by their members.

By the way, the reason to retain a lawyer is so that you don't unwittingly say something that could create criminal liability. Nobody has a right to attend Tufts and as long as they follow their policies a lawyer or court is not going to stop them expelling you.

Except the board deliberating and passing judgement had a victim of the hacking on it, and chose to completely ignore the fact that this student was in class with mamy witnesses when some of the hacking events occured according to the logs.

This is pretty normal for K-20 committees though, they operate as extrajudicial kangaroo courts that can easily acrew students out of their education and labor.

> the board deliberating and passing judgement had a victim of the hacking on it

now that you mention it, that's a starkly direct conflict of interest.

Yes, even arbitration doesn't have direct, show stopping conflicts of interest like this.

The K-20 education sphere loves its kangaroo courts though, most LGBTQ+ people I know have been cheated of their high school diploma by this scam perpetuated by school administrators.

Don't be different in any way, lest an administrator chooses to boot stomp you amd refuse to acknowledge you ever took courses at their school.

Do you mind saying more? I've never heard of this before.

Most non-straight people I know did not graduate high school. Its a serious issue, and those that did generally flew under the radar and appeared straight until college.

I know one trans person who was set to go to an Ivy League school (incrediby adept at mathematics) that got outed and has been relentlessly harassed by both their parents and school.

I've been trying to encourage them to fire high school and go all Running Start, cause it ain't gonna get better wrt the school administrators being horrid. They likely won't graduate if things fail to improve.

Edit: This is in Seattle Public Schools proper, Bellevue, Northshore and other districts are on point about expelling those that cop to not being straight or cis. Its been painful to watch bright kids get needlessly ejected from the system that is supposed to provide them an education.

t its more of a “innocent until we had tons of evidence that we deem sufficiently proves you did it at which point you’ll need to mount a defense.”

Shorter version: preponderance of evidence, which is usually the burden schools are most prone to adopting, isn't it?

Yes, 51% of evidence. Also known as "random guess plus one percent."

Similar to "FerSris Bueller's Day Off" the teachers had the school's password written on a list posted on a cork bulletin board in the teacher's lounge. I had to have access to the teacher's lounge to use the scanner for my 6th grade newspaper. This was like 1992, and I initiated a push to move the paper to use computers.

Anyway, I got caught because I used the tool to remove some of the kids I didn't like from classes I was in... but for every person I dropped I had to add another... and I probably had to change about 300 people around to make it all work out. The school kept the classes the way I left them, and my "punishment" was that from then on I had to be "on call" for add / drop periods every semester to help the administrators handle requests from other students.

Let me tell you, I hated the first half of 6th grade, but 7th & 8th were pretty cool since I got to pick all the people I went to class with.

Oh, and I called in a snow day once... you just had to know the verification word associated with the school when you called the news. That word was also written on the bulletin board. I miss how simple things were back then.

> "insofar that she pinned her password to a corkboard in her room."

I did something very similar to this in highschool, I believe after reading about RMS doing the same, to give myself some sort of plausible deniability.

It seems possible that her computer was used with remote access tools, but its also possible that other grades were changed including hers to make it less obvious who the actual culprit might be.

If you think you have a computer security problem and the operating system has been pwned, you don't hire some random person off Fiverr to "scan" your computer.

You might if you are a vet and don't know much about computers. She had her password on the wall of her room.

That's the most implausible thing about this - the university is suggesting that a vet is some kind of l337 hacker. In my experience vets and hackers are about the most distant groups of people possible.

However, it is plausible that someone else stole the librarian's password, created the account and sold access to her.

Vet and former high school hacker here. Just saying.

where were you on the night in question?

Maybe you do, but you obviously shouldn't.

I can't support this student , why wiping her hard drive when there is a serious hacking case allegedly committed through her laptop? Is her personal bank account and ATM card passwords also written on her room wall? School administrator pointed out that one of her supporting evidence was altered( not the original rounds sheet.) Finally, when her results were bumped up she should have exposed that .. to free herself.

meta: This was auto-killed, probably due to being an outline.com link

We've updated the link from https://outline.com/ZTzSYa.

Couldn't they trace the IP that the RAT was phoning home to for a lead on the external culprit, given they were on campus and the possibility of matching the times of the RAT accessing victim's machine and possible CCTV footage of any dorm hall entrances indicated by IP and logs of users etc.

The whole RAT idea doesn't make sense. There's no reason for someone to infect her computer to go give her better marks. That's not how it works.

Countless engagements I have spoofed my MAC to 11:22:33:44:55:66 with a hostname of 'you're being hacked'

In other news: A private uni knows how to attribute cyber attacks correctly.

I'm sure, some intel people would love to have that knowledge !

How hard is it to fool the fitness tracker? Unless it has some robust detection of being taken off and being put back on it would seem like it could be fooled in a variety of ways.. not that it means she is guilty but fitness trackers being used in court is already a thing so I wonder if they are actually hard to fool by just normal people doing something simple..

> "fitness trackers being used in court is already a thing"

It seems to me the quality of that sort of evidence really depends on the nature of the accusations. If somebody is accused of being a technically proficient hacker, this sort of technical evidence of their innocence may have a lower value than if somebody is accused of murdering their business rival in some mundane non-technical way.

In other words "accused is a murderer and a hacker" is less likely than "accused is a hacker and a hacker"

These sorts of arguments are sometimes made, that the suspect was technically proficient and thus could manufacture/manipulate lots of evidence to cover his/her tracks. My experience is that it’s rarely justified. Given the repeated pattern of connections alleged by Tufts, it would be difficult not to have trace evidence on the Mac corroborating it. Unfortunately, that evidence is gone — the fact it was conveniently wiped makes it hard for me to be on the student’s side. However, it’s also the case that Tufts did not conduct a worthy forensic investigation.

As an example, macOS maintains a separate, hidden resource fork on every file downloaded via the browser. There’s a corresponding SQLite database of such “quarantined” files, providing some redundancy. I’d be curious about whether the discovered RATs had quarantine entries. I’d also be curious about what the system logs say.

> macOS maintains a separate, hidden resource fork on every file downloaded via the browser. There’s a corresponding SQLite database of such “quarantined” files, providing some redundancy. I’d be curious about whether the discovered RATs had quarantine entries. I’d also be curious about what the system logs say.

Um, separate from this case, that's a bit worrying from a privacy perspective.

It’s how it warns you whether you want to open a file that was downloaded from the internet. Windows has a similar feature with a similar implementation.

This should be done exclusively from extended attributes…


Could you please stop posting unsubstantive comments to Hacker News? You've been doing it a lot, and we're trying for better here.

In addition to https://news.ycombinator.com/newsguidelines.html, you might also find these links helpful for getting the spirit of this site:





In what way? You probably aren't proficient enough to cover your tracks on a computer (short of wiping it--and maybe not even then) from a competent computer forensics examiner? That shouldn't really be surprising.

> In what way?

Well, I don't intuitively see a huge difference between my browser history being kept in a database I can't clear (short of nuking the whole system) and my download history being kept in a database I can't clear. I think we'd agree that one would be a problem, so isn't the other? Could a malicious program read this, for instance?

Wiping works. The old saw about needing to wipe more than once is bunk.

I meant that, even if you wipe your computer, there may be evidence generated automatically elsewhere such as routers, backup/sync accounts, etc.

Couldn't they trace the IP that the RAT was phoning home to for a lead on the external culprit, given they were on campus and the possibility of matching the times of the RAT accessing victim's machine and possible CCTV footage of any dorm hall entrances indicated by IP and logs of users etc.

The fitness tracker defense is dumb. A hacker skilled to the point of finding 0days in their systems can just script the hacks while you sleep.

However the fitness tracker defense in conjunction with mac-user and going to apple store for help tells me she's tech dumb, location data turned on for pictures. I highly doubt there has ever been another PHD veternarian who is also a skilled hacker with this level of techdumb still happening.

She might be dating or know someone who is hacking... but you don't get to being a PHD student without knowing your field. Your teachers would know if you're dumb.

Hand it to someone else.

This feels like lawsuit material.

Sounds like there may have been someone who she knows or doesn't know who wanted to "help" her get better grades and such. They thought they were helping without her knowledge and it backfired.

Just another theory I thought could be plausible.

>Filler is back home in Toronto. As her class is preparing to graduate without her in May, Tufts has already emailed her to begin reclaiming her loans.

Guess she better default on those then. good luck collecting from someone in Toronto

And hope for the rest of your life nothing comes of it crossing the border

She will pay it off with the civil suit.

The US and Canada tend to bend over backwards for each other.

Better to move to a country where charging tuition is some kind of crime.

> elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.

Is this actually considered hacking? My mental model of hacking has always involved discovering and exploiting security vulnerabilities in a software system, not just finding and using somebody's password.

You or your business are much more likely to have your information stolen because of credential theft than someone discovering and exploiting vulnerabilities. This is regardless of whether your attacker is a nation state or a cheating student. Whether you decide to call it "hacking" is irrelevant when they're in your network.

I never meant to suggest it shouldn't be taken seriously.

I wouldn't consider it hacking. This is not using the system in a way it wasn't intended to be used. This is in fact the correct way to get into the system.

Depends on how the passwords were obtained, I guess.

We settled this debate in Slashdot in 1998. Your definition is too narrow.

This HN/hacker mindset that because the school/company/software was vulnerable or flat out incompetent, it’s ok to do something they know to be immoral. Just because you can do something, doesn’t mean it’s morally acceptable. The justification of look how stupid the school/company/software was is weak and lacking personal responsibility.

They are making a pointless argument about the definition of "hacking", there's nothing in the comment dismissing the wrongdoing.

Now that this has gained wide attention the Tufts university counsel and administrative layers are preparing themselves for the inevitable lawsuit. Defamation, actual damages, pain and suffering etc.

I doubt the public will learn what actually happened but just from that article we can conclude that all parties to that investigation were remarkably lax in their approach to DFIR and I've seen several people on twitter say she would have been better off under an FBI investigation with people who actually know the job than Tufts.

My guess; gender based harassment by a member of the Tufts IT staff who thinks he was extremely clever and will not be caught since he ran the investigation as well as the crime.

And we know what happens to people who think they are clever; they boast and it is their undoing.

I'm curious if this lady is a serial social media user like most young people? Going on a 70 mile trip and not doing social media updates or taking more than 2 pictures would be suspect behavior for some people.

Does iPhone have location history option like Google maps does on android?

How did she get there? Did she just drive herself 70 miles? Does she own a car or did she rent one? Did she take a train or bus and still has the ticket? Did she go with a friend? Did she eat a meal and pay with a credit card there? Did she buy gas?

How about checking in the provided photos if features present in the photos match what would be there at the date in question. Does the forecast show it was rainy there but it's sunny in her provided pictures? You could measure shadow length if it may have been faked at a particularly different part of the year. You could search social media for tagged pictures from others which may show her in the background. Were there displays or construction that was modified between the date of the alleged hack and when she could fake a photo there?

Does the xiaomi tracker differentiate between (on a human and human sleeping) vs (not on a human and sitting on a nightstand)?

Did any other student grades get modified upwards?

Shit, you're making me concerned that I should open a facebook account and start uploading records of everything + making paper trails of everything I do in case I'm accused of a crime in the future

I once read about a black guy who would, when out and about, make it a point to stop by places which have cameras (ATMs, stores, etc.) periodically, just so he would have proof of being near those places. I'm sorry I don't remember where I read it, but it stuck with me.

I remember Patrice O'Neal had a bit about this.


Social media posts have helped exonerated people in the past


Well, generally it couldn't hurt your defense case to have exculpatory evidence on a third party server which you don't have control of, whether it be Facebook, Google, cell tower records, etc.

Also please note that I did not day that not having social media updates is indicative of guilt in itself. Absence of evidence isn't evidence of a crime. Even if she was an obsessive social media user, maybe her phone died and she couldn't post that day.

Think you’re being downvoted because of “young people” generalizations, but you are absolutely correct that forensic analysis of her cellphone could provide countervailing evidence.

It’s too bad her Mac was wiped. It’s clear Tufts messed this up, and they should forgive her loans; it’s not clear she’s innocent.

According to Techcrunch, it has been done (after the expulsion evidently):

We asked Jake Williams, a former NSA hacker who founded cybersecurity and digital forensics firm Rendition Infosec, to examine the metadata embedded in the photos. The photos, taken from her iPhone, contained a matching date and time for the alleged hack, as well as a set of coordinates putting her at the Mark Twain House.

While photo metadata can be modified, Williams said the signs he expected to see for metadata modification weren’t there. “There is no evidence that these were modified,” he said.

>While photo metadata can be modified, Williams said the signs he expected to see for metadata modification weren’t there. “There is no evidence that these were modified,” he said.

Assuming the person changed all data/time fields including those in the file system, what other signs of modification would there be? I poked around online and didn't find anything.

My first guess would be weather records from that day, if the photo was taken outside.

I’ve met Jake a couple of times, he’s a good examiner.

TFA says he looked at the [EXIF] metadata of the photos. There’s nothing in here to suggest a comprehensive forensic analysis of the cellphone itself (eg from a Cellebrite extraction). A phone is a treasure trove of SQLite databases.

> A phone is a treasure trove of SQLite databases

This is so true. I've thought for a long time that a cool art experiment would be a blackbox with a lightning cable protruding out of it. You plug your phone in and answer "Do you trust this computer?" And if you do, those "SQLite databases" you mention get projected on the wall. A bit like the wall of sheep, I guess, but more for the purpose of educating people just how much data is actually on their phone.

Her loans are almost certainly not originated by Tufts, and even if they wanted to, the university wouldn't be able to unilaterally forgive them.

Also, what kind of student loans are dependent on graduation? If they were, we'd probably have cases of people intentionally being expelled to avoid debt shortly before graduation.

Or a market emerging of companies offering jobs to near-graduates with the understanding that dropping out wouldn't result in revocation of the offer. Actually, that might not be the worst outcome if it encourages a focus on abilities over credentials.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact