If you allow yourself to be placed at the mercy of these kinds of systems, you are going to get clowned on because they are designed to achieve that goal and to prevent you from pressing whatever actual legal rights you may have. If you are on "trial" in a kangaroo court system you have to recognize that the court trappings are there to disarm you, convince you to do things against your interest, and to railroad an outcome that benefits the institution and not you.
Understand that in the US students have no rights to challenge a college's rulings, whether it be a public or private institution. They can absolutely do arbitrary decisions like expel you.
I was in this situation. A friend did a stupid thing and police were called. I had filed a witness statement with the police as supporting evidence that the stupid thing he did was not malicious. Instead of a criminal charge, he got a petty disorderly persons charge.
School didn't like that, the police got their blood but the administration wanted to power trip. As I was signing up for classes for next semester, I noticed the system had a financial hold on my account. So I contacted the dean of academics, which responded by email saying that by student handbook regulations I would have to give an account of what happened on school grounds, this was procedural and no charges were being brought against me.
I go to give my account with other student witness, the 'kangaroo court' was made up of 50% administration, 50% student body. I was given a school advocate. I told them they had an official account from my police witness statement. They informed me that they were looking to sanction me, but wouldn't state what they would do that day. I told them the dean had said there would be no charges against me, I was literally only a witness. I demanded due process, claiming that since I hadn't been informed of potential charges/sanctions I wasn't given the opportunity to retain legal advice. They said they didn't have to abide by any sort of due process. I had to wait a week for the outcome of the tribunal to come in the mail. I was to have my records marred by the event, would be forced to do an absurd number of community service hours, letters of apology, and a paper about the event.
I hired an attorney and spent 2 years in civil courts fighting. The school retaliated by expelling me. They also did things like tell the other witness that they would have reduced his sanctions, but because I was challenging them he would have to serve out the full amounts. It was a gigantic waste of time and money. I did get my credits out and was able to continue on with my life but there was no other upside to this.
The disgust I have for US university administration knows no bounds. Going to university in the US is like living in a concentration camp: the goal is not to challenge the masters, but rather to keep one's head down and survive.
EDIT: Best part of the above. School couldn't touch the guy who was charged. He paid a small fine and the record was sealed after a year of no charges. Through the entire ordeal I had the support of my fellow students and the faculty that believed such things were not possible. It absolutely is and I have a large stack of court precedent detailing prior cases that have gone to trial where the school was affirmed in its absolute power over students.
I was adjacent to a similar situation that led to a student being improperly involuntarily committed. I got a real attorney involved and they eventually settled with the state for a full ride at a different state university. It took a long time though.
FWIW, the above happened at a state one. Maybe I could have had a better outcome if I could tolerate another year or two of court. It did not help in my case that the original judge retired and new one was pushing hard for a settlement.
I won't and can't claim to know what's going on here from third-hand hearsay but it's clear that there's more moving parts than the university claims were involved (like the presence of a mysterious iPhone 5S, the activity that happened when the student was demonstrably not anywhere near a computer). The only conclusion I can see is that university IT departments should not be doing these kinds of investigations, between their lack of training/skill/knowledge and the very serious issues around conflicts of interest.
Heck, for all we know, a guy in the IT department who illicitly changed grades for $$$$ was using her as a fall-guy/patsy -- having the IT department do a pseudo-forensic pseudo-investigation is a surefire way to prevent that sort of thing from coming to light.
We were caught because one of the people I was working with left a flash drive with his homework as well as decrypted teacher passwords in a classroom workstation. When the teacher examined the drive to ascertain its owner, they discovered their own decrypted password.
Interestingly, there was absolutely zero evidence tying me to the case since I never needed to change my own grades. That didn’t matter. One student’s testimony was all they needed to expel me. They used the fact that on back to back calculus tests during the time in suspicion, I went from a 79% to a 95%. They didn’t consider that the tests covered 2 different chapters. It was a good life experience in hindsight however.
From your description it sounds like there was actually quite a significant amount of evidence (e.g. the testimony of one of the students).
People have been convicted of murder on the basis of the testimony of a single witness, so it's not that shocking to me that a similar standard of evidence suffices for expulsion.
He offered that he could publicly announce his findings instead, and they told him they would let him off with a warning as long as he didn’t tell anyone. Then they did nothing about the vulnerabilities.
I never modified any of my semester or transcript grades but people who I worked with (like a counselor's TA) changed theirs. I also changed transcripts for a few friends who were seniors and they actually were able to get a notarized copy of the fake transcripts before everything was uncovered and got into ucsd on appeal with the forged documents. However in case of disaster, most schools keep at least 1 year's hard copy usually in some shipping container or trailer. We even considered setting fire to the hard copies but it turns out they just get replaced by the forged ones if you can get away with it long enough.
It bumped available RAM to a whopping 16K, so I could develop my Super-StarTrek and Eight Queens programs. I certainly was in danger of being suspended or expelled just from the break-in, but in retrospect, my CS teacher was looking the other way.
Mind you, it may have played a factor in another way. There was a Computer Science medal, it went to another student with lower grades.
I was upset at the time, but in hindsight my devil-may-care attitude towards other people’s needs is a perfectly reasonable thing to take into consideration. He was probably more helpful to other students at the time, I was getting all my social credit from letting people play the game I wrote.
Anyways... Sorry you were expelled, but glad we have both learned lessons that helped us become decent human beings.
>Tiffany Filler is accused of logging in with the "Scott Shaw" account from her MacBook Air from Tufts' wireless network to view answers for a small animal medicine bonus quiz, then minutes later on her own account to take the quiz
That's smoking gun evidence. It's theoretically possible that she is the victim of an elaborate scheme to frame her but it seems pretty extraordinarily unlikely.
I don't quite see the evidence for the requirement of "detailed and extensive hacking ability". It seems like an administrator account was compromised and used to create/access other accounts. The initial compromise could be as simple as looking over a shoulder, swiping a post it, or guessing an obvious password. After that, it's just basic computer skills to do what they did.
If she wasn't involved at all, how would she not notice that quizzes were being completed without her taking them? How would she not notice that her grades were improving?
Even after you consider all the counter evidence, such as the time she hacked the network when working in a lab without computer access (according to many witnesses)?
I don't know what could have happened here, but going off the TechCrunch article, the school's story doesn't add up.
Someone else was using her laptop.
If she had an accomplice, that should have been the story presented by the school. But it wasn't. If you’re going to accuse someone of wrongdoing of this magnitude, you need to have a coherent version of events.
The housemate's scheme didn't have to be elaborate in order for the spoofed MAC address to provide a smoking gun. It's dead simple. Beyond that, Tufts' theories are elaborate, or maybe a better word is torturous, but that's on them.
The more likely scenario is a straightforward remote-access trojan installed by a housemate. Every other detail then falls out socially.
Ultimately, prosecution of computer tampering continues to reek of "burn the witch!". With emotionally charged terms simultaneously used to focus blame by ascribing superpowers to the defendant, while deflecting any competing theories as too complex for anyone but the witch.
Point is, I can easily imagine a grumpy and misinformed IT person placing an unrealistic amount of confidence in a piece of evidence drawn from a MAC address.
I was on a jury for a case where a guy plead manslaughter down to reckless driving because IT supporting various police agencies was inept or working with ancient junk and an expert witness was unable to explain how NTP works.
The defense attorney was able to dazzle and jive his way to dismissing the evidence. This happens because the issues are complex and the practice of IT is so poor.
I've seen something similar in regards to a normal DUI case. The defense lawyer talking about 1970's RADAR tech in airplanes, NTFS filesystems, Windows Server, "md5 hashing protocols" and other items "related" to the case.
The judge was all sorts of confused and "phoned a trustworthy friend who worked in a fortune 500 company" for clarity.
That guy got out of a DUI after 5 x 2-3 hour sessions in court. 10+ hours of court to get out of a couple hundred dollar ticket, if that.
I really wonder what the lawyer fees were though. No way was he doing that for free or cheap. It was his first offense and this state is very lenient on DUIs.
Showed me exactly why I never want to be in court, on either side.
/leaving a lot of details out, but man, was it depressing to watch.
Spending many thousands of dollars on lawyer fees to get yourself out of a DUI can make a lot of sense unless you're in a jurisdiction that doesn't take DUI seriously. Of course it makes a lot more sense to only drive when bone dry sober.
>> jurisdiction that doesn't take DUI seriously
That describes where this was at perfectly. Which is why I had put
>> It was his first offense and this state is very lenient on DUIs.
I probably should have used a different word than lenient, but it is what it is.
Analogy: I place two champagne glasses in a box, close the box, put in earplugs so I can't hear glass breaking, then shake the box violently. Then, without opening the box, I decide champagne sucks forever and throw away the champagne bottle. That's what this feels like.
Example: What does the word "hack" mean? There are at least two overall "families" of connotations it has, one of which is in the name of this site. But if someone told you to hack, that is in no way enough information to carry out any specific action. That's how you know you're dealing with a derived or secondary concept. Too many statements here are being formulated in secondary concepts. Like the closed box of maybe-broken champagne-glass glass. And then those vague concepts are being related vaguely to other vague secondary concepts, and decisions made about those concepts based on that. Like throwing away the champagne bottle. What a clusterfuck. Idiocracy is here.
And it's quite possible this girl is innocent but Jesus H. Christ don't post your password on the WALL! Unless maybe you can satisfy yourself that you have sole control of the room!
Whoever actually broke into this account was behaving maliciously, regardless of how easy it was (or wasn't) to do.
- There was a chain of human and technical vulnerabilities exploited
- MAC addresses can be changed – nearly all ethernet controllers and some wireless chipsets support changing the MAC address;
- MAC addresses are public knowledge. Anybody who ever receives a packet from your machine has your MAC address – and don't forget that Apple devices send tons of auto-discovery broadcast packets; and
- Anybody suitably competent to pull off the technical side of the attack is likely to be able to spoof MAC addresses.
It's worth noting that Knoll's letter also includes this gem of total misunderstanding:
"... date stamps are easy to edit. In fact, the photos you shared with me clearly include an "edit" button in the upper corner for this very purpose."
The article seems to me to be far more about low-burden-of-proof disciplinary panels – where the same people who set the rules interpret and administer the rules whilst trying to appear reasonable.
The fact that a "defendant" asks for a date and time of alleged incidents before submitting evidence is not at all "puzzling" – the alternative is submitting every photo over a months-long time-frame, which is certainly not reasonable.
Just to be clear.
Windows 10, MacOS and Ubuntu, all allow one to set/override their MAC address usually via a dialogue box.
I don't recall ever using a DSL/Cable modem that did not support setting/overriding the MAC address.
Just about every single DOCSIS network still in existence uses BPI+ to encrypt the traffic to each customer to make sure that you can't just sniff traffic for the entire neighborhood and steal service. BPI+ has a certificate that is minted and signed at the factory with the device's MAC address in it. If you tried to change the MAC address, even if you had root, you wouldn't have a valid certificate so the modem would never get a connection.
Protocol wise, a MAC address is fundamentally the choice of the client. And for cloning, they aren't even obscure but printed right on every device.
That this has to be continually re-explained to lawyers unfamiliar with technology, because they see some identifier and immediately assert it's immutable until rebutted, is getting to the root of the real problem here. An ethernet MAC is at best, circumstantial - acceptable for tracking down a lead, but means jack-squat when it comes to proof.
Furthermore, the fact that we're still going over this in a technology forum demonstrates the probable lack of competent diligence done by the school's IT department before presenting their "expert" opinion.
I'm guessing that the evidence they've got is that the IT dept have the MAC address that was used by the devices that connected to their network, and have associated MAC addresses with the IP addresses allocated. Then that IP was used to connect to their internal system to change grades.
It's pretty flimsy evidence, as anybody who had received a packet from her machine on the same network (i.e. if she ever connected to the university, which she allegedly did) would know the MAC address. So when I say it's public knowledge, I suppose I should've said it's public knowledge given you can connect to the same network. It really wouldn't be that hard to frame someone that way, and things like iTunes library sharing really help – because they conveniently tell you whose library is being shared.
It's quite possible that somebody who knew who she was and who knew her MAC address could have done this. That could have been somebody sat in the same class. It's also entirely possible that she had the technical skills to pull off the technical side of the hack (bypassing 2fa) and didn't know a thing about networking.
It also sounds like they have figured out the IP address that she has used to connect to her own university intranet account and found that it matched the IP that accessed the hijacked account. That's again pretty inconclusive.
From reading the article, the technical side of the attacks seems to be illegitimately using an administrator's password. There are no details of how the hacker obtained the password, perhaps they just glanced over the shoulder of the library staff member as they entered it?
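The MAC-to-IP-to-session correlation guessed at in the comments above, written out as an added example (not from the thread, the article, or the university): it resolves a login to a MAC through DHCP leases, then lists observations that contradict "one MAC means one device". The log layout, field names, and every sample record are constructed assumptions.

```python
from datetime import datetime as dt
from itertools import combinations

# Constructed sample records; layout and field names are assumptions.
MAC = "00:00:5e:00:53:0a"  # documentation-range MAC, not a real device
# DHCP leases: (start, end, mac, ip, hostname, option-55 parameter request list)
LEASES = [
    ("2019-01-10 09:00", "2019-01-10 13:00", MAC, "10.20.1.57",
     "Students-MacBook-Air", "1,121,3,6,15,119,252"),
    ("2019-01-10 21:30", "2019-01-10 23:30", MAC, "10.20.1.91",
     "DESKTOP-7F3K", "1,3,6,15,31,33,43,44,46,47"),
]
# Wi-Fi associations: (start, end, mac, access point)
ASSOCS = [
    ("2019-01-10 09:00", "2019-01-10 13:00", MAC, "ap-library-2"),
    ("2019-01-10 12:40", "2019-01-10 12:55", MAC, "ap-vetlab-1"),
    ("2019-01-10 21:30", "2019-01-10 23:30", MAC, "ap-dorm-4"),
]
# Application logins: (time, source ip, account)
LOGINS = [("2019-01-10 22:05", "10.20.1.91", "admin-account")]


def t(s):
    return dt.strptime(s, "%Y-%m-%d %H:%M")


def mac_for_login(login, leases=LEASES):
    """Return the MAC that held the login's source IP at login time, or None."""
    when, ip, _account = login
    for start, end, mac, lease_ip, _host, _fp in leases:
        if lease_ip == ip and t(start) <= t(when) <= t(end):
            return mac
    return None


def corroboration_gaps(mac, leases=LEASES, assocs=ASSOCS):
    """List observations inconsistent with a single physical device."""
    gaps = []
    mine = [l for l in leases if l[2] == mac]
    hostnames = sorted({l[4] for l in mine})
    fingerprints = sorted({l[5] for l in mine})
    if len(hostnames) > 1:
        gaps.append(("hostname_changed", hostnames))
    if len(fingerprints) > 1:
        gaps.append(("dhcp_fingerprint_changed", fingerprints))
    sessions = [a for a in assocs if a[2] == mac]
    for a, b in combinations(sessions, 2):
        overlap = t(a[0]) < t(b[1]) and t(b[0]) < t(a[1])
        # Overlap on different APs is an indicator, not proof: stale
        # sessions after roaming can produce it too.
        if overlap and a[3] != b[3]:
            gaps.append(("concurrent_on_two_aps", sorted([a[3], b[3]])))
    return gaps


def assess(login):
    """Grade the MAC attribution for one login; it never returns 'proof'."""
    mac = mac_for_login(login)
    if mac is None:
        return {"mac": None, "strength": "no-lease-match", "gaps": []}
    gaps = corroboration_gaps(mac)
    strength = "lead-only" if gaps else "uncontradicted"
    return {"mac": mac, "strength": strength, "gaps": gaps}


if __name__ == "__main__":
    print(assess(LOGINS[0]))
```
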
Even so, if she knew when she hacked the accounts she could create edited photos without them telling her when she hacked them (assuming she recalled when she did it)
If she were guilty of hiring somebody to do the hacking but not actually doing it herself, then she might not know when the sensitive times were and would therefore be unable to fabricate evidence covering the sensitive times. That's what you pointed out, however it's not particularly relevant. The possibility that she was the technically competent hacker who was capable of fabricating EXIF data is a strong enough possibility for the university to meet their low standard of proof, and consequently determine she's guilty.
Far too emotional and completely out of place for a Dean writing an official letter.
The glaring question is what evidence is there that this was not done with a remote-access trojan on her computer? The article says that other students' grades were changed, and I can think of no better cover than making sure the blame falls on someone else.
Very true. During my onboarding at Gatech, they clearly told us (in similar words): "Unlike courts, the burden of proof is on you, not on us. If caught hacking, you'll serve jailtime then come back to find us waiting."
By the way, the reason to retain a lawyer is so that you don't unwittingly say something that could create criminal liability. Nobody has a right to attend Tufts and as long as they follow their policies a lawyer or court is not going to stop them expelling you.
This is pretty normal for K-20 committees though, they operate as extrajudicial kangaroo courts that can easily screw students out of their education and labor.
now that you mention it, that's a starkly direct conflict of interest.
The K-20 education sphere loves its kangaroo courts though, most LGBTQ+ people I know have been cheated of their high school diploma by this scam perpetuated by school administrators.
Don't be different in any way, lest an administrator chooses to boot stomp you and refuse to acknowledge you ever took courses at their school.
I know one trans person who was set to go to an Ivy League school (incredibly adept at mathematics) that got outed and has been relentlessly harassed by both their parents and school.
I've been trying to encourage them to fire high school and go all Running Start, cause it ain't gonna get better wrt the school administrators being horrid. They likely won't graduate if things fail to improve.
Edit: This is in Seattle Public Schools proper, Bellevue, Northshore and other districts are on point about expelling those that cop to not being straight or cis. It's been painful to watch bright kids get needlessly ejected from the system that is supposed to provide them an education.
Shorter version: preponderance of evidence, which is usually the burden schools are most prone to adopting, isn't it?
Anyway, I got caught because I used the tool to remove some of the kids I didn't like from classes I was in... but for every person I dropped I had to add another... and I probably had to change about 300 people around to make it all work out. The school kept the classes the way I left them, and my "punishment" was that from then on I had to be "on call" for add / drop periods every semester to help the administrators handle requests from other students.
Let me tell you, I hated the first half of 6th grade, but 7th & 8th were pretty cool since I got to pick all the people I went to class with.
Oh, and I called in a snow day once... you just had to know the verification word associated with the school when you called the news. That word was also written on the bulletin board. I miss how simple things were back then.
I did something very similar to this in high school, I believe after reading about RMS doing the same, to give myself some sort of plausible deniability.
That's the most implausible thing about this - the university is suggesting that a vet is some kind of l337 hacker. In my experience vets and hackers are about the most distant groups of people possible.
However, it is plausible that someone else stole the librarian's password, created the account and sold access to her.
Countless engagements I have spoofed my MAC to 11:22:33:44:55:66 with a hostname of 'you're being hacked'
I'm sure, some intel people would love to have that knowledge
It seems to me the quality of that sort of evidence really depends on the nature of the accusations. If somebody is accused of being a technically proficient hacker, this sort of technical evidence of their innocence may have a lower value than if somebody is accused of murdering their business rival in some mundane non-technical way.
In other words "accused is a murderer and a hacker" is less likely than "accused is a hacker and a hacker"
As an example, macOS maintains a separate, hidden resource fork on every file downloaded via the browser. There’s a corresponding SQLite database of such “quarantined” files, providing some redundancy. I’d be curious about whether the discovered RATs had quarantine entries. I’d also be curious about what the system logs say.
Um, separate from this case, that's a bit worrying from a privacy perspective.
In addition to https://news.ycombinator.com/newsguidelines.html, you might also find these links helpful for getting the spirit of this site:
Well, I don't intuitively see a huge difference between my browser history being kept in a database I can't clear (short of nuking the whole system) and my download history being kept in a database I can't clear. I think we'd agree that one would be a problem, so isn't the other? Could a malicious program read this, for instance?
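The cross-check the comment above is curious about, as an added example that is not from the thread or from any investigation: it parses the per-file quarantine value (stored on macOS as the `com.apple.quarantine` extended attribute) and looks up its event ID in the `LSQuarantineEvent` table of the per-user `QuarantineEventsV2` database. The file paths, attribute values, database row, and the 5-second skew tolerance are constructed assumptions; the database here is an in-memory stand-in with a subset of the real columns.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # DB timestamps count from here


def parse_quarantine_xattr(value):
    """Split 'flags;hex_unix_time;agent;event_uuid' into a dict."""
    flags, hex_ts, agent, uuid = (value.split(";") + ["", "", ""])[:4]
    return {
        "flags": int(flags, 16),
        "when": datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc),
        "agent": agent,
        "event_id": uuid.upper() or None,
    }


def build_sample_db():
    """Constructed stand-in for QuarantineEventsV2 with one event row."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    db.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?)",
        ("11111111-2222-3333-4444-555555555555", 569005696.0, "Safari",
         "https://files.example.test/helper.dmg", "https://example.test/download"))
    return db


def cross_check(db, files):
    """files maps path -> raw xattr value (or None). One finding per file."""
    findings = {}
    for path, raw in files.items():
        if raw is None:
            # File carries no quarantine attribute at all.
            findings[path] = {"status": "no-quarantine-xattr"}
            continue
        x = parse_quarantine_xattr(raw)
        row = db.execute(
            "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
            "LSQuarantineDataURLString FROM LSQuarantineEvent "
            "WHERE LSQuarantineEventIdentifier = ?", (x["event_id"],)).fetchone()
        if row is None:
            # Attribute present but the database has no matching event.
            findings[path] = {"status": "xattr-without-db-row",
                              "xattr_time": x["when"]}
            continue
        db_time = MAC_EPOCH + timedelta(seconds=row[0])
        skew = abs((db_time - x["when"]).total_seconds())
        ok = skew <= 5 and row[1] == x["agent"]  # tolerance is an assumption
        findings[path] = {"status": "consistent" if ok else "mismatch",
                          "xattr_time": x["when"], "db_time": db_time,
                          "source_url": row[2]}
    return findings


# Constructed sample input: path -> com.apple.quarantine value.
SAMPLE_FILES = {
    "/Users/student/Downloads/helper.dmg":
        "0083;5c3a1f00;Safari;11111111-2222-3333-4444-555555555555",
    "/Users/student/Downloads/update.pkg":
        "0083;5c3b7080;Safari;AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "/Users/student/Library/LaunchAgents/agent.bin": None,
}

if __name__ == "__main__":
    for path, finding in cross_check(build_sample_db(), SAMPLE_FILES).items():
        print(path, finding)
```
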
However the fitness tracker defense in conjunction with mac-user and going to apple store for help tells me she's tech dumb, location data turned on for pictures. I highly doubt there has ever been another PHD veterinarian who is also a skilled hacker with this level of techdumb still happening.
She might be dating or know someone who is hacking... but you don't get to being a PHD student without knowing your field. Your teachers would know if you're dumb.
Just another theory I thought could be plausible.
Guess she better default on those then. Good luck collecting from someone in Toronto.
Better to move to a country where charging tuition is some kind of crime.
Is this actually considered hacking? My mental model of hacking has always involved discovering and exploiting security vulnerabilities in a software system, not just finding and using somebody's password.
I doubt the public will learn what actually happened but just from that article we can conclude that all parties to that investigation were remarkably lax in their approach to DFIR and I've seen several people on twitter say she would have been better off under an FBI investigation with people who actually know the job than Tufts.
My guess; gender based harassment by a member of the Tufts IT staff who thinks he was extremely clever and will not be caught since he ran the investigation as well as the crime.
And we know what happens to people who think they are clever; they boast and it is their undoing.
Does iPhone have location history option like Google maps does on android?
How did she get there? Did she just drive herself 70 miles? Does she own a car or did she rent one? Did she take a train or bus and still has the ticket? Did she go with a friend? Did she eat a meal and pay with a credit card there? Did she buy gas?
How about checking in the provided photos if features present in the photos match what would be there at the date in question. Does the forecast show it was rainy there but it's sunny in her provided pictures? You could measure shadow length if it may have been faked at a particularly different part of the year. You could search social media for tagged pictures from others which may show her in the background. Were there displays or construction that was modified between the date of the alleged hack and when she could fake a photo there?
Does the xiaomi tracker differentiate between (on a human and human sleeping) vs (not on a human and sitting on a nightstand)?
Did any other student grades get modified upwards?
Also please note that I did not say that not having social media updates is indicative of guilt in itself. Absence of evidence isn't evidence of a crime. Even if she was an obsessive social media user, maybe her phone died and she couldn't post that day.
It’s too bad her Mac was wiped. It’s clear Tufts messed this up, and they should forgive her loans; it’s not clear she’s innocent.
We asked Jake Williams, a former NSA hacker who founded cybersecurity and digital forensics firm Rendition Infosec, to examine the metadata embedded in the photos. The photos, taken from her iPhone, contained a matching date and time for the alleged hack, as well as a set of coordinates putting her at the Mark Twain House.
While photo metadata can be modified, Williams said the signs he expected to see for metadata modification weren’t there. “There is no evidence that these were modified,” he said.
Assuming the person changed all data/time fields including those in the file system, what other signs of modification would there be? I poked around online and didn't find anything.
TFA says he looked at the [EXIF] metadata of the photos. There’s nothing in here to suggest a comprehensive forensic analysis of the cellphone itself (eg from a Cellebrite extraction). A phone is a treasure trove of SQLite databases.
This is so true. I've thought for a long time that a cool art experiment would be a blackbox with a lightning cable protruding out of it. You plug your phone in and answer "Do you trust this computer?" And if you do, those "SQLite databases" you mention get projected on the wall. A bit like the wall of sheep, I guess, but more for the purpose of educating people just how much data is actually on their phone.