SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow1984
Tufts expelled a student for grade hacking. She claims innocence
As she sat in the airport with a one-way ticket in her hand, Tiffany Filler wondered how she would pick up the pieces of her life, with tens of thousands of dollars in student debt and nothing to show for it.
A day earlier, she was expelled from Tufts University veterinary school. As a Canadian, her visa was no longer valid and she was told by the school to leave the U.S. “as soon as possible.” That night, her plane departed the U.S. for her native Toronto, leaving any prospect of her becoming a veterinarian behind.
Filler, 24, was accused of an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.
The case Tufts presented seems compelling, if not entirely believable.
There’s just one problem: In almost every instance that the school accused Filler of hacking, she was elsewhere with proof of her whereabouts or an eyewitness account and without the laptop she’s accused of using. She has alibis: fellow students who testified to her whereabouts; photos with metadata putting her miles away at the time of the alleged hacks; and a sleep tracker that showed she was asleep during others.
[...] Tufts said she stole a librarian’s password to assign a mysteriously created user account, “Scott Shaw,” with a higher level of system and network access. Filler allegedly used it to look up faculty accounts and reset passwords by swapping out the email address to one she’s accused of controlling, or in some cases obtaining passwords and bypassing the school’s two-factor authentication system by exploiting a loophole that simply didn’t require a second security check, which the school has since fixed.
Tufts accused Filler of using this extensive system access to systematically log in as “Scott Shaw” to obtain answers for tests, taking the tests under her own account, said to be traced from either her computer — based off a unique identifier, known as a MAC address — and the network she allegedly used, either the campus’s wireless network or her off-campus residence. When her grades went up, sometimes other students’ grades went down, the school said.
In other cases, she’s alleged to have broken into the accounts of several assessors in order to alter existing grades or post entirely new ones.
The bulk of the evidence came from Tufts’ IT department, which said each incident was “well supported” from log files and database records. The evidence pointed to her computer over a period of several months, the department told the committee.
[...] A month later, the committee served a unanimous vote that Filler was the hacker and recommended her expulsion.
[...] Many accounts were breached as part of this apparent elaborate scheme to alter grades, but there is no evidence Tufts hired any forensics experts to investigate.
(Score: 2) by BsAtHome on Sunday March 10 2019, @04:18PM (12 children)
incompetence...
The entire story shows how clueless people are. The IT department is clueless. The committee is clueless. Normal people are clueless.
Computer: noun, "A magical box performing miracles". (with wink and thanks to Arthur C Clark)
They call themselves "educate men" at that university. I'd say, the diploma cannot be worth the paper it is written on when the "higher-ups" are such idiots.
(Score: 2) by bzipitidoo on Sunday March 10 2019, @05:05PM (11 children)
Entire story? No, I'd say part 2, in which "Expelled student sues the shit out of her university and wins a huge settlement" is coming soon, to a news feed near you. Unless Tufts suddenly figures out that they screwed up, and hastens to fix things. That this happened in a political climate that has already hustled her out of the nation is all the more reason for the school to have exercised great care, and now makes it more difficult to patch this up.
This shows all the hallmarks of a rush to judgment. They seem more interested in lynching someone for a crime, making an example out of a supposed low life, showing their tough-on-crime chops, scaring fence sitters into climbing down on the right side, than making sure they have the right person.
> They call themselves "educate men" at that university.
Perfection is too much to expect of any organization. Universities make blunders too-- Aaron Swartz springs to mind-- but I would hope they are better than average.
(Score: 4, Informative) by AthanasiusKircher on Sunday March 10 2019, @06:05PM (7 children)
You're making an awful lot of assumptions here. Techcrunch has clearly put their own spin on the story, and they're clearly going for outrage at a rather clickbaity level given how little information they actually have.
Let's be clear here: we're hearing only her side of the story, along with her understanding of the facts. We have very little understanding of what Tufts's IT department may or may not have or what their evidence looks like. TFA explicitly says Techcrunch reached out to Tufts, and they were told (quite rightly) that federal law prohibits releasing information about student records like this. There's this thing called FERPA, and unless/until a court hearing takes place, it's rather unlikely Tufts will say anything more, because it puts them in a very bad legal situation potentially if they reveal anything that jeopardizes student privacy.
So again, we have only one side of the story. That in itself is a good reason to at least suspend judgment rather than conclude definitively that Tufts "screwed up."
Then we need to take a step back and ask what actually happened, if this student was not doing the hacking herself. Why was someone using her computer or spoofing it to change her grades? The alleged hacks apparently happened over several months, so it's difficult to claim this was some one-off thing where a hacker one day used her computer to do something more nefarious, but just changed a single grade or something to cover tracks. This was an ongoing thing -- why?
Again, maybe there's some more evidence that Tufts has -- maybe other things went on in the hacks that we don't know about, perhaps that give another motive for the attacks. But we have nothing like that, and Techcrunch offers no insight. At best, they subtly point the finger at someone who knew this person and had a grudge about something (it's not clear), but Techcrunch doesn't claim that person has superior hacking skills... nor why said person might engage in a multi-month campaign to smear this student and get her expelled. If said person just wanted her expelled, surely they could do so with a single hack and grade change -- why do this over a period of months??
So, if this person is innocent, you have to ask who was doing the hacking and why. And we have absolutely no evidence to debate about that. We just have Techcrunch writing a clickbaity article, knowing that Tufts couldn't possibly respond in detail to the charges because of student privacy laws, and Techcrunch offers no alternative explanation of the facts or motive.
Huh. Sounds pretty flimsy to me. But I'm not a journalist. I'm not trying to sell clicks. If this student turns out to be guilty as sin, there's not much downside to Techcrunch -- they have almost no actual technical evidence to go on, so if anything is revealed from IT that demonstrates how guilty this student is, Techcrunch can just say, "Oh, we didn't know. Too bad. But we couldn't know, because Tufts wouldn't tell us anything."
Basically, regardless of whether this student is guilty or not, Techcrunch gets a win for publicity, all the while depending on outrage from the type of person who visits this site.
And maybe this student IS innocent, and maybe there was a horrific miscarriage of justice. But I haven't even gone into the several fishy things she said in TFA -- I'm just talking about the profound lack of evidence or explanation that you're using to assert that Tufts clearly screwed up. (Some weird things: it's true that universities don't have to grant "due process" in internal proceedings, but as someone who has actually been involved with disciplinary committees at multiple higher-ed institutions, I can tell you her description of the process sounds weird. She claims to have been pulled with no notice in front of a committee of eight "senior academics" and questioned for three hours with no recourse, no advocate, no access to any evidence used against her. That's a very unusual thing to happen for all sorts of reasons. It's also quite fishy that she claims the list of "charges" against her reads like a criminal trial, but it apparently lacked basic details like the actual dates and times of the hacks. I could go on, but most of this is speculating... AND most of it is stuff she and Techcrunch know that Tufts likely can't talk about publicly, leaving the student to claim whatever she wants to for the moment to try to gain the court of public opinion.)
Again, I'm not saying she's guilty. I'm saying there's an incredible amount we don't know. Sure, Tufts IT could be full of idiots who royally screwed up here -- a lot of university IT departments are full of people without a huge amount of competence. But it's also very possible, based on evidence here so far, that we've only heard one distorted side of a very complex story, and the student is not innocent.
(Score: 1, Touché) by Anonymous Coward on Sunday March 10 2019, @06:12PM (6 children)
Either she is innocent or not (guilty), there is no middle ground.
If she is not innocent, she must be guilty. Simple logic*.
*Unless you are a bayesian, then facts don't matter to you.
(Score: 3, Informative) by AthanasiusKircher on Sunday March 10 2019, @07:03PM (5 children)
Sure there is. She might have done some things wrong but not have done other things they claim. She may have facilitated the hacking in some way, but it went farther than she had intended. She may have given access to her computer to someone for a bad reason, which ultimately allowed the hacking to take place, but ultimately she knew nothing of the hacking and wouldn't endorse it even if she facilitated it by taking a bad action.
There are lots of levels of responsibility and potential guilt here.
Even for your oversimplified assumptions, I'm not sure what your point is. The point of my post is that I certainly don't have enough information to evaluate the possibility of her guilt, nor do I think anyone here does unless they work for Tufts or at least know a lot more than TFA gives us.
So, even if the dichotomy is as you suggest, to us, based on current information, the situation is indeterminate.
(Score: 3, Interesting) by bzipitidoo on Sunday March 10 2019, @08:23PM (4 children)
Yes, I realize I'm presuming that the student is innocent. However, there seems a lot of reason to suppose she is innocent. First, innocent until proven guilty is the principle. From what I've read, there doesn't seem enough evidence to definitively say she is guilty. Therefore, she should be presumed innocent. Next, the university has made their judgment. For them now to hide behind privacy concerns just smells. Courts can't do that. Much of their reasoning and decision making are matters of public record. Public records are for us, to check that there wasn't fraud, perjury, blackmail, extortion, railroading, sloppiness or laziness, or whatever else going on in the courtroom.
And now, the circumstantial evidence in her favor is firstly, that she doesn't seem the type. She was studying to be a vet, not an engineer. To suppose that she has the skill to pull this off raises a lot of questions. Like, how could she be smart and knowledgeable enough to hack in, but too stupid to better cover her tracks? Why can a hacker break in at all, why is university security so bad? Second, the massive imbalance of power. She is one young student, up against a bureaucracy. We know all too well what the powerful do when they are not checked. They will frame and blame others to cover up their own mistakes. Schools have been known to levy overly harsh punishments when the alleged crimes involve computers and hacking.
What I wonder though is could the student be guilty of a little contributory negligence? That is, maybe she noticed something funny going on with her grades? If her grades were handwritten on papers as well as recorded electronically, and they didn't match, what should she do about it? But as the apparent errors seemed to be in her favor, she made the serious mistake of keeping quiet. Doesn't seem deserving of expulsion. Now if she did more than that, if she, say, conspired with someone else, someone capable of doing the dirty work, then yes, she should be expelled. But again, if that is so, it goes back to the question of why were they so stupid as to use her computer to do this?
(Score: 3, Insightful) by mattTheOne on Monday March 11 2019, @02:38AM (2 children)
I'm skeptical, it reminds me of when I was very young, I'd fake taking a shower rather than taking one, and I realized it was easier/faster to take one than try to trick my parents.
If she could do all this (as a vet and not a CS engineer), wouldn't it just be easier to get the better grades rather than this elaborate scheme of hacking? Just my 2cents.
(Score: 0) by Anonymous Coward on Monday March 11 2019, @03:59AM
Assuming vet school is like med school, hacking and being a vet require totally different skills. Hacking requires understanding, cleverness and ingenuity. Med/vet school requires rote memorization and paying the right people hundreds of thousands of dollars.
(Score: 2) by All Your Lawn Are Belong To Us on Monday March 11 2019, @10:40PM
Who said that she personally did all the hacking? She hired someone to do a scan of her computer.... could she not have hired someone to do the break-in? (Someone who didn't give a shit about her, took the money, and did the work through her account and/or with her MAC address for authentication to the network in a way that would finger her sooner or later?) I'm not saying she did that, only that it's possible. Equally possible that a classmate broke her machine (and/or watched her type her password in) and did the stuff too. At least, from the knowledge we have.
This sig for rent.
(Score: 2) by All Your Lawn Are Belong To Us on Monday March 11 2019, @10:43PM
From the evidence we've read. Not the evidence the school actually has in its possession.
Courts do not have to comply with FERPA. FERPA does mandate that student privacy is protected. She would have to provide the school with some kind of blanket permission to discuss everything about her, and even then the school wouldn't have to comply.
I'm not saying she's guilty. Just that she's not necessarily innocent, either, and we don't have the information to make a final judgment whether the school was correct or not.
This sig for rent.
(Score: 2) by sjames on Sunday March 10 2019, @06:19PM (1 child)
It's not uncommon for institutions to use administration as a dumping ground for problem professors who, due to tenure or knowing where the bodies are buried, can't be fired.
(Score: 2) by bzipitidoo on Sunday March 10 2019, @07:30PM
I have the impression that these days, particularly at these private, for profit schools, many administrative posts have devolved into sinecures, used to reward cronies. They've even created additional posts with vaguely defined duties, to make more sinecures. Possibly that would lead to even worse decisions than an administration packed with problem professors.
(Score: 1) by khallow on Monday March 11 2019, @01:19PM
Unless, of course, Tufts has enough evidence to support its side in this case.
A surfeit of alibis is suspicious as well. And they don't work, if she paid someone to hack for her. Then the absence of her laptop "in almost every instance" is a stinker.