digg

Facebook Connect Join Digg About

College Student Uses Brute Force PASSWD on School Computer to Change Grade

linuxelectrons.com — You Li, age 21, a Chinese national living in Utah while pursuing an undergraduate degree in computer science at the University of Utah, has been indicted by a federal grand jury for hacking into a University of Utah computer in an attempt to change a grade in a math class. The indictment also alleges he accessed other personal information.

Who dugg this? Made popular Mar 1, 2006

Add a friend

submitted by

dirtyfratboy Mar 1, 2006

1473 diggs
digg

What is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

Top in Programming

Programmer 101: Teach Yourself How to Codethumb

1135

Google Launches Its Own 'Go' Programming Language

879

The Go Programming Languagethumb

463

Software That Fixes Itself?thumb

384

Interview with a Digg.com Software Engineer: Kurt Wilmsthumb

333

People Who Dugg This Also Dugg

The Coolest Gadgets Of The Month

1890

Schools banning Myspace because its "everybody's nightmare"

1257

Professor assigns hacking homework to students

1601

Top 10 peeves of a support tech

2010

The Top 10 Video Game Weapons!!

1353

96 Comments

Urusai, on 10/12/2007, -2/+14"Man Finds Stick"

Now there's a diggable article. Where did he find this stick? What kind of stick was it? Will he use the stick for good, or for awesome? Will his rocket backback incorporate the fledgling "stick" technology, or will he continue to use twigs? I NEED TO KNOW!!
tuxidomasx, on 10/12/2007, -0/+12wow. thats crazy. i think most universities are vulnerable to this kinda thing tho. i think Li made a bad decision. even if he were up to no good, he shouldnt have attempted to change the grade. there are too many unknowns:

is there a backup? wont changing your grade throw off the "average" and "median" values for the class? wont your changes be timestamps? ,etc.

instead, if he wanted to have an unfair advantage, he could have simply been patient and waited for the professor to upload something to his directory. such as "tomorrow's exam" or "Tuesday's pop quiz". Also, teachers are notorious for sending copies of exams to TAs or keeping backups on the network.

There would have been very little risk in just reading data, but by actively changing it, Li was putting himself in a BAD situation. Not only that, but connecting from his home computer without bouncing off other systems anywhere was just setting himself up for an arrest.

aside from that, i think the universities weak security is also to blame. a world readable "passwd" file is a disaster waiting to happen. Also, failure to enforce strong passwords also contributed. either way, Li made a big mistake, and so did the administrators (w/ their weak security).

the moral of the story. "the best way to not be seen is to not be heard"

and that's an original quote ^ ^
Hortnon, on 10/12/2007, -2/+5"So a kid hacks a computer, and it gets in trouble. How is this on the front page?"

It's a good thing we have the Front Page Police on the case.
riah, on 10/12/2007, -0/+2why does it take them 2 months to correct my grade they flubbed on... i need to get this kid on the job.
kylemeans, on 10/12/2007, -0/+2damn... Ferris Bueller look out! Here come the Feds!
dragazis, on 10/12/2007, -0/+2A+ for the effort
F for failing and getting arrested
B- for his hacking skills

so thats a B- (You could do better. Please see me after class)
PaulOwen, on 10/12/2007, -2/+4Even the title sounds a little bit parochial, a bit like:

"Dog Befriends Parrot, Onlookers Say 'Aaah'."
"Boy Eats Worm. Feels Uncomfortable For A While"
"Man Finds Stick."

Being liberal with posting rights is a double-edged sword.
lightningrod220, on 10/12/2007, -0/+2Here's what you do... deport him... but not back to China. Instead, find a poor country in Africa, where there aren't any computers, and the nearest airport is 1,000 miles away. If he can make it out alive, he deserves to live.
gabbagabbahey, on 10/12/2007, -0/+2So the professor used the same password at work, at Yahoo and possibly at his bank.

Good job.

They make it sound like he was dumb enough to brute force on the system he was trying to compromise, not a good move. If he had done the brute force at home, used the account only at college and not used it everywhere else he might not have got caught.

Some basic lessons to be learned here.
tjtwkr, on 10/12/2007, -0/+1I hope they throw the book at him. I love hearing about knuckle heads like this. And when the press gets pictures of them getting arrested or escorted by law enforcement, they always look like they're about to cry. LMAO!
beejay, on 10/12/2007, -0/+1I'm in the CS undergrad program at the U...I think this guy is in one of my classes.
the1casey, on 10/12/2007, -0/+1I bet the guy did something stupid like Brute Forced his way in using non-anonymous proxies or something. What an ass-hat, just send him back to China.
Grodius, on 10/12/2007, -0/+1I would have changed every grade in the entire class or like 50 other people's so that no one knew it was me.
officialchicken, on 10/12/2007, -0/+1I hate the press misnomer known as "hacking".

Hacking is not a crime. Hacking is something like making a toster run bsd... it's an ethic, a lifestyle, or frame of mind. Hacking is modifying a system. It is a good thing.

Unlawfully breaking into a computer system (and not covering your tracks) is CRACKING.
conto1987, on 10/12/2007, -0/+1Why doesnt he cheat like normal peeple
thyratron, on 10/12/2007, -0/+1I hearby sentence you to FIVE YEARS of using Windows ME
xst4t1kx, on 10/12/2007, -1/+2Brute force pass 1:

username: admin
password: password

Login successful. Time elapsed: 00:00:00.03
chrisc2, on 10/12/2007, -0/+1I hate to stereotype, but he's Chinese and he needs to change his MATH grade? I thought the Chinese were good at Math...
m99stump, on 07/29/2008, -0/+1*****.

Not that I don't think he should be punished, but grand perjury? Sony had to pay 7.50.
dirtyfratboy, on 10/12/2007, -0/+1its actually pronounced something like "yo-lee" ...close enough
Broncho24, on 10/12/2007, -0/+1Brute force? Talk about obvious and really stupid.
gekkokid, on 10/12/2007, -0/+1yeah he cracked/hacked it but got caught! i could change my grades, walk in with a gun and put it againsted the exam boards head and tell them to change it - i would get caught, same thing, if it was a uni saying "our system has been hacked and all the students grades were changed" that would be a story, actually if i did the gun approach that would be the better story lol
slackerhobo, on 10/12/2007, -0/+01) I laugh at the school

Showing glaring flaws in their security if someone can remote brute force attack like that

2) Idiot ... home computer
peerk, on 10/12/2007, -0/+0Looks like there is going to be a job opening for Unix sysadmin at the University of Utah.
Phieudu, on 10/12/2007, -0/+0Sound like he was able to brute force the passwd file in those 'Nix OS.
Can't image nowadays the administrator does not use some kind of shadowing methods to protect it.
nargilamonster, on 10/12/2007, -0/+0I've had a CS professor offer extra credit for cheating successfully on assignments because it'd require such a sophisticated knowledge of code, but to be able to do so with a brute force attack? Well, chalk this one up to non-creative types over in the school's IT secuirty department.
nogami, on 10/12/2007, -0/+0Wouldn't do squat to grades for our students - ya, the security isn't all that hot (someone really determined could probably break-in), but the system logs each access to the grades system (IP, time, date, etc), and we always double-check the final marks (from a computer that's not accessible over the network) on paper at our end-of-term meeting, so such things are futile in the longrun - as soon as we spotted a difference between the paper marks and the marks we entered into the database, there'd be an investigation.
SolidGun1, on 10/12/2007, -0/+0Yeah, poor kid. I hope he at least got a diploma in those two years. Couldn't get a transcript, but that paper should look good on a wall after he gets kicked out of country.
aznboi04k, on 10/12/2007, -0/+0he's my hero!
warez, on 10/12/2007, -0/+0if u know how to use a brute force attack u would probobly know what a proxy server
fastfood15, on 10/12/2007, -0/+0can u say deported??
soogy, on 10/12/2007, -0/+0Was that part of his PhD thesis?
Galaeron, on 10/12/2007, -0/+0djwk1928 - "And @ o0joshua0o
The most logical way he would of got caught is from multiple incorrect login logs since it was a brute force attack."

Again I ask the question, if he did this over a year ago(article says 2004) why take so long to act on it?
Pureeviljester, on 10/12/2007, -0/+0Owned
WiFi, on 10/12/2007, -0/+0I don't know why people are claiming he 'hacked' anything. Running someone else's program to -guess- a password hardly requires more than a few brain cells. Only a complete moron would brute force something which keeps logs.. and then not delete them.
tmcleroy, on 10/12/2007, -0/+0poor kid
stoops, on 10/12/2007, -0/+0Let's all sign up for Ethics 101. I'll be in the courtyard before class starts so join me if you can.
capajc, on 10/12/2007, -0/+0"Defendants charged in indictments are presumed innocent unless or until proven guilty in court."

They're only supposed to be presumed innocent by "the system". Not by any actual person within the system. Ah, the naivety.
Anth, on 10/12/2007, -0/+0Why the ***** was the PASSWD file not shadowed? You ALWAYS shadow the PASSWD file and have a very strong root password (10+ charecters) so it cant be brute forced. The admins should be fired for being too lax in security.
twinklyJesus, on 10/12/2007, -0/+0tuxedomasx: It's the university's fault for not having enough security???
Hey! Here's a clue...if you know your grades or other info are on a computer you don't have physical access to, or don't have the passwords for...you're not supposed to access them. It's a no-no. Just because they don't have a wall down the middle of the street doesn't mean it's ok to drive on the wrong side of the road.

He knew what he was doing was wrong... I agree, deport his ass. This seems to be a recurring theme with the Chinese.
autumntial, on 10/12/2007, -0/+0"Any word on how exactly he got caught? That would be the most interesting part of the story."
Quoted for truth.
o0joshua0o, on 10/12/2007, -0/+0Any word on how exactly he got caught? That would be the most interesting part of the story.
saddad, on 10/12/2007, -0/+0Not all math courses are algebra/matrices. There is number theory, ring theory, proofs, etc....
tdaddy11, on 10/12/2007, -0/+0liz4rd,

I now see why my comment made you so mad. You're last name is Marxx. I know, your last name has an additional "x", but I still got a kick out of it. Thanks!
mhl12, on 10/12/2007, -0/+0+digg just because my last name is Li as well. lol
Codebender, on 10/12/2007, -0/+0A federal grand jury? FBI special agents? Only because he's a foreign national, clearly. Doesn't the FBI have more important things to be investigating than script kiddies changing their grades? I would think that local law enforcement could handle it, it's not like he's leading an Al-Qaida cell or anything.
SWGreg, on 10/12/2007, -0/+0"Straight up WarGames style bay-bee!! Tell me, who didn't want to do that when they saw Mathew Broderick do it so effortlessly??"

Exactly what I was thinking of. Great film.
Dufresne, on 10/12/2007, -0/+0even if he did everything successfully, wouldn't a teacher notice?
RyeBrye, on 10/12/2007, -0/+0"aside from that, i think the universities weak security is also to blame. a world readable "passwd" file is a disaster waiting to happen. Also, failure to enforce strong passwords also contributed. either way, Li made a big mistake, and so did the administrators (w/ their weak security)."

Agreed. The grand jury needs to indict the sysadmins at the U of U next, for being so stupid.
rafgar, on 10/12/2007, -0/+0"wait he hacked the damn thing

shouldent he be passing math?"

Programming/hacking ability does not require high math skill, despite what educators like to say. It HELPS, true, but it's not essential.
Show 51 - 96 of 96 discussions
Add a Comment

Login or register to comment!
Or, sign-in super fast with your Facebook account ...

Site Links: Home; Take a Tour; Search Digg; Digg Mobile; RSS Feeds; Popular Archive

Help: Frequent Questions; How Digg Works; Report a Website Bug

All About Digg: About Us; Contact Us; Community Guidelines; The Digg Blog; Digg Townhalls & Meetups; Jobs at Digg; Advertise on Digg; Diggnation Podcast

Digg Store: Get hats, shirts, hoodies, stickers, and more at the Digg Store.

Digg Tools & API: All Digg Tools; DiggBar Tools; Firefox Toolbar; Twitter Feeds; Add Digg to Google; Netvibes Widget; Integrate Digg Buttons; Digg Badges; Make a Digg Widget; API for Developers

Digg Dialogg!: Digg Dialogg lets you choose the questions.

Digg Labs: Get a real-time view beneath the surface of Digg.; Digg Labs Home; Arc, Swarm, Stack, Bigspy, Pics

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.