Oxford Temporarily Blocks Google Docs To Fight Phishing

timothy posted about a year and a half ago | from the you've-been-cloud dept.

Google 128

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."

PI IS EXACTLY THREE (-1, Offtopic)

Antipater (2053064) | about a year and a half ago | (#42946755)

And now that I have your attention...

Re:PI IS EXACTLY THREE (-1)

Anonymous Coward | about a year and a half ago | (#42947385)

You could have least put the word 'nigger' somewhere in your post

Report Abuse (5, Informative)

RedACE7500 (904963) | about a year and a half ago | (#42946765)

As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

Re:Report Abuse (3, Interesting)

BlkRb0t (1610449) | about a year and a half ago | (#42946839)

How is Google Docs employed for phishing? Can anyone enlighten me here? I've used Google Docs at certain times and don't see how it can be used to trick users into believing that it is the original site they're entering the data into. Or am I missing something here? Unless the users are really that dumb to enter their info.

Re:Report Abuse (5, Informative)

bruce_the_loon (856617) | about a year and a half ago | (#42946889)

You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

Yes, they are stupid, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

Re:Report Abuse (0)

Anonymous Coward | about a year and a half ago | (#42947009)

there used to be this thing called IT infrastructure... maybe it will make a come back

cloud cloud, cloud cloud cloud... cloud

Re:Report Abuse (3, Funny)

Anonymous Coward | about a year and a half ago | (#42947323)

Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

Re:Report Abuse (0)

Anonymous Coward | about a year and a half ago | (#42947469)

Unable to remember his ever-changing password, Bob simply leaves a sticky note on the corner of his monitor as a reminder. When again chastised by IT, he makes his best effort to remember, which results in him locking out his account multiple times per day and calling help desk. Help desk is busy because Bob isn't the only person needing a password reset, so Bob has to wait on hold for 15 minutes. Because of this, Bob misses the notice for a last-minute meeting with an important client and the client is lost. After much yelling, Owen, the owner of the company storms into the IT department and has a little talk.

Re:Report Abuse (3, Insightful)

Archangel Michael (180766) | about a year and a half ago | (#42947587)

Or they will come up with a new password Scheme that is completely insecure.

Old Password: password
New Password: password19 (today's date)

Tomorrow ....

Old Password: password19
New Password: password20

that way, I can have 28-31 different passwords every month, without having to remember any one in particular.

Re:Report Abuse (1)

slartibartfastatp (613727) | about a year and a half ago | (#42947769)

If they would come up with this kind of idea, they wouldn't be filling phishing forms in the first place, I guess.

Re:Report Abuse (2)

davidbrit2 (775091) | about a year and a half ago | (#42948425)

Not if you enforce a minimum Levenshtein distance between the new password and the user's entire password history.

Re:Report Abuse (2)

KPU (118762) | about a year and a half ago | (#42951053)

Now you're either storing all the users' past passwords. Or maybe some clever hash of those passwords that preserves efficient computation of Levenshtein distance. However, given an oracle that computes Levenshtein distance, one could easily extract the password.
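Added example, not part of any comment in this thread: a Python sketch of the trade-off discussed in the two comments above. It compares the new password with the current one only, using the plaintext the user types during the change, and keeps history as salted hashes, which can catch exact reuse but nothing "similar". The class name, method names and the threshold of 4 are assumptions.

```python
import hashlib
import hmac
import os


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using two DP rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _digest(password, salt):
    # Salted, slow hash; history entries are never stored in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """Hypothetical per-user record: salted hashes only, newest last."""

    def __init__(self, initial_password):
        self.history = []
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def change(self, old, new, min_distance=4):
        # The user must present the current password, so its plaintext is
        # available in memory for this one comparison and then discarded.
        if not self._matches(old, self.history[-1]):
            return "rejected: old password incorrect"
        # Hashed history supports an equality test only.
        if any(self._matches(new, entry) for entry in self.history):
            return "rejected: exact reuse"
        if levenshtein(old.lower(), new.lower()) < min_distance:
            return "rejected: too similar to current password"
        self._store(new)
        return "accepted"


if __name__ == "__main__":
    record = PasswordRecord("password19")            # constructed sample
    print(record.change("password19", "password20"))  # too similar
```

The last case in a longer run is the instructive one: once the user has moved to an unrelated password, a near-copy of an older entry passes, because the hashed history cannot answer "how close is this?" without keeping what KPU describes.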

Re:Report Abuse (0)

Anonymous Coward | about a year and a half ago | (#42947575)

I'd love to see you try that on someone who matters. Don't know how it works in universities, but in the real world getting ideas above your station as a replaceable cost centre peasant, by getting in the way of the grown ups sounds like an awesome way to get free supplies of pink paper.

Re:Report Abuse (1)

hazah (807503) | about a year and a half ago | (#42948809)

In the same paragraph you describe the real children and call *them* grown up. Irony abounds.

Re:Report Abuse (2)

hawguy (1600213) | about a year and a half ago | (#42948159)

Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

Why not just issue him a two-factor authentication token, then you can actually solve the problem instead of a bandaid approach that won't really help. (even if he has to do daily password resets, if he gives up his password in the morning, the hacker has 24 hours to use it).

The tokens are cheap (even cheaper when it is a smart-phone app), every company with data worth stealing should use them.

Re:Report Abuse (1)

Brandon Hume (73471) | about a year and a half ago | (#42950605)

Many universities aren't even willing to spend the money for a mail server anymore, I don't see how you could convince them to spend a quarter million dollars for tokens (assuming $1/user). And yes, that includes alumni, who likely wouldn't use the 2-factor because it's too much hassle, which would sink the entire project.

Yes, universities want alumni to keep their accounts, because that's the easiest way for them to beg for money.

Re:Report Abuse (2)

swillden (191260) | about a year and a half ago | (#42948317)

When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.

The victims tend to learn from all the inconvenience caused by the attack itself. It's everyone that didn't get phished you need to reach.

Perhaps the solution is to send out a university-sponsored phishing attack, then conduct an Internet-safety education seminar for everyone who falls for it.

Re:Report Abuse (1)

Darinbob (1142669) | about a year and a half ago | (#42947723)

But why Google Docs? A form is a form, no matter what generates it. How is this different from using Word or even vi?

(and actually I am surprised enough people use Google Docs that there would be an uproar of a short shutdown)

Re:Report Abuse (1)

countach (534280) | about a year and a half ago | (#42948483)

I'm guessing it makes phishing ridiculously easy by hosting a form service on the web where you can easily and anonymously get the results back over the net.

Re:Report Abuse (1)

jbmartin6 (1232050) | about a year and a half ago | (#42947935)

We've worked out a way to use our HTTP proxies to deny POSTing of information to Google docs/drive. This way, folks can still access information, they just can't use POST or PUT commands to send any. It isn't too hard to determine the necessary POST URLs to whitelist for logon, logoff, password change, and other operations. It's not perfect but a lot better than nothing. Maybe you could take a similar approach. Does require a proxy that intercepts SSL traffic.
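Added example, not jbmartin6's configuration: a Python model of the proxy rule described in the comment above, allowing reads of Google Docs/Drive while denying POST and PUT except to an allowlist. The allowlisted paths and sample URLs are constructed placeholders (the comment does not list the real ones), and the function name `decide` and the `inspect` verdict are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hosts named in the comment; subdomains are covered as well.
RESTRICTED_SUFFIXES = ("docs.google.com", "drive.google.com")

# Methods that send data to the site.
UPLOAD_METHODS = {"POST", "PUT"}

# CONSTRUCTED placeholders standing in for the logon, logoff and
# password-change URLs that would have to be identified and allowlisted.
UPLOAD_ALLOWLIST = {
    ("docs.google.com", "/placeholder/logon"),
    ("docs.google.com", "/placeholder/logoff"),
    ("docs.google.com", "/placeholder/password-change"),
}


def _canonical_host(host):
    # Lower-case and drop the trailing dot of a fully qualified name.
    return (host or "").lower().rstrip(".")


def _is_restricted(host):
    return any(host == s or host.endswith("." + s) for s in RESTRICTED_SUFFIXES)


def _canonical_path(raw_path):
    # Decode %XX escapes and resolve "." / ".." so an allowlisted prefix
    # cannot be used to reach a different path.
    return posixpath.normpath("/" + unquote(raw_path).lstrip("/"))


def decide(method, target):
    """Return 'allow', 'deny' or 'inspect' for one proxied request.

    target is a full URL, or host:port for CONNECT.
    """
    method = method.upper()
    if method == "CONNECT":
        # Inside a TLS tunnel the proxy cannot see the HTTP method, so the
        # rule only works if the tunnel to these hosts is intercepted.
        host = _canonical_host(target.rsplit(":", 1)[0])
        return "inspect" if _is_restricted(host) else "allow"

    parts = urlsplit(target)
    host = _canonical_host(parts.hostname)
    if not _is_restricted(host) or method not in UPLOAD_METHODS:
        return "allow"
    if (host, _canonical_path(parts.path)) in UPLOAD_ALLOWLIST:
        return "allow"
    return "deny"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("GET", "https://docs.google.com/forms/d/SAMPLE/viewform"),
        ("POST", "https://docs.google.com/forms/d/SAMPLE/submit"),
        ("POST", "https://docs.google.com/placeholder/logon"),
        ("CONNECT", "docs.google.com:443"),
    ]
    for method, target in samples:
        print(method, target, "->", decide(method, target))
```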

Re:Report Abuse (3, Interesting)

Brandon Hume (73471) | about a year and a half ago | (#42950651)

I'm the same for

What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.

I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)

Here's a phish I received just two hours ago: https://docs.google.com/forms/d/1RPht7SPAZywd3L13_lLMeB1pCAz6ufe6LX-S7YKtaR8/viewform [google.com]
Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.

It's a Google problem (4, Insightful)

SSpade (549608) | about a year and a half ago | (#42946773)

Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

Re:It's a Google problem (2)

bruce_the_loon (856617) | about a year and a half ago | (#42946905)

They've gotten better. If I hit the Report Abuse link at the bottom of the document, it normally disappears inside three hours.

Re:It's a Google problem (0)

Anonymous Coward | about a year and a half ago | (#42948375)

Hmm, sounds like it isn't hard for a very small group of people to denial-of-service attack a Google Document by simply reporting abuse on a legit document.

that's a misrepresentation problem (1)

poetmatt (793785) | about a year and a half ago | (#42946909)

Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

Re:that's a misrepresentation problem (0)

Anonymous Coward | about a year and a half ago | (#42947101)

"Blame the people who suddenly decided phishing was a good idea."
Phishing is not a new concept...

i would blame the people (IT/execs) that decided that giving up control of docs/email to an outside entity was a good security decision.

Re:that's a misrepresentation problem (4, Interesting)

hawguy (1600213) | about a year and a half ago | (#42947153)

Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

Because they are providing the tool that is so easily abused by phishers.

It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

Re:that's a misrepresentation problem (1)

Anonymous Coward | about a year and a half ago | (#42947301)

So if I sell a knife to someone who uses it to rob a bank, I am responsible? Don't forget to indict the car manufacturer for providing the getaway car, and the hat manufacturer for making the ski mask.

Re:that's a misrepresentation problem (0)

Anonymous Coward | about a year and a half ago | (#42947511)

Imagine if the knife granted the person the ability to simultaneously attempt to rob 1000 banks anonymously with no physical risk and little chance of consequences. That'd be a crazy awesome knife, right? It's also why your analogy fails.

Re:that's a misrepresentation problem (0)

Anonymous Coward | about a year and a half ago | (#42948199)

Then why not blame the computer maker, and the builders of the Internet too?

Re:that's a misrepresentation problem (0)

Anonymous Coward | about a year and a half ago | (#42947555)

Knife wielding bank robber shot dead by police. The rest at 11.

Re:that's a misrepresentation problem (0)

sunderland56 (621843) | about a year and a half ago | (#42947839)

So if I sell a knife to someone who uses it to rob a bank, I am responsible?

The first time, no.

Around about the 100th time, if you don't start instituting some security measures - such as requiring a photo ID of knife purchasers, and saving a copy of the ID and a bill of sale for every purchase - then yes, you could be held responsible.

Re:that's a misrepresentation problem (2)

jbmartin6 (1232050) | about a year and a half ago | (#42947965)

All the phishers are doing is using Docs in the way it is meant to be used. If Google sees a form to enter information for ABC corp's Mr John McNobody, there's no way for Google to know if this is legitimate or not, other than actually trying to find Mr John McNobody and ask if it was legit.

Re:that's a misrepresentation problem (1)

AdamWill (604569) | about a year and a half ago | (#42951833)

There is absolutely no legitimate use for a Google Docs form for the username and password of an external mail system. Go on, try and think of one. I'll wait.

"The Tool" (1)

nuggz (69912) | about a year and a half ago | (#42948173)

You mean the university email system that delivers the malicious email?

I have a crazy idea, tell users not to give personal information out by email. It's that simple.

NEVER give out personal information by email.

Re:"The Tool" (3, Insightful)

hawguy (1600213) | about a year and a half ago | (#42948397)

You mean the university email system that delivers the malicious email?

I have a crazy idea, tell users not to give personal information out by email. It's that simple.

NEVER give out personal information by email.

The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.

After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".

Re:"The Tool" (1)

Brandon Hume (73471) | about a year and a half ago | (#42950571)

The bluntest, least-energy thing I've been telling people is that the "From" address of ANY email is cosmetic. It can say anything. "But the email came from our domain!" "No, it SAID it came from our domain. There's a difference." Go into Outlook and change it to spoof the university president... it's four clicks.

True story: We sent out an email letting people know that a phishing attack was going on. We even provided a sample of the phishing email, which was your typical "Confirm your account, please reply with your username and password" template.

People responded to the warning with their usernames and passwords. They SKIPPED OVER the "READ THIS!" part and only read the example, and then proceeded to do exactly what we told them not to.

Yes, we reset their passwords because they put them into an email. But if you thought I had the opportunity to disable those accounts forever because their owners were criminally stupid, you'd be wrong. The highest levels of management explicitly forbid such action.

Re:"The Tool" (1)

AdamWill (604569) | about a year and a half ago | (#42951845)

So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.

That's the whole point: you cannot rely on user education. There will always be a couple of idiots who send out their password. You can't go around every single flipping one of them and do the spoofing illustration in person, and even if you could, some of them would forget it a week later, or just not pay attention in the first place.

Re:that's a misrepresentation problem (0)

Anonymous Coward | about a year and a half ago | (#42950265)

I've (IT manager for dept at university) seen quite a few of these forms, google and otherwise. I can say that the google versions of the form tend to be rather simple and would seem to be easy to scan for. They are almost always 3 fields, something like "email address:", "password:", "userid:". In the past it used to be a lot of "reply to this hotmail address". I added spamassassin points for that, now I add spamassassin points for links to google forms.
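Added example, not the commenter's SpamAssassin rules: a Python sketch of the two signals described above, a link to a Google Docs form in the mail and a form whose fields ask for an identity plus a password. The point values, function names and sample inputs are constructed, and the scanner keys on label text rather than `type="password"` on the assumption that a generic form builder may offer only plain text fields.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LINK_POINTS = 1.5             # constructed weights, tune on your own mail
CREDENTIAL_FORM_POINTS = 3.5

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
SECRET_RE = re.compile(r"\bpass\s*word\b|\bpassphrase\b", re.I)
IDENTITY_RE = re.compile(r"\be-?mail\b|\buser\s*(id|name)\b|\blogin\b", re.I)

# Constructed samples: a three-field form as described, and a survey.
SAMPLE_PHISH_FORM = """<form><label>Email address:</label><input type="text">
<label>userid:</label><input type="text">
<label>password:</label><input type="text"></form>"""
SAMPLE_SURVEY_FORM = """<form><label>Email address</label><input type="text">
<label>Which session will you attend?</label><input type="text"></form>"""


def form_links(body):
    """Return links in a message body that point at a Google Docs form."""
    found = []
    for raw in URL_RE.findall(body):
        try:
            parts = urlsplit(raw.rstrip(".,;"))
        except ValueError:          # malformed URL, e.g. a stray "["
            continue
        host = (parts.hostname or "").lower()
        if host == "docs.google.com" and (
            parts.path.startswith("/forms/") or parts.path.endswith("/viewform")
        ):
            found.append(parts.geturl())
    return found


class _LabelCollector(HTMLParser):
    """Collects the visible prompts attached to form fields."""

    def __init__(self):
        super().__init__()
        self.labels, self._buf, self._in_label = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "label":
            self._in_label, self._buf = True, []
        elif tag in ("input", "textarea"):
            if (attrs.get("type") or "").lower() == "password":
                self.labels.append("password")
            for key in ("aria-label", "placeholder"):
                if attrs.get(key):
                    self.labels.append(attrs[key])

    def handle_data(self, data):
        if self._in_label:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "label" and self._in_label:
            text = " ".join("".join(self._buf).split())
            if text:
                self.labels.append(text)
            self._in_label = False


def looks_like_credential_form(html):
    """True when the form asks for both an identity and a password."""
    collector = _LabelCollector()
    collector.feed(html)
    has_secret = any(SECRET_RE.search(label) for label in collector.labels)
    has_identity = any(IDENTITY_RE.search(label) for label in collector.labels)
    return has_secret and has_identity


def score_message(body, fetched_forms=None):
    """Score one mail body; fetched_forms maps link -> already fetched HTML."""
    fetched_forms = fetched_forms or {}
    score, reasons = 0.0, []
    links = form_links(body)
    if links:
        score += LINK_POINTS
        reasons.append("links to a Google Docs form")
    if any(looks_like_credential_form(fetched_forms.get(u, "")) for u in links):
        score += CREDENTIAL_FORM_POINTS
        reasons.append("linked form asks for identity and password")
    return score, reasons
```

A link alone earns only the smaller score, so an ordinary survey is nudged rather than blocked; the larger score needs the form content, which the caller fetches separately.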

Re:that's a misrepresentation problem (1)

SSpade (549608) | about a year and a half ago | (#42948369)

Google offers free services. People will attempt to abuse them. That's no great surprise, nor is it specific to Google.

When someone abuses Google's services in a way that's a threat to other users there are only two ways to mitigate the incident. The best, by *far*, is for Google to stop the abusive behaviour. The other is for the affected parties to block access to (some subset of) Google. Those are really your only options.

Google is (based on externally visible behaviour) worse at mitigating abuse up-front by discouraging attempts to abuse their service, and at responding to reports of abuse, than other companies - and this appears to be an intentional choice by Google, based on their corporate culture. The tradeoff there is that people are more likely to just block Google servers, in response to the never ending trickle of abusive behaviour.

That's Google's problem. Well, actually, Google don't generally appear to think any of this is a problem at all - and *that's* the real problem as far as the rest of the Internet is concerned.

How is it used for phishing? (3, Interesting)

Sedated2000 (1716470) | about a year and a half ago | (#42946897)

I, like others, would like to know exactly how Google Docs is used for phishing. I've used Google Docs off and on since it was made available. I can't think of a particular feature that would make it an enticing service to use for phishing.

Can anyone offer an example or offer up an anecdote where they've encountered it?

Re:How is it used for phishing? (4, Informative)

bruce_the_loon (856617) | about a year and a half ago | (#42946947)

My university has been targeted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/ [gfi.com]

It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

Re:How is it used for phishing? (1)

Sedated2000 (1716470) | about a year and a half ago | (#42947191)

Thanks for the response. I guess it's been longer than I thought since I've used Docs. I didn't even think of the form angle. I'm sure this is causing more than a few "staff training" sessions. I suppose it's only worse since even if you have your own domain, you're still redirected to "docs.google.com", so it won't be immediately apparent that it did not come from a legit source (completely aside from the fact that a legit source wouldn't ask for that information in the first place).

Oh, Passwords are Broken (1)

bill_mcgonigle (4333) | about a year and a half ago | (#42947261)

ah, thanks for the link - now the story makes sense for me.

Something will someday push people over the edge and get them to give up on single-factor symmetric authentication. I know, breaking news...

Re:How is it used for phishing? (1)

Darinbob (1142669) | about a year and a half ago | (#42947753)

Still baffled. Google Docs is a mail server? To use it, don't you still have to create the form, download it, then mail it out from your own account?

Re:How is it used for phishing? (0)

Anonymous Coward | about a year and a half ago | (#42948017)

This one [google.com] looks like a current scam. Try it and let me know how it works. BTW, no to both of your questions.

Re:How is it used for phishing? (2)

CKW (409971) | about a year and a half ago | (#42947061)

It sounds like end users simply "trust google", and thus ANYTHING on google docs is "trustworthy", because hey, "it's google".

I know, it's stupid as baloney. It's like trusting a billboard down the street that says "City Billboard" just because you trust your City government, totally being ignorant that any nutjob can post something to the billboard.

Some. People. Don't. Understand. Technology. AT ALL.

Re:How is it used for phishing? (3, Informative)

Incadenza (560402) | about a year and a half ago | (#42947513)

These kinds of tricks don't have anything to do with people not understanding technology - it has everything to do with the scammers understanding psychology. There are lots of ways to raise the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that than when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as well lie about the doctors - there is no rational difference.

Re:How is it used for phishing? (1, Funny)

Anonymous Coward | about a year and a half ago | (#42948129)

Why wouldn't you trust Google [google.com] ?

Re:How is it used for phishing? (0)

Anonymous Coward | about a year and a half ago | (#42951069)

+1 funny on my first try. That's awesome.

Re:How is it used for phishing? (1)

jader3rd (2222716) | about a year and a half ago | (#42948373)

Some. People. Don't. Understand. Technology. AT ALL.

That's kind of the point of a lot of technology. It's a solution to fix a problem. The end user doesn't care how it gets done, it only matters that it gets done. I'm sure there's technology that you use, and yet you don't understand all of the details of every functioning piece in the process.

Here's a live example. (1)

Animats (122034) | about a year and a half ago | (#42947955)

Here's a typical Google-hosted phishing page. [google.com] Note that the page is long enough that the Google disclaimers at the bottom are pushed "below the fold", and some users won't notice. Such pages are used in conjunction with spam emails. Since the URL in the spam will be on Google, it makes it through most spam filters.

Google's own phishing detection catches some of these. Ones that mention "Microsoft Outlook" tend to be caught. This suggests that Google is using a simple classifier but needs a better training set. There's enough similarity between most of the fake login pages that many are clearly coming from the same sources or the same toolkits. It looks like there are only about two or three different attackers exploiting Google, and they're not working very hard at making convincing fake login pages. Or maybe the better-funded attacks aren't being detected by this approach.

Here's the list of Google-hosted phishing sites. (5, Interesting)

Animats (122034) | about a year and a half ago | (#42946945)

One of the things our SiteTruth system does is report on major sites that host phishing scams. [sitetruth.com] There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

Here's the list of all known phishing sites currently hosted by Google. [sitetruth.com] Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts. [phishtank.com]

Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

Here's the oldest phishing site hosted by Google. [google.com] On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

Really? (4, Insightful)

Mullen (14656) | about a year and a half ago | (#42946969)

I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

Re:Really? (5, Funny)

ravenswood1000 (543817) | about a year and a half ago | (#42946987)

Expel them for being too stupid to be in Oxford

Re:Really? (1)

smartsheep (1285138) | about a year and a half ago | (#42947069)

maybe on the second offense

Re:Really? (1)

squiggleslash (241428) | about a year and a half ago | (#42947235)

It's OK, the Magdalene Bridge normally takes care of "people too stupid to be at Oxford" on the 1st of May.

Re:Really? (0)

Anonymous Coward | about a year and a half ago | (#42948421)

They are at Oxford because they can pay up nicely or their parents can pay up and/or have an important function that facilitates the cash flowing into some important person's pockets.

Most of them are dumb as crap, but their parents have some sort of "social" intelligence which made them "relevant". If not, they would not fall for this kind of stuff.

Re:Really? (1)

zlives (2009072) | about a year and a half ago | (#42947113)

wow,
there are days i wish we had "your" policy in place... but then it would make for a very deserted office ;)

or emeritus professors.... (4, Interesting)

fantomas (94850) | about a year and a half ago | (#42947497)

Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)

Re:or emeritus professors.... (0)

Anonymous Coward | about a year and a half ago | (#42947681)

Clearly the people at Oxford are stupid if they are giving their email account credentials away to a random email. I got my education from a simple State School in Pennsylvania, USA. I was not stupid enough to get into Oxford.

Re:or emeritus professors.... (1)

John Hasler (414242) | about a year and a half ago | (#42949561)

This has nothing to do with expertise in IT. You don't need to know how the telephone system works to know not to give your bank account information to some guy who calls you up and asks for it.

Re:Really? (0)

Anonymous Coward | about a year and a half ago | (#42947957)

You are shocked at how stupid people can be? How stupid would THAT be? Stupidity is to be expected.

Re:Really? (0)

Anonymous Coward | about a year and a half ago | (#42949703)

Or if firing them is too harsh, hold back a month's pay . . .

Filter outbound email? (1)

Bill, Shooter of Bul (629286) | about a year and a half ago | (#42947003)

Why wouldn't Oxford have just set up outbound email scanning? Once they detect an email account is spamming, cut off the user.

Re:Filter outbound email? (1)

PRMan (959735) | about a year and a half ago | (#42947187)

They're wise to this. Many spam e-mails have a different e-mail address for every e-mail.

Re:Filter outbound email? (1)

Predius (560344) | about a year and a half ago | (#42947271)

Worse, it only takes a few emails tripping the right filters or customer complaint bins before Hotmail decides to never accept email from that relay's IP ever again. No appeal, no cooling off, no support assistance, that IP goes into their blacklist and there is no digging it out afterwards.

Re:Filter outbound email? (1)

Bill, Shooter of Bul (629286) | about a year and a half ago | (#42948087)

I can't tell if you misunderstood me, or are just wrong. They are harvesting email addresses from students, profs, etc. There is a limited resource of available oxford.edu addresses. They wouldn't be able to send many emails if they used a different account for each one. Even if they did, the filter should just use a ranking system like SpamAssassin to red flag outgoing emails likely to be spam. One bad email sent, block that message, send notice to user. Five sent, block account. Even if there are a lot of false positives, you would only punish those doing something kind of wrong (sending out messages that look like spam), rather than punishing everyone by blocking Google docs. It seems like a no-brainer to me.

Re:Filter outbound email? (1)

Brandon Hume (73471) | about a year and a half ago | (#42950347)

They're not harvesting email addresses, they're harvesting *accounts*, which grant access to the outbound SMTP server. A "limited resource" numbering in the hundreds of thousands, and adding a few thousand every year.

At the university I work at, we do exactly what you suggest. The spamming still happens. Why? Because the spammers (a group of guys located in Laos, Nigeria, and a few spots in Malaysia and Israel) will use a stolen "test" account to trickle a spam email or two through to see what gets through. Do you expect us to kill an account based on a SINGLE suspicious email? Do you expect us to read your personal email to make sure it's spam or not (very not-kosher in the province I'm in)? And the number of false positives is atrocious! People really do run mailing lists from their PC, even when we provide a proper listserv for the purpose, and they really do "Reply to all" with a 300+ CC'd email. Would you stomp on every one of these people?

What you're describing is nothing less than making the IT department "the enemy", an organization that should be circumvented at every opportunity.

Meanwhile, the level of intelligence you're suggesting is very expensive for the volumes of email we deal with, when management is already trying to kill off on-premises email. (They've succeeded... we're soon switching to Office 365, and it won't be our problem for much longer...) I've already designed the system you suggest, but I can't get the money or the time - university IT, understaffed and overworked - to implement it. And while I think our system is fairly large, I wouldn't claim to approach the level of an institution like Oxford.

And to add: the spam is the tiniest portion of the problem from my point of view. If I can send email via your account, I can probably read the email that's already there. That means I can harvest the email addresses of all your friends and family. I can glean personal details about you that I can use for the "send money plz" scams. How about if you're a doctor? Got any patient information in your email? If that gets loose, you're looking at a very unpleasant conversation with your Director about privacy law. How about grant numbers? Credit card numbers?

What about the other resources that the same username and password probably grants access to? Online storage? Personal websites? Hell, what about other sites that users reuse their passwords with?

I know what you're trying to say, but your solution is naive and doesn't stand up to the real world. *Especially* in academia, where there's a lot of entitlement on the part of the users, and very little money for the Oompa Loompas who make it happen.

Re:Filter outbound email? (0)

Anonymous Coward | about a year and a half ago | (#42947403)

In TFA it indicates that Google Docs can use HTTPS connections, which is another reason it is so attractive to phishers

Re:Filter outbound email? (1)

datapharmer (1099455) | about a year and a half ago | (#42947601)

Yes, since there is clearly no way to check an https connection for dangerous content. It would be wonderful if administrators of intranets had a tool that could look Deep into the Packets flowing through their network and Inspect them for malicious content... we could even call it something like "DPI" for short.

Re:Filter outbound email? (1)

DeepLinux (233509) | about a year and a half ago | (#42950757)

This is not an 'intranet'; it's a metropolitan-scale network with tens of thousands of users' personal machines connected to it.

Of course they use DPI for a variety of things; however, it does not help in this specific instance because they are *personal* machines: you can't MITM the https by installing trojan certificates on the client machines. Which morally you shouldn't be doing anyway, even if you are running a locked-down corporate network.

Also the stuff required for doing DPI at line speed on 20Gbit/s links is expensive.

Re:Filter outbound email? (0)

Anonymous Coward | about a year and a half ago | (#42950711)

On my freebsd mail server I run sma, which is a mail log parser

then I run from crontab hourly

#!/usr/local/bin/bash
# script to send sma maillog reports
SUBJECT="maillog report for mail.dept.institution.edu"
EMAIL="computer-support@dept.institution.edu"
EMAILMESSAGE="/tmp/emailmessage.txt"
# write the sma report to a temp file, then mail that file as the message body
/usr/local/bin/sma -l 30 -r 30 /var/log/maillog > $EMAILMESSAGE
/usr/bin/mail -s "$SUBJECT" "$EMAIL" < $EMAILMESSAGE

$CHECKSTRINGFILE

    EMAILSUBJECT="Phlog alert for $HOSTNAME ($MAXNUMBEREMAILSSENT)"

    # run the Horde log through phlog and save its output as the alert body
    $CAT $HORDELOG | $PHLOG -svc > $EMAILMESSAGE

    $MAIL -s "$EMAILSUBJECT" "$EMAILADDRESS" < $EMAILMESSAGE

fi

Also you change the horde settings to not allow setting the from address different than the authentication credentials. Can't remember exactly how to do that but it's trivial.
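An added example, not any poster's code: the per-account volume check that the hourly log report and the `$MAXNUMBEREMAILSSENT` alert above point at, run over constructed log lines modelled on sendmail `from=` records. The one-hour window, the 200-recipient threshold, the allowlist and every address are assumptions; the allowlist stands in for the legitimate bulk senders (list owners, 300+ CC reply-alls) raised earlier in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), modelled on sendmail "from=" records.
SAMPLE_LOG = """\
Feb 19 09:00:10 mail sm-mta[4001]: r1J900aa004001: from=<carol@dept.example.edu>, size=9120, class=0, nrcpts=150, proto=ESMTP, relay=ws07 [192.0.2.7]
Feb 19 10:00:05 mail sm-mta[4101]: r1JA00aa004101: from=<alice@dept.example.edu>, size=2210, class=0, nrcpts=1, proto=ESMTP, relay=ws12 [192.0.2.12]
Feb 19 10:02:11 mail sm-mta[4102]: r1JA02aa004102: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=1, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:05:40 mail sm-mta[4103]: r1JA05aa004103: from=<>, size=3100, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.net [203.0.113.5]
Feb 19 10:15:00 mail sm-mta[4104]: r1JA15aa004104: from=<listowner@dept.example.edu>, size=5200, class=0, nrcpts=320, proto=ESMTP, relay=ws30 [192.0.2.30]
Feb 19 10:30:00 mail sm-mta[4105]: r1JA30aa004105: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:30:20 mail sm-mta[4106]: r1JA30aa004106: from=<carol@dept.example.edu>, size=9120, class=0, nrcpts=150, proto=ESMTP, relay=ws07 [192.0.2.7]
Feb 19 10:34:00 mail sm-mta[4107]: r1JA34aa004107: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:38:00 mail sm-mta[4108]: r1JA38aa004108: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:42:00 mail sm-mta[4109]: r1JA42aa004109: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:46:00 mail sm-mta[4110]: r1JA46aa004110: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
Feb 19 10:50:00 mail sm-mta[4111]: r1JA50aa004111: from=<bob@dept.example.edu>, size=1804, class=0, nrcpts=50, proto=ESMTP, relay=[198.51.100.9]
"""

# timestamp, host, daemon[pid], queue id, then the envelope sender and nrcpts
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: \S+: "
    r"from=<(?P<sender>[^>]*)>,.*?\bnrcpts=(?P<nrcpts>\d+)"
)


def parse(log_text, year=2013):
    """Yield (timestamp, sender, recipient_count) for each from= record."""
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue  # to=, AUTH and other record types are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["sender"].lower(), int(m["nrcpts"])


def flag_senders(records, window=timedelta(hours=1), max_rcpts=200, allowlist=()):
    """Return {sender: peak recipients in any sliding window} above max_rcpts."""
    by_sender = defaultdict(list)
    for ts, sender, n in records:
        # Skip the null sender (bounces) and known legitimate bulk senders.
        if sender and sender not in allowlist:
            by_sender[sender].append((ts, n))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start = total = peak = 0
        for ts, n in events:
            total += n
            # Drop events that have aged out of the window ending at ts.
            while events[start][0] <= ts - window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > max_rcpts:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    print("no allowlist:  ", flag_senders(records))
    print("with allowlist:", flag_senders(records, allowlist={"listowner@dept.example.edu"}))
```

Without the allowlist the list owner's single 320-recipient message is flagged alongside the account that trickles one test message and then bursts, which is the false-positive cost described upthread; the two 150-recipient sends ninety minutes apart never share a window and stay under the threshold.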

Why is this a big deal? (1)

guanxi (216397) | about a year and a half ago | (#42947015)

Why is an organization somehow obligated to provide access to this application? Maybe they have promised something to their users, but otherwise Google Docs is not a universal human right; it's just another application offered by another company.

Re:Why is this a big deal? (1)

timmyf2371 (586051) | about a year and a half ago | (#42947143)

It's a big deal because students on a limited income are more likely to use free tools such as Google Docs, than they are to use paid software.

And at a university, these students typically submit coursework which may often be written using a word processing tool.

If said word processing tool is subsequently blocked for a few hours without prior warning, it's quite easy to see how this could well pose an issue for students making last minute changes to their course work.

Re:Why is this a big deal? (1)

im_thatoneguy (819432) | about a year and a half ago | (#42947351)

Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.

Re:Why is this a big deal? (0)

Anonymous Coward | about a year and a half ago | (#42947535)

Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.

That's some pretty vague information you're providing there. What is a "notable university" and why on earth would the ones you've "heard of" have any consequence to the vast majority of folks reading here?

Re:Why is this a big deal? (1)

DeepLinux (233509) | about a year and a half ago | (#42950707)

Typically UK universities don't have the kind of agreements with Microsoft that would give all their students 'free' access to MS office.

MS do have a discounted program directly for students in higher education where office is around £28.

Re:Why is this a big deal? (0)

Anonymous Coward | about a year and a half ago | (#42947359)

Surely "I couldn't get access to Google Docs for a couple of hours" is right up there with "the dog ate my homework"?

It's the student's choice to rely on a service without any sort of guarantee that it'll stay around, so it's the student's fault that it's not available. This is what we call a Learning Experience.

staff using it to avoid IT politics as well (3, Informative)

fantomas (94850) | about a year and a half ago | (#42947589)

I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations..."

Re:staff using it to avoid IT politics as well (1)

isorox (205688) | about a year and a half ago | (#42949415)

I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations..."

This is nothing to do with universities, it happens in corporations too. IT departments think they're in charge, while the business works around them to get stuff done.

Unfortunately this all comes to a head when there's a data protection leak. I lay the blame at the door of IT, who will no doubt claim they're underfunded and understaffed, for not providing the right tools in the right timeframe.

It's mainly an attitude problem.

Re:Why is this a big deal? (1)

xaxa (988988) | about a year and a half ago | (#42947421)

I expect staff also use it for collaborative work.

Computing staff (and some others) might use a shared version control system and LaTeX or similar, and many others will email round MS Word documents, but Google Docs can be superior to both.

(One of the few Google Documents I have was sent to me by an academic at Oxford, he is collaborating on a project with one of my colleagues in London.)

Oxford (1)

smartsheep (1285138) | about a year and a half ago | (#42947035)

Good for Oxford U. If students and faculty will not take security seriously they should be denied the service in the same way as you would take the car keys from a drunk driver or matches from a child. Would you use a bank that did not take security seriously? Or a car that was not safe? I don't see the difference. Best, David

Re:Oxford (1)

DarwinSurvivor (1752106) | about a year and a half ago | (#42947719)

Would you use a bank that did not take security seriously?

Yes, because NON of them have adequate security for their customers. They protect their own servers with billions of dollars of protection, then let you pay by waving a card in the air or *shudder* sending a text message.

Re:Oxford (1)

DarwinSurvivor (1752106) | about a year and a half ago | (#42947735)

s/non/none/

Re:Oxford (0)

Anonymous Coward | about a year and a half ago | (#42947987)

i do not understand this

Re:Oxford (1)

rk (6314) | about a year and a half ago | (#42948293)

Then this may not be the right site for you.

Re:Oxford (1)

Fwipp (1473271) | about a year and a half ago | (#42947797)

If my bank shuts down my debit card for two hours without warning because my neighbor keeps leaving his at the bar? Yeah, that's an awful thing.

*facepalm* (1)

Bobfrankly1 (1043848) | about a year and a half ago | (#42947181)

It's interesting to see the Michael Morisy "security through no using internets". Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...

Re:*facepalm* (1)

whoever57 (658626) | about a year and a half ago | (#42947487)

Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...

There are probably thousands of scripts around the world that ping 8.8.8.8 or some other well known Google IP address on a regular basis to test their Internet connectivity. For example, this script [blogspot.com]

How about (1)

Hentes (2461350) | about a year and a half ago | (#42948481)

suspending accounts sending spam? Punish those who deserve it, not everybody.

It is Google's fault professors are stupid. (0)

Anonymous Coward | about a year and a half ago | (#42948551)

It is Google's fault professors are stupid.

The solution is.... (1)

countach (534280) | about a year and a half ago | (#42948555)

The Oxford administrators should phish their own students. Any student stupid enough to fall for it must attend compulsory remedial training. Rinse, repeat, rinse repeat until nobody falls for it anymore.

Re:The solution is.... (1)

rs1n (1867908) | about a year and a half ago | (#42949365)

Mod parent up -- until users learn to not fall for even the more advanced phishing schemes, we will never be rid of the problem.

Re:The solution is.... (2)

Brandon Hume (73471) | about a year and a half ago | (#42950415)

I can't speak for Oxford, but I know at my workplace, traditionally it's the students who fall for it the *least*. Their numbers even out, but that's only because there's a hell of a lot more students. In general, the kids coming in today are reasonably technically-savvy and sceptical.

In terms of percentages, the people you need to watch out for are the faculty. They're older, less experienced with modern technology, and frequently believe that a PhD in Aztec basket weaving means they've mastered life.

I am an IT professional but I don't give a fsck (0)

Anonymous Coward | about a year and a half ago | (#42948933)

I don't care and it doesn't matter to me what IT does at Oxford; for all I care they can shut off what they want to celebrate gay rights or promote some feminist agenda. Fuck them and why should I care... we don't use Google at all.

This is why University IT sucks in general... (2)

RocketRabbit (830691) | about a year and a half ago | (#42949317)

In the olden days (and I am thinking as recently as the late 1990s) the universities would bake their own IT solutions. It was considered an academic challenge, and each campus had its own peculiar requirements, culture, etc. In those days, you had two tiers of IT - the local lab support, which was generally a grad student in the department who had undergone a short training course - if they even needed it - to help lusers figure out which part of the computer is the screen, which is the keyboard, and where the any key was. Sometimes these people, despite being English majors or what have you, would write good software that might be used in the university, or even across the world, while they sat there watching the herd of cattle called students and tenured professors prance across the keyboards. OK, I jest a bit, but not much.

Then, in the old days, you had the upper tier IT folks. These were people who essentially created and maintained the university's infrastructure. At the mid-sized midwestern university that I attended, the machine room contained a few IBM Power-based systems, running a redundant hardware / software stack, all of which connected to a dedicated user store. You could log into any of the servers and it would appear to be identical from the user's view. If one went down, the other could handle the load, and your full suite of Unix software was provided. It was beautiful. The entire infrastructure (minus the cabling running around campus, that was handled by union labor scrags) was maintained by about 4 people, and this was on a campus that included about thirty thousand students and faculty! Thousands of logged-in users at once, comfortably using a couple of computers that, if you added their processing capabilities together today, wouldn't be able to outdo an iPod Touch.

Many of the classic software packages that people use today were created by and for the academic campus. TeX, BSD, the easy to use (suitable for non-techie) Pico editor, and so forth, all combined to make a system that with minimal training, one could get started on, and with man pages, one could learn about on the fly. It was good for the university that created the software, in the form of heightened prestige and perhaps lucrative government shekel rainstorms, and it was good for the community because most of this software was then just given away, meaning that the academic community in general benefited. Smaller schools could use the software on smaller hardware, and wouldn't have to shoulder a massive IT cost beyond some dumb terminals, some Macintoshes, and a mid-sized "super-mini." The idea that sharing and helping the broader academic community was something to be proud of, and was useful to academia as a whole, was dominant.

Let's look at the situation now. IT services are managed by geniuses called "administrators" who probably couldn't code a "hello world" in BASIC, who hold MBAs, and who get all their IT information from Gartner or other such shill operations. The services they provide on-campus are shockingly similar to those one might have accessed over a 2400 baud modem in the early 1990s, except these services represent an enormous, ongoing cost. These campuses are entirely self-insufficient. Without access to external services, nothing would work, from payroll to class registration even down to the damn door locks in some cases! IT costs are an ever-increasing drain on the school's limited coffers, and the benefits are shrinking with the dollars spent. There is no incentive to create better software for the campus or academic IT in general, and thereby the whole academic world suffers. Just shoveling dollars into Google or MS Cloud or whatever hare-brained bullshit that the MIS types read is hot this week is destroying a lot of the in-built innovative potential of the university IT department.

My wife is in the math department at a major school in the Pacific Northwest. Her school (one of the biggest in the PNW!) has changed its entire campus management software stack 3 times in the 5 years that she has been there. Other universities have similar records. I would consider this to be a monumental failure and it should be a wake-up call for universities everywhere.

Re:This is why University IT sucks in general... (2)

isorox (205688) | about a year and a half ago | (#42949497)

I completely agree. Same in corporations. The people with the purse strings will lap up the sales pitch from companies like ATOS and Capita, and flush the money down the toilet.

In parallel, the people that have responsibility for IT in the company have it locked down tighter than Fort Knox. At least on paper. No one is allowed to create useful tools to fix problems in their department, it needs to go out to tender via a central funding pot.

Eventually you get people that, on paper, are "sales", but in reality are the department "techie", who will build his own infrastructure running on tin cans and 3G dongles, outside of the corporate IT structure. This is great, the problem is the 4 centralised masterminds in your university of old aren't there to provide the guidance and oversight, so eventually department techie makes a misstep and the company gets big problems.

Corporate IT needs to die, to be reborn with most of the work coming from people that are in the business.

Re:This is why University IT sucks in general... (1)

RocketRabbit (830691) | about a year and a half ago | (#42950701)

The problems all started with the MIS types, who are more bean-counter than wizard. They got it into the organizational culture of both universities and business that IT is an expense instead of a place to save money and provide services. In the old days, we'd look at the cost of mailing a bunch of fucking papers around everywhere, and drafting on draft tables etc, add up the cost of all the shit and then compare it with an IT solution that was designed to increase the speed of the whole organization while also eliminating a lot of the recurring overhead like papers, stamps, etc. The IT solution was usually both cheaper in the long run, and eliminated organizational lag. It was a net savings, and everybody was happy. Now it's the opposite, there is no benchmark of "how do we do this thing without using computers" to compare the IT cost to, so any IT spending is labeled a loss inside the organization.

It's all basically a giant money farming operation at this point, with the tech-clueless people who somehow got put in charge of IT ("diversity" hires and nepotism are the real issue here) don't look at the long-term losses to the organization when they outsource everything.

Just this year here in Oregon, OSU in Corvallis has been trying to get a new Wifi system running, and the bids are into retarded money territory and it looks like they will be getting even bigger. If the system was run more like the 1990s campus mail would be handing out some Apple Airport Extremes or some similar easy to use product and a set of metal straps and screws to stop theft, with instructions to screw it to the wall and run a wire to it. A couple higher-powered Wifi units would be stuck up on some poles around campus as well. It would work fine, it would be decentralized, and the costs would be hardware alone. Now, instead, we have fuckin' Sprint and ATT and such operations wanting millions of bucks just to STUDY the problem before they even get going on actually doing a damned thing!

If I wanted to destroy the US's economy with sabotage I wouldn't have to do a damned thing, other than let the MIS types and their clueless PHBs do exactly what they are doing, at the pace that they are doing it, right now.

There is no campus at Oxford... (0)

Anonymous Coward | about a year and a half ago | (#42951521)

..apart from Brookes (former polytechnic to the east of the city). It is colleges dotted around the city centre with shared faculty buildings. Always a joy directing tourists to "the university" when they are standing in the middle of it.
