Have you ever done so poorly in a class that you would risk it all to change your grade? Reporter Daniel Gross finds out if there is a secret ‘hack’ to acing your classes.
This story originally aired as part of our WNUR News: Unsolved special broadcast.
[REPORTER] AT NORTHWESTERN, IT’S ALWAYS MIDTERM SEASON. EVERY QUARTER, UNLUCKY STUDENTS GET GRADES THEY ARE UNHAPPY WITH. BUT WHAT IF A STUDENT WANTS TO TAKE MATTERS INTO THEIR OWN HANDS? CAESAR IS THE SOFTWARE NORTHWESTERN PROFESSORS USE TO ENTER STUDENTS’ OFFICIAL GRADES AT THE END OF THE QUARTER. I WAS TOLD TO SAY WNUR NEWS DOES NOT CONDONE HACKING … BUT WITH SO MANY COMPUTER SCIENCE MAJORS, SOMEONE’S AT LEAST THOUGHT ABOUT IT, RIGHT? SO … HYPOTHETICALLY … WHAT WOULD IT TAKE TO CHANGE YOUR GRADE??
NOW IT’S WORTH NOTING THAT THIS IS NOT AN ORIGINAL IDEA. IN FACT, THE CONCEPT OF HACKING INTO A SCHOOL’S COMPUTER SYSTEM TO CHANGE GRADES WAS SEEN IN POP CULTURE AS EARLY AS 1983 IN THE MOVIE ‘WAR GAMES’.
< AUDIO FROM MOVIE CLIP I FOUND>
‘WAR GAMES’ GOT AMERICA TALKING ABOUT COMPUTER SECURITY, AND IS CREDITED WITH INFLUENCING MULTIPLE LAWS ON CYBERSECURITY, INCLUDING THE COMPUTER FRAUD AND ABUSE ACT OF 1984. UNLIKE IN THE FILM, YOU CAN’T ACCESS NORTHWESTERN SERVERS WITH JUST A PHONE CALL. TO GET TO YOUR GRADES, YOU’LL HAVE TO GET PAST A TEAM OF PROFESSIONALS AT THE NORTHWESTERN INFORMATION AND SECURITY OFFICE.
[GRILL] WE SUPPORTED OVER 26 AND A HALF MILLION SINGLE SIGN ON LOGINS LAST YEAR. AND 8.3 OVER 8.3 MILLION MULTIFACTOR TRANSACTIONS. OVER 669 MILLION THREATS BLOCKED BY UNIVERSITY FIREWALLS LAST YEAR. THE SECURITY OPERATIONS TEAM IS TRIAGING EVENTS AND LOOKING AT EVENT TRAFFIC EVERY DAY, AND WE HAVE A, A PARTNER ORGANIZATION THAT KIND OF TAKES THE THE OFF HOURS. SO THERE ARE EYES ON ON EVENT LOGS 24/7 365.
[REPORTER] THATS BRANDON GRILL
[GRILL] I’M THE SENIOR DIRECTOR FOR TECHNOLOGY PLANNING AND SECURITY. AND I LEAD THE INFORMATION SECURITY OFFICE HERE IN NORTHWESTERN IT
[REPORTER] SOMEONE TRYING TO HACK INTO CAESAR WOULD HAVE TO GET PAST THE SECURITY MEASURES GRILL AND HIS TEAM OPERATE AND MAINTAIN.
[GRILL] FROM A TECHNICAL PERSPECTIVE, THOSE SYSTEMS ARE MAINTAINED BY THE NORTHWESTERN IT INFRASTRUCTURE GROUP. AND HAVE ALL OF KIND OF THE INDUSTRY STANDARD PROTECTIONS AROUND THE THE TECHNICAL SYSTEMS FOR, YOU KNOW, PATCHING VULNERABILITY MANAGEMENT INCIDENT, WE LEVERAGED A KIND OF HATE TO USE THE TERM STATE OF THE ART, BUT ONE OF THE BEST IN THE MARKET FROM A ENDPOINT DETECTION AND ANTI MALWARE ANTIVIRUS SYSTEM, AND THAT’S RUNNING ON ALL OF OUR ON CAESAR AND THE STUDENT, THE INFRASTRUCTURE RUNNING THAT. AND THEN WE HAVE A BUNCH OF PHYSICAL PROTECTION LAYERS AS WELL.
[REPORTER] IF YOU MANAGE TO GET PAST THAT SECURITY GAUNTLET, IT STILL WOULD NOT BE SMOOTH SAILING.
<SECOND SOUND BITE FROM THE MOVIE>
AS MENTIONED BEFORE, THERE ARE LAWS AGAINST HACKING. MANY LAWS, IN FACT.
[SUNOO] I GUESS IT DEPENDS A LOT ON THE SITUATION. THERE ARE DATA BREACH LAWS, WHICH REQUIRE THE THE OPERATORS OF BREACH SYSTEMS TO TAKE MITIGATING MEASURES AND NOTIFY USERS AND VARIOUS THINGS LIKE THAT, WHICH VARY FROM STATE TO STATE AND VARY IN THEIR EXACT PROVISIONS.
[REPORTER] THATS SUNOO PARK
[SUNOO] MY BACKGROUND IS IN COMPUTER SCIENCE AND LAW, I HAVE A PHD IN COMPUTER SCIENCE AND A JD AFTER THAT. AND I DO RESEARCH IN SECURITY AND PRIVACY AND TECHNOLOGY LAW MORE BROADLY.
[SUNOO] THERE ARE COMPUTER CRIME LAWS, SUCH AS THE COMPUTER FRAUD AND ABUSE ACT,
[REPORTER] YES, THE SAME LAW FROM EARLIER THAT WAS INFLUENCED BY WAR GAMES
[SUNOO] WHICH TRY TO MITIGATE SOME OF THE HARMS AND MAKE LEGALLY ACTIONABLE SOME OF THE SOME OF THE DAMAGE THAT MIGHT BE DONE. THE SCOPE OF THESE LAWS IS ACTUALLY A BIT VAGUE AND TOO BROAD. THE MOTIVATING IDEA IS THAT IF YOU DO GAIN UNAUTHORIZED ACCESS TO A SYSTEM AND POTENTIALLY DO DAMAGE, THEN THAT SHOULD BE LEGALLY ACTIONABLE. IN PRACTICE, THIS LAW CAN BE USED LIKE THAT AND CAN ALSO BE USED BECAUSE OF THE WAY THAT IT’S AMBIGUOUS TO TO CAUSE LEGAL LIABILITY FOR A RANGE OF OTHER ACTIVITIES, INCLUDING RESEARCH ACTIVITIES, ACTUALLY, WHICH IN A HARMFUL WAY, BECAUSE IT THE SCOPE IS SORT OF OVERBROAD. IT’S COMPLICATED, BECAUSE THIS LAW IS QUITE CONTROVERSIAL.
[REPORTER] THE COMPUTER FRAUD AND ABUSE ACT PROHIBITS, KNOWINGLY ACCESSING A COMPUTER WITHOUT AUTHORIZATION OR EXCEEDING AUTHORIZED ACCESS AND OBTAINING INFORMATION. THIS IS A FELONY, AND CARRIES A MAXIMUM SENTENCE OF 10 YEARS IN PRISON. AS PARK MENTIONED, THE LAW IS THE SUBJECT OF MAJOR CRITICISM, USUALLY FOR BEING TOO SEVERE, WHICH WOULD MAKE IT HARD TO WIN A CASE AGAINST.
THERE ARE ALSO NORTHWESTERN SPECIFIC POLICIES TO TAKE INTO ACCOUNT. ACCESSING YOUR GRADES WOULD FALL UNDER THE JURISDICTION OF FERPA, OR THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT. THE OFFICIAL NORTHWESTERN POLICY STATES THAT TO ACCESS STUDENTS DATA, YOU NEED WRITTEN CONSENT FROM THE STUDENT IN QUESTION. HACKING INTO CAESAR TO CHANGE YOUR GRADES WOULD POTENTIALLY VIOLATE THIS, AND MIGHT INCUR A SIGNIFICANT PUNISHMENT.
IF NONE OF THIS IS ENOUGH OF A DETERRENT, THEN THE QUESTION REMAINS: IS THIS EVEN POSSIBLE?
[SUNOO] THE BOTTOM LINE IS ESSENTIALLY THAT WE DON’T KNOW HOW TO BUILD PERFECT SYSTEMS. AND THIS IS HARD BOTH BECAUSE OF THE SYSTEMS SECURITY QUESTIONS INVOLVED. BUT ALSO BECAUSE THERE ARE ALWAYS HUMANS INVOLVED IN COMPUTING SYSTEMS AND HUMANS ARE FALLIBLE. AND SO ACCOUNTING FOR ALL POSSIBLE ATTACK VECTORS IS IS WE DON’T KNOW HOW TO DO THAT YET. AND SO FOLLOWING INDUSTRY STANDARDS, HELPS A LOT TO MITIGATE, MITIGATE RISKS, BUT IT WON’T MAKE A SYSTEM FOOLPROOF.
[GRILL] I WOULD SAY THAT WE HAVE MULTIPLE LAYERS OF PROTECTION AGAINST THAT HAPPENING.
[REPORTER] REPORTING FOR WNUR NEWS, I’M DANIEL GROSS.
