- Joined
- Mar 15, 2014
- Messages
- 123
- Reaction score
- 164
A 4th year veterinary student at Tufts was expelled this past January due to suspected grade hacking. What are y'all's thoughts? Has anyone heard of this?
I mean I was following that untilBy the way, if anyone wants to voice their support for this former student, you can leave your signature here: We Demand Due Process for Deported Tufts Student, Tiffany Filler
Interesting. I know little about computers. I sent it to my partner who is a software developer and he said;My husband (networking engineer) read the article, and here is his input.
He says this would be HIGH level ‘hacking’ and would require quite a lot of knowledge and experience to pull off. Do you think she had that level of knowledge and no one knew about it? Heck, if she were that good, would she have been in vet school to start with? It’s not something most (or many) people could do.
Also, having worked with and for IT/Networking on a large campus, they don’t generally have employees capable of figuring this sort of stuff out definitively.
Something is weird.
These were my immediate thoughts. No way would she be bothering with vet school if she had those skills. hahaMy husband (networking engineer) read the article, and here is his input.
He says this would be HIGH level ‘hacking’ and would require quite a lot of knowledge and experience to pull off. Do you think she had that level of knowledge and no one knew about it? Heck, if she were that good, would she have been in vet school to start with? It’s not something most (or many) people could do.
Also, having worked with and for IT/Networking on a large campus, they don’t generally have employees capable of figuring this sort of stuff out definitively.
Something is weird.
Schools can kind of do whatever the hell they want in these cases. They didn’t even give her the reasons why they felt it was her before she was expelled, and despite multiple people saying she wasn’t at her computer at times they say the grade changes occurred, the school is refusing to investigate it further. Schools aren’t aren’t like a court, they don’t have to prove a student did something to take action. It’s on you to prove you’re innocent in these cases.But expulsion is the nuclear option. I’m not going to assume that Tufts is absolutely right and there’s no chance that they messed up and expelled the wrong person. However, I’d think that they would put in their due diligence and make 100% sure they had the right person before doing something that would blow up as much as this has. I’m sure they weren’t just like “your grades are a little higher? EXPELLED!” There has to be more to this than the article is explaining.
Fell asleep at 7:38 PM and woke up at 6:33 AM. What vet student has time to sleep that much?
I mean I was following that until
"Furthermore, we are concerned that Ms. Filler may have been treated differently by the Cummings School because of her immigration status and national origin. While several other students (all of whom are U.S. citizens) in Ms. Filler’s course also had their final grades slightly altered, only Ms. Filler was punished and deported for allegedly cyber-hacking."
Ummmm. No. If she is a white Canadian, that is absolutely absurd.
I found the comment a bit off based on the fact that the article said the one individual was investigated because all grade changes came from her computer....not anyone else’s. If there had been alterations that were traced to multiple computers and the other people were not investigated, then I would consider the statement more truthful. In this case (if everything in the article is true), it makes sense that they wouldn’t expel the other students if changes were not traced to their computers and that’s why I didn’t fully agree with that part of the petitionHow is it patently absurd to consider this?
Let's say the school thought an American student may have committed the exact same offense. Other students grades were changed but it seems that no other investigations or punishments occurred. Why? Maybe the school officials avoided investigating or punishing an American because they thought it would be more difficult to expel a one. An American wouldn't be immediately deported after expulsion so they could potentially draw out the process. Maybe the officials felt that Americans would be more likely to sue the school because they wouldn't need to travel internationally for court dates. If an American and a Canadian were treated differently during this investigation based on their National Origin, it seems to me that would most definitely be a violation of discrimination laws.
I'm not saying that happened, but there is a reason that race, color, and National Origin are separate protected categories in the Civil Rights Act. A white Canadian may be able to avoid many types of overt discrimination because of the way they look and speak, but being a visa holder can make them vulnerable in a way that Americans are not.
What I was primarily objecting too was the comment that the discrimination claim was "patently absurd" specifically because the student was a white Canadian. Any foreigner, especially a visa holder, can face discrimination and abuse.I found the comment a bit off based on the fact that the article said the one individual was investigated because all grade changes came from her computer....not anyone else’s. If there had been alterations that were traced to multiple computers and the other people were not investigated, then I would consider the statement more truthful. In this case (if everything in the article is true), it makes sense that they wouldn’t expel the other students if changes were not traced to their computers and that’s why I didn’t fully agree with that part of the petition
That's why I'm so highly annoyed that the article is lacking in details -- something I see in a lot of garbage journalism these days. There's nothing at all to go off of in the article re: actual technical details, at least what I expect to see.But expulsion is the nuclear option. I’m not going to assume that Tufts is absolutely right and there’s no chance that they messed up and expelled the wrong person. However, I’d think that they would put in their due diligence and make 100% sure they had the right person before doing something that would blow up as much as this has. I’m sure they weren’t just like “your grades are a little higher? EXPELLED!” There has to be more to this than the article is explaining.
I don't like this, since they're blindsiding her with the Spanish Inquisition (no one expects it!) and steamrolling her in the process.Article said:For three hours, she faced eight senior academics, including one who is said to be a victim of her alleged hacks. The allegations read like a court docket, but Filler said she went in knowing nothing that she could use to defend herself.
I don't understand this. A librarian is a user. Any competent organization would follow the principle of least privilege and users would only get the level of access to what their immediate job duties entailed. Why the **** would a librarian have domain admin credentials that would allow the creation of another user? I need way more details. Domain environment, their AD forest topology, the university policy and procedures. If I had to speculate, education (both K-12 and university) shops are run like small/medium businesses and are generally very low paying compared to the market, meaning you'll only get straight up beginners, burn-outs, dummies, or lazy idiots looking for a slow-paced, low-stress job. I've never worked in a technical capacity for a university and never would considering how disgusted I am with their processes. So maybe Tufts doesn't follow strict security procedures and throws stuff together with untold amounts of "one-offs," so maybe this librarian was some old crusty person who for whatever idiotic reason was domain admin. OK, let's take that devil's advocate further: how did she obtain the librarian's user password? Social engineering? The article doesn't discuss jack squat, so we the readers are expected to simply swallow it as truth.Article said:Tufts said she stole a librarian’s password to assign a mysteriously created user account, “Scott Shaw,” with a higher level of system and network access.
Again, the article doesn't give details. WHAT creds are we talking about here? AD? Does Tufts have self-service for password resets for AD that would even allow this? Is this specifically the grading system that isn't integrated with the university's AD environment? When I worked at a university alumni association in a more business analyst role, I learned that "Sungard Banner" was popular at many universities and handled lots of the student/staff/faculty/financial/development/class enrollment/grading systems. It's now called Ellucian. But my question remains: WTF is the article talking about?Article said:Filler allegedly used it to look up faculty accounts and reset passwords by swapping out the email address to one she’s accused of controlling,
Same question and frustration: Password to what system?Article said:or in some cases obtaining passwords and bypassing the school’s two-factor authentication system by exploiting a loophole that simply didn’t require a second security check, which the school has since fixed.
I need details for every sentence here. I'm getting intellectual blue balls.Article said:Tufts accused Filler of using this extensive system access to systematically log in as “Scott Shaw” to obtain answers for tests, taking the tests under her own account, said to be traced from either her computer — based off a unique identifier, known as a MAC address — and the network she allegedly used, either the campus’s wireless network or her off-campus residence. When her grades went up, sometimes other students’ grades went down, the school said.
I'm from Missouri: Show Me.Article said:The bulk of the evidence came from Tufts’ IT department, which said each incident was “well supported” from log files and database records. The evidence pointed to her computer over a period of several months, the department told the committee.
I've heard of FIRE before for past campus incidents, but I don't remember what they were. I hope they provide free legal services to Ms. Filler.Article said:“Universities can operate like shadow criminal justice systems — without any of the protections or powers of a criminal court,” said Samantha Harris, vice president of policy research at FIRE, a rights group for America’s colleges and universities. “They’re without any of the due process protections for someone accused of something serious, and without any of the powers like subpoenas that you’d need to gather all of the technical evidence.”
Provide the dang documents to we the readers, TechCrunch. Embed them as PDFs or whatever at the bottom of the article.Article said:Harris reviewed documents we provided outlining the university’s allegations and Filler’s appeal.
This is where I think Discovery secondary to a lawsuit would be beneficial. It's infuriating to basically say, "You did it! Not gonna provide evidence supporting our accusation even when people ask about it in good faith!" Reminds me of an incident in the Lounge recently, where I asked multiple times in good faith for someone to take a few seconds to explain what he was thinking, but this person would rather spend multiple posts saying "nah" when it would have been faster to just explain what he/she meant. It's. So. Incredibly. Cowardly. To not explain what you mean when someone asks in good faith to try to understand you.Article said:“It’s troubling when I read her appeal,” said Harris. “It looks as though [the school has] a lot of information in their sole possession that she might try to use to prove her innocent, and she wasn’t given access to that evidence.”
A committee consisting of what 3rd party forensics firm?Article said:A month later, the committee served a unanimous vote that Filler was the hacker and recommended her expulsion.
Need more details:Article said:Struggling for answers and convinced her MacBook Air — the source of the alleged hacks — was itself compromised, she paid for someone through freelance marketplace Fiverr to scan her computer.
Need more details.Article said:Within minutes, several malicious files were found, chief among which were two remote access trojans — or RATs — commonly used by jilted or jealous lovers to spy on their exes’ webcams and remotely control their computers over the internet. The scan found two: Coldroot and CrossRAT. The former is easily deployed, and the other is highly advanced malware, said to be linked to the Lebanese government.
I agree. It's weird, to me at least, to see multiple RATs. That's why I'd really love to see details.Article said:Evidence of a RAT might suggest someone had remote control of her computer without her knowledge. But existence of both on the same machine, experts say, is unlikely if not entirely implausible.
TechCrunch interviews a Malwarebytes director: how did he get access to the scan logs? Provide them to us the reader, TechCrunch! Throw us a dang forensic bone here.Article said:Thomas Reed, director of Mac and Mobile at Malwarebytes, the same software used to scan Filler’s computer, confirmed the detections but said there was no conclusive evidence to show the malware was functional.
“The Coldroot infection was just the app and was missing the launch daemon that would have been key to keeping it running,” said Reed.
Derp, that's what I just said above in the devil's advocate.Article said:Even if it were functional, how could the hacker have framed her? Could Filler have paid someone to hack her grades? If she paid someone to hack her grades, why implicate her — and potentially the hacker — by using her computer?
See, this is pretty interesting and we're lacking in answers. If a former roommate/housemate had an axe to grind... let's look into this, especially if she's dumb enough to have her password(s) in plain view for roommates to see.Article said:The landlord told me a staff resident at Tufts veterinary school, who has since left the house, “has bad feelings” and “anger” toward Filler. The former housemate may have motive but no discernible means. We reached out to the former housemate for comment but did not hear back, and therefore are not naming the person.
Oof. Don't step foot in an Apple Store, and for the love of G*d don't consult their "Geniuses." Look up "Louis Rossman" on YouTube for exact details on just how slimy the Apple Store Geniuses are and their motivation to basically just sell you a new iPhone/iPad/MacBook/whatever rather than fix something for $1 or whatever.Article said:Filler took her computer to an Apple Store,
Destruction of evidence. Devil's advocate: she's doing all this to play dumb and have Apple "Geniuses" do the destruction of evidence that would incriminate her.Article said:claiming the “mouse was acting on its own and the green light for the camera started turning on,” she said. The support staff backed up her files but wiped her computer, along with any evidence of malicious software beyond a handful of screenshots she took as part of the dossier of evidence she submitted in her appeal.
Doesn't this essentially exonerate Ms. Filler the vet student? The university's own IT department says it's highly unlikely that the attack was executed by someone without "extensive hacking ability."Article said:“Feedback from [IT] indicated that these issues with her computer were in no way related to the alleged allegations,” said Angie Warner, the committee’s acting chair, in an email we’ve seen, recommending Filler’s expulsion. Citing an unnamed IT staffer, the department claimed with “high degree of certainty” that it was “highly unlikely” that the grade changes were “performed by malicious software or persons without detailed and extensive hacking ability.”
This makes no ****ing sense. Timings are everything. This just reeks of a gaggle of idiots like some nursing home knitting and quilting club speaking on matters that are out of their wheelhouse. This highly reeks of emotional and irrational thinking.Article said:Filler thought she could convince the committee that she wasn’t the hacker, but later learned that the timings “did not factor” into the deliberations of the grievance committee, wrote Tufts’ veterinary school dean Joyce Knoll in an email dated December 21.
Probably because Tufts had already made up their mind and had closed their mind to any facts.Article said:All of the students we spoke to said they were never approached by Tufts to confirm or scrutinize their accounts.
I need way more details on why Tufts is accusing Filler of having an iPhone 5s. Where are they getting this info?Article said:Tufts said on that occasion, her computer — eight miles away from the restaurant — was allegedly used to access another staff member’s login and tried to bypass the two-factor authentication, using an iPhone 5S, a model Filler doesn’t own. Filler has an iPhone 6. (We asked an IT systems administrator at another company about Duo audit logs: They said if a device not enrolled with Duo tried to enter a valid username and password but couldn’t get past the two-factor prompt, the administrator would only see the device’s software version and not see the device type. A Duo spokesperson confirmed that the system does not collect device names.)
Then show us more details than just the high-level screenshots showing the start and end times of her sleep activity. Show me her body movement graph and her heart rate graph. This will help me believe that she didn't manually fake her sleep activity as part of her alibi.Article said:Filler, who wears a Xiaomi fitness and sleep tracker, said the tracker’s records showed she was asleep in most, but not all of the times she’s accused of hacking. She allowed TechCrunch to access the data in her cloud-stored account, which confirmed her accounts.
I'd like to see the photos in question, but I'll give the benefit of the doubt to Jake Williams's analysis. He has no incentive to lie about this.Article said:While photo metadata can be modified, Williams said the signs he expected to see for metadata modification weren’t there. “There is no evidence that these were modified,” he said.
Article said:Yet none of it was good enough to keep her enrolled at Tufts. In a letter on January 16 affirming her expulsion, Knoll rejected the evidence.
“Date stamps are easy to edit,” said Knoll. “In fact, the photos you shared with me clearly include an ‘edit’ button in the upper corner for this exact purpose,” she wrote, referring to the iPhone software’s native photo editing feature. “Why wait until after you’d been informed that you were going to be expelled to show me months’ old photos?” she said.
“My decision is final,” said her letter. Filler was expelled.
HURR DURR, I'm a twit.Article said:“My decision is final,” said her letter. Filler was expelled.
Exactly. All these details matter. Saying that it's "irrelevant" if she created the Scott Shaw account is since it's material to the entire case, since that appears to be the entry point for penetration -- everything else was lateral movement from there, no?Article said:But even the little things don’t add up.
Tufts never said how it obtained her IP address. Her landlord told me Tufts never asked for it, let alone confirmed it was accurate. Courts have thrown out cases that rely on them as evidence when others share the same network. MAC addresses can identify devices but can be easily spoofed. Filler owns an iPhone 6, not an iPhone 5S, as claimed by Tufts. And her computer name was different to what Tufts said.
And how did she allegedly get access to the “Scott Shaw” password in the first place?
Warner, the committee chair, said in a letter that the school “does not know” how the initial librarian’s account was compromised, and that it was “irrelevant” if Filler even created the “Scott Shaw” account.
Because they're incompetent and evil.Article said:Many accounts were breached as part of this apparent elaborate scheme to alter grades, but there is no evidence Tufts hired any forensics experts to investigate. Did the IT department investigate with an inherent confirmation bias to try to find evidence that connected Filler’s account with the suspicious activity, or were the allegations constructed after Filler was identified as a suspect? And why did the university take months from the first alleged hack to move to protect user accounts with two-factor authentication, and not sooner?
I agree entirely. They tanked her career moments before she earned her DVM and didn't have the decency to say why, like toddlers throwing a temper tantrum.Article said:But we know two things for certain. First, Tufts expelled a student months before she was set to graduate based on a broken system of academic-led, non-technical committees forced to rely on weak evidence from IT technicians who had no discernible qualifications in digital forensics. And second, it doesn’t have to say why.
Or as one student said: “We got her side of the story, and Tufts was not transparent.”
Spanish Inquisition (no one expects it!)
I wondered the same thing. But I can tell you personally, it affected mine. I was wait-listed and removed my name from the wait-list yesterday. I loved Tufts, but I have dealt with this administration drama in the past and want no part!I wonder if this will impact anyone’s decision to attend Tufts
IMHO, I would not let this affect your decision. There are administrative issues at every school, some more than others. Tufts is unfortunate enough to have had this published, while similar things likely occur at other schools with less press. This article, as others have said, doesn't really give the full picture and is really murky.Piggybacking off a few other comments...should this be something that admitted students weigh heavily before deciding? I've been really considering Tufts as my top school, and now I'm conflicted with this information. Everything in the article is so murky that I don't 100% know how to feel, but it's been in the back of my mind for the past few days and I'm not sure how to proceed with making a decision now
This is a really crappy situation. The one thing I find ironic is that Tufts told her to leave ASAP and then started trying to collect loan money from her. If I was unjustly expelled I wouldn't be paying the school jack squat. Especially if I had to leave the country because of it.
Ok, this isn't how student loans work. Tufts isn't asking her to pay back her loans.... either the bank or the federal government who gave her the loans is requesting payback since she's no longer enrolled in school.
Right, but like you said she's Canadian so Idk how that would work. Though this was written in the article:
"Filler is back home in Toronto. As her class is preparing to graduate without her in May, Tufts has already emailed her to begin reclaiming her loans."
Which makes it sound like Tufts was lending her the money/paying her tuition for her. If they were private loans from another institution then I'd say she should pay them back and sue Tufts. If Tufts was paying her tuition she could probably sue, but if she wasn't able to or was unsuccessful I'd tell them 'bye Felicia'.
Schools don't pay a students tuition or provide loans. This is called crappy journalism.
Tufts does do private loans through the institution. The financial aid info they sent me had a part for federal loans and another part for loans through tufts directly.
I'll say up front that I 100% agree with you that the article is skewed and biased to her side. I don't think any reasonable person here has drawn the conclusion that she's completely innocent.Not only is the article heavily skewed towards Filler's side, and as others have noted, remiss in alluding to but not actually including some of the evidence cited, but no other theory besides her adjusting her own grades (or paying someone to do it for her) really makes any sense to me.
Call me naive, but they're just human beings (and veterinarians themselves) who I personally can't imagine remorselessly steamrolling over an innocent student the way some people on the internet seem to suspect.
I don't think it's blown out of proportion considering a professional student got expelled just a few months prior to graduation. I agree that this could happen at any school. Doesn't mean that anything anyone has said in this thread is out of proportion. This isn't about bombing a quiz, for example, it's expulsion and not providing evidence.Overall, I agree with ziggy that this is something that could have happened at any school and is now being blown out of proportion.
My undergrad offered private loans... like 8% fixed APR, totally evil.I'm kind of surprised they do even this because you need certain credentials and certificates to act as a loan provider, it is why mostly banks provide loans.
My undergrad offered private loans... like 8% fixed APR, totally evil.
Yeah but federal loans offer IBR/IDR/deferment/forbearance. When schools get into the private loan game, the terms are quite nasty.Meh, that's what the federal loans are up to now.
Or don't go to expensive schools thinking that the education is that much better.Don't go to school, kids, it'll ruin you financially forever.
Yeah but federal loans offer IBR/IDR/deferment/forbearance. When schools get into the private loan game, the terms are quite nasty.
Or don't go to expensive schools thinking that the education is that much better.
Edit: Frick. I was trynna just copy the first image, but they're all together.
Yeah but federal loans offer IBR/IDR/deferment/forbearance. When schools get into the private loan game, the terms are quite nasty.
Or don't go to expensive schools thinking that the education is that much better.
Edit: Frick. I was trynna just copy the first image, but they're all together.
Some people might be into that. Besides, kink shaming is @finnickthedog's job.IBR is only great for 25 years, then the tax bomb explodes in your face.
Schools don't pay a students tuition or provide loans. This is called crappy journalism.
Sdn only lets me have one image in my signature so I had to combine themOr don't go to expensive schools thinking that the education is that much better.
Edit: Frick. I was trynna just copy the first image, but they're all together.
Probably, there are other possibilities though. Some schools offer X dollars of aid assuming you finish or complete a certain track. If you drop out or change tracks then you owe the full amount. HPSP scholarship is like this as well as most med schools that offer tuition credits for staying in state afterwards. My guess is Tufts vet school isn't one of those programs as it was bad journalism, but idk.
(Also @lioness2408, since you're a student, do you have any idea what systems they're even talking about?? What "librarian" would have admin access to IT systems?)
1) "Warner, the committee chair, said in a letter that the school “does not know” how the initial librarian’s account was compromised, and that it was “irrelevant” if Filler even created the “Scott Shaw” account."
Saying that material evidence of an attack is "irrelevant" is infuriating to me and essentially throws the entire case out the window. In other words, from my read, stealing the librarian's password and somehow using it to create a "Scott Shaw" dummy account with lots of admin permissions is kind of how the penetration into the school's systems took place to begin with.
That's akin to saying, "Oh, it's irrelevant how you actually broke into my house. All I know is some things are missing, but I know you were the one who did it!"
The iPhone 5s/6 thing doesn't make sense to me. Neither do other details.
Then they can cut the crap and provide their evidence that led to their decision. If not, sue and subpoena it. If my school said, "We're kicking you out, but we aren't saying how we came to this conclusion," I'd like to think I'd make it my life mission to sanction them if only so that they cannot hurt anyone else again.
This isn't about bombing a quiz, for example, it's expulsion and not providing evidence.