Students go 'phishing' for user info
April 27, 2005 11:57 AM   Subscribe

Corrected hyperlink - a blog.
posted by ericb at 12:00 PM on April 27, 2005

Ha, the comments section reads like Metafilter for teens.
posted by Peter H at 12:23 PM on April 27, 2005

In all fairness, the most teen-like of those comments started appearing once Slashdot posted the story....
posted by mr_roboto at 12:34 PM on April 27, 2005

1. Are there any statistics available? Wouldn't statistics make people feel better?

2. Does their "now we'll comfort you" blog really not explain that automatic authenticators were used to check the id/passwords and that no human being has seen or will ever see their sensitive information?

3. And they haven't posted full examples of the emails sent and the websites linked to?
posted by nobody at 12:34 PM on April 27, 2005

There are an awful lot of people out there who fall for spoof e-mails. I suspect that the anger of many of the students in the comments is more based on their realization that somebody could spoof their e-mail (or their friend's e-mail) than on the experiment itself. For the students who fell for it, as angry as they are, they will think twice about clicking on any link sent to them via e-mail now. Isn't that a positive thing?
posted by Joey Michaels at 12:37 PM on April 27, 2005

Joey, my thoughts exactly.
posted by knave at 12:40 PM on April 27, 2005

What the hell was the Human Subjects committee thinking? Not only does this violate the privacy rights of the students who received the messages (if you steal my credit card number and use it, I don't care if a human being never sees it and it only gets used by a machine, same with my email ID and password), it's damned unfair for the people they pretended sent them, as well.
posted by jacquilynne at 12:53 PM on April 27, 2005

As an IU student who didn't fall for it, I'd like to take a moment to congratulate myself for not falling for it. Though I should mention I never got any phishing emails in the first place.

That being said, I think the whole thing was a bad idea. Mining personal information about students then spoofing emails from them, eh, that sucks.
posted by thirteenkiller at 12:58 PM on April 27, 2005

This sort of thing happens all the time with malicious intent. If it can't be studied, how can it be prevented? I understand feeling angry because you were tricked, but it seems that no harm was done and, maybe, some folks will have a better understanding of computer security.

As far as privacy goes, on the Internet most privacy is an illusion. Clinging to that illusion is maybe more dangerous than having somebody remind us of its illusory nature.
posted by Joey Michaels at 1:14 PM on April 27, 2005

Mining personal information about students then spoofing emails from them, eh, that sucks.

Why? Assuming this was a legitimate experiment whose results will be put to good use to help protect the community (which, from seeing the webpages linked, I'm not so sure of), then where's the harm? Some people feel duped and perhaps they won't be duped in the future.

if you steal my credit card number and use it, I don't care if a human being never sees it and it only gets used by a machine, same with my email ID and password

But there's a huge difference between a machine stealing your credit card number and using it (presumably to buy things for itself) and a university-created password-checker checking to see if you've filled in valid id/password information. In theory, the little program used to do this is the very same program used by the university to check legitimate login attempts.

it's damned unfair for the people they pretended sent them, as well.

Now, this is a good point, especially if you assume that the victim might think the scam was actually perpetrated by the friend or with the friend's knowledge. The "we're sorry; thank you for participating" emails the experimenters sent to the duped students definitely should have been sure to clear this up. Seeing the blog they set up, I doubt they bothered to think of it.
But didn't it used to be common to get spam spoofed from a friend's account? (I don't get spam anymore, but I think I remember this).
posted by nobody at 1:15 PM on April 27, 2005

I fail to see what the problem is here. The only personal information "mined" was publicly available. The study took pains (and succeeded) to find a way to verify the success of the ploy without actually compromising the "victim's" password security in any way. At the end of the day, no one involved was harmed in any substantive way. No, not even those whose addresses were spoofed, because everyone, both purported senders and recipients, were notified in a timely and thorough fashion. Oh, your trust was violated? GOOD, that was the point of the whole thing. Silly buggers.
The question being asked by the study is valid and important, and could not be answered effectively in any other way. In human behavior studies, the humans being studied will usually need to be deceived on some level during the course of the study.
posted by BigLankyBastard at 1:22 PM on April 27, 2005

I'm also surprised it was approved by a human subjects committee, not because it's so out of line, but just because human subjects committees are, in my experience, whiny and uptight. I'm at Wisconsin and suspect this would never fly here.
posted by aaronetc at 1:34 PM on April 27, 2005

Maybe the HSC really didn't understand what the wording meant. I mean, from my quick read of their website, it seems that the restriction was as long as the data mined was available in the "public sphere." This seems to be a very gray area. I have a suspicion that the proposal did not clearly spell out what was going to happen. I personally don't see the problem with the study, but like aaronetc, I question why the HSC would have approved it.
posted by odinsdream at 9:27 PM on April 27, 2005