School is canceled

By William Entriken


In the middle of the night, I learned about a mysterious and FAKE message canceling class for all Villanovans:

Anthony Romano: will
Full Decent: I’m not away… I’m idle!
Anthony Romano: will
Anthony Romano: will
Anthony Romano: will
Anthony Romano: will
Full Decent: yo
Anthony Romano: did you spoof that email?
Full Decent: >-)
Anthony Romano: yes or no
Anthony Romano: I wont tell anyone
Anthony Romano: I just want to know
Full Decent: what difference does it make?
Anthony Romano: well if its fake I have to constantly check my email
Anthony Romano: to see if he found out
Anthony Romano: and uncanceled class
Anthony Romano: if its real, I can go home and sleep all day
Full Decent: then that would suck if I didn’t tell you
Anthony Romano: :/
Full Decent: how much would that information be worth to you?
Anthony Romano: oh geez
Anthony Romano: dont be a dick

(Update 2009-08-29) Then a little bit later, a second email from the school president went out:

From: Edmund Dobbin
To: students@villanova.edu
Subject:
Sent: April 20, 2004 2:40 am

Dear students,

Please be aware that I did not send the message sent to all students last night. THERE WILL BE CLASS ON TUESDAY APRIL 20, 2004. The message was sent by some hackers, and not myself.

I apologize for any inconvenience this may have caused,
Edmond Dobbin O.S.A.

442651724acc96ad90bbf6f07a79566f

(Update 2013-12-20) And all the context.

The president has access to mail all students/faculty/staff at once.

It turns out that the Villanova email system required you to log in to access your emails. But no password was required to send emails from certain physical locations: the SMTP server authenticated senders by IP address only. That means anybody at one of those locations could send emails as anybody, including the university president.

I presented a post-mortem of this to my cryptography class; the slides are still at https://docs.google.com/presentation/d/1qND8ihiCSufuqDTC__EobFzJ_h3RpxrdzDPcqgSVZE8

I found out that the original, malicious email was sent by somebody using guest login at Falvey Library who set up an email account using Thunderbird, setting the “from” address as the president… which of course has send access to the “all students” email list. The second email was sent using a more crude telnet session to the SMTP server, which obviously did not support spell check!

Recently, Villanova fixed this problem by switching email hosting and SPF to Gmail.
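The gap described above is location-based trust with nothing binding the login to the "from" address, and a submission policy like the following closes it. This is an added example, not code from Villanova's mail system or from the original post; the addresses, network range, list name and function names are constructed for illustration.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed values (assumptions): a "trusted" campus range and one restricted list.
CAMPUS_NET = ip_network("192.0.2.0/24")
LIST_POSTERS = {"all-students@example.edu": {"president@example.edu"}}

@dataclass
class Submission:
    client_ip: str
    auth_user: Optional[str]  # identity proven with SMTP AUTH, None if absent
    rcpt_to: List[str]        # envelope recipients
    data: str                 # message headers and body

def legacy_policy(sub: Submission) -> str:
    """The weak rule from the post: network location alone grants the right to send."""
    return "accept" if ip_address(sub.client_ip) in CAMPUS_NET else "reject: relay denied"

def hardened_policy(sub: Submission) -> str:
    """Require AUTH from every location, bind From to the login, gate list posting."""
    if sub.auth_user is None:
        return "reject: authentication required"
    sender = parseaddr(message_from_string(sub.data).get("From", ""))[1].lower()
    if sender != sub.auth_user.lower():
        return "reject: From does not match authenticated user"
    for rcpt in sub.rcpt_to:
        allowed = LIST_POSTERS.get(rcpt.lower())
        if allowed is not None and sender not in allowed:
            return "reject: not permitted to post to list"
    return "accept"

def sample(from_hdr: str) -> str:
    """Build a constructed message addressed to the restricted list."""
    return f"From: {from_hdr}\nTo: all-students@example.edu\nSubject: notice\n\nbody\n"

LIST = ["all-students@example.edu"]
PRES = "President <president@example.edu>"
CASES = {  # constructed submissions, all from the same campus machine
    "guest, From=president": Submission("192.0.2.77", None, LIST, sample(PRES)),
    "student, From=president": Submission("192.0.2.77", "student@example.edu", LIST, sample(PRES)),
    "student, own From": Submission("192.0.2.77", "student@example.edu", LIST, sample("student@example.edu")),
    "president, own From": Submission("192.0.2.77", "president@example.edu", LIST, sample(PRES)),
}

if __name__ == "__main__":
    for name, sub in CASES.items():
        print(f"{name:24} legacy={legacy_policy(sub)!r} hardened={hardened_policy(sub)!r}")
```

The legacy rule accepts all four submissions because they share a campus address; the hardened rule accepts only the last one.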

ℹ️ The 442651724acc96ad90bbf6f07a79566f part of the message is an MD5 hash of something like “Will and Chris sent this” so that we could later take ownership of this favor. Unfortunately (?) that was a long night and we forgot the unencrypted message.

⚠️ Yes, although we were the “good guys” here, doing something like this can get you ten years in jail nowadays. For another story on police/security trying to throw the book at you, see how we hacked in and changed our grades at Villanova https://fulldecent.blogspot.com/2005/03/so-public-safety-comes-into-my-room.html

I do not admit to any crimes here and this blog post may be fiction.
