In the middle of the night, I learned about a mysterious and FAKE message canceling class for all Villanovans:
Anthony Romano: will
Full Decent: I’m not away… I’m idle!
Anthony Romano: will
Anthony Romano: will
Anthony Romano: will
Anthony Romano: will
Full Decent: yo
Anthony Romano: did you spoof that email?
Full Decent: >-)
Anthony Romano: yes or no
Anthony Romano: I wont tell anyone
Anthony Romano: I just want to know
Full Decent: what difference does it make?
Anthony Romano: well if its fake I have to constantly check my emai
Anthony Romano: to see if he found out
Anthony Romano: and uncanceled class
Anthony Romano: if its real, I can go home and sleep all day
Full Decent: then that would suck if I didn’t tell you
Anthony Romano: :/
Full Decent: how much would that information nbe worth to you?
Anthony Romano: oh geez
Anthony Romano: dont be a dick
(Update 2009-08-29) Then a little bit later, a second email from the school president went out:
From: Edmund Dobbin
To: students@villanova.edu
Subject:
Sent: April 20, 2004 2:40 am
Dear students,
Please be aware that I did not send the message sent to all students last night. THERE WILL BE CLASS ON TUESDAY APRIL 20, 2004. The message was sent by some hackers, and not myself.
I apologize for any inconvenience this may have caused,
Edmond Dobbin O.S.A.
442651724acc96ad90bbf6f07a79566f
(Update 2013-12-20) And all the context.
The president has access to mail all students/faculty/staff at once.
It turns out that the Villanova email system required you to login to access your emails. But no password was required to send emails (IP-address based SMTP authentication) from certain physical locations. That means anybody could send emails as anybody, including the university president.
I presented a post-mortem of this to my cryptography class, the slides are still at https://docs.google.com/presentation/d/1qND8ihiCSufuqDTC__EobFzJ_h3RpxrdzDPcqgSVZE8
I found out that the original, malicious email was sent by somebody using guest login at Falvey Library who set up an email account using Thunderbird, setting the “from” address as the president… which of course has send access to the “all students” email list. The second email was sent using a more crude telnet session to the SMTP server, which obviously did not support spell check!
Recently, Villanova fixed this problem by switching email hosting and SPF to Gmail.
ℹ️ The 442651724acc96ad90bbf6f07a79566f
part of the message is an MD5 hash of something like “Will and Chris sent this” so that we could later take ownership of this favor. Unfortunately (?) that was a long night and we forgot the unencrypted message.
⚠️ Yes, although we were the “good guys” here, doing something like this can get you ten years in jail nowadays. For another story on police/security trying to throw the book at you, see how we hacked in and changed our grades at Villanova https://fulldecent.blogspot.com/2005/03/so-public-safety-comes-into-my-room.html
I do not admit to any crimes here and this blog post may be fictional.
▧
Comments
The official X thread
@fulldecent
Another Wildcat's analysis of this night
Villamova
Hacker attempts class cancellation via e-mail
The Villanovan
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.