Oxford Temporarily Blocks Google Docs To Fight Phishing
netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."
Report Abuse (Score:5, Informative)
As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.
Re:Report Abuse (Score:5, Informative)
You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.
Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.
Yes, they are stupid, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.
Re: (Score:3, Funny)
Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...
When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.
Re: (Score:3)
Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...
When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.
Why not just issue him a two-factor authentication token, then you can actually solve the problem instead of a bandaid approach that won't really help. (even if he has to do daily password resets, if he gives up his password in the morning, the hacker has 24 hours to use it).
The tokens are cheap (even cheaper when it is a smart-phone app), every company with data worth stealing should use them.
Re: (Score:2)
Many universities aren't even willing to spend the money for a mail server anymore, I don't see how you could convince them to spend a quarter million dollars for tokens (assuming $1/user). And yes, that includes alumni, who likely wouldn't use the 2-factor because it's too much hassle, which would sink the entire project.
Yes, universities want alumni to keep their accounts, because that's the easiest way for them to beg for money.
Re: (Score:3)
When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
The victims tend to learn from all the inconvenience caused by the attack itself. It's everyone that didn't get phished you need to reach.
Perhaps the solution is to send out a university-sponsored phishing attack, then conduct an Internet-safety education seminar for everyone who falls for it.
Re:Report Abuse (Score:4, Insightful)
Or they will come up with a new password Scheme that is completely insecure.
Old Password: password
New Password: password19 (today's date)
Tomorrow ....
Old Password: password19
New Password: password20
That way, I can have 28-31 different passwords every month, without having to remember any one in particular.
Re: (Score:3)
Now you're either storing all the users' past passwords. Or maybe some clever hash of those passwords that preserves efficient computation of Levenshtein distance. However, given an oracle that computes Levenshtein distance, one could easily extract the password.
Re: (Score:2)
I might be mistaken about the numbers, but they are in that ballpark.
Re: (Score:2)
Passwords should be (and usually are) stored as hashes, which means you can very quickly hash the user's entry and compare if it is exactly the same as the password, but by design can't infer any other details about the password if the entry is wrong.
Anything that allows you to compare how 'close' an entry is to the user's current password obviously makes guessing that password far easier.
If your passwords are securely salted and hashed then storing additional old entries shouldn't lower security, and as you
Re: (Score:3)
That's a good point. Maybe it would be more feasible to have the server cache the current password in RAM during the mandatory password change process, so it can at least compute edit distance from the previous password.
Or for added fun, have a server dedicated to brute force password cracking. When it gets somebody's password, their account gets flagged for a mandatory password change.
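The check discussed in this sub-thread, as an added example that is not code from any poster: the old password is only compared to the new one during a change request, after it has been verified against the stored salted hash, so no distance oracle is exposed to someone who does not already know it. The threshold, work factor, function names and sample passwords are assumptions made for illustration.

```python
"""Constructed example: edit-distance check at password-change time only."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_EDIT_DISTANCE = 4      # assumed policy threshold, not from the thread
PBKDF2_ROUNDS = 100_000    # illustrative work factor


def levenshtein(a: str, b: str) -> int:
    """Two-row dynamic-programming edit distance."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def hash_password(password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored salted hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def new_account(password: str) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "history": []}


def change_password(account: dict, old: str, new: str) -> str:
    """Return 'ok', 'bad-old-password', 'too-similar' or 'reused'."""
    # 1. Nothing about similarity is revealed unless the caller already
    #    knows the current password.
    if not verify(old, account["salt"], account["digest"]):
        return "bad-old-password"
    # 2. The old plaintext exists only in this request's memory, so the
    #    "password19 -> password20" pattern can be caught without storing it.
    if levenshtein(old.lower(), new.lower()) < MIN_EDIT_DISTANCE:
        return "too-similar"
    # 3. Older passwords are kept only as salted hashes: exact reuse can be
    #    detected, near-misses against them cannot (and are not attempted).
    for salt, digest in account["history"]:
        if verify(new, salt, digest):
            return "reused"
    account["history"].append((account["salt"], account["digest"]))
    account["salt"], account["digest"] = hash_password(new)
    return "ok"


if __name__ == "__main__":
    acct = new_account("password19")   # constructed sample values
    for old, new in [("password19", "password20"),
                     ("password19", "Tr4mline-ochre-vast"),
                     ("Tr4mline-ochre-vast", "password19")]:
        print(repr(new), "->", change_password(acct, old, new))
```
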
Re: (Score:2)
But why Google Docs? A form is a form, no matter what generates it. How is this different from using Word or even vi?
(and actually I am surprised enough people use Google Docs that there would be an uproar of a short shutdown)
Re: (Score:2)
I'm guessing it makes phishing ridiculously easy by hosting a form service on the web where you can easily and anonymously get the results back over the net.
Re:Report Abuse (Score:4, Interesting)
I'm the same for
What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.
I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)
Here's a phish I received just two hours ago: https://docs.google.com/forms/d/1RPht7SPAZywd3L13_lLMeB1pCAz6ufe6LX-S7YKtaR8/viewform [google.com]
Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.
Re: (Score:2)
You'd think. Or maybe the broken English, or the generic terms ("Dear Account User:"), or the vague threats ("Do this or you lose your email forever")... or any number of things.
You'd think they'd pick up on those. Then you see that they don't. Then you become sad. Or angry. Sometimes both.
It's a Google problem (Score:5, Insightful)
Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.
If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.
Re: (Score:3)
They've gotten better. If I hit the Report Abuse link at the bottom of the document, it normally disappears inside three hours.
that's a misrepresentation problem (Score:2)
Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.
Re:that's a misrepresentation problem (Score:5, Interesting)
Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.
Because they are providing the tool that is so easily abused by phishers.
It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.
If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.
You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.
Re: (Score:1)
So if I sell a knife to someone who uses it to rob a bank, I am responsible?
The first time, no.
Around about the 100th time, if you don't start instituting some security measures - such as requiring a photo ID of knife purchasers, and saving a copy of the ID and a bill of sale for every purchase - then yes, you could be held responsible.
Re: (Score:2)
There is absolutely no legitimate use for a Google Docs form for the username and password of an external mail system. Go on, try and think of one. I'll wait.
Re: (Score:2)
oh hey, please prove a negative! That can't go wrong at any time, right?
Go ahead, make an actual argument for why creating a strawman argument asking to prove a negative is even relevant. Go on, try and think of one. I'll wait.
"The Tool" (Score:2)
You mean the university email system that delivers the malicious email?
I have a crazy idea, tell users not to give personal information out by email. It's that simple.
NEVER give out personal information by email.
Re:"The Tool" (Score:4, Insightful)
You mean the university email system that delivers the malicious email?
I have a crazy idea, tell users not to give personal information out by email. It's that simple.
NEVER give out personal information by email.
The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.
After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".
Re: (Score:2)
The bluntest, least-energy thing I've been telling people is that the "From" address of ANY email is cosmetic. It can say anything. "But the email came from our domain!" "No, it SAID it came from our domain. There's a difference." Go into Outlook and change it to spoof the university president... it's four clicks.
True story: We sent out an email letting people know that a phishing attack was going on. We even provided a sample of the phishing email, which was your typical "Confirm your account, pleas
Re: (Score:2)
So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.
That's the whole point: you cannot rely on user education. There will always be a couple of idiots who send out their password. You can't go around every single flipping one of them and do the spoofing illustration in p
Re: (Score:2)
So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.
How did I contradict myself? I said it was the least-energy thing I could tell them. I didn't make any claims to its efficacy. Nor did I connect the two together. As point of fact, that explanation usually comes after a particular user has already been victimized.
I used to give detailed explanations. It didn't work. Then I tried less-detailed. Then even less detail. The "From address is useless" is just the latest thing I'm trying in our sound-bite society. Ask me again in a year if it actually has any effect (probably not). Perhaps by then I'll have simplified down to just an angry grunt.
I'm not disagreeing with your comments on the futility of trying to educate, mind you, as cynical as it is.
Re: (Score:2)
I looked at it seriously a couple of years ago, when it seemed like everything was set to "soft-fail" SPF checks, which was next to useless. There was also a lot of resistance from people using Gmail, Hotmail, etc. I'd look at it again, except now the spammers have given up spoofing our domain... they've discovered that mail coming in from *outside* claiming to be from us sets off more alarms than any garbage value they could think up. Now they just rely on the free-text part of the address, eg:
Re: (Score:3)
It's even worse than this. Occasionally, our University's IT actually does send out emails that sound like a phishing attack. The only difference is that they link to a legitimate website. However, because of the general mess of different sign-ons (e.g. billing, payroll, course schedule, parking, etc...) it takes me a while to remember if this is a real service or a fake one.
I think, somewhat optimistically, that people can be trained to not send username/password over email. However, far too many thin
Re: (Score:2)
Google offers free services. People will attempt to abuse them. That's no great surprise, nor is it specific to Google.
When someone abuses Google's services in a way that's a threat to other users there are only two ways to mitigate the incident. The best, by *far*, is for Google to stop the abusive behaviour. The other is for the affected parties to block access to (some subset of) Google. Those are really your only options.
Google is (based on externally visible behaviour) worse at mitigating abuse up-front
How is it used for phishing? (Score:4, Interesting)
Can anyone offer an example or offer up an anecdote where they've encountered it?
Re:How is it used for phishing? (Score:5, Informative)
My university has been targeted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/ [gfi.com]
It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.
Oh, Passwords are Broken (Score:2)
ah, thanks for the link - now the story makes sense for me.
Something will someday push people over the edge and get them to give up on single-factor symmetric authentication. I know, breaking news...
Re: (Score:2)
Still baffled. Google Docs is a mail server? To use it, don't you still have to create the form, download it, then mail it out from your own account?
Re: (Score:3)
It sounds like end users simply "trust google", and thus ANYTHING on google docs is "trustworthy", because hey, "it's google".
I know, it's stupid as baloney. It's like trusting a billboard down the street that says "City Billboard" just because you trust your City government, totally being ignorant that any nutjob can post something to the billboard.
Some. People. Don't. Understand. Technology. AT ALL.
Re:How is it used for phishing? (Score:4, Informative)
These kinds of tricks don't have anything to do with people not understanding technology - it has everything to do with the scammers understanding psychology. There are lots of ways to raise the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.
One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!
What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that than when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as well lie about the doctors - there is no rational difference.
Re: (Score:2)
Some. People. Don't. Understand. Technology. AT ALL.
That's kind of the point of a lot of technology. It's a solution to fix a problem. The end user doesn't care how it gets done, it only matters that it gets done. I'm sure there's technology that you use, and yet you don't understand all of details of every functioning piece in the process.
Here's a live example. (Score:2)
Here's a typical Google-hosted phishing page. [google.com] Note that the page is long enough that the Google disclaimers at the bottom are pushed "below the fold", and some users won't notice. Such pages are used in conjunction with spam emails. Since the URL in the spam will be on Google, it makes it through most spam filters.
Google's own phishing detection catches some of these. Ones that mention "Microsoft Outlook" tend to be caught. This suggests that Google is using a simple classifier but needs a better trai
Here's the list of Google-hosted phishing sites. (Score:5, Interesting)
One of the things our SiteTruth system does is report on major sites that host phishing scams. [sitetruth.com] There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.
Here's the list of all known phishing sites currently hosted by Google. [sitetruth.com]. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.
Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts. [phishtank.com]
Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.
Here's the oldest phishing site hosted by Google. [google.com] On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.
When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.
Re: (Score:2)
Thanks so much for doing this.
Really? (Score:5, Insightful)
I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.
Re: (Score:2)
wow, ;)
there are days i wish we had "your" policy in place... but then it would make for a very deserted office
or emeritus professors.... (Score:5, Interesting)
Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.
I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)
Re: (Score:2)
This has nothing to do with expertise in IT. You don't need to know how the telephone system works to know not to give your bank account information to some guy who calls you up and asks for it.
Re: (Score:1)
As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might
I understand your point and I partially agree with it, but IMHO a doctor that only knows about medicine, will never be a good doctor.
Don't you think it is valuable for a doctor to know some basic knowledge about psychology and/or sociology for example? I think it is. Not a PhD in those fields, but some basic knowledge sure will be useful in his career and make him a better doctor.
Back on topic, I think that the PC and the Internet are amazing tools, which knowing how to use them will make you a better prof
Filter outbound email? (Score:2)
Why wouldn't oxford have just set up outbound email scanning? Once they detect an email account is spamming, cut off the user.
Re: (Score:2)
Worse, it only takes a few emails tripping the right filters or customer complaint bins before Hotmail decides to never accept email from that relay's IP ever again. No appeal, no cooling off, no support assistance, that IP goes into their blacklist and there is no digging it out afterwards.
Re: (Score:2)
I can't tell if you misunderstood me, or are just wrong. They are harvesting email addresses from students, profs, etc. There is a limited resource of available oxford.edu addresses. They wouldn't be able to send many emails if they used a different account for each one. Even if they did, the filter should just use a ranking system like SpamAssassin to red flag outgoing emails likely to be spam. One bad email sent, block that message, send notice to user. Five sent, block account. Even if there are a lot of
Re: (Score:2)
They're not harvesting email addresses, they're harvesting *accounts*, which grant access to the outbound SMTP server. A "limited resource" numbering in the hundreds of thousands, and adding a few thousand every year.
At the university I work at, we do exactly what you suggest. The spamming still happens. Why? Because the spammers (a group of guys located in Laos, Nigeria, and a few spots in Malaysia and Israel) will use a stolen "test" account to trickle a spam email or two through to see what gets thro
Re: (Score:2)
My solution sucks as a long term solution, but as a short term solution it's better and more effective than what Oxford did. Ban or warn users after one suspicious email. Turn that on for one day out of every month to get people's attention. IT will become the enemy, such that people that don't *have* to use university email, won't. Which will keep out the riffraff who are most likely to get their accounts compromised. Which will reduce the odds of being labeled as a spam domain. Which will improve the qualit
Re: (Score:2)
Short-term solutions can be worse because you don't have time to warn people, and the results are often slap-dash.
For example, to do as you propose:
- I'd have to block all direct outbound SMTP connections, just to keep people from circumventing the protections. I'd *love* to do this, seriously. But you wouldn't believe the hostility from the user community for thinking about it, even if they don't *use* any off-site mail servers. Hell, right here on Slashdot, I'd be called a
Re: (Score:2)
Yeah, you don't quite understand what I'm suggesting. I don't really want to specify it any further. But basically I was imagining something less comprehensive. The goal of Oxford was to raise awareness. My suggestion still has that in mind, raise awareness about phishing, but punish fewer people.
Re: (Score:1)
This is not an 'intranet' it's a metropolitan scale network with tens of thousands of users personal machines connected to it.
Of course they use DPI for a variety of things; however, it does not help for this specific instance because they are *personal* machines, and you can't MITM the https by installing trojan certificates on the client machines.
Which morally you shouldn't be doing anyway even if you are running a locked down corporate network.
Also the stuff required for doing DPI at line speed on 20Gbit/s l
Why is this a big deal? (Score:2)
Why is an organization somehow obligated to provide access to this application? Maybe they have promised something to their users, but otherwise Google Docs is not a universal human right; it's just another application offered by another company.
Re: (Score:2)
And at a university, these students typically submit coursework which may often be written using a word processing tool.
If said word processing tool is subsequently blocked for a few hours without prior warning, it's quite easy to see how this could well pose an issue for students making last minute changes to their course work.
Re: (Score:2)
Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.
Re: (Score:1)
Typically UK universities don't have the kind of agreements with Microsoft that would give all their students 'free' access to MS office.
MS do have a discounted program directly for students in higher education where office is around £28.
Re: (Score:2)
I expect staff also use it for collaborative work.
Computing staff (and some others) might use a shared version control system and LaTeX or similar, and many others will email round MS Word documents, but Google Docs can be superior to both.
(One of the few Google Documents I have was sent to me by an academic at Oxford, he is collaborating on a project with one of my colleagues in London.)
staff using it to avoid IT politics as well (Score:4, Informative)
I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.
I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations...
Re: (Score:2)
I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.
I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations...
This is nothing to do with universities, it happens in corporations too. IT departments think they're in charge, while the business works around them to get stuff done.
Unfortunately this all comes to a head when there's a data protection leak. I lay the blame at the door of IT, who will no doubt claim they're underfunded and understaffed, for not providing the right tools in the right timeframe.
It's mainly an attitude problem.
Oxford (Score:1)
Re: (Score:2)
Would you use a bank that did not take security seriously?
Yes, because NONE of them have adequate security for their customers. They protect their own servers with billions of dollars of protection, then let you pay by waving a card in the air or *shudder* sending a text message.
Re: (Score:2)
Then this may not be the right site for you.
Re: (Score:2)
You can pay a maximum of $50 by 'waving a card in the air', and any 'wave-a-card' transaction you challenge will just be resolved in your favour.
They don't _claim_ there's anything particularly secure about PayPass etc. They're just playing a numbers game. They have figured that the revenue increase that results from the increase in security is greater than the loss that results from a) actual fraudulent usage of such systems and b) fraudulent *claims* of fraudulent usage of such systems.
It's exactly the sa
Re: (Score:2)
Sigh. I meant 'increase in convenience', not 'increase in security'. Damn you, lack of an edit button.
Re: (Score:2)
They don't _claim_ there's anything particularly secure about PayPass etc.
When I got my new credit card I actually phoned the company and specifically requested (quite firmly) that they deactivate the feature on my card. I know they can't "special make" me a card that doesn't have the chip, but they absolutely REFUSED to deactivate such payments on my credit card account. They also kept repeating (as if they were reading) that it is completely secure.
Re: (Score:2)
If my bank shuts down my debit card for two hours without warning because my neighbor keeps leaving his at the bar? Yeah, that's an awful thing.
*facepalm* (Score:2)
Re: (Score:2)
There are probably thousands of scripts around the world that ping 8.8.8.8 or some other well known Google IP address on a regular basis to test their Internet connectivity. For example, this script [blogspot.com]
How about (Score:2)
suspending accounts sending spam? Punish those who deserve it, not everybody.
The solution is.... (Score:2)
The Oxford administrators should phish their own students. Any student stupid enough to fall for it must attend compulsory remedial training. Rinse, repeat, rinse repeat until nobody falls for it anymore.
Re: (Score:3)
I can't speak for Oxford, but I know at my workplace, traditionally it's the students who fall for it the *least*. Their numbers even out, but that's only because there's a hell of a lot more students. In general, the kids coming in today are reasonably technically-savvy and sceptical.
In terms of percentages, the people you need to watch out for are the faculty. They're older, less experienced with modern technology, and frequently believe that a PhD in Aztec basket weaving means they've mastered life.
This is why University IT sucks in general... (Score:2)
In the olden days (and I am thinking as recently as the late 1990s) the universities would bake their own IT solutions. It was considered an academic challenge, and each campus had its own peculiar requirements, culture, etc. In those days, you had two tiers of IT - the local lab support, which was generally a grad student in the department who had undergone a short training course - if they even needed it - to help lusers figure out which part of the computer is the screen, which is the keyboard, and whe
Re: (Score:3)
I completely agree. Same in corporations. The people with the purse strings will lap up the sales pitch from companies like ATOS and Capita, and flush the money down the toilet.
In parallel, the people that have responsibility for IT in the company have it locked down tighter than Fort Knox. At least on paper. No one is allowed to create useful tools to fix problems in their department, it needs to go out to tender via a central funding pot.
Eventually you get people that, on paper, are "sales", but in reality
Re: (Score:1)
The problems all started with the MIS types, who are more bean-counter than wizard. They got it into the organizational culture of both universities and business that IT is an expense instead of a place to save money and provide services. In the old days, we'd look at the cost of mailing a bunch of fucking papers around everywhere, and drafting on draft tables etc, add up the cost of all the shit and then compare it with an IT solution that was designed to increase the speed of the whole organization whil