Become a fan of Slashdot on Facebook


Forgot your password?
Google Security Technology

Oxford Temporarily Blocks Google Docs To Fight Phishing 128

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."
This discussion has been archived. No new comments can be posted.

Oxford Temporarily Blocks Google Docs To Fight Phishing

Comments Filter:
  • Report Abuse (Score:5, Informative)

    by RedACE7500 ( 904963 ) on Tuesday February 19, 2013 @02:27PM (#42946765)

    As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

    • Re: (Score:3, Interesting)

      by BlkRb0t ( 1610449 )
      How is Google Docs employed for phishing? Can anyone enlighten me here? I've used Google Docs at certain times and don't see how it can be used to tricking users to believe that it is the original site they're entering the data into. Or am I missing something here? Unless the users are really that dumb to enter their info.
      • Re:Report Abuse (Score:5, Informative)

        by bruce_the_loon ( 856617 ) on Tuesday February 19, 2013 @02:43PM (#42946889) Homepage

        You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

        Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

        Yes, they are stupud, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

        • Re: (Score:3, Funny)

          by Anonymous Coward

          Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

          When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
          Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

          • by hawguy ( 1600213 )

            Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

            When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
            Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

            Why not just issue him a two-factor authentication token, then you can actually solve the problem instead of a bandaid approach that won't really help. (even if he has to do daily password resets, if he gives up his password in the morning, the hacker has 24 hours to use it).

            The tokens are cheap (even cheaper when it is a smart-phone app), every company with data worth stealing should use them.

            • Many universities aren't even willing to spend the money for a mail server anymore, I don't see how you could convince them to spend a quarter million dollars for tokens (assuming $1/user). And yes, that includes alumni, who likely wouldn't use the 2-factor because it's too much hassle, which would sink the entire project.

              Yes, universities want alumni to keep their accounts, because that's the easiest way for them to beg for money.

          • When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.

            The victims tend to learn from all the inconvenience caused by the attack itself. It's everyone that didn't get phished you need to reach.

            Perhaps the solution is to send out a university-sponsored phishing attack, then conduct an Internet-safety education seminar for everyone who falls for it.

        • But why Google Docs? A form is a form, no matter what generates it. How is this different from using Word or even vi?

          (and actually I am surprised enough people use Google Docs that there would be an uproar of a short shutdown)

          • I'm guessing it makes phishing ridiculously easy by hosting a form service on the web where you can easily and anonymously get the results back over the net.

        • We've worked out a way to use our HTTP proxies to deny POSTing of information to Google docs/drive. This way, folks can still access information, they just can't use POST or PUT commands to send any. It isn't too hard to determine the necessary POST URLs to whitelist for logon, logoff, password change, and other operations. It's not perfect but a lot better than nothing. Maybe you could take a similar approach. Does require a proxy that intercepts SSL traffic.
    • Re:Report Abuse (Score:4, Interesting)

      by Brandon Hume ( 73471 ) on Tuesday February 19, 2013 @08:07PM (#42950651) Homepage

      I'm the same for

      What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.

      I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)

      Here's a phish I received just two hours ago: []
      Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.

      • by HJED ( 1304957 )
        Wow, they don't even bother to make the password field not clear text. You'd think some users would pick up on that?
        • You'd think. Or maybe the broken english, or the generic terms ("Dear Account User:"), or the vague threats ("Do this or you lose your email forever")... or any number of things.

          You'd think they'd pick up on those. Then you see that they don't. Then you become sad. Or angry. Sometimes both.

  • by SSpade ( 549608 ) on Tuesday February 19, 2013 @02:28PM (#42946773) Homepage

    Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

    If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

    • They've gotten better. If I hit the Report Abuse link at the bottom of the document, it normally disappears inside three hours.

    • Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

      • by hawguy ( 1600213 ) on Tuesday February 19, 2013 @03:14PM (#42947153)

        Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

        Because they are providing the tool that is so easily abused by phishers.

        It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

        If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

        You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

        • by Anonymous Coward
          So if I sell a knife to someone who uses it to rob a bank, I am responsible? Don't forget to indite the car manufacturer for providing the get-a-way car, and the hat manufacturer for making the ski mask.
          • So if I sell a knife to someone who uses it to rob a bank, I am responsible?

            The first time, no.

            Around about the 100th time, if you don't start instituting some security measures - such as requiring a photo ID of knife purchasers, and saving a copy of the ID and a bill of sale for every purchase - then yes, you could be held responsible.

        • All the phishers are doing is using Docs in the way it is meant to be used. If Google sees a form to enter information for ABC corp's Mr John McNobody, there's no way for Google to know if this is legitimate or not, other than actually trying to find Mr John McNobody and ask if it was legit.
          • There is absolutely no legitimate use for a Google Docs form for the username and password of an external mail system. Go on, try and think of one. I'll wait.

            • Enjoy your wait. Perhaps you might respond to my point, which was that Google has created an online automated system that (in part) allows people to create forms that other people can use to submit data. What do you expect Google to do, somehow magically tell the difference between legit and fake forms? Or do you think simply forbidding a field named "password" would address the problem?
            • oh hey, please prove a negative! That can't go wrong at any time, right?

              Go ahead, make an actual argument for why creating a strawman argument asking to prove a negative is even relevant. Go on, try and think of one. I'll wait.

        • You mean the university email system that delivers the malicious email?

          I have a crazy idea, tell users not to give personal information out by email. It's that simple.

          NEVER give out personal information by email.

          • Re:"The Tool" (Score:4, Insightful)

            by hawguy ( 1600213 ) on Tuesday February 19, 2013 @05:03PM (#42948397)

            You mean the university email system that delivers the malicious email?

            I have a crazy idea, tell users not to give personal information out by email. It's that simple.

            NEVER give out personal information by email.

            The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.

            After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".

            • The bluntest, least-energy thing I've been telling people is that the "From" address of ANY email is cosmetic. It can say anything. "But the email came from our domain!" "No, it SAID it came from our domain. There's a difference." Go into Outlook and change it to spoof the university president... it's four clicks.

              True story: We sent out an email letting people know that a phishing attack was going on. We even provided a sample of the phishing email, which was your typical "Confirm your account, pleas

              • So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.

                That's the whole point: you cannot rely on user education. There will always be a couple of idiots who send out their password. You can't go around every single flipping one of them and do the spoofing illustration in p

                • So, you just completely contradicted yourself. First you tell an anecdote about how easy it is to teach people not to respond to phishing requests. Then you tell a story about how your idiot users thought your email about a phishing request was a phishing request, and happily responded to it.

                  How did I contradict myself? I said it was the least-energy thing I could tell them. I didn't make any claims to its efficacy. Nor did I connect the two together. As point of fact, that explanation usually comes after a particular user has already been victimized.

                  I used to give detailed explanations. It didn't work. Then I tried less-detailed. Then even less detail. The "From address is useless" is just the latest thing I'm trying in our sound-bite society. Ask me again in a year if it actually has any effect (probably not). Perhaps by then I'll have simplified down to just an angry grunt.

                  I'm not disagreeing with your comments on the futility of trying to educate, mind you, as cynical as it is.

              • And thus lies another example of IT being put between a rock and a hard place. SMH -____- I'd laugh at your story if I didn't think it was completely true. It's a shame, really.
              • by HJED ( 1304957 )
                Out of interest have you tried implementing something like SPF to stop spoofing of your own domain, a lot of spam filters pick it up now.
                • I looked at it seriously a couple of years ago, when it seemed like everything was set to "soft-fail" SPF checks, which was next to useless. There was also a lot of resistance from people using Gmail, Hotmail, etc. I'd look at it again, except now the spammers have given up spoofing our domain... they've discovered that mail coming in from *outside* claiming to be from us sets off more alarms than any garbage value they could think up. Now they just rely on the free-text part of the address, eg:

            • It's even worse than this. Occasionally, our University's IT actually does send out emails that sound like a phishing attack. The only difference is that they link to a legitimate website. However, because of the general mess of different sign-ons (e.g. billing, payroll, course schedule, parking, etc...) it takes me a while to remember if this is a real service or a fake one.

              I think, somewhat optimistically, that people can be trained to not send username/password over email. However, far too many thin

      • by SSpade ( 549608 )

        Google offers free services. People will attempt to abuse them. That's no great surprise, nor is it specific to Google.

        When someone abuses Googles services in a way that's a threat to other users there are only two ways to mitigate the incident. The best, by *far*, is for Google to stop the abusive behaviour. The other is for the affected parties to block access to (some subset of) Google. Those are really your only options.

        Google is (based on externally visible behaviour) worse at mitigating abuse up-front

  • by Sedated2000 ( 1716470 ) on Tuesday February 19, 2013 @02:44PM (#42946897)
    I, like others, would like to know exactly how Google Docs is used for phishing. I've used Google Docs off and on since it was made available. I can't think of a particular feature that would make it an enticing service to use for phishing.

    Can anyone offer an example or offer up an anecdote where they've encountered it?
    • by bruce_the_loon ( 856617 ) on Tuesday February 19, 2013 @02:52PM (#42946947) Homepage

      My university has been targetted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. []

      It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

      • Thanks for the response. I guess it's been longer than I thought since I've used Docs. I didn't even think of the form angle. I'm sure this is causing more than a few "staff training" sessions. I suppose it's only worse since even if you have your own domain, you're still redirected to "", so it won't be immediately apparent that it did not come from a legit source (completely aside from the fact that a legit source wouldn't ask for that information in the first place).
      • ah, thanks for the link - now the story makes sense for me.

        Something will someday push people over the edge and get them to give up on single-factor symmetric authentication. I know, breaking news...

      • Still baffled. Google Docs is a mail server? To use it, don't you still have to create the form, download it, then mail it out from your own account?

    • by CKW ( 409971 )

      It sounds like end users simply "trust google", and thus ANYTHING on google docs is "trustworthy", because hey, "it's google".

      I know, it's stupid as baloney. It's like trusting a billboard down the street that says "City Billboard" just because you trust your City government, totally being ignorant that any nutjob can post something to the billboard.

      Some. People. Don't. Understand. Technology. AT ALL.

      • by Incadenza ( 560402 ) on Tuesday February 19, 2013 @03:50PM (#42947513)

        These kind of tricks don't have anything to do with people not understanding technology - it has everyting to do with the scammers understanding psychology. There are lots of ways to raise to the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

        One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

        What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that then when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as wll lie about the doctors - there is no rational difference.

      • Re: (Score:1, Funny)

        by Anonymous Coward
        Why wouldn't you trust Google []?
      • Some. People. Don't. Understand. Technology. AT ALL.

        That's kind of the point of a lot of technology. It's a solution to fix a problem. The end user doesn't care how it gets done, it only matters that it gets done. I'm sure there's technology that you use, and yet you don't understand all of details of every functioning piece in the process.

    • Here's a typical Google-hosted phishing page. [] Note that the page is long enough that the Google disclaimers at the bottom are pushed "below the fold", and some users won't notice. Such pages are used in conjunction with spam emails. Since the URL in the spam will be on Google, it makes it through most spam filters.

      Google's own phishing detection catches some of these. Ones that mention "Microsoft Outlook" tend to be caught. This suggests that Google is using a simple classifier but needs a better trai

  • by Animats ( 122034 ) on Tuesday February 19, 2013 @02:52PM (#42946945) Homepage

    One of the things our SiteTruth system does is report on major sites that host phishing scams. [] There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

    Here's the list of all known phishing sites currently hosted by Google. []. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

    Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts. []

    Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

    Here's the oldest phishing site hosted by Google. [] On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

    When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

  • Really? (Score:5, Insightful)

    by Mullen ( 14656 ) on Tuesday February 19, 2013 @02:55PM (#42946969)

    I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

    • Re:Really? (Score:5, Funny)

      by ravenswood1000 ( 543817 ) on Tuesday February 19, 2013 @02:58PM (#42946987)
      Expel them for being too stupid to be in Oxford
    • by zlives ( 2009072 )

      there are days i wish we had "your" policy in place... but then it would make for a very deserted office ;)

    • by fantomas ( 94850 ) on Tuesday February 19, 2013 @03:48PM (#42947497)

      Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

      I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)

      • This has nothing to do with expertise in IT. You don't need to know how the telephone system works to know not to give your bank account information to some guy who calls you up and asks for it.

        • Exactly. In fact I see so often how people are wary of the things they see and people they interact with on the'd think this would also be a no-brainer.
      • As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might

        I understand your point and I partially agree with it, but IMHO a doctor that only knows about medicine, will never be a good doctor.
        Don't you think is valuable for a doctor to know some basic knowledge about psychology and/or sociology for example? I think it is. Not a Phd in those fields, but some basic knowledge sure will be useful in his career and make him a better doctor.

        Back on topic, I think that the PC and the Internet are amazing tools, which knowing how to use them will make you a better prof

  • Why wouldn't oxford have just set up outbound email scanning? Once they detect an email account is spamming, cut off the user.

    • by PRMan ( 959735 )
      They're wise to this. Many spam e-mails have a different e-mail address for every e-mail.
      • by Predius ( 560344 )

        Worse, it only takes a few emails tripping the right filters or customer complaint bins before Hotmail decides to never accept email from that relay's IP ever again. No appeal, no cooling off, no support assistance, that IP goes into their blacklist and there is no digging it out afterwards.

      • I can't tell if you misunderstood me, or are just wrong. They are harvesting email addresses from students, profs, etc. There is a limited resource of available addresses. They wouldn't be able to send many emails if they used a different account for each one. Even if they did, the filter should just usie ranking system like spam assasin to red flag outgoing emails likely to be spam. One bad email sent, block that message, send notice to user. five sent, block account. Even if there are a lot of

        • They're not harvesting email addresses, they're harvesting *accounts*, which grant access to the outbound SMTP server. A "limited resource" numbering in the hundreds of thousands, and adding a few thousand every year.

          At the university I work at, we do exactly what you suggest. The spamming still happens. Why? Because the spammers (a group of guys located in Laos, Nigeria, and a few spots in Malaysia and Israel) will use a stolen "test" account to trickle a spam email or two through to see what gets thro

          • My solution sucks as a long term solution, but as a short term solution its better and more effective than what oxford did. Ban or warn users after one suspicious email. Turn that on for one day out of every month to get people's attention. IT will become the enemy, such that people that don't *have* to use university email, won't. Which will keep out the rifraff who are most likely to get their accounts compromised. Which will reduce the odds of being labeled as a spam domain. Which will improve the qualit

            • Short-term solutions can be worse because you don't have time to warn people, and the results are often slap-dash.

              For example, to do as you propose:

              - I'd have to block all direct outbound SMTP connections, just to keep people from circumventing the protections. I'd *love* to do this, seriously. But you wouldn't believe the hostility from the user community for thinking about it, even if they don't *use* any off-site mail servers. Hell, right here on Slashdot, I'd be called a

              • Yeah, you don't quite understand what I'm suggesting. I don't really want to specify it any further. But basically I was imagining something less comprehensive. The goal of Oxford was to raise awareness. My suggestion still has that in mind, raise awareness about phishing, but punish fewer people.

  • Why is an organization somehow obligated to provide access to this application? Maybe they have promised something to their users, but otherwise Google Docs is not a universal human right; it's just another application offered by another company.

    • It's a big deal because students on a limited income are more likely to use free tools such as Google Docs, than they are to use paid software.

      And at a university, these students typically submit coursework which may often be written using a word processing tool.

      If said word processing tool is subsequently blocked for a few hours without prior warning, it's quite easy to see how this could well pose an issue for students making last minute changes to their course work.
      • Typically every notable university I've ever heard of gives their students a "Free" copy of Microsoft Office.

      • by xaxa ( 988988 )

        I expect staff also use it for collaborative work.

        Computing staff (and some others) might use a shared version control system and LaTeX or similar, and many others will email round MS Word documents, but Google Docs can be superior to both.

        (One of the few Google Documents I have was sent to me by an academic at Oxford, he is collaborating on a project with one of my colleagues in London.)

  • Good for Oxford U. If students and faculty will not take security seriously they should be denied the service in the same way as you would take the car keys from a drunk driver or matches from a child. Would you uses a bank that did not take security seriously? or a car that was not safe? I don't see the difference. Best David
    • Would you uses a bank that did not take security seriously?

      Yes, because NON of them have adequate security for their customers. They protect their own servers with billions of dollars of protection, then let you pay by waving a card in the air or *shudder* sending a text message.

      • s/non/none/
      • You can pay a maximum of $50 by 'waving a card in the air', and any 'wave-a-card' transaction you challenge will just be resolved in your favour.

        They don't _claim_ there's anything particularly secure about PayPass etc. They're just playing a numbers game. They have figured that the revenue increase that results from the increase in security is greater than the loss that results from a) actual fraudulent usage of such systems and b) fraudulent *claims* of fraudulent usage of such systems.

        It's exactly the sa

        • Sigh. I meant 'increase in convenience', not 'increase in security'. Damn you, lack of an edit button.

        • They don't _claim_ there's anything particularly secure about PayPass etc.

          When I got my new credit card I actually phoned the company and specificaly requested (quite firmly) that they deactivate the feature on my card. I know they can't "special make" me a card that doesn't have the chip, but they absolutely REFUSED to deactivate such payments on my credit card account. They also kept repeating (as if they were reading) that it is completly secure.

    • by Fwipp ( 1473271 )

      If my bank shuts down my debit card for two hours without warning because my neighbor keeps leaving his at the bar? Yeah, that's an awful thing.

  • It's interesting to see the Michael Morisy "security through no using internets". Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...
    • Google is not the internet, no matter how hard they try, and yet a large population thinks that if you can't reach google, the internet is down...

      There are probably thousands of scripts around the world that ping or some other well known Google IP address on a regular basis to test their Internet connectivity. For example, this script []

  • suspending accounts sending spam? Punish those who deserve it, not everybody.

  • The Oxford administrators should phish their own students. Any student stupid enough to fall for it must attend compulsory remedial training. Rinse, repeat, rinse repeat until nobody falls for it anymore.

    • by rs1n ( 1867908 )
      Mod parent up -- until users learn to not fall for even the more advanced phishinig schemes, we will never be rid of the problem.
    • I can't speak for Oxford, but I know at my workplace, traditionally it's the students who fall for it the *least*. Their numbers even out, but that's only because there's a hell of a lot more students. In general, the kids coming in today are reasonably technically-savvy and sceptical.

      In terms of percentages, the people you need to watch out for are the faculty. They're older, less experienced with modern technology, and frequently believe that a PhD in Aztec basket weaving means they've mastered life.

    • by HJED ( 1304957 )
      Or they could just change the passwords on accounts they phish and require users to wait a day or so to reset their password.
  • In the olden days (and I am thinking as recently as the late 1990s) the universities would bake their own IT solutions. It was considered an academic challenge, and each campus had its own peculiar requirements, culture, etc. In those days, you had two tiers of IT - the local lab support, which was generally a grad student in the department who had undergone a short training course - if they even needed it - to help lusers figure out which part of the computer is the screen, which is the keyboard, and whe

    • by isorox ( 205688 )

      I completely agree. Same in corporations. The people with the purse strings will lap up the sales pitch from companies like ATOS and Capita, and flush the money down the toilet.

      In parallel, the people that have responsibility for IT in the company have it locked down tighter than fort knox. At least on paper. Noone is allowed to create useful tools to fix problems in their department, it needs to go out to tender via a central funding pot.

      Eventually you get people that, on paper, are "sales", but in reality

      • The problems all started with the MIS types, who are more bean-counter than wizard. They got it into the organizational culture of both universities and business that IT is an expense instead of a place to save money and provide services. In the old days, we'd look at the cost of mailing a bunch of fucking papers around everywhere, and drafting on draft tables etc, add up the cost of all the shit and then compare it with an IT solution that was designed to increase the speed of the whole organization whil

%DCL-MEM-BAD, bad memory VMS-F-PDGERS, pudding between the ears