The University Record, April 18, 1994

Password theft, racist message deplored

The recent theft and subsequent use of a U-M student’s computer password to send a racist message on the Internet prompted a flood of complaints to the University from individuals worldwide.

On the evening of April 5, someone used a modem to connect their computer to one at a campus computing site. The individual then used the computer, stolen computer account and password, The recent theft and subsequent use of a U-M student’s computer password to send a racist message on the Internet prompted a flood of complaints to the University from individuals worldwide.

On the evening of April 5, someone used a modem to connect their computer to one at a campus computing site. The individual then used the computer, stolen computer account and password, and the Internet computer network to send a racist electronic message to the international electronic conferencing/bulletin board system called Usenet News.

People worldwide subscribe to Usenet Newsgroups and saw the message. Within hours, hundreds of complaints were received by the Information Technology Division (ITD) and other University offices.

University officials immediately began an investigation, and sent a cancellation of the original message with an apology to all those who received it.

In condemning the action, President James J. Duderstadt said: “On behalf of the entire University community, I want to offer my apologies to everyone who has been subjected to the content of this vile message. I condemn this behavior and want to offer my assurance that we are doing everything possible to discover who sent this message.

“This is a monstrous act that has made a mockery of the values of civility that we hold so dear at this University. We support freedom of expression by members of our community. But we deplore expressions that demean individuals and create a hostile environment.”

How it happened

Early the week of April 4, a student noticed that as he typed in his password, the computer displayed it rather than keeping it hidden. Normally, the computer does not display passwords in order to prevent account theft. The student assumed that the computer was just acting strangely and did not report the incident.

U-M officials now know that someone at that computing site had for a time installed a program that stole computer account names and passwords, including those of the student. The crude password capture program was installed sometime April 3 at the Michigan Union computing site, and the offensive messages were sent via remote dial-in access through a Unix machine at the Church Street site, according to Laurie Burns, Information Technology Division (ITD) manager for partnerships and planning in the user services unit.

ITD officials are convinced that the student whose name was used did not send the messages, Burns says. In addition to the evidence that a password capture program was run, the student was interviewed and ITD computing experts are poring over detailed computer records in the hopes of identifying the true sender of the message by searching connection and networking information that is retained in computerized records.

The student whose name was used to send the message has said that he also feels victimized by the incident, that the racist views in the message falsely sent under his name are in no way his own, and that he will cooperate in any way he can to help apprehend the person or persons who used his name in this way. He has sent a message to the recipients of the racist slur condemning both the act and the content.

Policies on use of computers

The University has extensive policies governing the use of information technology resources. Unauthorized use of someone else’s name and accounts carries severe penalties, from temporary or permanent termination of all access to computing on campus to extensive academic and legal penalties.

“We take misrepresentation and unauthorized access very seriously,” says Douglas Van Houweling, vice provost for information technology. “Behavior such as this is not tolerated by those in the business of providing resources to the University community, nor by the international computing community. We intend to take the strongest action possible against the individual or individuals who sent the message and injured the reputation of a U-M student in the process.”

U-M officials are continuing their investigation of the incident and will provide further information as it becomes available. Anyone who has information about this incident or has questions should contact ITD User Advocate by sending electronic mail to: user_advocate @umich.edu.

ITD staff are again cautioning U-M computer users to keep their computer passwords private. Users are encouraged to change their passwords any time they think someone else might have learned it. Signs that someone may have seen your password are a sudden decrease in available computing funds in your account or display of your password on the screen when you type it in.

Burns cautions that there are more sophisticated programs that guess passwords or capture them that cannot be detected by the user, and it is not possible to make your computer account entirely secure from break-ins. Making sure your password is at least six characters long, is a combination of letters and numbers, and is not a dictionary word will help maintain security on your account.

ITD also asks users to report anything unusual concerning use of their computing accounts or password to the monitors or consultants at the Campus Computing Sites, or by calling 764-HELP, the campus computing hotline.