To tell or not to tell?

Many of you are upset because you feel you were not asked for permission beforehand. I understand that this feels strange.

Now, imagine that we did ask you for permission. “Is it ok with you that we spoof an email from a person you trust, in order to make you go to a webpage that could have stolen your password? We promise that we will not actually steal your credentials.” Assuming you agreed, what are the chances that you would have actually followed the link in the email you received? It is easy to see that by informing participants of the experiment, we alter its outcome. That makes the experiment useless.

Now, you may say that the experiment is useless, no matter what. I beg to disagree. The recent trend in the area of phishing (online identity theft) is rather shocking, and any information that can shed light on people’s reactions is important. This is particularly the case when one designs technical counter-measures to attacks, or attempts to craft educational campaigns to make computer users less likely to fall victim. (I am part of both types of efforts.)

The attack you have become aware of is of a type that we refer to as a “context aware” attack. You can read more about these attacks, and their counter-measures, at www.markus-jakobsson.com/papers/phishing_jakobsson.pdf . In that publication, you can see how an experiment on eBay was used to assess the approximate threat of a context aware attack on eBay users. You can also find a description of proposed counter-measures. These suggestions were given to Howard Schmidt, chief security officer at eBay; he later described them in testimony to Congress. The attack, therefore, can have an impact both on the security of eBay, and on political decisions made to secure our society. Similarly, the experiment you may have taken part in will hopefully have a positive impact on the security of our infrastructure.

The experiment you may have been a participant in was performed using only publicly available data. It is truly astonishing what is publicly available. We should all be more careful about what we let others know about us, lest we open ourselves up to attack. In a recent paper, a student of mine and I show how one can obtain the mother’s maiden names of a huge portion of the population, given only public records. If you are interested in this study, you can look it up at www.markus-jakobsson.com/papers/mmn.pdf

What can we learn from this? We must be careful not to make private information public. We must be cautious when receiving emails suggesting that we perform actions, such as logging in to various resources.
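Put concretely, here is what a cautious reader (or a mail filter acting on their behalf) can check before following such a link. This is an added example and not part of the original post. It flags the two signals behind the attack described above: a From header that disagrees with the envelope sender, since the From line is trivially forged, and a link whose visible text invites a login while its href points outside the domain the message claims to come from. The two messages and every domain name in them are constructed for this example.

```python
"""Heuristic checker for context-aware phishing mail (added example).

Signals checked:
  * From-header domain vs. envelope sender (Return-Path / Sender)
  * links whose host is outside the claimed sender's domain
  * links whose visible text shows one host while the href goes to another
  * wording that asks the reader to log in, combined with any link
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGIN_WORDS = ("log in", "login", "sign in", "password", "your account")
# label text that looks like a hostname or URL rather than ordinary words
HOST_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text of the body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    A real checker would consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def addr_domain(header_value):
    """Domain of the first address in a header value, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = addr_domain(msg.get("From"))
    env_dom = addr_domain(msg.get("Return-Path") or msg.get("Sender"))
    if env_dom and registrable(env_dom) != registrable(from_dom):
        findings.append(("sender-mismatch",
                         f"From says {from_dom}, envelope sender is {env_dom}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = _Links()
    links.feed(html)
    visible = " ".join(links.text).lower()

    for href, label in links.links:
        host = (urlparse(href).hostname or "").lower()
        if host and registrable(host) != registrable(from_dom):
            findings.append(("link-offdomain", f"{href} is not under {from_dom}"))
        if HOST_LIKE.fullmatch(label):
            shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(("link-text-mismatch",
                                 f"text shows {shown}, href goes to {host}"))

    if links.links and any(w in visible for w in LOGIN_WORDS):
        findings.append(("login-lure", "message asks you to log in and carries a link"))
    return findings


def finding_codes(raw: bytes):
    """Sorted, de-duplicated finding codes; handy for tests and filters."""
    return sorted({code for code, _ in analyze(raw)})


# Constructed sample: a lure that borrows a trusted name but not its infrastructure.
SAMPLE_PHISH = b"""Return-Path: <bounce@mail-relay.example>
From: "A Friend" <friend@university.example>
To: you@university.example
Subject: hey check this out
Content-Type: text/html; charset="utf-8"

<html><body>
<p>hey, check this out!! you need to log in with your account to see it:</p>
<p><a href="http://university.example.login-portal.example/login">www.university.example</a></p>
</body></html>
"""

# Constructed sample: the same friend, sending from where they claim to be.
SAMPLE_LEGIT = b"""Return-Path: <friend@university.example>
From: "A Friend" <friend@university.example>
To: you@university.example
Subject: slides
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Slides from today are at <a href="https://www.university.example/courses/slides">www.university.example</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The sender check is deliberately crude: forwarders and mailing lists also rewrite the envelope sender, so in practice you would rely on the SPF, DKIM and DMARC results your mail server records in the Authentication-Results header rather than on a raw domain comparison, and on the public suffix list rather than on the last two labels. The point stands regardless: nothing in the From line proves that the person you trust sent the mail, and a link that asks you to log in deserves a second look before you type anything.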

I hope that you will bring this up to discussion with friends and family, with administrators, faculty members, politicians, and journalists. This time, nobody was hurt (only the pride of those who felt taken advantage of was hurt). The next time, this may be for real. The next time, the victims may lose access to their bank accounts, or have somebody log in to their network account to install keyboard loggers, malware, or merely to snoop around. These attacks can be mounted from anywhere on earth, and by anybody. Let us not let that happen.

Markus Jakobsson
www.markus-jakobsson.com

193 Responses to “To tell or not to tell?”

  1. Anonymous Says:

    Those of us who are angry will talk about this, but we are probably not the ones who give away our passwords or other security information to sources we do not know. The segment of the population who fell for your email’s directions will probably not read any of the information posted here. This experiment is not a public service announcement: it is a prime example of “preaching to the choir.”

  2. Anonymous Says:

    I would definitely agree with that previous comment. It is right on the mark. Anyone dumb enough to fall for a scam such as this one, in my opinion, SHOULD have their information stolen. It’s a simple matter of knowing how to protect yourself and how to use a computer. It’s nothing new to even the average computer user.

  3. Anonymous Says:

    You both have totally missed the mark — way to pat each other on the back. The point is that this class project violated the privacy of individuals by forcing them to participate in a research study of which they were not made aware.

    An email could have gone out at the beginning of the semester asking for volunteers to receive a message at a late, unannounced time. They chose not to do that — that waiver doesn’t mean squat and someone will be packing up a cardboard box full of their Far Side calendars by the time this gets sorted.

  4. Anonymous Says:

    Oh gee, I think your soapbox is folding. Also, is the oxygen getting thin there on your high horse? Give me a fucking break. You stole information, and that’s that. You used a recreational service (thefacebook.com) and compromised people’s security. Your justification is like me kicking you in the face, and then telling you that I did it to show you how easy it is to kick someone in the face, and advising that you wear a face mask from now on. Does that sound ridiculous? Because that’s exactly what you did.

  5. Anonymous Says:

    Really, no, seriously…thanks so much for stealing the identity of one of my friends to try and “teach me a lesson” so it wouldn’t happen in the future. I mean geez, THANK YOU SO MUCH! What would I ever do w/out you guys?!

    Are you fucking kidding me? I was on the receiving end of one of these emails and needless to say I wasn’t dumb enough to click on a random link that appeared to originate from an email that I had sent MYSELF! Seriously, this pathetic excuse for a study has no business on IU’s campus.

    Thanks again for compromising my security and that of many of my fellow students. I’m so sure this ‘lesson’ is going to make me think real hard the next time I really want to click on a random, suspicious-looking link.

  6. Anonymous Says:

    The most disappointing part of this for me is that the IT Security Office was playing along. All we here in the support center got was some “appreciation and apologies.” I was hoping that Markus had done this all himself without ITSO permission, and that it would end up in a slap on the wrist from him. Really I was deriving sick pleasure in waiting for an answer about this whole thing when we reported it to ITSO. Too bad they were in on it. Too bad we had increased work volume, and time wasted on something that wasn’t actually a real security threat at all. We could have spent that time helping callers with real problems.

  7. Anonymous Says:

    Although it was extra work for the UITS phone consultants, they were excellent: professional, very helpful, and wonderfully assuring to us users as we encountered the phishing emails. :)

  8. Anonymous Says:

    “Your justification is like me kicking you in the face, and then telling you that I did it to show you how easy it is to kick someone in the face, and advising that you wear a face mask from now on. Does that sound ridiculous? Because that’s exactly what you did.”

    Except a kick in the face is harmful, this study wasn’t. So no, that wasn’t exactly what the investigators did. Thanks for playing.

  9. Anonymous Says:

    Without question, this was the dumbest thing ever done with computers at IU EVER.

    “Now, imagine that we did ask you for permission. “Is it ok with you that we spoof an email from a person you trust, in order to make you go to a webpage that could have had stolen your password? We promise that we will not actually steal your credentials.”. Assuming you agreed, what are the chances that you would have actually followed the link in the email you received? It is easy to see that by informing participants of the experiment, we alter the outcome of the same. That makes the experiment useless.”

    This assumes only one way of informing a potential participant. There are other ways. But what if there were no good ways? On which side should we expect something called the “IT Security Office” to err?

    Dumbest ever.

  10. Anonymous Says:

    “Without question, this was the dumbest thing ever done with computers at IU EVER.”

    What about the several high profile computer break-ins where *thousands* of social security numbers and other identity information was stolen by hackers? I don’t know maybe that was negligence and not dumb-ness.

  11. Anonymous Says:

    C’mon guys, GIVE US THE STATISTICS!!!!

    I’m interested in the stats, not that you just performed the experiment. Where is the ratio of those who actually did enter their username / password info to those who didn’t?

    And how many did as I usually do on such phishing emails, which is enter something like ‘username = eatshit’ and ‘password = anddie’?

  12. Anonymous Says:

    The only problem I have with this is that I don’t think it effectively teaches users how to identify a phishing scam. Most of the scams people fall for are spoofed emails from eBay, PayPal, and various banks asking the user to confirm their account information. I can totally see how someone would find a “hey check this out! OMg!!!” email suspicious, and ignore it, and yet those same someones would still fall for an official-looking email from a financial institution. Markus’s scam should have been set up that way to really prove a point, perhaps asking people to change a password by clicking here, or something more official than “hey check this out this is cool.” I realize there are different types of phishing scams, and the social network one is different than the bank one, but they’ve got to realize one phishing scam avoided doesn’t mean all scams avoided in the future.

  13. Anonymous Says:

    > and how many did as i usually do on such phishing emails, which is enter
    > something like ‘username = eatshit’ and ‘password = anddie’ ?

    While we did not save any of the credentials, all that were counted were first checked against IU’s Kerberos authenticator. I am sorry that the stats are not yet available; we are working on it.

    About 70% of recipients fell victim to the attacks using contextual information from social networks; this is an increase by a factor of 23 compared to known phishing attacks, and by a factor of four compared to the case where the sender is unknown but appears to be in the same domain as the victim.

    The reason it is taking a while to present the stats is that three different types of experiments were performed, and there were some incorrectnesses in some of these (these incorrectnesses largely gave away to the corresponding recipients that it was a phishing email; these mistaken attempts had to be manually subtracted in order to get the correct stats.)

  14. Anonymous Says:

    Your justifications aren’t clear. No one thinks you’re heroes or even decent researchers. Look for the front page IDS story. I’m told it’s going to be quite interesting.

  15. Anonymous Says:

    I’m not sure that the people who are complaining that you didn’t ask them permission would have rather you performed the experiment with their permission. Your second paragraph speaks of a strawman who is actually this stupid, and you attempt to reduce all your detractors to this level. This is not what is going on, and I find it insulting. Some of these people feel that you should not run an experiment like this because people can’t give you their permission. If that means there is no alternative, then you’re either not being creative enough or there is no way to do this experiment without violating the wishes of your unwitting participants.

    Perhaps you should have just used some javascript that would tell them, as soon as they typed in their password, that their password has not been transmitted and that this isn’t an actual university webpage. That way their information would never pass through your program, and there is no invasion of privacy. The script could register attempts at logging in, but not any private information, so you could still get data out of it. You could even ask if people would like to answer some voluntary questions afterward. I think a lot of people don’t like the fact that you actually used their information, but if it never leaves the client side, that might be different.

    That’s just a suggestion (not to say people would necessarily be happy about this one either, though this seems like less of a violation to me). There’s probably a lot more you could do without actually having your hands on their password.

    Also, as far as spoofing friends’ emails: I’d think most people trust them because they’re not aware that email can be spoofed. They probably imagine that false email from their friends can only be sent if their friend was “hacked”. Not many people realize that email isn’t secure.

  16. Anonymous Says:

    The comment about them not being decent researchers….yeah, I wonder if you’d have a better idea on how to research the area. It’s easy to be a critic, how about trying to contribute for once?

  17. Anonymous Says:

    Wake up, world. Emails are spoofed every day. Who says you can only spoof emails from strangers?

  18. Anonymous Says:

    Frankly, it seems as though the only people up in arms about this are the people who were had by the experiment. First off, Markus didn’t just up and decide to do the experiment. He got a green light from the human subjects committee here on campus to perform the experiment; a body of people whose job it is to say what is and is not ethical in experimentation. The fact of the matter is that there was no harm done and this experiment IS ETHICAL. Anyone who’s tried to get such a blessing from the committee knows that they don’t just okay anything that comes their way. I had to go through 3 rounds of revisions for my proposal simply to have 12 people sit down and test a piece of software. The fact is he went through the appropriate channels and was given permission to do it.

    Besides, how do you think people in an aspirin study felt when they were later told that they were part of a control group and that their headache had gone away simply by taking a pill consisting primarily of sugar and water?

    As for the “kicking in the face” comparison. Let me elaborate this in such a way that it actually applies to this experiment. What if there was a growing problem of malicious people kicking you in the face. Several times a year, someone makes an attempt at kicking you in the face (whether you know it or not). The ones most commonly affected by the face kicking are those who refuse to walk upright. Jarkus Makobsson decides to conduct a study where he kicks in the direction of your face. He doesn’t make contact… just gets close enough to make you flinch. Afterwards he hands you a note saying that you should be more careful where you put your face. He tells you most people that actually swing their foot are looking for solid contact. He didn’t actually do you harm… he didn’t make contact… had no intent on it, but he now has done some actual research (warning some foolish individuals in the process) about how easy it is to get your face kicked because you leave it where the truly malicious people can kick it.

    You weren’t harmed. You were duped by someone a lot smarter than you. Get over it. And take it to heart otherwise the next time it’s going to be someone who isn’t nice enough to delete the data that you gladly gave to him.

  19. Anonymous Says:

    Dude… where’s the login? I don’t want to post anonymously.

    Cynthia

  20. Anonymous Says:

    I commend the actions of the two graduate students. For those of you here preaching, you might as well walk out and shoot the police officer who provides you with the security you need and desire. The problem is real and people need to be aware. I sit and read about students so sarcastically thanking these fellows for taking their identity, and aside from the sarcasm, everything they are saying is correct.

    One contributor states “I’m so sure this ‘lesson’ is going to make me think real hard the next time I really want to click on a random, suspicious looking, link.”

    And he’s completely correct. This sentence, spoken through the teeth of cynicism, simply sums up the success of this project. No injustice was committed and no wrongful actions have been taken.

    For those of you seeking legal action, your minds have more than likely been made up and no amount of rebuttal will likely change your course. But I ask that you step back and take all measures of fully informing yourselves before you begin your battle. Go, speak to these gentlemen in person. Learn their truest intentions face to face. Written words can easily become harsh when the reader draws out what they want rather than what was intended.

    These men have taken drastic measures to exploit the faults of our system of knowledge. Great faults can only be overcome by even greater measures. If you take nothing from this experiment, understand that at the least, you can consider yourself informed.

    I do not attend IU or live in the city of Bloomington. I bring an unbiased opinion.

  21. Anonymous Says:

    I think they left it off (the login) for that specific reason. Dude

  22. Anonymous Says:

    While I agree with the overall legitimacy of the project, I don’t think that the researchers should be so dismissive of their subjects’ damaged pride. A “kick to the face”, as it were, is often more damaging for its psychological effects than its physical results. If one can ignore the psychological effect, then the same logic could classify date rape as a less severe crime. This was not a harmless experiment because it shamed hundreds of victims, albeit in a minor way.

  23. Anonymous Says:

    “This was not a harmless experiment because it shamed hundreds of victims, albeit in a minor way.”

    So I must have missed the page where they posted the name of everyone who was fooled by the study, under the heading “EVERYONE HERE IS AN IDIOT.”

    If there is, indeed, no such page, then I don’t see how the researchers shamed anybody.

  24. Anonymous Says:

    A rape victim can feel violated even though the act may only be known by two people.

  25. Anonymous Says:

    “A rape victim can feel violated even though the act may only be known by two people.”

    I’m missing your so-called “point” here. This wasn’t rape, nor anything comparable to rape.

  26. Anonymous Says:

    This forum itself (and the other popular thread on this blog) possibly could be turned into a study within itself on the hatred flowing so freely through our society. I was a student of Informatics and have been working in the field for a year. I will be returning to the program to attain my Masters degree in the fall, so I come with a more biased approach than many of the others. I rather enjoyed the idea. Bravo.

    But reading through the pure hatred and “one-upmanship” that seems to be so prevalent on both sides of the argument, I see problems bigger than personal security. People consistently find themselves in poor arguments (on BOTH sides!!) because they fail to inform themselves of all that occurred. This so very well mirrors the political divide our country is currently facing. More often than not, people too thick-headed to accept the opinions (and facts) presented from opposing positions lead everyone involved into overwhelming feelings of hatred. No one is ever willing to back down because they’re too “proud”. I can tell you that while there are some proud people amongst us, for most, this feeling of “proud” is nothing more than the presentation of laziness we have become so accustomed to in our society. Without the “whole story” one cannot make an informed statement.

    Like several others have, I will challenge those in attendance to take the time to read not the opinions, but seek out the facts. Listen not to your friends, but listen to the truth. For without the truth, we will surely fall. Look to our government as an example of this. Not specifically to Republicans or Democrats, but look at the methodology as a whole. We are stronger than what the world perceives us as being, but to show them, we have to begin by helping others around us to become truly informed. Only then will the hatred subside.

  27. Anonymous Says:

    For more information on a how serious a problem phishing is, see: http://www.antiphishing.org/

  28. Anonymous Says:

    To the person who commented at 12:25: Not sure if you are rebutting against something that you yourself said in the past or not, but you might want to take a gander at the post about not being informed that was written just past yours at 12:28. Because that person was making a pretty good point commented from the post just prior to that. Information; it’s all there, but damn… people only see what they want.

  29. Anonymous Says:

    This is a fascinating forum. One could probably write a dissertation about the reactions to this experiment! Now, having a visible attack that can be attributed to somebody … that makes it easy to discuss. But let’s talk about phishing in general. Is that not a problem? What shall be done? What CAN be done? I’d like to see a discussion of that as well!

  30. Anonymous Says:

    LOL…Get ready for this site to be slashdotted. I find it amusing how so many people who fell for the phishing attack are so angry. I can’t count the amount of times some of my co-workers have forwarded me get rich quick schemes…. They ask me, is this for real? The same person reads those pop-up ads, click here to claim your prize, you have just won!

    Live and learn, students of Indiana!

  31. Anonymous Says:

    You are about to get slashdotted.

  32. Anonymous Says:

    you have been slashdotted… and will most likely be farked within a day or so as well.

    link to slashdot article: http://it.slashdot.org/it/05/04/26/1959256.shtml?tid=172&tid=146&tid=95

  33. Anonymous Says:

    LOL!

    Well, at least I know I’m not going to IU; I’d rather go to a school with intelligent individuals.

  34. Anonymous Says:

    heh. Good job to IU, their server survived a slashdotting.

  35. Anonymous Says:

    And thus ends any relevant comments you may have received. Go Slashdot!

  36. Anonymous Says:

    welcome to the slashdot experience…

  37. Anonymous Says:

    As a PhD student (free-and-clear now, I defended my MS thesis a couple weeks ago), I have to ask… What did the IRB at IU think about the deception used in the study? As I understand it, phishing emails were sent; this is the element of deception. From what I have personally seen at many organizations’ IRB / Human Subjects forms, debriefing is an absolute must, as well as providing resources to help put right any subject who is harmed (directly or by proximal cause of) by the research.

    By the way, my MS was in Information Assurance. I can appreciate what was attempted here. However, without knowing more about IRB at IU (I’ll admit it - I know zippo about it), I would worry that this either flew under the radar, or the subjects got an unfair “shake”, as it were. I again want to point out: I do not know what was on the Human Subjects form - if IRB blessed it, then all is well - prima facie - but putting subjects “right” should still be examined.

    Just my (rather lengthy for a comment) 2 cents.

    G’luck with your continuing graduate work.

  38. Anonymous Says:

    You have to admire the people up in arms, it’s so easy to take action when your stupidity is pointed out to you (in this case.. threatening to sue hahaha) but you would have preferred it if the first time you knew you had just been ‘phished’ was when $1000 was taken out of your bank account, or your credit cards were all maxed out?

    It is your job to keep informed about what is going on in society, everyone has a responsibility unto themselves. You should think yourselves lucky that this experiment has now educated you about an issue that millions of people have been aware of for years.

  39. Anonymous Says:

    The methodology and thought process behind this study are poor in my opinion. First the individuals behind the study are lucky not to have had any sort of legal action against them. Also I have to wonder how the information that they stole during this experiment was protected (or is being protected currently if that data has not been sanitized). Phishing attacks have been highlighted in the media so much recently I have to wonder what these people were trying to accomplish with this. Now if an IU student happens to get their identity stolen by a more malicious entity who wants to bet that they are going to initially point their finger right at the individuals behind this and say “Prove you didn’t sell or use my personal information that you stole!”

  40. Anonymous Says:

    oh noes !! teh slashd0ttink !

  41. Anonymous Says:

    I personally think it is much better for society, as a whole, to remain uneducated, than to suggest that there is more we humans can learn about ourselves via non personally identifyable aggregated data.

    By some of the reactions here, it sounds like people would rather have their money stolen than to admit they were duped out of it in the first place. Boo-hoo! Might as well post all your personal information now and get it over with. ;)

  42. Anonymous Says:

    Point 1 - No one was “forced” to participate. The only crime committed was the crime of stupidity on the part of those who actually gave up their info.

    Point 2 - There was no way to give any foreknowledge of this study without tainting the results.

    Point 3 - The fact that this study was conducted out in the open will likely benefit society… not damage it.

    Point 4 - The University should kick everyone who gave up their personal info out of school. You are too stupid to be labeled as a “graduate.”

  43. Anonymous Says:

    I feel just betrayed and offended and I can’t believe that any good can come of this.

  44. Anonymous Says:

    you are officially ./

  45. Anonymous Says:

    /. too

  46. Anonymous Says:

    “Anonymous Says:

    April 26th, 2005 at 3:55 pm
    LOL…Get ready for this site to be slashdotted. I find it amusing how so many people who fell for the phishing attack are so angry. I can’t count the amount of times some of my co-workers have forwarded me get rich quick schemes…. They ask me, is this for real? The same person reads those pop-up ads, click here to claim your prize, you have just won!

    Live and Learn students of indiana!”

    Incidentally, in a recent course on Information Warfare, an email went out from the professor saying that a box on the network went down, and we’d have to take our username and passwords to a website (on the same intranet) in order to restore our accounts. Needless to say, while I did not fall for it (I’m paranoid and savvy, which is a good combination), a lot of the class did. So, to dismiss the above out-of-hand is a bit naive: even up-and-coming professionals at an NSA-certified center of academic excellence in Information Assurance can slip up.

  47. Anonymous Says:

    grow up babies

  48. Anonymous Says:

    What’s the matter with the Fingledork guy?

    Someone call his mommy and let her know he overdosed on children’s motrin.

  49. Anonymous Says:

    Those of you who fell for the phishing attempt and think this experiment served no purpose … tell me, if they were to send you another similar email, would you fall for it again and give away your password? If not, then the experiment taught you a lesson you will never forget.

  50. Anonymous Says:

    hahah check it out - some pseudointellectual feminist dyke is trying to equate this to date rape —- of course to them EVERYTHING is rape

    www.savethemales.ca

    I’m embarrassed to be from Indiana right now

  51. Anonymous Says:

    I’m amazed at the amount of self-righteous frothing going on here by people who received these emails. I could understand people getting upset ten or fifteen years ago, when the Internet was a cozier place and when email was a novelty to most people. But is it possible that students today don’t know that they shouldn’t trust everything that arrives in their inboxes?

    I’m especially entertained by those that wanted to be warned first, and those that suggested the experimenters should have waited until students had more free time. Is their theory that the spammers, phishers, and malware authors out there are big on fair play, so the experimenters should be, too?

  52. Anonymous Says:

    What’s most interesting is how they are crying about it like they were personally violated. Immature children.

    GO PURDUE!!!!!

    this PROVES once and for all that IU is for the stupid people.

  53. Anonymous Says:

    The town that I live in has had several campaigns regarding drink-spiking in bars. General thing was to have batches of stickers warning people that they could have been spiked, and to stick them on drinks glasses when their owners weren’t paying attention.

    I’d be interested in what people who felt that the “justification is like me kicking you in the face, and then telling you that I did it to show you how easy it is to kick someone in the face” would think of that campaign. I myself see little difference. In the drink-spiking example, drinks were not spiked, people were only warned that they could have been. In this example, passwords were not collected (meh, you can argue that one back and forth, but as far as I’m concerned, they weren’t stored), there was only the demonstration that they could have been.

  54. Anonymous Says:

    It’s quite amazing to see such reactions to your experiment. Those of you who were caught deserved it. You should NEVER EVER give out your personal information to sources you even think might be illegitimate. There have been internet scams ever since it was opened to the general public and there will always be internet scams. In fact the famous Nigerian scam started out with snail mail! People have always been and will always be gullible. That’s just the way it is. Getting angry at people who catch you in your gullibility is a waste of time. You should only get angry at yourself for letting yourself get caught!
    Why would you give your personal information out in the first place? Why do you trust complete strangers? You should all know better!
    Good luck in life, people, if you think you are “safe” from those who might do you harm! You need to learn to protect yourselves.

  55. Anonymous Says:

    Nah, if it’s like every other slashdot story, no one will actually read the link…

    -Nick

  56. Anonymous Says:

    Boy, if the whiners here are complaining like this about nothing more than losing their dignity due to BENIGN phishing, imagine how loud their whining will be when they’ve lost their banking information and social security information due to REAL phishing.

    It seems their primary complaint is that, GASP, “evil” email looked like it was coming from people they know. WAKE THE HELL UP!!! All the Slammer and Melissa viruses (and their mutated children) DO THE SAME THING: they scan through the address books of their victims, rewrite the “From” line to be one name in the address book, and then write the “To” line to be you (whose name is also in the address book) — and then there’s a good chance that you’ll then know the person’s name in the “From” line, which (it is hoped) makes you let your guard down and open the infected attachment.

    I’ll bet $1028 that 90% of the whiners here have been infected by these viruses in the past, and probably still are. And now they’ve been fooled a second time the same way. How does that old expression go again?

    When I find some sympathy for you whiners, I’ll let you know…

  57. Anonymous Says:

    if they were that smart they wouldn’t be in bloomington :D

  58. Anonymous Says:

    I think it was a great idea and all the cry babies should shut the fuck up. Throw your computers away, you shouldn’t own one if you are that stupid.

  59. Anonymous Says:

    What is wrong with you whiners? You gave out your personal information to a blatant phishing attempt, that you were lucky was only a research project and not a real scam. Instead of being ripped off and having your credit ruined, you were told you were stupid. Next time, be less stupid. What's the problem with that? And for the moron who compared it to being kicked in the face - that's such a stupid comparison, you deserve to be kicked in the face.

  60. Anonymous Says:

    Not that I know any of you, and not that it matters, but I haven't a shred of respect for any individual threatening to ‘sue’ these students. However, it's nice to see some intelligent individuals.

  61. Anonymous Says:

    I have to say… all the people saying “Oh no, you violated us!” need to look closer.

    Be lucky that you were only fooled by an experiment. Had you been fooled by an actual Phisher, your bank account would be drained, your identity stolen, and don’t think you’re EVER going to get your credit back online.

    I am annoyed by that “BEEEEEEEEP” from the Emergency Broadcast System, but it’s a helluvalot better than being sucked into a tornado unwittingly.

    Think long-term, not college term, and be thankful for a harmless lesson. Idiots.

  62. Anonymous Says:

    permission: P-E-R-M-I-S-S-I-O-N permission.

  63. Anonymous Says:

    This is the stupidest study I've ever seen. No matter how alarmed you are, sir, the study comes down to one question: are people morons? The result: yes they are. Society has gotten so gullible that people believe anything that is told to them. Which is a real shame. This same behavior directly translates into the phishing activity. If you are going to make any real progress, try making a study on the gullibility of America in general.

  64. Anonymous Says:

    I stupidly gave my information for a 30% stake in $20m and now I live under a bridge with my fuckbuddy Herman.

    Learn from my mistake children…

    …and quit your moaning. The whole world is a social experiment so either get over it or kill yourself now.

  65. Anonymous Says:

    yah some people actually believe 19 dudes stole 4 jumbo jets (with box cutters) and flew them around for an hour with no response.

    yah people are stupid as fuck. about as stupid as you can get them and still be functional.

    hey kids, just a suggestion - don't drop out of school if you don't like to be drafted ;)

  66. Anonymous Says:

    You gave out your personal information to a blatant phishing attempt, that you were lucky was only a research project and not a real scam. Instead of being ripped off and having your credit ruined, you were told you were stupid. Next time, be less stupid.

    Right on. Get a brain. I’m sick of telling people not to give out personal information over the net. It’s not like your personal information is being used for anything, although maybe some of the sillier things should be published for the sake of public humiliation, such as the retarded passwords you are using, etc. Hope you all have some cheese to go with that whine.

    And one more thing: Go ahead and sue the researchers doing this project, who are actually helping out people all over the planet by bringing attention to phishing scams. Sometimes you have to take a bullet if you want to win the war. Wussies.

  67. Anonymous Says:

    GO PURDUE!

  68. Anonymous Says:

    BOILERS AREN'T THIS STUPID HAHAHAHAHAHA

  69. Anonymous Says:

    www.infowars.com

  70. Anonymous Says:

    So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects.

    (from http://www.idsnews.com/subsite/story.php?id=29400)

    Looks like any “lack of follow-up” issues now are between the HSC and students (subjects).

  71. Anonymous Says:

    For anyone that wants to see just how easy it is to spoof an e-mail address, I suggest downloading Mozilla Thunderbird and getting the Virtual Identity extension. You can spoof any e-mail address you want.

    (Not sure about the legality of this. Use at your own risk)

  72. Anonymous Says:

    Until the /. crowd came in here, this was a fascinating forum: anger, sadness, pride…

    It's too bad there were only a few people who refrained from name-calling. Studies like this (anything involving secret/personal information) are extremely difficult to do. Knowing that you're being watched completely taints the study. It's the same reason you slow down around a cop or talk more politely in front of your parents. If the subjects know that they're being deceived, then they won't behave like they would if everything were normal. If you get a chance, take a psychology class. Pretty much all of them cover the difficulties of conducting a study.

    I notice lots of criticism on the methods, with few suggestions on a better way to conduct the study. Overall, I applaud the study. Angry or not, those subjects will be more dubious of email links from now on.

  73. Anonymous Says:

    “permission: P-E-R-M-I-S-S-I-O-N permission.”

    …. is not necessary. Take a look at literature on the Human Subjects Committee website. When permission interferes with the very nature of the study, it’s completely ethical to perform the study without it.

    The only ethical issue arises when you are overlapping “lack of permission” and “harming the test subject”. There was no harm at all in this experiment. I'm sorry but “my feelings are hurt” doesn't count.

    Also, kiddies… you’re not in grade school anymore. It’s time to get over “he hurt my feelings” and move on with your life. You’re in college, act like it.

    Oh well… there’s always nepotism, I guess.

  74. Anonymous Says:

    All the people coming here and throwing insults around to those who fell for the deceit to boost their own egos need to be silent. Especially the /. sheep.

    Those who fell for the deceit really should just be glad they /learned their lesson/ in a mostly harmless way instead of through someone with more hurtful motives. That doesn’t negate the right to be angry, though.

    The study itself does show how these types of information attacks can be performed and how deceptive and effective they can be. There's no way it would have worked if the people that were targeted knew about it beforehand, that's clear.

    Away with the /. children, plague of the internets.

  75. Anonymous Says:

    Those of you who are mad about being “used”. Get a f***ing clue. A real phisher would do much worse than use you in a study. People need to wake up and start taking online security more seriously. Even avid computer users can use a friendly reminder like this to keep them on their toes.

    Getting permission from the subjects would totally ruin the experiment. The owners of the e-mail addresses being spoofed should have been informed, but I can't see why anyone would be too upset with being fooled. People are just upset because they aren't as computer savvy as they thought they were. Just be happy your bank accounts are left untouched and your passwords are still private. You should thank the people that are trying to educate you about phishing scams.

  76. Anonymous Says:

    Kudos to the students who performed this survey, and to the poster on 12:28pm, 4/26/2k5. I agree completely with the sentiments of the students. To inform them prior would drastically alter the results of the experiment. After all, no such warning is given to you in the real world.

    I've long thought that the whole “social networking” phenomenon could be used for such attacks. There's an acronym for this kind of research in the military, OSINT (open source intelligence). People who will freely release such personally identifying information about themselves AND their friends deserve what they got out of this experiment. Remember, once you hit the “enter” key, and the submitted data flies across the 'net, you completely lose total control over who receives it.

    Given that these guys did this study in the open and welcomed such comments, I doubt seriously they would have kept any personal information beyond the aggregate statistics collected after the login verification was complete. Perhaps we could see the code to be sure?

    — Nick

  77. Anonymous Says:

    If you think this is bad, you are stupid.

  78. Anonymous Says:

    You people got PWNED!! LOL. Guess that's why you're students: you've got a lot to learn

  79. Anonymous Says:

    social networks are primarily a tool by the security services

  80. Anonymous Says:

    I feel so violated that I simply want to die.

  81. Anonymous Says:

    Point 4 - The University should kick everyone who gave up their personal info out of school. You are too stupid to be labeled as a “graduate.”

    Hear, hear! If you're ranting about this experiment, then you really should consider ending your academic endeavors and accept the fact that McDonald's is hiring.

    Michael

  82. Anonymous Says:

    HELLO STUDENTS OF INDIANA UNIVERSITY. THIS IS THE IT DEPARTMENT. WE BELIEVE YOUR ACCOUNT HAS BEEN COMPROMISED. IN ORDER TO VERIFY YOUR ACCOUNT DETAILS AND REACTIVATE YOUR STUDENT ACCOUNT PLEASE ENTER YOUR USERNAME AND PASSWORD BELOW. THANK YOU. IT DEPARTMENT.

  83. Anonymous Says:

    A real phisher would do much worse than use you in a study. People need to wake up and start taking online security more seriously. Even avid computer users can use a friendly reminder like this to keep them on their toes.

    This guy is 100% correct. You’re lucky that some Korean phisher isn’t running up Mommy and Daddy’s credit card buying kiddie porn from Russia after your “date rape” phishing experiment exposure.

    ATTENTION — ALL STUDENTS WHO “PARTICIPATED” IN THIS EXPERIMENT — YOU HAVE NOW BEEN INTRODUCED TO THE REAL WORLD. WELCOME, AND BEWARE.

    And I thought Bobby Knight was the only dumbass at IU.

    IronChefMorimoto

  84. Anonymous Says:

    OWNED!

  85. Anonymous Says:

    What a bunch of whiners! If you know how to handle an email like that, then why cry about the experiment? Maybe those crying are those who clicked the link?? Learned a lesson, eh?

  86. Anonymous Says:

    No comment.

  87. Anonymous Says:

    > By some of the reactions here, it sounds like people would rather have their money stolen than to admit they were duped out of it in the first place. Boo-hoo! Might as well post all your personal information now and get it over with.

    One of the biggest problems that authorities have when trying to prosecute con men is finding victims who are willing to testify against their victimizer. There is something in the human psyche that fights tooth and nail to prevent a person from admitting that he/she was duped.

    People who have lost huge sums of money to fraudsters simply will not admit that they were conned. They will argue, they will rationalize, but they will never admit they were taken.

    The attitudes of many of the students here are textbook examples. No harm was done, no names were named, and hopefully many of them are now a bit wiser about handing out personal information online. Yet they are furious because they are being forced to admit to themselves that they were fooled.

    The threats of lawsuits are also amusing - I leave it up to the plaintiffs to argue to the court how they were personally harmed in any way, shape, or form by this study.

  88. Anonymous Says:

    ATTENTION IU STUDENTS:

    YOU ARE A BUNCH OF RETARDS

    THAT IS ALL

    SINCERELY,

    THE INTERNETS
    XXOO

  89. Anonymous Says:

    BOOBIES!

  90. Anonymous Says:

    MORE BOOBIES!

  91. Anonymous Says:

    On one side you have the researchers showing some ppl “You are stupid” in the nicest possible way. Then these stupid ppl are saying “OMFG you showed me my own stupidity, where is my mommy, my mommy never lets anyone or anything make me feel bad and i’m sure that’s how the whole world must be.” Ppl like above saying “I feel so violated that i simply want to die” should either mean it or SHUT THE FUCK UP! Thanks.

    BTW, you’re still stupid after this.

  92. Anonymous Says:

    Hey this got posted on /. because so many of you are retarded!

  93. Anonymous Says:

    Also you are getting mocked by the slashdot nerds, of which I am a part. And rightfully so. I bet that doesn't fit in your universe.

  94. Anonymous Says:

    Quit crying, y’all!

  95. Anonymous Says:

    The poster at 5:12 2005.04.26 includes him/herself in their own analysis because the person who posted that they ’simply want to die’ was clearly also a /. lemming being condescending just to get a self-esteem boost.

  96. Anonymous Says:

    Apparently the only people here getting upset are the ones that are too “smart”. Now, this experiment shows how gullible people are and their willingness to do what they are told. Instead of coming here and flaming the authors of this article, shouldn't you go out and educate your friends? Instead of “OMFG YOU STOLE MY FRIEND'S IDENTITY”. Now that I think about it, how are we sure it wasn't these individuals that fell for it and are looking for a way to justify their own mistakes? Just my two cents.

  97. Anonymous Says:

    IU needs to be disconnected from the Internet, since apparently they cannot use it properly.

  98. Anonymous Says:

    GO PURDUE!!!

  99. Anonymous Says:

    Isn’t it a bit ironic that so many duped people are complaining at you for this study. Do any of them forward the REAL phishing scams they receive to fraud@phishfraud.com, reportphishing@antiphishing.org, and/or the companies being spoofed? Are they even capable of telling that something is a phishing scam? Probably “no” on both counts. They aren’t expelling their vitriol at the actual defrauders and scammers that are sending them real scams… no, they’re wasting their barely post-adolescent bitching at you guys, who are probably the first to get real numbers on how effective phishing scams are, or more to the point, of just how trusting people are of anything that comes up on their computer screen.

  100. Anonymous Says:

    Stop whining. This experiment was for your own good. It just shows that even gullible people attend University. Just imagine if this wasn't an experiment… then you would be owned. Would that feel better? See it as one of the lessons in life. Question what people say or write, whether it's a politician, a preacher or your friend. If you don't do this, you'll just be yet another gullible sheep that follows the herd.

    Keep up the good work Markus!

  101. Anonymous Says:

    Sounds like sour grapes from people who fell for it. A Facebook account breach is far the most serious. All of you who fell for it go change your passwords and be thankful the people doing the research didn't have malicious intent.

    This study is useful in that it will show how careful or reckless people are with personal and potentially sensitive information. Judging from the amount of ranting I'd say a lot of you need to get a crash course in security 101. The first lesson should be don't log in to your accounts through links sent to you in email or IM... manually go to the page and log in that way.

    Hopefully you'll be more cautious next time.

    My two cents.

  102. Anonymous Says:

    You morans!

    GO JEW$A!

  103. Anonymous Says:

    Correction.

    “A Facebook account breach is far the most serious. ”
    should be
    “A Facebook account breach is far from the most serious. ”

    sorry for the double post.

  104. Anonymous Says:

    U g0+ pwn3d!

  105. Anonymous Says:

    the internet is serious business guys

  106. Anonymous Says:

    Anonymous Says:
    April 26th, 2005 at 4:09 pm
    “The methodology and thought process behind this study are poor in my opinion. First the individuals behind the study are lucky not to have had any sort of legal action against them.”

    What does that comment have to do with methodology? Going off on a tangent and speaking about legal action does not address what you may think is methodologically flawed.

    It seems that the methodology is fairly sound, although the results were predictable. What I find interesting is the fact that the researchers could find enough information about individuals from public sources on the web to be successful at this. That should make each and every person reconsider how they treat the e-mails that they receive whether they recognize the sender or not.

    The same poster continued, “Also I have to wonder how the information that they stole during this experiment was protected (or is being protected currently if that data has not been sanitized).”

    From what I have seen, there was no information stolen at all, it was a study to see who would enter their username and password, not a study to store that information. The information they used to put together their e-mails was information that is publicly available, thus accessing it was not stealing, it was completely legal.

    Finally the same poster wrote, “I have to wonder what these people were trying to accomplish with this.”

    They were trying to show that simply from doing some information searches on a person a phisher could spoof an e-mail that would successfully phish them in. The value of this should be self-evident - it reveals that this is actually the case and that as internet/e-mail users we need to be aware of it.

  107. Anonymous Says:

    It sounds like someone has a case of the Mondays. Seriously tho, these ‘security researchers’ are just doing what has to be done. People have to be taught not to give out information. What better way to do that than to make them feel like small idiots. You should post a webpage with their names — heck put up year book pictures beside them. If we had more public ridicule of the idiots who gave out their information, perhaps we would have fewer idiots.

    Jeff Moss
    www.defcon.org

  108. Anonymous Says:

    What a petulant bunch of children. Those of you complaining about being violated are beyond belief. You're merely being shown your ignorance, and your violent reaction only shows your unwillingness to take responsibility. Typical of the immaturity of a lot of college students. Life is tough. Get your shit together or someone IS going to kick you in the face. Don't shoot the messenger for warning you.

    Oh, and did a bunch of you skip science class in high school to go smoke joints out back of school? It’s standard procedure in conducting a proper experiment like this that the participants cannot be aware it’s happening. There is NO way to avoid coloring the results if they have the slightest inkling that it’s coming, or it may be under observation. There were a bunch of respondents indicating that the researchers had no imagination. None of them appear to offer a viable alternative to how this should have been done in a manner that would not have tainted the results. One suggestion was to inform people well ahead that this could happen, and they could choose to participate. Yeah, that’s scientific. First we weed out the paranoid who refuse to participate, then we set the rest on alert to watch out for every potential phish email because they’re definitely going to be deliberately targeted.

  109. Anonymous Says:

    ATTENTION IU STUDENTS:

    THE IT DEPARTMENT HAS SET UP A FUND TO COMPENSATE STUDENTS WHO FEEL THEY WERE EXPLOITED BY THIS EXPERIMENT. WE WILL COMPENSATE EACH STUDENT $200 PLUS ACTUAL DAMAGES, IF ANY. TO SIGN UP FOR THIS PROGRAM, GO TO:

    http://www.goat.cx

    THANK YOU.

    IU ADMINISTRATION

  110. Anonymous Says:

    Hot tip to those whose addresses showed up in the “From” field of the phishing bait emails: No, your computer wasn’t taken over.

    Hot tip to those who thought their computer was taken over: Yes, it probably is taken over, by malicious spammers who send out their spam with it, not by those conducting the study. Unplug your computer now and contact the IT department about updating it and getting rid of the viruses and other “malware” that you have unwittingly installed. Only then start thinking about lawyers. I guess David Boies, Darl McBride and those guys can set you up.

    Have a nice day.

  111. Anonymous Says:

    I don’t like how you took away people’s right to choose (by using trickery) to participate in an experiment that could leave a lot of people feeling like dumbasses. If I WANT to feel like a dumbass, I’ll go sign up to participate in a research study at the Psych building.

    BOO FOR TAKING AWAY THE RIGHT TO CHOOSE TO PARTICIPATE.

  112. Anonymous Says:

    actually bobby knight was the smart one.

    smart people go to purdue, iu is for white trash and communists.

  113. Anonymous Says:

    Right To Choose?

    You have the right to choose to NOT click on the link and get scammed.

    You have the inalienable right to not be stupid.

    You gave up those rights… so why not 1 more?

  114. Anonymous Says:

    My personal opinion is that the experiment is unethical.

    The e-mails were sent to people who did not volunteer to be in the experiment. I don’t really have a problem with that.

    But the “from” addresses were also spoofed. I think those people should have given their consent - find a group of people who are willing to let their email addresses be used for a fake email. That would not be impossible to find. The experimenters could have used their own email addresses to send a spoofed email to their friends to start with.

    If I find out someone was sending fake “get-rich-quick” letters to my friends (e.g. “Sign up for Amway! I’ve made millions with it”) with my return address on it, I would be upset with them even if it was an experiment by a noted university researcher.

  115. Anonymous Says:

    An experiment that takes place without the permission of the participants is hardly justifiable and completely unethical.

    Travis Walls

    “Greetings from /.”

  116. Anonymous Says:

    The problem with the complaints listed here is that in real life, the scammers and people running real phishing scams aren’t going to care if you’ve signed a waiver. They’re going to spoof your email address any way they can. If I were a person who either fell for this scam (which I wouldn’t) or had my email spoofed, I would be thankful that my shortcomings were pointed out by a colleague at the university and not by an actual phishing scam.

    -Keith Stevens

  117. Anonymous Says:

    So if I'm sitting in front of Wal-Mart handing out toy dough-nuts that look exactly like real dough-nuts to see how many people will actually bite into them and then mark down how many people do...

    That’s unethical?

  118. Anonymous Says:

    A few weeks from now I'm sure we'll be hearing about how the hard drive containing all the participants' personal information was “misplaced”.

  119. Anonymous Says:

    thats as stupid as the fembot calling it rape

  120. Anonymous Says:

    You make a case for those being involved being blind to the fact they are participating in the experiment because notification would have altered the results. But didn't you already alter the results by notifying IT that the experiment was taking place? How quickly would IT have discovered and put a stop to the phishing if they were also kept “blind”?

  121. Anonymous Says:

    There is a problem in the academic community where people think that scientific knowledge or public awareness is worth the most depraved acts imaginable. (Not that this particular exercise merits that description, but this one does seem to be in a grey area.)

    Is it right that a person can label their crime a “scientific experiment” and get away with it? How many experiments are inflicted on uninformed and unwilling human guinea pigs? Where is the line drawn?

  122. Anonymous Says:

    I was on slashdot.org and found this blog. AND I’M UPSET….. I don’t know why I’m upset but I figured since everyone else was UPSET…. I would be too. How dare you cause me to be UPSET…. I was happy just looking at the Longhorn pics and next thing I know I’m UPSET….. Why on earth would anyone be UPSET as me. I didn’t get my identity stolen. Heck I don’t even live in INDIANA…. Which makes me UPSET……
    HAVE A NICE FREAKING UPSET DAY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    -Anonymous Coward

  123. Anonymous Says:

    “But the “from” addresses were also spoofed. I think those people should have given their consent - find a group of people who are willing to let their email addresses be used for a fake email.”

    Agreed. Although getting consent from the “victims” would have invalidated the study, those whose email addresses were spoofed should have been contacted.

  124. Anonymous Says:

    Indiana University’s finest got ePownz’d… Hopefully you have learned a lesson or two. Now go wash the phish smell off of you and move on.

    P.S. Stop blaming others for your stupidity. Security by Obscurity = BAD Security

  125. Anonymous Says:

    Boe-Boe.

  126. Anonymous Says:

    Wow most people here are ignorant fools who really shouldn’t be on campus. I think this was a great study and shows just how easy it is to have your identity stolen. You are lucky it was just a study. Instead of bashing them for trying to help you, you should thank them for showing you how stupid you are.

    Mr. April 26th

  127. Anonymous Says:

    Complainers:
    Thank the nice experimenters for raising awareness and waking some few of you up.
    The rest deserve to be phish bait.

  128. Anonymous Says:

    It is not strange. I’m well aware that unethical people exist and am now aware that you two and the Human Subjects Committee will engage in conduct I consider to be unethical.

    Do not use my identity to pretend to be me for the purpose of misleading others, thereby harming my own reputation, a valuable property solely owned by me.

    Those whose identities were used and whose reputations have been harmed may wish to gather together to pool their legal resources and prevent further misuse of and harm to their reputations.

    Those commenting that there was no way to carry out the experiment without harming the reputations of those whose identities were involved are correct. The experiment should not have been carried out. That it can be done is not sufficient reason for doing it. Both the investigators here and the Human Subjects Committee should be aware of that and failed to act in a responsible manner.

    Others might also note that postings here should not be assumed to really be anonymous. The hosts here have already demonstrated a willingness to lie when it serves their purpose. Something for any potential future employers to note.

    The value of this exercise seems minimal. It’s widely known that phishing exists, that people fall for it and that people will trust friends and can be abused, as the researchers did here and what the Human Subjects Committee endorsed.

    Anyone contemplating attending this school, please consider picking one with decent ethical standards instead.

    The above are my personal opinions of the conduct of the persons involved in this activity, the Human Subjects Committee and Indiana University, all of which I consider to have demonstrated themselves to be unethical.

    Please promptly publish all communications with the Human Subjects Committee about this exercise and relay a request that the Human Subjects Committee post a full record of its deliberations on this matter. At first examination it appears that the Human Subjects Committee has failed to adequately review this item and needs guidance from those not in this field about what is and is not ethical conduct.

    Where can I find a copy of the university policy on providing academic credit, or not, for unethical course work?

  129. Anonymous Says:

    Your claim that “nobody was hurt” is inaccurate. Those hurt include:

    You and your partner, who have established a reputation for engaging in unethical activities and acting improperly

    The reputation of Indiana University.

    The reputation of the Human Subjects Committee and opinions about its ability to prudently do its job.

    Those whose identities were misused and reputations harmed by being falsely identified as the originators of the emails.

  130. Anonymous Says:

    You, Mr. Jakobsson, are an idiot. There is no way for me to say that politely. I think you understand that from the nature of your rushed post, yet you did not apologize.

    “The experiment you may have been a participant in was performed using only publicly available data.”

    Your home address is “publicly” available. Say I show up at your house in a perfect disguise (just assume, since almost all of the recipients in your case would believe a perfect impersonation) as one of your friends, then put a gun to your head and tell you “You should be more careful next time.” I haven’t caused you any physical harm. Do you take this episode as a learning experience?

    “I hope that you will bring this up to discussion with friends and family, with administrators, faculty members, politicians, and journalists. This time, nobody was hurt (only the pride of those who felt taken advantage of was hurt).”

    I assume this statement is a bluff, since you already sent apologies to students. You must realize in some sense that you were in the wrong, even if you deny it in writing.

  131. Anonymous Says:

    PURDUE WOULD NEVER FALL FOR THIS!!!!!

  132. Anonymous Says:

    stop complaining, hoosiers, and go back to making porn videos in your dorms.

  133. Anonymous Says:

    Amen. More IU Pron.

  134. Anonymous Says:

    This experiment proves IU is only good for pornography, booze, and shitty basketball.

  135. Anonymous Says:

    Anonymous said: «The comment about them not being decent researchers….yeah, I wonder if you'd have a better idea on how to research the area. It's easy to be a critic, how about trying to contribute for once?» (see below)

    and «The e-mails were sent to people who did not volunteer to be in the experiment. I don’t really have a problem with that.» (I disagree also but not as strongly as with the first person)

    It has already been pointed out that getting the permission of some people to have emails sent out on their behalf might have been possible without compromising the experiment. I think that it would have been possible to get the permission of the recipients also without compromising the experiment.

    Ask students if they are willing to participate in a research project conducted via email. Include a disclaimer saying to be careful with any email you read. De-emphasize the disclaimer in the standard way (smaller font size, try to give the impression that it is a “standard” disclaimer included at the bottom of any form.)

    e.g. some sample text:

    “Do you agree to participate in research project X? Your time commitment will be minimal. In the course of this project, you agree to be contacted one or more times (less than 10) via email. Your email address will not be published to any third party or commercial mailing list.

    etc.

    (in small type at the bottom)
    Terms, Conditions, and Disclaimers
    Please read these terms, conditions, and disclaimers carefully. By participating in this project, you declare that you are aware of all of these terms and conditions.

    Although we will try to provide accurate and timely information, the content of any e-mails you receive may not be accurate, complete or current and may include technical inaccuracies or typographical errors. The information contained in any emails is for informational purposes only. You should verify all information before relying on it and decisions based on information contained in any emails are your sole responsibility. If you need specific details about this research project, you should contact …

  136. Anonymous Says:

    As a 5th year psychology student on the other side of the Atlantic, it surprises me to see so much hair pulling about something so trivial.

    It has been common practice in psychology to conduct large scale experiments without prior permission for decades. There is a long approved ethical code that when an experiment cannot be conducted with permission, it is only conducted if no harm is done to the subjects.

    I find the claims about them keeping personal information preposterous. Like all studies in human sciences, all data kept is the data used for statistical analysis. No personal data that can be used to unveil a test subject’s identity is ever kept. The only personal data an experimenter is likely to keep is your average demographic data: age, sex, possible prior studies linked to the experiment. But of course none of that would have been kept at all in this study.

    It seems nobody even took a second to read comment #13, where one of the students conducting the research replied. Allow me to quote:

    Whereas we did not save any of the credentials, all that were counted were first checked against IU’s kerberos authenticator. I am sorry that the stats are not yet available, we are working on it.

    They performed a quick computerised check to see if the information given was actually correct information, to validate people actually believing the email. According to that quote, and the experiment would never have gone ahead had it been otherwise, they never had access to any of the credentials, once the computer had checked, it erased them.

    Also, the point of this study was not to show people how stupid they are, nor to raise people’s awareness. The point of this study was to evaluate the receptivity of general public to advanced phishing techniques using publicly available data.

    I hope the students are planning on publishing the results of their analysis and their methodology, I’m really quite curious.

    Oh, and thanks to slashdot for the link, who, despite the ambient xenophobia in the comments on their articles, do post some interesting links sometimes.

  137. Anonymous Says:

    Hey everybody.

    Whilst I sympathise with those who feel their privacy has been interfered with (and yes, it has), I do have this analogy to make - if you walk down the street holding your wallet in an outstretched arm whilst looking in the other direction, can you really expect it not to get stolen? If you leave your front door open with an iBook on the front table, can you really expect it not to get pinched?

    Whilst many may not realise it, these are the rough equivalents of trusting and using insecure e-mail on the Internet. As much as you may complain about the lack of privacy, if you were practising truly safe computing practices, you would not have a problem.

    Some suggestions:
    * pgp sign all outgoing mail
    * request all incoming mail from friends be pgp signed also
    * verify all non-pgp-signed mail in person (e.g. phone call to verify info)
    * set up automated systems requesting confirmation of all e-mail sent from non-pgp sources (i.e. have a bounce-back to the sender that includes something like:
    “You have apparently sent me the following email . If you did in fact do this, please reply with a subject of “DDGSGDH34234 verify” (automate that link). If you did not send this email, please disregard this message” or somesuch
    * pgp encrypt sensitive information
    * be consciously aware of what information can be used to launch an identity theft attack, and be very careful about where and how you give it out

    And lastly, email is such an incredibly insecure method of communication. Whilst you can do nothing to prevent people pretending to send from you, if all legitimate mail from you were pgp signed with a notice stating that all such non-signed mail is forged, then people would soon come to expect it.
    These sort of measures should be more widely used in the Internet community.

    DRK
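
    The bounce-back confirmation for unsigned mail that DRK describes above, worked through as an added example in Python (not code from the page or from the commenter). It assumes a constructed local secret and constructed sample messages, and it only checks that a PGP signature part is present, not that the signature verifies (that needs gpg and a keyring):

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed local secret (assumption); keep it outside the mail spool in practice.
SECRET = b"constructed-local-secret"
TOKEN_LEN = 12  # hex characters of the HMAC kept in the token

def is_pgp_signed(msg: Message) -> bool:
    """True for an RFC 3156 multipart/signed message with a PGP signature part.
    Only presence is detected; validating the signature needs gpg and a keyring."""
    if msg.get_content_type() != "multipart/signed":
        return False
    if (msg.get_param("protocol") or "").lower() == "application/pgp-signature":
        return True
    return any(p.get_content_type() == "application/pgp-signature" for p in msg.walk())

def challenge_token(sender: str, message_id: str) -> str:
    """Token bound to the claimed sender and Message-ID, so no state is stored."""
    data = f"{sender.lower()}\n{message_id.strip()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:TOKEN_LEN].upper()

def classify(raw: str) -> dict:
    """Deliver signed mail; hold anything else behind a challenge."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    mid = msg.get("Message-ID", "").strip()
    if is_pgp_signed(msg):
        return {"action": "deliver", "sender": sender, "message_id": mid, "token": None}
    return {"action": "challenge", "sender": sender, "message_id": mid,
            "token": challenge_token(sender, mid)}

def build_challenge(sender: str, message_id: str, subject: str) -> str:
    """The bounce-back sent to the claimed sender; only that mailbox learns the token."""
    token = challenge_token(sender, message_id)
    return (f"To: {sender}\nSubject: Please confirm: {subject}\n\n"
            f"You have apparently sent me the message \"{subject}\" ({message_id}).\n"
            f"If you did, please reply with the subject \"{token} verify\".\n"
            "If you did not send it, please disregard this message.\n")

# Valid reply subject: optional "Re:" prefixes, the token, then the word "verify".
_REPLY_SUBJECT = re.compile(r"^(?:re:\s*)*([0-9a-f]+)\s+verify\s*$", re.IGNORECASE)

def verify_reply(raw_reply: str, sender: str, message_id: str) -> bool:
    """A reply carrying the right token shows the claimed mailbox saw the challenge,
    which a forged From: header alone cannot achieve."""
    msg = message_from_string(raw_reply)
    if parseaddr(msg.get("From", ""))[1].lower() != sender.lower():
        return False
    m = _REPLY_SUBJECT.match(msg.get("Subject", "").strip())
    if not m:
        return False
    return hmac.compare_digest(m.group(1).upper(), challenge_token(sender, message_id))

# Constructed sample messages (not real mail from the study).
UNSIGNED_MAIL = """\
From: Friend <friend@example.edu>
To: me@example.edu
Subject: check this out
Message-ID: <1001@example.edu>
Content-Type: text/plain

Hey, you have to see this, log in and take a look.
"""

SIGNED_MAIL = """\
From: Friend <friend@example.edu>
To: me@example.edu
Subject: lunch?
Message-ID: <1002@example.edu>
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Lunch at noon?
--b1
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--b1--
"""

if __name__ == "__main__":
    decision = classify(UNSIGNED_MAIL)
    print(build_challenge(decision["sender"], decision["message_id"], "check this out"))
    print(classify(SIGNED_MAIL)["action"])
```

    The token is mailed only to the claimed sender's address, so a spoofed From: header on the original message cannot produce a valid reply unless the spoofer also controls that mailbox.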

  138. Anonymous Says:

    To all you dumb shits complaining about “OMG MY IDENTITY WAS STOLEN BECAUSE OF YOU,” please shut the fuck up. They didn’t steal your identity: they collected information in a study they were performing with information all of you made PUBLICLY available. Were they to open bank accounts, apply for credit cards, loans, etc. then they would be STEALING your identity.

    Let’s consider the following:

    1. You fuckers publicize information in the public domain.
    2. This information is harvested and used to send an email address to you containing a link to a nefarious website.
    3. You actually open this link.
    4. The lot of you whine and bitch about doing something entirely stupid which banks, the Federal Government, various organizations and several universities have been warning you about for the past 2 years.

    So please shut the hell up and thanks for participating in these guys’ study, which has proven that the majority of you are too fucking stupid to have, let alone operate, a computer.

  139. Anonymous Says:

    Oh how ridiculous!
    “Say I show up at your house in a perfect disguise (just assume, since almost all of the recipients in your case would believe a perfect impersonation) as one of your friends, then put a gun to your head and tell you “You should be more careful next time.” I haven’t caused you any physical harm. Do you take this episode as a learning experience?”
    No, cause you’re AN IDIOT. Now, if the person in disguise asked you to give the keys to your house to him, that would be analogous. What the hell does a threat with a gun have to do with this anyway? Christ, why do they admit those stupid people to school?! Educated idiots are like monkeys with guns… (note for idiots: knowing and thinking are different things, one doesn’t substitute the other.)

  140. Anonymous Says:

    To the poster at 7:50 pm talking about disguises and guns - the situations are not analogous. If “guns” were pointed in the experiment, it was the “phished” applying them to their own feet. No one was placed in danger by this experiment. Just embarrassed a little.

    To those who say “this was unethical” - you are misinformed as to the meaning of unethical, which is why you are students, of course. You are at IU to learn, although many of you will emerge from the other end of the process having learned nothing. Learn from this. Your opinion (that this was unethical) means little when put up against the decisions of those that have power within your environment. Until you have power yourself, it’s only your opinion. And everyone knows opinions are like armpits - everybody has a couple and most of them smell bad on a hot day.

    To those muttering darkly of “legal action” - put up or shut up. I realise your country is a litigation nightmare, but I’m having difficulty in seeing what legal basis you would have for any suit out of this.

    To the /. crowd - c’mon, this is shooting fish in a barrel.

  141. Anonymous Says:

    Maybe these students should read their “Student Handbook” for their contract with the University. At least at my University, you don’t *need* to ask for any further consent if the research study is approved by such and such committee and classified as such and such category (basically non-harmful but potentially hurting people’s feelings).

    How can you have any beef with Researchers? They took all the appropriate steps — they got a faculty advisor, had their research study approved by the ethics committee, and informed the IT security department.

    All of your anger is misdirected — if you have any beef, it’s with your University’s ethics committee for choosing to approve the study. The researchers did everything they were supposed to.

  142. Anonymous Says:

    Wow.

    Why did you click the link?

  143. Anonymous Says:

    You is stupid for clicking on the link.

    That is all.

  144. Anonymous Says:

    The ethics committee aided and abetted three felonious violations of Indiana code, and up to perhaps nineteen federal statutes. But hey- Tom DeLay is still speaker of the US House.

  145. Anonymous Says:

    Legal basis:

    Phishing is a crime. The emails gave the impression that the sender was attempting a phishing crime and there were apparently a significant number of phone calls to computing support where that impression had resulted from these activities.

    Causing someone to appear to be engaging in a crime is not a trivial matter - it’s usually libel at least to even falsely say someone was engaging in a crime.

    I’ll be most interested in finding out whether that was disclosed to the Human Subjects Committee and the university legal counsel and whether they approved making students look like criminals.

  146. Anonymous Says:

    Y’all are a bunch of Milsaps!

  147. Anonymous Says:

    They clicked the link. It seems that this fact escapes most people. In fact not only did they click the link, they then entered their login information. Government is not intended to protect people from their own stupidity.

  148. Anonymous Says:

    I never get the good emails. I never get the viruses. I’ve never seen one come into my inbox. Sad.

  149. Anonymous Says:

    The /. crowd is the most heartless group of misguided self-righteous pricks in the universe. Let them learn their lesson without being insulted into the ground and asked to be sterilized, thrown out of school, flogged, etc etc. Children.

  150. Anonymous Says:

    Yeah, this is cool and all, but when is the next Girls of the Big 10 Playboy?

  151. Anonymous Says:

    I can fix that… What’s your address?

  152. Anonymous Says:

    Once a long time ago I was stupid enough to run IIS (a Microsoft webserver). I got hacked. I freaked out, but when I looked at my logs, I noticed only a few files were changed, though the hacker could have trashed my whole system. When I examined these files, I found a message telling me how to properly patch my system so that I could not be attacked again. That’s it, nothing else, just a message telling me how to fix the problem.

    Did I feel violated? A little. Did I try to backtrace the IP and find the person? No.

    They did me a favor. I owe that cracker big time. If it weren’t for them, I probably would have been hit by someone or something who really wanted to do damage.

    And I LEARNED from it. This is the whole point. Like you folks who fell for this phishing thing, I was at that time NOT knowledgeable enough to be running a webserver on my home computer. This hacker helped me learn a vital lesson, and I am a better person for it. If you fall for a phishing scheme, you are not knowledgeable enough to be using email, or even the internet in general for that matter. This is not meant as an insult, this is just a fact. If you don’t want your computer to have viruses and spyware on it, and if you don’t want your identity stolen in an increasingly digital world, you have a LOT of learning to do.

    It is sad what personal computing has come to.
    What happened to “user friendly”? What happened to “idiot proof”? What happened to “maintenance free”?
    These were all dreams of personal computing, and progress was being made, but now with most computers on high speed internet connections and microsoft products running on them, we are going backwards ten times faster than we are going forward.

    The truth is, most computers these days just CAN’T be used by the majority of people. People expect computers to do everything for them. People don’t expect to have to learn all the ins and outs of computer security just to keep their system running cleanly.

    These folks who scammed you taught you a valuable lesson that WILL help you in the future, and they did it without actually harming you.

    Trust me, some day you will thank them.

  153. Anonymous Says:

    Nate, Tom,

    u guys rock. thanks for helping to educate the ignorant…or at least make some folks more aware.

    -m

  154. Anonymous Says:

    Stupid experiment.

    “See, I COULD’VE kicked you in the face. Now wear a mask everyday.”

  155. Anonymous Says:

    I think a more appropriate example of the “gun and disguise” analogy would be:

    I show up to your house looking exactly like your friend, hand you a gun assuring you that it has no live ammunition and tell you to point the gun at your head and pull the trigger saying, “OmG this is SO funny”.

    Would you pull the trigger?

    Would you click the link asking for your password?

    (I don’t know what the point of this post was, I just thought of it while reading the comments.)

  156. Anonymous Says:

    Things I love:
    -”Fuckbuddy” and goat.cx on a university webpage! Who needs to hack the server to deface it? These jokers put up an unmoderated, anonymous “blog” page…Must be IA students.
    -That no one was “got” by this e-mail, everyone had a “friend” who did this…Funny shit!

  157. Anonymous Says:

    I hadn’t heard about the porn…he he he, this commentary on that incident seems topical:

    “The reaction of the IU administration has been both amusing and frustrating. IU Chancellor Sharon Brehm was quoted in the October 24th Herald-Times as saying “Our students need to understand there are people and there are organizations out there who will exploit them for monetary gain. They need to be wary and skeptical and careful, because they can be taken advantage of.”

    Excuse me? IU students are legal adults, old enough to know right from wrong, and if students were engaging in sexual activity with porn actresses they knew exactly what they were doing. To suggest that these adults were “taken advantage of” is silly and an attempt to deflect responsibility from where it belongs. IU may have a right to be upset at Shane Enterprises but any students who were “serviced” by its representatives were hardly “exploited” or “taken advantage of”. ”

  158. Anonymous Says:

    Good Job. You made people sit up and take notice of a serious problem.

  159. Anonymous Says:

    Oh, for the love of God, just destroy all of your computers before they steal your soul!

  160. Anonymous Says:

    lol at all the angry losers here.

  161. Anonymous Says:

    The world is full of idiots. Well, this forum anyway.

  162. Anonymous Says:

    Ditto to the lol

    Seriously, this is painful…. Yeah they didn’t tell you about the study, yeah that is questionable ethically, HOWEVER telling you about the study would have compromised the study itself, as has been said, and the information gathered was not exploited in any way and (I trust) has since been destroyed/deleted/etc.

    I’m in Aus by the way, at a totally different uni, but I’m amazed how self righteous people sound about the same the world over. Just pulling words out of their asses because they think they understand how the world works ‘Unethical’, ‘My money paid for’, ’someones going to loose their job over this’. Yeah I’m sure they because you are so incredibly important and effective that you are bitching about your problems on a message board provided by the people that tricked you.
    Seriously, lacking the organisation to even congregate in your own space indicates blow-hardness to me.

    But hey, I’m just stirring shit because I’m sure this will be lost in the long list of poorly thought out posts (including this one).

    The moral of the story is: Guard your Info. If someone has the decency to expose a hole in your security without exploiting it, you shake their goddamn hand and you do something about it.

  163. Anonymous Says:

    *lose

    Damn spelling, making me look uneducated in front of all you erudite individuals.

  164. Anonymous Says:

    -=-=-=-

    Yay for blogs ..
    -=-=-=-=

  165. Anonymous Says:

    All of you people with their knickers in a twist - you are all idiots.

    How was your security compromised in any way? Nothing was taken from your systems, and you fell for the trap yourselves. They didn’t do anything magical by faking an e-mail address - that’s proverbial child’s play. YOU followed the link. I think most of the people here are simply angry they were dumb enough to follow the link.

  166. Anonymous Says:

    Typical teenage American response. I’m unhappy! Who can we sue ma? Get over it and grow up you immature teenage college twats.

  167. Anonymous Says:

    Lol I agree with above.

    You can’t sue someone else because your a moron.

  168. Anonymous Says:

    Folks,
    I’m a third party who has read the newspaper thread and this entire blog. I work in the IT security area. For those that are upset at their “privacy” being invaded, keep in mind that the information was retrieved from the public domain in the same way a hack unit in Romania would. I work for a large company with a public presence. We have a massive customer base that gets phished dozens of times a week. It costs us both money and resources to deal with this not to mention the loss of trust by the customer. That impacts our bottom line. You should step back and rethink this. I would be thankful if someone showed me how I could be lured into a trap like this. The Internet is not a friendly place, unless you’re an AOL user.. :)

  169. Anonymous Says:

    For all of you idiots on this forum pissed off, drop back to the post made at April 27th, 2005 at 12:05 am. That guy has a real world example you ALL should take note of. Shit, what am I thinking, you people won’t even know what the hell he’s talking about. Idiots.

  170. Anonymous Says:

    Wow. There is NO reason to be pissed off AT ALL. Think of this as a learning experience, nothing bad happened, and you learned something. Sure, maybe you feel violated that someone tricked you, but push back your pride of a second and THINK!! If someone ACTUALLY wanted to steal your identity, you would have been fooled, and they would have gotten away with it. This is just a test, no harm done, so relax.

  171. Anonymous Says:

    Previous comment is correct - swallow your pride and learn a lesson.

    While you sit in your nice safe little place that is almost, but not quite a part of the real world - these things are going on out here in the real world - at an alarming rate. This is real, it happens, and people’s lives are devastated by it.

    This one may have cost you some pride, but it has taught you a lesson - better some pride now, than your identity, or your bank account later!

  172. Anonymous Says:

    I find it hilarious how all these comments about “My friend had…” “Only idiots fall for phishing” probably come from people who fell victim to it. I can admit to falling for stuff. On MSN, there was a link that a friend of mine sent me, along with the words, “Awesome stuff, you have to see this” Instead of asking why, I clicked the link. Hey, what do you know, my PC started sending the exact message to everybody on my contact list. Human curiosity and the feeling of security you get from knowing your MSN buddies all contributed to me clicking on a harmful link.

    So, kudos to the authors of this study. I think human gullibility is a factor in phishing, and research has to be done in this sector. I’m very tech savvy, but I still fell for it. I’d like to know more about your work in the area, and your findings.

    Cheers,
    Carleton University Student

  173. Anonymous Says:

    To paraphrase Plato’s Republic: Education must be painful. In my opinion, those who were phished should be grateful that they learned about phishing this way, as opposed to having the information stolen by a real hacker. Get mad, threaten the authors of the study- or wise up and go away from this a better and smarter computer user.

  174. Anonymous Says:

    I once did a “survey” like this at a company I worked at. I found out that 30% of people use their first name as their password…smart huh…

  175. Anonymous Says:

    Be as mad as you want, but if this keeps you from getting your identity stolen sometime in your life you will be very thankful. The credit companies out there don’t care if your identity gets stolen. It doesn’t affect them from buying a car or a house. It only affects the victim. If it was just as easy as picking up the phone and calling the credit companies to get it fixed, everyone would have perfect credit. Getting your identity stolen in the real world is the most painful thing you will ever go through in your life. Be thankful you now understand phishing and how it works. One day you will realize that this one lesson will be well worth your $150,000 college education.

  176. Anonymous Says:

    Someone wrote: “You can’t sue someone else because your a moron.” As a lawyer, I can assure you that morons sue people all the time. And, contrary to the common perception, the courts treat moronic claims like moronic claims.

    The openness of the legal system is its curse and its beauty: it gives people, even morons, a place where society can evaluate their claims and say, “yup, you’re a moron.” There is a cost to this, but that cost is WAY overplayed by the media.

    As to the Phishing expedition, the researchers did what ANY phisher could have done. In fact, they’re doing what phishers are ALREADY doing.

    Now, to combat phishing, you have to understand how it works. You can’t simply look at who gets phished… you have to look at who DOESN’T get phished, and the ONLY way to understand who gets phooked and who doesn’t get phooked is to GO PHISHING.

    If you can think of a better way to understand who gets phooked and who doesn’t, then write it up and do the study. Lots of people are waiting to hear from you.

    Replies here: http://oddlife.cliche-host.net/images/fark/2005/flower_crab.jpg

  177. Anonymous Says:

    For all of you who were victims of the “phishing” experiment be thankful it was an experiment. I received an email from Paypal mentioning that I should be aware of changes in policy and a link was provided. The link took me to a Paypal sign on page. After signing on I read about changes being made to the payment/collections process. Another link was provided for me to update my account information but on that page I realized there were questions that were NOT on the original account sign up I had done 3 years earlier (thank God I have a good memory). I closed my browser and opened a new browser window to go to Paypal manually. I read about the email fraud going on, that no changes had been made. I immediately changed my Paypal password. In the span of 5 minutes I was $3000 poorer.
    Whether it was a trusted friend or a trusted company / resource be leery because you are not always as smart or aware as you might think you are. No matter how much you think you do to keep your computer “secure” you can’t keep up with the ever changing realm of technology and the creative thinking of the greedy. Even houses with security systems still get robbed.

  178. Anonymous Says:

    students-take a home study course in PC security for teens/kids/ordinary mortals
    http://www.hackerhighschool.org/

  179. Anonymous Says:

    Still laughing. This should keep me entertained for days thank you computer stupid peoples.

    This thread is worthless without boobies.

  180. Anonymous Says:

    Hahahahaha here is a photo of bchenry

    http://img168.echo.cx/img168/9620/bchenry4vh.jpg

    Photoshop anyone?

  181. Anonymous Says:

    thanks for lying to me and setting my friends against me!
    i will take legal action against the students responsible.

    i want names of who to go after!
    if you know of any, please post them on this board!

    These students violated individual and student rights and deserve to be expelled or punished!

    Phishing is a crime and those responsible will be prosecuted!

    UITS lies, and IU goes along with it!

  182. Anonymous Says:

    So… it is ethical to use publicly available information to garner private passwords, for research purposes?

    The next step? To see how many would fall for entering their credit card numbers and passwords, with the exact same procedure, for exact same research purposes.

    A few years back IU became no. 1 party school, which could have been somewhat positive. This year, I don’t think so…

  183. Anonymous Says:

    A few things:

    1. The information used in this experiment was public domain.
    2. The private information you provided was not stored anywhere.
    3. You were taught a valuable lesson.
    4. Shut up.

  184. Anonymous Says:

    Poster of the comment made at April 26th, 2005 at 4:25 pm here.

    Still looking for some sympathy…

  185. Anonymous Says:


  186. Anonymous Says:

    Were only students selected for this study? There are rumors saying that this was not so…

  187. Anonymous Says:

    http://www.metafilter.com/mefi/41566

  188. Anonymous Says:

    It seems to me that the participants should have at least been told AFTER being duped. I believe that in psychology, it’s a standard practice to give them a debriefing. So while I don’t know the details of your study, after attempting to supply a login and password, I think they should’ve been given a debriefing screen telling them IMMEDIATELY 1) that this was a fake e-mail as part of a study 2) that their information is not actually being harnessed, and 3) that you would like them to (voluntarily) keep the existence of this study a secret for several months until it’s published. If you failed to accomplish the above, then I believe you have indeed committed some unethical acts.

    Additionally, from what I read, your study was hosted from within the university’s server. This is not indicative of what real phishing scams are typically like. For example, the e-bay phishing scams are typically held by other servers. Although come to think of it, it would be surprisingly easy to host it on the e-bay server itself without e-bay noticing it. Still, I don’t think your result is as widely applicable as you make it sound, because myself for instance, will check what server is actually hosting the REAL link or where it’s forwarded to prior to giving out any information (and am careful about doing so even then). But still, the purpose of your study is of good merit, and the findings are certainly reflective of the truth even despite some extraneous factors like the host. I believe that overall you’re performing a valuable service to society, especially for those more ignorant than myself. I commend you for that. But still, if you failed to debrief your participants, then I consider that both unethical and unforgivable.

    Sidenote: as mentioned above, asking the people whose e-mails you spoofed would’ve been nice too.

  189. Anonymous Says:

    Clarification: By “as mentioned above” I meant in somebody else’s comment.

  190. Anonymous Says:

    > It seems to me that the participants should have at least been told AFTER
    > being duped.

    They were. Both receivers and (claimed) senders.

    > I don’t think your result is as widely applicable as you make it sound,
    > because myself for instance, will check what server is actually hosting the
    > REAL link or where it’s forwarded to prior to giving out any information (and
    > am careful about doing so even then).

    Your argument is that people who would not otherwise have trusted the site now did, right?

    But: It could have been hosted on an owned machine.
    And: the name of the webpage was somethingsomething/phishing … that was pretty straightforward, for those who care to see where they go…

    So I think that rather than an upper bound, a lower bound was established.

  191. Anonymous Says:

    anyone that is upset about what happened is just being a sore fucking loser, you were not harmed in any way shape or form so just relax because you learned a lesson and all in all this has made you a stronger person

  192. Anonymous Says:

    > anyone that is upset about what happened is just being a sore fucking loser,
    > you were not harmed in any way shape or form so just relax because you
    > learned a lesson and all in all this has made you a stronger person

    Ok. Now, let’s be constructive. We all know that the above is a fact, and it has been said before. Was it a good experiment? What follow-up experiments should be conducted? (If any.) Apart from user education, what are the benefits of this study? How can we stop this from occurring in the wild? Forget PKIs. Forget anything that our moms and little sisters would not do.

  193. Anonymous Says:

    If you clicked the link you’re a dumb ass.

    /that is all