In addition to enjoying general practice veterinary medicine and a very busy family life, I am somewhat of a network-technology maven. So, it’s not unusual for me to spend what small amount of free time I do have reading 2600 Magazine, hacker websites, and technology blogs. It was a tweet from cybersecurity journalist Zack Whittaker (@zackwhittaker) of TechCrunch that alerted me to the story I’m about to discuss, about the recent expulsion (and deportation) of a Tufts University senior veterinary student.
I'm talking about "Tufts expelled a student for grade hacking. She claims innocence." Go ahead and read it. I’ll wait here.
It's a remarkable story, isn’t it? After reading it and falling down the internet rabbit hole of associated follow-up tweets, hacker message boards and earnest graduate student union petitions (here's one petition with numerous signatories), I had a lot of questions, which led me to reach out to the VIN News Service in the hope they might have some answers. (Spoiler alert: They don't!)
How would a senior veterinary student, in clinical rotations, have the time to engage in the laundry list of crimes attributed to her? Why would she think that the benefit of raising her grade from 99 percent to 103 percent was worth risking everything for? Not to mention, why would a librarian's account have near-super-user privileges? It seems simply absurd.
But then again, why would Tufts (or any other well-established, well-respected university) take this type of step without rock-solid, irrefutable evidence? It’s very troubling — especially as I prepare to send off my oldest child to start college, and it has just become very clear that universities do not have any burden of proof when it comes to matters like this!
Additionally, multiple cybersecurity experts have been sharing on Twitter evidence that the Tufts network has plenty of ongoing vulnerabilities. From the available evidence, it's clear that there was a chain of human and technical vulnerabilities exploited. What's not so clear to me is who did the exploiting.
If the Tufts internet technology department is in fact qualified to determine that this student is guilty, I'd have imagined they would also secure their network. So, does the Tufts IT department even have the capacity to do the type of forensic investigation that one would expect to happen before the expulsion and deportation of a senior professional student? If so, why are there so many apparent vulnerabilities in their network?
Or, as it seems might be the case, is it possible that they are incompetent to do this type of investigation and that they are making assumptions about this student's guilt based on a fundamental misunderstanding about the specificity and/or hack-proof nature of Media Access Control (MAC) addresses? Pro tip: MAC addresses (unique identifiers given to network adapters or network interface cards when they're manufactured) can be changed. They are publicly available to anyone who has ever received a packet from that machine.
Anyone who has the hacking skills to pull off this attack could certainly spoof a MAC address. People clone MAC addresses all the time, for example on airplanes, so their device can masquerade as the one in the next row whose owner just bought in-flight wifi that authenticates that way.
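To make the point concrete from the investigator's side, here is an added example (not part of the original commentary and not based on any evidence from the Tufts case) of the corroboration a forensic review would want before tying a MAC address to one person's device. The session records, field layout and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample records (not real case data): one row per network session
# as a DHCP server or wireless controller might log it.
# Fields: start, end, MAC, DHCP hostname, DHCP vendor class, access point.
SESSIONS = [
    ("2024-01-10T09:00", "2024-01-10T11:30", "3c:22:fb:10:20:30", "student-mbp", "apple", "ap-library-2"),
    ("2024-01-10T10:15", "2024-01-10T10:50", "3C:22:FB:10:20:30", "unknown-host", "dhcpcd-8.1", "ap-dorm-7"),
    ("2024-01-11T14:00", "2024-01-11T15:00", "a4:5e:60:aa:bb:cc", "lab-pc-14", "MSFT 5.0", "ap-lab-1"),
    ("2024-01-12T08:00", "2024-01-12T09:00", "02:1a:2b:3c:4d:5e", "phone", "android-dhcp-9", "ap-dorm-7"),
]

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, meaning the
    address was assigned in software rather than burned in by the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def attribution_conflicts(sessions):
    """Return {mac: [reasons]} for MACs that cannot be tied to a single device."""
    by_mac = defaultdict(list)
    for start, end, mac, host, vendor, ap in sessions:
        by_mac[mac.lower()].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), host, vendor, ap))
    findings = {}
    for mac, rows in by_mac.items():
        reasons = []
        if is_locally_administered(mac):
            reasons.append("locally administered address")
        if len({r[2] for r in rows}) > 1:
            reasons.append("multiple DHCP hostnames")
        if len({r[3] for r in rows}) > 1:
            reasons.append("multiple DHCP vendor classes")
        for a, b in combinations(sorted(rows), 2):
            if a[0] < b[1] and b[0] < a[1] and a[4] != b[4]:  # overlapping in time
                reasons.append(f"simultaneous sessions on {a[4]} and {b[4]}")
        if reasons:
            findings[mac] = reasons
    return findings

if __name__ == "__main__":
    for mac, reasons in attribution_conflicts(SESSIONS).items():
        print(mac, "->", "; ".join(reasons))
```

A MAC that shows up with two hostnames, two DHCP client stacks and two access points at the same moment is evidence that more than one device used it, which is exactly why the address alone cannot identify who was at the keyboard.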
So again, I don’t know why they are so sure this wasn't done by someone (the disgruntled housemate?) who had it in for the student. Could this be the work of someone inside Tufts' IT department who was changing grades for money, realized he was going to get caught, and decided to make this student the scapegoat?
Why has no one from Tufts made a substantive statement about this case? Here's what Patrick Collins, executive director of public relations for Tufts, reportedly said in an email to The Tufts Daily campus newspaper:
"We understand that the story — and the social media attention it has received — has upset a number of people, including students, alumni, and others, who have raised concerns about the university’s review. We are confident in our determination, which was based on the totality of evidence uncovered during our extensive review. We recognize the gravity of student disciplinary decisions, and we take action only after thorough and thoughtful deliberation."
I am not terribly impressed by Tufts' position here. Sounds to me like they are saying "move along, nothing to see here." I'd be more impressed if the university offered to allow an independent forensic network security investigation to occur. Seems to me this student's life is ruined. They've already sent her into loan repayment and she hasn't earned her degrees. And if in fact she didn't do it, well — it's horrifying. It's a clear demonstration of the very low burden of proof these universities are required to meet, and it is not at all reassuring to me that the people who make the rules are the same people who interpret and administer the rules, without making any apparent effort at impartiality.
I'm left hoping that despite the dearth of evidence made public, this student is in fact guilty or that she will soon be reinstated and issued an apology. The possibility that Tufts has just unreasonably destroyed this young woman's life, and she has zero recourse, is haunting.
About the author: Rachel Katz is the pseudonym of a general practice veterinarian in an American suburb who worked in network user support and systems administration before becoming a veterinarian. She requested anonymity to protect certain family members affiliated with Tufts University from any potential repercussions for expressing her opinions.