More Michigan Cheating

[MAIZEandBLUE09]

While working at Michigan, he used university-owned equipment to perpetrate his crimes.

When I was working, a person was fired for just connecting his phone to his work computer (he was listening to music through his computer speakers).

At Michigan, there were apparently no security measures nor surveillance monitoring which is very odd in the world of computers. These students are about to get paid.

You can continue to live in the fantasy world where Michigan has no culpability and every accusation ever hurled their way has been made up out of thin air. The rest of us will reside in reality.

It really isn’t. At a university it’s not a private business. The internet is entirely open to facilitate any kind of research or student activity.

 

[cwerph]

It really isn’t. At a university it’s not a private business. The internet is entirely open to facilitate any kind of research or student activity.

Did it hurt when you pulled that out of your ass?

Network Security | Office of the VPIT-CIO | University of Michigan

it.umich.edu

This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

In today’s digital world, U-M networks are vital to university operations and life on campus. They support open access to resources across a diverse academic environment, while protecting the university’s valuable digital resources and data. This standard describes the requirements that help to ensure the confidentiality, integrity and availability of network resources. It is essential to:

• Monitor and protect the university’s networks, and associated systems, services, and applications, from abuse, attacks, and inappropriate use;
• Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
• Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
• Effectively balance operational concerns and security challenges.

The underlying principle of this standard is that there is a designated Network Service Provider for each of the three U-M campuses and Michigan Medicine that is responsible for running and approving all network and network security infrastructure components on their campus.

 

[Red_Alert]

Did it hurt when you pulled that out of your ass?

Network Security | Office of the VPIT-CIO | University of Michigan

it.umich.edu

This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

In today’s digital world, U-M networks are vital to university operations and life on campus. They support open access to resources across a diverse academic environment, while protecting the university’s valuable digital resources and data. This standard describes the requirements that help to ensure the confidentiality, integrity and availability of network resources. It is essential to:

• Monitor and protect the university’s networks, and associated systems, services, and applications, from abuse, attacks, and inappropriate use;
• Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
• Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
• Effectively balance operational concerns and security challenges.

The underlying principle of this standard is that there is a designated Network Service Provider for each of the three U-M campuses and Michigan Medicine that is responsible for running and approving all network and network security infrastructure components on their campus.

We gonna need some good ol' fashioned maze&blew mental gymnastics here.

 

[MAIZEandBLUE09]

Did it hurt when you pulled that out of your ass?

Network Security | Office of the VPIT-CIO | University of Michigan

it.umich.edu

This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

In today’s digital world, U-M networks are vital to university operations and life on campus. They support open access to resources across a diverse academic environment, while protecting the university’s valuable digital resources and data. This standard describes the requirements that help to ensure the confidentiality, integrity and availability of network resources. It is essential to:

• Monitor and protect the university’s networks, and associated systems, services, and applications, from abuse, attacks, and inappropriate use;
• Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
• Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
• Effectively balance operational concerns and security challenges.

The underlying principle of this standard is that there is a designated Network Service Provider for each of the three U-M campuses and Michigan Medicine that is responsible for running and approving all network and network security infrastructure components on their campus.

You really have no idea what you’re talking about. Notably, you’d have to prove UM didn’t take appropriate action here or a lapse in inaction lead to this going on longer. And that’s a pretty hard sell given it went on for 6 years at the Ravens undetected.

What you quoted is exactly what UM used to uncover and fire the employee; which is all they can actually do here. Unless you can point to something UM did that allowed it to go on for longer than it should you have no argument here (that is, unless other information comes out).

#1- this was not university data. This was private data, accessed through a third party. Was the third party affiliated with UM in any way? That changes a lot.

#2 So long as UM can demonstrate they had appropriate levels of safeguards in place then there is no winnable lawsuit here.

Now, will UM pay out because it’s easier or cheaper? Maybe. But if this actually went to court, unless there’s some bombshell we don’t know about, UM is not responsible for criminal activity that took place via their network unless there’s provable negligence.

With the kind of criminal activity we’re talking about, which essentially boils down to stolen logins, that would be incredibly hard to detect through simple network monitoring. This may have turned up in a quarterly scan of a university computer for flagged data (passwords, SSN’s, ect) but there’s nothing that’s going to ping if I take your Hoopla login and log into your account via the UM network.

 

[MAIZEandBLUE09]

We gonna need some good ol' fashioned maze&blew mental gymnastics here.

Ahh. Another topic where you blindly take the wrong side. Congrats.

 

[cwerph]

You really have no idea what you’re talking about. Notably, you’d have to prove UM didn’t take appropriate action here.

What you quoted is exactly what UM used to uncover and fire the employee; which is all they can actually do here. Unless you can point to something UM did that allowed it to go on for longer than it should you have no argument here (that is, unless other information comes out).

#1- this was not university data. This was private data, accessed through a third party. Was the third party affiliated with UM in any way? That changes a lot.

#2 So long as UM can demonstrate they had appropriate levels of safeguards in place then there is no winnable lawsuit here.

Now, will UM pay out because it’s easier or cheaper? Maybe. But if this actually went to court, unless there’s some bombshell we don’t know about, UM is not responsible for criminal activity that took place via their network unless there’s provable negligence.

My 20 years in software development and 6 years in legal/compliance says I know lots more than you think.

Let's go to court. Jury trial. Put 5 girls from Michigan on the stand, crying about how they were violated and have been in therapy since this was revealed, living in fear that someone who receive the photos from Weiss will make them public. His actions were inappropriate and it took far too long for him to be caught even though Michigan's own policy claims they monitor for inappropriate use of university resources.

Michigan lawyers will be begging to settle this thing before discovery begins. They are way smarter than you.

 

[cwerph]

We gonna need some good ol' fashioned maze&blew mental gymnastics here.

It was a floor exercise worthy of Simone Biles. He doesn't disappoint.

 

[MAIZEandBLUE09]

My 20 years in software development and 6 years in legal/compliance says I know lots more than you think.

Let's go to court. Jury trial. Put 5 girls from Michigan on the stand, crying about how they were violated and have been in therapy since this was revealed, living in fear that someone who receive the photos from Weiss will make them public. His actions were inappropriate and it took far too long for him to be caught.

Michigan lawyers will be begging to settle this thing before discovery begins. They are way smarter than you.

I’m not doxing myself, but I know more than you on this topic. And a lot.

This is what the lawsuit claims

"As a result of the University’s recklessness, the recklessness of the Regents, and the gross negligence of Keffer, Weiss downloaded personal, intimate digital photographs and videos of Plaintiffs and others, all of which Plaintiffs and other class members entrusted to the Non-Individual Defendants," the lawsuit reads. "Because the Non-Individual Defendants negligently and recklessly failed to exercise any control over Weiss, Weiss, in furtherance of performance of his job duties, was able to successfully target athletes such as Plaintiffs and others similar to them and download, obtain, and use their private information, images, and videos."

And again, they have to prove this. What was the recklessness. If there was some, then they have a winning case. Id there wasn’t and it was simply Weiss using a university computer to accomplish his criminal activity, then they don’t; at least against the university. If there entire argument is that the university didn’t “control” Weiss from committing a crime, they don’t have an argument. Hard stop.

But we still don’t know a lot. Was the third party affiliated with the university? Again, that’s huge here. And specifically, how Weiss was getting the data is important.

And are you also then suggesting all the people with data stolen could sue both the Ravens and UM?

There’s a lot we don’t know. But the main point is if there’s no negligence and it was just an employee committing a crime via UM resources, then there’s no case here. And the connection to “personal accounts with intimate photos” is a wildcard here. How did he get that and why did 3rd party data help him with that?

 

[MAIZEandBLUE09]

This article seems to offer more detail

2 former UM athletes sue ex-Michigan coordinator, accuse him of stealing 'intimate' photos

The lawsuit came one day after Matt Weiss was charged with stealing intimate photographs and videos of athletes.

www.detroitnews.com

The government alleges Weiss hacked the databases by compromising the passwords of accounts belonging to trainers and athletic directors. He downloaded the passwords — which the lawsuit alleges were poorly encrypted — the students used to access Keffer's system, then allegedly used that and information he gained from Keffer to obtain access to their social media, email and cloud storage accounts by guessing or resetting their passwords.

"His ability to do so was aided by the University and the Regents, both of whom permitted him to have access and use of electronic credentials that were means of viewing and downloading personal, private, and intimate images of Plaintiffs and others similar to them," according to the lawsuit. "The recklessness and negligence and misconduct of the Regents, the University, and Keffer in these respects enabled Weiss to target female college athletes to obtain their private and sensitive information without authorization, including but not limited to Plaintiffs."

Their entire argument seems to be that the university gave him credentials to log into this database?

Again, an extremely loose case here.

 

[cwerph]

I’m not doxing myself, but I know more than you on this topic. And a lot.

This is what the lawsuit claims

And again, they have to prove this. What was the recklessness. If there was some, then they have a winning case. Id there wasn’t and it was simply Weiss using a university computer to accomplish his criminal activity, then they don’t; at least against the university. If there entire argument is that the university didn’t “control” Weiss from committing a crime, they don’t have an argument. Hard stop.

But we still don’t know a lot. Was the third party affiliated with the university? Again, that’s huge here. And specifically, how Weiss was getting the data is important.

And are you also then suggesting all the people with data stolen could sue both the Ravens and UM?

There’s a lot we don’t know. But the main point is if there’s no negligence and it was just an employee committing a crime via UM resources, then there’s no case here. And the connection to “personal accounts with intimate photos” is a wildcard here. How did he get that and why did 3rd party data help him with that?

Ok, Perry Mason. You win. We shall see what happens.

 

[cwerph]

This article seems to offer more detail

2 former UM athletes sue ex-Michigan coordinator, accuse him of stealing 'intimate' photos

The lawsuit came one day after Matt Weiss was charged with stealing intimate photographs and videos of athletes.

www.detroitnews.com

Their entire argument seems to be that the university gave him credentials to log into this database?

Again, an extremely loose case here.

Their argument is that, per university policy, anyone with login credentials for the university should have been monitored to ensure that university resources were not used for inappropriate purposes.

Weiss was not adequately monitored.

Duty. Breach of Duty. Causation. Damages. The four elements of any tort. Civil case only rests on preponderance of the evidence. This isn't criminal where it is beyond reasonable doubt.

 

[MAIZEandBLUE09]

Their argument is that, per university policy, anyone with login credentials for the university should have been monitored to ensure that university resources were not used for inappropriate purposes.

Weiss was not adequately monitored.

Duty. Breach of Duty. Causation. Damages. The four elements of any tort. Civil case only rests on preponderance of the evidence. This isn't criminal where it is beyond reasonable doubt.

No. That’s not UM policy. UM does not monitor the basic internet activity of users. UM does not monitor the computer usage of faculty and staff. In the SPG you posted, it details a set of expectations of both users and the university. End Users are responsible for appropriate use. See your own link:

• Not attempt to cause harm or do anything that can be reasonably perceived as malicious while on a campus network.
  In addition, students who live in university housing must adhere to the U-M Network Responsible Use Agreement.

I suspect that the quantity of personal data downloaded to a non private folder on his university machine was ultimately flagged through the roughly quarterly scans of university machines for exposed personal data.

But no, the responsibility of appropriate use relies entirely on end users. And violations of such, as very nicely displayed in your own link, can lead to disciplinary action. Which is exactly what happened.

 

[Voltaire]

Their argument is that, per university policy, anyone with login credentials for the university should have been monitored to ensure that university resources were not used for inappropriate purposes.

Weiss was not adequately monitored.

Duty. Breach of Duty. Causation. Damages. The four elements of any tort. Civil case only rests on preponderance of the evidence. This isn't criminal where it is beyond reasonable doubt.

Michigan can absolutely be held culpable for actions of it employees. I can honestly say that no one posting here has any evidence worth anything. Usually, a criminal case is first, because you can use all the evidence in the civil case. I have much more to say, but shoulder surgery prevents me from typing too much, and I don't have any evidence like y'all.

 

[MAIZEandBLUE09]

Michigan can absolutely be held culpable for actions of it employees. I can honestly say that no one posting here has any evidence worth anything. Usually, a criminal case is first, because you can use all the evidence in the civil case. I have much more to say, but shoulder surgery prevents me from typing too much, and I don't have any evidence like y'all.

Right. If there’s negligence. I haven’t seen any evidence of negligence on behalf of the school yet. From where it stands it seems like the university found and responded to this incident appropriately.

 

[cwerph]

No. That’s not UM policy. UM does not monitor the basic internet activity of users.

I quoted from the UM website exactly what their policy is. Did you miss it?

UM does not monitor the computer usage of faculty and staff. In the SPG you posted, it details a set of expectations of both users and the university. End Users are responsible for appropriate use. See your own link:

I suspect that the quantity of personal data downloaded to a non private folder on his university machine was ultimately flagged through the roughly quarterly scans of university machines for exposed personal data.

But no, the responsibility of appropriate use relies entirely on end users. And violations of such, as very nicely displayed in your own link, can lead to disciplinary action. Which is exactly what happened.

 

[MAIZEandBLUE09]

I quoted from the UM website exactly what their policy is. Did you miss it?

You don’t seem to understand what that policy means. You seemed to fail to scroll on down where they very specifically list HOW they monitor the systems and network. You mistakenly understood that as monitoring individual usage; which does not go on.

I suggest you start here and continue reading

III. Standard​

U-M deploys a variety of network monitoring and protection mechanisms that are critical to network security and early threat detection and are designed to:

• Prevent exfiltration or the unauthorized transfer of data;
• Restrict network access to specific hosts and services with failsafes; and
• Limit the attack surface of networked devices.

UM monitors the broader network, it doesn’t monitor individual usage; especially in the context of policing that individual usage. UM monitors the network for breaches and attacks, not from Weiss using his issued laptop to log into a 3rd party vendor.

 

[cwerph]

You don’t seem to understand what that policy means. You seemed to fail to scroll on down where they very specifically list HOW they monitor the systems and network. You mistakenly understood that as monitoring individual usage; which does not go on.

I suggest you start here and continue reading

UM monitors the broader network, it doesn’t monitor individual usage; especially in the context of policing that individual usage. UM monitors the network for breaches and attacks, not from Weiss using his issued laptop to log into a 3rd party vendor.

It is not either/or.

I suggest you re-read what I posted, where BOTH things are mentioned.

• Monitor and protect the university’s networks, and associated systems, services, and applications, from abuse, attacks, and inappropriate use;
• Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
• Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
• Effectively balance operational concerns and security challenges.

If you state that Michigan has no monitoring to make sure users aren't utilizing their network for nefarious purposes, you are admitting their negligence.

Cybersecurity is a wide-ranging subject and includes both internal and external monitoring. This is not a guess.

 

[MAIZEandBLUE09]

It is not either/or.

I suggest you re-read what I posted, where BOTH things are mentioned.

• Monitor and protect the university’s networks, and associated systems, services, and applications, from abuse, attacks, and inappropriate use;
• Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
• Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
• Effectively balance operational concerns and security challenges.

If you state that Michigan has no monitoring to make sure users aren't utilizing their network for nefarious purposes, you are admitting their negligence.

Cybersecurity is a wide-ranging subject and includes both internal and external monitoring. This is not a guess.

Again, you should keep reading. You still don’t seem to understand the extent of what that covered. It’s described for you in plain text. Michigans internet is open. Michigan provides security and monitoring on a macro scale, not a micro scale.

Michigan, nor basically any other university, has monitoring systems in place that would catch a user logging into a 3rd party database with credentials that either weren’t theirs -or- using valid credentials and using the data illicitly. This isn’t a business where certain sites, keywords and activity is blocked or flagged. Individual user activity is not logged.

Moreover, an athletic staff member logging into an account that tracks athletes would absolutely not raise and flags. Again, I think the stored data he downloaded ultimately got caught by the university via a regular scan for unprotected data.


Ultimately, users (including students) are responsible for not committing crimes while on the university network. They’re not monitoring student tik tok activity against cyber bullying and they’re not monitoring the 3rd party site login activity of a random athletic staffer.

 

[cwerph]

Again, you should keep reading. You still don’t seem to understand the extent of what that covered. It’s described for you in plain text. Michigans internet is open. Michigan provides security and monitoring on a macro scale, not a micro scale.

Michigan, nor basically any other university, has monitoring systems in place that would catch a user logging into a 3rd party database with credentials that either weren’t theirs -or- using valid credentials and using the data illicitly. This isn’t a business where certain sites, keywords and activity is blocked or flagged. Individual user activity is not logged.

Moreover, an athletic staff member logging into an account that tracks athletes would absolutely not raise and flags. Again, I think the stored data he downloaded ultimately got caught by the university via a regular scan for unprotected data.


Ultimately, users (including students) are responsible for not committing crimes while on the university network. They’re not monitoring student tik tok activity against cyber bullying and they’re not monitoring the 3rd party site login activity of a random athletic staffer.

Why do they bother to mention monitoring and protecting from inappropriate use?

Seems like you are saying they do not monitor for inappropriate use.

If they had no monitoring in place, how was he caught?

 

[Red_Alert]

Why do they bother to mention monitoring and protecting from inappropriate use?

Seems like you are saying they do not monitor for inappropriate use.

If they had no monitoring in place, how was he caught?

"JuSt BeCaUsE iT SaYs iNaPPrOpRiAtE uSe, dOeS NoT mEaN iT AppLiEs tO iNaPPrOpRiAtE uSe" - maze&blew