Slashdot Mirror


WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation.'"

350 comments

  1. California's new notification provisions: July 1 by NumberField · · Score: 5, Informative
    They just squeaked by on the calendar. Under the new California Law that goes into effect on July 1, they would have to notify each of the potentially-affected students after a breach like this.

    Should be fascinating to see how people react as they start to find out how often security problems actually occur...

  2. Nice tactics by Anonymous Coward · · Score: 0, Interesting

    Right way to get attention ....

    Wrong way to do it without going to jail.

    1. Re:Nice tactics by nomadic · · Score: 1

      But...they didn't go to jail. So they did it the right way, eh? I swear, sometimes I just don't understand slashdotters...

  3. Upside by The_Rippa · · Score: 5, Funny

    I guess Match.com and Yahoo Personals will have plenty of photos of young nubile girls to fill the fake ads on their service with.

    1. Re:Upside by mrpuffypants · · Score: 4, Funny

      fake? you mean there aren't 50 hot coeds out there looking for a guy who put FreeBSD and Mac OS X in his profile?

      damnit.

    2. Re:Upside by Anonymous Coward · · Score: 0

      That's not funny. What if it were your sister/daughter?

  4. Now this is funny!!! by NEOtaku17 · · Score: 0

    Whose bright idea was it to Wifi sensitive files...Real bright people these schools have.

  5. Security is still sub-par with wifi by mao+che+minh · · Score: 4, Informative

    WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sniffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithms.

    WTLS (Wireless Transport Layer Security) was designed poorly as well. Its design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.

    Attacks against the WAP WTLS protocol (PDF): Source one, Source two

    Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek
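
The per-packet key reuse described in the comment above, as an added example that is not part of the original post: a simplified Python model of WEP framing (per-frame RC4 key = 24-bit IV followed by the shared secret, key-ID byte omitted) showing that frames sharing an IV share a keystream, plus a check that flags repeated IVs. The key, IVs and payloads are constructed sample data, and the function names are this example's own.

```python
"""Simplified WEP framing: why a 24-bit IV makes RC4 keystreams repeat.

Added illustration; the key, IVs and payloads below are constructed sample data.
"""
import math
import struct
import zlib
from collections import defaultdict

IV_BITS = 24  # WEP sends a 3-byte IV in the clear with every frame


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || ((payload || CRC-32 ICV) XOR RC4(IV || secret)).

    Simplification: the key-ID byte that follows the IV on the air is omitted.
    """
    assert len(iv) == IV_BITS // 8
    body = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def find_iv_reuse(frames):
    """Map each IV seen more than once to the indexes of the frames using it."""
    seen = defaultdict(list)
    for idx, frame in enumerate(frames):
        seen[frame[:3]].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies.

    Under the same IV the keystream cancels, leaving plaintext XOR plaintext.
    """
    return xor(frame_a[3:], frame_b[3:])


def frames_until_random_iv_repeat(probability: float = 0.5) -> int:
    """Birthday estimate of frames sent before two randomly chosen IVs match.

    A card that counts IVs up from zero instead repeats after 2**24 frames,
    or sooner if it restarts at zero whenever it is reset.
    """
    space = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample data: a 40-bit secret and three equal-length payloads.
DEMO_SECRET = bytes.fromhex("0102030405")
DEMO_PAYLOADS = [
    b"student=1001;grade=A",
    b"student=1002;grade=C",
    b"student=1003;grade=B",
]
# The third frame repeats the first frame's IV.
DEMO_IVS = [b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01"]


def build_demo_frames():
    return [wep_encrypt(DEMO_SECRET, iv, p)
            for iv, p in zip(DEMO_IVS, DEMO_PAYLOADS)]


if __name__ == "__main__":
    frames = build_demo_frames()
    for iv, idxs in find_iv_reuse(frames).items():
        leaked = ciphertext_xor(frames[idxs[0]], frames[idxs[1]])
        print("IV", iv.hex(), "reused by frames", idxs)
        print("  ciphertext XOR (= plaintext XOR):", leaked.hex())
    print("frames for a 50% chance of a random-IV repeat:",
          frames_until_random_iv_repeat())
```

Because the shared secret never changes, only the IV separates one frame's keystream from another's, which is why later replies in this thread treat the wireless segment as untrusted and tunnel over it with a VPN or IPsec.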

    1. Re:Security is still sub-par with wifi by Bull999999 · · Score: 1

      From reading the article, it looks like they didn't even bother using WEP. It's sad that even with a large number of out-of-job IT workers, the district can't find someone with network security experience.

      --
      1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    2. Re:Security is still sub-par with wifi by Anonymous Coward · · Score: 0

      Universities pay less than the unemployment office...

    3. Re:Security is still sub-par with wifi by PD · · Score: 1

      The downloadable pdf of this document is an EXE file. Nice try, but I am not fooled. I'm running Linux anyway.

    4. Re:Security is still sub-par with wifi by bobthemonkey13 · · Score: 5, Informative

      The key to understanding WEP is the phrase "Wired Equivalency". The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very). WEP never was intended to take the place of encryption systems such as SSL and IPSec that are conventionally used to secure connections over wired networks. Rather, it brings WiFi security to the level of security inherent in wired Ethernet. Thus, WiFi using WEP is insecure only because of the way it is marketed: users see it as a catch-all encryption system, rather than a replacement for the (fairly weak) security inherent to wired Ethernet's physical-access requirement.

    5. Re:Security is still sub-par with wifi by aschlemm · · Score: 1

      Another thing that makes it difficult for people to even bother with WEP is that unless someone is using a wireless NIC and access point/wireless router from the same vendor there's no common passphrase mechanism that allows WEP keys to be easily set. Instead people have to enter cryptic keys into their wireless profiles to access a network that has WEP enabled. I've seen a number of quick start guides that ship with 802.11 gear that say use the "default" values for everything so it just works. That means the factory default SSID is broadcast and WEP is disabled.

      From sitting in my home with my laptop on with a wireless card, I pick up no less than 3 of my neighbors' networks and several of them don't have WEP enabled and in some cases they're still using the factory default SSID. Perhaps they've turned on MAC address filtering; I don't know, since I only survey the networks and never try to connect to any of them.

    6. Re:Security is still sub-par with wifi by jtdubs · · Score: 1

      Don't know what file YOU downloaded, but I just downloaded both sources for the pdf and went to the download link for the other site and downloaded that pdf.

      They were all (surprise) pdf's.

      Justin

    7. Re:Security is still sub-par with wifi by The_K4 · · Score: 1

      And this is a school district (read K-12) which pays even less!

    8. Re:Security is still sub-par with wifi by sholden · · Score: 1
      The SSID (Service Set ID) is sent over the wire
      And all this time I thought the idea was you didn't need wires (hence the term wireless).
    9. Re:Security is still sub-par with wifi by Bull999999 · · Score: 1

      I guess this explains why U.S. tech jobs are getting farmed out to India.

      --
      1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    10. Re:Security is still sub-par with wifi by willtsmith · · Score: 5, Interesting

      This is BS. Most organizations don't have public ethernet jacks sitting curbside like a phone booth.

      The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.

      Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.

      There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS lawsuit.

      PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district ... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociopathic kids (where do you think they get it from)).

      --
      -------- -------- Support Wesley Clark for president!!!
    11. Re:Security is still sub-par with wifi by Saucepan · · Score: 1

      And of course "Wired Equivalency" is total BS. Someone sitting in a van half a block away (or renting a suite next to yours) can spend as much time as they need to attack your WEP point -- days or weeks, even -- during which time someone physically in your building would (hopefully) have been noticed and challenged.

    12. Re:Security is still sub-par with wifi by Anonymous Coward · · Score: 0

      over the wire is an old term used to describe the transmission of information, doesn't mean over a physical wire

    13. Re:Security is still sub-par with wifi by willtsmith · · Score: 0, Offtopic

      Yes,

      Because we underfund our education system and treat teachers like shit. In the east, teaching is the most revered of positions.

      Beyond that, a brat in the orient would be taken out of class and whipped with a cane. Yeah, I know you're thinking, a swat .. right. No this is something completely different. See "Farewell My Concubine" for reference ;-)

      They learn quick to keep their mouths shut and listen to teachers. A parent in the orient would suffer great shame if they got a note about their kid's behavior. The community would shun the parents until they fixed the problem.

      This is the primary problem with US education today. The kids won't keep their mouths shut, and neither the parents nor the administrators will remove them.

      --
      -------- -------- Support Wesley Clark for president!!!
    14. Re:Security is still sub-par with wifi by kilgore_47 · · Score: 4, Insightful

      From reading the article, it looks like they didn't even bother using WEP

      Aside from the fact that WEP is breakable and thus useless, if they had used WEP (and it wasn't broken) the data still would have been accessible to the legitimate wifi users (unless this was a special AP for people who need to see this data). They said the data was accessible to unauthorized users inside the network, too. And they fixed it by turning off the AP?

      I salute the newspaper for taking the initiative (and, perhaps, the risk) of accessing the data themselves. But I wish they would have spun it more as a "piss poor security" issue than a "wireless security" issue. As far as I can tell, this has hardly anything to do with wireless at all. It's certainly not a reason for schools to not run open networks. They just need to secure their wired networks just like they should have before wireless!

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    15. Re:Security is still sub-par with wifi by pmmay · · Score: 1

      At least someone else noticed this too. They logged on from a regular workstation in a class room.

      At least random people on the street can't get the data. I'm just more worried about students. Just wait till Little Johnny finds out that Little Billy is a nut case.

      Maybe we should see if there is a book "Network Security for Dummies" and send it.

    16. Re:Security is still sub-par with wifi by Beryllium+Sphere(tm) · · Score: 1

      802.1x doesn't fix things either, because it doesn't authenticate the access point to the client. Wireless Protected Access, and later on 802.11i, look more promising whenever they actually come on to the market.

      None of which would have helped the school district, because this breach was a pure example of the human factor at work. They gave all the wireless clients password-free guest access, don't seem to have even turned on WEP (which at least keeps people from connecting to your network by accident), and didn't limit access to servers with protected student data.

      Then the people who saw a problem say they couldn't act because there wasn't a policy in place. From the article: "Grant recommended locking down the wireless network, but was told the district was waiting for the school year to end and the board to approve the technology-use policy."

      Pathetic, but a good illustration that technical security only helps once administrative security is up and running.

    17. Re:Security is still sub-par with wifi by TedCheshireAcad · · Score: 1

      ...so therefore, unsecured wireless networks?

      Let's try to stay on topic, here.

    18. Re:Security is still sub-par with wifi by sholden · · Score: 1

      The term "joke" is also pretty old.

    19. Re:Security is still sub-par with wifi by okvol · · Score: 1

      I prefer the simple method - hammer and chisel style. Two networks, with a cheap Linux (or even Linksys) firewall between. Secure net can get out, unsecure can't get back in. Wi-Fi only on the unsecure. A hint of red/black syndrome.

      What is the crying shame is the tonnage of knowledgeable IT folks that live within 30 minutes drive of Palo Alto. This is the southern end of Silicon Valley. Surely someone could donate time to help the school. I'd rather donate time than pay higher taxes for a cheapest bid contractor to mangle the school network.

      And, don't forget the high cost of living in Palo Alto. Even a "well paid" teacher can just be barely breaking even.

      --
      cabg x3 is a life changing event...
    20. Re:Security is still sub-par with wifi by God!+Awful+2 · · Score: 3, Funny

      The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very).

      Yeah, I'm sure they made it weak on purpose... They were all set to publish a stronger algorithm, but then someone said "Hey! This isn't wired *equivalent*, this is superior to unencrypted Ethernet."

      Unfortunately by that point they were already set on the name. [It was already in all the marketing materials and WEP just has a better ring to it than BWP (Better than Wired Privacy).] So the only solution was to introduce an arcane security flaw.

      Yeah, that's so much more plausible than "They fucked up!"

      -a

    21. Re:Security is still sub-par with wifi by Realistic_Dragon · · Score: 1

      This is BS. Most organization don't have public ethernet jacks sitting curbside like a phone booth.

      But if you turn up in a suit carrying a laptop you will have little trouble finding yourself a quiet conference room. Less chance of getting caught than WiFi attacks as well, because they won't be expecting it.

      Got to admit that even on my LAN+WiFi-LAN the weak point is the wired section - the WiFi net is encrypted, authenticated and heavily monitored and the wired LAN even has a DHCP server handing out public IP addresses to all and sundry! Probably ought to fix that one sharpish.

      --
      Beep beep.
    22. Re:Security is still sub-par with wifi by NoodleSlayer · · Score: 1
      You'll be surprised how easy it is to jack into an ethernet port at a public school. Walking into the library you should see a couple open ethernet ports. If you're really inventive you might see some ethernet cables running along the walls outside that could provide for not so quick access in a pinch.

      Although that really isn't the big issue, wireless networks are inherently insecure, and if all you're giving out is free bandwidth it's not really a big deal. However the concern is that the district had left this information without a single password: (and I blockquote)

      Unauthorized users could copy many of those sensitive files, as well as upload their own files onto one of the district's servers, Fuji, the Weekly found. Unlike the majority of the district's information, the documents were not password protected.

      The same information was also accessible to individuals using district computers within school sites.

      The problem here is that we have some idiot that left the files on a public share, evidently according to the paper they were also able to get into the SASIxp system, which for those of you who are unfamiliar is a popular (in the eyes of the people who sell it, not those who use it) bulky, slow, unstable and generally horrid student, grade and attendance management system. With the click of a button on an account that some teacher carelessly left open, students can access their peers' grades, attendance records and permanent record including any criminal offenses and mental analysis.

      This is a system that is being implemented in schools across the nation at an alarming rate. Why? Is it because it works? Hardly. At the two schools I've seen it used both the SASI servers were down half the time. Is it because it's user friendly? Definitely not. Many teachers are afraid to touch it, others flat out refuse because it takes too much time out of class for them to have to sit down at the computer and take attendance. But like I said, this system has its perks, it gives teachers access to information which they themselves are not supposed to know.

      So you are probably right, it almost certainly was a disgruntled teacher that reported this, maybe even a disgruntled student. Good for them. If the district office won't listen the first time around they deserve to get themselves embarrassed. Hopefully this will serve as a shining example for the other lazy, bureaucratic waste of money district administrators out there.

    23. Re:Security is still sub-par with wifi by Anonymous Coward · · Score: 0

      This is BS. Most organization don't have public ethernet jacks sitting curbside like a phone booth.

      That isn't true. Vancouver International Airport had exposed 100BaseT ethernet running out to their parking meters, all on an unswitched network. This isn't the case anymore, but at the time a lot of interesting traffic was running outside.

    24. Re:Security is still sub-par with wifi by CoolCash · · Score: 1

      You have a good point. But you also have one flaw, you are assuming that WEP was enabled on this router. Most "average users" don't know or care what WEP is.

    25. Re:Security is still sub-par with wifi by Slack3r78 · · Score: 1

      This is understandable for an individual, but absolutely no excuse whatsoever for a network which contains students' private information.

  6. They did it with p2p... by c0dedude · · Score: 4, Informative

    Remember a week ago when at Senate hearings RIAA people said that Peer to Peer could put inexperienced users' personal information at risk? My guess is there'll be a similar "Ban the Technology" movement against this for government use because of the potential danger. Except in cases where it would logically be needed, like free public internet access points. Of course, I could be wrong, but it's a thought.

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:They did it with p2p... by Anonymous Coward · · Score: 3, Interesting

      WiFi should be banned. In fact there was talk of a congressional hearing on the sad state of security in WiFi. It is insecure by default and the maximum security you can apply to it is flawed and easily hackable.

      If this does anything, it should make the gov. smack the hell out of all WiFi consortium members by preventing them from selling any more equipment till they actually get it right. (And giving refunds for all faulty equipment already sold)

    2. Re:They did it with p2p... by hopbine · · Score: 1

      No, there should not be a "ban the technology" movement, but people who don't understand the technology should be banned. I was lucky enough to be born in an age when you needed a lock pick to look at my school records and most people at least understood them even if they didn't know how to use them.

      --
      Semper ubi sub ubi
    3. Re:They did it with p2p... by lucifuge31337 · · Score: 1

      It is insecure by default and the maximum security you can apply to it is flawed and easily hackable.

      Really? You mean that the APs I deploy on their own network segment that have 128 bit WEP on them are insecure? Oh..that maximum security I apply is that "own network segment" thing. It's as trusted as Internet traffic. Meaning users must VPN from that network to get to the real network.

      I think you need to learn more about networking before declaring a technology "flawed and easily hackable".

      Oh yeah...the VPN client pushes mandatory personal firewall rules to each client keeping any wifi user from rooting another in an effort to gain access.

      --
      Do not fold, spindle or mutilate.
    4. Re:They did it with p2p... by halo8 · · Score: 1

      to all you young script kiddies and 31337's and the people that just want to "learn by doing"

      JOIN YOUR SCHOOL'S NEWSPAPER

      --
      The More Knowledge you have the Luckier you Get- J.R. Ewing
    5. Re:They did it with p2p... by loraksus · · Score: 1

      oh shut the fuck up and use ipsec or something equivalent. God.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  7. Excellent felony! by Geminus · · Score: 5, Interesting

    Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?

    1. Re:Excellent felony! by Skyshadow · · Score: 5, Insightful
      It's only a felony if they get convicted, and no jury in the land is going to convict a newspaper that discovered that a school was spooging out private information of minors to the world. That's why we have juries -- to provide a check on the government.

      Of course, they might just be declared enemy combatants and all this silly due-process thing could be avoided...

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    2. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      A friend of mine in the San Diego area got arrested for doing the same thing at a local community college. Of course the police had no idea how to handle it and the charges were eventually dropped, but last I checked they still had his laptop (it's been about 8 months).

    3. Re:Excellent felony! by garymm · · Score: 1

      well, it's not like they exploited it. laws are not flexible enough sometimes. Wow, I hope this doesn't happen at my school. Of course, they're too low-tech to install Wi-Fi, but if they did, I'm sure they would forget to install WEP.

    4. Re:Excellent felony! by fdawg · · Score: 3, Insightful

      This is probably offtopic, but how did he get caught? Did they track him down via his MAC? Was he doing something mischievous?

      Things like this bother me. It's getting to the point where if you have a laptop and you're outside or if you're on a cablemodem doing something other than web surfing, you're going to get arrested. The media isn't helping the witch hunt. Uninformed press always make things seem worse than they are just to boost sales and preserve position.

    5. Re:Excellent felony! by LionMage · · Score: 4, Interesting
      Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, [snip]

      I'm not familiar with the laws, but which part is the felony exactly? How can "just" getting the IP address constitute a felony? We don't even know whether the newspaper had to crack encryption to get into this network. Maybe the access point was being run wide open, as another poster suggested.

      Certainly, if they had to break in, then it's a felony; on the other hand, if the school ran the access point wide open, then there's more of a gray area.

      I have a particular interest in this. You see, I recently got in trouble with H*neywell for using their WiFi without permission. I do consulting work for a small company, and there's a H*neywell office just down the hall from where I work. Someone at that office installed a WiFi access point, apparently contrary to company policy. That access point stayed up for many months, then recently came down, and I never thought anything of it. The access point was being run entirely without security of any kind -- no WEP, no password, nothing.

      I was only using this to surf the web and download some software updates/patches to my iBook. I didn't go out looking for this access point, but my iBook is configured to find the nearest access point as soon as it wakes up from sleep (or boots up).

      Then about a week after the access point went down, I got a call from my consulting firm. It seems that H*neywell had somehow traced my use of their WiFi access point, and wanted to do something about it. I almost lost my job, but ultimately, a deal was struck whereby I surrendered my laptop to have the hard disk imaged; the laptop was returned to me less than 2 days later, fully intact.

      The official story I got was that H*neywell hired an outside firm to check their network security, and they identified the WiFi access point as a security hole; the employee who set it up was fired. Then the security firm traced all who had used the access point, and found my "digital fingerprint."

      The unofficial story I got from some other folks in-the-know is that I had posted about my discovery in my LiveJournal, and someone did a Google search and found the entry. Apparently, I forgot to make this a non-public entry. So that's how I was really found out. (That entry has been made friends-only now.) I'm still not 100% sure how Google indexed my journal, since I have my prefs set up to prevent indexing, but not all spiders respect that.

      I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall! As it turns out, the access point was behind their firewall, and I could have accessed a whole bunch of material I wasn't supposed to. Scary thought.

      I think the real reason I got in trouble was that I embarrassed H*neywell. They could have conceivably taken legal action against me personally, but that would have created a weird situation for them, since it would expose them to government scrutiny. And they might lose some favorable government contracts if that happened. Moral of the story: Always check to see what you're connecting to. That hot-spot might not be safe to connect to after all!
    6. Re:Excellent felony! by Blue+Stone · · Score: 1
      "Of course, they might just be declared enemy combatants..."

      Who, the newspaper reporters or the jury members that don't return a verdict the government likes?

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    7. Re:Excellent felony! by Billy+the+Mountain · · Score: 1

      Of course, they might just be declared enemy combatants and all this silly due-process thing could be avoided...

      And of course they won't mind because they'll get an all-expenses-paid-permanent vacation in sunny Cuba.

      --
      That was the turning point of my life--I went from negative zero to positive zero.
    8. Re:Excellent felony! by VCAGuy · · Score: 1
      Who, the newspaper reporters or the jury members that don't return a verdict the government likes?

      I don't think that's an or question.

      --
      Q: "Why do sound techs say 'check 1, 2'?"
      A: "Cause if they could count any higher they'd be lighting techs."
    9. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      He had been at the site before and the admins on the network had noticed him connected. They noted his MAC address and when they saw him connect again called the police. When the police got there the admins came out and took his NIC and read off the MAC address so they knew it was him. They had logs of all the times he had connected and what he had done, etc.

    10. Re:Excellent felony! by Anonymous Coward · · Score: 0

      Okay, I'll bite. Keep in mind, I'm NOT trying to be an asshole.

      So. There's a WAP that you find one day, that doesn't belong to you. So you authenticate against it, and proceed to use it like it was your own? You KNOW it doesn't belong to you or your company. You KNOW it's not there for YOU to use - secured or not, behind a firewall or not. I'm not defending H*neywell because they are at fault. But you would have to be a moron to think that "hey someone put up this AP and they must be okay with me using it, since I can see it."

      How does the fact that you *could* connect to it make it okay to connect to it? Really, why were you surprised you got in trouble?

      I've had consultants do the same thing at my company. Mostly, they have zero respect for anyone else's property (network/bandwidth/whatever.) Yeah, when I come in on Monday and notice a whole bunch of laptops on MY network without MY permission, I get pissed. Hey, just because there's a jack in the wall doesn't mean you can use it. Have some respect.

      What's worse, is that when I get bored and go warwalking and *huh* would you look at that...an unsecured AP that I didn't install. Okay...hunting...signal strength..getting stronger. Oh. The bunch of consultants that just came in this week. They're all out to lunch. I'll just look in their cubes. Huh. Yep, there's an AP under their desk. Gee, nobody told me. I'll just go into the *locked* switch closet and unplug all of their jacks. Then I'll leave a note at all of their cubes. "Dear asshole(s). I will be back to restore connectivity to your desks as soon as you can explain what this AP is doing here. Also, keep in mind that I will be watching you and your traffic like a hawk. Thanks."

      Silly thing. I probably would have bent over backwards to accommodate them, had they at least had the decency to ask.

      Moral of the story: When you take matters into your own hands, *knowing* that someone else *might* find out and *just might* not be happy with what you're doing - BE PREPARED TO BE RESPONSIBLE FOR YOUR OWN ACTIONS.

    11. Re:Excellent felony! by willtsmith · · Score: 1

      I'd have to say that this is a "Black Hat" activity.

      When you discover a security vulnerability ethics dictate that you report it. Otherwise, all that probing is for your cynical interests.

      You knew that it was a Honeywell network and that access to it was not permitted without permission. In general, you just don't go around taking other people's stuff and using it without permission.

      Think of it this way. If someone puts a couch on their yard near the road, that doesn't necessarily mean it's free. For all you know they might put it there and sit on it to wait for the bus. If they put a sign on it saying "free" then you can take it. (You'd be VERY surprised how quickly stuff like that gets snatched up. There are people driving around all day looking for free "anything".)

      I'm a bit surprised you're talking about this. Usually when people strike deals like that, they make you sign a non-disclosure agreement. Ultimately, if you didn't hack into any of their resources, I don't think they could have had you prosecuted for anything.

      --
      -------- -------- Support Wesley Clark for president!!!
    12. Re:Excellent felony! by Anonymous Coward · · Score: 0

      I guess you didn't read the article; the school made the network publicly available. I would consider that permission to use the network.

    13. Re:Excellent felony! by Anonymous Coward · · Score: 0

      Mostly, they have zero respect for anyone else's property

      Maybe because people are starting to catch on that private ownership of property and resources is THEFT?

    14. Re:Excellent felony! by LionMage · · Score: 1
      When you discover a security vulnerability ethics dictate that you report it. Otherwise, all that probing is for your cynical interests.

      You're right, I should have reported the vulnerability, but I have no personal relationship with H*neywell. My consulting firm does, however. Ethically, I should have reported it anyway, but I wasn't legally obligated to tell them that their barn door was open.

      You knew that it was a [H*neywell] network and that access to it was not permitted without permission. In general, you just don't go around taking other people's stuff and using it without permission.

      I knew well after my laptop connected to it that the access point belonged to H*neywell. And I did not know that access to that hot spot was not permitted. How many places run hot spots without security of any kind whatsoever? Of those, how many places do so and demand that you not access their hot spot without permission? Right. Most places that run a WiFi hot spot with no security are coffee shops and neighborhood co-ops.

      "Taking people's stuff" implies taking a physical item or information. I did neither. That I used their bandwidth is no different than if I borrowed a phone in their office's reception area.
      A better analogy to use is that what H*neywell did is tantamount to someone leaving their front door unlocked, and then putting a neon sign above their front door advertising this fact. They might get upset if someone walks into their house from the street, but it's highly questionable whether you could even call it trespassing.

      If someone puts a couch on their yard near the road, that doesn't necessarily mean it's free. For all you know they might put it there and sit on it to wait for the bus. If they put a sign on it saying "free" then you can take it.

      That's called abandonment. In most municipalities, if you leave something in your yard and it's not secured in any way, especially if it's placed right near a right-of-way (such as a road), it's assumed that the object is either trash or abandoned. Local regulations may dictate whether you or the trash collector has a right to take it, and under what circumstances. In some areas, it isn't free for the taking until it winds up in the trash vehicle. But IANAL, so consult yours before taking any of this as gospel. I already talked to my lawyer, and I'm pretty secure in my position that I violated no laws.

      I'm a bit surprised you're talking about this. Usually when people strike deals like that, they make you sign a non-disclosure agreement. Ultimately, if you didn't hack into any of their resources, I don't think they could have had you prosecuted for anything.

      I was not forced to sign anything, and I did everything H*neywell asked me to do, so they really have nothing to bitch about. I didn't hack into any of their resources, as they can plainly see by looking at the image of my laptop's hard disk. So no, they had nothing on me to prosecute me with.
    15. Re:Excellent felony! by Anonymous Coward · · Score: 0

      What?

      Maybe I'm drunk. I don't understand what you're saying here.

    16. Re:Excellent felony! by willtsmith · · Score: 1

      Regarding the laptops connected to the wall jacks: isn't it presumed that if they are consultants, they'll need certain local resources?

      This is probably an issue of communicating properly with the person who brought them in. I would actually hold HIM responsible before the consultants. Their "host" should make sure they have the proper work environment, etc... If they do something inappropriate, it's the responsibility of their "host".

      The wireless AP IS absolutely out of line. That's effectively redistributing a company's private LAN EXTERNALLY.

      I dunno, if there are contractors in the building, I think an IT person should make sure that they have what they need to work. Those folks don't work cheap and if they can't get stuff done, it's your organization that will pay extra. Everybody in an organization typically has internal customers that they need to serve. I've dealt with IT people who thought that they had to clear everything under the sun with them and it's really annoying. At some point you have to recognize users as customers that you must enable, not as enemies you must defend against.

      --
      -------- -------- Support Wesley Clark for president!!!
    17. Re:Excellent felony! by LionMage · · Score: 2, Interesting
      How does the fact that you *could* connect to it make it okay to connect to it? Really, why were you surprised you got in trouble?

      The same way that a cop walks into a person's house without explicit verbal or written permission, if the cop finds that the person's front door is unlocked and if they have a reason to be at that person's house in the first place.

      OK, I may not have had a reason to enter H*neywell's "house," but what they did is tantamount to leaving the barn door open, or leaving their front door unlocked and putting a big neon sign over it that says "this door is unlocked." (My lawyer, incidentally, agrees with me, and not because I paid him to. He helped me with this pro bono.) What I did was stupid, granted, but not technically illegal.

      Also keep in mind that, as I stated very clearly, my iBook is configured to automatically connect to any available base station upon waking up, or upon boot. I found out this access point belonged to H*neywell after the (metaphorical) damage was already done. I initially thought that it belonged to the company I am consulting for.

      H*neywell might not have been happy, but they have only themselves to blame for running a loose operation at this particular office. I certainly had no way of knowing there was a problem, since I tend to interpret unlocked doors as invitations to entry. If they had put even minimal password protection on their access point, that would have raised a flag saying "Do Not Enter," and I wouldn't have. Simple as that.
    18. Re:Excellent felony! by weeeee · · Score: 1

      Well he has to report it to the police somehow.... After that, it's pretty simple.

    19. Re:Excellent felony! by willtsmith · · Score: 1

      So if some kids leave some bikes in a front yard, near a sidewalk (a right of way) then they are free for the taking. I can guarantee you this is wrong in ANY jurisdiction. It's just un-neighborlike.

      How about if I left a pressurized hose with a spigot near my neighbor's lawn. Does that give him the right to take the hose and water his lawn for an hour? Same thing with a power cord. If I leave a power cord out, does that give you the right to run machinery off it?

      I DON'T THINK SO!!!!!!

      Likewise, with an airborne signal, just because it's there, doesn't necessarily give you permission to use it. It may not be illegal in some instances, but it certainly is RUDE!!!!

      Regarding borrowing the phone ... WOULD YOU ASK FIRST?? Or would you just stroll in and presume to use their equipment and their lines. In most cases someone won't mind after you ask, but if you walk in and pick up their phone without permission they're likely to be unhappy about it.

      --
      -------- -------- Support Wesley Clark for president!!!
    20. Re:Excellent felony! by Anonymous Coward · · Score: 0

      God, people like you make me want to puke.

      What kind of work ethic do you have? Do you not care that you made YOUR employer look like a total shithead? "I wasn't legally obligated to tell them that their barn door was open." What a bunch of crap.

      Unless the halls of whatever office building you were in are lined with Starbucks, then the "coffee shop" idea is total BS. You had to have known it belonged to a business or something similar. Denying that is just stupid - you are either really fucking dumb, or lying.

      ""Taking people's stuff" implies taking a physical item or information. I did neither. That I used their bandwidth is no different than if I borrowed a phone in their office's reception area." Yeah, fucktard! They PAY for the bandwidth. You're not an employee, therefore it is theft. Your phone analogy is bullshit. You didn't "borrow a phone in the reception area", you tapped the line and proceeded to call all of your friends thinking that it was okay.

      Additionally, if you take anything off my property because it is "near the road" you will be beaten and arrested. There is a gas grill in my driveway "near the road." I dare you to take it, thinking it's free.

      The contents of your laptop won't prove shit about what you may or may not have accessed during your extended visit on their network. The fact that you totally complied with them means that you know they were right. Otherwise, you would have told them to go fuck themselves, right?? BTW - after watching traffic on your node for 5 seconds, they would have enough to "prosecute" with.

      You get all high and mighty, yet there are real big fucking holes in your argument. You knew what you were doing was wrong - get over yourself. I'm not saying whatever netadmin at H*neywell that let that slide didn't fuck up.

      Quit passing the buck. You know you were in the wrong. Either you didn't care, or you're an idiot who didn't know better.

    21. Re:Excellent felony! by Anonymous Coward · · Score: 0

      Hey man, I totally agree that H*neywell dropped the ball. Big time.

      But your unlocked-door-analogy does not work. If you saw a service entrance at H*neywell open, would you walk in just because you can? No, of course not. Yeah, sure you didn't steal anything/kill anyone/cause trouble, but it's trespassing nonetheless.

      You knew you shouldn't have been on that access point. The cop sees the open door as a possible sign of foul play, depending on the circumstances.

    22. Re:Excellent felony! by Anonymous Coward · · Score: 0

      They noted his MAC address and when they saw him connect again called the police. When the police got there the admins came out and took his NIC and read off the MAC address so they knew it was him

      Of course, it's trivial to change/spoof a MAC address. Is that really all the 'evidence' they need these days to stea^h^h^h^hconfiscate your laptop????

    23. Re:Excellent felony! by Anonymous Coward · · Score: 0

      What I neglected to tell you was that I had set up PC's for every one of these consultants, complete with the network access they needed.

      My IT shop doesn't allow Joe Schmoe to walk in and plug his laptop in. If we did, we would have zero control over anything on those laptops. Are they running virus scanning? Are they running illegal software? Blah blah blah.

      I told this to the "host" for these consultants. The host originally asked for them to be able to use their laptops and AP, but I said no. The host agreed to IT's long-standing policy and was fine with me setting up a PC for every consultant.

      These high-and-mighty fuckers come in and slap me in the face? I don't think so.

      I'm not one of those guys with the control complex - you don't have to call me for every friggin little thing. Just don't go behind my back *after making an agreement with me* and do whatever the fuck you want. On. My. Network.

      Okay, I have a small complex.

    24. Re:Excellent felony! by BiggerIsBetter · · Score: 1

      It's only a felony if they get convicted, and no jury in the land is going to convict a black dude that raped a drunken ho who was spooging out her boobies for even the minors to the world to see. That's why we have juries -- to provide a check on the government.

      I don't give a rat's ass if it was a newspaper. They openly broke the law to get their story, and they should get done for it like any non-media (ie, lower political embarrassment capability) person would.

      If they had quietly said to the school, "We've heard of/found a security flaw and if you don't fix it for the students asap, we'll go to press with it" I might have some respect, but they didn't. They went for gold, and if they go down, then that's fine by me.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    25. Re:Excellent felony! by Tony-A · · Score: 1

      A better analogy to use is that what H*neywell did is tantamount to someone leaving their front door unlocked, and then putting a neon sign above their front door advertising this fact. [Emphasis added]

      Seems to me that the "neon sign" is more your doing. Publicizing it.
      If my neighbor likes to keep his front door unlocked, that's his business. It is not my business to even discuss the matter with anyone else.

    26. Re:Excellent felony! by Anonymous Coward · · Score: 0

      Sounds like you used to work for Honeywell up until a short time ago. ;-)

      Dude, chill out. LionMage was totally in the right here. Rudeness does not equal illegality.

      I don't even think it was rude to use Honeywell's wi-fi. It was totally Honeywell's fault. If I had found this open wi-fi I would have assumed the same thing that LionMage thought: That it was a courtesy network for their vendors and consultants.

      Incidentally, I work in Palo Alto. I think I'll take my laptop to work tomorrow and go war driving over lunch. ;-)

    27. Re:Excellent felony! by sedmonds · · Score: 2, Interesting

      They shouldn't have to put a flag saying 'Do Not Enter' for the same reason I don't have a flag saying 'Do Not Enter' on the gate to my back yard, on either garage door, or on either entrance to the house. These are my resources, and decent law-abiding folks don't try to enter without my permission.

      A closer analogy might be a parking stall at an office building. I generally assume that off-street parking is private, unless otherwise marked. So sure, I could probably use that off-street parking if I wanted to, and maybe nobody would notice or mind, but that doesn't make it right for me to do so. Likewise, if I connect to a wireless access point, unless I know that I have permission to do so, I don't. I probably could, and I might not get caught using their resources, but that doesn't make it right.

      In your case, your laptop being configured to automatically connect to any base station upon waking or boot is your problem, not H*neywell's. Your configuration options represent your decision to use resources whether or not you have permission.

      In the case of consulting or contracting, you and your employer are responsible for negotiating what resources you should have access to, and how those resources may be used. In the case of an office building, for a laptop user, this should cover wireless usage. Since you 'stumbled upon' H*neywell's network, and assumed that it was a resource of the company at which you were working, it's obvious that you and your employer neglected to do this.

      I'm more inclined to believe that although H*neywell should have taken better precautions, you (not them) are to blame for your intrusion into and use of their network.

    28. Re:Excellent felony! by Chanc_Gorkon · · Score: 1

      You are so lucky. That's all I've got to say! NEVER, unless it's frickin obvious....log in to an unsecured AP. You will be labeled a hacker even though they were stupid.

      --

      Gorkman

    29. Re:Excellent felony! by Chanc_Gorkon · · Score: 1

      Also, why be so dumb by disguising it as H*neywell.....just type Honeywell. It's a childish and stupid form of disguising the network you stole from.

      --

      Gorkman

    30. Re:Excellent felony! by Chanc_Gorkon · · Score: 1

      And this would be a wrong assumption. Vendors courtesy ports in our company get all the same priority security wise as company employee ports would. By vendors, I mean consultants. The Pepsi guy that fills our pop machine does not get a jack! :)

      --

      Gorkman

    31. Re:Excellent felony! by poot_rootbeer · · Score: 1

      Just getting an IP address constitutes committing [a] felony...

      So if I go up to a guy on the street and ask him for $5, and he says 'okay' and gives it to me, I've just committed a felony?

      Asking for something and taking it are not the same.

    32. Re:Excellent felony! by Anonymous Coward · · Score: 0

      Hahah! Fucking dumbass. He deserved to get caught leaving a trail like that behind him. Fucking amateur.

    33. Re:Excellent felony! by palewhitemale · · Score: 1

      Indeed, it seems that inherent in the name of this familiar activity is the ability for these journalists (and I use the term loosely) to be held as enemy combatants. They are indeed wardrivers committing acts of privacy invasion against children.

      -p4l3wh1t3m4l3

      1337 sp34k m4k3s m3 h4ppy

    34. Re:Excellent felony! by Anonymous Coward · · Score: 0

      I'm saying that the idea of private ownership of resources is wrong, and people are catching on, so that's why people aren't "respecting" other people's "property". Besides, all things deserve respect, and shouldn't be abused, no matter who owns it.

    35. Re:Excellent felony! by Anonymous Coward · · Score: 0

      I see. You do have a point there.

  8. Well... by Bob+Vila's+Hammer · · Score: 5, Funny

    The district has known about some aspects of this vulnerability for nearly nine months, but failed to take action until the Weekly informed officials of the situation late last week -- a somewhat ironic development given the school board's recent adoption of a technology-use policy.

    Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.

    --


    --"The perfect example of the man of action is the suicide." - William Carlos Williams
  9. Liability by Skyshadow · · Score: 5, Insightful
    I've said it before, and it's generally gotten a negative (or even angry) response, but let me say again:

    It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.

    The simple truth here is that pointy-hairs and bureaucrats understand one thing: Money. If you threaten to kick them in their budget, they'll respond; otherwise, you'll just keep seeing these articles.

    I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail. These institutions with faulty IT -- and it's not as if this was some complex cracking job, this is just carelessness -- need to be taught a serious lesson.

    (shakes head) It kills me that a college can lose piles of cash for buying shoes for one of their basketball players and a business can get fined for having workers lift a box that's 5 lbs. too heavy, but when they expose the private, valuable data of their students/customers, there's no sanction whatsoever....

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Liability by geekoid · · Score: 2, Insightful

      The sticky bit is:
      "...allow sensitive data to be stolen."

      'not well secured' does not, nor has it ever, mean 'allow'

      If it is negligence, really hard to say based on the info given, then they can, and should, be sued.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Liability by Anonymous Coward · · Score: 0

      I've said it before, and it's generally gotten a negative (or even angry) response, but let me say again:

      It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.


      Does the usual negative/angry response draw a parallel between this opinion and blaming a computer user whose system is compromised by a virus/worm/cracker? Just a guess.

    3. Re:Liability by bethanie · · Score: 1

      I agree. Allowing sensitive information about *children* to be this vulnerable is criminal. If I were a parent in that district, I'd be calling a lawyer and strongly considering my private/homeschooling options.

      ....Bethanie....

    4. Re:Liability by anthony_dipierro · · Score: 1

      It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.

      I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail.

      Companies are already accountable for negligence. But in order to win a case, you have to show damages. I don't see any damages caused by this particular negligence.

    5. Re:Liability by 56ker · · Score: 2, Informative

      Here in the UK it would be a breach of the Data Protection Act 1998 and possibly the Computer Misuse Act 1990. Oh and the psychological evaluation would fall under the Access to Health Records Act. These carry serious fines (but not jail sentences) if organisations disobey them. The DPA '98 is based on an EC directive and came into effect a few years ago. It's run by the Information Commissioner. Of course - here you might run up against Crown immunity - which simply put means that the government can't be held liable for breaking one of its own laws. The problems of insecure wi-fi networks have been well highlighted here - especially in London - there've been many cases of drive by hacking via laptops.

    6. Re:Liability by willtsmith · · Score: 1

      The worst offenders of data security are the credit bureaus. Their standards of security are farcical. Tens of thousands of people have their lives wrecked every year because the financial industry doesn't want to pay to secure their systems.

      I agree. It's time for Congress to introduce comprehensive data privacy laws. Corporate executives who set the standards must be held accountable if things go wrong.

      Personally, I feel that "club fed" is way too easy for them. I think that every corporate criminal should be paired with a "hardened" felon so that the executive can share their "business" sense with the felon. They do claim to be so bright and wonderful and smart and stuff to justify their monstrous salaries which exceed ours 200 to 1. I think both parties would benefit in the "end".

      --
      -------- -------- Support Wesley Clark for president!!!
    7. Re:Liability by gizmonic · · Score: 2, Insightful

      First off, let me say that I whole-heartedly agree with you.

      Here is my question though. At what point does an institution move from being a victim of an attack to being responsible for it?

      Don't get me wrong here, from reading the article, I would definitely agree the school was somewhat negligent. I mean, if I leave my keys in my ignition, and the car is stolen, my insurance policy has a clause stating that I am at fault for not securing my vehicle, and they don't have to pay. That makes sense to me. And the school having sensitive data in the open is like me leaving my keys in the car. They are responsible for not securing their system.

      However, a determined thief with the right skills can eventually steal my car, and a determined hacker with the right skills can eventually break the system. At what point would you say an institution has done all it could reasonably do to prevent the attack, and should be held blameless?

      If we are going to hold institutions liable, we need some standards regarding the sensitivity of data, and what levels of security are required for those varying levels of sensitive data. I've honestly got no idea what those should be, only that if we are going to hold people accountable, as you suggest (and I agree with you, remember), we need some codified rules to apply, not just some arbitrarily vague notion of the word "secure."

      Any ideas? Am I way off-base here?

      --
      WWJD?
      JWRTFM!
    8. Re:Liability by Anonymous Coward · · Score: 0

      I don't see any damages caused by this particular negligence.

      Seriously?

      No harm done if your little girl's picture, name, address and psychological information are made available to all?

    9. Re:Liability by anthony_dipierro · · Score: 1

      No harm done if your little girl's picture, name, address and psychological information are made available to all?

      Correct. The mere availability of information does not cause harm. Now if someone used that information in a way which caused harm (for instance, if someone kidnapped my daughter using her address information), then there would be a case for negligence.

      In the mean time you could try emotional distress, but that's likely to fail.

    10. Re:Liability by fermion · · Score: 1

      If this were a business I would agree with you. The fact that it was not well secured would not be negligence. However, this is a University. Universities, from what I have seen, have much stricter rules about what they can do with student data, and in general they take, or should take, the protection of student data much more seriously. The reality is that allowing strangers into the school computer is equivalent to allowing strangers into the secure room where the physical information is stored. Doing either is negligence, and doing either is allowing the data to be stolen.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    11. Re:Liability by Anonymous Coward · · Score: 0

      Agreed, but I think the case is pretty clear from the article that *no* security was enabled.

      First flaw: Insecure wireless network. If the WAP was broadcasting its SSID, had no WEP enabled, no MAC address filtering, and had no firewall between the WAP and the servers, then any idiot with a wifi card and a laptop could get in. Not a techie or a hacker: a two-year-old could set any wireless-capable machine within range of this WAP and the software will immediately detect it and connect.

      Second flaw: Insecure general network. No userid is required (or even prompted) for wireless connections.

      Third flaw: Non-secure network used for storing secure documents. Secure servers exist, which we are led to believe do their job, but the "Fuji" server used for sharing files was not on this secure network. Documentation should have been written to demand users keep sensitive information on secure servers only, and the IT department should have monitored use of shared directories.

      Bad IT department. No donut.

      -Alchemy-

    12. Re:Liability by Realistic_Dragon · · Score: 1

      I'm fairly sure that in the UK any and all personal data is covered by the data protection act, which amongst other things covers good practice _and_ fines/punishments for offenders.

      Because it's a criminal offense you can't insure against it either, in the same way that you cannot insure against earnings lost due to being jailed for manslaughter or parking fines.

      --
      Beep beep.
    13. Re:Liability by lpret · · Score: 1
      I agree with you completely. I guess the thing I would look for is at least some attempt at security. If you lock your car doors, that's about as much as you can do. However, you don't leave your windows rolled down when you do this. The same goes for computers I would think. As long as you have at least something (WEP) you've then made it necessary for someone to force their way in -- but don't leave a backdoor.

      However, this should all be bypassed with this: Never put sensitive data on a wireless network. Until we have something that is fool-proof (which even a LAN isn't really), why risk it? Perhaps 802.1x will bring us closer to this ideal, but I'm sure we'll find issues with it soon enough.

      --
      This is my digital signature. 10011011001
    14. Re:Liability by Anonymous Coward · · Score: 0
      'not well secured' does mean 'allow'

      It fits the first definition of allow. Other definitions talk about "make provisions for" and things you're probably thinking.

  10. Confidential information on WiFi ?? by ThomasFlip · · Score: 0, Troll

    The last thing schools need are wireless networks let alone access to confidential information via a wireless network.

    --
    If the dollar is an "I owe you nothing", then the Euro is a "Who owes you nothing." - Doug Casey
  11. Interesting... by Trent+Polack · · Score: 5, Funny

    I wish my old high school would've had something like that happen to them. I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!

    --
    Trent Polack
    www.polycat.net
    1. Re:Interesting... by Anonymous Coward · · Score: 0

      No, you don't want to see it. Really.

    2. Re:Interesting... by mrseigen · · Score: 1

      Hell, I've talked to you enough on IRC, I can probably give you one at this point.

    3. Re:Interesting... by IronChef · · Score: 2, Funny

      I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!


      Didn't anyone tell you? If you want to see it, you are crazy.

      Please lie down on the floor. The van will arrive shortly. Don't argue with the officers -- they are just doing their job.

      Thank you.

    4. Re:Interesting... by marshac · · Score: 1

      Actually, by allowing THOSE records to be available, the school district violated the HIPAA privacy rule. They COULD get into some trouble over this. Also, another federal law that was broken is FERPA, which basically prohibits student records from going outside the school system (or to military recruiters... go figure that one out...)

    5. Re:Interesting... by Anonymous Coward · · Score: 0

      I am wondering which teachers are compelled to play amateur psychologist.

      Probably the ones that have 15-20% of school children on Ritalin.

    6. Re:Interesting... by 1WingedAngel · · Score: 1

      My Psych profile was always brief:

      Be Afraid!

  12. Re:California's new notification provisions: July by lommer · · Score: 4, Insightful

    Well, given that it's a newspaper that found this, I can't see that there'll be a big problem as far as non-disclosure on this one. Not to mention the fact that it's been posted to slashdot of course :-)

    On a side note, could the newspaper be held liable for this, given that they were intruding on the network without permission? If the newspaper gets screwed over this, it could generate some much-needed publicity and the following public backlash over this BIG problem in the current internet legal scene (namely that if someone finds an insecure network, they usually can't disclose it without getting whacked. Sometimes even if they only tell the company concerned, the company fixes it and then whacks them).

  13. more to learn by dema · · Score: 5, Insightful

    This just goes to show we have a lot more to learn about wireless technology. To a lot of people it may seem like simple common sense to use WEP or some other serious form of protection for sensitive records like that. But getting wireless is becoming just as easy as getting a cable modem hooked up so more people are doing it at a faster rate and not researching the risks that come with it.

    I read an interesting (albeit short) article not too long ago about the risks that does a nice job of explaining things.

    1. Re:more to learn by pi_rules · · Score: 1
      common sense to use WEP or some other serious form of protection for sensitive records like that.


      You do realize that putting WEP on your WLAN is about as effective as putting 6 layers of duct-tape over your lock thinking that nobody with a key can get in now, right?

      WEP is useless unless you want to keep people out that wouldn't spend 30 minutes or less trying to crack the key.
    2. Re:more to learn by syukton · · Score: 1

      more people are doing it at a faster rate and not researching the risks that come with it.

      Thank you for hitting the nail on the head. This is the main problem with just about every aspect of human society: everybody is doing more and thinking less.

      Everything is risky. Alcohol is risky, driving is risky, wireless networks are risky; hell, getting out of bed is risky. But more people are willing to just jump right in and figure things out as they go along instead of planning ahead and doing the research. Maybe they see it as reinventing the wheel to spend all that time thinking instead of doing, but I'd rather have a museum of reinvented wheels than a museum of really dumb people.

      People don't think before they act anymore, unless there's some large amount of money on the line. If (as another commenter suggested) there were harsh financial penalties for allowing sensitive data to be stolen, then more people would take the issue seriously. (by "allowing" I mean "making available to access without a key or other form of secure authorization")

      It's really a shame that an incident like this has to pop up and remind us that the majority of people in control of sensitive information are too stupid to police their own actions and treat responsibly the sensitive information that they have been given in confidence.

      --
      Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
    3. Re:more to learn by Anonymous Coward · · Score: 0

      30 minutes? Maybe if your AP or wireless cards are using the weak IVs. Now go find one with somewhat newer firmware. You'll find that they skip the IVs with FF in the middle (the easiest set), and a bunch of other ones that things like Airsnort know about.

      I haven't managed to listen long enough to know if the final set where the first and second (not sure offhand) bytes of the IV add to 253 are skipped by recent cards, but I bet they are.

      I speak from experience. Some neighbor got a new AP that's surprisingly strong in my house, so I left a sniffer running for a couple of weeks to see if any weak IVs went by. A few did, but not enough for Airsnort to start cracking.

      Then I kept the sniffer running and fired up an Airport card in my Mac (running Linux) and started hammering the air with packets. Simple tiny flooded pings to increment the IV. Guess what - the IVs skipped all the fun ones. It went from 00:00:00 to 10:00:00 and so on, missing all the ones you need for your 30 minute crack.

      WEP is still broken, but there are ways to make it suck less.
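The IV filtering described in the comment above can be checked from a capture. This is an added example, not part of the original thread: it flags only the classic Fluhrer-Mantin-Shamir pattern (first byte B+3, second byte 0xFF, the "FF in the middle" set), and the function names, the big-endian counter and the sample IV streams are constructed for illustration.

```python
"""Audit captured WEP IVs for the classic FMS weak pattern (B+3, 0xFF, X)."""
from collections import Counter

IV_SPACE = 1 << 24  # WEP IVs are 24 bits wide


def parse_iv(text):
    """Parse 'aa:bb:cc' (the notation used in the comment) into 3 bytes."""
    iv = bytes(int(part, 16) for part in text.split(":"))
    if len(iv) != 3:
        raise ValueError(f"WEP IV must be 3 bytes, got {text!r}")
    return iv


def fms_weak_key_byte(iv, key_len=13):
    """Return the secret-key byte index B this IV targets, or None.

    key_len is the secret key length in bytes: 5 for 40-bit WEP,
    13 for 104-bit WEP.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    first, second, _ = iv
    if second == 0xFF and 3 <= first < 3 + key_len:
        return first - 3
    return None


def counter_ivs(start, count, skip_weak=False, key_len=13):
    """Constructed IV source: a 24-bit big-endian counter.

    With skip_weak=True it steps over FMS-weak values, which is the
    behaviour the comment attributes to newer firmware. Real cards may
    count in a different byte order; this is an assumption for the demo.
    """
    ivs = []
    n = start
    while len(ivs) < count:
        iv = (n % IV_SPACE).to_bytes(3, "big")
        n += 1
        if skip_weak and fms_weak_key_byte(iv, key_len) is not None:
            continue
        ivs.append(iv)
    return ivs


def audit(ivs, key_len=13):
    """Count weak IVs in a capture and break them down by key byte."""
    per_byte = Counter()
    for iv in ivs:
        index = fms_weak_key_byte(iv, key_len)
        if index is not None:
            per_byte[index] += 1
    total = len(ivs)
    return {
        "total": total,
        "weak": sum(per_byte.values()),
        "per_key_byte": dict(per_byte),
        # Weak IVs a uniformly random IV generator would emit in a sample
        # of this size. A long capture with zero weak IVs against a
        # non-trivial expectation points to filtering firmware.
        "expected_if_uniform": total * key_len * 256 / IV_SPACE,
    }


if __name__ == "__main__":
    # Constructed streams that cross the 03:ff:00 .. 03:ff:ff weak block.
    for label, skip in (("unfiltered", False), ("filtering", True)):
        report = audit(counter_ivs(0x03FEFE, 300, skip_weak=skip))
        print(label, report)
```
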

  14. i wouldn't get in by null-sRc · · Score: 1, Offtopic

    ... psychological evaluations?

    what kind of school is this?

    i would never let my school assess me mentally, that's a major privacy violation if u ask me ;)

    besides, im a little crazy...

    --
    -judging another only defines yourself
    1. Re:i wouldn't get in by rodgerd · · Score: 1

      Oh, hell, plenty of workplaces do it, too. Along with IQ tests and such. Everyone I know or work with finds it hilarious when I tell them my psych profile suggested I was slightly to the female side of the male norm, but was pretty much, well, normal.

    2. Re:i wouldn't get in by Anonymous Coward · · Score: 2, Interesting
      well as one of my teachers has said before. By going to a public school students waive any civil rights they have.

      random searches of backpacks without probable cause (though this is something i agree with)

      No freedom of speech. No freedom of expression. (at our school boys couldn't wear hats or earrings, certain colors of garments, no "extreme hairstyles" or shorts during winter or spring) No -everyone is equal-: girls could wear all those things that boys could not.

      the only constitutional amendment upheld in public schools is the separation of church and state.

    3. Re:i wouldn't get in by Anonymous Coward · · Score: 0
      the only constitutional amendment upheld in public schools is the separation of church and state.


      Rather ironic, given that that isn't part of the constitution.

    4. Re:i wouldn't get in by PCM2 · · Score: 2, Interesting

      It's sort of ironic. People here are saying the school district should have some sort of financial liability for the negligence of allowing public access to this psychological/medical data. I'd tend to agree -- plus, I'd concur with those who say they have no business conducting (almost assuredly bogus) "psychological examinations" of students to begin with.

      On the other hand, the reason they started doing psychological examinations of students is probably because, after the Columbine shootings, they'd probably risk financial liability if they didn't.

      --
      Breakfast served all day!
    5. Re:i wouldn't get in by Anonymous Coward · · Score: 0

      That probably has something to do with the fact that nobody under 18 has any rights under the Constitution. It only applies to citizens, and since you're not a citizen until you're 18, it doesn't apply to minors. They only have laws to protect them.

    6. Re:i wouldn't get in by willtsmith · · Score: 1

      You're there to listen and learn how great thinkers have expressed themselves in the past.

      You yourself (as a high school student) are not yet completely educated yet. Best to close your mouths, open your ears and let the educated people do the expressing. I'm sure they'll give you opportunities and gently assist when you're making an ass out of yourself.

      Regarding civil rights ... You have as much civil rights in school as you do in your parents house. You are a legal dependent and are therefore subject to the whims of your guardians. When you go to school, the adults there are responsible for your safety and education. There cannot be responsibility without authority.

      When kids get it out of their head that they're somehow there to teach the ADULTS something, things will go right. All that other shit: clothes, hair, makeup, shit is a waste of time, EVERYBODY's, including yours.

      All that SHIT makes it harder to keep things running smoothly, get kids educated, and keep them from killing each other.

      --
      -------- -------- Support Wesley Clark for president!!!
    7. Re:i wouldn't get in by willtsmith · · Score: 1


      Amendment I

      Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

      Public schools are a byproduct of public legislation and public funding. Therefore they may not formally pay respect to an institution of religion. Nor may they sanction any such institution formally or informally.

      Hence the term "Separation of church and state". Deep down, I'm sure if a school started saying morning prayers to allah you'd get pretty pissed off and that's exactly the point. If Allah don't get in, neither does Jaweah (Jehova properly translated).

      --
      -------- -------- Support Wesley Clark for president!!!
    8. Re:i wouldn't get in by willtsmith · · Score: 1

      Not true. Persons under 18 DO have rights.

      However, the authority to pursue those rights are delegated to their guardians. In some cases the law allows legal authorities to pursue those rights on behalf of the child and take the child from custody of a guardian.

      For example a child of reasonable age has the right to freedom of speech and assembly. Where do you think all those Mallrats come from? You think the Malls really WANT them there :-)

      Likewise, a minor arrested at the mall for loitering has the right against illegal search and seizure (although it rarely works out that way). In this instance, courts have held that searching individuals suspected of shoplifting (strip searches) are a constitutional violation. A search must be done with probable cause by an officer of the law (not a security officer).

      --
      -------- -------- Support Wesley Clark for president!!!
    9. Re:i wouldn't get in by Anonymous Coward · · Score: 0

      The jump from the first amendment to "separation of church and state" is a shaky one at best. The current interpretation of it (that nobody, in any official position, may participate in religious activities) is completely contrary to the spirit of the amendment.

    10. Re:i wouldn't get in by cyril3 · · Score: 1
      As others point out, you don't have to agree. The teachers do it anyway.

      And even better, it all goes into your Terrorist Information Awareness profile when you go looking for a job or buy airline tickets.

  15. WarGames by Atario · · Score: 1

    David Lightman, Jr.'s weapon of choice.

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  16. How much is the school responsible? by arcanumas · · Score: 1
    I think this raises an interesting issue.
    Where does responsibility lie? Can the school claim it has been hacked and has no responsibility, or is there some law that defines some measures they should have taken?
    Are there security standards that everybody should uphold?

    Not that the one who stole the data is innocent but can the school be prosecuted by some negligence law? After all, it is easy to say "We've been hacked!"

    Boy, my school holds a lot of data on me and it is a business school with complete idiots on the technical department. Now I am worried.

    --
    Slashdot Sig. version 0.1alpha. Use at your own risk.
    1. Re:How much is the school responsible? by Anonymous Coward · · Score: 0

      IANAL, but it seems to me that if the previously mentioned "psychological evaluations" actually are indeed psychological evaluations performed by a licensed clinician, then HHS should come down hard on this school for a major HIPAA violation.

    2. Re:How much is the school responsible? by willtsmith · · Score: 1

      As long as they're not trying to formally "treat" kids, they should be fine.

      Everyone should know that their conduct is ALWAYS being evaluated irregardless of whether they're writing it down. The biggest issue is confidentiality.

      BTW, this is a two-edged sword. I strongly believe that kids' behavior problems should NOT be considered confidential. A community has a right to know when a kid is causing havoc in a school and taking away the educational opportunities of others.

      This is where really small school districts are good. Everybody knows what's going on so parents get really embarrassed if their kids are causing problems. The kid gets an earful, the teacher and principal get apologies. In large school districts it's the other way around. The kid pleads innocent and the parent goes ballistic on the school and threatens to sue. Hence the principal backs down and the kid learns he can do whatever he wants as long as he lies well.

      --
      -------- -------- Support Wesley Clark for president!!!
  17. WiFI? It was easier at my school; by metalhed77 · · Score: 4, Interesting

    Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles I've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.

    --
    Photos.
    1. Re:WiFI? It was easier at my school; by kalidasa · · Score: 1

      You guys have it easy. In our day, the grades were kept on a floppy (for use in a TRS-80), and you actually had to liberate the floppy from the teacher's briefcase to check it.

      Not that I ever did.

    2. Re:WiFI? It was easier at my school; by topham · · Score: 1

      I was in a CompSci class where a student lifted an exam from the teacher's briefcase.

      Unlike the usual scenario where the teacher never finds out, this one did. He noticed a number of otherwise lackluster students get significantly higher grades than usual.

      So we were all forced to write another exam, we were warned that if any students didn't get a similar mark to the first exam they would be suspended. It worked. 4 of the students involved were suspended and the rest learned the course material so they could pass the second exam. Pretty much a win-win in my books.

    3. Re:WiFI? It was easier at my school; by mike_the_kid · · Score: 1

      You'll find that the bigger organizations -- be it schools, universities, corporations, governments, non-profits -- don't always have it together the way that a small, tightly run organization can.

      Everybody thinks that they want to go to the biggest school, work for the biggest company, give money to the biggest charities, etc. You have to look a little harder, but there are plenty of examples of bigger is not better.

      There are certainly economies of scale that work in favor of the big ones, true. However, a ton of bureaucracy does not match well placed trust in a focused, motivated small group. There is no economy of scale in trust.

      It may be a little against the grain, or it may go against your intuitive perception, but there is a lot of evidence supporting this, if you have your eyes open.

      --
      Troll Like a Champion Today
    4. Re:WiFI? It was easier at my school; by Shadow99_1 · · Score: 1

      Well as far as the "letting us junior admins do all the grunt work." thing goes, I think all schools pretty much do this... I know mine did, though we weren't called 'junior admins'... I guess officially we were just the 'computer club' once the computer programming teacher (taught Basic... or was supposed to) decided we need official 'recognition'. But if a computer stopped working it was our task to fix it, heck if the server went down (my last year we had 'new' hardware which included a PowerMac 'Server'). Grades were stored on the server, but no one thought it was odd that we should have access to it... If I'd wanted to I could have changed all sorts of confidential info, but I never did.

      --
      we are all invisible unless we choose otherwise
  18. Fake? by CaptainSuperBoy · · Score: 4, Funny

    What do you mean fake? I met my Thai love slave on Yahoo Personals. How much more real could you get?

    1. Re:Fake? by cryms0n · · Score: 1

      Where can I get one of those?

      Hook a brotha up!

  19. School Districts are generally clueless by Anonymous Coward · · Score: 2, Funny

    when it comes to networks.

    Not only do they expose sensitive information,
    but they run generally insecure servers, and
    they pay mercenary network installation contractors
    1000 cents on the dollar for old crappy network
    hardware.

    And the web pages set up by school districts for
    employees to use are brain dead.

    This one:

    http://www.teachinla.com

    has a link on the NCLB teacher profile logo
    that sends you to a page that will let anybody
    that can get a teacher's employee number and
    birthdate change their professional credentials.

    Well, it would, except the form page doesn't work!

    1. Re:School Districts are generally clueless by Anonymous Coward · · Score: 0
      You bring up a good point about things not working.

      I received an email from my ISP, Pacbell.net, regarding changes in my service as they are getting into bed with Yahoo, which will require me not only to use a windows-based machine but also install some proprietary software that I am restricted by law from understanding what its real function is, or even discussing it with others. I have no idea what this software is going to place onto the net or demand me to do once I install it.

      They included a feedback link.

      It doesn't work with my Netscape browser.

      Uh huh.. statistics at work again. If I am not one of their team players, willing to do whatever they tell me to do, they don't want to hear about it.

      I don't think it's just the schools. It's big companies. They get big enough they don't need the little guy who sends them a measly $30 or so in the mail every month. Face it, we little people that just send them checks every month aren't worth that much these days. We are a dime a dozen. And treated as such. What business wants and are willing to pay the big bucks in salary and pension benefits are people who know how to make us fall in line and do what they say. The fact we little people go somewhere else is really not all that important to the big guys. They'll just play the statistics and run another big advertising campaign to recover their lost subscriber base.

      Why try to keep what you have if you can get more? At least if you are spending money, you can show you are "doing something".

    2. Re:School Districts are generally clueless by Anonymous Coward · · Score: 0

      Well, it would, except the form page doesn't work!

      Sounds secure to me then =)

  20. Was it just a wide open access point? by sgarrity · · Score: 5, Insightful

    From the article, it almost sounds as though it was a wide open access point (no WEP encryption or MAC filtering). If this is the case, there should be no demonizing WiFi - just a sloppy sysadmin.

  21. So, it's funny... by thenextpresident · · Score: 5, Insightful

    ...that they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.

    --
    Jason Lotito
    1. Re:So, it's funny... by anthony_dipierro · · Score: 1

      But the moment a student would try the same thing, he would be expelled.

      What are you suggesting, that they expel the newspaper? If they're not a student, they can't be expelled.

    2. Re:So, it's funny... by retto · · Score: 2, Interesting

      Actually it wouldn't surprise me in the least if the students knew all along. I wonder if the average grade was higher there than elsewhere.

    3. Re:So, it's funny... by phraktyl · · Score: 0, Offtopic

      You think that's bad. Wait until the RIAA finds out they cracked into the school district computer and downloaded an MP3 file...

      --
      Karma: Marginal (mostly due to the border around the website)
    4. Re:So, it's funny... by Aadain2001 · · Score: 1

      But where is the "cracking"? If you post all your important information on a big board and then put it in a room with a lock, but leave the door open all the time, is it any wonder that someone will walk in and take a peek? And would they have done anything really wrong? Better analogy might be to have the board in the window with the blinds open. Then people just walking by can take a look, they don't even have to enter a room (which would be trespassing).

      I think the school was not "cracked" but just viewed, which is not and should not be illegal.

      But you are right, if a student had done this they would have been expelled, no questions asked.

      [sarcasm]Any student that proves they are smarter than the administration must be a terrorist/criminal and should be dealt with harshly.[/sarcasm]

      --
      Space for rent, inquire within
    5. Re:So, it's funny... by dasheiff · · Score: 1

      ...that they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.

      SO funny, it's true. We had an open finger access at Brandeis University and I was a bash script to collect everybody's information, then I posted it to the pre-freshmen forum, all the freshmen loved me... as for the administration... let's just say I'm not enrolled there any more.

    6. Re:So, it's funny... by sexecutioner · · Score: 1

      Sorry, but I don't think the analogy quite holds.

      How about:

      A bank leaves a million dollars on the pavement outside its front door with a little sign saying, "Property of Bank", just to ensure that passing people understand that it's not "lost" money.

      Now **no one** has the right to pick it up and walk away, it's not theirs, regardless of how easy it would be do to.

      It's the same here, information is a real and tangible property.

      Yes, you could look at the information that the school has made easily accessible (like you said, sign in the window), but if you do (and this was hardly "accidental") then you are knowingly committing a wrong (I won't say crime because I don't know the legal status of such things).

      I agree that the school should not be making their information so easily available, but if someone steals it then it's the fault of the stealer, not the school.

    7. Re:So, it's funny... by DMDx86 · · Score: 1

      Obviously they can't expel the student, but you would expect SOME level of anger that is equivalent to what they would do to the student in the same situation.

    8. Re:So, it's funny... by anthony_dipierro · · Score: 1

      I'm surprised there's no anger, but maybe this school is really cool about such things. Maybe they wouldn't have been angry if a student did this and then published it in the school newspaper... You're probably right, though...

    9. Re:So, it's funny... by mosschops · · Score: 1

      But the moment a student would try the same thing, he would be expelled.

      Thankfully Ferris got away with it :-)

    10. Re:So, it's funny... by poot_rootbeer · · Score: 1

      they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.

      There's a crucial difference here.

      The newspaper's motive for accessing the school's computer is to serve the public interest.

      The student's motive is to serve his own interests -- dig up some dirt on classmates, maybe change a couple grades.

    11. Re:So, it's funny... by Anonymous Coward · · Score: 0

      The "stealer"? I'm guessing you went to an American school.

  22. Exactly by Anonymous Coward · · Score: 5, Insightful

    Check out what the person in charge at the school said:

    "I don't see this as such a huge news story," Superintendent Mary Frances Callan said the day after the district office abruptly shut down its wireless network and student information program. The real news, she added, was the great progress the district has made to its network plans, thanks to new software purchases, planned employee training sessions and the technology-use policy.

    She has absolutely no sense of responsibility of the damage she could have/has caused. Money is the only thing that will get them to take notice.

    1. Re:Exactly by Keeper · · Score: 1

      Except the only thing that will do is either make the school more expensive to go to (tuitions rise) or cause the quality of the education its current students receive to decrease.

    2. Re:Exactly by Saucepan · · Score: 1
      Your doomsday scenario could only come true if the institutions decided en masse that their money was better spent paying fines than improving their security. Policy makers could affect this decision by adjusting the amount of the fines accordingly.

      What would probably happen is that organizations would spend a relatively small amount of money purchasing a new kind of liability insurance, the terms of which would require them to take at least basic steps to secure their systems (ie, stunning incompetence of this private-files-on-open-WEP variety would be disallowed).

    3. Re:Exactly by LoztInSpace · · Score: 2, Insightful
      This is a good example of a point that book review a few articles ago was trying to make.
      "Consequence-Based Thinking" in Chapter 2, a concept that promotes decision-making based on desired business results, rather than on the IT problems you face.
      (Unfortunately) most IT isn't about messing around with cool new stuff, it's implementing specific requirements, no matter how mundane. How she thinks the severity of loss of extremely private data can be mitigated with "look at my cool network" I don't know.
    4. Re:Exactly by callipygian-showsyst · · Score: 1
      I live in "Shallow Alto"

      It's a bizarre place where people drive SUVs with "Greenpeace" stickers on them. When I ask them how do they justify it, they say "We need 4wd when we go skiing"

      People usually say folks in LA are shallow, but down there they drive their SUVs and won't try to rationalize it with lame excuses.

      Anyway, all the women in Palo Alto are stupid "executive wives". That probably includes Mary Frances Callan.

    5. Re:Exactly by Lord_Dweomer · · Score: 1
      ""I don't see this as such a huge news story," Superintendent Mary Frances Callan "

      Hmmmm, wanna show her one of the things that can happen when your personal information gets into lots of people's hands? Someone wanna post her personal information and we'll commit the first ever physical Slashdotting of a school.

      --
      Buy Steampunk Clothing Online!
    6. Re:Exactly by Keeper · · Score: 1

      The problem isn't that a bad network admin doesn't configure the system correctly, it's that a single employee plugs in a linksys router into a hub. You can say all you want about making policy to require that people don't, but it won't solve the problem.

      So now institutions will be spending money on "insurance", which is an added cost that every place will have to put up with, because it's not possible to completely tie down a network. So now we're making everyone suffer and pay more for an education because you think that fines will solve the problem.

  23. Historically by geekoid · · Score: 2, Informative

    the press has been held 'above the law' in such cases. Look at Watergate for a prime example.
    That is a good thing, as long as the integrity of the information is held to a high standard. For example, if they published all the information they got, that would be bad and they would be held accountable. If not by a law enforcement agency, then by a civil court. Probably both.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Historically by anthony_dipierro · · Score: 4, Insightful

      The newspapers never admitted to stealing the Watergate documents. They at least claimed that the documents were stolen by an anonymous informant. This case is different, because the paper admits to committing the felony itself, not through an anonymous informant.

      I see no reason to hold this paper to any different of a standard than Kevin Mitnick. Personally I'd like to see all hackers pardoned, but until then the law is the law.

    2. Re:Historically by geekoid · · Score: 1

      Receiving known stolen goods is a crime.

      First because if the press was convicted for this sort of crime, nobody would ever report this sort of crime could happen.

      What they did was nowhere near what Kevin Mitnick did. Kevin committed several different crimes: illegally breaking into systems, telephone fraud, and B&E.
      Was his punishment overly severe? Absolutely, but don't go comparing him to the press.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Historically by anthony_dipierro · · Score: 1

      Receiving known stolen goods is a crime.

      Perhaps they didn't receive the stolen goods themselves, but rather photocopies of the stolen goods.

      First because if the press was convicted for this sort of crime, nobody would ever report this sort of crime could happen.

      Yes, and that's a good reason to get rid of hacking crimes completely. There should be no distinction between organized press and unorganized press.

      What they did was nowhere near what Kevin Mitnick did.

      I think it was rather similar. In both cases, no one got hurt.

  24. Wireless is not the core issue by vchoy · · Score: 4, Insightful

    ...the documents were not password protected.

    The same information was also accessible to individuals using district computers within school sites.


    This case shows who or what department that was in charge had concrete policy with regards to information and IT security.

    Security was fundamentally flawed, little or no security mechanisms in place, even lan connections had access to the files! Wireless connection only exacerbated the situation.

    1. Re:Wireless is not the core issue by vchoy · · Score: 1

      correction: "
      This case shows who or what department that was in charge had very little or no concrete policy with regards to information and IT security."

    2. Re:Wireless is not the core issue by WuphonsReach · · Score: 1

      Exactly - the fact that the files were accessible without authentication is the core issue. 20 years ago, someone would have gotten access to them via dial-in and it would have had the same news "splash". Probably with some spin about war-dialing, etc. or whatever the current boogieman of the day was. Wireless just happens to be the current whipping boy. Personally, we put our WiFi users on the outside of a firewall that they have to VPN through to get into the LAN. This takes care of authentication as well as ends up encrypting all data flowing from the laptop to the LAN due to the VPN tunnel. To the end-user, it's just like VPN'ing into the LAN from outside the office - so it takes little training.

      --
      Wolde you bothe eate your cake, and have your cake?
  25. Out of sight, out of mind. by rossy · · Score: 1

    Well you see, this Wi-Fi stuff is invisible... that is, you can't really "see" those bits. And anyway, if you could "see" them, they certainly don't look recognizable. Now, if you had a stack of papers with this stuff sitting in front of the school with a sign on it, well, THAT we could fix. Maybe we can fund a study to get someone to print out all of this insecure data so we could see if we really have a problem or not? Surely there is some consultant we could hire to investigate the feasibility of this?

    --
    Ross Youngblood
  26. This isn't a problem with WiFi by grahamsz · · Score: 4, Insightful

    This is a general network security issue.

    Confidential data needs to have strictly managed flows and storage. It's worrying enough that this information could be accessed anywhere on campus even without the wireless threat.

    When it comes to something like a psych evaluation I can't see why that information isn't kept 'offline' or on a small secured network. There is *no* justification even for allowing all staff members direct access to this sort of thing - it's ripe for abuse. I also can't see any reason why you'd need access to such a report instantly.

    1. Re:This isn't a problem with WiFi by anthony_dipierro · · Score: 2, Informative

      I agree with you completely, but at the same time, what do you expect? If you want someone competent working on your network, you have to pay them. Cut the budget by $17 million, and devastation will result.

    2. Re:This isn't a problem with WiFi by daliman · · Score: 1

      wtf do they have psych evaluations for at all? I never had any of that shit done at my university, my sanity (or lack thereof) is nobody's business but my own!

    3. Re:This isn't a problem with WiFi by Anonymous Coward · · Score: 0

      One word. Columbine

  27. Remember, this is a school system by Veovis · · Score: 1, Interesting

    I've come to the conclusion that schools are exempt from laws and are not held liable for their own mistakes, hell, Livonia Public Schools (Livonia, MI), the staff there actually tries to hack into students' (and former students') computers.

    1. Re:Remember, this is a school system by buck_wild · · Score: 1

      I browsed the page, but didn't see mention of the staff hacking into students' computers. Well it has been a really long day, so can you clarify?

      --
      If all you have is a hammer, everything looks like a nail.
    2. Re:Remember, this is a school system by Veovis · · Score: 1

      The website wasn't posted to really explain what they did, I took the domain and put everything on there to basically piss them off (although it's the truth) however they did make several hack attempts against my server from their IP address (204.39.65.159, 204.39.64.2) Someone else attacks their IPs and they try to blame me for doing it (even filing a fraudulent police report riddled with false statements), hah, then when I posted their IP addresses to another webpage they called my ISP and complained about it, oh well, somebody will kick their ass someday, but anyway when I used to go to school there they LOVED to blame all their problems on me (hacked phone system, computer/network viruses) yes I was the easiest target for them (knowing more about their IT setup than the whole district combined)... I spent most of my high school there constantly in trouble for various things, they tried everything they could to piss me off (including not letting me have access to telephones (including payphones, as having voice2email access was a threat to them), hiring hall monitor staff to follow me around from classroom to classroom throughout the day, I was rarely permitted on the computers at school, overall it was just a f*cked up school system, http://www.livonia.k12.mi.us is their official page, anyone wanting more details (ACLU Lawyers or anyone related feel free to contact me, as I still wish to mount a legal challenge against them) can contact me at veovis ( at ) mysticunderground (dot) net

  28. Re:California's new notification provisions: July by GMontag · · Score: 1

    In time the it will get past the embarrassment and all will be well again. Nothing more volatile than blushing data,

  29. How long did the paper sit on this? by Anonymous Coward · · Score: 0

    And you notice, the school didn't fix it until AFTER the paper went public. Where have we seen this before? hint: MS whingeing

    And what is a school doing psychological profiling anyway? Like little Jose goes to a Catholic Church, he's used to having his penis touched by priests, hey GLSEN, got a hot one for you! Teenage Jose can't read or write, but he's in touch with his sexuality.

  30. Solution: lawsuit? by Quixote · · Score: 4, Insightful
    However much I might hate lawyers (and IANAL, obviously), I think, sadly, things like this can only be fixed by lawsuits filed by the affected students. This is just too stupid on the school's part.

    This takes the cake: "I don't see this as such a huge news story," Superintendent Mary Frances Callan said ...

    'nough said.

    1. Re:Solution: lawsuit? by Anonymous Coward · · Score: 0

      This takes the cake: "I don't see this as such a huge news story," Superintendent Mary Frances Callan said ...

      'nough said.


      Someone should go hunt down all the personal information that they can find on that Superintendent, post it on the Internet and see how she reacts.

      And maybe add in the response that she had just for kicks.

  31. psych evaluations, eh? by Tumbleweed · · Score: 1

    I wonder if any of those evaluations concluded that someone would 'violate' someone who invaded their privacy. I know mine would. :)

    Check _this_ privacy policy!

  32. Re:California's new notification provisions: July by mcdrewski42 · · Score: 5, Interesting

    Did the newspaper bypass security and illegally access copyrighted material?

    If so, didn't they violate the DMCA - no matter what their intent?

    After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?

    --
    /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
  33. Shallow Alto by Anonymous Coward · · Score: 0

    If you were a parent in that district, you probably would have spent well over $1M for a home so you could have been in a "nice school district." Unlikely that you'd also be able to afford private school.

  34. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  35. And school districts even less by maugt · · Score: 1

    And you don't get unemployment over the summer. Hardly worth your time volunteering, really.

  36. Just go down to the district office. by sideshow · · Score: 2, Informative

    After you turn 18 you can at any time look into your permanent record. Prepare to be shocked though. I was a slight rebel but nothing too serious and my counselor described me, and I shit you not, as the NEXT HITLER!. Seriously, she said: And in this report Nick sounds somewhat like the next Hitler (I wrote a paper saying academic performance should determine which students got to go to Disneyland.)

    --

    Hollow words will burn and hollow men will burn.

    1. Re:Just go down to the district office. by Q+Who · · Score: 1

      Psychology is a pseudo-science... A report that some shithead counselor wrote is not something to be offended with.

    2. Re:Just go down to the district office. by mattkime · · Score: 2, Funny

      well, was she right?

      --
      Know what I like about atheists? I've yet to meet one that believes God is on their side.
  37. yeah, welcome to the red tape. by c64k · · Score: 5, Insightful

    I'm a district over from Palo Alto, and it's not surprising to me that the wifi was open. That SasiXP and server shares were open is frightening. But this is what happens when parents are allowed to come in and run roughshod over the plans of the admins. Or when random parents are your admins. Palo Alto has tech people, they should get in trouble for leaving things unsecure, but the parent group that came in and blew a big hole in the existing security needs a solid slap on the knuckles too.

    The tech staff that schools have are usually underpaid and overworked, or contractors who are juggling the details of 10-15 districts. I'm still cleaning up from the last time parents got involved, getting everyone connected to the internet.

    To every tech minded parent out there: don't give us your used crap, don't come in and 'help,' just stay out of the way. We have a clue (well a lot of us do), but we spend 98% of our time cleaning up the messes left by helpful parents, clueless teachers, and malicious kids. We're trying to get the teachers up to speed, and we're working on making it hard for the kids to purposefully or accidentally fsck things up. But parents are totally deaf to the idea that the help they're offering is really hindering things.

    How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

    --
    CIA Industries - Running the world for fun and profit
    1. Re:yeah, welcome to the red tape. by Rysith · · Score: 3, Interesting

      I agree. I am a student in the PAUSD who happens to run a lot of the computer stuff at one of the high schools. Many times, parents (with what I hope are good intentions) try to give us stuff. Usually, it completely fails to work well with what is already in place, although they insist that it is perfect for whatever we want to do with it. What is more, we have so many tech parents that all want to set things up their own way, regardless of what anyone else is doing, because they want to "Help the school" that even the tech people for the school don't know how a lot of our equipment is set up. It has gotten so bad that I know of at least two teachers at my school who have said that nobody gets to do anything to their computers without their permission (fortunately, they both know what they are doing). There are many times when I wish that all the helpful parents would go away and be helpful to somebody else, instead of giving us their old apple 2s or offering to set up that new campus-wide wireless network that is crucial to their child's learning environment.

      Sigh. My rant is over now.

    2. Re:yeah, welcome to the red tape. by Anonymous Coward · · Score: 0


      Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?


      Aren't some of those moms good-looking? Just a thought...

    3. Re:yeah, welcome to the red tape. by bobthemuse · · Score: 1

      A good job for parents? Well, you can never have enough patch cables.

      Mr. Parent, meet Mr. Crimper.

    4. Re:yeah, welcome to the red tape. by willtsmith · · Score: 2, Insightful

      Yes, the education system would be much better off without the meddling parents.

      Security causes configuration problems and access restrictions. That's unavoidable and necessary. Our current computer systems are WAY too secure and fragile to let kids run rampant over them. Office IT staff dealing with ADULTS have a hard enough time.

      I don't know why everybody thought it was so damn important for kids to get connected to the internet. There's really not much there in terms of educational resources. I can agree with getting teachers connected. In that way they can get material and even maybe have teachers share lesson plans (hopefully one day we'll get decent texts written by teachers instead of committees).

      Most kids using internet at school are just screwing around. I was completely flabbergasted subbing one day in a computer lab. The VB kiddies thought they were really slick. Like, I didn't know what 'Alt-Tab' meant when I was walking by. Other kids were playing with console emulators and claimed it was their 'project'. They were quite shocked when they discovered they were dealing with a professional programmer. They are so used to teachers being clueless about technology.

      --
      -------- -------- Support Wesley Clark for president!!!
    5. Re:yeah, welcome to the red tape. by naelurec · · Score: 1

      I was offered a position to be the tech guy at a school.. after learning about the parent tech committee (which the principal thought was a great idea), I decided to decline the position. I'm glad to see that my intuition was right about the meddling of parents and their inability to deal with network security even though they "work in technology"

    6. Re:yeah, welcome to the red tape. by Beryllium+Sphere(tm) · · Score: 2, Funny

      >How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

      You must have a backlog of projects, if you're like most IT people. Turn those into requirements documents, and the next time a parent asks to help hand him/her a requirements doc.

    7. Re:yeah, welcome to the red tape. by Anonymous Coward · · Score: 0

      That was pure gold, mod this guy up!!!

    8. Re:yeah, welcome to the red tape. by Soda+the+Brew · · Score: 1

      Hi, I just added you to my friends list. Please contact me directly, I'd like to ask you a few questions about your experience with the schools.

    9. Re:yeah, welcome to the red tape. by Soda+the+Brew · · Score: 1

      Hi, I just added you to my friends list. Please contact me directly, I'd like to ask about your district!

    10. Re:yeah, welcome to the red tape. by Anonymous Coward · · Score: 0

      What is more, we have so many tech parents that all want to set things up their own way, regardless of what anyone else is doing, because they want to "Help the school" that even the tech people for the school don't know how a lot of our equipment is set up.

      I haven't been in high school in a few years (graduated in '97 from a big HS in N. Calif. Valley), but if you really let the parents come in and set up computers, then you are really asking for trouble, and frankly your administrator is a dumbass. At my school, I was teacher assistant for just about every computer class I took (all but 1 of the comp. classes, I eventually filled in the position for other clueless students). At the time, I don't know what we really had that resembled a network, but all the administrator computers were very hard for students to get their hands on. Even if the students got their hands on the teacher's computer, they definitely wouldn't have been able to go change some grades. But as suggested, parents want to do things their own way, and in a lot of cases they don't know how the school normally runs things, so just letting them come in and set up their equipment can lead to a lot of trouble down the road.

      Another thing I would never do is let a PARENT of a STUDENT at one of my schools have access to grades. Yes, I know most of them wouldn't even think about changing anything, but I wouldn't want to even give them the opportunity to consider it.

    11. Re:yeah, welcome to the red tape. by chialea · · Score: 1

      I used to be in PAUSD, at Gunn actually, and helped run the whole system. It started out fairly decent when I got there, with some sort of reasonable security (and the grades not accessible to students), but a certain physics teacher (who I believe has been demoted since I left) who was supposed to be running this decided it would be a good idea to try to add random new stuff, and not more of the same unix boxen. It became a bit of a mess, since he also pissed off the people who were running the network and acting as tech support for the teachers and he didn't know how to do so himself.

      Parents actually have done good stuff for the school, but in a lot of cases this is either a) money or b) help cabling. I suppose it's part of the problem to separate the parents with clue and will out and get them to help.

      Lea

    12. Re:yeah, welcome to the red tape. by poot_rootbeer · · Score: 1

      How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

      "I'm sorry, but the district security policy forbids anyone except network admin staff from working on the network. I'm sure you can understand why. Please leave your equipment donations on that shelf and I'll take it from there."

    13. Re:yeah, welcome to the red tape. by c64k · · Score: 1

      That's what we try and do, as well as reviewing donations before accepting them. However, principals, teachers, and staff all roll over when a parent shows up with something, instead of sending them our way.

      Often we'll find new donations when we get a call because something is not working, like the "new" computer can't see the network. Goes a little like this:
      us: what new computer?
      teacher: well, bobby's dad dropped it off for me.
      us: why didn't you send him to us?
      teacher: I wanted the computer to be in my room!
      us: if it had been up to our spec, you would have.
      But you see, this is a broken 386 with no hard drive or network card. We don't want anything below pentium II's anymore. Now we'll be taking this to the recyclers, and it'll cost us $25 to dispose of the monitor. In future, please send all requests to donate computers to the tech dept.
      bye...

      joy.

      --
      CIA Industries - Running the world for fun and profit
    14. Re:yeah, welcome to the red tape. by c64k · · Score: 1

      Uhm, yeah. Sorry, I don't talk about specifics of my work.

      --
      CIA Industries - Running the world for fun and profit
  38. Re:California's new notification provisions: July by Anonymous Coward · · Score: 1, Interesting

    As the purpose of copyright is to increase the amount of publication that enters the public domain, *can* they actually copyright something that is never published? And school district's .. that sounds suspiciously like Government, who cannot copyright documents either. No Copyright, no DMCA?

  39. Was it just me ... by theuglykid · · Score: 1

    or did someone else just glance at the headline and read:

    "WiFi Exposes Insensitive Clod Data"

    I think I need to lay off on reading posts for a while.

  40. wait wait wait by Anonymous Coward · · Score: 0

    So it's *illegal* for me to mooch net access off of my neighbors? Better go take down that antenna...

  41. Most schools... by HaloZero · · Score: 1

    Do psychological evaluations. Based on visits to your guidance counselor, and how he or she feels about you. Sometimes your teachers are brought in to further refine the exam. If you never see your guidance counselor, then the evaluation is based purely on your teachers' composited feelings.

    Which is really, really sad.

    --
    Informatus Technologicus
    1. Re:Most schools... by Dylan+Zimmerman · · Score: 1

      I only saw my guidance counselor twice. The first time was to check that I had all of my required classes taken care of so that I could take whatever I wanted to my senior year. The second time was her telling me that I hadn't and would, therefore, need to switch a few classes around.

      I specifically asked about technology credits and whether I had enough. She told me that I did. Then, part of the way through the first trimester, she called me in and said that I needed to drop a non-essential class and take a technology credit. At first, she was adamant that I take Business Computer Information Systems (read: How To Use Microsoft Word, Excel, and Access), but I quickly got that changed to computer programming. I never want to use another console based development environment again, but at least I didn't have to deal with people putting carriage returns after every line in Word.

      Anyway, she maintained throughout that she never told me that I didn't have to take any more technology credits. She probably put something like "Paranoid delusional - thinks that I'm out to get him. Next Hitler!" or something equally crazy. I should really go and get that from my high school. If nothing else, it'll give me something to laugh at.

    2. Re:Most schools... by madcow_ucsb · · Score: 1

      It's probably considerably less interesting than that. When I graduated from high school, the school sent a letter saying I had 90 days or something to pick up my permanent record from the district office before it was destroyed. I was curious about this mythical folder, so I got it. Borrrring. Mostly all my report cards (from all the districts I had gone to from several cities and two states) and little notes about personality, etc. Nothing I'd call an "evaluation". It seemed more to give the next teacher you got (particularly in elementary school) an idea if you had a reputation for being a jackass or not. It had its interesting bits, but nothing special.

  42. Newspapers arent evil hackers by Anonymous Coward · · Score: 1, Insightful

    DAs know better than to wreck perfectly good laws they can use for selective prosecution by going after popular prey.

  43. profiling by c64k · · Score: 1

    Schools have counsellors, and psychiatrists. They write up profiles of the students they see, and keep notes on them.

    How strange is this?

    --
    CIA Industries - Running the world for fun and profit
    1. Re:profiling by IWannaBeAnAC · · Score: 1
      In my experience, it is very strange for a school to have a psychiatrist.

      However, I am not from the US, I guess things are different there...

    2. Re:profiling by dnoyeb · · Score: 2, Informative

      All schools have them AFAIK. It's not necessarily 1 per school. They have therapists as well. I think the Americans with Disabilities Act would make schools have even more than that. But it could be a handful per school district or something like that.

    3. Re:profiling by Anonymous Coward · · Score: 0

      The practice is certainly widespread. Every (US) school I attended had at least one of these people. Bigger schools had multiple instances of them, and typically separated them alphabetically.

      Of course, nothing really compares to tracking down your 'alphabet counselor' on IRC with /who and discovering that he's in something like #momsonsex and is actively trading files. His client didn't set +i and the rest is history.

      Back to the topic at hand: I have 5 APs hooked to a public school district's network. I'm sure they'll show up on something like wifimaps.com sooner or later. The difference here is that my users have to do everything through a VPN tunnel. It raises the bar, but nothing is totally secure.

      Even with my iron fist policy for wireless networks, we still have to deal with lusers who get a new toy and plug it in. Sooner or later, someone is going to get an AP for their office and classroom, will plug it into their drop, and all hell will break loose once someone else finds it.

      It's to the point where I'm thinking about port-level security for ALL exposed ports. That way, you can plug in an unauthorized AP, but someone who associates with it won't be able to go anywhere. I bet other organizations are having this problem too.
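Added example, not part of the comment above or of any switch vendor's configuration: a small Python model of the per-port MAC limit the comment proposes, showing why clients behind an unauthorized bridging AP get nowhere and how the resulting violations point at the offending drop. Port names, MAC addresses (documentation range) and the frame trace are constructed for illustration.

```python
"""Toy model of per-port MAC limiting ("port security") on an access switch.

Everything here is constructed: port names, MACs and the frame trace.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1                              # addresses allowed behind this drop
    learned: list = field(default_factory=list)    # sticky: first seen, then kept
    violations: int = 0

    def admit(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC would be forwarded."""
        mac = src_mac.lower()
        if mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.append(mac)               # learn until the limit is reached
            return True
        self.violations += 1                       # over the limit: drop and count
        return False


def replay(ports, frames):
    """Feed (port, src_mac) frames through the switch; return per-frame verdicts."""
    return [(port, mac, ports[port].admit(mac)) for port, mac in frames]


def suspect_ports(ports):
    """Ports that saw more source MACs than allowed: likely an AP or hub on the drop."""
    return sorted(name for name, port in ports.items() if port.violations)


# Constructed trace. room-12 has one wired PC. On office-3 someone plugged in
# an AP in bridge mode: the AP's own MAC is learned first, then frames from the
# wireless clients behind it arrive with their own source MACs.
CONSTRUCTED_FRAMES = [
    ("room-12", "00:00:5E:00:53:01"),    # teacher PC
    ("room-12", "00:00:5e:00:53:01"),    # same PC, different case in the log
    ("office-3", "00:00:5e:00:53:10"),   # the AP itself
    ("office-3", "00:00:5e:00:53:a1"),   # wireless client 1 (bridged)
    ("office-3", "00:00:5e:00:53:a2"),   # wireless client 2 (bridged)
    ("office-3", "00:00:5e:00:53:10"),   # the AP again
]


def demo():
    ports = {name: SecurePort(name) for name in ("room-12", "office-3")}
    verdicts = replay(ports, CONSTRUCTED_FRAMES)
    return verdicts, suspect_ports(ports)


if __name__ == "__main__":
    verdicts, suspects = demo()
    for port, mac, ok in verdicts:
        print(f"{port:9} {mac}  {'forward' if ok else 'DROP'}")
    print("ports to inspect:", suspects)
```

The model only covers the forwarding decision; the violation counter is the part worth alerting on, since it identifies the physical drop to go and look at.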

  44. How about in a hospital by Anonymous Coward · · Score: 3, Interesting

    WiFi is now commonly used throughout hospitals transmitting unencrypted patient information to mobile carts and charting hand helds. Imagine what you could grab just by sitting in the lobby.

  45. Far worse abuses of this data by coyote-san · · Score: 4, Insightful

    With pictures and family contact information, e.g., the names of the parents or relatives authorized to pick up the child at school, identity theft is nothing compared to the other abuses that are possible.

    E.g., a pedophile could go "shopping" for a victim, then use the information in the file to convince the kid that a trusted adult sent them to pick them up.

    Or they could be even more aggressive and add an alias to the list of people authorized to pick up the kid at school. Then they show up and breeze past security that would normally extend from classroom to doorstep.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  46. My question is... by Anonymous Coward · · Score: 0

    Why aren't they using passwords or anything? Let's suppose they are using a Windows Network (don't jump all over me, if they can't secure a WiFi connection, let's assume Linux is way out of their range) Are they stupid to have the server freaking make sure everyone trying to connect is a valid user. Even a paper MCSE knows this. You have to be freakin retarded to let this happen. Not securing your access ports to leaving sensitive data open to anyone who connects. The only way I see is that they sniffed a valid user name and password over the WiFi while hacking it. If it's open to the world without a password, IT department is totally retarded. (I do realize that it's a government organization) DMCA here we come.

  47. underpaid teachers? put down the doobie by Anonymous Coward · · Score: 0

    visit www.thechampion.org

    The average teacher pay in Illinois is $55,000 per year, for 9 months work. Not bad. The tech, disability teacher, and mental health end averages $90k a year. More averages on aft.org.

    Overpaid, if anything. And this breach went on for a whole year? Nobody fired? Cushy work, isn't it?

  48. Tsk, Tsk, Tsk.... by curtlewis · · Score: 3, Funny

    Those who can set up networks, do.

    Those who can't, do it anyway.

    It takes 3 seconds to set up an access point and about 2 minutes to set it up and secure it. Even my neighbor (who apparently has wi-fi going on I see) was smart enough to secure their network (so much for the extra bandwidth for those huge game demo downloads, while I play online with no latency or packetloss!)

  49. besides by _avs_007 · · Score: 1

    If your network doesn't at least have a WEP key, how the hell is someone supposed to differentiate your network from any other wide open hotspot? Perhaps he thought you had a hotspot with convenient network shares to store files :)

  50. This is the problem... by Penguinshit · · Score: 4, Insightful

    "Andrew Hannah, a network administrator for the district, admitted security was an afterthought when the first open wireless networks were installed at the Jordan and Jane Lathrop Stanford middle schools and the district office between 2000 and 2002."

    This is the problem with DeVry's, et al, ginning millions of Win32-morons out into the world of computer administration. You get a bunch of clownpunchers who know how to press shiny buttons but who don't have a clue about the underlying principles (and responsibilities) of the computer networks they are in charge of administering.

    Mod me troll, but I'm tired of the polluted job market, and absolutely sick to death of cleaning up the puke left behind at countless small companies by these nimrods.

    1. Re:This is the problem... by wifitek · · Score: 1

      I SIMPLY MUST AGREE!!

      --
      Sig: BEEeeeP,,Please press pound, so I can get on with my fucking life!
    2. Re:This is the problem... by willtsmith · · Score: 1

      Yes,

      It's a good reason to insist on personnel with Computer Science degrees instead of MCSEs. There are plenty of us available now since all the H-1Bs have arrived.

      --
      -------- -------- Support Wesley Clark for president!!!
    3. Re:This is the problem... by Anonymous Coward · · Score: 0

      A moron with a degree is still a moron.

      It doesn't take INTELLIGENCE to get a degree. Moreover any idiot can jump through the hoops to get a degree (at any level from any school) should they be inclined to.

      Let's just get this out there. There is no effective means of teaching professional computing. It's far too large a subject to be covered in a 1, 2 or 4 year diploma/degree program.

      A person will only gain a truly useful education in computer use, programming and or networking if they have a good reason to go out, read the articles, participate in the community and LIVE THE LIFE.

      Colleges, Universities et al. try to sell computing as a "way to make money in the digital economy". Well I'm sorry. But professional computer use beyond that of a secretary is not a "job" it's a lifestyle.

      No degree program can screen this.

      Instead, I would suggest to other employers that they look for: A) a personal website with some kind of MEANINGFUL content, (oss libraries writings, anything useful to the general public) and B) a clear commitment to keeping up with the times. Ask a prospective candidate about the latest sendmail vulnerability, or the latest hostile takeover attempt by oracle etc. A person who is passionate and committed to computing will know all about it and probably be enjoyable to work with in the future.

      A candidate should NOT be screened because they do or DO NOT have a degree (even of any kind). A high school dropout can often make your engineer with a masters degree look like crap when it comes to getting the job done.

      To any professional employer it should be all that matters.

      Now quit whining about the polluted job market perform your nuans search and start contracting. There's more than enough work out there _IF YOU ARE AS HOT AS YOU THINK YOU ARE_

      If you're like me within 6 months you should have at least a couple people subcontracting for you.

    4. Re:This is the problem... by Shadow99_1 · · Score: 1

      Maybe that was the case at one point in time, but uh I used to go to a DeVry location (there is like a dozen of them around the US). It was normally a problem of the students wanting to get a degree to 'make it big without working' in the tech field back in the day. It doesn't quite work that way anymore & things have toughened back up... Well at least here on the east coast. Of course back when I started my location still taught RPG, COBOL, CICS, Systems Analysis, Assembly, & near the end C/C++. By the time I was about to leave there (since I'd decided I wasn't a good programmer & had noticed I liked Networking), they had just started the wave of dot com workers who wanted to show enough skill to get some half assed job making huge money and the school complied with their wishes by teaching them VB, Java, HTML (went from a brief 2 day lecture to a full semester class go figure), C, C++, Visual C, OOP... No substance really just fluff... But I can't blame them that's what most of those students wanted... Of course I wonder how many of those students now live in alleys & eat out of dumpsters...

      BTW my SO has a degree in BIS (Business Information Systems) and is quite competent with all types of technology. Came as quite a shock after most of the BIS types I knew right before leaving there (my second college didn't offer BIS)...

      --
      we are all invisible unless we choose otherwise
    5. Re:This is the problem... by 0xA · · Score: 1
      Mod me troll, but I'm tired of the polluted job market, and absolutely sick to death of cleaning up the puke left behind at countless small companies by these nimrods.

      Part of me agrees with you, hell I mostly agree with you but the other part makes a lot of money doing just that.

      It is out of hand though. I have a cousin and 2 friends who have come out of school looking for work right now. They are all completely useless.

  51. What about the hardened students? by Shadow+Wrought · · Score: 1
    WiFi Exposes Sensitive Student Data

    There's just no telling how the students will cope after having been labelled "sensitive."

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  52. WHAT THE! by wifitek · · Score: 1

    Didn't the Newspaper break some laws here?

    --
    Sig: BEEeeeP,,Please press pound, so I can get on with my fucking life!
  53. eh? by _avs_007 · · Score: 2

    Hmmm... according to FCC article 15, this newspaper just openly and admittingly committed a felony. Just getting an IP address constitutes committing this felony, [snip]

    Just getting an IPAddress? To get an IPaddress, you have to ask for one. Is it your fault they gave it to you? That's like if you knock honeywell's front door, and ask if you can come in, and they say, "OK, come on in", and as soon as you step foot in their premises, have you arrested for trespassing. I suppose you could say, you did have permission, because you obeyed all network protocols, where the server has the right to accept/reject your requests. If the DHCP server gives you an IPAddress, and the DNS server resolves the host names for you, and the HTTP server fetches the documents for you, you did everything with permission ;)

    Now if they had WEP keys, and an IPSec tunnel, that you had to infiltrate, then that's a different ballgame :) What's this you say, the network was wide open? :)

    1. Re:eh? by LionMage · · Score: 1
      What's this you say, the network was wide open? :)

      "Was" being the operative word here.

      There's no telling who else had access to their network. They just went after me because I was an easy target, and I gave them a black eye.
    2. Re:eh? by Geminus · · Score: 1

      Yes, just getting an IP address is a felony. FCC law says that robbing someone electronically of services or interfering with electronic transmission IS a felony. Although this law may be very broad by concept, the newspaper sealed the case on this one with another facet of law... intent. It was their intention to access the network and they knowingly downloaded files that were sensitive in nature. If you knowingly leave your door unlocked and I willingly open it and walk in, have I committed criminal trespass? According to the law I have... it's called "breaking and entering." By turning the doorknob, I have established intent, by walking in, I have committed a crime.

    3. Re:eh? by _avs_007 · · Score: 1

      This is not like you leaving your door unlocked, and me coming in.

      In order to get an IP address you have to ask for it. The DHCP server said "ok". In order to fetch documents, you have to ask for them. If the samba server and/or web server obliges, then it's your problem not mine. If your DHCP server gave me an IP address, that's your problem not mine. If your DNS server resolved these host names for me, that's your problem not mine. And if you don't lock down your AP, how am I supposed to know you didn't want me to be able to access your network? How do I differentiate your AP from the public hotspot AP across the hall?

      This is more like I came to your door, and rang the door bell. Then you open the door. I ask if you have anything to eat, and you invite me into your backyard for a bbq. The next day you call the cops, and have me arrested because I ate your food.

      Similarly, it's like if I bumped into you on the street, and asked if you could spare any money, and you give me a ben franklin. Then proceed down to the police dept and have me arrested for robbing you. You gave me the money... You didn't have to.

  54. Sounds like an excuse... by Veovis · · Score: 1

    so the school systems can tell the government they need an extra $50,000/school year to "secure" their wireless networks, or network in general (I'll be more than happy to accept $50,000 to enable WEP and set passwords and mac filters)

  55. Re:California's new notification provisions: July by mcdrewski42 · · Score: 1

    AFAIK pretty much everything that is created is naturally covered under copyright. It's only once you start assigning copyrights to other people and registering them etc. that the line gets blurry.

    If I write a program and keep it on my own (home) PC then it is (c) me, even if I don't have a license attached. If you steal it I get all legal on your ass.

    --
    /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
  56. Re:California's new notification provisions: July by drinkypoo · · Score: 1

    I think (IANAL whee) that they are not possibly liable unless they actually circumvented some security measures somehow. If the files were simply open, then they didn't do anything wrong unless they tampered with files.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  57. Re:California's new notification provisions: July by willtsmith · · Score: 1

    The article noted that the information was on an insecure location on their network.

    I agree, we need laws that protect white hat hackers and setup clearing-houses for white-hat hacks. Such clearing houses would give 30-days notice to an organization in order to secure their network. Then the information would be released publicly.

    --
    -------- -------- Support Wesley Clark for president!!!
  58. This is a federal matter as well by danoatvulaw · · Score: 1

    Check out 18 USC 2701, the Electronic Communications Privacy Act (and possibly 18 USC 1030) they just violated. So yeah, if this case is getting lots of media attention, just wait for the FBI to ring in.

  59. There is no excuse by serial+frame · · Score: 1

    Dammit, if we're going to move over to 802.11? on everything, we at least need to do it the definitively right way, especially if sensitive data is held in machines on these networks. Simply turning on 104-bit WEP will not magically secure your wireless network; I can attest to this, as I used Airsnort to crack my own WEP keys within the window of 5 or so hours with medium to heavy wifi traffic between my nodes and access point.

    System administrators should take measures to not only secure the machines themselves, but the transmission of data. So, on top of 104-bit WEP, perhaps we should also be using PPPoE for authentication, and perhaps IPsec, SSH wrappers, or virtual tunneling. (when I say we, of course, I mean those of us with machines that contain, and transmit potentially sensitive information). Shit like this wouldn't happen in the future; but alas, we're lazy.

    Oh yeah, read the Spring 2003 issue 2600 article about Kroger's wifi security deficiencies? Another real-world example of "potentially sensitive data" being available to the world, if you consider Joe Sixpack's family pack of Trojan Magnums to be sensitive and private.

    --

    -
    And the Angel said unto me, "These are the cries of the carrots! The cries of the carrots!"
  60. The Hilarity by Emperor+Tiberius · · Score: 4, Insightful

    In all honesty, we shouldn't have legislation for data leaks and the such. Let's say Joe sysadmin sets up a WiFi network. Joe sysadmin locks down said network, board has difficult time accessing network and "orders" John netadmin to reduce the security and make it more "ease of use-ish." Now in the normal IT world their positions aren't filled with morons. In the educational system where tech jobs are filled @ $5.15 an hour, you have the soccer coach, or the part-time janitor doing IT work. Holes open up, since the net/sysadmin knows nothing of what they're doing, they get by.

    The question is, would the hole have been discovered? Generally the answer is no, people don't always go looking for security exploits. Hehe, if I had WiFi when I was in HS, I'd be happier about that than anything. It makes me ponder if the news didn't try and get in, would someone have?

    I've also worked for the school IT department at my university but quickly quit when I realized the average intelligence around is no higher than a walnut. The one thing I know however, is we don't want the government responsible for private information. Next thing we know is the government pushing DRM and all that other crap.

  61. How long until they... by phillymjs · · Score: 2, Interesting

    ...shoot the messenger here?

    I bet some legal action will be taken against the reporter who did the "hacking," while nobody will even think about holding any school officials accountable for their stunning negligence. I shudder to think what a pedophile with a WiFi-enabled laptop could have done with access to that kind of info. Cripes, it could have really turned into a serious NAMBLA convention out there.

    I know this much, if I were a parent of a kid at that school I'd be raising holy hell about this and calling for the heads of people in the school administration. Starting with Superintendent Mary Frances Callan, who was quoted as saying, "I don't see this as such a huge news story." WHAT??? Bitch, you should be on your knees thanking God that this was uncovered by a reporter and not some scumbag who got a kid's address from that wide-open network of yours and found himself an ideal victim!

    ~Philly

    1. Re:How long until they... by Anonymous Coward · · Score: 0

      Guess what? I AM A PARENT in this district, and here's the rest of the story. BTW, if the Weakly cares so much about children and parents, do you think they informed the alleged "exposed" child's parents before running with this? Not.

    2. Re:How long until they... by TrackDaddy · · Score: 1
      And of course, the worst part is, since the school demonstrated a profound lack of security... It is an even money bet that they had no logging or auditing of access or changes. Therefore all of the information in the system is now suspect, and there is no telling how many individuals did obtain copies of sensitive documents before this news story broke.

      The Superintendent needs to cash a reality check NOW! If nothing else, her attitude shows that she has no understanding of the seriousness of the issue, and should not be allowed to set technology policy, or influence it for that matter, in the future.

      --
      Run! There's a lobster loose!
  62. Re:California's new notification provisions: July by JWSmythe · · Score: 3, Insightful

    Hmmm, IANAL, but in most areas, doesn't this fall somewhere under electronic trespass, or electronic wiretap. Like, accessing a computer system that isn't yours and that you weren't authorized to access? Sounds like not only an admission of guilt, but them bragging about it..

    Of course, press like this is rarely very good. It's enough to scare lots of people away from new technologies.. I'd be surprised if someone doesn't make a push to bring them back down to paper files for everything.

    --
    Serious? Seriousness is well above my pay grade.
  63. It's a SCRATCH DRIVE, people by Anonymous Coward · · Score: 1, Interesting

    This PAW story is totally retarded, as usual. I worked for two years at JLS supporting that network on a volunteer basis. Every sixth grader in the district knows that FUJI is a scratch drive and that anything put up there is NOT SECURE and subject to being blown away every so often.

    The Weakly even says, "Although the server was not intended for high-security documents ..."

    Oh, *although* .... we'll just bury that a safe distance from the headline.

    In other words, "Although this is no story at all and all the important stuff is locked down, we thought we'd go rattling door knobs to see who left their doors open, then raid the houses. After all, WE are The Almighty Communityist Press."

    The Weakly goes on to describe, "a sub-server known as Fuji, which was designed to allow authorized personnel to share files," on a temporary, non-secured basis (but we'll leave that part out; it's not a lie, just not all of the truth).

    So the only issues here are STUPID USERS, and CARPING JOURNALISTS, as usual.

    1. Did some overpaid adminstriviators put stuff on the scratch drive that they shouldn't have? It sure looks that way.

    2. Is PAUSD leaving its entire network wide open to the world? Definitely not.

    3. Is the Weakly off on yet another cynical tangent, this time by driving around rattling door knobs? Definitely.

    Since I live about half a mile from the district office, I'm locking all my windows tonight, that's for sure. After all, if I leave my window open, that means I was just INVITING reporters to crawl in, right? Hey, it wasn't locked down ...

    Yes, I'm posting as a Coward ... I still have to live in the People's Republic of Palo Alto.

    1. Re:It's a SCRATCH DRIVE, people by Radi-0-head · · Score: 1

      Ok, so whose fault is it that you have stupid users?

  64. data protection by t_allardyce · · Score: 1

    I was looking up my old school on the data protection register (uk) they have so much info on the students!

    In the uk (as far as i remember from IT class) we have laws protecting our data and ensuring it's stored securely, i don't know what would happen if it got out (my school used wifi too) - i.e who i could sue/prosecute to get that lovely lovely free money.. hmm what if i hacked it and stole my own data just to demonstrate? - i could maybe pay off the hacking charges with the money from suing the same people! (if only i wasn't such a lame script kiddie)

    The data protection act has to be my favourite uk law, leading to the tv show where mark thomas snoops around dodgy politicians and bosses and then uses the data protection act to demand a copy of all the data they have on him including memos about how they hate him:)

    So yeah if you're in the uk, just go and demand that companies/schools etc give you your data (i think they can charge a fixed amount for it though)

    --
    This comment does not represent the views or opinions of the user.
  65. agreed by Hatta · · Score: 1

    even if this were a completely physical network not having these files password protected would be just as stupid.

    --
    Give me Classic Slashdot or give me death!
  66. Bring on the law suits... by node159 · · Score: 3, Insightful

    Breach of security in regards to medical and psychological data under the school's care, which was known about but not acted on for 9 months? Sounds like some parents are going to get rich quick. Bring on the law suits.

    The attitude of the school's staff appalls me; sounds like the poor admin can't even do his job as everything needs to be rubber stamped before it can go in effect. And since when do they think that by securing the perimeter of the network does it make the files any more secure.

    --
    GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
  67. Students do this too by kavachameleon · · Score: 3, Interesting

    My friend and I recently gave a white paper to our school describing all net vulnerabilities. We were able to access attendance and grade records, as well as the faculty folders because they didn't secure one of their servers. Also, there was an "install" folder with copies (serials included!) of all of the install cds for all the programs ever used at our school. Office, Starry Night, the grade program, etc. It was a treasure trove. But, like responsible people, we gave them the white paper. The sysadmin was unaware of any of this.

    1. Re:Students do this too by Veovis · · Score: 1

      Let me know when you get suspended or expelled because you may have violated a terms of use or acceptable use agreement, school districts LOVE to blame students for their own mistakes (they may turn around and say you caused the insecurities) because they know (the student) usually isn't going to do anything about it, and because schools are an "educational institution" they are (seemingly) exempt against laws regarding computer use or even student rights. Average School's idea of a student: I am the school, you are the student, I am right, you are wrong.

    2. Re:Students do this too by kavachameleon · · Score: 1

      They thanked us profusely, actually. Were very grateful.

    3. Re:Students do this too by Veovis · · Score: 1

      huh? I'm confused...

    4. Re:Students do this too by Veovis · · Score: 1

      ohh wait... nevermind.... I thought I was replying to a different post, I understand now (stupid me for not reading the parent posts)

    5. Re:Students do this too by Maul · · Score: 1

      Honestly, you are lucky as hell that they thanked you. Half of the time people who expose security problems and show the sysadmin out of the kindness of their hearts are accused of being hackers and are (in your case) expelled and often prosecuted.

      --

      "You spoony bard!" -Tellah

    6. Re:Students do this too by willtsmith · · Score: 1

      I think they showed the principal, not the sys-admin. Principals are ALWAYS glad to see something that could avoid a possible lawsuit. That's their full-time job these days.

      --
      -------- -------- Support Wesley Clark for president!!!
    7. Re:Students do this too by front · · Score: 1

      Do you know how serious that "white paper" could have been?

      That the sysadmin might have tried to cover his/her ass by handing you and your friend to Feds as information terrorists?

      The best thing to do, if you want my advice, is to RUN don't walk from the whole building the next time you discover a security vulnerability in any network anywhere and never mention it to anyone.

      Zero tolerance high schools means zero tolerance for anything they don't understand.

      Good luck anyway...

      cheers

      front

    8. Re:Students do this too by kavachameleon · · Score: 1

      We actually thought about that, and had the dean sign a "protection contract" on our behalf (before we revealed that there actually *was* an issue), since he really likes us. Then we showed it to the sysadmin.

  68. Psychological Evaluations by IWannaBeAnAC · · Score: 1
    ... complete with full-color photos of students and a psychological evaluation.

    Does this mean they had a psychological evaluation for everyone? Is this common in US schools? It is unthinkable where I come from!

    1. Re:Psychological Evaluations by jumpingfred · · Score: 1

      It wasn't common where I went to school (in the US).

  69. Out of curiosity by _avs_007 · · Score: 1

    How did they find you? I mean, even if they had your MAC address I don't imagine it saying much. I also can't imagine them finding you based on what your Network name was, unless your network name was your actual name or something, (and yes, I've seen wideopen networks whose SSID was the physical address of the owner's house)...

    1. Re:Out of curiosity by LionMage · · Score: 1

      The full story is a couple parents up. Basically, they found a blog entry (specifically, my LiveJournal entry where I wrote about being surprised at finding a wide open WiFi access point being run by H*neywell). At least, that's what one person who's "in the know" told me. The official story they fed me during a meeting was that they'd hired a security consulting group, and that they somehow found my "digital fingerprint" as someone who'd accessed their network via WiFi. But that sounded like BS to me, especially when they told me that they could track what I'd done outside their network (i.e., what web sites I went to), but they couldn't track what I did inside H*neywell's network. Yeahhhh, right.

      I have no idea if the iBook transmitted my real name or not over the air, though I suspect not. The fact that H*neywell was able not only to find me, but did so through my employer (whose name was also mentioned in my blog) lends credence to the theory that they found out totally by accident, by doing a Google search and turning up my blog entry.

      A cynical person might say that the real moral of the story is, if you do something that might be considered illicit, don't talk about it. But I had no idea I was doing anything "wrong." As I said earlier, I assumed that the access point was running in a DMZ, because I assumed nobody would be stupid enough to run an unsecured access point behind a corporate firewall.

    2. Re:Out of curiosity by Anonymous Coward · · Score: 0

      But that sounded like BS to me, especially when they told me that they could track what I'd done outside their network (i.e., what web sites I went to), but they couldn't track what I did inside H*neywell's network.

      Actually, that's not surprising. I used to work for a lab with defense contracts, and all contact with the outside world was logged and filtered. You couldn't even go to spies.com, presumably because "spies" was on the list of contraband that the filter was looking for.

      Given that, they probably have logs for all the activity from the AP to the outside world. They, however, don't have internal logs (or if they do, they're scattered across the network) for access from the AP to the other machines behind the firewall. After all, if it's behind the firewall, it must be friendly, right?

    3. Re:Out of curiosity by Mr.+No+Skills · · Score: 1

      Maybe the lesson is to just play dumb about the whole thing. When questioned, couldn't you just say "I thought it was our network"? Seems that especially with so many laptops starting to come WiFi enabled, turning your computer on and surfing the web could be easily done without spending a whole lot of time thinking about where the connection is coming from.

      Your weblog theory seems to make a lot of sense. Probably the moral of the story is to not use specific addresses and company names when talking about security holes!

      --
      Sleep is for the Weak
    4. Re:Out of curiosity by _avs_007 · · Score: 1

      especially considering XP connects to wide open networks by default.

      Besides, given that most people don't bother to change the SSID, I could've tried to connect to my own AP, but dammit, your AP was physically closer, so the signal strength was greater, and connected to it instead :)

      Also, I've heard many times, when asking people about their AP so I can connect to it, they tell me something like, "it's the wide open one"... Gee, that's real specific. I can see 5 of them :p

  70. No way. by mindstrm · · Score: 2, Interesting

    That's toeing the line between "security" and "protection racket"

    If you know the data isn't for you, and it's not advertised for you to get, then you can reasonably assume it's private.

    Surfing student records over a wireless connection is one of those things that falls under "We knew it was not public information, and that we were accessing information we were not supposed to be"

    ANYONE who accesses my network through some kind of security breach does not deserve any kind of protection.

    1. Re:No way. by Anonymous Coward · · Score: 0

      Does that include when someone working for you at www.getpaydayadvance.com accidentally places a folder/directory containing sensitive information in an unsecure area of your web server? And if I accidentally find it by browsing to www.getpaydayadvance.com/weeklyprofits , and look at all of your accounting files, I am liable for your information that is in the publicly accessible portion of your network? I don't think so, bub.

    2. Re:No way. by TinoMNYY24 · · Score: 3, Insightful

      I disagree. Companies should be held liable for their own insecurities. If they left their accounting books on the floor behind the toilet at the local gas station, and a competitor read them all, the competitor could not be sued for accessing that information. The same is true of the internet, or computer networks of any form. That network was being broadcasted over public airwaves, and therefore is public property. If it were secured in any way, then it would be illegal to circumvent the security devices. Unfortunately for the school, it was not.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  71. I go there! by Anonymous Coward · · Score: 0

    I happen to go to this school district. Being into technology, I help administrate our high school's networks, and I have personal experience with the gross incompetence of some of the tech people that work here.

    I'd like everyone to know that 99.9% of all the tech stuff is done by us students. Now that we're out for the summer, it looks like the district can't handle it themselves.

    Oh well, not my problem. The school doesn't have *any* useful info on me at all. ^_^

  72. Where has all the crypto gone? by IWannaBeAnAC · · Score: 1
    On one hand, the algorithms to do proper WiFi security certainly exist, and would be no more expensive to implement than what we ended up with (probably cheaper in fact, since the algorithms would be 'off the shelf' of the crypto literature).

    But we end up with these stupid deliberately crippled algorithms because law enforcement and government security are paranoid about not being able to read everyone's mail, and hold enough sway to dictate what will and will not become standard.

    How long are we going to have to wait for this to change? Will some rebel write a good WiFi protocol suite in the meantime? And if so, will the above-mentioned powers be able to stop it?

  73. Something you should know by jabber01 · · Score: 3, Funny

    I'm your Thai love slave.

    I'm a 46 year old white dude. I weigh in at 332 lbs, and I sell pig manure to soy bean farmers for a living.

    --

    The REAL jabber has the user id: 13196
    What you do today will cost you a day of your life

    1. Re:Something you should know by Anonymous Coward · · Score: 0

      Dad!!!???

    2. Re:Something you should know by orasio · · Score: 1


      Pinocchio!!

  74. WiFi Didn't expose it, stupid administrators did. by OS24Ever · · Score: 2, Insightful

    I grow tired of seeing WiFi get the blame because someone didn't flip a simple switch on a cheap wireless hub that would have prevented 99.99% of the reporters of the world out there from doing this.

    WEP exists to stop people like this, it won't stop someone determined, but it will stop the sensationalistic 'news at 11' types

    --

    As a rock-in-roll Physicist once said, No matter where you go, there you are.

  75. SASIxp Security by that1guy · · Score: 1

    "We also able to view the district's student information system, SASIxp. "

    Out of the box SASIxp uses DBaseIV which you can link a table to in MS access or any other DB prog. So security for SASI sucks ass out of the box!

  76. it's not good Trent by pyrrho · · Score: 1

    best not to know! :)

    --

    -pyrrho

  77. Re:WiFi Didn't expose it, stupid administrators di by shadoelord · · Score: 2, Interesting

    I do agree that it wasn't WiFi's fault, but I think it's a good thing to have "news at 11" to promote tightening of security. Now that it's been exposed in that district, I'm sure the surrounding area will also investigate their own blatant oversight.

    --
    this is my sig, there are many like it, but this one is mine.
  78. Boiler insurance by Beryllium+Sphere(tm) · · Score: 2, Insightful

    Would you like a positive response this time?

    If there's a liability exposure, institutions will buy liability insurance, and the insurance companies will be a well-funded central source of motivation and knowledge to improve security.

    Steam boilers used to blow up and kill people. Insurance companies started demanding boiler inspections. After that, fewer boilers exploded.

    The "U" in the UL tag on electrical equipment stands for "Underwriters".

  79. Wrong by dnoyeb · · Score: 1

    They do not need to circumvent any security measures. All they need to do is access data that was not intended for them. At least that's how current court cases are going. Still waiting on that issue to be resolved eventually in the supreme court if it ever gets there.

    Remember, honey pots are OPEN WiFi units, not locked ones.

    Anyway, I doubt if student records are copyrighted material and I do not think that is the law in question here. Of course if there were a few tests on there or answers from certain software test programs etc..

    1. Re:Wrong by pod · · Score: 1

      It's like putting 'unauthorized access prohibited' on telnet and ftp server banner screens. As long as you know such access is explicitly prohibited, and you are not authorized to access it, you are breaking the law by continuing. Even if all you have to do is press enter at the password prompt.

      --
      "Hot lesbian witches! It's fucking genius!"
  80. PAUSD was hacked about 20-25 years ago.... by Anonymous Coward · · Score: 0

    It was done via analog modem, probably 300 baud or so. Some people never learn.......

  81. Look at all the excuses followed by "not to make e by Anonymous Coward · · Score: 0

    The article has funny quotations by school people, who all seem to say:

    Not to make excuses, but my excuse is that someone else did it, or that we were going to get to it eventually, or that I don't see that it matters....

  82. Irresponsibility by gotr00t · · Score: 1
    From the site - District administrators are blaming the security breach on everything from bureaucracy to teacher error to grass-root efforts to establish wireless networks at school sites.

    As you can see, they are clearly trying to dodge the blame. Not only is the person with the top position of the school board trying to do so with her "I don't see this as such a huge news story" quote, but also, her underlings are as well. If these "administrators" had half a brain, they would have realized that a wireless network would need some security measures. This is why I claim that most school "tech guys" are incompetent and just too conservative on the use of security.

    They fail to realize that these are the records of students at their schools. By doing this, it is nothing short of just opening up their vault of permanent records to the public.

    1. Re:Irresponsibility by Slack3r78 · · Score: 1

      I agree with you in that most school IT people are morons, but "conservative" isn't the word to describe them. A truly conservative sysadmin would never let a wireless network in in the first place unless absolutely necessary (which I don't see how it could have been in this case), let alone leaving it on all the default, wide-open security settings.

  83. Identity Theft by Helmholtz · · Score: 2, Insightful

    In this age of identity theft, I think Universities should be held to a high standard of privacy. I know when i attended college, I had a real problem with the University using my social security number as my "Student ID" number. I complained to the Dean of Student Affairs, and was told that it was University policy and there was nothing that could be done about it.

    I remember strolling by empty offices of professors seeing the green printouts of class rosters at the beginning of each semester, and thinking that all it would take is somebody to duck into one of these rooms, lift that list, and poof, you've got hundreds of names and valid social security numbers.

    I realize that many schools are moving away from using the social security number as a form of student identification, but I wonder if this coincides with a shift in the fundamental philosophies of these establishments, or if it is simply a method of saving face. I sincerely hope it is the former rather than the latter.

    --
    RFC2119
  84. Consider yourself facilitated by djupedal · · Score: 1

    "PAUSD Technology Training"

    "The Information Services/Technology Department supports teaching and learning by facilitating communication and productivity. IST keeps the computers and other technology used by students, teachers, administration, and support staff up and running; maintains the student information (SASIxp) and Human Resources systems; and monitors the network infrastructure."

    I'd say they got the part about 'facilitating communication' right, at least :)

    Expect SASIxp to be gelded soon, if not already...ouch!

  85. Is there something in the water in Palo Alto? by irenetheno · · Score: 1

    There's gotta be. Neither the laboratories nor the schools are demonstrating active security consciousness.

    It's that or the reporters in the area are the nosiest SOBs around.

    1. Re:Is there something in the water in Palo Alto? by Anonymous Coward · · Score: 0

      Just fluoride. But they are putting a referendum on the ballot to take it out. As usual, they are going to completely ignore the fact that State law mandates that the water be fluoridated.

      That is Palo Alto.

  86. School Security by Parinioa · · Score: 2, Funny

    A few years ago I was taking a Cisco course that was offered through our school by the local Tech Institution. I was working on a way to log into a Win2k server box over a modem so that I could do various things from home (never did exactly figure out what as the net connection at the school was crap and the modem never did work), but as I was looking at the network I ran across the school's web page and looked at the server behind it (WinNT 4 with IIS, luckily patched for code red that had been running rampant about that time). I could log onto the server through FTP as Anonymous and browse through the few files that were there. The one gem I found was an Access database with personal information about every single employee of the district. Being the good little boy I told IT (wonderful when the teachers listen to you). The server stopped serving FTP for about a week and then it was back up with the offending file. It didn't get taken back down until they did a major upgrade over the summer and put a Win2k box in its place. (that and half the IT staff got replaced that year). Ahh the stories of our IT staff, I could go on forever.

  87. Kids data unsecure? by Dr+Reducto · · Score: 0, Troll

    I bet priests are all over this one. I bet they are going to Wardrive for schools that have this vulnerability, then get the photos and psychological evaluations. They will find the hot kids who are pathological liars. Then, NO ONE WILL BELIEVE THEM!!!! HAHAHAHAHA!!!

  88. Which reminds me. by dtfinch · · Score: 0, Offtopic

    I still need to do something to protect the wireless network where I work. I hope they don't think I did it already.

  89. i met my wife on match.com by Anonymous Coward · · Score: 0

    she is a very hot half puerto-rican half german girl, she is the best lover i have had and we love each other like a fairy tales happy ending.

    and it only cost me 29.95 and 15 minutes of creating my profile.

    what have you nerds got to lose? your virginity maybe?

    contrary to popular myth a lot of the girls on there are hotties that are tired of players and want a real relationship without the bullshit.

    course sometimes you get a real head case, i met one, but she was certainly cute.

  90. Getting an IP is a felony? by LionMage · · Score: 4, Informative
    You bring up an interesting point, so I actually called my attorney and asked him about the points you bring up.

    Yes, just getting an IP address is a felony. FCC law says that robbing someone electronically of services or interfering with electronic transmission IS a felony.

    Well, actually, my attorney says no it isn't in my case... Because of the following argument:
    1. H*neywell is a corporate entity with known expertise in electronic communication.
    2. H*neywell is on "constructive notice" that they must secure their resources or face the possibility of people "openly and notoriously" using their resources (in this case, wireless network access).
    3. H*neywell remains silent as I and others connect to and use their wireless access point, even though they have the capability to monitor such access, and the ability to lock the electronic "gate" that bars access to this resource. (Locking the gate in this case is equivalent to putting some kind of password protection on the access point.)
    4. H*neywell has, in effect, waived their rights by not voicing objections and putting me and others on notice, and by not securing their resources.


    It was [the newspaper's] intention to access the network and they knowingly downloaded files that were sensitive in nature.

    Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.

    If you knowingly leave your door unlocked and I willingly open it and walk in, have I committed criminal trespass? According to the law I have... it's called "breaking and entering."

    Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.

    Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.

    Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.

    If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)

    In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.

    Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.
    1. Re:Getting an IP is a felony? by Anonymous Coward · · Score: 0

      Interesting.

      So after having read some of your LiveJournal entries, I realize that you are not computer-illiterate. We'll just leave it at that.

      In your parent post:

      I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall!

      Here's what I'm thinking, and maybe I'm wrong. I see an above-average computer user finding an unsecured access point. You know it's not yours, but you proceed to use it for whatever you like, without a care in the world, assuming that it's okay for you to knowingly use bandwidth that you're not paying for. Heh heh, free Internet access. Lucky me. Why should I tell anyone? It's not my fault they can't secure their network.

      Combine this with your lawyer's 100-acre story. Every time you see a stretch of land with nobody clearly guarding it, you set up camp? Probably not. I don't suppose that you would assume that it's okay for you to squat on it, would you? Just because the land doesn't have a "no trespassing" sign every 30 feet doesn't mean that it's not posted.

      The if-they-don't-kick-me-off-the-land-within-xxx-amount-of-time claim is just bogus. I don't think any court in the land would require a landowner to physically verify that there are not people trespassing on their property, do you? [Sarcasm to follow] Well, I'm sorry sir. We're going to have to allow Bob Squatter to build a condo on your back 40 because by not verifying that your land was secured, you gave up all right to it.

      Yeah, sure...H*neywell has the "duty" to secure their network. Then again, they also can't very well run to every office/cubicle/closet/desk drawer to verify that Stupid Employee hasn't set up an unsecured AP. The fact that it went unnoticed doesn't mean that they didn't care.

      If you really, really thought that what you did was okay - then why the need to consult a lawyer? I think you knew that what you were doing was wrong, and that you got caught. Period.

      If I'm wrong, please tell me how. If I am right, then continue to hide behind your lawyer.

  91. Well we weren't actually called junior admins by metalhed77 · · Score: 1

    Our real title had escaped my mind when I wrote the post. We were the school, now wait for it ....

    IT Squad

    Yes the hall passes with that written on them were painful, as was being called the I lowercase t as in It squad by teachers when they checked our passes. I thought I was signing up for a network engineering class, boy was I fucked over.

    --
    Photos.
  92. Re:California's new notification provisions: July by BJZQ8 · · Score: 2, Interesting

    I was involved in a similar situation about 2 years ago. Huge amounts of school information were exposed to the world, and it was all quietly swept under the rug. I was told to keep quiet and to say nothing more of it. I was threatened with termination if I disobeyed. Since I no longer work there, I'm pretty free in saying that their "security system" has a bigger hole than the goatse man. School districts that buy "consultants", which are little more than revolving-door Microsoft salesmen with MCSE's, should be dragged out and shot. All they do is put up a huge line of BS that gets them the sale, then they act like they have done their job. School computer systems are all a total joke.

  93. Re:California's new notification provisions: July by zakezuke · · Score: 2, Interesting

    I'm not sure how this would qualify on electronic trespass. It's one thing to physically or electronically attempt entry, but when the radio waves are not encrypted and pass through your body?

    I mean... if for example I had a WiFi card and I was on campus, which I would consider perfectly out of the ordinary, and I tripped upon a network connection, I would think "oh neat public WiFi". Just like if I was walking down the street and saw a path to a lake, "Oh neat a public lake".

    My point is without notice, how do you expect people to know it's trespass? Or on the other hand, without encryption, how do you expect people to know it's private? Without notice of private property, I don't think it's trespass.

    Common sense should rule in cases like this, as for radio reasonable attempts should be made to protect private communications, and if they are intercepted it's your own damn fault.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  94. Re:California's new notification provisions: July by Anonymous Coward · · Score: 0

    you are high

    there is no such thing as a natural copyright

    copyright must be registered

  95. Surprise? by rulethirty · · Score: 1

    Is anyone surprised by this, because I'm not... definitely not slashdot worthy...

  96. Re:California's new notification provisions: July by Anonymous Coward · · Score: 0

    Wow, you're a smart one. Try reading that link. Here, I'll do it for you:
    In general, copyright registration is a legal formality intended to make a public record of the basic facts of a particular copyright. However, registration is not a condition of copyright protection.

  97. I tried to be helpful by DMDx86 · · Score: 4, Interesting

    My school district, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we can't do anything". I laughed and forgot about it for a year.

    Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.

    After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.

    As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.

    1. Re:I tried to be helpful by Artifex · · Score: 1
      After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.

      As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.



      If they're attacking your systems, it's got nothing to do with school. They're breaking laws.

      Keep a log of the idiots trying to break in, start publishing the IPs (resolving to adminsbox.fortbendisd.etc), and also send your administration a cease-and-desist letter warning them that you will sue them for attempted illegal trespass of your computer systems.

      Start approaching your local school board reps. Ask them why they're letting their admins engage in criminal activity.

      If they don't respond immediately, send the information to the local newspaper, ask the local TV station if they want to hear about how the admins are criminals trying to destroy your computer system. Show them the paperwork. Show them how the board does nothing.

      The idea is to get as much publicity as possible centered on these idiots, so they can't get away with it. People should know not only who did it, but all the people who let it happen. People should be fired/kicked out of office over this.

      --
      Get off my launchpad!
  98. Re:California's new notification provisions: July by bezuwork's+friend · · Score: 1
    No fair! Whetting our interest like that and then not telling us your school.

    Seriously, though, if your school hasn't fixed the problem, perhaps the local newspaper near your school could pull a similar expose. I'm sure that would get the problem fixed and in the long run it would benefit the students.

  99. As a student at Gunn high school....(PAUSD) by ZaBu911 · · Score: 2, Interesting

    I'm really disappointed with this. Not only is it a violation of my privacy, it's not the first.

    It's very easy to get a network drop and access files. This is simply ridiculous. Fortunately, I was able to save the day and alert the network administrator .. who did nothing.

    Oh well, at least they opened up port 22 for me

  100. kids these days by Pootie+Tang · · Score: 1

    They just have it too easy. Back in my day if we wanted to change our grades we had to:

    1) get in enough trouble to get sent to the principal's office
    2) make sure secretary gets distracted
    3) quickly pull out secret drawer and note password without being noticed
    4) go home and bust out the acoustic coupler

    Nowadays all you need to do is get out the laptop...

    Don't even get me started on precipitation, inclination and the commute.

  101. Re:It's a SCRATCH DRIVE, people -- Whatever by Anonymous Coward · · Score: 0

    Does it really matter??? The fact that it's a scratch drive is a useless point. The only point that is worth talking about is that a School let private data get out.

    Great you're a volunteer, and I don't want to offend you living in the People's Republic of Palo Alto, however sensitive data did get out... and you are somewhat responsible for what happened.

    I love it when administrators blame stupid users, instead of themselves because it's easier to blame them than accept the blame that they screwed up.

    Praise to the Weekly for exposing this mess!

    Let's discuss what should be done to the people responsible. :) Hey RIAA, please go after the fools responsible for the... I might actually enjoy watching that happen. :)

    Anonymous
    Mac/Linux System Admin.

  102. Re:California's new notification provisions: July by JWSmythe · · Score: 3, Informative


    Well, logically, ya, you should be able to listen to anything being broadcast at you.. But, look at what they do if you descramble satellite feeds without paying..

    But, I don't think they accidentally picked up the signal. They said they were sitting just outside of the school's office, with the proper equipment (ya, laptop and wifi card, big deal), but that's intent. Not only that, but sitting outside that office ("Using a laptop with a wireless card outside the district's main office") they sent data to retrieve data ("the Weekly gained access to such data as ..."). They were trespassing, just as much as if they reached in the window to pick up files sitting there. It could be arguable if they happened to walk past with their laptop in hand, and made a connection but did nothing on it, that they were simply receiving passive communications, but the reporters went as far as to connect, and dig through the confidential files of the students. Being that they were students, and not only were there contained school records, but medical records ("emergency medical information complete with full-color photos of students and a psychological evaluation")

    Ahhhh, and here we go with the law (I've been busy with work, not much time to play). The summary of this is, yes, they broke the law, and it's punishable by $2,500 and/or 1 year in jail on the first offense, and $10,000 and/or 1 year in jail on the second offense.


    PENAL CODE
    SECTION 630-637.9


    631. (a) Any person who, by means of any machine, instrument, or
    contrivance, or in any other manner, intentionally taps, or makes any
    unauthorized connection, whether physically, electrically,
    acoustically, inductively, or otherwise, with any telegraph or
    telephone wire, line, cable, or instrument, including the wire, line,
    cable, or instrument of any internal telephonic communication
    system, or who willfully and without the consent of all parties to
    the communication, or in any unauthorized manner, reads, or attempts
    to read, or to learn the contents or meaning of any message, report,
    or communication while the same is in transit or passing over any
    wire, line, or cable, or is being sent from, or received at any place
    within this state; or who uses, or attempts to use, in any manner,
    or for any purpose, or to communicate in any way, any information so
    obtained, or who aids, agrees with, employs, or conspires with any
    person or persons to unlawfully do, or permit, or cause to be done
    any of the acts or things mentioned above in this section, is
    punishable by a fine not exceeding two thousand five hundred dollars
    ($2,500), or by imprisonment in the county jail not exceeding one
    year, or by imprisonment in the state prison, or by both a fine and
    imprisonment in the county jail or in the state prison. If the
    person has previously been convicted of a violation of this section
    or Section 632, 632.5, 632.6, 632.7, or 636, he or she is punishable
    by a fine not exceeding ten thousand dollars ($10,000), or by
    imprisonment in the county jail not exceeding one year, or by
    imprisonment in the state prison, or by both a fine and imprisonment
    in the county jail or in the state prison.

    I won't say that the school didn't fuck up, because honestly they did.. But, as any stumbler/wardriver knows, they're not the only ones. It doesn't take a computer expert to get into most networks. They should have done a better job, but failed. This is barely news, it's just a reporter bragging how they broke the law, invaded the privacy of thousands, criminally trespassed, and are flaunting it as news. It's as criminal as if they broke into a bank and took out cash, even if handing it back in the morning, to prove that it could be done.

    With that said, ya, my laptop is set up for stumbling too. :)

    --
    Serious? Seriousness is well above my pay grade.
  103. Re:California's new notification provisions: July by JWSmythe · · Score: 2, Informative

    BTW, here's a nice little list of some of the state laws, just regarding the wiretap portion.

    http://www.ncsl.org/programs/lis/CIP/surveillance.htm

    --
    Serious? Seriousness is well above my pay grade.
  104. Re:California's new notification provisions: July by zakezuke · · Score: 3, Informative

    But, look at what they do if you descramble satellite feeds without paying.

    Ahh, that's actively *descrambling* the data. That's going above and beyond, theft of services and all that. You need to buy a key of sorts to gain access to these services, unless you are in Canada of course.

    intentionally taps, or makes any
    unauthorized connection, whether physically, electrically,
    acoustically, inductively


    I do not claim to be a lawyer, but largely based on what I've observed tap, as in wire tap, only applies to audio tapping. As in, it might very well be legal to pop in a security camera so long as it doesn't pick up audio.

    Furthermore, even the law you quoted implies *authorized access*. I would argue strongly that without basic security measures that all people *are authorized* to access this material. It would be no different, in my mind anyway, if they put up private information on a public web server, esp if google picks it up seeing no robots file in place.

    I would further submit the fact that the service of WiFi net access is very much commonplace. For example, my local Starbucks coffee offers WiFi access for a fee, and I know of one CAFE that offers public free WiFi access.

    Given that this is a service offered in some establishments, a stumbler who accidentally comes across access might reasonably assume that this is a service, given there was no security and *authorized access* is granted to everyone by the WiFi router based on a configuration choice by the system admin. My argument, which may or may not stand up in court, would be that because the system authorizes you that no law was broken, even if access to proprietary data was made publicly available to anyone who requested access.

    We can clearly agree the school fucked up, but I'd argue that they should be held criminally liable because their WiFi network specifically grants *authorized access* to anyone. Just because it's an automated authorization system is no excuse in my mind's eye, no different than asking for proprietary records and getting them by fax from an office worker that wasn't told better.

    If it was me personally, I'd say, "oh cool, public WiFi network, I can check my e-mail from here".

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  105. Forgot WPA by gad_zuki! · · Score: 1

    WPA will replace WEP as the standard 802.11x encryption scheme. It fixes the major problems with WEP e.g. airsnort won't crack keys anymore, and the implementation is supposedly easier to use than WEP.

    The bad part is it's no IPSec w/ 3DES, but it's better than WEP and many manufacturers will be able to provide WPA by upgrading the firmware on the card and access point, depending on the model of course.

    I believe Windows XP support is already here.

  106. Why can the news paper? by rosewood · · Score: 1

    You hear stories every so often about some "hacker" who gets into a system, does nothing, tells the sysadmin, and gets arrested/fined/sued, etc.

    But when a newspaper does it, it's just reporting? I'd be raising hell if I was a parent and some newsie saw my kid's psych evaluation!

  107. Re:California's new notification provisions: July by PiousPeter · · Score: 1

    I would assume the files were on a server. Even a Windows Server requires user authentication. If they were just using windows file sharing that should REALLY be pointed out.

    I work at a school district and not only do we need server login, but also a login to the database that stores student records. Two counts of violating digital security...

  108. Hah! by xRelisH · · Score: 1

    Yeah right, this is probably just some ploy to hide the real truth.

    That real truth being a gang of hacker parents hacking into the school database and copying such information to an unprotected location in order for themselves and other parents to find out their children's marks since report cards seemed to be getting "lost" in the mail.

  109. now that you mention it by _avs_007 · · Score: 1

    Well, I'm sorry sir. We're going to have to allow Bob Squatter to build a condo on your back 40 because by not verifying that your land was secured, you gave up all right to it.


    Actually. If your neighbor builds a fence to separate your property from his, but decides to build it on YOUR property, you have seven years to notify your neighbor, otherwise, that part of your property is now legally his. I know, because it happened to my parents.

    1. Re:now that you mention it by Craig+Davison · · Score: 1

      And it makes sense too. Obviously they had no use for that land.
      Besides, all land was "stolen" from someone at some point. Since there's a limited amount of land out there, the defend it-or lose it idea makes sense.

  110. Re:California's new notification provisions: July by TinoMNYY24 · · Score: 1
    I was going to reply that you were wrong, but AC already did that for me. I really need to change my sig to my instructions for people posting on Slashdot:

    read, think, post.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  111. looking at it wrong by _avs_007 · · Score: 1

    This is not like private property or a parking stall, where you shouldn't be in the first place. This is more like a business.

    think of it this way:

    It's 2pm on a Monday afternoon. You walk down the street, and walk past a 7-11. All the lights are on, and the door is unlocked. So you walk in. If you were closed, you should've said so, and locked the door.

    The reason it's more like this, is because there are public APs. How do you differentiate public APs from private APs? If you put a web server on the internet, how do you know you aren't allowed to use it, unless you secure it?

    That's like me buying out the BedMart at the local mall, to use as my personal relaxation place, and getting pissed and arresting everyone that comes in, because it's my "residence", not a store anymore. How were the "patrons" supposed to know this wasn't a store anymore?

  112. Don't laugh.. by Anonymous Coward · · Score: 0

    I have a friend who has a thai love slave. Well it ended up more like him being her american love slave, but there was definatly some form of love slavage involved.

  113. Re:California's new notification provisions: July by TinoMNYY24 · · Score: 1

    There are ways to set up Windows shares so that they do not require a password of any kind. In this case, the data is still publicly accessible. If the reporters were guessing passwords until they got access to the data, this tells us two things:
    1) The school needs to require high-level passwords.
    2) This reporter was seriously breaking and entering and should go to jail.
    Either way, this is serious. If a regular reporter can wardrive around finding out school records (including psychological workups and SS#), then anyone can do it, regardless if he guessed passwords or not. The school should be required to beef up their security, or stop using wireless, which is ridiculous for a school anyway. Wire the buildings.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  114. Re:California's new notification provisions: July by NoodleSlayer · · Score: 2, Interesting

    The point is that there is no security to bypass... None, zip, zero, zilch. I live and just graduated from Monta Vista in the nearby Fremont Union High School District, and the thing about 90% of the District tech guys is that they don't know what they are doing.

    I've met an MCSE before that didn't know how to add a user to a Windows 2000 server. Honestly, these people for the most part are the lowest of the low. And similarly in FUHSD they too have an unencrypted wireless network. I can access that network *from my house* that's a mile away, granted we had to pull out a friend's parabolic dish, but we managed to hit the thing, not to mention that I have good line of sight to the entire valley from my house.

    These guys don't comprehend that a wireless network does not stop at their walls, and they leave the networks unencrypted to make it "easier" for them. Security is only a concern as long as they don't get caught. I've seen, I've known students that have broken into an Apple File Sharing server with a simple brute force attack, and then they proceeded to delete several students' work from the Typing class and move some files around.

    This was a situation that was easily preventable by maxing out the number of times an account can attempt to login within an hour, but they didn't do it because it was "too inconvenient." Evidently these guys also aren't smart enough to remember their own passwords, so much for security.

    ~Noodle
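
The lockout described in the comment above (capping how many times an account can attempt to log in within an hour), as an added example that is not part of the original thread and not any file server's own code. The class name, the limit of 5 failures per 3600 seconds and the simulated attacker are assumptions made for illustration.

```python
from collections import deque


class LoginThrottle:
    """Sliding-window cap on failed logins per account (illustrative, hypothetical class)."""

    def __init__(self, max_failures=5, window_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # account -> deque of failure timestamps (seconds)

    def _recent_failures(self, account, now):
        q = self._failures.get(account)
        if q is None:
            return 0
        # Drop failures that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            # Free the entry so made-up account names do not accumulate forever.
            del self._failures[account]
            return 0
        return len(q)

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if self._recent_failures(account, now) >= self.max_failures:
            # While locked, the password is not evaluated at all. Even the correct
            # password is refused, so a guesser learns nothing during lockout.
            # Locked attempts are not recorded, so hammering the server cannot
            # extend the lockout of the legitimate user indefinitely.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures.setdefault(account, deque()).append(now)
        return "failed"


def simulate_bruteforce(throttle, account, correct_index, duration_s):
    """Constructed attacker: one guess per second, walking a password list in order.

    `correct_index` is the position of the real password in that list.
    Returns (cracked, guesses_evaluated).
    """
    guess = 0
    evaluated = 0
    for now in range(duration_s):
        result = throttle.attempt(account, guess == correct_index, now)
        if result == "locked":
            continue  # guess was never checked; attacker retries the same one
        evaluated += 1
        if result == "ok":
            return True, evaluated
        guess += 1
    return False, evaluated


if __name__ == "__main__":
    # Constructed scenario: the real password is the 401st entry in the list.
    unlimited = LoginThrottle(max_failures=10**9)
    limited = LoginThrottle(max_failures=5, window_seconds=3600)
    print("no limit :", simulate_bruteforce(unlimited, "typing01", 400, 7200))
    print("5 / hour :", simulate_bruteforce(limited, "typing01", 400, 7200))
```

With the cap in place the same attacker gets 5 guesses evaluated per hour, about 120 per day, instead of one per second.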

  115. Not surprised by Linker3000 · · Score: 3, Interesting

    Stayed in a uni hotel (part of their conference suite) about a month ago and each room had access to the campus network and Internet via a 100BaseT connection. Hooking my laptop to the network revealed dozens of workgroups, numerous student and uni PCs. About 80% of the PCs had guest login disabled, but among the noteworthy that didn't:

    1 PC hosting numerous recent movies including the one where there is no spoon (reloaded)
    1 PC sharing 'my documents' with tons of party pics (all very pretty but harmless)
    Numerous MP3s in about 20 shared 'my music's
    A smattering of pr0n
    Almost every accessible PC infected with worms that spread via NETBIOS (Norton AV 2003 went frantic every time I browsed a share)

    Welcome to the real world

    L3K

    --
    AT&ROFLMAO
  116. Reminds me of my school by Anonymous Coward · · Score: 0
    This story reminded me of what happened somewhat recently (6 months - 1 year) at my school.

    Apparently some information in an e-mail list archive became publicly available by accident. Unfortunately this information contained the names and ssn of several students. 9,505 students to be exact. Oops.

    Scary thing about this was that it was found out by some students who accidentally ran across a cached page of this on google. If you wanna check out the stories that ran in the school newspaper you can click here and here

  117. And in other news... by Anonymous Coward · · Score: 0

    Dog Barks. ;-)

    BTW, Good Luck BMW.WilliamsF1 team on sunday.

  118. WiFi wasn't the culprit... by Mike+McTernan · · Score: 1

    ... it was some sysadmin or the person who setup the network!

    That's like blaming the ethernet for hacking my box!

    --
    -- Mike
  119. Not a WiFi issue by Anonymous Coward · · Score: 0
    This isn't a WiFi issue, though WiFi does aggravate the problem. This is a security issue. No one seems to have taken security into account. IMO you should always use multiple security layers to secure data, especially if it is confidential or personnel data. A belief that physical security (no unauthorised person can access the systems) is sufficient is bunk. The IT management people (not the low-level techs and admins but the suits) deserve to be fired and prosecuted.

    IMO if you design a network and are considering security, assuming that the network backbone is directly connected to an enormous internet cafe filled with script kiddies, warez doodz, black hats and other undesirables is a good idea.

    Good Hunting

    Coward
  120. I think you all missed something... by tbase · · Score: 2, Interesting

    I tried to find a comment on this issue, but didn't see one. Sorry if I missed one.

    This has nothing to do with WiFi. The data was on the network and not even password protected. Take the WiFi out of the equation, and from what I read in the article, anyone, even a student in the library, could have accessed this info. Teachers shouldn't even have access to the psych evals unless there's a reason and they get permission. The board's own policy says that pictures of the kids shouldn't be stored on the network. The point is those files were supposed to be in a locked down area of the network, and they weren't. Even if they were, the individual files should also have been password protected, in addition to the volume they were on.

    And as far as the newspaper getting in trouble, it seems to me that allowing guest access means that you're ok with guests connecting. I don't think there was much 'hacking' involved. If there was, they should get in trouble. Otherwise all I have to do is get a job as a freelance writer for a paper, and then I can do whatever the heck I want, and if I get caught, then I just say I'm working on a story. That's BS.

    You want to do this kind of investigating, you should accept the risks. If you want a by-line and glory, you deserve what you get. Sometimes doing the wrong thing for a good reason is needed - but if you don't punish people when they're caught, it's going to get out of hand.

    --

    666-607: 6th floor apartment of the beast
  121. Laurent Marx by Anonymous Coward · · Score: 0

    is that you?

  122. in other news - Headline Exposes Ignorance by Shadestalker · · Score: 2, Insightful

    "WiFi Exposes Sensitive Student Data"

    The technology isn't the problem, it's the people. Oh sorry, I guess "People Still Stupid, Film at 11:00" doesn't make a juicy headline, now does it?

  123. What about HIPAA? by SolemnDragon · · Score: 2, Interesting
    Health Information Privacy Accountability Act... wouldn't the school be in violation for not locking down students' health data? This is a real issue here in the Northeast US, where everybody who has so much as a note from a doctor by a student or employee has to keep it carefully under the regulation-approved locks and deadbolts...

    I'm not sure how this applies to an accidental WiFi transmission (IANAL), but I'm pretty sure that it would be grounds for serious fees and fines if it happened at any other kind of institution. I'm wondering whether the school will be in major trouble on this account alone. Under the rule, only health providers would face penalties for disclosing medical records, but if the school is a healthcare provider, for example, if they have an on-campus medical unit, they might be held liable.

    Thoughts, ideas, am I way off base here?

  124. Public schools with new technology by pmz · · Score: 1

    are like a child with a gun.

  125. Re:California's new notification provisions: July by poot_rootbeer · · Score: 1

    On a side note, could the newspaper be held liable for this, given that they were intruding on the network without permission?

    The school district could go after the newspaper, but that would only gain them more bad press. Not only from the paper that did the investigating, but from all the other media outlets that worry a judgment against it would have a stifling effect on investigative journalism across the board.

  126. Re:California's new notification provisions: July by poot_rootbeer · · Score: 1

    Did the newspaper bypass security and illegally access copyrighted material?

    What security? There was none -- that's the point.

    Also, what copyrighted material? Public school records not only are property of the government and thus uncopyrightable, but something like a list of grades is also a collection of facts, which have also been affirmed as uncopyrightable.

  127. Re:California's new notification provisions: July by pmz · · Score: 1

    If so, didn't they violate the DMCA - no matter what their intent?

    Hopefully they will find that there was no security to bypass.

    What is potentially so bad is that the DMCA could shoot the messenger, here. The newspaper wasn't some black-hat cracker, who would have never revealed his/her new precious bounty. The school now knows about the vulnerability, which puts them in a much better position than before.

  128. Re:California's new notification provisions: July by Anonymous Coward · · Score: 0
    which I would consider perfectly out of the ordinary

    Those words don't mean what you think they do.

  129. Re:California's new notification provisions: July by Anonymous Coward · · Score: 0
    In time the it will get past the embarrassment and all will be well again. Nothing more volatile than blushing data,

    I'm sorry, but what did you just say there? I know it's still early, and my brain isn't in gear yet, but fuck me!

  130. Good Point by OS24Ever · · Score: 1

    Good point as well. But maybe we bring it to the school administration first before publishing it.

    To me that's what it appears that they do.

    --

    As a rock-in-roll Physicist once said, No matter where you go, there you are.

  131. Re:California's new notification provisions: July by BJZQ8 · · Score: 1

    I won't say too much about who they are...I would like to go back there someday, replace my ex-boss, and clean up that stinkhole. It is a small town, and the newspaper won't publish anything "inflammatory" (their words) like that. Irrespective, they would do the same thing they did before, when a few people realized that they were open to the world, and were getting their e-mails and files read; they will claim it's been fixed after the expenditure of $50,000 or so by their expert Technical guys. When in fact nothing at all had changed...It's just really sad.

  132. Balancing security and the ignorance of teachers. by mindKMST · · Score: 2, Informative
    I work for a school district and can understand the trade-offs that are made by network administrators. I have to weigh decisions every day to choose security or ease of use. Most of the teachers are technologically illiterate and cannot perform even basic functions on their computer without assistance from the IT staff. The problem of inadequate computer skills is compounded by the fact that many districts refuse to pay teachers to attend computer training more than a couple hours a year. There is also opposition from the teachers' union to mandated computer use in the classroom. While I personally believe that computers have limited use in the classroom, more training is necessary as teachers are now forced to make use of file servers as well as student information systems on a daily basis.

    While concepts of permissions and network based storage may be simple to those of us who are experienced computer users, they are not easy to explain to a room of teachers. One on one training is the most effective way of helping teachers grasp the concepts necessary to make them self-sufficient computer users. I have taught several classes only to have the teachers who are already comfortable with these concepts pay attention. Those who need the most help usually sit there and chat or knit. They have the same defeatist attitude about computers that they try to discourage in their students. Many teachers have an irrational fear that they will somehow break their computer by doing anything they are uncomfortable with. When teachers ask "How did you learn all this stuff?" I encourage them to 'break' their computer (softwarewise that is :) and then try to fix it.

    Solutions. I think many of these issues will fade as younger teachers who are more comfortable with technology replace the older teachers who are less willing to change. New teachers are now required to take quite a few educational technology units in order to get a teaching credential. User interface standards must improve throughout the software industry. Most of these programs make sense to the nerds who designed them but more testing and better design is needed to make them usable for your average teacher.

    This particular instance in Palo Alto appears to be an issue of user ignorance as opposed to the incompetence in the IT department. Quite simply, someone placed private documents on a public server.

    Obviously I'm making broad generalizations for the sake of discussion but they are based on first-hand experience. Just relax and take 'em with a grain of salt.

  133. Wrong title by Telastyn · · Score: 1

    Shouldn't that really be "dumbass sysadmin exposes student information"

    And really; with all of the unemployed admins in the area, you'd think the school district could pick and choose one that was competent.

  134. "WiFi Exposes..." WRONG - LAX SECURITY EXPOSES by MobileDude · · Score: 1

    The title is completely wrong. While WiFi is the medium, the obvious lax security is the real culprit.

    I wonder why we never see sensationalistic headlines such as "100baseT Exposes..." or "Frame Relay Exposes..." or perhaps "Ethernet Exposes" ????

    --
    10 MD .\crash 20 CD .\crash 30 GOTO 10
  135. Re:California's new notification provisions: July by gurps_npc · · Score: 1
    No it is NOT like that at all, you are failing to realize exactly what it means to not have installed any security at all.

    The best analogy I have seen is walking down a street where all the houses are for sale, and none of them have doors up, to facilitate people coming in and looking at them. You decide to buy one and do so, moving your stuff in, BUT NOT BUYING A DOOR. (As in not even attempting to install any security, not just installing inept security)

    If you do this, and then refuse to buy a door, or put up a no-trespassing sign, or do anything else to indicate that people can not enter, then when people come up, it is not trespassing. It is not in fact surprising if people come in, sit down on your sofa, watch your TV, - for all they know this house is like the others, only set up with furniture to make people more likely to buy it. They may even say to themselves, what a nice neighborhood, where the realtor can leave a cool place like this unguarded and nothing gets stolen.

    If you make NO, nada, zero, one minus one, one greater than negative one, effort whatsoever to create security or at least indicate that this is private property, then people are legally allowed to enter your area property and look around.

    Note, they are still not allowed to TAKE anything. That means it would be illegal for the newspaper to publish any of the secure information, such as names, pictures, grades etc. In addition, if they did not at least make reasonable efforts to inform the owner of the system before they publish, they could be charged with encouraging criminal actions. But they are allowed to look at it, and definitely allowed to publish the fact that they looked at it.

    --
    excitingthingstodo.blogspot.com
  136. Re:California's new notification provisions: July by DickBreath · · Score: 1

    Also, what copyrighted material? Public school records not only are property of the government and thus uncopyrightable, but something like a list of grades is also a collection of facts, which have also been affirmed as uncopyrightable.

    What makes you think the DMCA has anything to do with copyright? The DMCA is a tool. One that allows those with power/money to stop those without power/money from doing anything that those with power disapprove of. Things like making refill ink cartridges. Or taking a sewing pattern out of the trash and reselling it (without any copies being made).

    --

    I'll see your senator, and I'll raise you two judges.
  137. I dont think so....encryption and the DMCA? by jedi_gras · · Score: 1

    The point is that there is no security to bypass... None, zip, zero, zilch.

    What do you mean? They encrypted the data in binary and then broke it up into TCP/IP packets.

    Just because the journalist could listen for the SSID of the network, connect to it, browse/download sensitive data, and then decode the binary data into a format that he could understand doesn't make it right. In fact, this should be protected under the DMCA or the DMCA should be reworded to include things like this.

    On another note...what's the difference between the above scenario, with someone viewing data on an unencrypted wireless network, and the one where someone finds a phone number of a modem, dials into a system, and downloads sensitive data? The former is considered OK because the data isn't officially encrypted and protected under the DMCA whereas the latter was illegal because of ignorance and fear. In my mind, they are the same thing...

    1. Re:I dont think so....encryption and the DMCA? by Anonymous Coward · · Score: 0

      You are either a troll or a complete fool. For your sake, I hope it's the latter.

  138. In my university, by Anonymous Coward · · Score: 0

    in the CS faculty, you could connect to a public ethernet jack in a computer lab, and gain read/write access to all the students', professors', TAs' and technical staff's home directories. Needless to say these include a lot of personal data and grades, which could be manipulated before being sent to the more secure permanent stores.

  139. I agree. by mindstrm · · Score: 1

    They absolutely should be held accountable for their own mismanagement.

    However...

    That doesn't make it okay for someone to access the information in this manner without authorization.

    Yes, it was broadcast over public airwaves... but that doesn't automatically make it public property. Intent plays a large part, ie: if you KNOW they don't realize it's set up that way, and you KNOW the data is not for you, then you are doing something wrong.. if not legally then morally.

    1. Re:I agree. by TinoMNYY24 · · Score: 1

      I agree with you that it was immoral to access the information, but we're talking illegal here. Laws need to be edited to include situations such as this. Also, "authorization" is a crazy term to use in the computer world. Computers are automated. It can be argued that since they got an IP address from the AP, they were authorized. They submitted a request to join the network, and that request was honored, and they had access to the files. Sounds like authorization to me. The intent of the parties that accessed the information is important for the individual case, but the laws need to reflect the fact that they were indeed authorized to use the network. If they weren't, they couldn't have gotten in.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  140. Right. by mindstrm · · Score: 1

    But, the law is not the computer, and it's not pure logic.

    You can say "Well I sent a request for an IP address, and it gave me one, therefore it authorized me to look at all information available on their network". Yeah right.

    Judge: Sir, were you aware these were school records, things that are usually confidential? (by virtue of the fact that you reported it as newsworthy, obviously you were).

    Reporter: Yes, your honor, I was aware of this..

    Judge: Therefore you admit you accessed confidential records without authorization.

    Access to information is not everything. If I forget to lock the door to my office, and you come in and rifle through all my files, are you going to tell the judge that because the door opened when you turned the knob, that authorized you to read all my files? That, because you knew the door technically should be locked, then obviously if someone left it unlocked, it was meant as permission? I doubt anyone is going to buy it.

    1. Re:Right. by TinoMNYY24 · · Score: 1

      You can't draw parallels between this and an open office door. This is more like leaving the information on the ground at a public theme park. The theme park allows people inside no matter what, and the information is there but difficult to find. The same thing is true for this situation. The network was being broadcast over public airwaves and was accessible to the public, and the files were non-protected on the network. These files were in a public place. The nature of them infers that they are supposed to be private, but there is no certain way to tell with information that literally is left wide open in public.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."