Slashdot Mirror
WiFi Exposes Sensitive Student Data
cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."
Should be fascinating to see how people react as they start to find out how often security problems actually occur...
WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sinffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithims.
WTLS (Wireless Transport Layer Security) was designed poorly as well. It's design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.
Attacks against the WAP WTLS protocol (PDF): Source one, Source two
Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek
Remember a week ago when at Senate hearings RIAA people said Peer to Peer that it could put inexpierenced users personal information at risk? My guess is there'll be a similar "Ban the Technology" movement against this for government use because of the potential danger. Except in cases where it would logically be needed, like free public internet access points. Of course, I could be wrong, but it's a thought.
Since when has this country used intellectual elite as a pejorative term?
the press has been held 'above the law' in such cases. Look at Watergate for a prime example.
That is a good thing, as long as the integrity of the information is held to a high standard. For example, if the published all the information they got, that would eb bad and they would be held accountable. If not by a law enforcement agency, then by a civil court. probably both.
The Kruger Dunning explains most post on
After you turn 18 you can at any time look into your permament record. Prepared to be shocked though. I was a slight rebel but nothing to serious and my consuler describe me, and I shit you not, as the NEXT HITLER!. Serious, she said: And in this report Nick sounds somewhat like the next Hitler (I wrote a paper saying academic proformence should determe which students got to go to Disneyland.)
Hollow words will burn and hollow men will burn.
I agree with you completely, but at the same time, what do you expect? If you want someone competent working on your network, you have to pay them. Cut the budget by $17 million, and devastation will result.
Here in the UK it would be a breach of the Data Protection Act 1998 and possibly the Computer Misuse Act 1990. Oh and the psychological evaluation would fall under the Access to Health Records Act. These carry serious fines (but not jail sentences) if organisations disobey them. The DPA '98 is based on an EC directive and came into effect a few years ago. It's run by the Information Commissioner. Of course - here you might run up against Crown immunity - which simply put means that the government can't be held liable for breaking one of its own laws. The problems of insecure wi-fi networks have been well highlighted here - especially in London - there've been many cases of drive by hacking via laptops.
Video Game cheats, hints a
All schools have them AFAIK. Its not necessarily 1 per school. They have therapists as well. I think the americans with disabilities act would make schools have even more than that. But it could be a handful per school district or something like that.
Well, actually, my attorney says no it isn't in my case... Because of the following argument:
Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.
Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.
Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.
Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.
If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)
In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.
Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.
Well, logically, ya, you should be able to listen to anything being broadcast at you.. But, look at what they do if you descramble satellite feeds without paying..
But, I don't think they accidently picked up the signal. They said they were sitting just outside of the school's office, with the proper equipment (ya, laptop and wifi card, big deal), but that's intent. Not only that, but sitting outside that office ("Using a laptop with a wireless card outside the district's main office") they sent data to retrieve data ("the Weekly gained access to such data as
Ahhhh, and here we go with the law (I've been busy with work, not much time to play). The summary of this is, yes, they broke the law, and it's punishable by $2,500 and/or 1 year in jail on the first offense, and $10,000 and/or 1 year in jail on the second offense.
PENAL CODE
SECTION 630-637.9
631. (a) Any person who, by means of any machine, instrument, or
contrivance, or in any other manner, intentionally taps, or makes any
unauthorized connection, whether physically, electrically,
acoustically, inductively, or otherwise, with any telegraph or
telephone wire, line, cable, or instrument, including the wire, line,
cable, or instrument of any internal telephonic communication
system, or who willfully and without the consent of all parties to
the communication, or in any unauthorized manner, reads, or attempts
to read, or to learn the contents or meaning of any message, report,
or communication while the same is in transit or passing over any
wire, line, or cable, or is being sent from, or received at any place
within this state; or who uses, or attempts to use, in any manner,
or for any purpose, or to communicate in any way, any information so
obtained, or who aids, agrees with, employs, or conspires with any
person or persons to unlawfully do, or permit, or cause to be done
any of the acts or things mentioned above in this section, is
punishable by a fine not exceeding two thousand five hundred dollars
($2,500), or by imprisonment in the county jail not exceeding one
year, or by imprisonment in the state prison, or by both a fine and
imprisonment in the county jail or in the state prison. If the
person has previously been convicted of a violation of this section
or Section 632, 632.5, 632.6, 632.7, or 636, he or she is punishable
by a fine not exceeding ten thousand dollars ($10,000), or by
imprisonment in the county jail not exceeding one year, or by
imprisonment in the state prison, or by both a fine and imprisonment
in the county jail or in the state prison.
I won't say that the school didn't fuck up, because honestly they did.. But, as any stumbler/wardriver knows, they're not the only ones. It doesn't take a computer expert to get into most networks. They should have done a better job, but failed. This is barely news, it's just a reporter bragging how they broke the law, invaded the privacy of thousands, criminally trespassed, and are flaunting it as news. It's as criminal as if they broke into a bank and took out cash, even if handing it back in the morning, to prove that it could be done.
With that said, ya, my laptop is set up for stumbling too.
Serious? Seriousness is well above my pay grade.
BTW, here's a nice little list of some of the state laws, just regarding the wiretap portion.
. htm
http://www.ncsl.org/programs/lis/CIP/surveillance
Serious? Seriousness is well above my pay grade.
But, look at what they do if you descramble satellite feeds without paying.
Ahh, that's activly *descrambling* the data. That's going above and beyond, theft of services and all that. You need to buy a key of sorts to gain access to these services, unless you are in canada ofcorse.
intentionally taps, or makes any
unauthorized connection, whether physically, electrically,
acoustically, inductively
I do not claim to be a lawyer, but largly based on what i've observed tap, as in wire tap, only applies to audio tapping. As in, it might very well be legal to pop in a security camera so long as it doesn't pickup audio.
Further more, even the law you quoted implies *authorized access*. I would argue strongly that without basic security mesures that all people *are authorized* to access this material. It would be no diffrent, in my minds anyway, if they put up private information on a public web server, esp if google picks it up seeing no robots file in place.
I would further submit the fact that the service of WiFi netaccess is very much common place. For example, my local starbucks coffee offers WiFi access for a fee, and I know of one CAFE that offers public free WiFi access.
Given that this is a service offered in some establishments, a stumbler who accidently comes across access might reasonably assume that this is a service, given there was no security and *authorized access* is granted to everyone by the WiFi router based on a configeration choice by the system admin. My argument, which may or may not stand up in court, would be that because the system authorizes you that no law was broken, even if access to propriority data was made publicly available to anyone who requested access.
We can clearly agree the school fucked up, but I'd argue that they should be held criminaly liable because their WiFi network specificly grants *authorized access* to anyone. Just because it's an automated authorization system is no excuse in my minds eye, no diffrent then asking for propriority records and getting them by fax from an office worker that wasn't told better.
If it was me personaly, i'd say, "oh cool, public WiFi network, I can check my e-mail from here".
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
While concepts of permissions and network based storage may be simple to those of us who are experienced computer users they are not easy to explain to a room of teachers. One on one training is the most effective way of helping teachers grasp the concepts neccesary to make them self-suficient computer users. I have taught several classes only to have the teachers who are already comfortable with these concepts pay attention. Those who need the most help usually sit there and chat or knit. They have the same defeatist attitude about computers that they try to discourage in their students. Many teachers, have an irrational fear that they will somehow break their computer by doing anything they are uncomfortable with. When teachers ask "How did you learn all this stuff?" I encourage them to 'break' their computer (softwarewise that is :) and then try to fix it.
Solutions. I think many of these issues will fade as younger teachers who are more comfortable with technology replace the older teachers who are less willing to change. New teachers are now required to take quite a few educational technology units in order to get a teaching credential. User interface standards must improve throughout the software industry. Most of these programs make sense to the nerds who designed them but more testing and better design is needed to make them usable for your average teacher.
This particular instance in Palo Alto appears to be an issue of user ignorance as opposed to the incompetence in the IT department. Quite simply, someone placed private documents on a public server.
Obviously I'm making broad generalizations for the sake of discussion but they are based on first-hand experience. Just relax and take 'em with a grain of salt.