WiFi Exposes Sensitive Student Data
cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."
Right way to get attention ....
Wrong way to do it without going to jail.
Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?
WiFi should be banned. In fact there was talk of a congressional hearing on the sad state of security in WiFi. It is insecure by default and the maximum security you can apply to it is flawed and easily hackable.
If this does anything, it should make the gov. smack the hell out of all WiFi consortium members by preventing them from selling any more equipment till they actually get it right. (And giving refunds for all faulty equipment already sold)
Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles I've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.
Photos.
Random searches of backpacks without probable cause (though this is something I agree with).
No freedom of speech. No freedom of expression. (At our school boys couldn't wear hats or earrings, certain colors of garments, no "extreme hairstyles" or shorts during winter or spring.) No -everyone is equal-: girls could wear all those things that boys could not.
The only constitutional amendment upheld in public schools is the separation of church and state.
I've come to the conclusion that schools are exempt from laws and are not held liable for their own mistakes; hell, at Livonia Public Schools (Livonia, MI) the staff actually tries to hack into students' (and former students') computers.
Did the newspaper bypass security and illegally access copyrighted material?
If so, didn't they violate the DMCA - no matter what their intent?
After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?
/* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
Actually it wouldn't surprise me in the least if the students knew all along. I wonder if the average grade was higher there than elsewhere.
As the purpose of copyright is to increase the amount of publication that enters the public domain, *can* they actually copyright something that is never published? And school districts .. that sounds suspiciously like Government, who cannot copyright documents either. No Copyright, no DMCA?
WiFi is now commonly used throughout hospitals transmitting unencrypted patient information to mobile carts and charting hand helds. Imagine what you could grab just by sitting in the lobby.
...shoot the messenger here?
I bet some legal action will be taken against the reporter who did the "hacking," while nobody will even think about holding any school officials accountable for their stunning negligence. I shudder to think what a pedophile with a WiFi-enabled laptop could have done with access to that kind of info. Cripes, it could have really turned into a serious NAMBLA convention out there.
I know this much, if I were a parent of a kid at that school I'd be raising holy hell about this and calling for the heads of people in the school administration. Starting with Superintendent Mary Frances Callan, who was quoted as saying, "I don't see this as such a huge news story." WHAT??? Bitch, you should be on your knees thanking God that this was uncovered by a reporter and not some scumbag who got a kid's address from that wide-open network of yours and found himself an ideal victim!
~Philly
This is BS. Most organizations don't have public ethernet jacks sitting curbside like a phone booth.
... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociopathic kids (where do you think they get it from)).
The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.
Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.
There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS law suit.
PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district
-------- -------- Support Wesley Clark for president!!!
I agree. I am a student in the PAUSD who happens to run a lot of the computer stuff at one of the high schools. Many times, parents (with what I hope are good intentions) try to give us stuff. Usually, it completely fails to work well with what is already in place, although they insist that it is perfect for whatever we want to do with it. What is more, we have so many tech parents that all want to set things up their own way, regardless of what anyone else is doing, because they want to "Help the school" that even the tech people for the school don't know how a lot of our equipment is set up. It has gotten so bad that I know of at least two teachers at my school who have said that nobody gets to do anything to their computers without their permission (fortunately, they both know what they are doing). There are many times when I wish that all the helpful parents would go away and be helpful to somebody else, instead of giving us their old Apple 2s or offering to set up that new campus-wide wireless network that is crucial to their child's learning environment.
Sigh. My rant is over now.
This PAW story is totally retarded, as usual. I worked for two years at JLS supporting that network on a volunteer basis. Every sixth grader in the district knows that FUJI is a scratch drive and that anything put up there is NOT SECURE and subject to being blown away every so often.
..."
.... we'll just bury that a safe distance from the headline.
...
... I still have to live in the People's Republic of Palo Alto.
The Weakly even says, "Although the server was not intended for high-security documents
Oh, *although*
In other words, "Although this is no story at all and all the important stuff is locked down, we thought we'd go rattling door knobs to see who left their doors open, then raid the houses. After all, WE are The Almighty Communityist Press."
The Weakly goes on to describe, "a sub-server known as Fuji, which was designed to allow authorized personnel to share files," on a temporary, non-secured basis (but we'll leave that part out; it's not a lie, just not all of the truth).
So the only issues here are STUPID USERS, and CARPING JOURNALISTS, as usual.
1. Did some overpaid adminstriviators put stuff on the scratch drive that they shouldn't have? It sure looks that way.
2. Is PAUSD leaving its entire network wide open to the world? Definitely not.
3. Is the Weakly off on yet another cynical tangent, this time by driving around rattling door knobs? Definitely.
Since I live about half a mile from the district office, I'm locking all my windows tonight, that's for sure. After all, if I leave my window open, that means I was just INVITING reporters to crawl in, right? Hey, it wasn't locked down
Yes, I'm posting as a Coward
My friend and I recently gave a white paper to our school describing all net vulnerabilities. We were able to access attendance and grade records, as well as the faculty folders because they didn't secure one of their servers. Also, there was an "install" folder with copies (serials included!) of all of the install cds for all the programs ever used at our school. Office, Starry Night, the grade program, etc. It was a treasure trove. But, like responsible people, we gave them the white paper. The sysadmin was unaware of any of this.
That's toeing the line between "security" and "protection racket"
If you know the data isn't for you, and it's not advertised for you to get, then you can reasonably assume it's private.
Surfing student records over a wireless connection is one of those things that falls under "We knew it was not public information, and that we were accessing information we were not supposed to be"
ANYONE who accesses my network through some kind of security breach does not deserve any kind of protection.
It's sort of ironic. People here are saying the school district should have some sort of financial liability for the negligence of allowing public access to this psychological/medical data. I'd tend to agree -- plus, I'd concur with those who say they have no business conducting (almost assuredly bogus) "psychological examinations" of students to begin with.
On the other hand, the reason they started doing psychological examinations of students is probably because, after the Columbine shootings, they'd probably risk financial liability if they didn't.
Breakfast served all day!
I do agree that it wasn't WiFi's fault, but I think it's a good thing to have "news at 11" to promote tightening of security. Now that it's been exposed in that district, I'm sure the surrounding area will also investigate their own blatant oversight.
this is my sig, there are many like it, but this one is mine.
I was involved in a similar situation about 2 years ago. Huge amounts of school information were exposed to the world, and it was all quietly swept under the rug. I was told to keep quiet and to say nothing more of it. I was threatened with termination if I disobeyed. Since I no longer work there, I'm pretty free in saying that their "security system" has a bigger hole than the goatse man. School districts that buy "consultants", which are little more than revolving-door Microsoft salesmen with MCSE's, should be dragged out and shot. All they do is put up a huge line of BS that gets them the sale, then they act like they have done their job. School computer systems are all a total joke.
I'm not sure how this would qualify as electronic trespass. It's one thing to physically or electronically attempt entry, but when the radio waves are not encrypted and pass through your body?
I mean... if for example I had a WiFi card and I was on campus, which I would consider perfectly out of the ordinary, and I tripped upon a network connection, I would think "oh neat, public WiFi". Just like if I was walking down the street and saw a path to a lake, "Oh neat, a public lake".
My point is without notice, how do you expect people to know it's trespass? Or on the other hand, without encryption, how do you expect people to know it's private? Without notice of private property, I don't think it's trespass.
Common sense should rule in cases like this, as for radio reasonable attempts should be made to protect private communications, and if they are intercepted it's your own damn fault.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
My school district, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we can't do anything". I laughed and forgot about it for a year.
Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.
After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages. This is the thanks I get for telling them that they're vulnerable.
As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.
I'm really disappointed with this. Not only is it a violation of my privacy, it's not the first.
.. who did nothing.
It's very easy to get a network drop and access files. This is simply ridiculous. Fortunately, I was able to save the day and alert the network administrator
Oh well, at least they opened up port 22 for me
PayPal $$ if you sign up for free offers (eBay, cred cards, e
The point is that there is no security to bypass... None, zip, zero, zilch. I live in and just graduated from Monta Vista in the nearby Fremont Union High School District, and the thing about 90% of the District tech guys is that they don't know what they are doing.
I've met an MCSE before that didn't know how to add a user to a Windows 2000 server. Honestly, these people for the most part are the lowest of the low. And similarly in FUHSD they too have an unencrypted wireless network. I can access that network *from my house* that's a mile away, granted we had to pull out a friend's parabolic dish, but we managed to hit the thing, not to mention that I have good line of sight to the entire valley from my house.
These guys don't comprehend that a wireless network does not stop at their walls, and they leave the networks unencrypted to make it "easier" for them. Security is only a concern as long as they don't get caught. I've seen, I've known students that have broken into an Apple File Sharing server with a simple brute force attack, and then they proceeded to delete several students' work from the Typing class and move some files around.
This was a situation that was easily preventable by maxing out the number of times an account can attempt to login within an hour, but they didn't do it because it was "too inconvenient." Evidently these guys also aren't smart enough to remember their own passwords, so much for security.
~Noodle
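One way to implement the lockout the post above says would have prevented the brute-force attack, as an added example in Python (not code from the post or from any Apple File Sharing server). It keeps a sliding window of failed logins per account and refuses further attempts, even with the right password, once the threshold is hit; the one-hour window, the five-failure threshold and the login sequence in `simulate()` are all assumptions constructed for the demonstration.

```python
"""Per-account login throttle with a sliding one-hour window.

Added example, not from the thread. Window and threshold are assumed values.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed: the "within an hour" window from the post
MAX_FAILURES = 5        # assumed: failures allowed inside the window


class LoginThrottle:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_failures = max_failures
        # account name -> timestamps (seconds) of recent failed attempts
        self._failures = defaultdict(deque)

    def _prune(self, account, now):
        """Drop failures that have aged out of the window."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' (bad password) or 'locked'.

        The lock is checked before the password so a guesser cannot learn
        whether the 6th guess was right: every answer is 'locked' until the
        window drains.
        """
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()   # a real login resets the count
            return "ok"
        self._failures[account].append(now)
        return "denied"


def simulate():
    """Constructed scenario: six wrong guesses one second apart, then the
    correct password right away, then the correct password an hour later."""
    throttle = LoginThrottle()
    results = []
    for t in range(6):
        results.append(throttle.attempt("student42", False, now=t))
    results.append(throttle.attempt("student42", True, now=6))
    results.append(throttle.attempt("student42", True, now=6 + WINDOW_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())   # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

The design choice worth noting is that a lockout keyed only on the account name lets anyone who knows a username deny that user service by feeding it bad passwords; a production version would usually throttle per source address as well and log the lockout event so an operator sees the guessing while it happens.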
Stayed in a uni hotel (part of their conference suite) about a month ago and each room had access to the campus network and Internet via a 100BaseT connection. Hooking my laptop to the network revealed dozens of workgroups, numerous student and uni PCs. About 80% of the PCs had guest login disabled, but among the noteworthy that didn't:
1 PC hosting numerous recent movies including the one where there is no spoon (reloaded)
1 PC sharing 'my documents' with tons of party pics (all very pretty but harmless)
Numerous MP3s in about 20 shared 'my music's
A smattering of pr0n
Almost every accessible PC infected with worms that spread via NETBIOS (Norton AV 2003 went frantic every time I browsed a share)
Welcome to the real world
L3K
AT&ROFLMAO
I tried to find a comment on this issue, but didn't see one. Sorry if I missed one.
This has nothing to do with WiFi. The data was on the network and not even password protected. Take the WiFi out of the equation, and from what I read in the article, anyone, even a student in the library, could have accessed this info. Teachers shouldn't even have access to the psych evals unless there's a reason and they get permission. The board's own policy says that pictures of the kids shouldn't be stored on the network. The point is those files were supposed to be in a locked down area of the network, and they weren't. Even if they were, the individual files should also have been password protected, in addition to the volume they were on.
And as far as the newspaper getting in trouble, it seems to me that allowing guest access means that you're ok with guests connecting. I don't think there was much 'hacking' involved. If there was, they should get in trouble. Otherwise all I have to do is get a job as a freelance writer for a paper, and then I can do whatever the heck I want, and if I get caught, then I just say I'm working on a story. That's BS.
You want to do this kind of investigating, you should accept the risks. If you want a by-line and glory, you deserve what you get. Sometimes doing the wrong thing for a good reason is needed - but if you don't punish people when they're caught, it's going to get out of hand.
666-607: 6th floor apartment of the beast
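The audit the post above is really asking for (were the files in a locked-down area, and were they readable by anyone who could reach the share?), and the one the earlier poster who found the open "install" folder full of serials effectively did by hand, as an added example in Python that is not part of the thread. It walks a share and reports every file or directory that others can read, plus anything whose name matches an assumed list of sensitive-record patterns. The directory layout, file names, modes and patterns are constructed for the demonstration; it relies on POSIX file modes.

```python
"""Audit a shared directory tree for world-readable entries and for
names that look like sensitive records.

Added example, not code from the thread. Layout and patterns are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

# Assumed name fragments for records that should never sit on an open share.
SENSITIVE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"grade", r"psych", r"medical", r"serial", r"address")
]


def world_readable(path):
    """True if 'others' can read the file, or list and enter the directory."""
    mode = os.stat(path).st_mode
    if stat.S_ISDIR(mode):
        return bool(mode & stat.S_IROTH) and bool(mode & stat.S_IXOTH)
    return bool(mode & stat.S_IROTH)


def audit_share(root):
    """Return {'world_readable': [...], 'sensitive_names': [...]},
    both sorted lists of paths relative to root."""
    findings = {"world_readable": [], "sensitive_names": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if world_readable(full):
                findings["world_readable"].append(rel)
            if any(p.search(name) for p in SENSITIVE_NAME_PATTERNS):
                findings["sensitive_names"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Build a constructed share in a temp dir, audit it, and clean up."""
    root = tempfile.mkdtemp(prefix="share_audit_demo_")
    try:
        layout = {                       # constructed sample files and modes
            "grades.csv": 0o644,         # world-readable AND a sensitive name
            "psych_eval.pdf": 0o600,     # locked down, but still a sensitive name
            "install/office_serials.txt": 0o644,
            "notes.txt": 0o640,          # group-readable only: no finding
        }
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(full, mode)
        os.chmod(os.path.join(root, "install"), 0o755)   # listable by anyone
        return audit_share(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a real share root instead of the temp directory by calling `audit_share("/path/to/share")`; an entry that appears in both lists is the case the article describes, a sensitive record sitting where any connected client can read it. The name-pattern list only catches obviously labelled files, so the mode check is the one to trust.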
I'm not sure how this applies to an accidental WiFi transmission (IANAL), but I'm pretty sure that it would be grounds for serious fees and fines if it happened at any other kind of institution. I'm wondering whether the school will be in major trouble on this account alone. Under the rule, only health providers would face penalties for disclosing medical records: but if the school is a healthcare provider, for example, if they have an on-campus medical unit, they might be held liable.
Thoughts, ideas? Am I way off base here?
"I'd say 'Have a good time,' but arson is still illegal.