Slashdot Mirror


WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."


  1. California's new notification provisions: July 1 by NumberField · · Score: 5, Informative
    They just squeaked by on the calendar. Under the new California Law that goes into effect on July 1, they would have to notify each of the potentially-affected students after a breach like this.

    Should be fascinating to see how people react as they start to find out how often security problems actually occur...

  2. Upside by The_Rippa · · Score: 5, Funny

    I guess Match.com and Yahoo Personals will have plenty of photos of young nubile girls to fill the fake ads on their service with.

    1. Re:Upside by mrpuffypants · · Score: 4, Funny

      fake? you mean there aren't 50 hot coeds out there looking for a guy who put FreeBSD and Mac OS X in his profile?

      damnit.

  3. Security is still sub-par with wifi by mao+che+minh · · Score: 4, Informative

    WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sniffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithms.

    WTLS (Wireless Transport Layer Security) was designed poorly as well. Its design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.

    Attacks against the WAP WTLS protocol (PDF): Source one, Source two

    Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek

    1. Re:Security is still sub-par with wifi by bobthemonkey13 · · Score: 5, Informative

      The key to understanding WEP is the phrase "Wired Equivalency". The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very). WEP never was intended to take the place of encryption systems such as SSL and IPSec that are conventionally used to secure connections over wired networks. Rather, it brings WiFi security to the level of security inherent in wired Ethernet. Thus, WiFi using WEP is insecure only because of the way it is marketed: users see it as a catch-all encryption system, rather than a replacement for the (fairly weak) security inherent to wired Ethernet's physical-access requirement.

    2. Re:Security is still sub-par with wifi by willtsmith · · Score: 5, Interesting

      This is BS. Most organizations don't have public ethernet jacks sitting curbside like a phone booth.

      The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.

      Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.

      There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS law suit.

      PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district ... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociopathic kids (where do you think they get it from)).

      --
      -------- -------- Support Wesley Clark for president!!!
    3. Re:Security is still sub-par with wifi by kilgore_47 · · Score: 4, Insightful

      From reading the article, it looks like they didn't even bother using WEP.

      Aside from the fact that WEP is breakable and thus useless, if they had used WEP (and it wasn't broken) the data still would have been accessible to the legitimate wifi users (unless this was a special AP for people who need to see this data). They said the data was accessible to unauthorized users inside the network, too. And they fixed it by turning off the AP?

      I salute the newspaper for taking the initiative (and, perhaps, the risk) of accessing the data themselves. But I wish they would have spun it more as a "piss poor security" issue than a "wireless security" issue. As far as I can tell, this has hardly anything to do with wireless at all. It's certainly not a reason for schools to not run open networks. They just need to secure their wired networks just like they should have before wireless!

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    4. Re:Security is still sub-par with wifi by God!+Awful+2 · · Score: 3, Funny

      The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very).

      Yeah, I'm sure they made it weak on purpose... They were all set to publish a stronger algorithm, but then someone said "Hey! This isn't wired *equivalent*, this superior to unencrypted Ethernet."

      Unfortunately by that point they were already set on the name. [It was already in all the marketing materials and WEP just has a better ring to it than BWP (Better than Wired Privacy).] So the only solution was to introduce an arcane security flaw.

      Yeah, that's so much more plausible than "They fucked up!"

      -a

  4. They did it with p2p... by c0dedude · · Score: 4, Informative

    Remember a week ago when at Senate hearings RIAA people said of peer-to-peer that it could put inexperienced users' personal information at risk? My guess is there'll be a similar "Ban the Technology" movement against this for government use because of the potential danger. Except in cases where it would logically be needed, like free public internet access points. Of course, I could be wrong, but it's a thought.

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:They did it with p2p... by Anonymous Coward · · Score: 3, Interesting

      WiFi should be banned. In fact there was talk of a congressional hearing on the sad state of security in WiFi. It is insecure by default and the maximum security you can apply to it is flawed and easily hackable.

      If this does anything, it should make the gov. smack the hell out of all WiFi consortium members by preventing them from selling any more equipment till they actually get it right. (And giving refunds for all faulty equipment already sold)

  5. Excellent felony! by Geminus · · Score: 5, Interesting

    Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?

    1. Re:Excellent felony! by Skyshadow · · Score: 5, Insightful
      It's only a felony if they get convicted, and no jury in the land is going to convict a newspaper that discovered that a school was spooging out private information of minors to the world. That's why we have juries -- to provide a check on the government.

      Of course, they might just be declared enemy combatants and all this silly due-process thing could be avoided...

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    2. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      A friend of mine in the San Diego area got arrested for doing the same thing at a local community college. Of course the police had no idea how to handle it and the charges were eventually dropped, but last I checked they still had his laptop (it's been about 8 months).

    3. Re:Excellent felony! by fdawg · · Score: 3, Insightful

      This is probably offtopic, but how did he get caught? Did they track him down via his MAC? Was he doing something mischievous?

      Things like this bother me. It's getting to the point where if you have a laptop and you're outside or if you're on a cablemodem doing something other than web surfing, you're going to get arrested. The media isn't helping the witch hunt. Uninformed press always make things seem worse than they are just to boost sales and preserve position.

    4. Re:Excellent felony! by LionMage · · Score: 4, Interesting
      Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, [snip]

      I'm not familiar with the laws, but which part is the felony exactly? How can "just" getting the IP address constitute a felony? We don't even know whether the newspaper had to crack encryption to get into this network. Maybe the access point was being run wide open, as another poster suggested.

      Certainly, if they had to break in, then it's a felony; on the other hand, if the school ran the access point wide open, then there's more of a gray area.

      I have a particular interest in this. You see, I recently got in trouble with H*neywell for using their WiFi without permission. I do consulting work for a small company, and there's a H*neywell office just down the hall from where I work. Someone at that office installed a WiFi access point, apparently contrary to company policy. That access point stayed up for many months, then recently came down, and I never thought anything of it. The access point was being run entirely without security of any kind -- no WEP, no password, nothing.

      I was only using this to surf the web and download some software updates/patches to my iBook. I didn't go out looking for this access point, but my iBook is configured to find the nearest access point as soon as it wakes up from sleep (or boots up).

      Then about a week after the access point went down, I got a call from my consulting firm. It seems that H*neywell had somehow traced my use of their WiFi access point, and wanted to do something about it. I almost lost my job, but ultimately, a deal was struck whereby I surrendered my laptop to have the hard disk imaged; the laptop was returned to me less than 2 days later, fully intact.

      The official story I got was that H*neywell hired an outside firm to check their network security, and they identified the WiFi access point as a security hole; the employee who set it up was fired. Then the security firm traced all who had used the access point, and found my "digital fingerprint."

      The unofficial story I got from some other folks in-the-know is that I had posted about my discovery in my LiveJournal, and someone did a Google search and found the entry. Apparently, I forgot to make this a non-public entry. So that's how I was really found out. (That entry has been made friends-only now.) I'm still not 100% sure how Google indexed my journal, since I have my prefs set up to prevent indexing, but not all spiders respect that.

      I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall! As it turns out, the access point was behind their firewall, and I could have accessed a whole bunch of material I wasn't supposed to. Scary thought.

      I think the real reason I got in trouble was that I embarrassed H*neywell. They could have conceivably taken legal action against me personally, but that would have created a weird situation for them, since it would expose them to government scrutiny. And they might lose some favorable government contracts if that happened. Moral of the story: Always check to see what you're connecting to. That hot-spot might not be safe to connect to after all!
    5. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      He had been at the site before and the admins on the network had noticed him connected. They noted his MAC address and when they saw him connect again called the police. When the police got there the admins came out and took his NIC and read off the MAC address so they knew it was him. They had logs of all the times he had connected and what he had done, etc.

    6. Re:Excellent felony! by LionMage · · Score: 2, Interesting
      How does the fact that you *could* connect to it make it okay to connect to it? Really, why were you surprised you got in trouble?

      The same way that a cop walks into a person's house without explicit verbal or written permission, if the cop finds that the person's front door is unlocked and if they have a reason to be at that person's house in the first place.

      OK, I may not have had a reason to enter H*neywell's "house," but what they did is tantamount to leaving the barn door open, or leaving their front door unlocked and putting a big neon sign over it that says "this door is unlocked." (My lawyer, incidentally, agrees with me, and not because I paid him to. He helped me with this pro bono.) What I did was stupid, granted, but not technically illegal.

      Also keep in mind that, as I stated very clearly, my iBook is configured to automatically connect to any available base station upon waking up, or upon boot. I found out this access point belonged to H*neywell after the (metaphorical) damage was already done. I initially thought that it belonged to the company I am consulting for.

      H*neywell might not have been happy, but they have only themselves to blame for running a loose operation at this particular office. I certainly had no way of knowing there was a problem, since I tend to interpret unlocked doors as invitations to entry. If they had put even minimal password protection on their access point, that would have raised a flag saying "Do Not Enter," and I wouldn't have. Simple as that.
    7. Re:Excellent felony! by sedmonds · · Score: 2, Interesting

      They shouldn't have to put a flag saying 'Do Not Enter' for the same reason I don't have a flag saying 'Do Not Enter' on the gate to my back yard, on either garage door, or on either entrance to the house. These are my resources, and decent law-abiding folks don't try to enter without my permission.

      A closer analogy might be a parking stall at an office building. I generally assume that off-street parking is private, unless otherwise marked. So sure, I could probably use that off-street parking if I wanted to, and maybe nobody would notice or mind, but that doesn't make it right for me to do so. Likewise, if I connect to a wireless access point, unless I know that I have permission to do so, I don't. I probably could, and I might not get caught using their resources, but that doesn't make it right.

      In your case, your laptop being configured to automatically connect to any base station upon waking or boot is your problem, not H*neywell's. Your configuration options represent your decision to use resources whether or not you have permission.

      In the case of consulting or contracting, you and your employer are responsible for negotiating what resources you should have access to, and how those resources may be used. In the case of an office building, for a laptop user, this should cover wireless usage. Since you 'stumbled upon' H*neywell's network, and assumed that it was a resource of the company at which you were working, it's obvious that you and your employer neglected to do this.

      I'm more inclined to believe that although H*neywell should have taken better precautions, you (not them) are to blame for your intrusion into and use of their network.

  6. Well... by Bob+Vila's+Hammer · · Score: 5, Funny

    The district has known about some aspects of this vulnerability for nearly nine months, but failed to take action until the Weekly informed officials of the situation late last week -- a somewhat ironic development given the school board's recent adoption of a technology-use policy.

    Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.

    --
    "The perfect example of the man of action is the suicide." - William Carlos Williams
  7. Liability by Skyshadow · · Score: 5, Insightful
    I've said it before, and it's generally gotten a negative (or even angry) response, but let me say again:

    It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.

    The simple truth here is that pointy-hairs and bureaucrats understand one thing: Money. If you threaten to kick them in their budget, they'll respond; otherwise, you'll just keep seeing these articles.

    I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail. These institutions with faulty IT -- and it's not as if this was some complex cracking job, this is just carelessness -- need to be taught a serious lesson.

    (shakes head) It kills me that a college can lose piles of cash for buying shoes for one of their basketball players and a business can get fined for having workers lift a box that's 5 lbs. too heavy, but when they expose the private, valuable data of their students/customers, there's no sanction whatsoever....

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Liability by geekoid · · Score: 2, Insightful

      the sticky bit is:
      "...allow sensitive data to be stolen."

      'not well secured' does not, nor has it ever, mean 'allow'

      If it is negligence, really hard to say based on the info given, then they can, and should, be sued.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Liability by 56ker · · Score: 2, Informative

      Here in the UK it would be a breach of the Data Protection Act 1998 and possibly the Computer Misuse Act 1990. Oh and the psychological evaluation would fall under the Access to Health Records Act. These carry serious fines (but not jail sentences) if organisations disobey them. The DPA '98 is based on an EC directive and came into effect a few years ago. It's run by the Information Commissioner. Of course - here you might run up against Crown immunity - which simply put means that the government can't be held liable for breaking one of its own laws. The problems of insecure wi-fi networks have been well highlighted here - especially in London - there've been many cases of drive-by hacking via laptops.

    3. Re:Liability by gizmonic · · Score: 2, Insightful

      First off, let me say that I whole-heartedly agree with you.

      Here is my question though. At what point does an institution move from being a victim of an attack to being responsible for it?

      Don't get me wrong here, from reading the article, I would definitely agree the school was somewhat negligent. I mean, if I leave my keys in my ignition, and the car is stolen, my insurance policy has a clause stating that I am at fault for not securing my vehicle, and they don't have to pay. That makes sense to me. And the school having sensitive data in the open is like me leaving my keys in the car. They are responsible for not securing their system.

      However, a determined thief with the right skills can eventually steal my car, and a determined hacker with the right skills can eventually break the system. At what point would you say an institution has done all it could reasonably do to prevent the attack, and should be held blameless?

      If we are going to hold institutions liable, we need some standards regarding the sensitivity of data, and what levels of security are required for those varying levels of sensitive data. I've honestly got no idea what those should be, only that if we are going to hold people accountable, as you suggest (and I agree with you, remember), we need some codified rules to apply, not just some arbitrarily vague notion of the word "secure."

      Any ideas? Am I way off-base here?

      --
      WWJD?
      JWRTFM!
  8. Interesting... by Trent+Polack · · Score: 5, Funny

    I wish my old high school would've had something like that happen to them. I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!

    --
    Trent Polack
    www.polycat.net
    1. Re:Interesting... by IronChef · · Score: 2, Funny

      I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!

      Didn't anyone tell you? If you want to see it, you are crazy.

      Please lie down on the floor. The van will arrive shortly. Don't argue with the officers -- they are just doing their job.

      Thank you.

  9. Re:California's new notification provisions: July by lommer · · Score: 4, Insightful

    Well, given that it's a newspaper that found this, I can't see that there'll be a big problem as far as non-disclosure on this one. Not to mention the fact that it's been posted to slashdot of course :-)

    On a side note, could the newspaper be held liable for this, given that they were intruding on the network without permission? If the newspaper gets screwed over this, it could generate some much-needed publicity and the following public backlash over this BIG problem in the current internet legal scene (namely that if someone finds an insecure network, they usually can't disclose it without getting whacked. Sometimes even if they only tell the company concerned, the company fixes it and then whacks them).

  10. more to learn by dema · · Score: 5, Insightful

    This just goes to show we have a lot more to learn about wireless technology. To a lot of people it may seem like simple common sense to use WEP or some other serious form of protection for sensitive records like that. But getting wireless is becoming just as easy as getting a cable modem hooked up so more people are doing it at a faster rate and not researching the risks that come with it.

    I read an interesting (albeit short) article not too long ago about the risks that does a nice job of explaining things.

  11. WiFI? It was easier at my school; by metalhed77 · · Score: 4, Interesting

    Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles I've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.

    --
    Photos.
  12. Fake? by CaptainSuperBoy · · Score: 4, Funny

    What do you mean fake? I met my Thai love slave on Yahoo Personals. How much more real could you get?

  13. School Districts are generally clueless by Anonymous Coward · · Score: 2, Funny

    when it comes to networks.

    Not only do they expose sensitive information, but they run generally insecure servers, and they pay mercenary network installation contractors 1000 cents on the dollar for old crappy network hardware.

    And the web pages set up by school districts for employees to use are brain dead.

    This one:

    http://www.teachinla.com

    has a link on the NCLB teacher profile logo that sends you to a page that will let anybody that can get a teacher's employee number and birthdate change their professional credentials.

    Well, it would, except the form page doesn't work!

  14. Was it just a wide open access point? by sgarrity · · Score: 5, Insightful

    From the article, it almost sounds as though it was a wide open access point (no WEP encryption or MAC filtering). If this is the case, there should be no demonizing WiFi - just a sloppy sysadmin.

  15. So, it's funny... by thenextpresident · · Score: 5, Insightful

    ...that they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.

    --
    Jason Lotito
    1. Re:So, it's funny... by retto · · Score: 2, Interesting

      Actually it wouldn't surprise me in the least if the students knew all along. I wonder if the average grade was higher there than elsewhere.

  16. Exactly by Anonymous Coward · · Score: 5, Insightful

    Check out what the person in charge at the school said:

    "I don't see this as such a huge news story," Superintendent Mary Frances Callan said the day after the district office abruptly shut down its wireless network and student information program. The real news, she added, was the great progress the district has made to its network plans, thanks to new software purchases, planned employee training sessions and the technology-use policy.

    She has absolutely no sense of responsibility of the damage she could have/has caused. Money is the only thing that will get them to take notice.

    1. Re:Exactly by LoztInSpace · · Score: 2, Insightful
      This is a good example of a point that book review a few articles ago was trying to make.
      "Consequence-Based Thinking" in Chapter 2, a concept that promotes decision-making based on desired business results, rather than on the IT problems you face.
      (Unfortunately) most IT isn't about messing around with cool new stuff, it's implementing specific requirements, no matter how mundane. How she thinks the severity of loss of extremely private data can be mitigated with "look at my cool network" I don't know.
  17. Historically by geekoid · · Score: 2, Informative

    the press has been held 'above the law' in such cases. Look at Watergate for a prime example.
    That is a good thing, as long as the integrity of the information is held to a high standard. For example, if they published all the information they got, that would be bad and they would be held accountable. If not by a law enforcement agency, then by a civil court. Probably both.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Historically by anthony_dipierro · · Score: 4, Insightful

      The newspapers never admitted to stealing the Watergate documents. They at least claimed that the documents were stolen by an anonymous informant. This case is different, because the paper admits to committing the felony itself, not through an anonymous informant.

      I see no reason to hold this paper to any different of a standard than Kevin Mitnick. Personally I'd like to see all hackers pardoned, but until then the law is the law.

  18. Wireless is not the core issue by vchoy · · Score: 4, Insightful

    ...the documents were not password protected.

    The same information was also accessible to individuals using district computers within school sites.

    This case shows whether whoever, or whatever department, was in charge had a concrete policy with regards to information and IT security.

    Security was fundamentally flawed, little or no security mechanisms in place, even LAN connections had access to the files! Wireless connection only exacerbated the situation.

  19. This isn't a problem with WiFi by grahamsz · · Score: 4, Insightful

    This is a general network security issue.

    Confidential data needs to have strictly managed flows and storage. It's worrying enough that this information could be accessed anywhere on campus even without the wireless threat.

    When it comes to something like a psych evaluation I can't see why that information isn't kept 'offline' or on a small secured network. There is *no* justification even for allowing all staff members direct access to this sort of thing - it's ripe for abuse. I also can't see any reason why you'd need access to such a report instantly.

    1. Re:This isn't a problem with WiFi by anthony_dipierro · · Score: 2, Informative

      I agree with you completely, but at the same time, what do you expect? If you want someone competent working on your network, you have to pay them. Cut the budget by $17 million, and devastation will result.

  20. Re:i wouldn't get in by Anonymous Coward · · Score: 2, Interesting
    well as one of my teachers has said before. By going to a public school students waive any civil rights they have.

    random searches of backpacks without probable cause (though this is something i agree with)

    No freedom of speech. No freedom of expression. (at our school boys couldn't wear hats or earrings, certain colors of garments, no "extreme hairstyles" or shorts during winter or spring) No -everyone is equal-: girls could wear all those things that boys could not.

    the only constitutional amendment upheld in public schools is the separation of church and state.

  21. Solution: lawsuit? by Quixote · · Score: 4, Insightful
    However much I might hate lawyers (and IANAL, obviously), I think, sadly, things like this can only be fixed by lawsuits filed by the affected students. This is just too stupid on the school's part.

    This takes the cake: "I don't see this as such a huge news story," Superintendent Mary Frances Callan said ...

    'nough said.

  22. Re:California's new notification provisions: July by mcdrewski42 · · Score: 5, Interesting

    Did the newspaper bypass security and illegally access copyrighted material?

    If so, didn't they violate the DMCA - no matter what their intent?

    After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?

    --
    /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
  23. Just go down to the district office. by sideshow · · Score: 2, Informative

    After you turn 18 you can at any time look into your permanent record. Prepare to be shocked though. I was a slight rebel but nothing too serious and my counselor described me, and I shit you not, as the NEXT HITLER!. Seriously, she said: And in this report Nick sounds somewhat like the next Hitler (I wrote a paper saying academic performance should determine which students got to go to Disneyland.)

    --
    Hollow words will burn and hollow men will burn.

    1. Re:Just go down to the district office. by mattkime · · Score: 2, Funny

      well, was she right?

      --
      Know what I like about atheists? I've yet to meet one that believes God is on their side.
  24. yeah, welcome to the red tape. by c64k · · Score: 5, Insightful

    I'm a district over from Palo Alto, and it's not surprising to me that the wifi was open. That SasiXP and server shares were open is frightening. But this is what happens when parents are allowed to come in and run roughshod over the plans of the admins. Or when random parents are your admins. Palo Alto has tech people, they should get in trouble for leaving things unsecured, but the parent group that came in and blew a big hole in the existing security needs a solid slap on the knuckles too.

    The tech staff that schools have are usually underpaid and overworked, or contractors who are juggling the details of 10-15 districts. I'm still cleaning up from the last time parents got involved, getting everyone connected to the internet.

    To every tech minded parent out there: don't give us your used crap, don't come in and 'help,' just stay out of the way. We have a clue (well a lot of us do), but we spend 98% of our time cleaning up the messes left by helpful parents, clueless teachers, and malicious kids. We're trying to get the teachers up to speed, and we're working on making it hard for the kids to purposefully or accidentally fsck things up. But parents are totally deaf to the idea that the help they're offering is really hindering things.

    How do you tell someone who wants to help no? Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

    --
    CIA Industries - Running the world for fun and profit
    1. Re:yeah, welcome to the red tape. by Rysith · · Score: 3, Interesting

      I agree. I am a student in the PAUSD who happens to run a lot of the computer stuff at one of the high schools. Many times, parents (with what I hope are good intentions) try to give us stuff. Usually, it completely fails to work well with what is already in place, although they insist that it is perfect for whatever we want to do with it. What is more, we have so many tech parents that all want to set things up their own way, regardless of what anyone else is doing, because they want to "Help the school" that even the tech people for the school don't know how a lot of our equipment is set up. It has gotten so bad that I know of at least two teachers at my school who have said that nobody gets to do anything to their computers without their permission (fortunately, they both know what they are doing). There are many times when I wish that all the helpful parents would go away and be helpful to somebody else, instead of giving us their old Apple IIs or offering to set up that new campus-wide wireless network that is crucial to their child's learning environment.

      Sigh. My rant is over now.

    2. Re:yeah, welcome to the red tape. by willtsmith · · Score: 2, Insightful

      Yes, the education system would be much better off without the meddling parents.

      Security causes configuration problems and access restrictions. That's unavoidable and necessary. Our current computer systems are WAY too secure and fragile to let kids run rampant over them. Office IT staff dealing with ADULTS have a hard enough time.

      I don't know why everybody thought it was so damn important for kids to get connected to the internet. There's really not much there in terms of educational resources. I can agree with getting teachers connected. In that way they can get material and even maybe have teachers share lesson plans (hopefully one day we'll get decent texts written by teachers instead of committees).

      Most kids using internet at school are just screwing around. I was completely flabbergasted subbing one day in a computer lab. The VB kiddies thought they were really slick. Like, I didn't know what 'Alt-Tab' meant when I was walking by. Other kids were playing with console emulators and claimed it was their 'project'. They were quite shocked when they discovered they were dealing with a professional programmer. They are so used to teachers being clueless about technology.

      --
      -------- -------- Support Wesley Clark for president!!!
    3. Re:yeah, welcome to the red tape. by Beryllium+Sphere(tm) · · Score: 2, Funny

      >How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

      You must have a backlog of projects, if you're like most IT people. Turn those into requirements documents, and the next time a parent asks to help hand him/her a requirements doc.

  25. How about in a hospital by Anonymous Coward · · Score: 3, Interesting

    WiFi is now commonly used throughout hospitals transmitting unencrypted patient information to mobile carts and charting handhelds. Imagine what you could grab just by sitting in the lobby.

  26. Far worse abuses of this data by coyote-san · · Score: 4, Insightful

    With pictures and family contact information, e.g., the names of the parents or relatives authorized to pick up the child at school, identity theft is nothing compared to the other abuses that are possible.

    E.g., a pedophile could go "shopping" for a victim, then use the information in the file to convince the kid that a trusted adult sent them to pick them up.

    Or they could be even more aggressive and add an alias to the list of people authorized to pick up the kid at school. Then they show up and breeze past security that would normally extend from classroom to doorstep.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  27. Tsk, Tsk, Tsk.... by curtlewis · · Score: 3, Funny

    Those who can set up networks, do.

    Those who can't, do it anyway.

    It takes 3 seconds to set up an access point and about 2 minutes to set it up and secure it. Even my neighbor (who apparently has wi-fi going on, I see) was smart enough to secure their network (so much for the extra bandwidth for those huge game demo downloads, while I play online with no latency or packet loss!)

  28. This is the problem... by Penguinshit · · Score: 4, Insightful

    "Andrew Hannah, a network administrator for the district, admitted security was an afterthought when the first open wireless networks were installed at the Jordan and Jane Lathrop Stanford middle schools and the district office between 2000 and 2002."

    This is the problem with DeVry's, et al, ginning millions of Win32-morons out into the world of computer administration. You get a bunch of clownpunchers who know how to press shiny buttons but who don't have a clue about the underlying principles (and responsibilities) of the computer networks they are in charge of administering.

    Mod me troll, but I'm tired of the polluted job market, and absolutely sick to death of cleaning up the puke left behind at countless small companies by these nimrods.

  29. eh? by _avs_007 · · Score: 2

    Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, [snip]

    Just getting an IP address? To get an IP address, you have to ask for one. Is it your fault they gave it to you? That's like if you knock on Honeywell's front door, and ask if you can come in, and they say, "OK, come on in", and as soon as you step foot in their premises, they have you arrested for trespassing. I suppose you could say you did have permission, because you obeyed all network protocols, where the server has the right to accept/reject your requests. If the DHCP server gives you an IP address, and the DNS server resolves the host names for you, and the HTTP server fetches the documents for you, you did everything with permission ;)

    Now if they had WEP keys, and an IPSec tunnel, that you had to infiltrate, then that's a different ballgame :) What's this you say, the network was wide open? :)

  30. The Hilarity by Emperor+Tiberius · · Score: 4, Insightful

    In all honesty, we shouldn't have legislation for data leaks and such. Let's say Joe sysadmin sets up a WiFi network. Joe sysadmin locks down said network, the board has a difficult time accessing the network and "orders" John netadmin to reduce the security and make it more "ease of use-ish." Now in the normal IT world those positions aren't filled with morons. In the educational system where tech jobs are filled @ $5.15 an hour, you have the soccer coach, or the part-time janitor doing IT work. Holes open up, since the net/sysadmin knows nothing of what they're doing, they get by.

    The question is, would the hole have been discovered? Generally the answer is no, people don't always go looking for security exploits. Hehe, if I had WiFi when I was in HS, I'd be happier about that than anything. It makes me ponder if the news didn't try and get in, would someone have?

    I've also worked for the school IT department at my university but quickly quit when I realized the average intelligence around is no higher than a walnut. The one thing I know however, is we don't want the government responsible for private information. Next thing we know is the government pushing DRM and all that other crap.

  31. How long until they... by phillymjs · · Score: 2, Interesting

    ...shoot the messenger here?

    I bet some legal action will be taken against the reporter who did the "hacking," while nobody will even think about holding any school officials accountable for their stunning negligence. I shudder to think what a pedophile with a WiFi-enabled laptop could have done with access to that kind of info. Cripes, it could have really turned into a serious NAMBLA convention out there.

    I know this much, if I were a parent of a kid at that school I'd be raising holy hell about this and calling for the heads of people in the school administration. Starting with Superintendent Mary Frances Callan, who was quoted as saying, "I don't see this as such a huge news story." WHAT??? Bitch, you should be on your knees thanking God that this was uncovered by a reporter and not some scumbag who got a kid's address from that wide-open network of yours and found himself an ideal victim!

    ~Philly

  32. Re:California's new notification provisions: July by JWSmythe · · Score: 3, Insightful

    Hmmm, IANAL, but in most areas, doesn't this fall somewhere under electronic trespass, or electronic wiretap? Like, accessing a computer system that isn't yours and that you weren't authorized to access? Sounds like not only an admission of guilt, but them bragging about it..

    Of course, press like this is rarely very good. It's enough to scare lots of people away from new technologies.. I'd be surprised if someone doesn't make a push to bring them back down to paper files for everything.

    --
    Serious? Seriousness is well above my pay grade.
  33. Bring on the law suits... by node159 · · Score: 3, Insightful

    Breach of security in regards to medical and psychological data under the school's care, which was known about but not acted on for 9 months? Sounds like some parents are going to get rich quick. Bring on the lawsuits.

    The attitude of the school's staff appalls me; sounds like the poor admin can't even do his job as everything needs to be rubber stamped before it can go into effect. And since when do they think that securing the perimeter of the network makes the files any more secure?

    --
    GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
  34. Students do this too by kavachameleon · · Score: 3, Interesting

    My friend and I recently gave a white paper to our school describing all net vulnerabilities. We were able to access attendance and grade records, as well as the faculty folders because they didn't secure one of their servers. Also, there was an "install" folder with copies (serials included!) of all of the install cds for all the programs ever used at our school. Office, Starry Night, the grade program, etc. It was a treasure trove. But, like responsible people, we gave them the white paper. The sysadmin was unaware of any of this.

  35. No way. by mindstrm · · Score: 2, Interesting

    That's toeing the line between "security" and "protection racket"

    If you know the data isn't for you, and it's not advertised for you to get, then you can reasonably assume it's private.

    Surfing student records over a wireless connection is one of those things that falls under "We knew it was not public information, and that we were accessing information we were not supposed to be"

    ANYONE who accesses my network through some kind of security breach does not deserve any kind of protection.

    1. Re:No way. by TinoMNYY24 · · Score: 3, Insightful

      I disagree. Companies should be held liable for their own insecurities. If they left their accounting books on the floor behind the toilet at the local gas station, and a competitor read them all, the competitor could not be sued for accessing that information. The same is true of the internet, or computer networks of any form. That network was being broadcast over public airwaves, and therefore is public property. If it were secured in any way, then it would be illegal to circumvent the security devices. Unfortunately for the school, it was not.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  36. Re:i wouldn't get in by PCM2 · · Score: 2, Interesting

    It's sort of ironic. People here are saying the school district should have some sort of financial liability for the negligence of allowing public access to this psychological/medical data. I'd tend to agree -- plus, I'd concur with those who say they have no business conducting (almost assuredly bogus) "psychological examinations" of students to begin with.

    On the other hand, the reason they started doing psychological examinations of students is probably because, after the Columbine shootings, they'd probably risk financial liability if they didn't.

    --
    Breakfast served all day!
  37. Something you should know by jabber01 · · Score: 3, Funny

    I'm your Thai love slave.

    I'm a 46 year old white dude. I weigh in at 332 lbs, and I sell pig manure to soy bean farmers for a living.

    --

    The REAL jabber has the user id: 13196
    What you do today will cost you a day of your life

  38. WiFi Didn't expose it, stupid administrators did. by OS24Ever · · Score: 2, Insightful

    I grow tired of seeing WiFi get the blame because someone didn't flip a simple switch on a cheap wireless hub that would have prevented 99.99% of the reporters of the world out there from doing this.

    WEP exists to stop people like this; it won't stop someone determined, but it will stop the sensationalistic 'news at 11' types.

    --

    As a rock-in-roll Physicist once said, No matter where you go, there you are.

  39. Re:WiFi Didn't expose it, stupid administrators di by shadoelord · · Score: 2, Interesting

    I do agree that it wasn't WiFi's fault, but I think it's a good thing to have "news at 11" to promote tightening of security. Now that it's been exposed in that district, I'm sure the surrounding area will also investigate their own blatant oversight.

    --
    this is my sig, there are many like it, but this one is mine.
  40. Boiler insurance by Beryllium+Sphere(tm) · · Score: 2, Insightful

    Would you like a positive response this time?

    If there's a liability exposure, institutions will buy liability insurance, and the insurance companies will be a well-funded central source of motivation and knowledge to improve security.

    Steam boilers used to blow up and kill people. Insurance companies started demanding boiler inspections. After that, fewer boilers exploded.

    The "U" in the UL tag on electrical equipment stands for "Underwriters".

  41. Re:profiling by dnoyeb · · Score: 2, Informative

    All schools have them AFAIK. It's not necessarily 1 per school. They have therapists as well. I think the Americans with Disabilities Act would make schools have even more than that. But it could be a handful per school district or something like that.

  42. Identity Theft by Helmholtz · · Score: 2, Insightful

    In this age of identity theft, I think Universities should be held to a high standard of privacy. I know when I attended college, I had a real problem with the University using my social security number as my "Student ID" number. I complained to the Dean of Student Affairs, and was told that it was University policy and there was nothing that could be done about it.

    I remember strolling by empty offices of professors seeing the green printouts of class rosters at the beginning of each semester, and thinking that all it would take is somebody to duck into one of these rooms, lift that list, and poof, you've got hundreds of names and valid social security numbers.

    I realize that many schools are moving away from using the social security number as a form of student identification, but I wonder if this coincides with a shift in the fundamental philosophies of these establishments, or if it is simply a method of saving face. I sincerely hope it is the former rather than the latter.

    --
    RFC2119
  43. School Security by Parinioa · · Score: 2, Funny

    A few years ago I was taking a Cisco course that was offered through our school by the local Tech Institution. I was working on a way to log into a Win2k server box over a modem so that I could do various things from home (never did exactly figure out what, as the net connection at the school was crap and the modem never did work), but as I was looking at the network I ran across the school's web page and looked at the server behind it (WinNT 4 with IIS, luckily patched for Code Red, which had been running rampant about that time). I could log onto the server through FTP as Anonymous and browse through the few files that were there. The one gem I found was an Access database with personal information about every single employee of the district. Being the good little boy I told IT (wonderful when the teachers listen to you). The server stopped serving FTP for about a week and then it was back up with the offending file. It didn't get taken back down until they did a major upgrade over the summer and put a Win2k box in its place. (That and half the IT staff got replaced that year.) Ahh the stories of our IT staff, I could go on forever.

  44. Getting an IP is a felony? by LionMage · · Score: 4, Informative
    You bring up an interesting point, so I actually called my attorney and asked him about the points you bring up.

    Yes, just getting an IP address is a felony. FCC law says that robbing someone electronically of services or interfering with electronic transmission IS a felony.

    Well, actually, my attorney says no it isn't in my case... Because of the following argument:
    1. H*neywell is a corporate entity with known expertise in electronic communication.
    2. H*neywell is on "constructive notice" that they must secure their resources or face the possibility of people "openly and notoriously" using their resources (in this case, wireless network access).
    3. H*neywell remains silent as I and others connect to and use their wireless access point, even though they have the capability to monitor such access, and the ability to lock the electronic "gate" that bars access to this resource. (Locking the gate in this case is equivalent to putting some kind of password protection on the access point.)
    4. H*neywell has, in effect, waived their rights by not voicing objections and putting me and others on notice, and by not securing their resources.


    It was [the newspaper's] intention to access the network and they knowingly downloaded files that were sensitive in nature.

    Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.

    If you knowingly leave your door unlocked and I willingly open it and walk in, have I committed criminal trespass? According to the law I have... it's called "breaking and entering."

    Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.

    Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.

    Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.

    If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)

    In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.

    Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.
  45. Re:California's new notification provisions: July by BJZQ8 · · Score: 2, Interesting

    I was involved in a similar situation about 2 years ago. Huge amounts of school information were exposed to the world, and it was all quietly swept under the rug. I was told to keep quiet and to say nothing more of it. I was threatened with termination if I disobeyed. Since I no longer work there, I'm pretty free in saying that their "security system" has a bigger hole than the goatse man. School districts that buy "consultants", which are little more than revolving-door Microsoft salesmen with MCSE's, should be dragged out and shot. All they do is put up a huge line of BS that gets them the sale, then they act like they have done their job. School computer systems are all a total joke.

  46. Re:California's new notification provisions: July by zakezuke · · Score: 2, Interesting

    I'm not sure how this would qualify as electronic trespass. It's one thing to physically or electronically attempt entry, but when the radio waves are not encrypted and pass through your body?

    I mean... if for example I had a WiFi card and I was on campus, which I would consider perfectly out of the ordinary, and I tripped upon a network connection, I would think "oh neat, public WiFi". Just like if I was walking down the street and saw a path to a lake, "Oh neat, a public lake".

    My point is without notice, how do you expect people to know it's trespass? Or on the other hand, without encryption, how do you expect people to know it's private? Without notice of private property, I don't think it's trespass.

    Common sense should rule in cases like this, as for radio reasonable attempts should be made to protect private communications, and if they are intercepted it's your own damn fault.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  47. I tried to be helpful by DMDx86 · · Score: 4, Interesting

    My school district, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we can't do anything". I laughed and forgot about it for a year.

    Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.

    After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages. This is the thanks I get for telling them that they're vulnerable.

    As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.

  48. As a student at Gunn high school....(PAUSD) by ZaBu911 · · Score: 2, Interesting

    I'm really disappointed with this. Not only is it a violation of my privacy, it's not the first.

    It's very easy to get a network drop and access files. This is simply ridiculous. Fortunately, I was able to save the day and alert the network administrator .. who did nothing.

    Oh well, at least they opened up port 22 for me

  49. Re:California's new notification provisions: July by JWSmythe · · Score: 3, Informative


    Well, logically, ya, you should be able to listen to anything being broadcast at you.. But, look at what they do if you descramble satellite feeds without paying..

    But, I don't think they accidentally picked up the signal. They said they were sitting just outside of the school's office, with the proper equipment (ya, laptop and wifi card, big deal), but that's intent. Not only that, but sitting outside that office ("Using a laptop with a wireless card outside the district's main office") they sent data to retrieve data ("the Weekly gained access to such data as ..."). They were trespassing, just as much as if they reached in the window to pick up files sitting there. It could be arguable if they happened to walk past with their laptop in hand, and made a connection but did nothing on it, that they were simply receiving passive communications, but the reporters went as far as to connect, and dig through the confidential files of the students. Being that they were students, and not only were there contained school records, but medical records ("emergency medical information complete with full-color photos of students and a psychological evaluation")

    Ahhhh, and here we go with the law (I've been busy with work, not much time to play). The summary of this is, yes, they broke the law, and it's punishable by $2,500 and/or 1 year in jail on the first offense, and $10,000 and/or 1 year in jail on the second offense.


    PENAL CODE
    SECTION 630-637.9


    631. (a) Any person who, by means of any machine, instrument, or
    contrivance, or in any other manner, intentionally taps, or makes any
    unauthorized connection, whether physically, electrically,
    acoustically, inductively, or otherwise, with any telegraph or
    telephone wire, line, cable, or instrument, including the wire, line,
    cable, or instrument of any internal telephonic communication
    system, or who willfully and without the consent of all parties to
    the communication, or in any unauthorized manner, reads, or attempts
    to read, or to learn the contents or meaning of any message, report,
    or communication while the same is in transit or passing over any
    wire, line, or cable, or is being sent from, or received at any place
    within this state; or who uses, or attempts to use, in any manner,
    or for any purpose, or to communicate in any way, any information so
    obtained, or who aids, agrees with, employs, or conspires with any
    person or persons to unlawfully do, or permit, or cause to be done
    any of the acts or things mentioned above in this section, is
    punishable by a fine not exceeding two thousand five hundred dollars
    ($2,500), or by imprisonment in the county jail not exceeding one
    year, or by imprisonment in the state prison, or by both a fine and
    imprisonment in the county jail or in the state prison. If the
    person has previously been convicted of a violation of this section
    or Section 632, 632.5, 632.6, 632.7, or 636, he or she is punishable
    by a fine not exceeding ten thousand dollars ($10,000), or by
    imprisonment in the county jail not exceeding one year, or by
    imprisonment in the state prison, or by both a fine and imprisonment
    in the county jail or in the state prison.

    I won't say that the school didn't fuck up, because honestly they did.. But, as any stumbler/wardriver knows, they're not the only ones. It doesn't take a computer expert to get into most networks. They should have done a better job, but failed. This is barely news, it's just a reporter bragging how they broke the law, invaded the privacy of thousands, criminally trespassed, and are flaunting it as news. It's as criminal as if they broke into a bank and took out cash, even if handing it back in the morning, to prove that it could be done.

    With that said, ya, my laptop is set up for stumbling too. :)

    --
    Serious? Seriousness is well above my pay grade.
  50. Re:California's new notification provisions: July by JWSmythe · · Score: 2, Informative

    BTW, here's a nice little list of some of the state laws, just regarding the wiretap portion.

    http://www.ncsl.org/programs/lis/CIP/surveillance.htm

    --
    Serious? Seriousness is well above my pay grade.
  51. Re:California's new notification provisions: July by zakezuke · · Score: 3, Informative

    But, look at what they do if you descramble satellite feeds without paying.

    Ahh, that's actively *descrambling* the data. That's going above and beyond, theft of services and all that. You need to buy a key of sorts to gain access to these services, unless you are in Canada of course.

    intentionally taps, or makes any
    unauthorized connection, whether physically, electrically,
    acoustically, inductively


    I do not claim to be a lawyer, but largly based on what i've observed tap, as in wire tap, only applies to audio tapping. As in, it might very well be legal to pop in a security camera so long as it doesn't pickup audio.

    Further more, even the law you quoted implies *authorized access*. I would argue strongly that without basic security mesures that all people *are authorized* to access this material. It would be no diffrent, in my minds anyway, if they put up private information on a public web server, esp if google picks it up seeing no robots file in place.

    I would further submit the fact that the service of WiFi netaccess is very much common place. For example, my local starbucks coffee offers WiFi access for a fee, and I know of one CAFE that offers public free WiFi access.

    Given that this is a service offered in some establishments, a stumbler who accidently comes across access might reasonably assume that this is a service, given there was no security and *authorized access* is granted to everyone by the WiFi router based on a configeration choice by the system admin. My argument, which may or may not stand up in court, would be that because the system authorizes you that no law was broken, even if access to propriority data was made publicly available to anyone who requested access.

    We can clearly agree the school fucked up, but I'd argue that they should be held criminally liable because their WiFi network specifically grants *authorized access* to anyone. Just because it's an automated authorization system is no excuse in my mind's eye, no different than asking for proprietary records and getting them by fax from an office worker that wasn't told better.

    If it was me personally, I'd say, "oh cool, public WiFi network, I can check my e-mail from here".

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  52. Re:California's new notification provisions: July by NoodleSlayer · · Score: 2, Interesting

    The point is that there is no security to bypass... None, zip, zero, zilch. I live in and just graduated from Monta Vista in the nearby Fremont Union High School District, and the thing about 90% of the District tech guys is that they don't know what they are doing.

    I've met an MCSE before that didn't know how to add a user to a Windows 2000 server. Honestly, these people for the most part are the lowest of the low. And similarly in FUHSD they too have an unencrypted wireless network. I can access that network *from my house* that's a mile away; granted, we had to pull out a friend's parabolic dish, but we managed to hit the thing, not to mention that I have good line of sight to the entire valley from my house.

    These guys don't comprehend that a wireless network does not stop at their walls, and they leave the networks unencrypted to make it "easier" for them. Security is only a concern as long as they don't get caught. I've seen, I've known students that have broken into an Apple File Sharing server with a simple brute force attack, and then they proceeded to delete several students' work from the Typing class and move some files around.

    This was a situation that was easily preventable by maxing out the number of times an account can attempt to login within an hour, but they didn't do it because it was "too inconvenient." Evidently these guys also aren't smart enough to remember their own passwords; so much for security.

    ~Noodle

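The control the comment above describes, a cap on failed login attempts per account within an hour, as an added example that is not part of the thread or of any product mentioned in it. The limiter, the account name, the password and the guess sequence are all constructed for illustration; the threshold of five failures is an assumed policy value.

```python
"""Per-account login attempt limiter (added example; not from the thread).

Caps the number of failed login attempts an account may make inside a
sliding one-hour window so that a simple brute-force guessing loop is
cut off. The credential store and the guess stream are constructed
sample data for the demonstration only.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour, as in the comment
MAX_FAILURES = 5        # assumed policy value, not from the thread


class LoginLimiter:
    """Tracks failed attempts per account in a sliding time window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        # account -> timestamps (seconds) of recent failures, oldest first
        self._failures = defaultdict(deque)

    def _prune(self, account, now):
        """Drop failures that have aged out of the window."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account):
        # A successful login clears the failure history for that account.
        self._failures.pop(account, None)


# Constructed credential store (plaintext only so the demo is self-contained;
# a real system stores a salted password hash, never the password).
USERS = {"student42": "correct-horse"}


def attempt_login(limiter, account, password, now):
    """Return 'locked', 'ok' or 'fail'.

    A locked account is refused before the password is checked, so a
    guessing loop learns nothing once the cap is reached.
    """
    if limiter.is_locked(account, now):
        return "locked"
    if USERS.get(account) == password:
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "fail"


def simulate_guesses(guesses, start=0.0, interval=1.0):
    """Feed a constructed list of guesses for 'student42', one every
    `interval` seconds, and return the outcome of each attempt."""
    limiter = LoginLimiter()
    return [attempt_login(limiter, "student42", g, start + i * interval)
            for i, g in enumerate(guesses)]


if __name__ == "__main__":
    # Five wrong guesses lock the account; the sixth is refused even
    # though it is the right password.
    print(simulate_guesses(["a", "b", "c", "d", "e", "correct-horse"]))
```

A lockout like this also lets anyone who knows an account name lock its owner out, so in practice it is paired with a per-source rate limit or progressively longer delays rather than a hard refusal, and lockout events are logged so repeated failures against many accounts show up in review.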
  53. Not surprised by Linker3000 · · Score: 3, Interesting

    Stayed in a uni hotel (part of their conference suite) about a month ago and each room had access to the campus network and Internet via a 100BaseT connection. Hooking my laptop to the network revealed dozens of workgroups, numerous student and uni PCs. About 80% of the PCs had guest login disabled, but among the noteworthy that didn't:

    - 1 PC hosting numerous recent movies including the one where there is no spoon (reloaded)
    - 1 PC sharing 'my documents' with tons of party pics (all very pretty but harmless)
    - Numerous MP3s in about 20 shared 'my music's
    - A smattering of pr0n
    - Almost every accessible PC infected with worms that spread via NETBIOS (Norton AV 2003 went frantic every time I browsed a share)

    Welcome to the real world

    L3K

    --
    AT&ROFLMAO
  54. I think you all missed something... by tbase · · Score: 2, Interesting

    I tried to find a comment on this issue, but didn't see one. Sorry if I missed one.

    This has nothing to do with WiFi. The data was on the network and not even password protected. Take the WiFi out of the equation, and from what I read in the article, anyone, even a student in the library, could have accessed this info. Teachers shouldn't even have access to the psych evals unless there's a reason and they get permission. The board's own policy says that pictures of the kids shouldn't be stored on the network. The point is those files were supposed to be in a locked down area of the network, and they weren't. Even if they were, the individual files should also have been password protected, in addition to the volume they were on.

    And as far as the newspaper getting in trouble, it seems to me that allowing guest access means that you're ok with guests connecting. I don't think there was much 'hacking' involved. If there was, they should get in trouble. Otherwise all I have to do is get a job as a freelance writer for a paper, and then I can do whatever the heck I want, and if I get caught, then I just say I'm working on a story. That's BS.

    You want to do this kind of investigating, you should accept the risks. If you want a by-line and glory, you deserve what you get. Sometimes doing the wrong thing for a good reason is needed - but if you don't punish people when they're caught, it's going to get out of hand.

    --

    666-607: 6th floor apartment of the beast
  55. in other news - Headline Exposes Ignorance by Shadestalker · · Score: 2, Insightful

    "WiFi Exposes Sensitive Student Data"

    The technology isn't the problem, it's the people. Oh sorry, I guess "People Still Stupid, Film at 11:00" doesn't make a juicy headline, now does it?

  56. What about HIPAA? by SolemnDragon · · Score: 2, Interesting
    Health Information Privacy Accountability Act... wouldn't the school be in violation for not locking down students' health data? This is a real issue here in the Northeast US, where everybody who has so much as a note from a doctor by a student or employee has to keep it carefully under the regulation-approved locks and deadbolts...

    I'm not sure how this applies to an accidental WiFi transmission (IANAL), but I'm pretty sure that it would be grounds for serious fees and fines if it happened at any other kind of institution. I'm wondering whether the school will be in major trouble on this account alone. Under the rule, only health providers would face penalties for disclosing medical records, but if the school is a healthcare provider, for example, if they have an on-campus medical unit, they might be held liable.

    Thoughts, ideas, am I way off base here?

  57. Balancing security and the ignorance of teachers. by mindKMST · · Score: 2, Informative
    I work for a school district and can understand the trade-offs that are made by network administrators. I have to weigh decisions every day to choose security or ease of use. Most of the teachers are technologically illiterate and cannot perform even basic functions on their computer without assistance from the IT staff. The problem of inadequate computer skills is compounded by the fact that many districts refuse to pay teachers to attend computer training more than a couple hours a year. There is also opposition from the teachers union to mandated computer use in the classroom. While I personally believe that computers have limited use in the classroom, more training is necessary as teachers are now forced to make use of file servers as well as student information systems on a daily basis.

    While concepts of permissions and network based storage may be simple to those of us who are experienced computer users, they are not easy to explain to a room of teachers. One on one training is the most effective way of helping teachers grasp the concepts necessary to make them self-sufficient computer users. I have taught several classes only to have the teachers who are already comfortable with these concepts pay attention. Those who need the most help usually sit there and chat or knit. They have the same defeatist attitude about computers that they try to discourage in their students. Many teachers have an irrational fear that they will somehow break their computer by doing anything they are uncomfortable with. When teachers ask "How did you learn all this stuff?" I encourage them to 'break' their computer (softwarewise, that is :) and then try to fix it.

    Solutions. I think many of these issues will fade as younger teachers who are more comfortable with technology replace the older teachers who are less willing to change. New teachers are now required to take quite a few educational technology units in order to get a teaching credential. User interface standards must improve throughout the software industry. Most of these programs make sense to the nerds who designed them but more testing and better design is needed to make them usable for your average teacher.

    This particular instance in Palo Alto appears to be an issue of user ignorance as opposed to the incompetence in the IT department. Quite simply, someone placed private documents on a public server.

    Obviously I'm making broad generalizations for the sake of discussion but they are based on first-hand experience. Just relax and take 'em with a grain of salt.