Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
"'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"
Yes, and she could also be criminally negligent for doing so.
Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue your precious little girl.
Mwwwwwaaahahahahahaha!
"Rocky Rococo, at your cervix!"
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
I missed out on having the ability to hack my middle school teachers' computers. All we had were Apple IIe's and Oregon Trail (which still rocks btw) :-(.
Ahh yes, the fun part of computer science in high school... trying to figure out how to break into (or just break) the network. From pwning Deep Freeze to giving everyone access to your network disk space (sometimes with comical results)... it was great attending a system with an incompetent IT staff.
The access was a crime. She accessed the system with an unauthorized name and password.
quite a bit more than the poor sod in the UK who typed ../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.
Different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Only all the teachers' passwords were blank, and they had superuser privileges. I got in so much trouble for pointing that out :/
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
Sloppy admin work is everywhere, unfortunately; it's seen as more of a nuisance than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace, where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)." Yeah, she said that...and then laughed - during the presentation introducing the project to the team.
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
fak3r.com
You think the password was "Pencil"?
(If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)
"Over the past three years, there has never been a single concern voiced to Red Schoolhouse by any teacher or other user of OARS about system security."
No kidding? You mean everyone used a default password for years, and didn't complain? Definitely a spin to take the heat off the company. The software should come with a big red warning sign, "Change the default password, and give each user a unique password!"
..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.
(c) [...] any person who commits any of the following acts is guilty of a public offense:
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
The NSA: The only part of the US government that actually listens.
A $250 write off?
That is the result of a powerful lobby?
I thought you were talking real money.
"Rocky Rococo, at your cervix!"
Tell me this isn't the same school that tapes their passwords onto the backs of their laptops... I'm sure there's a lawsuit just around the bend. No doubt they'll try to accuse students of breaking into the records system, since IT "professionals" who advocate the use of generic passwords can certainly be trusted to track down and report unauthorized access to the system. I mean, it's only their job if they can't find a scapegoat. Who better to blame than helpless children?
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
Dude. What's with your hate-on for the teaching profession?
Some teachers are more competent than others, sure, but your comments are a slap in the face to my friends who are teachers, who ARE underpaid, who DO have to purchase school supplies out of pocket.
This also has nothing to do with the article, so we should both be modded off-topic.
that can't help thinking of matthew broderick being sent to the principal's office just so he could check out the week's password in a certain movie? http://www.imdb.com/title/tt0091042/
ed
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
A common trick used by 'Art School account' holders at a certain University in 83 was to check the sequential account numbers and use the default password. If the rightful owner never logged in, the account would be yours for the quarter. If they did, you got kicked and had to use one of the other 100 or so you and your buddies built up.
I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued an account nonetheless. If they never logged in nobody cared. There were many non-student users at 'The Apocalyptic Cyber Coven' back then. Name the school and you get a cookie.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
In the early 1990s, my university did something similar. Everyone had a three-initial login consisting of their first/last names and a middle initial, and a letter following. It was policy to give all students who enrolled a login. ghk2, mby5, adh7 etc.
Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...
Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd .. and ls -la to see the inactive user dirs. We'd keep multiple ones active if ever we went over quota, and give accounts to friends outside the university so they could login via the modem pool, and the uni did nothing about it for the five years I was involved with them, from 1991 to 1995.
I'm not surprised the same braindead thinking still exists somewhere in the world.
Some dumb teacher at my old school put up contact information for all students and staff in the school, as well as their accounts + email with passwords, in a directory accessible without a password. I found it the first year I went there (4 years ago), didn't tell anyone (would you? honestly...), and they just found out that it was there about 6 months ago. The kicker is that the thing got updated each year!
I work with a number of schools. Security is just something they don't get, at all.
This week, one of my schools had 2 random users suddenly become domain admins. They only had a few days worth of logs, so we don't know who did it, and no one who had administrative access has fessed up.
Teachers let students use their accounts, administrators use sticky notes with passwords, we're almost at the point where we'll be forced to disable screen saver lockouts because of the whining.
It isn't just computer security. Physically, they only want to appear to be secure. They make a nice show of forcing visitors to sign in, but I can sign in as Wayne Newton or Ted Bundy and not even get a glance. In any case, you can almost always go in any number of side doors.
I'll be sending this link around to some folks, I'm fairly sure my "obsession" with security garners snickers more often than anything else, but que sera sera.
I am surprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.
You'll never know, that still might happen...
Coderz 4 Life
Having worked in a university environment for 8 years, and now working in a private corporate environment, it's staggering to see how often weak passwords are used in the educational areas. I had several roles that included support, which required me to work with users to solve their problems. Nine times out of ten, the password that the user chose was a dictionary word. The other 10% usually was some form of a dictionary word with a number at the end (usually 1). A small fraction of people (who had their lastname as their login) would make their password their first name. Some would keep them on post-it notes on their monitor, when they had no office door, and basically no physical security at all when they were away from their desk.
When I assumed the sysadmin role for a webserver, I changed the policy for that system, and manually assigned passwords that the users were not allowed to change. They were all passwords like (example) xj45Q!8p. People were upset, people were more often requesting password resets, but the number of instances of "I think someone accessed my account" dropped down to the single digits within the span of a year. Even those occurrences were usually the user not remembering that they did something the day before.
The fact remains that too many people have weak passwords. I hardly ever use a password that's less than 15 characters, except when 15 is too long to be accepted. (On a side note, what's with having a MAX character length for a password? 4-8 characters? That's not enough for me.)
I think part of any company's "orientation" for new employees, or part of that form that some have to sign to get network/computer access should say something about passwords. Most users can't be trusted to create secure (or more secure) passwords on their own. Taking the word tomato and adding a 1 at the end, oooooh now they'll never figure that one out!
The idea of picking a good password in this day and age, needs to be escalated to a higher priority. I wonder how secure the president's email password is, if he even has one.
And they said zombies weren't real!
What you should be teaching your child is that when they get caught, they should simply tell whoever that they are doing "security testing". According to what I read at Slashdot, that makes it "OK".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
"It's mind-boggling."
Only a teacher would comment on default passwords like that.
Good times.
Against stupidity the Gods themselves contend in vain.
This is not a new concept in the least.
At my old high school years ago we worked on IBM PS/2 PC's that were networked by way of Token Ring (yes, you read that right, a token ring network, not ethernet).
In any event, every student had a default password ("pass", I do believe). What made it better is the login was a student number that was on every teacher's attendance list. So, if you could get a look at (or, in my case, get a hold of) these attendance sheets, which often got thrown away for some reason or another, you could find the unlucky victim or an enemy student's number, and proceed to see if you could get in. This proved to be easy most times due to the fact that in my rural area not a lot of folks were exactly.. computer savvy.
Of course, it was much more fun when I got access to an assistant computer teacher's account and played around with his (much more powerful) options. His password was simply the name of the University he loved and was always telling us about. Very foolish.
Strong passwords, people. It's the first defense. It may cost more for your department to make up unique defaults for users, but in the end you will save money and a great deal of embarrassment.
Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Enders Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.
I can't imagine not taking the time (minutes to hours) to require a real password for a service or application. cracklib goes a long way. My god, just make the default something like the middle 6 digits of their social security number (or other less conspicuous data which the school has recorded); sure, you can find a SSN, but in general you have to at least look for it.
Someone change the combination on my luggage!
Most schools don't even require A password, much less one that you have to type with more than your right hand. I'm pretty confident schools have the worst IT security of any kind of organization in the world that I know of. It's the one kind of system where insecurity is not only encouraged, but anyone who might want to point out the flaws to the administration is discouraged from doing so. I say this having been kicked out of 4 high schools in 1 year for reporting security risks to the administration. Apparently I have a "problem with authority" (I actually try to help them, is my problem).
Wanna talk lawsuits? Try "criminal negligence" if someone can show that the district's shitty security provided no real barrier to someone else who used the district's information to commit a more serious crime.
(If you need help, think of the laws surrounding "classified" information. Sure, it's illegal for most people to possess classified materials, but the law is structured to allow the government to go after malicious or sloppy guardians of classified materials because they are the leakers and thus the real problem.)
The city of San Francisco is looking for a new IT Manager. Must be able to come up with more than one password. Passwords with numbers a plus. Job to be filled immediately.
My school also assigns generic passwords to new users, the same password every year, and for new teachers as well. This rather makes it easier for logging on, but many students never change it. What's worse is that new users are added months before they come to the school, many before the end of the previous school year. And you can see a list of users if you really want to, sorted by year.
There are also some pretty major security holes besides the password. One example fixed the year before I got there was that holding the "a" during login would make your account an administrator. Other ways to become an admin are still around... I saw one kid create a NEW admin account in under 30 seconds from Word, using the file opening interface. Other holes are less important; for example, we aren't allowed access to the C drive, but if you do certain things in PowerPoint, then open a file "from history", anybody can get on, and do such things as play card games and change the screensaver. Our school tries to keep up with all the holes in Novell, but they just don't know most of them.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an asinine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
Without great password models like this, I wouldn't have had internet access in 1994-1997.
Don't anthropomorphize computers: they hate that.
What do you mean you couldn't hack Oregon Trail? Did you die of dysentery or something? /Wonders how many "Poop lies here" tombstones are out there on 5 1/4" floppies...
Saskboy's blog is good. 9 out of 10 dentists agree.
At least the TV is still there.
:P
To use your example, there's a difference between trespassing and Breaking and Entering. Only one of them is a felony.
Trespassing and leaving a note is WAY different than B&E, you know that whole Motive, Means and Opportunity thing.
Besides, just because I wrote the note doesn't mean I left it there.
And if you forget your password, you have to do it again.
Blindfolded.
A new college hire involved in a password change request.
Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).
.... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:
- Name of their child
- Type of car
- Licence plate number
- Name of husband/wife/spouse/life partner/current booty call
The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
My wife flips out when I travel because I do not use locks or combos at all. The combo locks are easy to feel your way to opening, and the travel locks with keys are easy to pick. I travel quite a bit and other than my bag being "lost" for a period, I have had nothing stolen from my bags. Of course, a nerd like me packs nothing of value, and I doubt airport personnel would have a thing for sniffing my boxers.
When I first got my current job, everyone had the same password! It's awful because even when someone leaves the company, they can still access everyone else's accounts. The system admin's response when I asked him about it: "Well, if you let them choose their own passwords they keep forgetting them and keep bugging me about it."
This is the same system admin who mapped drives on the Samba3 domain to regular users as the Domain Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his Windows box every 3 months because of excess spyware.
The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.
Stupid people shouldn't be in charge of important things that involve the physical and informational security of many people. However, we keep putting them in those positions and keep them there because it's easier and we "trust" them even though they are incompetent. Why else would Americans reelect Bush?
How many times do we see this same type of story in the news... Passwords are a weak link in the security chain and guidelines on how to create and manage passwords have been around forever. In this day and age it is a simple thing to use two-factor authentication through RSA tokens and such, and it should be IMO a requirement placed upon systems that protect personal information. There is no excuse other than negligence for this kind of situation. I have seen so many cases where passwords initially given are so simple to guess (lastname,first initial or even password) and it plain pisses me off. Then on top of that they don't automate the system to check for weak passwords, so people wind up changing their initial password to something just as easy to guess. One audit I did of about 200 users had a dozen or so using "password", another 20 or so using their name and another 50+ using passwords that were easily guessable... It's piss poor and there is no excuse.
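Two posts above make the same defender's point: the admin should have scripted a check for accounts still sitting on the generic default and locked them after a grace period, and the password-change path should have refused "password", the user's own name and dictionary-word-plus-digit choices. The following is an added example written for this thread, not code from any of the posters or from the OARS/Red Schoolhouse product; the account records, the generic default "pass", the 7-day grace period, the 12-character minimum and the five-word wordlist are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed assumptions: the generic default handed to every new account,
# how long an account may keep it before being locked, and the policy limits.
GENERIC_DEFAULT = "pass"
GRACE_PERIOD = timedelta(days=7)
MIN_LENGTH = 12
# Tiny stand-in for a real dictionary (cracklib ships a proper one).
WORDLIST = {"password", "tomato", "welcome", "school", "letmein"}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, hex encoded (never store defaults in clear)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_account(username, password, created, first_name=""):
    """Constructed account record shaped like a provisioning script's output."""
    salt = os.urandom(16)
    return {
        "username": username,
        "first_name": first_name,
        "salt": salt,
        "hash": hash_password(password, salt),
        "created": created,
    }


def still_on_default(account):
    """True when the stored hash verifies against the generic default."""
    candidate = hash_password(GENERIC_DEFAULT, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])


def audit_default_passwords(accounts, now):
    """Split accounts into lock (default past grace), warn (default, in grace), ok."""
    result = {"lock": [], "warn": [], "ok": []}
    for acct in accounts:
        if not still_on_default(acct):
            result["ok"].append(acct["username"])
        elif now - acct["created"] > GRACE_PERIOD:
            result["lock"].append(acct["username"])
        else:
            result["warn"].append(acct["username"])
    return result


def weak_password_reason(password, username, first_name=""):
    """Return why a proposed password is rejected, or None if it passes.

    Checks the patterns described in the thread: the login or first name,
    a dictionary word, a dictionary word with trailing digits ('tomato1'),
    and finally raw length."""
    lowered = password.lower()
    names = {n.lower() for n in (username, first_name) if n}
    if lowered in names:
        return "matches login or first name"
    stripped = re.sub(r"\d+$", "", lowered)  # 'tomato1' -> 'tomato'
    if lowered in WORDLIST or stripped in WORDLIST:
        return "dictionary word (possibly with trailing digits)"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


# Constructed sample data: one account never changed from the default and past
# grace, one changed to a strong password, one created two days ago.
SAMPLE_NOW = datetime(2005, 9, 15)


def sample_accounts():
    return [
        make_account("gadye", GENERIC_DEFAULT, datetime(2005, 9, 1), "Sarah"),
        make_account("smith", "Xj45Q!8pLongOne", datetime(2005, 9, 1), "Pat"),
        make_account("jones", GENERIC_DEFAULT, datetime(2005, 9, 13), "Lee"),
    ]


if __name__ == "__main__":
    for bucket, users in audit_default_passwords(sample_accounts(), SAMPLE_NOW).items():
        print(f"{bucket}: {users}")
    for pw in ("tomato1", "john", "xj45Q!8p", "xj45Q!8pLongEnough"):
        print(pw, "->", weak_password_reason(pw, "jsmith", "John"))
```

Run as a cron job, the lock list is what the admin in the post above would feed to the account-disable command; the reason strings are what the password-change form would show the user.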
News Reporters Make Tasty Polar Bear Treats!
From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
Just because you couldn't figure it out and your child could doesn't mean you have to get pissy about it.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I find most of the articles on sfgate.com to be a little overly dramatic, so I'm skeptical. First of all I wonder how much information was exposed. For instance it might have been only the students (or student numbers) and grades. Worst case it was their addresses and social insurance numbers. Doesn't this type of hacking occur every day, and is it only newsworthy because a reporter was able to hack in?
~jennifer.k~
No offence, but if you aren't given the money to buy things, don't fucking buy them. Have a word with the person who's above you in the line of things and get it sorted out.
Really, if these are the people that are supposed to be teaching us how to do things, I'm pretty worried. Well, I would be if it wasn't for the fact I don't listen to a word they say and still get top grades.
Maybe I missed it in TFA, but I didn't see any explanation of WHY the passwords were generic to begin with. Why didn't the system create a random pw for the first login? Instead the article seemed to focus on who used it and whether teachers could be trusted. Red Schoolhouse should be taken to task for this. Instead, TFA seems to dance around this, instead of actually asking why this happened. It's obviously a technical issue.
We play the game with the bravery of being out of range
And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.
This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?
"'I'm fuming mad, ... It's mind-boggling.'"
...she's got a great future writing for the "Weekly World News".
ah.clem
---
"I don't know, Jenny, I don't know."
"Life is not magic." Dr. Ron Weiss - "If we don't play God, who will?" Dr. James Watson
And I must respond to you...
My mother has been a teacher for nearly 40 years. She/we had all the problems you describe plus more (probably because she was a single parent).
I am not the least bit sympathetic though. She picked her profession. Every single person in college for education knows they won't be paid jack shit for the horrible shit job known as "Teaching in Public Schools". Yet they continue regardless. So they should shut the fuck up and deal with it... they chose their fate.
I think we should cancel the whole deal anyways, kids don't learn shit nowadays (did they ever?), and so it is just one huge waste of money. The cash register at McDonald's or Wal-Mart does all the math for you anyways.
What I always try is: Joshua. I don't know why though.
Since when did it become legal for someone to access a private database system. Wasn't the reporter committing a crime?
Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.
That said, he/she/it should not have been so negligent.
When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollipop. The lollipops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shoplifting. Hmmm...
So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.
Well, that sounds like a good plan... not buying something. But a good teacher makes sure their students get what they need to learn. And no, things don't get sorted out. My father was threatened with possible firing because he sent a letter of complaint to the superintendent (he's a principal now) complaining about the lack of funding and salary cuts while the upper administration got raises. The problems are not the teachers, the problem is the overblown administration. I don't want to discuss all of this here, but when someone in a top administration position decides the money and everyone gets cuts except for the top administration (who get raises), something is corrupt, and proper channels no longer work. But maybe that's just me.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
In my highschool, all students are issued a four-character password in the lower case alphabet. As I demonstrated to my teacher numerous times, using a password this weak means a maximum of 30 seconds using John The Ripper or L4, depending if you're using the Linux or Windows network.
Actually, the school charges you $5 to change your password, if the teachers who are in charge of doing so even listen to your request. It took me three months to get my password changed from 'hqfz' to a 8-character password which would take significantly longer to crack in L4 or John.
School and government security is a joke. I could get every single mark for every student in my school, including test writeups and exam reviews in less than ten minutes. And the IT department continues to enforce even more pseudo-security, claiming that the teachers are too stupid to remember a 8-character password. Perhaps it'd be best if we EDUCATED THE PEOPLE who use the machines instead of telling them to "move along, citizen"?
I thought the point of Good Samaritan laws was to ensure you could not be sued if you did help, and the person ended up disabled/peeved/dead anyway. I didn't think they also required you to help, although I'm not suggesting that's a bad idea. I think the first issue is a much greater problem than the second. Even in the cynical me-first US, accident victims usually get help.
RETURN without GOSUB in line 1050
My own child could go into this, figure it out and get all this data on all these students.
Not if you weren't a crappy parent! Watch your kids, people!
was the launch code WOPR was searching for to fire off the nukes. Do I win the geek-of-the-year award now?
RETURN without GOSUB in line 1050
I think this finally proves, once and for all, school people are fucking retarded.
Yah, dude, parents should have to sit in the same room as their kids and watch them every second of every day.
We are implementing a statewide Enterprise Directory like this in Connecticut. Our model for distributed security scares me quite thoroughly for this very reason. This thread gives me more ammunition to stand my ground on a much stiffer password management policy. Thanks Slashdot!
--Always, I mean never..., No I mean always check your references.--
This is what happens when "security" is made a convenience rather than a way of protecting a system.
Five Dolla Moddy-Moddy?
The passwords were out for everyone to see, provided they did a tiny bit of work. All you had to do was script-kiddie-style own a firewall, redirect a few ICMP packets, use a rootkit to get access on an unupdated (for three entire days!!!!!! unbelievable!) OpenBSD platform, go for an ypcat, run a few john the ripper hours on a decent (I had rewritten it to advantageously use my Bi-Xeon 4GHz) computer, and tadaaaa!
Unbelievable how people are unaware!
Yes, but not my information.
Problem is, in these cases, the schools are making publicly available enough information to seriously inconvenience you should an identity thief come across it a few years down the line. This means that keeping your mouth shut is less of an option.
For the love of God, please learn to spell "ridiculous"!!!
You know, I knew someone would say that, but I was too lazy- er... busy to Photoshop in a blindfold.
My college was one of the first to use BSD Unix, back in the 80's. At the start of each semester, there had to be a default password for students to do their initial login. We wanted something that would be unique to each student. They were then shown how to change it on their very first login session. ... so we used the last 4 digits of their Social Security # as the initial password! (unique, not easy to guess, etc.) Boy, those were innocent times compared to now.
I think you both are right. The public education system in the US is fucked up. Some teachers are to blame, some administrators are to blame, but it really comes down to us being to blame. We pay the bills (taxes), and aren't getting a good return on our money. We all need to stand up to our elected officials, Reps, Dems, and Indys, and tell them to fix it OR ELSE. Then follow through on the OR ELSE.
Some teachers are underpaid, but some are overpaid. I was watching CSPAN or CSPAN II the other day, and heard someone complain that No Child Left Behind made teachers compete against each other instead of fostering a team attitude. The person on the TV said that it was bad that teacher A got a good raise because their kids passed the NCLB test, while teacher B got a crappy raise when their kids failed the test. I say that's a GOOD thing. Get the crappy teachers out of the system, or make them shape up and do their job right.
We've all had good teachers that really cared about what they were doing, and went the extra mile for us. We've also had bad teachers that had gotten their tenure, and didn't give a crap about anything except taking their next smoke break. Get rid of tenure, give the good teachers more money, and kick the ass hats to the curb.
Getting back to teachers' pay, as I said earlier, some are underpaid. However, teachers also get 2 months off every year. If you want to give every teacher about a 15% raise, fine, but make them work 12 months like the rest of us. You also have to look at the total compensation package. A friend of mine's wife is a teacher, and she's getting ready to retire next year. She made crap money for most of her career, except for the last few years. Why? Because her pension is based off of her salary for the last 3 or 5 years of her career. What's her pension you ask? 60% of her current pay until she dies. How does this compare to her husband who's a Mechanical Engineer? He gets paid more than her, gets 3 weeks of vacation a year, and when he retires his only income is based off of what he was able to put away in his 401k.
In my state, the education budget is based off of property taxes. The state provides a base amount to everyone, but local districts can raise extra money for their schools. This means that rich areas get a lot of money, while poor areas get the shaft. That is just not right. Every kid deserves the same opportunity as every other kid. Yeah there are other factors that come into play, home life, role models, teachers, crime, etc..., but every student deserves to go to a safe school that is in good repair, with books for every kid, and those books aren't falling apart. I grew up in a rural area, and my schools weren't that great. They were better than an inner city school, but nowhere near as nice as a big city suburban school.
Is the school administration to blame? You bet. The big wigs pull down fat cash, while the teachers make squat. Are the teachers to blame? You bet. They support a system that encourages everyone to do just enough to not get fired. Why? Because they get paid off with a sweet pension in the end. Are the taxpayers to blame? You bet. We put up with a system that is obviously broken.
Is No Child Left Behind the answer? Not completely, and I think parts of it need to change, but at least it's holding school systems accountable. Are vouchers the answer? Not completely, but I think every parent should have the right to pull their kid (and tax money) out of a shit house school and send them somewhere else. What's a better way to fund schools? I don't have a clue. All's I really know is that the current system isn't working, and something has to change.
Usually the Good Samaritan laws protect the person rendering aid. Usually within the limits of the aider's training or what a 'reasonable' person would be expected to do. For example, the law protects a first aider from a lawsuit for breaking a victim's ribs when performing CPR, but would not protect a person with Red Cross Community First Aid training if they were to perform an emergency C-section.
This is not to say that there are not laws that require you to render aid -- usually these are satisfied by calling 911.
As the ex-technology administrator of a K-8 school in northern CA, I can tell you from first hand experience that no matter how many times I told teachers to change their password from the generic one they were given for things like email, 70% of them never did. (thankfully I had the administrators convinced to change theirs immediately) Basically even now if you know the name of some new teacher in the district, you could probably get into their email. It's scary honestly how little people realize how dangerous keeping the generic password is.
...back when I was in high school, our school was using Net Ware. There was one particular admin account that nobody used, not even the admin. I discovered the account and basically tried a couple passwords each day just for the heck of it.
To my astonishment, the password was "school"!
But this admin login was unique to the other ones because it didn't do the phasers sound effect that they had setup on the admin accounts they did use. So teachers in the room weren't alerted to my area if I logged in.
Needless to say I did have a little bit of fun on that account but never did anything malicious, etc. It's not like the account was tied to any school records or anything.
What's sad is that the account and password combo still worked for 1 or 2 years after I graduated according to some friends.
Somehow or other, by the complexity, the cost and the undesirability of themselves and their format, which no doubt stink since it was dreamt up in the revolting inhumane and frankly criminally sick minds. Die MS, and all other corporations. You make me want to puke. You crush the flower of happiness beneath your steel jackboots.
Also be careful not to tape your fairly obvious observations while standing by and doing nothing while a fat guy is being mugged :)
It's doubtful. I'm 53, and I had exactly 3 good teachers in public school: my 1st grade teacher (once I learned to read, I was ahead of the game from then on), my 5th grade teacher, and a high school art teacher.
While in the sixth grade, my teacher failed a paper I wrote because she thought I made up the word "heirarchy."
When I was a freshman, a science teacher gave a paper I wrote an A because he couldn't understand half the vocabulary (and was honest enough to admit it).
I was grown before I ever really learned math; I used a slide rule to cheat, and the idiot teachers thought it meant I was smart. Well, maybe I was but it doesn't take a genius to use a slide rule.
Thankfully, my college teachers (SIU Edwardsville) were all, to a man and woman, intelligent and educated.
We need to give the teachers twice the pay of the principals, and the principals twice the pay of the superintendents. And damn it, movies, TV, etc should stop glorifying jocks and start making teaching an honorable profession.
Typical educational system. Typical educational administrators. Typical software company. Typical humans.
Read Marcus Ranum's rant about "Stupid on Software" involving a bank buying a system with absolutely NO security - then trying to ADD-ON the security.
And the first page of
Morons, the lot.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I think the schools I've worked around or been involved with have been the worst for password issues. Here's a couple of examples:
1. My girlfriend's school (where she teaches) has one username "teacher" and one username "student". The passwords are "teacher" and "student". Ridiculous. Besides this school, a guy I used to work with went to work at another school and found the exact same scenario!
2. My college uses social security numbers as user ids on their main student information system. Beyond this, the passwords are the student's birthdates in MMDDYY format. Now, I know this is a little more difficult than "student" as the username, but it still isn't that tough. In some states, if you steal a driver's license, all of this is listed. Either way, I just don't like it.
The network admin skills at schools simply suck, right along with the help desk support and everything else IT-related. Know why? Schools don't pay enough to hire real professionals and end up relying on work-study types (college) or the teacher who likes messing with it (high schools). Final thought: we need to eliminate the need for a password in the first place. In every organization, passwords suck. If the policy is too tight, people write the passwords down; if it's not tight enough, it's easily breakable. I have yet to see a good middle ground for the users, so it's time to eliminate the whole password idea and come up with something new.
Don't forget their college education too. My wife is currently finishing up her degree, and it's insane the way they treat teachers. Here in Texas, she had to change her degree plan halfway through college because the legislature changed the requirements for getting her teaching certification (i.e. she could have still graduated under the original degree plan, but they wouldn't certify her, and without a certification, you can't teach). Then there's this thing called "student teaching" where you're at the school eight hours a day, fulfilling teacher responsibilities, paying for gas, etc, and they don't pay you anything. Factor in that on a matter of principle, her supervisors are not allowed to rate anything about her as "exceeds expectations", regardless of how well she performs. According to them, it's impossible for a student teacher OR a first year teacher to exceed expectations. Funny thing is, her supervisor forgot that one time and had to scratch out a bunch of checkboxes. :)
Anyways, bottom line, teachers are not treated very well at any stage in their career. If my wife and I hadn't been as frugal as we are (no student loans so far), and if I weren't going to be getting a good engineering job soon, I don't know how a self-supporting teacher would ever be able to repay student loans.
They usually have student interns from within the district, or one roaming admin for all their schools. If they paid someone, that knew what a decent sec-pol looked like, they could have avoided this. Instead, the "admin" decided to make it easy for the teachers and this happened.
-Randy
I am wondering what tools are out there that an admin can use to check (and thereby enforce) strong passwords on an NT4 domain?
(spare me the NT4 jokes... yes, some corps still use NT4 domains although the clients are Win2K or XP. A move to AD is being worked on).
I'm sure many will question whether I'm being white or black hat about this but I will assure you I already am admin of this domain, so I have no problem with a tool that requires access to files only the admin could access.
Preferably it's something that can be run "passively"/offline as to not overload a live server or lock-out accounts. I just need a way to know which users I need to talk to about choosing better passwords.
1. Migrate client authentication over to NT
2. Create trust relationship between Netware and NT, allowing clients to access old Netware resources.
3. Migrate file/print/email and whatever else over to NT as it suited them.
I don't know enough about Netware to say whether the migration plan should have worked or not, but something definitely mucked up. They couldn't get Netware to trust the NT logons. The solution?
They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no access controls on ANYTHING!! Sure, people had to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.
The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
Never eat more than you can lift -- Miss Piggy
Some people have gleefully pointed out that the passwords weren't secure. They didn't need to be; that wasn't their function. Like a fence, a password system can serve two functions: as a social reminder that access is forbidden, and as a physical deterrent to unwanted access.
A four foot fence with a locked gate isn't a very good defense against trespassers. If someone really wants in, they'll just jump over the fence.
It is, however, still very useful for establishing something important to the courts: criminal intent. If I don't have a fence up, someone could whine that they didn't know that they weren't allowed on the property, didn't know where the property lines ran, tripped and stumbled onto the property by accident, or some other lame excuse.
But if I erect a locked fence, it's clear that you didn't clamber four feet straight into the air by accident. You'll need a much better excuse to prove that you didn't break the trespass law "by accident".
Similarly, it's often illegal to access someone else's computer data without permission. However, if you don't make it clear who is to have access to the data, people might legitimately complain that they didn't know they "weren't allowed" to access it.
A login system, like a fence, announces the fact that you're not "allowed in" without explicit permission. It's a social reminder, not an impenetrable physical barrier. And like a fence, if you weren't given the gate key by someone who owns the premises, you should stay out, or expect to be sued.
So no, the passwords weren't pointless. The kids and other authorities aren't allowed in, and it's the job of the police to put them in jail if they try to break the law. Stronger security will help keep them out, but a law-abiding society makes security irrelevant. In the case of schools, teaching kids how to become law-abiding citizens is probably more important than keeping student data confidential, as important as confidentiality is.
--
AC
Passwords and password management are old. Biometric login and/or smart cards are the new thing.
The fault of this falls directly on software developers, open source and otherwise. Every system has its own proprietary password/user management system, and none of them can talk to each other. In some cases it's possible to hack together a syncing solution, but maintaining that becomes a problem too.
No one is putting any thought into what a serious problem it is to have a password for every individual system. Users cannot manage so many passwords, and as a result set them all to be the same crappy password, or even a shared password that everyone uses.
We really need a single sign on system that is both usable and manageable, and we need it now. Until we get something like that, these problems will only happen more often.
I don't see this as a "last time". There will always be screwups like this as long as people hire based on degree and not ability. As a student in high school I was in a class that amounted to tech help. There were about 20 kids in this class through all the periods, and we had one 'boss'. This guy was admin for a school of 850 computers (one guy for all that) and had left a career (retired) for this job. It was abysmal, as he had to listen to his boss, whose position was at the county level, and was an idiot. The guy was 5 years out of college with a nice degree but knew nothing about securing or maintaining systems. However, he got to set our policies. Our school ended up with OC-3 internet, in order to facilitate streaming video from classrooms (which wasn't allowed) and was filtered on a county level (had to go through a T1 line to get to the filter). So they paid for OC-3 and by default limited it to T1 speeds. Luckily my boss quit and went back to Apple after two years (the length of his contract) but the county admin is the same guy. Why'd I tell that stupidly long story? To illustrate that this is not something to be surprised about. I'm sure everyone has stories of insecure school systems, and I think it boils down to the hiring practice of wherever it is. I know that my county had a degree requirement for that position, but it did no good as there was no "aptitude" requirement. I'm sure that is the same here, someone just figured "no one would *ever* try that password" due to lack of real-world experience.
Want to find other gamers to play board and role playing game
I very much agree with you, as I have an aunt who's a teacher. One thing I thought I'd mention about the Canadian (well, BC and NWT at least) system, teachers get paid for 12 months, but chose years ago to take paychecks only for the 10 months they're in school. (Bigger paychecks, but fewer of them.) Beats me why they did this in the first place; currently the ones that don't plan so well are hugely in debt at the end of the summer. Anyway, random Canadian fact for you.
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl
A similar occurrence is happening at my school. On a public access drive (that means anyone, the students and the teachers) maintained by the office there is an Excel file which has the username, address, phone number, etc. of all 1000+ students in my school. It has been there for 2 years now.
Getting pretty far afield from generic passwords, although "domainmaster" might be a good one.
Sounds like Government
And really, until you can manage people as easily as you can manage a server, then you won't have this problem. Of course, people are going to complain when you plug a terminal into the base of their skull, but that's what they get for not paying attention to hearing "This is a password. It is called a password because it allows you and only you to log into your account and access the files only you should have a right to. Do not pick one that is easy for other people to guess, and do not ever give it to anyone else. That means anyone." a half dozen times.
Interestingly - - - I gig at this one club where it's painfully obvious that no one there is going to understand how to log in to a computer with a secure password and use it for simple timeclock functions. Their solution? Fingerprint reader. Works like a charm, and nobody forgets their fingers when they come to work.
sidenote: Schools have this problem? Hell, I've worked at more than one technology company that has this problem. Goddam bizdev girls.
s'wut i sed.
...the default password for all teachers (and maybe students too?) was the abbreviation of the high school, in all lowercase. E.g.: 'abhs' or 'mnhs' or 'xyhs'.
With spending like this, exactly what are "conservatives" conserving?
Do what I did when, in college, I found a way to hijack pretty much anyone's account: report it anonymously.
They had a nice place to drop written comments/complains/etc. I did so and gave them an anonymous email account not connected to (or used from) the university.
I even got a response: oops, we kinda sorta reintroduced that bug from an earlier version. It'll be fixed in the next upgrade. Lo and behold, it was... about 6 months after I first discovered it. Heh.
Never got in trouble. Couldn't, really. They didn't know who I was...
I don't entirely believe all that, sure they don't get a very high salary but I had teachers through my whole jr and sr high school career use the same lesson plan they have been using for decades. These teachers had 4 blocks per day and only had to teach 3 of them per day; if you did the math they only work 5-6 hrs per day and you can grade and do your other tasks in the other 1.5 hr block (many of my teachers did). What about teachers that sit there and have your moron classmates grade their stuff for the teacher? I had plenty of that in high school. Now there are teachers who stay after school and do events but I knew as many teachers who, when 5:00 hit, were GONE. Oh you want help with math, you better come in early, sorry. What about all the vacation time a student gets? You can't say "Oh they work 10 months." If you total the time they work in my state, 181 days plus 7 after school ends to finish up the year, negating the 10 or so snow days my state gets, I'm thinking that's not as bad as they want you to automatically believe. Every job has its quirks; you get tax breaks yet you have to grade and do stuff at home. Every job has its trade off, I sure as hell don't believe just dumping more money into administration or teachers or the infrastructure fixes the problem. My high school got 10M in tech grants and paid almost all that plus the cost of a network to Microsoft and an outside contractor, 3rd party software for mail systems and Macintosh computers. All of which can barely do anything useful other than type papers up and do basic math programs. What I'm getting at is a lot of the educational system is broken severely and every time I hear the argument for more money to schools I picture the IBM commercial where his advisor just recommends throwing money at the issue. When it's me, the average male taxpayer, I'm not really interested in dumping more money into something that anyone can see doesn't give improvement.
The person on the TV said that it was bad that teacher A got a good raise because their kids passed the NCLB test, while teacher B got a crappy raise when their kids failed the test. I say that's a GOOD thing. Get the crappy teachers out of the system, or make them shape up and do their job right.
So which ever teacher happens to have the smartest kids in their class gets the money? Too bad if you've got some slow learners in your class - you're not going to hit the marks your colleague with a couple of budding geniuses will, so say goodbye to your raise.
I agree teachers should be evaluated, and their remuneration based on their ability, but you cannot judge that solely on the basis of how their class performs on a test, because those results are not determined solely by the teacher's ability. They're determined by a combination of the teacher's ability, and their students' ability - as well as a myriad other smaller factors.
DISCLAIMER: Both my parents are teachers, but in Australia, not the US.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Well, I'd say software which doesn't generate random passwords and/or facilitates setting the same password for all users has a glitch. I know we all have encountered such systems where something is "brought up" and everyone gets the same password - usually one of "password", "changeme", "setme", or "1234" - but that doesn't change the implementation of such a system from a system failure to a user failure.
Especially something as already-complex as a testing assessment system. I find it hard to believe a simple "randomize all passwords" wasn't built into the system and couldn't have been enforced as the default state of a new user's password. The fact that the software allowed a school IT guy to listen to the "bad angel" on his shoulder and compromise security in this manner is a Very Bad Thing.
IMHO, and I work on software for schools (not a competitor to this product, but still software for school administrators), any software which assumes that an IT administrator at a district or state education office is going to be following accepted "best practices" is going to be filled with software glitches and failures. The "computer guy" at a school is often not trained as such; he just has worked with computers before. In the cases where a district actually hires an IT guy, they tend to choose between hiring a small team of people who accept the lowest possible wages, or hire one "hotshot" IT guy and overload him with the work of ten.
Of course, that doesn't put all the blame on the software system. The system admin should have randomized the passwords from the start. The users should have logged on and changed their passwords the first day. But a well-designed system could have and should have made such human failures impossi -- er, less than likely.
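The two fixes this comment calls for (a random per-user temporary password instead of one shared default, and a forced change on first login) together with the offline check the ex-admin and NT4-domain posters above wanted (which accounts never changed their password, and which still verify against a known generic one). This is an added example, not code from the thread or from any product it mentions; it assumes an in-memory account store and PBKDF2-HMAC-SHA256 storage, and the function names are its own.

```python
"""Unique first-login passwords plus an offline audit of accounts that never changed them.

Added example; not code from the thread or any product it mentions. The Account
dataclass, provision(), authenticate(), change_password() and audit() are this
example's own names; storage uses PBKDF2-HMAC-SHA256 with a per-user salt.
"""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ROUNDS = 100_000
TEMP_PASSWORD_TTL = timedelta(days=7)   # an unused temporary password stops working after a week
MIN_LENGTH = 8
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool        # True until the user has picked their own password
    issued_at: datetime      # when the temporary password was issued


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


def provision(username: str, now: Optional[datetime] = None) -> tuple:
    """Create an account with a random, per-user temporary password (no shared default)."""
    temp = "".join(secrets.choice(ALPHABET) for _ in range(12))
    salt = os.urandom(16)
    acct = Account(username, salt, _hash(temp, salt), True, now or _utcnow())
    return acct, temp   # temp is handed to the user out of band; only its hash is stored


def authenticate(acct: Account, password: str, now: Optional[datetime] = None) -> str:
    """Return 'ok', 'change-required', 'expired' or 'denied'."""
    now = now or _utcnow()
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        return "denied"
    if acct.must_change:
        # A temporary password that sat unused past its TTL is refused; an admin must reissue it.
        if now - acct.issued_at > TEMP_PASSWORD_TTL:
            return "expired"
        return "change-required"   # login allowed only to set a real password
    return "ok"


def change_password(acct: Account, old: str, new: str, now: Optional[datetime] = None) -> bool:
    """Only someone who knows the current password can set a new one."""
    if authenticate(acct, old, now) not in ("ok", "change-required"):
        return False
    if len(new) < MIN_LENGTH or new == old:
        return False
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)
    acct.must_change = False
    return True


def audit(accounts, known_defaults) -> dict:
    """Offline check over stored hashes only (no live logins, no lockouts):
    who never changed their temporary password, and which accounts still
    verify against a known generic password such as 'school' or 'changeme'."""
    never_changed = [a.username for a in accounts if a.must_change]
    on_default = []
    for a in accounts:
        for pw in known_defaults:
            if hmac.compare_digest(_hash(pw, a.salt), a.digest):
                on_default.append(a.username)
                break
    return {"never_changed": never_changed, "on_known_default": on_default}
```

The audit reads only the hash store an administrator already holds, which is the "passive/offline" check asked for above; its output is the list of users to talk to, not their passwords.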
You, of course, completely missed the point. Isn't that ironic?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
She clearly said "my child", not "child's play".
Not that I expect you to just accept the fact that you are wrong and arguing for the sake of arguing. You can't even decide why you want to argue. Only that you want to argue and really really really really think that I must be wrong. First, you put words into my mouth, arguing that I think it's OK to leave our front doors unlocked and our keys on the dashboard, next you argue that I misinterpreted the meaning of the words "My own child" to mean "My own child" and that instead of "My own child" meaning "My own child", it really means "the computer is insecure".
Do you have any other really stupid things to say, or are you finished?