Slashdot Mirror


Generic Passwords Expose Student Data

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

8 of 251 comments

  1. A crime was already committed by Hanzie · · Score: 5, Informative

    The access was a crime. She accessed the system with an unauthorized name and password.

    Quite a bit more than the poor sod in the UK who typed ../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.

    Different laws, but still a criminal trespass. I think that applies to reporters too.

    hanzie.

    --
    ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
  2. California Penal Code 502 by It doesn't come easy · · Score: 5, Informative

    (c) [...] any person who commits any of the following acts is guilty of a public offense:

    (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

    (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:

    (A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).

    As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.

    --
    The NSA: The only part of the US government that actually listens.
  3. My university did similar. by baryon351 · · Score: 2, Informative

    In the early 1990s, my university did something similar. Everyone had a three-initial login consisting of their first/last names and a middle initial, and a letter following. It was policy to give all students who enrolled a login. ghk2, mby5, adh7 etc.

    Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...

    Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd .. and ls -la to see the inactive user dirs. We'd keep multiple ones active if ever we went over quota, and give accounts to friends outside the university so they could login via the modem pool, and the uni did nothing about it for the five years I was involved with them, from 1991 to 1995.

    I'm not surprised the same braindead thinking still exists somewhere in the world.

  4. Re:Meanwhile, teachers have DUPED us... by hcob$ · · Score: 5, Informative

    Meanwhile, teachers have duped us into believing they're underpaid! They even get special tax breaks, ostensibly to "purchase school supplies". What a powerful lobby they have!

    Of course, now all students have to be IQ-tested for the "no student left behind" act. Perhaps we should test the teachers, too, and leave some of them behind.

    I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.

    My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.

    Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.

    And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.

    Next time you make an asinine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
  5. Even if they changed the passwords..... by 8127972 · · Score: 4, Informative

    .... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:

    - Name of their child
    - Type of car
    - Licence plate number
    - Name of husband/wife/spouse/life partner/current booty call

    The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  6. Old Problem, Easy Solution... by Evil W1zard · · Score: 2, Informative

    How many times do we see this same type of story in the news... Passwords are a weak link in the security chain and guidelines on how to create and manage passwords have been around forever. In this day and age it is a simple thing to use two-factor authentication through RSA tokens and such and it should be IMO a requirement placed upon systems that protect personal information. There is no excuse other than negligence for this kind of situation. I have seen so many cases where passwords initially given are so simple to guess (lastname, first initial or even password) and it plain pisses me off. Then on top of that they don't automate the system to check for weak passwords so people wind up changing their initial password to something just as easy to guess. One audit I did of about 200 users had a dozen or so using "password", another 20 or so using their name and another 50+ using passwords that were easily guessable... It's piss poor and there is no excuse.

    --
    News Reporters Make Tasty Polar Bear Treats!
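The checks that comments 3, 5 and 6 describe, as an added example that is not from the thread or from any product mentioned in it: a password-acceptance routine that rejects the generic initial password, passwords equal to or derived from the login name, a small deny list of the choices the audit found, and personal details such as a child's name or car, plus an account object that refuses to serve student data until the generic credential has been replaced. The generic password, deny list, usernames and personal terms are constructed sample values.

```python
import hashlib
import hmac
import os
import re
# Constructed sample values (not from the article): the shared initial password and a deny list.
GENERIC_INITIAL_PASSWORD = "welcome1"
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein", "qwerty"}

def _normalize(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())  # 'Fido-2005!' compares as 'fido2005'

def password_problems(username, password, personal_terms=(), min_length=12):
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    problems, p, u = [], _normalize(password), _normalize(username)
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if p == _normalize(GENERIC_INITIAL_PASSWORD):
        problems.append("unchanged from the generic initial password")
    if p in {_normalize(c) for c in COMMON_PASSWORDS}:
        problems.append("on the common-password deny list")
    if u and (u in p or p in u):
        problems.append("derived from the login name")
    for term in personal_terms:  # child's name, car, licence plate, partner's name
        t = _normalize(term)
        if len(t) >= 3 and t in p:
            problems.append("contains personal detail '%s'" % term)
    return problems

class Account:
    """Account that cannot reach student data until the generic password is replaced."""
    def __init__(self, username, personal_terms=()):
        self.username, self.personal_terms = username, tuple(personal_terms)
        self.must_change = True  # every account starts on the shared generic password
        self._salt = os.urandom(16)
        self._hash = self._digest(GENERIC_INITIAL_PASSWORD)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def change_password(self, old, new):
        if not hmac.compare_digest(self._digest(old), self._hash):
            return ["current password incorrect"]
        problems = password_problems(self.username, new, self.personal_terms)
        if not problems:
            self._hash, self.must_change = self._digest(new), False
        return problems

    def can_view_student_data(self, password):
        """The generic password alone never unlocks data, even before the holder changes it."""
        return hmac.compare_digest(self._digest(password), self._hash) and not self.must_change
```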
  7. Re:Not new to me... teachers discovered! by the phantom · · Score: 2, Informative

    I don't know about the grandparent's school, but at the school where I work, students are required to sign a contract before they are allowed to use the computer lab. One of the things on this contract is acknowledgement that they have no right to privacy on the school district's computers. The district has a right to monitor their browsing habits. I would imagine that it is like this in most places. As a student, you haven't much right to privacy.

  8. Re:My college did a similar thing by jerkychew · · Score: 2, Informative

    That company needs a better Exchange admin. There are a dozen better ways to let someone read everyone's email, with the end users never being able to tell it has been read.