Slashdot Mirror


Generic Passwords Expose Student Data

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
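
The failure described in the summary is an account that stays reachable with the issued credential until its owner happens to log in and change it. The following is an added example, not code from the article, the district, or any vendor named here, showing the defensive provisioning pattern that closes that window: each account gets its own random temporary password rather than a shared generic one, a `must_change_password` flag blocks access to anything but the password-change step until the owner sets a new password, and an audit call lists accounts still sitting on their initial credential so an administrator can chase them down. Class and method names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # True from provisioning until the owner picks a password of their own.
    must_change_password: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical account store demonstrating forced first-login password change."""

    MIN_PASSWORD_LEN = 12

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def provision(self, username: str) -> str:
        """Create an account with a per-user random temporary password.

        Returns the temporary password so it can be handed to that one user;
        it is never a district-wide constant.
        """
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(temp, salt))
        return temp

    def login(self, username: str, password: str) -> str:
        """Return 'denied', 'password_change_required', or 'ok'.

        An account still on its initial credential never reaches 'ok', so
        student data behind the 'ok' state is not exposed by the temp password.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return "denied"
        if acct.must_change_password:
            return "password_change_required"
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Replace the password; the only action allowed while the flag is set."""
        if self.login(username, old) == "denied":
            return False
        if len(new) < self.MIN_PASSWORD_LEN or new == old:
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change_password = False
        return True

    def accounts_on_initial_credentials(self) -> list[str]:
        """Audit helper: usernames that have never replaced their temporary password."""
        return sorted(u for u, a in self.accounts.items() if a.must_change_password)


if __name__ == "__main__":
    store = AccountStore()
    temp = store.provision("teacher1")
    store.provision("teacher2")
    print(store.login("teacher1", temp))                     # password_change_required
    store.change_password("teacher1", temp, "a-long-unique-passphrase")
    print(store.login("teacher1", "a-long-unique-passphrase"))  # ok
    print(store.accounts_on_initial_credentials())           # ['teacher2']
```

The audit list is the piece the district lacked: three years in, nobody could say which accounts were still open under the generic password. With per-account temporary passwords and a forced change, an unclaimed account is only reachable by the one person who was given its credential, and the audit shows exactly which accounts still need attention.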

13 of 251 comments

  1. That headline ticks me off by DeadVulcan · · Score: 5, Insightful

    I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.

    The problem was the process by which passwords were being assigned.

    --
    Accountability on the heads of the powerful.
    Power in the hands of the accountable.
  2. Integrity by lorcha · · Score: 4, Insightful
    'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'
    That's why you teach your child this thing called "integrity". Never mind that your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is teach your child the difference.
    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  3. With the clueless mentality of today's schools... by RoadWarriorX · · Score: 4, Insightful

    I am surprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.

    You'll never know, that still might happen...

  4. Re:My college did a similar thing by ScrewMaster · · Score: 4, Insightful

    Yes ... human history is chock full of headless Good Samaritans.

    Sometimes it pays to simply keep your mouth shut and let the people who are paid to deal with it do their jobs. Or not, but the U.S. is not a particularly friendly place for unauthorized people that report security problems.

    If I noticed a serious security breach on a system or server somewhere, no way I'd point it out unless I happened to know the administrator personally, and knew that that person wouldn't immediately turn around and report me as an "evil hacker" to the FBI. I've read of too many cases where someone who was only trying to help got reamed.

    It's funny, some States have Good Samaritan laws where you can be held liable for refusing to help someone in dire circumstances (car accident victim, etc.) but the law works pretty much the other way when it comes to computer security.

    So forget it. Let everybody secure their own networks. Or not. But in either case it's not my problem.

    --
    The higher the technology, the sharper that two-edged sword.
  5. Re:Not new to me... teachers discovered! by Anonymous Coward · · Score: 3, Insightful
    It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.

    It's "their" system, why shouldn't "they" know?

  6. Re:Don't Do It! Think Of The Fscking Children! by MadRocketScientist · · Score: 2, Insightful

    So then I suppose you'd have no problem sending a thank-you card if you came home and found a post-it note on your TV saying, "you should really remember to lock your front door next time you leave the house"?

  7. Re:California Penal Code 502 by Thuktun · · Score: 2, Insightful

    As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.

    After all, the people who point out the problems are at fault, not those that caused the problems.

  8. Re:Don't Do It! Think Of The Fscking Children! by idontgno · · Score: 2, Insightful
    The problem with analogies is that you can structure your analogy to support any perspective you desire, and some weak-minded person in your audience will blindly support you rather than pointing out the fact that you're full of crap.

    Another analogy, shaped along the lines you proposed, is that you received a phone call from a neighbor who discovered your house was unlocked and unoccupied. Not "wandering in, using the toilet, rummaging the underwear drawers, drinking the beers in the fridge, and leaving a post-it note on the TV."

    Gratitude (or least proper forbearance) is due to someone who innocently discovers a vulnerability and does not exploit it. In the form of your analogy, it's comparable to turning the doorknob (perhaps because you mistook this house for yours), seeing the living room isn't furnished like yours, and closing the door.

    Your analogy might be appropriate if you went ahead and mentioned the various specific behaviours constituting the "inappropriate house access exploitation" you must certainly be thinking of. But simply discovering the access control mechanism is inadequate doesn't constitute breaking and entering.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  9. Child's Play by hendridm · · Score: 2, Insightful
    My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling

    And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.

    This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?

  10. Re:California Penal Code 502 by vinn01 · · Score: 2, Insightful

    The password that was used is not relevant. The fact that they were impersonating someone else makes their access a crime.

    If you login to Jane Doe's account using the default password (and you succeed), that is a crime (unauthorized access).

    vb

  11. Prosecute the reporter!!! by provoix · · Score: 2, Insightful

    Since when did it become legal for someone to access a private database system? Wasn't the reporter committing a crime?

    Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.

    That said, he/she/it should not have been so negligent.

    When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollypop. The lollypops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shoplifting. Hmmm...

    So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.

  12. Re:Not new to me... teachers discovered! by elgatozorbas · · Score: 2, Insightful
    One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy

    Looking into logs? Bad teacher!
    And how exactly did you discover this?

  13. Re:My university did similar. by Anonymous Coward · · Score: 1, Insightful

    I guess we have to assume that 1991 and 1995 were full years? When I went to school, the fall semester started in September and the spring semester ended in May.

    As retarded as their comment may have been.. they might be correct.