Generic Passwords Expose Student Data

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

Don't Do It! Think Of The Fscking Children!

[geomon]

"'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"

Yes, and she could also be criminally negligent for doing so.

Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue your precious little girl.

Mwwwwwaaahahahahahaha!

1234

[yagu]

I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)

One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.

The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.

The default password was (for 50,000 employees) "1234".

sloppy admining

[fak3r]

sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.

(yeah, even the timesheet software has the same password -FOR ALL USERS!-)

Not new to me... teachers discovered!

[Thilo2]

..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.

The press is your friend.

[xxxJonBoyxxx]

A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.

Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.

No credit, no publicity, but results. (My kids will be students there soon!)

Re:My college did a similar thing

[shippo]

I worked at a place that had the same policy for their Exchange system - i.e. blank passwords for everyone. Not only that, but normal users were not able to change their account passwords.

I discovered that the purpose of this was to allow the Managing Director to read everyone elses E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.

I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.

Everything is as it should be

[iamacat]

Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Enders Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.

Re:Integrity

[thefirelane]

That's why you teach your child this thing called "integrity". Never mind that your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is teach your child the difference.

I 100% agree, why bother even having passwords in the first place?

"We don't rely on passwords, we rely on integrity"