Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
"'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"
Yes, and she could also be criminally negligent for doing so.
Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue your precious little girl.
Mwwwwwaaahahahahahaha!
"Rocky Rococo, at your cervix!"
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13-rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
I missed out on having the ability to hack my middle school teachers' computers. All we had were Apple IIes and Oregon Trail (which still rocks, btw) :-(.
The access was a crime. She accessed the system with an unauthorized name and password,
quite a bit more than the poor sod in the UK who typed
../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.
Different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Only all the teachers' passwords were blank, and they had superuser privileges. I got in so much trouble for pointing that out :/
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
sloppy admining is everywhere unfortunately; it's seen as more of a nuisance than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
fak3r.com
You think the password was "Pencil"?
(If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)
"Over the past three years, there has never been a single concern voiced to Red Schoolhouse by any teacher or other user of OARS about system security."
No kidding? You mean everyone used a default password for years, and didn't complain? Definitely a spin to take the heat off the company. The software should come with a big red warning sign, "Change the default password, and give each user a unique password!"
..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.
(c) [...] any person who commits any of the following acts is guilty of a public offense:
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
The NSA: The only part of the US government that actually listens.
A $250 write off?
That is the result of a powerful lobby?
I thought you were talking real money.
A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
Dude. What's with your hate-on for the teaching profession?
Some teachers are more competent than others, sure, but your comments are a slap in the face to my friends who are teachers, who ARE underpaid, who DO have to purchase school supplies out of pocket.
This also has nothing to do with the article, so we should both be modded off-topic.
that can't help thinking of Matthew Broderick being sent to the principal's office just so he could check out the week's password in a certain movie? http://www.imdb.com/title/tt0091042/
ed
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
A common trick used by 'Art School account' holders at a certain University in 83 was to check the sequential account numbers and use the default password. If the rightful owner never logged in the account would be yours for the quarter. If they did, you got kicked and had to use one of the other 100 or so you and your buddies built up.
I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued an account nonetheless. If they never logged in nobody cared. There were many non-student users at 'The Apocalyptic Cyber Coven' back then. Name the school and you get a cookie.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
In the early 1990s, my university did something similar. Everyone had a three-initial login consisting of their first/last names and a middle initial, and a letter following. It was policy to give all students who enrolled a login. ghk2, mby5, adh7 etc.
Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...
Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd .. and ls -la to see the inactive user dirs. We'd keep multiple ones active if ever we went over quota, and give accounts to friends outside the university so they could login via the modem pool, and the uni did nothing about it for the five years I was involved with them, from 1991 to 1995.
I'm not surprised the same braindead thinking still exists somewhere in the world.
Some dumb teacher at my old school put up contact information for all students and staff in the school, as well as their accounts + email with passwords on a directory accessible without password. I found it the first year I went there (4 years ago), didn't tell anyone (would you? honestly...), and they just found out that it was there about 6 months ago. The kicker is that the thing got updated each year!
I work with a number of schools. Security is just something they don't get, at all.
This week, one of my schools had 2 random users suddenly become domain admins. They only had a few days worth of logs, so we don't know who did it, and no one who had administrative access has fessed up.
Teachers let students use their accounts, administrators use sticky notes with passwords, we're almost at the point where we'll be forced to disable screen saver lockouts because of the whining.
It isn't just computer security. Physically, they only want to appear to be secure. They make a nice show of forcing visitors to sign in, but I can sign in as Wayne Newton or Ted Bundy and not even get a glance. In any case, you can almost always go in any number of side doors.
I'll be sending this link around to some folks, I'm fairly sure my "obsession" with security garners snickers more often than anything else, but que sera sera.
I am surprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.
You'll never know, that still might happen...
Coderz 4 Life
Having worked in a university environment for 8 years, and now working in a private corporate environment, it's staggering to see how often weak passwords are used in the educational areas. I had several roles that included support, which required me to work with users to solve their problems. Nine times out of ten, the password that the user chose was a dictionary word. The other 10% usually was some form of a dictionary word with a number at the end (usually 1). A small fraction of people (who had their lastname as their login) would make their password their first name. Some would keep them on post-it notes on their monitor, when they had no office door, and basically no physical security at all when they were away from their desk.
When I assumed the sysadmin role for a webserver, I changed the policy for that system, and manually assigned passwords that the users were not allowed to change. They were all passwords like (example) xj45Q!8p. People were upset, people were more often requesting password resets, but the number of instances of "I think someone accessed my account" dropped down to the single digits within the span of a year. Even those occurrences were usually the user not remembering that they did something the day before.
The fact remains that too many people have weak passwords. I hardly ever use a password that's less than 15 characters, except when 15 is too long to be accepted. (On a side note, what's with having a MAX character length for a password? 4-8 characters? That's not enough for me.)
I think part of any company's "orientation" for new employees, or part of that form that some have to sign to get network/computer access should say something about passwords. Most users can't be trusted to create secure (or more secure) passwords on their own. Taking the word tomato and adding a 1 at the end, oooooh now they'll never figure that one out!
The idea of picking a good password in this day and age, needs to be escalated to a higher priority. I wonder how secure the president's email password is, if he even has one.
And they said zombies weren't real!
You're lucky... Since I worked at a computer repair store in highschool, I got called in to fix all those things you did.... Fscking BASTARD!
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
What you should be teaching your child is that when they get caught, they should simply tell whoever that they are doing "security testing". According to what I read at Slashdot, that makes it "OK".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
"It's mind-boggling."
Only a teacher would comment on default passwords like that.
Good times.
Against stupidity the Gods themselves contend in vain.
This is not a new concept in the least.
At my old high school years ago we worked on IBM PS/2 PCs that were networked by way of Token Ring (yes, you read that right, a token ring network, not ethernet).
In any event, every student had a default password ("pass", I do believe). What made it better is the login was a student number that was on every teacher's attendance list. So, if you could get a look at (or, in my case, get a hold of) these attendance sheets which often got thrown away for some reason or another, you could find the unlucky victim or an enemy student's number, and proceed to see if you could get in. This proved to be easy most times due to the fact that in my rural area not a lot of folks were exactly.. computer savvy.
Of course, it was much more fun when I got access to an assistant computer teacher's account and played around with his (much more powerful) options. His password was simply the name of the University he loved and was always telling us about. Very foolish.
Strong passwords people. It's the first defense. It may cost more for your department to make up unique defaults for users, but in the end you will save money and a great deal of embarrassment.
Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Ender's Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.
I can't imagine not taking the time (minutes to hours) to require a real password for a service or application. cracklib goes a long way. My god, just make the default something like the middle 6 digits of their social security number (or other less conspicuous data which the school has recorded); sure, you can find a SSN, but in general you have to at least look for it.
Someone change the combination on my luggage!
Wanna talk lawsuits? Try "criminal negligence" if someone can show that the district's shitty security provided no real barrier to someone else who used the district's information to commit a more serious crime.
(If you need help, think of the laws surrounding "classified" information. Sure, it's illegal for most people to possess classified materials, but the law is structured to allow the government to go after malicious or sloppy guardians of classified materials because they are the leakers and thus the real problem.)
The city of San Francisco is looking for a new IT Manager. Must be able to come up with more than one password. Passwords with numbers a plus. Job to be filled immediately.
My school also assigns generic passwords to new users, the same password every year, and for new teachers as well. This rather makes it easier for logging on, but many students never change it. What's worse is that new users are added months before they come to the school, many before the end of the previous school year. And you can see a list of users if you really want to, sorted by year.
There are also some pretty major security holes besides the password. One example fixed the year before I got there was that holding the "a" during login would make your account an administrator. Other ways to become an admin are still around... I saw one kid create a NEW admin account in under 30 seconds from Word, using the file opening interface. Other holes are less important; for example, we aren't allowed access to the C drive, but if you do certain things in powerpoint, then open a file "from history" anybody can get on, and do such things as play card games and change the screensaver. Our school tries to keep up with all the holes in Novell, but they just don't know most of them.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an asinine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
Without great password models like this, I wouldn't have had internet access in 1994-1997.
Don't anthropomorphize computers: they hate that.
What do you mean you couldn't hack Oregon Trail? Did you die of dysentery or something? /Wonders how many "Poop lies here" tombstones are out there on 5 1/4" floppies...
Saskboy's blog is good. 9 out of 10 dentists agree.
And if you forget your password, you have to do it again.
Blindfolded.
A new college hire involved in a password change request.
Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).
.... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:
- Name of their child
- Type of car
- Licence plate number
- Name of husband/wife/spouse/life partner/current booty call
The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
My wife flips out when I travel because I do not use locks or combos at all. The combo locks are easy to feel your way to opening, and the travel locks with keys are easy to pick. I travel quite a bit and other than my bag being "lost" for a period, I have had nothing stolen from my bags. Of course, a nerd like me packs nothing of value, and I doubt airport personnel would have a thing for sniffing my boxers.
I had it even better. I worked computer repair at my school. I got to spend an hour and a half of class time every day fucking things up and then fixing them.
Don't become a regular here -- you will become retarded.
When I first got my current job, everyone had the same password! It's awful because even when someone leaves the company, they can still access everyone else's accounts. The system admin's response when I asked him about it: "Well if you let them choose their own passwords they keep forgetting them and keep bugging me about it."
This is the same system admin who mapped drives on the Samba3 domain to regular users as the Domain Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his windows box every 3 months because of excess spyware.
The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.
Stupid people shouldn't be in charge of important things that involve the physical and informational security of many people. However we keep putting them in those positions and keep them there cause it's easier and we "trust" them even though they are incompetent. Why else would Americans reelect Bush?
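The backstop script described in the comment above (check who is still on the issued default, lock the account once the grace period runs out), written here as an added example; it is not code from the thread, the district or Red Schoolhouse. It assumes a hypothetical account export where each record holds the username, a random salt, a PBKDF2-SHA256 hash of the current password and the date the account was issued; the default password and the seven-day grace period are likewise assumptions for the demo. No plaintext is stored: an account is "still on the default" when hashing the known default under that account's own salt reproduces the stored hash, which also catches anyone who changed the password and then set it back.

```python
"""Added example: detect accounts still on the issued default password
and lock the ones whose grace period has expired.

Assumed (hypothetical) data model: one dict per account with the
username, a random salt, the PBKDF2-SHA256 hash of the current password,
the issue date and a locked flag. The default password, grace period and
sample accounts below are constructed for the demo."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

DEFAULT_PASSWORD = "welcome1"     # assumed issued default
GRACE = timedelta(days=7)         # assumed time allowed to change it
ROUNDS = 50_000                   # PBKDF2 iterations


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; the same routine the login path would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def new_account(username, issued, password=DEFAULT_PASSWORD):
    """Create an account record; by default it gets the issued default password."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt),
            "issued": issued, "locked": False}


def still_on_default(record):
    """True when the stored hash is the default password hashed under this account's salt."""
    candidate = hash_password(DEFAULT_PASSWORD, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def audit(records, now):
    """Return (still_default, expired): usernames that never changed the
    default, and the subset whose grace period has already run out."""
    still_default, expired = [], []
    for r in records:
        if still_on_default(r):
            still_default.append(r["username"])
            if now - r["issued"] > GRACE:
                expired.append(r["username"])
    return still_default, expired


def lock_expired(records, now):
    """Lock every account audit() reports as expired; return the locked names."""
    _, expired = audit(records, now)
    for r in records:
        if r["username"] in expired:
            r["locked"] = True
    return expired


NOW = datetime(2005, 9, 12)  # constructed "today" for the demo


def sample_records():
    """Constructed data: three teacher accounts issued on different days."""
    return [
        new_account("teacher01", datetime(2005, 9, 1)),               # default, 11 days old
        new_account("teacher02", datetime(2005, 9, 10)),              # default, 2 days old
        new_account("teacher03", datetime(2005, 9, 1), "xj45Q!8p"),   # changed it
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("still on default / expired:", audit(recs, NOW))
    print("locked:", lock_expired(recs, NOW))
```

Run this from cron against the real export and the admin gets a daily list of who is still on the default, and the accounts nobody bothered with get locked instead of sitting open for three years. Forcing a change at first login (as the NetWare setup described later in the thread did) is the better primary control; this script is the check that nothing slipped past it.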
How many times do we see this same type of story in the news... Passwords are a weak link in the security chain and guidelines on how to create and manage passwords have been around forever. In this day and age it is a simple thing to use two-factor authentication through RSA tokens and such and it should be IMO a requirement placed upon systems that protect personal information. There is no excuse other than negligence for this kind of situation. I have seen so many cases where passwords initially given are so simple to guess (lastname,first initial or even password) and it plain pisses me off. Then on top of that they don't automate the system to check for weak passwords so people wind up changing their initial password to something just as easy to guess. One audit I did of about 200 users had a dozen or so using "password" another 20 or so using their name and another 50+ using passwords that were easily guessable... It's piss-poor and there is no excuse.
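The automated weak-password check the comment above says was missing, and the patterns the thread keeps reporting (a dictionary word, the same word with a 1 on the end, the user's own name, a child's name or car make, "password" with symbols swapped in), as an added example; this is not code from the thread or from cracklib, which the earlier university sysadmin comment recommends for the same job. It is meant to run at password-change time, the one point where the plaintext is in hand. The word lists, the personal-fact lists and the sample accounts are constructed for the demo; a real deployment would feed it a full dictionary.

```python
"""Added example: weak-password audit of the kind cracklib performs,
covering the patterns reported in this thread. DICTIONARY, the personal
word lists and SAMPLE_ACCOUNTS are constructed stand-ins for the demo."""
import re

# Tiny stand-in for a real dictionary (cracklib ships the real one).
DICTIONARY = {"tomato", "password", "school", "summer", "monkey",
              "letmein", "honda", "toyota"}

# Common symbol-for-letter swaps; '1' is mapped to 'i' (approximate).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalise(password):
    """Lower-case, drop digits/punctuation hung on either end (tomato1 -> tomato),
    then undo leet substitutions (p@ssw0rd -> password)."""
    core = password.lower().strip("0123456789!@#$%^&*._-")
    return core.translate(LEET)


def weak_reasons(password, username, personal_words=()):
    """Return the list of reasons a password is weak (empty list = acceptable)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if sum(bool(re.search(rx, password)) for rx in CLASSES) < 3:
        reasons.append("fewer than 3 character classes")
    core = normalise(password)
    if core in DICTIONARY:
        reasons.append(f"dictionary word '{core}'")
    if username.lower() in password.lower():
        reasons.append("contains the login name")
    for word in personal_words:       # child, spouse, car, plate: what a 14-year-old can learn
        if word.lower() in password.lower():
            reasons.append(f"contains personal word '{word}'")
    return reasons


def audit(accounts):
    """accounts: iterable of (username, password, personal_words).
    Returns {username: reasons} for the weak ones only."""
    weak = {}
    for username, password, words in accounts:
        reasons = weak_reasons(password, username, words)
        if reasons:
            weak[username] = reasons
    return weak


# Constructed sample: (login, chosen password, facts a student could know).
SAMPLE_ACCOUNTS = [
    ("smith", "smith1", ["John"]),
    ("jones", "Tomato1", []),
    ("lee", "xj45Q!8p", ["Kevin"]),
    ("admin", "P@ssw0rd!", []),
    ("brown", "Honda2004", ["Honda"]),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(reasons))
```

Only "xj45Q!8p" passes; "P@ssw0rd!" has four character classes and nine characters and would sail through a length-and-classes rule, which is why the dictionary check runs on the normalised form rather than the raw string.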
News Reporters Make Tasty Polar Bear Treats!
From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
Just because you couldn't figure it out and your child could doesn't mean you have to get pissy about it.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I've found most of the articles on sfgate.com to be a little overly dramatic so I'm skeptical. First of all I wonder how much information was exposed. For instance it might have been only the students (or student numbers) and grades. Worst case it was their addresses and social insurance numbers. Doesn't this type of hacking occur everyday, and is it only newsworthy because a reporter was able to hack in?
~jennifer.k~
Maybe I missed it in TFA, but I didn't see any explanation WHY the passwords were generic to begin with. Why didn't the system create a random pw for the first login? Instead the article seemed to focus on who used it and whether teachers could be trusted. Red Schoolhouse should be taken to task for this. Instead, TFA seems to dance around this, instead of actually asking why this happened. It's obviously a technical issue.
We play the game with the bravery of being out of range
And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.
This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?
"'I'm fuming mad, ... It's mind-boggling.'"
...she's got a great future writing for the "Weekly World News".
ah.clem
---
"I don't know, Jenny, I don't know."
"Life is not magic." Dr. Ron Weiss - "If we don't play God, who will?" Dr. James Watson
I always try is: Joshua I don't know why though.
Since when did it become legal for someone to access a private database system. Wasn't the reporter committing a crime?
Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.
That said, he/she/it should not have been so negligent.
When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollypop. The lollypops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shop lifting. Hmmm...
So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.
well, that sounds like a good plan... not buying something. But a good teacher makes sure their students get what they need to learn. And no, things don't get sorted out. My Father was threatened with possible firing because he sent a letter of complaint to the superintendent (he's a principal now) complaining about the lack of funding and salary cuts while the upper administration got raises. The problems are not the teachers, the problem is the overblown administration. I don't want to discuss all of this here, but when someone in a top administration position decides the money and everyone gets cuts except for the top administration (who get raises) something is corrupt, and proper channels no longer work. But maybe that's just me.
I thought the point of Good Samaritan laws was to ensure you could not be sued if you did help, and the person ended up disabled/peeved/dead anyway. I didn't think they also required you to help, although I'm not suggesting that's a bad idea. I think the first issue is a much greater problem than the second. Even in the cynical me-first US, accident victims usually get help.
RETURN without GOSUB in line 1050
was the launch code WOPR was searching for to fire off the nukes. Do I win the geek-of-the-year award now?
I think this finally proves, once and for all, school people are fucking retarded.
We are implementing a statewide Enterprise Directory like this in Connecticut. Our model for distributed security scares me quite thoroughly for this very reason. This thread gives me more ammunition to stand my ground on a much stiffer password management policy. Thanks Slashdot!
--Always, I mean never..., No I mean always check your references.--
This is what happens when "security" is made a convenience rather than a way of protecting a system.
Five Dolla Moddy-Moddy?
The passwords were out for everyone to see, provided they did a tiny bit of work. All you had to do was script-kiddie-style own a firewall, redirect a few ICMP packets, use a rootkit to get access on an unupdated (for three entire days!!!!!! unbelievable!) OpenBSD platform, go for an ypcat, run a few john the ripper hours on a decent (I had rewritten it to take advantage of my Bi-Xeon 4GHz) computer, and tadaaaa!
Unbelievable how people are unaware!
Problem is, in these cases, the schools are making publicly available enough information to seriously inconvenience you should an identity thief come across it a few years down the line. This means that keeping your mouth shut is less of an option.
For the love of God, please learn to spell "ridiculous"!!!
You know, I knew someone would say that, but I was too lazy- er... busy to Photoshop in a blindfold.
As the ex-technology administrator of a K-8 school in northern CA, I can tell you from first hand experience that no matter how many times I told teachers to change their password from the generic one they were given for things like email, 70% of them never did. (thankfully I had the administrators convinced to change theirs immediately) Basically even now if you know the name of some new teacher in the district, you could probably get into their email. It's scary honestly how little people realize how dangerous keeping the generic password is.
...back when I was in high school, our school was using NetWare. There was one particular admin account that nobody used, not even the admin. I discovered the account and basically tried a couple passwords each day just for the heck of it.
To my astonishment, the password was "school"!
But this admin login was different from the other ones because it didn't do the phasers sound effect that they had setup on the admin accounts they did use. So teachers in the room weren't alerted to my area if I logged in.
Needless to say I did have a little bit of fun on that account but never did any malicious, etc. It's not like the account was tied to any school records or anything.
What's sad is that the account and password combo still worked for 1 or 2 years after I graduated according to some friends.
Also be careful not to tape your fairly obvious observations while standing by and doing nothing while a fat guy is being mugged :)
Typical educational system. Typical educational administrators. Typical software company. Typical humans.
Read Marcus Ranum's rant about "Stupid on Software" involving a bank buying a system with absolutely NO security - then trying to ADD-ON the security.
And the first page of
Morons, the lot.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
They usually have student interns from within the district, or one roaming admin for all their schools. If they paid someone, that knew what a decent sec-pol looked like, they could have avoided this. Instead, the "admin" decided to make it easy for the teachers and this happened.
-Randy
1. Migrate client authentication over to NT
2. Create trust relationship between Netware and NT, allowing clients to access old Netware resources.
3. Migrate file/print/email and whatever else over to NT as it suited them.
I don't know enough about Netware to say whether the migration plan should have worked or not, but something definitely mucked up. They couldn't get Netware to trust the NT logons. The solution?
They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no access controls on ANYTHING!! Sure, people were to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.
The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
Never eat more than you can lift -- Miss Piggy
Passwords and password management is old. Biometric login and/or smart cards is the new thing.
The fault of this falls directly on software developers, open source and otherwise. Every system has its own proprietary password/user management system, and none of them can talk to each other. In some cases it's possible to hack together a syncing solution, but maintaining that becomes a problem too.
No one is putting any thought into what a serious problem it is to have a password for every individual system. Users cannot manage so many passwords, and as a result set them all to be the same crappy password, or even a shared password that everyone uses.
We really need a single sign on system that is both usable and manageable, and we need it now. Until we get something like that, these problems will only happen more often.
I don't see this as a "last time". There will always be screwups like this as long as people hire based on degree and not ability. As a student in high school I was in a class that amounted to tech help. There were about 20 kids in this class through all the periods, and we had one 'boss'. This guy was admin for a school of 850 computers (one guy for all that) and had left a career (retired) for this job. It was abysmal, as he had to listen to his boss, whose position was at the county level, and who was an idiot. The guy was 5 years out of college with a nice degree but knew nothing about securing or maintaining systems. However, he got to set our policies. Our school ended up with OC-3 internet, in order to facilitate streaming video from classrooms (which wasn't allowed) and was filtered on a county level (had to go through a T1 line to get to the filter). So they paid for OC-3 and by default limited it to T1 speeds. Luckily my boss quit and went back to Apple after two years (the length of his contract) but the county admin is the same guy. Why'd I tell that stupidly long story? To illustrate that this is not something to be surprised about. I'm sure everyone has stories of insecure school systems, and I think it boils down to the hiring practice of wherever it is. I know that my county had a degree requirement for that position, but it did no good as there was no "aptitude" requirement. I'm sure that is the same here; someone just figured "no one would *ever* try that password" due to lack of real-world experience.
Want to find other gamers to play board and role playing game
I very much agree with you, as I have an aunt who's a teacher. One thing I thought I'd mention about the Canadian (well, BC and NWT at least) system, teachers get paid for 12 months, but chose years ago to take paychecks only for the 10 months they're in school. (Bigger paychecks, but fewer of them.) Beats me why they did this in the first place; currently the ones that don't plan so well are hugely in debt at the end of the summer. Anyway, random Canadian fact for you.
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl
A similar occurrence is happening at my school. On a public access drive (that means anyone, the students and the teachers) maintained by the office there is an Excel file which has the username, address, phone number, etc. of all 1000+ students in my school. It has been there for 2 years now.
Getting pretty far afield from generic passwords, although "domainmaster" might be a good one.
RETURN without GOSUB in line 1050
Sounds like Government
And really, until you can manage people as easily as you can manage a server, you won't be rid of this problem. Of course, people are going to complain when you plug a terminal into the base of their skull, but that's what they get for not paying attention to hearing "This is a password. It is called a password because it allows you and only you to log into your account and access the files only you should have a right to. Do not pick one that is easy for other people to guess, and do not ever give it to anyone else. That means anyone." a half dozen times.
Interestingly - - - I gig at this one club where it's painfully obvious that no one there is going to understand how to log in to a computer with a secure password and use it for simple timeclock functions. Their solution? Fingerprint reader. Works like a charm, and nobody forgets their fingers when they come to work.
sidenote: Schools have this problem? Hell, I've worked at more than one technology company that has this problem. Goddam bizdev girls.
s'wut i sed.
...the default password for all teachers (and maybe students too?) was the abbreviation of the high school, in all lowercase. E.g.: 'abhs' or 'mnhs' or 'xyhs'.
With spending like this, exactly what are "conservatives" conserving?
The person on the TV said that it was bad that teacher A got a good raise because their kids passed the NCLB test, while teacher B got a crappy raise when their kids failed the test. I say that's a GOOD thing. Get the crappy teachers out of the system, or make them shape up and do their job right.
So whichever teacher happens to have the smartest kids in their class gets the money? Too bad if you've got some slow learners in your class - you're not going to hit the marks your colleague with a couple of budding geniuses will, so say goodbye to your raise.
I agree teachers should be evaluated, and their remuneration based on their ability, but you cannot judge that solely on the basis of how their class performs on a test, because those results are not determined solely by the teacher's ability. They're determined by a combination of the teacher's ability and their students' ability - as well as a myriad other smaller factors.
DISCLAIMER: Both parents are teachers, but in Australia, not the US.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Well, I'd say software which doesn't generate random passwords and/or facilitates setting the same password for all users has a glitch. I know we all have encountered such systems where something is "brought up" and everyone gets the same password - usually one of "password", "changeme", "setme", or "1234" - but that doesn't change the implementation of such a system from a system failure to a user failure.
Especially something as already-complex as a testing assessment system. I find it hard to believe a simple "randomize all passwords" wasn't built into the system and couldn't have been enforced as the default state of a new user's password. The fact that the software allowed a school IT guy to listen to the "bad angel" on his shoulder and compromise security in this manner is a Very Bad Thing.
IMHO, and I work on software for schools (not a competitor to this product, but still software for school administrators), any software which assumes that an IT administrator at a district or state education office is going to be following accepted "best practices" is going to be filled with software glitches and failures. The "computer guy" at a school is often not trained as such; he just has worked with computers before. In the cases where a district actually hires an IT guy, they tend to choose between hiring a small team of people who accept the lowest possible wages, or hire one "hotshot" IT guy and overload him with the work of ten.
Of course, that doesn't put all the blame on the software system. The system admin should have randomized the passwords from the start. The users should have logged on and changed their passwords the first day. But a well-designed system could have and should have made such human failures impossi -- er, less than likely.
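What "randomize all passwords" plus a forced first-login change looks like in practice, as an added example (not code from the thread or from the vendor's product; the account structure, hashing parameters and the audit helper are my own assumptions):

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the user replaces the provisioned password

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so two users with the same password store different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(username: str, password: str, must_change: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), must_change)

def provision(username: str) -> tuple[Account, str]:
    """Create an account with a unique random initial password, never a shared default."""
    initial = secrets.token_urlsafe(12)  # ~96 bits of entropy, different per user
    return make_account(username, initial), initial

def login(acct: Account, password: str) -> str:
    """Return 'denied', 'change_required' (no data access yet) or 'ok'."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "denied"
    return "change_required" if acct.must_change else "ok"

def change_password(acct: Account, current: str, new: str) -> bool:
    if login(acct, current) == "denied" or len(new) < 12:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new, acct.salt)
    acct.must_change = False
    return True

def audit(accounts: list[Account], known_defaults: list[str]) -> list[str]:
    """Flag accounts that still accept a generic default or never changed their initial password."""
    flagged = []
    for acct in accounts:
        if acct.must_change or any(login(acct, d) != "denied" for d in known_defaults):
            flagged.append(acct.username)
    return flagged
```

The audit is the check a district admin could have run before rollout: any account still on the shared default, or still flagged `must_change`, is exactly the exposure the article describes.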
You, of course, completely missed the point. Isn't that ironic?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
She clearly said "my child", not "child's play".
Not that I expect you to just accept the fact that you are wrong and arguing for the sake of arguing. You can't even decide why you want to argue. Only that you want to argue and really really really really think that I must be wrong. First, you put words into my mouth, arguing that I think it's OK to leave our front doors unlocked and our keys on the dashboard; next you argue that I misinterpreted the meaning of the words "My own child" to mean "My own child" and that instead of "My own child" meaning "My own child", it really means "the computer is insecure".
Do you have any other really stupid things to say, or are you finished?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent