Slashdot Mirror
Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
"'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"
Yes, and she could also be criminally negligent for doing so.
Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue your precious little girl.
Mwwwwwaaahahahahahaha!
"Rocky Rococo, at your cervix!"
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
I missed out on having the ability to hack my middle teachers computer's. All we had were apple IIe's and Oregon Trail (Which still rocks btw) :-(.
The access was a crime. She accessed the system with an unauthorized name and password.
../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.
quite a bit more than the poor sod in the UK who typed
different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Only all the teachers passwords were blank, and they had superuser privaledges. I got in so much trouble for pointing that out :/
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
fak3r.com
You think the password was "Pencil"?
(If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)
..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.
(c) [...] any person who commits any of the following acts is guilty of a public offense:
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
Aa you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
The NSA: The only part of the US government that actually listens.
A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
A common trick used by 'Art School account' holders at a certain University in 83 was to check the sequential account numbers and use the default password. If the rightful owner never logged in the account would be yours for the quarter. If they did, you got kicked and had to use on the other 100 or so you and your buddies built up.
I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued a account nonetheless. If they never logged in nobody cared. There were many non-student users at 'The Apocalyptic Cyber Coven' back then. Name the school and you get a cookie.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
In the early 1990s, my university did something similar. Everyone had a three-initial login consisting of their first/last names and a middle initial, and a letter following. It was policy to give all students who enrolled a login. ghk2, mby5, adh7 etc.
.. and ls -la to see the inactive user dirs. We'd keep multiple ones active if ever we went over quota, and give accounts to friends outside the university so they could login via the modem pool, and the uni did nothing about it for the five years I was involved with them, from 1991 to 1995.
Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...
Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd
I'm not surprised the same braindead thinking still exists somewhere in the world.
Some dumb teacher at my old school put up contact information for all students and staff in the school, as well as their accounts + email with passwords on a directory accessable without password. I found it the first year I went there (4 years ago), didn't tell anyone (would you? honestly...), and they just found out that it was there about 6 months ago. The kicker is that the thing got updated each year!
I am suprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.
You'll never know, that still might happen...
Coderz 4 Life
WHat you should be teaching your child is that when they get cought, they should simply tell whoever that they are doing "security testing". According to what I read at Slashdot, that makes it "OK".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Enders Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.
The city of San Francisco is looking for a new IT Manager. Must be able to come up with more than one password. Passwords with numbers a plus. Job to be filled immediately.
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an assanine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
And if you forget your password, you have to do it again.
Blindfolded.
A new college hire involved in a password change request.
Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).
.... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:
- Name of their child
- Type of car
- Licence plate number
- Name of husband/wife/spouse/life partner/current booty call
The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
When I first got my current job, everyone had the same password! It's awful because even when someone leaves the company, they can still access everyone else accounts. The system admins response when I asked him about it, "Well if you let them choose their own passwords they keep forgetting them and keeping bugging me about it."
This is the same system admin who mapped drives on the Samba3 domain to regular users using as the Domin Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his windows box every 3 months because of excess spyware.
The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.
Stupid people shouldn't be in charge or important things that involves the physical and informational security of many people. However we keep putting them in those positions and keep them there cause it's easier and we "trust" them even though they are incompetent. We else would American reelect Bush?
How many times do we see this same type of story in the news... Passwords are a weak link in the security chain and guidelines on how to create and manage passwords have been around forever. In this day and age it is a simple thing to use two-factor authentication through RSA tokens and such and it should be IMO a requirement placed upon systems that protect personal information. There is no excuse other than negligence for this kind of situation. I have seen so many cases where passwords initially given are so simple to guess (lastname,first initial or even password) and it plain pisses me off. Then on top of that they don't automate the system to check for weak passwords so people wind up changing their initial password to something just as easy to guess. One audit I did of about 200 users had a dozen or so using "password" another 20 or so using their name and another 50+ using passwords that were easily guessable... Its piss poor and there is no excuse.
News Reporters Make Tasty Polar Bear Treats!
From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
Just because you couldn't figure it out and your child could doens't mean you have to get pissy about it.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.
This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?
Since when did it become legal for someone to access a private database system. Wasn't the reporter committing a crime?
Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.
That said, he/she/it should not have been so negligent.
When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollypop. The lollypops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shop lifting. Hmmm...
So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.
was the launch code WOPR was searching for to fire off the nukes. Do I win the geek-of-the-year award now?
RETURN without GOSUB in line 1050
I put my hard-to-remember PWs on a sticky note, inside a locked drawer, taped to the bottom of my desk (inside the drawer). I figure if anyone can get into the desk and find the note, they probably deserve a prize anyway. Also, I have a small card in my wallet of phone numbers. Some of the "phone numbers" are really account numbers and their PINs, but they're formatted exactly the same as the real numbers... I was always pretty proud of myself for that one.
1. Migrate client authentication over to NT
2. Create trust relationship between Netware and NT, allwing clients to access old Netware resources.
3. Migrate file/print/email and whatever else over to NT as it suited them.
I don't know enough about Netware to say whether the migration plan should have worked or not, but something definately mucked up. They couldn't get Netware to trust the NT logons. The solution?
They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no no access controls on ANYTHING!! Sure, people were to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.
The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
Never eat more than you can lift -- Miss Piggy