Slashdot Mirror


Generic Passwords Expose Student Data

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

22 of 251 comments

  1. Don't Do It! Think Of The Fscking Children! by geomon · · Score: 3, Interesting

    "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"

    Yes, and she could also be criminally negligent for doing so.

    Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue your precious little girl.

    Mwwwwwaaahahahahahaha!

    --
    "Rocky Rococo, at your cervix!"
  2. 1234 by yagu · · Score: 5, Interesting

    I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13-rule list that dictated criteria for passwords.)

    One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.

    The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.

    The default password was (for 50,000 employees) "1234".

    1. Re:1234 by Gr33nNight · · Score: 5, Funny

      That's the same combination on my luggage!!

  3. Sigh by GoodOmens · · Score: 5, Funny

    I missed out on having the ability to hack my middle school teachers' computers. All we had were Apple IIe's and Oregon Trail (which still rocks btw) :-(.

  4. A crime was already committed by Hanzie · · Score: 5, Informative

    The access was a crime. She accessed the system with an unauthorized name and password.

    Quite a bit more than the poor sod in the UK who typed ../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.

    Different laws, but still a criminal trespass. I think that applies to reporters too.

    hanzie.

    --
    ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
  5. My college did a similar thing by Idimmu+Xul · · Score: 3, Funny

    Only all the teachers' passwords were blank, and they had superuser privileges. I got in so much trouble for pointing that out :/

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    1. Re:My college did a similar thing by ScrewMaster · · Score: 4, Insightful

      Yes ... human history is chock full of headless Good Samaritans.

      Sometimes it pays to simply keep your mouth shut and let the people who are paid to deal with it do their jobs. Or not, but the U.S. is not a particularly friendly place for unauthorized people that report security problems.

      If I noticed a serious security breach on a system or server somewhere, no way I'd point it out unless I happened to know the administrator personally, and knew that that person wouldn't immediately turn around and report me as an "evil hacker" to the FBI. I've read of too many cases where someone who was only trying to help got reamed.

      It's funny, some States have Good Samaritan laws where you can be held liable for refusing to help someone in dire circumstances (car accident victim, etc.) but the law works pretty much the other way when it comes to computer security.

      So forget it. Let everybody secure their own networks. Or not. But in either case it's not my problem.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:My college did a similar thing by shippo · · Score: 4, Interesting

      I worked at a place that had the same policy for their Exchange system - i.e. blank passwords for everyone. Not only that, but normal users were not able to change their account passwords.

      I discovered that the purpose of this was to allow the Managing Director to read everyone else's e-mail after work to see what his staff were up to. External e-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.

      I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.

  6. That headline ticks me off by DeadVulcan · · Score: 5, Insightful

    I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.

    The problem was the process by which passwords were being assigned.

    --
    Accountability on the heads of the powerful.
    Power in the hands of the accountable.
  7. sloppy admining by fak3r · · Score: 4, Interesting

    sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.

    (yeah, even the timesheet software has the same password -FOR ALL USERS!-)

  8. Not new to me... teachers discovered! by Thilo2 · · Score: 3, Interesting

    ...it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.

    1. Re:Not new to me... teachers discovered! by Anonymous Coward · · Score: 3, Insightful

      It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.

      It's "their" system, why shouldn't "they" know?

    2. Re:Not new to me... teachers discovered! by meringuoid · · Score: 3, Funny

      The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy.

      You don't like them spying on you? Fine: throw some sand in their eyes.

      Doctor that file! Replace every occurrence of BoringEducationalSite.com with KinkyBondageSlutz.net and watch the fun begin!

      --
      Real Daleks don't climb stairs - they level the building.
  9. California Penal Code 502 by It+doesn't+come+easy · · Score: 5, Informative

    (c) [...] any person who commits any of the following acts is guilty of a public offense:

    (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

    (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:

    (A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).

    As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.

    --
    The NSA: The only part of the US government that actually listens.
  10. The press is your friend. by xxxJonBoyxxx · · Score: 5, Interesting

    A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.

    Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.

    No credit, no publicity, but results. (My kids will be students there soon!)

  11. Integrity by lorcha · · Score: 4, Insightful

    'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'

    That's why you teach your child this thing called "integrity". Never mind what your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is to teach your child the difference.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
    1. Re:Integrity by thefirelane · · Score: 3, Interesting

      That's why you teach your child this thing called "integrity". Never mind what your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is to teach your child the difference.

      I 100% agree, why bother even having passwords in the first place?

      "We don't rely on passwords, we rely on integrity"

  12. With the clueless mentality of today's schools... by RoadWarriorX · · Score: 4, Insightful

    I am surprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.

    You'll never know, that still might happen...

  13. Everything is as it should be by iamacat · · Score: 3, Interesting

    Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Enders Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.

  14. Re:Meanwhile, teachers have DUPED us... by hcob$ · · Score: 5, Informative

    Meanwhile, teachers have duped us into believing they're underpaid! They even get special tax breaks, ostensibly to "purchase school supplies". What a powerful lobby they have!

    Of course, now all students have to be IQ-tested for the "no student left behind" act. Perhaps we should test the teachers, too, and leave some of them behind.

    I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.

    My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.

    Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.

    And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.

    Next time you make an asinine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
  15. My company is just the opposite by Quiet_Desperation · · Score: 4, Funny

    My company requires new users to navigate the Labyrinth Of Despair, swing on burning ropes across the Chasms Of Molten Hate, do battle with a dozen skeleton warriors and all the while collecting obscure Myst-like clues in order to figure out the initial login password.

    And if you forget your password, you have to do it again.

    Blindfolded.

    A new college hire involved in a password change request.

    Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).

  16. Even if they changed the passwords..... by 8127972 · · Score: 4, Informative

    .... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:

    - Name of their child
    - Type of car
    - Licence plate number
    - Name of husband/wife/spouse/life partner/current booty call

    The kids (14 years old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem; using strong passwords (or the lack of using them) is the other half of the problem.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
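The fix several commenters circle around (DeadVulcan's point that the process, not the software, was broken; 8127972's forced change on first logon) as an added illustration, not code from the district's system or from any poster. The generic password value, the PBKDF2 parameters and the account layout are assumptions made for the example.

```python
"""Audit provisioned accounts that still carry the issued generic password.

Added example, not the district's code. Assumes accounts are stored as dicts
holding a per-user salt, a PBKDF2-SHA256 hash and a must_change flag; the
generic password below is a constructed placeholder.
"""
import hashlib
import hmac
import os

GENERIC_PASSWORD = "welcome2006"  # constructed placeholder for the issued default
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision_account(username: str) -> dict:
    """Issue the generic password the way the district did, but flag the
    account so it cannot reach student data until the holder replaces it."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "hash": hash_password(GENERIC_PASSWORD, salt),
            "must_change": True}


def set_password(account: dict, new_password: str) -> None:
    """First-logon change: refuse to keep the default, re-salt, clear the flag."""
    if new_password == GENERIC_PASSWORD:
        raise ValueError("new password must differ from the issued default")
    account["salt"] = os.urandom(16)
    account["hash"] = hash_password(new_password, account["salt"])
    account["must_change"] = False


def still_on_default(account: dict) -> bool:
    """True when the stored hash still verifies against the generic password."""
    return hmac.compare_digest(hash_password(GENERIC_PASSWORD, account["salt"]),
                               account["hash"])


def may_view_student_data(account: dict, password: str) -> bool:
    """Login gate: password must verify AND the first-logon change must be done."""
    ok = hmac.compare_digest(hash_password(password, account["salt"]), account["hash"])
    return ok and not account["must_change"] and not still_on_default(account)


def audit(accounts: list) -> list:
    """Usernames whose accounts would still accept the generic password."""
    return [a["user"] for a in accounts if still_on_default(a)]
```

Run the audit on a schedule: any name it returns is an account a stranger could log into with the generic password, which is exactly the exposure the reporter found.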