Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13-rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
I missed out on having the ability to hack my middle school teachers' computers. All we had were Apple IIe's and Oregon Trail (which still rocks, btw) :-(.
The access was a crime. She accessed the system with an unauthorized name and password.
quite a bit more than the poor sod in the UK who typed ../../ after a URL to see if it was a scam donation site and was fined/lost his job over it. Different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
-- If you don't like the law, get filthy stinking rich, and buy a better one.
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
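The comment above puts the fault on the provisioning process rather than the software, and that is the part worth showing in code. The following is an added example, not code from the district, the vendor, or anyone in this thread: a hypothetical in-memory account store that replaces the shared default with a per-user random temporary secret that is salted-and-hashed, usable only to set a real password, and dead after a TTL. The `shared_default_login` function models the flawed scheme for contrast; every name, the TTL, and the sample usernames are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed for this example: the shared default described in the thread.
SHARED_DEFAULT = "1234"


def shared_default_login(known_users, username, password):
    """The flawed scheme: every not-yet-activated account opens with the same
    default, so knowing any username is enough to get in."""
    return username in known_users and password == SHARED_DEFAULT


class AccountStore:
    """Per-user one-time temporary credentials with forced change and expiry.

    Hypothetical in-memory store for illustration; a real system would persist
    the hashes and deliver each temporary secret to its user out of band.
    """

    def __init__(self, ttl_seconds=72 * 3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be tested
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def _verify(self, acct, password):
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"]))

    def provision(self, username):
        """Create an account whose initial secret is random and unique to this
        user, accepted only to set a real password, and useless after the TTL."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": self._hash(temp, salt),
            "must_change": True,
            "temp_expires": self.now() + self.ttl,
        }
        return temp  # returned here only so the caller can hand it to the user

    def login(self, username, password):
        """Returns 'ok', 'must_change', 'expired' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, password):
            return "denied"
        if acct["must_change"]:
            if self.now() > acct["temp_expires"]:
                return "expired"      # never activated in time: re-provision instead
            return "must_change"      # temp secret accepted, but no data access yet
        return "ok"

    def change_password(self, username, current, new):
        """Set a real password; the temporary secret is replaced, not kept."""
        state = self.login(username, current)
        if state not in ("must_change", "ok"):
            return False
        if len(new) < 12 or new == current or new == SHARED_DEFAULT:
            return False
        acct = self.accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = self._hash(new, acct["salt"])
        acct["must_change"] = False
        return True
```

The two properties that matter are that an attacker who knows a username but not that user's temporary secret gets `denied`, and that an account whose owner never logged in stops accepting the temporary secret after the TTL instead of sitting open indefinitely.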
(c) [...] any person who commits any of the following acts is guilty of a public offense:
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
The NSA: The only part of the US government that actually listens.
A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an asinine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped with a ruler. But of course that won't happen, since teachers are disciplined now for patting a child on the shoulder in congratulation for good work.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance