Security Education

Generic Passwords Expose Student Data 251

Posted by Zonk
from the truly-a-learning-experience dept.
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

  • by geomon (78680) on Friday October 21, 2005 @10:47AM (#13844386) Homepage Journal
    "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"

    Yes, and she could also be criminally negligent [slashdot.org] for doing so.

    Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue [slashdot.org] your precious little girl.

    Mwwwwwaaahahahahahaha!
    • > Don't you believe for one MINUTE that we won't prosecute either.
      > Hell, we could just bypass the criminal justice system and sue
      > your precious little girl.

      could never happen! [danaquarium.com]
  • 1234 (Score:5, Interesting)

    by yagu (721525) * <yayagu@@@gmail...com> on Friday October 21, 2005 @10:48AM (#13844394) Journal

    I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13-rule list that dictated criteria for passwords.)

    One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.

    The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.

    The default password was (for 50,000 employees) "1234".

    • by geomon (78680)
      How many of those default passwords do you think never got changed?

      And what is the name of your company again? (searches for pencil and paper). :)
    • Re:1234 (Score:5, Funny)

      by Gr33nNight (679837) on Friday October 21, 2005 @10:55AM (#13844468)
      That's the same combination on my luggage!!
      • Re:1234 (Score:2, Funny)

        by qray (805206)
        I was using that for the parental controls on my TiVo, till my six year old son figured it out.
        Fortunately he wasn't smart enough to keep quiet about it
        --
        Q
    • The default password was (for 50,000 employees) "1234".


      Someone change the combination on my luggage!

      • The default password was (for 50,000 employees) "1234".

        Someone change the combination on my luggage!


        How about "2444"? That way you don't have to remember it differently (one 2, three 4's - one two three four!)

        Tired jokes aside, anyone know how many people actually use luggage combinations like that? And does the TSA try those combinations if you don't have a "TSA-compatible" lock? (For those who don't know - a TSA compatible lock is a luggage lock with a special access system for a master TSA key - such tha
        • Tired jokes aside, anyone know how many people actually use luggage combinations like that?

          My wife flips out when I travel because I do not use locks or combos at all. The combo locks are easy to feel your way to opening, and the travel locks with keys are easy to pick. I travel quite a bit and other than my bag being "lost" for a period, I have had nothing stolen from my bags. Of course, a nerd like me packs nothing of value, and I doubt airport personnel would have a thing for sniffing my boxers.

        • how many people actually use luggage combinations like that?

          In my car (Audi), the music system (Bose) has an antitheft device. If disconnected from the car (or fuse gets blown or something) you will need to enter the 4 digit code to unlock the system. It gives you 3 attempts and then you will have to wait for 24 hours to try again. A few weeks ago a fluke in electronics happened and Bose locked itself. I could not find the code in the manual, which I keep in the car (doh), so I had to go to the dealer, w
    • When I first started this job we used a 1337 spelling of common words for initial passwords.

      So I started using the Secure Password generation extension in Firefox, emailed the password to supervisor and set it so the user had to change it on first log in.

      Only problem was that after 10 or so minutes of conversation with said new user you could guess their password.

      Passwords simply aren't enough anymore.
  • Sigh (Score:5, Funny)

    by GoodOmens (904827) on Friday October 21, 2005 @10:49AM (#13844406) Homepage
    I missed out on having the ability to hack my middle school teachers' computers. All we had were Apple IIes and Oregon Trail (which still rocks btw) :-(.
  • by Hanzie (16075) * on Friday October 21, 2005 @10:50AM (#13844414)
    The access was a crime. She accessed the system with an unauthorized name and password.

    Quite a bit more than the poor sod in the UK who typed ../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.

    Different laws, but still a criminal trespass. I think that applies to reporters too.

    hanzie.
    • by It doesn't come easy (695416) * on Friday October 21, 2005 @10:53AM (#13844448) Journal
      (c) [...] any person who commits any of the following acts is guilty of a public offense:

      (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

      (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:

      (A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).

      As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
      • But if he had the password he had permission, according to the rules encoded in the system itself. I don't think that the reporter, or the guy who tested the "../../", is at fault here. The company that installed the system made a grave mistake and this is their fault; pointing fingers and using the law to punish the reporter is the wrong thing to do.

        The next step in this line of thought is to punish the research that is studying some protocol to see if we are actually secure by it. In many cases this is only poss
        • The next step in this line of thought is to punish the research that is studying some protocol to see if we are actually secure by it.

          Too late, we have DMCA. Remember DVD Jon...
        • The password that was used is not relevant. The fact that they were impersonating someone else makes their access a crime.

          If you login to Jane Doe's account using the default password (and you succeed), that is a crime (unauthorized access).

          vb
          • Heck you can't even check another person's email according to many service agreements, etc. One time i had a low storage quota that i couldn't get raised on a college system, and i was about to go into the wilderness for 3 months (no net access at all), so i emailed the sys admin to get permission to have someone else check my email while i was away, but they wouldn't even grant me permission to do that. I was just testing them, but what if an important email were returned to the sender because i couldn't
      • As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.

        After all, the people who point out the problems are at fault, not those that caused the problems.
      • "As you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty."

        That may be true, but with something like this, the district attorney who prosecutes the reporter for reporting this is out of a job. Californians have a long history of distrust of their government (why do you think their constitution looks like it was written by Tolstoy?) and turning a blind eye towards vigilantism.
    • Wanna talk lawsuits? Try "criminal negligence" if someone can show that the district's shitty security provided no real barrier to someone else who used the district's information to commit a more serious crime.

      (If you need help, think of the laws surrounding "classified" information. Sure, it's illegal for most people to possess classified materials, but the law is structured to allow the government to go after malicious or sloppy guardians of classified materials because they are the leakers and thus th
    • So, a person who accesses this system with the default password (set by a stupid bureaucrat), and uses student info to find the personal information about the child, uses same to gain access to, at best, personal info/financial info and scam the parents; at worst, the child's address and do nasty to the child, may be charged with criminal trespass? WELL I feel SO much better now....
      The whole system is stupid...
  • by Idimmu Xul (204345) on Friday October 21, 2005 @10:51AM (#13844423) Homepage Journal
    Only all the teachers' passwords were blank, and they had superuser privileges. I got in so much trouble for pointing that out :/
    • by ScrewMaster (602015) on Friday October 21, 2005 @11:01AM (#13844527)
      Yes ... human history is chock full of headless Good Samaritans.

      Sometimes it pays to simply keep your mouth shut and let the people who are paid to deal with it do their jobs. Or not, but the U.S. is not a particularly friendly place for unauthorized people that report security problems.

      If I noticed a serious security breach on a system or server somewhere, no way I'd point it out unless I happened to know the administrator personally, and knew that that person wouldn't immediately turn around and report me as an "evil hacker" to the FBI. I've read of too many cases where someone who was only trying to help got reamed.

      It's funny, some States have Good Samaritan laws where you can be held liable for refusing to help someone in dire circumstances (car accident victim, etc.) but the law works pretty much the other way when it comes to computer security.

      So forget it. Let everybody secure their own networks. Or not. But in either case it's not my problem.
      • A buddy of mine who was setting up a website that was going to be heavily DB driven got an account through one of these hosting services that gives you 100MB of space and access to their mysql server.

        He instantly noticed that their mysql server root password was set to "password".

        Ironically when he pointed this out to them, they were actually nice about it, thanked him and promptly changed the password.
        • Ironically when he pointed this out to them, they were actually nice about it, thanked him and promptly changed the password.

          The difference here being that he was (a) a paying customer, and (b) rightly concerned about the security of the data he was going to be trusting to said paid service.

          If they weren't nice about something like that they would be out of business in no time.
      • human history is chock full of headless Good Samaritans.

        Thank you! I now have a new signature on my email at work! :-)

      • Problem is, in these cases, the schools are making publicly available enough information to seriously inconvenience you should an identity thief come across it a few years down the line. This means that keeping your mouth shut is less of an option.
    • by shippo (166521) on Friday October 21, 2005 @11:05AM (#13844549)
      I worked at a place that had the same policy for their Exchange system - i.e. blank passwords for everyone. Not only that, but normal users were not able to change their account passwords.

      I discovered that the purpose of this was to allow the Managing Director to read everyone else's E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.

      I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.
  • by DeadVulcan (182139) <dead.vulcan@pobox . c om> on Friday October 21, 2005 @10:51AM (#13844424)

    I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.

    The problem was the process by which passwords were being assigned.

    • Pffft! You and your facts - how passe.
    • I have a bit of a bone to pick with that headline... it's not a "software glitch."

      Well the human brain is SOFT, isn't it?
    • It is an interesting example of how a lot of people seem to look at computers. They aren't seen as machines just like any other machine, ones where failure is usually due to design flaw or some other problem which can be mitigated or solved with better engineering. They're seen as these incomprehensible devices that dictate our lives according to whim. It seems like every security failure or crash or anything is always marked up as a "glitch" or some other Act of God in the media - everything from crappy
  • sloppy admining (Score:5, Interesting)

    by fak3r (917687) on Friday October 21, 2005 @10:52AM (#13844431) Homepage
    sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace [fak3r.com] where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.

    (yeah, even the timesheet software has the same password -FOR ALL USERS!-)
    • Wow. Our timesheet software not only has unique passwords, it forces you to change it every three months. So I've had to start writing mine down, not sure that does much for security...
  • The Password (Score:3, Interesting)

    by Snowgen (586732) on Friday October 21, 2005 @10:53AM (#13844436) Homepage

    You think the password was "Pencil"?

    (If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)

  • by Thilo2 (214163) on Friday October 21, 2005 @10:53AM (#13844445)
    ..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.
    • by Anonymous Coward
      It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.

      It's "their" system, why shouldn't "they" know?

    • by meringuoid (568297) on Friday October 21, 2005 @11:17AM (#13844652)
      The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy.

      You don't like them spying on you? Fine: throw some sand in their eyes.

      Doctor that file! Replace every occurrence of BoringEducationalSite.com with KinkyBondageSlutz.net and watch the fun begin!

    • One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy

      Looking into logs? Bad teacher!
      And how exactly did you discover this?

  • by xxxJonBoyxxx (565205) on Friday October 21, 2005 @10:56AM (#13844472)
    A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.

    Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.

    No credit, no publicity, but results. (My kids will be students there soon!)
  • Integrity (Score:4, Insightful)

    by lorcha (464930) on Friday October 21, 2005 @10:57AM (#13844476)
    'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'
    That's why you teach your child this thing called "integrity". Never mind what your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is to teach your child the difference.
    • What you should be teaching your child is that when they get caught, they should simply tell whoever that they are doing "security testing". According to what I read at Slashdot, that makes it "OK".
    • Never mind what your child could do. There are lots of things your child could do, but should not do.

      Next thing you'll be saying that just because it's on a computer or a network, that the same general civilized ethics as used in the real world should still apply. Where's the moral relativism? Where's the it's-Tech-so-all-bets-are-off slashdottedness? Sorry, I guess I've read a few too many comments here that would excuse anything done by any kid as long as it can be connected, no matter how obliquely, t
    • Re:Integrity (Score:4, Interesting)

      by thefirelane (586885) on Friday October 21, 2005 @11:56AM (#13845027)
      That's why you teach your child this thing called "integrity". Never mind what your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is to teach your child the difference.

      I 100% agree, why bother even having passwords in the first place?

      "We don't rely on passwords, we rely on integrity"
      • I 100% agree, why bother even having passwords in the first place?
        "We don't rely on passwords, we rely on integrity"


        Integrity stops us from doing such things.

        Passwords stop (or at least slow down) them.
  • A common trick used by 'Art School account' holders at a certain University in 83 was to check the sequential account numbers and use the default password. If the rightful owner never logged in the account would be yours for the quarter. If they did, you got kicked and had to use one of the other 100 or so you and your buddies built up.

    I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued an account nonetheless. If they never logged in nobody cared. T
  • by baryon351 (626717) on Friday October 21, 2005 @10:57AM (#13844478)
    In the early 1990s, my university did something similar. Everyone had a three-initial login consisting of their first/last names and a middle initial, and a letter following. It was policy to give all students who enrolled a login. ghk2, mby5, adh7 etc.

    Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...

    Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd .. and ls -la to see the inactive user dirs. We'd keep multiple ones active if ever we went over quota, and give accounts to friends outside the university so they could login via the modem pool, and the uni did nothing about it for the five years I was involved with them, from 1991 to 1995.

    I'm not surprised the same braindead thinking still exists somewhere in the world.
  • by ZakuSage (874456) on Friday October 21, 2005 @10:57AM (#13844490)
    Some dumb teacher at my old school put up contact information for all students and staff in the school, as well as their accounts + email with passwords, in a directory accessible without a password. I found it the first year I went there (4 years ago), didn't tell anyone (would you? honestly...), and they just found out that it was there about 6 months ago. The kicker is that the thing got updated each year!
  • I work with a number of schools. Security is just something they don't get, at all.
    This week, one of my schools had 2 random users suddenly become domain admins. They only had a few days worth of logs, so we don't know who did it, and no one who had administrative access has fessed up.
    Teachers let students use their accounts, administrators use sticky notes with passwords, we're almost at the point where we'll be forced to disable screen saver lockouts because of the whining.

    It isn't just computer se
  • by RoadWarriorX (522317) on Friday October 21, 2005 @11:00AM (#13844513) Homepage
    I am surprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.

    You'll never know, that still might happen...

  • Having worked in a university environment for 8 years, and now working in a private corporate environment, it's staggering to see how often weak passwords are used in the educational areas. I had several roles that included support, which required me to work with users to solve their problems. Nine times out of ten, the password that the user chose was a dictionary word. The other 10% usually was some form of a dictionary word with a number at the end (usually 1). A small fraction of people (who had their la
    • When I assumed the sysadmin role for a webserver, I changed the policy for that system, and manually assigned passwords that the users were not allowed to change. They were all passwords like (example) xj45Q!8p.

      Don't you think they'd just write that password down too? Especially if they can't remember it?

      the number of instances of "I think someone accessed my account" dropped down to the single digits within the span of a year.

      I think people just learned not to fuck with the BOFH.
      • Don't you think they'd just write that password down too? Especially if they can't remember it?

        Some did, but they would usually do it in a way that was relatively secure. Most had password-protected PDAs, and kept the passwords in there.

        I think people just learned not to fuck with the BOFH.

        BOFH I may have been, but I got the job done and decreased the frequency of security incidents. :)
      • I tell people to put their random password in their wallet. If it's stolen, they have bigger things to worry about than having to change their password. If I don't suggest putting it in their wallet, I'll later find it on a sticky note on their monitor, or on a sticker beneath their keyboard, mouse, or desk.
  • Back in my AP Computer Science class, each kid got to make their own login and password. If you forgot the password, you go tell the teacher and he resets it. Then you log in and it prompts you to change it to something else. Of course, how it generally worked was the kid would forget their password, go get the teacher to reset it, then scramble back to their computer as fast as they can while everyone else in the class tries to log on and change the password to something funny.

    Good times.

  • by iamacat (583406) on Friday October 21, 2005 @11:12AM (#13844609)
    Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Ender's Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.
  • by artemis67 (93453) on Friday October 21, 2005 @11:19AM (#13844659)
    The city of San Francisco is looking for a new IT Manager. Must be able to come up with more than one password. Passwords with numbers a plus. Job to be filled immediately.
  • by Quiet_Desperation (858215) on Friday October 21, 2005 @11:25AM (#13844708)
    My company requires new users to navigate the Labyrinth Of Despair, swing on burning ropes across the Chasms Of Molten Hate, do battle with a dozen skeleton warriors and all the while collecting obscure Myst-like clues in order to figure out the initial login password.

    And if you forget your password, you have to do it again.

    Blindfolded.

    A new college hire involved in a password change request. [photobucket.com]

    Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).

  • by 8127972 (73495) on Friday October 21, 2005 @11:25AM (#13844711)
    .... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:

    - Name of their child
    - Type of car
    - Licence plate number
    - Name of husband/wife/spouse/life partner/current booty call

    The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
  • Lazy Admins (Score:3, Interesting)

    by SumDog (466607) * on Friday October 21, 2005 @11:28AM (#13844741) Homepage Journal
    When I first got my current job, everyone had the same password! It's awful because even when someone leaves the company, they can still access everyone else's accounts. The system admin's response when I asked him about it: "Well if you let them choose their own passwords they keep forgetting them and keep bugging me about it."

    This is the same system admin who mapped drives on the Samba3 domain to regular users as the Domain Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his Windows box every 3 months because of excess spyware.

    The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.

    Stupid people shouldn't be in charge of important things that involve the physical and informational security of many people. However we keep putting them in those positions and keep them there cause it's easier and we "trust" them even though they are incompetent. Why else would Americans reelect Bush?
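    The lockout script the comment above describes, as an added example that is not code from this thread or from any district's system. It assumes a constructed account store (dicts holding an issue date, a password-changed date, and a PBKDF2-HMAC-SHA256 hash), a constructed generic password "welcome1", constructed usernames, and a constructed clock. Besides the "never changed it" case, it rehashes the generic password against each stored hash, which catches a user who "changed" the generic password back to the same value, a case a change-date flag alone would miss.

```python
"""Lock accounts whose district-issued generic password is still in use.

Added example; not the thread's or any real district's code. Everything
below (account fields, generic password, usernames, dates) is constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000  # illustrative work factor


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(username, issued_at, password, changed_at=None):
    """Build a constructed account record as a directory export might look."""
    salt = os.urandom(16)
    return {
        "username": username,
        "issued_at": issued_at,            # when the generic password was handed out
        "password_changed_at": changed_at, # None until the user picks their own
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "locked": False,
    }


def still_on_generic(account, generic_password):
    """True if the stored hash still verifies the generic password."""
    expected = hash_password(generic_password, account["salt"])
    return hmac.compare_digest(account["pw_hash"], expected)


def stale_default_accounts(accounts, generic_password, now, max_days):
    """Usernames whose generic password survived past the grace period.

    An account is stale when it is older than max_days AND either the user
    never changed the password or the stored hash still matches the generic.
    """
    grace = timedelta(days=max_days)
    stale = []
    for acct in accounts:
        if now - acct["issued_at"] <= grace:
            continue  # still inside the grace period
        never_changed = acct["password_changed_at"] is None
        if never_changed or still_on_generic(acct, generic_password):
            stale.append(acct["username"])
    return sorted(stale)


def lock_stale_defaults(accounts, generic_password, now, max_days):
    """Flag the stale accounts as locked; return the usernames locked."""
    stale = set(stale_default_accounts(accounts, generic_password, now, max_days))
    for acct in accounts:
        if acct["username"] in stale:
            acct["locked"] = True
    return sorted(stale)


# --- constructed sample data -------------------------------------------
GENERIC_PASSWORD = "welcome1"        # constructed generic value
NOW = datetime(2005, 10, 21)         # constructed "today"
SAMPLE_ACCOUNTS = [
    # changed to a real password two days after issue: fine
    make_account("tlopez", datetime(2005, 10, 1), "Kx9#pq2Lm!", changed_at=datetime(2005, 10, 3)),
    # never touched the account: stale after 14 days
    make_account("jdoe", datetime(2005, 10, 1), GENERIC_PASSWORD),
    # "changed" the password, but back to the generic value: still stale
    make_account("rroe", datetime(2005, 10, 1), GENERIC_PASSWORD, changed_at=datetime(2005, 10, 5)),
    # issued six days ago: still inside the grace period
    make_account("nnew", datetime(2005, 10, 15), GENERIC_PASSWORD),
]


def run_lockout(max_days=14):
    """Apply a 14-day grace period to the sample store."""
    return lock_stale_defaults(SAMPLE_ACCOUNTS, GENERIC_PASSWORD, NOW, max_days)


if __name__ == "__main__":
    print("locked:", run_lockout())  # ['jdoe', 'rroe']
```

    Run it from cron against the real directory export and the output is the list of accounts to disable and chase; the salted hash comparison is what makes the script useful even after the change-date field has been set.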
  • by Evil W1zard (832703) on Friday October 21, 2005 @11:30AM (#13844778) Journal
    How many times do we see this same type of story in the news... Passwords are a weak link in the security chain and guidelines on how to create and manage passwords have been around forever. In this day and age it is a simple thing to use two-factor authentication through RSA tokens and such and it should be IMO a requirement placed upon systems that protect personal information. There is no excuse other than negligence for this kind of situation. I have seen so many cases where passwords initially given are so simple to guess (last name, first initial or even password) and it plain pisses me off. Then on top of that they don't automate the system to check for weak passwords so people wind up changing their initial password to something just as easy to guess. One audit I did of about 200 users had a dozen or so using "password", another 20 or so using their name and another 50+ using passwords that were easily guessable... It's piss-poor and there is no excuse.
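    A weak-password check of the kind this comment and 8127972's list of guessable choices above (child's name, car, plate) call for, written as an added example rather than any real system's policy. The common-default list, the tiny wordlist stand-in, the personal-detail terms and the sample user records are all constructed for illustration; the leet folding is there because of the 1337-spelled initial passwords mentioned earlier in the thread. It rejects a candidate at change time and also summarises a batch the way the 200-user audit above does.

```python
"""Reject guessable password choices at change time and audit a batch.

Added example; not the policy engine of any real district or product.
Constructed for illustration: COMMON_DEFAULTS, SAMPLE_WORDLIST (a stand-in
for a real dictionary), the personal-detail terms, and SAMPLE_USERS.
"""
import re
from collections import Counter

COMMON_DEFAULTS = {"password", "passw0rd", "1234", "12345", "123456",
                   "welcome", "letmein", "qwerty", "changeme"}
SAMPLE_WORDLIST = {"pencil", "school", "dragon", "summer", "monkey",
                   "football", "teacher"}
# Fold the usual digit/symbol substitutions back to letters ("Dr4g0n" -> "dragon").
LEET_TABLE = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s"})


def leet_fold(text):
    return text.lower().translate(LEET_TABLE)


def base_word(lowered):
    """Drop a trailing run of digits/symbols ("pencil2005" -> "pencil"), then un-leet."""
    return leet_fold(re.sub(r"[^a-z]+$", "", lowered))


def password_problems(candidate, username, personal_terms=(),
                      wordlist=SAMPLE_WORDLIST, min_len=8):
    """Return the list of reasons a candidate is rejected (empty = accepted).

    personal_terms are details an attacker could learn by chatting with the
    user: surname, child's name, car, plate, and so on.
    """
    problems = []
    lowered = candidate.lower()
    folded = leet_fold(candidate)
    base = base_word(lowered)

    if len(candidate) < min_len:
        problems.append("too short")
    if lowered in COMMON_DEFAULTS or base in COMMON_DEFAULTS:
        problems.append("common default")
    user = username.lower()
    if len(user) >= 3 and (user in lowered or user in folded):
        problems.append("contains username")
    for term in personal_terms:
        term = term.lower()
        if len(term) >= 3 and (term in lowered or term in folded):
            problems.append(f"contains personal detail: {term}")
    if base in wordlist:
        problems.append("dictionary word")
    if all(ch.isalpha() for ch in candidate):
        problems.append("no digit or symbol")
    return problems


# --- constructed sample records: (username, chosen password, personal terms)
SAMPLE_USERS = [
    ("jsmith", "password",   ("smith", "john")),
    ("mjones", "Jones1",     ("jones", "mary")),
    ("tlopez", "pencil2005", ("lopez",)),
    ("rroe",   "Dr4g0n!",    ("roe", "corvette")),
    ("klee",   "corvette77", ("lee", "corvette")),
    ("bkim",   "bkim",       ("kim",)),
    ("apark",  "gX7#qm2Lp9", ("park",)),
]


def audit(records, wordlist=SAMPLE_WORDLIST):
    """Summarise a batch: how many would be rejected, and why."""
    reasons = Counter()
    accepted = []
    for username, candidate, personal in records:
        problems = password_problems(candidate, username, personal, wordlist)
        if problems:
            reasons.update(p.split(":")[0] for p in problems)
        else:
            accepted.append(username)
    return {"total": len(records), "rejected": len(records) - len(accepted),
            "accepted": accepted, "reasons": dict(reasons)}


if __name__ == "__main__":
    for username, candidate, personal in SAMPLE_USERS:
        print(f"{username:8} {candidate:12} {password_problems(candidate, username, personal)}")
    print(audit(SAMPLE_USERS))
```

    The substring checks run against both the raw and the un-leeted form, so "c0rvette77" is caught as readily as "corvette77"; swap SAMPLE_WORDLIST for a real dictionary file and the same function works as a pre-commit hook on the password-change path.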
  • by vertinox (846076) on Friday October 21, 2005 @11:33AM (#13844811)
    From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

    Just because you couldn't figure it out and your child could doesn't mean you have to get pissy about it.
  • Child's Play (Score:2, Insightful)

    by hendridm (302246)
    My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling

    And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.

    This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?

  • Since when did it become legal for someone to access a private database system. Wasn't the reporter committing a crime?

    Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.

    That said, he/she/it should not have been so negligent.

    When I was a kid, my parents made me confess to the grocery stor

    • When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollypop. The lollypops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shop lifting. Hmmm... So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.

      Yup, hackers who break into systems are breaking the law. Just like people who break into

  • This is what happens when "security" is made a convenience rather than a way of protecting a system.

  • Typical educational system. Typical educational administrators. Typical software company. Typical humans.

    Read Marcus Ranum's rant about "Stupid on Software" involving a bank buying a system with absolutely NO security - then trying to ADD-ON the security.

    And the first page of /. comments are people bitching because a reporter exposed it.

    Morons, the lot.
  • False security (Score:3, Interesting)

    by canadiangoose (606308) <djgraham@gmaFREEBSDil.com minus bsd> on Friday October 21, 2005 @02:48PM (#13846576)
    My first tech job was as the sole helpdesk technician of a small/medium-sized hospital in Canada. When I was hired, they were in the middle of transitioning their main servers from Netware to NT4. The plan had been simple:

    1. Migrate client authentication over to NT
    2. Create trust relationship between Netware and NT, allowing clients to access old Netware resources.
    3. Migrate file/print/email and whatever else over to NT as it suited them.

    I don't know enough about Netware to say whether the migration plan should have worked or not, but something definitely mucked up. They couldn't get Netware to trust the NT logons. The solution?
    They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no access controls on ANYTHING!! Sure, people were to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.

    The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
