Generic Passwords Expose Student Data 251
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
Don't Do It! Think Of The Fscking Children! (Score:4, Interesting)
Yes, and she could also be criminally negligent [slashdot.org] for doing so.
Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue [slashdot.org] your precious little girl.
Mwwwwwaaahahahahahaha!
Re:Don't Do It! Think Of The Fscking Children! (Score:3, Funny)
> Hell, we could just bypass the criminal justice system and sue
> your precious little girl.
could never happen! [danaquarium.com]
Re:Don't Do It! Think Of The Fscking Children! (Score:2, Insightful)
Re:Don't Do It! Think Of The Fscking Children! (Score:2)
So then I suppose you'd have no problem sending a thank-you card if you came home and found a post-it note on your TV saying, "you should really remember to lock your front door next time you leave the house"?
Thank you! I grow weary of this attitude saying that it's ok to break into systems as long as you tell the operator about the flaw.
Even in this case where I was tempted to say that it was a legitimate reporter probably responding a story tip -- but why did she need to access two classrooms worth o
Re:Don't Do It! Think Of The Fscking Children! (Score:2)
Uh, how else are you going to verify a security hole?
I didn't say she couldn't verify it. I questioned why verification involved accessing two classrooms worth of data. Surely one would have been enough?
If reporters didn't actually report anything to the public, there wouldn't be any point to a free press. Besides, the quickest way to get a bureaucracy to change anything is by embarassing them.
I didn't say not to report it. I said that she should have reported it to the administration before repor
Re:Don't Do It! Think Of The Fscking Children! (Score:3, Insightful)
Another analogy, shaped along the lines you proposed, is that you received a phone call from a neighbor who discovered your house was unlocked and unoccupied. Not "wandering in, using the toilet, rummaging the underwear drawers, drinking the beers in the fridge, and leaving a p
Re:Don't Do It! Think Of The Fscking Children! (Score:2)
What are you doing on Slashdot?
Re:Don't Do It! Think Of The Fscking Children! (Score:2)
Some girl pissed off my (now) ex, who worked at one of the school libraries, so on the last day of registration she looked up the girls social and birthday on the library computer, then logged into the phone registration and dropped all her classes.
Man that was a vengeful bitch I was married to... but she sure was funny.
1234 (Score:5, Interesting)
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
Re:1234 (Score:2)
And what is the name of your company again? (searches for pencil and paper).
Re:1234 (Score:5, Funny)
Re:1234 (Score:2, Funny)
Fortunately he wasn't smart enough to keep quiet about it
--
Q
The combination is 1 2 3 4 5 (Score:2)
Someone change the combination on my luggage!
Re:The combination is 1 2 3 4 5 (Score:2)
Someone change the combination on my luggage!
How about "2444"? That way you don't have to remember it differently (one 2, three 4's - one two three four!)
Tired jokes aside, anyone know how many people actually use luggage combinations like that? And does the TSA try those combinations if you don't have a "TSA-compatible" lock? (For those who don't know - a TSA compatible lock is a luggage lock with a special access system for a master TSA key - such tha
Locks: Combination vs keyed (Score:2)
My wife flips out when I travel because I do not use locks or combos at all. The combo locks are easy to feel your way to opening, and the travel locks with keys are easy to pick. I travel quite a bit and other than my bag being "lost" for a period, I have had nothing stolen from my bags. Of course, a nerd like me packs nothing of value, and I doubt airport personnel would have a thing for sniffing my boxers.
Re:Locks: Combination vs keyed (Score:2)
Re:The combination is 1 2 3 4 5 (Score:2)
In my car (Audi), the music system (Bose) has an antitheft device. If disconnected from the car (or fuse gets blown or something) you will need to enter the 4 digit code to unlock the system. It gives you 3 attempts and then you will have to wait for 24 hours to try again. A few weeks ago a fluke in electronics happened and Bose locked itself. I could not find the code in the manual, which I keep in the car (doh), so I had to go to the dealer, w
Re:1234 (Score:2)
So I started using the Secure Password generation extension in Firefox, emailed the password to supervisor and set it so the user had to change it on first log in.
Only problem was that after 10 or so minutes of conversatin with said new user you could guess their password.
Passwords simply aren't enough anymore.
Re:1234 (Score:2)
Yeah, people email their passwords and say "I can't login!" and the helpdesk archives the emails.
That's nothing. I was once writing a new website for a client and, when one of their customers couldn't login to the website, he emailed me (not them) with his username, password, phone number, address, social security number, credit card number and expiration date. He was trying to show me that he is a paid member for their services and, thus, should be able to login.
As always, I archive every email I r
Re:1234 (Score:2)
Of course, these are kids. The password is from zero to guessed in about 10 seconds.
Sigh (Score:5, Funny)
Re:Sigh (Score:2)
A crime was already committed (Score:5, Informative)
quite a bit more than the poor sod in the UK who typed
different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
California Penal Code 502 (Score:5, Informative)
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
Aa you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
Re:California Penal Code 502 (Score:2)
The next step in this line of thougth is to punish the research that is studing some protocol to see if we are actualy secure by it. In many cases this is only poss
Re:California Penal Code 502 (Score:2)
Too late, we have DMCA. Remember DVD Jon...
Re:California Penal Code 502 (Score:2, Insightful)
If you login to Jane Doe's account using the default password (and you succeed), that is a crime (unauthorized access).
vb
Re:California Penal Code 502 (Score:2, Interesting)
Re:California Penal Code 502 (Score:3, Insightful)
After all, the people who point out the problems are at fault, not those that caused the problems.
Re:California Penal Code 502 (Score:2)
That may be true, but with something like this, the district attorney who prosecutes the reporter for reporting this is out of a job. Californians have a long history of distrust of their government (why do you think their constitution looks like it was written by Tolstoy?) and turning a blind eye towards vigilantism.
Wanna talk lawsuits? Try criminal negligence... (Score:2)
(If you need help, think of the laws surrounding "classified" information. Sure, it's illegal for most people to possess classified materials, but the law is structured to allow the government to go after malicious or sloppy guardians of classified materials because they are the leakers and thus th
Re:A crime was already committed (Score:2)
The whole system is stupid...
My college did a similar thing (Score:4, Funny)
Re:My college did a similar thing (Score:5, Insightful)
Sometimes it pays to simply keep your mouth shut and let the people who are paid to deal with it do their jobs. Or not, but the U.S. is not a particularly friendly place for unauthorized people that report security problems.
If I noticed a serious security breach on a system or server somewhere, no way I'd point it out unless I happened to know the administrator personally, and knew that that person wouldn't immediately turn around and report me as an "evil hacker" to the FBI. I've read of too many cases where someone who was only trying to help got reamed.
It's funny, some States have Good Samaritan laws where you can be held liable for refusing to help someone in dire circumstances (car accident victim, etc.) but the law works pretty much the other way when it comes to computer security.
So forget it. Let everybody secure their own networks. Or not. But in either case it's not my problem.
Re:My college did a similar thing (Score:2)
He instantly noticed that their mysql server root password was set to "password".
Ironically when he pointed this out to them, they were actually nice about it, thanked him and promptly changed the password.
Re:My college did a similar thing (Score:2)
The difference here being that he was (a) a paying customer, and (b) rightly concerned about the security of the data he was going to be trusting to said paid service.
If they weren't nice about something like that they would be out of business in no time.
Re:My college did a similar thing (Score:2)
human history is chock full of headless Good Samaritans.
Thank you! I now have a new signature on my email at work! :-)
Pays to keep your mouth shut? (Score:2)
Re:Good Samaritan laws (Score:2)
Those laws aren't everywhere, but they do exist in places.
Re:Good Samaritan laws (Score:2)
[1] I don't think the UK has one, but then we aren't so litigation crazy that we need one. Yet.
Re:My college did a similar thing (Score:5, Interesting)
I discovered that the purpose of this was to allow the Managing Director to read everyone elses E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.
I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.
Re:My college did a similar thing (Score:3, Informative)
That headline ticks me off (Score:5, Insightful)
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Re:That headline ticks me off (Score:3, Funny)
Re:That headline ticks me off (Score:2)
Well the human brain is SOFT, isn't it?
Re:That headline ticks me off (Score:2)
sloppy admining (Score:5, Interesting)
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
Re:sloppy admining (Score:2)
Re:sloppy admining (Score:2)
The Password (Score:3, Interesting)
You think the password was "Pencil"?
(If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)
Re:The Password (Score:2)
Re:The Password (Score:2)
"Pencil" was the first thing I thought of when I read the article too.
Sam
Re:The Password (Score:2)
CPE-1704-TKS (Score:2, Funny)
Re:The Password (Score:2)
I never quite bought that. You'd think the biology teacher would get suspicious when someone he no doubt clearly remembers giving a failing grade to doesn't repeat the course.
Not new to me... teachers discovered! (Score:3, Interesting)
Re:Not new to me... teachers discovered! (Score:3, Insightful)
It's "their" system, why shouldn't "they" know?
Re:Not new to me... teachers discovered! (Score:4, Funny)
You don't like them spying on you? Fine: throw some sand in their eyes.
Doctor that file! Replace every occurrence of BoringEducationalSite.com with KinkyBondageSlutz.net and watch the fun begin!
Re:Not new to me... teachers discovered! (Score:3, Insightful)
Looking into logs? Bad teacher!
And how exactly did you discover this?
Re:Not new to me... teachers discovered! (Score:3, Informative)
The press is your friend. (Score:5, Interesting)
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
Integrity (Score:4, Insightful)
Integrity (Score:3, Funny)
Re:Integrity (Score:2)
Next thing you'll be saying that just because it's on a computer or a network, that the same general civilized ethics as used in the real world should still apply. Where's the moral relativism? Where's the it's-Tech-so-all-bets-are-off slashdottedness? Sorry, I guess I've read a few too many comments here that would excuse anything done by any kid as long as it can be connected, no matter how obliquely, t
Re:Integrity (Score:4, Interesting)
I 100% agree, why bother even having passwords in the first place?
"We don't rely on passwords, we rely on integrity"
Re:Integrity (Score:2)
"We don't rely on passwords, we rely on integrity"
Integrity stops us from doing such things.
Passwords stop (or at least slow down) them.
Been going on since the 80s if not earlier (Score:2, Interesting)
I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued a account nonetheless. If they never logged in nobody cared. T
My university did similar. (Score:3, Informative)
Predictable (and simply so) login names are one thing, but following from that, the default passwords were identical to the login name. That sounds pretty bad. One more thing made it worse...
Not all students needed or ever came to use their logins. Indeed, the theatre, arts and media students never needed or were even told about theirs. It was the easiest thing to score a couple of logins by pure guesswork within minutes even among those people who didn't know to login, cd
I'm not surprised the same braindead thinking still exists somewhere in the world.
That's nothing, really (Score:3, Interesting)
Re:That's nothing, really (Score:2)
Yes. But then I'm not an amoral schmuck.
Re:That's nothing, really (Score:2)
Typical of schools (Score:2)
This week, one of my schools had 2 random users suddenly become domain admins. They only had a few days worth of logs, so we don't know who did it, and no one who had administrative access has fessed up.
Teachers let students use their accounts, administrators use sticky notes with passwords, we're almost at the point where we'll be forced to disable screen saver lockouts because of the whining.
It isn't just computer se
With the clueless mentality of today's schools... (Score:4, Insightful)
You'll never know, that still might happen...
Weak passwords are an epidemic (Score:2)
Re:Weak passwords are an epidemic (Score:2)
Don't you think they'd just write that password down too? Especially if they can't remember it?
the number of instances of "I think someone accessed my account" dropped down to the single digits within the span of a year.
I think people just learned not to fuck with the BOFH.
Re:Weak passwords are an epidemic (Score:2)
Some did, but they would usually do it in a way that was relatively secure. Most had password-protected PDAs, and kept the passwords in there.
I think people just learned not to fuck with the BOFH.
BOFH I may have been, but I got the job done and decreased the frequency of security incidents.
Re:Weak passwords are an epidemic (Score:2)
But it can be loads of fun (Score:2)
Good times.
Everything is as it should be (Score:4, Interesting)
In other news... (Score:3, Funny)
My company is just the opposite (Score:5, Funny)
And if you forget your password, you have to do it again.
Blindfolded.
A new college hire involved in a password change request. [photobucket.com]
Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).
Re:My company is just the opposite (Score:2)
I simply instituted a new password rule removing all older rules.
the password must not contain any characters that can be typed at the keyboard.
Soved the problem right there. all passwords are now secure.
Re:My company is just the opposite (Score:2)
Don't make me come over there! (Score:2)
Even if they changed the passwords..... (Score:5, Informative)
- Name of their child
- Type of car
- Licence plate number
- Name of husband/wife/spouse/life partner/current booty call
The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
Re:Even if they changed the passwords..... (Score:2)
Lazy Admins (Score:3, Interesting)
This is the same system admin who mapped drives on the Samba3 domain to regular users using as the Domin Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his windows box every 3 months because of excess spyware.
The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.
Stupid people shouldn't be in charge or important things that involves the physical and informational security of many people. However we keep putting them in those positions and keep them there cause it's easier and we "trust" them even though they are incompetent. We else would American reelect Bush?
Old Problem, Easy Solution... (Score:3, Informative)
Old teachers... (Score:3, Funny)
Just because you couldn't figure it out and your child could doens't mean you have to get pissy about it.
Child's Play (Score:2, Insightful)
And yet an entire school district of adults couldn't figure out that using a generic password over a public medium would pose a risk.
This isn't brain science. What do you think would happen if your ATM card had a default password that you never changed?
Prosecute the reporter!!! (Score:2, Insightful)
Since when did it become legal for someone to access a private database system. Wasn't the reporter committing a crime?
Of course we all know that some poor sys admin just got chewed out for making the password decay policy too difficult. Naturally in an effort to ease the user's pain they just issued a generic (probably at the request of his overlord). Now he'll no doubt get the shaft.
That said, he/she/it should not have been so negligent.
When I was a kid, my parents made me confess to the grocery stor
Re:Prosecute the reporter!!! (Score:2)
When I was a kid, my parents made me confess to the grocery store clerk that I had stolen a lollypop. The lollypops were just sitting there for anyone to grab and put in their pocket. Oh....but wait, we as a society prosecute shop lifting. Hmmm... So why not start finally prosecuting the hackers. It was a password protected site. The reporter's use of the password was still a violation, regardless of the intention.
Yup, hackers who break into systems are breaking the law. Just like people who break into
Need I say it? (Score:2)
Morons (Score:2)
Typical educational system. Typical educational administrators. Typical software company. Typical humans.
Read Marcus Ranum's rant about "Stupid on Software" involving a bank buying a system with absolutely NO security - then trying to ADD-ON the security.
And the first page of
Morons, the lot.
False security (Score:3, Interesting)
1. Migrate client authentication over to NT
2. Create trust relationship between Netware and NT, allwing clients to access old Netware resources.
3. Migrate file/print/email and whatever else over to NT as it suited them.
I don't know enough about Netware to say whether the migration plan should have worked or not, but something definately mucked up. They couldn't get Netware to trust the NT logons. The solution?
They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no no access controls on ANYTHING!! Sure, people were to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.
The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
Re:Meanwhile, teachers have DUPED us... (Score:2)
That is the result of a powerful lobby?
I thought you were talking real money.
Re:Meanwhile, teachers have DUPED us... (Score:5, Informative)
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an assanine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
Re:Ahh memories... (Score:2)
I had it even better. I worked computer repair at my school. I got to spend an hour and a half of class time every day fucking things up and then fixing them.
Re:am i really the first person... (Score:2)
Re:no sheep sherlock (Score:2)
Several systems I've used issue you with a password, say 4 letters or numbers. The first time you login, a password change progam runs and won't let you do anythng else till you've changed your password, and it has to be longer, so you can't keep the initial one.