

WiFi Exposes Sensitive Student Data
cfarivar writes "Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."
California's new notification provisions: July 1 (Score:5, Informative)
Should be fascinating to see how people react as they start to find out how often security problems actually occur...
Re:California's new notification provisions: July (Score:5, Insightful)
On a side note, could the newspaper be held liable for this, given that they were intruding on the network without permission? If the newspaper gets screwed over this, it could generate some much-needed publicity and the following public backlash over this BIG problem in the current internet legal scene (namely that if someone finds an insecure network, they usually can't disclose it without getting whacked. Sometimes even if they only tell the company concerned, the company fixes it and then whacks them).
Re:California's new notification provisions: July (Score:5, Interesting)
If so, didn't they violate the DMCA - no matter what their intent?
After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?
Re:California's new notification provisions: July (Score:2)
Re:California's new notification provisions: July (Score:4, Insightful)
Of course, press like this is rarely very good. It's enough to scare lots of people away from new technologies.. I'd be surprised if someone doesn't make a push to bring them back down to paper files for everything.
Re:California's new notification provisions: July (Score:3, Interesting)
I mean... if for example I had a WiFi card and I was on campus, which I would consider perfectly out of the ordinary, and I tripped upon a network connection, I would think "oh neat public WiFi". Just like if I was walking down the street and saw a path to a lake, "Oh neat a public lake".
My point is without notice, ho
Re:California's new notification provisions: July (Score:4, Informative)
Well, logically, ya, you should be able to listen to anything being broadcast at you.. But, look at what they do if you descramble satellite feeds without paying..
But, I don't think they accidentally picked up the signal. They said they were sitting just outside of the school's office, with the proper equipment (ya, laptop and wifi card, big deal), but that's intent. Not only that, but sitting outside that office ("Using a laptop with a wireless card outside the district's main office") they sent data to retrieve data ("the Weekly gained access to such data as
Ahhhh, and here we go with the law (I've been busy with work, not much time to play). The summary of this is, yes, they broke the law, and it's punishable by $2,500 and/or 1 year in jail on the first offense, and $10,000 and/or 1 year in jail on the second offense.
[ca.gov]
PENAL CODE
SECTION 630-637.9
631. (a) Any person who, by means of any machine, instrument, or
contrivance, or in any other manner, intentionally taps, or makes any
unauthorized connection, whether physically, electrically,
acoustically, inductively, or otherwise, with any telegraph or
telephone wire, line, cable, or instrument, including the wire, line,
cable, or instrument of any internal telephonic communication
system, or who willfully and without the consent of all parties to
the communication, or in any unauthorized manner, reads, or attempts
to read, or to learn the contents or meaning of any message, report,
or communication while the same is in transit or passing over any
wire, line, or cable, or is being sent from, or received at any place
within this state; or who uses, or attempts to use, in any manner,
or for any purpose, or to communicate in any way, any information so
obtained, or who aids, agrees with, employs, or conspires with any
person or persons to unlawfully do, or permit, or cause to be done
any of the acts or things mentioned above in this section, is
punishable by a fine not exceeding two thousand five hundred dollars
($2,500), or by imprisonment in the county jail not exceeding one
year, or by imprisonment in the state prison, or by both a fine and
imprisonment in the county jail or in the state prison. If the
person has previously been convicted of a violation of this section
or Section 632, 632.5, 632.6, 632.7, or 636, he or she is punishable
by a fine not exceeding ten thousand dollars ($10,000), or by
imprisonment in the county jail not exceeding one year, or by
imprisonment in the state prison, or by both a fine and imprisonment
in the county jail or in the state prison.
I won't say that the school didn't fuck up, because honestly they did.. But, as any stumbler/wardriver knows, they're not the only ones. It doesn't take a computer expert to get into most networks. They should have done a better job, but failed. This is barely news, it's just a reporter bragging how they broke the law, invaded the privacy of thousands, criminally trespassed, and are flaunting it as news. It's as criminal as if they broke into a bank and took out cash, even if handing it back in the morning, to prove that it could be done.
With that said, ya, my laptop is set up for stumbling too.
Re:California's new notification provisions: July (Score:4, Informative)
Ahh, that's actively *descrambling* the data. That's going above and beyond, theft of services and all that. You need to buy a key of sorts to gain access to these services, unless you are in Canada of course.
intentionally taps, or makes any
unauthorized connection, whether physically, electrically,
acoustically, inductively
I do not claim to be a lawyer, but largely based on what I've observed tap, as in wire tap, only applies to audio tapping. As in, it might very well be legal to pop in a security camera so long as it doesn't pick up audio.
Furthermore, even the law you quoted implies *authorized access*. I would argue strongly that without basic security measures that all people *are authorized* to access this material. It would be no different, in my mind anyway, if they put up private information on a public web server, esp if Google picks it up seeing no robots file in place.
I would further submit the fact that the service of WiFi net access is very much commonplace. For example, my local Starbucks coffee offers WiFi access for a fee, and I know of one CAFE that offers public free WiFi access.
Given that this is a service offered in some establishments, a stumbler who accidentally comes across access might reasonably assume that this is a service, given there was no security and *authorized access* is granted to everyone by the WiFi router based on a configuration choice by the system admin. My argument, which may or may not stand up in court, would be that because the system authorizes you that no law was broken, even if access to proprietary data was made publicly available to anyone who requested access.
We can clearly agree the school fucked up, but I'd argue that they should be held criminally liable because their WiFi network specifically grants *authorized access* to anyone. Just because it's an automated authorization system is no excuse in my mind's eye, no different than asking for proprietary records and getting them by fax from an office worker that wasn't told better.
If it was me personally, I'd say, "oh cool, public WiFi network, I can check my e-mail from here".
Re:California's new notification provisions: July (Score:3, Informative)
http://www.ncsl.org/programs/lis/CIP/surveillance
No way. (Score:2, Interesting)
If you know the data isn't for you, and it's not advertised for you to get, then you can reasonably assume it's private.
Surfing student records over a wireless connection is one of those things that falls under "We knew it was not public information, and that we were accessing information we were not supposed to be"
ANYONE who accesses my network through some kind of security breach does not deserve any kind of protection.
Re:No way. (Score:3, Insightful)
Re:California's new notification provisions: July (Score:2)
Re:California's new notification provisions: July (Score:3, Interesting)
Upside (Score:5, Funny)
Re:Upside (Score:5, Funny)
damnit.
Fake? (Score:5, Funny)
Something you should know (Score:3, Funny)
I'm a 46 year old white dude. I weigh in at 332 lbs, and I sell pig manure to soy bean farmers for a living.
Security is still sub-par with wifi (Score:5, Informative)
WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sniffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithms.
WTLS (Wireless Transport Layer Security) was designed poorly as well. Its design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.
Attacks against the WAP WTLS protocol (PDF): Source one [cc.jyu.fi], Source two [securityfocus.com]
Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek [alphageekproductions.com]
Re:Security is still sub-par with wifi (Score:2)
Re:Security is still sub-par with wifi (Score:5, Insightful)
Aside from the fact that WEP is breakable and thus useless, if they had used WEP (and it wasn't broken) the data still would have been accessible to the legitimate wifi users (unless this was a special AP for people who need to see this data). They said the data was accessible to unauthorized users inside the network, too. And they fixed it by turning off the AP?
I salute the newspaper for taking the initiative (and, perhaps, the risk) of accessing the data themselves. But I wish they would have spun it more as a "piss poor security" issue than a "wireless security" issue. As far as I can tell, this has hardly anything to do with wireless at all. It's certainly not a reason for schools to not run open networks. They just need to secure their wired networks just like they should have before wireless!
Re:Security is still sub-par with wifi (Score:2)
Re:Security is still sub-par with wifi (Score:2)
Re:Security is still sub-par with wifi (Score:5, Informative)
Re:Security is still sub-par with wifi (Score:5, Interesting)
The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.
Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.
There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS law suit.
PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district
Re:Security is still sub-par with wifi (Score:2)
Re:Security is still sub-par with wifi (Score:4, Funny)
Yeah, I'm sure they made it weak on purpose... They were all set to publish a stronger algorithm, but then someone said "Hey! This isn't wired *equivalent*, this is superior to unencrypted Ethernet."
Unfortunately by that point they were already set on the name. [It was already in all the marketing materials and WEP just has a better ring to it than BWP (Better than Wired Privacy).] So the only solution was to introduce an arcane security flaw.
Yeah, that's so much more plausible than "They fucked up!"
-a
Re:Security is still sub-par with wifi (Score:2)
Re:Security is still sub-par with wifi (Score:2)
They were all (surprise) pdf's.
Justin
They did it with p2p... (Score:5, Informative)
Re:They did it with p2p... (Score:3, Interesting)
If this does anything, it should make the gov. smack the hell out of all WiFi consortium members by preventing them from selling any more equipment till they actually get it right. (And giving refunds for all faulty equipment already sold)
Re:They did it with p2p... (Score:2)
Excellent felony! (Score:5, Interesting)
Re:Excellent felony! (Score:5, Insightful)
Of course, they might just be declared enemy combatants and all this silly due-process thing could be avoided...
Re:Excellent felony! (Score:2)
Who, the newspaper reporters or the jury members that don't return a verdict the government likes?
Re:Excellent felony! (Score:2)
I don't think that's an or question.
Re:Excellent felony! (Score:2)
And of course they won't mind because they'll get an all-expenses-paid-permanent vacation in sunny Cuba.
Re:Excellent felony! (Score:5, Interesting)
Re:Excellent felony! (Score:3, Insightful)
Things like this bother me. It's getting to the point where if you have a laptop and you're outside or if you're on a cablemodem doing something other than web surfing, you're going to get arrested. The media isn't helping the witch hunt. Uninformed press always make things seem worse than they are just to boost sales and preserve position.
Re:Excellent felony! (Score:5, Interesting)
Historically (Score:3, Informative)
That is a good thing, as long as the integrity of the information is held to a high standard. For example, if they published all the information they got, that would be bad and they would be held accountable. If not by a law enforcement agency, then by a civil court. Probably both.
Re:Historically (Score:5, Insightful)
The newspapers never admitted to stealing the Watergate documents. They at least claimed that the documents were stolen by an anonymous informant. This case is different, because the paper admits to committing the felony itself, not through an anonymous informant.
I see no reason to hold this paper to any different of a standard than Kevin Mitnick. Personally I'd like to see all hackers pardoned, but until then the law is the law.
Re:Historically (Score:2)
First because if the press was convicted for this sort of crime, nobody would ever report this sort of crime could happen.
What they did was nowhere near what Kevin Mitnick did. Kevin committed several different crimes illegally breaking into systems, telephone fraud, and B&E.
Was his punishment overly severe? Absolutely, but don't go comparing him to the press.
Re:Excellent felony! (Score:5, Interesting)
I'm not familiar with the laws, but which part is the felony exactly? How can "just" getting the IP address constitute a felony? We don't even know whether the newspaper had to crack encryption to get into this network. Maybe the access point was being run wide open, as another poster suggested.
Certainly, if they had to break in, then it's a felony; on the other hand, if the school ran the access point wide open, then there's more of a gray area.
I have a particular interest in this. You see, I recently got in trouble with H*neywell for using their WiFi without permission. I do consulting work for a small company, and there's a H*neywell office just down the hall from where I work. Someone at that office installed a WiFi access point, apparently contrary to company policy. That access point stayed up for many months, then recently came down, and I never thought anything of it. The access point was being run entirely without security of any kind -- no WEP, no password, nothing.
I was only using this to surf the web and download some software updates/patches to my iBook. I didn't go out looking for this access point, but my iBook is configured to find the nearest access point as soon as it wakes up from sleep (or boots up).
Then about a week after the access point went down, I got a call from my consulting firm. It seems that H*neywell had somehow traced my use of their WiFi access point, and wanted to do something about it. I almost lost my job, but ultimately, a deal was struck whereby I surrendered my laptop to have the hard disk imaged; the laptop was returned to me less than 2 days later, fully intact.
The official story I got was that H*neywell hired an outside firm to check their network security, and they identified the WiFi access point as a security hole; the employee who set it up was fired. Then the security firm traced all who had used the access point, and found my "digital fingerprint."
The unofficial story I got from some other folks in-the-know is that I had posted about my discovery in my LiveJournal [livejournal.com], and someone did a Google search and found the entry. Apparently, I forgot to make this a non-public entry. So that's how I was really found out. (That entry has been made friends-only now.) I'm still not 100% sure how Google indexed my journal, since I have my prefs set up to prevent indexing, but not all spiders respect that.
I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall! As it turns out, the access point was behind their firewall, and I could have accessed a whole bunch of material I wasn't supposed to. Scary thought.
I think the real reason I got in trouble was that I embarrassed H*neywell. They could have conceivably taken legal action against me personally, but that would have created a weird situation for them, since it would expose them to government scrutiny. And they might lose some favorable government contracts if that happened. Moral of the story: Always check to see what you're connecting to. That hot-spot might not be safe to connect to after all!
eh? (Score:2)
Just getting an IP address? To get an IP address, you have to ask for one. Is it your fault they gave it to you? That's like if you knock on Honeywell's front door, and ask if you can come in, and they say, "OK, come on in", and as soon as you step foot in their premises, have you arrested for trespassing. I suppose you could say, you did have
Re:eh? (Score:2)
"Was" being the operative word here.
There's no telling who else had access to their network. They just went after me because I was an easy target, and I gave them a black eye.
Getting an IP is a felony? (Score:5, Informative)
Well, actually, my attorney says no it isn't in my case... Because of the following argument:
Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.
Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.
Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.
Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.
If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)
In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.
Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.
Well... (Score:5, Funny)
Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.
Liability (Score:5, Insightful)
It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.
The simple truth here is that pointy-hairs and bureaucrats understand one thing: Money. If you threaten to kick them in their budget, they'll respond; otherwise, you'll just keep seeing these articles.
I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail. These institutions with faulty IT -- and it's not as if this was some complex cracking job, this is just carelessness -- need to be taught a serious lesson.
(shakes head) It kills me that a college can lose piles of cash for buying shoes for one of their basketball players and a business can get fined for having workers lift a box that's 5 lbs. too heavy, but when they expose the private, valuable data of their students/customers, there's no sanction whatsoever....
Exactly (Score:5, Insightful)
"I don't see this as such a huge news story," Superintendent Mary Frances Callan said the day after the district office abruptly shut down its wireless network and student information program. The real news, she added, was the great progress the district has made to its network plans, thanks to new software purchases, planned employee training sessions and the technology-use policy.
She has absolutely no sense of responsibility of the damage she could have/has caused. Money is the only thing that will get them to take notice.
Re:Exactly (Score:2)
Re:Exactly (Score:2)
What would probably happen is that organizations would spend a relatively small amount of money purchasing a new kind of liability insurance, the terms of which would require them to take at least basic steps to secure their systems (ie, stunning incompetence
Re:Exactly (Score:2, Insightful)
(Unfortunately) most IT isn't about messing around with cool new stuff, it's implementing specific requirements, no matter how mundane. How she thinks the severity of loss of extremely private data can be mitigated with "look at my cool network"
Re:Liability (Score:3, Insightful)
"...allow sensitive data to be stolen."
'not well secured' does not, nor has it ever, mean 'allow'
If it is negligence, really hard to say based on the info given, then they can, and should, be sued.
Re:Liability (Score:3, Informative)
Re:Liability (Score:2)
Re:Liability (Score:2)
It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.
I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail.
Companies are already accountable for negligence. But in order to win a case, you have to show damages. I don't see any damages caused by this particular negligence.
Far worse abuses of this data (Score:5, Insightful)
E.g., a pedophile could go "shopping" for a victim, then use the information in the file to convince the kid that a trusted adult sent them to pick them up.
Or they could be even more aggressive and add an alias to the list of people authorized to pick up the kid at school. Then they show up and breeze past security that would normally extend from classroom to doorstep.
Re:Liability (Score:2, Insightful)
Here is my question though. At what point does an institution move from being a victim of an attack to being responsible for it?
Don't get me wrong here, from reading the article, I would definitely agree the school was somewhat negligent. I mean, if I leave my keys in my ignition, and the car is stolen, my insurance policy has a clause stating that I am at fault for not securing my vehicle, and they don't have to pay. That makes sense to me. And
Boiler insurance (Score:3, Insightful)
If there's a liability exposure, institutions will buy liability insurance, and the insurance companies will be a well-funded central source of motivation and knowledge to improve security.
Steam boilers used to blow up and kill people. Insurance companies started demanding boiler inspections. After that, fewer boilers exploded.
The "U" in the UL tag on electrical equipment stands for "Underwriters".
Interesting... (Score:5, Funny)
Re:Interesting... (Score:2)
Just go down to the district office. (Score:2, Informative)
Re:Just go down to the district office. (Score:3, Funny)
Re:Interesting... (Score:3, Funny)
Didn't anyone tell you? If you want to see it, you are crazy.
Please lie down on the floor. The van will arrive shortly. Don't argue with the officers -- they are just doing their job.
Thank you.
more to learn (Score:5, Insightful)
I read an interesting (albeit short) article [eweek.com] not too long ago about the risks that does a nice job of explaining things.
Re:more to learn (Score:2)
You do realize that putting WEP on your WLAN is about as effective as putting 6 layers of duct-tape over your lock thinking that nobody with a key can get in now, right?
WEP is useless unless you want to keep people out that wouldn't spend 30 minutes or less trying to crack the key.
WiFi? It was easier at my school; (Score:5, Interesting)
Re:WiFI? It was easier at my school; (Score:2)
You guys have it easy. In our day, the grades were kept on a floppy (for use in a TRS-80), and you actually had to liberate the floppy from the teacher's briefcase to check it.
Not that I ever did.
School Districts are generally clueless (Score:2, Funny)
Not only do they expose sensitive information,
but they run generally insecure servers, and
they pay mercenary network installation contractors
1000 cents on the dollar for old crappy network
hardware.
And the web pages set up by school districts for
employees to use are brain dead.
This one:
http://www.teachinla.com
has a link on the NCLB teacher profile logo
that sends you to a page that will let anybody
that can get a teacher's employee number and
birthdate change their professional cre
Was it just a wide open access point? (Score:5, Insightful)
agreed (Score:2)
So, it's funny... (Score:5, Insightful)
Re:So, it's funny... (Score:2)
But the moment a student would try the same thing, he would be expelled.
What are you suggesting, that they expel the newspaper? If they're not a student, they can't be expelled.
Re:So, it's funny... (Score:2, Interesting)
Wireless is not the core issue (Score:5, Insightful)
The same information was also accessible to individuals using district computers within school sites.
This case shows who or what department that was in charge had concrete policy with regards to information and IT security.
Security was fundamentally flawed, little or no security mechanisms in place, even LAN connections had access to the files! Wireless connection only exacerbated the situation.
Re:Wireless is not the core issue (Score:2)
"This case shows who or what department that was in charge had very little or no concrete policy with regards to information and IT security."
This isn't a problem with WiFi (Score:5, Insightful)
Confidential data needs to have strictly managed flows and storage. It's worrying enough that this information could be accessed anywhere on campus even without the wireless threat.
When it comes to something like a psych evaluation I can't see why that information isn't kept 'offline' or on a small secured network. There is *no* justification even for allowing all staff members direct access to this sort of thing - it's ripe for abuse. I also can't see any reason why you'd need access to such a report instantly.
Re:This isn't a problem with WiFi (Score:3, Informative)
Solution: lawsuit? (Score:5, Insightful)
This takes the cake: "I don't see this as such a huge news story," Superintendent Mary Frances Callan said ...
'nough said.
psych evaluations, eh? (Score:2)
Check _this_ privacy policy!
yeah, welcome to the red tape. (Score:5, Insightful)
The tech staff that schools have are usually underpaid and overworked, or contractors who are juggling the detail of 10-15 districts. I'm still cleaning up from the last time parents got involved, getting everyone connected to the internet.
To every tech minded parent out there: don't give us your used crap, don't come in and 'help,' just stay out of the way. We have a clue (well a lot of us do), but we spend 98% of our time cleaning up the messes left by helpful parents, clueless teachers, and malicious kids. We're trying to get the teachers up to speed, and we're working on making it hard for the kids to purposefully or accidentally fsck things up. But parents are totally deaf to the idea that the help they're offering is really hindering things.
How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?
Re:yeah, welcome to the red tape. (Score:3, Interesting)
How about in a hospital (Score:3, Interesting)
Tsk, Tsk, Tsk.... (Score:3, Funny)
Those who can't, do it anyway.
It takes 3 seconds to set up an access point and about 2 minutes to set it up and secure it. Even my neighbor (who apparently has wi-fi going on I see) was smart enough to secure their network (so much for the extra bandwidth for those huge game demo downloads, while I play online with no latency or packetloss!)
This is the problem... (Score:4, Insightful)
This is the problem with DeVry's, et al, ginning millions of Win32-morons out into the world of computer administration. You get a bunch of clownpunchers who know how to press shiny buttons but who don't have a clue about the underlying principles (and responsibilities) of the computer networks they are in charge of administering.
Mod me troll, but I'm tired of the polluted job market, and absolutely sick to death of cleaning up the puke left behind at countless small companies by these nimrods.
The Hilarity (Score:4, Insightful)
The question is, would the hole have been discovered? Generally the answer is no, people don't always go looking for security exploits. Hehe, if I had WiFi when I was in HS, I'd be happier about that than anything. It makes me ponder if the news didn't try and get in, would someone have?
I've also worked for the school IT department at my university but quickly quit when I realized the average intelligence around is no higher than a walnut. The one thing I know however, is we don't want the government responsible for private information. Next thing we know is the government pushing DRM and all that other crap.
How long until they... (Score:3, Interesting)
I bet some legal action will be taken against the reporter who did the "hacking," while nobody will even think about holding any school officials accountable for their stunning negligence. I shudder to think what a pedophile with a WiFi-enabled laptop could have done with access to that kind of info. Cripes, it could have really turned into a serious NAMBLA convention out there.
I know this much, if I were a parent of a kid at that school I'd be raising holy hell about this and calling for the heads of people in the school administration. Starting with Superintendent Mary Frances Callan, who was quoted as saying, "I don't see this as such a huge news story." WHAT??? Bitch, you should be on your knees thanking God that this was uncovered by a reporter and not some scumbag who got a kid's address from that wide-open network of yours and found himself an ideal victim!
~Philly
Bring on the law suits... (Score:3, Insightful)
The attitude of the school's staff appalls me; sounds like the poor admin can't even do his job as everything needs to be rubber stamped before it can go into effect. And since when do they think that securing the perimeter of the network makes the files any more secure?
Students do this too (Score:3, Interesting)
Psychological Evaluations (Score:2)
Does this mean they had a psychological evaluation for everyone? Is this common in US schools? It is unthinkable where I come from!
WiFi Didn't expose it, stupid administrators did. (Score:3, Insightful)
WEP exists to stop people like this. It won't stop someone determined, but it will stop the sensationalistic 'news at 11' types.
Identity Theft (Score:3, Insightful)
I remember strolling by empty offices of professors seeing the green printouts of class rosters at the beginning of each semester, and thinking that all it would take is somebody to duck into one of these rooms, lift that list, and poof, you've got hundreds of names and valid social security numbers.
I realize that many schools are moving away from using the social security number as a form of student identification, but I wonder if this coincides with a shift in the fundamental philosophies of these establishments, or if it is simply a method of saving face. I sincerely hope it is the former rather than the latter.
I tried to be helpful (Score:5, Interesting)
Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.
After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.
As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.
Not surprised (Score:3, Interesting)
What about HIPAA? (Score:3, Interesting)
I'm not sure how this applies to an accidental WiFi transmission (IANAL), but I'm pretty sure that it would be grounds for serious fees and fines if it happened at any other kind of institution. I'm wondering whether the school will be in major trouble on this account alone. Under the rule, only health providers would face penalties for disclosing medical records, but if the school is a healthcare provider, for example, if they have an on-campus medical unit, they might be held liable.
Thoughts, ideas, am I way off base here?
Re:i wouldn't get in (Score:2)
Re:i wouldn't get in (Score:2, Interesting)
random searches of backpacks without probable cause (though this is something i agree with)
No freedom of speech. No freedom of expression. (At our school boys couldn't wear hats or earrings, certain colors of garments, no "extreme hairstyles" or shorts during winter or spring.) No -everyone is equal-: girls could wear all those things that boys could not.
the only constitutional amendment uphe
Most schools... (Score:2)
Which is really, really sad.
Re:i wouldn't get in (Score:3, Interesting)
On the other hand, the reason they started doing psychological examinations of students is probably because, after the Columbine shootings, they'd prob
Re:Remember, this is a school system (Score:2)