Re: Eighth-grade hackers pilfer science class exam

[Thomas Roy Garner <trgarner () YTA ATTMIL NE JP>]

> Two eighth-grade honor students at a magnet middle school
> hacked into their science teacher's computer recently and thought they
> hit the jackpot.

I rarely, if ever, reply to this group, but I must ask, the article is a
bit vague on one level.  HOW did these kids get around security?  Now
before everyone get's their reply ready to go, THINK HARD, what has all
of these ISN reports taught us?  Question everything.  I do not fault
the students for their actions, I feel that they are being held
accountable for their actions, however, on the same note, what about the
school?  Did they use a common bug?  Was their system 100% up to date w/
the latest patches?  Was the password protection
AlphaNumeric-Case-Sensitive, w/ double checking against "common"
passwords?

> Cheating is nothing new among students. But Andi Ringer,
> Hillsborough's supervisor of middle school science education, said
> this is the first she has heard of it being accomplished by hacking.
>
> "I guess this is a new glitch," she said.

I know that I'm speculating, but when is a glitch a glitch?

> "We think only two students broke into (the computer) and according to
> the students they gave it to only one or two kids," said Hilderbrand.
> He would not identify the students.

I used to write an "underground" magazine many years ago, and the one
thing that I learned throughout those years, was that, you NEVER EVER
tell anyone your exploits.  This could apply to real-world crimes, ever
watch Cops?  Jesus!

> Ringer and Hilderbrand said the test should not have been put on the
> computer. "There's too many ways of getting a copy of it," Hilderbrand
> said.

If there was a way to get this document, then the method of security IS
AT QUESTION.  It seems that the if there are "too many ways of getting a
copy of it", then there must be some SERIOUS review of this school's
classification review; especially on the definition of "secure".

> Students could have seen the teacher's password, he said. Or they
> could have gotten an administrative password that overrides the
> teacher's. The teacher was not identified.

Of course, it is the STUDENTs fault, and not the teacher?  Did this
individual write it down and stick it in her desk?  (tisk tisk), was it
an easily identifiable pw?  Where is sysadmin?  System logs?  Something,
ANYTHING!

> Florida law makes unauthorized access to a computer system a
> third-degree felony. But DeRuzzo said school administrators thought
> they could handle the matter without calling police.

As always, I'm of two minds regarding this issue.  If a computer system
is NOT running w/ the latest patches, latest revision of firewalls,
allows individuals to pick/choose a password, doesn't do systematic
checks of passwords against dictionaries, then really, if you leave the
key's to your house outside your door, do you THINK your NOT going to be
robbed or at least have someone wander through your home?

BOTH sides are at fault, a) the students, b) the school district.



--
Thomas Roy Garner
Yokota Air Base, Japan
ICQ 4580576

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".