Admin pretends college IT security exists
- 09 July, 2008 10:06
In 2005, I attended a public gifted school. The school's computer admin decided we needed an update in the software used to select our classes, so he created a simple program where you type in your Social Security number as the password, then select the classes.
Well, some friends and I got curious one day and decided to look into the folder where the software was, and voila - we found the Public folder. It didn't contain much, but we located a simple .txt file that contained an alphabetical list of names and Social Security numbers. We decided to take this file, so we could have some fun with some of our more paranoid friends by walking up and greeting them as "Number ...."
Word quickly got out. Rumors spread that we had obtained a bar-code scanner and had used it to scan student IDs when the students weren't looking. Some even suggested we hacked the server. Eventually, school administrators found out who had copies of the file and started to threaten expulsion.
We all came clean. We even showed them how we did it. Some people were amused but others weren't. Some students demanded we be sent to the local court for a "hearing," which was actually more of a scare tactic than anything else. In this hearing, the judge told us, "With great power comes great responsibility." Having seen "Spider-Man" plenty of times, we could barely hold back a chuckle, which I'm sure did not help our case.
Nobody seemed to care that a simple fix could have kept the file hidden. The program was designed to match a name with a number, and we happened to find the list of answers. We were punished for exploiting a vulnerability that shouldn't have existed in the first place.
There was no punishment for the IT guy, though. He just made sure to put the information in a secure admin-accessible-only folder. (We went back to double-check to make sure he hid them.) Parents and outsiders never found out, and it was never released in the school news that there was any fumble at all. After the commotion died down, people just forgot. The couple of students involved demanded tighter security to one of the other admins (the guy who manages hardware).
To this day, a modified list of Social Security numbers is still floating around (my friends' numbers removed). I doubt any real harm will result, but there's no question that the situation is not ideal. Future students who decide to play with this information may not be as harmless as we were.
(In the state of Louisiana, where the school is, all of our college financial aid information -- SSN, address, name, and so forth -- is kept on computers in various universities. With Katrina, a lot of schools got hit hard, and some information was at risk of being lost. A company was recently hired to store the information as a backup just in case of another major hurricane. Last year, that company lost the information -- the encrypted drives went missing while being transported, I believe. We are not a state known for safeguarding sensitive information for students!)