Ontario student suspended for alerting his Universitie to online security vulnerability

[tlink]

12 minutes ago, ElfFriend said:

So... are these hashed and salted passwords or is the University staff so idiotic they stored everything in plain text?

you would be surprised at how many big company's still store passwords in plaintext or unsalted. schools often don't do it because staff forgets their passwords so often its really really dumb.

[Beskamir]

4 minutes ago, tlink said:

you would be surprised at how many big company's still store passwords in plaintext or unsalted. schools often don't do it because staff forgets their passwords so often its really really dumb.

That's why it's always a good idea to click the "forgot my password" link as soon as possible to get a feel of whether or not they're doing things properly. If they send you back your password (happened to me once with a club, specifically the problem solving club at UofC) change it to something you won't care about and then shame them

[bigneo]

He got suspended probably because of his action. It is like breaking into a building and then going to tell the building owner: hey I broke into your building because your windows weren't locked, just so you know.

 

However, if you accidentally discovered that windows were unlocked and reported it, it's a different story. I doubt his hack was accidental, it more than likely was intentional out of curiosity even if he meant no harm.

[leadeater]

59 minutes ago, tlink said:

you would be surprised at how many big company's still store passwords in plaintext or unsalted. schools often don't do it because staff forgets their passwords so often its really really dumb.

Some schools use Student Management software that generates and sets the student's passwords which are sync'd to Active Directory so staff can give any student their password, reset it, login as the student etc. This is actually extremely useful and in the context of a secondary school/high school is perfectly fine, there isn't much reason for a student to have their own personal password or have any kind of false sense of privacy on school provided systems.

 

Of course this changes when we start speaking about College and University where it wouldn't be appropriate to use such a system.

[Teddy07]

Can anyone explain to me what a student suspension is? I live in Germany and this term is completely unfamiliar to me.

 

I assume it is a ban from university for a certain amount of time but it seems strange to ban people from learning for their grades.

 

 

[leadeater]

4 minutes ago, Teddy07 said:

Can anyone explain to me what a student suspension is? I live in Germany and this term is completely unfamiliar to me.

 

I assume it is a ban from university for a certain amount of time but it seems strange to ban people from learning for their grades.

Your understanding is correct, it's also something not commonly given to students at university compared to earlier forms of education. They are given to students when the university deems it necessary such as investigating serious claims of cheating or other forms of misconduct and their presence on campus could be problematic during any investigation. The other time it is given to students is when it is felt it is not safe for the student to be on campus, my guess is in this case it's a bit of both scenarios.

[tlink]

1 hour ago, leadeater said:

Some schools use Student Management software that generates and sets the student's passwords which are sync'd to Active Directory so staff can give any student their password, reset it, login as the student etc. This is actually extremely useful and in the context of a secondary school/high school is perfectly fine, there isn't much reason for a student to have their own personal password or have any kind of false sense of privacy on school provided systems.

 

Of course this changes when we start speaking about College and University where it wouldn't be appropriate to use such a system.

almost all of those things can be achieved without weakening security. reset password, login as student etc can all be achieved without using a weak password storage system. i get that its not much of a risk but why take it for such a minor inconvenience? if the programmer is competent enough that is.. and yea for university's and college its pretty bad.

[leadeater]

16 minutes ago, tlink said:

almost all of those things can be achieved without weakening security. reset password, login as student etc can all be achieved without using a weak password storage system. i get that its not much of a risk but why take it for such a minor inconvenience? if the programmer is competent enough that is.. and yea for university's and college its pretty bad.

Oh for sure, the system I know of definitely doesn't store the password unencrypted.

 

Edit:

What makes it so useful is any staff member doesn't need to find someone from IT to do basic tasks such as telling the student what their password is. This is extremely common even when students do get to set their own password, in fact when it comes to student support it is the most common request for help so having 100 staff be able to help rather than just 1-3 is much more efficient.

 

Edit 2:

When it comes to Active Directory btw there is no way to login as a student or anyone for that matter without actually knowing their password, there is no way round it. Having the passwords generated and stored in a Student Management System is a bypass to this natural security yes but that system itself is more secure as it contains everything about the student including medical information and has role based security on it meaning you can only see specific information that you are allowed and no more.

[MoistyMcMoistface]

2 hours ago, leadeater said:

Oh for sure, the system I know of definitely doesn't store the password unencrypted.

 

Edit:

What makes it so useful is any staff member doesn't need to find someone from IT to do basic tasks such as telling the student what their password is. This is extremely common even when students do get to set their own password, in fact when it comes to student support it is the most common request for help so having 100 staff be able to help rather than just 1-3 is much more efficient.

 

I understand what you are saying, but I still think this is super bad practice.

 

Why don't they just do like evrey other IOT service that requires a password, have it write only. If the uni was smart I think they would have it so that, the Staff can change the password to something new but not read the old password. Therefore, even if a Staff account was compromised by someone malicious and they changed a students password to 1234 and gained access it would be loged. Instead of looking through a .txt file with 2000 account passwords, the hacker would have to rest the password of all the victims. The system could also be set up that if more than X number of password resets happen within X amount of time the System will lock up and one of the 1-3 IT guys will have to give it a quick phone call to the Staffer of the account making all the changes. 

 

If they can make the whole system encrypted and write only. When the staff account gets compromised the hacker would be limited to the max amount of password resets for that account before the IT guy gives the staffer a phone call or whatever to check it out. This way there is only a handful of victims instead of thousands. Also, what if the guy in this story was a black hat, I bet the Uni would never know there was a breach until it is to late. With write only password powers for staff; evrey time a password changed occurred, a well protected log file can tell the police WHO was hacked and WHEN, very important in determining the severity of the incident. 

[FPSwithaWacomTablet]

Hmm, security through obscurity. When it takes a rulebreaker to find out flaws in the system you know something is screwed.

[leadeater]

25 minutes ago, MoistyMcMoistface said:

I understand what you are saying, but I still think this is super bad practice.

 

Why don't they just do like evrey other IOT service that requires a password, have it write only. If the uni was smart I think they would have it so that, the Staff can change the password to something new but not read the old password. Therefore, even if a Staff account was compromised by someone malicious and they changed a students password to 1234 and gained access it would be loged. Instead of looking through a .txt file with 2000 account passwords, the hacker would have to rest the password of all the victims. The system could also be set up that if more than X number of password resets happen within X amount of time the System will lock up and one of the 1-3 IT guys will have to give it a quick phone call to the Staffer of the account making all the changes. 

 

If they can make the whole system encrypted and write only. When the staff account gets compromised the hacker would be limited to the max amount of password resets for that account before the IT guy gives the staffer a phone call or whatever to check it out. This way there is only a handful of victims instead of thousands. Also, what if the guy in this story was a black hat, I bet the Uni would never know there was a breach until it is to late. With write only password powers for staff; evrey time a password changed occurred, a well protected log file can tell the police WHO was hacked and WHEN, very important in determining the severity of the incident. 

I think you missed the part where this was being used in primary school and secondary school, as in below the age of 18. The reason many schools go with that type of system is support time required for young students many of whom don't often use their computer account.

 

Also a Student Management System is a complete application and database, it does all the things you describe in regards to the student's passwords but with the ability for a staff member to view it. To get access to it you need the application installed on your system, you need access to the application server and then you need to be able to login to the application. Every activity in these systems are logged, even viewing records. Far as someone gaining access to the database files themselves that won't give them much since those are encrypted plus you need the database engine to read them and then the data inside of the database is encrypted too.

 

Not every Student Management System is as good as the one I'm referring to however, and not everyone uses them in the same way.

 

This doesn't apply to staff accounts either only students.

 

Active Directory is how you describe, write only meaning you can't reverse the password (not without explicitly changing the password policies to allow reversible passwords but nobody does that). Also there are many password policies that you can configure.

https://redmondmag.com/articles/2011/08/01/managing-active-directory-password-policies.aspx

 

Mind you this is rather off topic to the thread so we shouldn't fill it up with random musings around this subject, happy to discuss it more in a new GD or OT thread though. 

[BuckGup]

My friend did things similar all in non malicious ways and he got expelled for life.

[ZestyJalapeno]

The reason he got suspended is because all students in most developed country unis have to abide by a code of conduct...one of rules was probably "do not hack the uni system". No exceptions whatsoever no matter what the motive is, because universities have to keep their credibility or they will simply cease to exist.

[MoistyMcMoistface]

Just now, Dogeystyle said:

The reason he got suspended is because all students in most developed country unis have to abide by a code of conduct...one of rules was probably "do not hack the uni system". No exceptions whatsoever no matter what the motive is, because universities have to keep their credibility or they will simply cease to exist.

Exactly they need to keep credibility, but the case the white hat is trying to make is that how can the Uni be credible if some bloke like him can walk in and look at everyone grades and plausibly change them, not very credible now are they. 

[ZestyJalapeno]

1 minute ago, MoistyMcMoistface said:

Exactly they need to keep credibility, but the case the white hat is trying to make is that how can the Uni be credible if some bloke like him can walk in and look at everyone grades and plausibly change them, not very credible now are they. 

Their system was shit, but they can fix that by paying some company and fixing that within a month. How much less credible do you think it would make them seem if they flaunt their own code of conduct, which for uni students is damn near a contractual obligation, for the sake of one this guy who willfully gained unauthorised access regardless of how easy it was.

[MoistyMcMoistface]

1 minute ago, Dogeystyle said:

Their system was shit, but they can fix that by paying some company and fixing that within a month. How much less credible do you think it would make them seem if they flaunt their own code of conduct, which for uni students is damn near a contractual obligation, for the sake of one this guy who willfully gained unauthorised access regardless of how easy it was.

Yes, and that is why this is controversial. The white hat broke his contract of academic integrity. By the book he should be punished. But on a human level what he did was kinda sort of a good thing. It is mostly agreed that some rules can be bent in certain circumstances; it is what makes us human. If evrey single person never strayed from  the law it would open some serious metaphysical thinking that at that point we would lose all humanity, and in fact be meat machines. 

 

I don't want to be a meat machine and I don't think you want to either that is why it is important to have open discussion on the effectiveness of important policy and power structures.

[ZestyJalapeno]

4 minutes ago, MoistyMcMoistface said:

Yes, and that is why this is controversial. The white hat broke his contract of academic integrity. By the book he should be punished. But on a human level what he did was kinda sort of a good thing. It is mostly agreed that some rules can be bent in certain circumstances; it is what makes us human. If evrey single person never strayed from  the law it would open some serious metaphysical thinking that at that point we would lose all humanity, and in fact be meat machines. 

 

I don't want to be a meat machine and I don't think you want to either that is why it is important to have open discussion on the effectiveness of important policy and power structures.

If I was in his position I'd have been urged to do the right thing, but I have invested already so much money and time into my degree and to lose that over morality would pretty much mean that I've wasted my life at this point. However, he could've gotten around it by trying to warn them anonymously. 

[Windows7ge]

8 hours ago, leadeater said:

And if you work at one make use of what you have, as part of our employment agreement we are allowed to take any papers we like (subject to entry requirements) at no cost. There is a maximum limit of how many we can take each year but that's fine, also have a job to do right .

When I see fit I like going beyond the classroom to further my education. There's many useful things the colleges just don't teach that places like this forum will. I like coming here to share what I know, correct what I thought I knew, and learn new things. Like when someone has a problem that I have no understanding of. I can research the issue online and read peoples posts who answer their threads.

 

Then theirs the people like the 2 or 3 in my current class. Server Administration, using CentOS, php myadmin, and a few other programs. A few people were caught cheating on the midterm. For whatever reason after the professor reported them the department responsible for dealing with those things said they can't do anything about it. So my professor is going to take matters into his own hands. That's someone who cares about his students learning.

[leadeater]

25 minutes ago, Windows7ge said:

Then theirs the people like the 2 or 3 in my current class. Server Administration, using CentOS, php myadmin, and a few other programs. A few people were caught cheating on the midterm. For whatever reason after the professor reported them the department responsible for dealing with those things said they can't do anything about it. So my professor is going to take matters into his own hands. That's someone who cares about his students learning.

That can actually be a rather interesting thing, the difference in assessment versus how things are really done out in the industry. How did these students cheat? Did they use internet access to gather the required information to answer the question/get the required system running. That is actually how we do it, along with using existing documentation and expert advice from vendors. We do use our fundamental knowledge and experience to evaluate what we find and the advice given to come to what we think is the best solution.

 

Assessments are a great way to show all the people that are good at remembering the exact instructions given in class and labs but it doesn't show the people that are good at problem solving and finding solutions. Obviously there is a place for assessments and there needs to be a way to evaluate student learning but educators can actually tell exactly where students are at without them anyway, it's one of the tools used to spot cheaters i.e. abnormal success where it is not expected.

 

My personal feeling when it comes to technology is the best way to learn it is through good instruction combined with broad and complex projects where the student is left to solve it on their own or as a group, guidance is necessary. Exploration and self discovery is one of the true ways to embed real understanding that will last well after graduation, rope learning and theories alone actually do a rather poor job.

[Okjoek]

Right make it so the US can't establish its own cyber-security force then gov't b*****es about other nations hacking them all the time.

[AntonChigurh]

"Oh this guy hacked our system easily and was nice enough to tell us what was wrong, you know, the thing big corporations literally pay people to do. Let's suspend him."

[PlayStation 2]

I understand that they suspended him for gaining unauthorized access, but their response is fucking stupid.

[Windows7ge]

1 hour ago, leadeater said:

How did these students cheat?

The professor likes to keep things anonymous which prevented us from learning exactly who did it and how. However he told us how he plans to discipline the individuals when they just so happened to not be in the classroom which ruled out 90% of the class because most of us were in the room at the time. The ones not in the classroom just so happened to be a handful of foreigners primarily middle-eastern and Nigerian people (I can't say they were really Nigerian but their skin color and in-particular thick accent leads me to believe that's where they're from) . They always did huddle around each other which could be a cultural difference but I always found it suspicious. They even did it during the midterm. Sat next to each other very tightly. The professor gave us a lecture on "Academic Integrity" the following class (it was when he told us he knew people cheated) and for some reason emphasized (got angry and loud) while mentioning "USB drives with cheating documentation on them", and "Using the internet to research the answers". He didn't so much emphasize the other cheating methods so I get the feeling those were what was used. They seem the most typical methods as well seeing as how computers were used to take the test.

1 hour ago, leadeater said:

Assessments are a great way to show all the people that are good at remembering the exact instructions given in class and labs but it doesn't show the people that are good at problem solving and finding solutions.

This is a VERY accurate description of how I learn and apply knowledge. My memory is garbage. In particular short term memory and when it is expected to remember vast very specific small details like Terminal commands. Or what a particular field is called in a file output after running a particular command. This can also be applied to the CISCO Certified Network Associate curriculum (My major). CISCO expects you to memorize every single microscopic detail about their switches and routers to pass their tests and it is not easy for my in the slightest. However, I have discovered that I have a very strong act for troubleshooting. When somethings not working my brain immediately fills with every possible thing that could cause the error and I'm able to use process of elimination based on what occurred prior to the error to deduce what is most likely to solve the issue. More often than not I'm able to solve the problem using this method within a relatively short amount of time but college doesn't allow me to apply this knowledge. I have to be outside the classroom helping friends or family to apply these skills.

 

(This isn't troubleshooting. This was just my extreme creativity.)

Except when I was taking a programming class (Visual Basic). The professor gave us two optional loops that would allow us to determine whether an input or series of inputs inside a 1D array were true or false when compared to a value. Looking over the two options that he wrote for us and all we had to do was patch it in our programs I thought they were more complicated than they had to be. He taught us to make our code as simple as possible so our programs used the minimum system resources to complete the desired task. So I asked him if I could write my own. He was intrigued that I wanted to try and write my own and said OK but that he had to check it before I used it. Within 24hrs I had it written, tested, and working. I showed him the following class. He was impressed and approved it. From then on any other application we wrote if we had to determine weather input(s) complied with a particular predetermined value I was able to use my simpler code to compare the value. Then approve or disapprove and have different things occur accordingly.

Surprisingly I still have my code written down in my notebook if you ever want to write a program in VB that could use it. 

[leadeater]

8 minutes ago, Windows7ge said:

This can also be applied to the CISCO Certified Network Associate curriculum (My major). CISCO expects you to memorize every single microscopic detail about their switches and routers to pass their tests and it is not easy for my in the slightest.

Yep totally feel your pain, I've done CCNA.

 

8 minutes ago, Windows7ge said:

The ones not in the classroom just so happened to be a handful of foreigners primarily middle-eastern and Nigerian people (I can't say they were really Nigerian but their skin color and in-particular thick accent leads me to believe that's where they're from) . They always did huddle around each other which could be a cultural difference but I always found it suspicious. They even did it during the midterm.

My secondary school computing teacher was also a licensed test supervisor for flight school exams and tests were held after class, he would often get students from those regions turning up with stacks of cash trying to pay for a pass, in a way it actually is a cultural thing as it's very common to just pay your way and see nothing wrong with it. Most do know that it's wrong in our culture but try it anyway.

[2FA]

It's not illegal or immoral to accidently discover an exploit. If you then purposely use that exploit to further gain access without explicit permission, then you are in the wrong.

 

He was purposefully testing or penetrating the security without permission and should be punished for it accordingly. Part of being a white hat is only hacking when given permission to.