'hacker' thread on uk.education.schools.it

[CyberNerd]

http://groups.google.com/group/uk.ed...2ec3d3a6c3243e

OMFG ! This is truely the most batty thing I've heared of.

[bossman]

You can say that again. But can't help feelin sorry for the guy if it is true what he is sayin? Seemas like one big mess. I do know of schools where they have little if no security whatsoever. This is one for the local authority to work out good luck to them.

[indie]

Interesting, I believe the school are also breaking the Data Protection Act by placing those files online for anyone to download.

[Gatt]

Just looked at the website's front page - is it me or does this site seem to function as both its INTRAnet and its INTERnet site?

Having a menu labelled "Student Data" where u can choose to look at info such as their behaviour availble on the Internet is shocking - that should not be there - for any reasons!

[indie]

Exactly, I'm on the verge or ringing the school to tell them they're breaking the DP act, I've already spoken to someone at the information Commissioners office about it.

[indie]

Heh, looks like the site is now offline :P

[petectid]

The server is a Frogteacher box this supplies web services with access to the school network mapping the users home folder in Active directory so that it can be accessed from any Internet connected PC via Internet Explorer (Home School links). One issue that I am aware of is that Google indexes pages that you may not wish the public to view. This post on Google outlines a "Google hack” the search string used is in the first post. If one of the pages indexed has search facilities for the MySQL database the users can be listed, as with any other data stored there. I suspect this is where the person has fallen foul; they have found one of these links in google and exploited it.

[woody]

Wow this is the school I went to when I was a lad! I can't beleive they've been so stupid? Does anyone know who their Network manager/It technician is? It would be interesting to hear their take on this.

[Gatt]

@woody: Normally i'd say "Check their website".. but in this instance that may not be the best thing to do - lol!

[Ric_]

Quote:

Originally Posted by Gatt

@woody: Normally i'd say "Check their website".. but in this instance that may not be the best thing to do - lol!

Job Centre might be a better bet

[GrumbleDook]

The problem seems to be that the authentication for the session is based in the id string for the page ... if the account that that session had been used had had it's account locked then you would not be able to access it.

It is a common problem with systems that keep authentication shells of any sort for more that a few hours without being cookie based, or similar (integrated windows authentication as an example of not needing to authenticate repeatedly).

The actions of the school were over the top ... the attitude of the student was over the top ... a friendly word from the student to the NM would have sorted this out long since.

[e_g_r]

Why blame the NM? I'm sure at Hathershaw they have some bigwig in charge of this thing, not your put upon NM.

[Geoff]

I have already made my views known in the newsgroup thread in question.

[Ric_]

Quote:

Originally Posted by e_g_r

Why blame the NM? I'm sure at Hathershaw they have some bigwig in charge of this thing, not your put upon NM.

To be fair... these systems tend to be thrust upon the NM (if they are kept in the loop at all). It will make other users of the froggy system (or whatever it's called) sit up and take a good look at their setups. The producers of the system wil also be a little embarrassed I imagine.

[GrumbleDook]

I have to admit to having lost any sympathy with the student now ... he has registered a similar domain (top search in google) and posted a site outlining it all ... does he not know how stupid and damaging to his case this might be?

He hasn't responded on the thread at all on the newsgroup but I have tried contacting the school (the site is now down so they may be aware) but without success.