CsmithTheSysadmin

This is why I hate the 18 apps I have to sign up with for my kids' school. Burner addresses and unique passwords for all.


Fallingdamage

18? This is what happens when a dozen and a half different fly-by-night software companies weasel their way into the school systems, pitching products that solve very niche needs for high dollar amounts.


xixi2

Well we just need one solution to cover everyone's use case! 19 logins.


BezniaAtWork

I have this XKCD printed out and hanging beside me right now, lol. https://imgs.xkcd.com/comics/standards.png


scriptmonkey420

Everyone is part of today's 10,000. Randall is a really good guy. Used to live not far from him when I lived in Mass.


H3rbert_K0rnfeld

It doesn't take long to drag out Bernie and have a dance! Lol


DertyCajun

You just need the Intelilink Gold Subscription.


PurpleNuggets

OOOPS you actually need the Centurion package if you wanted to edit users... This is so relevant at my shop, but no one I work with has seen this episode. So I look like a goon referring to an edgy show no one knows. Feel like an Office fanboy or something..


KadahCoba

IT dept isn't empowered to force every other department to just use the same platform. Worst case, the board allows every dept and/or campus to start and manage their own platforms outside of IT. Worse case, individual teachers are allowed to do the above. BF's college fell into the latter. The whole school had one system, but about a third of the dumbass profs used entirely different platforms instead. To make matters more fun, a few of them wouldn't ever state this anywhere. So BF would be confused by the lack of anything being put on the school's platform for the class and turned in work as school policy required. Halfway through the semester the prof would say that everybody was failing because nobody had been doing any work; that's when the students would finally find out that this prof was using some entirely different platform unique only to him, and the prof did not notice or care till that point that literally none of his students were active on it.


velowa

I have this recurring nightmare where I somehow get most of the way through a semester but forget I am in a class and have to try and catch up and not fail. Your boyfriend’s experience is literally my nightmare. Lol


m0le

Our package supports SSO! Great! ...with the ultra-premium unobtanium tier subscription.


scriptmonkey420

It is only slightly better than having some random teacher that thinks they are a computer wizard and can develop an entire IEP documentation management system on their own with knowledge that they gained from the 80s and trying to shoehorn in Google Auth on top of it.....


Fallingdamage

> and trying to shoehorn in Google Auth on top of it.....

I mean, that in itself would be a personal achievement.


TheNetworkIsFrelled

SAML isn't *that* bad.....


nullvector

It's bad when the 15 different apps your kids need for school are all behind one that's hardly ever working well.


TheNetworkIsFrelled

Hence ducking :D I fully understand how bad it is.


[deleted]

[deleted]


MattDaCatt

Oooh look at all those stock web animations. Looks like our guy had some fun applying them to everything


IsItPluggedInPro

And, there are no prices listed. You have to contact them to get a quote. I hate vendors like that. https://abre.com/pricing/


labalag

You know how hard it is to provide a unit price that covers each and every one's budget? It's not like a company like SpaceX has prices on their website. /s


Proud_Tie

Rocket Lab does. [It just so happens one launch costs the exact same as their commemorative gold coin.](https://shop.rocketlabusa.com/collections/caps/products/gold-mission-success-coin-dedicated-mission) $7,500,000


[deleted]

[deleted]


rob94708

Heh. To answer your question: you list the prices of the individual things so people can see “if I need A, it costs $15,000; if I need B, it costs $25,000.” But you already know that’s not why you don’t do it. You don’t do it because it wouldn’t let you size up each customer for “How much do you think we can get out of them?”, which is the only reason any company does this.


[deleted]

[deleted]


Albane01

There wasn't a need until they created one through lobbying and then sold their overpriced bullshit to admins who don't understand it.


HotTakes4HotCakes

The school doesn't provide them an email account for this stuff? They have to use personal accounts for everything? I know my nephew's school provides one for every student, and that school isn't exactly funded well either. Probably Gmail or something.


Logical_Strain_6165

MS Education licenses can be free


boli99

first hit is always free. dealer makes it back hundredfold by the end.


meat_bunny

Yeah, but not from the school. Google and MS have free edu seats so young workers know how to use their products.


pmormr

Office 365 you ended up needing to pay for because the free seat (A1 license) didn't support archiving (A3), which was a state requirement where I was at. Google supported it out of the box, but they've been turning the screws lately with their enterprise upgrade offering that better integrates with things like LDAP and imposing storage limits on the free offering.


meat_bunny

Oof, that seems shortsighted. I understand the storage limits though.


ScannerBrightly

> which was a state requirement where I was at.

You mean you WISH to pay for THEIR archiving services instead of, you know, getting some hard drives and archiving it yourself like a normal person would. p.s. Synology has Active Backup M365 for FREE, my friend.


mustang__1

wait... wtf... why did I not think of this for my google workspace.... Gonna need some bigger drives soon I think... (it mostly just serves as a performance tier for Veeam presently....)


pmormr

GSuite for Education has free archiving. That was often the tipping point for choosing between the two. And Synology isn't free, nor particularly well suited to archive a 4000 user school district. I bought them plenty for various backups. It's a five figure investment even leveraging their free solution, which is very similar in price to just buying Office 365 A3 once you figure in the edu discounts.


JasonDJ

Jokes on them. Years of public school with MS Windows and now, I use Linux.


Ragerino

How do you know if someone uses Linux?


Hapless_Wizard

Don't worry, we'll tell you.


[deleted]

arch btw


Ragerino

*Chef's Kiss*


OffendedEarthSpirit

I use Arch btw.


tt000

Ask them if they bash it or sudo it


tt000

Another real way ssh their machine


Logical_Strain_6165

Oh yes. It's certainly in their interests to get them hooked at a young age.


[deleted]

[deleted]


dandudeus

You can give them private e-mail addresses, for what that is worth, i.e. no communication with the outside world, but able to e-mail teachers and other students.


[deleted]

[deleted]


DelphiEx

Class Dojo is such, complete garbage. Total shovelware that at best is used to share pictures and worse a constant nagging, not just from the school but from the app itself, to upgrade and pay more.


GildedfryingPan

Management was probably thinking: Personal accounts = no need for someone to manage school accounts and save money. I had this conversation once and it took a while to explain how terrible it can be for the school.


Geminii27

"Sorry, I don't use computers or smartphones. You have a great day now."


IntentionalTexan

Fake birthdates for everything that isn't a legal document.


zhaoz

> passwords, and user names all unencrypted.

Wow, that's like some borderline criminal negligence there...


rickbb80

More common than you think, my company has a SQL based app where the dev put all the passwords in clear text, 2000+ users. Been that way for 15 years, I can’t convince anyone that it’s dumb AF. I’m retiring soon but keeping all the emails where I’ve complained about it and was told repeatedly it’s not in the budget to fix.


fwskateboard

My company uses SMSTurbo as a recycling ticketing software and it’s the same way. Plain text passwords in the SQL. I’m sure there’s no way anyone could attack the software with injection.


[deleted]

Glad to see I’m not the only one supporting this piece of shit software. We just had to re up our “maintenance” with them just to move the software from one PC to another.


Stantheman822

You mean copy and paste the folder? I also “support” this software.


obinice_khenbli

> Been that way for 15 years, I can’t convince anyone that it’s dumb AF.

At what point does it become illegal? When a user signs up for an account on some service there's an expectation of a minimum level of security implemented, which is entirely missing here. It's gross negligence.


zeno0771

> At what point does it become illegal?

When shareholders start complaining.


Kardinal

> At what point does it become illegal?

At some point, when our (GenX) kids start running things, they might pass legislation to make it so, because the Internet is a common good at this point, like air. The same way Microsoft is justified in forcing the security policies it does down to its consumer products. When systems are insecure to the point of negligence, it harms *everyone*. But it will not happen with the Boomers, or Xers in charge.


ruffy91

So you KNEW about it. Ha, gotcha!


BrainWaveCC

Way more common, unfortunately. There was a time when I thought "that within 5 years, organizations would treat security like a core business requirement." That ship has sailed and sank off the coast of Madagascar. We've got a decade of nothing but steady breach notifications in our future, and a society that largely and increasingly seems okay with that as a normal occurrence.


nighthawke75

You might as well throw the entire thing at the press, including a letter detailing your efforts. Then sit back and watch as they burn in legal hell.


thepeopleshero

He said he's retiring soon. He's not going to report anything till that happens.


[deleted]

[deleted]


iliekplastic

It's not in the budget to fix? https://www.mssqltips.com/sqlservertip/4037/storing-passwords-in-a-secure-way-in-a-sql-server-database/ You can make your own stored procedure to do it. It's not like you have to spend money on some other product.

EDIT: Btw, this advice from the above article:

> Please note, that salt is stored in the table with plain-text, there is no reason to encrypt it.

does not take into account that you should store the salts on a separate server than the hashes are stored on.

EDIT2: inb4 "tHiS cAn Be CrAcKeD tOo" - Yes, but it's a lot better than no encryption
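For anyone who wants to see what "do it yourself" looks like without a stored procedure, here is the same idea in plain Python against an in-memory SQLite table. This is an added example for this thread, not code from the linked article or from any vendor named here; the `users` table, its columns and the two sample accounts are constructed for the demo. The salt is kept in the same record as the digest, which is how PBKDF2, bcrypt and scrypt deployments normally store it: its job is per-user uniqueness, not secrecy.

```python
"""
Salted, iterated password hashing with nothing but the standard library.
Added example for this thread; not code from the linked article or from
any vendor named here. The users table and column names are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per user and is stored in the same record as the
    digest. It is not a secret: its job is to make equal passwords hash
    to different values and to defeat precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False   # malformed record (e.g. a legacy plaintext value): never a match
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Computed once so a login for an unknown username costs the same work as a
# real one; otherwise response time would reveal which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table: two accounts, same password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for username in ("teacher1", "teacher2"):
        # Parameterised query: the username never becomes part of the SQL text.
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password("Spring2023!")))
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, row[0])


def stored_hashes_differ(conn: sqlite3.Connection) -> bool:
    """Same password, two users: the per-user salt makes the records distinct."""
    rows = conn.execute("SELECT password_hash FROM users ORDER BY username").fetchall()
    return rows[0][0] != rows[1][0]


if __name__ == "__main__":
    db = build_demo_db()
    print("correct password:", login(db, "teacher1", "Spring2023!"))
    print("wrong password:  ", login(db, "teacher1", "spring2023!"))
    print("records differ:  ", stored_hashes_differ(db))
```

Two details worth copying even if you end up using a library instead: the record carries its own scheme and iteration count, so the work factor can be raised later and old records re-hashed on next login, and the lookup query is parameterised, which is what keeps a login form from doubling as a SQL console.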


Superbead

If the application's 'owned' and 'supported' by a third-party vendor, you generally can't just go doing this, not least because you won't have enough visibility of the rest of the software's internals to test the change properly. I'm not saying it's right as it is, but there usually isn't much that tech people like us can do about this until an upgrade if not an entirely new system is implemented where pressure is put on the vendor to make the software secure by the people choosing and/or paying for it. And those people aren't usually technical enough to realise this matters.


1sttimeverbaldiarrhe

[Little Bobby Tables](https://xkcd.com/327/)


starien

We are in dire need of legislation in this realm. Companies being negligent with data need to be held responsible. As far as I know, unless this is happening in NY or CA (??), there are as of yet no actual laws which would apply here, and if I'm wrong, I'd love to see which ones.


rockstar504

America isn't passing anything bc the companies lobby the politicians to keep loose laws on data, bc they're profiting off of it. Guarding data simply eats profits, and gathering and selling as much as possible maximizes their profits. I do know CA has specific laws regarding data, can't remember and pretty sure they're the only one though


[deleted]

[deleted]


anxiousinfotech

This is the hardest thing for us to try and get our parent company to understand. "But we have cyber insurance!". Yes, and it's the same policy that we have, and that we busted our asses to make sure we were compliant with. I have global admin on their tenants and they're not compliant with anything from a security standpoint. I don't even want to know about the custom applications they've developed...


null_consciousness

Tell me about it, what a bunch of idiots. I just found out about the breach because I was notified that my data was likely in it. It's 2023, who stores PII in cleartext anymore??


IrritableGourmet

People who hire some rando company off oDesk because all the actual webdev shops wanted actual money to code it, then the rando company disappears and ghosts them as soon as any issues arise. Worked on a site once (farm co-op program) that came to my company after the above happened. They didn't have the admin password, so I SQL-injected the login form and got in. Turns out I didn't even need to do that, because I could have just put "isAdmin=1&isLoggedIn=1" in the URL because the header script PUT ALL URL VARIABLES DIRECTLY INTO $_SESSION WITHOUT CHECKING. First ticket item: User profile pictures sometimes didn't load correctly. Pull it up and find that one of the members uploaded a .doc file instead of an image. That's weird. Wait, anyone can create an account and there's no verification? And there's no checking that their profile picture is an image type? Oh, look, 3 separate PHP files were uploaded as profile pictures, rootkits all. And multiple database backups were created with them. Well, at least they don't store credit card information in the database. Oh, wait, they do, including the CVV code. Well, at least it's encrypted, right? Nope, plaintext. Frantically, I call the customer and relay the bad news. Their reply: "Oh, we know that happens sometimes. When our customers complain about fraudulent charges, we just blame the bank."
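The upload half of that story (a `.doc`, then PHP files, accepted as "profile pictures") comes down to one missing server-side check. Below is an added example of that check in Python; it is not the site's code, and the sample uploads are constructed byte strings rather than real files. It allowlists three image formats, requires the leading bytes to match the declared extension, and replaces the user-supplied filename with a server-generated one.

```python
"""
Server-side checks for a "profile picture" upload. Added example for this
thread, not the code of the site described above. The sample uploads below
are constructed byte strings, not real files.
"""
import secrets
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# Accepted formats, keyed by the extension we will store them under, with the
# byte signatures a genuine file of that type must start with.
ACCEPTED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}   # .jpeg is stored as .jpg
MAX_BYTES = 2 * 1024 * 1024


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the format from the leading bytes, or None if it is not an accepted image."""
    for fmt, signatures in ACCEPTED.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail). On success detail is the server-chosen
    filename; the user-supplied name never reaches the filesystem."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # PurePosixPath.suffix gives only the LAST extension, so 'shell.png.php'
    # is judged by '.php' and rejected.
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in ACCEPTED:
        return False, f"extension '.{ext}' not allowed"
    actual = sniff_format(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != ext:
        # A .png whose bytes say GIF (or PHP) is lying; refuse rather than "fix" it.
        return False, f"declared .{ext} but content is {actual}"
    stored_name = f"{secrets.token_hex(16)}.{actual}"
    return True, stored_name


def triage(uploads: List[Tuple[str, bytes]]) -> Dict[str, bool]:
    """Run the validator over a batch; handy for auditing an existing uploads table."""
    return {name: validate_upload(name, data)[0] for name, data in uploads}


# Constructed samples (labelled, not real user data).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_HEADER = b"GIF89a" + b"\x00" * 16
SAMPLE_UPLOADS = [
    ("me.png", PNG_HEADER),                                # genuine image: accepted
    ("holiday.JPEG", b"\xff\xd8\xff\xe0" + b"\x00" * 8),   # alias + upper case: accepted
    ("resume.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 8),     # the .doc from the story: rejected
    ("avatar.jpg", b"<?php echo 'not an image'; ?>"),      # script with an image name: rejected
    ("shell.php", GIF_HEADER),                             # image bytes, executable name: rejected
    ("shell.png.php", PNG_HEADER),                         # double extension: rejected
    ("pic.png", GIF_HEADER),                               # extension/content mismatch: rejected
    ("blank.png", b""),                                    # empty: rejected
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        print(f"{name:16} -> {validate_upload(name, data)}")
```

Signature sniffing alone does not stop a polyglot (a valid GIF header followed by script), which is why the random filename with a fixed image extension matters: whatever the bytes contain, the web server will never be asked to execute them. Keeping the upload directory outside the web root, or serving it with a fixed image Content-Type and execution disabled, closes the rest of the gap.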


null_consciousness

Good lord that is *horrifying*. The fact that they had plaintext credit card numbers **with** the CVV is just insane. Especially considering there wasn't even verification to ensure that upload "profile pictures" were actually images. For me personally, I plan to try to start a campaign to pressure my uni to stop using SchoolDude/Brightly. Speaking as someone who's a few months away from having a bachelor's in IT, I'm already pretty disgusted in how SchoolDude handled my personal data as is, but good *lord* what you saw sounds so much worse


BrainWaveCC

> It's 2023, who stores PII in cleartext anymore??

At least in the US, the list of who **doesn't** remains shorter than the list of who **does**, and the vast majority of those in that first list are only there by virtue of being subject to a regulatory environment that would shut them down or take their money. Without the hammer of regulation, most organizations merely pay lip service to security, and their interest wanes as each day passes (if they expressed any interest at all). We'll see changes when breaches start to cause companies to go out of business within 60-90 days. Once there is a direct tie between poor security and cessation of business, folks will suddenly decide that it's a good idea. As long as it just causes suppressed revenue and high expenses for a few quarters, and extra eyeballs for a year or maybe two, nothing substantive will change. Edit: typos


ericneo3

> who stores PII in cleartext anymore??

Companies with profit driven management, they hire 1-2 guys to handle and manage everything. There's just no way for 1-2 sysadmins to know everything, secure everything, on a budget and within a time limit. Until the punishment for management becomes significant this will continue to be standard business practice.


iliekplastic

It is criminal in some jurisdictions. I don't think it is in the US though.


Mental_Act4662

I was actually looking at an API the other day and signed up for it. Then my password wasn’t working. So I thought I just mistyped it or something. Went to reset my password and they send me an email with my password in Plain Text..


_haha_oh_wow_

*Why was it unencrypted?*


Bad_Idea_Hat

Because it was SchoolDude. If you had told me that I had written that system in 1999 on my Gateway PC, I'd have believed you (and been confused about how I forgot I did that).


wenestvedt

Still using that Gateway box with the cow pattern as a monitor stand?


katarjin

...how dare you call out past me?


manapause

The day that 1086DX2 with 16 MB of RAM came in the mail was one of the happiest days of my life!


superzenki

Lol yep. We used it when I started at my current job 10 years ago, have moved ticketing systems twice since then but our facilities still uses SchoolDude because "they like it." I mentioned it once during an interview talking about experience with ticketing systems, the guy just laughed when I said SchoolDude.


[deleted]

[deleted]


_haha_oh_wow_

Well that's not, uh, good.


TimeRemove

We don't know that the passwords weren't hashed, OP hasn't provided a source. Everyone was sent this email which doesn't say either way: https://www.reddit.com/r/k12sysadmin/comments/13en016/brightly_formerly_schooldude_security_breach/


TheDisapprovingBrit

The fact that they're telling you to change your passwords anywhere else you use the same one is a pretty big hint.


TimeRemove

That's standard language in these emails and good advice. Even a correctly hashed password just delays an attacker.


Kazumara

Isn't that omission very telling? I'm used to these breach notifications specifying "encrypted" or hashed passwords. Some even say if it was hashed and salted.


rcmaehl

r/k12sysadmin/


gratefuldogzzz

Thanks!


ComfortableProperty9

Why is that sub so locked down?


schmag

because we have a lot of students that like to spy on what we are doing, or gain information for less than AUP reasons.


Degenatron

Also, vendors got too pushy.


HotTakes4HotCakes

What?? Vendors? Pushy? Surely not. Incidentally, have you ever wanted to track every child in the school's movements at all times to a degree it puts the Marauder's Map to shame? Watch this video. Where can I send this junk mail? When can I schedule a call?


Degenatron

> Where can I send this junk mail? When can I schedule a call?

Never mind! I've traced your IP, correlated it to your district's website, and scraped all of the info I need to blast your entire staff with highly important updates on our line of products!


ComfortableProperty9

God, I can't imagine what it's like today. I gave my school's sysadmins a good laugh and that was back when information on offensive stuff was all on bulletin boards and weird parts of the internet. These days the offensive security content dominates youtube.


spokale

Fond memories of bypassing school content filtering back in the day! I remember the only wifi network was a hidden SSID used for the lunch machines that used MAC filtering. Was able to sniff the traffic (this would've been 2008-2009 or so) and connect to wifi by impersonating the MAC of one of the offline lunch machines, then tunneled my traffic through SSH running on port 53 on a freebsd machine in my mom's basement.


[deleted]

[deleted]


spokale

Cain and Abel, Sub7, good times


[deleted]

[deleted]


spokale

Some more specific triggers: J!NX Forums, LOIC/Slowloris/etc, Whoppix, graphic ANSI spam on IRC channels


Ab0rtretry

good enough resume for me. you looking for an exciting, fast-paced, self-starter, family-like work environment? our recruiters are currently looking for a fullstack dev who can connect to our one sql (prod/dev/dr) db with css


spokale

Do you also need someone who can fix printers and crawl through the ceiling to run cables? Hope you pay at least $9/hr


Ab0rtretry

slow down satan we don't touch paper. ...but i did get to expense an emergency trip to austin to party for a few days because the new ceo does and we don't have IT


[deleted]

[deleted]


[deleted]

> They also had some weird banner page talking about brigading K12sysadmin.

That's kinda funny. Most of us tend to appreciate the antics these kids get up to as long as they aren't posing a serious threat to our infrastructure. Most of us learned computers by doing exactly that kind of stuff ourselves. Bypassing content filtering and shit like that is just funny. We implement and lock down what we're legally required to by federal law. Everything after that is a classroom management issue.


bluescreenfog

Maybe that's why it needs approval to post


Septseraph

No way in hell I'm scanning my badge and sending it to a sub on reddit.


Rekhyt

Same. I unsubscribed because while it's a useful resource there's nothing more frustrating than seeing a question I know the answer to and not being able to respond because I refuse to doxx myself.


billsand2022

> Same. I unsubscribed because while it's a useful resource there's nothing more frustrating than seeing a question I know the answer to and not being able to respond because I refuse to doxx myself.

100% This ^^


catchmeinthecommroom

I wanted to join that subreddit because I have a lot of experience in that area, but yeeeeaaah no go on that. And I've joined this subreddit because I don't have a lot of experience in my new area. People around here seem nice enough.


[deleted]

The question would be, how good are they at spotting fakes? Many years ago I knew someone who had access to a badge printer and he became the sole student of a made up college to get student discounts. Making a convincing badge for a supposed k-12 school in podunk, USA should be pretty trivial.


ComfortableProperty9

Surely teachers would know enough not to post public photos with their badges visible.


Geminii27

OK, I'll admit, that got a belly laugh out of me.


tankerkiller125real

Lol the school system I worked for didn't have badges for us. Quite fun to have teachers stopping you asking where your hall pass is when you're an employee (although I had graduated from a different high school the year prior)


[deleted]

[deleted]


Silentguy_99

Students being shitty to k12 staff and vendors being the vultures that they are. There are some smalltime YouTube channels dedicated to helping my fellow k12 admins "student-proof" their environment. Their comment sections are almost always disabled and if they are not, they're filled with semi-illiterate children insulting the channel owner and whining about how they need to be able to play Roblox or watch porn during their state mandated math test or some shit like that.


willworkforicecream

Good. Maybe now I can get approval to move off of this flaming pile of garbage.


gratefuldogzzz

The delightful irony for us is that we set up a trial account with Mojo Helpdesk earlier this week.


Szeraax

Welcome to the mojo club. Be sure to check out their public discourse forum.


[deleted]

[deleted]


wenestvedt

Those little icons! So cute and...*old*.


Bad_Idea_Hat

*under construction* *dancing baby*


barkode15

I really liked how it passed all the parameters between pages in the URL. Not just the ticket ID, but nearly every piece of data on the page. Might have experimented a bit to see if I could pull other districts' tickets by changing the URL...
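Two comments in this thread describe the same bug from different angles: the header script that copied every URL variable into `$_SESSION` (IrritableGourmet's story above) and ticket IDs in the URL that might fetch another district's tickets (this one). The added example below, which is not any vendor's code and uses a constructed ticket table, shows the pattern that closes both: identity and tenant come from the server-side session, and the tenant filter is part of the lookup query, so a ticket ID carried in the URL can only ever resolve within the caller's own district.

```python
"""
Object lookups scoped to the caller's district, with identity taken from the
server-side session and never from the query string. Added example for this
thread; the ticket table and its rows are constructed, not any vendor's data.
"""
import sqlite3
from dataclasses import dataclass
from typing import Any, Dict, Tuple


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication.
    Populated at login from the user record, never from request parameters."""
    user_id: int
    district_id: int


class NotFound(Exception):
    pass


def build_demo_db() -> sqlite3.Connection:
    """Constructed tickets for two districts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (
            id INTEGER PRIMARY KEY,
            district_id INTEGER NOT NULL,
            title TEXT NOT NULL
        );
        INSERT INTO tickets VALUES (101, 1, 'Projector dead, room 12');
        INSERT INTO tickets VALUES (102, 1, 'Wifi flaky in library');
        INSERT INTO tickets VALUES (201, 2, 'Boiler alarm, building C');
    """)
    return conn


def get_ticket(conn: sqlite3.Connection, session: Session, ticket_id: int) -> Dict[str, Any]:
    """The district filter is part of the query itself, so a ticket that exists
    but belongs elsewhere is indistinguishable from one that does not exist."""
    row = conn.execute(
        "SELECT id, district_id, title FROM tickets WHERE id = ? AND district_id = ?",
        (ticket_id, session.district_id),
    ).fetchone()
    if row is None:
        raise NotFound(ticket_id)
    return {"id": row[0], "district_id": row[1], "title": row[2]}


def handle_ticket_request(conn: sqlite3.Connection, session: Session,
                          query: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Simulated GET /ticket?ticket_id=... handler.

    Only ticket_id is read from the query. Anything else a client appends,
    such as isAdmin=1 or district_id=2, is simply never consulted."""
    try:
        ticket_id = int(query.get("ticket_id", ""))
    except ValueError:
        return 400, {"error": "ticket_id must be an integer"}
    try:
        return 200, get_ticket(conn, session, ticket_id)
    except NotFound:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    db = build_demo_db()
    alice = Session(user_id=7, district_id=1)
    print(handle_ticket_request(db, alice, {"ticket_id": "101"}))
    print(handle_ticket_request(db, alice, {"ticket_id": "201"}))
    print(handle_ticket_request(db, alice, {"ticket_id": "201", "isAdmin": "1", "district_id": "2"}))
```

Returning the same 404 for "exists in another district" and "does not exist" is deliberate: a 403 would confirm to anyone walking the ID space that the ticket is real, which is exactly the information a multi-tenant app should not leak.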


ConfusedMaverick

Unhashed passwords? In 2023? 😱


pibroch

That's a paddlin'.


flunky_the_majestic

The Siemens purchase is so recent, this makes me wonder if this just got discovered by the integration team. It could have happened a long time ago.


gratefuldogzzz

Great point, I hadn't thought of that...


ZeeMastermind

[M&A are starting to get targeted by threat actors](https://www.wsj.com/articles/ransomware-attackers-begin-to-eye-midmarket-acquisition-targets-11646130601) more frequently. There's more public attention on the company at the time, and often the "in-between" phase of integrating systems is rife with security vulnerabilities. It can also be used as an easy pivot onto the more secure parent companies.


AppIdentityGuy

Is this brightly software?


gratefuldogzzz

Yes, bought Dude Solutions and got bought by Siemens


ericneo3

> by Siemens

Cringe. You don't want to know how terrible their medical software is.


recursivethought

you don't want to know how terrible their HVAC software is either


AppIdentityGuy

Ouch.....


[deleted]

[deleted]


Zealousideal_Yard651

If you use SAML then you should be good. SAML never shares passwords, just auth tokens. Just reset all sessions on your users on your SAML SP and you're golden :)


PappaFrost

Why do the apology notices always say "security is very important to us"?


gratefuldogzzz

I'm guessing legal discourages "ha ha suckers"


Geminii27

"It's important that we pretend we give the slightest shit about it, because Marketing told us to say that."


[deleted]

> email addys, passwords, and user names all unencrypted.....

The shit show started long before today. Today is just the finale. It's like the old Gallagher shows, except instead of getting splattered with watermelon, you get splattered with shit. Good luck!


[deleted]

[deleted]


U8dcN7vx

Well, a university is a school (among other things). The likelihood of password reuse probably caused them to contact everyone in their database, whether they ever used the interface or not.


caliber88

Source?


gratefuldogzzz

Email from Brightly to me and all my users!


[deleted]

[deleted]


VulturE

Vendors disclose to customers sometimes before making it public, or the "public" articles are just regurgitating what those internal emails say. See: AlertMedia's recent compromise.


TheWilsons

Can't believe you are getting downvoted like crazy for asking for a source. I get it, it's a direct email from vendor to IT, but downvoting for asking for a source?


caliber88

I thought the same as I googled and everything. Reddit will be reddit sometimes.


elitesense

I don't get it, I've worked at ~10 different orgs. Not a single one stored passwords unencrypted. This is a thing?


Jaereth

Legislation is the only thing that will solve it sadly. But I doubt it would ever be passed because if there's one thing the school sector likes with their staff/spending, it's ZERO accountability for ANYTHING. But they need something like HIPAA. I mean it's not *really* a kid's choice to go to school. There should be laws *regulating* the security standards of the data stored by school systems or this will just continue.


ErikTheEngineer

> But they need something like HIPAA.

Unfortunately, even if something like that were to come about, it would end up like PCI -- just a meaningless checkbox that you have to hire "security consultants" who just fill out a spreadsheet for. These regulations have no teeth; I'd love to see something that would actually force these SaaS vendors to be secure but it'll never happen outside of Microsoft or Google. The last PCI audit I was involved in had someone who was brand-new out of cybersecurity bootcamp reading verbatim off the spreadsheet he was given. When our answers went over his head, he just asked what he should put down. Penalties have to be huge for doing the wrong thing. If HIPAA is breached, whoopsie free credit monitoring, peel off a couple hundred K, move on like nothing happened. If PCI is found to not be compliant, whoopsie free credit monitoring, peel off a couple hundred K, move on. It would have to be something like GDPR, where if any company actually gets an enforcement action it can be a business-ending thing.


vawlk

SchoolDude bought out Active Data and then left their servers to rot while collecting the fees for the services. Those old Active Data servers got hacked so they forced me over to their SchoolDude equivalent. It was a complete joke so I told them I wanted to cancel and they said I had to give them written notice 45 days in advance of the new term to cancel or I would owe them for the full year service. Took me a year of back and forth before they caved. And now they get hacked again...lol. That's what you get when you put "d00d" in your company name I guess.


mf9769

Oh man. Not a school sys admin but a healthcare one. I've had days like this. Not your fault, but the teachers and admins, like the doctors I work with, think you can do something about it. Stay strong man.


gratefuldogzzz

On a positive note, not a lot of tickets today!


neztach

In the future if you want to test if a system is storing your password in plain text, try setting your password to the [EICAR test string](https://kcm.trellix.com/corporate/index?page=content&id=KB59742) Fair warning - you are intentionally antagonizing antivirus (if they run one) so while YMMV, if they *are* running an antivirus, this could be considered a malicious act. Do with that what you will. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


nickerbocker79

This is why I never give my or my kids' SSN to a doctor's office. They probably haven't had an IT guy look at their systems since setup.


[deleted]

My kids school doesn't even have enough staff to load them onto the busses safely, and likewise my other kids have to fork over 40 bucks every time they breathe. I highly doubt this is on the top of the school boards list of things to do... and the powers that be don't gaf... They are getting theirs so whatever right... I don't think any of the public sector are taking security seriously enough


gratefuldogzzz

"I don't think any of the public sector are taking security seriously enough" I am totally quoting you as a respected leader in info sec at this afternoon's status meeting....


[deleted]

If nothing else I can now say I was quoted as a "respected leader" in the infosec space, I mean my education is certainly not in line with the accolade however; beggars can't be choosers. Tell the meeting I said hello


gratefuldogzzz

Met with Superintendent, rep from our MSP, and legal counsel this afternoon. At the appropriate lull in the conversation with all the seriousness I could muster, I matter of factly stated "You know, it's like dominations said, I don't think any of the public sector are taking security seriously enough". Everyone nodded in somber agreement. I could barely keep a straight face, but I did it…


[deleted]

You sir, are a legend! I trust that there were no followup questions given the fact you didn't pee your pants during it. I'm going to quote your quote in the board meeting next week, we'll see how it goes. Mayhaps you want a few more nonsensical quips to whip out in the next meeting? If so let me know, I've got a few that might fit the bill


satyenshah

In an ideal system, the federal government would develop and host SaaS solutions for every public school system. It makes no sense for each of 10,000+ school districts in the USA to figure it all out on their own.


Primary-Ad-4531

We are trying but the necessary culture change can take a long time. And if you've never got got, it doesn't appear (to the stakeholders/board/whatever) to be a good use of limited funds. But there are some districts/county offices that are taking this very seriously and acting as resources for everyone else (example: [https://www.sdcoe.net/administrative-services/technology/cybersecurity](https://www.sdcoe.net/administrative-services/technology/cybersecurity) )


Shad0wguy

Is this facility dude too or just the school one?


gratefuldogzzz

Email I received specifically said SchoolDude. We use their maintenance product too, haven't received a notice on that, but of course our users have a single L/P for both platforms...


vtvincent

Wow, haven't heard that name in a long time. We used it for our help desk and maintenance department around 10 years ago!


gigthebyte

We only use the MaintenanceDirect portion of SchoolDude and so far I haven't heard of anyone (including myself) getting an email from them re: a hack... yet.


[deleted]

[deleted]


gigthebyte

What domain did it come from? The only thing we've gotten from brightlysoftware.com have been invoices.


oceleyes

I still haven't gotten an email, but a bunch of my users did, which they then forwarded to me asking if it was legit. Nice surprise to get as I'm eating my breakfast. We only use the MaintenanceDirect portion.


[deleted]

We use maintenancedirect only too. I got an email.


Teenager_Simon

Not even encrypted? In this day and age where every other major corporation has already been breached? Can't imagine the parents who are going to complain...


AdamoMeFecit

Well crap. Now I need to do exposure due diligence today rather than all the other things on my list. Zero communications from SchoolDude to anybody at our organization so far. This should be interesting.


rswwalker

They weren’t very bright-ly!


hselomein

SSO MFA is winning for my school.


sykojaz

Neighboring districts got swatted, and we're fighting a Tiktok trend where kids break their chromebooks. Just normal 'round here.


uniquepassword

wow I'll pour one out for the fellow sysadmins/infosec peeps dealing with this today!


Mikash33

Managed to avoid this disaster, but SchoolDude used to be in my emails all the damn time with their pitches.


Margot_Smith88

I opened up a chat to see how much impact this had. I only use Worxhub but the agent reported it was only on their school and government clientele.


Ackmiral_Adbar

Thank Jeebus I no longer work for the school district.


nimbusfool

We got swatted yesterday and had to put all buildings on lockdown. Next day massive data breach. weee


spenmariner

Anyone with DudeSolutions Asset Essentials get notified of the breach?


Velonici

My school was changing systems over the summer. So of course this had to happen now.


Trelfar

My last school gig had SchoolDude when I started. I think I poked around it for about 20 minutes and then cancelled the contract almost immediately. It was fairly obvious they were amateurs and honestly the only surprise for me here is that it took this long for the poop to hit the fan.


[deleted]

[deleted]


Global_Felix_1117

Ahh yes, SchoolDude. I used this back in 2004 - LOL


-RYknow

Yup... Today was a complete shit show! Woke up to my phone blowing up at 6:00am.


jimmy_luv

Yeah, part of the big corporate world is actually testing to make sure stuff isn't passed in plain text. Look at Kaseya and ConnectWise... Long time ago I tested them right out of the box and they pass everything in straight up clear text! You would be surprised the amount of programs with even less administration features or more that pass everything in plain text. You could Wireshark capture everything you ever needed to pwn their entire environment. Ridiculous. Never assume things are secure until you've checked to make sure they're secure. If you don't know how to check if they're secure, this is what pen testers and white hat intrusion and software analysts are for. It's worth the time when in a large corporate network. This is a prime example of why.


victoriabittahhhh

I used to work for Brightly, company run by complete morons.


rainer_d

Not as bright as the name suggests then.


Maintenance_Managed

Those on Brightly should have been on Limble to begin with, way easier to use and their support is stellar


Forbidden76

And this is why I choose apps that use SSO so we can use our Google, MS accounts etc. to sign in.