Knee Jerk Reaction Much?

Posted: September 25, 2009 in Computers, Networking, Opinion

A colleague told me today that her son was suspended from school for ‘hacking’ the school computers.  It turns out that he had managed to bypass the Department of Education’s firewall by guessing the password to the local system and was browsing game websites that were blocked by said firewall.

I understand that he did something that was wrong, but I believe the suspension was a complete knee jerk and not appropriate for what had been committed.  Firstly, the network administrator at the school had a password which was a name, a cat’s name to be specific.  This breaks probably the simplest, if not the most important, rule on passwords: do NOT use names or single words for passwords!  Secondly, he was only browsing websites.  It’s not like he had broken into a database or was performing some malicious action against the school or another organisation.  Punishment was necessary/required for breaking the rules, but suspension? Come on, he only highlighted the fact that the brain-dead administrator was stupid enough not to secure his network/systems properly.

It also tells me that not much has changed since I was at high school, when the staff tasked with the school’s network administration or even teaching of computer studies courses knew little about IT or computers in general.  I don’t know if this is a funding issue or the fact that there just isn’t anyone with the required skillsets interested in working for schools, but something needs to change there.

Update: It turns out the passwords are a little more secure than I first understood.  It turns out that another student discovered the staff member’s username and then, through a process of asking said staff member questions in general discussion, worked out the answers to the three security questions required to access a ‘forgotten password’.  This student then logged in as the staff member for my colleague’s son to use (an accessory after the fact, as it were). This is a little more sinister, but still doesn’t change the fact that it was possible for a student to obtain the staff member’s password.  More stringent precautions need to be in place for retrieving passwords (email confirmation, etc.).

The fact that the son in question was suspended when they weren’t the one who obtained the information is an even more glaring insight into how much the school has got it wrong.
