"Police: School data hacked, grades altered"
http://www.republicanherald.com/articles/2009/01/15/news/local_news/pr_republican.20090115.a.pg1.pr15hacker_s1.2230498_top4.txt
Every once in a while, we get a great example of why web application security is vital no matter where in the world you operate. Even though academia often feels it is the exception, citing lack of funding, chaotic environments and a cornucopia of other reasons, every so often a news nugget proves that it needs good web application security just as much as the rest of the business world.
An article in the Pottsville, PA Republican Herald, posted last Thursday, January 15th, 2009, identified an incident that caused a bit of a ruckus.
"Pottsville police anticipate filing charges against one or more computer hackers who unlawfully made changes to an online grading system used by Pottsville Area School District.

“You had some people who hacked into a school-functioned, online site and found ways to change data that was put in there,” Pottsville police Capt. Ronald J. Moser said Wednesday.

“In this case, someone figured out a teacher’s login and password. It is still a federal offense,” said Monica Langenberg, Shawnee, Okla., director of business development for Classroll.com."
There are several things we can glean just from that critical quote... let's address them:
- First, this incident highlights the dangers of having publicly accessible grading systems and school-tied information available on the public Internet. Perhaps the school system should evaluate the sanity of having such critical information for its students protected by a simple username/password system available to the whole of the Internet?
- Unless I misunderstand the content of this article... no one "hacked into" anything... the students simply guessed the login credentials of a teacher, who, coincidentally, should be held accountable as well for having easily guessable credentials to such a system.
- A "federal offense"? That's fascinating...
- The student demonstrated a lack of malicious intent, in my view, simply by making the types of changes that would get them caught... it very well could have been done silently over time to really cause some damage.
What does this teach you, if you're in academia and evaluating or building an online system like this? Secure it. Base-level login/password authentication from 1999 isn't going to work... Also, because of COPPA (Children's Online Privacy Protection Act), there is much greater accountability for academic environments when it comes to protecting children and their information.
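One practical takeaway for whoever runs a portal like this: the "guessed a teacher's password" pattern leaves a trail of failed logins followed by a success, and the grade edits that follow can be tied back to it. The script below is an added example, not code from the article or from Classroll.com; the log format, account names, IPs and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for a grading portal (not real data):
# ISO timestamp, event, account, client IP, detail.
SAMPLE_LOG = """\
2009-01-12T21:02:11 LOGIN_FAIL teacher.smith 203.0.113.7 bad_password
2009-01-12T21:02:25 LOGIN_FAIL teacher.smith 203.0.113.7 bad_password
2009-01-12T21:02:40 LOGIN_FAIL teacher.smith 203.0.113.7 bad_password
2009-01-12T21:02:58 LOGIN_FAIL teacher.smith 203.0.113.7 bad_password
2009-01-12T21:03:14 LOGIN_OK teacher.smith 203.0.113.7 -
2009-01-12T21:05:02 GRADE_EDIT teacher.smith 203.0.113.7 student=4471 old=C new=A
2009-01-13T07:45:00 LOGIN_OK teacher.smith 198.51.100.20 -
2009-01-13T07:50:10 GRADE_EDIT teacher.smith 198.51.100.20 student=4480 old=B new=B+
"""

FAIL_THRESHOLD = 3            # assumed tuning values; adjust per environment
WINDOW = timedelta(minutes=10)

def parse(log_text):
    """Split each log line into (timestamp, event, account, ip, detail)."""
    events = []
    for line in log_text.splitlines():
        ts, kind, account, ip, detail = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), kind, account, ip, detail))
    return events

def find_guessed_logins(events):
    """Return (time, account, ip) for every LOGIN_OK that follows at least
    FAIL_THRESHOLD failures on the same account from the same IP within WINDOW."""
    recent_fails = defaultdict(list)      # (account, ip) -> failure timestamps
    hits = []
    for ts, kind, account, ip, _ in events:
        key = (account, ip)
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= WINDOW]
        if kind == "LOGIN_FAIL":
            recent_fails[key].append(ts)
        elif kind == "LOGIN_OK":
            if len(recent_fails[key]) >= FAIL_THRESHOLD:
                hits.append((ts, account, ip))
            recent_fails[key].clear()
    return hits

def suspicious_grade_edits(events, guessed):
    """Grade edits made by a flagged account/IP pair after its suspicious login."""
    return [e for e in events if e[1] == "GRADE_EDIT"
            and any(e[2] == acct and e[3] == ip and e[0] >= t
                    for t, acct, ip in guessed)]
```

Running `suspicious_grade_edits(parse(SAMPLE_LOG), find_guessed_logins(parse(SAMPLE_LOG)))` flags only the edit made from the session that followed the run of failures, while the teacher's own edit the next morning from a different address is left alone.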
Posted 01-20-2009 3:05 AM by RafalLos