On Mon, 21 Jan 2013 23:23:16 -0500, Jean-Francois Mezei said:
> This article may be of interest:
>
> http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developing mobile software to interface
> with the school's system, found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
>
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"
The interesting part is where the same people who were totally unaware that they had a major security hole until it was pointed out to them were also able to issue a very fast blanket denial that any student's information was in fact compromised. Sure, you can check your logs for the footprint of the attack - but apparently this wasn't actually being done before the student mentioned it to them.
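The "check your logs for the footprint" point is concrete enough to illustrate. The block below is an added example, not code from the thread, the article or the school in question: it assumes a made-up access-log layout (client IP, authenticated account, request line, status), a made-up URL scheme in which student record N lives under /students/N/, and a made-up account naming rule where account "s1001" owns record 1001. Given those assumptions it answers the question the school answered by fiat: which accounts successfully fetched records that were not their own, and which records.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example; not taken from any real system.
# Assumed layout: <client ip> <authenticated account> "<request line>" <status>
SAMPLE_LOG = """\
10.0.0.5 s1001 "GET /students/1001/record HTTP/1.1" 200
10.0.0.5 s1001 "GET /students/1001/grades HTTP/1.1" 200
10.0.0.9 s2042 "GET /students/2042/record HTTP/1.1" 200
10.0.0.9 s2042 "GET /students/2043/record HTTP/1.1" 200
10.0.0.9 s2042 "GET /students/2044/record HTTP/1.1" 200
10.0.0.9 s2042 "GET /students/2045/record HTTP/1.1" 200
10.0.0.7 s3300 "GET /students/3300/record HTTP/1.1" 200
10.0.0.7 s3300 "GET /students/9999/record HTTP/1.1" 404
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
# Assumed URL scheme: a student's record sits under /students/<numeric id>/...
RECORD_RE = re.compile(r'^/students/(\d+)/')


def own_record_id(user):
    """Assumed ownership rule: account 's1001' owns student record '1001'.
    Returns None for accounts that do not follow that pattern."""
    if user.startswith('s') and user[1:].isdigit():
        return user[1:]
    return None


def parse(log_text):
    """Parse the assumed log layout into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_cross_account_access(log_text, only_successful=True):
    """Map each account to the sorted list of *other* students' record ids it requested.

    With only_successful=True, only 2xx responses count, because a 404 or 403 means
    no record was actually disclosed; set it to False to see attempts as well.
    An empty result is the evidence needed to back a 'nothing was compromised' statement
    for the period the logs cover; a non-empty one names the accounts and the records."""
    accessed = defaultdict(set)
    for ev in parse(log_text):
        rm = RECORD_RE.match(ev['path'])
        if not rm:
            continue
        if only_successful and not ev['status'].startswith('2'):
            continue
        record_id = rm.group(1)
        if record_id != own_record_id(ev['user']):
            accessed[ev['user']].add(record_id)
    return {user: sorted(ids) for user, ids in accessed.items()}


if __name__ == '__main__':
    for user, ids in find_cross_account_access(SAMPLE_LOG).items():
        print(f"{user} read {len(ids)} other students' records: {', '.join(ids)}")
```

On the constructed sample this flags account s2042 for reading three other students' records and ignores s3300's failed request to a nonexistent record; it is the kind of check that has to be running before the incident if the denial is to mean anything.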