[HN Gopher] Hackers post 25,971 files stolen from Broward schools
___________________________________________________________________
Hackers post 25,971 files stolen from Broward schools
Author : yellowyacht
Score : 58 points
Date : 2021-04-20 17:54 UTC (5 hours ago)
(HTM) web link (www.sun-sentinel.com)
(TXT) w3m dump (www.sun-sentinel.com)
| weird-eye-issue wrote:
| > A report about missing equipment includes a December 2018
| letter from a mother whose son took a laptop from his class and
| switched the inventory tag from his computer after he broke his
| device. The names of the mother and student are included.
|
| This kid is going places. Possibly jail, but definitely places
| okareaman wrote:
| Not with a mother that will turn him in all the time
| eMGm4D0zgUAVXc7 wrote:
| > Possibly jail, but definitely places
|
| Is this a thing where you live, putting kids into jail for
| something as worthless as a laptop?
|
| Everyone has got half a dozen old laptops in their basement
| nowadays, I can hand over 3 to them if that's what they need to
| keep them out of prison.
| ehutch79 wrote:
| I'm pretty sure he lived the same place I do, and the answer
| is Yes. Welcome to life in the US
| arcticfox wrote:
| In my reading, OP was implying that the sort of cleverness
| that leads you to intelligently swap back in a broken laptop
| is the same sort that might well land you in jail eventually
| (or alternatively, on to great success). Not that the laptop
| would be the direct cause.
| weird-eye-issue wrote:
| Finally the only person here who truly understands me :)
| kolbe wrote:
| The key is to hire him before he steps over the line.
| philjohn wrote:
| Depends - being gainfully employed didn't help Nick Leeson.
| arthurcolle wrote:
| Good movie about that with Obi Wan Kenobi starring in it,
| "Rogue Trader"
| shaggyfrog wrote:
| The classic American story of condemning a child to a life of
| incarceration and criminality because a family is too poor to
| afford to replace an accidentally broken school laptop (and has
| no other computer)...
| [deleted]
| creddit wrote:
| He's making a joke. The kid isn't going to jail for this.
| What's more, there's no evidence the kid or his family is
| poor. He might've done it because he was scared of asking his
| parents to buy a new one because he broke it.
| huntermeyer wrote:
| Wow. You've jumped to so many conclusions here.
|
| First you assume the family is poor. Second, you assume the
| laptop was _accidentally_ broken. Third, you assume the
| family has no other computer.
|
| From what evidence do you draw ANY of your conclusions?
|
| Plenty of rich or middle-class individuals steal things. It's
| not just the poor.
| aaomidi wrote:
| Stealing things shouldn't ruin your life but ok.
| weird-eye-issue wrote:
| Literally nobody is saying that. It was a joke.
| creddit wrote:
| It's like a Twitter thread in here.
| userbinator wrote:
| There's something called honesty...
| cgriswald wrote:
| Where I grew up, people were far too judgmental to make
| honesty the right call in a lot of situations where it
| really shouldn't have been a problem.
|
| If I had broken my laptop and was honest about it, they'd
| have gossiped about me, a child, as if I should have the
| sensibilities of an adult. They _might_ have also gossiped
| about my parents. They wouldn't worry too much if I
| overheard--perhaps even making a point of it to 'teach' me
| something. They definitely wouldn't worry about their kids
| overhearing it, and then I'd have to deal with them judging
| me too (read: using it as an excuse to try to bully me). If
| one of their own bullying kids was the reason my laptop was
| broken I'd have gotten to deal with being called a liar on
| top of it all, which would have been an even bigger excuse
| to try to bully me.
|
| Thing is, if I'd have broken it, I'd have done odd jobs and
| saved allowances to repay it. That wouldn't have changed
| anything about the community response, though.
| capableweb wrote:
| People end up in positions where they have to break their
| own moral compass all the time, even if they are generally
| honest people. I'm not condoning it but I do have some
| understanding of unfortunate situations.
| bloqs wrote:
| The land of the free and the home of the brave is such an
| ironic statement it risks being a self-own
| bogwog wrote:
| > The district's Chief Information Officer Phil Dunn warned the
| School Board last week that a new cyber-attack could be
| devastating, affecting the district's ability to pay employees or
| even keep schools open. He requested $20 million to enhance the
| district's cyber-security efforts. The School Board plans to make
| a final decision in the coming weeks
|
| $20 million sounds like a lot to "improve cyber security", but
| I'm not involved in that industry. Can anyone with relevant
| experience share if that's a realistic budget?
| mywittyname wrote:
| Mr. Dunn's Brother-in-law is a foremost _expert_ in the field
| of cybersecurity and his services don't come _cheap_. And why
| bother with a competitive bidding process when Mr. Dunn's BIL
| is peerless in his expertise?
|
| /s
|
| School boards are a special mix of corrupt and incompetent and
| it can be hard to tell which is the cause for any particular
| bad decision they make.
| mistrial9 wrote:
| I have seen this in action - it takes years to get it
| Veserv wrote:
| That is a pretty realistic budget if you are considering an
| entire school district. Broward County Public Schools has 327
| schools with 271,517 students [1] and ~28,000 employees [2].
| So, that is ~830 students/school and an ask for an extra
| ~$61k/school which is significantly less than one extra full
| time person per school. That is ~$73/student which is ~1% of
| the per-student expenditure of ~$7300/student [3].
|
| However, cybersecurity spending is effectively worthless from
| an outcome perspective as even Fortune 500 companies allocating
| hundreds of millions of dollars per year to cybersecurity cannot
| protect against attackers with ~$100k. Given that the
| hackers were demanding $40M, there is no commercial IT system
| in the world that would even claim to make such an attack
| unprofitable let alone actually be able to do so. The best
| systems are somewhere on the order of ~10% of that level, so we
| would need systems literally 10x better than the best currently
| available commercial IT systems for it to even be possible to
| get adequate cybersecurity against this attack.
|
| [1] https://en.wikipedia.org/wiki/Broward_County_Public_Schools
|
| [2]
| https://www.browardschools.com/cms/lib/FL01803656/Centricity...
| Page 35
|
| [3]
| https://www.browardschools.com/cms/lib/FL01803656/Centricity...
| Page 36
| asdff wrote:
| At what point do businesses just stop investing at all in
| cyber security, and just build in some redundancies in their
| organization to make it not matter at all if, say, the
| website went down, or you could readily get another redundant
| simple email server operating? I like to think that some
| businesses have an organizational structure that is so simple
| or baked in with more difficult-to-hack checks and balances,
| like the use of paper, that make them impervious to a hacker.
|
| On one end of the spectrum, we have my local taco truck which
| makes decent business having zero web presence at all, and of
| course various local convenience stores and other small shops
| who might be doing their books in excel, not much different
| really than how they did their books when they bought paper
| spreadsheets from the store. These small businesses are
| uniquely immune to a hacker. What would or could a hacker
| even do to something like a locksmith or a liquor store? Not
| much I don't think.
|
| There must be some lessons from this low tech way of doing
| business that can be carried over to large businesses, who
| have probably been oversold technology for decades by vendors
| looking to make sales. Maybe larger organizations should
| operate more like federations of smaller businesses. Like a
| franchise system but even more decentralized, using as little
| technology as possible, and the oldest, most proven tooling
| available to solve the job when technology is needed, rather
| than the newfangled thing everyone is
| blogging/tweeting/selling to you (that could probably be done
| with some awk).
| mike_d wrote:
| The transcript of the conversation with the hackers is great.
| They believe the district already holds millions in bitcoin and
| that children of a royal family(?) attend the school.
|
| https://www.documentcloud.org/documents/20535698-ransom-chat...
| Uhhrrr wrote:
| That's wild. I wonder if they just always toss that in, in case
| they accidentally hook someone for whom that's true.
|
| A number of things they say indicate English isn't their first
| language: "We could wait you forever", "your revenue is more
| than 4 billions. So it is a possible amount for you."
| anonAndOn wrote:
| What's the big reveal here? Did somebody get an extra set of
| whiteboard markers? From what I've seen, school districts have
| almost no discretionary cash and damn near every dollar is spoken
| for before it even gets spent. To wit, they're typically governed
| by collective bargaining agreements that have published pay
| scales. _Nobody_ is getting a discretionary bonus... unless you
| count the $5 Starbucks gift card given at Xmas to the
| Principal's favorite teachers. If anybody finds out, they're screwed!
| jsheard wrote:
| Mirror for those locked out by the site's GDPR policy:
| https://archive.is/tIsPd
| vmception wrote:
| > found a few isolated incidents where confidential student or
| employee information was released, but none that contained Social
| Security numbers
|
| _phew_, close one
| black_puppydog wrote:
| > Unfortunately, our website is currently unavailable in most
| European countries. We are engaged on the issue and committed to
| looking at options that support our full range of digital
| offerings to the EU market. We continue to identify technical
| compliance solutions that will provide all readers with our
| award-winning journalism.
|
| Fuck you too
| not1ofU wrote:
| Solution - 1. FoxyProxy (firefox add-on). 2. Google for US free
| proxy (took about 5 minutes to find one). 3. Profit. As the
| others who responded to you have already pointed out, was
| probably not as interesting to you as the headline suggests.
| wayoutthere wrote:
| Let's be realistic here, EU users aren't a core use case for a
| local newspaper in Florida. GDPR classification is not high up
| on the priority list for a local newspaper, so a risk averse
| lawyer says to just block the whole continent. It's the worst
| of US and EU culture combined to achieve the worst possible
| outcome.
| levi-turner wrote:
| I don't disagree with the conclusion but the Sun-Sentinel is
| owned by the Tribune Publishing Company, which is the third
| largest newspaper publisher in the US. Often the subsidiaries
| use the same core CMS / tech. Compare the Sun-Sentinel to
| another paper owned by Tribune: https://www.pilotonline.com/
|
| It seems a bit odd to not believe there is not only a way to
| handle this more gracefully but also that Tribune could
| handle this globally for all of their newspapers.
| p49k wrote:
| At the very least, they could license and proxy content to
| a European third party who is willing to take
| responsibility for GDPR compliance; they could easily find
| takers.
| fennecfoxen wrote:
| They could, but why? To make an additional $0.0000003 a
| month?
| p49k wrote:
| At any given time, there are hundreds of stories in the
| Tribune network that have gone viral on Reddit/Facebook
| and are generating millions of EU page views. They don't
| just operate one local newspaper in Florida, and many
| local stories have broad appeal. As the parent comment
| mentioned, they very clearly run all of this content on
| the same CMS and wouldn't need to integrate each paper's
| website individually.
| black_puppydog wrote:
| I never said I didn't understand their motivations. But that
| doesn't mean their conclusion (and formulation) doesn't come
| down to a "fuck you" in the end.
| HenryBemis wrote:
| Plain and simple. Yes they do say '..... you'. I translate
| that as:
|
| _we don't care about you. You don't bring any revenue.
| None of our advertisers care to advertise to an EU
| audience._
|
| Example: And why would a restaurant in Florida care to
| advertise to someone in Paris? What are the chances that
| someone in Paris will think "oh I need to eat that burger
| in XYZ Florida resto?"
|
| (ok my example for Paris-burger-Florida is semi-sarcastic -
| but true. what are the odds? - what is the cost vs
| potential benefit?)
| jacobsenscott wrote:
| The GDPR is an FU from EU bureaucrats to the world, not the
| other way around.
| tomrod wrote:
| Can you blame them? At least they are honest about their
| adherence instead of something like StackOverflow's "accept
| everything or die" banner ~~ads~~ pop-ups.
| eMGm4D0zgUAVXc7 wrote:
| They're *NOT* honest:
|
| > We are engaged on the issue
|
| No you're not, the GDPR has been active for 3 years now, or 5
| years if you include the time where it wasn't mandatory, if
| you were engaged it would have been fixed already.
|
| > and committed to looking at options that support our full
| range of digital offerings to the EU market.
|
| Yea, so how about the option of just disabling privacy
| invading code on your website, which would probably take much
| less than 3 years?
|
| > We continue to identify technical compliance solutions that
| will provide all readers with our award-winning journalism.
|
| More repetition of the same empty "we're DOING SO MUCH!".
|
| But well, at least it doesn't say "We care about our European
| readers" like most of such blocked websites say.
|
| That one usually makes my blood boil: You're not caring at
| all. If you were caring, you wouldn't lock out 448 million
| people for years!
| cortesoft wrote:
| But what is their incentive to do that work? They probably
| don't make any money from European users, or at least not
| enough to make the effort worthwhile... so why should they
| do it?
| eMGm4D0zgUAVXc7 wrote:
| - It is called the "WORLD WIDE web", not the "local web".
| If you go to a place you ought to respect its fundamental
| purpose, no matter if it is a physical place or a virtual
| one.
|
| - We live in a highly globally interconnected society.
| Actions everywhere on the planet have consequences
| everywhere on the planet. If the US fabric of society
| blows up after their previous clinically insane president
| incited violence for years, that WILL have consequences
| for Europe. If only for the thousands of nukes they have
| and the trillions they spend on military and invading
| unstable regions.
|
| Also remember that we're being asked to spend tons of
| money on the NATO to aid in defending US interest.
|
| It is thus of very HIGH interest for me as a European to
| know WTF is going on in the US because it may end up
| killing us all, and even if not we still pay for their
| shenanigans.
|
| So denying us knowledge of affairs we're *very* involved
| in is rude.
|
| - My country's military has been in Afghanistan for 20
| years because of the US invasion. Nobody knows for how
| long we will be a target of terrorist attacks for that. And
| as a thank you for all of this, I can't even read your
| local news sites. I wonder how much the US would be
| enraged if that situation were reversed?
| RcouF1uZ4gsC wrote:
| > It is called the "WORLD WIDE web", not the "local web".
|
| So who gave the EU the right to be making rules for the
| entire "WORLD WIDE" web?
|
| If the EU has the right to be making laws for their
| jurisdiction, then websites in other jurisdictions also
| have the right to ignore the EU laws and exclude EU
| members.
| eMGm4D0zgUAVXc7 wrote:
| Why would they have to obey the laws if they're not part
| of the EU?
|
| They could just leave their website online as is, no need
| to block it if the laws don't apply to them anyway.
| black_puppydog wrote:
| Just don't lie to us. The text as is just says "fuck you"
| in fancy language. It's insulting.
| black_puppydog wrote:
| Of course I can blame them. More for being full of shit than
| anything else.
| bigwavedave wrote:
| > Fuck you too
|
| Maybe I'm wrong in this assumption, but to me the section you
| quoted sounds like they're saying "we're not GDPR compliant, so
| we can't participate in that market right now"; it's not a
| "fuck you, Europe" kind of thing. But hey, you know what they
| say about assumptions.
| ryandrake wrote:
| OP's quote was full of the usual contentless corp-speak. "We
| are engaged on the issue...", "committed to looking at
| options..." and "We continue to identify..." These phrases
| are a nice, pleasant and important-sounding way of saying "We
| aren't actually doing anything at all, despite GDPR having
| been adopted over five years ago."
| jandrese wrote:
| > committed to looking at options
|
| The option they are looking for is the full repeal of the
| GDPR. Otherwise they aren't going to bother to do anything.
| whydoyoucare2 wrote:
| Ok? It's a local newspaper from Florida, why should they be
| expected to do extra work to support Europeans? You're not
| entitled to access their site. These local papers are
| struggling to keep the lights on to serve their
| communities. YOUR government decided to make GDPR this
| stringent, and the European Parliament ignored warnings
| about exactly this happening. You can get your reporting
| second hand from a European source that follows your laws,
| at cost to you, or be left out of the loop because your
| continent expects the rest of the world to follow their
| laws.
|
| The choice was made in Europe. You reap what you sow.
| simion314 wrote:
| I would be fine with a bit more sincerity, something
| like: "we don't care about privacy, so go somewhere
| else". Or if you want to translate it you can put a
| message like "the EU market is too small for us to even
| consider implementing non tracking ads, we are sorry we
| can't sell your data anymore!"
| throwErrorAway wrote:
| I think that's a little unfair to assume that the reason
| they don't want to bend over backwards for the GDPR is
| because they're selling your info. Maybe they are, maybe
| they simply decided the overhead cost of having lawyers
| validate everything their teams do isn't worth it. I
| don't know and I can't say I really care, because that's
| not what this is about. In my (admittedly limited)
| experience on HN, it seems like a lot of the time the
| response towards "how does the GDPR affect the rest of
| the world" from users in the EU is "if you don't want to
| follow it, you can stay out of this market- no one's
| forcing you to do business in Europe." And that's fine.
| But OP's response to that exact explanation from the
| company was "fuck you too." You can't have it both ways.
| It's perfectly okay to dictate the laws of your own
| marketplace- I absolutely believe this and frankly I'm
| grateful for the GDPR. However, it's pretty childish to
| tell someone to find a different market if they don't
| like the rules of yours and then get angry when they do
| exactly that. I'm not usually an angry person but good
| grief, grow up OP.
| philjohn wrote:
| It's a local newspaper, but owned by the third largest
| newspaper publisher in the US and uses a shared CMS.
| throwaway823882 wrote:
| It's a website about Florida. They are doing you a favor.
| black_puppydog wrote:
| Single valid counter point here. :)
| meepmorp wrote:
| It's not unreasonable to want to avoid the regulatory
| compliance headache that is GDPR, especially for people who
| aren't likely to be regular users of the site.
| devenblake wrote:
| Site's covered in globs of advertisements and video anyway.
| You'd click off even if you could see it, don't worry.
| yesenadam wrote:
| Please consider that on HN you not only get to vent, but other
| people have to read it. Scrolling onto your comment felt like
| coming across a dog poo on a walk in the park. Nothing good
| about it. I looked at a few pages of your comment history, and
| too many of them are like that. I'm sorry you have so much
| anger... Thanks.
| fouric wrote:
| Is there a coherent argument for not making collectors of data
| (in this case, the Broward school district, but it could be
| Facebook, Equifax, whatever) liable for damage incurred due to
| data in their possession being stolen?
| thaumasiotes wrote:
| No way to measure the damages.
| alasdair_ wrote:
| Statutory minimums would be possible.
|
| That being said, we'd need to also make it illegal (with a
| bigger fine) to not inform customers of the breach, and to
| provide reduced damages for companies that promptly inform
| users. Otherwise the "correct" approach for a company would
| be to ignore every hacking attempt and never investigate.
| thaumasiotes wrote:
| > Statutory minimums would be possible.
|
| Sure, but _fining_ someone for leaking data is a very
| different thing than making them liable for damages, even
| if you call the fine "statutory damages".
| throwaway823882 wrote:
| Who would get sued though? The school? So we'd be suing
| ourselves?
| analog31 wrote:
| In a sense, we'd be suing ourselves over this incident,
| but at the same time the precedent would serve to
| discipline other school districts into erasing personal
| information stored in computer readable form before it
| can be stolen.
| cortesoft wrote:
| What does it mean to "discipline" a school district? Why
| would suing a school district incentivize them to change
| their behavior? They don't personally have to pay the
| fine, they would just have to do the work of
| securing/deleting the data.
| fn-mote wrote:
| At least in some cases, when a school district breaks
| federal law and loses a lawsuit, the outcome is a consent
| decree with $__MM to be allocated for education about the
| law and rights.
|
| Police misconduct gives rise to lawsuits. I'm sure one of
| the hopes of the plaintiffs is that they change the
| system.
|
| So, there is some precedent for lawsuits against public
| bodies in an attempt to change their behavior. I am
| somewhat skeptical about their utility in affecting
| institutional change, but there is definitely research on
| the subject and not just HN comments.
| analog31 wrote:
| The threat of being penalized through the tort system
| encourages public awareness and incentivizes districts to
| do the right thing. That's what I mean by discipline.
| bogwog wrote:
| Are you kidding? A lawsuit is going to hit them where it
| hurts most: the budget. People will lose their jobs over
| it, so there is very strong incentive for the decision
| makers not to end up in that situation again.
| thereddaikon wrote:
| Fines for these kinds of things don't work. They just get
| factored in as overhead. Penalties should affect people not
| budgets. Nobody would be lax with security if
| administrators went to jail every time there was a data
| incident on their watch.
| fennecfoxen wrote:
| Great way to promote outsourcing to another jurisdiction.
| zizee wrote:
| Just imagine the quality of the candidates you'd have
| applying to admin jobs if they risked going to jail
| every time there was a data incident.
|
| It's hard to imagine anyone with half a brain working
| under such conditions.
|
| It's also hard to imagine that putting such a measure in
| place would not result in data and systems being so
| locked down that they become unusable to most staff.
| mike_d wrote:
| This was a public school district. You'd have to tax every
| resident of the county $20 to give them back $8 by the time the
| lawyers get it all sorted out.
| jasonfarnon wrote:
| Of course there is an argument but it doesn't square with tort
| law in most states, at present. The main reason is that it is
| too hard to establish that whatever harm you claim occurred is
| proximately caused by the breach. A more practical reason is
| that the harm provably caused is typically of minimal value,
| and the harm is of such a varied nature, that class actions
| never get certified for breaches, with a few exceptions like
| Equifax. Individual cases can of course proceed, but it's rare
| for the harm to be great enough to make legal fees worthwhile.
| jacobsenscott wrote:
| I don't think so. If the school is forced to store their
| records outside in a cardboard box should they be liable when
| it is stolen? Because that's what we are essentially doing by
| under funding, under training, and not even providing secure
| software to begin with.
___________________________________________________________________
(page generated 2021-04-20 23:02 UTC)