UK schools' "anti-radicalisation" software lets hackers spy on kids

I’m sure spying on kids, censorship, and shovelling money to their supporters are higher priorities than security.


If the password is “password” we can safely assume that it has been extensively hacked already.
I think we need an official body to deal with this sort of thing - to take reports from security researchers (or members of the public who accidentally come across something) and communicate with vendors, with vendors who refuse to comply being prevented from supplying the public sector and being required to remove nonconformant software at their expense.
I think this is one to write to my MP about.


Idiot didn’t bother contacting them privately first. That’s a pretty standard requirement for a security researcher. He just wanted bragging rights.

It makes absolutely no sense to me how these companies freak when researchers do a free (to them) security audit. Wouldn’t the rational reaction be to congratulate the researchers for finding the bugs before someone pwns your service? I believe the proper reaction would be to say, “thanks for your work, now let’s work to fix this problem”?


Yeah, maybe the guy’s an idiot (probably smarter than me or you). But the fact that the TOS seem to forbid doing security research at all is worth talking about.


There is a level of negligence where this should be forfeited. Using “password” as a default certainly goes there.

Spyware peddling companies may also qualify for gloves-off treatment. Especially if peddling it to governments.


Which may have happened if he had reported it privately rather than making it available to all students and criminals without telling them.

Agreed. All freaking out and screaming murder does is keep honest people that might want to help from speaking up.

Wasn’t there a thing where a guy found vulnerabilities and politely emailed going ‘hey guys, found bugs in your interface’ and was facing criminal charges?


Yes, this level of stupid is quite common.
Some years ago a contractor (not me) discovered a Government recruitment website which was backed by a MySQL database with no password (that’s right - public access) and had the names and details of some 15000 personnel on it. So he told them…and was promptly threatened with prosecution under the Official Secrets Act.
Incidentally, if you ever need to write to your MP about this kind of thing, ask him or her to forward it to David Davis MP, who as far as I know is the only one who has a computer science degree. Richard Bacon is very good on IT waste and failing projects, but not so much on the technical side.


That’s how you do it when you more-or-less want the piece of software to survive and thrive.

