back to article Brit school software biz unchains lawyers after crappy security exposed

Brit biz Impero unleashed its legal eagles after someone published details of a security cockup in its school network management software. The disclosed design flaw in Impero's Education Pro can be exploited to execute commands and run malicious code on a school's Windows PCs. Last month, a security researcher called …

  1. Uberseehandel

    many "hackers" are ratbags, but.....

    letting loose the dogs of war (aka Lawyers) because you got found out hard coding keys....

    Sadly, it is no more than most of us expect .....

    1. Bob Vistakin
      Facepalm

      Re: many "hackers" are ratbags, but.....

      Yeah, shoot the messenger - what's the worst that could happen?

  2. Anonymous Coward
    Anonymous Coward

    "must first have access to the network?!?!"

    Who do you think will use these exploits, the students, 14-15 year olds who want to cause mayhem or just look at something they were not supposed to!

    When I was at school 20 years ago, I had access to every other students accounts on the network, all because of a stupid choice by a teacher....

    1. Omgwtfbbqtime

      @AC

      was the password "dutchman" by chance?

      oh sorry you said 20 years not closer to 30.

      1. Anonymous Coward
        Anonymous Coward

        Re: @AC

        no, everyone's password was their student id used for tests!

        And the admin (well design&technology teacher) was so slow typing, the first time I was next to him when he logged on I remembered his password!

        1. gerdesj Silver badge
          Childcatcher

          Re: @AC

          "no, everyone's password was their student id used for tests!"

          You'll be glad to know that the initial migration password I am setting on destination user accounts are md5sums calculated on a few bytes from (effectively) /dev/urandom, for each one. If the real source password doesn't sync and overwrite the random one then at least the account has a pretty decent password!

          The default was to use the surname field!

          1. Tom 13

            Re: The default was to use the surname field!

            Remember, it could be worse. I mean at least that's unique (sort of) and random. They could have just set all of them to:

            -password

            -12345

            -asdf

            -qwerty

            or my personal favorite, simply left it blank.

            1. Jamie Jones Silver badge

              Re: The default was to use the surname field!

              C'mon - Who here *didn't* successfully hack the school Econet system?

              More holes than [ insert here something witty referencing something with lots of holes ]

              1. F0rdPrefect
                Boffin

                Re: The default was to use the surname field!

                @Jamie Jones

                "C'mon - Who here *didn't* successfully hack the school Econet system?"

                Me, for one, as it would have taken just far to long to hand punch out all of the 80 column cards necessary to send off to the local Tech to be run through their 3rd hand ICL mainframe.

  3. Yet Another Anonymous coward Silver badge

    Legal advice

    >the methods used to identify and communicate this particular issue were not legal

    If your legal dept thinks that it, and not the courts, get to decide what methods used to publish information are legal - then you need some new legal advice.

    1. joepie91

      Re: Legal advice

      Well, Impero is *owned* by Gateley plc, the company that send the threat. So maybe they have a bigger problem...

    2. streaky

      Re: Legal advice

      They're completely legal, what's more now they're going to end up with every blackhat in the world trawling though their code.

      Some people never learn from the mistakes of others.

  4. Anonymous Coward
    Anonymous Coward

    Getting the lawyers is probably not the smartest move for a company using a hard coded key.

    From their website,

    The hype around cloud computing has never been greater, yet many vendors often overlook the need for secure identity validation when implementing remote solutions. YouID Access offers an intuitive and secure portal for seamless sign in to all your web applications. Sign in once to your personalized web desktop and access everything you need for online working. From everyday work tools such as Office 365 and Google Apps to online resources and individual accounts such as Purple Mash and Edmodo, YouID Access makes accessing, navigating and securing the cloud easy. YouID Access works from any browser or device and does not require client installation.

    is it safe?

    The answer is ‘yes.’ No longer do users need to jot down passwords on notepads, in word documents or spreadsheets, for all to see. One set of login details means only one set of login details to remember.

    YouID Access seamless sign in applies secure encrypted tokens; it doesn’t store passwords, so the risk of interception is eradicated.

    As soon as the software’s set up and running, all traffic to and from the portal is secured using SSL and industry standard protocols (very secure protocols), and all user data stored in the database is encrypted using AES-256bit encryption (very secure encryption).

    I like the use of the word "very". I am also unsure but with access to the tokens does that not equate to access to the account?

    They've now alerted every hacker to a flaw in one system. Now what are the odds it's an issue in all of them and if so that YouID software would be a prime target.

    1. Anonymous Coward
      Anonymous Coward

      The baked-in key is in use in Impero Education Pro. This doesn't affect Impero Remote Manager or YouID.

      YouID is a completely separate product which uses standard https encryption.

      Impero Remote Manager uses rolling 30 day (default, it could be tuned to be shorter or longer, last time I saw it) certificates for client communications.

      Education Pro is used to control client PC's, typically students. It's also completely local, as in, installed on client PC's. Remote (vpn, rootkit etc.) or physical access to the network is required to compromise the system.

      Even knowing the key, the damage someone can do is going to be quite limited, as they won't have console access rights, which means the Impero Server will probably disregard their commands, so only the peer-to-peer functions will work.

      A much bigger problem than hackers is teachers leaving their computers unlocked when they leave the room.

    2. Steve Davies 3 Silver badge
      Facepalm

      Asking for trouble

      Getting the lawyers is probably not the smartest move for a company using a hard coded key.

      Exactly my thoughts.

      Get this to court and bang all the explots will become public knowledge. Ny sending in the lawyers they have an immediate 'Striesand' effect. The more people who know the less viable their biz is.

  5. Mark 85 Silver badge

    What a bunch of numpties... calling in the lawyers instead of fixing the problem. They deserve whatever crap hits them. I guess the new mantra is: "Think of the profit and then maybe the children..."

    1. Anonymous Coward
      Anonymous Coward

      What a bunch of numpties... calling in the lawyers instead of fixing the problem. They deserve whatever crap hits them. I guess the new mantra is: "Think of the profit and then maybe the children..."

      Yes and no. I think there has been a severe lack of clear thinking in this case, but from both sides. If the "researcher" wants to engage in these sort of activities he ought to have respected established protocol: warn the company of the problem and set a reasonable timeline for release. On the other side, the way this has been reported suggests the company immediately opened a can of lawyers instead of engaging in discussion which is also just about the most stupid way to deal with a reported issue (it pretty much guarantees press coverage and reactions as yours, and thus promotes wide disclosure).

      I think *both* parties could have done better.

      1. Phil Endecott

        > ought to have respected established protocol

        I fear that in the 99% of cases that we don't hear about, the "respected protocol" is to quietly sell your exploit to the highest bidder.

  6. nsld
    Facepalm

    Worth remembering

    That lawyers have no power.

    Given the claims made by the provider over its security are clearly false perhaps a charge of fraud by misrepresentation would be in order.

    Along with a slapping for being a bunch of cockwombles when it comes to security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Worth remembering

      Worth remembering

      That lawyers have no power.

      Ah, but their power comes from endlessly dragging on a case which incurs fees, fees and then some more fees. It turns legal threats from any attempt to justice into blackmail by the entity with the biggest wallet. Even if you're right, your finance may not last to see that proven in court, which is why there is quite a gap between court cases and the concept of justice. The enormous timespan over which such cases take place is not helping either.

    2. Anonymous Coward
      Childcatcher

      Re: Worth remembering

      Shock horror, think of the poor children at risk !

  7. AustinTX

    A bit of a windfall for Slipstream

    "We were made aware that someone had maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence," Impero told The Reg in a statement.

    That there is what we call "slander". Sue Impero into the stone age.

    1. nematoad Silver badge
      Headmaster

      Re: A bit of a windfall for Slipstream

      'That there is what we call "slander".'

      No, that what we call "libel"

      Slander is defamation by spoken word.

      Libel is defamation by Written word.

      They may have spoken it originally but this is printed.

  8. moonrakin

    Impero - we know you're reading this :-)

    fwiw THIS and THIS is how to deal with bug reporting, security warnings and ... get shedloads of free positive press advertising

    twerps

    1. This post has been deleted by its author

      1. moonrakin

        Re: Impero - we know you're reading this :-)

        heh - nope ... but air travel is seriously over-rated as a experience - I say that as somebody who' gets 100K +++ miles a year in sometimes.

        I've long argued that broken or structurally inadequate software is no different in principle to a failed mechanical part and should attract the same level of attention - this doesn't happen in general.... Although some folk get it - an awful lot - including far too many developers dont :-(

        I worked for a short time doing support for a Merkan corporate - the number of bugs was astonishing and the main strategy for dealing with them was dissembling and denial.... Things are improving - but then you get the A400M FADEC fiasco...... anybody there have Chinook FADEC on their cv I wonder?

        Personally - I'd reward any and every bug found in a piece of software with T-shirts + mugs - up to serious amounts of money - Google have already cottoned to this iirc?

  9. Destroy All Monsters Silver badge
    Facepalm

    A "copyright" on a 256-bit number?

    A number that is supposed to be secret?

    That's a new one in deeper levels of retardation.

    They could have called up "disclosure of trade secrets", but still...

    If they had registered a trademark on that number, it would make sense, but then it would no longer be a secret.

    1. 2+2=5 Silver badge
      Facepalm

      Re: A "copyright" on a 256-bit number?

      Dear Impero's lawyers,

      Please note that I have a copyright on the following sequences of 256 bit numbers as generated by the following code.

      <insert loop to generate all possible permutations of 256 bits *except* the one used by the s/w>

      Please ensure your client does not infringe my copyright by using any of these sequences in its software.

      Yours etc.

  10. JP 6

    Different views on security for everyone.

    The following is a partial transcript of a chat I had, trying to explain a security flaw I found.

    7:48:05 PM

    Actually it is _________ ________. The upper O is a typo

    By having then set to auto or manual, makes it easier to hack in.

    Josephine M:

    7:49:13 PM

    you could also raised your concern at our community

    any additional concerns JP?

    You:

    7:50:03 PM

    HACKERS read the community. I don't want to give anyone ideas. If I can write a program that reads the programs think what a JAVA expert could do.

    Oddly, [redacted] could fix it with just two changes to the next batch.

    Josephine M:

    7:51:38 PM

    okay. just suggesting if you wanted to post on the [redacted] Community, we'll it up to your choice then

    You:

    7:52:22 PM

    Do you recommend posting whenever you hear of security flaws?

    Send

  11. Alan Brown Silver badge

    Wrong move.

    "Slip's advisory gist disappeared from GitHub soon after the letter from Impero's lawyers Gateley arrived in his Yahoo! Mail inbox. El Reg has seen the full exploit, and withheld publishing specific details in the interests of responsible disclosure."

    As soon as any outfit starts threatening lawyers over a bug discovery it's time to publish everything.

    _Anything_ else is irresponsible. The fact that the bug exists and has been mentioned means that bad guys will find and exploit it within days or hours but the company will continue to lie to its customers that things are secure (Customers probably have a pretty good civil case against the vendor for attempting to cover up vulnerabilities)

    Full disclosure policies appeared precisely because of this kind of response by companies with insecure software.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wrong move.

      As soon as any outfit starts threatening lawyers over a bug discovery it's time to publish everything.

      No, it is not. You still give them time to think, because you may be facing a gut reaction. Even El Reg itself knows full well what can happen if you publish an article that wasn't terribly bright, and how a friendly insider can help turn that around into less embarrassment for everyone. There is always enough time to start a war, but you start with dialogue.

      _Anything_ else is irresponsible. The fact that the bug exists and has been mentioned means that bad guys will find and exploit it within days or hours but the company will continue to lie to its customers that things are secure (Customers probably have a pretty good civil case against the vendor for attempting to cover up vulnerabilities)

      The company actually has a decent chance of getting its pound of flesh in court because established protocol was skipped - there must be a reasonable time for the company to react and address the problem before the issue is published, otherwise you tell me what the difference is between this researcher and a hacking site with banking zero days. There is a reason this protocol exists, it has proven over time to be the best compromise between being a jerk seeking publicity and letting companies cover up a security problem.

      1. Alan Brown Silver badge

        Re: Wrong move.

        "The company actually has a decent chance of getting its pound of flesh in court because established protocol was skipped"

        There _is_ no established protocol.

        Some researchers send notification to companies, which never do anything,

        Some researchers give them 30 days, then publish - but this has historically resulted in injunctions being taken out to prevent disclosure.

        Some publish immediately and damn the torpedos - mostly as a result of the last item.

        Some sell the bug to the highest bidder (Hacking Team?)

        Claims about "established procedure" show a fundamental ignorance about what happens in the real world.

  12. 2+2=5 Silver badge

    How to avoid copyright infringement

    "Whatever you do, don't publish the 256 bytes of data starting at offset nnnn in file xxx.dll or Impero's lawyers will threaten you with copyright violation".

  13. Bob Dole (tm)
    Holmes

    A few problems here

    First off, I think Slipstream did the absolute worst thing by publishing the exploit BEFORE telling the company that they had a problem.

    Second, in many areas it is, in fact, illegal to attempt to break the security on products without prior authorization. One commentard referenced a bounty program put in place by United Airlines. In that case the company expressly encouraged hackers to not only break their network but to also do the *responsible* thing by privately disclosing the information to them. The point is: authorization was given PRIOR to performing the work.

    Third, the lawyers are idiots in trying to get a copyright claim on a key. That's just dumb. What they *should* have done is fixed the problem FIRST then go sue the crap out of Slipstream for being completely irresponsible. Not the other way around.

    1. Anonymous Coward
      Anonymous Coward

      Re: A few problems here

      First off, I think Slipstream did the absolute worst thing by publishing the exploit BEFORE telling the company that they had a problem.

      Absolutely. That is why genuine security researchers have established the waiting time.

      Second, in many areas it is, in fact, illegal to attempt to break the security on products without prior authorization. One commentard referenced a bounty program put in place by United Airlines. In that case the company expressly encouraged hackers to not only break their network but to also do the *responsible* thing by privately disclosing the information to them. The point is: authorization was given PRIOR to performing the work.

      I think it's the Computer Misuse Act which indeed states just that. It's actually one of the problems a security researcher faces when publishing a vulnerability, even after a waiting time. What can happen here is that Slipstream can actually made liable for breaches now as they have published a weakness without giving the company time to address it (I think, IANAL).

      Third, the lawyers are idiots in trying to get a copyright claim on a key. That's just dumb. What they *should* have done is fixed the problem FIRST then go sue the crap out of Slipstream for being completely irresponsible. Not the other way around.

      What they should have done is ask the guy nicely first, telling him it wasn't the brightest thing in the world to do but they'd forego all the annoying legal stuff if he would be so kind to take the site down and discuss the matter so it can be fixed. This stupidity of getting lawyers involved from first breath is something that has blown over from the US< and we all see what a fine society that has made. Sure, keep them on standby but you may want to invest some time in finding lawyers that actually have a clue about software. The copyright approach smacks of desperation trying to find a stick without knowing IT law, and for a company selling IT products that is plain stupid. I'd change lawyers.

      1. Hey Nonny Nonny Mouse

        Re: A few problems here

        The issue is, at least in part, that the software is used in schools.

        If one of the tabloids picks it up and runs with it on the fallacious 'paedo hackers are stealing your children' line, the company will suffer *huge* losses so, sadly, to be seen to be carrying out swift and 'decisive' action to remove the 'threat' of hordes of nerd child molesters is possibly the best course of action to take in terms of image management.

        We all know it's bollocks, we all know Slip was an arse for doing it this way (unless there's more to this than we are being told) but it's the way of the world, posturing for effect in the public arena is a business tool.

        1. AlbertH

          Re: A few problems here

          You can be absolutely certain that the tabloids will promulgate some bizarre sensationalist blather - and the company will collapse within a week or two.....only to rise - phoenix-like - with a different name, re-selling the same old crap-ware to schools under a new product name from a "new" company.

    2. Doctor_Wibble

      Re: A few problems here

      Have to agree - FTFA "I didn't tell them about [the vulnerability] before posting it" is the confession of being an arse. This was the wrong way to do it and a bunch of lawyers is an entirely expected response. Was it worth it for the 15 minutes of fame?

    3. Adrian 4 Silver badge

      Re: A few problems here

      Except that the company DID patch the exploit reported on github. The lawyers came in when Slipstream told them their patch was inadequate. There's no report that the failings of their fix were disclosed. So while the initial reporting method was poor, it was the correctly-managed followup that resulted in the lawyering.

      1. Doctor Syntax Silver badge

        Re: A few problems here

        " it was the correctly-managed followup that resulted in the lawyering."

        If they didn't manage to put a name & address to the github post it might have been the followup which gave the lawyering a target.

  14. Anonymous Coward
    Anonymous Coward

    Really silly move on the part of the software company, lacking understanding of security research/disclosure practises. :(

    With this response, Slipstream is almost guaranteed to pay extra special attention to more of their software now.

  15. Anonymous Coward
    Anonymous Coward

    When I were a lad at school

    The teacher used to keep all of our workbooks on her desk, in Plain Text!

    Crazy!

    And Private Key was the thing visitor's used to access the teachers wash room.

    1. Mystic Megabyte
      Joke

      Re: When I were a lad at school

      Luxury! We only had lumps of coal to write on and the teacher sat behind an upturned barrow :)

      1. wikkity

        Re: When I were a lad at school

        Luxury, when I was a lad coal hadn't even started fossilising and had to write with damp peat.

        1. Will Godfrey Silver badge

          Re: When I were a lad at school

          You lucky people. Writing hadn't even been invented when I was a lad.

        2. Mpeler
          Headmaster

          Re: When I were a lad at school

          "Luxury, when I was a lad coal hadn't even started fossilising and had to write with damp peat."

          And, if ye did it wrong, you had to re-peat the class...

          1. Mpeler
            Coat

            Re: When I were a lad at school

            Worse, if ye were caught diluting the peat to make it go farther, ye were told to

            Re-peat, and thin no more...

        3. MrT

          Re: When I were a lad at school...

          ...no-one wanted to work with "Damp Pete" for any length of time, let alone long enough to do some writing...

  16. John Smith 19 Gold badge
    Unhappy

    Skipping the "notify the developers and give then some time to fix it" part was not smart.

    But lawering up and screaming "copyright" on a number just makes the company look like whiny ass b**ches with clueless legal representation.

    I think the fellow who reported holes with the remote access to a CCTV system used by a lot of day care centres (reported by El Reg) did it better.

    That companies reaction (called in the lawyers as well) was also pretty cretinous.

    Companies. If there is any kind of serious competition in your market sector you will lose sales if you behave like this.

    It's not like there aren't lists of "stupid s**t to avoid doing when writing software" already available.

  17. Peter Galbavy
    Trollface

    Perhaps they should consult with Babs Streisand as to how to proceed next?

  18. Little Mouse Silver badge
    Childcatcher

    Here's hoping that "Slipstream" turns out to be a nine year old.

    I reckon the simplest way to identify flaws in any application would be to let a bunch of kids loose on it and see how much damage they can do.

  19. This post has been deleted by its author

    1. Quotes

      Re: That blackboard is a disgrace.

      The lowercase R is playing truant: ‘leaRning objective’

      1. Mpeler
        Childcatcher

        Re: That blackboard is a disgrace.

        The lowercase R is playing hookey, as part of COMMON COrE education.

        Lazy folk, always sitting of their Rs.....

  20. Anonymous Coward
    Anonymous Coward

    Lawyer bashing

    So basically:

    - Hacker publishes working exploit code on GitHub without warning company first

    - Company scrambles to patch exploit

    - Hacker subsequently emails company to diss the patch

    - Company, now having contact details for the hacker, throws lawyers at him to discourage future stupidity by him or anyone else, using the only civil (rather than criminal) legal basis available to them - copyright.

    All things considered, he's lucky they didn't call in the police - irrespective of *his* motives, releasing working exploit code that accesses school systems to the weird wild web is just dumb and dangerous.

    /Dons flame retardant jacket

    //Replaces with retard retardant jacket

    1. Mpeler
      FAIL

      Re: Lawyer bashing

      "/Dons flame retardant jacket

      //Replaces with retard retardant jacket"

      /// IS a retard, jacket or not.

      There, FTFY...

  21. Anonymous Coward
    Anonymous Coward

    Interesting times for the new regime

    Going public with the exploit before giving them notice of it, and time to fix it, was a dick move.

    Impero was recently acquired and there have been some management and other changes, which is part of the reason for the knee-jerk lawyering up. Some people are very heavily invested and don't want to loose their shirts.

    1. Mpeler
      WTF?

      Re: Interesting times for the new regime

      "Some people are very heavily invested and don't want to loose their shirts."

      Maybe what they should spend their "heavily invested" money in is better development and testing then.

      Shooting the messenger never solves the problem, although perhaps in the rarefied boardroom world of "perception is reality" it satisfied their arrant egos.

      1. Anonymous Coward
        Anonymous Coward

        Re: Interesting times for the new regime

        Mostly, what they spent it on was buying in. Also, the Impero boardroom's not really high enough to be rarefied, Oak House is only 3-ish floors, but I bet their lawyers offices are. I agree with the sentiment though, but a developers solution is to develop and a lawyers solution is to litigate. It's pretty obvious who's driving the boat.

        1. Alan Brown Silver badge

          Re: Interesting times for the new regime

          " a developers solution is to develop and a lawyers solution is to litigate. It's pretty obvious who's driving the boat."

          And it's also fairly well known what historically happens when the non-developers start doing it.

          If anyone administering schools has any sense they should be looking for an exit scenario in case the company goes titsup or simply starts jacking license fees through the roof (the new management will want a quick return on all tha money they just ploughed into buying the company).

          Sadly, school administrators are not generally well known for their sense in these kinds of issues.

      2. Anonymous Coward
        Anonymous Coward

        Re: Interesting times for the new regime

        Shooting the messenger never solves the problem, although perhaps in the rarefied boardroom world of "perception is reality" it satisfied their arrant egos.

        It's the result of a dangerous mix of ignorance and arrogance. Ignorance because it is "tech" and thus the domain "of some geeks/underlings/minions" (take your pick, it all represents "pond scum from many levels down doing stuff I don't understand"), arrogance because it considers people below their level not worthy talking to (hence the absence of any discussion), and calling in the lawyers is about the only punitive move these people know. I worked for idiots like this, and you spend most your time massaging massive egos. Why do you think City office need such huge doors?

        Releasing an exploit before there is a full patch is a stupid thing to do, but you can recognise boardroom arrogance by the tools they deploy to solve conflict at any level. The results here aren't good. If I were an investor, I'd be rather worried about their approach.

        1. Alan Brown Silver badge

          Re: Interesting times for the new regime

          "Releasing an exploit before there is a full patch is a stupid thing to do"

          That depends on the circumstances and the companies involved.

          _Anything_ involving Impero will be treated this way by most people now, given that they've demonstrated that they prefer to lawyer up over fixing software.

  22. Kubla Cant Silver badge
    Headmaster

    Some people are very heavily invested and don't want to loose their shirts.

    If they keep their shirts tucked into their belts, they won't be loose.

    1. Anonymous Coward
      Anonymous Coward

      50/50 chance, wrong every time...

      On a semi-serious note, if they un-tucked their shirts, they might find a better outlook.

  23. Lee D Silver badge

    I work in schools, I can't say I'm one bit surprised. Not just Impero but any "educational" (though the buzzword is pedagogical nowadays) software. MIS software, in particular, scares the pants off me.

    Bear in mind that MIS software will probably contain:

    Salaries

    Bank details.

    Disciplinary notes.

    CRB checks and details of passport, driving licence, etc. for all staff.

    Pupil details (including parents names, numbers and arrangement for pickup)

    Medical info (staff and kids, everything from long-term conditions to issue of sanitary pads, etc.).

    Info on witness protection programs, child abuse records, Learning Support information, every minor concern about a child imaginable.

    Timetables.

    Events, including arrangements for transport, pickup, whether a child will be alone, etc.

    Parent's banking details for fees, paying meals, etc.

    And yet their "security" is some of the most lax I've ever seen. I've yet to fully push our MIS online because of these kinds of problems - the only MIS gateway available to us VPN's into our site to pull SQL information to their remote site, which then puts it into a "secured" web interface. I have paranoia over us executing SQL statements which ultimately originate from some random guy on the web logging into a website.

    If I can crash your MIS software in a hundred different ways off the top of my head (everything from overflow, to not entering a number when required, to choosing one option before another) and you want to put that accessing my SQL data containing all the above into a web interface that parents and even children can log into to see their little darling's school report? You can think again until you tighten up your coding and security and at least integrate some decent error checking.

    1. Mpeler
      Pint

      @ Lee D (I work in schools...)

      obligatory xkcd:

      https://xkcd.com/327/

      and

      http://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables

      for the educrats (who knows if they'll understand/care even then...)

  24. Anne-Lise Pasch

    Can you claim copyright infringement if someone repeats a line from a public Github?

  25. John Smith 19 Gold badge
    Unhappy

    Oh look, it's #7 on the Common Weaknesses Enumeration list 2011.

    As found here

    The latest list is much longer

    While writing your software to avoid these won't guarantee you're software is bug free it will be substantially more f**kup proof than otherwise.

  26. Potemkine Silver badge
    Flame

    "legal eagles"?

    "legal scavengers" would be closer to reality

  27. Tubz

    30 days is adequate time for a company to fix a flaw once notified. After that, users have the right to know of the flaw, protect against it and force a company to fix it. if said company doesn't like it, then that's just tough !

    1. Alan Brown Silver badge

      "30 days is adequate time for a company to fix a flaw once notified"

      Assuming the company isn't one of the ones which have a predilection for lawyering up and getting gagging orders - which is why full disclosure without notice became commonplace during the 1990s.

      Impero have demonstrated that tendency. They lost any chance of the courtesy of advance notification when they did so.

  28. CaptainBanjax

    Back when I was at school...

    We had a Novell based setup and the IT teacher had a disk that contained all of the management tools.

    A quick copy of that disk later and almost everyone was able to "manage" everytbing on the network.

    Took them months to figure out why were able to keep getting Doom installed.

    Mind you even after we were found out we still managed to get doom installed into the print spooler folder.

    It'd cause the network to churn out endless printed pages of crap but it worked well and at the time there was no way to lock that down.

    Years later at college we had an RM based network which was even worse, there used to be a site called "crash dummies" with all manner of tools for modifying the network and granting yourself extra priviliges.

    Each time I found ways to get games on various networks it was heralded as an era based on the game I deployed. Novell was the Doom era. RM was the Atomic Bomberman era.

    Ah I miss those days. Innocent times when fun loving hackers got a slap on the wrist and asked politely with respect how they managed it rather than the modern equivalent which is lawyer-mageddon, multiple death sentences and 5 generation curse on your family that doesnt exist and previous generations of ancestors. Plus their dogs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021