

He says he probably could have accessed more data. Blackboard also downplayed the incident and said that there was no evidence that anyone other than Demirkapi had exploited the flaw that he had found, so no one else to their knowledge was able to see the data. Follett said they appreciated his help, but also stated that the security flaw that he found would not have given him access to the data of other students other than his own. Wired Magazine, which is where we first heard about the story, reached out to both companies. And that’s when he got more of a response from company officials, since at that point it was a customer, the school officials, who were complaining. And this is absurd.” I even sent them a screenshot that I caught them red-handed. At some point, Demirkapi went to his school administration and they set up calls with the companies. I want to keep searching, but you’re not showing me the respect that I deserve.

You know, this is kind of disrespectful to me because I’m doing your IT department’s job for them and for free. I said, “Your Blackboard security commitment says you’re going to do this, this and this. So I felt a little bit disrespected, too. Although that’s actually a reality in the real world, I didn’t know that. Demirkapi: No vendor had ever just ignored me or left me on the spot. And yeah, I did get suspended for two days for creating a major disturbance. Blackboard didn’t respond either, which also frustrated him. The school administration wasn't that happy with it, understandably. Basically, whenever you logged in, you would see that if you’re in my district. It turns out it actually got a little bit farther than I expected.
My name is Bill Demirkapi.” And I said, “At Follett Corporation, there’s no security.” So what I did was I added one of these group resources and said, “Hey, hello. But I found out that I could actually add my own group resource as a student. I think schools could use this to add useful links, like the student handbook or the school calendar. So when he didn't hear anything back, he took things a little bit further. Demirkapi: What I found was one of the improper access control vulnerabilities allowed me to add something called a “group resource.” A group resource is something that whenever you logged into Aspen, there’d be a list of group resources. In the case of Follett, Demirkapi didn't feel like he was heard when he sent his initial emails. Or read a transcript below, lightly edited for clarity. Bill Demirkapi: I saw a little over 34,000 immunization records on Blackboard’s database, and it was concerning to see how much data the school had on a database, and what they trusted Blackboard with. EdSurge: The student reported the security holes to both companies. You can follow the podcast on the Apple Podcast app, Spotify, Stitcher, Google Play Music or wherever you listen. Listen to the story on this week’s EdSurge podcast. Some of what he was able to find actually surprised him. When he started poking around these systems built by Blackboard and Follett, he found that he was able to access millions of records, things from test grades to medical records, what they eat for lunch, all kinds of things. So what was the student able to see when he tried out his hacking skills on his own school? He even has a motto, posted prominently on his blog about security issues, that says he wants to break anything and everything.

He said he’s long been interested in computers, and thought it would be “cool” to be a hacker like he had seen in Hollywood movies. Essentially these are the tools used by his former school to store grades and student records, and manage communications. Specifically, he tried to get into the student information system built by Follett, and Blackboard’s communication tool, which are two of the most widely used edtech systems in the country. While many kids might play video games or just goof around when they get bored, Demirkapi decided to go poke around in some of the computer systems that his school uses. We’re focusing on a pretty unusual story about Bill Demirkapi, who had a pretty odd hobby while he was in high school in Lexington, Massachusetts. This week on the podcast we’re talking about cybersecurity at schools, and how secure, or in some cases how vulnerable, the tech systems in school systems are these days.
