Before I start, I’d like to inform you that I have never met or directly communicated with Rob Teller beyond Instant Messaging. I have no interest to talk to him ever again. My experience, as well as that of close family, has been negative and unless I’m promised differently I’d rather not communicate with Teller again. I am a student at Hunterdon Central High School and have had the displeasure of using this site my Freshman year. I am going to try to present you with the facts and only the facts. I do think a site like HCSchedules is useful if executed correctly and if basic security measures are taken. I have not known of any problems with the site until its MySQL databases (the databases storing students information) were released to Robert Teller during/preceding the take over. I also figure you’d like to know what qualifications I have, if any, in my claims. Well, I don’t have any written qualifications but I’ve been programming for a number of years, I know PHP and MySQL interfaces (what this website was developed with), and I’ve been working with security and cryptography for some time as well.
The recent media coverage of the site has been, as far as I can say, inaccurate on a few levels. The reports have addressed the school’s complaints and Robert’s responses but have not mentioned anything I have witnessed in relationship to the site. I do not even know if the school is aware of how the information collected is being used. For those that don’t already know Hunterdon Central sent out the following e-mail regarding the website on August 15th, 2007:
“Please be aware that Hunterdon Central does not sponsor or authorize a website called HCSchedules.com. The site is being used by students to see what other students are in their classes. The information is not reliable and Counseling Services cannot verify data reported on this website. Also, please be aware that the website is requiring personal information from your child that you may prefer to keep guarded. Hunterdon Central is recommending that its students not interact with this website.”
I’d also like to clarify that the site has collected similar information throughout it’s entire life and this Hunterdon Central email does not seem to be related with the recent take over by Robert Teller which is why I assume that the school does not know how the collected information is being used. On that note I’m going to compare basic security procedures every website takes with the security on Robert Teller’s website, or lack thereof. I’d also like to mention that this lack of security has been around for (as I imagine) the life of the site. On almost all websites that have user accounts and passwords they require the user to fill out a registration form with a username and password. This form than gets sent to their server, sometimes encrypted and sometimes unencrypted. When it reaches the server the information is stored in a database (in this case a MySQL database) and encrypted. This encryption protects the data (usually just the password or any personally identifiable information) from the administrators or hackers being able to view it. This makes sure that no one, other than you knows your password. Even the site owners. However, HCSchedules has none of this. The passwords are saved in plaintext, readable to anyone who has access to the MySQL database (in this case Robert Teller or a hacker). Adding this basic security technique would require no more than 20 minutes and about fifty lines of code on the average system. (Really all they need to do is add the word PASSWORD() and put the users password between the parentheses to protect it)
Why does Robert Teller’s site not have this basic protection? I can’t tell you, I don’t even think he’d be able to tell you, as he didn’t do the programming for the majority of HCSchedules. I hope encryption is added soon. Why is this dangerous? Because any hacker with the will to obtain access to HCSchedules’ MySQL database or even Rob Teller himself could abuse knowledge of passwords.
Most people use one or two passwords for everything. This means Robert or any competent hacker has your password to almost all of your accounts, including email and school network accounts. You submitted your school ID and your password, this means he could go to any computer on the school’s campus, enter your ID and your password and log in as you, delete or modify school-related files, send inappropriate emails to teachers, and download illegal materials under your name. Disciplinary action against an unsuspecting victim would be the result. Although one could make the argument that Robert Teller cannot be expected to abuse personal information, in my experience, his behavior has been less than scrupulous. He has instant messaged me my own password and school ID and even abused password knowledge; in the case of my sister, to log in to a victim’s AIM account.
In closing, I propose the following to Robert Teller: Fix security holes in HCSchedules and don’t release personal information to anyone, even family members. It doesn’t seem you can keep the promises you make on your website “None of your information is ever released to ANYBODY.†I ask Hunterdon Central to either demand the use of common security features on HCSchedules and overview the website or create another website that provides the same functionality. I would be more than happy to help in either the creation and security in a future or current HCSchedules website.
