The Catholic school board’s IT department is *not* smarter than an 8th-grader.

From the department of IT Security 101, courtesy of the Peterborough Catholic District School Board, comes this real-life lesson in what happens when you don’t triple-check your security: you end up hacked by one of your own students.

John Mackle, education director at the Peterborough Victoria Northumberland and Clarington Catholic District School Board, said the Grade 8 pupil at St. Anne’s School in Peterborough’s north end found his way — via his laptop, a piece of downloaded software and the board’s internal network — into a board file server containing provincewide test results.

“To be honest, I don’t know that he would have understood what he was seeing,” Mackle said.

“The information that he was able to see wouldn’t have made a lot of sense to him.”

Mackle said the incident occurred when the server in question, which isn’t located at the school, was turned back on after undergoing a service upgrade.

“We normally have two levels of security,” Mackle said. “In this case, level 1 was turned back on, but level 2 was not. This allowed the boy to gain access.”

Security for all servers has been upgraded in the wake of the incident, he added.

By “upgraded”, does he mean “reenabled”? And, really, just what kind of security do they consider to be level 1 over at the Peterborough school board? Inquiring minds want to know. If the system was secured, the kid shouldn’t have been able to access it. On second thought, I’ve come to understand that the school board’s definition of secured and the rest of the world’s definition are usually two pretty different things. Given enough time to work at it, most school board security systems, at least up here, could probably be compromised with a minimal amount of effort if someone with a problem with that school or the board really wanted to.

Let this be a lesson for aspiring IT people. Secure your shit. Twice. And for the love of cheese, if you’ve got a system installed, triple-check that it comes up when the server you’re trying to protect does. I should not have to point that out.
