Have they been sitting on this story? In our hour of triumph! At least they didn't wait until the Crimson beat Arizona.
Seriously though, NAQT might consider not depending on the honor system for access to the questions that are the basis of their entire competition. This ain't Ultimate Frisbee.
Well that's one reading of TFA and the NAQT announcements. It's clear however that the attackers in this case had been given access to the same site, backed by the same database, that contained the data they were attacking. There may have been additional ad hoc countermeasures designed to restrict them to a proper subset of the data, but this is probably OWASP's "Failure to Restrict URL Access" rather than something more easily validated like e.g. TLS setup. I'm not saying that an app couldn't defend against such a threat, but it would be a higher bar to clear, easily obviated by the reasonable policy of maintaining separate sites for the high school and college questions.
A higher-level threat than the dudes they caught (not sure NAQT has such, but whatever) will typically seek privilege escalation before doing anything that betrays its intentions. These dudes just used their own credentials to view the "List of Questions" page a bunch of times in the week before their competitions. Other attackers, who used their site access to attack the credentials or clients of those users with legitimate access to this data, have not been caught.
My statement wasn't based on a "reading" of anybody's announcement; I'm pretty familiar with the situation at hand and with the system. There's no optimal way to maintain separate sites for high school and collegiate questions, or any reason to do so, since most writers write questions for both sets. Obviously there are privilege and access problems with the software, and with the way that privileges are implemented across the software's different features, but that can't be solved by walling off the sets of questions (especially since some sets can't even be explicitly categorized as "high school" or "college").
4 comments
[ 5.7 ms ] story [ 26.5 ms ] threadSeriously though, NAQT might consider not depending on the honor system for access to the questions that are the basis of their entire competition. This ain't Ultimate Frisbee.
A higher-level threat than the dudes they caught (not sure NAQT has such, but whatever) will typically seek privilege escalation before doing anything that betrays its intentions. These dudes just used their own credentials to view the "List of Questions" page a bunch of times in the week before their competitions. Other attackers, who used their site access to attack the credentials or clients of those users with legitimate access to this data, have not been caught.