Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to one_organization:
The incident involving serious bugs in school software, specifically in software sold by Blackboard and Follett, was discovered by 18-year-old Bill Demirkapi. He found vulnerabilities that allowed deep access to student data, including student grades, immunization records, cafeteria balance, schedules, passwords, and photos. The vulnerabilities were present in Blackboard's Community Engagement software and Follett's Student Information System. Demirkapi reported the bugs to the companies, and they eventually fixed the issues [88022].
(b) The software failure incident related to multiple_organization:
The software failure incident involving vulnerabilities in school software sold by Blackboard and Follett highlights the broader issue of cybersecurity in education software. Bill Demirkapi's findings revealed common web bugs like SQL-injection and cross-site-scripting vulnerabilities in these widely used software systems. The incident underscores the poor state of cybersecurity in education software and the lack of attention to such vulnerabilities across multiple organizations that provide software solutions for schools [88022]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident in the articles can be attributed to the design phase. The incident involved serious bugs found in the web interfaces of software sold by tech firms Blackboard and Follett, which were used by schools. These bugs allowed a hacker, in this case, a high school student, to gain deep access to student data, including sensitive information like student grades, immunization records, cafeteria balance, schedules, passwords, and photos [88022].
(b) Additionally, the software failure incident can also be linked to the operation phase. The high school student hacker, Bill Demirkapi, exploited flaws in the operation of the software systems by finding bugs that would give him access to student data like grade point average, special education status, number of suspensions, and passwords. In the case of Follett's software, passwords were stored unencrypted, making them fully readable. Demirkapi's actions highlighted vulnerabilities in the operation of the software systems, indicating a failure to ensure secure operation and to prevent misuse of the systems [88022]. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident reported in the articles is primarily within the system. The failure was due to serious bugs found in the web interfaces of software sold by tech firms Blackboard and Follett, which were used by schools. These bugs allowed a teenage hacker, Bill Demirkapi, to gain deep access to student data, including sensitive information like student grades, immunization records, cafeteria balances, schedules, passwords, and photos [88022].
(b) outside_system: There is no specific information in the articles indicating that the software failure incident was primarily due to contributing factors originating from outside the system. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case was primarily due to non-human actions, specifically vulnerabilities in the software itself that were exploited by a teenage hacker named Bill Demirkapi. Demirkapi discovered serious bugs in the web interfaces of software sold by Blackboard and Follett, which allowed him to gain deep access to student data, including sensitive information like grades, immunization records, passwords, and more [88022].
(b) However, human actions also played a role in this software failure incident. After discovering the vulnerabilities, Demirkapi struggled to get the companies to take him seriously when he tried to report the issues. He faced challenges in getting Blackboard and Follett to acknowledge and address the security flaws he had identified, leading him to resort to more disruptive actions like sending messages to thousands of users to get their attention. Eventually, with the help of his school district's director of technology and Carnegie Mellon's CERT Coordination Center, the companies began to listen and work towards fixing the vulnerabilities [88022]. |
Dimension (Hardware/Software) |
software |
(a) The articles do not provide information about the software failure incident occurring due to contributing factors originating in hardware.
(b) The software failure incident reported in the articles is related to vulnerabilities in the school software systems developed by tech firms Blackboard and Follett. The vulnerabilities discovered by the high school hacker, Bill Demirkapi, were due to serious bugs in the software that allowed unauthorized access to student data. These bugs included SQL-injection and cross-site-scripting vulnerabilities in Blackboard's Community Engagement software and Follett's Student Information System. Additionally, the software flaw in Follett's system allowed access to student data like grade point average, special education status, number of suspensions, and passwords stored in unencrypted form [88022]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident reported in the articles is malicious in nature. The incident involved a high school hacker, Bill Demirkapi, who discovered serious bugs in the school software provided by tech firms Blackboard and Follett. These bugs would allow a hacker to gain deep access to student data, including sensitive information such as student grades, immunization records, cafeteria balances, schedules, passwords, and photos [88022].
Demirkapi found vulnerabilities like SQL-injection and cross-site-scripting in the software, which ultimately allowed access to a database containing various categories of data, indicating a deliberate attempt to exploit weaknesses in the system for unauthorized access [88022].
Additionally, Demirkapi's actions were driven by a combination of teenage boredom and a desire to learn more about cybersecurity and web-based hacking. He engaged in activities like exploiting flaws in college admission software to change his admission status, demonstrating a deliberate intent to manipulate the system [88022]. |
Intent (Poor/Accidental Decisions) |
accidental_decisions |
(a) The software failure incident stemmed not from poor decisions but from accidental decisions made by the high school hacker, Bill Demirkapi. He found serious bugs in the school software by poking around the web interfaces of Blackboard and Follett, which led to vulnerabilities in student data access. Demirkapi's actions were motivated by teenage boredom and a passion for learning about cybersecurity and web-based hacking, rather than any deliberate poor decisions on his part [88022]. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident in this case can be attributed to development incompetence. The incident involved serious bugs found in the software used by schools, including Blackboard and Follett, which allowed a high school hacker to gain deep access to student data. The vulnerabilities discovered by the hacker, Bill Demirkapi, included SQL-injection and cross-site-scripting vulnerabilities, as well as unencrypted storage of passwords in Follett's software. Despite the hacker's efforts to report the bugs to the companies, he faced challenges in getting them to take him seriously initially, indicating a lack of attention to cybersecurity in the development process [88022].
(b) The software failure incident can also be considered accidental to some extent. The high school hacker, Bill Demirkapi, initially started exploring the vulnerabilities out of teenage boredom and a desire to learn more about cybersecurity and web-based hacking. His actions, although unauthorized, were driven by curiosity rather than malicious intent. Additionally, the hacker mentioned that he struggled to get the companies to take him seriously when he tried to report the bugs, leading to unintended consequences such as sending a message to thousands of users due to a bug he found in Follett's software, which got him suspended from school for two days [88022]. |
Duration |
temporary |
(a) The software failure incident in the articles can be categorized as temporary. The vulnerabilities found by the teenage hacker, Bill Demirkapi, in the Blackboard and Follett software were reported to the companies, and both companies acknowledged the bugs and fixed them by July of 2018 [88022]. This indicates that the failure was temporary and was resolved once the companies addressed the security flaws. |
Behaviour |
other |
(a) crash: The incident reported in the article does not involve a crash where the system loses state and does not perform any of its intended functions. Instead, it focuses on vulnerabilities found in school software that could allow a hacker to gain deep access to student data [88022].
(b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at an instance(s). It primarily revolves around the discovery of serious bugs in software used by schools that could potentially compromise student data [88022].
(c) timing: The incident is not related to a failure due to the system performing its intended functions correctly but too late or too early. It is centered around security vulnerabilities found in the school software that could lead to unauthorized access to sensitive information [88022].
(d) value: The software failure incident does not involve a failure due to the system performing its intended functions incorrectly. Instead, it highlights the discovery of bugs in the software that could allow unauthorized access to student data [88022].
(e) byzantine: The incident does not exhibit byzantine behavior, in which the system behaves erroneously with inconsistent responses and interactions. It primarily focuses on the security vulnerabilities found in the school software, highlighting the potential risks associated with unauthorized access to student information [88022].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability exploit. The incident involves a high school student discovering serious bugs in software used by schools, which could potentially lead to unauthorized access to sensitive student data. The student's findings shed light on the inadequate cybersecurity measures in education software and the potential risks associated with such vulnerabilities [88022]. |