

Veritossed: Cheating Scandal Kills 4 Harvard Quizbowl Championships - cdcarter
http://www.insidehighered.com/news/2013/03/22/cheating-scandal-kills-4-harvard-quiz-bowl-championships

======
jessaustin
Have they been sitting on this story? In our hour of triumph! At least they
didn't wait until the Crimson beat Arizona.

Seriously though, NAQT might consider not depending on the honor system for
access to the questions that are the basis of their entire competition. This
ain't Ultimate Frisbee.

~~~
joe5150
It wasn't just an honor system. There was a system of actual, albeit clearly
flawed and deficient, security in place, which was exploited.

~~~
jessaustin
Well, that's one reading of TFA and the NAQT announcements. It's clear, however,
that the attackers in this case had been given access to the same site, backed
by the same database, that contained the data they were attacking. There may
have been additional _ad hoc_ countermeasures designed to restrict them to a
proper subset of the data, but this is probably OWASP's "Failure to Restrict
URL Access" rather than something more easily validated like e.g. TLS setup.
I'm not saying that an app _couldn't_ defend against such a threat, but it
would be a higher bar to clear, easily obviated by the reasonable policy of
maintaining separate sites for the high school and college questions.

A higher-level threat than the dudes they caught (not sure NAQT has such, but
whatever) will typically seek privilege escalation before doing anything that
betrays its intentions. These dudes just used their own credentials to view
the "List of Questions" page a bunch of times in the week before their
competitions. Other attackers, who used their site access to attack the
credentials or clients of those users with legitimate access to this data,
have not been caught.

~~~
joe5150
My statement wasn't based on a "reading" of anybody's announcement; I'm pretty
familiar with the situation at hand and with the system. There's no optimal
way to maintain separate sites for high school and collegiate questions, or
any reason to do so, since most writers write questions for both sets.
Obviously there are privilege and access problems with the software, and with
the way that privileges are implemented across the software's different
features, but that can't be solved by walling off the sets of questions
(especially since some sets can't even be explicitly categorized as "high
school" or "college").
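An added example, not code from this thread, from NAQT, or from any real question-management system, that illustrates the two points made above: jessaustin's "Failure to Restrict URL Access" reading (a page that only checks for a login, so any logged-in writer can read every set) next to the object-level check joe5150's comment implies is needed (an explicit per-set grant, which works even when a set cannot be categorised as "high school" or "college"), plus a small audit over the access log that would surface a user reading one set unusually often. The set ids, user names, grant model, and log entries are all constructed for the example.

```python
"""Object-level authorization for a question listing, vulnerable vs. hardened.

Everything here (set ids, users, grants, log format) is constructed for
illustration; it does not describe NAQT's software or any real system.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class QuestionSet:
    set_id: str
    title: str
    questions: tuple


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool = True
    # Explicit per-set grants. Authorization never depends on whether a set
    # is "high school" or "college", so mixed or uncategorised sets are fine.
    grants: frozenset = frozenset()


# Constructed sample data: one database shared by writers of all sets.
SETS = {
    "hs-2013-01": QuestionSet("hs-2013-01", "Sample HS set", ("q1", "q2")),
    "col-2013-03": QuestionSet("col-2013-03", "Sample college set", ("q3", "q4")),
    "mixed-2013-02": QuestionSet("mixed-2013-02", "Shared-writer set", ("q5",)),
}


class Forbidden(Exception):
    """Raised when an access check fails."""


def list_questions_unrestricted(user, set_id):
    """Vulnerable: the only check is that the user is logged in.

    Any authenticated writer can request any set_id, which is the
    'Failure to Restrict URL Access' pattern.
    """
    if not user.authenticated:
        raise Forbidden("login required")
    return SETS[set_id].questions


def list_questions_restricted(user, set_id):
    """Hardened: authentication, then an object-level grant check per set."""
    if not user.authenticated:
        raise Forbidden("login required")
    if set_id not in user.grants:
        raise Forbidden(f"{user.name} has no grant for {set_id}")
    return SETS[set_id].questions


def is_forbidden(handler, user, set_id):
    """True if the handler refuses the request (helper for tests/demos)."""
    try:
        handler(user, set_id)
    except Forbidden:
        return True
    return False


def audited(handler, user, set_id, log):
    """Call handler and append (user, set_id, outcome) to the given log.

    Both allowed and denied attempts are recorded, so repeated denials are
    visible to a reviewer as well as repeated successful reads.
    """
    try:
        result = handler(user, set_id)
    except Forbidden:
        log.append((user.name, set_id, "denied"))
        raise
    log.append((user.name, set_id, "ok"))
    return result


def suspicious_readers(log, threshold):
    """Names of users whose successful reads of any single set exceed threshold.

    A simple detection control: a writer re-reading one set many times in a
    short window is worth a look even if every request was authorized.
    """
    counts = Counter((u, s) for u, s, outcome in log if outcome == "ok")
    return sorted({u for (u, s), n in counts.items() if n > threshold})


if __name__ == "__main__":
    writer = User("writer", grants=frozenset({"hs-2013-01", "mixed-2013-02"}))
    print("unrestricted leaks:", list_questions_unrestricted(writer, "col-2013-03"))
    print("restricted denies:", is_forbidden(list_questions_restricted, writer, "col-2013-03"))
    log = []
    for _ in range(6):
        audited(list_questions_restricted, writer, "hs-2013-01", log)
    print("flagged:", suspicious_readers(log, 5))
```

The point of the grant model is that it is checked on every request for every object id, regardless of how the set is labelled, so it does not need separate sites per competition level; the audit function is the detection side of the same control.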

