When a Texas school district sold some outdated laptops at auction last year, it probably didn’t expect to end up in a public legal fight with a local computer repair shop – but a debate over what to do with district data found on the liquidated machines has led to precisely that.

The San Benito Consolidated Independent School District sold more than 3,500 devices at auction in July 2022, of which 700 were purchased by local computer repair and resale shop RDA Technologies.

RDA co-owner David Avila said he found 11 hard drives the district had failed to wipe, and which contained sensitive data on employees and students. Avila told local media that he reported the presence of the data to the district in October, saying “legally, it is their job to wipe out or destroy hard drives.”

It’s here things start to get complicated.

The district admitted to the exposure of the data as a result of the sale to RDA, but said Avila’s company “has not agreed to our proposed resolution.” Avila disputed that characterization in a late January interview, saying that the district wanted him to sign a nondisclosure agreement as part of a deal to buy back the 11 computers, and an additional 503 that hadn’t been inspected.

Avila says he wants the district to be open about the errors in its process – particularly as he alleges some computers sold by the district went to foreign buyers – so isn’t willing to sign an NDA.

The district also claimed that it wasn’t given the chance to inspect the machines to verify they contained the alleged data. Avila denied this too, claiming a representative from the district had visited his shop to inspect them in October. Local news media reported they’d inspected a machine and verified the data was present.

The district fired back with a statement on February 2, including a copy [PDF] of communications with RDA. Among those communications are accusations from the district’s legal representatives that Avila is attempting to “extort” the district.

Conveniently absent from the trove of communications is Avila’s initial message to San Benito. Also missing is anything that actually incriminates Avila in extortion, as San Benito’s lawyers allege in the missives.

The district also called RDA out for a similar scheme at a different Texas school district in 2019. RDA had machines from Edcouch-Elsa CISD where similar information was found. Avila said at the time he wanted Edcouch-Elsa to inform the public, as in this latest case.

Edcouch-Elsa said it also failed to reach an agreement with RDA.

According to San Benito CISD, the matter is now in the hands of the Texas AG, who is not investigating its data-wiping failures, but is investigating RDA. “The District is providing information to the Texas Attorney General to assist representatives from the Texas Attorney General’s office in their future inspection of RDA Technologies,” Superintendent Theresa Servellon said.

Patch now to avoid a Jira takeover

Several versions of Atlassian’s Jira Service Management Server and Data Center contain an authentication vulnerability that could let an unauthenticated attacker impersonate users and gain remote access to affected systems.

“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into,” Atlassian said in its advisory.

The Australian outfit said the bug earns a CVSS score of 9.4.

Such tokens can be accessed when an attacker is included on a Jira issue or request with the target user, or when an attacker gains access to an email containing a view request link from one of those users. Atlassian said bot accounts are particularly vulnerable in this scenario, as they’re often used to communicate with other user accounts, but rarely see a human login.

Versions 5.3.x, 5.4.x and 5.5.x are all affected, Atlassian admitted, and it recommends upgrading to the latest versions now.

For those that can’t immediately deploy the patch, Atlassian also issued a JAR file that can update the servicedesk-variable-substitution-plugin, but said that’s only a temporary fix.

TSA urges airlines to be careful with that no-fly list

The Transportation Security Administration has urged airlines to check their systems to make sure nothing is amiss after a hacker spotted a 2019 copy of the no-fly list on an unsecured public-facing server last month.

While it doesn’t appear to have been published online, a TSA spokesperson told several news outlets that the Administration had issued a security directive to all domestic airlines. Per a TSA spokesperson, the directive “reinforces existing requirements on handling sensitive security information and personally identifiable information.”

We can hope those existing requirements were being grossly ignored at CommuteAir, which exposed the list by leaving a test server exposed to the internet. The server in question was taken down before news of the exposure was reported.

Nonetheless, Republicans on the Committee on Homeland Security aren’t thrilled with the incident, telling TSA administrator David Pekoske in a letter that news of the no-fly list’s discovery was alarming.

“The notion that such a consequential database be left unsecure is a matter regarding cybersecurity, aviation security, as well as civil rights and liberties,” Representatives Mark Green and Dan Bishop wrote in their letter.

The representatives have given the TSA until February 8 to respond to their questions. ®

