back to article SuperProf gets schooled after assigning weak passwords to tutors

Private tutor networking website SuperProf has irritated teacher clients of a firm it recently acquired – by handing out hopelessly insecure passwords. SuperProf, headquartered in Paris, recently bought UK-based Tutor Pages. Tutor Pages teachers have been migrated to the SuperProf platform but details of their fees, subjects, …

  1. nuked
    Holmes

    All tutors from the tutor pages will be given a year's premium membership...

    ...and then we will double our prices next year once you're tied-in to make up for it. Thanks for being a valued customer.

    1. Captain Scarlet Silver badge

      Re: All tutors from the tutor pages will be given a year's premium membership...

      It sounds like most tutors have actually paid already, so its not really as free as it sounds.

  2. BitCoward
    FAIL

    So they compensate for their foulup by misleading users

    "All tutors from the tutor pages will <snip> have their accounts updated 'star' tutor status, that usually requires many months of activity to achieve on the platform."

    So who are the real star tutors on the platform?

    Solving one problem by creating another, impressive.

  3. Lotaresco

    How do they send out the new "secure" passwords?

    My guess is that they send them unencrypted in an email. Because that's what happened to me when the company that I used for domain name registration and email sold its business to a new supplier.

    1. Gordon 10
      FAIL

      Re: How do they send out the new "secure" passwords?

      I admire your security principles but that's how 99.9% of password resets that are not links are sent. Let's not be too anal eh?

      As long as the passwords or accounts are expiring no harm no foul.

      1. Lotaresco
        Headmaster

        Re: How do they send out the new "secure" passwords?

        "I admire your security principles but that's how 99.9% of password resets that are not links are sent. Let's not be too anal eh?"

        That, with respect, is the old "Eat shit, 17 Quadrillion flies can't be wrong." argument rehashed. There are many more ways of distributing a password than sending them unencrypted in email. I haven't seen the emails in question, but I suspect these were not one-shot passwords based on the content in the article.

        I'll even place odds that they did not use the sensible challenge/response approach of password + text message to your phone for a verification code then require password be changed on first use. Because anyone clueless enough to use your name as part of password is not going to use one-shot passwords either.

        Anyway, I'm a Security Architect. Being anal about security is what I do.

    2. KarMann Silver badge
      WTF?

      Re: How do they send out the new "secure" passwords?

      You guess correctly. My wife is a tutor, and has been quite livid about this over the weekend, as was I when I saw how they'd assigned the initial 'password'. And yes, both the old super+name one and the new random one are clear text in a plain e-mail.

  4. Aladdin Sane
    Flame

    At Superprof we take security seriously and know how key it is to the running of our business

    No. You. Fucking. Don't.

    1. DJV Silver badge

      Re: At Superprof we take security seriously and know how key it is to the running of our business

      It makes more sense if you replace "security" with "bullshit".

      1. Mark 85
        Megaphone

        Re: At Superprof we take security seriously and know how key it is to the running of our business

        It makes more sense if you replace "security" with "bullshit".

        That pretty much sums up every companies' response to any issue. I don't know why they even bother to say it since it automatically sets off the Bullshit Alarm.

        Icon: BS klaxon just about worn out from overuse.

        1. cosmogoblin

          Re: At Superprof we take security seriously and know how key it is to the running of our business

          Yeah, there's all these stock phrases people love to wheel out, they didn't mean anything in the first place and they're even worse now that everybody's heard them a hundred times before.

          "I apologise if any offence was caused"

          (no admission that I was the one who caused it)

          "We have implemented robust procedures to make sure that this specific case doesn't happen again"

          (we lost the unencrypted CD on a train, next time it'll be a USB stick in a taxi)

          "We have upgraded our systems, and the small minority who used X just need to migrate to Y"

          (we have downgraded our systems, and the 40% of customers who only signed up to use X are now SOL)

          ... and so on. Give me a week's worth of news, and I could collect dozens...

          1. Adam 1

            Re: At Superprof we take security seriously and know how key it is to the running of our business

            > "I apologise if any offence was caused"

            > (no admission that I was the one who caused it)

            Shirley that would be "We apologise if anyone took offence"

            (We didn't cause it, it's your own fault if you got offended. Mumble mumble mumble nanny state mumble PC gone nuts mumble. Suck it up princess.)

    2. Pascal Monett Silver badge

      Re: At Superprof we take security . . .

      I love how they always say that after it has been clearly demonstrated that no, security was NOT taken seriously.

      And resetting tutor profiles, inventing new clauses and forcing people to pay again to fix stuff ?

      Here's a thought : do your integration on a seperate server, unplugged from the Web, and ensure that all the stuff is properly represented as it was when the customer paid his money the first time. You buy a company, you buy its obligations.

      Once you can be sure that the data has been reliably integrated, then you fold it into the production site.

      Just a tip for the summer intern who visibly did the job.

      1. heyrick Silver badge

        Re: At Superprof we take security . . .

        "Just a tip for the summer intern who visibly did the job."

        You say that in jest...

        SuperProf is headquartered in Paris. It's August. Right now it's probably only the "stagiaires" running the company...

    3. Aodhhan

      Re: At Superprof we take security seriously and know how key it is to the running of our business

      Taking security seriously doesn't mean you have cousin Nigel--educated by the London public school system and flunked out of taxi driving school--audit your security practices.

      Taking security seriously, means you've built your security policies and procedures around industry best practices, and annually have an outside agency audit your security and risk management programs. Then you take the audit to heart to make changes as necessary to constantly improve.

  5. JeffyPoooh
    Pint

    "All tutors....will....have their accounts updated [to] 'star' tutor status"

    Everyone is above average. Yay!

  6. Dan 55 Silver badge
    FAIL

    TSB school of migration

    Did they test anything?

  7. SVV

    SuperProf

    Sounds like they could do with someone to tutor them in basic infosec principles. Now where could they find someone to do that?

    1. Adam 1

      Re: SuperProf

      Maybe they should get one of their "star" tutors.

  8. fidodogbreath

    At Superprof we take security seriously

    pop "It look like you're apologizing for a massive privacy cock-up. Would you like me to insert six paragraphs of meaningless corporate platitudes about how much you supposedly value the users you have screwed?"

    1. Rob Moir

      I think you’re being unfair there. Clippy can do a much better apology letter than their effort.

  9. Terry 6 Silver badge

    Don't get it

    The world's full of tutor agencies. The best / best paid (and the ones with the "in" to the best heeled punters, ) don't even use them anyway, they get recommendations from previous clients who wouldn't touch an agency. And if these tutors are any good they'd be best away from this crew.

    1. Korev Silver badge
      Headmaster

      Re: Don't get it

      I have an acquaintance whose job appears to be flying around the world tutoring kids of the obscenely rich to prepare them for Prep or Public* school. I believe he's seen the inside of a fair few private jets and super yachts. I'm pretty sure that he's not on the sites in the article :)

      Kind of a teacher -->

      *"Public schools" in the UK are the most expensive private ones

      1. Is It Me

        Re: Don't get it

        But unless you already have an "in" you aren't going to get started that way.

        I had a quick look at the language tutors on that site and a lot of them in my area are post-grad students supplementing their income.

        The site also gives the option of remote tutoring, which would add extra flexibility for the tutors, e.g. single parents working from home.

        1. Korev Silver badge

          Re: Don't get it

          That's very true. I don't know him very well, so I don't know how he ended up in the job.

          1. Terry 6 Silver badge

            Re: Don't get it

            To elucidate. There are plenty of agencies. In my youth I did a lot of agency work. There are national chains, franchises, local agencies and even cooperatives. Or just advertising in the local paper yourself. And the agencies seem to have plenty of work available.

            Also there are plenty who get work from their own schools to start with. It's from those latter ranks that the real super tutors I've met ( not many of them) seem to come from. Teachers who have got jobs in the posher private schools. Super in the sense that they can earn tons of money from the private work tutoring for "Common Entrance" type exams. (Though not as "super" imho as those of us who choose to work for peanuts to help kids who are really needy - it's meant to be a vocation).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like