Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

137 comments

  1. Job opportunity? by eviljolly · · Score: 5, Interesting

    Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If nothing else, they might nag their developers to work a little harder after hearing about it. :)

    1. Re:Job opportunity? by c · · Score: 4, Insightful

      so why not explain the problem and ask them if they would be willing to pay you to fix it?

      Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money".

      The last thing you want to do is make it look like you're after money.

      c.

      --
      Log in or piss off.
    2. Re:Job opportunity? by torpor · · Score: 5, Informative

      "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money"

      Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.

      Some guidelines for the current situation:

      - Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.

      - Send a copy of this report to your schools administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.

      - Be thorough and complete, and make sure you explain why you are being so thorough.

      - Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.

      - Be courteous about this problem. It is not one single person's problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.

      - Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...

      Always, always, always try to remember that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then it's going to get you into more trouble than you expect ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    3. Re:Job opportunity? by Glonoinha · · Score: 1

      http://boston.internet.com/news/article.php/2110441

      Somewhere between 'hacking the data' and 'posting it on the web page' or doing whatever he was going to do with it (expose a massive security flaw, perhaps?) a college kid at UT got caught doing exactly this. He hadn't even done anything with them yet except possess the information.

      Best quote of that article: "If convicted, he could face a maximum term of eight years in a federal prison and up to $500,000 in fines."

      --
      Glonoinha the MebiByte Slayer
    4. Re:Job opportunity? by Anonymous Coward · · Score: 0

      Don't be stupid.
      Any attempt you make to correct this directly yourself will result in punishment.
      Go to an anonymous AP and post the info on Usenet.
      After they are brought to their knees and made an example of, others will have more reason to behave.

  2. Bad idea! by 42forty-two42 · · Score: 4, Interesting
    "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school."
    If you're going to blackmail your school (and threaten to break various computer crimes laws), don't post about it on a high-traffic site beforehand! Better would be to talk directly to the network admin and offer to show them a live password-capture session.
    1. Re:Bad idea! by Anonymous Coward · · Score: 0

      Yeah...there are some people on Slashdot, but this guy is one of the dumbest I've seen yet.

    2. Re:Bad idea! by yotaku · · Score: 4, Informative

      I'm not so sure about this. Although I guess now that you've posted here you had better speak up. But if it was me, I'd have just kept my mouth closed. I know someone who reported a security flaw in my high school's network and was promptly banned from using any school computers except under supervision and suspended from school for a week.

    3. Re:Bad idea! by 42forty-two42 · · Score: 4, Funny
      Yeah...there are some people on Slashdot, but this guy is one of the dumbest I've seen yet.
      You're new here, aren't you?
    4. Re:Bad idea! by Anonymous Coward · · Score: 0

      I know someone who reported a security flaw in my high school's network and was promptly banned from using any school computers except under supervision and suspended from school for a week.

      Sounds like an argument for home schooling to me (as if the education one gets from a public school wasn't argument enough).

    5. Re:Bad idea! by skinfitz · · Score: 1

      Better would be to talk directly to the network admin and offer to show them a live password-capture session.

      Imagine if all along they have been running HTTP over IPsec - boy would his face be red.

    6. Re:Bad idea! by schnipschnap · · Score: 1

      Sure, but home schooling is not allowed in every country, and 18,000 students seems to be a university, not a proper high school, and you can't get a university degree at home etc.

    7. Re:Bad idea! by bhtooefr · · Score: 1

      What? I can get a university degree from home for a very small fee! I just wonder why this e-mail is in my "Spam" folder...

  3. UM... by ewhenn · · Score: 4, Insightful

    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned

    If this page really allows you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other people's passwords online?? Wouldn't that violate THEIR privacy? I mean if someone found a problem with my bank's online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number and PIN online. In fact I would sue the poster of that information if I could. Be careful where you tread.

    1. Re:UM... by Grab · · Score: 3, Insightful

      Dead right.

      By all means, sniff the passwords. But then put them in a document and circulate it to your department supervisors. Make sure the document says *exactly* what you did (every step of the process). It would be good if every step was within the IT policy you subscribed to (then they can't lynch you for that), although as a whistle-blower this may not be necessary. And NEVER use those passwords, otherwise you could be done for hacking into someone else's account.

      Don't even think about asking for money - as someone else said, this makes you look like a blackmailer. Initially you have to act simply as someone bringing in information. What they choose to do with the info is their decision - most likely someone in the IT department *does* have the skills to fix the problem, it's just that they got some incompetent trainee to do it instead. If it turns out that the IT department needs your skills then you can negotiate a contract or you can do it for free, but NEVER state that to start with.

      Give out ONLY hard-copies - that way a Word document can't accidentally get put on the web or something dumb like that. This limits circulation - it's more effort to photocopy/scan than to forward an email, so there's less chance of the passwords going where they shouldn't.

      Finally, make sure a hard-copy goes to the school paper, with instructions to hold onto it for 2 weeks (or some arbitrary length of time), and have a good talk with the people running the paper before you tell the school authorities. Make sure when you raise the issue with the school authorities that you tell them you've given the info to the school paper, and tell them the time limit. That way, they know they need to fix things within 2 weeks before things go public. It also covers your ass by ensuring they can't lynch you as a scapegoat, because the paper will crucify them.

      Basically, examine every step you take and see how it could be used against you. Getting a couple of your friends to check through what you're doing would also be useful (and having a friend watching at crucial stages like sniffing the passwords gives you the extra backup of a witness).

      Grab.

    2. Re:UM... by Spoing · · Score: 3, Insightful
      By all means, sniff the passwords.

      Do *NOT* follow that advice.

      Follow this advice.

      If I have to say why, you're already treading on thin ice.

      When I've run system scans and dumps on systems I do not manage, I've asked first and shown the admins what I do exactly -- and that's in my professional capacity.

      As a student, make no doubts that you will not be treated well if they even think you are able to do this. The admins should get it, though others will not understand -- though if the admins did know WTF they were doing, they'd use HTTPS in the first place...right?

      Instead, I'd point out that you are concerned since HTTP is an insecure method and that others are likely to abuse your account and you want to know if the school is willing to take responsibility when that happens.

      Scare them into action but do so from the point of view of someone who would not even look themselves.

      In the meantime, use https:// in the URL yourself -- it will probably work -- and suggest friends do the same if it does.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:UM... by Glonoinha · · Score: 3, Insightful

      This sounds a lot like that college kid that decided to 'test' airport security a few months ago by sneaking a knife onto a commercial flight. Made it past security, got onto the plane, then announced his amazing feat of stealth and cunning to the crew. Ha Ha your security still sucks - I tested it and I am better than you - hey wait, it was only a test - hey who are these stormtrooper guys - ouch.

      Oddly neither the airport nor the government found his 'test' very enlightening. No, in fact I think he was facing several years in Federal Pound-Me-In-The-Ass Prison.

      Original poster: you are approaching this like a child in an adult world. It is obvious that you desire peer level attention and recognition for your 'accomplishments'. Trust me, as someone that was 'recognized' and 'acknowledged' by the university administration for 'hacking' his college computers (possibly before you were even born) ... recognition is highly overrated. That you even suggested collecting the list of passwords and placing them on a webpage at school shows incredible immaturity. Not because you said it, but because doing so is even a remotely viable consideration in your mind.

      You want to blow the whistle, then blow the whistle. If you see a serious breach of security and you feel the need to get it fixed, go to https://tips.fbi.gov and fill out that form, hit submit. I pretty much 100% guarantee that they will take you seriously. You can call them at 202-324-3000 if you want.

      Understand, however, that once you invite the government into any aspect of your life or business it is impossible to put that genie back in the bottle. This goes with any cute little pranks you enumerated like sniffing passwords or listing them on a web page at school.

      There is a fine line between helper and terrorist in today's environment and you really don't want to screw away your lifetime potential because you were being 'gifted and talented' in college. Not only do you not want to cross the line, you don't even want to be under evaluation as to which side of the line you are at - all it takes is one bureaucrat to misinterpret anything you have said and you are royally fscked.

      If you are here because you are genuinely concerned about massive lapses in the security as implemented at your university then consider whether or not you are ready to be a martyr for that security - because once you blow the whistle you can pretty much kiss goodbye any chances at graduation from that college. But the needs of the many outweigh the needs of the few and we are ok with sacrificing you as a pawn in the name of the overall good.

      If you are here to impress us with your 1337 haxor skillz - what you did wasn't 1337, it was merely a rite of passage for every systems guy worth his salt. About like programming a bubble sort in visual basic - everybody is proud the first time they do it, but it really isn't that big a deal.

      You want to impress us, do something none of us has done yet:
      Find Osama bin Laden, hell I think there is still a $25M reward for the information leading to his capture.
      Figure out a way to actually get the administration to fix their security. Do that and you will be our hero.
      Find a way to bring back the tech sector jobs that are being outsourced overseas. Do that and you will be our hero and we will rename Linux in your honor.

      --
      Glonoinha the MebiByte Slayer
    4. Re:UM... by NateTech · · Score: 0, Troll

      A bubble sort in VB is a rite of passage to become a sysadmin? Holy shit... I never knew!

      Someone better take my admin privs on my machines away now.

      The last guy I knew who knew how to program a bubble sort in VB also had zero idea how his e-mail got to his machine or his network file systems worked.

      I guess he won't be vying for the prized sysadmin position (ha! Riiiight...) anytime soon...

      Oh yeah, I think he knew one Cisco IOS command too -- "help".

      --
      +++OK ATH
  4. Show the problem to your school leaders... by joelparker · · Score: 4, Informative
    First, contact your school technical staff;
    they are the ones to fix this problem.

    Second, if the technical staff does not fix it,
    contact your school's Deans for intervention.

    Third, if the Deans do not get the problem solved,
    contact your school paper and ask for help.

    This all shows that you're a team player,
    in case you need to escalate it later.

    1. Re:Show the problem to your school leaders... by mar1boro · · Score: 5, Interesting

      Call me paranoid. In a perfect world this would be the ideal situation.
      If you are determined to get this fixed ( as you should be ), and you are
      on friendly terms with both your system admins and your school's administration
      then take the straightforward approach suggested by joelparker.

      If they do not know you, I would attempt to be a little more anonymous.
      If you point out laxities in their security, you will be the first person
      they think of when there is a problem. The security admin will probably
      also get his ass chewed by his boss. The admin will remember you.

      If you are still determined, do one of two things:
      1. Compose anonymous snail mails. One to the school's admin, and
      if this is a state school - one to the state's security admin at the
      department of education.
      2. If you have money, or can find an activist lawyer willing to do this
      pro bono - retain counsel and enter into a privileged communication.
      Have the lawyer communicate with the admins.

      Just remember - no good deed ever goes unpunished.

      --
      -- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next
    2. Re:Show the problem to your school leaders... by Profane+MuthaFucka · · Score: 1

      Are you crazy? First, the school network is not his responsibility. Therefore he should not report anything at all.

      Second, someone at that university is responsible for that network. That person might have gotten his job through political means, rather than displaying competency. That's likely, given the nature of the security hole. Pointing out the mistakes of politicians from a point of weakness is not a smart thing. He might be technically right, but I doubt that a college student has the financial means to PROVE that he's right in a court of law.

      If we have learned anything here, it's that pointing out that some people in power are idiots is dangerous.

      If he's going to do anything at all, he should do it completely anonymously. Write a letter. When you're done, throw away the pencil, and the pad of paper. Or burn both of them. Seal the envelope with a wet sponge, not your DNA laden saliva. Wear gloves the whole time. Mail the letter from a busy post office box. Keep the addressed side of the envelope out of view of any security cameras. Use a plain letter sized envelope without any distinguishing marks. Paranoid? Sure, why not.

      In the meantime, he should find some other secure way to change his password. Perhaps by logging in from a hardwired subnet that is unlikely to have a dorm full of sniffers on it.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    3. Re:Show the problem to your school leaders... by Danse · · Score: 1

      Gotta agree here. Anonymous is the way to go. While he certainly has every right, and perhaps even an obligation to complain about the problem since it's his personal info that is at risk here, it's all too common for the messenger to be stabbed, hung, shot, and dragged through the street in situations like this.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    4. Re:Show the problem to your school leaders... by Anonymous Coward · · Score: 0

      Another alternative may be to point out the flaw to some reporter, who in many western countries are above the law, at least if the headlines are lurid enough.
      Even if they are not, they know a lawyer; the poster does not, since he is posting on Slashdot instead of asking that lawyer first, so I'll take for granted he doesn't have one (not even an elective law class teacher) to advise him in this case.

    5. Re:Show the problem to your school leaders... by flonker · · Score: 1

      Yes! An anonymous message is the best course of action. If they know who you are, they *will* assume you compromised the system. Then they may take legal action against you. By that point, you're fucked, even if you're in the right. You'll lose a good year or two of your life defending yourself, and paying legal fees.

      Communicating through a lawyer is also good, if expensive. If they're involved from the beginning, then it'll be cheaper than getting them involved later on. Try contacting the EFF, they should be able to help. At the very least, you'll get a lawyer's opinion.

    6. Re:Show the problem to your school leaders... by Anonymous Coward · · Score: 0

      "That person might have gotten his job through political means, rather than displaying competency."

      You know I keep reading the competency thing and as one of these kinds of people that make applications this is just insulting.

      Politics is one reason, having no fucking cash is another.

      For instance, I have a test tool that is used by a good number of profs. It's not the most secure, but that's why it's clearly stated it is for low stakes testing. Honestly, I think students should get half the score just for doing this testing because it helps reinforce knowledge.

      For a year or two it didn't have HTTPS to encrypt the data. We *ALWAYS* had snot nosed kids from the technical departments screaming that it wasn't secure. Hell, we'd have snot nosed profs screaming about this.

      The thing was, all of this had to be done either through the university's network, or if at home, logged in through a VPN. The VPN is secured right there. The school's networks were all routed through secured devices that one would need both a physical key and a password to get to, as they were in locked rooms. To sniff the networks, you'd have to go through as much trouble as it would have taken to do a man in the middle trick. In fact, it would have been easier to do the man in the middle.

      Costs kept our department from utilizing HTTPS as students didn't want to use the self-signed certs, and at the time, we didn't have $500 sitting around that anyone was willing to release to buy the certs. We actually have *MORE* problems with the self-signed, even with a page of explanation, than we did with no certs.

      Even if we did, we had far more important items that needed to be purchased with this money -- like keeping students employed so they could do work that was supporting their education and so they didn't have to work at the Taco Bell (which was actually as competitive with the salaries as we were), and figured that a little insecurity is worth the problems we might have.

      Past that, pointing out that folks in power are idiots can be dangerous because the folks that turn out not to be idiots can be pretty fucking vindictive when they know they can make 2x in the 'real world' (as all their friends tell them), but choose to do something where it's more rewarding because you hope you are making a difference in people's lives (I have 6 students working with me in various capacities a semester -- most if not all learn far more in my environment than they do in their university classes which only exist to give them a head start on understanding the principles -- universities NEVER teach you how anything works, they give you the ability to learn how things work for later life experiences -- hence all the bullshit courses you have to take -- I hope my end of things helps even other shit out). When we get vindictive about this because some snot nosed bastard makes a stink about it, we do all we can in our power to fuck with them.

      Challenge authority all you want, just realize that the tables can be turned around just as easily.

    7. Re:Show the problem to your school leaders... by Profane+MuthaFucka · · Score: 1

      having no fucking cash is another.

      If a university has enough money to automate its systems and pay for a fast internet connection, then it very well can afford $500 to buy a cert.

      You know I keep reading the competency thing and as one of these kinds of people that make applications this is just insulting.

      I suggest that you stop being insulted, and do whatever you can to become competent. Skipping a secure connection because of $500 isn't competent. Hell, even your overly long defense of the bogus reasons why $500 is too much to spend is incompetent; I was completely unconvinced. Bored even. Yawn.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  5. No no no by FattMattP · · Score: 4, Insightful
    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.
    So you're going to point out how insecure their network is by placing 18,000 students' accounts in more danger than they're already in? You'll end up in jail for "hacking" if you do that. Seriously.

    What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.

    Whatever you do, DO NOT sniff the network and post the results. Don't even show them privately to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.

    --
    Prevent email address forgery. Publish SPF records for y
    1. Re:No no no by Biochrome · · Score: 5, Informative

      You'll end up in jail for "hacking" if you do that. Seriously. I merely nmapped our server, and I spent a night in jail, and lost all computer privileges forever at school. Do NOT even act like you may be compromising network security... you'll end up in a boatload of trouble.

    2. Re:No no no by shfted! · · Score: 1

      Reminds me of that one time I set off security alarms for port scanning an entire 255.255.0.0 network. Let's just say that was a mistake ;)

      --
      He who laughs last is stuck in a time dilation bubble.
    3. Re:No no no by borius · · Score: 0

      I'm shocked. You went to jail for nmapping a server? WTF! They can't do that, it's not illegal. Taking your computer privileges is one thing, jail another... What country do you live in?

    4. Re:No no no by Frisky070802 · · Score: 2, Informative

      I'm with you there. Just think about what happened to Randal Schwartz at Intel a few years ago!

      --
      Mencken had it right. So glad that's old news.
    5. Re:No no no by Anonymous Coward · · Score: 0

      Uhh, it doesn't sound like they shouldn't have overreacted. From your website:
      I got suspended from school for another two days, for stealing shit. Goddamnit, I'm stupid.

    6. Re:No no no by Anonymous Coward · · Score: 0

      Or also this: "I'm a fucking genius. I got caught "hacking" the school server. Hacking as in randomly selecting a bunch of folders and deleting them, because a teacher left her account locked in. A few hours later, the network administrator pressed the "undo" key, and I got banned from the school network. Wow"

    7. Re:No no no by Anonymous Coward · · Score: 1, Informative
      (Copied from his blog): "I'm a fucking genius. I got caught "hacking" the school server. Hacking as in randomly selecting a bunch of folders and deleting them, because a teacher left her account locked in. A few hours later, the network administrator pressed the "undo" key, and I got banned from the school network. Wow"

      The guy obviously has been causing a lot of intentional damage already. His blog also talks about him stealing things from his school. If he went to jail, he probably went for a ton of other things as well.

    8. Re:No no no by pete6677 · · Score: 1

      I do hope you sued for false arrest. No way could you have been legitimately arrested. They did it strictly as a scare tactic, hoping that you would crack and confess everything that you did along with some terrible things that you didn't do.

    9. Re:No no no by Anonymous Coward · · Score: 0

      I call bullshit. You can't get arrested for portscanning a computer. At least not in North America. Not likely in Europe either. I think this is the story you trot out to your high school friends to make them think you're hot shit.

  6. Damned if you, damned if you don't by G4from128k · · Score: 3, Insightful

    IANAL, but I suspect that if you intentionally demonstrate the insecurity of the system, you will be sent to jail. Ask a lawyer, but I suspect that their advice will be to not do anything that involves you breaking into the system.

    On the other hand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.

    At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem might get you in hot water for the terrorist crime of "hacking."

    I feel for you. Be careful.

    --
    Two wrongs don't make a right, but three lefts do.
  7. Inspiration by MegaT · · Score: 3, Interesting

    So Slashdot, what is a concerned student to do?
    this?

    1. Re:Inspiration by 0BoDy · · Score: 1

      Please note that this example of a hacking exercise was sanctioned, and the school knew about it. Also, IANAL but I don't think this is covered under FERPA, so there's not as much risk to the admins. Moreover, these admins appear to be open to criticism vs. those at a college. Think about it.

      --
      Can I be a Luddite too?
  8. Do not! by AresTheImpaler · · Score: 1

    I would recommend you not to get the passwords and user names. I know you are not going to be using them to do anything harmful, but it is illegal. Instead of doing that get one or two professors to back you up. If those in the IT department don't pay attention to you, you would have a professor that could talk to the dean or someone 'important' that would get the attention of the admins.

  9. Sniffing's a bad idea by the_truk_stop · · Score: 3, Insightful

    While sniffing passwords sounds like a great way to get students' awareness up, that's generally an extremely bad idea. While the administration sounds like it's being incompetent, you posting sensitive information online will quickly get you slapped with legal issues.

  10. Re:failure by Anonymous Coward · · Score: 0

    Yeah, that's 'cuz I forgot the 20 second rule. I just hit Submit, got the 20 second warning (I had waited 17 seconds, apparently), hit back, and had to type it in again, then wait 20 seconds. At least 45 seconds total.

  11. No ultimatums... by isaac · · Score: 4, Informative
    Do not make an ultimatum. You WILL be subject to disciplinary procedures, and probably prosecuted. If speaking to the campus technology people responsible (and I mean speaking to the people who are *really* responsible - the managers, not the helpdesk) for these systems and networks about your concerns produces only indifference, you should drop the F-bomb - FERPA, the Family Educational Rights and Privacy Act. Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN. (Directory information, such as your name, and the fact that you're a student, is not automatically protected from disclosure by default, but you may request that such info not be disclosed to third parties.)

    I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.

    Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
    1. Re:No ultimatums... by GigsVT · · Score: 2, Interesting

      Yeah, but there doesn't seem to be a clear cut line. From what he's said, the data is pretty much secure. As secure as any normal data was 15 years ago.

      Sure, it could (and probably should) be more secure, but does FERPA lay out detailed standards for encryption and data security practices? I personally don't know, but I seriously doubt it.

      (On the other hand, I see no use in putting that data on the web, of course he knows his own SSN and personal info.)

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:No ultimatums... by Anonymous Coward · · Score: 3, Insightful

      Remember also that you catch more flies with honey than with vinegar, and even if you drop the "F" bomb, a pissed-off vice chancellor or IT manager can stonewall like you can't even comprehend while appearing to any outsider to be dealing with an unreasonable student as responsibly as possible.

    3. Re:No ultimatums... by Creepy+Crawler · · Score: 1

      Yeah... and when you file suit with FERPA, ALL governmental funds are CUT.

      Fuck the IT manager. This affects EVERYBODY!! that's what you plan when you do this,....

      --
    4. Re:No ultimatums... by Anonymous Coward · · Score: 0

      Exercise: How many schools to date have had government funds cut off for a FERPA violation? It's not as much of a threat as you think it is--just because schools make a good faith effort to comply does not mean they have to take direction on security practices from a rogue student.

    5. Re:No ultimatums... by bcrowell · · Score: 2, Insightful
      Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN.
      IANAL, but I believe there are some big exceptions written into the law. Your information can be given to anybody who has a legitimate educational reason to see it. I also don't think the law spells out any particular level of security that's required. The only kind of stuff that really gets you in trouble as a teacher or administrator is something silly like posting people's grades on the door of your office at the end of the semester.

      The OP just needs to get a better grip on reality. His SSN is not a well kept secret. Anybody who really wants to find out his SSN can easily do it. I also think he's confused about the "proprietary" student ID number as opposed to an SSN. Using an SSN for anything but social security is both a security risk and an invasion of your privacy. His school is doing the right thing by switching away from SSNs.

      The basic solution is that he should not use a valuable password on this particular account. Problem solved.

  12. At Northwestern University... by the_truk_stop · · Score: 3, Interesting
    ...the page where you change your password has a Javascript app that will check if your password meets the Northwestern University IT guidelines.

    If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."

    Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.

    1. Re:At Northwestern University... by Nasarius · · Score: 1

      How exactly is this a security problem, unless someone happens to be watching over your shoulder?

      --
      LOAD "SIG",8,1
    2. Re:At Northwestern University... by LittleBigLui · · Score: 1
      How exactly is this a security problem, unless someone happens to be watching over your shoulder?

      Well, there IS a reason why password entrance fields usually only give asterisks as feedback.
      --
      Free as in mason.
    3. Re:At Northwestern University... by the_truk_stop · · Score: 1
      Shoulder-surfing is exactly the security risk. The guys around me in my dorm are fairly competent with computers. One in particular likes to gain access to other people's computers and mess around wreaking havoc. Him having my password is a dangerous proposition.

      Having my password displayed in plaintext against my will is even more dangerous.

    4. Re:At Northwestern University... by Glonoinha · · Score: 1

      If you have one 'super duper' master password that you use for everything and never change it - you are already screwed. In fact the more 'super duper' it is the more you are screwed because you trust it with everything because you think nobody can guess it or hack it. When someone figures it out (and it happens) you are screwed across the board and the damage isn't sectioned off to just one thing like your college network.

      Work up a scheme of passwords for different layers of security :
      - one set of passwords for web sites like this - message boards under an alias, no financial damage if compromised.
      - a different set for your eBay / Visa web sites
      - a different set for your secure boxes at home with your porn and warez
      - a different set for use on other people's secure boxes / networks (like work or school.)

      Change them from time to time. Use a different password for administrative access to your 'secure' systems than you use as a day to day user.

      It is no longer a question of whether or not someone is going to get your password, it is a question of how much damage will they do when they get it, and how long they can use it without you knowing they have it. Which is worse, to have someone get your password and do something malicious the same day (and thus you find out about it and have to clean up whatever he did) or have someone know your password and silently shadow you for the next three years - reading every email, downloading and archiving every file, and monitoring your every online move?

      --
      Glonoinha the MebiByte Slayer
    5. Re:At Northwestern University... by the_truk_stop · · Score: 1
      one 'super duper' master password...for everything and never change it

      Actually, I have a "super duper" password that's an unspecified-but-very-large number of characters long, was randomly generated, includes alphanumeric and punctuation characters, and I learned by brute force memorization and repetition. I use that for root's password and GPG.

      My lesser password I keep at 10 or more characters. It's got alphanumeric and punctuation characters. I change it yearly.

      Oh yeah, and I have a separate BIOS password. :) I use public key encryption for password-less login over SSH. Heck, I check for keyloggers when using my college's computer labs!

      So here's the punchline: I act paranoid out of principle.
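The password-policy popup complained about in comment 12 is a reporting bug, not a policy bug: the checker has to know the candidate password, but its feedback does not. The following is an added example (not code from the thread or from Northwestern IT) of a client-side checker whose messages name the failed rule without ever echoing the candidate; the rule set itself is constructed for the example.

```javascript
// Added example: client-side password policy check whose feedback never
// contains the password being checked, so a popup or inline message built
// from it cannot leak the value to a shoulder-surfer. The rules are
// constructed for this example and are not any school's actual policy.

const PASSWORD_RULES = [
  { name: "at least 10 characters", test: (p) => p.length >= 10 },
  { name: "contains a lowercase letter", test: (p) => /[a-z]/.test(p) },
  { name: "contains an uppercase letter", test: (p) => /[A-Z]/.test(p) },
  { name: "contains a digit", test: (p) => /[0-9]/.test(p) },
  { name: "contains punctuation", test: (p) => /[^A-Za-z0-9]/.test(p) },
];

// Returns the names of the rules the candidate fails (empty when it passes).
// Only rule names come back; the candidate is not part of the result.
function failedRules(candidate) {
  return PASSWORD_RULES.filter((r) => !r.test(candidate)).map((r) => r.name);
}

// Unsafe message builder: mirrors the popup described in the thread, which
// quotes the rejected password back to the screen. Shown only as the defect.
function unsafeMessage(candidate) {
  const failed = failedRules(candidate);
  return failed.length === 0
    ? `"${candidate}" is acceptable`
    : `"${candidate}" is rejected: ${failed.join("; ")}`;
}

// Safe message builder: describes what is missing and nothing else.
function safeMessage(candidate) {
  const failed = failedRules(candidate);
  return failed.length === 0
    ? "Password accepted"
    : `Password rejected. Missing: ${failed.join("; ")}`;
}

// Self-check a page can run on its own feedback: does the message contain
// the candidate text? Returns true for the unsafe builder, false for the safe one.
function messageLeaksPassword(message, candidate) {
  return candidate.length > 0 && message.includes(candidate);
}

// Browser wiring (skipped under Node): feedback goes to a text element,
// and the input field keeps its masked rendering.
if (typeof window !== "undefined" && window.document) {
  const input = document.querySelector("input[type=password]");
  const feedback = document.getElementById("pw-feedback");
  if (input && feedback) {
    input.addEventListener("input", () => {
      feedback.textContent = safeMessage(input.value);
    });
  }
}
```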

  13. Georgia Tech by Anonymous Coward · · Score: 0, Interesting

    The submitter doesn't mention his school, but this is exactly the situation at Georgia Tech.

  14. obvious by sporty · · Score: 2, Informative
    1. talk to parents. explain to them thoroughly what the situation is.

    2. get a lawyer. you have a right to use their networks, not admin it. you can point things out, and use the system as intended, but that's as far as it goes. i.e. http vs https. changing other's passwords and what not is something for your parents and a lawyer to discuss with the school.

    --

    -
    ping -f 255.255.255.255 # if only

    1. Re:obvious by littlerubberfeet · · Score: 2, Informative

      I agree. Do ALL communication through that lawyer. That alone will probably scare them into making changes.

      DO NOT give up the protection of a lawyer under any circumstance, because they will screw you over. If changes aren't made, have your lawyer send a cease and desist for violating FERPA, the Family Educational Rights and Privacy Act.

      Lawyers are expensive. I bet you could find one to take this on pro-bono. Ask around, email the ACLU and EFF.

      --
      Sig (appended to the end of comments you post, 120 chars)
  15. Suggestion by theantix · · Score: 3, Informative

    Do *not* sniff passwords or publish them, unless you want to face some nasty consequences. What you should do is draw up a list of the tools required to sniff the passwords and give them a recipe as to how someone could crack their security.

    From what you've said there... You should say something along the lines of "A person could sit in the school parking lot with a laptop and a wireless networking card, and run the program 'Ethereal' to watch the network traffic. This person could literally watch the login IDs and passwords, and use that information to get your SSN and other vital and private information."

    Pass that along to IT, your school administrators... if that doesn't get them hopping try passing the story on to your local community newspaper. That would be much safer than risking the legal repercussions of cracking passwords yourself.

    --
    501 Not Implemented
  16. Suggestions by alienw · · Score: 1

    I have the following suggestions for you:
    - Don't change your password over the wireless network
    - Don't stir shit up too much. Complain to somebody in the IT department, and then complain to someone in a position of authority (the dean, etc).
    - If that doesn't produce the desired results, forget about it. DO NOT threaten anyone with anything, and don't tell anyone you sniffed passwords. Doing that can land you in jail pretty easily, assuming the network administrator is sufficiently incompetent.

    Otherwise, just forget about the whole thing. SSNs and DOBs are not very hard to obtain, you know.

  17. Honestly? No techies. by JabberWokky · · Score: 5, Informative
    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way; making you a scapegoat and likely sending your ass to jail.

    Go to a Dean, the highest level one you can get a good ten minute discussion. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publicly announcing such a discovery can lead to serious consequences.

    In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the repercussions that whistleblowing this issue may have.

    If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  18. MOD PARENT DOWN by Fortunato_NC · · Score: 4, Interesting

    Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
  19. In my job... by davidu · · Score: 1

    I always wonder who the kind of people are who say things like:

    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.

    I mean, come on. This has nothing to do with computers -- if you just think about that for one second doesn't it strike you as mildly idiotic?

    Just don't do it. If you are concerned about security, write a letter to the editor of your paper or an op-ed piece and explain what could be done by anyone but make clear that you have not done it. Just get the facts out into the public without implicating yourself or laying down threats. School administrations dislike bad press, even from the annoying school newspaper. Parents call in, kids complain and if you do your research you might find some relevant laws that it breaks by them implementing this so poorly.

    -davidu

    --

    # Hack the planet, it's important.
  20. Re:Legal repercussions for the school by alienw · · Score: 4, Informative

    Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.

  21. It depends on who you know. by consolidatedbord · · Score: 4, Interesting

    If you go to the principle, you will probably get suspended/expelled for "hacking" the network. I went to 2 highschools. At Highschool A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you that is. ;-) ) At Highschool B, there was a well established tech community that the assistant principle was a close part of. The on-site LAN admins were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, perl, html, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I became buddies, and a trust was formed with me, him, and the assistant principle. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall however, having a history teacher at Highschool A who would periodically pull me and a fellow tech out of class to fix computers. A trust was formed between us, and him. The best advice for reporting this, would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone, you only made a simple observation and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.

    --
    while true ; do echo this is my sig; done
    1. Re:It depends on who you know. by Anonymous Coward · · Score: 0

      You graduated high school without knowing how to use "principal" in a sentence?

      Wow. Rock on.

  22. Many players by linuxwrangler · · Score: 3, Informative

    First consider your goal. I presume it is to get them to fix the problem rather than to extort money, humiliate them, etc.

    Given that assumption remember that there are many players. There are the software writers and network admins. They may be afraid of being made to look bad in front of their superiors. They may know the problems and be working on them. They may simply be doing all they can with the resources that have been given them.

    Work your way up from there. IT Department heads may try to claim it isn't a problem (prevent embarrassment), indicate the need for more resources or may be in the dark because their people screwed up and hid the problem.

    The legal department and higher administration will be worried about liability and bad press. As such, any "demonstration" you put on can be used against you. Suddenly you will be the bad guy - the evil cracker. They may even try to go after you legally to cover their asses.

    Others have mentioned S-O legislation. There may be a compliance officer on campus who you can contact.

    So what to do?

    I would write a detailed letter describing the problem in layman's terms. Profess ignorance to allow people to save face (phrases such as "perhaps I am unaware of fixes that are already in the works", and "I know running a student network on a tight budget is difficult...") and express your desire that this matter be handled quickly and without the need to involve outside parties but insist that it must be handled.

    The "ignorance" method also allows you to send the letter to a wide recipient list without looking like you are trying to skewer any particular person or department: "I apologize for the wide distribution but I'm not sure who is in charge of such a matter as it involves S-O compliance, student privacy, IT etc..."

    You may want to offer recommendations (perhaps this system should be taken offline to protect the sensitive data until the security problems are repaired) and offer your assistance. If you offer to arrange a demo and they accept, request that they set up a dummy account. This helps isolate you from liability and demonstrates your concern for privacy.

    Other avenues if the "good-guy" method fails: many universities have a student ombudsman, there may be state or federal S-O compliance resources and finally, there is the press.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  23. Er, you mean HIPAA... by itwerx · · Score: 1

    Sarbanes Oxley has nothing to do with it.
    HIPAA, on the other hand, has some clout.

  24. Seriously? Here's a list: by np_bernstein · · Score: 1
    By no means is this a complete list, just off the cuff:

    • your parents
    • your teachers
    • other students
    • town paper
    • the school principal/headmaster
    • the superintendent of schools
    • the PTA
    • the school board
    • your mayor
    • your town selectmen
    • your congressman/woman
    • the EFF
    • the aclu
    • a lawyer
    • Jesus
    • Mary
    • Joseph

    Seriously, though, I'm guessing you have a phone book. There are so many resources that you could use. I'm not meaning this as a knock against you, but you could try google, or take a second to think about the resources available to you.
    --
    RandomAndInteresting.com defending the world from stupidity since 1979
  25. Advice? Be careful what you say. by MBoffin · · Score: 1

    I don't know all the ins and outs, but it seems to me that many people have been burned by the DMCA for trying to let others know about their security problems. I can't remember how many stories on Slashdot I've read that seemed utterly ridiculous because someone was in legal hot water for trying to help some company/institution/organization get their security issues known about.

  26. Any chance it really is encrypted? by itwerx · · Score: 1

    I've seen some apps that ran over plain old HTTP but had a Java applet that was a VPN client so they were essentially just tunneling the encrypted session via port 80.
    (Yeah, I doubt that's the case here too... :)

    1. Re:Any chance it really is encrypted? by yomegaman · · Score: 1

      That's what I was wondering also. I have a faint recollection that that's how Travelocity used to work, all the pages were http but they used some javascript thingy to encrypt and send off the stuff you entered into the form fields. Maybe the school is using something like that?

      --
      ...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
  27. Proprietary user id and password? by merdark · · Score: 1, Interesting

    What are you on about with the whole "proprietary user id and password" nonsense. We usually call these things just "username" and "password". Proprietary usually refers to some sort of intellectual property of some value, like source code or wiring diagrams or similar.

    It's not a synonym for "something I don't like". Weirdo.

  28. Can you say lawsuit?? by nes11 · · Score: 1

    Nobody seems to have mentioned this, but if the school is knowingly posting student data, then they are in open violation of FERPA (Family Educational Rights and Privacy Act). If you notify them of the problems & they still refuse to do something, you have every right (& possibly the responsibility) to sue the hell out of them.

  29. At my secondary school.. by Anonymous Coward · · Score: 3, Interesting

    At my sec school I got in trouble three times. Once because I used megaproxy.com to access Hotmail to send some work home (interestingly enough, megaproxy.com was stuck on a post-it on the side of the server (yes, the server was just on a desk in a little closet!) - the council, not the school, have authority over what's blocked, so my guess is the teachers used that site to access things which were blocked too....). I got a little ticking off for that. The teachers knew it was silly and had had lots of complaints from students, but had done nothing about it.

    The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.

    The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over windows and one of the features was that it prevented you from typing "C:\" in a file dialog box. A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box then eventually the software will be too slow, windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check created by, but said person had friends right at the top...hmmm.....CORRUPTION..).

    That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.

    The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.

    It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.

    The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.

    Good luck.

    1. Re:At my secondary school.. by 0BoDy · · Score: 2, Interesting

      It all goes back to this: anytime you make something illegal, then only outlaws can do it. From compiling programs to owning a gun, the Patriot Act and American policy seem to be making being a white hat illegal. They welcome folly by only allowing black hats who are really dangerous to continue their activities (for lack of a better word). Maybe we need to start a slashdot letter writing campaign???

      --
      Can I be a Luddite too?
  30. Re:failure by eizan · · Score: 1, Troll

    This has nothing to do with the above posting.

    I post here because of the importance of my message:

    DO NOT break security to prove its ineffectiveness. It is ILLEGAL and you will get into major trouble for it.

    Find ways to speak with the local sysadmin, show them how vulnerable they are-- most responsible ones will listen no matter who comes and tries to speak with them.

    But remember this: when dealing with somebody who might consider themselves an "adult" compared to you, approach with an air of maturity and try to reason with them, if anything, for the sole purpose of responsibility. If you believe in your ideals, don't give up, but NEVER resort to irresponsible behavior-- you will be doing more harm than good for both you and your classmates.

  31. First of all, finish your homework and hand it in by Anonymous Coward · · Score: 0

    The security is not your responsibility - you should be studying.

    If you are worried about security, then after you have finished all your studies write a letter on a piece of paper and mail it to the most senior head of department you can think of, and cc it to the head of another department, and keep a copy for yourself, for your records in the years to come. Then you have done your job. Well done.

    Your letter should be polite, friendly, positive, typed, with a handwritten signature and note at the bottom.

    Then get on with your studies and be proud of yourself for doing the right thing. Chill out.

  32. WTF? by Anonymous Coward · · Score: 1, Insightful

    If your post has nothing to do with the one above yours, why did you reply to it?

    If it's so important, why don't you start a new thread?

    Idiot.

  33. Release the hounds... by Anonymous Coward · · Score: 0

    Provide a link so that the slashdot masses can slashdot this insecure server into oblivion!

  34. So tell me, little shaver, by Mordant · · Score: 1

    just where did you say you go to school? ;>

  35. SSN?! by psyconaut · · Score: 4, Insightful

    " I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."

    Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!

    -psy

  36. Re:Legal repercussions for the school by JackAsh · · Score: 3, Informative

    Some of my respondents here are absolutely right - it's HIPAA I'm talking about, not S-O. What can I say, long day at the office, been working so much on compliance for both they're freaking interchangeable in my mind by now, etc. etc. Still no excuse.

    First, IANAL (as evidenced by my previous stupid message naming the wrong act). In any event, my understanding is that although HIPAA was originally enacted/intended as a Health-Care related act, its effects have been interpreted to apply outside of Health Care and to any industry that stores people's private, personal data. One of the big flags the act applies is storing social security numbers.

    Rule of thumb is that if you see something private stored or transmitted somewhere it needs to be seriously secured. Seriously secured is roughly defined as encryption for every stage of the data lifecycle, from storage to transmission; as well as access control measures and all that jazz.

    So anyway, a whole bunch of industries are running around with their panties in a knot because of these new privacy regs. Then you have happy California's 1386 stuff which I think was meant for online shopping but ended up saying something like that if someone hacked your entity and gained access to customer data you have to notify every single member of that customer population that resides in California or be banned from doing any kind of business in that state. I'm sure that strictly speaking the laws apply only to some very specific instances, but that hasn't stopped people from panicking just in case it could be twisted into applying to them. I'm sure that my explanations are grossly overgeneralized, but they do serve the purposes of this conversation. :)

    The point being, there's cool new regs that protect your privacy. Make sure your school is taking them into account. I wouldn't be hostile about it, but they might just need a pointer in the right directions.

    Good luck,

    -Jack Ash

  37. I think we go to the same University by Phleg · · Score: 1

    Send me an email (ste phe n@t ous et. org) so I can find out if you go to the same University I do--the description matches perfectly. If so, the both of us will probably have better chances of changing something. Especially considering I know most of the Student Government and IT folks there.

    --
    No comment.
    1. Re:I think we go to the same University by EaTiN+cOfFeE+bEaNs · · Score: 0

      I also think that we go to the same University. If my URL matches where you go, please say something.

      --
      No TiVo and no caffeine make me something something...
  38. Platinum cards by aminorex · · Score: 2, Funny

    A few credit applications using the Dean of Students'
    home address and the names/ssns of ten or twenty
    lucky students would get some attention, I reckon!

    --
    -I like my women like I like my tea: green-
  39. Watch out! by Psychor · · Score: 1
    You shouldn't have told me that... you can bet I'm going to sit outside your school sniffing wireless traffic now, so I can find out your date of birth and SSN. I hope you have plenty of car parking for the hacker influx!

    Or perhaps not. In the grand scheme of things, this is a very minor issue, the details aren't that significant, the time taken to procure them would be excessive, and I doubt that a large proportion of students even use the wireless network. You should perhaps consider yourself lucky to have access to such a network at all, not kick up such a fuss posting articles on Slashdot full of hyperbole just because the login form uses HTTP instead of HTTPS, and certainly not advocate sniffing the network yourself and violating others' privacy.

    Let's face it, your school computer account is unlikely to be of interest to most of the world. If you really feel the need to raise the issue (personally I don't think it's even worth the effort), speak to the person in charge of the school network, and if they don't do anything and you still consider it to be a significant issue, schedule a meeting to raise the issue with the principal. Certainly do not direct threats at anyone.

    1. Re:Watch out! by Anonymous Coward · · Score: 0

      SSN and DOB aren't important!?

      those are very important (and very difficult) to keep secret. they are all that is needed to steal your identity, take credit cards out in your name and in general make a mess of things.

  40. Re:Legal repercussions for the school by user+no.+590291 · · Score: 1

    WTF--unless the school is a publicly traded company, Sarbanes-Oxley doesn't even apply. FERPA, yes. GLB (if the school deals in student loans, most do), yes. S-O, no.

  41. bah by Maskirovka · · Score: 2, Funny
    Should I send an e-mail with an ultimatum.

    Nah.
    Just post the name of your school here and let the problem take care of itself.

  42. Good practice in exposing exploits by basking2 · · Score: 1

    OK, I skimmed the topics and didn't see anything that really targeted this idea, so here it is...

    First, go to the school with a nicely written letter explaining the vulnerabilities, the impact and why it must be fixed. Tell them that you intend to publish your findings after a month or so or later if the school needs that time to fix the problem. The idea is to fix a date so that the school fixes the problem.

    Again, our goal is to fix the problem. Not arm the baddies.

    If you fear that you will be sued for some odd reason (and unfortunately, our governing officials in the US do not understand security very well) grass roots is powerful. Word of mouth is devastating. The down side is that this method will almost surely alert the wrong folks to the problems before they are fixed. If it makes you feel any better, the problems you are describing are so trivial that I'll wager that they are already being exploited.

    On a final note, you as a technical person able to help others have, in my book, an obligation to try and help fix this. I think you already understand this (hense your post to /.) so bravo to you! Fight the good fight.

    --
    Sam
  43. Today's experience with school IT people.... by corpsiclex · · Score: 1

    I was in the library reading slashdot on..shudder..Windows when the impossible happened: IE.EXE crashed. I begin to hold the power down button for a cold boot.
    [IT Bitch walks over]
    IT Bitch: What do you think you're doing?
    Me: IE.EXE Crashed. Big Surprise.
    IT Bitch: Normally people come and get us when that happens.
    Me:
    IT Bitch: What were you doing?
    Me: Reading /.
    IT Bitch: What's that?
    Me: *stare*
    [IT Bitch informs me that the thing to do is reboot the terminal]
    IT Bitch: What was all that typing? I heard a bunch of typing...
    Me: I was typing a URL in the address bar
    [IT Bitch checks the CD drive. Empty. Looks disappointed]
    IT Bitch: Show me /.
    [I show her slashdot]
    IT Bitch [upon noticing the 'Hardware Hacking Projects for Geeks' banner advertisement] kicks me out of the library.
    And don't get me started on my 2 day suspension for distributing Linux...

    --

    eBayDig 1s a typo saerch engien
  44. Above all, tact by Jmstuckman · · Score: 2, Interesting
    There are several ways to deal with this situation. The real question is how the IT staff will react to each of them.

    The most important thing to remember is that they're going to avoid losing face in front of their superiors at all costs. This reclaiming of face might involve lying or throwing you in jail. If you find a way to inform them of the problem *without* causing anyone to look bad in front of someone with influence, they'll be grateful.

    Half of business communication is learning how to tell people things without causing them to lose face in the workplace. The sooner you figure this out, the sooner you'll be successful in the business world.

  45. Walk away.... don't say a word... by Anonymous Coward · · Score: 0

    Walk away.... don't say a word...

    If your school is WTAMU, then just walk away... don't say a word about it... your info WILL be used against you. They will use anything to cover their asses... including you...

    1. Re:Walk away.... don't say a word... by Anonymous Coward · · Score: 0

      Well, what do you expect? They got a friggin link to Texas Homeland Security on their front page.

    2. Re:Walk away.... don't say a word... by Anonymous Coward · · Score: 0

      Yes, isn't it terrible that the school is concerned about security? Not like they have thousands of students to protect or anything...

  46. Your school newspaper by Anonymous Coward · · Score: 1, Insightful

    Take it to them, explain to their most technically savvy reporter (get their web guys to help if they have them), and get them to write a story. They can make the other students aware of the problem, and once a lot of students are aware, the administration won't be able to simply ignore it. They'll be forced to fix it, and it won't look like you were trying to blackmail them.

  47. Drop it by TheLink · · Score: 1

    You said you've already brought it up to them.

    If you're in the US (or France), unless you really like the people in charge of your school AND they like you, forget the whole thing.

    If they're not interested in fixing it, just walk away. There are better things to do. What's in it for you? Jail time?

    You're going to be in that school for how many more years? Just do your time in school and get out. Why risk doing time in jail as well?

    The whole world is not secured properly, but things still work because most people have better things to do than exploit every security weakness they see.

    --
  48. don't come close to threatening by Thu+Anon+Coward · · Score: 2, Interesting

    You want the school to kick your ass out because you threatened them with revealing their network secrets and not following their AUP (surely they have one?)?

    Instead, find some sympathetic influential faculty (especially if they have tenure) who can make life hell for those responsible. If they refuse to do anything, just report it to your local newspaper and document _EVERYTHING_ (either immediately write notes while in their presence or tape-record what their comments are while they deny any problems). If they turn purple or get irate, either way you got 'em by the short-n-curlies.

    You shouldn't have to put up with stupid people who endanger your future life because they won't protect your data.

    Hmmm, I wonder if this would make them liable for future cases of identity theft? Potentially big bucks!

    --



    I'm good with numbers - .45, 7.62, 9.....
  49. I've had this same situation by shfted! · · Score: 2, Interesting

    About a year ago, I noticed a fairly significant vulnerability allowing me to get the shadow passwords of any student in the CS program, as well as all faculty and staff at my university. Thankfully, I am on good terms with the CS computer administrator, and told him what I could do, and told him what to type to get it. Being plain old DES, the shadow passwords would have been trivial to crack using a dictionary approach.

    He immediately contacted the university CTS staff (they administer everything else), and it turns out they were aware of the vulnerability. I noticed that later that week the hole was closed in a hacked way, by simply disallowing use by regular users of a certain system binary.

    He also told me it was a smart decision on my part to come forward immediately with the information, because if they had found out that I knew and didn't tell them, I would have been expelled and barred from any post-secondary institution in North America for several years. I guess they keep a watch list somewhere.

    --
    He who laughs last is stuck in a time dilation bubble.
    1. Re:I've had this same situation by polyiguana · · Score: 1

      He also told me it was a smart decision on my part to come forward immediately with the information, because if they had found out that I knew and didn't tell them, I would have been expelled and barred from any post-secondary institution in North America for several years.

      Bullshit. Even if you were expelled, most schools won't say more than the vaguest idea why. It's to prevent them from lawsuits. Besides, you could just omit that institution from your transcript and they would never know, if that was the case (which it isn't).

    2. Re:I've had this same situation by shfted! · · Score: 1

      At a lot of institutions, omitting past attendance at other institutions is grounds for expulsion. They're rather picky about that around here.

      --
      He who laughs last is stuck in a time dilation bubble.
  50. Two suggestions by MobyDisk · · Score: 1

    1) Sniff student passwords, then email the passwords to those students. Nothing is compromised since you are only emailing someone their own password, but that will bring the security flaw to their attention. If you do this enough, then a lot of people will get frustrated with the school.

    2) Go to the CS department. There is probably some grad student who is doing a thesis on network sniffing or honeypots or wireless security or something. Have THEM do the sniffing under the watchful eye of their faculty sponsor. That way, it is protected as research (well, as much as is possible these days) and the school can only blame themselves.

    3) Okay, I said 2. Third is to go to the student government. Students going directly to the administration is seen as a challenge and they commonly respond by stonewalling. The Student Government is the appropriate organization to lobby on behalf of the students.

    1. Re:Two suggestions by 0BoDy · · Score: 1

      Under no circumstances sniff passwords, let alone send e-mails. As if getting jailed for hacking weren't bad enough, you'll be immediately reported as hackers by the people you e-mail. Once, I pulled all the AIM screen names out of an extensive forward and put them into my Buddy list. I started to IM them and tell them that their e-mail addresses were being distributed, and aspects of their privacy violated, and I was called names, cursed at, reported to AOL TOS (which doesn't do anything), and called a criminal. People whined about being harassed, but boy could I make a lot of money advertising using that info. . . .hmm

      --
      Can I be a Luddite too?
  51. I'm assuming you're in IT by Gary+Destruction · · Score: 2, Insightful

    I'm assuming that you're in IT in some capacity and not someone who just knows a good deal about networking and security. The reason I'm asking is because if you're not in IT and you approach them, they might talk down to you or attempt to discredit you. I'm sure you know what I'm talking about. The "Well what does he/she know about computers?" If you are in IT, you might want to approach them from the standpoint of an IT professional. You might say something like, "Hello. I was logging in and noticed something...." And make them aware that you are an IT professional/student so that they know you're someone that's speaking on a level playing field. And if you're a student, you could say something like, "Well in security class, I learned https and..." It's a tough situation because you don't want them to get the impression that you're snooping around and looking for something to exploit. At the same time, you don't want to come across as being intrusive or pushy. The other option is to approach them showing concern about your own privacy. The idea of an ultimatum has already been answered by previous comments.

  52. You don't happen by Anonymous Coward · · Score: 0

    to be going to school at IU are you?

  53. Watch your ass by +CipherDemon · · Score: 2, Interesting

    I experienced similar things with my school (except that we're a high school in Florida, which means there's almost no education money. bastard politicians.). I found a multitude of insecure things in the workstation setup (including being able to edit file shares between machines from a non-admin account). So, I made a report for them and gave it to my computer teacher. The first IT person that got ahold of my report wanted me suspended and barred from all on-campus computer labs. The second one finally fixed everything that I'd mentioned and now we're running much more securely (although there are still problems that I'm NOT going to bother filing a report about as it won't do any good, I don't plan to exploit them, and I'll just get suspended). But, I haven't gotten any thanks from the IT department. Honestly, I'd rather take it to the deans first as an issue of personal privacy vs. network security. You're probably safer that way as you'll be above the IT people and won't get owned hardcore by them.

  54. Re:Legal repercussions for the school by Anonymous Coward · · Score: 0

    don't you mean LGB (Lesbian-Gay-Bisexual)?

  55. GODDAMN IT! by Anonymous Coward · · Score: 0

    STFU. JUST STFU! Quit being paranoid, you pussy! Nobody gives two shits about your SSN, date of birth, or address. You're nobody special. I'd advise you to quit wasting time with the school's IT internals and get back to studying. Wasting time dicking around with nonsense like this causes missed classes and low grades. You'll regret it years later, likely after you've dropped out of college and have spent all your unemployed time submitting Ask Slashdot questions. COCKSUCKER!

  56. Please Prosecute me! by bhima · · Score: 1
    Everything you said is begging to be prosecuted in some way. Do you think that the sysadmin doesn't KNOW what sort of network he is running? Do you think that some of the other students have not pointed this out? The network is set up the way it is because the school administration doesn't care to spend the money / time to do the right thing.

    In this case they will only fix the "squeaky wheel": YOU! And probably with a bludgeon. Shut up, protect yourself, get over it and stop using their network for things you think are important.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  57. Another solution by kill-9-0 · · Score: 1

    Grab userid/password from all 18,000 students, then send emails from ALL of them to the Dean, and head of IT demanding that security holes be fixed. Then, use those email accounts to SPAM the administration until security is fixed. Problem solved, and I'm sure the other students will be fine with you using their accounts for such a noble endeavour.

    --
    Liberalism...the next best thing to thinking.
  58. Send a Letter by 4of12 · · Score: 1

    Certified mail.

    To the principal of the school and cc the office of the superintendent of the district.

    Politely and concisely explain that as a concerned student you believe that the current student database system is needlessly risky as it exposes private information such as name, address and social security number on the computer network.

    Students and parents rely upon the school board and administration not only to provide the best possible education, but also to protect their students' private information from unauthorized disclosure.

    Tell them you think the problem is serious and warrants immediate attention and correction. You'd be happy to work with representatives from the school to demonstrate what you feel are the essential features of the problem.

    Don't be too enthusiastic when it comes time to reveal the problem. (Remember, no one wants to be shown how they fucked up by contracting things out to IT For Less.) They will trust you less if you have any hint of cockiness. Act professional and courteous. Your attitude will critically determine whether you are perceived as a 1337 h4X0r that is dangerous and not to be trusted, or as an intelligent, concerned individual that is willing to use your skills for the betterment of the community.

    Don't go tell all your friends so that people find out by the grapevine.

    Hang on to a copy of the dated letter and if nothing happens for a year, then forward a copy to the president of the PTA and to a local newspaper. But there's no good reason to light that fire before it's needed; most school administrators will try their best to fix problems the best they can with the resources they have (admittedly, money and skilled personnel are often drastically limited at many schools).

    --
    "Provided by the management for your protection."
  59. Hire a lawyer by cavemanf16 · · Score: 1

    Get your parents to pay for his/her retainer. If you're in the Columbus, OH area I could refer you to one lawyer at least that would be ethical and fight for you at the same time. (He's not me, but I do know him well enough to know he's a good guy).

    Seriously. If you know that your personal ID info can be VERY easily obtained (as your posting indicated) then it's only different than if you were embroiled in trying to regain your identity through fraud because you're being pre-emptive about it rather than trying to fix the problem after the injustice occurred. I think if you could demonstrate to a lawyer the very serious potential risk your school is taking in not securing the website, then you can have the lawyer send them a cease & desist letter that lets them know you're already protected and concerned enough about this issue to go to a lawyer with it.

  60. Re:Honestly? No techies. by 0BoDy · · Score: 1

    I've seen this happen, and heard of it so many times, you definitely need to approach this from a deeply political standpoint, since that's how it will be approached by everyone else. Obviously this kind of breach is illegal, but they'll get away with it if you let them nail you instead.

    --
    Can I be a Luddite too?
  61. Community College of Philadelphia by pen · · Score: 1
    (Slightly OT, but I've been meaning to bring this up, and my /. submission was rejected.)

    If you're in the mailing database of CCP, you'll see your SSN right on the envelope, above your name and address. Someone must have realized this would be a problem, but instead of doing something real about it they just shift the numbers around. So if your SSN is 123-45-6789, then the address label looks something like this:

    45 ** 6789 123
    JOHN DOE
    123 FOO STREET
    PHILADELPHIA PA 19111
  62. A controlled attack by erik_norgaard · · Score: 1, Interesting

    OK, so you know your own password and you can allow yourself to access your data. So, how about making a controlled intrusion attempt?

    Try to see if you can obtain your own password over the wires or wireless. You know what you are looking for but it may be more difficult than you think, and hence you can avoid making a scene of yourself :-)

    Record the whole session, so you can replay it in front of the admin. A demo is often very instructive when people seem reluctant to believe you.

    You cannot be accused of hacking since all you have done is granted yourself access to your own data.

    This way you have not disclosed sensitive information or violated others' privacy. Publishing other people's IDs and passwords online is a very bad idea, even if intended as a proof of concept. Respect the privacy of others, even if you find it is not properly protected.

    If it doesn't achieve the objective, go to the press, school paper or other and demonstrate by replaying the intrusion.
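    One part of the self-check described above can be done without touching the network at all: look at the login page's HTML and see where the password field would be posted. The script below is an added example, not code from the thread or from any school's system. It parses a page with the standard library, finds every form that carries a password input, resolves the form's action against the page URL, and flags any form whose credentials would leave the browser over plain http://. The two sample pages and the portal.example.edu hostname are constructed for the demonstration; the second sample shows the mixed case where the page itself is served over HTTPS but the form posts back to an http:// URL, which is just as exposed on an open wireless network.

```python
"""Check whether a login form submits credentials over plaintext HTTP.

Added example (not from the Slashdot thread). The sample pages and the
portal.example.edu hostname are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to this page".
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html):
    """Return one finding per form that contains a password field.

    Each finding holds the resolved submit URL, its scheme, and 'plaintext',
    which is True when the credentials would travel over http://.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # Relative actions inherit the page's scheme; absolute ones override it.
        submit_url = urljoin(page_url, form["action"])
        scheme = urlsplit(submit_url).scheme.lower()
        findings.append({
            "submit_url": submit_url,
            "scheme": scheme,
            "plaintext": scheme != "https",
        })
    return findings


# Constructed sample page: relative action, so it inherits the page scheme.
PLAIN_LOGIN = """
<html><body>
<form method="post" action="/student/login.cgi">
  <input name="student_id" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample page: served over HTTPS, but the login form posts to http://.
# The second form has no password field and is ignored.
MIXED_LOGIN = """
<html><body>
<form method="post" action="http://portal.example.edu/login">
  <input name="user" type="text"><input name="pw" type="password">
</form>
<form method="get" action="/search"><input name="q" type="text"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in [("http://portal.example.edu/login.html", PLAIN_LOGIN),
                      ("https://portal.example.edu/login.html", MIXED_LOGIN)]:
        for f in check_login_forms(url, html):
            status = "PLAINTEXT" if f["plaintext"] else "ok"
            print(f"{url}: password form -> {f['submit_url']} [{status}]")
```

    Against a real page you would save the HTML from the browser and pass it in with the URL you loaded it from; a finding marked PLAINTEXT is what the original poster observed, and it is exactly the case where anyone on the same open wireless network can read the student ID and password in transit.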

  63. you're not the only one by keyshawn632 · · Score: 1


    I happened to check the online site for my high school grades, too, and noticed it's on HTTP, not HTTPS for pete's sake!

  64. SSNs by WaterTroll · · Score: 1

    I was upset about them changing from using my SSN to a proprietary number scheme

    What? Are you saying you were content with them using your social security number as a means of unique identification? I am not sure about the specifics, but I know there is a legal restriction involving using someone's SSN for anything but social security. Secondly, my university does the same thing, and I don't like the idea at all. Sometimes I have to fill it out on scantrons and other forms that include my full name. By law, I believe the school has a certain deadline before, assuming my SSN is used for, as they sometimes call it, "my student ID number" has to be changed.

  65. Anonymity by AgentOJ · · Score: 2, Interesting

    Back in college, the same thing (more or less) happened to me. My school was using http instead of https for email, and the same password was used to access student information including DOB, SSN, etc. You also had the ability to add or drop classes with the same password. Since the school had "free" wireless access, and no form of network authentication, anyone could sit in the library and sniff passwords. I made the utterly stupid mistake of calling the "help desk," and the lout who answered accused me of hacking when I tried to explain that email wasn't secure.

    Needless to say, the computer services department eventually met with me, and offered me a tech support job. Being the starving college student, I jumped at the chance. Stupidly, I filled out the job application, and waited to hear back from them...and waited....and waited. Over the next two months, I met with the computer services department three times, each time being given some excuse as to why I hadn't started my new job.

    During this time period, I knew a number of people who worked for the computer services department who I was on good terms with. I asked one of them to check for me to see why it was taking so long to start my job, and he did some poking around for me. Eventually he found out that the job application was a front, and they used the information provided in it to do a "background check" on me to see if I had gotten in trouble for "hacking" in the past. They went so far as to call my high school and check there, and then blacklisted me as a "bogey," apparently their term for hackers.

    They never intended to give me a job. They offered me the job to keep me happy until they could do a check on me. As I had done nothing in the past to give me a "hacker record," they decided to just give me the cold shoulder. I passed up two other job offers during that time period, thinking that the higher-paying computer services job was just around the corner, as I was led to believe. I never got the job.

    I guess the point of my story is that you can try to do the right thing, and explain the situation to your school's IT department, but you might very well end up in my situation. I'd go to an internet cafe, or send a letter, or something, but do it as anonymously as you can. Unfortunately, even though you're in college, some of the people there do not have open minds, and will scorn you for your attempt at helping.

    Funny thing is, about a year after my initial call to the IT department, one of the school newspapers ran a story detailing the problem, and praising the IT department who had "fixed this problem." The story went on to say how this "hole in the network" had been open for over a year, and hadn't been noticed until recently. I laughed out loud when I saw that, as I knew it was complete and utter bullshit.

    Mod me down if you will, but I know that at least one of the people involved in my case reads slashdot, so if this story sounded familiar, maybe you should rethink your method of dealing with those who only wanted to help.

  66. Re:Honestly? No techies. by Spoing · · Score: 3, Interesting
    1. Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way: making you a scapegoat and likely sending your ass to jail.

    Agreed on going to the dean. If you use what I call the Columbo method -- after the dumbly and wise detective on TV -- you can also go to the IT department though this is a bit more risky but may silently solve the problem.

    The Columbo method works basically like this;

    "I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)

    Other phrases: "You know, I was wondering..." / "I find it curious that..."

    Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!

    "If only someone could do something about that. Do you know anyone?"

    Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.

    If anything, be a little funny but do not be condescending.

    Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.

    Note: If using https:// instead of http:// works, mention that *you* found a workaround, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  67. I did something similar once... by oneiros27 · · Score: 2, Interesting

    I sent an anonymous packet of information to the dean through campus mail, regarding a faculty member's use of equipment purchased for a university project, and his taking that equipment for a company that he started, and giving us instead dated equipment with 'property of NASA' stickers on it. [where he worked part time, it was my understanding]. He also claimed the work of one of the students for whom he was an advisor, as the work of his company.

    Unfortunately, as there were relatively few people who had access to all of the information that I did, it was rather easy for them to track it back to me. I was called into a meeting with the dean, and the faculty member, and they threatened me with expulsion. They also weren't happy with something that I posted to the group's web page (which was in fact, a violation of the university's policies regarding use of computer systems).

    I also wasn't aware that the dean had a vested interest in keeping the faculty member, as he had received a multi-million dollar grant for some of the research that he was doing.

    So, my recommendation is -- if you're going to do anything, go straight to the feds. More than likely, whomever you complain to internally knows what's going on, and wants it to continue, for some reason that you don't know about. [It might even just be a cover-your-ass approach].

    Oh -- and after graduating, years later, I needed to get a transcript for a job. It turns out the university had shipped me a diploma, but didn't have my graduation listed in their computer system. It took me over four months to get the issue resolved, and even then, at the last meeting I had with the assistant dean, he had the balls to apologize to me -- not for someone failing to update a flag in the computer system, but for them sending out an incorrect letter informing me of what classes I needed for graduation and sending me the diploma in error.

    [They only flagged me as graduated, as I had taken a number of graduate level classes, and they applied those to make up for the two one credit classes they claimed I needed, 6 years later].

    Unfortunately, I don't think that this is a direct violation of FERPA, but I know there was some new law, that I think is now in effect, that made it so they had to stop using SSNs as tracking numbers. I've been out of higher ed for almost a year now [working as a systems programmer, and speaking up about problems -- which got me fired], so I'm not as current as I used to be.

    If you really want to report this to the school, take it to the student government, or some other body that the school doesn't have direct control over.

    --
    Build it, and they will come^Hplain.
  68. From a guy in the IT Dept: by tverbeek · · Score: 2, Insightful
    Do not under any circumstances use this knowledge of vulnerabilities to actually sniff passwords, gain access to information you're not intended to have, etc. If your college's Acceptable Use policy is anything like ours, doing so will be a violation. Full stop. AU policies never include an "unless you're doing it for a noble reason" or "didn't do any harm by it" exception. And if you were to catch me with my pants down, you can be sure that I'm not going to thank you for it; I'm going to throw the book at you, to make sure that no one else gets the idea of trying something similar. It doesn't matter if I'm negligent or not; that's just the prudent IT fear-mongering to discourage genuinely malicious hacking (of the kind you're worried about).

    Instead, if you know people in IT, you can try going to them with your concerns, from a "hey did you know... it worries me...." perspective. If they're good people and well managed (but just didn't stop to think about it), that should help. If you don't have a friend there, or you hear that IT are a bunch of bozos, your best bet is to bypass them and take your concerns (as "I know enough about it to suspect this could happen", not "I know how to do this") directly to one of the offices charged with handling your student data (e.g. registrar, business office, financial aid). They're the ones who ought to be most alarmed over confidentiality problems (because they've had in-services driving the point home), and it'll be their bosses in the administration who'll have the authority to put the pressure on IT to do their job.

    --
    http://alternatives.rzero.com/
  69. My idea by JoeBaldwin · · Score: 1

    Find an admin who knows his shit, and wants to help.

    DO NOT sniff passwords, DO NOT send "ultimatums", just say "Hi, I've found what could be a security hole on the network. I can show you why it's insecure and how it could be exploited. I don't want anything in return, I just want to help you close the hole because it could uncover a hell of a lot of problems."

    Your ass is covered (you said you didn't want anything, can't be blackmail) and you might get a few brownie points out of it. If the admin responds badly to this and you get expelled or in some other kind of shit, my advice (IANAL applies) is to sue, because you have done nothing wrong...so long as you don't try and seem like a l33t h4X0r g0d by sniffing passwords/sending "ultimatums"-just get to the point, tell the admin what the problem is and how to solve it.

    (For the record, I have some great network admins who listen to the students and are very receptive. The way to go :)

  70. Re:Honestly? No techies. by jeffkjo1 · · Score: 1

    You, my friend, are a genius.

    If only I had thought of the 'Columbo method' before, I think it could have saved me much time with my own University's idiot IT department (and other idiots... they seem to populate the earth.)
    The Columbo method will be my new problem solving manifesto.
    Thank you.

  71. Open University? by Gordonjcp · · Score: 1

    Don't you have something like the Open University in the USA?

  72. "torpor" ratted out some kid to the cops before? by Cryofan · · Score: 1

    Sounds like the parent poster "torpor" speaks from experience. He probably ratted out some white hacker kid to the cops, justifying it to himself because the kid did not spellcheck his report.

    Oh, torpor, BTW, when you wrote "not one single persons problem," you should have written "not one single person's problem." You forgot the apostrophe....

    --
    eat shiat and bark at the moon
  73. Re:"torpor" ratted out some kid to the cops before by torpor · · Score: 1

    Whatever, troll.

    I don't care how 'old' you are, or what 'color your hat is', if you are on my system when you are not supposed to be, then you are going to be punished.

    There is no such thing as a 'good cracker' ... this 'white hat'/'black hat' bullshit is simply narcissism refined ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  74. Re:Honestly? No techies. by Anonymous Coward · · Score: 0

    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way: making you a scapegoat and likely sending your ass to jail.

    As one of those IT people, I take offense to this characterization. The chances are that they already know about this problem and are working on a fix but haven't implemented it yet. Talk to them, ask if there are any plans to fix it. *THEN* evaluate the situation.

    One thing that most people don't understand about IT at my university-employer is that we have 50,000 people on campus. And the network HAS to work ALL OF THE TIME. So, it takes time to properly evaluate, test, and implement changes. This isn't your home e-mail server.

    So, if you ask the IT people in charge (the helpdesk people are just there to keep the real geeks from going nuts), you will probably be pleasantly surprised by their competence and by their plans to address the issues that you're concerned about.

    Every so often, I have a "darn, those guys are GOOD!" moment -- and I've been here several years and know a lot of the IT people on campus.

  75. Turn it into your master's thesis by dooguls · · Score: 1

    I'm assuming you're a CS student. Approach one of your CS professors who has a security clue. Make him aware of the problem, see if he'll help you communicate with the School SysAdmins and administrators. I recently did this very thing and once everyone involved understood the problem, they let me turn the solution into my Master's Thesis, which may be better than getting 'paid' to fix the problem.

    --
    Sig 'em boy!
  76. Re:Honestly? No techies. by JabberWokky · · Score: 1

    I've worked in several IT departments over the past 15 years. Add to that general experience with human nature in academia, government and corporate life.

    I have had plenty of "darn, those guys are good"; I wouldn't trade my IT career for any other. What I describe has nothing to do with IT. If the person had found a flaw in accounting or grant or scholarship allocation or any other critical and potentially very embarrassing problem, they would be in the same situation. When you deal with departments with political clout and you raise a very embarrassing problem, you have to realize that it's very easy for you to get squashed if you're a flea. It's harder if you're a flea riding a big dog.

    Even if the department does nothing, the college will move to protect itself. Somebody will come up with the idea of scapegoating the messenger, and if there is zero reason not to, it will happen.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  77. As a student by g0bshiTe · · Score: 1

    I myself would hate to learn that my information was made public in that way.
    Does your school have some sort of EULA for the website?
    Most institutions require some kind of security for nonpublic information, such as DOB or SSN. It would seem to me that if this information is not secured properly, then perhaps a class action lawsuit would be in order. Identity theft at a university could damage someone for life. It could lead to you losing financial aid, or to student loans you never applied for. I would retain a lawyer. This can be done for roughly $100: have said lawyer send a legal letter (certified mail so as to get a return receipt) stating that his client, who wishes to remain anonymous, will file a lawsuit against the school for wrongful disclosure of private information if the situation is not remedied.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  78. Now what school? by MATTtheROGUE · · Score: 1

    I'm too lazy to log in;
    but which school did you say you went to?

  79. I work close with my school. by desalien · · Score: 1

    Schools just SUCK when it comes to IT. I myself am 16 years old, and live in Belgium. @ my school we use winXP boxes for CAD-programs (robodraw) and NT4 for the typical Wort/Expell lessons.

    Security is good, but not everything. We have 2 save our CAD drawings to the HD which is not pw protected. Everyone can delete or change the drawings I made; I solved this by saving my drawings on my own comp @ home by using my ftp-server. No1 can get them there :-P
    Other students don't have these tools or such -> their documents and files are insecure.

    Back 2 the topic, in my school no student information is stored on the computers!
    Administrative documents and all of that kind are on a different network (TISK for students TISP for secretary and stuff) and there is no connection between them. We have Wireless also, no protection at all, just drive your car next to the building and your laptop will say: Network Connection Established and you can browse the entire TISK network. BUT there is nothing 2 see over there!

    And indeed, tell the admin over there everything through a well-spelled mail (not like my English). If you come with solutions or possible improvements use the words 'I think it is better ...' or 'It might be better'.
    In this way I convinced my school to try Open-Source with OpenOffice as they are always promoting Oxfam (don't know if that's in America) and FAIR trade stuff, this is the right way 2 go! I told them about Open-Source & bla bla bla, and they stepped into the project with me.

    (The admin told me it would take weeks to install it on every computer - - - It took me 1 hour to install OOffice on every computer in 1 classroom, due to slow computing power :-P)

    btw, this is my first Slashdot post, sowrry fo sukcy engglisch

    --
    make install, not war