Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

14 of 137 comments

  1. Show the problem to your school leaders... by joelparker · · Score: 4, Informative
    First, contact your school technical staff;
    they are the ones to fix this problem.

    Second, if the technical staff does not fix it,
    contact your school's Deans for intervention.

    Third, if the Deans do not get the problem solved,
    contact your school paper and ask for help.

    This all shows that you're a team player,
    in case you need to escalate it later.

  2. Re:No no no by Biochrome · · Score: 5, Informative

    You'll end up in jail for "hacking" if you do that. Seriously. I merely nmapped our server, and I spent a night in jail, and lost all computer privileges forever at school. Do NOT even act like you may be compromising network security... you'll end up in a boatload of trouble.

  3. No ultimatums... by isaac · · Score: 4, Informative
    Do not make an ultimatum. You WILL be subject to disciplinary procedures, and probably prosecuted. If speaking to the campus technology people responsible (and I mean speaking to the people who are *really* responsible - the managers, not the helpdesk) for these systems and networks about your concerns produces only indifference, you should drop the F-bomb - FERPA, the Family Educational Rights and Privacy Act. Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN. (Directory information, such as your name, and the fact that you're a student, is not automatically protected from disclosure by default, but you may request that such info not be disclosed to third parties.)

    I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.

    Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  4. Re:Bad idea! by yotaku · · Score: 4, Informative

    I'm not so sure about this. Although I guess now that you've posted here you had better speak up. But if it was me, I'd have just kept my mouth closed. I know someone who reported a security flaw in my high school's network and was promptly banned from using any school computers except under supervision and suspended from school for a week.

  5. obvious by sporty · · Score: 2, Informative
    1. talk to parents. explain to them thoroughly what the situation is.


    2. get a lawyer. you have a right to use their networks, not admin it. you can point things out, and use the system as intended, but that's as far as it goes. i.e. http vs https. changing other's passwords and what not is something for your parents and a lawyer to discuss with the school.

    --

    -
    ping -f 255.255.255.255 # if only

    1. Re:obvious by littlerubberfeet · · Score: 2, Informative

      I agree. Do ALL communication through that lawyer. That alone will probably scare them into making changes.

      DO NOT give up the protection of a lawyer under any circumstance, because they will screw you over. If changes aren't made, have your lawyer send a cease and desist for violating FERPA, the Family Educational Rights and Privacy Act.

      Lawyers are expensive. I bet you could find one to take this on pro-bono. Ask around, email the ACLU and EFF.

  6. Suggestion by theantix · · Score: 3, Informative

    Do *not* sniff passwords or publish them, unless you want to face some nasty consequences. What you should do is draw up a list of the tools required to sniff the passwords and give them a recipe as to how someone could crack their security.

    From what you've said there... You should say something along the lines of "A person could sit in the school parking lot with a laptop and a wireless networking card, and run the program 'Ethereal' to watch the network traffic. This person could literally watch the login IDs and passwords, and use that information to get your SSN and other vital and private information."

    Pass that along to IT, your school administrators... if that doesn't get them hopping try passing the story on to your local community newspaper. That would be much safer than risking the legal repercussions of cracking passwords yourself.

    --
    501 Not Implemented
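The "recipe" theantix describes above, as an added example in code (not from the thread and not from any school's systems): the first function shows what a sniffer on the open wireless network sees when the login form posts over plain HTTP, by pulling the student ID and password straight out of a captured request, whether sent as a form body or as HTTP Basic auth (base64 is encoding, not encryption). The second function is the check a practitioner would want before reporting: given the login page's HTML and the URL it was served from, it flags password forms whose action would submit over http://. The captured request, the HTML, the host `portal.example.edu` and the field names are all constructed for this example.

```python
"""Plaintext login over HTTP: what a sniffer sees, and how to detect the defect.

Added example, not code from the original Slashdot thread. The sample request,
sample HTML, host 'portal.example.edu' and field names are constructed assumptions.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Field names commonly used for credentials in login forms (assumed list).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pin"}
USER_FIELDS = {"user", "username", "userid", "login", "id", "studentid"}


def extract_credentials(raw_request: bytes) -> dict:
    """Return {'user': ..., 'password': ...} found in a plaintext HTTP request, or {}.

    With HTTP there is no encryption: the request line, headers and body are
    readable by anyone on the same wireless segment, so this is all an attacker
    with a packet capture needs to do.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]  # skip request line
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # HTTP Basic auth is base64("user:password"); it reverses trivially.
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1")
        user, _, password = decoded.partition(":")
        found = {"user": user, "password": password}

    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body.decode("latin-1")).items():
            key = name.lower()
            if key in PASSWORD_FIELDS:
                found["password"] = values[0]
            elif key in USER_FIELDS:
                found["user"] = values[0]
    return found


class _FormFinder(HTMLParser):
    """Collect [action, has_password_field] for each <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_posts_over_plaintext(html: str, page_url: str) -> list:
    """Return absolute submit URLs of password forms that would post over http://.

    An empty action posts back to the page itself, so the page's own scheme
    decides; an absolute http:// action leaks even if the page was served over https.
    """
    finder = _FormFinder()
    finder.feed(html)
    leaky = []
    for action, has_password in finder.forms:
        if has_password and urlsplit(urljoin(page_url, action)).scheme == "http":
            leaky.append(urljoin(page_url, action))
    return leaky


# Constructed capture of a login POST as seen on the open wireless network.
SAMPLE_REQUEST = (
    b"POST /portal/login HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"studentid=A00123456&password=hunter2"
)

# Constructed capture of the same credentials sent as HTTP Basic auth.
SAMPLE_BASIC_REQUEST = (
    b"GET /portal/summary HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Authorization: Basic " + base64.b64encode(b"A00123456:hunter2") + b"\r\n"
    b"\r\n"
)

# Constructed login page: one password form, one harmless search form.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/portal/login">
  <input name="studentid"><input type="password" name="password">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_REQUEST))
    print(extract_credentials(SAMPLE_BASIC_REQUEST))
    print(form_posts_over_plaintext(SAMPLE_HTML, "http://portal.example.edu/portal/"))
```

Run against a real page, the second function is the evidence to hand to the IT managers: it names the exact URL that receives credentials in the clear, without capturing anyone else's traffic. The first function is what to describe in the report, not what to run on the campus network.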
  7. Honestly? No techies. by JabberWokky · · Score: 5, Informative
    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way; making you a scapegoat and likely sending your ass to jail.

    Go to a Dean, the highest level one you can get a good ten minute discussion with. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publicly announcing such a discovery can lead to serious consequences.

    In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the repercussions that whistleblowing this issue may have.

    If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  8. Re:Legal repercussions for the school by alienw · · Score: 4, Informative

    Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.

  9. Many players by linuxwrangler · · Score: 3, Informative

    First consider your goal. I presume it is to get them to fix the problem rather than to extort money, humiliate them, etc.

    Given that assumption remember that there are many players. There are the software writers and network admins. They may be afraid of being made to look bad in front of their superiors. They may know the problems and be working on them. They may simply be doing all they can with the resources that have been given them.

    Work your way up from there. IT Department heads may try to claim it isn't a problem (prevent embarrassment), indicate the need for more resources or may be in the dark because their people screwed up and hid the problem.

    The legal department and higher administration will be worried about liability and bad press. As such, any "demonstration" you put on can be used against you. Suddenly you will be the bad guy - the evil cracker. They may even try to go after you legally to cover their asses.

    Others have mentioned S-O legislation. There may be a compliance officer on campus who you can contact.

    So what to do?

    I would write a detailed letter describing the problem in layman's terms. Profess ignorance to allow people to save face (phrases such as "perhaps I am unaware of fixes that are already in the works", and "I know running a student network on a tight budget is difficult...") and express your desire that this matter be handled quickly and without the need to involve outside parties but insist that it must be handled.

    The "ignorance" method also allows you to send the letter to a wide recipient list without looking like you are trying to skewer any particular person or department: "I apologize for the wide distribution but I'm not sure who is in charge of such a matter as it involves S-O compliance, student privacy, IT etc..."

    You may want to offer recommendations (perhaps this system should be taken offline to protect the sensitive data until the security problems are repaired) and offer your assistance. If you offer to arrange a demo and they accept, request that they set up a dummy account. This helps isolate you from liability and demonstrates your concern for privacy.

    Other avenues if the "good-guy" method fails: many universities have a student ombudsman, there may be state or federal S-O compliance resources and finally, there is the press.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  10. Re:Legal repercussions for the school by JackAsh · · Score: 3, Informative

    Some of my respondents here are absolutely right - it's HIPAA I'm talking about, not S-O. What can I say, long day at the office, been working so much on compliance for both they're freaking interchangeable in my mind by now, etc. etc. Still no excuse.

    First, IANAL (as evidenced by my previous stupid message naming the wrong act). In any event, my understanding is that although HIPAA was originally enacted/intended as a Health-Care related act, its effects have been interpreted to apply outside of Health Care and to any industry that stores people's private, personal data. One of the big flags the act applies is storing social security numbers.

    Rule of thumb is that if you see something private stored or transmitted somewhere it needs to be seriously secured. Seriously secured is roughly defined as encryption for every stage of the data lifecycle, from storage to transmission; as well as access control measures and all that jazz.

    So anyway, a whole bunch of industries are running around with their panties in a knot because of these new privacy regs. Then you have happy California's 1386 stuff which I think was meant for online shopping but ended up saying something like that if someone hacked your entity and gained access to customer data you have to notify every single member of that customer population that resides in California or be banned from doing any kind of business in that state. I'm sure that strictly speaking the laws apply only to some very specific instances, but that hasn't stopped people from panicking just in case it could be twisted into applying to them. I'm sure that my explanations are grossly overgeneralized, but they do serve the purposes of this conversation. :)

    The point being, there's cool new regs that protect your privacy. Make sure your school is taking them into account. I wouldn't be hostile about it, but they might just need a pointer in the right directions.

    Good luck,

    -Jack Ash

  11. Re:Job opportunity? by torpor · · Score: 5, Informative

    "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money"

    Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.

    Some guidelines for the current situation:

    - Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.

    - Send a copy of this report to your schools administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.

    - Be thorough and complete, and make sure you explain why you are being so thorough.

    - Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.

    - Be courteous about this problem. It is not one single person's problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.

    - Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...

    Always, always, always try to remember, that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then it's going to get you into more trouble than you expect ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  12. Re:No no no by Frisky070802 · · Score: 2, Informative

    I'm with you there. Just think about what happened to Randal Schwartz at Intel a few years ago!

    --
    Mencken had it right. So glad that's old news.
  13. Re:No no no by Anonymous Coward · · Score: 1, Informative
    (Copied from his blog): "I'm a fucking genius. I got caught "hacking" the school server. Hacking as in randomly selecting a bunch of folders and deleting them, because a teacher left her account locked in. A few hours later, the network administrator pressed the "undo" key, and I got banned from the school network. Wow"


    The guy obviously has been causing a lot of intentional damage already. His blog also talks about him stealing things from his school. If he went to jail, he probably went for a ton of other things as well.