Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
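The concrete defect in the question is a login form that submits a student ID and password over plain HTTP, which is what makes the open wireless network dangerous. The following script is an added example, not code from the Slashdot post or from any school's systems: it parses an HTML page with Python's standard-library parser, finds every form that contains a password field, resolves the form's action against the page URL, and reports any form whose submit URL is not `https`. The portal URLs and HTML pages are constructed for the example; `find_insecure_login_forms` is a hypothetical name chosen here. It is the kind of check an IT staff member (or a student writing the "professional report" suggested below) can run against their own portal to document the problem without touching anyone's traffic.

```python
"""Audit check: flag login forms that would submit credentials over plain HTTP.

Added example (not from the Slashdot post). Sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect, for each <form> on the page, its action and whether it
    contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return the resolved submit URLs of password forms that post over http.

    An empty or relative action resolves against page_url, so a login page
    that is itself served over http is flagged even when the form carries
    no explicit action attribute.
    """
    parser = _FormCollector()
    parser.feed(html)
    insecure = []
    for form in parser.forms:
        if not form["password"]:
            continue                      # search boxes etc. are not credentials
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


# Constructed sample pages (hypothetical host portal.example.edu).
PORTAL_HTTP = """
<html><body>
<form method="post" action="/login">
  <input name="student_id"><input type="password" name="pw">
</form>
</body></html>
"""

PORTAL_MIXED = """
<html><body>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="http://portal.example.edu/auth">
  <input name="student_id"><input type="password" name="pw">
</form>
</body></html>
"""

PORTAL_HTTPS = """
<html><body>
<form method="post" action="https://portal.example.edu/auth">
  <input name="student_id"><input type="password" name="pw">
</form>
</body></html>
"""


if __name__ == "__main__":
    for url, html in [("http://portal.example.edu/", PORTAL_HTTP),
                      ("https://portal.example.edu/", PORTAL_MIXED),
                      ("http://portal.example.edu/", PORTAL_HTTPS)]:
        bad = find_insecure_login_forms(url, html)
        print(url, "->", bad or "all password forms submit over https")
```

The second sample shows why the check resolves the action rather than only looking at the page's own scheme: a page served over HTTPS can still post credentials to an `http://` URL, and that form is just as exposed on an open wireless network as the first one.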

7 of 137 comments

  1. Show the problem to your school leaders... by joelparker · · Score: 4, Informative
    First, contact your school technical staff;
    they are the ones to fix this problem.

    Second, if the technical staff does not fix it,
    contact your school's Deans for intervention.

    Third, if the Deans do not get the problem solved,
    contact your school paper and ask for help.

    This all shows that you're a team player,
    in case you need to escalate it later.

  2. Re:No no no by Biochrome · · Score: 5, Informative

    You'll end up in jail for "hacking" if you do that. Seriously. I merely nmapped our server, and I spent a night in jail, and lost all computer privileges forever at school. Do NOT even act like you may be compromising network security... you'll end up in a boatload of trouble.

  3. No ultimatums... by isaac · · Score: 4, Informative
    Do not make an ultimatum. You WILL be subject to disciplinary procedures, and probably prosecuted. If speaking to the campus technology people responsible (and I mean speaking to the people who are *really* responsible - the managers, not the helpdesk) for these systems and networks about your concerns produces only indifference, you should drop the F-bomb - FERPA, the Family Educational Rights and Privacy Act. Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN. (Directory information, such as your name, and the fact that you're a student, is not automatically protected from disclosure by default, but you may request that such info not be disclosed to third parties.)

    I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.

    Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.

  4. Re:Bad idea! by yotaku · · Score: 4, Informative

    I'm not so sure about this. Although I guess now that you've posted here you had better speak up. But if it was me, I'd have just kept my mouth closed. I know someone who reported a security flaw in my highschool's network and was promptly banned from using any school computers except under supervision and suspended from school for a week.

  5. Honestly? No techies. by JabberWokky · · Score: 5, Informative
    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way: making you a scapegoat and likely sending your ass to jail.

    Go to a Dean, the highest level one you can get a good ten minute discussion with. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publicly announcing such a discovery can lead to serious consequences.

    In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the repercussions that whistleblowing this issue may have.

    If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien

  6. Re:Legal repercussions for the school by alienw · · Score: 4, Informative

    Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.

  7. Re:Job opportunity? by torpor · · Score: 5, Informative

    "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money"

    Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.

    Some guidelines for the current situation:

    - Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.

    - Send a copy of this report to your school's administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.

    - Be thorough and complete, and make sure you explain why you are being so thorough.

    - Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.

    - Be courteous about this problem. It is not one single person's problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.

    - Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...

    Always, always, always try to remember that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then it's going to get you into more trouble than you expect ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --