Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID, along with a password, leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

15 of 137 comments

  1. UM... by ewhenn · · Score: 4, Insightful

    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned

    If this page really allows you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other people's passwords online?? Wouldn't that violate THEIR privacy? I mean, if someone found a problem with my bank's online checking that would let people exploit it and get into my account, I would not appreciate someone posting my account number and PIN online. In fact I would sue the poster of that information if I could. Be careful where you tread.

    1. Re:UM... by Grab · · Score: 3, Insightful

      Dead right.

      By all means, sniff the passwords. But then put them in a document and circulate it to your department supervisors. Make sure the document says *exactly* what you did (every step of the process). It would be good if every step was within the IT policy you subscribed to (then they can't lynch you for that), although as a whistle-blower this may not be necessary. And NEVER use those passwords, otherwise you could be done for hacking into someone else's account.

      Don't even think about asking for money - as someone else said, this makes you look like a blackmailer. Initially you have to act simply as someone bringing in information. What they choose to do with the info is their decision - most likely someone in the IT department *does* have the skills to fix the problem, it's just that they got some incompetent trainee to do it instead. If it turns out that the IT department need your skills then you can negotiate a contract or you can do it for free, but NEVER state that to start with.

      Give out ONLY hard-copies - that way a Word document can't accidentally get put on the web or something dumb like that. This limits circulation - it's more effort to photocopy/scan than to forward an email, so there's less chance of the passwords going where they shouldn't.

      Finally, make sure a hard-copy goes to the school paper, with instructions to hold onto it for 2 weeks (or some arbitrary length of time), and have a good talk with the people running the paper before you tell the school authorities. Make sure when you raise the issue with the school authorities that you tell them you've given the info to the school paper, and tell them the time limit. That way, they know they need to fix things within 2 weeks before things go public. It also covers your ass by ensuring they can't lynch you as a scapegoat, because the paper will crucify them.

      Basically, examine every step you take and see how it could be used against you. Getting a couple of your friends to check through what you're doing would also be useful (and having a friend watching at crucial stages like sniffing the passwords gives you the extra backup of a witness).

      Grab.

    2. Re:UM... by Spoing · · Score: 3, Insightful
      By all means, sniff the passwords.

      Do *NOT* follow that advice.

      Follow this advice.

      If I have to say why, you're already treading on thin ice.

      When I've run system scans and dumps on systems I do not manage, I've asked first and shown the admins what I do exactly -- and that's in my professional capacity.

      As a student, make no doubts that you will not be treated well if they even think you are able to do this. The admins should get it, though others will not understand -- though if the admins did know WTF they were doing, they'd use HTTPS in the first place...right?

      Instead, I'd point out that you are concerned since HTTP is an insecure method and that others are likely to abuse your account, and you want to know if the school is willing to take responsibility when that happens.

      Scare them into action but do so from the point of view of someone who would not even look themselves.

      In the meantime, use https:// in the URL yourself -- it will probably work -- and suggest friends do the same if it does.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:UM... by Glonoinha · · Score: 3, Insightful

      This sounds a lot like that college kid that decided to 'test' airport security a few months ago by sneaking a knife onto a commercial flight. Made it past security, got onto the plane, then announced his amazing feat of stealth and cunning to the crew. Ha Ha your security still sucks - I tested it and I am better than you - hey wait, it was only a test - hey who are these stormtrooper guys - ouch.

      Oddly, neither the airport nor the government found his 'test' very enlightening. No, in fact I think he was facing several years in Federal Pound-Me-In-The-Ass Prison.

      Original poster : you are approaching this like a child in an adult world. It is obvious that you desire peer level attention and recognition for your 'accomplishments'. Trust me, as someone that was 'recognized' and 'acknowledged' by the university administration for 'hacking' his college computers (possibly before you were even born) ... recognition is highly overrated. That you even suggested collecting the list of passwords and placing them on a webpage at school shows incredible immaturity. Not because you said it, but because doing so is even a remotely viable consideration in your mind.

      You want to blow the whistle, then blow the whistle. If you see a serious breach of security and you feel the need to get it fixed, go to https://tips.fbi.gov and fill out that form, hit submit. I pretty much 100% guarantee that they will take you seriously. You can call them at 202-324-3000 if you want.

      Understand, however, that once you invite the government into any aspect of your life or business it is impossible to put that genie back in the bottle. This goes with any cute little pranks you enumerated like sniffing passwords or listing them on a web page at school.

      There is a fine line between helper and terrorist in today's environment and you really don't want to screw away your lifetime potential because you were being 'gifted and talented' in college. Not only do you not want to cross the line, you don't even want to be under evaluation as to which side of the line you are on - all it takes is one bureaucrat to misinterpret anything you have said and you are royally fscked.

      If you are here because you are genuinely concerned about massive lapses in the security as implemented at your university then consider whether or not you are ready to be a martyr for that security - because once you blow the whistle you can pretty much kiss goodbye any chances at graduation from that college. But the needs of the many outweigh the needs of the few and we are ok with sacrificing you as a pawn in the name of the overall good.

      If you are here to impress us with your 1337 haxor skillz - what you did wasn't 1337, it was merely a rite of passage for every systems guy worth his salt. About like programming a bubble sort in visual basic - everybody is proud the first time they do it, but it really isn't that big a deal.

      You want to impress us, do something none of us has done yet:
      Find Osama bin Laden, hell I think there is still a $25M reward for the information leading to his capture.
      Figure out a way to actually get the administration to fix their security. Do that and you will be our hero.
      Find a way to bring back the tech sector jobs that are being outsourced overseas. Do that and you will be our hero and we will rename Linux in your honor.

      --
      Glonoinha the MebiByte Slayer
  2. No no no by FattMattP · · Score: 4, Insightful
    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.
    So you're going to point out how insecure their network is by placing 18,000 students accounts in more danger than they're already in? You'll end up in jail for "hacking" if you do that. Seriously.

    What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.

    Whatever you do, DO NOT sniff the network and post the results. Don't even show them privately to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.

    --
    Prevent email address forgery. Publish SPF records for y
  3. Damned if you, damned if you don't by G4from128k · · Score: 3, Insightful

    IANAL, but I suspect that if you intentionally demonstrate the insecurity of the system, you will be sent to jail. Ask a lawyer, but I suspect that their advice will be to not do anything that involves you breaking into the system.

    On the other hand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.

    At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem might get you in hot water for the terrorist crime of "hacking."

    I feel for you. Be careful.

    --
    Two wrongs don't make a right, but three lefts do.
  4. Sniffing's a bad idea by the_truk_stop · · Score: 3, Insightful

    While sniffing passwords sounds like a great way to get students' awareness up, that's generally an extremely bad idea. While the administration sounds like it's being incompetent, you posting sensitive information online will quickly get you slapped with legal issues.

  5. Re:No ultimatums... by Anonymous Coward · · Score: 3, Insightful

    Remember also that you catch more flies with honey than with vinegar, and even if you drop the "F" bomb, a pissed-off vice chancellor or IT manager can stonewall like you can't even comprehend while appearing to any outsider to be dealing with an unreasonable student as responsibly as possible.

  6. Re:Job opportunity? by c · · Score: 4, Insightful

    so why not explain the problem and ask them if they would be willing to pay you to fix it?

    Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money".

    The last thing you want to do is make it look like you're after money.

    c.

    --
    Log in or piss off.
  7. WTF? by Anonymous Coward · · Score: 1, Insightful

    If your post has nothing to do with the one above yours, why did you reply to it?

    If it's so important, why don't you start a new thread?

    Idiot.

  8. SSN?! by psyconaut · · Score: 4, Insightful

    " I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."

    Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!

    -psy

  9. Your school newspaper by Anonymous Coward · · Score: 1, Insightful

    Take it to them, explain to their most technically savvy reporter (get their web guys to help if they have them), and get them to write a story. They can make the other students aware of the problem, and once a lot of students are aware, the administration won't be able to simply ignore it. They'll be forced to fix it, and it won't look like you were trying to blackmail them.

  10. I'm assuming you're in IT by Gary+Destruction · · Score: 2, Insightful

    I'm assuming that you're in IT in some capacity and not someone who just knows a good deal about networking and security. The reason I'm asking is because if you're not in IT and you approach them, they might talk down to you or attempt to discredit you. I'm sure you know what I'm talking about. The "Well what does he/she know about computers?" If you are in IT, you might want to approach them from the standpoint of an IT professional. You might say something like, "Hello. I was logging in and noticed something...." And make them aware that you are an IT professional/student so that they know you're someone that's speaking on a level playing field. And if you're a student, you could say something like, "Well in security class, I learned https and..." It's a tough situation because you don't want them to get the impression that you're snooping around and looking for something to exploit. At the same time, you don't want to come across as being intrusive or pushy. The other option is to approach them showing concern about your own privacy. The idea of an ultimatum has already been answered by previous comments.

  11. Re:No ultimatums... by bcrowell · · Score: 2, Insightful
    Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN.
    IANAL, but I believe there are some big exceptions written into the law. Your information can be given to anybody who has a legitimate educational reason to see it. I also don't think the law spells out any particular level of security that's required. The only kind of stuff that really gets you in trouble as a teacher or administrator is something silly like posting people's grades on the door of your office at the end of the semester.

    The OP just needs to get a better grip on reality. His SSN is not a well kept secret. Anybody who really wants to find out his SSN can easily do it. I also think he's confused about the "proprietary" student ID number as opposed to an SSN. Using an SSN for anything but social security is both a security risk and an invasion of your privacy. His school is doing the right thing by switching away from SSNs.

    The basic solution is that he should not use a valuable password on this particular account. Problem solved.

  12. From a guy in the IT Dept: by tverbeek · · Score: 2, Insightful
    Do not under any circumstances use this knowledge of vulnerabilities to actually sniff passwords, gain access to information you're not intended to have, etc. If your college's Acceptable Use policy is anything like ours, doing so will be a violation. Full stop. AU policies never include an "unless you're doing it for a noble reason" or "didn't do any harm by it" exception. And if you were to catch me with my pants down, you can be sure that I'm not going to thank you for it; I'm going to throw the book at you, to make sure that no one else gets the idea of trying something similar. It doesn't matter if I'm negligent or not; that's just the prudent IT fear-mongering to discourage genuinely malicious hacking (of the kind you're worried about).

    Instead if you know people in IT, you can try going to them with your concerns, from a "hey did you know... it worries me...." perspective. If they're good people and well managed (but just didn't stop to think about it), that should help. If you don't have a friend there, or you hear that IT are a bunch of bozos, your best bet is to bypass them and take your concerns (as "I know enough about it to suspect this could happen", not "I know how to do this") directly to one of the offices charged with handling your student data (e.g. registrar, business office, financial aid). They're the ones who ought to be most alarmed over confidentiality problems (because they've had in-services driving the point home), and it'll be their bosses in the administration who'll have the authority to put the pressure on IT to do their job.

    --
    http://alternatives.rzero.com/