Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little of dabbling around, I found the place where I needed to enter my propriety school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password, lead right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

10 of 137 comments (clear)

  1. UM... by ewhenn · · Score: 4, Insightful

    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned

    If this page really allow you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other peoples passwords online?? Wouldn't taht violate THEIR privacy. I mean if someone found a problem with my banks online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number an pin online. In fact I would sue the poster of htat information if I could. Be careful where you tread.

    1. Re:UM... by Grab · · Score: 3, Insightful

      Dead right.

      By all means, sniff the passwords. But then put them in a document and circulate it to your department supervisors. Make sure the document says *exactly* what you did (every step of the process). It would be good if every step was within the IT policy you subscribed to (then they can't lynch you for that), although as a whistle-blower this may not be necessary. And NEVER use those passwords, otherwise you could be done for hacking into someone else's account.

      Don't even think about asking for money - as someone else said, this makes you look like a blackmailer. Initially you have to act simply as someone bringing in information. What they choose to do with the info is their decision - most likely someone in the IT department *does* have the skills to fix the problem, it's just that they got some incompetent trainee to do it instead. If it turns out that the IT department need your skills then you can negotiate a contract or you can do it for free, but NEVER state that to start with.

      Give out ONLY hard-copies - that way a Word document can't accidentally get put on the web or something dumb like that. This limits circulation - it's more effort to photocopy/scan than to forward an email, so there's less chance of the passwords going where they shouldn't.

      Finally, make sure a hard-copy goes to the school paper, with instructions to hold onto it for 2 weeks (or some arbitrary length of time), and have a good talk with the people running the paper before you tell the school authorities. Make sure when you raise the issue with the school authorities that you tell them you've given the info to the school paper, and tell them the time limit. That way, they know they need to fix things within 2 weeks before things go public. It also covers your ass by ensuring they can't lynch you as a scapegoat, bcos the paper will crucify them.

      Basically, examine every step you take and see how it could be used against you. Getting a couple of your friends to check through what you're doing would also be useful (and having a friend watching at crucial stages like sniffing the passwords gives you the extra backup of a witness).

      Grab.

    2. Re:UM... by Spoing · · Score: 3, Insightful
      1. By all means, sniff the passwords.

      Do *NOT* follow that advice.

      Follow this advice.

      If I have to say why, you're already treading on thin ice.

      When I've run system scans and dumps on systems I do not manage, I've asked first and shown the admins what I do exactly -- and that's in my professional capacity.

      As a student, make no doubts that you will not be treated well if they even think you are able to do this. The admins should get it, though others will not understand -- though if the admins did know WTF they were doing, they'd use HTTPS in the first place...right?

      Instead, I'd point out that you are concerned since HTTP is an unsecure method and that others are likely to abuse your account and you want to know if the school is willing to take responsibility when that happens.

      Scare them into action but do so from the point of view of someone who would not even look themselves.

      In the meantime, use https:// in the URL yourself -- it will probably work -- and suggest friends do the same if it does.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:UM... by Glonoinha · · Score: 3, Insightful

      This sounds a lot like that college kid that decided to 'test' airport security a few months ago by sneaking a knife onto a commercial flight. Made it past security, got onto the plane, then announced his amazing feat of stealth and cunning to the crew. Ha Ha your security still sucks - I tested it and I am better than you - hey wait, it was only a test - hey who are these stormtrooper guys - ouch.

      Oddly neither the airport nor the government found his 'test' very enlighting. No, in fact I think he was facing several years in Federal Pound-Me-In-The-Ass Prison.

      Original poster : you are approaching this like a child in an adult world. It is obvious that you desire peer level attention and recognition for your 'accomplishments'. Trust me, as someone that was 'recognized' and 'acknowledged' by the university administration for 'hacking' his college computers (possibly before you were even born) ... recognition is highly overrated. That you even suggested collecting the list of passwords and placing them on a webpage at school shows incredible immaturity. Not because you said it, but because doing so is even a remotely viable consideration in your mind.

      You want to blow the whistle, then blow the whistle. If you see a serious breach of security and you feel the need to get it fixed, go to https://tips.fbi.gov and fill out that form, hit submit. I pretty much 100% guarantee that they will take you serious. You can call them at 202-324-3000 if you want.

      Understand, however, that once you invite the government into any aspect of your life or business it is impossible to put that genie back in the bottle. This goes with any cute little pranks you enumerated like sniffing passwords or listing them on a web page at school.

      There is a fine line between helper and terrorist in today's environment and you really don't want to screw away your lifetime potential because you were being 'gifted and talented' in college. Not only do you not want to cross the line, you don't even want to be under evaulation as to which side of the line you are at - all it takes is one bureaucrat to misinterpret anything you have said and you are royally fscked.

      If you are here because you are genuinely concerned about massive lapses in the security as implemented at your university then consider whether or not you are ready to be a martyr for that security - because once you blow the whistle you can pretty much kiss goodbye any chances at graduation from that college. But the needs of the many outweigh the needs of the few and we are ok with sacrificing you as a pawn in the name of the overall good.

      If you are here to impress us with your 1337 haxor skillz - what you did wasn't 1337, it was merely a rite of passage for every systems guy worth his salt. About like programming a bubble sort in visual basic - everybody is proud the first time they do it, but it really isn't that big a deal.

      You want to impress us, do something none of has done yet :
      Find Osama bin Laden, hell I think there is still a $25M reward for the information leading to his capture.
      Figure out a way to actually get the administration to fix their security. Do that and you will be our hero.
      Find a way to bring back the tech sector jobs that are being outsourced overseas. Do that and you will be our hero and we will rename Linux in your honor.

      --
      Glonoinha the MebiByte Slayer
  2. No no no by FattMattP · · Score: 4, Insightful
    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.
    So you're going to point out how insecure their network is by placing 18,000 students accounts in more danger than they're already in? You'll end up in jail for "hacking" if you do that. Seriously.

    What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.

    Whatever you do, DO NOT sniff the network and post the results. Don't even show them privatly to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.

    --
    Prevent email address forgery. Publish SPF records for y
  3. Damned if you, damned if you don't by G4from128k · · Score: 3, Insightful

    IANAL, but I suspect that if you intentionally demonstrate the insecurity of the system, you will be sent to jail. Ask a lawyer, but I suspect that their advice wil be to not do anything that involves you breaking into the system.

    On the otherhand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.

    At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem that might get you in hot water for the terrorist crime of "hacking."

    I feel for you. Be careful.

    --
    Two wrongs don't make a right, but three lefts do.
  4. Sniffing's a bad idea by the_truk_stop · · Score: 3, Insightful

    While sniffing passwords sounds like a great way to get students' awareness up, that's generally an extremely bad idea. While the administration sounds like it's being incompetent, you posting sensitive information online will quickly get you slapped with legal issues.

  5. Re:No ultimatums... by Anonymous Coward · · Score: 3, Insightful

    Remember also that you catch more flies with honey than with vinegar, and even if you drop the "F" bomb, a pissed-off vice chancellor or IT manager can stonewall like you can't even comprehend while appearing to any outsider to be dealing with an unreasonable student as responsibly as possible

  6. Re:Job opportunity? by c · · Score: 4, Insightful

    so why not explain the problem and ask them if they would be willing to pay you to fix it?

    Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help intitution fix security problems in return for money".

    The last thing you want to do is make it look like you're after money.

    c.

    --
    Log in or piss off.
  7. SSN?! by psyconaut · · Score: 4, Insightful

    " I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."

    Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!

    -psy