Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID, along with a password, leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
"I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned"
If this page really allows you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other people's passwords online?? Wouldn't that violate THEIR privacy? I mean if someone found a problem with my bank's online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number and PIN online. In fact I would sue the poster of that information if I could. Be careful where you tread.
What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.
Whatever you do, DO NOT sniff the network and post the results. Don't even show them privately to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.
so why not explain the problem and ask them if they would be willing to pay you to fix it?
Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money".
The last thing you want to do is make it look like you're after money.
c.
Log in or piss off.
"I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."
Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!
-psy