Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
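The submitter's core complaint is a password form that submits over plain HTTP. As an added example (not part of AJ's question or any reply in the thread), here is the defender-side check a practitioner would run against such a portal: parse the page's HTML, find every form that carries a password field, resolve its action URL, and flag any form where either the page or the action is not served over HTTPS (a form on an HTTP page is flagged even when its action is HTTPS, because the page itself can be altered in transit on an open wireless network). The sample page and the `portal.example.edu` URLs are constructed placeholders, not any real school's.

```python
"""Audit login forms for plaintext (HTTP) credential submission.

Added example, not code from the Slashdot thread. Given a page's HTML and the
URL it was fetched from, report every form with a password field that would
be submitted without TLS. The sample page below is constructed for this
example; its URLs are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>, its resolved action URL, and whether it has a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_login_forms(html, page_url):
    """Return action URLs of password forms that are not fully protected by HTTPS.

    A form is flagged when the page it sits on or the URL it posts to uses a
    scheme other than https; both hops must be encrypted for the credential to
    be safe from a passive listener on the same network.
    """
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_is_https = urlsplit(form["action"]).scheme.lower() == "https"
        if not (page_is_https and action_is_https):
            findings.append(form["action"])
    return findings


# Constructed sample: a login page served over plain HTTP (placeholder host).
SAMPLE_PAGE_URL = "http://portal.example.edu/login"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="student_id" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
<form action="https://search.example.edu/q" method="get">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action in find_plaintext_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("password form submitted without TLS:", action)
```

Feeding the same HTML with an `https://` page URL returns nothing, which is the quick "does switching to https fix it" test several replies below suggest; the search form is never reported because it carries no password field.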
Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If nothing else, they might nag their developers to work a little harder after hearing about it. :)
If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."
Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.
The submitter doesn't mention his school, but this is exactly the situation at Georgia Tech.
Call me paranoid. In a perfect world this would be the ideal situation.
If you are determined to get this fixed (as you should be), and you are on friendly terms with both your system admins and your school's administration, then take the straightforward approach suggested by joelparker.
If they do not know you, I would attempt to be a little more anonymous. If you point out laxities in their security, you will be the first person they think of when there is a problem. The security admin will probably also get his ass chewed by his boss. The admin will remember you.
If you are still determined, do one of two things:
1. Compose anonymous snail mails. One to the school's admin, and if this is a state school - one to the state's security admin at the department of education.
2. If you have money, or can find an activist lawyer willing to do this pro-bono - retain counsel and enter into a privileged communication. Have the lawyer communicate with the admins.
Just remember - no good deed ever goes unpunished.
-- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next
Yeah, but there doesn't seem to be a clear cut line. From what he's said, the data is pretty much secure. As secure as any normal data was 15 years ago.
Sure, it could (and probably should) be more secure, but does FERPA lay out detailed standards for encryption and data security practices? I personally don't know, but I seriously doubt it.
(On the other hand, I see no use in putting that data on the web, of course he knows his own SSN and personal info.)
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!
Blogging Weight Loss, Distance Education, and more at verlin.com
If you go to the principal, you will probably get suspended/expelled for "hacking" the network. I went to 2 high schools. At High School A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you, that is. ;-) ) At High School B, there was a well established tech community that the assistant principal was a close part of. The on-site LAN admins were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, perl, html, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I became buddies, and a trust was formed between me, him, and the assistant principal. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall, however, having a history teacher at High School A who would periodically pull me and a fellow tech out of class to fix computers. A trust was formed between us and him. The best advice for reporting this would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone, you only made a simple observation and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.
while true ; do echo this is my sig; done
What are you on about with the whole "proprietary user id and password" nonsense. We usually call these things just "username" and "password". Proprietary usually refers to some sort of intellectual property of some value, like source code or wiring diagrams or similar.
It's not a synonym for "something I don't like". Weirdo.
At my sec school I got in trouble three times. Once because I used megaproxy.com to access Hotmail to send some work home (interestingly enough, megaproxy.com was stuck on a post-it on the side of the server (yes, the server was just on a desk in a little closet!) - the council, not the school, have authority over what's blocked, so my guess is the teachers used that site to access things which were blocked too....). I got a little ticking off for that. The teachers knew it was silly and had had lots of complaints from students, but had done nothing about it.
The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.
The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over windows and one of the features was that it prevented you from typing "C:\" in a file dialog box. A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box then eventually the software will be too slow, windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check created by, but said person had friends right at the top...hmmm.....CORRUPTION..).
That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.
The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.
It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.
The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.
Good luck.
The most important thing to remember is that they're going to avoid losing face in front of their superiors at all costs. This reclaiming of face might involve lying or throwing you in jail. If you find a way to inform them of the problem *without* causing anyone to look bad in front of someone with influence, they'll be grateful.
Half of business communication is learning how to tell people things without causing them to lose face in the workplace. The sooner you figure this out, the sooner you'll be successful in the business world.
you want the school to kick your ass out because you threatened them with revealing their network secrets and not following their AUP (surely they have one?)?
instead, find some sympathetic influential faculty (especially if they have tenure) who can make life hell for those responsible. if they refuse to do anything, just report it to your local newspaper and document _EVERYTHING_ (either immediately write notes while in their presence or tape-record what their comments are while they deny any problems). if they turn purple or get irate, either way you got 'em by the short-n-curlies.
you shouldn't have to put up with stupid people who endanger your future life because they won't protect your data.
hmmm, I wonder if this would make them liable for future cases of identity theft? potentially big bucks!
I'm good with numbers -
About a year ago, I noticed a fairly significant vulnerability allowing me to get the shadow passwords of any student in the CS program, as well as all faculty and staff at my university. Thankfully, I am on good terms with the CS computers administrator, and told him what I could do, and told him what to type to get it. Being plain old DES, the shadow passwords would have been trivial to crack using a dictionary approach.
He immediately contacted the university CTS staff (they administer everything else), and it turns out they were aware of the vulnerability. I noticed that later that week the hole was closed in a hacked way, by simply disallowing use by regular users of a certain system binary.
He also told me it was a smart decision on my part to come forward immediately with the information, because if they had found out that I knew and didn't tell them, I would have been expelled and barred from any post-secondary institution in North America for several years. I guess they keep a watch list somewhere.
He who laughs last is stuck in a time dilation bubble.
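The post above makes a point that still applies to any shadow file: once the hashes leak, traditional DES crypt(3) entries offer almost no protection. As an added example (not the poster's code nor anything from the thread), here is an audit script an administrator could run over a shadow-format file to find accounts still hashed with DES or MD5-crypt, or with no password at all, by classifying each entry from its crypt(3) prefix. The sample lines are constructed for this example, and the hash strings in them are placeholders of the right shape, not real hashes.

```python
"""Audit shadow-format password entries for weak hashing schemes.

Added example, not code from the Slashdot thread. Classifies each entry of a
shadow-style file by the crypt(3) scheme implied by its prefix and lists
accounts whose hashes are trivial to attack offline (traditional DES,
MD5-crypt) or that have an empty password field. The sample data below is
constructed; the hash strings are placeholders, not real hashes.
"""
import re

# crypt(3) scheme identifier found between the first two '$' signs,
# mapped to (human-readable name, is_weak).
_SCHEMES = {
    "1": ("md5-crypt", True),      # fast and obsolete; cheap to attack offline
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "5": ("sha256-crypt", False),
    "6": ("sha512-crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
    "gy": ("gost-yescrypt", False),
}

# Traditional DES crypt: 2-char salt + 11-char hash, all from [./0-9A-Za-z],
# with no '$' prefix at all.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme_name, is_weak) for one shadow password field."""
    if field == "":
        return ("empty-password", True)        # no password required at all
    if field.startswith(("!", "*")):
        return ("locked", False)               # login by password disabled
    if field.startswith("$"):
        parts = field.split("$")
        scheme = _SCHEMES.get(parts[1])
        return scheme if scheme else ("unknown-$" + parts[1], True)
    if _DES_RE.match(field):
        return ("des-crypt", True)
    return ("unrecognised", True)              # treat anything odd as suspect


def find_weak_accounts(shadow_text):
    """Parse shadow-format lines and return [(user, scheme), ...] for weak entries."""
    weak = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                           # malformed line; skip it
        user, pw_field = fields[0], fields[1]
        scheme, is_weak = classify_hash(pw_field)
        if is_weak:
            weak.append((user, scheme))
    return weak


# Constructed sample shadow file; every hash here is a placeholder.
SAMPLE_SHADOW = "\n".join([
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASHxxxxxxxxxxxxxxxx:19000:0:99999:7:::",
    "alice:$1$abcdefgh$PLACEHOLDERHASHxxxx:19000:0:99999:7:::",
    "bob:abPLACEHOLDER:19000:0:99999:7:::",
    "carol:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASHxxxxxx:19000:0:99999:7:::",
    "svc:!:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in find_weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: {scheme} - force a password change under a modern scheme")
```

On a real system the fix is to set a modern scheme in the login configuration (sha512-crypt or yescrypt on current Linux distributions) and expire the flagged accounts' passwords so they are rehashed at next login; the entries flagged here are exactly the ones a dictionary attack would recover first if the file leaked.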
I experienced similar things with my school (except that we're a high school in florida, which means there's almost no education money. bastard politicians.). I found a multitude of insecure things in the workstation setup (including being able to edit file shares between machines from a non-admin account). So, I made a report for them and gave it to my computer teacher. The first IT person that got ahold of my report wanted me suspended and barred from all on-campus computer labs. The second one finally fixed everything that I'd mentioned and now we're running much more securely (although there are still problems that I'm NOT going to bother filing a report about as it won't do any good, I don't plan to exploit them, and I'll just get suspended). But, I haven't gotten any thanks from the IT department. Honestly, I'd rather take it to the deans first as an issue of personal privacy vs. network security. You're probably safer that way as you'll be above the IT people and won't get owned hardcore by them.
OK, so you know your own password and you can allow yourself to access your data. So, how about making a controlled intrusion attempt?
:-)
Try to see if you can obtain your own password over the wires or wireless. You know what you are looking for but it may be more difficult than you think, and hence you can avoid making a scene of yourself
Record the whole session, so you can replay it in front of the admin. A demo is often very instructive when people seem reluctant to believe you.
You cannot be accused of hacking since all you have done is granted yourself access to your own data.
This way you have not disclosed sensitive information or violated others privacy. Publishing other peoples ids and passwords online is a very bad idea, even if intended as a proof of concept. Respect the privacy of others, even if you find it is not properly protected.
If that doesn't achieve the objective, go to the press, school paper or other and demonstrate it by replaying the intrusion.
Back in college, the same thing (more or less) happened to me. My school was using http instead of https for email, and the same password was used to access student information including DOB, SSN, etc. You also had the ability to add or drop classes with the same password. Since the school had "free" wireless access, and no form of network authentication, anyone could sit in the library and sniff passwords. I made the utterly stupid mistake of calling the "help desk," and the lout who answered accused me of hacking when I tried to explain that email wasn't secure.
Needless to say, the computer services department eventually met with me, and offered me a tech support job. Being the starving college student, I jumped at the chance. Stupidly, I filled out the job application, and waited to hear back from them...and waited....and waited. Over the next two months, I met with the computer services department three times, each time being given some excuse as to why I hadn't started my new job.
During this time period, I knew a number of people who worked for the computer services department who I was on good terms with. I asked one of them to check for me to see why it was taking so long to start my job, and he did some poking around for me. Eventually he found out that the job application was a front, and they used the information provided in it to do a "background check" on me to see if I had gotten in trouble for "hacking" in the past. They went so far as to call my high school and check there, and then blacklisted me as a "bogey," apparently their term for hackers.
They never intended to give me a job. They offered me the job to keep me happy until they could do a check on me. As I had done nothing in the past to give me a "hacker record," they decided to just give me the cold shoulder. I passed up two other job offers during that time period, thinking that the higher-paying computer services job was just around the corner, as I was led to believe. I never got the job.
I guess the point of my story is that you can try to do the right thing, and explain the situation to your school's IT department, but you might very well end up in my situation. I'd go to an internet cafe, or send a letter, or something, but do it as anonymously as you can. Unfortunately, even though you're in college, some of the people there do not have open minds, and will scorn you for your attempt at helping.
Funny thing is, about a year after my initial call to the IT department, one of the school newspapers ran a story detailing the problem, and praising the IT department who had "fixed this problem." The story went on to say how this "hole in the network" had been open for over a year, and hadn't been noticed until recently. I laughed out loud when I saw that, as I knew it was complete and utter bullshit.
Mod me down if you will, but I know that at least one of the people involved in my case reads slashdot, so if this story sounded familiar, maybe you should rethink your method of dealing with those who only wanted to help.
Agreed on going to the dean. If you use what I call the Columbo method -- after the dumbly and wise detective on TV -- you can also go to the IT department though this is a bit more risky but may silently solve the problem.
The Columbo method works basically like this:
"I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)
Other phrases: "You know, I was wondering..." / "I find it curious that..."
Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!
"If only someone could do something about that. Do you know anyone?"
Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.
If anything, be a little funny but do not be condescending.
Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.
Note: If using https:// instead of http:// works, mention that *you* found a work around, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I sent an anonymous packet of information to the dean through campus mail, regarding a faculty member's use of equipment purchased for a university project, and his taking that equipment for a company that he started, and giving us instead dated equipment with 'property of NASA' stickers on it. [where he worked part time, it was my understanding]. He also claimed the work of one of the students for whom he was an advisor, as the work of his company.
Unfortunately, as there were relatively few people who had access to all of the information that I did, it was rather easy for them to track it back to me. I was called into a meeting with the dean, and the faculty member, and they threatened me with expulsion. They also weren't happy with something that I posted to the group's web page (which was in fact, a violation of the university's policies regarding use of computer systems)
I also wasn't aware that the dean had a vested interest in keeping the faculty member, as he had received a multi-million dollar grant for some of the research that he was doing.
So, my recommendation is -- if you're going to do anything, go straight to the feds. More than likely, whomever you complain to internally knows what's going on, and wants it to continue, for some reason that you don't know about. [It might even just be a cover-your-ass approach].
Oh -- and after graduating, years later, I needed to get a transcript for a job. It turns out the university had shipped me a diploma, but didn't have my graduation listed in their computer system. It took me over four months to get the issue resolved, and even then, at the last meeting I had with the assistant dean, he had the balls to apologize to me -- not for someone failing to update a flag in the computer system, but for them sending out an incorrect letter informing me of what classes I needed for graduation and sending me the diploma in error.
[They only flagged me as graduated, as I had taken a number of graduate level classes, and they applied those to make up for the two one credit classes they claimed I needed, 6 years later].
Unfortunately, I don't think that this is a direct violation of FERPA, but I know there was some new law, that I think is now in effect, that made it so they had to stop using SSNs as tracking numbers. I've been out of higher ed for almost a year now [working as a systems programmer, and speaking up about problems -- which got me fired], so I'm not as current as I used to be.
If you really want to report this to the school, take it to the student government, or some other body that the school doesn't have direct control over.
Build it, and they will come^Hplain.