Slashdot Mirror


Security and School - How Should One Speak Up?

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

9 of 137 comments

  1. Job opportunity? by eviljolly · Score: 5, Interesting

    Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)

  2. Bad idea! by 42forty-two42 · Score: 4, Interesting
    "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school."
    If you're going to blackmail your school (and threaten to break various computer crimes laws), don't post about it on a high-traffic site beforehand! Better would be to talk directly to the network admin and offer to show them a live password-capture session.
  3. Inspiration by MegaT · Score: 3, Interesting

    So Slashdot, what is a concerned student to do?
    this?

  4. At Northwestern University... by the_truk_stop · Score: 3, Interesting
    ...the page where you change your password has a JavaScript app that will check if your password meets the Northwestern University IT guidelines.

    If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."

    Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.
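    The flaw described in this comment, and the fix, as an added example (not code from the thread or from Northwestern's site): a client-side policy checker whose error text interpolates the candidate password, beside one that reports only the names of the failed rules. The rule set is a constructed stand-in, not the real IT guidelines.

```javascript
// Added example: password-policy validation that never echoes the secret.
// RULES is a constructed stand-in for a school's password guidelines.
const RULES = [
  { name: "at least 8 characters", test: (p) => p.length >= 8 },
  { name: "contains a lowercase letter", test: (p) => /[a-z]/.test(p) },
  { name: "contains an uppercase letter", test: (p) => /[A-Z]/.test(p) },
  { name: "contains a digit", test: (p) => /[0-9]/.test(p) },
  { name: "contains a symbol", test: (p) => /[^A-Za-z0-9]/.test(p) },
];

function failedRules(password) {
  return RULES.filter((r) => !r.test(password)).map((r) => r.name);
}

// The pattern the comment describes: the error text embeds the password,
// so a near-miss of a real password ends up in a pop-up and on screen
// (and in any logging or error reporting that captures that text).
function leakyMessage(password) {
  const failed = failedRules(password);
  if (failed.length === 0) return "OK";
  return `"${password}" is not acceptable: ${failed.join(", ")}`;
}

// Hardened form: structured result whose message names only the rules.
// Render `message` with textContent, never via alert() or innerHTML.
function checkPolicy(password) {
  const failed = failedRules(password);
  const ok = failed.length === 0;
  const message = ok
    ? "Password meets the guidelines."
    : `Password rejected: ${failed.join("; ")}.`;
  return { ok, failed, message };
}

// Unit-test helper: does a user-visible message contain the secret?
function messageLeaksSecret(password, message) {
  return password.length > 0 && message.includes(password);
}

// Constructed sample: a missed shift key turned "!" into "1", so the
// candidate fails only the symbol rule, just as in the comment above.
const SAMPLE = "Tr0ub4dor1";
```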

  5. Re:Show the problem to your school leaders... by mar1boro · Score: 5, Interesting

    Call me paranoid. In a perfect world this would be the ideal situation. If you are determined to get this fixed (as you should be), and you are on friendly terms with both your system admins and your school's administration, then take the straightforward approach suggested by joelparker.

    If they do not know you, I would attempt to be a little more anonymous. If you point out laxities in their security, you will be the first person they think of when there is a problem. The security admin will probably also get his ass chewed by his boss. The admin will remember you.

    If you are still determined, do one of two things:
    1. Compose anonymous snail mails. One to the school's admin, and if this is a state school, one to the state's security admin at the department of education.
    2. If you have money, or can find an activist lawyer willing to do this pro bono, retain counsel and enter into a privileged communication. Have the lawyer communicate with the admins.

    Just remember: no good deed ever goes unpunished.

    --
    -- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next
  6. MOD PARENT DOWN by Fortunato_NC · Score: 4, Interesting

    Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
  7. It depends on who you know. by consolidatedbord · Score: 4, Interesting

    If you go to the principal, you will probably get suspended/expelled for "hacking" the network. I went to 2 high schools. At High School A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you, that is. ;-) ) At High School B, there was a well-established tech community that the assistant principal was a close part of. The on-site LAN admins were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, Perl, HTML, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I became buddies, and a trust was formed between me, him, and the assistant principal. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall, however, having a history teacher at High School A who would periodically pull me and a fellow tech out of class to fix computers. A trust was formed between us and him. The best advice for reporting this would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone; you only made a simple observation and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.

    --
    while true ; do echo this is my sig; done
  8. At my secondary school.. by Anonymous Coward · Score: 3, Interesting

    At my sec school I got in trouble three times. Once because I used megaproxy.com to access Hotmail to send some work home (interestingly enough, megaproxy.com was stuck on a post-it on the side of the server (yes, the server was just on a desk in a little closet!); the council, not the school, has authority over what's blocked, so my guess is the teachers used that site to access things which were blocked too....). I got a little ticking off for that. The teachers knew it was silly and had had lots of complaints from students, but had done nothing about it.

    The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.

    The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over Windows, and one of the features was that it prevented you from typing "C:\" in a file dialog box). A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box, then eventually the software will be too slow, Windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check "created by", but said person had friends right at the top...hmmm.....CORRUPTION..).

    That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.

    The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.

    It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.

    The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.

    Good luck.

  9. Re:Honestly? No techies. by Spoing · Score: 3, Interesting
    1. Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way: making you a scapegoat and likely sending your ass to jail.

    Agreed on going to the dean. If you use what I call the Columbo method -- after the dumb-seeming but wise detective on TV -- you can also go to the IT department, though this is a bit more risky but may silently solve the problem.

    The Columbo method works basically like this:

    "I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)

    Other phrases: "You know, I was wondering..." / "I find it curious that..."

    Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!

    "If only someone could do something about that. Do you know anyone?"

    Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.

    If anything, be a little funny, but do not be condescending.

    Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.

    Note: If using https:// instead of http:// works, mention that *you* found a workaround, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?

    --
    A firewall cannot protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.