Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID, along with a password, leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)
Call me paranoid. In a perfect world this would be the ideal situation.
If you are determined to get this fixed (as you should be), and you are on friendly terms with both your system admins and your school's administration, then take the straightforward approach suggested by joelparker.
If they do not know you, I would attempt to be a little more anonymous. If you point out laxities in their security, you will be the first person they think of when there is a problem. The security admin will probably also get his ass chewed by his boss. The admin will remember you.
If you are still determined, do one of two things:
1. Compose anonymous snail mails. One to the school's admin, and, if this is a state school, one to the state's security admin at the department of education.
2. If you have money, or can find an activist lawyer willing to do this pro bono, retain counsel and enter into a privileged communication. Have the lawyer communicate with the admins.
Just remember - no good deed ever goes unpunished.
-- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next