Slashdot Mirror
Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little of dabbling around, I found the place where I needed to enter my propriety school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password, lead right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)
I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned
If this page really allow you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other peoples passwords online?? Wouldn't taht violate THEIR privacy. I mean if someone found a problem with my banks online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number an pin online. In fact I would sue the poster of htat information if I could. Be careful where you tread.
they are the ones to fix this problem.
Second, if the technical staff does not fix it,
contact your school's Deans for intervention.
Third, if the Deans do not get the problem solved,
contact your school paper and ask for help.
This all shows that you're a team player,
in case you need to escalate it later.
What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.
Whatever you do, DO NOT sniff the network and post the results. Don't even show them privatly to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.
Prevent email address forgery. Publish SPF records for y
IANAL, but I suspect that if you intentionally demonstrate the insecurity of the system, you will be sent to jail. Ask a lawyer, but I suspect that their advice wil be to not do anything that involves you breaking into the system.
On the otherhand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.
At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem that might get you in hot water for the terrorist crime of "hacking."
I feel for you. Be careful.
Two wrongs don't make a right, but three lefts do.
So Slashdot, what is a concerned student to do?
this?
While sniffing passwords sounds like a great way to get students' awareness up, that's generally an extremely bad idea. While the administration sounds like it's being incompetent, you posting sensitive information online will quickly get you slapped with legal issues.
I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.
Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."
Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.
2. get a lawyer. you have a right to use their networks, not admin it. you can point things out, and use the system as intended, but that's as far as it goes. i.e. http vs https. changing other's passwords and what not is something for your parents and a lawyer to discuss with the school.
-
ping -f 255.255.255.255 # if only
Do *not* sniff passwords or publish them, unless you want to face some nasty consequences. What you should to is draw up a list of the tools required to sniff the passwords and give them a recipe as to how someone could crack their security.
From what you've said there... You should say something along the lines of "A person could sit in the school parking lot with a laptop and a wireless networking card, and run the program 'Ethereal' to watch the network traffic. This person could literally watch the login IDs and passwords, and use that information to get your SSN and other vital and private information."
Pass that along to IT, your school administrators... if that doesn't get them hopping try passing the story on to your local community newspaper. That would be much safer than risking the legal reprecussions of cracking passwords yourself.
501 Not Implemented
Go to a Dean, the highest level one you can get a good ten minute discussion. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publically announcing such a discovery can lead to serious consequences.
In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the reprocussions that whistleblowing this issue may have.
If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!
Blogging Weight Loss, Distance Education, and more at verlin.com
Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.
If you go to the principle, you will probably get suspended/expelled for "hacking" the network. I went to 2 highschools. At Highschool A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you that is. ;-) ) At Highschool B, there was a well established tech community that the assistant principle was a close part of. The on-site LAN admin s were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, perl, html, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I become buddies, and a trust was formed with me, him, and the assistant principle. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall however, having a history teacher at Highschool A who would periodically pull me and a fellow tech out of class periodically to fix computers. A trust was formed between us, and him. The best advice for reporting this, would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone, you only made a simple ovservasion and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.
while true ; do echo this is my sig; done
First consider your goal. I presume it is to get them to fix the problem rather than to extort money, humiliate them, etc.
Given that assumption remember that there are many players. There are the software writers and network admins. They may be afraid of being made to look bad in front of their superiors. They may know the problems and be working on them. They may simply be doing all they can with the resources that have been given them.
Work your way up from there. IT Department heads may try to claim it isn't a problem (prevent embarassment), indicate the need for more resources or may be in the dark because their people screwed up and hid the problem.
The legal department and higher administration will be worried about liability and bad press. As such, any "demonstration" you put on can be used against you. Suddenly you will be the bad guy - the evil cracker. They may even try to go after you legally to cover their asses.
Others have mentioned S-O legislation. There may be a compliance officer on campus who you can contact.
So what to do?
I would write a detailed letter describing the problem in layman's terms. Profess ignorance to allow people to save face (phrases such as "perhaps I am unaware of fixes that are already in the works", and "I know running a student network on a tight budget is difficult...") and express your desire that this matter be handled quickly and without the need to involve outside parties but insist that it must be handled.
The "ignorance" method also allows you to send the letter to a wide recipient list without looking like you are trying to skewer any particular person or department: "I apologize for the wide distribution but I'm not sure who is in charge of such a matter as it involves S-O compliance, student privacy, IT etc..."
You may want to offer recommendations (perhaps this system should be taken offline to protect the sensitive data until the security problems are repaired) and offer your assistance. If you offer to arrange a demo and they accept, request that they set up a dummy account. This helps isolate you from liability and demonstrates your concern for privacy.
Other avenues if the "good-guy" method fails: many universities have a student ombudsman, there may be state or federal S-O compliance resources and finally, there is the press.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
At my sec school I got in trouble three times. Once because I used megaproxy.com to access Hotmail to send some work home (intrestingly enough, megaproxy.com was stuck on a post-it on the side of the server (yes, the server was just on a desk in a little closet!) - the council, not the school, have authority over what's blocked, so my guess is the teachers used that site to access things which were blocked too....). I got a little ticking off for that. The teachers knew it was silly and had had lots of complaints from students, but done nothing about it.
The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.
The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over windows and one of the features was that it prevented you from typing "C:\" in a file dialog box. A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box then eventually the software will be too slow, windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check created by, but said person had friends right at the top...hmmm.....CORRUPTION..).
That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.
The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.
It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.
The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.
Good luck.
" I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."
Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!
-psy
Some of my respondents here are absolutely right - it's HIPAA I'm talking about, not S-O. What can I say, long day at the office, been working so much on compliance for both they're freaking interchangeable in my mind by now, etc. etc. Still no excuse.
:)
First, IANAL (as evidenced by my previous stupid message naming the wrong act). In any event, my understanding is that although HIPAA was originally enacted/intended as a Health-Care related act, it's effects have been interpreted to apply outside of Health Care and to any industry that stores people's private, personal data. One of the big flags the act applies is storing social security numbers.
Rule of thumb is that if you see something private stored or transmitted somewhere it needs to be seriously secured. Seriously secured is roughly defined as encryption for every stage of the data lifecycle, from storage to transmission; as well as access control measures and all that jazz.
So anyway, a whole bunch of industries are running around with their panties in a knot because of these new privacy regs. Then you have happy California's 1386 stuff which I think was meant for online shopping but ended up saying something like that if someone hacked your entity and gained access to customer data you have to notify every single member of that customer population that resides in California or be banned from doing any kind of business in that state. I'm sure that strictly speaking the laws apply only to some very specific instances, but that hasn't stopped people from panicking just in case it could be twisted into applying to them. I'm sure that my explanations are grossly overgeneralized, but they do serve the purposes of this conversation.
The point being, there's cool new regs that protect your privacy. Make sure your school is taking them into account. I wouldn't be hostile about it, but they might just need a pointer in the right directions.
Good luck,
-Jack Ash
A few credit applications using the Dean of Students'
home address and the names/ssns of ten or twenty
lucky students would get some attention, I reckon!
-I like my women like I like my tea: green-
Nah.
Just post the name of your school here and let the problem take care of itself.
The most important thing to remember is that they're going to avoid losing face in front of their superiors at all costs. This reclaiming of face might involve lying or throwing you in jail. If you find a way to inform them of the problem *without* causing anyone to look bad in front of someone with influence, they'll be grateful.
Half of business communication is learning how to tell people things without causing them to lose face in the workplace. The sooner you figure this out, the sooner you'll be successful in the business world.
you want the school to kick your ass out because you threatened them with revealing their network secrets and not following their AUP (surely they have one?)?
instead, find some sympathetic influential faculty (especially if they have tenure) who can make life hell for those responsible. if they refuse to do anything, just report it to your local newspaper and document _EVERYTHING_ (either immediately write notes while in their presence or tape-record what their comments are while they deny any problems). if they turn purple or get irate, either way you got 'em by the short-n-curlies.
you shouldn't have to put up with stupid people who endanger your future life because they won't protect your data.
hmmm, I wonder if this would make them liable for future case of identity theft? potentially big bucks!
I'm good with numbers -
About a year ago, I noticed a fairly significant vulnerability allowing me to get the shadow passwords of any student in the CS program, as well as all faculty and staff at my university. Thankfully, I am on good terms with the CS computers administrator, and told him what I could do, and told him what to type to get it. Being plain old DES, the shadows passwords would have been trivial to crack using a dictionary approach.
He immediately contacted the university CTS staff (they administer everything else), and it turns out they were aware of the vulnerability. I noticed that later that week the hole was closed in a hacked way, by simply disallowing use by regular users of a certain system binary.
He also told me it was a smart decision on my part to come forward immediately with the information, because if they had found out that I knew and didn't tell them, I would have been expelled and barred from any post-secondary institution in North America for several years. I guess they keep a watch list somewhere.
He who laughs last is stuck in a time dilation bubble.
I'm assuming that you're in IT to some capacity and not someone who just knows a good deal about networking and security. The reason I'm asking is because if you're not in IT and you approach them, they might talk down to you or attempt to discedit you. I'm sure you know what I'm talking about. The "Well what does he/she know about computers?" If you are in IT, you might want to approach them from the standpoint of an IT professional. You might say something like,"Hello. I was logging in and noticed something...." And make them aware that you are an IT professional/student so that they know you're someone that's speaking on a level playing field. And if you're a student, you could say something like,"Well in security class, I learned https and..." It's a tough situation because you don't want them to get the impression that you're snooping around and looking for something to exploit. At the same time, you don't want to come across as being intrusive or pushy. The other option is to approach them showing concern about your own privacy. The idea of an ultimatum has already been answered by previous comments.
I experienced similar things with my school (except that we're a high school in florida, which means there's almost no education money. bastard politicians.). I found a multitude of insecure things in the workstation setup (including being able to edit file shares between machines from a non-admin account). So, I made a report for them and gave it to my computer teacher. The first IT person that got ahold of my report wanted me suspended and barred from all on-campus computer labs. The second one finally fixed everything that I'd mentioned and now we're running much more securely (although there are still problems that I'm NOT going to bother filing a report about as it won't do any good, I don't plan to exploit them, and I'll just get suspended). But, I haven't gotten any thanks from the IT department. Honestly, I'd rather take it to the deans first as an issue of personal privacy vs. network security. You're probably safer that way as you'll be above the IT people and won't get owned hardcore by them.
Back in college, the same thing (more or less) happened to me. My school was using http instead of https for email, and the same password was used to access student information including DOB, SSN, etc. You also had the ability to add or drop classes with the same password. Since the school had "free" wireless access, and no form of network authentication, anyone could sit in the library and sniff passwords. I made the utterly stupid mistake of calling the "help desk," and the lout who answered accused me of hacking when I tried to explain that email wasn't secure.
Needless to say, the computer services department eventually met with me, and offered me a tech support job. Being the starving college student, I jumped at the chance. Stupidly, I filled out the job application, and waited to hear back from them...and waited....and waited. Over the next two months, I met with the computer services department three times, each time being given some excuse as to why I hadn't started my new job.
During this time period, I knew a number of people who worked for the computer services department who I was on good terms with. I asked one of them to check for me to see why it was taking so long to start my job, and he did some poking around for me. Eventually he found out that the job application was a front, and they used the information provided in it to do a "background check" on me to see if I had gotten in trouble for "hacking" in the past. They went so far as to call my high school and check there, and then blacklisted me as a "bogey," apparently their term for hackers.
They never intended to give me a job. They offered me the job to keep me happy until they could do a check on me. As I had done nothing in the past to give me a "hacker record," they decided to just give me the cold shoulder. I passed up two other job offers during that time period, thinking that the higher-paying computer services job was just around the corner, as I was lead to believe. I never got the job.
I guess the point of my story is that you can try to do the right thing, and explain the situation to your school's IT department, but you might very well end up in my situation. I'd go to an internet cafe, or send a letter, or something, but do it as anonymously as you can. Unfortunately, even though you're in college, some of the people there do not have open minds, and will scorn you for your attempt at helping.
Funny thing is, about a year after my initial call to the IT department, one of the school newspapers ran a story detailing the problem, and praising the IT department who had "fixed this problem." The story went on to say how this "hole in the network" had been open for over a year, and hadn't been noticed until recently. I laughed out loud when I saw that, as I knew it was complete and utter bullshit.
Mod me down if you will, but I know that at least one of the people involved in my case reads slashdot, so if this story sounded familiar, maybe you should rethink your method of dealing with those who only wanted to help.
Agreed on going to the dean. If you use what I call the Columbo method -- after the dumbly and wise detective on TV -- you can also go to the IT department though this is a bit more risky but may silently solve the problem.
The Columbo method works basically like this;
"I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)
Other phrases: "You know, I was wondering..." / "I find it curious that..."
Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!
"If only someone could do something about that. Do you know anyone?"
Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.
If anything, be a little funny but do not be condecending.
Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.
Note: If using https:\\ instead of http:\\ works, mention that *you* found a work around, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I sent an anonymous packet of informtion to the dean through campus mail, regarding a faculty member's use of equipment purchased for a university project, and his taking that equipment for a company that he started, and giving us instead dated equipment with 'property of NASA' stickers on it. [where he worked part time, it was my understanding]. He also claimed the work of one of the students for whom he was an advisor, as the work of his company.
Unfortunately, as there were relatively few people who had access to all of the information that I did, it was rather easy for them to track it back to me. I was called into a meeting with the dean, and the faculty member, and they threatened me with expusion. They also weren't happy with something that I posted to the group's web page (which was in fact, a violation of the university's policies regarding use of computer systems)
I also wasn't aware that the dean had a vested interest in keeping the faculty member, as he had received a multi-million dollar grant for some of the research that he was doing.
So, my recomendation is -- if you're going to do anything, go straight to the feds. More than likely, whomever you complain to internally knows what's going on, and wants it to continue, for some reason that you don't know about. [It might even just be a cover-your-ass approach].
Oh -- and after graduating, years later, I needed to get a transcript for a job. It turns out the university had shipped me a diploma, but didn't have my graduation listed in their computer system. It took me over four months to get the issue resolved, and even then, as the last meeting I had with the assistant dean, he had the balls to appologize to me -- not for someone missing to update a flag in the computer system, but for them sending out an incorrect letter informing me of what classes I needed for graduation and sending me the diploma in error.
[They only flagged me as graduated, as I had taken a number of graduate level classes, and they applied those to make up for the two one credit classes they claimed I needed, 6 years later].
Unfortunately, I don't think that this is a direct violation of FERPA, but I know there was some new law, that I think is now in effect, that made it so they had to stop using SSNs as tracking numbers. I've been out of higher ed for almost a year now [working as a systems programmer, and speaking up about problems -- which got me fired], so I'm not as current as I used to be.
If you really want to report this to the school, take it to the student government, or some other body that the school doesn't have direct control over.
Build it, and they will come^Hplain.
Instead if you know people in IT, you can try going to them with your concerns, from a "hey did you know... it worries me...." perspective. If they're good people and well managed (but just didn't stop to think about it), that should help. If you don't have a friend there, or you hear that IT are a bunch of bozos, your best bet is to bypass them and take your concerns (as "I know enough about it to suspect this could happen", not "I know how to do this") directly to one of the offices charged with handling your student data (e.g. registrar, business office, financial aid). They're the ones who ought to be most alarmed over confidentiality problems (because they've had in-services driving the point home), and it'll be their bosses in the administration who'll have the authority to put the pressure on IT to do their job.
http://alternatives.rzero.com/