Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID, along with a password, leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)
I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned
If this page really allows you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other people's passwords online?? Wouldn't that violate THEIR privacy? I mean if someone found a problem with my bank's online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number and PIN online. In fact I would sue the poster of that information if I could. Be careful where you tread.
they are the ones to fix this problem.
Second, if the technical staff does not fix it,
contact your school's Deans for intervention.
Third, if the Deans do not get the problem solved,
contact your school paper and ask for help.
This all shows that you're a team player,
in case you need to escalate it later.
What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.
Whatever you do, DO NOT sniff the network and post the results. Don't even show them privately to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.
Prevent email address forgery. Publish SPF records for y
IANAL, but I suspect that if you intentionally demonstrate the insecurity of the system, you will be sent to jail. Ask a lawyer, but I suspect that their advice will be to not do anything that involves you breaking into the system.
On the other hand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.
At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem might get you in hot water for the terrorist crime of "hacking."
I feel for you. Be careful.
Two wrongs don't make a right, but three lefts do.
So Slashdot, what is a concerned student to do?
this?
While sniffing passwords sounds like a great way to get students' awareness up, that's generally an extremely bad idea. While the administration sounds like it's being incompetent, you posting sensitive information online will quickly get you slapped with legal issues.
I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.
Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."
Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.
Do *not* sniff passwords or publish them, unless you want to face some nasty consequences. What you should do is draw up a list of the tools required to sniff the passwords and give them a recipe as to how someone could crack their security.
From what you've said there... You should say something along the lines of "A person could sit in the school parking lot with a laptop and a wireless networking card, and run the program 'Ethereal' to watch the network traffic. This person could literally watch the login IDs and passwords, and use that information to get your SSN and other vital and private information."
Pass that along to IT, your school administrators... if that doesn't get them hopping try passing the story on to your local community newspaper. That would be much safer than risking the legal repercussions of cracking passwords yourself.
501 Not Implemented
Go to a Dean, the highest level one you can get a good ten minute discussion. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publicly announcing such a discovery can lead to serious consequences.
In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the repercussions that whistleblowing this issue may have.
If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!
Blogging Weight Loss, Distance Education, and more at verlin.com
Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.
If you go to the principal, you will probably get suspended/expelled for "hacking" the network. I went to 2 highschools. At Highschool A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you that is. ;-) ) At Highschool B, there was a well established tech community that the assistant principal was a close part of. The on-site LAN admins were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, perl, html, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I became buddies, and a trust was formed with me, him, and the assistant principal. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall however, having a history teacher at Highschool A who would periodically pull me and a fellow tech out of class periodically to fix computers. A trust was formed between us, and him. The best advice for reporting this, would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone, you only made a simple observation and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.
while true ; do echo this is my sig; done
First consider your goal. I presume it is to get them to fix the problem rather than to extort money, humiliate them, etc.
Given that assumption remember that there are many players. There are the software writers and network admins. They may be afraid of being made to look bad in front of their superiors. They may know the problems and be working on them. They may simply be doing all they can with the resources that have been given them.
Work your way up from there. IT Department heads may try to claim it isn't a problem (prevent embarrassment), indicate the need for more resources or may be in the dark because their people screwed up and hid the problem.
The legal department and higher administration will be worried about liability and bad press. As such, any "demonstration" you put on can be used against you. Suddenly you will be the bad guy - the evil cracker. They may even try to go after you legally to cover their asses.
Others have mentioned S-O legislation. There may be a compliance officer on campus who you can contact.
So what to do?
I would write a detailed letter describing the problem in layman's terms. Profess ignorance to allow people to save face (phrases such as "perhaps I am unaware of fixes that are already in the works", and "I know running a student network on a tight budget is difficult...") and express your desire that this matter be handled quickly and without the need to involve outside parties but insist that it must be handled.
The "ignorance" method also allows you to send the letter to a wide recipient list without looking like you are trying to skewer any particular person or department: "I apologize for the wide distribution but I'm not sure who is in charge of such a matter as it involves S-O compliance, student privacy, IT etc..."
You may want to offer recommendations (perhaps this system should be taken offline to protect the sensitive data until the security problems are repaired) and offer your assistance. If you offer to arrange a demo and they accept, request that they set up a dummy account. This helps isolate you from liability and demonstrates your concern for privacy.
Other avenues if the "good-guy" method fails: many universities have a student ombudsman, there may be state or federal S-O compliance resources and finally, there is the press.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
At my sec school I got in trouble three times. Once because I used megaproxy.com to access Hotmail to send some work home (interestingly enough, megaproxy.com was stuck on a post-it on the side of the server (yes, the server was just on a desk in a little closet!) - the council, not the school, have authority over what's blocked, so my guess is the teachers used that site to access things which were blocked too....). I got a little ticking off for that. The teachers knew it was silly and had had lots of complaints from students, but done nothing about it.
The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.
The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over Windows and one of the features was that it prevented you from typing "C:\" in a file dialog box. A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box then eventually the software will be too slow, Windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check created by, but said person had friends right at the top...hmmm.....CORRUPTION..).
That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.
The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.
It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.
The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.
Good luck.
"I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."
Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!
-psy
Some of my respondents here are absolutely right - it's HIPAA I'm talking about, not S-O. What can I say, long day at the office, been working so much on compliance for both they're freaking interchangeable in my mind by now, etc. etc. Still no excuse.
:)
First, IANAL (as evidenced by my previous stupid message naming the wrong act). In any event, my understanding is that although HIPAA was originally enacted/intended as a Health-Care related act, its effects have been interpreted to apply outside of Health Care and to any industry that stores people's private, personal data. One of the big flags the act applies is storing social security numbers.
Rule of thumb is that if you see something private stored or transmitted somewhere it needs to be seriously secured. Seriously secured is roughly defined as encryption for every stage of the data lifecycle, from storage to transmission; as well as access control measures and all that jazz.
So anyway, a whole bunch of industries are running around with their panties in a knot because of these new privacy regs. Then you have happy California's 1386 stuff which I think was meant for online shopping but ended up saying something like that if someone hacked your entity and gained access to customer data you have to notify every single member of that customer population that resides in California or be banned from doing any kind of business in that state. I'm sure that strictly speaking the laws apply only to some very specific instances, but that hasn't stopped people from panicking just in case it could be twisted into applying to them. I'm sure that my explanations are grossly overgeneralized, but they do serve the purposes of this conversation.
The point being, there's cool new regs that protect your privacy. Make sure your school is taking them into account. I wouldn't be hostile about it, but they might just need a pointer in the right directions.
Good luck,
-Jack Ash
Agreed on going to the dean. If you use what I call the Columbo method -- after the dumbly and wise detective on TV -- you can also go to the IT department though this is a bit more risky but may silently solve the problem.
The Columbo method works basically like this;
"I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)
Other phrases: "You know, I was wondering..." / "I find it curious that..."
Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!
"If only someone could do something about that. Do you know anyone?"
Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.
If anything, be a little funny but do not be condescending.
Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.
Note: If using https:\\ instead of http:\\ works, mention that *you* found a work around, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.