Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security and School - How Should One Speak Up?

Posted by Cliff on from the making-your-concerns-known dept.

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little of dabbling around, I found the place where I needed to enter my propriety school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password, lead right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

17 of 137 comments (clear)

  1. Job opportunity? by eviljolly · · Score: 5, Interesting

    Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)

    1. Re:Job opportunity? by c · · Score: 4, Insightful

      so why not explain the problem and ask them if they would be willing to pay you to fix it?

      Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help intitution fix security problems in return for money".

      The last thing you want to do is make it look like you're after money.

      c.

      --
      Log in or piss off.
    2. Re:Job opportunity? by torpor · · Score: 5, Informative

      well meaning security person gets ass-fucked because they offered to help intitution fix security problems in return for money"

      Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.

      Some guidelines for the current situation:

      - Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.

      - Send a copy of this report to your schools administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.

      - Be thorough and complete, and make sure you explain why you are being so thorough.

      - Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.

      - Be courteous about this problem. It is not one single persons problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.

      - Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...

      Always, always, always try to remember, that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then its going to get you into more trouble than you expect ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  2. Bad idea! by 42forty-two42 · · Score: 4, Interesting
    "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school."
    If you're going to blackmail your school (and threaten to break various computer crimes laws), don't post about it on a high-traffic site beforehand! Better would be to talk directly to the network admin and offer to show them a live password-capture session.
    1. Re:Bad idea! by yotaku · · Score: 4, Informative

      I'm not so sure about this. Although I guess now that you've posted here you had better speak up. But if it was me, I'd have just kept my mouth closed. I know someone who reported a security flaw in my highschool's network and was promptly banned from using any school computers except under supervision and suspended from school for a week.

    2. Re:Bad idea! by 42forty-two42 · · Score: 4, Funny
      Yeah...there are some people on Slashdot, but this guy is one of the dumbest I've seen yet.
      You're new here, aren't you?
  3. UM... by ewhenn · · Score: 4, Insightful

    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned

    If this page really allow you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other peoples passwords online?? Wouldn't taht violate THEIR privacy. I mean if someone found a problem with my banks online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number an pin online. In fact I would sue the poster of htat information if I could. Be careful where you tread.

  4. Show the problem to your school leaders... by joelparker · · Score: 4, Informative
    First, contact your school technical staff;
    they are the ones to fix this problem.

    Second, if the technical staff does not fix it,
    contact your school's Deans for intervention.

    Third, if the Deans do not get the problem solved,
    contact your school paper and ask for help.

    This all shows that you're a team player,
    in case you need to escalate it later.

    1. Re:Show the problem to your school leaders... by mar1boro · · Score: 5, Interesting

      Call me paranoid. In a perfect world this would be the ideal situation.
      If you are determined to get this fixed ( as you should be ), and you are
      on friendly terms with both your system admins and your school's administration
      then take the straight forward approach suggested by joelparker.

      If they do not know you, I would attempt to be a little more anonymous.
      If you point out laxaties in their security, you will be the first person
      they think of when there is a problem. The security admin will probably
      also get his ass chewed by his boss. The admin will remember you.

      If you are still determined, do one of two things;
      1. Compose anonymous snail mails. One to the school's admin, and
      if this is a state school - one to the state's security admin at the
      department of education.
      2. If you have money, or can find an activist lawyer willing to do this
      pro-bono - retain council and enter into a priveledged communication.
      Have the lawyer communicate with the admins.

      Just remember - no good deed ever goes unpunished.

      --
      -- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next
  5. No no no by FattMattP · · Score: 4, Insightful
    I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.
    So you're going to point out how insecure their network is by placing 18,000 students accounts in more danger than they're already in? You'll end up in jail for "hacking" if you do that. Seriously.

    What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.

    Whatever you do, DO NOT sniff the network and post the results. Don't even show them privatly to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.

    --
    Prevent email address forgery. Publish SPF records for y
    1. Re:No no no by Biochrome · · Score: 5, Informative

      You'll end up in jail for "hacking" if you do that. Seriously. I meerly nmaped our server, and I spent a night in jail, and lost all computer priveleges forever at school. Do NOT even act like you may be comprimising network security... you'll end up in a boatload of trouble.

  6. No ultimatums... by isaac · · Score: 4, Informative
    Do not make an ultimatum. You WILL be subject to disciplinary procedures, and probably prosecuted. If speaking to the campus technology people responsible (and I mean speaking to the people who are *really* responsible - the managers, not the helpdesk) for these systems and networks about your concerns produces only indifference, you should drop the F-bomb - FERPA, the Family Educational Rights and Privacy Act. Under FERPA, your school may be both liable to you (and theoretically face loss of federal funds) for unauthorized disclosure of your educational records and other personally-identifiable information like SSN. (Directory information, such as your name, and the fact that you're a student, is not automatically protected from discloseure by default, but you may request that such info not be disclosed to third parties.)

    I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.

    Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  7. Honestly? No techies. by JabberWokky · · Score: 5, Informative
    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way; making you a scapegoat and likely sending you ass to jail.

    Go to a Dean, the highest level one you can get a good ten minute discussion. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publically announcing such a discovery can lead to serious consequences.

    In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the reprocussions that whistleblowing this issue may have.

    If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  8. MOD PARENT DOWN by Fortunato_NC · · Score: 4, Interesting

    Sarbanes-Oxley has nothing to do with your college's wireless network, or private data, or any of that. It's about corporate governance and reporting requirements for large public corporations. Mods, YHBT. YHL. (again!) HAND!

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
  9. Re:Legal repercussions for the school by alienw · · Score: 4, Informative

    Actually, it's called FERPA. Sarbanes-Oxley has nothing to do with privacy or colleges.

  10. It depends on who you know. by consolidatedbord · · Score: 4, Interesting

    If you go to the principle, you will probably get suspended/expelled for "hacking" the network. I went to 2 highschools. At Highschool A, if you had anything to do with anything that was not a part of the school's acceptable use policy, even if it was non-malicious and for the better of the school, you were almost guaranteed expulsion. (If they caught you that is. ;-) ) At Highschool B, there was a well established tech community that the assistant principle was a close part of. The on-site LAN admin s were young, former students of the school, so were pretty open to listening to what anyone had to say about "insecurities" on the LAN. I became a part of their student tech program, which offered fairly simple classes in networking, perl, html, and operating system theory. I advanced in the classes, and ended up teaching one of them as a student. Quickly, one of the LAN admins and I become buddies, and a trust was formed with me, him, and the assistant principle. As long as no harm was done when finding some kind of security vulnerability, then no suspension/expulsion was needed. I do recall however, having a history teacher at Highschool A who would periodically pull me and a fellow tech out of class periodically to fix computers. A trust was formed between us, and him. The best advice for reporting this, would be to find a teacher who you are closest to, and explain to them the issues involved. Inform him/her that you aren't trying to harm anyone, you only made a simple ovservasion and would like to report it. A trusting teacher will then put in a good word for you, the student, and you may even get some extra credit.

    --
    while true ; do echo this is my sig; done
  11. SSN?! by psyconaut · · Score: 4, Insightful

    " I was upset about them changing from using my SSN to a proprietary number scheme for identifying students..."

    Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!

    -psy