Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security and School - How Should One Speak Up?

Posted by Cliff on from the making-your-concerns-known dept.

AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little of dabbling around, I found the place where I needed to enter my propriety school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password, lead right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?" "I have made suggestions before with little results. Should I send an e-mail with an ultimatum. What should my after-ultimatum actions be. I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"

5 of 137 comments (clear)

  1. Job opportunity? by eviljolly · · Score: 5, Interesting

    Maybe you should take a different approach to this situation. You say that the school has security problems, and you seem to be knowledgeable in the matter, so why not explain the problem and ask them if they would be willing to pay you to fix it? If all else they might nag their developers to work a little harder after hearing about it. :)

    1. Re:Job opportunity? by torpor · · Score: 5, Informative

      well meaning security person gets ass-fucked because they offered to help intitution fix security problems in return for money"

      Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.

      Some guidelines for the current situation:

      - Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.

      - Send a copy of this report to your schools administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.

      - Be thorough and complete, and make sure you explain why you are being so thorough.

      - Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.

      - Be courteous about this problem. It is not one single persons problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.

      - Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...

      Always, always, always try to remember, that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then its going to get you into more trouble than you expect ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  2. Re:No no no by Biochrome · · Score: 5, Informative

    You'll end up in jail for "hacking" if you do that. Seriously. I meerly nmaped our server, and I spent a night in jail, and lost all computer priveleges forever at school. Do NOT even act like you may be comprimising network security... you'll end up in a boatload of trouble.

  3. Re:Show the problem to your school leaders... by mar1boro · · Score: 5, Interesting

    Call me paranoid. In a perfect world this would be the ideal situation.
    If you are determined to get this fixed ( as you should be ), and you are
    on friendly terms with both your system admins and your school's administration
    then take the straight forward approach suggested by joelparker.

    If they do not know you, I would attempt to be a little more anonymous.
    If you point out laxaties in their security, you will be the first person
    they think of when there is a problem. The security admin will probably
    also get his ass chewed by his boss. The admin will remember you.

    If you are still determined, do one of two things;
    1. Compose anonymous snail mails. One to the school's admin, and
    if this is a state school - one to the state's security admin at the
    department of education.
    2. If you have money, or can find an activist lawyer willing to do this
    pro-bono - retain council and enter into a priveledged communication.
    Have the lawyer communicate with the admins.

    Just remember - no good deed ever goes unpunished.

    --
    -- "It was as if the paint factories had decided to deal direct with the art galleries." - Thursday Next
  4. Honestly? No techies. by JabberWokky · · Score: 5, Informative
    Do not go to the IT department. They have screwed up, and will move to cover their asses in the easiest way; making you a scapegoat and likely sending you ass to jail.

    Go to a Dean, the highest level one you can get a good ten minute discussion. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publically announcing such a discovery can lead to serious consequences.

    In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the reprocussions that whistleblowing this issue may have.

    If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien