Security and School - How Should One Speak Up?
AJ asks: "Well, in the midst of writing 1 of my 3 papers tonight, I realized how insecure my school's network is. It all started because I was upset about them changing from using my SSN to a proprietary number scheme for identifying students. I didn't think that was a bad thing, but I was wondering if they really were securing things. So, I needed a password to access a school resource from the internet. After a little dabbling around, I found the place where I needed to enter my proprietary school ID and password. As it turns out, the login form uses HTTP instead of HTTPS! Also, my school runs a wide-open wireless network that I always had considered a convenience, but now I am changing my passwords over that network! Oh, and that proprietary ID along with a password leads right to a student summary page where my DOB, age, address and SSN are located. So Slashdot, what is a concerned student to do?"
"I have made suggestions before with little results. Should I send an e-mail with an ultimatum? What should my after-ultimatum actions be? I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school. I wouldn't be so concerned, but this wireless problem, combined with a poor web design, has me freaked out. Has anyone dealt with this before?"
Job opportunity? (Score:5, Interesting)
Re:Job opportunity? (Score:5, Insightful)
Because a lot of institutions will take the offer and twist it so it looks like a blackmail attempt, then involve law enforcement. I've seen way too many headlines reading something like "well meaning security person gets ass-fucked because they offered to help institution fix security problems in return for money".
The last thing you want to do is make it look like you're after money.
c.
Re:Job opportunity? (Score:5, Informative)
Too often the 'well meaning' part of these stories is hype. More often than not, it was a selfish, arrogant little brat-kid type who was trying to 'rule supreme over the stooopid school admins' and got upset when nobody listened to their tantrum and rants.
Some guidelines for the current situation:
- Put everything in writing, proof-read it first, then again, and spell check. Produce a professional report, not a whiny rant about why things suck.
- Send a copy of this report to your schools administrators, registered mail. Hand-deliver a copy to the school administrator, if you can, but always, always, always put everything in writing first. Always. ALWAYS.
- Be thorough and complete, and make sure you explain why you are being so thorough.
- Provide examples WHEN ASKED and not before-hand. If you attach a page full of passwords you've sniffed out of the ether, this gives you a definite disadvantage if they decide to put your head on a pike. Remember, as a student, you are just one of many in the eyes of the administrator. It may well be that the problems they try to solve involve decapitating you.
- Be courteous about this problem. It is not one single persons problem, but is in fact a group problem. Singling out one person for all the problems and mistakes of the group will do nothing but serve to make you enemies, so don't do it.
- Follow up. If there is a change as a result of your investigation, follow up and ensure it is fixed. Work as closely with the people who are responsible for this problem as you can...
Always, always, always try to remember that a whiny rant about things sucking is not going to work as well as a detailed, professional, spell-checked report. If your report about the network problems doesn't look like homework, and doesn't shoot for an "A", then it's going to get you into more trouble than you expect.
"torpor" ratted out some kid to the cops before? (Score:2)
Oh, torpor, BTW, when you wrote "not one single persons problem," you should have written "not one single person's problem." You forgot the apostrophe....
Re:Job opportunity? (Score:2)
Somewhere between 'hacking the data' and 'posting it on the web page' or doing whatever he was going to do with it (expose a massive security flaw, perhaps?) a college kid at UT got caught doing exactly this. He hadn't even done anything with them yet except possess the information.
Best quote of that article: "If convicted, he could face a maximum term of eight years in a federal prison and up to $500,000 in fines."
Bad idea! (Score:5, Interesting)
Re:Bad idea! (Score:4, Informative)
Re:Bad idea! (Score:1)
Re:Bad idea! (Score:2)
Open University? (Score:2)
Re:Bad idea! (Score:2)
Imagine if all along they have been running HTTP over IPSEC - boy would his face be red.
Re:Bad idea! (Score:5, Funny)
UM... (Score:5, Insightful)
If this page really allows you to view all of the above info (SSN, etc.) AND you are upset it would violate your privacy, why are you willing to post a bunch of other people's passwords online?? Wouldn't that violate THEIR privacy? I mean if someone found a problem with my bank's online checking that would let people exploit and get into my account, I would not appreciate someone posting my account number and PIN online. In fact I would sue the poster of that information if I could. Be careful where you tread.
Re:UM... (Score:4, Insightful)
By all means, sniff the passwords. But then put them in a document and circulate it to your department supervisors. Make sure the document says *exactly* what you did (every step of the process). It would be good if every step was within the IT policy you subscribed to (then they can't lynch you for that), although as a whistle-blower this may not be necessary. And NEVER use those passwords, otherwise you could be done for hacking into someone else's account.
Don't even think about asking for money - as someone else said, this makes you look like a blackmailer. Initially you have to act simply as someone bringing in information. What they choose to do with the info is their decision - most likely someone in the IT department *does* have the skills to fix the problem, it's just that they got some incompetent trainee to do it instead. If it turns out that the IT department need your skills then you can negotiate a contract or you can do it for free, but NEVER state that to start with.
Give out ONLY hard-copies - that way a Word document can't accidentally get put on the web or something dumb like that. This limits circulation - it's more effort to photocopy/scan than to forward an email, so there's less chance of the passwords going where they shouldn't.
Finally, make sure a hard-copy goes to the school paper, with instructions to hold onto it for 2 weeks (or some arbitrary length of time), and have a good talk with the people running the paper before you tell the school authorities. Make sure when you raise the issue with the school authorities that you tell them you've given the info to the school paper, and tell them the time limit. That way, they know they need to fix things within 2 weeks before things go public. It also covers your ass by ensuring they can't lynch you as a scapegoat, because the paper will crucify them.
Basically, examine every step you take and see how it could be used against you. Getting a couple of your friends to check through what you're doing would also be useful (and having a friend watching at crucial stages like sniffing the passwords gives you the extra backup of a witness).
Grab.
Re:UM... (Score:4, Insightful)
Do *NOT* follow that advice.
Follow this advice. [slashdot.org]
If I have to say why, you're already treading on thin ice.
When I've run system scans and dumps on systems I do not manage, I've asked first and shown the admins what I do exactly -- and that's in my professional capacity.
As a student, make no doubts that you will not be treated well if they even think you are able to do this. The admins should get it, though others will not understand -- though if the admins did know WTF they were doing, they'd use HTTPS in the first place...right?
Instead, I'd point out that you are concerned since HTTP is an insecure method and that others are likely to abuse your account, and you want to know if the school is willing to take responsibility when that happens.
Scare them into action but do so from the point of view of someone who would not even look themselves.
In the meantime, use https:// in the URL yourself -- it will probably work -- and suggest friends do the same if it does.
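The one thing the poster can verify without touching anyone else's traffic is whether the portal's login form actually submits credentials over plain HTTP. This added example (not from the thread) resolves each password-carrying form's action against the page URL and flags any that would post over http://; the portal URL and HTML are constructed samples.

```python
"""Check whether a login page would send credentials over plain HTTP.

Added example (not from the Slashdot thread): given the URL a page was
loaded from and its HTML, find every <form> that contains a password
field and resolve where it would submit. All sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for each form in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str | None, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms(page_url, html):
    """Return (submit_url, insecure) for every form carrying a password field.

    insecure is True when the credentials would travel over anything other
    than https://. A missing or empty action submits back to the page URL
    itself, so in that case the page's own scheme decides; an absolute
    http:// action on an https:// page is caught as well.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        submit_url = urljoin(page_url, form["action"] or "")
        scheme = urlsplit(submit_url).scheme.lower()
        findings.append((submit_url, scheme != "https"))
    return findings


# Constructed sample: a portal like the one the poster describes, a login
# form on an http:// page with a relative action, plus a harmless search form.
SAMPLE_URL = "http://portal.example.edu/login"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="do_login.cgi" method="post">
  <input name="id" type="text">
  <input name="pw" type="PASSWORD">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, insecure in credential_forms(SAMPLE_URL, SAMPLE_HTML):
        status = "INSECURE (plain HTTP)" if insecure else "ok (HTTPS)"
        print(f"{url}: {status}")
```

Loading the same HTML under an https:// page URL, as the comment above suggests trying, makes the relative action resolve to https as well, which is exactly what the check reports.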
Re:UM... (Score:4, Insightful)
Oddly neither the airport nor the government found his 'test' very enlightening. No, in fact I think he was facing several years in Federal Pound-Me-In-The-Ass Prison.
Original poster : you are approaching this like a child in an adult world. It is obvious that you desire peer level attention and recognition for your 'accomplishments'. Trust me, as someone that was 'recognized' and 'acknowledged' by the university administration for 'hacking' his college computers (possibly before you were even born)
You want to blow the whistle, then blow the whistle. If you see a serious breach of security and you feel the need to get it fixed, go to https://tips.fbi.gov and fill out that form, hit submit. I pretty much 100% guarantee that they will take you seriously. You can call them at 202-324-3000 if you want.
Understand, however, that once you invite the government into any aspect of your life or business it is impossible to put that genie back in the bottle. This goes with any cute little pranks you enumerated like sniffing passwords or listing them on a web page at school.
There is a fine line between helper and terrorist in today's environment and you really don't want to screw away your lifetime potential because you were being 'gifted and talented' in college. Not only do you not want to cross the line, you don't even want to be under evaluation as to which side of the line you are at - all it takes is one bureaucrat to misinterpret anything you have said and you are royally fscked.
If you are here because you are genuinely concerned about massive lapses in the security as implemented at your university then consider whether or not you are ready to be a martyr for that security - because once you blow the whistle you can pretty much kiss goodbye any chances at graduation from that college. But the needs of the many outweigh the needs of the few and we are ok with sacrificing you as a pawn in the name of the overall good.
If you are here to impress us with your 1337 haxor skillz - what you did wasn't 1337, it was merely a rite of passage for every systems guy worth his salt. About like programming a bubble sort in visual basic - everybody is proud the first time they do it, but it really isn't that big a deal.
You want to impress us, do something none of us has done yet:
Find Osama bin Laden, hell I think there is still a $25M reward for the information leading to his capture.
Figure out a way to actually get the administration to fix their security. Do that and you will be our hero.
Find a way to bring back the tech sector jobs that are being outsourced overseas. Do that and you will be our hero and we will rename Linux in your honor.
Show the problem to your school leaders... (Score:5, Informative)
they are the ones to fix this problem.
Second, if the technical staff does not fix it,
contact your school's Deans for intervention.
Third, if the Deans do not get the problem solved,
contact your school paper and ask for help.
This all shows that you're a team player,
in case you need to escalate it later.
Re:Show the problem to your school leaders... (Score:5, Interesting)
If you are determined to get this fixed (as you should be), and you are on friendly terms with both your system admins and your school's administration, then take the straightforward approach suggested by joelparker.
If they do not know you, I would attempt to be a little more anonymous. If you point out laxities in their security, you will be the first person they think of when there is a problem. The security admin will probably also get his ass chewed by his boss. The admin will remember you.
If you are still determined, do one of two things:
1. Compose anonymous snail mails. One to the school's admin, and if this is a state school - one to the state's security admin at the department of education.
2. If you have money, or can find an activist lawyer willing to do this pro bono - retain counsel and enter into a privileged communication. Have the lawyer communicate with the admins.
Just remember - no good deed ever goes unpunished.
I did something similar once... (Score:3, Interesting)
Unfortunately, as there were relatively few people who ha
Re:Show the problem to your school leaders... (Score:1)
Second, someone at that university is responsible for that network. That person might have gotten his job through political means, rather than displaying competency. That's likely, given the nature of the security hole. Pointing out the mistakes of politicians from a point of weakness is not a smart thing. He might be technically right, but I doubt that a college student has the financial mean
Re:Show the problem to your school leaders... (Score:2)
Gotta agree here. Anonymous is the way to go. While he certainly has every right, and perhaps even an obligation to complain about the problem since it's his personal info that is at risk here, it's all too common for the messenger to be stabbed, hung, shot, and dragged through the street in situations like this.
Re:Show the problem to your school leaders... (Score:2)
Communicating through a lawyer is also good, if expensive. If they're involved from the beginning, then it'll be cheaper than getting them involved later on. Try contacting the EFF [eff.org], the
Re:Show the problem to your school leaders... (Score:1)
If a university has enough money to automate its systems and pay for a fast internet connection, then it very well can afford $500 to buy a cert.
You know I keep reading the competency thing and as one of these kinds of people that make applications this is just insulting.
I suggest that you stop being insulted, and do whatever you can to become competent. Skipping a secure connection because of $500 isn't competent. Hell, even your overly long defense of the bogus reas
No no no (Score:5, Insightful)
What you should do instead is write a letter explaining the situation in terms that a layman can understand. Outline why you believe the current setup is a problem and the risks associated with it. Identity theft is becoming more of a problem these days so maybe they'll understand where you're coming from. Then, and here's the important part, present a solution for them.
Whatever you do, DO NOT sniff the network and post the results. Don't even show them privately to the people in charge. Let them handle their own security investigation. All you need to do is point out the problem and suggest a resolution.
Re:No no no (Score:5, Informative)
Re:No no no (Score:1)
Re:No no no (Score:1, Informative)
The guy obviously has been causing a lot of intentional damage already. His blog also talks about him stealing things from his school. If he went to jail, he probably went for a ton of other
Re:No no no (Score:3, Informative)
Damned if you, damned if you don't (Score:4, Insightful)
On the other hand, until somebody at the school gets their identity stolen AND they can prove the school was at fault, nothing will change.
At most, I would document the problem WITHOUT breaking any laws (again IANAL). Even documenting the problem might get you in hot water for the terrorist crime of "hacking."
I feel for you. Be careful.
Inspiration (Score:3, Interesting)
this? [cnn.com]
Re:Inspiration (Score:1)
Do not! (Score:2)
Sniffing's a bad idea (Score:3, Insightful)
No ultimatums... (Score:5, Informative)
I guarantee the IT managers will have heard of FERPA, and they should snap to attention when you remind them of their responsibilities under the act.
Consult an attorney licensed to practice in your jurisdiction for more information on your rights. I also recommend judicious use of Google.
-Isaac
Re:No ultimatums... (Score:2, Interesting)
Sure, it could (and probably should) be more secure, but does FERPA lay out detailed standards for encryption and data security practices? I personally don't know, but I seriously doubt it.
(On the other hand, I see no use in putting that data on the web, of course he knows his own SSN and personal info.)
Re:No ultimatums... (Score:3, Insightful)
Re:No ultimatums... (Score:2)
Fuck the IT manager. This affects EVERYBODY!! that's what you plan when you do this,....
Re:No ultimatums... (Score:3, Insightful)
IANAL, but I believe there are some big exceptions written into the law. Your information can be given to anybody who has a legitimate educational reason to see it. I also don't think the law spells out any particular level of security that's required. The only kind of stuff that really gets you in t
At Northwestern University... (Score:3, Interesting)
If it doesn't, a pretty window pops up, displaying your password along with an explanation of the error. Wonderful. A variation of my second most sensitive password suddenly popped up when I missed the shift key while typing in a symbol. So far all my complaint has gotten from IT is "We'll forward this one on to so-and-so."
Students in-the-know are generally ignored. I wouldn't bet heavily that your school will change its policies anytime soon. It probably took a boatload of work to make the switch in the first place, so more changes will probably take a lot of prodding.
Re:At Northwestern University... (Score:2)
Re:At Northwestern University... (Score:1)
Well, there IS a reason why password entrance fields usually only give asterisks as feedback.
Re:At Northwestern University... (Score:1)
Having a password displayed in plaintext against my will is even more dangerous.
Re:At Northwestern University... (Score:2)
Work up a scheme of passwords for different layers of security
- one set of passw
Re:At Northwestern University... (Score:1)
Actually, I have a "super duper" password that's an unspecified-but-very-large number of characters long, was randomly generated, includes alphanumeric and punctuation characters, and I learned by brute force memorization and repetition. I use that for root's password and GPG.
My lesser password I keep at 10 or more characters. It's got alphanumeric and punctuation characters. I change it yearly.
Oh yeah, and I have a separate BIOS p
obvious (Score:3, Informative)
2. get a lawyer. you have a right to use their networks, not admin it. you can point things out, and use the system as intended, but that's as far as it goes. i.e. http vs https. changing others' passwords and what not is something for your parents and a lawyer to discuss with the school.
Re:obvious (Score:2, Informative)
DO NOT give up the protection of a lawyer under any circumstance, because they will screw you over. If changes aren't made, have your lawyer send a cease and desist for violating FERPA, the Family Educational Rights and Privacy Act.
Lawyers are expensive. I bet you could find one to take this on pro-bono. Ask around, email the ACLU and EFF.
Suggestion (Score:4, Informative)
From what you've said there... You should say something along the lines of "A person could sit in the school parking lot with a laptop and a wireless networking card, and run the program 'Ethereal' to watch the network traffic. This person could literally watch the login IDs and passwords, and use that information to get your SSN and other vital and private information."
Pass that along to IT, your school administrators... if that doesn't get them hopping try passing the story on to your local community newspaper. That would be much safer than risking the legal repercussions of cracking passwords yourself.
Suggestions (Score:2)
- Don't change your password over the wireless network
- Don't stir shit up too much. Complain to somebody in the IT department, and then complain to someone in a position of authority (the dean, etc).
- If that doesn't produce the desired results, forget about it. DO NOT threaten anyone with anything, and don't tell anyone you sniffed passwords. Doing that can land you in jail pretty easily, assuming the network administrator is sufficiently incompetent.
Otherwise,
Honestly? No techies. (Score:5, Informative)
Go to a Dean, the highest level one you can get a good ten minute discussion with. Do not discuss this with anybody else. Tell him that you have not discussed this with anybody else, that you have not exploited this vulnerability in any way, and you are coming to him directly as you realize that publicly announcing such a discovery can lead to serious consequences.
In the corporate world, this is known as an "executive sponsor", somebody with the political clout to shield you when the people who screwed up try to discredit you. It is vital that you have a sponsor, since a student has nearly zero political standing. Lay it all on the line and look the Dean directly in the eye and tell him or her that you are concerned about this issue and also about the repercussions that whistleblowing this issue may have.
If the Dean is not connected to the technical issues, they won't have any reason to cover their asses and will stand in your corner in the resulting (and there will be one) shitstorm.
--
Evan
Re:Honestly? No techies. (Score:1)
Re:Honestly? No techies. (Score:4, Interesting)
Agreed on going to the dean. If you use what I call the Columbo method -- after the dumb-seeming but wise detective on TV -- you can also go to the IT department, though this is a bit more risky but may silently solve the problem.
The Columbo method works basically like this;
"I'm no expert, though shouldn't there ..." (and give a base -- even misworded -- comment on what is wrong)
Other phrases: "You know, I was wondering..." / "I find it curious that..."
Now, don't follow through and 'catch the bad guy'...you're only talking after all -- and *you're* not the expert! These things confuse you!
"If only someone could do something about that. Do you know anyone?"
Change the subject and leave or if the mood is right, just smile and leave. A "Yep, I find that interesting" as you go might also get it to sink in.
If anything, be a little funny but do not be condescending.
Who to talk to? Pick someone who is in the IT department who does not have an ego or a nasty attitude. Be unexcited, and mention your concerns as if you're commenting on the weather.
Note: If using https:// instead of http:// works, mention that *you* found a work around, though https should be the default -- after all -- for all those other people who haven't noticed yet. But what do you know?
Re:Honestly? No techies. (Score:1)
If only I had thought of the 'Columbo method' before, I think it could have saved me much time with my own University's idiot IT department (and other idiots... they seem to populate the earth.)
The Columbo method will be my new problem solving manifesto.
Thank you.
Re:Honestly? No techies. (Score:2)
I have had plenty of "darn, those guys are good"; I wouldn't trade my IT career for any other. What I describe has nothing to do with IT. If the person had found a flaw in accounting or grant or scholarship allocation or any other critical and potentially very embarrassing problem, they would be in the same situation. When you deal with departments wit
In my job... (Score:2)
I always wonder who the kind of people are who say things like:
I was thinking that I could simply start to sniff passwords (18,000 students and quite a few use wireless) and then place them on my webpage at school.
I mean, come on. This has nothing to do with computers -- if you just think about that for one second doesn't it strike you as mildly idiotic?
Just don't do it. If you are concerned about security, write a letter to the editor of your paper or an op-ed piece and explain what could be done by a
It depends on who you know. (Score:4, Interesting)
Many players (Score:4, Informative)
Given that assumption remember that there are many players. There are the software writers and network admins. They may be afraid of being made to look bad in front of their superiors. They may know the problems and be working on them. They may simply be doing all they can with the resources that have been given them.
Work your way up from there. IT Department heads may try to claim it isn't a problem (prevent embarrassment), indicate the need for more resources or may be in the dark because their people screwed up and hid the problem.
The legal department and higher administration will be worried about liability and bad press. As such, any "demonstration" you put on can be used against you. Suddenly you will be the bad guy - the evil cracker. They may even try to go after you legally to cover their asses.
Others have mentioned S-O legislation. There may be a compliance officer on campus who you can contact.
So what to do?
I would write a detailed letter describing the problem in layman's terms. Profess ignorance to allow people to save face (phrases such as "perhaps I am unaware of fixes that are already in the works", and "I know running a student network on a tight budget is difficult...") and express your desire that this matter be handled quickly and without the need to involve outside parties but insist that it must be handled.
The "ignorance" method also allows you to send the letter to a wide recipient list without looking like you are trying to skewer any particular person or department: "I apologize for the wide distribution but I'm not sure who is in charge of such a matter as it involves S-O compliance, student privacy, IT etc..."
You may want to offer recommendations (perhaps this system should be taken offline to protect the sensitive data until the security problems are repaired) and offer your assistance. If you offer to arrange a demo and they accept, request that they set up a dummy account. This helps isolate you from liability and demonstrates your concern for privacy.
Other avenues if the "good-guy" method fails: many universities have a student ombudsman, there may be state or federal S-O compliance resources and finally, there is the press.
Seriously? Here's a list: (Score:1)
Seriously, though, I'm guessing you have a phone book. There are so many resources that you could use. I'm not meaning this as a knock against you, but you could try google, or ask take a second to think about the
Advice? Be careful what you say. (Score:1)
Any chance it really is encrypted? (Score:2)
(Yeah, I doubt that's the case here too...
Re:Any chance it really is encrypted? (Score:1)
Proprietary user id and password? (Score:2, Interesting)
It's not a synonym for "something I don't like". Weirdo.
Can you say lawsuit?? (Score:1)
At my secondary school.. (Score:3, Interesting)
The second time I was logged on on somebody else's account and I just did a copy/paste on the common drive. That didn't actually waste much space or slow down performance at all, but it was worth a letter home and a ticking off. Yes, it was stupid using somebody else's account.
The third time I was pointing out vulnerabilities in the security software they were using (rather, it was a program running over Windows and one of the features was that it prevented you from typing "C:\" in a file dialog box). A friend discovered that if you put c:\ in the clipboard and hold paste in the dialog box then eventually the software will be too slow, Windows will win and the dialog will open. He screenshotted it and put it on the common drive for people to see. I opened it and put a ring round the "c:\" showing in the dialog box. Of course, my name came up as "last edited" (I never understood why they didn't check created by, but said person had friends right at the top...hmmm.....CORRUPTION..).
That got a letter home and lots of chats with the Admin and Head of IT (who also happened to be my maths teacher, and knew a) I was brilliant and b) I wasn't harmful) - but still, because of politics from above, she had to take action.
The funny thing is that there were people in the year below me regularly abusing holes but who didn't get caught because they weren't trying to inform the school. Oh the irony.
It sucks. The suits don't understand the world of computing - just right, wrong, PR and . They don't understand that sometimes you have to be "cruel to be kind", to nick a lyric.
The hardest part is that if you do NOT show them the holes they will ignore you, but if you DO, you get letters, action, records, jail time.
Good luck.
Re:At my secondary school.. (Score:2, Interesting)
So tell me, little shaver, (Score:2)
SSN?! (Score:5, Insightful)
Let me see if I understand: you're upset about not being told to use a piece of information that's the root of identity theft issues? Heck, I'd be *glad* the school was moving away from having my SSN plastered all over the place!
-psy
I think we go to the same University (Score:2)
Platinum cards (Score:3, Funny)
home address and the names/ssns of ten or twenty
lucky students would get some attention, I reckon!
Watch out! (Score:1)
Or perhaps not. In the grand scheme of things, this is a very minor issue, the details aren't that significant, the time taken to procure them would be excessive, and I doubt that a large proportion of students even use the wireless network. You should perhaps consider yourself lucky to hav
bah (Score:3, Funny)
Nah.
Just post the name of your school here and let the problem take care of itself.
Good practice in exposing exploits (Score:2)
OK, I skimmed the topics and didn't see anything that really targeted this idea, so here it is...
First, go to the school with a nicely written letter explaining the vulnerabilities, the impact and why it must be fixed. Tell them that you intend to publish your findings after a month or so, or later if the school needs that time to fix the problem. The idea is to fix a date so that the school fixes the problem.
Again, our goal is to fix the problem. Not arm the baddies.
If you fear that you will be su
Today's experience with school IT people.... (Score:1)
Above all, tact (Score:2, Interesting)
The most important thing to remember is that they're going to avoid losing face in front of their superiors at all costs. This reclaiming of face might involve lying or throwing you in jail. If you find a way to inform them of the problem *without* causing anyone to look bad in front of someone with influence, they'll be grateful.
Half of business communication is learning how to tell people
Your school newspaper (Score:1, Insightful)
Drop it (Score:2)
If you're in the US (or France), unless you really like the people in charge of your school AND they like you, forget the whole thing.
If they're not interested in fixing it, just walk away. There are better things to do. What's in it for you? Jail time?
You're going to be in that school for how many more years? Just do your time in school and get out. Why risk doing time in jail as well?
The whole world is not secured properly, but things still work because mo
don't come close to threatening (Score:2, Interesting)
instead, find some sympathetic influential faculty (especially if they have tenure) who can make life hell for those responsible. if they refuse to do anything, just report it to your local newspaper and document _EVERYTHING_ (either immediately write notes while in their presence or tape-record what their comments are while they deny any problems). i
I've had this same situation (Score:2, Interesting)
About a year ago, I noticed a fairly significant vulnerability allowing me to get the shadow passwords of any student in the CS program, as well as all faculty and staff at my university. Thankfully, I am on good terms with the CS computers administrator, and told him what I could do, and told him what to type to get it. Being plain old DES, the shadow passwords would have been trivial to crack using a dictionary approach.
He immediately contacted the university CTS staff (they administer everything else)
Re:I've had this same situation (Score:2)
Bullshit. Even if you were expelled, most schools won't say more than the vaguest idea why. It's to prevent them from lawsuits. Besides, you could just omit that institution from your transcript and they would never know, if that was t
Two suggestions (Score:2)
2) Go to the CS department. There is probably some grad student who is doing a thesis on network sniffing or honeypots or wireless security or something. Have THEM do the sniffing under the watchful eye of their facult
Re:Two suggestions (Score:1)
I'm assuming you're in IT (Score:3, Insightful)
Watch your ass (Score:2, Interesting)
Please Prosecute me! (Score:2)
In this case they will only fix the "squeaky wheel": YOU! And probably with a bludgeon. Shut up, protect yourself, get over it and stop using their network for thin
Another solution (Score:1)
Send a Letter (Score:2)
Certified mail.
To the principal of the school and cc the office of the superintendent of the district.
Politely and concisely explain that as a concerned student you believe that the current student database system is needlessly risky as it exposes private information such as name, address and social security number on the computer network.
Students and parents rely upon the school board and administration not only to provide the best possible education, but also to protect their students' private inform
Hire a lawyer (Score:1)
Seriously. If you know that your personal ID info can be VERY easily obtained (as your posting indicated) then it's only different than if you were embroiled in trying to regain your identity through fraud because you're being pre-emptive about it rather than tr
Community College of Philadelphia (Score:2)
If you're in the mailing database of CCP [ccp.edu], you'll see your SSN right on the envelope, above your name and address. Someone must have realized this would be a problem, but instead of doing something real about it they just shift the numbers around. So if your SSN is 123-45-6789, then the address label looks something like this:
A controlled attack (Score:1, Interesting)
Try to see if you can obtain your own password over the wires or wireless. You know what you are looking for but it may be more difficult than you think, and hence you can avoid making a scene of yourself
Record the whole session, so you can replay it in front of the admin. A demo is often very instructive when people seem reluctant to believe you.
You cannot be accused o
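To make the "record your own session" demonstration concrete, here is an added example that is not part of the thread: it takes a constructed byte string standing in for a captured request (the kind of thing you would record from your own login over the open wireless) and pulls out exactly what a plaintext HTTP form submission hands to anyone else on the network. The host name, path and field names are assumptions for the example, and the same parser is applied to a constructed TLS record to show that an HTTPS session gives the sniffer nothing comparable to work with.

```python
"""Added example (not from the thread): what a sniffer on an open wireless
network recovers from an HTTP (not HTTPS) login. All captures below are
constructed for the example; the hostname, path and field names are assumed."""
import base64
from urllib.parse import parse_qs

# Constructed capture 1: a plain HTTP form login (assumed host/path/fields).
CAPTURED_FORM_LOGIN = (
    b"POST /student/login.cgi HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"student_id=12345678&password=hunter2"
)

# Constructed capture 2: the same credentials sent as HTTP Basic auth, which
# is only base64-encoded, not encrypted.
CAPTURED_BASIC_LOGIN = (
    b"GET /student/summary.cgi HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Authorization: Basic " + base64.b64encode(b"12345678:hunter2") + b"\r\n"
    b"\r\n"
)

# Constructed capture 3: the first bytes of a TLS ClientHello (record type
# 0x16, TLS 1.0 record version). After the handshake everything, including
# the login form, is ciphertext, so there is no HTTP request to parse.
CAPTURED_TLS_RECORD = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32


def parse_http_request(raw: bytes):
    """Split a raw request into method, target, headers and body.
    Returns None when the bytes are not a plaintext HTTP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    return {
        "method": parts[0].decode("latin-1"),
        "target": parts[1].decode("latin-1"),
        "headers": headers,
        "body": body[:length],
    }


def exposed_credentials(raw: bytes) -> dict:
    """Return every credential-bearing value visible in the clear: all fields
    of a URL-encoded form body, plus a decoded Basic auth header if present.
    An empty dict means the capture gave the sniffer nothing usable."""
    req = parse_http_request(raw)
    if req is None:
        return {}
    found = {}
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found["basic-auth-user"] = user
            found["basic-auth-password"] = pw
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"].decode("latin-1")).items():
            found[name] = values[0]
    return found


if __name__ == "__main__":
    for label, capture in (("form login", CAPTURED_FORM_LOGIN),
                           ("basic auth", CAPTURED_BASIC_LOGIN),
                           ("tls record", CAPTURED_TLS_RECORD)):
        print(label, "->", exposed_credentials(capture))
```

The point of the third capture is the one to make in front of the admin: with the login form on HTTPS, the student ID and password never appear in the clear on the wire, so the open wireless network stops being a credential feed. Note that the ID itself is just as valuable as the password here, since the thread describes ID plus password leading straight to the page with the SSN.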
you're not the only one (Score:1)
I happened to check the online site for my high school grades, too, and noticed it's on HTTP, not HTTPS, for Pete's sake!
SSNs (Score:2)
What? Are you saying you were content with them using your social security number as a means of unique identification? I am not sure about the specifics, but I know there are legal restrictions on using someone's SSN for anything but social security. Secondly, my university does the same thing, and I don't like the idea at all. Sometimes I have to fill it out on scantrons and other forms that include my full name. By la
Anonymity (Score:2, Interesting)
From a guy in the IT Dept: (Score:3, Insightful)
Instead if you know people in IT, you can try going to them with your concerns, from a "hey did you know... it worries me...." perspective. If they're good people and well managed (but just didn't stop to think about it), that should help. If you don't have a friend there, or you hear that IT are a bunch of bozos, your best bet is to bypass them and take your concerns (as "I know enough about it to suspect this could happen", not "I know how to do this") directly to one of the offices charged with handling your student data (e.g. registrar, business office, financial aid). They're the ones who ought to be most alarmed over confidentiality problems (because they've had in-services driving the point home), and it'll be their bosses in the administration who'll have the authority to put the pressure on IT to do their job.
My idea (Score:1)
DO NOT sniff passwords, DO NOT send "ultimatums", just say "Hi, I've found what could be a security hole on the network. I can show you why it's insecure and how it could be exploited. I don't want anything in return, I just want to help you close the hole because it could uncover a hell of a lot of problems."
Your ass is covered (you said you didn't want anything, can't be blackmail) and you might get a few brownie points out of it. If the admin responds
MOD PARENT DOWN (Score:5, Interesting)
Re:Legal repercussions for the school (Score:5, Informative)
Er, you mean HIPAA... (Score:2)
HIPAA, on the other hand, has some clout.
Re:Legal repercussions for the school (Score:4, Informative)
First, IANAL (as evidenced by my previous stupid message naming the wrong act). In any event, my understanding is that although HIPAA was originally enacted/intended as a health-care related act, its effects have been interpreted to apply outside of health care and to any industry that stores people's private, personal data. One of the big flags that the act applies is storing social security numbers.
Rule of thumb is that if you see something private stored or transmitted somewhere it needs to be seriously secured. Seriously secured is roughly defined as encryption for every stage of the data lifecycle, from storage to transmission; as well as access control measures and all that jazz.
So anyway, a whole bunch of industries are running around with their panties in a knot because of these new privacy regs. Then you have happy California's 1386 stuff which I think was meant for online shopping but ended up saying something like that if someone hacked your entity and gained access to customer data you have to notify every single member of that customer population that resides in California or be banned from doing any kind of business in that state. I'm sure that strictly speaking the laws apply only to some very specific instances, but that hasn't stopped people from panicking just in case it could be twisted into applying to them. I'm sure that my explanations are grossly overgeneralized, but they do serve the purposes of this conversation.
The point being, there's cool new regs that protect your privacy. Make sure your school is taking them into account. I wouldn't be hostile about it, but they might just need a pointer in the right directions.
Good luck,
-Jack Ash
Re:Legal repercussions for the school (Score:2)
Re:failure (Score:1, Troll)
I post here because of the importance of my message:
DO NOT break security to prove its ineffectiveness. It is ILLEGAL and you will get into major trouble for it.
Find ways to speak with the local sysadmin, show them how vulnerable they are-- most responsible ones will listen no matter who comes and tries to speak with them.
But remember this: when dealing with somebody who might consider themselves an "adult" compared to you, approach with an air of maturity
WTF? (Score:1, Insightful)
If its so important, why don't you start a new thread?
Idiot.