To Report or Not To Report

[^Mobius^]

I consider myself to be an ethical person. On my school's local network, I discovered a series of _HUGE_ security holes, and reported them. I was thanked for this by being suspended and having my network priveliges removed, I can no longer even log on and access the internet. I would like to point out that other than look around, nothing was confidential, I did not do anything. I did not damage any files, or anything at all malacious. They knew this.

Now, while doing a virus scan for a teacher, I noticed that the machine scanned *.PWL files. The network is run mainly on Win98 machines running NT scripts, with a Win2000 ISA Server. (....) Whenever someone logs on, windows machines makes a copy of their password on the C Drive, and its fairly easy to decrypt.

My question is, should I report this flaw or not? I can always do it from an anonymous source, but after what they did to me last time...Opinions? (Either way, I intend on keeping some Passwords so I can get on if I really need to, in case of an emergency)

[aeallison]

That really sucks...sorry to hear that. Can't you appeal their decision? I would not tell them how bad their security is if that is the way they treat people who try to help. They would probably expell you for another occurance.

[jxrry59]

Remember the old saying," Let no good deed go unpunished!" I think if you had to ask the question you already know what you have to do to be right with yourself

[^Mobius^]

Exactly how I feel! As it is, I have to use my laptop to do all of my work, including for several programming classes, and such. I need to get someone else to login for me to print something out! (I dare not use one of the many User/Pass combos I found.)

I also used to be the Webmaster, but they decided that my niceness made me a security threat, and needed to be removed from my position helping them. (I did, of course, never do anything but design and fix the website for the school AND the Regional Planning Commission!)

As for appealing it...I saw a quote in a 2600 that fits this situation perfectly. "We don't know what you did...nor how you did it...but we're going to punish you...and don't do it again." Or something like that.

Despite all this...I still want to help them! Do I dare though? Even through anonymous channels...

I quoted that for a full week. Silence...or Righteousnes?

[lockejr]

Even though it would be a good deed I don't know that I would mention the password thing to them. I would just chill and continue as you are until they have a problem and can't fix it. Offer up a solution and hopefully they will see your really not a bad kid after all. Just my opinion though.

[tatui]

It's a really hard decision.. I think that if you try it again, even through annonymous channels, they might think it's you again and try another punishment. What they did is really disgusting.. I wonder if suing them would be an option. Damn, you are innocent. Well, I don't know if you found the vulnerabilities by chance, or if you were searching for them. Perhaps you should just forget about it. I wouldn't help them anymore after such a punishment, but wouldn't exploit the vulnerabilty either. "Someone the does something nasty to the network? Wasn't my fault, I told them before and was punished." And them sleep the sleep of the just.. well, almost. :/

[^Mobius^]

I am tempted to let it go, tempted to take advantage of them, though that isn't an option. Shall I stay silent? Or shall I take a risk again? I discovered all faults while looking around, or in this case, doing a virii scan. Gah! <Curse> *Bleep* them! *Censored* </Curse> Oh well. I can always tell them about it later, right?

[Tedob1]

if you see a door opened that should be locked its one thing to report the open door its another to go in and snoop around then report it. the fact is you obtained illegal entrance. your lucky you didn't get arrested. breaking the law and then reporting yourself IS one of the dumber things ive heard so far this year.

it would be right to explain the possible dangers in .pwl files. just don't illustrate your point by cracking them first before you tell them

=+=+=+=+=+=+=+=+=+
I am tempted to let it go, tempted to take advantage of them
=+=+=+=+=+=+=+=+=+

i think your just looking for validation to do what you want to do anyway. so go ahead show them all how 1337 you are, get your education the hard way.

[^Mobius^]

Tedob, I never went in or got illegal access to anywhere. I found ways in, and looked around on the network, to places that I was allowed into (although they shouldn't have let me in.)

Here's an idea of how stupd they were, just because I want to rant a bit. Everyone has they're own network drive, and that network drive is named after their username, such as this \\(severname)\users\ teachers\studentyears\office\admin (depending on group)\username

Thus making enumeration all to easy. These people are vindictive, and stupid.

I don't think I'll help them, but I have no intention to damage anything on the network.

"Perhaps I could work for the school to look for more security holes.."
"We arlready have people who do that, and they're experts! They know what they're doing!"
*Under breath* "..Obviously they did a bad job"

I realized that I might get a better answer if I divide the problem into parts.

A) Do I WANT to help them at all? Yes
B) Should I help them? Yes
C) Does what happened before absolve me of this? Perhaps
D) Will I be punished if they know I report this? Yes
E) Is it worth the risk? Perhaps.

So it really comes down to two questions, C and E.

The other question that occurs to me is:
F) Will they even plug up this security hole? ...Perhaps.

So...does it seem that I am obligated to help them here, or not?

Tedob..I never said that I wanted validation. I have absolutely no intention of taking advantage of these files. To do so would be...stupid...arrogant...actually hundreds of words come to mind here, but none of them are good. Remember, temptation is not the same as doing something. :-)

I can always speak up later...but I can only be silent once. I think, for now, I won't tell them what I discovered unless I see the need to. I know its there, and no one else does, so I doubt anyone else will take advantage of it. If they do...oh well.

BTW, I modified my last post with some other thoughts that better refined the question, so make sure you see that.

(I also editted the post that Tedob1 refered to, because it apparently was unclear. He thought I was a script kiddie. LoL. To take advantage of this would go against everything I believe in, and make me a hypocrite, something I hate with a passion.)

Does anyone feel strongly that I SHOULD speak up about this?

(I'd like to apologize for problems with this being posted a few times in the same thread, in the same post and such...my browser went weird on me, and didn't tell me it had been posted. So I tried again. It should be fixed now. Hope it didn't bother anyone!)

[cwk9]

The same thing happened to me in high school. I pointed out some problems with sam files, easily guessable passwords and some network folders that should have been read only. I was suspended the next day. The worst part was even after agreeing not to touch any of the computers in the school again the principle still called me to the office every once and a while blaming me for every single problem with the network. At lest I demonstrated the incompetence of the two admins that the school contracted. In the end they were fired and replaced with an admin that didn’t need to blame students to cover up his incompetence.

Here are a few tips about disclosing security holes in schools

1. Go to the right person
Whose ever in charge of you network might feel threaded and may decide to burn you instead of facing the facts. Good admins shouldn’t do this but most public schools don’t pay admins that much so they sometimes get stuck with one from the bottom of the barrel.

2. Don’t be a know it all.

3. Never use the word hacking, even “security hole” might be the wrong word.

4. Read that piece of paper that your school made you sign so you could use the computers. Some of those things are so restrictive you might as well just keep you mouth shut. When ever there’s a question of proper use it always comes back to that little piece of paper. Most of the ones I’ve seen are so vague that it’s almost entirely up to the staff to decide what’s allowable and what’s not.

5. Keep in mind that computer problems are the last thing that your principle wants to deal with.

6. Offer a fix if you can

7. If they get confused and end up accusing you of things that you had nothing to do with don’t think you have nothing to worry about. They might not have the knowledge to check log files and instead base there decisions on theory’s and there personal perception of how computers work.

Of course there’s the anonymous e-mail. Sounds like a great idea but keep in mind that they might just decide that you sent it because they’ve had problems with you in the past.

Disclosing security holes is a touchy subject. The right way isn’t always obvious and every situation is different. I recently discovered a hole in a testing program at the collage I attend. There is an exam file in a read only folder. You use an exam player to take the test; it asks you for a password and after the results are then sent to the instructor. The problem is that when you open the file in notepad the password is stored in clear text. Even though the file isn’t up until about 10-30 minutes before the exam it’s still enough time to copy the file and write the test a few times before class. I’ve decided that e-mailing the company that makes the product might be a better option then informing my instructor and bringing every test I’ve written on that system into question.