Alerting My School of its Vulnerabilities

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    206

    Alerting My School of its Vulnerabilities

    I have a dilemma. Recently while bored in computer programming, I started snooping around. I didn't install any software onto the computer, just used what was already there. I didn't do any harm, but found tons of vulnerabilities in our network.

    • Students run cmd, regedit, and msconfig
    • 'net send' is enabled, allowing someone to "net send /all" and bombard the network with messages
    • Shutting down other network computers with "shutdown -s -m ipaddress" is possible
    • You can get around the internet nanny program by viewing the cached page on google
    • Telnetting to "mail.fubared_school_district.us 25" from inside the network allows people to forge email
    • Anyone could install any number of malicious programs or format the hard drive of any computer at will


    I'd like to alert the school of these problems. The school district is big enough to have a couple IT guys. However, by contacting them, I'd be admitting I violated the AUP a hundred times over. I can't risk losing computer privileges. What should I do?
    It is better to die on your feet than to live on your knees.

  2. #2
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Well a definite applause for being a stand-up guy about all this.

    It's not really that hard to contact them, but I understand your hesitation. Drop them a good old-fashioned letter (but don't sign it...lol). Go to the library and open an email account with hotmail.com using bogus personal info.

    It's really that easy.

    cheers
    Connection refused, try again later.

  3. #3
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Or you may use an anonymous remailer.. to convey your resentment about the ill-configured networking system... Go ahead man!

    Cheers
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  4. #4
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Or you can ignore it... I would. What would you have to gain from this? Some type of reassurance and self-importance? Your school's "Vulnerabilities" is that it trusts people within the network or it's just another time saver for them. So here we have services and loose policy for you and maybe even a few pals.

    Why complain when you know if I were in charge at best, you'd be lucky to even have an operable keyboard and mouse, I never even enable the use of the clipboard... even that gets people pissed. In fact for a school, I hate the little shits... the only thing you'd be able to run is a lame text only browser. Oh and all cd & floppy related devices would be pulled out and replaced with a sheet of metal welded in place so no one could attach any drives, I'd weld things like the USB ports closed too.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Specialist: What was the highest paying job you had in the computer industry and how long did you keep the job.... Please don't look at your watch to determine that.....

    Jareds: You absolutely should inform your admin(s) of this but definitely do it anonymously. The school admins I have come across often have the computers in this "state" because they either don't have time, (only one man for 600 computers spread across numerous schools), or, more usually, have no idea how to fix the issue.

    The anon account at hotmail is the best idea since hotmail aren't going to "give you up" because you are doing the right thing. Tell them what problems you have encountered but more importantly tell them how to fix them and allow them to ask you questions via the anon account, (but don't make it sound like you are doing them a favor - you are genuinely interested in seeing the system implemented in a safe and secure fashion). Save _everything_ you send to them and everything they send back to you. If you can generate a good relationship then maybe you can take it further - but don't stop saving everything - just in case... This is security we are talking about and being paranoid is ok. Just be careful.

    Good job for being a stand-up chap.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    The unfortunate truth is, that even if you do report it, chances are nothing will get done about it. That's the situation I was put in while in high school. I didn't get in trouble because I was a TA and the school's tech while I was a student, so I had unlimited access, but didn't have the skills/resources to fix all the problems. Hopefully you have better luck with this than I did.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  7. #7
    Senior Member
    Join Date
    May 2004
    Posts
    206
    Thanks for the quick responses guys. I plan to email the administrator tomorrow at school. Depending on the reply I get, I might fix the problems for them, or I may not. Thanks again for the help, and I'll update you on how it goes.
    It is better to die on your feet than to live on your knees.

  8. #8
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Jareds,
    Whatever about the problem of sending an anonymous e-mail, you should definitely include information on how to fix the problems. Of course your biggest problem is going to be explaining why you were doing what you were doing when you found those loopholes. Some "admins" wouldn't like a "smart mouth kid" telling them they don't know their job (Not my opinion, anyone who points out a security flaw on my system is ok by me). I would suggest that you make it clear that you are interested in computer security and maybe suggest making a project out of it. At the worst, point them to this site; they should find the information they need here to fix the problems.
    By the way it sounds like everyone has more or less administrator privileges on your school's computers.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde(1854-1900)

  9. #9
    Member
    Join Date
    Feb 2005
    Posts
    60
    TheSpecialist cracks me up.


    wouldn't want to work with him tho.

  10. #10
    Senior Member
    Join Date
    May 2004
    Posts
    206
    Well, it's good that I stayed anonymous. The administrator replied that my actions were a severe breach of the AUP, and that it was being investigated, and I'd lose my computer privileges if I was found. I guess the only good point is that from the security of our network I can tell that he couldn't trace anything if his life depended on it. I guess there's nothing else I can do.
    It is better to die on your feet than to live on your knees.
