Alerting My School of its Vulnerabilities

[Jareds411]

I have a dillema. Recently while bored in computer programming, I started snooping around. I didn't install any software onto the computer, just used what was already there. I didn't do any harm, but found tons of vulnerabilites in our network.

• Students run cmd, regedit, and msconfig
• 'net send' is enabled, allowing someone to "net send /all" and bombard the network with messages
• Shutting down other network computers with "shutdown -s -m ipaddress" is possible
• You can get around the internet nanny program by viewing the cached page on google
• Telneting to "mail.fubared_school_district.us 25" from inside the network allows people to forage email
• Anyone could install any number of malicious programs or format the hard drive of any computer at will

I'd like to alert the school of these problems. The school district has big enough to have a couple IT guys. However, by contacting them, I'd be admitting I violated the AUP a hundred times over. I can't risk losing computer privlidges. What should I do?

[Relyt]

Well a definite applause for being a stand-up guy about all this.

It's not really that hard to contact them, but I understand your hesitation. Drop them a good old fashion letter (but don't sign it...lol). Go to the library and open an email account with hotmail.com using bogus personal info.

It's really that easy.

cheers

[Black Cluster]

Or you may use anonymous remailer.. to convey your resentment about the ill-configured networking system... Go ahead man!

Cheers

[TheSpecialist]

Or you can ignore it... I would. What would you have to gain from this? Some type of reassurance and self-importance? Your school's "Vulnerabilities" is that it trusts people within the network or its just another time saver for them. So here we have services and loose policy for you and maybe even a few pals.

Why complain when you know if I where in charge at best, you'd be lucky to even have an operable keyboard and mouse, I never even enable the use of the clipboard... even that gets people pissed. Infact for a school, I hate the little shits... the only thing you'd be able to run is a lame text only browser. Oh and all cd & floppy related devices would be pulled out and replaced with a sheet of metal welded in place so no one could attach any drives, I'd weld things like the USB ports closed too.

[Tiger Shark]

Specialist: What was the highest paying job you had in the computer industry and how long did you keep the job.... Please don't look at your watch to determine that.....

Jareds: You absolutely should inform your admin(s) of this but definitely do it anonymously. The school admins I have come across often have the computers in this "state" because they either don't have time, (only one man for 600 computers spread across numerous schools), or, more usually, have no idea how to fix the issue.

The anon account at hotmail is the best idea since hotmail aren't going to "give you up" because you are doing the right thing. Tell them what problems you have encountered but more importantly tell them how to fix them and allow them to ask you questions via the anon account, (but don't make it sound like you are doing them a favor - you are genuinely interested in seeing the system impelemented in a safe and secure fashion). Save _everything_ you send to them and everything they send back to you. If you can generate a good relationship then maybe you can take it further - but don't stop saving everything - just in case... This is security we are talking about and being paranoid is ok. Just be careful.

Good job for being a stand-up chap.....

[XTC46]

The unfortunate truth is, that even if you do report it, chancea are nothing will get done about it. Thats the situation I was put in while in high school. I didnt get in trouble becasue I was a TA and the schools tech while I was a student, so I had unlimeted access. but didnt have the skills/resources to fix all the problems Hopefully you have better luck with this then I did.

[Jareds411]

Thanks for the quick responses guys. I plan to email the administrator tommorow at school. Depending on the reply I get, I might fix the problems for them, or I may not. Thanks again for the help, and I'll update you on how it goes.

[MURACU]

Jareds,
What ever about the problem of sending an anonymous e-mail you should definiatley include information on how to fix the problems. Of course your biggest problem is going to be explaining why you were doing what you were doing when you found those loopholes. Some "admins" wouldn't like a "smart mouth kid" telling them they dont know their job (Not my opinion, anyone who points out a security flaw on my system is ok by me). I would sugest that you make it clear that you are interested in computer security and maybe suggest making a project out of it. At the worst point them to this site they should fiind the information they need here to fix the problems.
By the way it sounds like everyone has more or less administrator privilages on your schools computers.

[Tryska]

TheSpecialist cracks me up.


wouldn't want to work with him tho.

[Jareds411]

Well, it's good that I stayed anonomous. The administrator replied that my actions were a severe breach of the AUP, and that it was being investigated, and I'd lose my computer privlidges if I was found. I guess the only good point is that from the security of our network I can tell that he couldn't trace anything if his life depended on it. I guess there's nothing else I can do.