
Thread: Alerting My School of its Vulnerabilities

  1. #11
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Sorry to hear that the admin was a dipshit. Don't let him discourage you. If you feel like being a ***** you should forward your email along with his response to the school admins. Maybe one of them will sympathize with you and put the ****er in his place.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  2. #12
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Two things:

    For one, as a former school admin, I would have welcomed the information (although these wouldn't have been vulnerable). Unfortunately, the less competent the admin, the more prone they seem to be to climb up the curtains for nothing...

    Secondly, if you want to really post anonymously, don't just use Hotmail, as it logs the IP you connected to when sending the e-mail in the headers. Either use an anonymous proxy first or use a Hushmail account or such...


    Ammo
    Credit travels up, blame travels down -- The Boss
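
The header leak Ammo describes, as an added example that is not part of the post: a constructed message in the shape Hotmail-era webmail produced (an X-Originating-IP header plus the Received chain), and a small parser that pulls the sender's address out of it. The hosts, addresses and message are made up for illustration; the point is that the recipient can read them without any help from the mail provider.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: headers in the shape webmail services of the time
# (Hotmail among them) stamped on outgoing mail. Hosts and addresses are
# documentation ranges, not real systems.
SAMPLE_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org
  with ESMTP id abc123; Mon, 07 Mar 2005 10:02:15 -0700
Received: from 198.51.100.23 by webmail.example.net with HTTP;
  Mon, 07 Mar 2005 10:01:58 -0700
X-Originating-IP: [198.51.100.23]
From: anon_tipster@example.net
To: admin@school.example
Subject: Security concern
Message-ID: <1234@webmail.example.net>

Your public web server has several exposed services.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def originating_ips(raw: str) -> dict:
    """Return every place a sender IP shows up in the headers."""
    msg: Message = message_from_string(raw)
    result = {"x_originating_ip": None, "received_chain": []}

    # Webmail providers of the era added this header with the browser's IP.
    xo = msg.get("X-Originating-IP")
    if xo:
        m = IPV4.search(xo)
        result["x_originating_ip"] = m.group(1) if m else None

    # Each relay prepends its own Received header, so the last one in the
    # list is the earliest hop: the client that first handed over the mail.
    for hop in msg.get_all("Received", []):
        result["received_chain"].append(IPV4.findall(hop))
    return result


def leaked_sender_ip(raw: str):
    """Best guess at the address a recipient can tie to the sender."""
    info = originating_ips(raw)
    if info["x_originating_ip"]:
        return info["x_originating_ip"]
    chain = info["received_chain"]
    if chain and chain[-1]:
        return chain[-1][0]
    return None


if __name__ == "__main__":
    print(originating_ips(SAMPLE_MESSAGE))
    print("sender IP visible to the recipient:", leaked_sender_ip(SAMPLE_MESSAGE))
```

Run it against a message you sent yourself to see what your own provider stamps on outgoing mail; if the earliest Received hop or X-Originating-IP is your address, a proxy or a provider that strips that header is the only thing between the mail and whoever reads it.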

  3. #13
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Jareds411, being a former civil servant myself, I like the idea of letting the sh!t flow downhill. I would forward his reply to several sources, with him copied to see it was sent out. Now before you do this, I want you to do a bit of soul searching, consider the consequences that you could incur, and be truthful with yourself...this could really jack up your world...or it could give your personal integrity a nice shining star to add to your resume when you go for that first IT job.

    Send the email, with his response, to several local reporters. Also send it to the school board, the school district IT coordinator, and anyone else you think is worthy and relevant. Slashdot and Boing-Boing might like it, or might give it a pass. It's worth a try.

    In the email, I would reply to his comments in kind...and explain that you understand their dismay at your actions, and reiterate that while you are curious and looked into these things, you DID NOT do anything malicious, and because of your restraint AND your curiosity, a serious breach may now be avoided.

    I wouldn't get preachy or complain about this guy's inadequacy, because that will certainly ostracize you (even more), but if you drop the subtle hint that their 'security' was found to be wide open and vulnerable by a 'mere student', it would be a strong case of 'egg on the face.'

    Best of luck, and keep us apprised (PM me if this thread dies out...I want to know what goes on!)

    Also, and this last note is important...I would CEASE AND DESIST all activities that violate the AUP. It will help reinforce your position of not being malicious.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #14
    Doc d00dz Attackin's Avatar
    Join Date
    Mar 2003
    Location
    Florida
    Posts
    661
    ammo,

    He's sending it through his school (public) computers. If they try, they will only be going..... in circles.

    XTC46,

    I doubt a person from the office would care, unless an action has taken place. But, you can give it a try. Maybe something like: It has come to my attention, and has been raised with <techie's name>, that your network or computers are at risk of unwanted eyes. I write this to you because <techie's name> has ignored my request with blinding ignorance. Please, for the reputation of the school, inform the tech to do his/her job.
    I was thinking as I wrote this that, depending on the school, they may laugh at such a request.

    Also, wherever you're sending this from, check for cameras.

    Leo Da Vinci reminds us: That blinding ignorance does mislead us.

    Cheers
    First you listen, then you do, finally you teach.
    Duck Hunting Chat
    VirtualConvenience
    RROD

  5. #15
    Senior Member
    Join Date
    Dec 2004
    Posts
    107
    If I may play devil's advocate for just one minute....

    If I were an administrator that didn't know all that much, I would personally be freaked out if someone emailed me one day saying that my system was full of holes. Why? Because if they could figure out the holes they could exploit them -- people automatically assume the worst. Just another fine product of our untrusting society. So, he would probably feel threatened (not only on a personal level, but also on a professional level -- if he didn't patch the holes and someone exploited them, he could probably lose his job).

    Again, I'm not saying what you did is bad -- au contraire, I applaud you for doing this -- I'm just trying to examine why he has responded to you in such a terse fashion. Maybe like zencoder suggested, you could email him again in a non-threatening tone and explain it professionally. If he still doesn't listen, your hands are clean if something does happen.

    Also, another thing to watch out for is that if something does happen, you would be the first to blame... so make sure that when you're sending from the Hotmail acct, you do it from a public computer, and follow what everyone else has been saying here (the AO members, especially the senior ones like zencoder, usually know what they're talking about hehe)

    just my $0.02...

    -ikl
    Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
    -- Homer S.

  6. #16
    Junior Member
    Join Date
    Feb 2005
    Posts
    23

    hrm

    All the same, I've seen similar problems at my school. I tried to get into the Tech room and help out with the website, but they turned me down because they had "too many" students, who, I may add, know nothing.

    Anyways, these students in there are always taking down the firewalls, the website blocker (whatever it's called) and just not doing what they're supposed to do. But I'm not going to get into it just on the fact that they rejected me.

  7. #17
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    There is also another MAJOR consideration...
    I doubt it applies well to this situation, but there is a phenomenon in the Security industry that is not really officially acknowledged, due to the nature of the transaction, but it is well known and discussed.

    Non-disclosure vs. Full-Disclosure. Most sensible InfoSec folks belong in the Full-Disclosure camp, I believe, and most PHB executive types remain entrenched in the Non-Disclosure.

    Anyway...many, many, many major companies, banks, and institutions have been hacked. 0wnz0r3d mah |310tc|-|!!!!!1111 in the most serious of ways. And occasionally, the intruder will contact the company with an offer along the lines of "pay me 100 billion dollars (hehe, nod to Dr. Evil) and I will explain what I did, how I learned about it and did it, and what to do to fix it...and I won't tell anyone about this."

    Unfortunately, many companies accept this sort of offer, rather than lose face and risk the financial repercussions of their stock price falling. They figure it is cheaper to pay him off with a legally binding NDA than lose market share and stock value. And putting on my purely managerial/non-InfoSec-geek hat, I can see that it might just seem like a valid business decision. This is the mindset you are certainly facing, as Iron-Kurtain and others suggested.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #18
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I fully understand why it would scare him, but the fact is, if you are being paid to secure something, you had better damn well know how to secure it. It is impossible to plug every hole, but threatening someone who points one out is only going to piss them off. In high school this kind of reaction to the stuff I did only made me want to exploit the problem in a very public and obvious way, since the admin obviously wasn't going to listen to me.

    I don't like the idea that people look down on a lot of kids and automatically assume they are up to no good. I can't count the number of times I have walked into offices (still happens since I'm only 19) and the CEOs of these million dollar companies stare at me and treat me like I am stupid because I am less than half their age. And sometimes it takes a nice digital kick in the mouth to make people realise that some of us are fighting for the good guys and do want to help. And it sounds like this is what is going on. The guy hates the idea that "some punk kid" just showed why his security is like swiss cheese.

    If I were you I'd go with Zencoder and start emailing the press. Hackers are making news bigtime again, so a lot of new reporters will jump on it when Admins react this way to something that should have stayed between the two of you, and should be fixed.

    /rant
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  9. #19
    Code:
    REM Loop forever, broadcasting a Messenger-service popup to every
    REM user connected to this machine (net send /USERS, NT/2000/XP).
    :START
    net send /users Tell the Admin to fix the damn computers!!!
    GOTO START
    Just leave that running on a couple of machines and see how long he can ignore the problem.

    v_Ln

  10. #20
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    School Security

    Well, kid, you did the right thing......
    Hiding out may have been the best way.....
    Some admins do not want to be told they're not very smart....
    It's a school and low pay.... what do you expect....

    I did the same thing but even then it cost me many bucks and grey hair.....

    see my story here http://users.adelphia.net/~franksradio/

    The ISP I am on now for most of my networking work is a real nice bunch of people...
    My access to the net..... via a cable modem... not sure about them yet, but no complaints...
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle
