Alerting My School of its Vulnerabilities

[Jareds411]

I'm going to take zencoder's advice and forward his reply to the school board and superintendent. If their reply is bad, I'll forward it to the local newspaper and TV station. Thanks for the advice and support everyone. I'll keep you updated.

[zencoder]

Originally posted here by Jareds411
I'm going to take zencoder's advice and forward his reply to the school board and superintendent. If their reply is bad, I'll forward it to the local newspaper and TV station. Thanks for the advice and support everyone. I'll keep you updated.

Good luck. Just remember what I said:

#1 dont threaten, suggest nicely, explain why it's a mistake
#2 don't continue to abuse their lack of security, it'll kill your credibility

Believe it or not, personal integrity and credibility go a LONG way. Kevin Mitnick is one of the best examples. He has done fairly well with his new company and using his reputation and notoriety to make money. I wish him well. But can also tell you that for every company that thinks hiring him for security training or consulting is a good idea, many others will hire him with a grain of salt. "Let's see what he has to say. But while we're at it, let's ask Symantec, VeriSign, Counterpane, IBM, and some other MSS providers." And the rest will outright not consider him. The door is closed to him, for his past criminal activities (legality and (in)appropriatness of the federal justice systems handling of him aside.) This topic is actually one that is often hotly debated in forums much like this one. Can a former blackhat go white/grey, etc. I won't get into it, but I will comment that it removes a lot of opportunities.

[MURACU]

Unfortunately you got the answer many here were worried about. I would say that if was recieving the anonyomous e-mail freaked him out.
I am working now for a semi-public company. Most of the people working here are or were civil servants and unfortunately there is a similair attitude prevalent here. keep your head down and dont rock the boat. It bugs the hell out of me as I was working for a start up when we were taken over by this company. In any case if you do follow it up stay as proffesionel as possiable but be ready to be disappointed.

Can a former blackhat go white/grey? Of course it just depends on what washing powder you use...... . To be serious it is much harder now days than it was before.

[XTC46]

can a black hat turn white/grey hat?


I think so. As a kid I fel in love with the "hacker" persona. creeping around networks defacing stuff, deletiing files, etc. but as I grew older and realised that what I really loved was the challenge of doing all this and the thrill I got of staying ahead of the admins I figured it would be even harder to stop them. by my freshman/sophmore year I would purposley install trojans on my computer just to **** with the guy on the server end of it. and would take pride in making decoy boxes on networks just to mess with people.(sort of a honeypot?) and then got into netowork security and even more into social engineering (I always was somehwat good at it, just never knew it was an actual skill) Now I work for a "technology solutions provider" and have been paid to crack networks for owners recover passwords, things like that. Without the illegal stuff I did I wouldnt have the experience i have now (and im sure its the same for alot of people)

so yes, I think a blackhat can go to white hat. I was far from a hardcore blackhat hacker (closer to a script kiddie) but it is what got me started. I think the true blackhats have very good instincts and that is what makes them so good. (and unshakeable determination) so when they realise they want to do good, they bring that mindset with them.

[NtrlZr]

You probably made the right choice jared, but remember to be nice as zencoder said.
Keep it up :P

[TheSpecialist]

I think people who toss the H word onto themselves or pushes it onto others are a bunch stupid ****s. I hate them and I hate you.

[skiddieleet]

Originally posted here by Jareds411
Well, it's good that I stayed anonomous. The administrator replied that my actions were a severe breach of the AUP, and that it was being investigated, and I'd lose my computer privlidges if I was found. I guess the only good point is that from the security of our network I can tell that he couldn't trace anything if his life depended on it. I guess there's nothing else I can do.

I'm glad I didn't reply before. I was going to say that you should not do it anonymously. I don't get it though. How can you be in violation of the AUP when they are too lazy to restrict you from doing those things? You need to slap your admin. It's like he's saying, we're gonna leave it to where you can do all this stuff, but if you do we're gonna take away all your privileges. If he does find you, just tell him you didn't feel comfortable using his network anyway, it was too insecure for you. . Peace.

[MURACU]

Then again it may be the anonymous mail that freaked him out or not.

[Iron-Kurton]

h3r3tic,

It violates the AUP because in it, they probably have very clear language that you aren't allowed to do bad things. Jared saying that he found those problems on the network implies (in the minds of the admins) that he has exploited those holes..

It's like leaving your car keys in the car, and leaving it parked on the street. Sure, anyone can get into and out of the car, and even drive off with it, but it doesn't mean that you are legally allowed to do so.

[The Grunt]

Originally posted here by XTC46
The unfortunate truth is, that even if you do report it, chancea are nothing will get done about it. Thats the situation I was put in while in high school. I didnt get in trouble becasue I was a TA and the schools tech while I was a student, so I had unlimeted access. but didnt have the skills/resources to fix all the problems Hopefully you have better luck with this then I did.

Things don't change at my school either. I have warned and even gave ways on how to fix stuff. Nothing happened. I warned that the admin pass was 3 letters. Nothing happened. I told the computer teacher stuff so SHE could tell the admin. He still didn't fix ****, and the servers go down all the time on top of that. It's ignorance in its purest form.