-
March 21st, 2005, 05:28 AM
#11
I’ve been too depressed lately to get drunk, but I’m getting there now and saw this ..
I also find it interesting that at this time of this writing nekenieh is not subscribed to this thread! The ONLY thread he/she has ever posted to up to this point. Makes you wonder?
Anyway,
*** Anyone reading this, if you know me and feel you want to skip over this feel free, but PLEASE, read the EPILOG ****
In order to do what you want you should have been here two years ago and read and questioned EVERYTHING !
The room to the lab has a swipecard reader to get access ...
Well, can you tell me, .....
Now remember, you are under oath at a jury trial because the appeals and civil suits went that far ..... So tell me that NO ONE has ever entered that room behind someone who swiped for entry, or stood by someone entering just to place tape over the lock, or that the door was never propped open? So how do you know exactly who did and did not enter?
Have all the boxes in the lab been examined? What is the possibility that some dumb-ass student ( or faculty member ) at some other time ( maybe last semester ) put some file-sharing program on it ( or others ) which was compromised by them or someone else from the outside? What about someone downloading a virus or worm at some other time which has now led to the box being compromised from outside?
Can you tell me what software the admins would need to have? Ours is a pretty good sized university, so I would think they have something - I just need to tell them what to do, apparently.
LMFAO !!! I think Egaladeist said it grand!
You need to tell your network administrators what tools to use? Are they doorknobs?
ROFLMFAO !!!!
Anybody, see if I missed something, I’m sure I did:
1) check the ... wait a minute, you said the threat was “ posted online” .. what EXACTLY does that mean? Posted on a forum, in an e-mail, web-page hijacked?
2) You said you found the computer where threat was made from. How? How good is your evidence?
3) check who logged into the computer ( oh, forgot, no login required ... that’s ok with the admins ? )
OK, now to your question:
4) Check with the IT Admins.
a) Do they have and retain firewall logs?
b) How about IDS Logs ?
c) are the IDS placed properly and appropriately?
d) Do they know how to read the logs?
e) Do they know how to retain evidence?
f) In the event that the IP address that you identified had been taken over, when was the last time they checked the integrity of the network?
The list goes on, but my point here is that if the network was properly secured this may or may not have been prevented, but could definitely be tracked down. But if you have to tell your admins how to do it then it was not properly secured ( unless the powers that be fired the only ones who knew what they were doing ... do you work for a private or government entity ? )
Epilog:
You did not say nor did you include where you are. I will assume then you will fall under similar laws to where I am. That being said:
1) If you feel these threats have no merit, won’t ever be carried out, ( and you did not say what the threats were, ) that they are mere harassment, you may or may not be REQUIRED to notify authorities.
2) If you feel that these threats are such that you believe that you are in physical danger and that you reasonably believe that they would be carried out you are OBLIGATED to notify authorities, whether or not you work for a public or private entity.
Although I initially found it amusing and typical it probably is a serious situation on many fronts. But I have been around too long and seen incompetence too often in all the above alluded to arenas to assume the right thing was done to properly prosecute the offender(s).
Remember, any hacker worth a damn will be able to cover most if not all their tracks, depending on how good the Admins are. If you have to tell them what to do, after asking here, the game is lost.
I at least hope this shed some light on the situation.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
March 21st, 2005, 02:16 PM
#12
Now remember, you are under oath at a jury trial because the appeals and civil suits went that far ..... So tell me that NO ONE has ever entered that room behind someone who swiped for entry, or stood by someone entering just to place tape over the lock, or that the door was never propped open? So how do you know exactly who did and did not enter?
Good point, we call that "tailgating", also if the door is a fire door it should have an inspection panel.............just bang on the door and someone who recognises you will let you in.
Have all the boxes in the lab been examined? What is the possibility that some dumb-ass student ( or faculty member ) at some other time ( maybe last semester ) put some file-sharing program on it ( or others ) which was compromised by them or someone else from the outside? What about someone downloading a virus or worm at some other time which has now led to the box being compromised from outside?
I would have thought that fairly unsophisticated remote support capabilities would allow someone elsewhere to use the machine as a proxy? Another possibility perhaps? Naturally they would disable them afterwards.
A threat against me was recently posted online
I do hope that it was a threat, rather than a promise made by one who keeps their word
I also find it interesting that at this time of this writing nekenieh is not subscribed to this thread! The ONLY thread he/she has ever posted to up to this point. Makes you wonder?
Indeed it does Perhaps we are advising the defence rather than the prosecution? ..........hmmm.......... I guess I would go for $250,000 compensation and free tuition for the rest of my life............seems like a reasonable plea bargain to me
-
March 21st, 2005, 05:30 PM
#13
If the person has to sign a log sheet to use the computer, check it and match it up with the history.
Ahh nothing like good old paper
-
March 21st, 2005, 05:41 PM
#14
I wanted to thank everyone for the help. I'm going to go back to the IT people today and get some more specifics, check on the swipecard reader, etc.
To answer a couple of the questions posted: the lab PCs run Windows XP (I'm pretty sure w/SP2), the threat was made to an online bulletin board (they are the ones who provided me with the time and IP address) but the board does not require a login, and, finally, I don't need "beyond a reasonable doubt" evidence, I just need enough to get the student to admit what they did was wrong, etc. (i.e. scare them into an admission - generally not too hard).
Finally, for the poster who asked what warranted the attention of a Dean: any threat made by one member of the university to another.
-
March 21st, 2005, 09:05 PM
#15
Hmmm
the threat was made to an online bulletin board
How did you find out about it then? I am certain that it was not a random action or random choice on the part of the perpetrator.
I don't need "beyond a reasonable doubt" evidence, I just need enough to get the student to admit what they did was wrong, etc. (i.e. scare them into an admission - generally not too hard).
Oh really, and which of the World's glorious fascist dictatorships do you happen to live in? If I were you I would get down off that ivory tower high horse before some hot shot lawyer blows you off it. I don't care what "rules" you think your insignificant little institution has (yes even Yale, Harvard, Stanford, Berkeley).............it is answerable to the LAW, both civil and criminal...........that is a fact. Similarly, so are you.
So, let's look at what you have got?
1. A computer lab with equipment that does not require a User ID or login, yet allows internet connectivity, and a bulletin board that does not require logins etc.
2. You have a set of IT administrators who, from your description, make the local supermarket vegetable shelves seem "gifted" (they would be the first witnesses I would call)
3. An access control system using a swipe card.............not sure what it logs, but no "turnstile" single person entry control I will bet. This would allow "tailgating", as I mentioned. Also, I will bet that you just have to push a button to get out (you DO comply with fire regulations at your institution, I take it?) This means that someone on the inside can let people in, and you have no idea when people left.
4. No surveillance or keylogging to prove who may have done it, and which computer was actually used.
5. You have no way of telling who used the computer, or even if it really was that computer that was used. If you don't have to log in, why bother logging out?
6. Previous and subsequent usage proves nothing in an environment such as you describe.
I suspect that if someone is out to get you, they are doing it by playing to your intellectual and personality shortcomings ( I base that assessment on your statement: "scare them into an admission - generally not too hard") and are setting you up for a nice little lawsuit. You can bet that they are not on their own, and have probably got reasonably expert advice.
I would strongly recommend that you discuss your proposed actions with your Dean, and a competent legal authority. Remember your actions commit your institution as well as yourself.
-
March 21st, 2005, 09:15 PM
#16
Heineken,
It's really hard for the people here to assess your situation without certain information that you have excluded from your profile and have avoided answering here in this thread...
Why the secrecy? What institution are we talking about? What do you teach? Where are you located? What bulletin board, and where can we find it to correctly assess your damages?
-
March 21st, 2005, 09:38 PM
#17
Wait a second, what kind of university has all external IP addresses? I mean really. You say it’s a good sized university, so unless the kid was on a server that has an external IP address then every computer on the network will have the same IP according to the message board. Any lab computer that I have ever seen will have internal IP addresses; I could be wrong because I have only worked on about a dozen school networks. That means that the IP you got from the message board is the external IP for the school (at least one of them) and it could have been posted from ANY computer on the network and you couldn't tell. So tell us, how exactly did you track down a single computer in the lab, with only an external IP address to work with?
After this realization, in combination with the supposedly good-for-nothing admins who don’t promote logons to terminals (especially at a university), the fact that you stumbled on this threat randomly, your secrecy, and the fact that you plan on going after a kid with little more than a screen name leads me to believe this is all bullshit. Anyone agree?
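Post #11 lists "firewall logs" and "IDS logs" as the first things to ask the admins for, and the post above explains why they matter: a campus behind NAT shows the bulletin board one public address, so the board's (time, IP) pair only narrows things down if the firewall kept its translation log and someone correlates it. The script below is an added example of that correlation, written for this thread and not code from any poster or from the university in question. Every address, timestamp and log line in it is constructed; the log layout is an assumed syslog-like format rather than any specific firewall's, and the lab inventory is an assumed set of static DHCP reservations.

```python
"""Correlate a bulletin-board abuse report (time + public IP) against firewall
NAT translation logs to find the internal host behind a shared external address.
Every address, timestamp and log line here is constructed for illustration;
the log format is an assumed syslog-like layout, not a specific vendor's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed NAT translation log. The firewall stamps lines in its local zone
# (assumed UTC-5 here) and, as syslog usually does, omits the year.
NAT_LOG = """\
Mar 18 13:58:02 fw1 nat: 10.20.31.12:3301 -> 203.0.113.7:40988 dst 198.51.100.9:80 tcp
Mar 18 14:01:55 fw1 nat: 10.20.31.44:3312 -> 203.0.113.7:41002 dst 198.51.100.9:80 tcp
Mar 18 14:02:03 fw1 nat: 10.20.40.8:1107 -> 203.0.113.7:41003 dst 192.0.2.50:443 tcp
Mar 18 14:02:20 fw1 nat: 10.20.31.44:3313 -> 203.0.113.7:41004 dst 198.51.100.9:80 tcp
Mar 18 14:09:41 fw1 nat: 10.20.31.19:3400 -> 203.0.113.7:41010 dst 198.51.100.9:80 tcp
"""
FIREWALL_TZ = timezone(timedelta(hours=-5))
LOG_YEAR = 2005

# What the board operator reported (constructed): the post time, in UTC, and
# the single public address the whole campus appears as. The board's server
# address is what the NAT log shows as the destination.
REPORTED_TIME = datetime(2005, 3, 18, 19, 2, 17, tzinfo=timezone.utc)
PUBLIC_IP = "203.0.113.7"
BOARD_IP = "198.51.100.9"

# Constructed lab inventory (assumed static DHCP reservations): internal
# address -> workstation label. In practice this comes from DHCP lease logs.
LAB_INVENTORY = {"10.20.31.12": "LAB-A-01", "10.20.31.19": "LAB-A-04",
                 "10.20.31.44": "LAB-A-07"}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ nat: "
    r"(?P<src>[\d.]+):\d+ -> (?P<pub>[\d.]+):\d+ "
    r"dst (?P<dst>[\d.]+):(?P<dport>\d+) \w+$"
)


@dataclass(frozen=True)
class NatRecord:
    when: datetime   # timezone-aware, normalised to UTC
    src: str         # internal (private) address before translation
    public: str      # public address after translation
    dst: str         # destination server
    dport: int


def parse_nat_log(text: str, year: int, tz: timezone) -> list[NatRecord]:
    """Parse NAT lines, attaching the year and zone that syslog left implicit."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a translation record; ignore
        local = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=tz)
        records.append(NatRecord(local.astimezone(timezone.utc), m["src"],
                                 m["pub"], m["dst"], int(m["dport"])))
    return records


def find_candidates(records: list[NatRecord], reported: datetime, public_ip: str,
                    board_ip: str, window: timedelta) -> list[NatRecord]:
    """Translations from the reported public address to the board's server
    within +/- window of the reported time. Clocks are never perfectly in
    sync, so the window absorbs skew; both sides must be timezone-aware."""
    if reported.tzinfo is None:
        raise ValueError("reported time must carry a timezone")
    target = reported.astimezone(timezone.utc)
    return [r for r in records
            if r.public == public_ip and r.dst == board_ip
            and abs(r.when - target) <= window]


def attribute(records: list[NatRecord], reported: datetime, public_ip: str,
              board_ip: str, window: timedelta) -> dict:
    """Map candidate translations to internal hosts and lab workstations.
    More than one host (or none) in the window means the log cannot single
    out a machine, so the result says so rather than picking one."""
    hosts = sorted({r.src for r in
                    find_candidates(records, reported, public_ip, board_ip, window)})
    return {
        "hosts": hosts,
        "workstations": [LAB_INVENTORY.get(h, "not in lab inventory") for h in hosts],
        "ambiguous": len(hosts) != 1,
    }


def run_demo(window_minutes: int = 2) -> dict:
    """Run the correlation on the constructed data with a given skew window."""
    records = parse_nat_log(NAT_LOG, LOG_YEAR, FIREWALL_TZ)
    return attribute(records, REPORTED_TIME, PUBLIC_IP, BOARD_IP,
                     timedelta(minutes=window_minutes))


if __name__ == "__main__":
    print("tight window:", run_demo(2))    # one host: 10.20.31.44 / LAB-A-07
    print("loose window:", run_demo(15))   # three hosts: ambiguous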
-
March 21st, 2005, 09:46 PM
#18
How people treat you is their karma- how you react is yours-Wayne Dyer
-
March 21st, 2005, 09:54 PM
#19
As someone who works in a post-secondary educational unit I have some suggestions:
First, if it's a threat many jurisdictions do consider that a legal issue and it can be a crime punishable by law. The problem arises from a lack of authentication and identification. What you may believe as to who it is may not be in fact the case (e.g., ratemyprofessor.com -- perhaps this is the site in question -- has tonnes of students posting and some post well after they have passed/failed the course).
Second, we had a similar issue -- very nasty comments about what a few students wanted to do to certain profs (along with tests and exam questions being passed around by students). We got around this by having the school offer and host its own BB. This means that they control who logs in and KNOWS who it is since the authentication is tied to their existing school account (they MUST have a school email and the password associated with it to log in -- this isn't foolproof but does make it somewhat easier to track down).
Lastly, if you're not hosting it (as in the university hosting it) I doubt there is much that can be done unless the threat is a serious death threat (I know of written RPGs way back when and a certain "attempted rape" case).
-
March 21st, 2005, 10:28 PM
#20
Just a question
nekenieh,
- I was in the office this afternoon while reading this thread. I was eager to ask some points but I guess observing it would probably minimize my confusions. Nevertheless, the succeeding replies made me write these points:
A)
computer is on the school's network... ...The room to the lab has a swipecard reader to get access... ...Ours is a pretty good sized university
- I am just wondering why a pretty good sized university is more concerned with securing the computer lab rather than the workstations themselves (not to mention that it is running Win XP [and with SP2 - did the admin ever read about the so called benefits of SP2?] (at least a USER AND PW can be configured)? 'Coz IMHO, universities should have these standard protocols in facilities they use.
B)
the threat was made to an online bulletin board (they are the ones who provided me with the time and IP address)
- I was going to ask this because I just had an idea that the "ONLINE" you had mentioned could fall into forum, guestbook or e-mail. Well, close enough. But the question is, how did you know about the threat? Did the BBS guys tell you or inform you about it? Or did you happen to be a member of the BBS (public?). And about the IP and time, for sure BBS servers have more info to give, you can ask them again.
C) About the University's policy on security, I just can't believe that a pretty good sized university lacks the ADMINISTRATIVE CONTROL OVER THE WORKSTATIONS? Did I miss something here?
D) Lastly,
any advice on how I could go about identifying the person that made the post?
- I could sum-up the advice but it will be effective on the next tracing that you could conduct:
- TO THE ADMIN, DO YOUR JOB AND SECURE THE WORKSTATION (God!)
- TO THE BBS people (if they are part of the ADMIN, do what MsM told you),
they control who logs in and KNOWS who it is since the authentication is tied to their existing school account (they MUST have a school email and the password associated with it to log in -- this isn't foolproof but does make it somewhat easier to track down).
- AND TO YOU,
I don't need "beyond a reasonable doubt" evidence
believe me, you'll need it.
BTW, I am just making a point that what you are trying to trace would be difficult given that the information you have so far may not help answer your needs. Before AO could give concrete inputs and answers, please answer the questions raised by the AO guys.
Good luck!
Yo!
*most of the points I had mentioned above had been mentioned in somewhat another way or exactly as is by other AO guys (my bad, too much reading... LoLz)