need some advice

ok, I've discovered quite a few vulnerabilities to a 2k network running at my college, most of them COULD be exploited to a disastrous level. I have a long list of stuff which I'd like to talk to the system admins about (including how to correct the exploits) but I'm a bit concerned as to how they will react, because they might have me kicked out because obviously I had to do a few things which are considered wrong to find the exploits (but no destruction of data or anything malicious etc.), so I mean, how do you explain to them to get it sorted without getting prosecuted yourself ?

Tell them anonymously? Make sure you tell them why you write anonymously though, otherwise you might freak them out...

You have a problem indeed
getting info about exploits on a system could be interpreted as a crack...

Maybe you should give the info anonymous?

Yeah. Write them a nice long e-mail telling them exactly what's wrong with their systems and how they can fix it... and send it from a web based e-mail account (dont post it as anonymous and send it from your college e-mail account - they can read the From: field!!!!)

Oh, and next time, make sure they know what you're trying before you start... they probably logged your attempts, and after reveiling those exploits, you can bet they go through those logs... Well, if you did nothing malicious, you're probably safe regardless.

Yeah. I told the computer technicians at my school as soon as I heard that they were putting in a network that they might see some unusual stuff in the logs (if they even *have* logs) because I'll be helping them by locating all the problems.

lol seems so simple really when u think about it ! maybe I should have ;) the webbased email thingy sounds like the best idea

It's not a bad idea to warn / ask before you poke around

Once I got a message from the network adminstrator of my College with the question if someone else made use of my account to test some things...
So, they actually look at logs,
I was surprised ,but I never told that I did these things and not 'a malicious cracker from the evil net'

Yup, places that actually have logs DO check them... However (believe it or not) most schools and colleges don't keep logs for 2 reasons

1) Too time consuming
2) The admins wouldn't know an error from normal activity anyway!!!

So, I had just bad luck... or wasn't hidding my attempts enough.

still, stay with the webmail idea (You could use a new created wemail account on a public shared computer, so even the IP isn't a link to you)

But for reporting faults to college net admins, thats a bit paranoid, unless they're gonna call in the FBI.

And hey maybe most places do check logs, its probably just that the net admins at my school wouldnt know a cat5e cable from a parallel printer cable let alone an unusual log entry from the rest of the network traffic!

to tell you the truth maybe a email wouldnt be such a good Idea for the fact 1 they might disscard it. 2 cant they trace an email? Some people are like that when it comes to there sites, you find a problem then you go and tell them and the next thing you know you are in court with an old ass judge waiting to make an example out of you. But then again how about telling them and say you heard it thru the grape vine! lol (california raisin style ). but who knows you might get a nice cozy job with them if they see your sencerity. Good luck and let me know how it turns out.

Yeah Good luck!!!

Go for it

You never know, you might get employed by them as a security consultant or something!!

Or they could kick you out

Well, yeah. That's the other extreme... Its a risk whatever you do! So good luck.

thanks for the vote of confidense guys, I think I'll try the email thing first, then if nothing happens, talk to one of the lecturers that I actually trust and see if he can pass the info on

Yeah, thats probably the best plan of action.

If you are paranoid about being kicked out, DO NOT send it from on campus. Even if you send it through a web based email such as hotmail, it can be traced. Your best bet is to go to a library (off campus) and send it through web based email from there. I helped my school trace an email sent from a hotmail account. The only reason they wanted to trace it was the email was a suicide note. Trust me, it can be done.

Happy Hacking

Suicide notes through e-mail... I've received a fair few of those... My friends all want to kill themselves, I guess they can't take my sarcasm and sense of humour as much as I thought they could!!

id tell them to their face in private. let them no you plan to tell no one else because you can get kicked out. if it was you, would you display your ignorance and maybe lose your job to get somebody, you don't even have a grudge against, in trouble when thier trying to help you out?

Good point.