Risk vs. Right

[SonofGalen]

I would like everyone's opinion on something:

Back when I was in high school, I found (as the Webmaster) a series of security loopholes that could let anyone get admin or teacher access within minutes of just browsing the network, as we're supposed to do, and do on a daily basis. They were running Windows 98 machines with NT Scripts (that self-reportedly didn't work). That's one of the causes of the problem.

So I reported the problem, and was immediately suspended, had my network access taken away, and had a bunch of other things shoved onto my permanent record. I was also forced to drop two classes. Luckily, it went on my transcript the day after I had it sent off to colleges, and was still accepted into a very good school.

Now the same thing is beginning to happen. I've noticed a few problems in the school's network, this time much bigger, more complex, and with people on who it are largely unmonitored and more clever than the folks back in high school.

I don't know whether or not I should go ahead and report it. I'm good friends with my CS Professor, a few other CS Professors, and the Network Admin knows me, although he's still leary. Because I asked him about the legality of getting my FTP Server to be available outside the network he may not trust me, and may pin these things (quite wrongly) on me.

What do you all think? Should I report these flaws or not? Keep in mind, I haven't exploited or explored them much beyond seeing that the cracks are there.

Opinions?

[RoadClosed]

drop a note in one of your campus boxes that are for feedback or something.

[SonofGalen]

No such box. ::Sighs:: I could anonymously mail it, but still...::Shrugs:: I'm not making any decision until after break.

[rapier57]

System and Network Admins are busy people. First years are interesting and sometimes entertaining, but generally don't shake the earth much when they make suggestions.

Some things on your college network are configured the way they are for reasons you may not understand, yet.

I suggest taking your discoveries or ideas to your CS professor. Explain what you think you found, demonstrate one of the flaws. Make it clear that you stumbled on this, and that you are bringing it to someone's attention. The CS prof can go to the network admin with a bit more authority and credibility than you.

You will find that the college work environment is much different than the k-12 environment. It isn't perfect, but at least it is usually populated by real professionals, not just wannabees.

[SonofGalen]

I suppose that's my only choice...::Sighs::

[RoadClosed]

not just wannabees

lol

[groovicus]

IMHO, what is the worst thing that could happen with the vulnerabilities as they are? Are they going to affect you directly? (ie, your personal information is accessible, etc.) If not, then don't worry about it...

I know it's difficult when you see something wrong, and you know it can be fixed..especially since you have been burned before. Pardon me for being a little cynical though.... I think there is more to your story that you are keeping to yourself

Maybe you could ask your IT people ,"hey, why is this set up this way?"..but I would suggest that you be very careful with your wording...if it sounds like you are accusing them of being morons (which they may very well be), they probably will not be very receptive.

If you approach it from the view that you are trying to learn and understand, I think they may be more receptive to explain things to you... sometimes all you have to do is plant a seed in someone's mind, and they can figure out the rest for themselves...you just have to be cautious in your approach...

Tough decision, no matter how you look at it, but don't lose sleep over it.

Good Luck!!

[RoadClosed]

Hmm depending on your access and the vulerability, you could also fix it.