Alerting My School of its Vulnerabilities

[br_fusion]

I would just like to wish you the best of luck, because from my past experiences and others, your heading down a tough but good road.

Highschool = two things

When in your position, there are a lot of threats and even more intimidation.


Cheers and good luck
Fusion

[Tiger Shark]

When in your position, there are a lot of threats and even more intimidation.

Jareds: If that begins to occur feel free to either forward your response to me first so I can look it over or just forward the threat/intimidation and allow me to formulate a professional response on your part. Just PM me your email.....

You are doing the right thing and are showing significantly more integrity and self respect than the admin has shown you to date, (regardless of the apology - it wasn't his doing it was the super's). It's a shame that you might be making him look bad but his responsibility is to protect the super and therefore the school from liability... It seems, from what you have said, that he is summarily failing in his duty and, as such, any voluntary help provided him should be taken in the spirit that is meant rather than the defensive attitude you implied he started with.

I, for one, am right behind you and will assist you in any way you want to maintain your anonymity and remain on a "higher plane" than those that would respond with pettiness and unprofessionalism.... You know where to find me....

[Kite]

jareds, tell your admin to get script logic and he wont have to be worried about ever doing something that requires actuall skill ever again.

[noahsarc]

Tigershark and Jareds...

The general situation here is that the individual PCs are not locked down properly, am I correct?

How many PCs are there at the school? How many IT guys are at the school itself? Are they primarily teachers with little IT training, support, or time?

Did the letter to the the School board address the District's IT program/plan/support or lack of it. If not then isn't this just addressing a symptom and possibly causing a hard working if unskilled person a great deal of grief through general FUD?

I see this situation as one of leaving internal security light and unmanaged ... but unless student records and confidential information is involved, how big a problem is it really?

I fully expect a school to control the boundaries of a campus to protect students and staff, and locking file cabinets with personal information. But leaving doors inside unlocked that allow anyone in the school to make off with an extra kickball at recess are things to control with rules and discipline.

[XTC46]

Network has holes in it....
Computers with personnel data, grades, etc are on network...
therfore a connection to these computers from the outside just got easier.


not to mention if he found the holes its possible other students may find them and the other ones may have malicious intent. I know in high school I could have gotten into a bunch of the computers my teachers kept there grades on, i could have kicked them offline when grades needed to be mailed in, I could have done alot of things but didnt. Luckliy the only other people in the school with the skill(well atleast the ones i knew of) and the ones who had access were on the "good side" or just didnt give a **** about students grades, so they never did anything. security is only as good as its weakest point. If its easy to access a network, then getting to the computer you want just got a hell of alot easier.

[whatthe]

I work at a school and in most cases I would probably welcome the insights offered if I were in that guy's position. There are a few things that could swing me the other way.

It sounds like you were just playing around when you came across this stuff. Every school has their group of kids who try every loop hole to get through security and play with stuff. "It's the IT guys job to fix what we mess up." True but there's also more important ways for us to use our time. Maybe he thinks you're one of those kids (doesn't sound like you are or you wouldnt've posted for help).

It could have been that he was having a really crappy day and didn't think out his reply to you because he was pissed off. I'm sure there aren't too many people who have never sent an e-mail they wish they could take back. I know there's times I have to wait to send replies. Maybe he regretted it later, before you went over his head (through proper channels, you gave him a chance). Or it could be he's a dick who hates his job. Both of those are his problem.

I'd give the guy the benefit of the doubt but also I'd stay anonymous as long as possible, just in case he is a dick.

[noahsarc]

My take is that we don't know the network setup.

The computers with grades and personal information may not be on the same network as the one Jareds found problems on.

Yes, the network is more vulnerable to the outside and malicious students could cause problems.

But Jareds has not mentioned any problems. Popups, slowdowns, virus, spyware activity would be showing up already if the network were open to the outside. Internal malicious activity would have been mentioned by now also.

I'm not against Jareds addressing the issue, or notifying the admins and the district. I think it is a good path that he has chosen. I just wanted to ask about the scope of the issue. It is something to consider while deciding what to do when you discover these situations.

[XTC46]

My take is that we don't know the network setup.

The computers with grades and personal information may not be on the same network as the one Jareds found problems on.

Yes, the network is more vulnerable to the outside and malicious students could cause problems.

But Jareds has not mentioned any problems. Popups, slowdowns, virus, spyware activity would be showing up already if the network were open to the outside. Internal malicious activity would have been mentioned by now also.

so nothing should be done until someone exploits the weaknesses? wouldnt it be SMARTER to fix the problems BEFORE something happens? its called PREVENTION.
And every single school network that I have worked on (only 4 or 5) has had there admin computers on the same network with the rest of there computers. they were different subnets, still the same network.

[BigDick]

Look at it this way, in many cases a school IT guy make be extremely overwhelmed. My high school had like .334 IT people on the staff that was comprised of principals, teachers, and students with some free time. With all of the systems that they had it's amazing that they kept it running at all. In your sending him this email, what you did is you exposed a weakness in his system. When you did that he took it personally and in so doing lashed out at the one person who was trying to help him. it kindof reminds me of what me and my friends did in high school, take advantage of one of the vulnerabilities to send them a message telling them it exists. (we used a loop hole to access a network drive that contained a host of really important stuff, and used some of the novell netware stuff to inform them as such). Obviously the IT guy feels threatened now that he knows that someone has found his holes. I think that's all it boils down to. He was threatened because he, a professional, felt like his short comings had been exposed by someone much younger and less experienced than he. I would take it as a compliment, because it shows that for once you knew about something a professional didn't catch...good job.

At my school the important stuff was also on a different subnet, same network though. funny, like that where I work too.

[noahsarc]

Yes prevention is smarter and that's why AntiOnline is here.

So I ask, are the issues Jareds brought up enough to indicate that other subnets on the same network are at risk?

Is it enough to fix the vulnerabilities that one student found? Or should the fix be to PUSH for the district to provide more instruction, training and support to their staff who are being used as 'IT' probably without proper compensation but with all the responsibility and potential blame.