
Thread: To Report or Not To Report

  1. #11
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    I am assuming you are in high school and got into this trouble? Not a university of some sort. I don't know who was in charge of suspending you, but if it wasn't the principal you should go to him and ask him if he will let you do security scans free of charge under his supervision. Then you can give him a detailed report of everything that is wrong. Then he will be able to go to the sys admin with the information and fix whatever is wrong. If he was the one who suspended you and you really do want to help, take it a step higher and talk to the superintendent of the school, give him the same spiel, let him know you were suspended for reasons that don't seem logical to you. See if you can get your parents to back you up. Now if you are in college go to the dean and do the same. These are just some thoughts. Let me know if it works for you.

    Cheers Spy
    Duct tape.....A whole lot of Duct Tape

  2. #12
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    =+=+=+=+=+=+=+=+=+
    Tedob, I never went in or got illegal access to anywhere. I found ways in, and looked around on the network
    =+=+=+=+=+=+=+=+=+

    Just because you CAN get somewhere doesn't give you authorization.

    http://www.swiss.ai.mit.edu/6.805/ar...-comp-law.html

    Unauthorized use.

    Unauthorized use is a misdemeanor and the least serious of the New York computer crime offenses. It is designed to thwart the curious hacker who gains entry into another's computer system to look around rather than to do damage.

    Computer trespass. To be deemed guilty of computer trespass, a user must gain unauthorized access to a computer system and then either commit a felony or obtain "computer material," which is narrowly defined under the New York law as protected commercial information available only to specified members of the company. Examples of computer material include trade secrets databases, and member lists. Information available to the public by computer or other means cannot be considered computer material.


    http://vx.netlux.org/texts/laws/new_hamp.html

    I. A person is guilty of the computer crime of unauthorized
    access to a computer system when, knowing that he is not
    authorized to do so, he knowingly accesses or causes to be
    accessed any computer system without authorization

    +=+=+=+=+=+=+=+=+=+=+=+

    These are among the first few items that I came across, but they're all basically the same.

    This is what you did! If you happened to open any of the documents that were there then you are guilty of computer trespass.

    Whatever made-up ethical standard you think you're abiding by, the fact remains that you broke the law.

    If you're not AUTHORIZED to view certain files at certain network locations and you thwarted network security procedures, no matter how flimsy....you broke the law.

    If you accessed an area not provided to you by straightforward means... you broke the law.

    BUT...breaking the law isn't the issue here. You reported yourself.

    If you must waste your time reading rabble-rousing documents like "the Hacker Manifesto" and consider yourself part of a non-existent organized hacker underground, at least have the smarts to read the documents that usually accompany this paper...what constitutes computer crime.

    For god's sake, man, I'm not coming down on you for exploring a network; that's what brought most of us here to begin with. I'm coming down on you for being dumb.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #13
    LoL. Tedob, I thought I had stated clearly before, though I'm sure I didn't or you would have understood, I didn't access anything I wasn't allowed to. I did find out HOW to do so, but didn't, and never broke the law. THAT is why I was surprised and upset about being punished. But that isn't the issue.

    Also, "The Hacker Manifesto," which I just read for the first time, BTW, seems nice enough, but it's a sentiment that many people will try and twist around. The good points that it makes don't have to be pointed out to us, and will be lost on those that do need to hear it because of how it's written. But, we're not talking about that either.

    And I don't consider myself dumb. In fact, I resent that statement! I prefer "Intellectually-challenged."

  4. #14
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    quote:
    LoL. Tedob, I thought I had stated clearly before, though I'm sure I didn't or you would have understood, I didn't access anything I wasn't allowed to.

    quote:
    Whenever someone logs on, Windows machines make a copy of their password on the C Drive, and it's fairly easy to decrypt.

    quote:
    (I dare not use one of the many User/Pass combos I found.)

    So... you know there are PWL files on the clients of your school network, and you decrypted the PWL files and you have a list of user/pass combinations. Easier solution - upon discovering PWL files on the clients, inform the school that a simple registry edit on the client boxes will ensure that PWL files will not be created on login (link). I honestly don't see how this could get you suspended, if you didn't do anything stupid like decrypting them and keeping a list of combinations. You could have said something about it straight after the virus scan.

    quote:
    To take advantage of this would go against everything I believe in

    You went and decrypted PWL files... why? You know they're a security risk. You don't need to decrypt them. All you needed to do was inform your admin.

    And seriously... if you are going to get into trouble for doing this, then don't report it. Easy. If, when you reported the old bugs, you really didn't do anything wrong, and you still got suspended, well that should be enough of a hint. And yeah, this thread does basically seem like validation of your 'efforts'.

  5. #15
    quote:
    Whenever someone logs on, Windows machines make a copy of their password on the C Drive, and it's fairly easy to decrypt.

    That was saying that it would be fairly easy to decrypt. I have not decrypted, nor do I have any intention of decrypting, any such thing.

    quote:
    (I dare not use one of the many User/Pass combos I found.)

    Again, this is the PWL files that I could have decrypted, but I did not.

    As for things before...I found holes that were obvious. You don't have to go through an open doorway to see that it's there, and there's gold beyond. If you see it...it's obvious.

    Yes, the problem is there. Yes, I could decrypt the files and get admin status immediately. Will I? Heck no!

    I really hope this clears up the remaining confusion. This post has nothing to do with "Should I 'hax0r' them or not?" But "Dare I report the problem?"

    Powertoad, did I say anything else to make you think I had decrypted the files?

    BTW, I haven't seen any posts from you in a while, where have you been?

  6. #16
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    If you didn't decrypt them, fair enough, but you have to admit it did sound like you had. And I understand what your question is. It just seems that the answer is incredibly obvious. If you feel that strongly about it, send a fake email to your admin and make sure it doesn't sound like it's coming from you i.e. simply give some links to resources which will enable them to fix the holes - do not include anything in the email except these links.

    quote:
    BTW, I haven't seen any posts from you in a while, where have you been?

    My last post was less than a week ago... we can't all post 28 times a day (and counting)

  7. #17
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    OK, maybe I'm reading this wrong:

    "I would like to point out that other than look around, nothing was confidential, I did not do anything. I did not damage any files, or anything at all malicious. They knew this. "

    You accessed an area that you were not given explicit or implied permission to access. That is, there wasn't a network drive mapped to it in Windows Explorer or a shortcut on the desktop or a menu entry to access these files. You simply found them by exploring the network and accessed them.

    You found this area and explored it. I don't have a problem with this, but believe it or not this is against the law, and I'm sure against the school's network use policy, as illustrated by the school's actions against you.

    OK, let's forget about the manifesto; poor choice, maybe ethical hacking. I realized that was a bad choice as I was running off to the gym. But what can possibly be ethical about prying where you don't belong? I mean, I do it, but I don't consider it ethical.

    I am not saying you are not intelligent or that you have a low IQ; I really think the opposite, but not having the knowledge you need to keep your ass out of trouble makes you dumb...just like the "self proclaimed white hats" that get busted for reporting security holes they find in web sites to the admins and give their real identities....dumb

  8. #18
    Time seems a bit warped..I just seem to get caught up in threads like this one. ::Grin:: AO is addictive. I'll probably burn out in a week though! ::Tries to ignore the cheering in the background:: Hush you.

    Glad we were able to clear it up...as for the answer being obvious...practicality says one thing, while morals say another. For me, a very difficult dilemma.

    I understand what you mean, Tedob, and I do appreciate your input. I consider it worth reading and taking into consideration.

    As for "I would like to point out that other than look around, nothing was confidential, I did not do anything. I did not damage any files, or anything at all malicious. They knew this. " I believe, though I don't specifically remember, that my intent was that I looked around the network. I may have been looking at files, and if I did they were ones I already had access to. Going beyond that, in a SCHOOL where there is a LOT of confidential information, means a violation of, not only the law, but people's privacy. I think we both agree on that.

    Thank you for also revising your statement to make it more clear. I didn't take any insult, because I was pretty sure one of us mis-understood, and that seems correct. (Because I did.)

    Thanks again!

  9. #19
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    To speak from experience here.

    My HS was a Novell network until I started gr 11, then we switched over to an NT Network. We had one Administrator for a school board that geographically covered around 1000sq km. So he did a lot of travelling. I ended up setting up my school's network, securing everything and such. From that point on I helped out with the computers. When I pointed out bugs, or found holes, regardless of what I'd done I was commended for it. I remember before I helped with the security I was a thorn in the school's side, I was constantly asked about problems with the computer network, and when I had internet access, the librarian stood over my shoulder the entire time. Helping the school out changed their opinion of me. I even ended up working with the Police Dept. in my town, because they didn't have a security expert, and a student at the school I attended had received an E-mail threat. Anyways.. In a case like that I'd say point out the holes. Showing them that I could be a help greatly improved the way they looked at me.

  10. #20
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    You are to be commended for wanting to be a "good samaritan",
    but they have made it quite clear that they do not want your
    help.

    The security weaknesses in their network are not your problem.
    CYA
    I came in to the world with nothing. I still have most of it.
