fluidicslave

my schools sysadmin sux

45 posts in this topic

so my school has a really old student and faculty tracking system written in visual basic. what it does is record when a given student is on a given computer and put that information in a database. The software has many weaknesses but the most glaring is the fact that it stores the user name and password that the software is using to connect to the database in a file on the local machine.

I mentioned this to our system administrator but she said this was ok because "there is no way to connect to the database, it's on a protected server". Then I demonstrated to her that it was easy to connect to using MS Access.

I just recently realized that she had not fixed the problem after a YEAR!!! so I went to the Dean of students, who immediately contacted the president. I then demonstrated the problem to the president and printed out his own social security number!


> so my school has a really old student and faculty tracking system written in visual basic. what it does is record when a given student is on a given computer and put that information in a database. The software has many weaknesses but the most glaring is the fact that it stores the user name and password that the software is using to connect to the database in a file on the local machine.
>
> I mentioned this to our system administrator but she said this was ok because "there is no way to connect to the database, it's on a protected server". Then I demonstrated to her that it was easy to connect to using MS Access.
>
> I just recently realized that she had not fixed the problem after a YEAR!!! so I went to the Dean of students, who immediately contacted the president. I then demonstrated the problem to the president and printed out his own social security number!

Ahahah nice


He did the right thing by going to the administrator, and when that didn't work, going up higher in the chain of command.

As long as he didn't let any students know what was going on, I can understand how the administration reacted without assuming any wrongdoing on his part. Unfortunately, we're not always so lucky. Sometimes you have to ignore issues like that, knowing there's a chance you'll be blamed if something bad happens.

A similar thing happened at a company I was working for. I noticed some major, major issues. I went to the guy in charge and let him know, but he brushed it off. I immediately had a meeting with the company president and showed her how easy it was for someone to access a list of 500 customer credit card numbers via the unencrypted wifi.

The inventory tracking devices used in the warehouse were the reason for the lack of security. The damn things didn't even support WEP. Rather than upgrading their handheld units, they just opted for the "cheaper" alternative by just not using any encryption at all.

:blink: I have heard plenty of stories where students do what you have done. Find a vulnerability in their school network then notify someone at the school about it, and have been suspended/expelled. I wouldn't pursue this too much more if nothing is done about it.

I work as a tech at a local high school. I would be thrilled if a student showed me a hole in the system. Now there would be consequences but it would not be serious. I would actually have them help me fix the problem and probably have him/her write a paper on security or something. But suspended or expelled I would fight for them to get a lesser punishment.


> I work as a tech at a local high school. I would be thrilled if a student showed me a hole in the system. Now there would be consequences but it would not be serious. I would actually have them help me fix the problem and probably have him/her write a paper on security or something. But suspended or expelled I would fight for them to get a lesser punishment.

why in the world would there be any punishment? you should be really worried about the students who find holes and don't tell you about them.

I think it's really sad that you would punish someone for helping you


> :blink: I have heard plenty of stories where students do what you have done. Find a vulnerability in their school network then notify someone at the school about it, and have been suspended/expelled. I wouldn't pursue this too much more if nothing is done about it.

He should pursue this all the way, he said that the database also stores student information so anybody who attends that school has their personal info at risk.

edit: badly worded

Edited by tao_of_pi

> why in the world would there be any punishment? you should be really worried about the students who find holes and don't tell you about them.
>
> I think it's really sad that you would punish someone for helping you

some people just get scared or flustered when u tell them that you found a vuln. they want to know why u were looking for it and such. But even if they don't punish u then, they could later by assuming that it was ur fault something broke.


My school's tech person is my advisor :P i can't wait for an opportunity to wear my "hacker" shirt to school ^_^

but i dunno if i found a vulnerability if i would report it


> My school's tech person is my advisor :P i can't wait for an opportunity to wear my "hacker" shirt to school ^_^
>
> but i dunno if i found a vulnerability if i would report it

I wouldn't. I would get expelled. I know it.


I once visited a restaurant who had the point of sales systems on an unprotected wireless network with open Windows shares on it and I received free food for letting them know about their mistake.

the reality is that most people are nice.

Edited by fluidicslave

> > My school's tech person is my advisor :P i can't wait for an opportunity to wear my "hacker" shirt to school ^_^
> >
> > but i dunno if i found a vulnerability if i would report it
>
> I wouldn't. I would get expelled. I know it.

We share the same frustrations

> I once visited a restaurant who had the point of sales systems on an unprotected wireless network with open Windows shares on it and I received free food for letting them know about their mistake.
>
> the reality is that most people are nice.

You have to realize that at a good restaurant, the customer always comes first. At school, they treat you like garbage.


> > I work as a tech at a local high school. I would be thrilled if a student showed me a hole in the system. Now there would be consequences but it would not be serious. I would actually have them help me fix the problem and probably have him/her write a paper on security or something. But suspended or expelled I would fight for them to get a lesser punishment.
>
> why in the world would there be any punishment? you should be really worried about the students who find holes and don't tell you about them.
>
> I think it's really sad that you would punish someone for helping you

Part of the reason there would be a punishment is because this is not their system to try and find holes. I understand curiosity and all. But they would have done something that they are not supposed to do.

As for the ones who don't tell they will be found. Maybe not right away but eventually. Trust me.

I wish punishment was not an option. But if that person does something they should not be doing, i.e. using someone else's password or making. Again a short 1 to 2 page paper is hardly punishment. I would hope that you could learn something while writing the paper. It is totally different when you are an adult and you have higher ups like the Principal and school board admins. Just my opinion. And I am proud of you for disagreeing with me. That is what makes this board so great. We can disagree and still get along.


I think punishment when someone brings a security vulnerability to light just teaches them that if they find another hole, just let the administration keep it open so that they don't get in trouble again. The way it was when I was in high school, one time I saw the admin in the hall, stopped him and told him that there was a database that I could view, and that was the end of it.

Edited by lmnk

i rarely use my school's computers for anything but strictly schoolwork, as i 99.99% know that they are keylogging us, or at least watching everything we do... and yet my advisor asks us like once a week, whenever there is government spying, "How does that make you feel, is it right for them to spy on you for national security" :P


My school also has keylogging, internet logging, remote viewing and every other spying service Novell has to offer. I found a stupidly easy way of blocking it though, from the computers in our Tech Ed lab (which are set up differently than other school computers) I can control the Windows firewall and I am able to block all Novell spying software.


when i was in high school every computer on campus was running win2k. in typing class i sent a 'net send' to a friend of mine across the room, something like "Warning, Billy, you just broke the internet!! Please reboot". he bugged me for two days till i finally told him how to do it. the next day he single handedly started a 'net send' carpet bombing that ended with one other kid sending "jerry is a fag," or some other lame shit, to the broadcast channel. every single computer in that wing had a nice little window sitting in the center of its desktop proclaiming Jerry's sexual orientation. when the admin traced back through the logs, and found that i was the one who started it, i was forced to drop the class and was put back in freshman PE (the only class open in that time slot) for the rest of the semester. i also was not allowed to take any class with a computer orientation for the rest of my time there.

not as harsh of a punishment as i could have gotten i suppose.


> when i was in high school every computer on campus was running win2k. in typing class i sent a 'net send' to a friend of mine across the room, something like "Warning, Billy, you just broke the internet!! Please reboot". he bugged me for two days till i finally told him how to do it. the next day he single handedly started a 'net send' carpet bombing that ended with one other kid sending "jerry is a fag," or some other lame shit, to the broadcast channel. every single computer in that wing had a nice little window sitting in the center of its desktop proclaiming Jerry's sexual orientation. when the admin traced back through the logs, and found that i was the one who started it, i was forced to drop the class and was put back in freshman PE (the only class open in that time slot) for the rest of the semester. i also was not allowed to take any class with a computer orientation for the rest of my time there.
>
> not as harsh of a punishment as i could have gotten i suppose.

i would have definitely complained, you used in a private manner, a feature IN the OS the SCHOOL chose to use, it's their fault for using Windows, and the other kid's fault for abusing it


yeah well, PE sucked the second time around, just like it did the first time. but it's funny how arguments like that instantly pop into your head when you're 23, but when you're 14 you're just glad you're not getting yelled at and you can still go out on weekends. it basically boiled down to someone had to take the heat for it, and suspending 75% of the typing class just had too many logistical problems. typing class = the suck anyway.

the quick brown fox jumps over the lazy dog

teh wuick born fox jumops ovenr the laxzy dog

LOL, YOUR WORD SPEED IS 22 WPM

MAVIS BEACON ROFL's @ you!!


heh when i type out typing tests, i always score like 33WPM, although i type closer to 60 WPM usually, it's something about the pressure and the abnormality of typing something that i see on the screen rather than typing out my thoughts :lol:


as weird as it is, i can write code @ 40wpm and up

but actual words drag me spiraling back down to the 20-30 range

i also have to copy/paste everything i type into KATE to have it spell checked, so as not to look like a fool for misspelling "because" or "color"

but not to hijack fluidicslave's post, for a typing class tangent.

fluidicslave you did the right thing, and good on you for not getting screwed by a bunch of lamers in a position of power.


Colleges are the most hostile networks in the world (only topped by DefCon). They should have the best security admins, and they are not quick to say they missed something.

I have tried to close some holes at work and most of the time they don't understand and it becomes a shoot-the-messenger situation. I have adopted a "My network, my problem; not my network, not my problem" attitude.

Hell, could be my benefit if I have something to gain. I am amazed how many intrusions are covered up because most admins won't admit to their boss they have been hacked.

One time I found L0pht using SMS at one of our sites in India. My boss was more interested in covering up the situation than discovering how badly we were compromised.

Because you said something to the admin you are required to follow through just to cover your own ass.


> Part of the reason there would be a punishment is because this is not their system to try and find holes. I understand curiosity and all. But they would have done something that they are not supposed to do.
>
> As for the ones who don't tell they will be found. Maybe not right away but eventually. Trust me.
>
> I wish punishment was not an option. But if that person does something they should not be doing, i.e. using someone else's password or making. Again a short 1 to 2 page paper is hardly punishment. I would hope that you could learn something while writing the paper. It is totally different when you are an adult and you have higher ups like the Principal and school board admins. Just my opinion. And I am proud of you for disagreeing with me. That is what makes this board so great. We can disagree and still get along.

I'll let E.S. Raymond provide the counterargument's framework.

1. The world is full of fascinating problems waiting to be solved.

Discouraging the improving of the world or solving any of the world's problems is, dare I say it, evil. "It's not his network to fix" doesn't mean too much. If something was vulnerable enough that he could see it, then it's not his fault for being able to see it. That's the nature of all holes, isn't it? Blaming somebody for looking for problems to solve is not a very saintly thing to do.

2. No problem should ever have to be solved twice.

Telling the kid, "Bad! You should not have done that, so I will punish you!" and then doing exactly what the kid did yourself seems hypocritical to me. The kid found a problem and fixed it for you. Be happy, and more importantly, be gracious.

3. Boredom and drudgery are evil.

By punishing the student in such a way and for such a "crime," what are you teaching him? You're either wasting his time or telling him that he should be a black hat instead of a white hat. And never forget that the primary function of schools is actually not to hand out punishments, and when they absolutely need to, to give them out as minimally as possible to teach a lesson and possibly prevent a thing from happening again. Heavy-handed justice doesn't serve anybody's purpose.

4. Freedom is good.

If you do not want people browsing a part of your network, then you should make that part of the network invisible to them or otherwise prevent people from accessing it. If somebody else finds a hole, then you have not succeeded here. People have the right to access things on the network that are open, and whether or not you wanted a part of the network to be open or not is ultimately irrelevant. Kid finds a hole? Finds something to be public that should be private? Fix the problem and move on; if the kid tried to break into it after you made it private, only then would there be a problem.

5. Attitude is no substitute for competence.

In such a situation, it would be your job to assume a gracious attitude and allow the kid to help solve the problem. Maybe it'd even be wise to reward the kid. But at any rate, your professional focus should above all be on fixing the problem as efficiently as possible and making sure such holes didn't appear again.

I agree that the BinRev forums are great in part because of how people can disagree with each other. They're even better when people can allow themselves to be convinced when sufficiently good points are made. I hope you're the type who isn't afraid of being convinced to change their mind. :)
