Background:

A few years ago, I asked this question about disclosing somewhat serious vulnerabilities found in my high school's computer network.

More than two years later, the principal was made aware (by overhearing other students talking) that I was rumored to be a "hacker" and called me into his office to ask about (unrelated) suspicious network activity. The assistant superintendent and two of the district's IT personnel were present in this meeting. Misunderstanding the situation, I assumed they were aware of the extent of what I knew and explained the issues I had found:

  • The network administrator password is accessible to all users, and is located in a plain-text file on every computer
  • Every computer has a local administrator account that requires no password to log into
  • The security cameras throughout the building are accessible from the wired and wireless network, and can be streamed live, turned, set to stop recording, disabled, or otherwise messed with; the streams are unencrypted and the web-based camera control panels use the default (or no) credentials
  • The web-based sign-on for the (otherwise password-less) wireless network can be trivially circumvented, allowing anyone to access it without authenticating themselves as a student
  • The content filtering and website blocking system can be trivially circumvented

I also explained that I had found the issues several years prior, and had neither exploited nor reported them out of fear of the consequences. I think my unexpected disclosure of several major vulnerabilities took the principal by surprise, and he said that I would not be suspended or expelled if I stopped all "exploration" of the network and stopped bypassing the school's content filtering system. I also think I may have embarrassed the IT guys in the room a little; they explained that they would not have known anything about my activities had I not told them.

I have since graduated; however, right before graduating (roughly a year after my conversation with the school principal) I wanted to check whether the problems I had found were fixed, in spite of being explicitly instructed not to do so. Not a single one was. I have graduated, but I still take these issues very seriously. I feel that the vulnerabilities I found pose a major security and safety risk for the school district's thousands of students. This is especially true if the vulnerabilities are used in combination, since anyone can, for example, access the wireless network (and therefore the cameras) without authentication from outside the building.


Question:

I am wondering about the best course of action, keeping in mind that I directly disobeyed my principal's explicit instructions, that the issues are known to multiple levels of district administration and IT personnel, and that they have been aware of them for a full year. My identity is also now known, which means if I brought these issues back up, it would be difficult to do anonymously. With those factors in mind, my questions are as follows:

  • What are the likely consequences of pursuing this further? Are they different now that I am no longer a student?
  • How can I do my best to make sure these issues are resolved without resorting to speaking with the press as is suggested by some here or suing as suggested here?
  • In spite of the seriousness of these issues, is it worth pursuing this further, or have I basically done all that I can?
Anonymous

1 Answer

I would not pursue this any further.

To summarize: You actively and extensively looked for vulnerabilities in their network (likely illegal, depending on your location). You admitted doing this and were luckily not punished, but told to not do it again. And then you did it again.

Your first exploration can be explained by youthful ignorance of laws and school rules (and could maybe even have been excused by "accidentally" discovering these issues during normal activity), but the second one cannot (it is mainly a legal problem, but doing something to things you do not own against the expressed will of the person responsible for them is unethical in many cases as well; this is even true when considering that the school is also acting unethically here by not fixing serious issues in a timely manner).

What you should have done

This is not helpful now, but if you are in a similar situation in the future: Ask.

The school might actually have been happy to allow you to re-check these issues. Or they might not have been. But the only way to know is to ask.

If you wanted to make sure that the issues do get fixed, you could have offered to help fix them: by suggesting possible solutions, by offering to re-check their solutions, or by actually helping to implement these solutions (this maybe could have taken place in the form of extracurricular activities, which maybe could even have been mentioned on a resume or college application).

What to do now

I don't see a way to pursue this without getting into trouble.

IANAL, but going to the press, suing, or even just saying that you know that the systems are still vulnerable could very well get you into legal trouble.

If you really want to, the best approach may still be to contact them and ask if they were able to fix the issues, and if they would like you to re-check them, or if they would like your help in fixing them (for free; anything else could also get you into legal trouble). If you do this, don't mention that you already re-checked without permission (and hope that they do not have any monitoring in place that could disclose your previous activity).

tim
  • Isn't the usual course of action in situations like this responsible disclosure? It's been a year. That's well outside pretty much any reasonable timeline for disclosure, regardless of whether the underlying issues were ever fixed or not. – Ajedi32 Aug 16 '17 at 17:17
  • 1
    @Ajedi32 For software products - open or close source -, definitely (It's still up to the researcher, but I would argue that it is a moral responsibility). But this isn't about vulnerabilities in software a lot of people are using, this is about misconfigurations of one specific network. I don't think responsible disclosure applies here, and the legal implication of OP because of the initial actions they took should also be taken into consideration. – tim Aug 18 '17 at 23:09
  • In this case however several of these vulnerabilities could impact other students at the school. It's very similar to a software project or cloud service in that respect. – Ajedi32 Aug 18 '17 at 23:24