My school fails at computer security...

The school experience. School related queries, discussions, and stories that aren't specific to a subject.

Moderators: gmalivuk, Moderators General, Prelates

Chant
Posts: 5
Joined: Sun May 29, 2011 5:21 am UTC

Re: My school fails at computer security...

Postby Chant » Fri Mar 09, 2012 7:45 am UTC

Just had a major success - cracked the NTLM hash for the admin password - with jakash3's stickykeys hack, so I will postmortem here.

1. booted onto a compsci lab computer with linux on a flashdrive. These computers auto-boot to the flashdrive, so it was easy.
2. They had the default teacher account, but not the admin. Stole the teacher password with ophcrack within linux. Turns out it was "apple"
3. logged onto the teacher accounts on the library, where my group all could meet up at the same time, and where we had a bit more time to work with (as we didn't need to also do our compsci work)
4. Turns out the teacher accounts had cmd.exe enabled and permission to COPY but not RENAME or DELETE files in system32. Copy cmd.exe sethc.exe
5. created our own admin account (only local, not on net)
6. installed cain
7. dumped hashes
8. turns out the password isn't in the default rainbow tables. one guy is generating his own on the library computers right now, but I found a table that works so we'll probably shut it off in the morning tomorrow

What didn't work:
2.5. When I got the teacher password, I also tried copying system32 into program files, where it could be more easily accessed later. Somehow, I screwed up most of the files in config and ended up bricking the computer for a month while it got sent to repair-zone. luckily, this was over winter break
3.5. we tried to get the BIOS password on the library computers to enable booting from linux there, but the default / backdoors for AWARD bioses didn't work. Also, when we tried some shady program that guessed about 26^6 passwords, the school's sysAdmin came over and asked what was going on. "oh we booted up but then it gave us this 'input password' screen, no idea wut happened lol"
5.5. Some guy stuck a paperclip in the CPU fan through a gap in the case. not sure why...

zenix
Posts: 6
Joined: Sun Mar 18, 2012 2:10 am UTC

Re: My school fails at computer security...

Postby zenix » Sun Mar 18, 2012 2:29 am UTC

I go to a private school in England and the security's fairly standard (though seeming an awful lot better relative to a lot of the stuff I've been reading on here).

Essentially, CMD isn't blocked, only hidden. All it takes is *notepad* *cmd.exe* *save as .bat* *hit enter* and you're in. I joined 5 years ago, by the end of my first year I'd got my account administrative privileges as well as getting hold of the password list for the entire school (though not including the admins passwords). Essentially, the security was good enough to block anyone who knew nothing about programming (about 99.5% of the students) but left it wide open to myself and a few others.

I used to really enjoy playing games with the IT dept. in 5 years they've never managed to hand me a detention slip because they've never been able to prove I've done anything (I make a personal habit of not leaving evidence behind me). Planning a big send off for leavers' day this year. I managed to sneak some code onto the computers they use to run the projector, sound and lighting equipment in the assembly hall thanks to a friend who helps out with the music dept. So I'm thinking of hijacking the last assembly of the year. Also tempted to lock the admins out of the system for the day then hole myself up somewhere inconspicuous (If I can get hold of one, I'm thinking the back of a van in the car park) from which to organise the days' entertainments.

This said though, me and the IT dept. have a sort of understanding. I don't do anything permanent to their system (and don't go seriously messing with stuff either), in return, they don't come down too hard on me when I start experimenting and taking a look around folders and root directories I really shouldn't have access to. It works quite well.

Oh yeah, and whilst the IT guys actually know their stuff, the head of IT (also my form tutor, which has led to many an interesting confrontation) knows jack all about computers. He's a management type. I periodically sneak into CR1 (Computer Room 1) when he's giving a lesson and remote log-off his computer. Deputy head is absolutely brilliant. Keeps telling him that until he can prove I've actually done anything, he can't impose sanctions.

The idiot tried to set up monitoring software on my account. Unfortunately for him, the way he used it actually opened a 2-way connection. I simply jammed his account so he couldn't log off then proceeded to root around his account for a bit while he franticly tried to regain access. He stopped trying after that point and I grew up enough to appreciate that there are very real boundaries to what the IT dept. will tolerate.

Will be interesting to see what the computer system at Oxford is like when I go there this autumn. I'm guessing, what with the high concentration of exceptional talent, that the system's going to seriously fortified. It'll make an interesting challenge though.

Meem1029
Posts: 379
Joined: Wed Jul 21, 2010 1:11 am UTC

Re: My school fails at computer security...

Postby Meem1029 » Mon Mar 19, 2012 11:20 pm UTC

I'm also guessing that you should either:
a) be a respectful student and not do things you aren't supposed to (although from your post I doubt that will happen...) or
b) make darn sure you read the policies relating to the network and computers so you don't get kicked out, since they can and probably will do that if you mess with their stuff.
cjmcjmcjmcjm wrote:If it can't be done in an 80x24 terminal, it's not worth doing

User avatar
Tomlidich the second
Posts: 1230
Joined: Thu Mar 22, 2012 5:38 pm UTC

Re: My school fails at computer security...

Postby Tomlidich the second » Fri Mar 23, 2012 5:11 pm UTC

i only graduated my senior year of high school because of my schools shitty computer network.

my entire grade was hinging on a project, that as of yet, was not complete. it appeared i was going to fail.

but someone, who i still have not figured out who they are (i want to shake this guy's hand someday)
hacked in, deleted everything, and wiped the servers. everyone's work, documents, records, all gone, schoolwide.
they had no backup plan of any kind. rather pathetic really.

so my teacher waived the assignment for everyone, being that noone had any of their work and school ended in less than a week.

so, i passed.

but the big thing i took from it was a lesson everyone needs to learn.

no matter who you are, no matter how unimportant you think you are, someone, somewhere, will try to break your system. and you need to prepare for that.
Image

MisterCheif
Posts: 253
Joined: Tue Apr 14, 2009 1:24 am UTC

Re: My school fails at computer security...

Postby MisterCheif » Mon Mar 26, 2012 8:39 pm UTC

One of my friends found how easy it was to bruteforce your way into any account on the school's ftp server. You only need the username, which is viewable in the ftp server without logging in, and the password, which is a six digit number. He found that all the current ones start with 2, so by running five processes of a cracking program (to split up the ranges that have to be covered), it takes him at most 7 minutes to get in. He has informed the IT department about the fact that the login is not rate limited.

He plans on continuing this to help them, because they are hopelessly incompetent at anything beyond blocking websites or installing software. I think he is going to tackle security flaws in the grading software system next, to let them know about those...
I can haz people?
lulzfish wrote:Exactly. Playing God is a good, old-fashioned American tradition. And you wouldn't want to ruin tradition. Unless you hate America. And that would make you a Communist.

stickler
Posts: 85
Joined: Sun Jan 01, 2012 12:40 pm UTC

Re: My school fails at computer security...

Postby stickler » Wed May 23, 2012 9:55 am UTC

My school is pretty good at computer security, with everything possible blocked, bios passwords etc.

There is also some powerful webfiltering that blocks porn, this forum, gmail, youtube etc all the time; and xkcd, facebook and games, out of hours (its a boarding school).

However it would appear that something has happened to the list of blocked websites and everything apart from thir custom list are uncatorgises and therfore not blocked : ). That said I expect there are still logs so I am keeping off anything dodgy!

I'm kinda surprised that it is still broken - last time it took them ten minutes, now it has been over two hours. I'm wondering if someone has gone on www.google.com/}]; DROP TABLE DOMAINS;--!

Or its possible that they are being nice and letting people on on what they want! (Thats my story and I'm sticking to it!)

I am too scared to try and 'grey hat' anything else here though! - And I promiced my Dad I wouldent :oops:

-Stickler

HungryHobo
Posts: 1708
Joined: Wed Oct 20, 2010 9:01 am UTC

Re: My school fails at computer security...

Postby HungryHobo » Thu May 24, 2012 10:34 am UTC

ah memories.

When I started in secondary we had a little computer lab which was lightly locked down. about half way through we moved to a new building with a big network full of security theatre.

With the small network I felt no urge to circumvent anything because it let you do most things. the big one just gradually pissed me off because you couldn't go 5 minutes without getting a "that action has been disallowed".

things like: users couldn't right click or use most commands through the normal windows interface but with a little jiggering they could run most commands with a batch script.
I was pretty clueless back then but security was a joke on that network.

it was a private company running things and we shared an admin with 4 other schools. clusterfuck. anything broke it could have to wait for 3 weeks or more.

Even as a clueless teenager I was able to stomp all over that thing with big boots on. Teachers were just happy I could make their printers and similar work or unblock things they needed for class without having to wait 3 weeks for the admin.
Even the teacher who had used to run the small network was just amused. I remember him asking some time why my folder was full of help files and documentation for the various services on the school network.

college was more fun, I became friends with the CS network admin there and as he put it "security here is pretty much the honor system" which it was but they also didn't really disallow much and as long as you didn't have malign intentions they were quite relaxed about everything since it was a CS department. Wrote a distributed parallel hash cracker from scratch which split a job across all the lab machines.
Last edited by HungryHobo on Fri Jun 15, 2012 8:07 am UTC, edited 1 time in total.
Give a man a fish, he owes you one fish. Teach a man to fish, you give up your monopoly on fisheries.

User avatar
Ariii
Posts: 3
Joined: Wed Jun 13, 2012 5:24 am UTC

Re: My school fails at computer security...

Postby Ariii » Wed Jun 13, 2012 5:29 pm UTC

There are some things I don't like about my school's computer department. They use Macs loaded with the latest software, which is great, but they consider the 2008 MacBooks 'old'. They also have iPads, now. They have a couple of iBook G4's laying around, which they don't even consider usable, which I've never seen pulled out before, and they use non-open-source software. I used OpenOffice and trying to exchange with Word gave me so, so many errors. Nearly every kid in my school (I live in a rich suburb) has a high-end Windows 7 computer complete with Microsoft Office. I, however, still use my iBook clamshell as my main machine with a triple boot of Debian (I modified it to take up less space), OS 9, and OS X on a 10 GB hard-drive. My family was actually considering having a complaint letter about having all the school computers use Office for everything as a requirement. They ended up saying that most open-source things aren't good or dependable so they can't use them, which really, really confused me. Also, I almost got suspended for hacking the school computers for having a Terminal window open (I was typing up my school paper in emacs) and the only sites blocked are Facebook, YouTube, and various gaming websites, while the kids in my school were able to override it in seconds just by using a different browser. The Terminals are now about to be blocked because the students found out how to play Tetris on them, and there is nearly no other security other than that. The only real threat to security is stealing the iDevices, which has happened before, but only me and a couple other people know any type of coding at all. In my new high school, the school computers are all Wintel towers though.

User avatar
cjmcjmcjmcjm
Posts: 1158
Joined: Tue Jan 05, 2010 5:15 am UTC
Location: Anywhere the internet is strong

Re: My school fails at computer security...

Postby cjmcjmcjmcjm » Mon Jun 18, 2012 4:06 am UTC

Ariii wrote:There are some things I don't like about my school's computer department. They use Macs loaded with the latest software, which is great, but they consider the 2008 MacBooks 'old'. They also have iPads, now. They have a couple of iBook G4's laying around, which they don't even consider usable, which I've never seen pulled out before, and they use non-open-source software. I used OpenOffice and trying to exchange with Word gave me so, so many errors. Nearly every kid in my school (I live in a rich suburb) has a high-end Windows 7 computer complete with Microsoft Office. I, however, still use my iBook clamshell as my main machine with a triple boot of Debian (I modified it to take up less space), OS 9, and OS X on a 10 GB hard-drive. My family was actually considering having a complaint letter about having all the school computers use Office for everything as a requirement. They ended up saying that most open-source things aren't good or dependable so they can't use them, which really, really confused me. Also, I almost got suspended for hacking the school computers for having a Terminal window open (I was typing up my school paper in emacs) and the only sites blocked are Facebook, YouTube, and various gaming websites, while the kids in my school were able to override it in seconds just by using a different browser. The Terminals are now about to be blocked because the students found out how to play Tetris on them, and there is nearly no other security other than that. The only real threat to security is stealing the iDevices, which has happened before, but only me and a couple other people know any type of coding at all. In my new high school, the school computers are all Wintel towers though.

Rich suburbs have surprisingly stupid IT people.
frezik wrote:Anti-photons move at the speed of dark

DemonDeluxe wrote:Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: My school fails at computer security...

Postby Steax » Mon Jun 18, 2012 4:30 am UTC

The whole office document wars are the whole reason I advocate kids to hand in assignments as PDFs anyway.
In Minecraft, I use the username Rirez.

User avatar
Sizik
Posts: 1196
Joined: Wed Aug 27, 2008 3:48 am UTC

Re: My school fails at computer security...

Postby Sizik » Wed Jun 20, 2012 3:38 pm UTC

Yeah, from what I've seen, I've concluded that word processor file formats are meant solely to be edited and printed, not digitally distributed. That's what PDFs are for.
gmalivuk wrote:
King Author wrote:If space (rather, distance) is an illusion, it'd be possible for one meta-me to experience both body's sensory inputs.
Yes. And if wishes were horses, wishing wells would fill up very quickly with drowned horses.

Brickmack
Posts: 59
Joined: Wed Sep 01, 2010 1:48 am UTC

Re: My school fails at computer security...

Postby Brickmack » Wed Jul 11, 2012 8:15 pm UTC

Wow, sounds like a lot of other schools have way worse security. At mine (and all schools in the district I think) the command line is accessable but a lot of stuff is restricted. A lot of the folders are set up so they cant be accessed, and the computers are set up so you cant save anything except in my documents (it looks like the computers have everything on the computer except in a few locations wiped when you log off, and the computer makes a temporary copy of everything thats needed from the network when loggin in). Also most programs cant be installed, though I have gotten te latest Firefox, Google Earth, and a few other programs installed in my documents (but every few weeks whoever manages the network goes in and deletes my program files). A few settings can be temporarily changed in control panel, bu not much. Theres also web filtering, but most of te time only porn is blocked (they block other sites from time to time, but they blocks can be circumvented by using https instead of http, or the ip address.

I spend a lot of time with a friend messing with the computers to see what restrictions we can get around. My computer teacher said he doesnt mind, as long as we dont break anythin too permenantly.

User avatar
Carlington
Posts: 1588
Joined: Sun Mar 22, 2009 8:46 am UTC
Location: Sydney, Australia.

Re: My school fails at computer security...

Postby Carlington » Fri Nov 30, 2012 4:14 pm UTC

The New South Wales state Government is incompetent. Let's get that out of the way to begin with.
To follow that, the Department of Education and Training (DET) is, perhaps, its most incompetent branch.
Throughout primary school (the first seven years), security wasn't an issue. At my school, however, nobody was really tech-savvy enough to take advantage of that fact.
The same year that I hit high school (the next six years), the DET started the rollout of their shiny new state-wide network. Possibly the most bloated and ineffective software system I have ever had the misfortune to encounter, and I had to use a desktop running Windows ME for five-odd years.
Each computer had a local generic "student" account, a local generic "staff" account. Each student had an account for network access, as did each teacher (with more privileges) and the admin had the most privileges of all. Each school had a big shared server, which hosted ALL the files for the entire school network. Yes, this means that once the server is full, nobody gets to save things anymore. The local storage on the computer was completely inaccessible, only network storage could be accessed. Students had access Home directory (H:/), with read/write privileges, and a "Student Data" directory (S:/), which was mostly read-only.
Passwords were chosen by the students, and fell under the usual password rules (alphanumeric only + spaces), but with no minimum length requirement. Usernames came in the form Firstname.Lastname(n), where n is left off if you are the first student with this name in the state, and after that starts counting at 1. Everybody logged in to the school server, and teachers and admin got access the other directory, which basically allowed them to connect to the BIG server for the entire state in Sydney. Interestingly enough, my full name exceeded the maximum length for the username field in the database in Sydney, meaning that, while I logged in with the usual Firstname.Lastname combo, to Sydney (and to admins), I appeared as a string of random characters (something like "fhhzwqwqeqwqeqqe#//"), which was effectively indistinguishable from anyone else with a username that was too long. I never used this to my advantage, but I can't speak for any of the others. The interesting part about this is, that instead of being connected to the schools version of our server, I was connected to Sydney's version of our server. Since our schools networked printers weren't connected to Sydney's version of our server, I couldn't print from my own account. I had to pester the librarian every time I wanted to print something, and she'd let me print on her account from a thumbdrive.

That half of the system (known as the school intranet) was reasonably well set-up. Students could be easily identified by interested parties, because their username left no room for anonymity (with the exceptions of those with extensive monikers). The only real exceptions are the fact that Control Panel and the Command Prompt were disabled, but the Run... dialog wasn't, so they could be accessed through Run -> "cmd.exe", etc., and the fact that the local hard drive could be accessed (read/modify privileges, no ability to create new files, and pointless using it for extra storage). This was done, quite simply, by accessing the H:/ drive, right-clicking, selecting "Create Shortcut", and pointing it at C:/

The other half of the system is where the incompetence really shines. The system was rolled out before proper completion, because the school year was starting too soon. There was intent to patch up the issues, but this only occasionally happened. Upon opening a web browser, a dialog box would appear, asking for a username and password. This was the same username as the school network login, and another custom password. So far, so good. The dialog box, for no good reason, appeared no less than eleven times each time a new connection was established. After which, you'd be redirected to a generic "Portal Login" page, and have to login AGAIN, through a fancy web interface. After logging in a dozen times, you are shown a usage policy, which is fairly stock-standard ("No cyber-bullying, no pornography, no offensive content, we can and will find you"). This was accompanied by two options. Agree/Disagree. Disagree boots you off the network. Agree takes you to a launch page for the internet (within the confines of the DET filter bubble). With the initial rollout, "Agree" didn't work. Both links would boot you from the network. Until I tried to use the network, nobody in the school had found a fix, and Sydney couldn't push a fix through for x amount of time for bullshit reason y. Instead of clicking "Agree", I typed "http://www.google.com" into the address bar, and was rewarded with internet access. Unfathomable. That was, however, fixed, and life moved on.
There was also the issue of student email, which was a custom gmail setup, and required a further dozen logins to access. Strangely, my "fhhzafaeggfgff#//" affliction didn't affect this level of the network, only the intranet. Not really sure why. This email account was incredibly bloated, had a filter on it which arbitrarily filtered emails on the grounds of "offensive content", and had the oppressively long domain of username@edu.nsw.gov.au.

The DET bubble operated on a blacklist system, which started with a list of pre-blocked sites, and the list was expanded over time by teachers and admins reporting sites to be added to the list. All well and good, except for nearly every case, because I have met perhaps three teachers over the course of thirteen years who were not completely computer-illiterate. The practical upshot of this is that teachers would not understand what they are seeing, report it, and have it blacklisted by some drone in the Sydney office who just needs to get these reports out of his inbox so he can do some actual work. This year (one year after I finished), this system was replaced with a whitelist system, whereby everything (bar a few necessary websites) is pre-blocked, and if a site is required for a justifiable educational purpose, it can be submitted for review in the Sydney office, and maybe eventually unblocked.

There was also the whole Rudd laptop scheme, which was a shambles from the outset, and the installation of smartboards in every school. I never got the chance to play with one of the student laptops, so I can't speak to how well they worked.

All in all, a decent system, security-wise. I never really tried too hard to get around it, but it would have been traceable if I had. The only really grating part of it is the amount of bloated and unnecessary faff involved. It smacks of incompetence, really.
Kewangji: Posdy zwei tosdy osdy oady. Bork bork bork, hoppity syphilis bork.

Eebster the Great: What specifically is moving faster than light in these examples?
doogly: Hands waving furiously.

Please use he/him/his pronouns when referring to me.

User avatar
ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC
Contact:

Re: My school fails at computer security...

Postby ahammel » Fri Nov 30, 2012 4:35 pm UTC

Wait, so if I guess somebody's password or I happen to have a long name I can anonymously launch a DOS attack on the central file server for, what, the whole school? The whole state?

Sounds like a pretty big security hole to me.
He/Him/His/Alex
God damn these electric sex pants!

User avatar
Carlington
Posts: 1588
Joined: Sun Mar 22, 2009 8:46 am UTC
Location: Sydney, Australia.

Re: My school fails at computer security...

Postby Carlington » Fri Nov 30, 2012 4:38 pm UTC

I...hadn't really thought about it, actually. I'm fairly certain running .exe files was disallowed, except for programs that were installed system-wide by an admin.
Kewangji: Posdy zwei tosdy osdy oady. Bork bork bork, hoppity syphilis bork.

Eebster the Great: What specifically is moving faster than light in these examples?
doogly: Hands waving furiously.

Please use he/him/his pronouns when referring to me.

User avatar
ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC
Contact:

Re: My school fails at computer security...

Postby ahammel » Fri Nov 30, 2012 4:44 pm UTC

I don't know what's built-in with Windows, but if there's any scripting language at all it would be trivial to fill up the server with garbage. Hell, even if you could only write Word documents it would just take a little bit of patience to do it by hand.
He/Him/His/Alex
God damn these electric sex pants!

User avatar
Carlington
Posts: 1588
Joined: Sun Mar 22, 2009 8:46 am UTC
Location: Sydney, Australia.

Re: My school fails at computer security...

Postby Carlington » Fri Nov 30, 2012 4:45 pm UTC

Ah, no, wait. There was a cap on the maximum space available to any one person. So there's that.
Kewangji: Posdy zwei tosdy osdy oady. Bork bork bork, hoppity syphilis bork.

Eebster the Great: What specifically is moving faster than light in these examples?
doogly: Hands waving furiously.

Please use he/him/his pronouns when referring to me.

User avatar
ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC
Contact:

Re: My school fails at computer security...

Postby ahammel » Fri Nov 30, 2012 4:46 pm UTC

Oh good. That would've been stupid.
He/Him/His/Alex
God damn these electric sex pants!

User avatar
Xantix
Posts: 24
Joined: Tue Oct 30, 2012 5:16 pm UTC

Re: My school fails at computer security...

Postby Xantix » Mon Dec 10, 2012 6:45 am UTC

I had some time to myself in the Multimedia Lab in High School. I was allowed to work unattended during lunch...

Anyway, had the idea to search for my student id in the files/folders accessible to me...turns out at least 2/3 of the whole schools student ID's and usernames were stored in plain text freely available if you knew which drives/folders to look in.

E-mailed the list to myself, but never did anything with them.

I realized later that with some footwork (get their street address, b-day) I could get each student's grades, and social security number, through the grades website.

Anyway, surprised me that it was so easy to get info like that at a 5A High School. I didn't have to hack the system at all, on the other hand IT would probably have caught any hacks.

User avatar
poochyena
Posts: 186
Joined: Fri May 20, 2011 2:02 pm UTC

Re: My school fails at computer security...

Postby poochyena » Mon Dec 10, 2012 11:35 pm UTC

So, at school we have a class were we get laptops and go online and take an online class, which is very very nice since we can now take classes that no teacher at the school is able to teach(ex. more language classes), anyways, we have to use dumb ol internet explorer, its a very old version too, i tried starting firefox up from my usb but it didn't work, but after months of being bored and exploring random files on the computer i discovered 2 things, 1. some files, when you try to open them say something like "blocked by administrator", but you can easily go around this by going to ms word(or notepad or anything really) and press "open" to browse files, where it asks for file name, just enter the file address to the file within the folder that is blocked, and you can open it, example: if you try to open a folder called "music" it will say its blocked, but if you type in something like "C:\Users\username\Music\Justin Bieber" then it will open that file, and you can then go up a level and be in the music file.
2. I also obviously tested to see if you can open task manager or anything like that, you can't, but i found the anti-virus/security program and was able to open it up, and it had its own task manager, you can see all the programs running and stuff, and i seen google chrome was running in the background, so i right clicked it and opened file location, opened the file and started chrome! so i copied the address and made a .bat file and put it on my usb so now i can just plug it in and use chrome!

tl;dr
school computer makes you use internet explorer, but i found chrome on the computer, and can now use it.

satinyou
Posts: 9
Joined: Sun Apr 25, 2010 9:07 am UTC

Re: My school fails at computer security...

Postby satinyou » Wed Dec 19, 2012 3:13 pm UTC

At my school exes are unable to be opened, C drive is unable to be accessed, cmd.exe opens but comes up with some message about being disabled and generally everything is blocked on the internet (inexplicably they over one holiday they installed powershell on all the computers and that works fine).

The one exception to the restrictions is java, so out came java file manager and I found that the C drive was accessible and writeable (at least in the C:\Documents and Settings\<username> part). Some one found that if you download and immediately run an exe it would work, so I guessed that they messed up the whitelisting of locations of exes to be run from to include the whole C drive.

Pulling this all together, I wrote a small launcher in java that can pull down games I have in a hidden folder on the shared document folder and launch them so we play halo and age of empires 2 quite a bit. The admins have yet to catch on to anything, apart from accidentally DOSing a school server a few years back...

User avatar
pkcommando
Posts: 526
Joined: Fri Feb 10, 2012 3:22 pm UTC
Location: Allston, MA

Re: My school fails at computer security...

Postby pkcommando » Fri Dec 21, 2012 8:17 pm UTC

I'm on the very low end of tech-savvy, but -

In high school (mid 90s) my first computer was an old 286. I had accidentally deleted the autoexec.bat file while trying to delete a game. So, I told a friend about it while we were in the school library. He was able to go right into DOS and delete the same file and fiddle with just about every configuration setting on the screen. We were only caught because we were the last 2 students seen near the computer before it ...... spontaneously stopped functioning. The principal was less than amused, but he didn't really punish us when my friend pointed out that it shouldn't have been so easy in the first place.

Not much of a security thing: In college, I was the Honors program and we had our own private lounge and computer "lab" (2 PCs, 1 Mac & a scanner for a while, and a printer). Our printing there didn't go against our semester limit. One day it stopped working. We were told that it would be a while and no one could fix it. Some of the other Honors students were Computer Science majors and had no answers. One day I sat down and noticed that the print drivers were missing from both PCs, so I went to the HP site and installed them. Then I set the printers again. it's so many levels of sad that I figured out what the Computer majors couldn't.

My college computers had no real block on anything. Any site you wanted to visit was accessible and anything you wanted to download and install seemed to be okay w/ IT. We'd get emails reminding people to use their better judgment and they'd subtly imply IT was watching us, but given the fact that no one ever came up against a firewall it was hard to take them seriously. They even had us sign agreements that said our network log-ins could be revoked, but again... One year they were getting pissed over students using the network for Counterstrike tournaments and did ... something to block it. One of the worst offenders of this, though, lived in the suite next to mine and was one of IT's student workers. He once boasted it wasn't that hard to get around in the first place, but being on the inside didn't hurt.
"The Universe is for raptors now!" say Raptors, as they take over all of Universe.

MisterCheif
Posts: 253
Joined: Tue Apr 14, 2009 1:24 am UTC

Re: My school fails at computer security...

Postby MisterCheif » Tue Jan 01, 2013 2:04 am UTC

I've already posted about my high school's security, where my friend was able to brute force the password to the student private folders that you can access from home. All the usernames where lastnameFirstinitial(optionalmiddleinitial), and could be seen by looking at the folder containing all the private student folders. In addition to that, during my senior year, our student ID cards had our ID number on it (6 digits, and incremented +1 from the person alphabetically before you) - the same number as our unchangeable student account password, also used for the ftp file access.

At college, getting connected to the network is relatively difficult, having to register your computer and MAC address for specific IPs for wired connections in your residence hall, as well as for wifi, and install security certificates. For phones, you need to install the certificates as well, which it seems do not allow you to not have your phone password locked (seeing as it is always in my pocket, or next to me when I'm sleeping, I'm not concerned about it being stolen). Thank god android has pattern unlock and the ability to set it so that you only have to reenter the pattern after 30 minutes of the screen off... I'm told all of the security is because there used to be a nuclear reactor on campus, though it was decommissioned several years ago.

Other than the hoops you have to jump through to get everything connected, it's pretty unrestricted. Basically, you can't torrent, you have a 15GB daily download limit and 70GB total weekly limit, and Skype and Youtube (though only non-HD youtube - or maybe it is, but they allowed enough more bandwidth for HD Youtube videos that the throttling isn't noticeable) are throttled.
I can haz people?
lulzfish wrote:Exactly. Playing God is a good, old-fashioned American tradition. And you wouldn't want to ruin tradition. Unless you hate America. And that would make you a Communist.

User avatar
GenericAnimeBoy
Posts: 372
Joined: Tue Feb 01, 2011 1:33 pm UTC
Location: Houston, TX

Re: My school fails at computer security...

Postby GenericAnimeBoy » Tue Jan 01, 2013 3:29 pm UTC

This one should actually read "My State fails at computer security". Due to narrow literal interpretation of a recently passed state law, passwords at my school have to be exactly 8 characters (they can't be longer), and contain at least one capital, one lowercase letter, one symbol, and one number. That restricts the entropy space quite nicely for the sake of brute force attacks, don't you think? :roll:
In light of the impermanence and absurdity of existence, I surmise that nothing is better for us than to rejoice and to do good in our lives, and that everyone should eat and drink and enjoy the good of his/her labor. Such enjoyment is a gift from God.

Meem1029
Posts: 379
Joined: Wed Jul 21, 2010 1:11 am UTC

Re: My school fails at computer security...

Postby Meem1029 » Mon Jan 07, 2013 7:52 pm UTC

Well let's see, the other day I was happily sitting there wasting time in irc. Go to bed and the next day I wake up and my computer won't connect to the internet. I tried the other port in my room and it worked just fine. I send a message to the IT people and they say that my port got blocked for having an "irc bot" that may have infected my computer. There were many fails here. First, they apparently assumed that nobody uses IRC anymore so it's clearly a bot (at least that's my best guess. Although it does lead to confusion about why in the couple years prior I never got hit for it), but then it's worse. I emailed the security department to ask about it and specifically asked if they could tell me what servers it was on so I could make sure that nothing bad was happening on them. They responded something along the lines of "no, because it's a moving target and if we tell you what servers it's connecting to that will help the virus makers". The most fail part in my opinion was that in the report for it they had my MAC address recorded and said to not use other ports because it might get them blocked too. If their interest was in blocking that specific computer from the internet, why didn't they do a MAC address ban?
cjmcjmcjmcjm wrote:If it can't be done in an 80x24 terminal, it's not worth doing

User avatar
philsov
Not a fan of Diane Kruger
Posts: 1350
Joined: Sat Sep 20, 2008 7:58 pm UTC
Location: Texas

Re: My school fails at computer security...

Postby philsov » Fri Feb 22, 2013 5:41 pm UTC

Work security here.

I can't send any .exe file via the company email, including software necessary for other security protocol.

But, if I compress it into a zip/rar file it'll sail on through.

I can't tell if this is a good thing or not :\
The time and seasons go on, but all the rhymes and reasons are wrong
I know I'll discover after its all said and done I should've been a nun.

User avatar
ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC
Contact:

Re: My school fails at computer security...

Postby ahammel » Fri Feb 22, 2013 5:43 pm UTC

Perhaps they think that people clueless enough to execute .exe files from untrusted sources will also be too cluless to decompress attachments?
He/Him/His/Alex
God damn these electric sex pants!

EvanED
Posts: 4330
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI
Contact:

Re: My school fails at computer security...

Postby EvanED » Sun Feb 24, 2013 6:58 pm UTC

My guess is that it's an attempt to make the boobs.jpg.exe style attachments a lot less natural.

nemui10pm
Posts: 9
Joined: Thu Feb 10, 2011 5:03 am UTC

Re: My school fails at computer security...

Postby nemui10pm » Fri Apr 12, 2013 6:06 am UTC

While it's perhaps not as bad as some of the other examples, my school's not very good at this, either. They replaced the computers during the summer holidays, and some of the settings seems to have been changed - notably, prediction was turned on.

This meant that anyone accessing Gmail could see the usernames of everyone before them, which was bad enough for the slightly paranoid (i.e. me), but I could see the password of someone who forgot to press "tab" after entering her username. (It looked like nickname+birth year, by the way.) Luckily I'm not affected since I always use incognito/private browsing, but it's a little troubling.
a genius, a philosopher, an abstract thinker

TychoMaudd
Posts: 28
Joined: Wed Apr 11, 2012 2:11 pm UTC

Re: My school fails at computer security...

Postby TychoMaudd » Thu May 30, 2013 2:48 pm UTC

When I was back in highschool, the school district tried to keep computers secure, but ran into a big problem with running the MacOS 9. Mac OS 9 had no inherent file permissions and everything essentially ran in kernel mode. The security system used tried to intercept commands from the System and Finder to limit what a user was able to do. However, a program that was allowed to run could access any file because the security system would only monitor the Finder. By setting a desired program as a helper program for specific file types in a webbrowser, the webbrowser would launch any application it was pointed to, even if you couldn't do so normally. Once you get your hands on a few useful applications, you could enable or disable the security on any computer.

To compound that flaw, the networking administrative program's password could be reset to the default found in the manual by deleting the preference file. While this allowed you to access it, other computers would ask for their own password. However, many of the faculty in the district had a bad habit of leaving file sharing on with no password, so you could get into their computer, reset the preferences and then remotely control their computers with the network administrative program. You could also prevent the computer you were currently using from being monitored with the same program.

These two flaws let me have tons of fun on the computers, until I got caught one day doing so. Then I was hired to fix the holes I found and prevent anyone else from exploiting any other holes in the security.

User avatar
ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC
Contact:

Re: My school fails at computer security...

Postby ahammel » Thu May 30, 2013 6:26 pm UTC

TychoMaudd wrote:Mac OS 9 had no inherent file permissions and everything essentially ran in kernel mode.
Seriously? That's awful. How did they even do that? Didn't OS9 inherit from BSD?

I remember using the file sharing to make an impromptu chat room back in grade 8. We sent messages by changing the names of folders in a shared directory.
He/Him/His/Alex
God damn these electric sex pants!

TychoMaudd
Posts: 28
Joined: Wed Apr 11, 2012 2:11 pm UTC

Re: My school fails at computer security...

Postby TychoMaudd » Fri May 31, 2013 6:48 pm UTC

ahammel wrote:
TychoMaudd wrote:Mac OS 9 had no inherent file permissions and everything essentially ran in kernel mode.
Seriously? That's awful. How did they even do that? Didn't OS9 inherit from BSD?


MacOS X is based on BSD, replacing the classic Mac OS. But everything up to and including MacOS9 was basically just built up from the original Macintosh's system software from 1984.

Nem
Posts: 335
Joined: Fri Aug 14, 2009 12:19 pm UTC

Re: My school fails at computer security...

Postby Nem » Wed Jul 03, 2013 3:50 pm UTC

hintss wrote:Hows your schools computer security?


You used to be able to get complete listings of everyone's stuff - teachers, students, everyone - just by firing up run typing in CMD and asking for them in the normal manner.

User avatar
poochyena
Posts: 186
Joined: Fri May 20, 2011 2:02 pm UTC

Re: My school fails at computer security...

Postby poochyena » Wed Sep 11, 2013 12:33 am UTC

So, i'm in a class with 4 other people and because our computer log in thing is buggy because of the new computer systems this year, we get to sign in into an admin account. literally nothing is blocked. you can change admin stuff and use cmd, task manager, youtube, facebook, ect.

So what evil thing have i done with all this power?
I got on the xkcd forums and read posts.

Its been like 4 weeks, so i doubt we are getting student log ins with everything locked anytime soon, so, what can i even do with admin privileges? Before, with everything locked, i would snoop through everything seeing what i can access... now, everything is open, so what is there to do? o.o


oh, and flash drives have been banned in the class this year because someone could put a virus on one.
lol

User avatar
Tomlidich the second
Posts: 1230
Joined: Thu Mar 22, 2012 5:38 pm UTC

Re: My school fails at computer security...

Postby Tomlidich the second » Thu Sep 12, 2013 6:41 pm UTC

poochyena wrote:oh, and flash drives have been banned in the class this year because someone could put a virus on one.

oh no!
someone could track in enough vrisues to make up a whopping .01 percent of what comes through the internet line every day!
they must be stopped!
Image


Return to “School”

Who is online

Users browsing this forum: No registered users and 4 guests