My school fails at computer security...


Levi
Posts: 1294
Joined: Tue Oct 14, 2008 1:12 am UTC

Re: My school fails at computer security...

Postby Levi » Sat Nov 27, 2010 2:00 am UTC

hintss wrote:that reminds me, my friend, Hans (jelloking357 on the fora) is planning to start the BHG army. the ad in his sig will be funny.

What's the BHG army? Better Homes and Gardens?

Dason
Posts: 1309
Joined: Wed Dec 02, 2009 7:06 am UTC
Location: ~/

Re: My school fails at computer security...

Postby Dason » Sat Nov 27, 2010 3:04 pm UTC

I can't say for sure but my best guess would be that BHG = 'Black Hat Guy'
double epsilon = -.0000001;

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sun Nov 28, 2010 6:55 am UTC

Dason wrote:I can't say for sure but my best guess would be that BHG = 'Black Hat Guy'

yup. also, he's looking to buy a BHG hat. anyone know what that type of hat is called? (he has plenty of black hats, just none like that. quoting him on skype, "I retrieved this hat from my hat database. *puts on hat*")

Babam
the Nearly Deleted
Posts: 1170
Joined: Tue Apr 01, 2008 2:05 am UTC
Location: A multiverse, wandering the couch

Re: My school fails at computer security...

Postby Babam » Thu Dec 02, 2010 10:50 am UTC

hintss wrote:
VDOgamez wrote:...

I really want to bring a bootable USB drive to school one day with Linux on it.

Done (with DSL, a mandriva remix, and backtrack). also a live CD, a netbook, and a VM (running on a school computer). That reminds me of when I accidentally formatted one of the school computers under linux, then had to go through the hours long process of reimaging it. (seriously, the image is 2 years old, why can't you put it on a CD or something!)

It gets boring...

You're a dick, stop using school computers.

There... I said it, I can leave this thread now.
Spoiler:
crucialityfactor wrote:I KNEW he could club bitches!

SecondTalon wrote:Reality - More fucked up than Photoshop.

s/notwittysig/wittysig

Meem1029
Posts: 379
Joined: Wed Jul 21, 2010 1:11 am UTC

Re: My school fails at computer security...

Postby Meem1029 » Thu Dec 02, 2010 7:59 pm UTC

With all that he says he is doing, I don't think it will be too long before the school helps him to fulfill your wish.
cjmcjmcjmcjm wrote:If it can't be done in an 80x24 terminal, it's not worth doing

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Fri Dec 03, 2010 3:52 am UTC

Meem1029 wrote:With all that he says he is doing, I don't think it will be too long before the school helps him to fulfill your wish.

a bit too late. twice. also, apparently, they don't work with the high school IT.

also, rant to high school IT: let me change the keyboard layout under my account to dvorak!

Heady
Posts: 33
Joined: Mon Mar 29, 2010 7:21 pm UTC

Re: My school fails at computer security...

Postby Heady » Fri Dec 03, 2010 4:00 am UTC

At least your school gives you accounts. At my high school, it's expected that you have a flash drive or an online file service (Docs/Dropbox), and thusly in all public computers, there is only a generic student account. Everything on the local drives gets flushed every night, and the only place with accounts is the World Language lab, where all the computers are continually monitored by Remote Desktop on the teacher computer.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Fri Dec 03, 2010 4:04 am UTC

Heady wrote:At least your school gives you accounts. At my high school, it's expected that you have a flash drive or an online file service (Docs/Dropbox), and thusly in all public computers, there is only a generic student account. Everything on the local drives gets flushed every night, and the only place with accounts is the World Language lab, where all the computers are continually monitored by Remote Desktop on the teacher computer.

hey, at least you can actually use dropbox from school.

Sokh
Posts: 274
Joined: Thu Jun 10, 2010 1:03 pm UTC

Re: My school fails at computer security...

Postby Sokh » Fri Dec 03, 2010 2:02 pm UTC

Babam wrote:You're a dick, stop using school computers.

There... I said it, I can leave this thread now.


*salute* *nod* *exit quietly*

SWGlassPit
Posts: 312
Joined: Mon Feb 18, 2008 9:34 pm UTC
Location: Houston, TX

Re: My school fails at computer security...

Postby SWGlassPit » Tue Dec 07, 2010 4:41 pm UTC

Babam wrote:You're a dick, stop using school computers.

There... I said it, I can leave this thread now.


The number of times this has been said in this thread is quite large. He doesn't get it, and he likely won't.
Up in space is a laboratory the size of a football field zipping along at 7 km/s. It's my job to keep it safe.
Erdös number: 5

NecklaceOfShadow
Posts: 775
Joined: Sun May 03, 2009 7:40 pm UTC
Location: In the alchemical aether

Re: My school fails at computer security...

Postby NecklaceOfShadow » Wed Dec 08, 2010 1:43 am UTC

We try anyways, hoping it'll get to him eventually.

It's not as if he can ever say "But I didn't know it was wrong/a douche thing to do/a horrible idea in the first place!" now.
Significantly less weird than I used to be. Still pretty weird.

οὗτός ἐστιν Ἀγαμέμνων, ἐμὸς
πόσις, νεκρὸς δὲ τῆσδε δεξιᾶς χερός
ἔργον δικαίας τέκτονος. τάδ’ ὧδ’ ἔχει.

konaya
Posts: 118
Joined: Sat Oct 02, 2010 8:45 am UTC

Re: My school fails at computer security...

Postby konaya » Mon Dec 13, 2010 11:19 am UTC

At my school (well, university), security is good where it should be good and absent where it should be absent. The wireless is connected to eduroam, and as such is both secure and awesome. The wired network is authenticated with a captive portal running SSL (of course). Save for some ports like port 25 being blocked by the upstream provider, the traffic to and from your own computer is not filtered by any means, and that includes incoming connections. Yes, that means that we don't use NAT; why would we? It's just in the way if you for example need to SCP something from your home computer to your netbook at school, with your home computer as the client.

You are yourself responsible for the actions logged on your account. If someone steals your credentials, you're responsible for letting them be stolen. If someone uses your computer while you're on a coffee break, you're at fault for not locking your session. If your netbook starts spamming the network due to some virus, you're responsible for not being immune to viruses. Needless to say, as much as a third of the students run Linux, and I suspect that's just the way the administration wants it.

The stationary computers on campus run mainly Windows, with some roomfuls of Ubuntu computers, some Mac rooms (technically different campus but same school), and I believe there are some old Solaris boxes lurking somewhere. All computers (don't know about the Macs, but why not?) try to boot from USB before booting normally, and booting your own system from USB for added flexibility and security is encouraged (although I think accessing the internal hard drive is disabled in BIOS when booting from USB, which is only fair).

The only two rules for Internet access are somewhat vague: Don't run P2P services that would strain the network, and don't run servers that would strain the network. There's no anti-piracy clause, and it seems that they couldn't care less if you have apache2 running for some project you're working on. They do have an automatic flagging system which sends out warnings to people with abnormally high bandwidth usage who also have visited a known torrent site. The warnings seem to do absolutely nothing, but I often mail our IT department and explain the situation with this: "I didn't use bittorrent on the school network. I downloaded a torrent file from Pirate Bay to my school computer, uploaded it to my home computer, waited a bit, and then transferred the download to my school computer with NFS. I was bored and I wanted to watch House", and they respond "ah, that's alright then, warning lifted, talk to you soon" and that's that.

I think the philosophy used here is: People won't break the rules if you don't make stupid ones or give them reason to. We are given near-total freedom in all matters that count, and as a direct result no one has a reason to poke around. If someone would decide to go black hat just for the fuck of it, it would be hard to actually do something; booting from USB on a school computer to mess with the computer would be fruitless because you can't access the internal hard drive, and the routers won't even forward ICMP packets without you being authenticated first, either through the captive portal if wired or through the RADIUS server if wireless. And even if you would somehow find something you could use... Then what? Elevation of privileges? Elevation to where?

I'm not saying it's perfect, but it's far superior to the iron curtain strategy most other schools seem to have. There are a few things, a few possible flaws in some select special-case systems on campus, that I'd like to explore when I have the time, just for the sake of curiosity. It's probably nothing; if it turns out to be all I hope for it to be, I'll be able to do some fun stuff that has absolutely no bearing on security whatsoever.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Tue Dec 14, 2010 3:34 am UTC

I wish my school was like that

anyway, a quote from Alex, someone on the robotics team:

"Henry, you're the most evolved person I'd call a nood"
-Alex, after I kicked a soccer ball into the back of his head, started rolling wheels across the room, and then made slide whistle noises using the pneumatic pistons

sidek
Posts: 17
Joined: Thu Sep 16, 2010 3:44 am UTC

Re: My school fails at computer security...

Postby sidek » Thu Dec 16, 2010 3:02 pm UTC

hintss : be a black hat if you want to choose that (generally) terrible career path. But don't be a petty script kiddie on your school network. At least do something like blackhat SEO that makes you more than petty.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sun Dec 19, 2010 7:40 am UTC

sidek wrote:hintss : be a black hat if you want to choose that (generally) terrible career path. But don't be a petty script kiddie on your school network. At least do something like blackhat SEO that makes you more than petty.

actually, I had an idea that used javascript the other day. more details if I can get it to work.

Manatee
Posts: 1
Joined: Sun Dec 19, 2010 9:23 pm UTC

Re: My school fails at computer security...

Postby Manatee » Sun Dec 19, 2010 10:06 pm UTC

My school is generally pretty good, but there is one amusing hole. It's possible to telnet into the school mail server and send mail from anyone to anyone. However, it's only possible from the school's comp sci server (for which you need to take computer science to have an account on). But pretty much all I have to do is ssh to the comp sci server and then telnet the mail server and voila, I'm in.

Another amusing thing (though not security-related) is a rogue shell script that one of the comp sci teachers wrote. It's a pretty simple script that syncs files from the documents folder of your account on a laptop (our comp sci department has like 20 laptops, and we have a remote account on each one) to your account on the server, and vice versa. However, it is now impossible to delete any files from your documents folder on either a laptop or the server because it immediately gets the file from the other machine. Humorously, it is also impossible to delete the script because it's in the documents folder :lol:

dumbzebra
Posts: 275
Joined: Thu Dec 10, 2009 4:59 pm UTC
Location: Somewhere on the moon.

Re: My school fails at computer security...

Postby dumbzebra » Mon Dec 20, 2010 1:56 pm UTC

Why do you guys want to mess around on your school networks? Security and rules are there for a reason, because it sucks if something suddenly doesn't work anymore. If there is a notable lack in security, you should tell the person in charge. I thought being the cool, rebellious hacker hasn't been cool since the late 80s...?
As the great philosopher Socrates once said: "No."

sidek
Posts: 17
Joined: Thu Sep 16, 2010 3:44 am UTC

Re: My school fails at computer security...

Postby sidek » Mon Dec 20, 2010 2:36 pm UTC

It's always fun to screw around - echo 'virus installing...' on April Fools (I have yet to do so... I might, soon. It depends on whether whoever would deal with it can take a joke.). I do, however, generally agree with the poster above me.

One thing I don't agree on is the telling the person in charge - I've done that before, and, at least where I am, the guys always either get mad at me for being aware of the obvious, or they do nothing. My policy, thus, is to remain silent and do nothing with the information I have.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Tue Dec 21, 2010 1:20 am UTC

sidek wrote:It's always fun to screw around - echo 'virus installing...' on April Fools (I have yet to do so... I might, soon. It depends on whether whoever would deal with it can take a joke.). I do, however, generally agree with the poster above me.

One thing I don't agree on is the telling the person in charge - I've done that before, and, at least where I am, the guys always either get mad at me for being aware of the obvious, or they do nothing. My policy, thus, is to remain silent and do nothing with the information I have.

don't, you'll get suspended (I almost did)

they pretended to take my advice seriously, thanked me, then did nothing...

gear-guy
Posts: 22
Joined: Thu May 06, 2010 6:05 pm UTC
Location: Edinburgh-ish, Scotland

Re: My school fails at computer security...

Postby gear-guy » Sun Jan 02, 2011 7:40 pm UTC

Reading some of hintss' posts from after the last time I posted, it's become obvious that the excuse he is using is "because I can".

Even if you can, don't.
Only do something that could be called "hacking" (even if it's not) if you have a legitimate reason. Attacking a network as a whole for no other reason than you can is not cool. However, if the rector/headteacher is a complete and utter arse about something everyone cares about, feel free to bring down as big a chunk of the network as you can without detection, emphasis on that last bit.

But yes, as I've said before, Hintss, you're not hard, you're a twat, get a life.

Westz
Posts: 3
Joined: Wed Dec 22, 2010 5:54 pm UTC

Re: My school fails at computer security...

Postby Westz » Fri Jan 14, 2011 8:08 pm UTC

my school's library computers won't even install drivers automatically when you insert USB drives. so i got really sly about it... i popped the case (the side panels on those things aren't screwed on because the techs use the server to write the OS image to the harddrive about once a triad) so i popped the cmos battery to reset the bios password, set to boot from my fedora live CD, then went to the harddrive and renamed cmd.exe to sethc.exe, and sethc.exe to sethc.old. sethc is the executable for stickykeys, which doesn't check for authenticity and runs before logon. so if you press shift five times at the logon screen, you get a root cmd.exe which you can add remove and change account privileges with. i logon as system, change my user's privileges to full, and voila, i can install my flash drive drivers. seems like a lot of work, no? it took less than five minutes. booting from the live cd took most of the time... network security was a beast, blocked everything and used a hugeass password. nothing vidalia didn't get around though. what really pissed me off though was that they blocked all email besides their shitty google hosted student email. A: it wouldn't let us change the password. B: it opened in a popup box, so they got rid of the popup blockers, (not smart enough to just add an exception) C: if you refreshed the email page it crashed the browser, D: it only had a gig of storage space on it, E: they sent daily announcements to it, so it filled up quickly, and you had to clean it out regularly if you wanted to actually use it, plus it automatically deleted the messages from non whitelisted addresses when you got a new one if the inbox was full, (and of course the announcement address was whitelisted) so if you had a full inbox and emailed yourself something say, at 7 pm and wanted to access it at school the next day, it'd be gone because the daily announcement would overwrite it.
we got fancy and uberspammed the announcement email till it got full and couldn't be used anymore, and we got someone on 4chan with a botnet to loic the shit outta the email server.
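
A defender-side check for the end state described in the post above, as an added example that is not part of the original thread: it flags a logon-screen accessibility program that is byte-identical to `cmd.exe`, a missing `cmd.exe`, and a leftover renamed original such as `sethc.old`. The binary list beyond `sethc.exe`, the `baseline` hash map and the fake file contents in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Programs Windows will start from the logon screen, before anyone signs in.
# sethc.exe is the one named in the post; the others are assumed to be in scope.
LOGON_SCREEN_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                         "magnify.exe", "narrator.exe")
# A shell that must never be reachable under one of those names.
SHELL_BINARIES = ("cmd.exe",)


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_logon_binaries(system32, baseline=None):
    """Return (file name, reason) findings for a System32 directory.

    baseline (optional, supplied by the caller) maps lower-case file names
    to the SHA-256 recorded from the deployment image.
    """
    baseline = baseline or {}
    findings = []
    # Lower-case index: the directory may be a mounted image on a non-Windows host.
    present = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}

    # The post *renames* cmd.exe, so it may be gone from disk; the baseline
    # hash still lets us recognise it under its new name.
    shell_hashes = {}
    for shell in SHELL_BINARIES:
        if shell in present:
            shell_hashes[sha256_of(present[shell])] = shell
        else:
            findings.append((shell, "missing"))
        if shell in baseline:
            shell_hashes[baseline[shell]] = shell

    for name in LOGON_SCREEN_BINARIES:
        path = present.get(name)
        if path is None:
            findings.append((name, "missing"))
        else:
            file_hash = sha256_of(path)
            if file_hash in shell_hashes:
                findings.append((name, "identical to " + shell_hashes[file_hash]))
            elif name in baseline and baseline[name] != file_hash:
                findings.append((name, "differs from baseline"))
        # Heuristic: a same-stem file with another extension (sethc.old in the
        # post) suggests the original was moved aside.
        stem = name.rsplit(".", 1)[0]
        for other in sorted(present):
            if other.startswith(stem + ".") and other != name:
                findings.append((other, "renamed copy of " + name))
    return findings


def demo(tampered=True):
    """Audit a constructed directory; fake contents stand in for real binaries."""
    originals = {name: ("constructed-" + name).encode()
                 for name in LOGON_SCREEN_BINARIES + SHELL_BINARIES}
    baseline = {name: hashlib.sha256(data).hexdigest()
                for name, data in originals.items()}
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp)
        for name, data in originals.items():
            (system32 / name).write_bytes(data)
        if tampered:
            # Reproduce the end state the post describes.
            (system32 / "sethc.exe").rename(system32 / "sethc.old")
            (system32 / "cmd.exe").rename(system32 / "sethc.exe")
        return audit_logon_binaries(system32, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the change in the post was made offline from a live CD, the same audit can be pointed at a mounted disk image rather than a running system.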

nehpest
Posts: 518
Joined: Fri Jun 12, 2009 9:25 pm UTC

Re: My school fails at computer security...

Postby nehpest » Fri Jan 14, 2011 11:07 pm UTC

Westz wrote:D: it only had a gig of storage on it, E: they sent daily announcements to it, so it filled up quickly, and you had to clean it out regularly if you wanted to actually use it, plus it automatically deleted the messages from non whitelisted addresses when you got a new one if the inbox was full,(and of course the announcement address was whitelisted)...

:shock: Just how big are these announcements? Unless you're using the email account to store media or object code, I can't understand how a daily announcement regularly fills up a gig worth of storage.

As for the rest, you had me up til the DDoSing. The odds of your tactic having the desired outcome (better email policies at the school) are virtually zero; the odds of your school using the vandalism as an excuse for a crackdown are significantly higher. That and, y'know, most places regard DDoSing a government computer system as a crime. Just sayin'.

Edit: quote fail.
Kewangji wrote:Someone told me I need to stop being so arrogant. Like I'd care about their plebeian opinions.

blag

possum888
Posts: 5
Joined: Sun Jan 16, 2011 8:35 am UTC

My school

Postby possum888 » Sun Jan 16, 2011 8:58 am UTC

I've just registered to say something about my school...

The server runs Windows Server 2003, which turns out it can have its admin password reset easily. Each computer in the school has this software called 'ABTutor Control' on it, and from what I've seen on the teachers' computers, they can do ANYTHING. Send us messages, see what we have open, they can even blank out the screen if need be.

The most annoying feature is whenever you try to run a .bat or .exe, the screen turns red with a white hand, and the speakers blare out the word HALT over and over. All keyboard/mouse functionality is locked when this screen shows up. I managed to find the file on the server, which is actually just a looping SWF. (screenshot: http://img593.imageshack.us/img593/1922/fdfj.png )

Each student gets their own ID number and a random 5-digit password. My Computer only displays a H:\ drive associated with the student ID. Everything is on lockdown: no flash drives, no .exes, web filtering, keyloggers etc.

However most ports aren't blocked. I managed to Telnet into the JetDirect print server and made all the printers in the school display random comments on the LCD screens. After that the tech guy gave me a choice: help him maintain the network and find security vulnerabilities -or- suspended for a week. I took the first option.

Ever since, I got an admin account, which also allowed me to log onto the teacher intranet and view reports/grades for every student, and I've been lurking on the network since. And the school's server was a 10-year homebuilt one, and the tech guy wanted a new one, but the school's BOT wouldn't give him the funding. While installing a new HD, I *might* have unclipped the heatsink off the processor. Now we run a brand new HP server :)

Meem1029
Posts: 379
Joined: Wed Jul 21, 2010 1:11 am UTC

Re: My school fails at computer security...

Postby Meem1029 » Sun Jan 16, 2011 10:25 pm UTC

And you posted all that on the internet for anyone to see why? Anyway, I would recommend to you to stop messing with things like that as that is possibly breaking laws and almost certainly breaking your school's computer use policy. On the other hand, clever thought about the heatsink (but you still shouldn't have done it).
cjmcjmcjmcjm wrote:If it can't be done in an 80x24 terminal, it's not worth doing

cjmcjmcjmcjm
Posts: 1158
Joined: Tue Jan 05, 2010 5:15 am UTC
Location: Anywhere the internet is strong

Re: My school fails at computer security...

Postby cjmcjmcjmcjm » Mon Jan 17, 2011 3:48 pm UTC

The school where I'm studying abroad fails at computers in general. First, they have the stupid "unsecured Wi-Fi with a login page" in internet instead of using a secure connection with enterprise login because "the manor is far enough away from other places that an unsecured network isn't a problem". Secondly, they have craptastic network management strategies. This is most evidenced when large downloads keep coming out corrupted. I've had Ubuntu repos that simply won't download correctly, iTunes downloads that download 100k or so before giving me error -50, and a Mac OS update that downloads and then tells me that it has an incorrect checksum. It doesn't help that they effectively block Steam, although I do not know whether that is intentional. I've heard that this unusual behavior is to prevent one application from taking up too many resources. If that is really important, why not try to implement something to block Skype video calls?
frezik wrote:Anti-photons move at the speed of dark

DemonDeluxe wrote:Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sat Jan 29, 2011 7:27 am UTC

it took 40 minutes and 2 admins for them to realise that an ssh connection was in fact a connection to a remote machine, not, in fact a command prompt window. So, as far as I know, the school has 3 admins, with only one listed on the contact page. strange...

Ouch.jars
Posts: 101
Joined: Sat Jan 31, 2009 11:47 am UTC
Location: Adelaide, Australia

Re: My school fails at computer security...

Postby Ouch.jars » Thu Feb 03, 2011 11:59 am UTC

My school blocks facebook.com, but not www.facebook.com.
ouchjars: putting the "pie" in "sapience" since '08

cjmcjmcjmcjm
Posts: 1158
Joined: Tue Jan 05, 2010 5:15 am UTC
Location: Anywhere the internet is strong

Re: My school fails at computer security...

Postby cjmcjmcjmcjm » Fri Feb 04, 2011 11:55 am UTC

The school I'm at seems to throttle some downloads, corrupt others, and sometimes work really well with no predictable pattern of how things will turn out. It does prioritize Skype, though, but that's not of too much use to me
frezik wrote:Anti-photons move at the speed of dark

DemonDeluxe wrote:Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.

GenericAnimeBoy
Posts: 372
Joined: Tue Feb 01, 2011 1:33 pm UTC
Location: Houston, TX

Re: My school

Postby GenericAnimeBoy » Fri Feb 11, 2011 5:22 am UTC

possum888 wrote:And the school's server was a 10-year homebuilt one, and the tech guy wanted a new one, but the school's BOT wouldn't give him the funding. While installing a new HD, I *might* have unclipped the heatsink off the processor. Now we run a brand new HP server :)
This is simultaneously the most irresponsible and most badass thing I have ever heard of someone doing with a school computer. :lol:

My school (a large university) has unsecured wifi, and a bunch of people walking around with laptops in Ad-Hoc mode but with the same SSID as the school network. I think I need to get a VPN. :?
In light of the impermanence and absurdity of existence, I surmise that nothing is better for us than to rejoice and to do good in our lives, and that everyone should eat and drink and enjoy the good of his/her labor. Such enjoyment is a gift from God.

lolol
Posts: 32
Joined: Wed Dec 08, 2010 3:23 am UTC

Re: My school fails at computer security...

Postby lolol » Sat Feb 12, 2011 12:30 am UTC

Recently found out that you can bypass my high school's internet filters by using https. so https://www.facebook.com works and the same with youtube. Except youtube videos won't play :/
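
The two gaps reported in this thread (a block on `facebook.com` that misses `www.facebook.com`, and a filter that stops applying under `https`) come down to how the filter matches the requested host. An added example, not from any poster or filtering product: a constructed model of the weak rule beside one that matches on domain-label boundaries regardless of scheme, assuming the filter can see the requested hostname. The blocked-domain set and sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration; not any school's real configuration.
BLOCKED_DOMAINS = {"facebook.com", "youtube.com"}

# Constructed test URLs covering the variants mentioned in the thread,
# plus look-alike hosts that must NOT be caught by the facebook.com rule.
SAMPLE_URLS = [
    "http://facebook.com/",
    "http://www.facebook.com/",
    "https://facebook.com/",
    "https://www.facebook.com/",
    "http://FACEBOOK.com./",
    "http://notfacebook.com/",
    "http://facebook.com.example.org/",
]


def weak_filter_blocks(url):
    """Model of the reported behaviour: exact host string, plain HTTP only."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname in BLOCKED_DOMAINS


def normalised_host(url):
    """Lower-case the host and drop the trailing root dot and any port."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def hardened_filter_blocks(url):
    """Block a host if it, or any parent domain, is on the list.

    Comparing whole labels keeps notfacebook.com and
    facebook.com.example.org out of the facebook.com rule.
    """
    labels = normalised_host(url).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def coverage_gaps(urls):
    """URLs the policy intends to block that the weak rule lets through."""
    return [u for u in urls
            if hardened_filter_blocks(u) and not weak_filter_blocks(u)]


if __name__ == "__main__":
    for url in coverage_gaps(SAMPLE_URLS):
        print("not covered by weak rule:", url)
```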

mandachan
Posts: 48
Joined: Wed Aug 12, 2009 8:56 pm UTC

Re: My school fails at computer security...

Postby mandachan » Sat Feb 12, 2011 1:13 am UTC

Yeah, we use the https trick for Facebook in journalism all the time (that's how we get a lot of our work done).

Though apparently the censorship software also blocks The Onion, says it's "R-rated."
I swear by my pretty floral bonnet, I will end you.

lolol
Posts: 32
Joined: Wed Dec 08, 2010 3:23 am UTC

Re: My school fails at computer security...

Postby lolol » Sat Feb 12, 2011 2:56 am UTC

mandachan wrote:Yeah, we use the https trick for Facebook in journalism all the time (that's how we get a lot of our work done).

Though apparently the censorship software also blocks The Onion, says it's "R-rated."


Right. It blocks most forums too, but not these. Do you get a black screen with orange letters "Access has been denied"? Mote/Moric filtering company or something

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Mon Feb 28, 2011 12:04 am UTC

So... College.

Where do I begin?

Well, we have dodgy permissions set for a lot of user folders, mine hasn't been touched but a lot of user folders can be read by anyone (though not written to). We told them about this back in October and yeah, it's still there.

In other news, NetSupport Tutor, no security key (not that it's hard to crack, I found a Pascal program that can decrypt NetSupport Tutor security keys), and an empty firewall rule. Basically, while I have tried running Portable tutor before (the techies told us to run wild and let them know of any exploits we found) it wouldn't work outright because Windows Firewall blocked it. Unfortunately for them, there's a duplicate firewall rule for the NS Client, one is the right one and one has an invalid path, guess what though? We can write to Program Files on a lot of PCs, so it's a simple matter of creating that folder, copying tutor across and renaming it to the client exe, instant access to everyone's PC.

Just gotta find the right copy of Tutor, mine is too new, they're still running 9.6 here. And yeah, I'm gonna let them know once I confirm the problem.

Final bit of news, the Exchange Server Public Folders has a folder containing the emails of every student's parent(s), that's, well, rather dodgy if I do say so.

possum888 wrote:However most ports aren't blocked. I managed to Telnet into the JetDirect print server and made all the printers in the school display random comments on the LCD screens. After that the tech guy gave me a choice: help him maintain the network and find security vulnerabilities -or- suspended for a week. I took the first option.


Ah yes, we found this one recently, quite a bit of damage could be done considering the printers are all listed in Network Discovery. The techies already know about it after one of our little crew of Computing guys who know this stuff told people he did it and someone asked the techies about it. They were a tad annoyed, as they'd have to go around and change them all back (they need the new HP Web Admin UI, lets you manage a whole network of JetDirects!).

Fun times, good for bypassing the credit printing system since we can print over telnet. =P

Critically|Ashamed
Posts: 12
Joined: Tue Apr 06, 2010 12:05 pm UTC

Re: My school fails at computer security...

Postby Critically|Ashamed » Tue Mar 01, 2011 11:30 am UTC

Since we're all boasting about being silly in skewl ITT,

I remember in grade, before that whole "being well behaved" nonsense was important to me I was pretty into trolling around with the computer system. We had a few remote admin programs on our system, atm we have ABTutor but a while ago we also had a little gem called RealVNC. Our school being a particularly lazy public school had only gotten the free trial edition so it wasn't exactly top of the line stuff. There was an easily available download of the client so once you knew the password you were free to do whatever you want. That next bit took a bit, the password is stored in some spot in the registry so it took a bit of digging.

Turns out it was rainbow (:

From then on I spent all my business classes being an obnoxious douchebag. We pretty much had access to every single computer throughout the school, few times we stumbled across the IP of the Principal's and the head tech (say what you want about the outdated software, but that guy was a hardcase and a half) and I remember how awe-inspiring it was. In the end one of the guys I hung out with gave out the client and password during lunch while I was out playing basketball. They all proceeded to punk some poor newbie kid and he had a fit and told the techies. Everyone being the Bravehearts they are pretty much said "lol Critically was responsible for all that" and it got traced straight to me. The hardcase knew me from reprimanding me for programming during accounting so he was alrightish about it. Pretty much just made me tell him how I'd gotten it and said not to do anything so stupid again.

ozkidzez91
Posts: 8
Joined: Wed Aug 25, 2010 1:34 am UTC

Re: My school fails at computer security...

Postby ozkidzez91 » Wed Mar 02, 2011 3:38 pm UTC

I was in high school a couple of years ago.

I took a non-OP (basically doesn't count towards your OP "Overall Position" score, which is given after high school graduation and is used for entrance to university degrees) IT class (easy stuff like movie maker, game maker, dreamweaver etc). I'm way, way above the level of work done in class, so I'd basically do my work in the first half of the first of around three 1 hour lessons used for doing that assignment, then do nothing. (Got straight A's btw, no such thing as A+ at that school)

My friend, who knew a thing or two about linux and networking, set up a server at home. Essentially we'd ssh it using port 443 from the school computer using putty tray (of course so you can hide it in the systray) and make a tunnel on port 8080, boot portable firefox from a usb drive and then do whatever on the net from then on. I always did my work first and then went on forums, wikipedia, flash games, whatever. The teacher didn't care; she caught me a few times, but after I showed her I'd finished my work already she'd basically just congratulate me on the good work on the assignment, and tell me not to let anyone else know how to do it.

Obviously when I saw people watching me I'd bring up youtube or something just to annoy them, then refuse to tell them how I did it. I did see a few people with firefox open on other computers trying youtube.com and wondering why it didn't work.

Other than that I never cared about security, no reason to do anything to the school computers. Maybe I was more mature than I thought back then. Also I respected our Admin for the school network. Seriously, the guy would play COD4 online in his office! What a mad dawg.

Also, at my uni, the same friend got into the jesus freaks' club server. He promptly noticed that someone else had done the same, and closed the entrance they'd set up for themselves, and then attacked that person's server. He never did anything there though, not that kind of guy, just interested in everyone's security. He's a pretty strong antireligion person like me though, so I'm surprised that he didn't deface their website. Again, maturity prevails. (and fear of prosecution, even if he was protected by TOR and very good cleanup practices)
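From the network admin's side, the SSH-on-port-443 setup described in the post above is visible in the first bytes the client sends: an SSH client opens with a plain-text `SSH-` identification string, while real HTTPS opens with a TLS ClientHello record. The sketch below is an added example, not part of the original post; the flow records, addresses and function names are constructed for illustration.

```python
# Added example: constructed flow records, not data from the thread.
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # TLS handshake message type

def classify_first_bytes(payload: bytes) -> str:
    """Name the protocol spoken in the first client-to-server payload."""
    if payload.startswith(b"SSH-"):
        # RFC 4253: the client opens with "SSH-protoversion-softwareversion".
        return "ssh"
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[5] == CLIENT_HELLO):
        # TLS record header (type, version, length) followed by ClientHello.
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "http"
    return "unknown"

def non_tls_on_443(flows):
    """Return (src, dst, protocol) for port-443 flows that are not TLS."""
    findings = []
    for flow in flows:
        if flow["dport"] != 443:
            continue
        proto = classify_first_bytes(flow["first_payload"])
        if proto != "tls":
            findings.append((flow["src"], flow["dst"], proto))
    return findings

# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443,
     "first_payload": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 46},
    {"src": "192.0.2.23", "dst": "203.0.113.5", "dport": 443,
     "first_payload": b"SSH-2.0-ExampleClient_1.0\r\n"},
    {"src": "192.0.2.23", "dst": "198.51.100.9", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]

if __name__ == "__main__":
    for src, dst, proto in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 speaks {proto}, not TLS")
```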

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Tue Mar 08, 2011 8:03 am UTC

the admin, 3 other students and I once had a lan game of armagetron.

it's a lot more fun to mess with cycle rubber settings when you're about to hit a wall...

pianoelias
Posts: 5
Joined: Sat Mar 12, 2011 3:09 pm UTC

Re: My school fails at computer security...

Postby pianoelias » Sat Mar 12, 2011 3:41 pm UTC

My school's gotten better, but it used to be absolutely terrible. When I was in the 8th grade, me and a couple of friends accidentally got full access. We had accidentally entered a correct username and password. The username was just the letter "b." The password field had to be blank. Pretty pathetic, but we had access to all student accounts, and could even delete them (as we discovered by accident when my account was deleted).

That's not all, either. The same year, the school set up a block of all games and networking etc. It took the students a while to figure it out because the teachers actually lied to us and told us it was a "server problem" that would be fixed soon. Eventually we found/set up proxies, and when those got blocked we found out the password (I'm still not sure exactly how that happened, but I know of at least one teacher that would tell anyone who asked). Eventually they changed the password, which we found out again, and again, and again. At some point it seemed like everyone in the school knew it, but none of the teachers knew that we knew it. Pretty weak security. Anyway, now they've changed it so that there is no login to get past the block on student accounts, but teachers have full access.

Finally, the old remote access system the school used was pretty stupid. It was annoying to use, yes, but more importantly anyone that used it had access to all student documents (though very few students ever realized this).

satinyou
Posts: 9
Joined: Sun Apr 25, 2010 9:07 am UTC

Re: My school fails at computer security...

Postby satinyou » Fri Mar 25, 2011 9:50 pm UTC

Just out of interest, what method do your schools use to filter the internet or is it unfiltered? My school uses a RM product called Janet that works through a proxy. They have had a lot of trouble blocking all the domains and subdomains of youtube and facebook, youtube.cf is nice and obscure by the way and went unnoticed for months. The proxy isn't even a standard http or socks one either. I have run some packet capturing from my laptop and it seems to use kerberos and NTLM authentication in 2 separate requests, with a response asking for auth every time before it actually does what it is meant to do. Browsers work with this auth scheme but I haven't found anything else that will work.

Technical Ben
Posts: 2986
Joined: Tue May 27, 2008 10:42 pm UTC

Re: My school fails at computer security...

Postby Technical Ben » Mon Mar 28, 2011 10:57 pm UTC

As the thread's still going anyway...
hintss wrote:
Done (with DSL, a mandriva remix, and backtrack). also a live CD, a netbook, and a VM (running on a school computer). That reminds me of when I accidentally formatted one of the school computers under linux, then had to go through the hours long process of reimaging it. (seriously, the image is 2 years old, why can't you put it on a CD or something!)

It gets boring...


I "accidentally" formatted a college pc. I booted it into dos by pressing F8 or something. I then typed the format command. Just before pressing the button I thought "No, this cannot possibly work. They could not have left the PC open this much?"
I regret pressing enter now, but learned that no work or school security is worth anything. That and the way to bypass the password systems was to press "cancel" when it asked for a password. :roll:
It's all physics and stamp collecting.
It's not a particle or a wave. It's just an exchange.

gear-guy
Posts: 22
Joined: Thu May 06, 2010 6:05 pm UTC
Location: Edinburgh-ish, Scotland

Re: My school fails at brainbox security...

Postby gear-guy » Wed Mar 30, 2011 7:49 pm UTC

Once again, i return after being asleep for long long time, with news of BIOS settings. Me and this other guy set out to break into the bios on one of the computers in computing studies, we managed in less than a minute with both of us thinking up possibilities, me typing them in and him saying them as he thought of them, it turns out it's workstation. The amusing thing is my teacher witnessed this and let us do it. Afterwards he told us not to do it in front of other (stupid) people in case they tried and fucked about with the wrong settings, and that he had reported us to the techies without mentioning any names. The techies must really love me, what with me finding their serial numbers and passwords folder on the server, sending a mass email of a picture of a cat that crashed the mailserver and blowing up an electric socket...

nothing has ever happened about any of it, i've spoken to one of them once, but that was about printers, so doesn't count.

