9

This is more or less a continuation of my previous question: As a student, how do I safely and responsibly disclose a serious security issue in a school environment?

More than four months after I sent my anonymous letter outlining this security issue, I checked carefully whether the vulnerability I reported still existed, and it still does in its entirety. A few unrelated IT changes were made, but these have been mainly directed toward staff (such as introducing BitLocker).

Between the time that I reported it and now, I heard from a close friend (who came from a different school in the same district as me) who had found a different security issue and who had tried to report it to his computer science teacher, who in turn reported it to the IT department. Rather than respecting the student's anonymity, however, the IT head threatened the teacher with his job (it's not known how he would carry out this threat) if he did not divulge the identity of the student who found the security exploit, and also threatened the student with disciplinary action or arrest. Regardless of the accuracy of the story, I felt that I did the right thing reporting this via an anonymously and independently written letter.

However, the problem has not been fixed at all. The letter was sent to two different departments in order to ensure that the problem was heard loud and clear and that a plan would be made to resolve it. But none of this happened. In fact, it was as if one person read the letter and convinced the other to throw it away.

The exploit remains dangerous, and at this point I am almost certain that I am not the only one who knows about it.

I could send another anonymous letter, further explaining the implications of leaving this exploit in the open. But it would be difficult to do anything else as it would be threatening them to take action "or else." I would turn into a gray(er) hat.

I cannot stress enough the importance of resolving this security issue before something big happens. But I cannot threaten them into doing anything, for that would imply my willingness to do wrongdoing. What are my options?

oldmud0
    *"the IT head threatened the teacher with his job"* 0_o What kind of crazy school is this? I really hope the IT department does not actually have the ability to fire faculty. – Alexander O'Mara Apr 16 '16 at 05:34
  • Exploit into the system, then fix it youself...NOT! Just joking, but the notion of responsible disclosure is that once you've told them they're vulnerable and if they continue to disregard it you let their customers know that they're vulnerable and don't care about fixing it so they either stop using their service or pressure them for a fix. But since this may put you under a risk, you might want to just let things be vulnerable, let them get attacked, lose money, learn things the hard way. – Silverfox Apr 16 '16 at 09:53
  • Go to the press and get publicity. Name and shame is the only option in this case (and similar ones). –  Apr 16 '16 at 09:44
  • Did you send the message using anonymous email? How sure are you that your message hasn't just been caught in a spam filter? – Lie Ryan Jul 01 '16 at 01:06

4 Answers

4

This entirely depends on whether or not you violated any law or school rules when you stumbled onto the problem.

If you found it without violating rules

If you didn't violate any rules (e.g. this is a simple enumeration problem with a web app and you just put in yourID+1 and got another student's data) there should be no problem with disclosing this non-anonymously.

Please keep in mind that especially schools do get a lot of anonymous threats that are mostly - and correctly - not taken seriously.

Thus, your disclosure might have better credibility with your name on it - and since you didn't break any rules, there shouldn't be a problem.

If this still doesn't work, read further and ignore the remarks about anonymity.

If you are unsure whether you broke any rules

If there is doubt whether this might lead to legal trouble for you, there are some options; I'd advocate responsible disclosure.

After allowing a grace period (that should be included in the report to make sure the consequences of not fixing this are clear to all parties), you can proceed with publicly disclosing the issue.

There are several means to do so; there are websites that accept vulnerability reports and publish them anonymously. But in your case, as this is a rather localized vulnerability, you might be better off to approach the press.

With global information security being in the media regularly, you'll find at least one local newspaper that would be happy to publish the general problem and put some shame on the people that previously didn't respond at all.

Public shaming is a - rather cruel, medieval but - effective way to convince people to take an action they previously wouldn't have.

In most jurisdictions, the press has special rules allowing them to guarantee the anonymity of the information source.

Tobi Nary
  • Laws are vague and if you can demonstrate you've accessed information. E.g., one US federal law (18 U.S. Code § 1030) says if you obtain information from a protected computer (US gov't computer; used by financial institution; used in interstate/foreign commerce) that exceeds your authorized access it's a crime. ( https://www.law.cornell.edu/uscode/text/18/1030 ). – dr jimbob Apr 16 '16 at 19:30
  • Any disclosure you do make, if you wish to remain anonymous, should be done from a public wifi and a burner email - never access that account from an internal network. Send a follow up with a time limit on when you intend to disclose the hole, then wait and disclose when ready. If you wish credit, create a hacker name for yourself and make sure they credit you when disclosed or use it when you out the security hole. Finding security holes has value, you might wish to have that credit one day. – Andrew Philips Apr 17 '16 at 00:21
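The "yourID+1" enumeration this answer uses as its example of a flaw you can hit without breaking any rules is an insecure direct object reference: the application authenticates the caller but never checks that the requested record belongs to them. The following is an added example, not code from the original question or answers, showing that defect next to its fix in a toy records lookup; the student records, the `Session` shape and the function names are constructed for illustration.

```python
"""Added example (not from the original page): an insecure direct object
reference in a toy student-records lookup, beside the hardened version.
All data, names and the session model are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample data. Sequential ids make the "try my id + 1" probe
# trivial, but the real defect is the missing ownership check below.
STUDENTS = {
    1001: {"name": "A. Student", "grades": "..."},
    1002: {"name": "B. Student", "grades": "..."},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


@dataclass
class Session:
    user_id: int          # the logged-in student's own record id
    is_staff: bool = False


def get_record_vulnerable(session, student_id):
    # Authentication only: a session must exist, but nothing ties the id in
    # the request to the caller, so any logged-in user can read any record.
    if session is None:
        raise Forbidden("login required")
    return STUDENTS.get(student_id)


def get_record_fixed(session, student_id):
    # Authorization added: the requested id must be the caller's own record
    # unless the caller is staff. This is the check the vulnerable version lacks.
    if session is None:
        raise Forbidden("login required")
    if not session.is_staff and student_id != session.user_id:
        raise Forbidden("not your record")
    return STUDENTS.get(student_id)


def enumerate_records(lookup, session, start, count):
    """Simulate the 'yourID+1' probe against a lookup function: request
    consecutive ids and return the list of ids that returned data."""
    leaked = []
    for sid in range(start, start + count):
        try:
            if lookup(session, sid) is not None:
                leaked.append(sid)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    me = Session(user_id=1001)
    print("vulnerable:", enumerate_records(get_record_vulnerable, me, 1001, 2))
    print("fixed:     ", enumerate_records(get_record_fixed, me, 1001, 2))
```

Note that the fix is the server-side ownership check, not switching to unguessable ids: random ids only hide the defect from a casual probe, while the check above rejects the request regardless of how the id was obtained.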

2

If the admin did not address the security flaw, even after a kind soul informed them- this is their gaping hole, not yours, sir. You did the best you could, more than most. I've emailed admins, good ones say thanks, bad ones ignore. No need for worry, you are trying to help is all.

Remember, they are being paid, you are not, it's a good job you said anything at all!

1

According to Google, they recommend 90 to 120 days to patch after disclosing the vulnerability. I would be careful if you do not have permission to "play" on the network as this may be illegal. Sounds like something you stumbled upon without probing for vulnerabilities. If you get no response, leave it alone as you may face legal issues.

user107699
0

How anonymously did you report the vulnerability? If they have no way to contact you back (e.g. a random email on a free provider, or on a system like mailinator), maybe there are some reasons they haven't addressed it yet, but they have no way to tell you.

Or perhaps they tried to reproduce it but failed (some instructions were ambiguous, it only happens when using certain computers…) and were unable to ask you for more information.

Sadly, it's relatively frequent that security reports require numerous follow-ups by the reporter until they are finally dealt with (maybe not the fault of your school, they may have raised the issue with their provider and they are waiting for them to fix it, there are often several reporting layers involved).

Ángel