AntiOnline Security Spotlight: No Good Deed


AntiOnline: Maximum Security for a Connected World

The sad story plays out as follows...

A prankster sets a BIOS password on a school library computer. A well-intentioned young student removes the password. The librarian is not amused. Are they ever?

Guess who gets branded as an evil hacker? The aforementioned well-intentioned young student who rid the library PC of its restrictive password, of course.

"A school library? How quaint," you may be thinking.

The fact of the matter is that today's schools are a tangle of networked computers not unlike most businesses. You may not care too much if little Suzy somehow gains access to the principal's email. But swap Suzy for the mail clerk and the principal for the CEO, and visions of the unemployment line aren't far behind.

The lesson here, for users and admins in any setting, is that securing systems is a group effort. Computer-savvy users who notice gaping holes (or, in this case, roadblocks) should report them, not take matters into their own hands.

Yes, there is a place for do-it-yourself gumption, but network security is not it. Admins are best suited to manage the overall health of a network and, by extension, the client systems connected to it.

As a user, your best bet is to alert a sysadmin and trust him/her to take care of it, no matter how expertly you could have handled it yourself. You don't want your actions to implicate you in case a more sinister force is at work. You will have done your duty, covered your back and, most importantly, left no room for mistrust.

Admins, in turn, must encourage users to adhere to the organization's security policy and limit a user's ability to tinker. And when a user who clearly knows more about PCs than the typical Web surfer and emailer shows up with a concern, listen. Even the most diligent network administrator can miss something.

Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.

Direct link to this week's spotlight thread:

Did I Do the Right Thing?


PM8228 faced a librarian's wrath despite resolving a problem...

Some idiot put a BIOS password on a computer at my school library. Nobody in the library could use the computer so I took it upon myself to help.

I tried random passwords (123456, etc...) and I eventually got it and removed that password. The librarian then got mad at me and demanded to know that password. I did not know what it was, but I told her that I had removed it, and that I could not tell her.

The network administrators started going through my server space and think I have hacked the school network, and have the ability to change grades. Shouldn't they be paying me, or at least thanking me for doing them a service?

HTRegz takes a look at the issue from an administrator's point of view.

While it may seem to you like you did the school a favor, that is not always true. Undoubtedly you had to sign a paper in order to use the school's computer systems, and going into the BIOS definitely violates the Terms of Use. The proper thing to do would have been to tell them immediately and offer to fix it for them, or just point out the problem.

Think about it this way. If someone is walking down the street and they see your headlights are on, do you want them going inside your car to turn them off? What if you walked out as they were in your car, or they came and told you that they were inside it but just to turn off the headlights? I wouldn't believe them.

The key thing to remember is that if it isn't yours, don't do anything without permission and even then unless you really trust the person try and get that permission in writing. Say the librarian had told you to fix the computer if you'd told her first, then the Network Admin finds out and the librarian says she never gave you permission, you'd be in hot water yet again.

The ever-vigilant Ms. Mittens thinks that a lesson can be learned by all.

While you shouldn't have fixed it without asking permission first or telling someone beforehand that you were willing to take the time to do a "brute force" so that other students could end up using that machine, they shouldn't have classified you as "guilty" of a crime. Perhaps after this is over, you can point out to the admin that perhaps it might be a good idea for him/her to put their own passwords on there so that curious students won't, and then situations like this won't happen again.
Go ahead, share your thoughts with the rest of the class!

What is AntiOnline?

AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.

We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the eye-opening discussions and expert participants that have helped make AO the "go to" online resource for network security.
