
IT Security & My Experiences w/ How Much People Don't Care Until Something Bad Happens.

Windows7ge

I thought today might be a good day to have a little discussion about past experiences with how bad security in IT infrastructure is in the modern age. Over the years I have discovered and even gotten in trouble for discovering vulnerabilities in network configurations/equipment at schools and businesses.

 

This topic is intended as a constructive conversation where I'd like others to share their experiences and raise awareness. If even one person makes a positive change somewhere as a result of this, that at least counts for something. If anyone, including myself, goes into too much detail as far as how certain things were/are exploitable, I'd appreciate it if the mods could just chop out what goes against the CS as opposed to shutting down the conversation.

 

So I wanted to start off by stating I don't classify myself under the White | Gray | Black Hat hacker categorizations. I don't actively pursue Pen Testing or illicit activity for personal gain...but when I get bored and have a computer in front of me I like to push buttons...and I've had times when doing so not only showed me things I shouldn't have access to but I've gotten in trouble for discovering...

 

Today I have four stories and I'll try to put them in chronological order as best I can remember. Each one is unique in itself which is why I'm including them all.

 

High School: Poorly Implemented Web Filters


As most anyone in Elementary/Middle/High School might discover, schools like to implement a network-wide web filter that prevents students from visiting websites not approved for use on campus or during class time. Well, back when I was in high school, my senior year, I was attending BOCES for CISCO CCENT. My teacher there had an FTP server on the LAN for simple file sharing and we used it to download class materials to our client machines.

 

Accessing an FTP server through a Web Browser was pretty easy. Just like how you'd type out a web address starting with HTTP:// or HTTPS://, access to the FTP server was done by typing in the URL box:

FTP://ip-of-server

This told the browser not to use the HTTP/S protocols but to use the FTP protocol.

 

Well, how this ties into the Web Filter my school was using was the rather sloppy implementation of it they used. I never got to know who was in charge of IT at my school so I don't know if the Web Filter was an inside or outsourced job, but whoever set it up made it so this rather obscure URL address would appear in the URL box when the Web Filter blocked your attempt to go to, say, YouTube or CoolMath Games. Of course, as many people are used to seeing LONG addresses that use seemingly random characters with no clear reason behind the naming convention, the Web Filter at my school showed three private IP addresses in the 172.16.0.0 Class B range in the URL.

 

Well guess what? I was bored. And I started asking myself questions about those IPs. Now we didn't have CMD access. So I couldn't try to ping them. I tried putting them in the URL box alone. Nothing happened. Then I thought about FTP...

 

So I started typing...

FTP://172.16.something.something

Nothing happens. Basically a 404 error.

 

Went to the next IP.

FTP://172.16.something.something

Nothing happens. Again basically a 404 or connection refused error.

 

Went to the 3rd and final IP.

FTP://172.16.something.something

This time a little dialog box appeared in the top right corner of the web browser:

Please enter your administrative username and password.

Username:
Password:

 


 

Needless to say I backed the fuck out of there about as fast as I realized what I just discovered...which was unfortunately not fast enough because ring-a-ding-ding, like two days later I was locked out of my school account and, through a series of events I won't be going over, I got escorted down to the admin's office and given a couple of extended detentions for that. Admin accused me of trying to change my grades. I'm willing to bet he didn't even know what server I nearly accessed. Not that I knew either.

 

In summary. If you're working as an IT admin in a school, check your Web Filters and how they pop up when they block websites. Don't leave them exposing IP addresses in the URL box if it's avoidable.

 

 

WPA2-PSK has innate crippling vulnerabilities? That's the last of your worries if you own a particular popular router


This just further gives reason to change the SSID and password on any new router that you either buy or get from your ISP. Now I'm not going to name names/manufacturers or ISPs here, but if you own one of these you're going to know which ones I'm talking about.

 

So as usual I was bored. Family had just recently switched ISPs and we got a new shiny cable modem/router. The weird thing was the default SSID on the router Wi-Fi was really, really close to the Wi-Fi password. In fact it was identical with the exception of 4 alphanumeric characters two digits from the end of the password. Example:

 

SSID: TG1672GF2

Password: TG1672G17B6F2

 

What caught my attention was after a little bit of research these four alphanumeric characters always stayed under the letter F. For those familiar counting in Hexadecimal is Base 16. 0 - 9, A - F. That got me thinking. Where were they getting these numbers from? My memory is fuzzy here but I remember seeing, somewhere, the MAC address of the Wi-Fi adapter in the router. And guess what I saw?

 XX:XX:XX:17:B6:F0

...I started thinking this must be a joke. No manufacturer could be so stupid as to use the MAC address as a password...so I decided to test it in the field.

 

I went to a friend's house who had the same router.

I went to work where they had the same router.

I went into town where somewhere nearby someone had the same router.

 

Guess what all three locations had in common? I was able to access their network/internet without asking anyone for the password...

 

In summary. Change your SSIDs and passwords. Don't trust that your ISP or 3rd party router has your best interests in mind.

 

 

Network Discovery, Firewall Rules, & Implementing Remote Command Execution


By this time in my life I had enrolled in college as a CIS major. I won't be naming schools here for obvious reasons, but using the computers in the technology building further drove my curiosity to learn about systems/networks and how they can be used/managed on a large scale.

 

One day I was sitting in a very easy class I was taking just for an elective credit and we finished the class work early. Normally you'd be free to leave but most everyone opted to stick around. I can't remember exactly why. So as you can guess by now...I was bored...now it's easy to understand for educational reasons that the computers at least in the technology building may be granted a little more freedom to the network/administrative services to aid education. Sort of a "With great power comes great responsibility." deal. Now I don't know if it was deliberate, laziness, or not paying attention by the college IT dept but when setting both firewall rules, network discovery and the ability to perform remote command execution I discovered a little dirty secret I don't think the college wanted anyone to know...

 

So while I was sitting there I took to CMD because why not? So I just started typing commands. One command led to another, which led to another, which led me to a command called:

net view

Now I had used this long in the past but never got any output from it. Today was different. This time it spat out a long, LONG list of every peer/client on the subnet...

 

...ok...

 

For shits and giggles I looked up the name of my computer. Yep, there it was in the list. Then I decided to explore something I really shouldn't have. Remote command execution...

 

I think by this time most of the class had left. Only a few people were hanging out so I decided to explore a command you really have to be careful with.

shutdown -r -m \\MachineName -c

For shits'n'giggles I looked at the number of my computer and went one number up. Say I was TCH4556 I typed in:

shutdown -r -m \\TCH4557 -c "System will restart. Performing updates."

So I'm just like. "Yeah, this would never work" *hits Enter*

 

Not 5 seconds pass. The person immediately diagonally from me: "DUDE! MY COMPUTER JUST TURNED OFF! SOMETHING ABOUT UPDATES!"

 

Me:

 


 

Now this led me down a path of shenanigans that narrowly landed me in some seriously deep shit. Ultimately I notified a professor that I trusted and they anonymously (not mentioning my name) notified campus IT.

 

When I caught up with this professor again I asked how things went and she told me the head of the IT dept, when they got the notice, was FUCKING LIVID that a student discovered this...

 

Me:...Oh...

 

In summary. If your campus really doesn't need a service like remote command execution enabled, don't leave it enabled. A while later the PCs were swapped out for newer ones and I decided to gently check if they patched this. They did.

 

 

Guest Wi-Fi and requiring user login credentials.


Now if you've gone to almost any big name public store or school you'll have seen Wi-Fi where they'll let you use it if you log in as a guest or provide username/password credentials. Otherwise you're blacklisted from the network/Internet. Sounds fairly straightforward, but this one shows it's not so simple.

 

This story actually takes us back to college again. For many people who have experienced this issue before, colleges will limit the number of devices you're allowed to register on the campus. Sometimes 2, 3, maybe 5 devices before you have to talk to IT and work something out.

 

Well my college did a really bad job of implementing the campus-wide Wi-Fi. Normally if you exit out of the device registration page you have no Internet access at all except back to the device registration page. Well, at my school, and I'm quite certain it's not supposed to work this way, you have a very limited amount of Internet access. I strongly believe it's not deliberate but just a very bad implementation of the registration requirement.

 

For example. You can reach websites like Google or YouTube but you can't reach websites like this forum or, say, Microsoft.com. You can't even go to the college's main web page. It's very bizarre.

 

Something I never liked about the campus Wi-Fi is it would block the ability to SSH to any server outside the campus domain. If you were taking HTML/CSS courses you had SSH access to a publicly viewable onsite server for students to use for web design but that was it. You couldn't SSH anywhere offsite like your house for example. The firewall didn't allow it.

 

What I discovered only recently is that although SSH was blocked, because of the campus's rather broken Wi-Fi registration system one service that wasn't being blocked was OpenVPN.

 

Now I'm not going to go into any more detail than that, but as you can guess, by that point if you can VPN out, you're free to access the world without registering any devices.

 

In summary. As a member of the IT staff, put more forethought into making sure your network security actually works. If your Wi-Fi has blatantly open holes in it like this they will be exploited, especially by young college students.

 

 

That's everything I had to share. Does anyone else have anything similar to add? I feel this could be worthwhile material for those who either work in IT or just want to beef up their security otherwise. :old-grin:

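The MAC-derived default PSK described in the router story above, turned into a check an admin can run against a router's SSID, password and BSSID before trusting it. This is an added example, not code from the post or from any router vendor; the SSID/PSK/MAC values are constructed from the post's own illustration, and the 0.6 similarity threshold and the 4-hex-digit minimum are assumptions.

```python
"""Audit check: does a router's Wi-Fi pre-shared key look derived from its SSID and MAC?

Added example, not code from the original post or any vendor. The SSID/PSK/BSSID
values below are constructed from the post's illustration; the 0.6 similarity
threshold and the 4-hex-digit minimum are assumptions.
"""
import re
from difflib import SequenceMatcher


def mac_hex(bssid: str) -> str:
    """Reduce a MAC/BSSID such as 'XX:XX:XX:17:B6:F0' to its known hex digits, uppercase.

    Placeholder 'X' characters (unknown octets) are dropped along with separators,
    so the post's partially redacted MAC still yields '17B6F0'.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", bssid).upper()


def psk_extra_chars(ssid: str, psk: str) -> str:
    """Return the characters of the PSK that the SSID does not account for.

    SequenceMatcher aligns the two strings, so an insertion in the middle of the
    SSID ('TG1672G' + '17B6' + 'F2') is recovered as '17B6'.
    """
    ssid_u, psk_u = ssid.upper(), psk.upper()
    sm = SequenceMatcher(None, ssid_u, psk_u, autojunk=False)
    extra = []
    for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            extra.append(psk_u[j1:j2])
    return "".join(extra)


def audit_psk(ssid: str, psk: str, bssid: str,
              similarity_threshold: float = 0.6, min_hex: int = 4) -> dict:
    """Classify a PSK as weak when it is basically the SSID plus a few characters,
    or when the characters it adds to the SSID are a run of the radio's MAC address.
    """
    ssid_u, psk_u = ssid.upper(), psk.upper()
    similarity = SequenceMatcher(None, ssid_u, psk_u, autojunk=False).ratio()
    extra = psk_extra_chars(ssid, psk)
    mac = mac_hex(bssid)
    # A short run of hex that also appears in the MAC is the pattern the post found.
    mac_derived = len(extra) >= min_hex and extra in mac
    return {
        "ssid_similarity": round(similarity, 3),
        "extra_chars": extra,
        "mac_derived": mac_derived,
        "weak": mac_derived or similarity >= similarity_threshold,
    }


if __name__ == "__main__":
    # Constructed values mirroring the post's example.
    print(audit_psk("TG1672GF2", "TG1672G17B6F2", "XX:XX:XX:17:B6:F0"))
    print(audit_psk("TG1672GF2", "correct horse battery staple", "XX:XX:XX:17:B6:F0"))
```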

Well.. this wasn't a school, but communal management, also running school networks.. those were at least quite secure.

but the communal management had single Hyper-V servers accessible from within the same VLAN.. so anyone working there of 4-500 people.. could have tried to log on to the host of the mail server and shut down the whole server that was running 3 more VMs..

they had 5 or 6 single Hyper-V hosts. just making it more inconvenient to access any of the servers..

when I was done they had 3 clusters with backup and management in a separate VLAN behind a second FW.


Hello @Windows7ge, can you please share some insights about your career, please? I am also interested in IT but need guidance and advice. I want to get into network, cloud, and security.

 

1) Do you have a college degree?

2) What certifications do you have?

3) How did you land your first job and internship?

 


A shocking number of devices in my industry use "admin/admin" or "admin/[the name of the vendor]" as the default login credentials. 

 

A disappointing number of deployments don't change these defaults.



I deal with a lot of business ransomware problems and talk to owners of MSPs who deal with bigger ones.

 

In every case they think they got actively hacked when the reality is they clicked on a link in an email and got toasted. 

 

I've been in doctors' offices where all patient data is stored on the public folder of their file server. AD is running, but nobody knows how to join stations to the domain. And they have a HIPAA audit tomorrow.

Large hospital I worked at had strict policies about leaving computers unattended. It was encouraged to access the email of any unattended computer and send out embarrassing emails. You tended to make this mistake once and not again. I preferred to sign them up to as many adult rendezvous sites as I could.

 

The typical college CS security grad I encounter has no concept as to how ransomware works in any detail. 

 

 


1 hour ago, James Evens said:

Another example would be, instead of using a RADIUS server, just whitelisting the MAC addresses of devices allowed to use the network.

I'm not experienced with RADIUS but I know the school uses the Wi-Fi NIC's MAC address for registration. That's how it tracks your devices. What it actually uses on the back-end and why it seems so broken I have no idea. Haven't poked that far yet.

 

1 hour ago, Robchil said:

Well.. this wasn't a school, but communal management, also running school networks.. those were at least quite secure.

but the communal management had single Hyper-V servers accessible from within the same VLAN.. so anyone working there of 4-500 people.. could have tried to log on to the host of the mail server and shut down the whole server that was running 3 more VMs..

they had 5 or 6 single Hyper-V hosts. just making it more inconvenient to access any of the servers..

when I was done they had 3 clusters with backup and management in a separate VLAN behind a second FW.

One of my biggest fears with the idea of self-hosting public/business services is the possibility of people being able to access the hypervisor I'd likely be using due to network misconfigurations like that.

 

This arrangement of hardware and software configuration sounds like the classic "Too cheap to hire someone who actually knows what they're doing". Opting for cutting corners because "So long as it works it doesn't matter." sort of deal.

 

1 hour ago, Schnoz said:

This is more focused on the end user, but I still feel like it's relevant here.

 

End user: "Windows 7 keeps telling me to update. How can I turn that off?"

 

Me: *opens their update history and sees that the last security update is from 2012* "You should definitely update; the lack of updates you've given your computer for almost the past decade or so leaves it open to security holes."

 

End user: "Eh, it'll be fine" (Ensue small argument where I fail to convince her to take the hour or so it'll take to update)

Four months later:

End user: "Hey, can you help me with this ransomware infection?"

I can understand people not liking change or putting time into things they don't understand because what they have is working and has been working, but the stubbornness of some people when you face them with indisputable facts that a given course of action is in their best interest and they just respond with ignorance is infuriating. Even young people today can be just as ill-informed as the previous generation when their technical understanding ends at opening Twitter on a smartphone. So I don't think this is something we'll be escaping any time soon unfortunately. 😕

 

1 hour ago, MelonBite said:

Hello @Windows7ge, can you please share some insights about your career, please? I am also interested in IT but need guidance and advice. I want to get into network, cloud, and security.

 

1) Do you have a college degree?

2) What certifications do you have?

3) How did you land your first job and internship?

 

Unfortunately I'm not the best person to ask. Almost everything I know today is self-taught and I don't have a clear career path.

  1. Currently trying (and failing) to get my Associate's.
  2. None but the courses I've taken for both CISCO CCENT & CCNA have CompTIA A+ certs associated with them. I don't recommend them. They really don't test your knowledge and I've rarely heard employers credit them as a nice thing to have on a resume. I can't list alternative options but there are better ones to invest your time into.
  3. I did not. Never had an internship. Technically never landed a job in the IT field (yet).

The one thing I'd like you to take away from this though so I don't send you off completely empty handed is that taking classes in school really only teaches you very specific sub-topics. These will help you land a job because it looks good on paper but once you're in the field you will need to develop the aptitude to respond appropriately to various scenarios and they don't teach you that in school.

 

Invest your personal time into exploring more in depth what interests you the most and branch out. Grow more comfortable in this environment. If you can spare a few dollars buy a server and configure it to do something. Get hands on. By far this has been the greatest teacher. Learn what software is popularly used in your field. See if it's available for free/inexpensively. Use it. Get familiar with it. Then branch out further and just continue to build on that. Even if what you find yourself learning isn't directly useful to a future occupation it will help you develop confidence and broaden your understanding which can help grasp different concepts you might not have picked up on as easily otherwise.

 

2 hours ago, Needfuldoer said:

A shocking number of devices in my industry use "admin/admin" or "admin/[the name of the vendor]" as the default login credentials. 

 

A disappointing number of deployments don't change these defaults.

When I was at the old place I used to work at the Grainger vending machine (for gloves, box cutters, etc) decided to stop working. It had a small computer w/ display built into it. I can't tell you how nostalgic but terrifying it is at the same time when the vendor came in to reboot the computer and I heard the classic Windows XP start-up sound.

 

And I'm pretty sure this thing was connected to the network...

 

36 minutes ago, wseaton said:

In every case they think they got actively hacked when the reality is they clicked on a link in an email and got toasted. 

The number of times the campus network has been knocked down to a degraded state because someone in an office clicked a link in an e-mail they really shouldn't have would surprise you. Some people just don't learn.


I'm too tired to read anything right now. But I wanted to post this to add to the discussion.

 

When I was a freshman in high school, I had to make a phone call due to some family shit going on. I had to go to the main office where they had a small private room off to the side for just such an occasion. Inside is a small table with a computer, and a phone (and a box of tissues but get your mind out of the gutter...). For whatever dumbass reason, there was a sticky note taped on the wall next to the phone with the administrator credentials for the whole network. After my phone call, I wrote down those credentials and kept it to myself. About a week later I used those to install a pirated version of Minecraft onto the main server, so any computer on the network could run it.

 

No one really knew about it until next semester when I got caught playing it during my HTML5 class. The teacher didn't have a clue, she just told me to turn it off. But the kids behind me wanted to know how I got Minecraft running on school computers. So I told them, and showed them where I hid it. For the rest of the year, we played Minecraft during class whenever the teacher was up front teaching.

 

The next year, I had wondered if that sticky note was still there, so I faked having to make another phone call to get inside the room. Turns out, it was still there. I promptly went to the school library and hopped on the computer furthest away from anyone. Those credentials still worked. I then went to check if Minecraft was still there - nope. But that's because they purge those servers every year as a routine thing.

 

Year after year, I installed and played Minecraft on the school server and dicked around with other various files and programs. It was during the second year of this, however, I discovered something very fucked up. They kept login credentials for students and staff in a .txt file... First thing I did was change my password because I had used the same password I use for personal use. But then of course young malicious me ran with that shit. I'd log into people's profiles on the network and just fuck with them. Small troll-like things such as changing default programs, uninstalling programs, installing other programs, altering their projects like PowerPoints and Word docs. I never deleted files that could screw someone over - I wasn't that bad.

A little over a year after I had graduated, I went back in for an art show and open house type thing. I snuck away from the main party (if you can call it that) and made my way into the main office. I got lucky because the custodians were still cleaning, so everything was still unlocked and open. I went straight for that small room, and that damn sticky note was still fucking there! I joined back with the main party, meandered on over into the library, same far away computer, same credentials still fucking worked!

 

It's been 5 or 6 years since that open house and I've not gone back. I don't know if that sticky note remains and/or if the admin credentials are still the same. But what I do know is - don't leave the paper with all your passwords and logins written down on it, out in the open. Human stupidity is the biggest security flaw in today's technology. (love how I said I'm too tired to read, yet here I am, with a wall of my own text. lol I'm going to bed now).


This is all at my high school, which is quite well managed.

But they have two security flaws that I've discovered (one I reported that STILL isn't fixed) - one on their Windows computers and one on their network.

Flaw #1: If you sign into the Microsoft store, you can install whatever the heck you like in there, and it'll generally work. (Firefox didn't sadly; I was hoping I could get around their annoying locked settings in Chrome). Minecraft W10 version free trial did; FH4 did somehow, and... Windows Terminal did.

Now a standard setting of Windows is to have the option to disable Command Prompt; which thankfully IT had done. I later learned that this wasn't always the case, and someone figured out something and got their butt expelled and I think he faced criminal charges. I kid you not, IT unplugged his computer and carted it away. No one ever saw it again; if said student did face charges it was probably used as evidence and then destroyed.

However, they didn't block PowerShell correctly.

If you looked up PowerShell, it would say something like "no you can't access this". But Windows Terminal was able to access PowerShell. And while my powers were limited...

It had regular user rights. Not super ultra locked down user rights. So I could access anything in my users folder pretty much.

Want to know what I did? I moved my Undertale and Deltarune saves around and edited them because I had a 32GB flash drive packed to the gills with games. Mario Kart Wii in the back of the room anyone?

I haven't done anything much more with that; since I wasn't actively trying to get myself suspended or expelled. Everything I've found is because there's something that would be really convenient that I could do if this annoying restriction wasn't in place, and PowerShell let me do those few things.

 

Enter Flaw #2. Bad WiFi security.

Now the way my school has WiFi set up at their school is like this. District's name (will be called cia because yes), followed by a dash, followed by its use.

They had:

cia-guest (the guest WiFi that runs at 2 bits per second and blocks half the websites you want to use)

cia-byod-student (the 15 bytes per second bring your own device student wifi)

cia-byod-staff (probably 100 meg for BYOD staff)

cia-dod-student (for the Chromebooks, can't check speed because speedtest.net is blocked)

cia-dod-staff (for the staff's Dell laptops that is very likely the same as dod-student)

cia-env

 

I understood all of them except cia-env. What was its use?

So I looked at it... and OH MY it is secured with WPA1.

Not WPA2, or WPA3.

WiFi Protected Access. OG.

The one that can be cracked by anyone with a bit of work, time, braincells, and not a Chromebook.

 

Now what did I do?

 

Immediately tried to break in. I brought my MBP, tried to capture the necessary packet, and was met with:

sudo: airport: command not found

Darn.

Then my common sense engaged and I decided to go the path of waiting.

I haven't reported it though; I do want to crack it someday. Maybe as a senior prank on my last day I'll leave a note with the password somewhere, and watch chaos ensue.



48 minutes ago, TempestCatto said:

Inside is a small table with a computer, and a phone (and a box of tissues

My brain: Kids crying for one reason or another and needing to wipe their eyes/nose while talking to their parents.

 

52 minutes ago, TempestCatto said:

but get your mind out of the gutter...).

Out of the wha-oh...Ooooohh. OK. I get it now.

 

I never got that lucky in high school. Stickies with passwords on them were never left out in areas where students frequented, but that is a bizarre story. I can only guess a staff member had to make calls and recite the login credentials to people off-site on a frequent basis.

The .txt file is freaky though. Whether the domain was managed on Windows Server or GNU/Linux, I can't imagine that file served a purpose with the user accounts.

 

1 hour ago, TempestCatto said:

Human stupidity is the biggest security flaw in today's technology.

Couldn't agree more.


3 hours ago, Schnoz said:

This is more focused on the end user, but I still feel like it's relevant here.

 

End user: "Windows 7 keeps telling me to update. How can I turn that off?"

 

Me: *opens their update history and sees that the last security update is from 2012* "You should definitely update; the lack of updates you've given your computer for almost the past decade or so leaves it open to security holes."

 

End user: "Eh, it'll be fine" (Ensue small argument where I fail to convince her to take the hour or so it'll take to update)

Four months later:

End user: "Hey, can you help me with this ransomware infection?"

Thank Tech Jesus we have SSDs now. Updates are far less ornery than on a spinning platter. 



About school security.

My school's Wi-Fi uses MAC addresses to ID and triage devices.

We have to register our devices to run on the networks.

Our school keeps very close track of those numbers.

 

About security in general.

Most networks are not secured to the maximum; that would be too hard, so that's why Chromebooks make sense, in that you can use Google Docs to have stuff in the cloud rather than on the local machine, and if the local machine gets corrupted you can nuke the OS and reinstall it.

Basically why I like chromebooks.



3 hours ago, James Evens said:

Why is this so common???

MAC addresses aren't unique/can easily be caught and faked.

If it is changed it usually flags in the system and the said device can't connect.

Also, IT checks those MACs.

As for why, is there any other way?



8 hours ago, sub68 said:

Most networks are not secured to maximum that would be to hard

This is, in a sense, the purpose of the topic. To bring to light some of the dos and don'ts that your average IT admins have to deal with.

 

We're only human but if someone like me with no Security/Pen Testing research/education at all can find holes like this because I'm bored and just poking around at what I'm allowed to access imagine what holes could be discovered at these places if someone who actually knew what they were doing decided to do something malicious.

 

It wouldn't even be a challenge and the school/business would get fucked.


55 minutes ago, sub68 said:

If it is changed it usually flags in the system and the said device can't connect.

Also, IT checks those MACs.

As why, is there any other way?

11 minutes ago, James Evens said:

I can use whatever MAC I want. Meaning I could get the MAC of any device which is allowed and use it for myself.

It's hard to say what's informationally accurate without an accurate description of how the IT department at the school has these policies configured. All we can do is speculate.

 

There are other identifiers that could be used to track a device besides the MAC address. Something as simple as the computer name, but this can also be changed. IPv4 & IPv6 will transfer other basic device information to the requesting server. I can't go into the specifics here, but if a device isn't connected, changes the MAC while keeping the Vendor ID portion, then connects, the school really has no way of knowing it's a spoofed device. The Vendor ID would match the vendor information of the device and it would just look like more than one Acer laptop, or more than one Chromebook with similar characteristics. That wouldn't likely trip any flags at all.

What could trip security, if they have tracking for it, is if a script is running on the client to randomly generate new MAC addresses and/or request new IPs periodically. This is to make tracking down a source more difficult but would raise all sorts of flags for suspicious activity.

Similarly, if a device NIC enters Promiscuous Mode this is also a red herring that someone's doing something they shouldn't be and is often tracked for on school networks.
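A defender-side illustration of the points in the post above, added here as an example and not taken from Windows7ge or from any school's tooling. It scans constructed switch-port/MAC events (made-up sample data), flags a port that cycles through many distinct MACs in a short window (the "script randomising the MAC" case, and also what a hub or unmanaged switch hanging off one jack looks like), flags MACs with the locally-administered bit set (what software-set addresses typically look like) or with an OUI outside an assumed fleet-vendor list, and shows that a spoof which keeps the fleet vendor's OUI passes the OUI check, exactly as the post says. The OUI table, port names, window and threshold are assumptions for the example.

```python
"""Spot MAC churn and unexpected vendors in switch-port events (example only)."""
from collections import defaultdict

# Constructed sample events: (seconds since start, switch port, client MAC).
# Made up for this example; not from any real network.
EVENTS = [
    (0,   "Gi1/0/7",  "a4:5e:60:11:22:33"),  # fleet laptop, stable on its port
    (30,  "Gi1/0/7",  "a4:5e:60:11:22:33"),
    (100, "Gi1/0/12", "02:13:37:aa:bb:01"),  # one port, new random MAC every ~15s
    (110, "Gi1/0/12", "02:13:37:aa:bb:02"),
    (125, "Gi1/0/12", "02:13:37:aa:bb:03"),
    (140, "Gi1/0/12", "02:13:37:aa:bb:04"),
    (500, "Gi1/0/3",  "3c:07:54:de:ad:01"),  # fleet Chromebook
    (600, "Gi1/0/5",  "a4:5e:60:de:ad:01"),  # spoof that keeps the fleet OUI
    (700, "Gi1/0/9",  "00:11:22:33:44:55"),  # OUI nobody in the fleet uses
]

# Assumed fleet vendor OUIs (constructed mapping; a real deployment would load
# the IEEE OUI registry and its own asset inventory instead).
KNOWN_OUIS = {"a4:5e:60": "fleet laptop vendor", "3c:07:54": "fleet chromebook vendor"}

WINDOW_SECONDS = 300   # how long a burst of different MACs is considered together
CHURN_THRESHOLD = 3    # distinct MACs on one port within the window to raise a flag


def oui(mac):
    """First three octets of a MAC, the vendor (OUI) part."""
    return mac.lower()[:8]


def is_locally_administered(mac):
    """Software-assigned / randomised MACs set the U/L bit (0x02) of the first octet."""
    return int(mac[:2], 16) & 0x02 != 0


def churn_by_port(events, window=WINDOW_SECONDS, threshold=CHURN_THRESHOLD):
    """Return {port: max distinct MACs seen within any window} for ports over threshold."""
    by_port = defaultdict(list)
    for ts, port, mac in events:
        by_port[port].append((ts, mac.lower()))
    flagged = {}
    for port, seen in by_port.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):           # sliding window starting at each event
            macs = {m for t, m in seen[i:] if t - t0 <= window}
            if len(macs) >= threshold:
                flagged[port] = max(flagged.get(port, 0), len(macs))
    return flagged


def unknown_vendors(events, known=KNOWN_OUIS):
    """Return {mac: reason} for MACs that are locally administered or have an unknown OUI.
    A spoof that keeps a known vendor's OUI is deliberately NOT caught here."""
    out = {}
    for _, _, mac in events:
        mac = mac.lower()
        if is_locally_administered(mac):
            out[mac] = "locally administered (randomised?)"
        elif oui(mac) not in known:
            out[mac] = "unknown OUI " + oui(mac)
    return out


def analyse(events=EVENTS):
    return {"churn": churn_by_port(events), "vendor": unknown_vendors(events)}


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

The churn check is the same signal that switch port-security (a maximum number of MACs per port) acts on; the OUI check only ever catches sloppy spoofs, which is why an inventory of expected MAC-to-port bindings, not the vendor prefix, is what actually distinguishes a second "Acer laptop" from the real one.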


12 minutes ago, Windows7ge said:

Similarly, if a device NIC enters Promiscuous Mode this is also a red herring that someone's doing something they shouldn't be and is often tracked for on school networks.

Exactly what happens when you change the MAC address, and why schools use them a lot.

1 hour ago, Windows7ge said:

This is, in a sense, the purpose of the topic: to bring to light some of the do's and don'ts that your average IT admins have to deal with.

OK, makes sense.

The only thing it comes down to is funding a lot of the time.
I am very fortunate that I live in a good town that has a big college.

i.e. they have the money to get good networking.

An example of a good district or PD is their radios.

My school is using Motorola XPR 3500e, which is a good solution for comms; it's not ridiculous but a good set to cover the problem.

My school is on WPA2, but for a good reason.

They are converting the IT building to WPA3 so they can iron out the kinks, then change it district-wide.


2 hours ago, James Evens said:

Unless they modernized everything, they still can't see what is connected where on the network, and you can still crash the entire network with two things: 1. run a Wi-Fi AP with its own DHCP; 2. just plug an RJ-45 cable with both ends into the RJ-45 jacks. Client isolation is also not implemented.

This brings us back to people who actually know at least a little bit about what they're doing. Running a rogue DHCP server and tricking clients to connect to that would be a little over most kids' heads.

As for plugging both ends of an Ethernet cable into wall jacks: commercial switches have a nifty feature to mitigate the broadcast storms that can cause. It's called STP (Spanning Tree Protocol).

That is part of what caused the little fiasco at my college, but I do believe this was partially deliberate, as Network Discovery was only functioning in the technology building. Nowhere else on campus could you just look up peers on the same subnet. Going back to the "With great power comes great responsibility" phrase, I think it was for educational reasons.
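To make the STP point concrete, here is an added example (not the poster's code and not any vendor's implementation) that runs a simplified spanning-tree election over a constructed four-switch topology in which a patch cable between two wall jacks closes a loop. The lowest bridge ID becomes root, every other switch picks a root port by path cost (lower neighbour bridge ID breaks ties), one end of every redundant link is put in the blocking state, and the links left forwarding form a tree, so a frame flooded on the looped cable cannot circulate. Bridge priorities, MAC tiebreakers and link costs are made-up values.

```python
"""Simplified spanning-tree election on a switched LAN with a loop (example only)."""
import heapq
from collections import defaultdict

# Constructed topology. Bridge ID = (priority, bridge MAC); lowest wins the election.
BRIDGES = {
    "core": (4096, "00:00:5e:00:00:01"),
    "sw1": (32768, "00:00:5e:00:00:10"),
    "sw2": (32768, "00:00:5e:00:00:20"),
    "sw3": (32768, "00:00:5e:00:00:30"),
}
# (bridge_a, bridge_b, path cost). Costs are made up; lower is better.
LINKS = [
    ("core", "sw1", 4),
    ("core", "sw2", 4),
    ("sw1", "sw3", 19),
    ("sw2", "sw3", 19),
    ("sw1", "sw2", 19),   # the patch cable between two wall jacks: closes a loop
]


def bridge_id(name):
    return BRIDGES[name]


def root_bridge():
    """Lowest (priority, MAC) wins."""
    return min(BRIDGES, key=bridge_id)


def root_path_costs(root):
    """Cheapest cost from every bridge to the root (Dijkstra over link costs)."""
    adj = defaultdict(list)
    for a, b, c in LINKS:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return cost


def port_roles():
    """Map (bridge, link index) -> 'root' | 'designated' | 'blocked'."""
    root = root_bridge()
    cost = root_path_costs(root)
    # Root port of each non-root bridge: lowest (cost via neighbour, neighbour ID, link).
    root_port = {}
    for i, (a, b, c) in enumerate(LINKS):
        for me, peer in ((a, b), (b, a)):
            if me == root:
                continue
            key = (cost[peer] + c, bridge_id(peer), i)
            if me not in root_port or key < root_port[me][0]:
                root_port[me] = (key, i)
    roles = {}
    for i, (a, b, _) in enumerate(LINKS):
        # The end closer to the root (tie -> lower bridge ID) is designated for the link.
        designated = min((a, b), key=lambda n: (cost[n], bridge_id(n)))
        other = b if designated == a else a
        roles[(designated, i)] = "designated"
        roles[(other, i)] = "root" if root_port[other][1] == i else "blocked"
    return roles


def blocked_ports():
    return sorted((b, i) for (b, i), r in port_roles().items() if r == "blocked")


def forwarding_links():
    """Indexes of links with neither end blocked: the active topology."""
    roles = port_roles()
    return [i for i, (a, b, _) in enumerate(LINKS)
            if roles[(a, i)] != "blocked" and roles[(b, i)] != "blocked"]


def is_tree(link_indexes):
    """Union-find: no cycles and everything still reachable."""
    parent = {n: n for n in BRIDGES}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i in link_indexes:
        a, b, _ = LINKS[i]
        ra, rb = find(a), find(b)
        if ra == rb:
            return False           # this link would close a loop
        parent[ra] = rb
    return len({find(n) for n in BRIDGES}) == 1


if __name__ == "__main__":
    print("root:", root_bridge(), "blocked:", blocked_ports())
    print("forwarding links form a tree:", is_tree(forwarding_links()))
```

The example computes only the converged result; real switches get there by exchanging BPDUs and running timers, and on access ports they normally add BPDU guard (shut the port if a switch starts talking on it) and storm control as a second line of defence, which is also what stops the "both ends into two jacks" trick before STP even has to converge.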


8 minutes ago, James Evens said:

@Windows7ge Well... it was a real problem before they had official Wi-Fi. When a teacher turned on a cheap/bad access point to connect, for example, an iPad, the entire school network went down, resulting multiple times in a mandate to not use those devices.

This reminds me of a time where even my own professor had to bend the rules to do her job. The network ports on the walls were configured to block router & switch devices. I don't know if it just blocked them using MAC ACLs or what, but you couldn't add a router/switch in your office.

Her solution: hubs. Old-school hubs. The campus network switch couldn't argue with it, so she was able to plug in all her devices like a printer, desktop, laptop, etc.
