My College's IT Department Is Leaving Computers Exposed in a Very Stupid Way

[firehawken]

My colleges IT department is completely useless. This wouldn't be a problem, except they've left as far as I can tell every single computer BIOS unprotected on campus. Every computer I've used in the past several months has had no sort of password protection blocking someone from booting into the BIOS and then booting off of a flash drive. Even worse, every computer is linked to a central data system and your files transfer to any computer you log onto, which means someone could put some sort of virus, malware, or ETC onto one computer and have it spread to all the others.

 

I've tried to notify the IT department, and I've tried tweeting the college, but nobody seems to care. So at this point, I'm trying to think of a way to get them to care. Any ideas would be greatly appreciated.

 

Update: Tweet has been deleted. I realize that tweeting isn't the best way to get a problem fixed. I'm still going to try to contact the IT staff and alert them to the issue.

 

Update: I know allot of you think that I’m coming across as smug for using the word useless to describe my schools IT department, and I agree. I never meant to come across as smug or as someone who has some sort of grudge. I know my IT department does some really important things on campus, and I just want to alert them to a possible issue.

Edited February 2, 2018 by firehawken
Added updated info, Typo Fix

[tomoki]

HAHAHAHAHAHA ~ That's hilarious omg

Just wait till the destruction happens. 

[bimmerman]

Don't do anything stupid that will follow you in your post-college life.

[Silentprototipe]

Let them have it, I would strongly suggest you do nothing yourself however. That's how you get into trouble  

[ItsMitch]

Do a paper on how the negative effects on leaving stuff unprotected and publish it. 

[Sors]

Keep a backup of your files, and let them deal with the problems that will come.

[knightslugger]

Don't be the squeaky wheel.

[Arika]

5 minutes ago, firehawken said:

So at this point, I'm trying to think of a way to get them to care. Any ideas would be greatly appreciated.

Apart from what you've already done. I would advise against doing anything else. Especially if your planning on messing with the computers in the way I think you are. That is unless of course you don't care about consequences and being suspended or expelled

[bcredeur97]

6 minutes ago, firehawken said:

My colleges IT department is completely useless. This wouldn't be a problem, except they've left as far as I can tell every single computer BIOS unprotected on campus. Every computer I've used in the past several months has had no sort of password protection blocking someone from booting into the BIOS and then booting off of a flash drive. Even worse, every computer is linked to a central data system and your files transfer top any computer you log onto, which means someone could put some sort of virus, malware, or ETC onto one computer and have it spread to all the others.

 

I've tried to notify the IT department, and I've tried tweeting the college, but nobody seems to care. So at this point, I'm trying to think of a way to get them to care. Any ideas would be greatly appreciated.

don't do anything that affects them negatively to get their attention. YOU will be the one to feel the wrath.

all you can do really is keep telling them, and perhaps go so far as to publicly shaming them for it. (which you're pretty much doing here)

 

eventually something will happen. whether it be them fixing it, or something horrible happening.

[firehawken]

I don't plan on doing anything to get myself into trouble. Worst comes to worst, they don't care and they get hit by some sort of ransomware attack, and then I get to enjoy watching the IT department run around frantically.

[NTDaws]

Well it terms of the bios, you can easily reset one by either taking out the battery, or pressing the reset bios switch on the motherboard.

[bcredeur97]

1 minute ago, Being Delirious said:

Well it terms of the bios, you can easily reset one by either taking out the battery, or pressing the reset bios switch on the motherboard.

sometimes BIOS passwords are stored in something non-volatile though. So it stays even across reboots.

Not all the time, but I remember having this issue on an old Dell a friend of mine had been given.

[Orangeator]

I would just write a proper paper warning them of the dangers of such negligent inaction. Then when shit goes sideways for them you get to say those glorious words, "I told you so".

[firehawken]

3 minutes ago, Being Delirious said:

Well it terms of the bios, you can easily reset one by either taking out the battery, or pressing the reset bios switch on the motherboard.

That isn't too much of an issue as the computers are locked closed. In my opinion, It's kinda pointless to lock the computers if you're gonna leave the BIOS unlocked. 

[kokakolia]

5 minutes ago, Orangeator said:

I would just write a proper paper warning them of the dangers of such negligent inaction. Then when shit goes sideways for them you get to say those glorious words, "I told you so".

Nah! Worse. They will blame you! 

[Orangeator]

1 minute ago, kokakolia said:

Nah! Worse. They will blame you! 

A well worded paper about a vulnerability you publish to that university is not incriminating. They'd need proof it was him, other than that document.

 

For the record I am not endorsing messing with the systems.

[Guest]

Its probably on purpouse. Further in Computer Science at my uni you learn to develop Linux drivers so I imagine this would be convenient. Unless you have silly people who waste their time I dont see the issue?

[Majinhoju]

College/University was a while ago for me so I don't remember everything but do students sign any sort of documentation or policy declaring that they won't misuse the hardware? It's not like it's children using these computers.

[Tyr of Thoth]

Don't worry about it. College IT Staff leave computers unprotected so that they can occasionally have something to do, and keep their jobs. But don't give them work, they will find you, and you will get expelled.
If you are legit worried about security, I recommend BYOD.

[WkdPaul]

18 minutes ago, firehawken said:

I don't plan on doing anything to get myself into trouble. Worst comes to worst, they don't care and they get hit by some sort of ransomware attack, and then I get to enjoy watching the IT department run around frantically.

Except that they now have some "proof" that you are aware of the problem and that could be a problem if anything was to happen. If I was you I would simply try to talk to someone in person in that IT department.

 

If they can't care less, then don't bother. And make sure not to use those PC too much since them being open like this means there could be anything installed on them (keylogger and such).

[Princess Luna]

31 minutes ago, silentprototipe said:

Let them have it, I would strongly suggest you do nothing yourself however. That's how you get into trouble  

Surprisingly enough that's how I got my ever only suspension from high school, someone trolled teachers by replacing the keyboard keys on the classroom computer keyboard, teachers would always suffer typing all wrong and classes wouldn't work out so some day I just had enough of it went there took the keys off and replaced them correctly.

 

Someone that disliked me recorded it and said I was the one who was making the trolling, got myself 3 days suspension even though I showed it was in the correct layout now and I was only getting it fixed, got a lectured not to ever "play around" with school property.

 

Meh... ever since I stopped caring to others on person as much.

[firehawken]

To all of you who are concerned I might do something to get myself expelled, at this point I haven’t done anything that would be expell worthy. All I’ve done is noticed that the computer BIOS is completely unlocked. I would never do something against school terms.

 

The reality is, I’m probably going to have to let this go. I just wanted affirmation that this is a poor security descion by the IT staff.

[firehawken]

21 minutes ago, wkdpaul said:

Except that they now have some "proof" that you are aware of the problem and that could be a problem if anything was to happen. If I was you I would simply try to talk to someone in person in that IT department.

 

If they can't care less, then don't bother. And make sure not to use those PC too much since them being open like this means there could be anything installed on them (keylogger and such).

That's a fair point, and if they do come to me and accuse me of doing something malicious with the computers I'll cooperate fully. I have no reason to be concerned, as I haven't, and never will do anything to mess with any sort of device on campus.

[dalekphalm]

40 minutes ago, Being Delirious said:

Well it terms of the bios, you can easily reset one by either taking out the battery, or pressing the reset bios switch on the motherboard.

Most modern Enterprise grade computers (Such as Dell or HPE) would write the BIOS password to a protected non-volatile media, and pulling the battery wouldn't do anything.

27 minutes ago, RorzNZ said:

Its probably on purpouse. Further in Computer Science at my uni you learn to develop Linux drivers so I imagine this would be convenient. Unless you have silly people who waste their time I dont see the issue?

Why would developing Linux Drivers require access to the BIOS?

If the computers needed Linux, the IT department should pre-install a dual-boot system or some other permanent solution.

 

Furthermore, in modern UEFI BIOS, you can disable booting from external devices, like USB, while still allowing booting to different internal OS's.

15 minutes ago, Princess Cadence said:

Surprisingly enough that's how I got my ever only suspension from high school, someone trolled teachers by replacing the keyboard keys on the classroom computer keyboard, teachers would always suffer typing all wrong and classes wouldn't work out so some day I just had enough of it went there took the keys off and replaced them correctly.

 

Someone that disliked me recorded it and said I was the one who was making the trolling, got myself 3 days suspension even though I showed it was in the correct layout now and I was only getting it fixed, got a lectured not to ever "play around" with school property.

 

Meh... ever since I stopped caring to others on person as much.

I mean... you should have just told a teacher, and showed them a normal keyboard compared to one of the "messed up" ones.

[firehawken]

29 minutes ago, Majinhoju said:

College/University was a while ago for me so I don't remember everything but do students sign any sort of documentation or policy declaring that they won't misuse the hardware? It's not like it's children using these computers.

I don't remember signing any sort of documentation relating to that. I also don't know of anyone else who has had to sign that type of documentation.