I suppose I should be a little more articulate than that!
Posting the info will probably be construed as illegal, and you will probably be called to task for it. Check any documents you signed when you first hooked in.
Explaining to the dean is useless, to use your terms those "idiots" may well have budgeting issues, or reasons for using the printers without passwords (for example, there is some unnamed management software that you can not control certain printers with if they do have passwords on them). Frankly, you were an intern, you have no goddamned idea about what is going on there and it is not your place to say.
The idea of spreading FUD is a "l33t h@ck3r" one, not a professional idea. You do it, you are more likely to cause mass rioting than fixing the problem. Besides which it is irresponsible.
You *should* do nothing. You have done all you legitimately can. For example, I did a pentest 5 years ago for a company, and every hole is still there. Should I go wipe all their systems now to teach them a lesson? That's just idiocy at its finest.
And finally, I frequent those other forums (though not under this name), and you will either find someone willing to be bored and break out what they can, or noone will care and you will be mocked.
Do the right thing, keep your mouth shut and move on. It's not your network, it's not your problem, and you're not a student there.
QUOTE=lupin My advice is do nothing, there is a very good chance you will end up in the manure yourself for what you have already done, and if you actually start advertising the fact that you have been doing an unauthorised audit and you start spreading around the flaws you have found the chances increase that it will all come back on you. Especially if you post the flaws somewhere you shouldnt.
Once you work as a systems administrator or security professional for a while you will realise that the situation you describe of a dreadfully insecure network is the rule and not the exception. You should also be aware that no one asked you to do what you have done, and odds are you will not be greeted with praise and adulation if you start telling them they are doing things wrong. Yes that seems ridiculous, but yes it does happen a lot of the time. The messenger gets shot.
As for the lazy/incompetent admins thing. Well maybe they are, but there are other equally likely possibilities.
Its possible that those admins do know the right thing to do but don't have the time to do it - they have to move onto a new project right after an installation is done - this is very common. If an administrator works in an environment where security isn't required or rewarded, and they are not given adequate time or resources to secure systems, it's inevitable that security will suffer. Given a choice between the following, what do you think the average person would do?
- Letting security suffer and focusing on the things you will get rewarded for
- Adding security at the expense of not doing other tasks which your performance was being measured against, or
- Staying late for several hours on a regular basis to add security on your own time for no reward
As an Administrator, unless security really interested you, or you believed you had an ethical obligation to give security greater consideration than your bosses do, the rational choice is not to add security.
These same admins could also have been deliberately told to disable security functionality because it makes things take longer to setup or it breaks some piece of wizbangery that is required for "business reasons".
Another possibiliy (although probably less likely than the others) is that the college is aware of the problems and has other mitigating strategies in place, or has decided to accept the risk. This is actually a perfectly valid approach to security if done properly. Appropriate security is after all a balancing act between allowing people to do whatever they want or preventing people from doing anything, and the appropriate balance will be different for each organisation depending on the risks they face. Security also costs money, in terms of resources to implement, inconvenience and direct capital expenditure. The costs of bad computer security are also often borne by entities other than the organisation who gets breached, even taking breach notification, privacy laws and the potential cost of lawsuits into account, which also doesnt really provide an incentive to dedicate resources to improve security. While obviously I cant make any definitive statements abut this college based on the information I have, its possible that their security is actually appropriate, when all the factors are taken into account.
So my advice again - stay away from this, I dont think theres any upside from your perspective to pursue this further, unless the thought of being a whistleblower appeals. Theres lots of ways this could go bad for you, especially considering that the security posture of this college could have come about via deliberate choice, in which case nothing will change and you will get the blame for poking around in the network where you shouldnt have.