That’s just how colleges are. I once reported to my alma mater that a somewhat obscure (but obviously public) link seemed to trigger the download of a zip of student details for no discernible reason (I think it was a WIP site), and they immediately threatened to call the FBI on me. I just sort of laughed it off, but I decided that was the last time I was going to initiate any sort of contact with them if I didn’t absolutely have to.
Which is the policy I followed when I found that they had stored one of their LDAP admin passwords in a world readable file on the CS servers.
Wasn't a government agency rendering citizen SSNs client-side and when someone discovered it, they went after them? Wouldn't be surprised if the anti-DRM part of the DMCA is used to persecute these non-crimes.
I think you're thinking of this case [1] from Missouri where a reporter notified the state that teacher SSNs were exposed, and the Governor went ballistic. Luckily, it seems like the local law enforcement set the record straight.
I never figured out if the governor was that inept that he was truly convinced the person was a hacker despite every tech professional's opinion, or if he was merely doubling down on the hacking accusations to try to save face.
Yes, that was in MO. Their idiot governor threatened the journalist that discovered it with prosecution.
An investigation by the Missouri State Patrol and a MO county later determined that the executive branch screwed up and leaked the SSNs and that the reporter committed no crime.
I imagine governments tend to be the same way, though my only direct experience here is that I don't report anything and nothing bad happens. The funny thing to me is that the discovery of these issues is not what triggers retaliation, but the audacity of reporting them.
Were I personally impacted, I would just submit information to the media as an anonymous whistleblower to get it fixed.
Really? If you’re personally impacted then surely you don’t want the media bringing attention to an open vulnerability where anyone can steal your data.
I’d opt for silence in this case and hope that some future update patches the bug (accidentally or otherwise).
Isn't it weird how universities are so hostile towards their students? Some professors are genuinely interested in developing students and are great, but many faculty and administrators - and the overall tone of the schools - are draconian.
Universities are businesses, they aren't institutions of learning. Students are on the "liability" side of the balance sheet. Students who stand out could accrue massive costs.
Research universities have plenty of professors who are there to do research. But they often still have a teaching responsibility. For those professors, teaching students is a mandatory thing they only do so they can keep their job doing what they actually want: research.
Those professors aren't great teachers, and I think we shouldn't blame them for it. Instead we should blame the system that forces them to do something they aren't good at.
This is a problem but it's not really related to the issue of the harsh reaction of college administrations to exposing problems, the examples mentioned in this thread and in the original article are all capital A Administration responses, a group completely separate from the professors. Some professors are involved in admin work but the vast majority of admin work is done by employees who neither teach nor research.
Which is the policy I followed when I found that they had stored one of their LDAP admin passwords in a world readable file on the CS servers.