[plug] Computer insecurity

Bret Busby bret at clearsol.iinet.net.au
Mon Aug 6 17:34:10 WST 2001


Someone posted a query about a paper that he is writing about security, and,
narrowing it down to Internet security.

I have today found that Mudrock has compromised the security and privacy of
all of its students, by implementing a change without doing it properly, and,
without thinking about the consequences.

Below is an extract of the email that I have sent to various people of
significance, within Mudrock, with details.

Christian, and, any other Mudrock students, can verify the validity of the two
examples included, the first, by simply telnetting to the library, and,
checking their borrower records. From there, holds, or, recalls, on books can
be cancelled, books can be renewed or recalled, and other actions can be
undertaken, in the name of the student whose account is being accessed.

It is the stupidity of using as an account name, that needs to be known to
other users within a system, the password of the person, on other systems
within the same institution, with the user's name being the user name on the
other systems within the institution with both the person's name and
identifying number, needing to be known by other users in the institution, by
virtue of the systems in use. Also, there is the problem, of requiring other
users within the institution, to know the person's identifying number, when
that identifying number is used to index confidential information displayed
within the institution, where the secrecy of the person's identifying number,
is the only protection of the confidential information.

Now, there's a consideration for you, Christian, in your security unit...

Given that the accounts mentioned below, are used primarily for the email
communications, and, therefore, involve the Internet, this is of relevance to
computer (in)security and the Internet, and, to system/network
(mal)administration, if not directly to Linux.

Bret Busby
.......................

I have grave concerns about the imposition of the new student email system,
which uses student numbers of students, instead of student names, for email
account names.

With the new system imposing the use of student numbers instead of student
names, for email accounts, serious and significant security and privacy risks to
the students, are imposed by the university.

I am enrolled in a unit, where contact between students is required to be made
using email. Where the student number of a student is included in email
communications, a student sending an email message to another student must
necessarily know the receiving student's student number and name. Where, as in
the case of this particular unit, group work is required, each member of the
group necessarily knows the email address of each other student in the group,
and, therefore, each other student's student number and name.

This imposes security risks and privacy risks.

At present, the library still uses the student number and student name, for
identifying a student, allowing a person who knows another student's name and
student number, to wreak havoc with the other student's library account (as
used for borrowing books, etc).

Also, with student numbers indexing semester unit results on notices posted
outside the library at the end of each semester, a student can easily find the
results and academic history of another student, now that the university has
imposed this new system.

These are just two examples, one of security, and, one of privacy, of the risks
that have now been imposed by the university on the students.

It is unfortunate that the university has chosen to jeopardise the interests of
the students, in such a way, without apparent proper consultation, either with
security advisers, or, with the student representative body, in order to
prevent such a violation of the rights of students, as the university
compromising the security and privacy of its students.

.......................
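The design flaw the post describes is the collapse of two roles into one value: the student number is a public identifier (everyone in a project group sees it as an email address) and, at the library, it is also the only authenticator. The following is an added illustration, not code from the original post or from any university system; the student records, names and secrets in it are constructed. It models the two designs side by side: a library that acts on a student number alone, and one where the number only locates the record while a separately issued secret, never exposed by the email system, authorises actions.

```python
"""
Added example (not part of the original mailing-list post): identifier
versus authenticator in a toy library-records service.

IdentifierOnlyLibrary models the weak design described in the post: knowing
a student's number, which the email system discloses to every classmate,
is enough to act on that student's borrower record.

SeparateSecretLibrary models the corrected design: the student number is
treated as public and only selects the record; a separately issued secret,
stored as a salted PBKDF2 hash, is required before any action is taken.
All data below is constructed for this example.
"""
import hashlib
import hmac
import os

# Constructed sample borrower records, keyed by student number.
STUDENTS = {
    "12345678": {"name": "A. Student", "loans": ["Book one"]},
    "87654321": {"name": "B. Student", "loans": ["Book two"]},
}

PBKDF2_ROUNDS = 100_000


class IdentifierOnlyLibrary:
    """Weak design: the public identifier is also the only credential."""

    def __init__(self, records):
        self._records = records

    def renew_loans(self, student_number):
        # The only check is that the number exists. Anyone who has received
        # email from this student knows it, so anyone can renew, recall or
        # cancel holds in the student's name.
        record = self._records.get(student_number)
        if record is None:
            return None
        return list(record["loans"])


class SeparateSecretLibrary:
    """Corrected design: identifier selects, a private secret authorises."""

    def __init__(self, records):
        self._records = records
        self._verifiers = {}  # student_number -> (salt, pbkdf2 digest)

    def enrol(self, student_number, secret):
        # The secret is issued out of band (not derived from the student
        # number or name) and stored only as a salted hash.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), salt, PBKDF2_ROUNDS
        )
        self._verifiers[student_number] = (salt, digest)

    def _verify(self, student_number, secret):
        entry = self._verifiers.get(student_number)
        if entry is None:
            return False
        salt, expected = entry
        candidate = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), salt, PBKDF2_ROUNDS
        )
        # Constant-time comparison so a wrong guess leaks nothing by timing.
        return hmac.compare_digest(candidate, expected)

    def renew_loans(self, student_number, secret):
        # Knowing the student number (from an email address) is no longer
        # sufficient; the caller must also present the issued secret.
        if not self._verify(student_number, secret):
            return None
        return list(self._records[student_number]["loans"])


def demo():
    """Run both designs against the same constructed records."""
    weak = IdentifierOnlyLibrary(STUDENTS)
    hardened = SeparateSecretLibrary(STUDENTS)
    hardened.enrol("12345678", "issued-secret-for-A")
    return {
        "weak_with_number_only": weak.renew_loans("12345678"),
        "hardened_with_number_only": hardened.renew_loans("12345678", ""),
        "hardened_with_secret": hardened.renew_loans(
            "12345678", "issued-secret-for-A"
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The same separation answers the post's privacy example: if a results notice must be indexed by something, the index value has to be one that only the student and the institution know, not the number that every classmate already sees in an email header.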
