Thursday, February 24, 2011

Football: Brain Damaged?

I suppose I am expected to make some pithy, well-informed comment about links I post. Otherwise, my reader, errr, readers (hi Mom!) will get bored. But all I can work up to reports of substantial brain damage in football players is, "wow." I always felt that college athletes at many (most?) schools get a raw deal. But I never imagined anything like this. Check out the Tenured Radical for details.

Saturday, February 19, 2011

OMG!! DATA BREACH!!! Ummm... not so much.

This article from the Chronicle of Higher Ed's Wired Campus blog alerts us to a recent incident at Princeton University. And wow, what a mountain was made out of such a tiny molehill!
Ms. Aronson said Mr. Li had engaged in unauthorized use of information that was supposed to be available only to university programmers who needed to access the information for official university business. She pointed to a Princeton policy that states that anybody who finds a gap in the university’s online security must report it to the university and refrain from exploiting it.
You're kidding, right? It is to laugh.

The LDAP server was set up to provide exactly the level of access that Mr. Li took advantage of. EXACTLY. There was no effort to limit access to the server so that, say, you had to have a Princeton account to log in, or you had to be on the Princeton campus. (Should it have been set differently? Arguably, yes... or no. This is a policy decision, one that I hope would have been taken by staff who were intimately familiar with Princeton's policies for handling student information.) It is only by the most CYA-inspired PR-spinning that this accessible LDAP server could be considered "a gap in the university's online security."

Mr. Li simply took advantage of the complex LDAP database protocols that were available to those with the extensive training needed to access them. Oh, wait, no, he followed the directions on a Princeton-provided web page to perform a fairly simple, if somewhat arcane, configuration of a freely available email client, directions which could have been adapted to any other LDAP client in about five seconds. (I digress to note that this web page now states that "unix access" to the LDAP server is NAUGHTY! So DON'T DO IT!! OK, cool, that means I can still use a Windows or MacOS based client, right? Or, wait, Linux isn't unix, right? Android? Yay, we still have plenty of sanctioned access methods!)

At this point, somebody out there is going to say, "Well just because I left my front door unlocked doesn't mean somebody can come in and steal stuff." True... true indeed. Let's look at what the malicious Mr. Li stole. Let's see... ummm.. there was... uhh....
The information Mr. Li found does not appear to be protected by the Family Educational Rights and Privacy Act, or Ferpa, experts say.
Experts who, presumably, were unwilling to actually go on record. (Except for Tracy Mitrano, who is cited later in the article. Though the use of the plural "experts" suggests the Chronicle spoke to at least one other person besides Ms. Mitrano.)

If Mr. Li had discovered this, shall we say, loophole, and run out to set up his web site, I'd be much more sympathetic to university officials trying to put a lid on this. But the Chronicle article says he learned about it back in the summer. It doesn't say whether he did anything before last week. But Li "said that OIT had been made aware of the security issue by other students in the past." (This last quote is from an article on the subject from the Daily Princetonian which, surprise surprise, is more sympathetic to a student view of things than the Chronicle.) But, once again, we lack the interesting details of when these notifications might have happened.

The facts are simple. The LDAP server was there, with all the information exposed. It was exposed intentionally on the part of Princeton staff who set it up. (I argue intention because the alternative, incompetence and ignorance, seems less likely in light of the LDAP access instructions previously provided by Princeton.)

The exposure of this information may have been intentional in an institutional sense, after an appropriate policy-making process. If so, all Princeton had to do was re-iterate its policy. Based on the reaction, we can assume that it was not. In that case, the sensible reaction would be to chop off the LDAP server (either drastically limit access, or, most easily and sensibly, require a login to access the information) while a new access policy was developed.

The attempt to bring some sort of disciplinary action against Mr. Li is ridiculous. The only thing it will accomplish, even if "successful," is to make Princeton look stupid. Clearly, they're already guilty of a disconnect between student information policy and on-the-ground implementation in the IT organization. Really, people, doesn't everybody have bigger fish to fry? 

Oh, yeah. Any employee of any university who reads this and doesn't ask, "gee, I wonder what directory information is available publicly from my employer?" needs to wake up.
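A first self-check for that question, added here as an example and not part of the original post: a standard-library Python script that asks an LDAP server (host name assumed) whether it accepts an anonymous simple bind, the no-login access described above. A server that accepts the bind may still restrict what an anonymous session can read, so a "yes" here means the access rules deserve a look, not that the whole directory is open.

```python
"""Constructed example: ask an LDAP server whether it accepts an anonymous
simple bind (LDAPv3, empty DN, empty password), standard library only."""
import socket

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body

def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)  # assumes msg_id < 128

def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length: low bits give the byte count
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAP BindResponse."""
    tag, msg, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(msg, 0)            # messageID
    op, result, _ = read_tlv(msg, pos)
    if tag != 0x30 or op != 0x61:           # SEQUENCE / [APPLICATION 1]
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = read_tlv(result, 0)      # resultCode ENUMERATED
    _, _, pos = read_tlv(result, pos)       # matchedDN
    _, diag, _ = read_tlv(result, pos)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def anonymous_bind_allowed(host: str, port: int = 389) -> bool:
    """True when the server answers the anonymous bind with success (code 0)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(anonymous_bind_request())
        code, _ = parse_bind_response(sock.recv(4096))
    return code == 0
```

Call anonymous_bind_allowed("ldap.example.edu") against a directory you administer; a refusal comes back as a non-zero resultCode with the server's diagnostic message (OpenLDAP, for example, answers with inappropriateAuthentication, code 48, when anonymous binds are disallowed).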

Friday, February 18, 2011

Welcome; Colophon

Welcome to my humble blog. I am an anonymous cog in the information services apparatus of a university.  I plan to blog on subjects of interest to me from the worlds of academia and of information technology. 

In the interest of keeping a low profile, I plan to remain pseudonymous. In this, as in other respects, I have been inspired by Dean Dad, whose posts have been consistently thought-provoking over the years. (I hope he will not begrudge me the shameful co-option of his blog title; I'm horribly un-creative about such things.)

I also owe a tip of the hat to Scott Adams, who inspired my pseudonym. "Steal from the best," as somebody said. Regrettably, I have misnamed myself "Denier" rather than "Preventer." Although I could change it, well, that would be a denial of my own mistake, and why not let it stand? At any rate, as I hope will be clear, my taking of the character's name does not imply that I have modeled myself after the character. Or, perhaps I'm just in, well, denial.