Greg @ 2004-05-24 19:53:00
Lying fuckers
Skimming through the Daily today, I noticed this article about the student who basically stumbled upon the official record database accidentally.
Contrary to what the university said in its letter (which was the topic of an earlier post here), the fact that this guy accidentally came across the records (at least, assuming he's being honest) means it wasn't a particularly difficult thing to do. And given that the problem "may have existed" since February (coincidentally the date that they "improved" Wolverine Access), I'd be willing to bet other people had come across the same info before.
“It’s just crazy because it wasn’t hard to get to at all. It took about five clicks and required no secret code at all.”
Some guy from the university argued that it was unlikely others had seen it because you had to already be logged into Wolverine Access (which "narrows" the pool of possible people to, oh, about 50,000 people).
Plus, it was someone using Safari from a Mac, rather than Internet Explorer. So Safari on OS X is the "infrequently used operating system/browser combination employed by a small percentage of individuals with access to the system"?
This page points out that "most U-M students, faculty, and staff use Wolverine Access via operating system/browser combinations that did not enable unauthorized access to this information." But "most" doesn't mean "all" or even "the vast majority". It'd be one thing if the information was only accessible to someone using Linux or an obsolete version of Windows or Mac OS, but nearly every student, faculty, or staffperson using a Mac in any one of the dozen or so computing sites on campus probably uses Safari for browsing.
So yeah, I'm pretty much counting on multiple unauthorized people having had access to my personal information, and am just hoping none of them decided to remember it...
Edit: Turns out it's worse:
"Peterson added that the student used the Safari web browser for Macintosh operating systems whereas most students use Internet Explorer and would not be able to gain access through Internet Explorer."
Actually I used Mozilla Firefox on Gentoo Linux. Mozilla is also available for Windows and Mac. In addition, it IS possible to access through Internet Explorer although it requires a bit more technical knowledge.
Jon Oberheide
jonojono@umich.edu
So the university's most common browser would have allowed access, plus, while fewer general students may be using the browser he used, the ones who do probably tend to be more technically adept anyway, and could have been using it from any platform.
Edit2: This was posted as a comment in my own journal.
My friend pointed out the umstudents livejournal post about this issue to me. Apparently I can't post anon on the umstudents group so if you could 'forward' this over there that'd be great.
mreyeliner: Yeah, I did go to Troy High and we still do run our business...who are you/what year did you graduate?
ripburger: Correct, social engineering is a huge problem that is still unheard of in many organizations. A computer is only as secure as the person in front of it...meaning not very secure for the average user. Human stupidity is often the weakest link in many situations and employees need to be trained to recognize social engineering techniques. 'The Art of Deception' by Kevin Mitnick is a good read.
bittershell: Thanks for pointing out the Daily feedback addition. Regarding the whole Safari/Mac fiasco, apparently the Daily pulled that one out of their ass or got confused somewhere. I talked to MAIS about that and they have no idea where that quote came from...Julia Peterson did not say that. They may have gotten mixed up when talking to ITD as the bug was reproduced by ITD on Safari over the phone with me. So yes, all browsers and platforms were affected. All that was necessary was the ability to open a specific frame in a new window...Mozilla just makes that easier.
I would also be very surprised if someone else did not stumble upon it, given the huge number of people that use Wolverine Access. Unfortunately, for that same reason, it is rather infeasible to maintain log files for that long of a period of time to know for sure.
While a full dump of the database would not be possible with the limited web-based forms and restriction to 300 results, it would be possible to get a large majority of the data with some complex screen-scraping and common-name techniques. Let's hope no one came across it and thought of that.
So in conclusion, there's not really any way to know who's been affected, so everyone just needs to keep a watchful eye on their credit report.
If you have any questions, hit me up at jonojono@umich.edu or on AIM at BinaryJono.
Regards,
Jon Oberheide
jonojono@umich.edu