Stanford Hack Exposes 10,000
Edward Lewis
Ed.Lewis at neustar.biz
Thu May 26 17:29:06 UTC 2005
>Yes, that seems obvious, but it doesn't happen. Considering the sort of free
>wheeling environment prevalent in University networks, you would think they
>would be a bastion of high security. Sadly, this isn't the case.
This isn't meant to be a bashing session on universities and other
educational systems, just an observation. I would think, and I may
be wrong, that an educational network would be subject to -
stakeholders (students, faculty, alumni) that turn over quickly,
calendar-tied fluctuations in activity, and a user base that tends to
be more liberal and risk-tolerant than a typical end user network. I
would think that these traits would work against the accumulation of
tested operational techniques, appreciation of the time and cost of a
reliable service, and stiff enough penalties for anti-cyber-social
behavior. Also working against this is the availability of time
(like between semesters) when major upgrades can be done, because in
the rush to do so sound techniques can be overlooked.
I don't mean to cast aspersions on educational campus IT functions.
There is a lot of good security research and energy available in
those environments. I'm just saying the environment is harsher than
for other end users. No - I'm not leading up to a suggestion to
quarantine them from the rest of the Internet.
Stories like this just serve as the example headlines of why any
organization ought to take preventative measures when it comes to
this kind of data. Hopefully, whatever vulnerabilities that were
exploited will be patched, even if there is no public disclosure.
(Word will get around when it needs to.)
PS - I was more surprised by the case of identity data that was lost
when a laptop was stolen. Why was something so valuable left in such
a mobile form?
http://informationweek.com/story/showArticle.jhtml?articleID=159907962
An example of following bad practices. Is the solution "more consultants?" ;)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
If you knew what I was thinking, you'd understand what I was saying.