Stanford Hack Exposes 10,000

Edward Lewis Ed.Lewis at neustar.biz
Thu May 26 17:29:06 UTC 2005


>Yes, that seems obvious, but it doesn't happen. Considering the sort of
>freewheeling environment prevalent in University networks, you would think they
>would be a bastion of high security. Sadly, this isn't the case.

This isn't meant to be a bashing session on universities and other 
educational systems, just an observation.  I would think, and I may 
be wrong, that an educational network would be subject to - 
stakeholders (students, faculty, alumni) that turn over quickly, 
calendar-tied fluctuations in activity, and a user base that tends to 
be more liberal and risk-tolerant than a typical end user network.  I 
would think that these traits would work against the accumulation of 
tested operational techniques, appreciation of the time and cost of a 
reliable service, and stiff enough penalties for anti-cyber-social 
behavior.  Also working against this is the availability of time 
(like between semesters) when major upgrades can be done, because in 
the rush to do so sound techniques can be overlooked.

I don't mean to cast aspersions on educational campus IT functions. 
There is a lot of good security research and energy available in 
those environments.  I'm just saying the environment is harsher than 
for other end users.  No - I'm not leading up to a suggestion to 
quarantine them from the rest of the Internet.

Stories like this just serve as the example headlines of why any 
organization ought to take preventative measures when it comes to 
this kind of data.  Hopefully, whatever vulnerabilities were 
exploited will be patched, even if there is no public disclosure. 
(Word will get around when it needs to.)

PS - I was more surprised by the case of identity data that was lost 
when a laptop was stolen.  Why was something so valuable left in such 
a mobile form?
http://informationweek.com/story/showArticle.jhtml?articleID=159907962
An example of following bad practices.  Is the solution "more consultants?" ;)
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

If you knew what I was thinking, you'd understand what I was saying.


