Comments on: SSN Records at UChicago Compromised

By: Mark

Mark — Mon, 30 May 2005 05:18:15 +0000

I’m not sure if this could really be called a “compromise” since there has been no “incident” (at the moment, no one is known to have stolen the data), but it is a severe security violation.

I’m glad that deligent Residential Computing staff found the information, but I do find it dubious that the information ended up on krypton in the first place. I am disappointed as well that that would occur.

The window of opportunity has also been sporadic since Rescom people have combing through the files periodically. I realize that is of little confort. NSIT ans associated organizations should have been auditing services immediately after sensitive files were first discovered.

What is sad is that some organization in the administration just really did not get it… and was uploading files up to last week.

My theory is that the information originated from the registrar’s office and was placed on krypton in order to transfer the information from one office to another within the administration. The perpetrators probably were not aware of the public nature of the server nor of the inherent insecurity.

I optimistically hope that the Good Guys ™ found it first and that the current situation will make people more aware of the sensitivity of the data they handle.

By: Ali Ebrahim

Ali Ebrahim — Sat, 28 May 2005 16:26:02 +0000

To “someone@uchicago.edu”, you’re quick to assume that I’m laying the blame on NSIT. In fact, nowhere in my post did I blame NSIT for how this has been handled. When I talk about the “university”, I use it to refer to the careless entity who uploaded private data onto a publicly accessible server. Given my dealings with those at NSIT, I don’t think there is anybody there who would be stupid enough to do this.

I said that the people at NSIT are good people, and I applauded their quick action. Ultimately, NSIT cannot be held responsible for what its users do. I think we are in agreement on this.

I remain disappointed with the organisation within UChicago who negligently stored this information on a publicly accessible server.

By: Someone

Someone — Sat, 28 May 2005 15:54:18 +0000

This was not the fault of NSIT. Krypton is not a secure server and the policy is clear: don’t put up things that need to be secure! Someone who had access to Krypton — and that’s a lot of people — uploaded secure information and made it world readable. As far as I know (contrary to the Maroon article) none of this information was available at any time directly from the internet. At the least you needed access to Krypton.

If, say, OUSH uploaded your personal information to a web server run by AOL would you upset with the OUSH or AOL? Everyone seems to be opting for the latter.