Friday, May 21, 2004
Administration Privacy Double-Talk
"Though he's majoring in computer science, Jon Oberheide said he didn't need to draw on his studies to come across a serious security breach within the University of Michigan's online student records system.
With literally a few clicks of the mouse, he found easy entry to student and alumni Social Security numbers, addresses and student identification numbers issued by the university. The data were exposed through Wolverine Access - a Web portal containing financial aid, billing records, transcripts and other sensitive information for students.
"It was amazing how simple it was," Oberheide said. "It took like five mouse clicks. It was kind of scary ... You wonder how many other people have seen it." ...
U-M Registrar Paul Robinson said there was no reason for students or their parents to panic.
"We want them to know we're taking this very seriously," Robinson said. "There was no chance for anybody's record to be altered." ...
The Wolverine Access break isn't the first information security problem facing the university. Last year, a university audit revealed that several departments failed to erase sensitive information about students and employees from computers before they were sold to the public through the university's Property Disposition warehouse. The audit found 19 of 28 computers ready to be sold from Property Disposition contained university data. Of those, five had student and employee names and Social Security numbers, among other private information.
Separately, Ning Ma, a former U-M engineering graduate student, stood trial in March on 23 computer-related felony charges after he was accused of stealing user names and passwords of students and faculty. A jury deadlocked on a verdict in the case. Ma, who has maintained his innocence, will face a second trial. ..."
> AANews: "U-M online security flaw exposed"
This is from an administration which recently congratulated themselves on their privacy in an email to graduating students. It seems some corrections are in order before we can brag about being a "leader" in student privacy:
"Congratulations on your upcoming graduation!
If you are not returning to campus next term as a graduate student, faculty, or staff member, the following information is directed to you.
While there are services that are less expensive or even free, you will find that your UM-Online package guarantees the privacy and security afforded by one of the leading advocates of student rights.
The UM-Online order form can be completed online at the UM-Online Web site: http://www.umonline.umich.edu/services/ or you can print a copy to be completed and mailed or faxed to the ITCS Accounts Office...."
Meanwhile, the administration simply handed over the names of eight students charged with copyright violations by the RIAA:
"U-M hands over song copy names
The University of Michigan complied with a subpoena on Thursday and handed over the identities of eight students and one staff person who allegedly used its computer network to illegally distribute thousands of copyrighted songs over the Internet.
The recording industry had sought the information but only had the IP addresses of the individuals, essentially the unique numeric address assigned each user's computer by the Internet service provider, which, in this case, is U-M.
Now it will contact the people to reach a settlement. The average settlement in these cases has been $3,000. If no settlement is reached, it will file a lawsuit.
U-M had received the subpoena earlier this month and was up against a May 20 deadline to comply. Lawyers reviewed the subpoena and found it was valid. U-M turned over the names, addresses, telephone numbers and e-mail addresses of each individual." (In Brief)
Here's the relevant part of the Standard Practice Guide, the University's rules which apply to faculty, staff, and administrators, about "Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan" (PDF)
Posted by Rob at 11:47 AM