It takes a tough hide to be a reporter. My note in RISKS-15.06 on the RISKs of
trusting e-mail generated a modest flurry of responses pointing out some
errors and asking for some clarifications. Since all who sent me notes could
just as well have sent them directly to RISKs, I am assuming that even though
they want parts of the record set straight they don't want to do so publicly.
Although I know my "sources" on the scene were convinced of the accuracy of
what they told me, by the time the information passed into their hands it
seems that some of it was slightly garbled, although not badly enough to
weaken the essential point of the whole incident.
(Not to detract from the seriousness of the situation, I do have to note
that none of the email pointing the following out was digitally signed or
authenticated.)
1. The secretaries of the principal figures involved in the resignation
message did not take the *contents* of the message seriously. However, they
took its existence seriously, believing it indicated there had been a
serious compromise of the security of their office information systems. The
incident itself has "undermined the confidence" of the clients of the
University's computer systems. (This is new information which I think makes
the incident actually of more interest than the original version.)
2. The FBI was not called in and the students (three, not five) were not
expelled, but reprimanded and (temporarily, according to another source)
denied their e-mail privileges. I suspect here my sources were telling me
actions that were being contemplated but upon which a final decision had
not yet been made.
3. It was not really fair to mention the name of the mail client the
students used, since that is irrelevant and not the source of the problem:
it is the SMTP protocol and the inherent insecurity of the internet that
give the opportunity. One doesn't even need to have an e-mail program to
forge an e-mail message: telnet works just fine.
4. "PEM" stands for "Privacy Enhanced Mail." See internet RFCs 1421, 1422,
1423 and 1424; implementations for a variety of platforms are available.
(Temptation to insert commercial here resisted.) PEM provides digital
signatures, authentication, and encryption.
5. "6,000" of course is not the size of the student population at the U of
W, but some could have read my note that way. The number of students, all
of whom are eligible for an e-mail account, is about 41,000. "6,000" (the
number now is actually closer to 7,000) is the number who have signed up
for it so far.
Ted Lee, Trusted Information Systems, Inc., PO Box 1718, Minnetonka, MN 55345
612-934-5424 tmplee@tis.com [tmplee@tis.com (Theodore M.P. Lee) via risks-digest Volume 15, Issue 13]
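An added example, not part of Ted Lee's note, to make point 3 concrete: a small Python triage check showing why nothing in an SMTP message proves who sent it. The Received: lines are appended by the relays, so they tell you where a message entered the campus mail system, but the From: line is whatever the submitter typed, and only a signature (PEM, point 4) settles authorship. The hostnames, addresses, the trusted-origin list and both sample messages are constructed for this example.

```python
"""Why an unsigned SMTP message's From: line proves nothing (constructed example)."""
from email import message_from_string

# Constructed sample: From: claims the provost, but the only Received: line shows
# the message was injected into the campus relay from a lab workstation.
FORGED_MSG = """\
Received: from lab42.cs.example.edu (lab42.cs.example.edu [192.0.2.42])
\tby mail.example.edu with SMTP id abc123; Mon, 4 Oct 1993 10:00:00 -0500
From: provost@example.edu
To: all-staff@example.edu
Subject: Resignation

I resign effective immediately.
"""

# Constructed sample: same claimed sender, submitted via the campus mail host
# and carrying a PEM-signed body.
SIGNED_MSG = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.1])
\tby mail.example.edu with SMTP id def456; Mon, 4 Oct 1993 11:00:00 -0500
From: provost@example.edu
Subject: Minutes

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
-----END PRIVACY-ENHANCED MESSAGE-----
"""

# Assumption: hosts on which senders must log in before submitting mail.
TRUSTED_ORIGINS = {"mail.example.edu", "submit.example.edu"}
PEM_MARKER = "-----BEGIN PRIVACY-ENHANCED MESSAGE-----"

def received_hosts(msg):
    """Hostnames named in 'Received: from <host>' lines, latest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        words = hdr.split()
        if len(words) >= 2 and words[0].lower() == "from":
            hosts.append(words[1].lower())
    return hosts

def assess(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    hosts = received_hosts(msg)
    origin = hosts[-1] if hosts else None   # earliest hop is the last line added
    findings = []
    if origin not in TRUSTED_ORIGINS:
        findings.append(f"untrusted-origin:{origin}")
    if PEM_MARKER not in msg.get_payload():
        findings.append("unsigned")         # From: alone cannot establish authorship
    return findings
```

The origin check only tells you a message entered through an unexpected door; the "unsigned" finding is the one that matters, since a message can be injected through a trusted relay just as easily.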