The Chronicle of Higher Education
News Blog

September 30, 2007

University Allows Student Journalist Who Discovered Data-Security Flaw to Remain

A student at Western Oregon University, who discovered while working at the campus newspaper that the institution had left private information about some applicants out in the open, on an unsecured computer network, will not be kicked out of the university. A disciplinary committee, which met on Friday to determine the student’s fate, decided that he could stay.

Blair W. Loving, a 29-year-old senior English major and copy editor for the student paper, had been accused of violating the university code of conduct because he accessed sensitive material on a university computer, The Oregonian reported. The incident, which occurred in June, had already cost the job of the newspaper’s faculty adviser, Susan Wickstrom.

The trouble started on June 5 when Mr. Loving, while working at the student-run Western Oregon Journal, logged on to the university’s network and opened a file that contained the names and Social Security numbers of 100 applicants to Western Oregon’s College of Education. He told The Oregonian, a newspaper in Portland, Ore., that he found the file by accident, and was shocked to see how much confidential information it contained.

Mr. Loving says he made a copy of the file and immediately told the editor at the student paper, who informed Ms. Wickstrom of the discovery that same day. She reportedly kept a copy of the file given to her by the students. The editor also informed College of Education officials; the newspaper went on to publish a story about the security lapse that month.

By June 7, university administrators had begun an investigation. It is not clear what they did to shore up computer security, but it is clear that they felt both Mr. Loving and Ms. Wickstrom may have violated the institution’s computer-use policy. Ms. Wickstrom — who did not immediately inform the administration of the data breach — was notified on August 8 that her contract would not be renewed. Mark Weiss, Western Oregon’s vice president for finance and administration, said that he could not comment directly on the dismissal because it was a personnel matter. But he stated that a journalism adviser should be able to inform students about the importance of privacy as well as the importance of press freedom.

Mr. Loving went before the Student Conduct Committee on Friday. Tina Fuchs, dean of students, told The Oregonian that she would not comment on the decision because it was confidential.

Mr. Loving told the Portland newspaper that he would be allowed to remain at the university, but he would have to write a proposal for helping students understand the responsibilities of using the computer system. And he would have to write a commentary in the student paper about the importance of reading campus policies.

The university, for its part, agreed to restore Mr. Loving’s computer access. —Josh Fischman

Posted on Sunday, September 30, 2007

Comments

  1. So what happened to the folks that left the info unsecured? It appears Western found a couple of scapegoats.

    — Dr. Bill    Oct 1, 07:48 AM    #

  2. I guess the student should have simply sold the private information to on-line identity theft brokers, rather than violate the “university code of conduct” by revealing a serious administrative blunder to (shudder…) the public.

    — Dr. Jim    Oct 1, 08:43 AM    #

  3. Sounds to me as if both the student and the advisor have cause for action against the university. I hope they take it. At the very least, the university should be forced to apologize to the student. From this account it is difficult to come to any other opinion than that the university retaliated for being exposed.

    Mr. Loving should bill the university for his time.

    — Owen Lock    Oct 1, 09:05 AM    #

  4. The University leadership was clearly embarrassed by this and took it out on the student and his advisor, blaming them instead of accepting the blame, which was clearly theirs. The student and advisor should have been thanked, not spanked.

    — Prof Bill    Oct 1, 09:24 AM    #

  5. I agree that from this article the only conclusion I can draw is that the university retaliated against a whistle-blower. I hope both student and advisor take swift legal action against the university.

    — Former EIC    Oct 1, 09:55 AM    #

  6. The CIO should be booted, the president hauled over white-hot coals, the members of the disciplinary committee ought to be flogged, then put into pillory for a week for even considering to participate in the travesty. THEN a full, public apology should be made to the student, followed by the award of an all expenses-covering “BA to Postdoc” scholarship. After all, a good lawsuit would cost the university significantly more, result in the CIO still getting fired, and possibly the president as well, while the lofty members of the committee would have egg all over their faces anyhow. O tempora, o mores, what?

    — Dag von Lubitz    Oct 1, 10:22 AM    #

  7. Clearly, there was a security problem if personal data was exposed to a normal network user. A regular user should not be able to access a directory or folder without a “need to know.” That said. . .

    The sentence, “(He) logged onto the university’s network and opened a file. . .” skips a heck of a lot of key info. What was the purpose of the server and shared folder where the file was located? Why was he in that folder looking around? If someone took a student data file and saved or copied it to the College Newspaper’s work folder, that would be one thing. It doesn’t sound like that happened, rather, that the student was snooping around on the network and found a shared folder where the permissions were set incorrectly. Most college user policies forbid such conduct. If you aren’t authorized to be on a particular server, you don’t go there. If a file doesn’t belong to you, you shouldn’t be opening it. If a faculty member left his or her office unlocked and the student went in and took a test from the desk drawer, who is at fault? Does an open door (or unsecured network folder) mean you can go in and do anything you wish? And it’s okay?

    Hardly. Had the student and the advisor reported the security breach right away, instead of making copies of the file, and opening them, and sitting on the information for 2 days, I doubt there would have been a problem for either of them. They could still have written a great story once they lived up to their responsibilities as network users.

    — Bill    Oct 1, 10:57 AM    #

  8. Here are three paragraphs from the Oregonian about the case:

    “The incident unfolded at the end of last school year when Loving used his laptop to log on to the campus server. Newly named to the campus newspaper staff, Loving found the file while practicing with the system used by student journalists to edit stories.

    “He told editors, and they made a copy of the file on a compact disc. Newspaper staffers went to administration officials to tell them about the security breach and later wrote a story.

    “Susan Wickstrom, the university’s journalism adviser, held the disc temporarily before turning it over to the administration. She lost her job with the university.”

    It sounds to me like Mr. Loving has been scapegoated. No one assumes that a folder he can access is off-limits.

    — Dennis Sepper    Oct 1, 12:27 PM    #

  9. Technically, Bill is correct. Practically, it rarely works like that, and a jury will look at the practicality. WOU will rue the day they fired Ms. Wickstrom.

    — marci    Oct 1, 01:08 PM    #

  10. WOU administration has made complete idiots of themselves. They were caught in a lapse and are choosing to focus on punishing those who discovered it, when it is clear that those individuals had no ill intent. Sure, they technically violated a rule, but come on. This course of action is only making WOU come off worse than it already did.

    — Kenneth    Oct 1, 05:14 PM    #

  11. The story in the Oregonian contained false information and was highly slanted. Certainly there was culpability on the University’s part, however, the actions (and non-actions) taken by the media advisor were inexcusable.

    — in the know    Oct 1, 05:21 PM    #

  12. Isn’t Bill the name of WOU’s CIO?

    — John    Oct 2, 12:47 AM    #

  13. John – It may indeed be the name of WOU’s CIO. But that post was mine and I live on the other side of the country. Nice try. One doesn’t have to work at the place to see that the student was probably doing something he shouldn’t have been doing. . .

    — Bill    Oct 2, 11:31 AM    #

  14. If you leave the gate to your backyard unlocked and someone drowns in your pool in the backyard, you’re responsible. Never mind that the poor soul that drowned shouldn’t have been in the backyard; you’re at fault for not locking your gate. In the same spirit, the knuckleheads who run WOU should have said thanks for the heads-up, and then possibly talked with Loving and Wickstrom about university policies.

    — Carolyn    Oct 2, 03:19 PM    #

  15. The decision to punish and not reward is perhaps poorly thought out. It can lead to bad relations between the university and students. If I am a student and run across another security problem there I would not report it except perhaps to some spurious friends who can post it to the web and let the university find out that way. Or perhaps I will advise the individuals on the list who can determine what action they wish to take.

    Another response the university initially possessed is to reward students who find security flaws. Some might say that rewards will make them look for flaws. I agree. I think they are going to look for flaws anyway. With rewards they may bother to report them. In the infamous words of Napoleon Dynamite: “Idiots!” :)

    — web-devel    Oct 2, 04:32 PM    #

  16. The comments made about the individuals’ responsibilities in knowing policy are correct, but policies are not controls. As with locks or gates, they only keep honest people honest – the school did not exercise due diligence by securing the information and is ultimately responsible for the information being accessed by unauthorized persons. In this case, individuals with no malignant motive discovered the security lapse. Perhaps this gap has already been exploited by others with less than honorable intentions – and those social security numbers are already compromised.

    — Jim    Oct 3, 09:35 AM    #

  17. The punishment makes the critical point in this episode: It is not the responsibility of employees or students to find out organizational policies. It is the responsibility of the organization to ensure that all hands know and follow policies. A piece in the student newspaper does not satisfy this requirement. An audit team asks to see published policy; then asks employees about the policy; then looks at the tapes to see if policy compliance is accomplished and logged. The University is at fault.

    — Jeff O'Byrne    Oct 5, 03:11 PM    #