March 6, 2008
One More Security Lapse at Ohio U.
Just a week after Ohio U.’s president told a packed room at The Chronicle’s Technology Forum in Tampa that the university’s days of sloppy IT security were over, the student newspaper has reported another lapse: 25,000 photos of students were on a freely available Web server, with no password protection.
The photos appeared to be head shots of students taken for their university identification cards, the paper, The Post, reported. They were on a Web site used by the university’s resident assistants. The site was available to anyone who knew the precise Web address to type into a browser.
No other data were associated with the photos, and within hours of being notified of the lapse by the newspaper, the university restricted access to the images. It does not appear that anyone’s privacy was compromised. But in these situations one can never be sure. And leaving these images open to the public might be a violation of the Family Educational Rights and Privacy Act, a federal law.
Ohio U. made national headlines in 2006 after hackers broke into the institution’s computer network several times, exposing thousands of private alumni records. Roderick J. McDavis, the university’s president, told the Technology Forum crowd on February 26 that Ohio U. had shored up its IT department and network systems, spending $2-million so far, with plans to spend $8-million altogether.
But apparently there are still a few holes to be patched. “This is a perfect example of where there was one layer that was not as pat as we would want it to be,” Brice Bible, the university’s chief information officer, told the newspaper.—Josh Fischman
There has to be something else to write about! Last time I checked, posting photos online with no other personally identifiable information was NOT a violation of FERPA or any other federal law! So how MIGHT this be a violation of FERPA?
— Huey Mar 6, 08:18 PM #
Hackers will get in no matter what. Some are real pros who have to show off their stuff. Those who publicly pronounce their invincibility will be even greater targets because it will be a greater challenge.
— Robert Mar 7, 07:26 AM #
So an RA who is also a member of the student press accesses a Web site for use by RAs, then writes about it in the student newspaper…and this is news?
— Vincent Mar 7, 10:06 AM #
You know how some people avoid photographs because they believe that photographs steal a bit of their soul? What would happen if you posted that photo on the Internet? Is there any further effect on their soul? Could it like drain their soul completely? And what is a person without a soul? A zombie? Hmmmm.
— marci Mar 7, 12:13 PM #
Sounds to me like Ohio University is trying to steal their students’ souls. :)
— Bob S. Mar 7, 12:43 PM #
The photographs also had student id numbers attached to them. The RA, who writes for the Post, did not have access to the site with the photographs. The university has sent the campus cops after the Post writer in an effort to scare him and other students from finding and reporting security failures still present after Ohio University spent $2 million on private consultants and is paying Brice Bible $210,000 to CIO its info technology. The university’s president should learn not to make claims that clearly lack documentation.
— jeff b. Mar 8, 08:04 PM #
The RA is a University employee who, in loyalty, is supposed to be looking after the interests of both the University and the students. So when he found the lapse he should have reported it to the proper University officials to fix the problem without the fanfare of publishing it in the student paper. I would immediately terminate him from his RA position! Whatever happened to the old value of loyalty – and don’t tell me that it is “covering up a violation” to fix the problem without publicity. Minor errors can/should be fixed without a congressional hearing.
A second disappointing item was that the Education Department spokesman made a dumb public statement without checking the law. The FERPA (34 CFR Part 99) was cited by a wise writer in the comments section of the student paper. Check it out (http://www.ed.gov/legislation/FedRegister/finrule/2000-3/070600a.html under section 99.3). It may have been a minor violation of University but not a Federal case.
Much handwringing about nothing.
— Ole Professer Mar 10, 12:39 AM #
You know what gets me about this whole thing. If students who supposedly LOVE the university want to really help, then what they do is contact IT and tell them, “hey, there may be a problem here” and they allow IT to FIX the problem, they get an “atta’ boy” thank you, and then they go on their way. They don’t see who can be the first to broadcast the dirty laundry and give the U a black eye. The Post Reporters and Chief Editor are childish Edward R. Murrow wanna-bees. They have a lot of growing up to do. They are never going to get a job doing making big deals out of non-issues.
— endSider Mar 10, 09:27 AM #
Ole Professor asks “Whatever happened to the old value of loyalty”? Excellent question. Why not ask OU IT, who, when the hole was discovered, actively encouraged their employees to “report regarding data privacy or integrity, inappropriate use of technology, software piracy or copyright infringements through the Ohio University Ethics Hotline (https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=13086) by calling toll-free at 866-294-9591”. Apparently, loyalty is a one-way street. The above “ethics” link, is a third party website that OU shelled out tens of thousands for, in order to enable anonymous “tips” about anything and everything one could accuse someone else of, WHETHER OR NOT IT IS TRUE. Don’t go to the newspaper, oh, no. Parents might find out that their daughter’s picture is widely available on the internet. Not that that’s a problem, getting caught is the problem.
Like some Orwellian gulag, OU feels that it is worth that kind of money to generate false reports from disgruntled employees with an axe to grind, rather than spending the money to shore up its servers. Welcome to the New Soviet Union, where people are encouraged to snitch on their co-workers, with impunity. As long as we keep it “in the Bobcat family”, everything will be just fine. It is appalling what is happening in this country right now, and even moreso when the institutions of Higher Learning, who should know better, fall in lock-step behind the Totalitarian surveillance mentality that currently grips the U.S. With all due respect, Ole Professor, I got your loyalty right here.
— Alum Mar 10, 09:34 AM #
To endSider and Alum: I hope that you are not surprised that I agree with both of you albeit for rather different reasons.
I always take an open-minded viewpoint to search for intelligence, even when I don’t completely agree. I do except the junior high school, childish rants which appear occasionally even though this is supposed to be a scholars’ forum.
— Ole Perfesser Mar 10, 05:10 PM #
jeeeez, i hope my photo doesn’t get released!
— Client #9 Mar 10, 08:39 PM #