Open Source and information security mailing list archives
 
Date: Mon May  1 03:12:23 2006
From: jeremy at linuxwiz.net (Gaddis, Jeremy L.)
Subject: What is wrong with schools these days?

Mike Iglesias wrote:
> Many universities do not have a central IT organization running every 
> computer on campus as you would in a commercial enterprise.  They have a 
> decentralized model where each school, department, or research group 
> runs their computers. In addition, you have many students, faculty, and 
> staff with personally owned laptops that they take care of (or not) 
> themselves.  So you have many little fiefdoms running computers, some 
> with more of a clue than others.  The clueless ones have untrained 
> students running the computers, and most of them don't know much about 
> security.  They're told to set up a computer and put this data on it so 
> the professor can do his research.

While this often holds true, there should always be a central infosec 
department that has the ability to kill a switch port.  Kill the network 
connection to a critical server exposing private information and people 
take notice pretty quick.

> Central entities in universities, like the registrar, should know what 
> they are doing if they are setting up ways to remotely access information.

Yes, they should, but they often don't.  Remember, these end users are 
just that -- users, not security professionals.

> Not responding to emails and/or phone calls to the security/abuse/etc 
> group is irresponsible, if you ask me.

Agreed, though lack of a response doesn't mean nothing is happening. 
Often times, the first thing infosec must do is contact legal for advice. 
  Legal's first advice is often to simply not respond.

-j

--
Jeremy L. Gaddis
GCWN, MCP, Linux+, Network+
http://www.jeremygaddis.com/
