GNU social JP
GNU social JP is a GNU social server based in Japan.
Conversation


    BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 06-Sep-2025 07:16:57 JST

    #StreisandEffect

    Copying an archive.is link of this OregonLive.com story because it probably deserves more attention and is behind a paywall:

    "A former University of Oregon undergraduate who says he discovered a significant security flaw in the college’s computer network and twice reported it to university officials faced a disciplinary hearing as a result."

    "Physics major Owen Mitchem said he was able to inadvertently access confidential information, including the Social Security numbers of more than 3,500 public university employees around the state, last fall, including of the university’s president and its football coach, the highest-paid public employee in the state. He says the breach should have been a wake-up call for the university to tighten its online security."

    "But according to an email the university provided to The Oregonian/OregonLive in response to a public records request, the university’s associate dean of students, Dianne Tanjuaquio, concluded that Mitchem’s actions violated the school’s policies on “acceptable use of computing resources.” She required him to write a 750-word essay reflecting on the situation; if not completed, he could face a suspension of his student account, preventing him from registering for classes or changing his course schedule."

    "Mitchem says he was just searching in Microsoft Teams for some budget figures for the physics club he ran when he stumbled across a spectrum of university financial documents, visible via files on SharePoint, a Microsoft tool that can be integrated with Teams. They seemed harmless at first glance, he told The Oregonian/OregonLive, but not something his student email permissions should have allowed him to view."

    "Mitchem alerted a physics department grants technician and assumed the wide access would be quickly corrected. He later found out that the technician hadn’t alerted the university’s information department, meaning that unbeknownst to him, the IT department remained unaware of the security lapse, Mitchem said via email."

    https://archive.is/rG2KG


      Bill Zaumen (bzdev@fosstodon.org)'s status on Saturday, 06-Sep-2025 07:18:15 JST, in reply to BrianKrebs

      @briankrebs Since this person is a physics major, perhaps his 750 word essay should go into what he learned about doing experiments, including all the steps and record keeping so you can reproduce it and test hypotheses.

      Curiously, once while doing some mundane operation - copying a file - I managed to get system privileges on a computer. I repeated the steps a few times to make sure that I had recorded everything needed to reproduce that behavior, and then reported the problem.

      M Schommer (musevg@23.social)'s status on Saturday, 06-Sep-2025 07:18:41 JST, in reply to BrianKrebs

      @briankrebs
      Hello ChatGPT, old friend. How are you today?
      Please write me an essay of 5000 words (plus citations) on information security and privacy, featuring AuthN and AuthZ. Also include chapters on need to know principle and auditing. For good measure sprinkle some don't shoot the messenger and security-by-obscurity and add a list of 5 local pentesting companies. In all Alice-and-Bob examples, name the adversary Dianne (she/her).
      Thank you and have a nice day!

      Mark Bryant (spartan_1986@infosec.exchange)'s status on Saturday, 06-Sep-2025 08:12:32 JST, in reply to BrianKrebs

      @briankrebs

      I've personally known a few university-level IT workers. They are far more worried about students abusing their systems than APTs. The extent they go to, trying to catch website defacers from within, puts any corporate insider threat program to shame. I remember one sysadmin out of Boise I took a class with who had a dozen honeypots set up on internal networks just to catch students, and not one designed to ensnare an APT. He would sit there during class breaks and give a "play by play" of all the students he was going to get into trouble. To say UO going after the student doesn't surprise me is an understatement. Most university IT staff are very out of touch IMO.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.