Re: security hole in 802.3hssg web site
- To: "Roger B. Marks" <r.b.marks@ieee.org>
- Subject: Re: security hole in 802.3hssg web site
- From: "David Law" <David_Law@eur.3com.com>
- Date: Tue, 6 Apr 1999 23:13:15 +0100
- cc: stds-802-3-hssg-owner@majordomo.ieee.org, stds-802-sec@ieee.org, lnapoli@stdsbbs.ieee.org
- Sender: owner-stds-802-sec@majordomo.ieee.org
Hi Roger,
Thanks for pointing this one out, as you say the whole thing is a big pain.
In the past we have set up e-mail archives for our e-mail reflectors in a
password protected area of the IEEE web site. Now the need for password
protected areas is to store IEEE copyright protected material. As we send out
information on the reflector on how to obtain IEEE copyright protected drafts
the need to also password the archive came about. It however seemed a great pity
that we had to go to all the trouble of password protecting the hundreds of
e-mails that we have on the reflector archive just for the sake of a very few
e-mails that are sent towards the end of a project when the actual drafts are
produced.
This situation is particularly apparent to us in the case of the IEEE802.3
Higher Speed Study Group. This group has just formed and is the first case in
802.3 of a project that will have an e-mail archive right from the beginning of
the project. They will not have anything that needs to be private until the
generation of drafts, this is some way away in this particular project as we
have not even had our first Study Group meeting !!!
As the default we initially set up the site to be password protected hence the
URL and password in the message but I have since then been in contact with the
IEEE and they have agreered that the 802.3 Higher Speed Study Group e-mail
archive will no longer be in a password protected area. This was agreered on the
basis that when the time comes to distribute information on obtaining drafts we
will devise a mechanism so that the password does not show up in the public
e-mail archive. This will probably be achieved by sending the information out
directly to a list of e-mail addresses rather than to the reflector itself.
So at the moment we are in the process of removing the password protection from
this area and once this is done I will send out a message to the reflector
informing everyone of the removal of the password. All that we are doing at the
moment is sending out a password to an area that soon will not be password
protected. Also note that this is the only 802.3 reflector that you receive the
e-mail archive password for when you subscribe to it.
Bye for now,
David Law
"Roger B. Marks" <r.b.marks@ieee.org> on 06/04/99 21:33:12
To: stds-802-3-hssg-owner@majordomo.ieee.org
cc: stds-802-sec@ieee.org, lnapoli@stdsbbs.ieee.org (David Law/GB/3Com)
Subject: security hole in 802.3hssg web site
I've noticed a security hole in the 802.3hssg web site.
The issue is that the stds-802-3-hssg "info" file advertises the username and
password of the hssg private site
<http://grouper.ieee.org/groups/802/3/10G_study/private>. Anyone can get the
info file by sending majordomo@majordomo.ieee.org the message:
info stds-802-3-hssg
This means that anyone can easily get onto the password-protected site.
At the moment, the only thing in the site is a reflector archive. It's not clear
why this ought to be protected anyway, because the live reflector is open to
anyone by request. However, the security issue would also affect any truly
sensitive material posted to the "private" directory.
I'm cc'ing the SEC in case others have done something similar.
By the way, I have been struggling to come up with a good privacy policy with
regard to the reflector and web site. I am close to a plan. I am very curious to
know what others are doing, and what they might do differently if they were
going to start from scratch. My current policy is that the reflector and
reflector archive are available to anyone. Most of the web is too, but we have a
private site that we intend to use for contributions that are copyrighted or
otherwise too sensitive too post freely. We still need to clarify the details of
what will go there. I'd like to hear comments on when it's a good idea to leave
committee working documents out in the open and when not too.
Also, when you password-protect an area, who gets the password? Anyone who has
ever attended a meeting? [Otherwise, do you keep changing passwords as the
voting membership changes? What a nuisance!] And what are the rules on sharing
the password? Or sharing the information from the protected area with, for
example, your corporate colleagues?
By and large, this whole secrecy issue looks like a morass to me. I'd like to
avoid it as much as possible and would appreciate any advice.
Roger
Dr. Roger B. Marks <mailto:marks@nist.gov>
Chair, IEEE 802.16 Working Group on Broadband Wireless Access
National Wireless Electronic Systems Testbed (N-WEST) <http://nwest.nist.gov>
National Institute of Standards and Technology/Boulder, CO
phone: 1-303-497-3037 fax: 1-303-497-7828