Data Privacy Month (with a painful story about the students-l list)

Today is Data Privacy Day. See http://www.staysafeonline.org/data-privacy-day/

To celebrate, here is a true story culled from the vaults of HMC server administrator lore. Read it, weep… and then change your passwords.

Once upon a time there was a moderator of the students-l list. She was diligent and hard-working, devoted to the task of saving other students time by only approving messages that she judged to be of interest to students, and collecting together announcements about events at the other Colleges so they could all be included in one message. She worked on this most days, using the students-l list software.

The students-l list system is very old and resides on a Linux machine called Odin. The list system is so old that it may have been created when “GUI” was only a railway code for a station on the Glossop Line and graphical user interfaces were figments of fevered imaginations at Xerox PARC.

Now one day our diligent moderator (let’s call her Agnes) logged in to the system and noticed it was really slow, slower than usual.  At first, Agnes thought that maybe the list system was on the blink or even that Odin was finally giving up the ghost.  She couldn’t moderate messages or send anything out to students-l. Agnes quickly reported it to the CIS Help Desk.

The server admins were soon busy examining Odin as it lay there on its sheets of Irish linen. Little did they know that they were entering their very own long dark teatime of the soul, not working on high priority HMC projects, but just trying to figure out what was going on.

Bit by bit (was that pun intended?), they discovered that Odin was sending out tons of spam and then getting back tons of bounce messages.  So many that poor Odin was choking, unable to give any attention to Agnes’ plaintive login requests. Even worse, Odin was failing to recognize Agnes’ user name and trying to send error messages about that.

“But why?” said the server admins, pulling at their hair (long dark teatimes can have that effect). “Why Odin? Why now? Why spam? …Why us?”

Now you just have to sit there and imagine time passing. Slowly. No students-l messages are getting through. Spam is spewing. The server admins are ignoring other things. “Educational Technology?…no time for that.” Are you imagining that?

OK. In the end, they figured it out. Another user account on Odin had been hacked and the hackers were using it to send their spam. And how did they hack it? You guessed it. A weak password on the user account…. Sigh. Once they figured that out, the server admins had to spend several hours cleaning up the mess and then let Agnes know she was back up and moderating. Lots of time lost and all because of a weak password.

Data Privacy Day. It’s everyone’s responsibility to ensure data privacy. And it can start with a better password. For tips on creating a better one, maybe even creating one that meets HMC requirements, take a quick look at the HMC Password Policy.

Held annually on January 28, Data Privacy Day encourages everyone to make protecting privacy and data a greater priority. DPD is an international effort to empower and educate people to protect their privacy and control their digital footprint. It kicks off Data Privacy Month (http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/community-engagement/data-privacy-month).

Thanks for reading. Now go forth and change your passwords.
