security hole in 802.3hssg web site
- To: email@example.com
- Subject: security hole in 802.3hssg web site
- From: "Roger B. Marks" <firstname.lastname@example.org>
- Date: Tue, 6 Apr 1999 14:33:12 -0600
- Cc: email@example.com, firstname.lastname@example.org
- Delivered-To: email@example.com@fixme
- Sender: firstname.lastname@example.org
I've noticed a security hole in the 802.3hssg web site.
The issue is that the stds-802-3-hssg "info" file advertises the username and password of the hssg private site
<http://grouper.ieee.org/groups/802/3/10G_study/private>. Anyone can get the info file by sending email@example.com the message:
This means that anyone can easily get onto the password-protected site.
At the moment, the only thing in the site is a reflector archive. It's not clear why this ought to be protected anyway, because the live reflector is open to anyone by request. However, the security issue would also affect any truly sensitive material posted to the "private" directory.
I'm cc'ing the SEC in case others have done something similar.
Also, when you password-protect an area, who gets the password? Anyone who has ever attended a meeting? [Otherwise, do you keep changing passwords as the voting membership changes? What a nuisance!] And what are the rules on sharing the password? Or sharing the information from the protected area with, for example, your corporate colleagues?
By and large, this whole secrecy issue looks like a morass to me. I'd like to avoid it as much as possible and would appreciate any advice.
Dr. Roger B. Marks <mailto:firstname.lastname@example.org>
Chair, IEEE 802.16 Working Group on Broadband Wireless Access
National Wireless Electronic Systems Testbed (N-WEST) <http://nwest.nist.gov>
National Institute of Standards and Technology/Boulder, CO
phone: 1-303-497-3037 fax: 1-303-497-7828
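The weakness Marks describes is a shared web-site credential written into a file that the list server hands to anyone who asks for it. The following is an added example, not code from the message or from the IEEE 802 web site: a small scanner that reads an information file (the sample below is constructed; the user name, password and URL in it are invented, not the real ones) and flags lines that disclose a credential, then produces a redacted copy fit for public distribution. The patterns are heuristics chosen here, not anything the original page specifies.

```python
import re
from dataclasses import dataclass

# Constructed sample of a mailing-list "info" file. The credentials and
# the URL are made up for this example; none of them are the real values.
SAMPLE_INFO_FILE = """\
stds-802-3-hssg: IEEE 802.3 Higher Speed Study Group reflector
To subscribe, send 'subscribe stds-802-3-hssg' to the list server.
Archives are kept on the private web site.
Web site: http://example.org/private
 username: hssg-member
 password: example-only-not-real
Direct link: http://hssg-member:example-only-not-real@example.org/private
Questions to the reflector administrator.
"""


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # which pattern fired
    text: str      # the offending line, stripped


# Heuristic patterns for credentials written into human-readable text.
# Group 1 of the first two is the keyword, the last group is the value.
_PATTERNS = {
    "password_line": re.compile(r"\b(pass(word|wd)?|pw)\b\s*[:=]\s*(\S+)", re.I),
    "username_line": re.compile(r"\b(user(name)?|login)\b\s*[:=]\s*(\S+)", re.I),
    # http://user:secret@host/... puts the secret in the URL itself
    "url_with_creds": re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@\S+", re.I),
}


def scan_for_credentials(text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) that looks like a credential."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pat in _PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(n, kind, line.strip()))
    return findings


def redact_credentials(text: str) -> str:
    """Return a copy safe to publish: passwords and URL userinfo are masked.

    User names on their own are left in place; they are not the secret.
    """
    out = []
    for line in text.splitlines(keepends=True):
        # Strip "user:secret@" out of any URL, keeping scheme and host.
        line = _PATTERNS["url_with_creds"].sub(
            lambda m: re.sub(r"//[^@]+@", "//<redacted>@", m.group(0)), line)
        # Replace the value after a password keyword.
        line = _PATTERNS["password_line"].sub(
            lambda m: f"{m.group(1)}: <redacted>", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for f in scan_for_credentials(SAMPLE_INFO_FILE):
        print(f"line {f.line_no}: {f.kind}: {f.text}")
    print("--- redacted copy ---")
    print(redact_credentials(SAMPLE_INFO_FILE), end="")
```

Run it against any text a list server or web site serves without authentication (info files, welcome messages, archived posts); a hit means the "protection" on the referenced area is only as strong as access to that public text. Redaction makes the file publishable, but the credential itself must still be changed, since anyone who already fetched the old file has it.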