security hole in 802.3hssg web site
- To: stds-802-3-hssg-owner@majordomo.ieee.org
- Subject: security hole in 802.3hssg web site
- From: "Roger B. Marks" <r.b.marks@ieee.org>
- Date: Tue, 6 Apr 1999 14:33:12 -0600
- Cc: stds-802-sec@ieee.org, lnapoli@stdsbbs.ieee.org
- Delivered-To: fixup-stds-802-sec@ieee.org@fixme
- Sender: owner-stds-802-sec@majordomo.ieee.org
I've noticed a security hole in the 802.3hssg web site.
The issue is that the stds-802-3-hssg "info" file advertises the username and password of the hssg private site
<http://grouper.ieee.org/groups/802/3/10G_study/private>. Anyone can get the info file by sending majordomo@majordomo.ieee.org the message:
info stds-802-3-hssg
This means that anyone can easily get onto the password-protected site.
At the moment, the only thing in the site is a reflector archive. It's not clear why this ought to be protected anyway, because the live reflector is open to anyone by request. However, the security issue would also affect any truly sensitive material posted to the "private" directory.
I'm cc'ing the SEC in case others have done something similar.
By the way, I have been struggling to come up with a good privacy policy with regard to the reflector and web site. I am close to a plan. I am very curious to know what others are doing, and what they might do differently if they were going to start from scratch. My current policy is that the reflector and reflector archive are available to anyone. Most of the web is too, but we have a private site that we intend to use for contributions that are copyrighted or otherwise too sensitive to post freely. We still need to clarify the details of what will go there. I'd like to hear comments on when it's a good idea to leave committee working documents out in the open and when not to.
Also, when you password-protect an area, who gets the password? Anyone who has ever attended a meeting? [Otherwise, do you keep changing passwords as the voting membership changes? What a nuisance!] And what are the rules on sharing the password? Or sharing the information from the protected area with, for example, your corporate colleagues?
By and large, this whole secrecy issue looks like a morass to me. I'd like to avoid it as much as possible and would appreciate any advice.
Roger
Dr. Roger B. Marks <mailto:marks@nist.gov>
Chair, IEEE 802.16 Working Group on Broadband Wireless Access
National Wireless Electronic Systems Testbed (N-WEST) <http://nwest.nist.gov>
National Institute of Standards and Technology/Boulder, CO
phone: 1-303-497-3037 fax: 1-303-497-7828