Re: Fwd: What do they use for brains?

From: Alexander Brown (albrown_at_eecs.berkeley.edu)
Date: Wed Aug 27 2003 - 11:50:39 PDT


When blu.berkeley.edu was first announced, I raised another issue with
HR (which I consider more tangible), and was basically told that it was
legal, so they were going to do it:
  
When you log into blu with your calnet credentials, you then have the
option to change where your paycheck is direct deposited. There is no
additional opt-in; if you have a calnet ID, you are set up to be able to
do this. Additionally, there is no way to opt out. Anyone who steals
your calnet credentials can therefore also redirect your paycheck to the
account of their choice.

I think it's great that this option is being offered, but I am concerned
that it's on by default, without the consent of the person who owns the
paycheck. I'm even more concerned that there's no way to decline the
service; I am being exposed to this risk whether I like it or not. I
personally think that any financial application that uses CalNet for
authentication should require opt-in, and optimally, additional
authentication. But I am a lowly sysadmin and not really sophisticated
in such matters.

--alex

Debra Bartling wrote:
>
> I'm forwarding a message from one of our staff members. Sorry to bring up
> blu again, but I am REALLY CONCERNED! Is anyone doing a security audit on
> applications like this?
>
> >I don't know whether you've tried this yet, but I just set myself up on
> >our spiffy new site called blu (blu.berkeley.edu), having no choice, as
> >there are several things I can't access without it. This evidently uses
> >the same authentication as CalNet, since your CalNet ID is used to get you
> >in to your "personal" page.
> >
> >Well, so I clicked on "personal information," and what to my wondering
> >eyes appeared but my SS# and DOB. Among other things that I DON'T NEED TO
> >BE TOLD, and don't want to see unnecessarily, no matter how "secure" the site.
> >
> >I am going to send a note to that effect to the blu people, and I wanted
> >to know whether you and your security maven friends were aware of this
> >latest item, and whether there's a movement yet to stamp it out.
>
> ------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> For information about Micronet, including subscribing to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web site:
> <http://micronet.berkeley.edu/>.


This archive was generated by hypermail 2.1.5 : Wed Aug 27 2003 - 12:56:02 PDT