Educause Security Discussion mailing list archives

Fwd: Re: [SECURITY] Directory Trolling


From: Dave Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Tue, 15 Jun 2010 15:15:18 -0500

From Roger Safian:

I'm at FIRST.  If anyone wants to talk about this, or other
topics, seek me out.

At 12:22 PM 6/15/2010, Ken Connelly put fingers to keyboard and wrote:
Northwestern displays the e-mail address from a directory lookup as a
simplistic captcha image. I've been trying for a couple of years to get
a similar thing implemented here, but so far...

http://directory.northwestern.edu/

Just a couple of comments about the service.  We have a
method to allow our authenticated users to view the actual
(clickable) information.  That works pretty well, so for most
of our community they don't have to deal with the CAPTCHAs.
The service still helps prevent spam, but, we can see some
flaws.  Cheap labor means that you can now hire somebody
to manually root through the directory and record the addresses
by hand.  We've seen the attacks several times, and the time
it takes (along with typos) makes it pretty clear these are
not automated.

At 12:31 PM 6/15/2010, Daniel Bennett put fingers to keyboard and wrote:
I am interested to know if any university has seen student abuse of their online
public directory?  I have seen some instances where students will use that
directory to contact other students from a class and send a cancelation notice
to the students in a class when in fact the class was not canceled.

We've seen this, but, typically it's not done via the directory, but
through our course management system which has a class list feature.
FWIW, it's not very common, and I believe has always resulted in
disciplinary action against the so-called genius who wanted to
enjoy a nice day off.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 467-6437   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"

