Comments on slight paranoia: Update to IU Phishing story
Christopher Soghoian

Unknown, 2007-04-26T13:09:00-04:00:

Why don't you fill out a form at IU to prevent your "directory information" from being released or published if you don't want it to be public?

Anonymous, 2007-04-24T19:35:00-04:00:

"I guess the main point that we both agreed on, was that this problem did not stem from IU technical staff not doing a good job."

I might disagree with that. Given a host with a lot of users on it, many of them naive, it's pretty much a certainty that a portion of those accounts will be compromised. I would be very surprised if they didn't have a minimum of several accounts per month compromised, given the size and composition of the user community.

It's incumbent on system administrators of systems like this one (a large system with a lot of shell accounts) to ensure that when the inevitable account compromises occur, sensitive information is not exposed.

If, as with me, you believe that those e-mail addresses were not sensitive information anyway, you can argue that in that particular respect the sysadmins did nothing wrong. If you believe that those e-mail addresses had some expectation of confidentiality, however, the sysadmins were in the wrong.

It is possible to configure (some) Unix systems to avoid giving out information about other users, but it's usually difficult. Normally I simply wouldn't give out shell accounts, and give out only POP3/IMAP/WebMail accounts instead.