Book smart, security stupid: Rogue professors flunk Security 101

Two academics betray highly ill-advised security practices when using the university's computer network

If anyone wants to study human nature, they should tag along with IT pros for a few days. We see it all, the many shades of good and bad. Here's a story that made me lose a little faith in those who should know better.

I manage the help desk for a small unit at a big university. We do everything from setting up the virtual infrastructure to connecting wireless mice.

My story starts last year, when I'd only been in this position for a few months. We were working on upgrading to new computers and were making other changes, such as revamping users' access rights.

It's mine -- mine, I tell you

But these changes did not make "Professor A" happy. He was notorious for claiming the largest computer lab as "his" and had gotten used to having admin rights over the old computers, adding programs and customizing them. He was annoyed that he didn't have control over the new machines. But after a few days, he appeared to back off a bit. We hoped the worst had passed.

It wasn't too much longer, though, before we heard from him again. Professor A waged a battle to have software installed that would give him control over the student machines. He claimed to need it to demonstrate computer exercises in class since he couldn't easily wander among the students due to the lab's layout.

To be fair, this lab is oddly shaped and arranged poorly. Unfortunately, our public university budget hasn't allowed for a new setup, so we make do with what we have. This means the projector screen hangs to the side and slightly in front of the instructor's desk -- it's an awkward floor plan. But the desks are arranged so that every student can see the screen for demonstrations.

I didn't want this software installed for various reasons, not the least of which was because it seemed like an invasion of privacy to anyone who used the lab. But Professor A swore (at times literally) up and down that he would never dare use the software to spy. He would only use it in class, for instructional purposes, Scout's honor. But the final decision came down and I was overruled. The software was installed.

Suspicious minds

Fast-forward one year: It's 4:45 p.m. on the Friday of finals week, and Christmas vacation is just around the corner. The office is calm, and people are full of holiday cheer. Suddenly, the ticket system spews out an email worse than the Grinch, your great aunt's leaden fruitcake, and ripping open a present as a kid only to find underwear combined.

Professor A had sent in a ticket letting us know that he happened to be in the lab and saw someone logged in as Professor B -- who was nowhere to be found.

The first problem was that Professor A was not teaching a class at this time. Classes were over for the semester, although a few students hadn't yet left the campus. Professor A had no good reason to be in the lab running the software program, but he was. In fact, he was spying like he swore he wouldn't. But that problem swiftly took a backseat as soon as I dove a little deeper into Professor B's disembodied login.
