Re: Security with students entering own data?

From: John Strange <jstrange_at_imtn.dsccc.com>
Date: 1996/03/21
Message-ID: <4is92o$oen_at_tpd.dsccc.com>


You did not supply enough information about the "known" database information.

If I had to design the system, the student information would contain a user workstation login id column. The block query would be restricted to information about the login id. To get the workstation login id, do a

	select osuser                              -- OS login name reported for the session
	  from v$session
	 where audsid = userenv('sessionid') ;     -- the current session only

Your system seems to allow someone to obtain personal data about someone else just on student id alone. I could probably get a list of student ids by just going through the university staff's trash looking for reports.

I agree anyone could hack someone's password on the workstation.

Torfrid Leek (torfridl_at_ulrik.uio.no) wrote:
:> We are about to implement our new student system, and the developers are
:> finally ready to discuss security.
:> It turns out they want students to be able to update their own demographic data,
:> and register for exams etc.
:> This will be done from designated workstations with a special client program.
:> But the question arises, how do we prevent the students from deregistering
:> anybody whose "person number" they might pick up somewhere, changing other
:> people's addresses etc - in short, how can we authenticate them?
:> So far we have come up with the idea of mailing them usernames and passwords
:> with their admission letters - but we are told the vast majority of students
:> do not read their mail and do not bring the required documentation.
 

:> I would be interested to know if anybody is addressing similar issues, and how.
:> In principle this is no different from letting them make a phone call to the
:> student office to update this information. Maybe we should accept the fact
:> that this information is not 100% trustworthy?
 

:> Regards, Torfrid Leek
:> USIT - Centre for Information Technology Services
:> University of Oslo
 

:> torfrid.leek_at_usit.uio.no

--
This posting represents the personal opinions of the author. It is not the
official opinion or policy of the author's employer. Warranty expired when you
opened this article and I will not be responsible for its contents or use.
Received on Thu Mar 21 1996 - 00:00:00 CET
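The design John describes above (a login id column on the student row, and a client query restricted to the caller's own login id) can be expressed as a view that filters on the session's OS user. The following is an added example and is not code from the original post; it assumes Oracle Database, and the table, column and role names (student, ws_login_id, my_student_record, student_client) are hypothetical. SYS_CONTEXT('USERENV','OS_USER') is the later equivalent of the v$session.osuser lookup in the post and needs no privilege on v$session.

```sql
-- Added example: restrict the client's view of student data to the row
-- whose workstation login id matches the connecting OS user.
-- Assumption: Oracle Database; all object names below are hypothetical.

CREATE TABLE student (
  student_id   NUMBER(10)     PRIMARY KEY,
  ws_login_id  VARCHAR2(30)   NOT NULL UNIQUE,  -- workstation login id of the owner
  full_name    VARCHAR2(100)  NOT NULL,
  address      VARCHAR2(200)
);

-- The only object the client program is allowed to touch. The WHERE clause
-- binds the visible row to the session's OS user; WITH CHECK OPTION stops an
-- update from rewriting ws_login_id to steal or hand over the row.
CREATE OR REPLACE VIEW my_student_record AS
  SELECT student_id, ws_login_id, full_name, address
    FROM student
   WHERE ws_login_id = SYS_CONTEXT('USERENV', 'OS_USER')
  WITH CHECK OPTION;

-- Clients get the view, never the base table, and may change only the
-- columns a student is supposed to maintain.
CREATE ROLE student_client;
GRANT SELECT ON my_student_record TO student_client;
GRANT UPDATE (address) ON my_student_record TO student_client;

-- Constructed sample data for the example.
INSERT INTO student VALUES (1001, 'torfridl', 'Torfrid Leek', 'Oslo');
INSERT INTO student VALUES (1002, 'jstrange', 'John Strange', 'Plano');
COMMIT;

-- Run from a session whose OS user is 'torfridl':
-- knowing another student's id is useless, because row 1002 is not in the view.
UPDATE my_student_record SET address = 'Blindern, Oslo' WHERE student_id = 1002;  -- 0 rows
-- Only the caller's own row can be changed.
UPDATE my_student_record SET address = 'Blindern, Oslo' WHERE student_id = 1001;  -- 1 row
COMMIT;
```

Caveat for anyone reusing this: the OS user name is whatever the client process reports when it connects, and the database does not verify it, so the control is exactly as strong as the workstation login the post already worries about. If the client connects through a shared application account, a per-student database identity (or an application-level authentication step) is needed before the filter means anything.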
