Tivoli Identity Manager, or: Stop Complaining Already!

Raph al Guul

Almost inevitably, many students recently complained about the changes that the University of Zurich made to their online services. Yes, I am referring to the dreaded Identity Manager. I, for one, would like to speak on behalf of those changes today. I understand the frustration that these seemingly pointless modifications may cause. However, I firmly believe that the problem definitely does not lie with the IT staff, but with the ignorance of complaining students. Of course, if you’re just complaining because you are a punk and you like the feeling of being a rebel, don’t read any further. I recognize your right to demonstrate publicly and my right to ignore you. To all the others: Let’s get on with it.

The first complaint people put forward was that it happened way too suddenly. This is a lie and we all know it. In fact, there was an announced cross-over period of about 6 months, during which both the old and the new login information could be used to access online services. There was an email that informed all students of the university about this. To that, a student at the English Seminar answered: “Yes, but I ignore all emails that the IT staff sends me as a matter of principle.” I respect that. I approve of that. But you will agree with me that in this case, the Identity Manager thing has virtually nothing to do with the fact that you perceived the change to be sudden. On to more relevant complaints, then!

Students and staff alike complained about how inconvenient it is that every year or so, the IT department at the University of Zurich introduces new logins, passwords, and security checks. And I do agree with this observation. For the user of the university’s resources, the new standards are a drag. I do not think, though, that complaints are justified. What do you know about internet and network security? If it is not more than basic knowledge of how firewalls and anti-virus software work, then you do not know enough to make an assessment of this situation. But even then, you’d know this: internet security threats are not a fixed thing that you can take care of once and never bother with again. Your Kaspersky tells you to update every three days (or just does it without your consent). Why? Because new threats have been found. New problems require new countermeasures.

And in the case of network security, things get even worse. Spyware is designed to enter your computer through an existing internet connection and holes in your defenses. This means that the threat is caused by the fact that your network is connected to the source of malware, namely the internet. However, there are other kinds of threats that do not come in over that connection at all. The most common one would probably be wireless network hacking. If you have a wireless network that enables you to access the internet and maybe share files between computers connected to said network, you will be likely to protect this wireless signal with some kind of encryption. Now, there is an encryption standard called WEP which has been used for quite a while and which some people still use to secure their networks. However, this “security” is a joke. Try this: secure your wireless network with WEP encryption, search for “WEP+cracking+guide” on google.com, browse the results, download the ready-to-go Beini distribution of Linux, take your netbook and see how much time it takes you to crack your own WEP pass key. It took me two minutes. It’s a simple routine combining brute force, packet interception, and 10th grade math. What I am trying to demonstrate here is that an encryption standard that was regarded as “safe” has become so insecure that only a few years later, if you find someone stupid enough to still use it, a simple Google search and two minutes of your time are enough to gain access to that person’s network.
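The “10th grade math” behind that anecdote is worth spelling out from the defender’s side, because it explains why no amount of password strength rescues WEP. The following Python is an added illustration, not code from the original post or from any cracking tool: it implements textbook RC4, the WEP construction of keying the cipher with a 24-bit IV prepended to the shared secret, and two constructed frames. It shows (a) the birthday bound on how few frames it takes before an IV repeats, and (b) that two frames under the same IV leak the XOR of their plaintexts to anyone listening, without the secret ever being known. The secret, the IV, and the HTTP-style payloads are constructed sample values; the real frame format also carries a key-index byte and a CRC-32 integrity value, which are omitted here.

```python
"""
Why WEP is broken, on constructed data only: the 24-bit IV space is tiny, and
RC4 keystream reuse under a repeated IV leaks plaintext XOR plaintext.
Nothing here touches a network; it is a lab demonstration of the flaw.
"""
import math
import os
from typing import Optional

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs per secret key


def frames_until_collision_probability(p: float) -> int:
    """Birthday bound: frames after which the chance of at least one repeated
    IV reaches probability p, assuming uniformly random IVs. (Cards that simply
    counted up from zero repeated even sooner after every reset.)"""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body reduced to what matters: the IV travels in the clear and
    the payload is XORed with RC4(IV || secret). Key-index byte and CRC-32 ICV
    are omitted (constructed simplification)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """What a passive observer learns from two frames sharing an IV: the XOR
    of both plaintexts, with no knowledge of the secret. Returns None when the
    IVs differ (nothing leaks this way)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def demo() -> dict:
    secret = os.urandom(13)            # constructed 104-bit secret, never revealed
    iv = bytes([0x01, 0x02, 0x03])     # constructed counter-style IV that repeats
    p1 = b"GET /olat/records HTTP/1.1"  # constructed sample payloads
    p2 = b"POST /olat/upload HTTP/1.1"
    f1 = wep_encrypt(secret, iv, p1)
    f2 = wep_encrypt(secret, iv, p2)
    leaked = xor_of_plaintexts_from_iv_reuse(f1, f2)
    expected = bytes(a ^ b for a, b in zip(p1, p2))
    f3 = wep_encrypt(secret, b"\x04\x05\x06", p2)  # fresh IV: no reuse
    return {
        "frames_for_50pct_iv_repeat": frames_until_collision_probability(0.5),
        "leak_matches_plaintext_xor": leaked == expected,
        "no_leak_when_iv_differs": xor_of_plaintexts_from_iv_reuse(f1, f3) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The number that comes out of the birthday bound, a 50% chance of a repeated IV after fewer than five thousand frames, is a few seconds of traffic on a busy network; that, rather than any weakness in the password itself, is why rotating or lengthening a WEP key buys nothing and why the only fix was to replace the protocol.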

Large networks of online resources, particularly stuff like the records of students (aka “Leistungsnachweis”) and OLAT, obviously need to be secured in a similar way. Network cracking is booming – and not just because people know that if they get caught cracking a major university’s network, they will be bombarded by job offers after they get out of prison – and universities know that they have to keep up. And believe it or not, the most secure thing to do is switch security protocols every now and then, especially when there is concern that there might be a threat. It is not elegant, but it efficiently makes hackers’ progress up to that point worthless. And also bear in mind that a university cannot risk a breach before taking precautions. I know, you think your OLAT account does not yield much valuable information for a hacker and so you may not get the point. In that case, apart from the huge damage that would be done to the University of Zurich if one were to simply delete files off of OLAT, it is also a question of copyright. The reason why the OLAT platform is so valuable is because it is a way for members of the university to share files below the radar of the file sharing police. Basically, this is a way of making piracy legal. Public access to OLAT would make this platform a meeting point for internet pirates and it would have legal consequences for the university. And even more importantly, what must not happen is that someone accesses record files to change information, particularly change grades!

All in all, I would still like to emphasize that I share your unease about this whole business. I like it when things work for me and it annoys me that even if this is the case, people go ahead and change things. I would also like to appeal to reason, though. There are real threats that the university has to face and that we, the silly students, do not recognize or even worry about. If new protocols are introduced, this affects us, while the consequences of a hacker attack would probably not. That doesn’t mean that it is dumb or pointless. Changing security protocols for an entire university and several different resource networks costs a lot of money. The university would not be paying that if it was just a fun thing to do for them. Please, please cut the IT staff at the University of Zurich some slack. That is all.


6 responses to “Tivoli Identity Manager, or: Stop Complaining Already!”

  1. Thank you, for a more detailed perspective on this issue. Agreeing on almost everything with you, I do think that your line of argumentation starts somewhere in the middle of the discussion rather than at the beginning of it. While I do understand that the Identity Manager is there to do what its name suggests (manage identities), I do not really see the point why there have to be so many identities that they need to be managed and consolidated in the first place. I studied at much bigger academic institutions with many more students and faculty in the United States and Canada and had to familiarize myself with their online services. There, it was possible to do everything with just one access key, and they were not any simpler. In fact, most of them included more (practical) features and much more sensitive data (credit card numbers to pay for tuition, etc.). And don’t give me the thing that one access key is not secure enough: everyone who has been to the United States knows how much Americans put into security and the same holds true for campus activities, including online services!

    • I see your point. Someone else did a comparison similar to yours, too, and complained that while most universities would actually try to reduce the amount of “logins” and “passwords”, the University of Zurich is doing the opposite. And I am not sure if I understand that trend, either. I assume that behind the curtains, there seem to be bigger security issues going on. Maybe it’s also a question of budget and Tivoli is simply offering reasonable security at reasonable prices. But what I believe to most likely be the case is that the Identity Manager helps to manage data volume. Basically, using the same encryptions and pass keys for an expanding network pushes that network’s capacity to the limits. You can do one of two things to prevent a breakdown: You can either reprogram the software to be able to handle these huge amounts of data. The problem with this is a) it’s incredibly expensive because it means that you have to entirely replace software that you already paid for in advance. b) you will have to “translate” the old data to the new soft- and possibly hardware. The files available on your email account, OLAT, etc. need to be made available on the new platform, as well. You can imagine how much work this is and what a huge potential of invasion of privacy this has. Your second option is to “split servers” (this is a gaming analogy, because if you ever played an expanding game with limited capacity, you will know that this is often done). If you separate OLAT from everything else, and everything else from each other, you bring down that capacity issue. It’s less work, and it’s cheaper. I don’t know if this reflects what is actually happening at the IT department, but it would at least kind of explain why there is this weird trend to complication. And by the way, I have simply made all my logins the same in the identity manager. It’s not like I have to memorize 5 more passwords now.

  2. I agree that the IT staff should be commended for doing a good job: they are efficient and helpful, despite the onslaught of people they must have had. But I too would agree with Cyril that the system itself is more complex than it needs to be, and the fact that so many IDs are needed is just bad design.
    On a purely philosophical note, I don’t like feeling I have to “manage my identities”. I shouldn’t have to have quite so many forms of myself online. Plus, the shortname is aesthetically very displeasing… 😉

    • I like your philosophical note. And again, I have heard that before, as well: It’s weird that they call it “identity manager”. It implies schizophrenia, in my opinion 😛 It’s such a postmodern thing to have so many identities that they now need to be managed.

  3. True, one needs a special notebook or a very good memory for all these identities – and Uni is changing such things every year…

    • I reset mine to the old logins and I made them all the same. I have to remember 2 login combos now. Though I have them all saved in my Firefox appdata and I can transfer them to all my computers if I should lose the login information for some reason.
      And once again: I don’t know why these changes are taking place so frequently. A friend of mine who is working in the IT staff of a University in the Netherlands told me that it might be to handle volume or to improve security. Either way, seems like they are struggling to solve their problem permanently. But yet again, I am not sure if we are supposed to blame them for that. It’s not like every problem has a permanent solution.
