Raph al Guul
Almost inevitably, many students recently complained about the changes that the University of Zurich made to their online services. Yes, I am referring to the dreaded Identity Manager. I, for one, would like to speak on behalf of those changes today. I understand the frustration that these seemingly pointless modifications may cause. However, I firmly believe that the problem definitely does not lie with the IT staff, but with the ignorance of complaining students. Of course, if you’re just complaining because you are a punk and you like the feeling of being a rebel, don’t read any further. I recognize your right to demonstrate publicly and my right to ignore you. To all the others: Let’s get on with it.
The first complaint people put forward was that it happened way too suddenly. This is a lie and we all know it. In fact, there was an announced cross-over period of about 6 months, during which both the old and the new login information could be used to access online services. There was an email that informed all students of the university about this. To that, a student at the English Seminar answered: “Yes, but I ignore all emails that the IT staff sends me as a matter of principle.” I respect that. I approve of that. But you will agree with me that in this case, the Identity Manager thing has virtually nothing to do with the fact that you perceived the change to be sudden. On to more relevant complaints, then!
Students and staff alike complained about how inconvenient it is that every year or so, the IT department at the University of Zurich introduces new logins, passwords, and security checks. And I do agree with this observation. For the user of the university’s resources, the new standards are a drag. I do not think, though, that complaints are justified. What do you know about internet and network security? If it is not more than basic knowledge of how firewalls and anti-virus software work, then you do not know enough to make an assessment of this situation. But even then, you’d know this: internet security threats are not a fixed thing that you can take care of once and never bother with again. Your Kaspersky tells you to update every three days (or just does it without your consent). Why? Because new threats have been found. New problems require new countermeasures.
And in the case of network security, things get even worse. Spyware is designed to enter your computer through an existing internet connection and holes in your defenses. This means that the threat is caused by the fact that your network is connected to the source of malware, namely the internet. However, there are other kinds of threats that do not come from within. The most common one would probably be wireless network hacking. If you have a wireless network that enables you to access the internet and maybe share files between computers connected to said network, you will be likely to protect this wireless signal with some kind of encryption. Now, there is an encryption called WEP which has been used for quite a while and which some people still use to secure their networks. However, this “security” is a joke. Try this: secure your wireless network with WEP encryption, search for “WEP+cracking+guide” on google.com, browse the results, download the ready-to-go Beini distribution of Linux, take your netbook and see how much time it takes you to crack your own WEP pass key. It took me two minutes. It’s a simple routine combining brute force, packet interception, and 10th grade math. What I am trying to demonstrate here is that an encryption standard that was regarded as “safe” has become so insecure that only a few years later, if you find someone stupid enough to still use it, a simple Google search and two minutes of your time are enough to gain access to that person’s network.
Large networks of online resources, particularly stuff like the records of students (aka “Leistungsnachweis”) and OLAT, obviously need to be secured in a similar way. Network cracking is booming – and not just because people know that if they get caught cracking a major university’s network, they will be bombarded by job offers after they get out of prison – and universities know that they have to keep up. And believe it or not, the most secure thing to do is switch security protocols every now and then, especially when there is concern that there might be a threat. It is not elegant, but it efficiently makes hackers’ progress up to that point worthless. And also bear in mind that a university cannot risk a breach before taking precautions. I know, you think your OLAT account does not yield much valuable information for a hacker and so you may not get the point. In that case, apart from the huge damage that would be done to the University of Zurich if one were to simply delete files off of OLAT, it is also a question of copyright. The reason why the OLAT platform is so valuable is that it is a way for members of the university to share files below the radar of the file sharing police. Basically, this is a way of making piracy legal. Public access to OLAT would make this platform a meeting point for internet pirates and it would have legal consequences for the university. And even more importantly, what must not happen is that someone accesses record files to change information, particularly change grades!
All in all, I would still like to emphasize that I share your unease about this whole business. I like it when things work for me and it annoys me that even if this is the case, people go ahead and change things. I would also like to appeal to reason, though. There are real threats that the university has to face and that we, the silly students, do not recognize or even worry about. If new protocols are introduced, this affects us, while the consequences of a hacker attack would probably not. That doesn’t mean that it is dumb or pointless. Changing security protocols for an entire university and several different resource networks costs a lot of money. The university would not be paying that if it were just a fun thing to do for them. Please, please cut the IT staff at the University of Zurich some slack. That is all.