
Re: Security Lapses on Campuses Permit Theft From JSTOR Database - Chronicle of Higher Education Online, 12/12/2002



At least with some software (e.g., Apache), you can configure it so that
on-campus use is totally open (anyone may connect from a campus computer),
and off-campus use requires a password.  That password could be a single
username/password, or as complex as the implementor desires (e.g., student
or staff id number, or id number and password).

Is that flexibility all that's needed to solve the problems of on and off
campus proxy use?  Clearly password sharing is not going to be a concern
in this context -- If I am reading the messages correctly, what this JSTOR
attacker was doing was hitting many open proxies at once, or jumping from
one to another as soon as one got shut down or blocked. Without some
social networking, libraries with proxy servers that require a password
(and don't, for example, decide to post that password on a public
webpage!), are going to be secure from abuse by that method.

As a technical person, I have to admit with some chagrin that I have
accidentally configured servers which act as open proxies. I blamed poor
documentation at the time, but the fact is that it's an easy mistake to
make.  I don't see that as a reason to jump from the proxy model to one of
restricting site access to a single computer in a locked room in the
basement of a library.

Digital certificates, as they currently exist, do not strike me as a
workable solution. I would think it would be too complicated to get a
certificate installed on every legitimate computer. There are also some
serious privacy concerns (depending on how identifying those certificates
get).

Jim
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
James A. Robinson                       jim.robinson@stanford.edu
Stanford University HighWire Press      http://highwire.stanford.edu/
650-723-7294 (W) 650-725-9335 (F)
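
An added configuration example, not part of the original message: one way to express the setup described above (campus addresses pass without a prompt, everyone else must authenticate) for an Apache forward proxy. It assumes Apache 2.4 syntax; the 192.0.2.0/24 campus range, the realm name and the password file path are placeholders.

```apache
# Added example (not from the original message). Assumes Apache 2.4 with
# mod_proxy, mod_proxy_http, mod_authz_host, mod_auth_basic,
# mod_authn_file and mod_authz_user loaded.

# Enable forward proxying. With this directive on, access control on the
# <Proxy> block below is the only thing between the server and the
# open-proxy mistake described in the message.
ProxyRequests On
ProxyVia On

# The easy mistake: an unrestricted forward proxy. Shown commented out
# for contrast only.
# <Proxy "*">
#     Require all granted
# </Proxy>

# Restricted form: open from campus, password required from elsewhere.
<Proxy "*">
    AuthType Basic
    AuthName "Library proxy (off-campus users)"
    AuthBasicProvider file
    # Placeholder path; keep the file outside the document root.
    AuthUserFile "/etc/apache2/proxy.htpasswd"

    # A request is allowed if EITHER condition holds.
    <RequireAny>
        # Placeholder campus network (documentation address range).
        Require ip 192.0.2.0/24
        # Off-campus clients must present valid credentials.
        Require valid-user
    </RequireAny>
</Proxy>
```

Running `apachectl configtest` after editing checks the syntax; confirming from an off-campus address that the proxy refuses unauthenticated requests checks the behaviour.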