(This is an update of an earlier post)
So I've already gotten in trouble once for publishing security exploits, but I think it's worth chancing it again to make my point. I went by the Student Activities office today to get a subdomain name, and decided to ask for the SOFC # for the Libertarians. The nice girl at the desk promptly looked it up for me, and then when I asked her about the procedure for changing passwords, she wrote down the password for the group's account as well. Since I had mentioned in passing my membership in another group, she wrote down their SOFC # and password as well. At no time did I actually say that I was an officer in any of these groups, show any identification or even ask for the password - I simply asked how to go about getting to it, and she provided passwords for two groups for me. Then I proceeded to the computer office to get a new subdomain for another group I'm webmaster of - again, no confirmation of my identity or membership status was necessary. Now I'd like to think that my trustworthy appearance and rugged good looks persuaded the girl at the info desk to be generous with the info, but somehow I doubt that's the case, and that worries me because many groups keep significant sums of $ in their accounts, and this is less than stellar security, despite the huge bureaucratic mess than a group has to go through to get organized and maintain their mandatory bank account with SOFC.
This reminds me of the policy at Evans library to force changes to passwords every 90 days. As a result, many staff members write their passwords on sticky notes on their monitors, and one of the library admins advised me to amend a "02f" "O2s" and so on to a "base" password as a way of remembering it, which I suppose is the advice she gives to everyone else....kinda defeating the purpose?
But, hey, what do I know, maybe Aggies really don't lie cheat or steal after all.
Ten days ago, I requested a room for the Libertarians. I had to get my advisor to sign a form where I picked my top preferences for meeting rooms because there was no way to look them up (or so the person at the registration desk said.) This means, that everyone who reserves rooms has to hope to not request the same day as any other group. Then today, I went to pick up the schedule, and they said they couldn't find it. After about 30 minutes (not kidding) of looking, they found that it had been misfiled under the wrong file. Now it wouldn't be too hard to put all this info online to eliminate security risks, calendar mix-ups, and several jobs, but this is a bureaucracy we're talking about here. Government jobs contribute to "aggregate output" -- right?