Monday, 23rd January 2006
Disaster on the wires
Something of a major catastrophe occurred at the weekend, when apparently the Warwick IT Services' password database (governing the university-wide network) was compromised. The notice that appeared on the main website said:
There has been a security incident which compromised a number of GroupWise email user accounts. Those who were directly involved have had both their ITS and email accounts disabled and will need to contact the IT Service Desk on [number] to find out how to get their accounts re-enabled. All other staff and students must now change their passwords to their ITS and GroupWise email accounts themselves.
(Of course, it wasn't displayed on a very frequently-used webpage, certainly not one that all 15-20,000 university members were going to see on a Sunday morning, but that's by the by.) What it didn't mention was that those whose logins weren't immediately disabled had only two attempts to change their passwords before they, too, were locked out. (This seemed like a strange security policy — if the accounts are so vulnerable that you're going to be locked out after two logins, why give people the two logins in the first place to sort themselves out?)
Now, if you had logged in from a Warwick computer, you would have been greeted with a big notice telling you to change your password immediately. What has happened is that, what with it being a weekend, very few people had logged in using a Warwick computer, and had instead done all their logging in remotely. Idiots, eh?
What this meant was that everyone had used up their "grace logins" (in my case, just by Thunderbird accessing my uni email) and had no warning whatsoever that they were about to be locked out if they didn't change their passwords.
So then, now we have 15-20,000 students each one of whom has to phone the help desk and get their password individually reset. I'm told there were long phone queues yesterday afternoon, once the news had broken on the Warwick blogs (by the two remaining people who'd managed to get their passwords changed in time, and therefore could still log on), and heaven only knows what things are like this morning. It didn't help, of course, that ITS stopped answering the phones yesterday at the normal clock-off time of 5pm.
We had an assignment due in this morning. All assignments must be handed in with an official cover sheet, which is generated by a Perl script once you enter your uni number and assignment name into the form. What with all the user accounts being disabled though, it now won't generate the cover sheet because it can't verify the uni number. Stunning. (Cue 200 panicking CS students running around like headless chickens.) We're better off than almost anyone else though — although we can't log on to the main network, the DCS machines are on a different network, managed by DCS instead of ITS. Which is how I am sitting here typing to you now, rather than trying to aimlessly fill up two hours between lectures without the aid of a computer.
The useful thing about having a blog outside the Warwick network is that I'm one of the very few people who gets to blog about this before I phone up and wait in a queue for two hours to get my password changed. Everyone else has been effectively gagged until then.
What fun.
