[daip] Re: on-line FILLM
Patrick P Murphy
pmurphy at nrao.edu
Thu Jun 2 13:16:04 EDT 2005

Hmm. Given that I'm the Computer Security Manager for NRAO, I'm
thinking this may merit our committee having a look and helping
out... at the minimum, if there has been a breach, an incident report
needs to be filed.

Based on what Eric said below, it seems more like this incident is one
where social engineering was applied, not necessarily cracking/hacking.

It will probably look good (and be the right thing to do) if I give
Bryan a call asking him for more specifics.

- Pat

On Thu, 2 Jun 2005 11:09:38 -0600, Eric Greisen <egreisen at nrao.edu>
said:
> Bryan Gaensler writes:
>> I'm on the NRAO Users Committee and we're working on our annual report to
>> the Director right now. One of the things we are currently discussing is my
>> own personal experience in the past year, in which some proprietary VLA
>> data was (accidentally?) stolen from me by someone running on-line FILLM
>> at AOC before the data could be transferred and locked in the archive.
>> We are trying to work out what we can say/recommend about this issue in
>> our annual report. Lisa Young told me you had some thoughts about some
>> possible (simple?) changes to FILLM which might close this loophole?
>
> Having not looked yet I am not sure how simple they will be:
>
> 1. FILLM has to know that it is the on-line version
> 2. It would then require that (a) the program code be specified
>    and (b) prompt for a password
> 3. It would then pass those two on to the on-line open routine
> 4. The on-line open routine would have to compare the two with a
>    data base of passwords and continue only if they match
>
> The worst problem I suspect is the maintenance of the password data
> base which would have to be current a day or more before the observing
> run. I guess it has to be more or less that already so it may not be
> a problem. The data base would have to be at the VLA as well as at
> the AOC since miranda at the VLA is also expected to run on-line
> FILLM.
>
> Eric Greisen
> _______________________________________________
> Daip mailing list
> Daip at listmgr.cv.nrao.edu
> http://listmgr.cv.nrao.edu/mailman/listinfo/daip
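
The four-step check outlined in the quoted message, sketched in Python as an added example; it is not code from this thread or from AIPS/FILLM. The function names, the salted PBKDF2 storage, the upper-casing of program codes, the unchanged off-line path and the sample program codes and passwords are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def make_record(password: str) -> dict:
    """Build a database entry: random salt plus PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

# Checked against when the program code is unknown, so both paths do equal work.
_DUMMY = make_record("constructed-dummy-value")

def online_open(db: dict, program_code: str, password: str) -> bool:
    """Step 4: continue only if the program code / password pair matches."""
    record = db.get(program_code.strip().upper())
    known = record is not None
    if not known:
        record = _DUMMY
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS)
    match = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    return known and match

def fillm(db: dict, online: bool, program_code=None, password=None) -> str:
    """Steps 1-3: the on-line version requires both values and passes them on."""
    if not online:
        return "offline: no check"  # assumption: off-line reading is unchanged
    if not program_code or not password:
        return "refused: program code and password required"
    if not online_open(db, program_code, password):
        return "refused: no match"  # same answer for unknown code and bad password
    return "opened on-line data for " + program_code.strip().upper()

# Constructed sample database; these program codes and passwords are made up.
SAMPLE_DB = {
    "AB1234": make_record("correct horse"),
    "AC0001": make_record("other secret"),
}

if __name__ == "__main__":
    print(fillm(SAMPLE_DB, True, "AB1234", "correct horse"))
    print(fillm(SAMPLE_DB, True, "AB1234", "other secret"))
```

Because only salted hashes are stored, the copies of the database kept at the VLA and at the AOC do not expose the passwords themselves if one copy is read by someone else.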