Concerns Over Web Portal Force Password Change

Harvard Arts and Sciences Computing Services (HASCS) sent an e-mail yesterday to over 400 students who had registered to use houseSYSTEM—a student-created web portal that sparked controversy last week because of potential security vulnerabilities—instructing users to change their e-mail passwords because they “may have been compromised on a web server located off campus.”

Their Harvard network accounts were locked, and the users were unable to access them until they chose new passwords. As of yesterday, the site’s creator had modified houseSYSTEM to allow no new users to register.

The notice came two weeks after the initial launch of houseSYSTEM—which promised to allow students to trade textbooks, give feedback about classes and check e-mail—and followed a spate of e-mails over the Lowell House open e-mail list, debating the possible security risks of using the portal.

The debacle stemmed from houseSYSTEM’s requirement that any user provide his or her Faculty of Arts and Sciences (FAS) network password in order to use the site’s web-based e-mail function.

As of yesterday, 402 people had registered with the portal or with its predecessor, CriticalMass, according to Lowell House Senior Tutor Jay L. Ellison, though it is not known how many of those people had provided their actual FAS password.

Though it did not mention either CriticalMass or houseSYSTEM by name, the e-mail from HASCS yesterday afternoon warned students of the possibility that their accounts might have been tampered with.

“To protect the security of your FAS account and the privacy of your e-mail and data, we are asking you to change your password at this time,” the message read. “In the future we would also ask, for security reasons, that you never enter your FAS password on any website that is not officially endorsed or operated by FAS Computer Services.”

HASCS Director Franklin M. Steen said he had not heard of any specific instances in which users’ systems might have been compromised through contact with houseSYSTEM, but said that anyone whose password might have been recorded on a non-FAS website should take precautions.

“We don’t know if they were compromised or not, but if there’s a chance, we want to be sure people change them,” said Steen. “That’s just our policy, that anytime it appears that there might be a problem with a password to have people change them.”

Aaron J. Greenspan ’05, who designed houseSYSTEM along with the Harvard Student Entrepreneurship Club (SEC), maintained that no one’s password—whether their genuine FAS password or not—had ever been in jeopardy. It was partially for this reason, he said, that he initially balked when Ellison informed him that the College administration wanted him to turn over the usernames of every houseSYSTEM registrant.

“HASCS wanted to instruct everybody using houseSYSTEM to change their password,” said Greenspan. “I objected to this on the count that there was no security risk.”

The administration made other requests as well, according to Greenspan and Ellison. In addition to turning over a list of user names, he was asked to delete any FAS passwords—even if encrypted—that were in the houseSYSTEM database and to make sure that no project of his ever asked for FAS passwords again.

Greenspan consented and sent the College the list, but said he was uncomfortable with the idea of turning over any information pertaining to users of houseSYSTEM. Integrated in the portal are all users from the old CriticalMass website, a site Greenspan created last year to act as a venue for feedback about classes and professors. Greenspan worried that with enough information, a student might be linked to what he or she had said previously about a class or instructor.

“If they had other information from the database, it would be a simple matter,” Greenspan said. “They already have a lot of this information. It’s not likely that they would abuse it, but it still should not be in their hands.”

Greenspan said he had been threatened with “unspecified disciplinary action” if he did nor turn over the list of user names.

So he complied, but before he did, he sent an e-mail to everyone with a houseSYSTEM account.

“I have been asked to disclose the entire table pertaining to members in unaltered form, complete with information about your choice to remain anonymous on houseSYSTEM,” he wrote. “I realize that this is an egregious breach of your privacy. Adding further irony to the situation is the College’s claim that it is necessary in order to protect your privacy, and the fact that it has been justified by administrators who actively refuse to understand the technical details necessarily involved. I have done all that I can to avoid this situation.”

But both Ellison and Dean of Harvard College Benedict H. Gross ’71 said that they had neither requested nor received any information other than the list of user names registered to use the portal.

“The College is not interested in any private information stored on the houseSYSTEM database,” Gross wrote in an e-mail. “We asked for a list of all FAS user names which were recorded as having submitted FAS passwords to the SEC web site. We are not asking for any other information, such as names, posts, history, etc.”

And Ellison maintained that the only reason the school had requested that list was in order to inform the students that they were encouraged to change their passwords.

“We haven’t asked for anything but usernames,” Ellison said. “We asked so that we could notify the students that they needed to change their passwords immediately, because their passwords were in a non-Harvard system. Because of that, they were essentially open to hacking or some other kind of security breach.”

“Nothing is impregnable,” Ellison added. “Even though Aaron did make some guarantees, we still have concerns about the information being out there.”

Ellison noted that Greenspan had no way of differentiating between a genuine and a dummy password, which would account for some people’s receiving the notice to change their passwords—even if they had not originally given their real ones.

Several students who received the notice from HASCS expressed concerns. The message made no specific reference to Greenspan, the SEC, CriticalMass or houseSYSTEM, but rather said simply that FAS had learned that their passwords might have been endangered.

“I was surprised that they had e-mailed me because I never gave my FAS password to houseSYSTEM,” said Gregory N. Price ’06. “I wasn’t planning on changing it, I wasn’t expecting that to be the case.”

He said he then tried to log on.

“It was an unpleasant surprise to get an error message I’d never gotten before,” he said. “Shell access denied.”

David A. Molnar ’02-’03 said that had he not been aware of the controversy over houseSYSTEM previously, he would not have known what the HASCS message was in reference to.

“If I didn’t know that the houseSYSTEM thing was behind it, I wouldn’t have known what was going on,” he said.

Steen said the HASCS e-mail did not specify houseSYSTEM as the potential source of risk because the College’s decision in the case was still pending.

HASCS had simply wanted to get the news out to students to tell them to change passwords, he said, though there had been no proof of actual compromise.

“As far as I know we haven’t detected anything that’s actually happened,” said Steen. “This is basically a protective measure.”

—Staff writer Laura L. Krug can be reached at krug@fas.harvard.edu.