Student Site Stirs Controversy

A sharp debate raged on Lowell House’s open e-mail list this week after security issues were raised concerning a new student-run web portal launched last Friday that promised a place to trade textbooks, read and give feedback on classes and plan a class schedule.

While its creator lauded it as a much-needed resource for students, critics said they were concerned that the site’s web-based e-mail function—which requires a user to provide their Faculty of Arts and Sciences (FAS) account password—poses a security risk.

Aaron J. Greenspan ’05, who helped create the site, said that Harvard-run portals such as my.harvard and the House websites failed to centralize information that could be helpful and convenient to students.

“That was my diagnosis of the problem,” Greenspan said. “There was nowhere to trade textbooks, the CUE [Committee on Undergraduate Education] Guide wasn’t always as complete as it could be and the House websites were lacking.”

So he and the Harvard Student Entrepreneurial Council created houseSYSTEM to combine different services that could be helpful to students, Greenspan said. Once registered, users can submit and view commentary on classes, buy and sell items like futons and check e-mail from their Faculty of Arts and Sciences (FAS) accounts.

The ability to check e-mail formed the crux of the back-and-forth over Lowell’s list. In order to access e-mail, houseSYSTEM must know a user’s Harvard password. The site asks for it on registration—and currently informs users supplying invalid passwords that the site will lack full functionality.

Several members of the Lowell e-mail list contended that supplying one’s FAS password to a third party raised concerns.

“I’m certainly not an expert in computer security or online security, but there are certain red flags that I recognize,” said Graham R. Stanton ’05. “They were asking for the password [to my e-mail account] which is just something that’s not done. It said, when I tried to log in, that I needed it, which to me meant...it probably tried to access my e-mail account or something similar.”

Daniel J. Ellard, a tutor in Lowell House, was the first to post to the list with such a warning, pointing out that the site asked for a substantial amount of personal information—including a Harvard ID number and e-mail login name and password.

Director of Residential Computing Kevin S. Davis ’98 said he could not comment on the site itself, but that once a password is given to a computer system—no matter how it is secured—the system is able to read it in the end.

“It’s possible to encrypt any piece of information such that it’s well secured,” said Davis, who is also a Crimson editor. “Even if they encrypt your password, they need to be able to decrypt it; otherwise you couldn’t get to your mail.”

But Green-span said his intent in creating houseSYSTEM was not to collect personal information but to provide an important service.

“The only guiding idea here is to improve student life,” he said. “It’s not to collect people’s passwords. It’s not to abuse information for some evil purpose. It’s for students to benefit, whatever those pieces of information might be, whether it’s getting a job or your e-mail or your packages. It’s all things we’re trying to centralize in a way that FAS should but does not.”

Greenspan defended the security of his site, saying that a student’s houseSYSTEM account is kept completely separate from his or her Harvard student account.

“We can’t access those and shouldn’t access those,” he said. “Our database is kept separate from that.”

He said he uses an encryption algorithm called MD5 to encode information that should be kept secure.

But because the security and safety of MD5 was called into question as well, Greenspan said he is in the process of transitioning to a different algorithm called SHA-1.

“I don’t think the security of houseSYSTEM was ever so bad that anybody’s password was in jeopardy. I wouldn’t have released a piece of software like that,” Greenspan said.

Greenspan said student enthusiasm seemed high. Between the launch of the portal on August 1 and Tuesday night, 400 accounts had been registered, he said.

Lexy Vanier ’03-’05 was one of those who expressed excitement about houseSYSTEM in the beginning.

“When I first saw the e-mail [about houseSYSTEM], the first thing that popped into my head was, this is an easy place to write down what classes I was going to shop,” she said. “I thought it was an extension of the student council site. I thought it was an official website, an official thing.”

She said she would think twice about giving it the requested information after seeing the debate on the Lowell House list.

“I just really don’t want to have to give out any FAS account information on a system that’s not of the highest encryption possible,” she said. “I wouldn’t use it at this time.”

Greenspan said complaints were also raised about the method used to encrypt the entire body of information that a user can enter into houseSYSTEM.

An SSL certificate can encrypt chunks of information while traveling through networks. But buying an official certificate is expensive—and Greenspan said the fledgling SEC could not afford to purchase one right away. Instead, Greenspan integrated the publicly-available code for SSL into his site. But he lacks the official backing of companies that make commercial certificates to say the code is implemented and that information is safe. Greenspan said it is the same code—and, therefore, just as secure as any other company-signed certificate.

Davis said self-signed SSL certificates may mean nothing about the security of a system—any website with one may be perfectly legitimate. He did say, though, that it is up to the user to decide if he or she will trust the site’s creator.

“For a lot of people, sort of the general practice is to only trust sites that have a [company]-signed SSL certificate,” said Davis. “I think that many people get nervous when they see the warning [on sites with self-signed certificates]. That’s why web creators make their warnings so dire: they really want their users to know there’s a little more risk than if it were signed.”

—Staff writer Laura L. Krug can be reached at krug@fas.harvard.edu.