Thursday, August 09, 2007

no one ever said the 's' in 'asa' stood for security

OK, I have way too much to do today to be blogging, but: ASA has opened their new online messaging service, and it's structured in such a way that anyone with a lick of sense who received the e-mail with their own username (their e-mail address) and default password can immediately deduce anybody else's password. Which means one can pose as anyone else and leave messages for whoever under their name. This is not especially different from what one was always able to do with ASA, since it's not like the old messaging systems ever had any kind of security to verify that people were who they said they were. And it's not like when you leave a message at a hotel for someone you are asked to prove who you are, etc. What it adds is the veneer of security that comes along with there being a nominal password, so spoofed messages are likely more credible.

Plus, you can also use the new system to send e-mails to anyone! So, if you've had any pent-up inclinations for poison-pen e-mails, just pick your favorite senior sociologist and go. Maybe Fabio will post a special edition of his "Grad School Rulz" about how you can use the ASA messaging system to destroy your rivals on the job market.

(Needless to say, I changed my password before posting this. If you change your password, you can also set the system to forward messages to your e-mail account, so that you don't have to wonder if anyone has left you a message so long as you are checking your e-mail.)


That is a surprisingly weak password system, security-wise. I just changed my password too.