Book smart, security stupid: Rogue professors flunk Security 101

Jan 29, 2014

Two academics betray highly ill-advised security practices when using the university's computer network

If anyone wants to study human nature, they should tag along with IT pros for a few days. We see it all, the many shades of good and bad. Here’s a story that made me lose a little faith in those who should know better.

I manage the help desk for a small unit at a big university. We do everything from setting up the virtual infrastructure to connecting wireless mice.

My story starts last year, when I’d only been in this position for a few months. We were working on upgrading to new computers and were making other changes, such as revamping users’ access rights.

It’s mine — mine, I tell you

But these changes did not make “Professor A” happy. He was notorious for claiming the largest computer lab as “his” and had gotten used to having admin rights over the old computers, adding programs and customizing them. He was annoyed that he didn’t have control over the new machines. But after a few days, he appeared to back off a bit. We hoped the worst had passed.

It wasn’t too much longer, though, before we heard from him again. Professor A waged a battle to have software installed that would give him control over the student machines. He claimed to need it to demonstrate computer exercises in class since he couldn’t easily wander among the students due to the lab’s layout.

To be fair, this lab is oddly shaped and arranged poorly. Unfortunately, our public university budget hasn’t allowed for a new setup, so we make do with what we have. This means the projector screen hangs to the side and slightly in front of the instructor’s desk — it’s an awkward floor plan. But the desks are arranged so that every student can see the screen for demonstrations.

I didn’t want this software installed for various reasons, not the least of which was because it seemed like an invasion of privacy to anyone who used the lab. But Professor A swore (at times literally) up and down that he would never dare use the software to spy. He would only use it in class, for instructional purposes, Scout’s honor. But the final decision came down and I was overruled. The software was installed.

Suspicious minds

Fast-forward one year: It’s 4:45 p.m. on the Friday of finals week, and Christmas vacation is just around the corner. The office is calm, and people are full of holiday cheer. Suddenly, the ticket system spews out an email worse than the Grinch, your great aunt’s leaden fruitcake, and ripping open a present as a kid only to find underwear combined.

Professor A had sent in a ticket letting us know that he happened to be in the lab and saw someone logged in as Professor B — who was nowhere to be found.

The first problem was that Professor A was not teaching a class at this time. Classes were over for the semester, although a few students hadn’t yet left the campus. Professor A had no good reason to be in the lab running the software program, but he was. In fact, he was spying like he swore he wouldn’t. But that problem swiftly took a backseat as soon as I dove a little deeper into Professor B’s disembodied login.

Assuming that Professor B had simply forgotten to log out, I messaged the mystery person to let him know he was not logged in as himself. Hoping to hear, “Oops, sorry, I’ll log out right away,” I was shocked when he replied that yes, he knew he was logged in as Professor B. “I needed to get a file from Professor B, but he couldn’t stay to give it to me, so he gave me his password.”

The mystery student alleged that Professor B simply gave out his university password — the same password that allowed access to his email, student rosters, student grades, and a number of other troves of sensitive data.

We immediately tried to get ahold of Professor B, but he must have been vacationing in the Bermuda Triangle. We forced the student to log off, explained to him why what had happened was very bad, and reported the incident to security so that they could watch for suspicious activity. At that point my supervisor took over and sent a doomsday email to Professor B demanding that he change his password immediately.

IT made me do it

It wasn’t until late that night that we received an email from Professor B. He offered no apology, simply a couple of lines explaining it was IT’s fault that he’d given out his password to the student because we’d neglected to give the student proper privileges at the beginning of the semester. By his reasoning, he was forced to share his password.

Apparently, this student was doing a sort of independent study with Professor B. This was the first we’d heard of that situation — our records showed no request for any kind of class access for the student. And who knows why he thought the solution was to give out his own university password?

Meanwhile, my supervisor spoke with Professor A about why he was using the software outside of class and heard some poor excuse about transferring a file to a student who was in the lab at the time. He was told again that it was an inappropriate use of the software, but my cynicism says it’ll happen again (yes, we are keeping a record). Professor B had to change his password and got a scolding, but that was it. The only real change is that the sticky notes with passwords littering professors’ desks seem slightly less bad to me now.

The moral of the story is that when a professor does something really stupid, it’s IT’s fault. Also, if someone gets Big Brother-like abilities, they’re going to use them like it’s 1984.

This story, “Book smart, security stupid: Rogue professors flunk Security 101,” was originally published at InfoWorld.com.
