This page contains the transcript of my discussion via email with the UBC WebCT administrators regarding my concerns outlined in my other page. I've removed all non WebCT administrator email addresses and names from the emails. I've also removed the redundant quoting of emails to save space.
It is frustrating to note that during many of the weeks when I was waiting for any sort of response from the WebCT administrators, my web server logs show the administrators accessing my web site. The logs are summarized in my November 3rd email.
The following issues are still outstanding:
| Date | To / From | Content |
|---|---|---|
| 10 Sep 2001 | webct-support@itservices | General inquiry about secure login procedure |
| 10 Sep 2001 | ITServices Support | Auto-generated response with tracking number. |
| 18 Sep 2001 | Prof for WebCT Course | General information about insecurity and request for separate log in or guest account. |
| 18 Sep 2001 | ITServices Support | Follow up to my Sep 10th email since I have not received a response other than the auto-responder |
| 18 Sep 2001 | APSC WebCT support | Reply to my email I had sent to my prof, informing me WebCT uses the same security as elsewhere at UBC [false - AM] |
| 18 Sep 2001 | APSC WebCT support | My reply to the above email informing the support person that in fact the rest of UBC's network is more secure. |
| 18 Sep 2001 | APSC WebCT Support | Reply to the above email informing me that he would grudgingly give me a special ID for WebCT |
| 19 Sep 2001 | APSC WebCT Support | My new WebCT ID that is not integrated with the UBC email system! |
| 19 Sep 2001 | IT Customer Support | A reply to my Sept 10th message (with Sep 18th follow up) saying they were forwarding my message to the WebCT administrators. |
| 29 Sep 2001 | IT Customer Support | My reply to the above message asking why there hadn't been a response in 2.5 weeks for a security problem. |
| 2 Oct 2001 | IT Customer Support | A reply to my above message, apologizing for the delay and passing on the message "security features in the next version of webct". |
| 13 Oct 2001 | webct-admin@itservices.ubc.ca | An email outlining my concerns to the UBC WebCT Administrators after creating this web site on WebCT |
| 19 Oct 2001 | webct-admin@itservices.ubc.ca | A follow up to the above email since I had not got any sort of response at all for almost a week. |
| 19 Oct 2001 | Andreutti, Larry - WebCT Admin | A reply to the above message saying that Brock Smith was responsible for these issues but was away for the next 3 days. |
| 22 Oct 2001 | Huang, Renbo - WebCT Admin | An amazing email saying, "IT Services does not see the security/privacy issues as a major problem." - This email was later retracted by another administrator. |
| 23 Oct 2001 | Andreutti, Larry - WebCT Admin | A retraction of the above email saying it is the "opinion" of Renbo and not IT Services' stance. |
| 23 Oct 2001 | Larry Andreutti, Brock Smith, Jeanne Lee - WebCT Admins | I re-iterated my request for their comments on my concerns |
| 24 Oct 2001 | Andreutti, Larry - WebCT Admin | Andreutti again said it was Brock Smith's responsibility to deal with it. |
| 3 Nov 2001 | Dave Frazer, Brock Smith - WebCT Admins | I escalated my concerns to Dave Frazer after never hearing from Brock Smith (he had 2 weeks to respond and accessed my webpage numerous times.) |
| 5 Nov 2001 | Dave Frazer - WebCT Admin | Frazer says he will look into my concerns. |
| 5 Nov 2001 | Dave Frazer - WebCT Admin | Frazer responds saying https to be installed, privacy concerns sent to UBC Legal Counsel, logout text to be added. |
| 6 Nov 2001 | Dave Frazer - WebCT Admin | I press Frazer for a time frame of the improvements and ask for permission to post his message on my web site. |
| 10 Nov 2001 | Dave Frazer - WebCT Admin | Frazer responds saying HTTPS by December and new 'web strategist' position for WebCT. |
| 25 Nov 2001 | Dave Frazer - WebCT Admin | I thanked Frazer for adding the logout message but said it was not enough. I continued to ask for an update on the legal issues. |
| 2 Jan 2002 | Dave Frazer - WebCT Admin | I continued to ask for an update on the legal issues (pending for 2 months!) and development of HTTPS (now a month behind his schedule!). |
Hello, I have a course that is hosted on the 'orange' webCT server. It seems that I should use my interchange/netinfo username and password to log in to this server. Is there some way to do this securely and/or set up a completely separate username/password for use with WEBCT? It seems sort of hypocritical to have all this secure web interface to change netinfo passwords (at https://www.admin.interchange.ubc.ca/netreg/ and www.admin.interchange.ubc.ca/interchg-v2/for_users/) and then require students to log in with no security at all for WEBCT. Some sort of warning such as "Do not log in to WebCT from your cable modem connection!" might be appropriate until this can be fixed. Alan
[Unfortunately this auto generated message was deleted. Only its content survives. - AM]
Thank you for your comment or question. Your submission has been automatically entered into our problem tracking system and you have been assigned this Call Tracking Number: 37941. You may use this number to keep track of the progress of the call if you talk to one of our representatives. Depending on the nature of the problem, you will be contacted either by phone or e-mail, generally within a 48-hour period. > --------- > Hello, >
[My original email was then quoted - AM]
Hello xxxxxxx[Name suppressed], I was trying to log into the web page for EECE 450 through WebCT and the site does not seem to have the ability to log me in securely. I do not want to compromise my Interchange email account by sending my username/password in plaintext over the internet. I emailed WebCT support (webct-support@itservices.ubc.ca) a week ago about this issue and have only received an automated response (Call Tracking Number 37941). It seems almost irresponsible of WebCT to force students to use their interchange email account usernames/passwords in such an extremely insecure fashion. Every other place students use their interchange accounts, they are either forced or have the option to encrypt all transactions. Is there a guest or temporary account students can use if they do not want to compromise their interchange email accounts? Or a way to get a separate account for WebCT that is not connected to interchange? Thank you, Alan Macek
Hello 'ITServices Support', Over a week ago I sent an enquiry to the WebCT support email address. Since then I have not seen any change with security on the WebCT web site and have not heard back from you. Please let me know what the status of WebCT login security is. Thank you, Alan Macek ITServices Support wrote:[The auto-responder message was then quoted - AM]
Jim Sibley ################################### Jim Sibley Educational Technology Coordinator Centre for Instructional Support Faculty of Applied Science - University of British Columbia 2006-2324 Main Mall Vancouver, BC Canada V6T 1Z4 Phone 604.822.9241 Fax 604.822.7006 Email XXXXXXXXX[removed] Web www.learning.apsc.ubc.ca ##################################################
Hello, Thanks for your reply. I really appreciate your response. I fully agree that the internet security for some of the online services at UBC is lacking but I don't think insecurity is that widespread. According to the people running myUBC, the log in process is secure. In response to an email I sent them, they said, "I checked with the Portal development team and found that when you login it is a secure connection using a digital certificate. Access the web-site is not secure, but whenever you login or connect to a data sensitive channel (eg. mail channel) then the connection is secure." When students are logging into the text based netinfo system at the Library, the connection is not encrypted BUT the data only travels over ITservices' system rather than over the Internet. It is possible for students to download their email from interchange securely. I use port forwarding over SSH to connect to the interchange server. This page describes how to access interchange email securely: http://www.resnet.ubc.ca/security/usingssh.html WebCT is the first insecure website I have been forced to use with my interchange account. I would still suggest that a warning be posted on WebCT of the inherent risks to students' interchange accounts of logging in to WebCT. If it is impossible to access WebCT securely, could you please give me a separate account for WebCT and EECE 450. Thank you, Alan Macek "Sibley, Jim" wrote: [The quoted message then follows - AM]
jim -----Original Message-----[My message is then quoted - AM]
jim -----Original Message-----[My message is then quoted - AM]
Hi, Sorry for the delay in our reply, the HelpDesk received over 600 emails regarding webct problems and it has taken some time to answer them. Your call has been forwarded to the administrators of webct and we are now waiting for their reply. Either they will contact you directly or when we hear something we will get back to you on this matter. Cheers, Wayne Mah ITServices Internet Support Consultant
Hello Customer Support, I was just wondering what the status of WebCT security is. It has been over two and a half weeks since my original enquiry (and 1.5 weeks since your update). It seems that putting all WebCT users' UBC email accounts in a vulnerable position should be a reasonably high priority. Thank you, Alan > ITServices Customer Support wrote:[Quote of the 19 September Message - AM]
Hi, Sorry, for the delay in reply but I just heard from them. They have been discussing it and they are most likely going to implement the security features in the next version of webct. The current version "orange" doesn't have support for the security features. If you are not satisfied with the answer and wish to discuss it further, please email webct-admin@itservices.ubc.ca. Cheers, Wayne Mah ITServices Internet Support Consultant
Hello, I have several concerns with the current implementation of WebCT at UBC. I have put together a document outlining my concerns at http://www.alanmacek.com/webct.html I would like to hear the WebCT Administrator's side of these issues and if possible add their comments to the document. The quoted email below mentions security features of the next WebCT release. Can you describe or point me to descriptions of the new features. Will they address the issues I raise in my document? If the information is available, I would also like to know how many UBC students are using WebCT and how many UBC courses have a WebCT component. Have professors, TAs and students generally been happy with WebCT? Thank you and I look forward to getting your response. Alan Macek > ITServices Customer Support wrote:[The Oct 2nd email is then quoted - AM]
Hello again, It has been almost a week since I sent my original email regarding security and privacy problems with WebCT. I would appreciate getting your response or at least an acknowledgment that either these issues are not seen to be a problem or you are looking into them. Thank you, Alan Macek -------- Original Message --------[My October 13th email message is then quoted - AM]
Hi Alan, Just so you know who I am, I'm covering for Jeanne while she's on vacation (she gets back on November 5th). Prior to going on vacation, Jeanne (the WebCT admin) forwarded your e-mail to Brock Smith who is the WebCT service manager and asked him to look into it. It will ultimately be his decision as to what is done to address these security concerns. Brock is away today but will be back in the office on Monday. You should address all future correspondence with regards to this issue to him. Brock, What are you planning to do to address these security issues? Larry Andreutti -----Original Message-----[My October 19th message is quoted - AM]
Hi Alan,

IT Services does not see the security/privacy issues as a major problem. WebCT has been operating under the same security for a long time, and we've had no problems. Within WebCT, passwords are encrypted to ensure that they cannot be tampered with.

I have read your web page http://www.alanmacek.com/webct/webct.html

You are correct in that Orange (WebCT 3.1) uses the basic implementation of authentication. WebCT 3.5 and above uses a slightly upgraded method of authentication. We plan to upgrade Orange to WebCT 3.6 either in December or next summer. Also, we have plans in the future to use our own type of authentication that uses secure transfers. However, the current authentication scheme will not be altered before December.

Our implementation of Orange (WebCT 3.1) is totally based on WebCT's original implementation of WebCT. We have no fewer security documents than originally provided by WebCT.

WebCT 3.6 includes a logout feature that you may find useful. In WebCT 3.1, we recommend closing the browser to ensure that logins are not compromised. I don't think WebCT included this in any of its web pages. It is possible to display a warning on the main page to shut down the browser. However, changing anything inside the WebCT code may be interpreted as tampering with WebCT's copyright.

Personally, I agree with your requests to allow designers to have alternative login IDs. Although I believe it is possible to also give students alternative logins, I don't think it will be as efficient due to the way students are processed.

I have no comments on the BC Freedom and Information and Privacy Act in so much that I think it is WebCT's duty to implement privacy documents into its core coding beyond the scope of IT Services.

I understand the concern for higher security over the internet. Despite that, we have no plans to disrupt overall WebCT services at least until this term ends.

-Renbo, IT Services
-----Original Message-----[My October 19, 2001 message is quoted - AM]
Hi Alan, Actually, IT Services DOES see security/privacy as a major problem. Renbo claims to have read your web page but apparently not very well. The issue as I understand it is the unencrypted transmission of IDs/Passwords over the network, not how they are stored internally in WebCT (I believe this is the point Renbo misunderstood). Anyway, we are examining different encryption options. Please disregard Renbo's personal "opinion". That's all it is and it is NOT the official stance of IT Services. Larry -----Original Message-----[Renbo Huang's email is then quoted - AM]
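The distinction Larry draws in the message above, transmission over the network versus storage inside the application, is the crux of the whole thread (it is also the point of the Sep 10 and Sep 18 messages). The following is an added example written for this page, not code from WebCT, from IT Services or from any of the emails. The two requests are constructed samples of what a passive observer on the path would see when a login is submitted over plain HTTP; the host name and the `username`/`password` form field names are assumptions, not WebCT's real login form. It shows that a server which never stores the cleartext password still hands it to anyone sniffing the wire, which is exactly why server-side "encryption" was never the answer.

```python
"""Added example: the wire versus the store."""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed sample traffic (not a real capture). Host and form field
# names are assumptions, not WebCT's actual login form.
SAMPLE_FORM_POST = (
    b"POST /webct/login HTTP/1.0\r\n"
    b"Host: orange.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=alice&password=s3cret%21"
)

SAMPLE_BASIC_GET = (
    b"GET /webct/protected HTTP/1.0\r\n"
    b"Host: orange.example.edu\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret!") + b"\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(raw):
    """Return (username, password) readable from a cleartext request, else None.

    Handles HTTP Basic auth and a urlencoded form with 'username'/'password'
    fields (assumed names). Nothing here needs the server's cooperation:
    this is what anyone between the browser and the server can read.
    """
    method, _, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("latin-1")
        user, _, password = decoded.partition(":")
        return user, password
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        if "username" in fields and "password" in fields:
            return fields["username"][0], fields["password"][0]
    return None


def store_password(password, salt=b""):
    """Server-side record: a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    """Check a candidate password against a stored record in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def observer_can_log_in(raw, record):
    """A hashed store does not stop replay of a password sniffed off the
    wire; only encrypting the transport (HTTPS) does."""
    creds = extract_credentials(raw)
    return creds is not None and verify_password(creds[1], record)


if __name__ == "__main__":
    record = store_password("s3cret!")  # what the server keeps
    for raw in (SAMPLE_FORM_POST, SAMPLE_BASIC_GET):
        print(extract_credentials(raw), "-> observer logs in:",
              observer_can_log_in(raw, record))
```

The practical check this suggests: look at the `action` URL of the login form and at the first request the browser sends after submitting it. If the scheme is `http://`, everything `extract_credentials` recovers above is readable to the network, however the password is stored on the server.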
Hello, Thank you for your email. It was reassuring to learn that Renbo's email did not represent official policy of IT Services. What was probably the most alarming was Renbo's comment that it is "WebCT's duty" to ensure that UBC complies with the BC Privacy Act. So now that I know what IT Services policy is not, can you please tell me what the policy is. It has been about a week and a half since I first emailed with my concerns and I am hoping you could tell me what IT services has done and/or is planning on doing about it. I think it is important that students using WebCT are informed about the risks they are taking using WebCT and I was hoping to be able to put some comments from IT Services on my web page before publicizing it. I look forward to hearing from you soon, Sincerely, Alan Macek "Andreutti, Larry" wrote:[Andreutti's Oct 23rd email was then quoted - AM]
Hi Alan, Well, like I said, it is really up to the service manager. Last I heard, Brock was tied up in meetings so I don't know when he plans to get around to it. If you don't hear back from him soon, you should escalate this to Dave Frazer (frazer@exchange.ubc.ca). Larry -----Original Message-----[My October 23rd email is quoted - AM]
Hello Mr. Dave Frazer, I am escalating my concerns to you because I have not heard anything from Brock Smith and it was my understanding I should escalate these issues to you if I did not hear from him. I have several concerns with security and privacy with the current implementation of WebCT at UBC. My concerns can be found on my web site at http://www.alanmacek.com/webct/ Outlined below is the communication that has occurred between me and IT Services. As you can see this concern was originally brought to IT Services on September 10th, almost 2 months ago, and I have NEVER heard anything about what IT Services is planning on doing about this or even that they are looking into it. It is especially disturbing that IT Services has been reading my concerns but don't feel it is important to even let me know that they are looking into my concerns. I think these issues are important and I also feel it is important that students are aware of the risks they are taking when they use WebCT. Currently the only link to my WebCT page is from my personal web page in the WebCT course I am taking (EECE 450). I would like to be able to put comments from IT Services on my page before I tell people about my web page on bulletin boards and newsgroups. I look forward to hearing from you soon. Sincerely, Alan Macek Here is an outline of my communication with IT Services. I have copies of all the emails and log files if you are interested in any aspects of this. Sept 10, 2001 - Email to webct-support@... with concerns about insecure log in Sept 18, 2001 - I follow up to my earlier email since I didn't get any response Sept 18, 2001 - Answer from 'Wayne Mah' saying basically wait longer Sept 29, 2001 - I follow up since I still haven't heard anything Oct 2, 2001 - Receive reply from 'Wayne' saying current version of WebCT doesn't support security and suggested I follow it up to webct-admin@... Oct 13, 2001 - I email to webct-admin@... 
after putting together my web page Oct 15, 2001 - both 'sage.itservice.ubc.ca' and 'smith2.itservice...' access my web page Oct 18, 2001 - 'jeanne.itservice...' access my web page Oct 19, 2001 - I follow up to my Oct 13 email since I didn't get any response at all Oct 19, 2001 - 'andretti.itservice...' accesses my web page Oct 19, 2001 - I receive a msg from 'Larry Andreutti' saying that Jeanne is away on holiday (Was someone else using her computer on the 18th?) and that Brock Smith was going to deal with the issue. Oct 22, 2001 - 'student4.itservice...' accesses my web page Oct 22, 2001 - receive an email from 'Renbo Huang' saying that the security and privacy issues are not important at all Oct 23, 2001 - receive a msg from 'Larry' saying to disregard Renbo's message since he is wrong Oct 23, 2001 - I reply to 'Larry' and 'Jeanne' saying that I want to hear what IT Services is planning on doing about this. Oct 24, 2001 - 'student4.itservice...' accesses my web page Oct 24, 2001 - receive msg from 'Larry' saying that it is Brock Smith's responsibility and to escalate to Frazer if I don't hear back from Brock. Oct 26, 2001 - 'smith2.itservice...' accesses my web page
Thanks for your feedback Alan. I will investigate the situation and get a response back to you this afternoon. I realize you have put a significant effort into your investigation and I do thank you for it. p.s. You may be interested to know that ITServices, with WebCT's assistance, is in the final stages of testing a WebCT channel for my.ubc.ca . This new channel will use the authentication facility provided by myUBC. This new channel uses a new API provided by WebCT in rel 3.6 . Therefore only courses created/managed in WebCT rel 3.6 and hosted by ITServices will initially be available thru myUBC. Our goal is to have all instructors convert their courses created under old versions of WebCT to the current release. -----Original Message-----[My November 3rd message is then quoted - AM]
Hello Mr. Dave Frazer, Thank you very much for your immediate response. I am very glad to see that these problems are being addressed. In what sort of time frame are you planning on rolling out the two security initiatives (using https and special hardware)? Will I be able to try them out next term? I'm looking forward to seeing the logout warning message soon. I am also interested and curious to hear what the legal department is going to say. I was wondering if I can post your email message on my webpage? Also, I was planning on listing an email address people can use to ask further questions about some of the issues raised on my web page. Is there an address you suggest I use? I was thinking of using the webct-admin@interchange.ubc.ca address at this time. Thank you again for your response. I really appreciate your time corresponding with me on these issues. Sincerely, Alan Macek "Frazer, Dave (ITServices)" wrote:[Frazer's November 5th email was then quoted - AM]
Alan, I don't have an estimate for completion at my finger tips, but assuming the testing and implementation do not have any hiccups, we should have the OpenSSL in place by the end of Nov (probably sooner). We are evaluating h/w that provides a variety of features such as server load balancing, global server load balancing, reverse proxy cache, content rewrite, clustering, web security, and SSL acceleration to support an "enterprise-level" web service. The results will determine how we proceed. The plan is to have this h/w in place in the first quarter of 2002. Of course this depends on the evaluation. While we wait for legal counsel to advise us on our existing situation, I should mention that we recently put in place a new "web strategist" position who will take on improving all facets of our (ITServices) web presence. Our target is to have an exemplary secure site compliant with all policies and laws .... and good useful information and services! -----Original Message-----[My November 6th message is then quoted - AM]
Hello Dave Frazer, Thank you for your information on developments on WebCT. I was very happy to see the new warning message on the welcome page of the Orange WebCT server about shutting down your browser. I have updated my web page (http://www.alanmacek.com/webct/) to reflect this improvement. I was disappointed that the message did not include a general warning about passwords traveling in plain text over the internet when using WebCT. In my previous email I asked for permission to post your emails on my web page. Would this be ok with you? I have a quick question about how passwords work with WebCT. The account initially given to students uses their UBC email usernames/passwords. The 'Student FAQ' page tells students to change their WebCT password by going to the Netinfo web site and changing their email password. In spite of this, there seems to be a 'Change Password' link inside WebCT. When a student changes their password using this link, does it change their email password? If it doesn't, and they now have different passwords for WebCT and their email, can they then change their email password using the Netinfo web page without resetting their WebCT password? I fortunately can not test this because my WebCT account and my email account are disconnected. I am very glad that improvements are being made with WebCT. Thank you very much for your earlier responses and I look forward to hearing from you again. I also look forward to hearing the response from UBC's legal counsel. Sincerely, Alan Macek On November 10, 2001, "Frazer, Dave (ITServices)" wrote:[ Frazer's November 10th email was then quoted - AM]
Hello Dave Frazer, This is my second follow up to your last message. I would appreciate hearing from you. In your November 10th email you said, "we should have the OpenSSL in place by the end of Nov (probably sooner)." I cannot seem to connect to the Orange WebCT server using SSL, so I was wondering what the status of this project is. It has been 2 months since you said you forwarded my privacy concerns to the university's legal counsel and I would like to hear their response. Could you please forward me their comments or tell me who I can contact in the legal department? In my 2 previous emails I asked if I could post your emails about WebCT on my web site. Could you please let me know if I can do that. I am enclosing the email I sent in November which I assume must have got lost. Sincerely, Alan Macek -------- Original Message --------[I forwarded my November 25th 2001 email - AM]