<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Hi all -
<div><br>
</div>
<div>Earlier today we discovered that some of the contents of the admissions athena locker were being publicly indexed via a server which was serving AFS via FTP. As a result, some security-by-obscurity directories that we did not link to were nonetheless accessible
by Google and by manually crawling through a directory tree. </div>
<div><br>
</div>
<div>Upon some further review this seems to be the case for many AFS directories. See, e.g., </div>
<div><br>
</div>
<div><a href="ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/a/">ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/a/</a></div>
<div><br>
</div>
<div>While this may / may not be an issue for folks, it was unknown to me as of this morning, and so I wanted to make sure others were aware as well in case there is hidden stuff in your office athena accounts which shouldn't be available via this kind of crawl.
In order to check whether there is, you should go to your office's athena locker, which should be accessible at </div>
<div><br>
</div>
<div><a href="ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/">ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/</a><b>X</b></div>
<div><b><br>
</b></div>
<div>Where <b>X </b>is the first letter of the name of your athena locker. There will be a list of athena lockers under there. Find yours, and navigate through it. If there is stuff there that is accessible to this sort of browsing which shouldn't be, you may
want to contact Accounts to get help setting permissions appropriately. If, on the other hand, everything should be accessible, then it's all fine. </div>
<div><br>
</div>
<div>I just wanted to let other folks in the web community here know in case more things than you wished were being revealed via the FTP browsing. </div>
<div><br>
</div>
<div>Best, </div>
<div><br>
</div>
<div>- Chris </div>
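<div>The check described above (browse your locker and look for things that should not be reachable) can also be done from the owner's side, since what an anonymous FTP front end can serve is bounded by what AFS grants to system:anyuser. The script below is an added example, not part of this e-mail or of Athena's own tooling: it walks a locker, runs the OpenAFS <code>fs listacl</code> command on each directory, and lists the ones where system:anyuser has lookup or read rights. It assumes <code>fs</code> is on PATH when run on an Athena machine; the locker path in the usage comment is a placeholder, and the ACL text in <code>demo</code> is constructed sample output.</div>

```shell
#!/bin/sh
# Added example (not from the original e-mail): audit an AFS locker for
# directories that anonymous users can list or read. Assumes the OpenAFS
# `fs` command is available when audit_locker is called.

# Parse `fs listacl` output on stdin and print the rights granted to
# system:anyuser (prints nothing if there is no such entry). Only entries
# under "Normal rights:" are grants; "Negative rights:" entries remove
# rights and must not be reported as exposure.
anyuser_rights() {
    awk '
        /^Negative rights:/ { neg = 1; next }
        /^Normal rights:/   { neg = 0; next }
        !neg && $1 == "system:anyuser" { print $2; exit }
    '
}

# Return 0 (true) when a rights string lets anonymous users see content:
# "l" (lookup) reveals file names, "r" (read) reveals file contents; a
# crawler such as the one described in the e-mail needs both, but either
# alone is worth reviewing.
is_exposed() {
    case "$1" in
        *r*|*l*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Walk a locker and print "<rights>TAB<directory>" for every directory
# whose ACL grants system:anyuser lookup or read rights.
audit_locker() {
    find "$1" -type d 2>/dev/null | while IFS= read -r dir; do
        rights=$(fs listacl "$dir" 2>/dev/null | anyuser_rights)
        if [ -n "$rights" ] && is_exposed "$rights"; then
            printf '%s\t%s\n' "$rights" "$dir"
        fi
    done
}

# Stand-alone demonstration of the parser on constructed `fs listacl`
# output (no AFS needed); prints the rights system:anyuser holds, "rl".
demo() {
    printf '%s\n' \
        'Access list for /afs/example.org/org/a/locker/pages is' \
        'Normal rights:' \
        '  system:administrators rlidwka' \
        '  system:anyuser rl' \
        '  someuser rlidwka' | anyuser_rights
}

# Usage on an Athena machine (placeholder path, substitute your locker):
#   audit_locker /afs/athena.mit.edu/org/X/LOCKER
# To stop anonymous access to one directory you control:
#   fs setacl -dir /afs/athena.mit.edu/org/X/LOCKER/private -acl system:anyuser none
```

<div>Treat the output as a review list rather than a list of things to lock down: directories that are meant to be published on the web generally need system:anyuser lookup and read so the web server can serve them, and AFS ACLs apply per directory, so a subdirectory such as the "pages" one mentioned below can be exposed even when its parent is not. If you are unsure what a change will break, Accounts can help with the permission changes.</div>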
<div>
<div><br>
<div>Begin forwarded message:</div>
<blockquote type="cite">
<div>Hi Chris, </div>
<div><br>
</div>
<div>Quentin can explain in more detail (or I can once I get to a computer) but basically it's the last part of the URL that's relevant. So the permissions in the "admissions" locker, in the "mitcpw_OLD2010" directory and/or its "pages" subdirectory are incorrect
and allowing this access. The server in question is serving the AFS filesystem but the contents are ultimately in the aforementioned directories. Accounts (x3-1325) can help with permission changes if necessary.<br>
<br>
Sent from my mobile device</div>
<div><br>
On May 11, 2012, at 11:29 AM, "Chris Peterson @ MIT" <<a href="mailto:chris.peterson@MIT.EDU">chris.peterson@MIT.EDU</a>> wrote:<br>
<br>
</div>
<div></div>
<blockquote type="cite">
<div>
<div>Hi Quentin -</div>
<div><br>
</div>
<div>Someone in DSL discovered a table of CPW host contact info while googling. It looks like it is hosted on <a href="http://amusing.mit.edu/">amusing.mit.edu</a>, which I am guessing, based on its <a href="http://stuff.mit.edu/machine">stuff.mit.edu/machine</a> listing,
is a SIPB XVM (I may be wrong). </div>
<div><br>
</div>
<div>From poking around in the directory tree I am not sure if this is a mirror or an archive of the MIT Athena system. I am also not sure why it seems to be open to anyone, or what we need to do to remove the stuff we would like to remove. From my experience
poking around it almost seems like someone just dumped much of Athena into a publicly accessible FTP directory...but I may be wrong. </div>
<div><br>
</div>
<div>Any insights into what this is, what we should do, or people to whom I should speak?</div>
<div><br>
</div>
<div>- Chris </div>
</div>
</blockquote>
</blockquote>
</div>
<br>
</div>
</body>
</html>