Follow Live Coverage of Reed's System Vulnerabilities
Reed Reactor is Thoroughly Protected, New Source Confirms
September 29, 1:04 PM
Quest reporters were approached by a new anonymous source associated with the Reed reactor, who was more willing to speak to the details of reactor security than those previously contacted by the paper. The Quest can now independently confirm that the Reed Research Reactor is protected from the flaws described here, and ID card duplication would pose no risk to the reactor. This is in line with our previous reporting, which stated that the reactor was "at least somewhat protected," but we can now confirm that statement to a much stronger degree.
New Vulnerability Continues to Expose PIDMs for All Users
September 29, 9:53 AM
Quest sources have independently confirmed a new vulnerability that continues to expose PIDM numbers for all students, staff, and faculty in the campus directory. The vulnerability has not been patched by IT and is still active. The Quest will not print the details of an active vulnerability, but is alerting IT to the details of the issue now.
IRIS Was Built At Least Partially Internally, Quest Confirms
September 28, 11:05 PM
The Quest is now comfortable confirming that at least large sections of the IRIS system and other affected systems were developed in-house at Reed, rather than being purchased from a third party software company.
First Student Knowledge of Directory Flaws Pushed Back Further to November 2022
September 28, 8:53 PM
Student Tucker Twomey said in an interview with the Quest that he had become aware of the autocomplete bug — which printed PIDMs for all users in the database — as early as November 25, 2022. On February 11, 2023, he first discovered that Student ID numbers could be easily calculated from PIDM numbers. He did not alert the IT department, and was aware of no earlier alert prior to the May notification already reported by the Quest. Twomey said he regretted not bringing the issue to IT immediately, but attributed it to a belief that the college “wouldn’t do much about it,” and a concern that he might suffer disciplinary action for having discovered and tested the hole in security. Twomey was also able to confirm that the flaw remained open at the end of the 2022-23 school year.
This extends the minimum time period during which some degree of vulnerability in the system remained open to nine and a half months — November 2022 to September 16, 2023.
New Information Pushes Earliest Date of Student Access to IDs to January 2023
September 28, 7:31 PM
Since the Quest’s initial coverage of a vulnerability in Reed’s systems was published, a source contacted the paper to say that they and at least one other Reed student had knowledge of that flaw as early as January 2023. This means that the vulnerability was accessible to any user for at least eight months before IT fixed it in September 2023, after the Quest contacted the department. That student did not alert IT to the vulnerability, so the department’s earliest date of knowledge remains at either April 2023 (as claimed in their email to students) or May 2023 (as independently confirmed by anonymous sources in conversation with the Quest).