Summer 2023 Plan to Fix Systems Security Flaw Halted by Administration Over Budget Concerns, Say Sources Within IT
According to leaked documents obtained by the Quest, the Reed IT Department was moving forward with plans to fix the systems flaw reported by the paper in late September — which exposed the campus IDs of all students, staff, faculty, and alumni — as early as May 2023, but was prevented from doing so over budget concerns. Students had given the department “plenty of time,” to fix the issue, one IT professional reportedly said in a private meeting that was later described to reporters, but “everyone higher up said no.”
The newly leaked documents also confirm that the constant offset exploit previously reported by the Quest has affected all ID numbers issued since 2018, five years before the earliest date of vulnerability that the Quest had previously established — although the earliest date of student knowledge of this flaw remains in November 2022.
The systems flaw originated at least partially with the Transact corporation, a third-party vendor that supplies and maintains parts of Reed’s campus ID system — although the IRIS campus directory, which ultimately exposed the majority of the vulnerable information, was built internally. According to an internal IT document dated May 2023, “[IT has] been using Transact (aka, Blackboard; aka, Onecard) at Reed for approximately 20 years now,” although the Quest has no reason to believe Transact’s systems exposed data in this way prior to 2018.
According to Administrative Computing Services Director Kerri Kreager — whom the Quest contacted in an attempt to verify parts of the initial leak — after first being alerted to the existence of the vulnerability by a student in April 2023, the department quickly moved forward in May to negotiate a contract with Transact for a systems upgrade that would generate student ID numbers separately from pidm numbers, making it impossible for IDs issued after that date to be exploited in the same way. This plan was on track to be completed during the summer of 2023.
However, after Transact quoted an estimated price for that upgrade, the planned fix stalled. The Quest has received conflicting reports as to why. In a phone call with the Quest, Administrative Computing Services Director Kerri Kreager said that she simply “didn’t have the money” to carry out the fix at the time. However, according to sources familiar with the matter, in private meetings, Ms. Kreager has been more specific in saying “I had the money in my budget, but I was told that money was already allocated for something, so we told Transact not to move forward.” (This statement has not been verified by Ms. Kreager herself, and while the Quest has confidence in the accuracy of our source, the paper has not sought independent confirmation prior to publication for the reasons explained in this week’s letter from the editors.) Such statements would suggest that the decision not to approve the money necessary to carry out the fix came not from Ms. Kreager, but from a higher authority at the college.
From that point forward, the planned fix stalled until September 16, when preliminary patches were implemented less than two weeks after the Quest first contacted the department.
Since the Quest’s coverage, sources within IT have said that issues related to the database and student IDs have been bumped to the top of the department’s priority list because “it’s political now.” In a phone call with a Quest reporter, Ms. Kreager said she was “given the go-ahead” to sign an upgrade contract with Transact during the week of October 9 — one week after the Quest’s initial reporting.
In private meetings that have been described to the Quest, IT professionals have referred to recalling and replacing all current magnetic stripe cards — the only certain way to protect already-printed IDs from previously exposed data, which remains at large — as an “ongoing problem.” Such a recall would cost approximately $6,000, which IT “[doesn’t] have in the budget at the moment.”
Again according to those with knowledge of the situation, some IT professionals have praised Reed students as “smart kids” for exploring the vulnerabilities of the system and alerting the department to them, and suggested finding better ways for students to be heard, such as the creation of a “white hat” hacker program. Such white hat programs, which are common in the tech industry, offer monetary “bug bounties” to programmers who attempt to break into systems ethically, with the eventual goal of collaborating with the designer to improve the security of the target system.
When asked in an internal meeting if his department would be interested in starting such a program, Cyber Security Architect Payam Damghani reportedly responded that his team had the bandwidth and time, but no money to pay a professional. Students would be cheaper, Mr. Damghani apparently said. However, Mr. Damghani also reportedly said that he worried about follow-through, and that the department would need to find ways to get students and faculty excited about such a new program. Perhaps, Mr. Damghani suggested, the Quest could do an article on it.