Last Wednesday, the new eCRS team released the University Information System (a new version(?) of what used to be the Computerized Registration System). It reminded me a lot of my security predictions for 2007. (Heck! They just made some of my predictions come true.) This is a good example of a release that is not even of alpha-test quality. Over at their blogs, Sir Rom discussed the issues with the new system and nightfox focused on the app’s usability.
On porting the system to PHP
What I find really disturbing is that the new UIS is written in PHP. CRS was developed in Java. While Java security is not perfect, PHP security is worse. I mean, what’s the point of taking down a stable system if you can’t provide a better one?
Also, did anybody QA the system? Or at least study the ‘old’ one to determine its features and the algorithms (conflict identification, overload-unit checking, etc.) it used? Apparently, the new system seems to be a record-keeping system (add, edit and delete functionality).
I agree. It even looks like something from SourceForge (no offense meant; we are all aware that not every project there is of the highest quality…). It reminded me of my CS12 Machine Problem (it was a record-keeping system). It just shows how much time and funding they wasted on a system that is not even on par with the previous one. The development for this took, more or less, a semester (depending on how fast they were able to come up with a new team and when they actually started), if I am not mistaken. Premature, indeed.
On encryption
It still amazes me that somehow, they forgot(?) to encrypt the page. In a previous press release, one of the team members said:
We follow the rules on keeping [the students’ records] confidential.
I wonder, does that not include encryption? The UIS contains the pre-enlistment data of students, their student information (including student numbers) and their “unofficial” transcript of grades.
Is the system encrypted? Seeing how prematurely it was released, I strongly doubt it. A system full of bugs will, most surely, have had security left out. (Heck, if they weren’t able to get the code right, what’s the probability that they got the security right? 😛 )
On the absence of a digital certificate
No wonder they thought it was a phishing site. There was no digital certificate to begin with. The ‘previous’ CRS (like the UP Webmail and UVLE) presents a digital certificate to identify itself. It is interesting that the UIS, however unfitting the name is, does not have a digital certificate to tie it to the University.
Also, I find it weird that sessions don’t expire anymore. So, please, don’t forget to log out, especially if you’re using public / university terminals.
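As an added illustration (not code from the UIS or from this post), here is one way a PHP application can enforce the idle and absolute session timeouts that the author notes are missing; the timeout values, function names and the `/login.php` path are assumptions for the example:

```php
<?php
// Added example: session-expiry enforcement for a PHP application.
// Timeout values, function names and paths are assumptions for illustration.
const IDLE_TIMEOUT_SECONDS     = 900;      // 15 minutes without activity (assumed)
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600; // hard cap on session lifetime (assumed)

// Returns true and refreshes the activity timestamp when the session is still
// within both limits; returns false when it has expired.
function sessionIsFresh(array &$session, int $now): bool
{
    if (!isset($session['started_at'])) {
        $session['started_at'] = $now;
    }
    $idleFor = $now - ($session['last_activity'] ?? $now);
    $age     = $now - $session['started_at'];
    if ($idleFor > IDLE_TIMEOUT_SECONDS || $age > ABSOLUTE_TIMEOUT_SECONDS) {
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Call at the top of every protected page.
function requireLogin(): void
{
    // Cookie flags (array form needs PHP 7.3+): not readable by script,
    // only sent over HTTPS, not sent on cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
    if (!isset($_SESSION['student_id']) || !sessionIsFresh($_SESSION, time())) {
        // Drop server-side state and the cookie, then send to the (assumed) login page.
        $_SESSION = [];
        setcookie(session_name(), '', time() - 3600, '/');
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    // Rotate the session id every 5 minutes to limit the value of a captured cookie.
    if (($_SESSION['last_regen'] ?? 0) < time() - 300) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}
```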
Honestly, I won’t be surprised if we soon hear student accounts being hacked.
Amazing, isn’t it? [read: sarcasm]
Update: Now, this is interesting:
The post is dated 23rd of March this year. Now, I wonder… (AFAIK, taking a leave of absence does not curtail one’s CRS privileges.)
Update:
Apparently, it is an SOP to first present a certificate of readmission for someone who was on LOA/AWOL before s/he can log in. 😀
A person on LOA/AWOL the previous semester wouldn’t be able to log in to CRS until he or she presents a certificate of readmission from his/her college. That was the old CRS, at least.
Just FYI. 🙂
Cheers.
Thanks for the info. Updated the post already. 😀
Hehe. I have never been on LOA/AWOL, myself. 😉
Actually, there is still priority given to graduating students and freshmen. It was not official yet, so we pointed out to people who asked that there is no priority.
You can try to hack the system if security is your issue.
We don’t neglect security. The system double checks every input. We wish we could let you see the codes written before ours. And maybe you would have a turn-around.
That’s all for the posts.
Also, there are new modules in the UIS. It’s just that this software is currently being tested before deployment. Moreover, only those with privileges can access them. That was a stupid comment from your tagboard friends. Are they really that pathetic? Please investigate more. You are short of information. It’s up to the developers to secure their code.
I’ll stay in this channel to see if there would still be bugs coming out. Thanks for pointing out things. This will help improve the UIS a lot. 😉
Actually, I pointed out the security issues in the hope that they’ll get addressed. If the system gets better security, we all win. If it doesn’t, we all lose. That’s all that’s in it for me.
And I do hope that the UIS will improve.
Maybe it’s because the current CRS team was under too much pressure… but the thing is… why go so far as to replace the system with something less secure than the previous one? Isn’t it supposed to be upgraded, not the other way around?
I just wish… they had considered that many of us depend on the CRS (er, it’s UIS now) to ease the difficulty of enlistment somewhat when the enrollment period comes. Like Sir Aldwin said, they’re toying with the academic lives of over 8000 students -_-“