Last Wednesday, the new eCRS team released the University Information System (a new version(?) of what used to be the Computerized Registration System). It reminded me a lot of my security predictions for 2007. (Heck! They just made some of my predictions come true.) This is a good example of a release that is not even of alpha-test quality. Over at their blogs, Sir Rom discussed the issues with the new system and nightfox focused on the app’s usability.
On porting the system to PHP
What I find really disturbing is that the new UIS is written in PHP. CRS was developed in Java. While Java security is not perfect, PHP security is worse. I mean, what’s the point of taking down a stable system if you can’t provide a better one?
Also, did anybody QA the system? Or at least study the ‘old’ one to determine the features and algorithms it used (conflict identification, overload-unit checking, etc.)? Apparently, the new system seems to be a record-keeping system (add, edit and delete functionality).
I agree. It even looks like something from SourceForge (no offense meant; I mean, we are aware that not all code there is of the highest quality…). It reminded me of my CS12 Machine Problem (it’s a record-keeping system). Just shows how much time and funds they wasted on a system that is not even on par with the previous one. The development time for this was, more or less, a semester (depending on how fast they were able to come up with a new team and when they actually started), if I am not mistaken. Premature, indeed.
It still amazes me that somehow, they forgot(?) to serve the page over an encrypted connection. In a previous press release, one of the team members said:
I wonder, does that not include encryption? The UIS contains the pre-enlistment data of students, their student information (including student numbers) and their “unofficial” transcript of grades.
Is the system encrypted? Seeing how prematurely it was released, I strongly doubt it. A system full of bugs will, most surely, have had security left out. (Heck, if they weren’t able to get the code right, what’s the probability that they got the security right? 😛 )
On the absence of a digital certificate
A few people thought it was a phishing site because it displayed an IP address instead of a URL. I do not blame them – with systems being hacked every few minutes, I wouldn’t be surprised if someone created a phishing site pretending to be UP’s to retrieve faculty, staff and student accounts… but then again, you can’t sell the info outside, so there’s no point in getting their data. :p
No wonder they thought it was a phishing site. There was no digital certificate to begin with. The ‘previous’ CRS (as well as the UP Webmail and UVLE) presents a digital certificate to identify itself. It is interesting that the UIS, however unfitting the name is, has no digital certificate tying it to the University.
Also, I find it weird that sessions don’t expire anymore. So, please, don’t forget to log out, especially if you’re using public / university terminals.
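Since the UIS is written in PHP, here is an added example (not code from the original post or from the UIS) of how a PHP application would make sessions expire and make the logout actually end the session; the timeout values, function names and the "secure" cookie flag (which assumes the site is served over HTTPS) are assumptions.

```php
<?php
// Added example, not from the original post or the UIS: enforce idle and
// absolute session expiry in a PHP application. Limits are assumptions.
const IDLE_TIMEOUT     = 15 * 60;   // log out after 15 minutes without a request
const ABSOLUTE_TIMEOUT = 8 * 3600;  // and unconditionally after 8 hours

function start_secure_session(): void
{
    // Session id only via cookies; reject ids the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS (the site must offer it)
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $now     = time();
    $created = $_SESSION['created_at'] ?? $now;
    $last    = $_SESSION['last_seen']  ?? $now;
    if ($now - $last > IDLE_TIMEOUT || $now - $created > ABSOLUTE_TIMEOUT) {
        destroy_session();      // idle or too old: drop everything
        session_start();        // continue as a fresh, anonymous session
    }
    $_SESSION['created_at'] ??= $now;
    $_SESSION['last_seen']    = $now;

    // Rotate the id every few minutes so a captured id has a short useful life.
    if (($_SESSION['rotated_at'] ?? 0) < $now - 5 * 60) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
}

// Also called by the logout page, so "logout" really ends the session.
function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

start_secure_session();
```

Every page of the application would include this file before producing output, so an abandoned public terminal stops being usable after the idle timeout even if the student never clicks logout.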
Honestly, I won’t be surprised if we soon hear student accounts being hacked.
Amazing, isn’t it? [read: sarcasm]
update: Now, this is interesting:
CRS won’t accept me
i’m freaking out. i can’t log onto CRS. when i try to log in, it goes on saying that i don’t have permission to access my account. is it because i’m on LOA? or is it because i’ve already been kicked out of school? what? tell me!
The post is dated 23rd of March this year. Now, I wonder… (AFAIK, taking a leave of absence does not curtail one’s CRS privileges.)
Apparently, it is an SOP to first present a certificate of readmission for someone who was on LOA/AWOL before s/he can log in. 😀