[79] in Information Retrieval
[RE: Anonymous access to OPACS]
daemon@ATHENA.MIT.EDU (Tim McGovern)
Mon Mar 23 11:17:04 1992
Date: Mon, 23 Mar 92 11:14:14 EST
From: tjm@Eagle.MIT.EDU (Tim McGovern)
To: elibdev@MIT.EDU

Thought provoking...and chilling, too!

------- Forwarded Message
Date: Mon, 23 Mar 1992 09:01:12 CST
Reply-To: Public-Access Computer Systems Forum <PACS-L%UHUPVM1.BITNET@RICEVM1.RICE.EDU>
Sender: Public-Access Computer Systems Forum <PACS-L%UHUPVM1.BITNET@RICEVM1.RICE.EDU>
From: Marcia.Deddens%UC.Edu@RICEVM1.RICE.EDU
Subject: RE: Anonymous access to OPACS
To: Multiple recipients of list PACS-L <PACS-L@UHUPVM1.MIT.EDU>
----------------------------Original message----------------------------
The question of anonymous access to Internet library resources is very
important. If terminals and PC's which have public access are
provided with basic TELNET services any user can issue the Internet
address of any known (or unknown but cleverly figured out) node.

At the University of Cincinnati a terminal server was provided and
access was given through a "c internet" command. This all sounded
very good because general Internet access was there without having to
maintain individual accounts for the academic community of 47,000+
students and staff who might have a need to logon to an information
source on the Internet. Additionally, this server was available on
the campus network and could be requested not only from on campus but
from dial access. Dial access to the network requires no individual
identity. That is always established when the user makes an attempt
to connect to a specific computer. In the case of our library OPAC,
it is not requested at all, nor do we want it to be since library
services are used widely by the general community.

Now comes the story of an attempted computer break-in from this rather
anonymous server. When the remote computer detected a hacker making
that attempt the server could only identify that it was at UC but it
was not associated with an individual or a host computer. Needless to
say, the server is no longer in operation. We have all learned a
valuable lesson relative to library services and Internet resources.

Offering a group of specific library catalogs through the Internet
when the connection is system to system specific and the remote
library system can identify the requesting resource and where the
library offering the service has constructed it such that no general
and open TELNET prompt is given to the user, is one thing. Open
TELNET access without proper requestor identity is another.

We used to think that the hacking and danger won't happen here. We
certainly don't look at the issue with rose colored glasses any
longer.
------- End of Forwarded Message