[ww-devel] [rt.webwork.maa.org #9598] Question Regarding My Webwork HW, including my entire name and college being posted to the internet without my permission
Nathan Wallach
taniwallach at gmail.com
Sun Feb 9 17:06:00 EST 2020
1. "We" actually just leaked this person's name + email address + some of
his personal situation (from the request) not only to the recipients of
this list but via the public archive at:
http://webwork.maa.org/pipermail/webwork-devel/ . I edited the older mails
below so this message does not repeat that. Can someone manually edit the
email archive to clean up the prior posts?
2. I think that Arnie's idea may be a very good thing to consider - as we
want WeBWorK to be compliant with the best practices of protecting personal
information, so files which are intended to include such information should
not be created as publicly available files even if hidden away under some
random looking paths, if at all possible.
Overall, AFAIK, most supporting material (images - standard or custom, CSS
files, JavaScript files) served as static content (at least once generated)
is not going to contain any PII (personally identifiable information),
while most WeBWorK pages which do contain PII are dynamically generated for
a logged in user.
The obvious exception (not that someone pointed a finger at it) seems to be
the "hardcopy" files.
At least one type of "specially generated files" - scoring files - seems to
be available only to a logged in user. Ex: In order to download the CSV
grading file I see a link like:
https://hostname.domain/webwork2/courseID/instructor/scoringDownload/?user=username&key=session_key&getFile=courseID_totals.csv&effectiveUser=username
and the CSV file itself is not under htdocs/tmp but instead
under courses/courseID/scoring/ so does not seem to be something which can
be served without being authenticated and authorized by the WW code.
The processing seems to be handled
by lib/WeBWorK/ContentGenerator/Instructor/ScoringDownload.pm which is
activated by suitable code in lib/WeBWorK/URLPath.pm.
I suspect that a similar approach would provide a more secure means of
distributing the PDF files, at the expense of needing to manage a new
location for temporary files which should be periodically cleaned out and
otherwise managed, and the expense of needing to have the WW code (and
not lighttpd) serve them.
What do other people think?
Tani
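
A minimal sketch of the pattern proposed in the message above, added here as an illustration and not WeBWorK code (WeBWorK itself is Perl): generated hardcopy PDFs live in a private directory outside the web root, are returned only after the session key is checked against the requesting user, and stop being served after a fixed age. The class, its method names and the `MAX_AGE` value are hypothetical.

```python
import time
from pathlib import Path

MAX_AGE = 3600  # assumed lifetime (seconds) of a generated hardcopy


class HardcopyStore:
    """Hypothetical private store for per-user PDFs, kept outside htdocs/."""

    def __init__(self, root, sessions):
        self.root = Path(root).resolve()   # e.g. a directory beside courses/, not under htdocs/tmp
        self.sessions = sessions           # session_key -> authenticated user name

    def save(self, course, user, name, data):
        d = self.root / course / user
        d.mkdir(parents=True, exist_ok=True, mode=0o700)
        (d / name).write_bytes(data)

    def fetch(self, course, user, key, name, now=None):
        """Return the PDF bytes, or raise PermissionError / FileNotFoundError."""
        # 1. The session key must belong to the user named in the request.
        if key not in self.sessions or self.sessions[key] != user:
            raise PermissionError("session key does not match user")
        # 2. The requested file must resolve inside this user's own directory,
        #    so a getFile value such as "../other/set1.pdf" is refused.
        base = (self.root / course / user).resolve()
        path = (base / name).resolve()
        if self.root not in base.parents or base not in path.parents:
            raise PermissionError("path escapes the user's hardcopy directory")
        if not path.is_file():
            raise FileNotFoundError(name)
        # 3. Expired files are never served, even if cleanup has not run yet.
        if (now or time.time()) - path.stat().st_mtime > MAX_AGE:
            raise FileNotFoundError(name)
        return path.read_bytes()

    def purge(self, now=None):
        """Delete expired PDFs; intended to be called from a periodic job."""
        now = now or time.time()
        removed = 0
        for p in self.root.rglob("*.pdf"):
            if now - p.stat().st_mtime > MAX_AGE:
                p.unlink()
                removed += 1
        return removed
```

Because the expiry check sits in `fetch`, a missed cleanup run leaves stale files on disk but does not leave them downloadable.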
On Sun, Feb 9, 2020 at 9:54 PM Arnold Pizer <apizer at math.rochester.edu>
wrote:
> Also maybe there is a more secure way to serve PDF files than we are doing.
>
> Arnie
>
> On Sat, Feb 8, 2020, 8:48 PM mgage <gage at math.rochester.edu> wrote:
>
>> This was on a TTU server. And I expect you are right Arnie about the set
>> up.
>> Perhaps we should recommend a no-robots file as well.
>>
>> Take care,
>>
>> Mike
>>
>> On Feb 8, 2020, at 10:19 PM, Arnold Pizer <apizer at math.rochester.edu>
>> wrote:
>>
>> Hi,
>>
>> I assume when the new server was set up, cron jobs to remove temporary
>> files were not set up. See
>> "Using Cron Jobs to remove temporary files" in
>> http://webwork.maa.org/wiki/Clean_Out_Temporary_Files
>>
>> Arnie
>>
>> On Sat, Feb 8, 2020 at 11:45 AM mgage <gage at math.rochester.edu> wrote:
>>
>>> Hi Michael,
>>>
>>> Who is keeping track of notices like the one below at MAA? In my opinion
>>> this is part of customer service. Were you aware of the notice?
>>> This message at least deserves investigation and a response.
>>>
>>> Longer term issue, you were going to send me a link to who ever at MAA
>>> is overseeing customer
>>> relations vis-a-vis webwork hosting so that we can start coordinating
>>> the handling of issues such as this one.
>>>
>>>
>>>
>>> Take care,
>>>
>>> Mike
>>>
>>>
>>> Begin forwarded message:
>>>
>>> *From: *"NAME REMOVED via RT" <rt at webwork.maa.org>
>>> *Subject: **[rt.webwork.maa.org #9598] Question Regarding My Webwork HW,
>>> including my entire name and college being posted to the internet without
>>> my permission *
>>> *Date: *February 5, 2020 at 11:18:17 PM EST
>>> *Reply-To: *"rt at webwork.maa.org" <rt at webwork.maa.org>
>>>
>>>
>>> Wed Feb 05 23:18:16 2020: Request 9598 was acted upon.
>>> Transaction: Ticket created by EMAIL ADDRESS REMOVED
>>> Queue: General
>>> Subject: Question Regarding My Webwork HW, including my entire name
>>> and college being posted to the internet without my permission
>>> Owner: Nobody
>>> Requestors: EMAIL ADDRESS REMOVED
>>> Status: new
>>> Ticket <URL: http://rt.webwork.maa.org/Ticket/Display.html?id=9598 >
>>>
>>>
>>> Hello,
>>>
>>> TEXT DELETED I was on google and shocked that Webwork homework
>>> assignments I saved to my personal computer appeared in a PUBLIC google
>>> search. I am flabbergasted and I have no idea how to remove them. TEXT
>>> REMOVED What can be done to remove them from Google?
>>>
>>>
>>> Thank you,
>>> NAME REMOVED
>>>
>>>
>>> _______________________________________________
>>> webwork-devel mailing list
>>> webwork-devel at webwork.maa.org
>>>
>>> http://webwork.maa.org/mailman/listinfo/webwork-devel
>>>
>>
>>
>> --
>> Prof. Arnold K. Pizer
>> Dept. of Mathematics
>> University of Rochester
>> Rochester, NY 14627
>> (585) 766-8812