QuoteUnless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic -- and a great many universities do not -- that Web server is going to be visible and accessible by anyone with a Web browser. But wait, you say: Wouldn't someone need to know the domain name or Internet address of the Web server that's running the toolkit? Yes. However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server. But surely there are ways a network administrator might keep this information from being available to the entire Web, right? Yes. The toolkit allows an administrator to require a username and password for access to the Web server. The problem is that the person responsible for running the toolkit is never prompted to create a username and password. What's more, while Apache includes a feature that can record when an outsider views the site, that logging is turned off by default in the MPAA's University Toolkit.