[Dshield] "Academic Freedom" vs Computer Security

Alex Campoe campoe at usf.edu
Sat Feb 14 02:59:25 GMT 2004


Security in the educational environment is a balancing act, and the 
larger the University, the more difficult it is to maintain that balance.

Here at South Florida we have 6,600 employees, or 50+ different 
departments, just as many individual tech support entities. We have 
students with XBoxes, PDAs, running everything from Win98 to Linux, 
88,000 email accounts, 5,000 dorm users, wireless network throughout 
campus, ONE abuse address. Most of the 'security personnel' also 
double up as help desk, systems administrator, policy maker, defender of 
the peace. This is not an uncommon scenario.

So, we are all overworked and underpaid. So what? Some University 
personnel may be forced to prioritize and, honestly, fixing the Dean's 
laptop sometimes may take precedence over closing a relay. Other times 
it may be difficult to track down the offending IP, since some 
departments run their own DHCP servers.

Now, having given the possible excuses for a certain delay in taking 
action, I personally believe there is NO excuse for not taking action at 
all. Here at USF we have a policy. It was not easy to put this in place, 
mind you. Everyone wants to be king of their own domain, but everyone 
agreed that it was for the common good. If I receive a report that is 
serious enough to threaten the well-being of the network, such as Nachi, 
Blaster, etc, that machine is out of here immediately. If the issue is 
not severe, like a misconfigured open relay, the local admin has 72 
hours to take care of the problem where we pull the plug.

Where does Academic Freedom come into the scene? Well, with the exception 
of areas of the campus where legislation imposes more limits (HIPAA, 
GLB, FERPA), faculty are pretty much free to run anything on their 
machines as long as it does not create a problem for the network and it 
does not break any laws. Do we require faculty to load AV on their 
machines? No, not really, but we STRONGLY suggest they do. If they don't 
do it and someone reports that their machine is infected with a spammer 
virus, that faculty member will quickly find out their network 
connection is no longer there. The same applies for critical patches.

Most of the Universities I have contact with are very responsive to 
security issues. They run IDS, some have firewalls. Most have some sort 
of site license for AV software, which includes permission for home use. 
After Blaster, Nachi, MyDoom, Universities without a similar response, 
including those who hide their inactivity behind "academic freedom," 
are sure to change their minds when the computing infrastructure is 
brought down to its knees.

Alex Campoe

Jon R. Kibler wrote:
> Hello all,
> I have been debating for weeks whether to post this question or not. I can see where this topic 
> could easily start a flame war and I beg whoever is moderating this list to reject any inflammatory
> posts to this thread. I know that this is a REAL touchy subject... and that is why I would like to
> get other opinions on how to handle it.
> Background: Probably 80% (give or take a few %) of the spam attempts we see that originate from 
> academic institutions, originate from less than a half-dozen sources (unrelated to our IPs, geographic
> region, etc.). Several of these institutions do not even have working abuse email addresses. We have 
> attempted to contact all of them by telephone to discuss the problem. A couple of them will not even
> accept outside calls regarding abuse complaints. When I have been able to actually talk to someone,
> the response is almost universal: "We can't tell our students and staff that they cannot run open
> proxy servers (etc.) because it would be an infringement of their academic freedom." One school (who
> knowingly runs an open relay mailer) also stated that even suggesting that students and staff use
> AV software was an infringement of "academic freedom."
> So here is my question: How does practicing basic computer security infringe on academic freedom?
> Also, I am looking for suggestions on the proper (civil) way to discuss this issue. 
> Two other comments: 
>   1) We are just about to the point of blocking these institutions at our border router as a way 
>      of solving this problem. However, I can envision this creating a whole other set of problems.
>   2) Yes, when looking at the big picture, academic institutions are but a relatively small source
>      of insecure, spammer infected systems. That is not the real issue here. With the exception of
>      2 or 3 ISPs, everyone else takes immediate action when you notify them of an infected system.
>      The problem I am having is the use of "academic freedom" as an excuse for lax computer security.
> Bottom line request: Would someone from the academic world please explain the "Academic Freedom" 
> issue and why it can be viewed as superseding common sense computer security?
> I hope this posting did not step on too many toes... I apologize in advance if it did.

J. Alex Campoe
Associate Director, Systems Group and Data Security Administrator
Academic Computing, University of South Florida
Phone: (813) 974-1796
