[unisog] Slashdot's UCSB Article
Jim.Dillon at cusys.edu
Wed Oct 2 15:26:42 GMT 2002
From: Curtis Kline [mailto:ckline at housing.ucsb.edu]
Sent: Tuesday, October 01, 2002 5:32 PM
To: SANS (E-mail)
Subject: RE: [unisog] Slashdot's UCSB Article
+ It would be like an ISP running a NOS and using it to manage its
+ customers' configurations for them. Scary no matter what side of the
+ fence you look at it from. :)
[CURTIS] Therein lies the rub. I know there are schools that have
residential networking users join domains and such, but I am somewhat
surprised the student population puts up with it. As you said, if my ISP
came to me and said, "You have to join our domain and we will have domain
admin rights on your box", I would tell them they were insane.
[CURTIS] It is more like a public ISP or a 'hospitality network' (hotel)
than it is like a corporate environment or an academic network. Way, way
I think we're back to where this started. Members of our 'hospitality
network' don't play by the rules (of secure computing), and those with
certain configurations seem to cause more harm, therefore they are
disallowed. That's neither hospitable nor secure. Any group of diverse
persons who choose to interrelate must define the nature of appropriate
interrelations. To not do so is anarchy, and cannot lead to "security" as
there will be no definition of what security is. A 'hospitality network'
ceases to be hospitable without rules, enforcement, and consequences for
misbehavior. The way to accomplish that with current flawed systems appears
to be the solution you find so problematic. Ever feel you were chasing your
1. A network must serve its customers, not itself.
2. Customers must reach an agreeable state of risk control or management.
It cannot be different for everyone as there will be no solution.
3. Either the members self-govern, or they elect a governor. (e.g. an
administrator/domain?) Given diversity in objectives, risk acceptance, and
methods of individuals, self-governance hasn't proven too successful without
the election of an administrator. This does not imply that the
administrator is not subject to the members!
4. Not all customers are created equal. (University Network != 1 Student)
I don't see a solution for a 'hospitality network' that cannot recognize and
implement accordingly. I'm not saying it requires a domain management
approach, but these elements must be accounted for or I think the system
will eventually consume itself or otherwise fail to accommodate risks to its
success. Domain management is one way to do this so I wouldn't discount it
too much, despite the negative consequences.
Failure to recognize the real total cost of accomplishing this is more at
the heart of the problem than the methods employed I think. Interesting
discussion... I suppose we wouldn't be having it if it had started with a
rule to disallow Commodore Amigas (!!!) and Atari STs rather than Microsoft.
Thanks for indulging the discussion, as Curtis is right, some of us have not
engaged this problem actively yet.