Handling Campus AUP (non-)Violations?
speby asks: "I am a CS student at Northern Illinois University and I recently compiled a working peer-to-peer file web-based file indexing system. I refused to sign their agreement that says I violated their Acceptable Use Policy because I sincerely believe I did not violate them. My system scans a large portion of my school's network hosts looking for openly accessible, anonymous Windows File Shares, and bandwidth usage is minimal. The AUP does not mention scans and I did not 'break' or 'crack' security in any way. I agreed to shut the service down for a period of time until I can figure something else out. I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service. I certainly did not see anything in their terms of service that would disallow such a system. Do these other universities that allow this kind of system care? Why can this system not exist here?" I have no problem with a student being told to shut down a homebrew service if they find it offensive, but I do have a problem with them treating said students like criminals, even when they do comply with their wishes. What should students do, when they are bullied by their colleges into signing violations that are more stringent than the situation merits?
"I was contacted by the IT department after a few weeks of its public running. I did not actively promote the system. It works in ways similar to the file search engines like the ones at Iowa State University and Georgia Technical Institute. In terms of programming, this idea is so trivial anyone could do it with the help of some simple scripting and a lightweight database."
That's about the only thing in the AUP that I could see them having a problem with. Perhaps you want to show the ISU and GA search engines to them as an example of what's going on. Also, you might implement a bandwidth throttle. My 2 cents.
Overrated / Underrated : Moderation
I don't know enough about how much trouble you're facing or what options you have, but you've violated "Acceptable use of NIU information technology resources is based on common sense, common decency, and civility applied to the networked computing environment." and probably "All authorized users have the right to expect reasonable privacy with regard to all computer files and e-mail."
More importantly...
"I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service."
OK, now this is where you're being a dumbass. There are going to be plenty of idiots here telling you to keep sticking it to The Man. If you're smart, you'll do what Kevin Mitnick and Randal Schwartz wouldn't -- stop when you've been told to stop.
What I'm listening to now on Pandora...
You have to understand. College is Club Med for young people. You all are the customers. And what you all are buying can all be got for free at any good public library.
Colleges make up for this by providing all sorts of 'perks' that don't have anything to do with the service they are providing. Sports facilities, money for student associations and clubs, and a fat connection as well. They charge for these by tuition. It's a lump sum, so you can't opt-out of anything.
Since corporations are too badly mis-run to actually do real screening for ability in applicants, you need a bit of college. It's not such a bad place. Unfortunately, there are too many youngsters who are used to the authority of their parents and high school teachers. They don't understand the customer--business relationship. And college administrations take advantage of it.
So here's the solution. Like any badly run bureaucracy, the college administration will fold, give in to your demands, and bend over for you, if you give them enough grief. Don't do anything that they can kick you out for, but give them a truck-load of pain through all the official channels possible. And if you run out of official channels, make some up. Don't give up until they give you a new car and a PhD as a settlement agreement.
If you are thinking of modding this funny--don't. It's all true.
This sounds like the basic child-raising dilemma. You tell your kid what he can't do, he goes ahead and does something similar, but technically not the same. You find out about it and confront him, he says "but I didn't do that" and you say "you know what I mean" and smack him. You should have known that snooping around for Windows shares would get you in trouble sooner or later. Tell them that you didn't violate their agreement, offer to write up what you did so they can modify the agreement and promise not to do it again.
"Eve of Destruction", it's not just for old hippies anymore...
I'm a student at Georgia Tech and a heavy user of Buzzsearch. We used to have a previous system in place that was actually a resnet-created invention (browse.resnet.gatech.edu). However, with the increasing quality of buzzsearch and the aging code that powered browse.res, it was shut down and now our file-sharing is a student-run affair. Perhaps the biggest reason why our college supports this (and many others should as well IMO) is bandwidth usage. Namely, external bandwidth usage (aka, the stuff your school PAYS for). It doesn't cost anything for our school to have me send a file from me to my roommate, but it costs a recurring fee of an OC12 line to send something to my friend in New Hampshire. Realistically, you could EASILY come across to your school saying that you're saving their bandwidth costs with such a system in place. Plus, keeping it student-run will keep down on their liabilities. Oh, and you could always "lose" some logs if there's an incident :)
If I were you, I'd be fighting tooth and nail to keep that service up. You are browsing PUBLIC information. You're not exploiting some bug in an operating system. You're not spreading a virus across campus. You're simply allowing students to find the stuff they want in a faster, less costly, and more privatized manner.
Put it back up and don't stop until they pull the plug. Then bitch and moan loud enough to get them to allow you back up :)
Tim Dorr
Owner/Manager
A Small Orange
You should take a look at this line:
Unacceptable uses include, but are not limited to, the following
---
Always standing, I am a tree awaiting the lightning. -Samael, Crown
Haven't any of these students learned that the word "Peer" scares the living bejoovies out of netadmins running open networks these days? Any thought (or mention) of p2p brings to mind 100% bandwidth utilization.
Instead, call it a "Client-side SAN", or my favorite: "Internal Email Network over Windows-Induced File-Transfer-Mechanisms" (or IENWIFTM) the 'email' label gives it a friendly name.
Oh yah, and next time you get caught doing this, have your BOFH calendar handy. (This calendar gave me "Domain Controller not responding". It would have been a perfect explanation on your windows network. Tell them your proggie was actually a DC backup that kicked in and it was notifying all the windows clients that it was up.)
HURD - Hurd's Under Research & Development
Dear Slashdot,
I am a college student.
Several times a week, I walk into every office building and college dorm and attempt to open every door to see if the door is unlocked, and to see if something is inside. If the door is open, I walk in, take a picture, and catalog my findings in a MySQL database.
I don't think this is unethical, but the school admins don't like this.
I don't like being treated as a criminal. What do I do?
When dealing with the campus IT folks, just remember that those positions are generally not paid very well, which means you usually get folks there that do not fully understand technology, nor do they necessarily have a desire to.
Obviously, that's not always the case, but where I went to school, we got into trouble more than once for things that we shouldn't have. When you deal with them, just remember that they have a job to do, and frankly, what you're doing falls outside of the 99.95% of what they're used to. "Waah, my email got rejected", "Waah, there's not enough bandwidth for me to do my porn surf... Oops, I mean research"
And with all of the media attention that the RIAA and folks have brought to P2P apps, as soon as you mention that phrase it becomes a buzz phrase with a negative connotation. If you can prove what you were doing is benign, be patient and professional while you're doing it, and try to understand the situation from their perspective, you'll come out unscathed.
Good luck!
No no no ...ya'll get your mind outta the gutter now... ;)
If all your script does is comb through Windows shares, how did they decide that your application looked suspicious? They identified network patterns -- can you reproduce those network patterns by hand?
It'll take some time, but try doing what your program does by hand. Try to get some of your friends or supporters to do it also. Then, when IT complains again, you can honestly tell them that you were just browsing the Windows shares.
If they are going to allow NetBIOS traffic, what do they think you'll use it for?
10b||~10b -- aah, what a question!
It's pretty obvious as to what his program was designed to do. That is, scan for windows boxes run by not-so-smart users that didn't password protect their shares, and for him to snoop in on them.
He got caught, now he's going the righteous route to either justify what he is doing or prey on the general attitude of the ./ community to gain support.
Give me a break.
He got caught, get over it Cliff, "Being treated like criminals", my god, cry me a river.
http://www.archive.org/details/ThePowerOfNightmares
"I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service." Sorry pal, but not until you buy the bandwidth, the cable, the servers and the big Cisco box do you have the right. It's their network and they make the rules, even if it is make-it-up-as-you-go-along. Shut down your server, say you're sorry, get your degree, earn lots of money and buy your own network. Then you'll have the right to tell people what services they can run.
"Eve of Destruction", it's not just for old hippies anymore...
It sounds like you don't have a full understanding of why they are upset with the system. It could be misperception or that you're causing a problem without realizing.
I would try to work (in person) with whomever contacted you, and try to understand why this makes their life difficult, and try to address those concerns.
Without knowing why they are upset, there is little anyone on Slashdot can do to help you.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
When my friend was in residence (I was in my own house at the time), I helped him build a system very similar to the one you're describing. Exactly the same thing happened. IST found out about it, and shut it down. The reason they gave was that it was eating up internal bandwidth. When he inquired how his search system was eating up so much bandwidth, they told him it wasn't the search that was eating up bandwidth, but the fact that everyone started getting files from other people's Windows Shares all the time. Now these aren't smart users either. They'd play files directly from others' HDs, without getting a local copy first.
Bottom line is, you may think you have some kind of right to do something like this, but the service is ultimately there for educational purposes. If you can convince them that you're using the search for educational purposes, you're in the clear. Otherwise, you're probably not going to get away with this one. Searching computers for random files, not related to your education, is not acceptable use, I'm sorry to say.
"Free beer tends to lead to free speech"
My friends and I wrote something similar to this at northeastern. A few months after we first started I got a letter from our "internet security" guy. When I contacted him he said that a netbios attack on one of their computers had come from my computer. I told him what we were doing and that we were only looking at public windows shares. He said we needed permission from the owner of the computer before we could look at the computer shares. We haven't done much with it since unfortunately. However you have a good implementation over at umass. http://www.canofsleep.com What they did was have people who wanted to use the service sign up, which basically means they are giving permission to have people look at their stuff. It should be rather easy to implement and we are thinking of doing that here as well. Should make everyone happy.
this is the most important sig ever! In your face 446154!
Well, it is their network and they can do what they like on it.
However, in their AUP it has -
"Interfering with or disrupting another information technology user's work as well as the proper function of information processing and network services or equipment."
Which could nab you in the ass.
I think that they are toughening up on it because of the potential something like that could have and the fact that they don't really want something like that on the network.
Someone here at MTU runs a similar thing, I have yet to hear of s/he getting in trouble.
I scanned the ResNet here for NFS servers and haven't gotten in trouble either.
X(7): A program for managing terminal windows. See also screen(1).
...but, would your opinion about the scanning change if Microsoft was doing it? Or the college itself?
The shares are open to the network but they are not legally open to people. I left my back door open this evening when I took out the trash, but that doesn't give you a right to enter my house through that open door and rifle through my unlocked desk drawers.
Can you or anyone cite a legal precedent that states someone who has open shares on a PC in their possession retains no right to the privacy of those shares, and that that data on those shares is legally accessible by anyone who can get to it?
-- Slashdot: When Public Access TV Says "No"
Create and test your own software on an isolated network and stop using the public network for your experiments. If this is a research project, then you should be able to make a proposal and get access to such a testing environment.
If you had previously received written permission from an instructor or other university employee, then you could refer the matter to that employee. Since you proceeded to use the university's network for your own testing, you've already crossed the line and they're already suspicious of you.
Imagine it this way, if you went around to people's houses and checked for unlocked doors and then attempted to inventory the furniture in those houses, do you think the police would be forgiving?
Your computer was scanning other computers (without authorization) and probably setting off intrusion detection systems. There is nothing to differentiate your scan from any other hacking attempt, so the university's computer support staff must assume that you are trying to crack into their systems and take appropriate action.
One other thing, you will find that one of the primary concerns of any university is staying out of legal hassles whenever possible. If you do anything that could in any way possibly get them into any legal trouble, you'll end up getting shut down.
Ouch! The truth hurts!
start a pirate wireless ethernet in your dorm (i'm assuming you live in a dorm)... that'd be kind of cool, like college pirate radio.. but for warez :P
I would just sign the agreement if I were you (although I have no idea what the punishment is going to be if you do). If your network admins aren't bright enough to see what you were doing was a non-intrusive search, you're not going to be able to sweet-talk them into believing you're not "hacking" people's computers.
I wrote/administer the aforementioned search engine, Buzzsearch, at Georgia Tech. I've never had a problem with the network staff - I do everything I can to be a good campus netizen (blocking off campus searching, for example) and they don't acknowledge that I exist. But I'm definitely not doing this for my "ideals", or to "fuck the man", yadda yadda... I sure as hell wouldn't risk my degree for Buzzsearch - if OIT came knocking on my door I'd hand over my server in a second flat.
You're in a bad environment with uncool admins... deal with it and give up. It's not worth possibly fucking up your education.
It's the college's private network, not his. He uses the network because the college grants him the privilege. They can withdraw that privilege. He has no "right" to use it.
-- Slashdot: When Public Access TV Says "No"
Get a lawyer.
Is your school a state school or private?
You do have rights, and your school's objections will likely wither when they realize that you will defend yours.
And it will cost them a lot to violate your rights.
it's times like this i wish i had mod points.
I was actually starting to program a service very much like this at my college, and I stopped for two reasons: First, there were an unusual number of computers that had their hard drives shared as C, full access, no password or anything. I dunno if some local "we'll set up your internet access for you" was doing a little more than promised, or what, but they were all over the place. I didn't want to index shares that could be used maliciously. (Actually, I left notes in some of their 'desktop' folders saying how to disable the share, but there were too many to do this for all the ones I found). Also, during some early stages my program ran afoul of a router, and I got a phone call from ITS the next day. "Mess with us again, and we're pulling the plug on you".
Between those, I decided it would be best to leave off with the project.
I used to work at Ohio State University in the central IT department (provides general services to campus).
There was this guy, who was pretty smart and worked for the residential halls for a while. He knew too much for his own good because he was constantly battling the director about how she was doing things. (His way was right most of the time.) Eventually, they fired him. However, he left with a lot of good information about how the residential networks worked (specifically, in this case, he knew the DHCP IP Address ranges for at least his dorm.)
Six months later, on a Friday evening, his dorm's network went down. He deduced that their DHCP had stopped handing out IP Addresses. After calling to get the issue addressed, and being ignored, he set up his own DHCP server, restoring service to his entire dorm. He was a hero to his classmates (but I bet it still didn't get him laid... but that's another story)
The director of the residential internet services threw a raging fit and was going to bring him up on charges and have him expelled for conducting a denial of service attack. When the director of security at Ohio State Security saw it for what it was, he patted the kid on the back, said be a good boy and stop feuding with the residential director, and sent him on his merry way. No suspension, no legal charges, no nothing.
Therefore, my suggestion to you is there are a lot of whack-jobs at a University, but there are a lot of reasonable people too. Find the reasonable ones to help you out.
This isn't the sig you are looking for... Carry on...
I ran Seek42 at Northwest Missouri State last year. This system runs at University of Missouri-Rolla and the university supports it. At Northwest however, they didn't tell me to turn it off. They deactivated my port and then sent me a summons. I was charged with copyright infringement, aiding in mass copyright infringement, and running a webserver in my dorm room. After presenting my case to the board, everyone on the board was VERY interested and supported my implementation of it, but I understand they had a job to do. I was found in violation of only running a web server in my room. (Yes, I knew this was a violation before I started.) I originally started this up there as a proof-of-concept project. I just wanted to know that I could get it to work up there. They've got a crazy network anyway. In the end, I got a $50 fine and banned from network usage until Dec 30, 2002. It's not fair, but that's life I guess.
Most likely, if the student actually had the knowledge to set up a directory for sharing on the dorm network, it was INTENTIONALLY left without a password. On my dorm network freshman year, it was pretty obvious from the contents of shared directories (MP3s, video clips - No pirate movies, DivX didn't exist yet, but stuff like badday.mpg) that these were INTENDED to be public-readable within the dorm.
The one exception was that by the end of the year, many people locked it down by IP (If they could) so that people couldn't connect from outside (This was the era of Scour), or else password-protected the content, and had a public README saying, for example, "The password for this share is the name of the dormitory I am in".
The "unlocked door" analogy doesn't hold because while you can forget to lock a door (Actually, depending on the lock, this can be hard, as "locked" is the default on many modern locks, i.e. you can open it from the inside while it's locked but not from the outside. I'd say it's FAR easier to lock yourself out than it is to accidentally leave the door unlocked.), Windows *DEFAULTS TO NO SHARING* - In fact, on a default Win9x box, you have to intentionally add the MS service.
Also, you have to *specifically* choose to make it world-readable without a password.
Given the fact that it takes *intentional effort* to create a Windows SMB share without a password for read access, it can be assumed that SMB shares without a password are intentionally public. (WLANs are a different story, since unWEPed APs are factory default behavior. If WEP was default behavior, then one could safely assume that unWEPed APs were intentionally public)
retrorocket.o not found, launch anyway?
What you are suggesting easily turns a "hey stupid, stop it" into a "hey stupid, here's your box of shit now don't come back". Where I work as a sysadmin, I don't have time to deal with the problems of you port scanning, or you moaning because you don't think it's wrong. Most AUPs for campuses include something like "(We) provide service to students to further their education and research, any use beyond these provisions is subject to review and suspension.". That means if we say it is wrong, it is wrong. If you argue, then you are wrong. If you kick up too much fuss, we boot you because you are disrupting our administrative functions. Don't be stupid. I've seen it several times and I still laugh when I think back.
That would be the "Georgia Institute of Technology," otherwise known as Georgia Tech.
just before napster hit it big the only way to reliably get files was IRC, FTP's, and sometimes hotline. Then i went to school and the glory of windows file share became clear to me. I made it a habit to browse the campus network, getting tons of random stuff for users. I returned the favor by leaving my rather large connection of mp3's read only. However, I did place an .exe infected w/ BO on the share, in case anyone got too nosey.
This reminds me of my college years. When I was a senior, a few things had happened to me-- among them was learning the value of silence and respect. Maturity was not one of them.
I had this neighbor, a sophomore, who exercised his free speech rights (on private property on the campus of a private school) by putting vulgarities, profanities, artwork (I've seen similar art and links to such moderated as trolls here, to give you the idea) on his door. And, he had the idea that, as long as his door was closed, his stereo could be as loud as he wanted. The stereo at 3am on a school night was too much for me.
One day, I had suffered the last time asking him to turn his stereo down and having him turn it up another notch and ask if THAT was better. Bastard had a friend who would watch out for campus security coming over to get him to turn it down and it would be quiet 100% of the time they came by. I figured out the IP of his "stereo". With my lack of maturity, limited experience of Linux and hatred of my neighbor, I found the site www.rootprompt.org and the ability to silence my neighbor.
From then on, the only way for him to know his stereo was too loud was a BSOD. His temper tantrums were louder than the music, but for a 2 minute screaming session I would get 2 hours of silence. A while :; do loop helped me get the sleep I needed finals week.
"I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service."
It's simple. If the administration says you don't have such rights, you don't. It doesn't matter what the AUP says, it doesn't matter what you think, it doesn't matter what *anyone* thinks except those who control and administer the network and systems. If those people say you don't have the right, then you don't.
You don't own the network or the systems you're accessing. You don't have *any* "rights" on the network or systems except those that are explicitly given to you. And what rights you have can be taken away.
If it's a useful and legal tool, then make your case -- prove that it *is* both legal and useful. Prove that it doesn't use significant amounts of bandwidth, and that it is unlikely to ever use significant amounts of bandwidth. If you can't make a convincing argument that your tool is worth allowing, maybe it's really not all that useful anyway.
Sean.
I'm a CS student at Northern Illinois University, and someone has been constantly scanning my computer's hard drive over the network without my permission. What can I do about this?
Their network, they rule. You were responsible and took it off when asked, so you don't deserve any punishment. And if this project is part of your studies, then obviously they have to expect that if you make something that is network oriented, you're gonna use the college LAN to test it. That's what a college is there for. So as things stand, IMHO, things are all square. So I wouldn't sign the AUP thingy either.
This is a lot like the store I work at saying "Arriving for work under the influence of illegal drugs or alcohol shall constitute gross misconduct" then making me work New Year's Day.
Ali.
Ph33r m3!!!
http://mvs.cso.niu.edu
CSCI 360 kids will love you.
First off, if they tell you to knock it off, just knock it off. They rule the network so they set the rules, fair or not. (I don't think it is fair, but since I don't know the _exact_ situation I won't argue for it.)
More importantly, since they want you to sign something, write up a nice document saying what you did, and asserting that you will not continue to do so, and sign it. See if this will suffice. If you honestly don't believe that you violated their AUP, don't sign anything that says you did, but at least concede this much. I'm not sure why they would insist on your signing that particular document, but what they really probably want is a "confession" of some sort.
FYI, ISU's StrangeSearch is barely tolerated. "Services" like this leave people vulnerable who don't know better. If it becomes a problem, it will be blocked, no doubt.
It's their hardware. Their software. Their electricity. If they tell you to stop, stop !
Yeah right...
he should be expelled (and shot) for even using MySQL in the first place
If you hate MySQL so much, why are you posting to a site that uses it?
Will I retire or break 10K?
As cited in the article, Tech did have a system like yours, but it was recently troubled by our Office of Information Technology for being "an unauthorized use of the Georgia Tech computer infrastructure and the use of the Georgia Tech's trademark "Buzz"." It's currently shut down as the owner tries to resolve things with OIT. So now we have to go back to Kazaa and the others and wait for hours instead of minutes to watch a movie. The network is having issues again, too, because of the extra time and bandwidth people are using to download from external sources.
Lamer.