Handling Campus AUP (non-)Violations?

speby asks: "I am a CS student at Northern Illinois University and I recently compiled a working peer-to-peer file web-based file indexing system. I refused to sign their agreement that says I violated their Acceptable Use Policy because I sincerely believe I did not violate them. My system scans a large portion of my school's network hosts looking for openly accessible, anonymous Windows File Shares, and bandwidth usage is minimal. The AUP does not mention scans and I did not 'break' or 'crack' security in any way. I agreed to shut the service down for a period of time until I can figure something else out. I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service. I certainly did not see anything in their terms of service that would disallow such a system. Do these other universities that allow this kind of system care? Why can this system not exist here?" I have no problem with a student being told to shut down a homebrew service if they find it offensive, but I do have a problem with them treating said students like criminals, even when they do comply with their wishes. What should students do, when they are bullied by their colleges into signing violations that are more stringent than the situation merits?

"I was contacted by the IT department after a few weeks of its public running. I did not actively promote the system. It works in ways similar to the file search engines like the ones at Iowa State University and Georgia Technical Institute. In terms of programming, this idea is so trivial anyone could do it with the help of some simple scripting and a lightweight database."

excessive data storage or network bandwidth

[mhesseltine]

That's about the only thing in the AUP that I could see them having a problem with. Perhaps you want to show the ISU and GA search engines to them as an example of what's going on. Also, you might implement a bandwidth throttle. My 2 cents.

Did this at northeaster, briefly

[f0rtytw0]

My friends and I wrote something similar to this at northeastern. A few months after we first started I got a letter from our "internet security" guy. When I contacted him he said that a netbios attack on one of ther computers had come from my computer. I told him what we were doing and that we were only looking at public windows shares. He said we needed permission from the owner of the computer before we could look at the computer shares. We havn't done much with it since unfortunately. However you have a good implementation over at umass. http://www.canofsleep.com What they did was have people who wanted to use the service sign up, which basically means they are giving permission to have people look at their stuff. It should be rather easy to implement and we are thinking of doing that here as well. Should make everyone happy.

Unfortunately, you're basically screwed

[nutsack]

I would just sign the agreement if I were you (although I have no idea what the punishment is going to be if you do). If your network admins aren't bright enough to see what you were doing was a non-intrusive search, you're not going to be able to sweet-talk them into believing you're not "hacking" people's computers.

I wrote/administer the aformentioned search engine, Buzzsearch, at Georgia Tech. I've never had a problem with the network staff - I do everything I can to be a good campus netizen (blocking off campus searching, for example) and they don't acknowledge that I exist. But I'm definitely not doing this for my "ideals", or to "fuck the man", yadda yadda... I sure as hell wouldn't risk my degree for Buzzsearch - if OIT came knocking on my door I'd hand over my server in a second flat.

You're in a bad environment with uncool admins... deal with it and give up. It's not worth possibly fucking up your education.

Similar idea

[LastToKnow]

I was actually starting to program a service very much like this at my college, and I stopped for two reasons: First, there were an unusual number of computers that had their hard drives shared as C, full access, no password or anything. I dunno if some local "we'll set up your internet access for you" was doing a little more than promised, or what, but they were all over the place. I didn't want to index shares that could be used maliciously. (Actually, I left notes in some of their 'desktop' folders saying how to disable the share, but there were too many to do this for all the ones I found). Also, during some early stages my program ran afoul of a router, and I got a phone call from ITS the next day. "Mess with us again, and we're pulling the plug on you".

Between those, I decided it would be best to leave off with the project.

Had similar case

[kalvyn]

I ran Seek42 at Northwest Missouri State last year. This system runs at University of Missouri-Rolla and the university supports it. At Northwest however, they didn't tell me to turn it off. They deactivated my port and then sent me a summons. I was charged with copyright infringement, aiding in mass copyright infringement, and running a webserver in my dorm room. After presenting my case to the board, everyone on the board was VERY interested and supported my implementation of it, but I understand they had a job to do. I was found in violation of only running a web server in my room. (Yes, I knew this was a violation before I started I originally started this up there as a proof-of-concept project. I just wanted to know that I could get it to work up there. They've got a crazy network anyway. In the end, I got a $50 fine and banned from network usage until Dec 30, 2002. It's not fair, but that's life I guess.