Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling Campus AUP (non-)Violations?

Posted by Cliff on from the there-was-a-time-when-colleges-were-for-learning dept.

speby asks: "I am a CS student at Northern Illinois University and I recently compiled a working peer-to-peer file web-based file indexing system. I refused to sign their agreement that says I violated their Acceptable Use Policy because I sincerely believe I did not violate them. My system scans a large portion of my school's network hosts looking for openly accessible, anonymous Windows File Shares, and bandwidth usage is minimal. The AUP does not mention scans and I did not 'break' or 'crack' security in any way. I agreed to shut the service down for a period of time until I can figure something else out. I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service. I certainly did not see anything in their terms of service that would disallow such a system. Do these other universities that allow this kind of system care? Why can this system not exist here?" I have no problem with a student being told to shut down a homebrew service if they find it offensive, but I do have a problem with them treating said students like criminals, even when they do comply with their wishes. What should students do, when they are bullied by their colleges into signing violations that are more stringent than the situation merits?

"I was contacted by the IT department after a few weeks of its public running. I did not actively promote the system. It works in ways similar to the file search engines like the ones at Iowa State University and Georgia Technical Institute. In terms of programming, this idea is so trivial anyone could do it with the help of some simple scripting and a lightweight database."

25 of 134 comments (clear)

  1. Welcome to the real world... by Otter · · Score: 5, Insightful
    Sorry, but this isn't the sort of thing admins like, and it's not the sort of thing you can get away with. Just because you have read access to something doesn't mean you ought to be using it and certainly doesn't mean you'll be looked upon favorably if you write a tool to do it on a large scale.

    I don't know enough about how much trouble you're facing or what options you have, but you've violated Acceptable use of NIU information technology resources is based on common sense, common decency, and civility applied to the networked computing environment. and probably All authorized users have the right to expect reasonable privacy with regard to all computer files and e-mail.

    More importantly...

    I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service.

    OK, now this is where you're being a dumbass. There are going to be plenty of idiots here telling you to keep sticking it to The Man. If you're smart, you'll do what Kevin Mitnick and Randal Schwartz wouldn't -- stop when you've been told to stop.

    --
    What I'm listening to now on Pandora...
    1. Re:Welcome to the real world... by rtaylor · · Score: 4, Insightful

      Unsure where you are, but if you leave your blinds open you can expect to have zero privacy. Neighbours and others are well within their right to watch and record anything you do within your home.

      If you close your blinds, you can expect privacy. This is law enforcement authorities require a warrant for microwave or infrared monitoring, but standard video cameras don't. The general public can't see what you would be doing, so under general circumstances neither than the authorities.

      Now.. If you leave your computer open with full read access, I'd say you forgot to shut the blinds and can expect the privacy that goes along with it. Reading your email at a public terminal certainly doesn't grant you rights to privacy. You've used absolutly no precautionary rights.

      Bandwidth and sales (or general broadcasting) of such material may have cases, but the fact you were allowed to read the data means you're allowed to read the data.

      In summary, don't read those all important and secret corporate financial reports on a crowded subway. Those are you have the right to read them as well, regardless of whether you consider it rude to read over anothers shoulder.

      --
      Rod Taylor
    2. Re:Welcome to the real world... by MrResistor · · Score: 3, Insightful

      Just because you have read access to something doesn't mean you ought to be using it and certainly doesn't mean you'll be looked upon favorably if you write a tool to do it on a large scale.

      Read the article again, because you obviously missed some important parts. All he did was scan for open shares, he did not exploit or violate them in any way.

      Had he actually violated anyones privacy or trespassed on their systems I would agree with you. But just scanning? Unless scanning is srictly against the AUP, he didn't violate a damned thing and he is completely in the right.

      Or perhaps you are suggesting it is illegal for me to walk down the street and notice that someones door is open? If that's not illegal in the real world there's no reason it should be illegal in the electronic one.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    3. Re:Welcome to the real world... by Otter · · Score: 4, Insightful
      Oh, yeah. I forgot to tell him to ignore all the people who are going to be coming up with analogies about open blinds and unlocked doors and assuring him that he's fine.

      You and MrResistor are perfect examples of the advice I'm warning him against. Of course I understand why he doesn't think he did anything wrong. And I'm not arguing the right or wrong of it, although it's not clear to me if his "web-based" system involved redistributing those files publically, which I would say is wrong. But, anyway, I'm not arguing the right or wrong of it but rather explaining to him that he's going to get in trouble for it. Life isn't a programming contest, and cleverness doesn't carry the day. He can either follow the accepted norms of behavior on his network, or he can keep courting trouble, get bounced out of school and have the consolation of knowing that you said he's in the right.

      Go look in your neighbors windows and see how your justifications go over with them.

      (*Woohoo, my 700th post!*)

      --
      What I'm listening to now on Pandora...
    4. Re:Welcome to the real world... by toast0 · · Score: 3, Insightful

      By allowing a user to login w/out a password, the server has authorized the client to use its services. Further more, I would argue that by responding to connection requests, the servers have authorized the client to connect and attempt further authentication. Ater all, it is fairly trivial with most recent operating systems (OS X, many flavors of unix, windows 2000, and windows xp) to firewall ports to remove access from groups of ips that are 'unauthorized' to connect.

      I understand what you're saying, but I still think that that if the university or individuals have a problem with the search engine, they should focus on educating windows users on the basics of filesharing, and secure passwords.

      For instance, if everybody set a secure password for their administrator accounts (on NT based systems), and made sure to share everything with a password, then his search engine wouldn't do any damage.

      --
      Need a Catering Connection
    5. Re:Welcome to the real world... by Twirlip+of+the+Mists · · Score: 3, Insightful

      By allowing a user to login w/out a password, the server has authorized the client to use its services.

      That's exactly like saying that by leaving my back door unlocked, I've authorized the psycho down the block to come in to my house. It just doesn't hold water to me.

      Further more, I would argue that by responding to connection requests, the servers have authorized the client to connect and attempt further authentication.

      Ye-es... I would agree that the fact that I have a door means people are welcome to knock... to the extent that they don't make a nuisance of themselves. I'll buy this one.

      After all, it is fairly trivial with most recent operating systems to firewall ports to remove access from groups of IPs that are 'unauthorized" to connect.

      I think your definition of "fairly trivial" could use some revising. Yes, it's trivial to me and to you, but it's not at all trivial to the sociology major two dorms over who bought her computer to write her senior thesis.

      Besides, I have to go back to my analogy. Just because it's trivial to lock your door doesn't mean that the law requires it before offering you protection from illegal trespass.

      For instance, if everybody set a secure password for their administrator accounts (on NT based systems), and made sure to share everything with a password, then his search engine wouldn't do any damage.

      You're assuming that the school's only justification for prohibiting the kid's activity is the potential for damage. That doesn't necessarily have to be the case. If we were talking about a truly public network, then an argument based around the potential for harm (or the absence thereof) might make sense. But this is a private network. The school can revoke a student's access for any reason at all, with or without due process. So I don't think saying that the software wouldn't do any harm really makes a difference to anybody in this situation.

      --

      I write in my journal
    6. Re:Welcome to the real world... by walt-sjc · · Score: 4, Insightful

      Possibly you are taking analogies too far. If you scanned a computer and found open services, you must get authorization from the computer OWNER. The computer itself doesn't know who the hell you are, or whether you REALLY should be there or not. It's just following it's pre-programed tasks.

      But if we want to continue this analogy, even with all it's flaws, it needs to be thought as a conversation.

      Scanner: Knock Knock.
      Computer: Hi.
      Scanner: I'm comming in.
      Computer: OK. I assume you are authorized since you wouldn't just barge in if you wern't, and I have not been instructed on who is authorized and who is not.
      Scanner: Ahh. I see you have some nice files in here.
      Computer: Yes. I have files.
      Scanner: I'm copying them.
      Computer: Whatever.

      There is no "automated system" that invites you in. You have to turn the knob and open the door, step in, and do shit. It's a standard request / response protocol. If you don't make the request, you don't get a response.

      The basic reasoning flaw or morals problem you and some other seem to have is that you have default permission to go into any computer you want regardless of the owners wishes. Most computer users don't understand security. Period. They don't even know that their computer is wide open. Most users also don't want random unknown people plowing throught their files.

      Shit man, it's the stuff they teach you in pre-school. Be nice to others, don't take their stuff, if you want to play with someone elses toys you NEED TO ASK FIRST. Oh, and that't the PERSON you ask, not the TOY.

      You can't equate web searching (like google) to file share searching. When you put something on the web, you are usually publishing for others. File shares however are frequently enabled automagically by pooly designed and configured OS's. They are RARELY setup for the INTENT of general public access.

      The "intent" is everything.

      Does this help?

  2. College by Henry+V+.009 · · Score: 4, Insightful

    You have to understand. College is Club Med for young people. You all are the customers. And what you all are buying can all be got for free at any good public library.

    Colleges make up for this by providing all sorts of 'perks' that don't have anything to do with the service they are providing. Sports facillities, money for student associations and clubs, and a fat connection as well. They charge for these by tuition. It's a lump sum, so you can't opt-out of anything.

    Since corporations are too badly mis-run to actually do real screening for ability in applicants, you need a bit of college. It's not such a bad place. Unfortunately, there are too many youngsters who are used to the authority of their parents and high school teachers. They don't understand the customer--business relationship. And college administrations take advantage of it.

    So here's the solution. Like any badly run buearacracy, the college administration will fold, give in to your demands, and bend over for you, if you give them enough grief. Don't do anything that they can kick you out for, but give them a truck-load of pain through all the official channels possible. And if you run out of official channels, make some up. Don't give up until they give you a new car and a Phd as a settlement agreement.

    If you are thinking of modding this funny--don't. It's all true.

    1. Re:College by anthony_dipierro · · Score: 2, Insightful

      And what you all are buying can all be got for free at any good public library.

      A degree?

    2. Re:College by wdr1 · · Score: 4, Insightful

      Clearly you didn't do your homework before going to whatever party school you ended up choosing.

      Don't listen to this guy. It's not the truth. Far from it. Of course, there are party schools out there. I'm not denying that. But to go to a party school and be surprised you're really not learning anything & it's basically a club med... well, let's just say perhaps it's best you didn't go to a higher caliber school after all.

      There are quite a few schools, however, that challenge you. Raise your critical thinking skills. Teach you how to learn. Interact with experts. Help you grow. Looking back, while some of the most valuable lessons I learned where from books, a significant portion came from reading something like the Apology with a peer group at the same time and discuss it's ideas. To work all night in group trying to write an AI simulator for the brain of ant on a beach shore.

      Yes, you can learn from books. I love books. But a lot of the books you seem to be referring to can teach you nothing more than facts. In fact, a lot of good schools don't even waste time teaching you what you can get from a book. Go read & come back is usually the attitude. Oddly enough, despite being a CS major, I never took an introduction to Lisp, C, etc course. First day of my data structures class our processor announced all our homework would be in C. He understood none of us probably knew it, this was an intro course, gave us a few books titles, and told us to get cracking. The first homework assignment, in C, was due in a week.

      When I look to hire people, I don't really care what facts they know, how well they know C, etc. You can teach a monkey C. It's a lot harder to teach people how to think, analyze, adapt, and overcome.

      Then again, maybe I'm biased. After all, my school was chosen last, at 300, in terms of party schools. ;-)

      My two cents,
      -Bill

      --
      SlashSig Karma: Excellent (mostly affected by moderatio
  3. You know what I mean by HotNeedleOfInquiry · · Score: 2, Insightful

    This sounds like the basic child-raising dilema. You tell you kid what he can't do, he goes ahead and does something similar, but technically not the same. You find out about it and confront him, he says "but I didn't do that" and you say "you know what I mean" and smack him. You should have known that snooping around for Windows shares would get you in trouble sooner or later. Tell them that you didn't violate their agreement, offer to write up what you did so they can modify the agreement and promise not to do it again.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  4. College network vs College dorms... by Anonymous Coward · · Score: 5, Insightful

    Dear Slashdot,

    I am a college student.

    Several time a week, I walk into every office building and college dorm and attempt to open every door to see if the door is unlocked, and to see if something is inside. If the door is open, I walk in, take a picture, and catalog my findings in an MySQL database.

    I don't think this is unethical, but the school admins don't like this.

    I don't like being treated as a criminal. What do I do?

    1. Re:College network vs College dorms... by Anonymous Coward · · Score: 1, Insightful

      Dear Ask Slashdot,

      I'm a college student who thinks he knows it all and I run a program I wrote on the campus network that the admins don't like. Rather than take the (small) telling off and move onto other things I decide (Like most students) to make an issue of the entire thing.

      I'm really cocky. I'm *always* right and I can't understand why my snooping might not be liked. I'm also a pedantic tit who plays the letter of the rules rather than the spirit to suit my own ends.

      ---------------

      The above is true. Maybe not for this guy but for lots of students like him. I'm an admin at a university and we see a lot of this sort of thing. I don't care what the guy's intentions were. If he was trawling around my network like that I'd nail his arse to the wall. God only knows what v2.0 of the software would do.

      Oh and btw. Before anyone tells me to get my security sorted out so that the shares aren't open you're talking to the wrong admin. I'm a Unix admin. You want the idiot (PC) team.

  5. Come on... by dpete4552 · · Score: 2, Insightful

    It's pretty obvious as to what his program was designed to do. That is, scan for windows boxes ran by not-so-smart users that didn't password protect their shares, and for him to snoop in on them.

    He got caught, now he's going the rightous route to either justify what he is doing or pray on the general additude of the ./ community to gain support.

    Give me a break.

    He got caught, get over it Cliff, "Being treated like criminals", my god, cry me a river.

    --
    http://www.archive.org/details/ThePowerOfNightmares
  6. Umm, no. by HotNeedleOfInquiry · · Score: 5, Insightful

    "I do not agree with their stance on this issue and I believe I have a right to design, implement, and make available such a service." Sorry pal, but not until you buy the bandwidth, the cable, the servers and the big Cisco box do you have the right. It's their network and they make the rules, even if it is make-it-up-as-you-go-along. Shut down your server, say you're sorry, get your degree, earn lots of money and buy your own network. Then you'll have the right to tell people what services they can run.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Umm, no. by Raiford · · Score: 3, Insightful
      The property right is more like a lease on an apartment. You can use it and furnish it, but you can't just go and paint the walls bright red if the apartment owners say renters can't paint the walls

      --
      "player 4 hit player 1 with 0 stroms"
  7. Why are you asking us and not them? by wdr1 · · Score: 3, Insightful

    It sounds like you don't have a full understanding of why they are upset with the system. It could be misperception or that you're causing a problem without realizing.

    I would try to work (in person) with whomever contacted you, and try to understand why this makes their life difficult, and try to address though concerns.

    Without knowing why they are upset, there is little anyone on Slashdot can do to help you.

    -Bill

    --
    SlashSig Karma: Excellent (mostly affected by moderatio
  8. Been there, done that.... by egerlach · · Score: 4, Insightful

    When my friend was in residence (I was in my own house at the time), I helped him build a system very similar to the one you're describing. Exactly the same thing happened. IST found out about it, and shut it down. The reason they gave was that it was eating up internal bandwidth. When he inquired how his search system was eating up so much bandwidth, they told him it wasn't the search that was eating up bacndwidth, but the fact that everyone started getting files from other people's Windows Shares all the time. Now these aren't smart users either. They'd play files directly form others' HD's, without getting a local copy first.

    Bottom line is, you may think you have some kind of right to do something like this, but the service is ultimately there for educational purposes. If you can convince them that you're using the search for educational purposes, you're in the clear. Otherwise, you're probably not going to get away with this one. Searching computers for random files, not related to your education, is not acceptable use, I'm sorry to say.

    --

    "Free beer tends to lead to free speech"
    1. Re:Been there, done that.... by DavidTC · · Score: 2, Insightful
      I don't know what's going on in your school, but at SPSU, the internal network was paid for by the housing authority, which is completely paid for by the student living there.

      The college had no more right to demand that it was only used for educational purposes than they'd have the right to demand that your room was only used for educational purposes. Now, basic sanity rules are good, just like the 'can't have loud music at all hours' rule. But that is more like a housing covenant than university rules.

      Now, internet access, on the other hand, is iffy by default, because it's not entirely paid for by the students living there. But the internal network is, and not really the university's business.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  9. Re:Did this at northeaster, briefly by PianoComp81 · · Score: 3, Insightful

    Since when do you have to have permission to browse public windows shares? The entire point of having them public (i.e., no password), is so you can do it with OUT permission. Sharing files publicly is the same thing as running a web server: anyone is able to access it, and they don't have to ask your permission to do so.

  10. Not To Butt In... by reallocate · · Score: 3, Insightful

    ...but, would your opinion about the scanning change if Microsoft was doing it? Or the college itself?

    The shares are open to the network but they are not legally open to people. I left my back door open this evening when I took out the trash, but that doesn't give you a right to enter my house through that open door and rifle through my unlocked desk drawers.

    Can you or anyone cite a legal precedent that states someone who has open shares on a PC in their possession retains no right to the privacy of those shares, and that that data on those shares is legally accessible by anyone who can get to it?

    --
    -- Slashdot: When Public Access TV Says "No"
  11. It is quite simple by yancey · · Score: 2, Insightful


    Create and test your own software on an isolated network and stop using the public network for your experiments. If this is a research project, then you should be able to make a proposal and get access to such a testing environment.

    If you had previously received written permission from an instructor or other university employee, then you could refer the matter to that employee. Since you proceeded to use the university's network for you own testing, you've already crossed the line and they're already suspicious of you.

    Imagine it this way, if you went around to people's houses and checked for unlocked doors and then attempted to inventory the furniture in those houses, do you think the police would be forgiving?

    Your computer was scanning other computers (without authorization) and probably setting off intrustion detection systems. There is nothing to differenticate your scan from any other hacking attempt, so the university's computer support staff must assume that you are trying to crack into their systems and take appropriate action.

    One other thing, you will find that one of the primary concerns of any university is staying out of legal hassles whenever possible. If you do anything that could in any way possibly get them into any legal trouble, you'll end up getting shut down.

    --
    Ouch! The truth hurts!
  12. He Uses The Nework at the College's Pleasure by reallocate · · Score: 3, Insightful

    It's the college's private network, not his. He uses the network because the college grants him the privilege. They can withdraw that privilege. He has no "right" to use it.

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:He Uses The Nework at the College's Pleasure by reallocate · · Score: 3, Insightful

      Paying someone for services provided does not give you rights to their property. Paying my doctor bill doesn't mean I have a right to borrow his boat for a spin in the bay.

      Many self-desciribed geeks seem to think any network that they can get into is, therefore, public. That's not true. Private networks are private property.

      --
      -- Slashdot: When Public Access TV Says "No"
  13. Re:excessive data storage or network bandwidth by RevDobbs · · Score: 2, Insightful

    Excessive data storage shouldn't be a problem; this is an SMB lan where everyone has there own computers and storage, not one user taking up all of the scratch space on NIUVAX or the university UNIX box.

    Further, about the network bandwidth: what is the difference between his program doing this, and sitting up all night surfing the LAN? Before the WWW took off, my floormates and myself spent many a late night running through fellow student's computers looking for pron, .wav's, text files... anything interesting. File sizes were seldom the more than half a megabyte, but it was also on thinnet coax, and I'm sure bandwidth was much less than even 10mb/s.