More often than not we have to meet their standards and I have yet to see an off base contractor that would meet DoD 'standards' for security.
While you argue against contractors off base, I would argue that on post contractors and those in uniform would do no better and may even be worse. I am an admin (MOS 74B) in an AG unit on post and if I wanted to get away with taking most of the computers here on post, I could, EASY! Most of the military on post do have locks on their doors but most of them don't use them either. It may be locked up at the end of the day, but if a formation is called in the middle of the day or lunchtime is called, don't bet on the doors being closed, much less locked and properly secured. Except for my office (the server room), there are no cameras set up to pull security for those offices.
For me to do my job 95% of the time I require no human intervention, as the problem is described to me in my work order. Despite being a virtual unknown to most of the staff onsite, I am rarely challenged while I work and in some cases dismantle a computer. Taking the computer out to my car is not a far step from that. Given that I am supporting an entire brigade, I frequently go into a commanding officer/Command Sergeant Major/1SG office to do work. As an AG unit, they control most if not all of the orders on post. Think about it for a second.
The Army needs to think a lot more about IT security, not just about attacks from the outside, but how easy they make it from the inside.
NOTE: I have not abused any of the above; I am simply trying to point out the flaw in common DoD awareness on physical IT security.
PFC Gruhn
Fort Lewis, Washington
I Corps -- America's Corps!
It's only illegal when you are making CDs to which you do not have copyright permission and then distributing them.
Since the above operation clearly is illegal because of the above sentence, quoting a burn rate makes perfect sense. I am sure that they probably DO have numbers on how many of these scale operations there are in any one area. Because they produce the legitimate copies in any area they also have the stats for legal copies; therefore they could use the burn rate to make the case that 64,247 CDs/day is a significant portion of the total market in the area. That's a whole lot more convincing than quoting a made up burner equivalent number instead. The non tech can look at 64K and say that's a big percentage; a made up burner number is meaningless to tech and non tech alike.
Seems like the RIAA needs to talk to some real people outside their own business. Coming up with numbers like that, no wonder they can't convince anybody that p2p is wrong. I don't think it is, but with an argument like that they are needlessly making their life harder.
PFC Gruhn
US Army
Not having an admin password does not help, but sounds like what he really needed to do was put a decent firewall on the box. They can't hack it if they can't find it...
No Firewall and No Other User account makes computer something something. Get Attacked? Don't mind if I do...
PFC Gruhn
U.S. Army, Fort Lewis
As they are midshipmen and therefore under the UNIFORM CODE OF MILITARY JUSTICE (UCMJ) per article 2 subsection 2, all the Naval Academy had to do was cite them as being in violation of any of these three articles of the UCMJ. The highlights are my own.
SUBCHAPTER III. NON-JUDICIAL PUNISHMENT
815. ART. 15. COMMANDING OFFICER'S NON-JUDICIAL PUNISHMENT
933. ART. 133. CONDUCT UNBECOMING AN OFFICER AND A GENTLEMAN
Any commissioned officer, cadet, or midshipman who is convicted of conduct unbecoming an officer and a gentleman shall be punished as a court-martial may direct.
934. ART. 134. GENERAL ARTICLE
Though not specifically mentioned in this chapter, all disorders and neglects to the prejudice of good order and discipline in the armed forces, all conduct of a nature to bring discredit upon the armed forces, and crimes and offenses not capital, of which persons subject to this chapter may be guilty, shall be taken cognizance of by a general, special or summary court-martial, according to the nature and degree of the offense, and shall be punished at the discretion of that court.
Pay particular attention to article 134. This article basically says that the military can charge you with anything as a crime on the spot. The only difference between this and article 15 is that an article 15 does not require a court martial. Once accused of being in violation of the UCMJ, the military is allowed to take immediate action. There is no innocent until proven guilty; your CO may take whatever action they see fit as long as it is within regulation (Note about article 15 -- it is the only one of the articles noted above with set limits on penalties).
You can browse the entire UCMJ here
PFC Gruhn
U.S. Army, Fort Lewis
I Corps -- America's Corps
A reconnaissance platform needs survivability. A design such as this does not appear to offer any sort of low-observability, or alternatively, high speed for defensive requirements. This particular design could be brought down with the lowest-tech of weaponry. That said, it might serve well as a surveillance platform for peacetime uses...
For the reasons he already stated, this design would also be unsuitable for peacetime recon. It may be even more important during peacetime than war for the plane to survive. If the plane goes down, it's an international incident that may lead to war. Because of the instant implications, the plane needs to survive a few hits from the enemy. If they shoot at you but don't get you, most governments won't broadcast the info to the rest of the world, essentially saying to others "See? They did it and so can you?" If, OTOH, they get the spy plane/drone, they broadcast it instantly as evidence of imperialism by the offender.
Secondly our current "peacetime" activities ain't so peaceful. Iraq, Israel, Afghanistan to some extent are all peacetime activities, but we get shot at quite a bit.
PFC Gruhn
Fort Lewis, Wa
I Corps, U.S. Army
As a counter point,
1) I was not talking about a democratic government per se; most military and some governmental groups are not run with the most eyes looking at it. So in that sense for that particular sector of the government, it's not democratic.
2) While they may not be making censorware, it would still apply in that they don't want other people looking at the modifications for security reasons.
3) Helping another military would be very out of line for Microsoft to do without U.S. DoD approval.
PFC Gruhn
Fort Lewis, Wa
MOS -- 74B
If they need it to create a firewall-type software package for their machines, why not ask Microsoft to create that instead?
Most governments DO NOT want the outside to be messing with their own security apps, since you have to figure that for most everything, your weapon of choice is built by the lowest bidder. In terms of M16's this might be fine (never met a bad one yet), but in terms of software this definitely does not tend to work. Now that the Army understands much better technology, they are waking up from contractor over-dependence.
Secondly and perhaps more importantly, in a non-democratic setting government work frequently has mission requirements that a contractor is unable to know about OR would take a long time to get them clearance. In these sensitive compartmentalized areas, what's better than to have the original source and do the work yourself with your own in house personnel? In this particular case, somehow I doubt Microsoft as a company in the U.S. would do well writing censorware for the ROC. They may also be unwilling politically to do so as they have just received a wonderful break from DOJ. Last thing they want to do in this environment is seem unpatriotic and obstructionist.
PFC Gruhn
U.S. Army
Fort Lewis, Wa
MOS -- 74B
They may have had lasers and the concept did come in the sixties. However the plan here is to have mobile laser sites for this. If this was in such a great usage before btw then we sure have done a good deal to hide it.
PFC Gruhn
U.S. Army -- Fort Lewis
The grunts on the ground are not going to use this stuff period. When you can talk much faster than you can type, this will go nowhere. OTOH, their commanders will love this. On a battlefield the person that is in charge of a particular area might get changed on a frequent basis and, more importantly, it's probably the person you need to talk to the most that just changed. For combat support units, this would be great. No more setting up phone lines everywhere as well as computer cable, you just IM the guy and you know that he understands and even better you get instant knowledge of if he is alive and kicking. It would just be another piece of the puzzle of automating the force. If their commander was smart enough to use it, the flow of info would be wonderful.
That said, most of the commanders are in a PHB type position in combat support, not to mention a distrust of the leading edge especially in tech. Most of them use their computers solely for email; the enlisted do the rest.
PFC Gruhn
U.S. Army
We will be more interested on how clouds of nanomites can liquify a human in seconds than a hairline crack repairing coat of paint.
Not really. We already have enough stuff that can do that without the use of nanomites. With our current chemical, biological, and nuclear (NBC) weapon systems, who needs nanomites? Granted it would be nice to have such a weapon, but we would still need a decent delivery system, in which case military lawyers would be all over us on how a cloud of this stuff would be a war crime. That's the main reason we don't use any of our NBC weapons these days anyway.
Compared to modern weapons systems it would probably be very high cost per victim, which in modern times with our budget, it would get cut by DoD or Congress real quick I think.
PFC Gruhn
U.S. Army -- Fort Lewis
Conventional radar can detect a stealth aircraft; the main advantage is time. A normal fighter aircraft you can see a long ways out, over open terrain more than 150 miles, long enough for you to scramble forces and maybe put up a decent defense. For stealth aircraft that detection range is down to about 30 miles. All this of course assumes good weather; in bad weather stealth aircraft are in some instances worse. 30 miles is a whole lot less time to get your act together before we kill you. Of course by the time the fighters and bombers come, the enemy has already blown it -- A UAV already probably saw them and put them on the hit list.
PFC Gruhn
U.S. Army -- I Corps, Fort Lewis
The problem with this is not that one is making secure devices standard. There is still the problem that all OSS systems face -- getting device drivers written for the proprietary systems implementing security. Most of our current drivers today are done by volunteers and not the companies themselves. As a result, we may very well have systems that are compliant, but our favorite OS's are not because we cannot get drivers to use said devices. We have enough problems not getting up to date hardware running because of copyright deadlock. See the use of CSS. DVD is still waiting on getting legal use to that code.
If it were added to this bill that the said security algorithms were available to anyone who requested them free of charge or for a small fee (cost of publication most likely) we are set. Then this bill does nothing to us except we now have one extra dev device that implements the security if one chooses to use it. Make it an option in new programs so if one chooses to use it, one may. That way it can't be said that the OS is non compliant and our international friends don't have to worry about it. OSS is currently one of the most standards compliant set of OS's in existence; once we have the specs, a driver can be whipped up in no time. Most importantly after the driver is finished, we go on with our lives and ignore it. Back to making OSS the best software on the planet.
On a side note, hopefully we could get CSS termed a "security device" and then under my proposition, we could finally get hold of these drivers legally!
A gui development environment is only as helpful as the code is visual. For a RAD environment, having a gui is essential, otherwise you miss the point of RAD. RAD lets you speed up by a lot your development time by just dragging and dropping your parts into place. Much better than spending a lot of time developing a gui that really is not the point of your app -- the algorithm really needs that time. Keep in mind though that if your compiler does not make good code, all the gui effort is wasted. MS VC++ can be an ok development environment, but the compiler in it sucks as it's not ANSI compliant and probably never will be thanks to MFC. Oracle JDeveloper on the other hand lets you use an installed JDK on your system to compile the code, so you get the best of both worlds. If it's a command line app you don't really get much out of the gui other than not having to fire up a new shell.
With the banning of the internet this makes the CIA's job of monitoring Afghanistan much harder. Either Osama bin Laden will continue to use the internet, in which case we continue on as normal. If he decides to abide by this new rule then it makes his ability to organize terrorism more of a personal endeavor and as a result much more costly for the US to monitor. Goodbye SIGINT, hello HUMINT. Problem is HUMINT is much higher risk and also much higher cost.
Since we currently know only what small town he is in, mostly as I understand it through SIGINT, then we now must move in to get any intelligence at all. If we are going to go through with that, we might as well send in the assassination squad to get them for the cost of the mission. I'm not sure how politically viable such a mission is because it would take a lot of work to even get that mission off the ground, but it's also such a high payoff if we do...
John Gruhn
National Defense University
Publishing how to pick a lock isn't going to keep the door locked long.
It may not keep the door locked for very long, but then again if you know how it works that means people have to build one damn fine lock. Rather than rely on a crappy lock with a small keyspace, it forces them to use a lock with a large and hopefully randomly generated keyspace. In the end this means better locks. The better the lock, the better the security for all concerned.
If the lock was too easy to pick in the first place, then keeping it secret just exposes this fact because if you publish how it works then you propose a challenge -- "I think I got you beat. Go ahead and try to break me!" About the only bad thing about telling how to break the lock is that it makes locks more expensive if you want to get real security. That said it's usually better for the average consumer because it drives down the price of an ok lock. If you're not too worried about security then your lock becomes easier to get.
This is not really a revolution that takes out the stealth plane since now all we have to do is bomb the computer and all is well again. If we can't use lead bombs, just hack the box and turn it off. People used to say the same things about bombers becoming useless with antiaircraft missiles, but look at planes now.
The real issue is that this makes cell phones which would have great usage for first responders on the ground, specifically medical personnel, into targets, thus blurring the line between the military hardware and purely civilian hardware. As such this brings up such ethical issues as are brought up by destroying things such as power plants -- You can't have a discriminate attack. If you can't make a discriminate attack, it's hard to argue that it's a good target to hit. It's a public relations nightmare and we all know that the military already has its hands full of public relations problems.
It may not be the user's problem to solve it, but they should be educated enough to avoid doing dumb things and creating security/viri holes. If they just learn enough to avoid making IT's life hell (sending out fake email viri alerts, opening exe and vbs, and especially downloading from an untrustable source), it's worth it. Plus, it's better for them since they get to the point of eventually reducing IT workload or making the questions they ask above dumb user status. It's a win-win that way.
Working for a DoD university, I can tell you that even if you are in charge of all the computers on the network (all software, hardware, and internet usage is monitored), viri are still a problem if your users are complete idiots. We have weekly and in some cases daily use of virus updates, and yet many users don't use the updates on our site licence. While our being on MS Outlook does not help matters, it never helps when people just blindly open attachments with no knowledge of what is in it.
Your best bet is to inform your users of known viri alerts on your webpage, especially your webmail if you have one. Eliminate things such as everyone@yourdomain.edu which are a common way of spreading viri. If you are running Exchange server, block attachments from the server that look like viri and cite the user with an immediate virus warning. And especially for central mission critical servers use IPSec to its full extent. An authenticated user is a user that you have accountability for. No reason to mess up the university's essential equipment because of a dumb user.
In short, you can't prevent user stupidity but you can be ready to deal with them.