Educause MARC, 2003 Copyright 2002, Marchany

KaZaA
KaZaA is another file sharing program that lets users download music, pictures, software, video clips and more. The fine print in the license agreement has something nasty.

KaZaA License Agreement
You hereby grant Brilliant Digital Entertainment the right to access and use the unused computing power and storage space on your computer/s and/or Internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation.

It Can’t Happen Here
- 1984 – student sends obscene email to female faculty
- 1991 – Major Unix break-in, 18 machines, 5 depts, hackers from all over the world, discussed in the book @Large
- 1993 – Illegal music sites start to appear on VT systems
- 1995 – Student obtains test from faculty Mac ahead of time
- 1996 – Major relay attack, VT system used to attack other sites, AF-OSI/FBI involved
- 1996 – Student changes grades on instructor’s PC
- 1996 – Anonymous email harassment from public VT systems
- 1996 – Hackers attack system in MCB, capture passwords from 3 depts
- 1996 – Secret Service investigates VT student for threat to the President via email
- 1996 – female instructor harassed via email on class listserv
- 1996 – CO system attacked by BEV user
- 1996 – VT student captures 300 passwords in a dorm and changes them on 4/1/96
- 1997 – VT WWW site modified illegally
- 1997 – Dept. WWW sites attacked
- 1997 – VT student sends hate mail to gay www site. VT Provost gets > 500 emails protesting this attack, story appears in NY Times, Washington Post, LA Times, CT, local PBS
- 1997 – VT student sent to judicial review for email harassment & threats
- 1997 – Pirated software sites on VT systems
- 1997 – VT system attacked from outside, FBI involved
- 1997 – Hackers attack VT system to attack Canadian systems, RCMP/FBI involved
- 1998 – Hackers attack VT system to attack PSU systems
- 1998 – Dept lab attacked by disgruntled former grad student
- 1998 – EE, Emporium labs attacked by hackers
- 1999 – BO, Netbus, Email attachment attacks arrive
- 1999 – +80 VT systems attacked to be used in DDOS attacks. FBI involved
- 2000 – Email harassment attacks continue
- 2000 – Remote control trojan attacks increase
- 2001 – VT systems continually probed for vulnerabilities

History
- 1989: I asked a question
- 1990: first draft of the AUP
- 2000 – adopted 1989, revised 1999
  - Management of University Records
- 2005 – adopted 1989, revised 1999
  - Administrative Data Management and Access Policy
- 2015 (AUP) – adopted 1991, revised 1999
  - Acceptable Use Guidelines contain specific examples
- 2020 – adopted 1991, removal pending
  - Policy on Protecting Electronic Access Privilege
- 2030 – adopted 2000
  - Policy on Privacy Statements on VT WWW sites

AUP Enforcement Philosophy
- Use Existing Policies and Sanctions
  - Sanctions are described in Student, Faculty and Staff Handbooks
  - Judicial procedure is defined there also
- Maintain compliance with Federal, state and local Computer Crime statutes.
- Academic freedom vs. illegal activity

Acceptable Use Policy Scope
- All VT computer & communications facilities dealing with voice, video and data
- VT Networks, mainframe, midrange, minicomputer, workstation and PC
- No individually owned computers

Acceptable Use Policy
Demonstrates Respect of:
- Privacy rights of others
- Intellectual property rights (copyrights, patents)
- Data ownership
- Defense mechanisms
- Freedom from harassment, intimidation

Acceptable Use – The Do’s
- Use resources for authorized purposes only
  - Porno, personal business – violation!
- Responsibility
  - You’re responsible for anything that originates from your system/userid.
- Permission
  - Access only what you’ve been given permission to access
  - You can share your userid/system but see previous point
- Use only legal copyrighted software or data
- Refrain from overloading resources
  - Spam, DOS attacks

Acceptable Use – The DON’Ts
- Use another’s system, userid, data, files or password without permission
- Use hacking programs, willfully spread viruses to break system security or disrupt services
- Make illegal copies of copyrighted materials, store them on VT systems or transmit them on VT networks
  - MP3, Napster, DVD is ok as long as copyrights are respected.
- Use email or messaging services to harass, intimidate or threaten others
  - Most common offense
- Use VT systems for personal gain
- Use VT systems for illegal purposes

Acceptable Use - Enforcement
- AUP violations are a serious offense
- VT reserves the right to copy and examine any file on VT systems allegedly related to AUP violations in order to protect its resources
  - Done only with the approval of supervisory or legal entities.
  - Does NOT apply to personal systems
- FERPA, ECPA, Computer Fraud & Abuse Act, Computer Virus Eradication Act, VA Computer Crime Law, HIPAA, Interstate Transportation of Stolen Property Act
- Students
  - Office of Judicial Affairs (www.judicial.vt.edu)
- Staff
  - VP for Human Resources
- Faculty
  - Provost and Department Head
- Legal
  - Campus Police, State Police, FBI, Customs, ATF, Military OSI, Secret Service
- IS does NOT prosecute! It only collects data for the above entities.

Acceptable Use - Statistics
- Students
  - 1998: 5 cases formally adjudicated
  - 1999: 1200 complaints, 25 cases formally adjudicated
- Gender based harassment, copyright infringement pose significant contributory liability concerns for the University
- Data from Office of Judicial Affairs annual report

Response Strategies
From RFC 2196
- Protect and Proceed
  - assets are not well protected
  - continued penetration could result in financial risk
  - willingness to prosecute is not present
  - unsophisticated users and their work is vulnerable
- Pursue and Prosecute
  - allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies but is the most difficult.
  - Willingness to prosecute!!

Acceptable Use - Summary
- Comprehensive
- Flexible
- Use existing University Policies for enforcement
- Do not marry it to technology.
  - Stealing is stealing whether done in the real or cyber worlds.

Increasing Awareness
Once You Have a Policy, You Need To Tell People What It Is

Orientation Sessions
- Student
  - Freshman Orientation
  - Resident Computer Consultants (RCC)
- Faculty
  - Faculty Development Institute
  - Departmental presentations
- Staff
  - New Employee Orientation

Sample Orientation Presentation
The following presentation is one of the ones we give to GTAs at their orientation.

GTA Workshop – Acceptable Use Guidelines
Wayne Donald
Randy Marchany

Passwords ARE the First Defense
- Bad Password Examples

Sharing Systems
- Never share userids.
- Log off when you’re done
- You have sensitive data about your students.
- You must protect it or you’ll violate FERPA regulations
- Make sure your system administrators have protected your operating system but you must do your part!

Protecting the System
- Get the VTNET software CD, it’s FREE!
- Antivirus
  - Norton Antivirus Corporate Edition 7.6
- Cleartext
  - Secure Shell SSH 2.4, Secure Copy 2.4
  - Use especially if you have wireless systems
- Never disclose sensitive information via the WWW if the padlock icon is unlocked
- Use Personal Firewalls software to monitor access to your systems (Zone Alarm, BlackIce, XP firewall)

Acceptable Use
- You’re responsible for anything that originates from your userid
- Don’t download movies or music unless you bought them
- The Net is not anonymous so be careful
- Use email responsibly

Summary
- You are responsible for sensitive information stored on your computers
- You could violate federal laws if you allow the information to get out
- Make sure you’ve read the VA Tech Acceptable Use Guidelines
- Make sure you have a “safe” working environment
- Don’t share computers unless you have no choice

Eliminate the Excuses
The following slides show some of the www pages we have to increase awareness at the general and technical levels.

Surplusing IT Equipment
- How To Surplus IT Equipment

Have We Been Successful?
- We tried for 3 years to get into the Faculty, Student and Staff orientation programs.
  - We were told there wasn’t enough time for our short presentation.
- This year, something changed.
  - Faculty Development was ordered to give us time.
  - Student orientation wanted something after 9/11.
- Orientation sessions have generated additional presentations for individual groups.

Technical Orientation/Training
- Provide security awareness and technical training to your sysadmins.
- In-house is the cheapest option.
  - Hardest to do but the benefits are outstanding.
  - Builds a support network across depts.
- Hold regional training for local edus.
- Regional training for local EDUs
  - SANS-EDU – 3 day seminar on Network, Unix, W2K security
  - Sponsored by SANS Institute (www.sans.org) and VA Tech
  - Open to any EDU in the US, $100/person
  - Aimed to help close the training gap
  - Low price = no excuses

Conclusions
1. Get the AUP in place.
2. Build awareness programs for faculty, staff and students.
3. Get technical training for your support staff.
4. Establish links between the enforcement arms of the university.
5. Repeat steps 2-4.