The Responsibilities of IT (and lawyers too)

Well, it would appear that the lawyer for one of the students charged in Pennsylvania (the so-called “Kutztown 13”) has commented on my post about the “IT Responsibilities” in cases like these.

I assume it’s the lawyer – it may or may not be. I don’t really have much identity verification. The IP Address is a Pennsylvania IP Address though, and searching Google for his name shows him quoted in a Washington Post story about the case.

What I assume is that he’s blanket posting in blogs his side of the story. I don’t necessarily blame him, he’s representing a teenager charged with a felony. It’s his job as a lawyer to get his client off or at least bargain the punishment down to something more acceptable to his client and to those charging his client.

But I really wish he had read my post. To be fair, I really don’t present a position in the matter (other than saying that an opinion column in the USA Today seemed to have the clearest explanation). So in the absence of a definite position, if you have a bias one way or another, you are going to take my words and twist them to whatever opinion you think I have. It’s life. I really would hope for better from an officer of the court (as well as having the comment written better, if he actually wrote it).

But I doubt he’s actually reading the post. Which did nothing but try and generate discussion about the responsibilities of the IT staff in these cases. This is why I don’t have all that much respect for lawyers.

But, Mike, since you accused me of calling the kids criminals, here’s my view on the matter.

I think it is absolutely and positively ludicrous that teenage and college students are accused of felonies in matters like these. I think that more often than not, the IT staff or the programmers, or similar screw up, those screwups are taken advantage of, the organization in which they work gets embarrassed, and that organization’s administration completely overreacts. Maybe because educators don’t like to be embarrassed, probably because they do not understand the technology.

The reactions are not the same when the maintenance dude leaves the paint out, and one gets graffiti all over their building.

I also think it’s ludicrous that “computer trespass” in North Carolina is treated as a felony when it involves a government computer. But that’s a matter for the legislature and a whole other discussion another day.

That being said, I have little respect for students that try (and continue) to play the system, and cry foul when they get their metaphorical hand slapped. But they don’t deserve felony charges.

I don’t know the facts in this case, and I’m not going to editorialize any further about it. I don’t know whether the kids are right, or the school is right. I imagine both sides are doing whatever they can right now to cover their behinds.

What I do care about is three things:

1) I think this is what happens when the IT staffs and administrations, especially in educational institutions, try and control the student desktop. It’s a losing game. Turn over the computer to the student, teach him or her how to use it, or more, how to find the information that they can teach themselves how to use it. When they screw the system up and can’t complete their assignment? Call the Waahmbulance. The problem is, the students are often smarter than the IT staffs which leads me to…

2) I’m very keen on seeing that the IT staff start talking about what they can do, and how they can seek training opportunities that keeps them a step ahead of the technologies, and work with those that they support. I was unable to get discussion about this generated on our campus mailing list. But my core tenet was:

So, mistakes that we make are leading to felony charges and identity theft. This isn’t just “I can’t print my word document” anymore.

Which is serious business. I do not ever want to see a mistake that I make escalate into felony charges for students (unless they have malicious intent) or identity theft. It’s my responsibility to do my best with data and information and the systems that store that, to keep that from happening. It might happen anyway. But if I’m the one that screwed up, I don’t want to see an over-reactive administration go after students. And in the identity theft case, I better be treating that data like it’s the data of my family.

3) People turn their brains off when it comes to computers. It’s high damn time to start teaching the users of the system that they have a responsibility for the use of that system too (which goes back to (1) – when you control things tightly, the users of the system don’t take responsibility for their own use of it – because they think someone is always “taking care of it”)

I hope he gets his client off, or better, the charges reduced.

But what I really hope is that the overall IT industry starts getting their act together here.

[update] It appears, from the aforementioned Washington Post article that the felony charges might be dropped, in a deal. I have no opinion on whether the punishment in the deal fits in this case or not.

Joke of the Day

From my friend James Robinson following up my query (as posted to the campus list):

_
On Aug 23, 2005, at 7:01 AM, James E. Robinson, III wrote:
On Aug 22, 2005, at 3:50 PM, Jason Young wrote:

[snip snip]

[snip, snip snip]

[snip snip snip, snip snip snip]

[snip, snip, oh good grief, (cranks up chain saw)]

[waaaaaahhhhhhhhh, waaaaaaahhhhhhhhhhhhhh – Timber!]

So, my question(s) for discussion are these: (and any you want to add):
_

I admit, I laughed heartily, out loud even. At myself 😉

(And in an ironic twist of fate, while writing this I just managed to stretch out my leg and put my foot down right on top of the switch for the surge protector [still waiting for the desktop UPS’s to get here]… and blam-o-lam, instant self-denial-of-service)

What are the IT Responsibilities

I sent this to a campus mailing list today, and the question is as relevant to be discussed among the blogs as it is on a campus network administrators mailing list. Perhaps even more so.

This last week has brought the computing world another high-profile so-called hacking incident. In this case, 13 high school students in Pennsylvania are being charged with computer trespass(*), a felony charge in their case. Obviously there is internet opinion on all sides of the issue. The most lucid exposition is likely in an opinion column in USA Today. (via: Bruce Schneier).

(* In North Carolina, computer trespass is generally a misdemeanor. However, for University computers, e.g. a Government computer, Unauthorized Access is a felony. These two sections are part of the general NC computer crimes general statute)


In something closer to the issues Universities face, earlier this year, a group of business school applicants hacked the Harvard Business School’s outsourced ApplyYourself system – and were (at least then) denied admission to the school. Again, details are sketchy and varied, though I’m inclined to accept Philip Greenspun’s (opinionated as it might be) take on the matter. (see also a media story from boston.com)


Closer to home some of our students were initially charged last year with unauthorized access to a Government computer because they posted joke entries into the Public Safety police blotter. I do not know the details of this, and I really don’t want to know. I know some of the conjecture, I know most of what was said on a student web board on the matter and I know what the news media reported, none of which really highlight the actual details. I have never talked to an IT peer on this campus that might know any details. (and to be clear, the details one way or the other about that DO NOT matter for the purposes of my eventual question).


I DO NOT want to start a discussion about whether or not felony charges, or denying students access to a business school are appropriate punishments. I DO NOT want to start a discussion about the law, or the gray areas of the law, or the culpability of the students, or the parents, or the organization’s governance. I definitely DO NOT want to start a discussion about the details of any of the incidents, especially because the majority of us don’t know the story of any of them beyond the news reports and internet opinion.

(these are very valid discussions, however, they were not within the scope of the campus mailing list, and I’m not going to encourage them to be in the scope here)

What I am doing is posting them because these incidents, and others, highlight that there are serious ramifications to the IT support, the coding, the outsourcing, and the implementation of technology made by folks like you and me.

This is an inordinately complex business; decisions we make and technologies we implement end up being used (and misused) in ways we never imagined. We can spend hours on hours in due diligence to make sure we keep up with security threats, that our systems are patched, fixing where we used “or” in our code when we meant to use “and”, and still have our systems taken advantage of.

But it’s safe to say, our peers do some absolutely stupid things. In the first example in Pennsylvania, some of the first incidents resulted from the administrator password being taped to the laptops. (however if the USA Today is correct, there was a continued progression of misuse that led to the felony charges, it wasn’t a straight take advantage of the password => felony charge). The ApplyYourself issue, if Greenspun was correct, was possible only due to quite poor application design.

So, my question(s) for discussion are these: (and any you want to add):

What are the responsibilities of the IT staff? What can we do, in terms of best practices, to make sure that we aren’t doing the stupid things (stupid, of course, is a relative, and often hyperbolic term), that leave open the possibilities for illegitimate use? (continued misuse is a whole other story). What kind of self-oversight and peer support can we implement to protect ourselves and even more so, our system users from things like this? What are your thoughts?

I know that I’ve done my fair share of Self-Denial of Service attacks and very likely will continue, thankfully, none have ever escalated into the kinds of things where someone is going to be charged with a crime (or even get in trouble). My sincere hope is that we never do end up in that situation and the intent of these questions are to talk about things we can do to avoid that.

Stewpid

So three varying tales of customer no-service in my RSS aggregator this morning.

Alexei Kosut had a series of conversations with Cingular this month, where customer no-service doesn’t seem to know how to deal with data service and a family plan at the same time.

(for the record, the only time I have ever in my life cursed at a customer service person was at Sprint, where I cancelled my service, and Sprint kept charging me three months in a row, and when I called Sprint customer no-service – multiple times – put me on hold, hung up on me and finally in the third month, transferred me to collections. I was livid by then. I sincerely and deeply apologized to the person I did it to, but that’s how frustrated I was.)

Jeremy Zawodny quotes another page from Seth Godin regarding experiences at a bank.

and last, but certainly not least, Bruce Schneier links to an article about the TSA detaining toddlers whose names show up on the No-Fly list.

Complete…. lack…. of… common…. sense.

So the real question for me is that most sane people will all read these incidents – our cell phone companies, our banks, the airlines, and will deride the lack of common sense, yet we will go back to our jobs and do very similar things, follow procedures, fail to think for ourselves, fail to allow our employees to think for themselves – and implement the same asinine procedures.

Do they address this topic in business schools anywhere? How can organizations create environments that foster people thinking for themselves and to not fall victim to the “procedure” or when the “computer says I have to do this”? Even more, how do you also have people think to ask their peers and supervisors to help sanity check their own thinking and to maintain consistency (which is why all those “procedures” are created in the first place)?

On the Hump

Because I’m in a bit of a dead spot at work (we are largely in “startup” mode – and the funding to get the hardware we need to begin to ramp up and create new services is there, but it is still caught up in the bureaucracy between the various contracts and grants groups, and the people to help create those new services aren’t here yet either) – it’s given me a chance to chip away at the mile long “Flagged Items” list in NetNewsWire.

Everyone and their mother’s brother’s cousin is linking to the trampling and all-around mayhem that was the Henrico County iBook sale. So I won’t link to it. Okay, I will – but only to Dave Barry’s link to it which is rather appropriate.

Sometimes security through obscurity is not a bad thing.

Via Chuq Von Rospach: a great list of recommended software for your Macintosh. All of the linking to it apparently killed the site. All the more reason to get cracking on updating my own list today.

I’ve switched from Safari to Firefox again (I really missed type-ahead-find) but it was driving me nuts to switch between tabs with the mouse because I got used to CMD+Left Arrow and CMD+Right Arrow to switch between tabs. Thanks to the Firefox Keyboard Shortcuts list, I’m less frustrated, but still want to figure out how to change CTRL+TAB to CTRL+Right Arrow.

Switching to Firefox meant that I needed a way to synchronize my bookmarks between three Macs. Thanks to the Bookmarks Synchronizer, I can do that. And because I didn’t want to stick my .Mac password in the configuration for that synchronizer, I needed to set up both WebDAV and SSL to go along with my Apache2 install on my Macintosh.

Setting up a SSL Certificate Authority and a signed certificate is a royal PITA, and something that I’m really not looking forward to writing up as a companion to my Apache2 article. Which is why finding this lovely menu item:

which produces this dialog:

seems to hold a tremendous amount of promise. Knowing what’s going on with a thousand obscure openssl commands is great – but if there’s a GUI to make that easier? All over it. I’ll hopefully figure out whether that dialog is actually useful or not today.

Speaking of updates. Another tutorial that needs to be finished is how to install Subversion via Fink. Which in turn will let me update EWE. One of the first things I’m doing is going to change every mention of RSS to “FEED” and likely add Atom support. Asa Dotzler is right, RSS is a silly name. And I’m honestly tired of the internet Jerry Springer rants surrounding the whole thing, web feeds make a lot of sense to me. (The funniest commentary I read about that was this one, about Dave Winer living in a van…. by the river). I also need to build a few more wiki-friendly features in it – and I think I’m going to call the ewe categories what they really are – tags.

Most likely, I’ll end up screwing up the regular expression matching – so this Redet Software will come in handy. At the very least, it’s the best list of other regex tools I’ve seen so far.

I think all that will keep me occupied for a bit.

Your own BSOD

Excellent! Your very own BSOD on your Macintosh!

Funny, somewhat related story. My friends, after a few years of jokes and more than a few rants about Internet Explorer vs. Firefox, know that I’m Macintosh-oriented. They come over to my house on Mondays to play Diamond-Mind baseball – which is owned by our league “commissioner” and one of the other guys has to bring their PC laptop (because I only have Macs). I have a new Airport-backed wireless network in the house – and was giving the WPA2 password to one of them to join the network. As soon as he entered the password in the Join Network dialog for the Windows XP wireless and clicked “OK” (or “Apply” or whatever it was) – the machine blue-screened on him.

Classic. Of course, now they think I’ve jinxed all Windows machines in the house 😉

(and to be fair – his Dell gets much better signal than my Powerbook G4)

IE, is just, well IE

So I need to update my post from yesterday with a day’s worth of perspective (and additional reads from my RSS feeds).

Saner and clearer heads other than Paul Thurrott’s – and certainly saner than mine are more cautiously optimistic, like Jeffrey Zeldman’s (and the people he links to). Additionally, for what it’s worth, the IE team is actually communicating, in a good way. Internet Explorer 7 is being improved. The CSS 2.0 and 2.1 support is improving. They are fixing bugs and working with the web developer community to do so.

Internet Explorer frustrates me. It’s frustrated me for years. As a pseudo-web developer, and as a user. I switched from IE by switching to the Macintosh, I switched my Windows-using parents away from it, I convinced my friends that it shouldn’t be used at the height of its security problems last year. But they (the IE team) are improving the product. Likely for the good. Thurrott, like Dvorak, Orlowski, and a whole bunch of others, get a lot of press about ranting up and down about one tech thing or another. About the last thing I should be doing is linking to one of them. I’d rather spend time on positive things or even being vaguely funny than ranting or linking to the ranters.

mea culpa.

IE is a cancer on the Web

Thank you Paul Thurrott

“My advice is simple: Boycott IE. It’s a cancer on the Web that must be stopped. IE isn’t secure and isn’t standards-compliant, which makes it unworkable both for end users and Web content creators. Because of their user bases, however, Web developers are hamstrung into developing for IE at the expense of established standards that work well in all other browsers. You can turn the tide by demanding more from Microsoft and by using a better alternative Web browser.”

I have been saying this for several years. Microsoft does a lot of good things, but Internet Explorer has not been one of them.

Multiple From Addresses in Mail.app

Thank you Justin French!

I have multiple addresses that resolve to the same email account. Since I’m subscribed to most NC State lists and in the address books for most people with my @ncsu.edu email address, I need to use that when posting to those lists, or sending mail on campus.

Externally though, I want to use my @extension.org address.

Separating the addresses with commas in the Account Preferences for Mail.app lets me click the Account: button:

and pick from multiple addresses:

Hooray for the lazyweb!