I sent this to a campus mailing list today, and the question is as relevant to be discussed among the blogs as it is on a campus network administrators mailing list. Perhaps even more so.
This last week has brought the computing world another high-profile so-called hacking incident. In this case, 13 high school students in Pennsylvania are being charged with computer trespass(*), a felony charge in their case. Obviously there is internet opinion on all sides of the issue. The most lucid exposition is likely in an opinion column in USA Today. (via: Bruce Schneier).
(* In North Carolina, computer trespass is generally a misdemeanor. However, for University computers, e.g. a Government computer, Unauthorized Access is a felony. These two sections are part of the general NC computer crimes general statute)
In something closer to the issues Universities face, earlier this year, a group of business school applicants hacked the Harvard Business School’s outsourced ApplyYourself system — and were (at least then) denied admission to the school. Again, details are sketchy and varied, though I’m inclined to accept the Philip Greenspun’s (opinionated as it might be) take on the matter. (see also a media story from boston.com )
Closer to home some of our students were initially charged last year with unauthorized access to a Government computer because they posted joke entries into the Public Safety police blotter. I do not know the details of this, and I really don’t want to know. I know some of the conjecture, I know most of what was said on a student web board on the matter and I know what the news media reported, none of which really highlight the actual details. I have never talked to an IT peer on this campus that might know any details. (and to be clear, the details one way or the other about that DO NOT matter for the purposes of my eventual question).
I DO NOT want to start a discussion about whether or not felony charges, or denying students access to a business school are appropriate punishments. I DO NOT want to start a discussion about the law, or the gray areas of the law, or the culpability of the students, or the parents, or the organization’s governance. I definitely DO NOT want to start a discussion about the details of any of the incidents, especially because the majority of us don’t know the story of any of them beyond the news reports and internet opinion.
(these are very valid discussions, however, they were not within the scope of the campus mailing list, and I’m not going to encourage them to be in the scope here)
What I am doing is posting them because these incidents, and others, highlight that there are serious ramifications to the IT support, the coding, the outsourcing, and the implementation of technology made by folks like you and me.
This is an inordinately complex business, decisions we make, and technologies we implement end up being used (and misused) in ways we never imagined. We can spend hours on hours in due diligence to make sure we keep up with security threats, that our systems are patched, fixing where we used or in our code when we meant to use and and still have our systems taken advantage of.
But it’s safe to say, our peers do some absolutely stupid things. In the first example in Pennsylvania, some of the first incidents resulted from the administrator password being taped to the laptops. (however if the USA Today is correct, there was a continued progression of misuse that led to the felony charges, it wasn’t a straight take advantage of the password => felony charge). The ApplyYourself issue, if Greenspun was correct, was possible only due to quite poor application design.
So, my question(s) for discussion are these: (and any you want to add):
What are the responsibilities of the IT staff? What can we do, in terms of best practices, to make sure that we aren’t doing the stupid things (stupid, of course, is a relative, and often hyperbolic term), that leave open the possibilities for illegitimate use? (continued misuse is a whole other story). What kind of self-oversight and peer support can we implement to protect ourselves and even more so, our system users from things like this? What are your thoughts?
I know that I’ve done my fair share of Self-Denial of Service attacks and very likely will continue, thankfully, none have ever escalated into the kinds of things where someone is going to be charged with a crime (or even get in trouble). My sincere hope is that we never do end up in that situation and the intent of these questions are to talk about things we can do to avoid that.