From kadie Mon Jul 29 10:13:05 1991
To: cafb-mail
Subject: Computers and Academic Freedom mailing list (batch edition)
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Mon Jul 29 10:12:33 EDT 1991
In this issue:
: Deprecating grad credit transfer as a restraint of trade
:
: Returned mail: unknown mailer error 1
olivea!news.bbn.co : Re: Hamline Univ shuts off account w/o notice or stated r
elroy.jpl.nasa.gov : Re: Administrator Access (Was Re: Ohio State)
The addresses for the list are now:
comp-academic-freedom-talk@eff.org - for contributions to the list
or caf-talk@eff.org
listserv@eff.org - for automated additions/deletions
(send email with the line "help" for details.)
caf-talk-request@eff.org - for administrivia
-------------------
Received: from GATEWAY by eff with netnews
for caft-mail@eff.org (comp-academic-freedom-talk@eff.org)
Date: 29 Jul 91 08:02:59 GMT
Message-Id: <1991Jul29.080259.13108@zorch.SF-Bay.ORG>
Organization: SF-Bay Public-Access Unix
References: <5493@orbit.cts.com>, <26367@well.sf.ca.us>
Subject: Deprecating grad credit transfer as a restraint of trade
nagle@well.sf.ca.us (John Nagle) writes:
> I respect this person for putting his money where
> his mouth is, by withdrawing from the school over
> this issue. An effort by the school to collect
> from him could be interesting, since he's raising
> a breach of contract issue. I doubt that they will
> make a major effort to collect if it is made clear
> that they will have to justify their behavior in
> court.
> John Nagle
> Prof: "Me professor. You student."
> Student: "Me customer. You employee."
Unfortunately, that option involves not just a
_little_ money for most folks, since university
graduate programs typically refuse to transfer in
more than six credits (two classes) of graduate
school credit toward a degree; this is monopolism at
its very worst, a vast conspiracy in restraint of
"trade"; and the result is that once you've put in a
little time toward an advanced degree, the
university has a pretty heavy mortal lock on your
billfold -- withdraw and lose most of those bought,
paid, and worked for credits -- so that they tend to
treat graduate students as infinitely abusable;
besides the bureaucratic stiff arm described at the
root of this thread, there is als the question of
treating grad students as a vast pool of cheap, on
demand labor, to be paid at 20% or below of the
rates for the same work in industry, if paid at all.
Were credits freely transferable, students could
shop for a better deal, and such abusive behavior
would quickly find itself without a target.
My (only modestly paranoid) contention is that that
is _exactly_ the true reason for the limited
transferability of grad credits, not the BS about
"unable to easily evaluate other universities'
course content value" usually given.
Comments?
Kent, the man from xanth.
-------------------
Received: from USENET by eff with netnews
for caft-mail@eff.org (comp-academic-freedom-talk@eff.org);
contact usenet@eff if you have questions.
Date: 28 Jul 91 20:07:43 GMT
Message-Id: <1991Jul28.200743.10036@eclectic.com>
Organization: Eclectic Associates, Inc.
From: olivea!news.bbn.com!nic!eclectic.com!kovar@uunet.uu.net
References: , <5493@orbit.cts.com>, <26367@well.sf.ca.us>lect
Subject: Re: Hamline Univ shuts off account w/o notice or stated reason
In article <26367@well.sf.ca.us> nagle@well.sf.ca.us (John Nagle) writes:
>
> I respect this person for putting his money where his mouth is, by
>withdrawing from the school over this issue.
Is he really to be respected? It sounds like he went off half cocked
and took a pretty drastic step over something pretty small. Free accounts
on machines in an environment that aren't familiar with the technology
aren't reliable. If everyone at school received an account as a matter
of policy, and then his was revoked, then I'd say he did the right
thing. In this case, it sounds like he overreacted.
-David
--
-David C. Kovar
Consultant Internet: kovar@eclectic.com
Eclectic Associates AppleLink: ECLECTIC
Ma Bell: 617-643-3373 MacNET: DKovar
"It is easier to get forgiveness than permission."
-------------------
Received: from USENET by eff with netnews
for caft-mail@eff.org (comp-academic-freedom-talk@eff.org);
contact usenet@eff if you have questions.
Date: 25 Jul 91 20:14:52 GMT
Message-Id: <1991Jul25.201452.836@zorch.SF-Bay.ORG>
Organization: SF-Bay Public-Access Unix
From: elroy.jpl.nasa.gov!swrinde!mips!pacbell.com!tandem!zorch!xanthian@uunet.uu.net
References <6620@gazette.bcm.tmc.edu>, <23.Jul.91.155137.81@cogsci.cog.jhu.edu>, =]
Subject: Re: Administrator Access (Was Re: Ohio State)
escott@clippers.shearson.com (E. Scott Menter) writes:
> wjb@cogsci.cog.jhu.edu writes:
>> As both a system administrator and a user this
>> seems quite reasonable to me. The only thing I
>> would add is that if a users' data has been
>> accessed as a result of an emergency situation
>> that the user must be informed of that access
>> after the emergency has been alleviated or a
>> fixed time period has passed. (a week or two?).
>> The user should also be informed what emergency
>> required this action. This would probably even
>> cover investigating possible "crackers" as that
>> would seem to be an emergency
> Not entirely. Say you thought a user might be
> doing something naughty, like keeping a personal
> copy of some company-owned source code. You take a
> look at his files, and find that not to be the
> case. Should you then send him email saying "we
> thought you might be a dishonest jerk, but we
> checked it out and decided you aren't one?"
> Even when I worked in academia this wouldn't have
> been a popular approach 8^).
And for good reason; that is not an _emergency_,
that is a "show probable cause" type of situation,
and at the least, the person's account should be
frozen or a protected copy of the file made, and a
procedure gone through in which evidence supporting
admin access to that file's insides is presented,
subject to owner's rebuttal, and adjudicated by
higher authority before the file is browsed by other
than its owner.
Kent, the man from xanth.
From kadie Tue Jul 30 10:07:51 1991
To: cafb-mail
Subject: Computers and Academic Freedom mailing list (batch edition)
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Tue Jul 30 10:07:13 EDT 1991
In this issue:
kadie (Carl M. Kad : CAF mailing-list header improvement
russotto@eng.umd.e : Re: (none)
smith@sctc.com (Ri : Re: Hamline Univ shuts off account w/o notice or stated r
llama@eleazar.dart : Re: (none)
William Hugh Murra :
kadie@eff.org (Car : student suspended for mailing passwords at U. of Georgia
kadie@m.cs.uiuc.ed : Stanford President Kennedy to resign
Bill Dugan
Subject: CAF mailing-list header improvement
The header of notes send via the Computers-and-Academic-Freedom
mailing lists has changed.
Before all notes where "From: comp-academic-freedom-talk-request@eff.org".
Now all notes are from their original sender, e.g. xanthian@zorch.sf-bay.org,
kadie@eff.org, etc.
The good part of this change is that it is the way that most other
mailing lists work and it allows you to see the author's name before
you read his or her note. The bad part is that it will be harder
to tell CAF email from more personal email.
Replies to CAF notes should work as before (going to caf-talk@eff.org,
not the original author).
I hope the change does more good than harm. (It has already cause some
problems with caf-batch; I expect to fix those problems presently.)
- Carl
-------------------
Date: 29 Jul 91 15:06:28 GMT
From: russotto@eng.umd.edu (Matthew T. Russotto)
Message-Id: <1991Jul29.150628.5083@eng.umd.edu>
References: <43910726214434.0003158580NA3EM@mcimail.com>
Subject: Re: (none)
In article <43910726214434.0003158580NA3EM@mcimail.com> 0003158580@mcimail.COM (William Hugh Murray) writes:
>History is clear that license encourages government. There are all
>kinds of bills working their way through the legislatures which are
>intended to limit what we do here in the name of public order. All of
>them look for their justification to a tiny bit of atypical, but
>outrageous behavior. Those who have perpetrated that behavior, and put
>our freedoms at risk, have justified that behavior on the basis that it
>is not prohibited or is a justified rebuke to abusive authority.
>
>What you are concerned about is protecting those freedoms already
>guaranteed by the Constitution. What I am trying to protect is that
>zone of freedom between what the government already regulates and that
>which the Constituion says it may not. That zone is very fragile; it is
>being put at risk by outrageous behavior, essentially gratuitous, by a
>small few. They are taking comfort and justification from your
>arguments which I do not believe that you intend. It is clear that you
>have a strong ethical sense which they do not share. Your refusal to
>characterize that behavior as extreme or outrageous, to personally
>forego it in the name of preserving freedom, contributes to the problem.
>
>I am willing to forego rude, extreme, and outrageous behavior in the
>name of order to and to forestall authoritarian intervention in an area
>where it is not needed or useful. I invite you to join me. I am
>willing to characterize and condemn as abusive of freedom, that behavior
>which invites authoritarian intervention. We need your support.
[Sorry for quoting the whole thing, but I can't divide it without distorting
it]
If we build the walls around ourselves, and attempt to convince others to
do the same, just to keep the govt from building the walls for us, then the
government has already won. This is the so-called chilling effect that is
often spoke of.
>Your example of gun control is perfect. I too do not and would not own
>a firearm. As a matter of conscience, I, the world's ultimate toy
>freak, forego a toy that I have every right to own and am trained and
>qualified to use. I too cherish the right to own one and do not want
>the government to interfere with that right. But if you do not believe
>that "the powers that be" will restrict that constitutionally guaranteed
>right to bear arms if all these shootings do not diminish, then you have
>not read enough history.
I really don't want to get into gun control on this newsgroup, but I should
point out that these things are not analagous-- the people which the government
is using as an excuse to eliminate our RKBA are people who are doing things
in areas which are correctly subject to governmental restriction: Murder,
assault with a deadly weapon, armed robbery, etc, etc.
>Now quite candidly, as much as I value the freedom to bear arms, I have
>already personally given it up. When little babies are not safe from
>stray bullets in their beds, I am ready to surrender some of your
>freedom. If things get much worse, I may be ready to support a
>constitutional amendment. If you believe that it will not get a lot of
>support, then you do not watch enough TV.
If you believe that restrictions on the RKBA will help.... try
talk.politics.guns. Similarly, restrictions on computers and computing will
not stop MCI number exchange, electronic funds theft, malicious computer
viruses, or hackers. Make computer programming a licensed profession, and
you will not affect the cracker community one bit.
--
Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
Just say NO to police searches and seizures. Make them use force.
(not responsible for bodily harm resulting from following above advice)
-------------------
Date: Mon, 29 Jul 1991 15:28:15 GMT
From: smith@sctc.com (Rick Smith)
Message-Id: <1991Jul29.152815.24048@sctc.com>
References: <5493@orbit.cts.com>
Subject: Re: Hamline Univ shuts off account w/o notice or stated reason
To summarize, whir@orbit.cts.com (Rick Allard) writes:
>..... It seems pretty clear that this Unix-naive guy
>above the system administrator was uncomfortable with the
>combination of Internet, administration parts of the file system
>and a user who wasn't using a mainframe in the manner that
>computers were used before communication merged.
I notice two things from this post. First, there's the security problem.
Allard notes that the university uses the computer in question for
"adminstration" and that Internet access is being provided for use by
a faculty member. I know that many people like to pooh-pooh the
security implications of Internet access. Personally and professionally
I think an organization is acting irresponsibly if they are putting
sensitive data on an Internet machine (i.e. administrative data
processing) unless they have a team of incredibly competent kernel
and security gurus on staff. Even then, it's probably not worth the
risk. This is why people install multiple computers and firewalls.
I'm sure that the computer administration at Hamline had no idea
that the implications of Internet access were so profound. In any
case, having a faculty member use a powerful and potentially dangerous
facility is different from letting a student use it. Maybe after
the Hamline administration has some experience with the Internet they
might figure out how to let students use it. But then, maybe not.
The relationship between students and their school is a weird one,
and not one in which trust is necessarily given and granted. It's
different (sometimes) with faculty, since they have an employment
relationship with the institution. It is no insult to Allard's
personal integrity if administrators at Hamline refuse to trust
him, it's just the way cautious institutions will act.
A second thing I notice is that there's no mention of how computer
access is related to Allard's graduate program. It's clear that he
didn't choose Hamline U. because it provided Internet access, since
he didn't bring any of this up until after he started there. It's
clear then that Internet access wasn't something he expected to
be part of his education there. Maybe it _could_have_been_ but then
he should transfer to a place that can provide it to students.
Rick.
smith@sctc.com Arden Hills, Minnesota.
-------------------
Date: 29 Jul 91 19:06:12 GMT
From: llama@eleazar.dartmouth.edu (Joe Francis)
Message-Id: <1991Jul29.190612.13162@dartvax.dartmouth.edu>
References: <43910726214434.0003158580NA3EM@mcimail.com>
Subject: Re: (none)
0003158580@mcimail.COM (William Hugh Murray) writes:
>I am willing to forego rude, extreme, and outrageous behavior in the
>name of order to and to forestall authoritarian intervention in an area
>where it is not needed or useful. I invite you to join me. I am
>willing to characterize and condemn as abusive of freedom, that behavior
>which invites authoritarian intervention. We need your support.
>Your example of gun control is perfect. I too do not and would not own
>a firearm. [... some delted...] But if you do not believe
>that "the powers that be" will restrict that constitutionally guaranteed
>right to bear arms if all these shootings do not diminish, then you have
>not read enough history.
I don't think I understand you. These "shootings" were not merely
"rude, extreme, and outrageous behavior", they were illegal. They
do not support your point as I understand it.
>And if you think that people cannot become sufficiently frightened of
>computer hackers to surrender your right and mine to use computers as we
>like, then you must think that they value freedom one hell of a lot more
>than I do.
I believe that the solution to this problem is to work to educate our
electorate about how valuable their freedoms are to them, and to instill
the same respect in our representatives. Self-censorship is not the
answer. "Freedom" is meaningless if you can't exercise it.
----------------------------------------------------------------------------
"Read My Lips: No Nude Texans!" - George Bush clearing up a misunderstanding
-------------------
Date: Mon, 29 Jul 91 22:23 GMT
From: William Hugh Murray <0003158580@mcimail.com>
Subject:
Message-Id: <95910729222359/0003158580NA1EM@mcimail.com>
>Self-censorship is not the answer. "Freedom" is meaningless if you
>can't exercise it.
I have now answered the charge that I am advocating censorship, "self"
or any other kind, so many times and in such explicit language that I
must conclude that those who insist upon that reading are maliciously
misreading for their own purposes. Nonetheless, I am now forced to the
conclusion that arguments that draw so much defense and rancor do my
cause more harm than good. Those who have not heard will not hear.
I am silenced.
William Hugh Murray
New Canaan, Connecticut
-------------------
Date: Tue, 30 Jul 1991 01:34:20 GMT
From: kadie@eff.org (Carl M. Kadie)
Message-Id: <1991Jul30.013420.19111@eff.org>
Subject: student suspended for mailing passwords at U. of Georgia
[Reposted from Effector Online 1.09 with permission of author - Carl]
STUDENT SUSPENDED FOR MAILING PASSWORDS
by Rita Rouvalis
The University of Georgia's (UGA) Student Judiciary has recently
sentenced a student to two quarters suspension for e-mailing Athena's
/etc/passwd file to an unauthorized user who wanted to break into the
system. Intense debate ensued when the following post was made to
eff.talk:
>The University will soon be issuing a news release about this incident.
>In the meantime, here is a summary:
>(1) A number of unauthorized users have been using various University
>of Georgia computers. Most of them have left much more of a trail than
>they realized and will be hearing from us.
>(2) The first person actually caught as part of this incident has now
>been sentenced to 2 quarters' suspension, plus a probated expulsion,
>by the Student Judiciary. This was a U.Ga. student whose name cannot
>be released due to confidentiality of educational records. What this
>student did was mail a copy of /etc/passwd from athena.cs.uga.edu to a
>"hacker" who had already penetrated another system, and who wanted to
>use a password-guessing program to break into athena. The student was
>fully aware that he was assisting in a break-in.
> -- Michael Covington, sysadmin UGA
Discussion was muddied considerably by confusion with other threads,
and opinions were posted without factual basis. If one looks at the
facts, one finds the student received surprisingly fair treatment from
the University of Georgia, whether or not one agrees with the actual
sentence.
Upon investigating an intrusion into one of the AI Lab's machines, the
sysadmin for the AI lab found that the intruder had saved, on disk, a
copy of Athena's /etc/passwd file with an email header indicating it
had come from the student in question's account on Athena. Assuming at
first that either the e-mail header was bogus, or that the student's
account had also been hacked, the Athena sysadmins deactivated the
account. Notice that this was a file saved under an unauthorized
username; no e-mail was ever intercepted.
Upon further investigation, the student admitted to being the
owner/sender of this e-mail message. He also apparently admitted to
being a member of an "elite group of hackers/phreakers," and knowing
that the /etc/passwd file would be used to try to crack Athena.
When the matter came before them, UGA officials felt the needs of the
student would be better served if he/she was brought before the
Student Judiciary instead of filing criminal charges. The only
punishments the Student Judiciary can hand out are expulsion,
suspension, and community service; all proceedings are kept
confidential as required by federal law.
According to UGA Student Judiciary policy, a student can choose either
an administrative hearing, or a student court hearing before three
specially trained students. In either case, the student is assisted by
a trained defender (also a student) and has the right to have other
people present for his defense. The hearing is supervised by UGA's
staff of Judicial Programs and follow the same rules of evidence and
procedure as a courtroom trial. If convicted, the student can appeal
to the Vice President and to the President (which this student has
done).
Despite protests from a few netters about the sentence the student
received, it is clear that the student court carefully considered the
intent and personality of the student when handing down the sentence
-- a consideration not taken in too many hacker cases. Officials felt
that two quarters suspension would effectively remove the student from
the influence of the hackers/phreakers and realign his priorities.
Community service involving computers was not chosen for the express
reason of not encouraging hacking to prove ability.
While some netters may disagree with the sentence handed down, they
should agree that this case was fairly and thoroughly handled by UGA
officials. Their measured deliberation of all the issues involved
should be used as an example in this era of hacker hysteria.
EFFector Online will keep you posted as the case progresses...
Portions of postings by Michael Covington, sysadmin of one of the UGA
machines involved, are reproduced by permission.
--
Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu
I do not represent EFF; this is just me.
-------------------
Date: Tue, 30 Jul 1991 02:24:36 GMT
From: kadie@m.cs.uiuc.edu (Carl M. Kadie)
Message-Id: <1991Jul30.022436.20322@m.cs.uiuc.edu>
Subject: Stanford President Kennedy to resign
According to the UPI, Kennedy will resign effective August 1992.
Kennedy is best known on the net for supporting a ban on
rec.humor.funny and for firing Stuart Reges (a Stanford instructor who
spoke out against the Federal War on Drugs). Kennedy is apparently
quiting because of the Stanford's misuse of Federal research money.
Here are some Kennedy quotes from the article:
``At present we are talking too much about our problems and too little
about our opportunities.''
He plans to ``help make Stanford the university of academic and policy
studies'' in environmental concerns.
``to be quite frank about it, there is entirely too much speculation
about my future at Stanford. It is very difficult ... for a person
identified with a problem to be the spokesman for its solution.''
--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
-------------------
Date: Tue, 30 Jul 91 06:31:37 PDT
From: Bill Dugan
Message-Id: <9107301331.AA11186@teri.bio.uci.edu>
Subject: Legislating searches
Re: The proposed legislation from Donald G. Ingraham, whose summary I propose
as "You-need-a-search-warrant-to-read-someone-else's-files" legislation.
I am not a lawyer and am quite unaware of any side-effects or undesireable
loopholes this legislation would cause, but on a first reading it looks
reasonable. It only seems to deal with law-enforcement agencies though,
and although this is not necessarily bad, I think it misses the interesting
point. (The fact that it is a basic, logical extension of 'normal' search
laws and does not try to get creative is probably a good thing.)
What I think is interesting is the balance that will have to be created
between the freedom to hack around on a system and the freedom to privacy.
What about Joe Student who hacks around on his local unix box and happens
to read someone else's files, just to see what they are? I've done it;
probably 75% of readers here have done it. At some point in the future,
someone on a business account on a unix box will snoop in some other
business's files, and they will find out and squawk about illegal searches,
possibly invoking wiretap laws or some such nonsense.
Pardon the fact that this is my first attempt to consolidate my thought on
this matter, but I would have to say that in an academic environment, where
presumably, exploration and experimentation are encouraged, one should have
the freedom to hack around in someone else's directories *unless* that person
has used chmod to attempt to take away read-privileges for everyone else.
I think that in a university environment, you should assume that anything
you put up on your account is pretty much "public-domain" as far as searching
goes. If you attempt to protect it, though, it should be off-limits for
everybody, including superuser accounts. Of course, it isn't appropriate
for the superuser to be reading everybody's files just because he has the
access.
This brings up a couple of problems I can see right off the bat. Firstly,
novice users won't know how to use chmod. Simple; when the university gives
out accounts, it explains the policy in a brochure, and explains how to use
chmod to protect your files. Problem solved. Secondly, though, it would
seem to require a lot of clarifying policies emphasizing that yes, Joe
Student has more rights than Joe Policeman. A student snooping around the
files is OK; an authority snooping around the files to try to kill hackers
is not OK. Interesting. Enforcement is obviously almost impossible.
Bill Dugan
bdugan@teri.bio.uci.edu
From kadie Wed Jul 31 09:52:29 1991
To: cafb-mail
Subject: Computers and Academic Freedom mailing list (batch edition)
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Wed Jul 31 09:51:34 EDT 1991
In this issue:
smith@sctc.com (Ri : Re: Hamline Univ shuts off account w/o notice or stated r
amanda@visix.com ( : Re: (none)
amanda@visix.com ( : Re: (none)
Sanjay Kapur
References: <5493@orbit.cts.com>
Subject: Re: Hamline Univ shuts off account w/o notice or stated reason
To summarize, whir@orbit.cts.com (Rick Allard) writes:
>..... It seems pretty clear that this Unix-naive guy
>above the system administrator was uncomfortable with the
>combination of Internet, administration parts of the file system
>and a user who wasn't using a mainframe in the manner that
>computers were used before communication merged.
I notice two things from this post. First, there's the security problem.
Allard notes that the university uses the computer in question for
"adminstration" and that Internet access is being provided for use by
a faculty member. I know that many people like to pooh-pooh the
security implications of Internet access. Personally and professionally
I think an organization is acting irresponsibly if they are putting
sensitive data on an Internet machine (i.e. administrative data
processing) unless they have a team of incredibly competent kernel
and security gurus on staff. Even then, it's probably not worth the
risk. This is why people install multiple computers and firewalls.
I'm sure that the computer administration at Hamline had no idea
that the implications of Internet access were so profound. In any
case, having a faculty member use a powerful and potentially dangerous
facility is different from letting a student use it. Maybe after
the Hamline administration has some experience with the Internet they
might figure out how to let students use it. But then, maybe not.
The relationship between students and their school is a weird one,
and not one in which trust is necessarily given and granted. It's
different (sometimes) with faculty, since they have an employment
relationship with the institution. It is no insult to Allard's
personal integrity if administrators at Hamline refuse to trust
him, it's just the way cautious institutions will act.
A second thing I notice is that there's no mention of how computer
access is related to Allard's graduate program. It's clear that he
didn't choose Hamline U. because it provided Internet access, since
he didn't bring any of this up until after he started there. It's
clear then that Internet access wasn't something he expected to
be part of his education there. Maybe it _could_have_been_ but then
he should transfer to a place that can provide it to students.
Rick.
smith@sctc.com Arden Hills, Minnesota.
-------------------
Date: Tue, 30 Jul 91 03:13:28 GMT
From: amanda@visix.com (Amanda Walker)
Message-Id: <1991Jul30.031328.24491@visix.com>
References: <83910727134938.0003158580NA1EM@mcimail.com>
Subject: Re: (none)
0003158580@mcimail.COM (William Hugh Murray) writes:
I take what comfort I can in the fact that, while few will argue
for polite behavior, most of the net continues to be orderly.
I think that most people prefer polite behavior (aside from areas
with explicitly different expectations, such as alt.flame). Where
I, at least, may differ with you is in how to promote it. I promote
it be being courteous and polite in almost everything I post, but I
would be very disturbed at any attempt to *legislate* such behavior.
For example, there are people on the net (and, in fact, on this very
mailing list/newsgroup) whom I ignore, on account of their behavior.
However, I am not willing to ask that they be censured, and would
indeed defend them against it, however distasteful I myself might find
their mode of expression.
I also think I have a much lower estimation of the "orderliness" of
Usenet. I don't think it's very orderly at all.
--
Amanda Walker amanda@visix.com
Visix Software Inc. ...!uunet!visix!amanda
--
"I cannot and will not cut my conscience to fit this year's fashions."
--Lillian Hellman
-------------------
Date: Tue, 30 Jul 91 03:04:36 GMT
From: amanda@visix.com (Amanda Walker)
Message-Id: <1991Jul30.030436.24424@visix.com>
References: <43910726214434.0003158580NA3EM@mcimail.com>
Subject: Re: (none)
0003158580@mcimail.COM (William Hugh Murray) writes:
>Amanda Walker, I believe that we are kindred souls. I hope that I
>can win your support.
I think we agree on several basic principles, and disagree on some of
their implications. Some of these differences may depend on differences
in our experiences and our views of society and government.
>what concerns me here is the evidence in the thread that many take
>license from the limits of governmental authority. That is they
>believe that all things which are not prohibited by government are
>permissable, and perhaps even mandatory.
I am confused by your use of "permissible" here. To my mind, all things
not prohibited are in fact permissable (though not mandatory). In
particular, I permit behavior that I do not myself participate in, and
which I may find outright distasteful or pointless, in exchange for the
right to participate myself in behavior that other people may feel the
same way about. I feel quite strongly about this, which may stem from
having been on the minority side of public opinion any number of times
throughout my life.
>History is clear that license encourages government. There are all
>kinds of bills working their way through the legislatures which are
>intended to limit what we do here in the name of public order.
I tend to oppose any restriction whose sole justification is "to
maintain public order." This criterion is generally used to
consolidate power in the government. Viewing, as I do, the government
as a necessary evil which should be kept at a minimum, I look with
deep suspicion upon anything that grants the government more power
than it has already, especially in name of "public order." "Public
order" has been used to justify slavery, oppose women's suffrage, deny
civil rights to blacks and immigrants, and kill four students at Kent
State. This is something else about which history is very clear.
>All of them look for their justification to a tiny bit of atypical, but
>outrageous behavior.
I do not think that outrageousness, in and of itself, justifies the
imposition of restriction. One of the tactics of protest is to be
outrageous, whether it be an editorial cartoon, political satire, or
the Sisters of Perpetual Indulgence handing out condoms in from of
St. Patrick's Cathedral. The right to be outrageous is part and parcel
of the freedoms of speech, assembly, and the press.
>What you are concerned about is protecting those freedoms already
>guaranteed by the Constitution.
Well, in truth I am concerned about *restoring* them, since they get
very short schrift these days, but I am also concerned with extending
them to apply to situations that did not exist in the eighteenth century.
>I am willing to forego rude, extreme, and outrageous behavior in the
>name of order to and to forestall authoritarian intervention in an area
>where it is not needed or useful. I invite you to join me. I am
>willing to characterize and condemn as abusive of freedom, that behavior
>which invites authoritarian intervention. We need your support.
I think I understand this position, and in fact held it for some time,
but I no longer do. For one thing, people disagree about what constitutes
rude, extreme, or outrageous behavior. This is why I have switched to
using "harm" as my critical factor, not "acceptability." There are
people who would find my life to be rude, extreme, and outrageous, even
though I myself find it none of these things. Who is to decide? The
"tyranny of the majority" is just as dangerous as tyranny of government.
Again quoting from John Stuart Mill:
"When society is itself the tyrant--society collectively, over the
separate individuals who compose it--its means of tyrannizing are not
restricted to the acts which it may do by the hands of its political
functionaries. Society can and does execute its own mandates: and if
it issues wrong mandates instead of right, or any mandate at all in
things which it ought not to meddle, it practises a social tyranny
more formidable than many kinds of political oppression, since, though
not usually upheld by such extreme penalties, it leaves fewer means of
escape, penetrating much more deeply into the details of life, and
enslaving the soul itself." ... "There is a limit to the legitimate
interference of collective opinion with individual independence; and
to find that limit, and maintain it against encroachment, is as
indispensable to a good condition of human affairs, as protection
against political despotism."
>But if you do not believe that "the powers that be" will restrict that
>constitutionally guaranteed right to bear arms if all these shootings do
>not diminish, then you have not read enough history.
I believe that such restriction will happen. I also believe that "the
powers that be" are wrong, and I have fought and will continue to
fight such restriction. History may tell me what is likely to happen,
but that does not mean that what will happen is right.
>Now you and I agree that the right to use a computer is fundamental and
>subject to Constitutional guarantees. You likely agree with me that the
>use of computers is fundamentally orderly and does not need to be
>regulated.
I certainly do.
>But I guarantee you, if the extreme, but atypical, behavior
>in the net continues, government will be all too quick to step in.
They already have, in a number of respects. And, as with gun control, I
will resist such interference, and if by my conscience I find it necessary,
I will violate laws I cannot accept. Now, I would rather grapple with
the problem in advance, and as a result am quite politically active, and
try to do my part to educate my congresscritters and other politicians,
but I cannot accept the government as an ultimate authority. Rulers and
governments exist to serve the people. If they cease to do so, they lose
their right to power.
>Frightened people turn to protective government and they voluntarily
>surrender their rights. Government feels justified and is all too happy
>to oblige.
Agreed. And when this happens, I will be one of those who refuses to
surrender those rights, even when they are demanded of me. I'd even
try to fight income tax (which was originally prohibited by the U.S.
Constitution) if I could figure out an effective way to do so...
>And if you think that people cannot become sufficiently frightened of
>computer hackers to surrender your right and mine to use computers as we
>like, then you must think that they value freedom one hell of a lot more
>than I do.
I think it's quite possible. Because of this, I think it is my
responsibility to try to prevent it from happening, and to resist it if
it does.
--
Amanda Walker amanda@visix.com
Visix Software Inc. ...!uunet!visix!amanda
--
"Reformers must expect to be disowned by those who are only too happy to
enjoy what has been won for them." --Doris Lessing
-------------------
Date: Tue, 30 Jul 1991 11:39 EDT
From: Sanjay Kapur
Subject: Re: Legislating searches
Message-Id:
X-Organization: State University of New York, Stony Brook
X-Vms-Cc: SKAPUR
>This brings up a couple of problems I can see right off the bat. Firstly,
>novice users won't know how to use chmod. Simple; when the university gives
>out accounts, it explains the policy in a brochure, and explains how to use
>chmod to protect your files. Problem solved. Secondly, though, it would
The percentage of non-technical (non-engineering, non-CS) students who
actually read through these brochures is dismally low (about 5%) so the
problem is NOT solved.
>seem to require a lot of clarifying policies emphasizing that yes, Joe
>Student has more rights than Joe Policeman.
A systems administrator is not a policeman. A policeman's main job is to
prevent crime and apprehend criminals. A systems administrator hopefully will
not see a criminal act on the computer at all. What a systems administrator
is interested is in providing service and high availability. This high
availability covers a lot. It also covers problem resolution which may
require "snooping" on a Computer which is owned by the systems administrator's
employer. Another aspect of providing computer resources that users do not
appreciate is this: Sheilding users from faculty and beaurocrats who would
further restrict access. I have gotten several requests from faculty members
interested in running programs that would ferret out cheating in homework
assignments and programming projects. I have turned them down on the basis
that the faculty member's course is not the only course being taught that the
student may be taking and to run such a program without the student's express
consent is not right.
Part of a systems administrators job is to preserve "order".
> A student snooping around the
>files is OK; an authority snooping around the files to try to kill hackers
>is not OK.
The above is a most interesting statement that is also illogical. See below.
> Interesting. Enforcement is obviously almost impossible.
You would be correct if you remove the word "almost" from the above sentence.
How are you going to catch a supersuser who can browse files without any trace
of such browsing? What proof of violation of policy would you have? How
would you prosecute a superuser without proof?
>Bill Dugan
>bdugan@teri.bio.uci.edu
Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu
Systems Staff, Computing Services, |Bitnet: SKAPUR@USB
State University of New York, |SPAN/HEPnet: 44132::SKAPUR
Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046
-------------------
Date: 30 Jul 91 13:25:45 GMT
From: russotto@eng.umd.edu (Matthew T. Russotto)
Message-Id: <1991Jul30.132545.14832@eng.umd.edu>
References: <95910729222359.0003158580NA1EM@mcimail.com>
Subject: Re: (none)
In article <95910729222359.0003158580NA1EM@mcimail.com> 0003158580@mcimail.COM (William Hugh Murray) writes:
>>Self-censorship is not the answer. "Freedom" is meaningless if you
>>can't exercise it.
>
>I have now answered the charge that I am advocating censorship, "self"
>or any other kind, so many times and in such explicit language that I
>must conclude that those who insist upon that reading are maliciously
>misreading for their own purposes.
There are too many for me to believe that (not to mention that I know I am
not maliciously misreading). Perhaps your explicit language was misleading.
--
Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
Just say NO to police searches and seizures. Make them use force.
(not responsible for bodily harm resulting from following above advice)
-------------------
Date: Tue, 30 Jul 1991 16:08:08 GMT
From: ckd@eff.org (Christopher Davis)
Message-Id:
References:
Subject: Re: Legislating searches
SK> == Sanjay Kapur
BD> == Bill Dugan
BD> [...] novice users won't know how to use chmod. Simple; when
BD> the university gives out accounts, it explains the policy in a
BD> brochure, and explains how to use chmod to protect your files.
SK> The percentage of non-technical (non-engineering, non-CS) students who
SK> actually read through these brochures is dismally low (about 5%) so the
SK> problem is NOT solved.
Well, then, have the default account creation procedure put a umask 077
in the user's configuration files! That way, people who want to make
their files public can do so, but it takes some work (heck, put comment
lines in the .cshrc explaining it...)
This seems to work fairly well (I've seen it in action), and is not
unreasonable. However, you may wish to make sure your ftpd also
supports umask; many of them run with a default umask 0, which can cause
great gaping holes, especially for people who ftp their .rhosts files
around...
(If you need source for one that does, let me know. It also supports
logging anonymous ftp sessions, and a 'guest motd'.)
--Chris
--
Christopher Davis | ELECTRONIC MAIL WORDS OF WISDOM #5:
System Manager & Postmaster | "Internet mail headers are
Electronic Frontier Foundation | not unlike giblets."
+1 617 864 0665 | -- Paul Vixie
-------------------
From: William W. Arnold
Message-Id: <9107301613.AA05060@cabell.vcu.edu>
Subject: Re: Legislating searches
Date: Tue, 30 Jul 91 12:13:06 EDT
X-Mailer: ELM [version 2.3 PL11]
Bill Dugan writes ---
> novice users won't know how to use chmod. Simple; when the university gives
> out accounts, it explains the policy in a brochure, and explains how to use
> chmod to protect your files. Problem solved.
>
There's another way to get around this problem. Have the
accounts set up so that by default all files are protected. This way
if permisions are open then you know that the person wants his files
open to the public. This is how it is currently set up here at VCU,
and it works fairly well. Most of the users don't open their files,
and most of the people who are doing enough with the system to have
interesting files, open them to world.
/------------------------------\ /----------------------------------\
| William W. Arnold | Is the universe an accident, |
| has8wwa@cabell.vcu.edu | a mistake, or did someone |
| warnold@gnu.ai.mit.edu | do it to us on purpose? |
| someone.else@someplace.else | --ME-- |
\------------------------------/ \----------------------------------/
-------------------
Date: Tue, 30 Jul 1991 13:34 EDT
From: Sanjay Kapur
Subject: Re: Legislating searches
Message-Id:
X-Organization: State University of New York, Stony Brook
X-Vms-Cc: SKAPUR
> SK> == Sanjay Kapur
> BD> == Bill Dugan
>
> BD> [...] novice users won't know how to use chmod. Simple; when
> BD> the university gives out accounts, it explains the policy in a
> BD> brochure, and explains how to use chmod to protect your files.
>
> SK> The percentage of non-technical (non-engineering, non-CS) students who
> SK> actually read through these brochures is dismally low (about 5%) so the
> SK> problem is NOT solved.
>
>Well, then, have the default account creation procedure put a umask 077
>in the user's configuration files! That way, people who want to make
>their files public can do so, but it takes some work (heck, put comment
>lines in the .cshrc explaining it...)
>
>This seems to work fairly well (I've seen it in action), and is not
>unreasonable.
>Christopher Davis | ELECTRONIC MAIL WORDS OF WISDOM #5:
I agree that a default umask of 077 would be a good idea. Unfortunately this
step, which leads to increased security for the user also leads to reduced
access to the system for legitimate reasons like group projects.
Educating users in the correct use of umask and file protections is still very
important. Most non-technical users have difficulty understanding the concepts
of files and directories. Explaining masks and file protections is even more
difficult. (As an aside: IMHO This is the reason why the Macintosh is so
popular among the non-technically sophisticated.)
Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu
Systems Staff, Computing Services, |Bitnet: SKAPUR@USB
State University of New York, |SPAN/HEPnet: 44132::SKAPUR
Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046
-------------------
Date: Tue, 30 Jul 1991 17:53:23 GMT
From: ckd@eff.org (Christopher Davis)
Message-Id:
References:
Subject: Re: Legislating searches
SK> == Sanjay Kapur
SK> I agree that a default umask of 077 would be a good idea.
SK> Unfortunately this step, which leads to increased security for the
SK> user also leads to reduced access to the system for legitimate
SK> reasons like group projects.
Yes, this is true. However, it seems easier to get people to learn
about chmod and umask if they have a really good incentive (which your
group project scenario would be :-).
It would be nice if everyone learned chmod, but until then, best to keep
them "safe by default" and help them move forward if they want or need to.
SK> Educating users in the correct use of umask and file protections is
SK> still very important. Most non-technical users have difficulty
SK> understanding the concepts of files and directories. Explaining
SK> masks and file protections is even more difficult. (As an aside:
SK> IMHO This is the reason why the Macintosh is so popular among the
SK> non-technically sophisticated.)
I agree, though I might point out that with System 7 and personal
file-sharing, the Mac now has the equivalent of modes and permissions
(but no umask :-).
--Chris
--
Christopher Davis | ELECTRONIC MAIL WORDS OF WISDOM #5:
System Manager & Postmaster | "Internet mail headers are
Electronic Frontier Foundation | not unlike giblets."
+1 617 864 0665 | -- Paul Vixie
-------------------
Date: Tue, 30 Jul 1991 20:21:26 GMT
From: kadie@eff.org (Carl M. Kadie)
Message-Id: <1991Jul30.202126.7529@eff.org>
Subject: Authority of Public Universities
The United States Constitution limits the authority of public
universities and their employees. These limits are discussed in the
book "A Practical Guide to Legal Issues Affecting College Teachers" by
Partrica A. Hollander, D. Parker Young, and Donald D. Gehring.
(College Administration Publication, 1985).
The books says that the University is no longer considered "In
Loco Parentis". The relationship is now contractual. Thus, a
student at a public university has contractual and constitutional
rights.
=Freedom of Expression=
Students have a First Amendment right to free expression. "The
institution has a right, on the other hand, to reasonably regulate
this expression as to time, place, and manner of expression so as to
prevent disruption of the educationally process or interference with
the rights of others, and prevent placing persons or property in
danger."
"Student newspapers at public institutions generally cannot be
censored prior to publication. Student editors usually are permitted
to publish and take the risk of allegations of libel or obscenity.
The student press at public institutions is subject to restrictions
only where college official can 'reasonable forecast substantial
disruption of material interference' with educational activities, or
that the material is clearly libelous or obscene."
=Freedom Against Unreasonable Searches and Seizures=
"Teachers and administrators at public institutions generally are
considered to be public officials, so, in most instances, they should
search only with a warrant. Under emergency conditions, a search
without a warrant possibly would be permitted."
=Due Process=
"The Fourteenth Amendment requires due process before a governmental
entity, such as a public institution, may deprive one of life,
liberty, or property. In a college setting, a student's good name and
reputation arm considered a 'liberty' right, and a student's right to
attend college is considered a 'property' right. Due process would be
required before a student is deprived of either at a public
institution."
"Substantive processes requires, essentially, that policies and rules
must be related to the basic government purpose at hand that basic
fairness be employed. For instance, college rules should be related to
educational matters and applied fairly. Procedural due process
generally refers to the requirement of notice and hearing before being
deprived of a right. For example, before being expelled for
misconduct, students should have notice of what they have done wrong
and a chance to tell their side of the story."
=Rules=
"[T]he degree of specificity required [in codes of conduct] is that
which would allow a student to adequately prepare a defense against the
charge. Teachers should make plain the prohibited conduct, the
procedure for determining whether a student engaged in such conduct,
and what the penalty is."
--
Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu
I do not represent EFF; this is just me.
-------------------
Date: Tue, 30 Jul 91 16:37:44 GMT-0500
From: farber@central.cis.upenn.edu (David J. Farber)
Posted-Date: Tue, 30 Jul 91 16:37:44 GMT-0500
Message-Id: <9107302137.AA00250@pcpond.cis.upenn.edu>
Cc: comp-academic-freedom-talk@eff.org
Let me tell you a story about schools and freedom.
At the High School my sons went to they had rules about
"disturbances" on the school bus. My son was accused of excessive
noise (which he denied). They suspended him from the bus for a week.
The process was:
Paraphrasing the rule of the school.
The accused student is given the opportunity to present their case to
the Vice Principal after which the student will be SUSPENDED.
Now talk about due process and freedom. The worse part is that NO ONE
saw anything wrong with this in the school district. The ACLU in Penn
sure did!!!
-------------------
Date: 30 Jul 91 18:15:18
From: escott@clippers.shearson.com (E. Scott Menter)
Message-Id:
References: <16989@life.ai.mit.edu>, <1991Jul19.181817.5287@murdoch.acc.Virginia.EDU>
Subject: Re: Administrator Access (Was Re: Ohio State)
> It would make you think before violating someone's property, though.
> Such mistakes should be acknowledged. If you lose good employees as a
> result of too much spying, there will be a chance that you'll get the
> boot, as well. Trying to cover up such mistakes is dishonesty and I don't
> care to work for or with dishonest people.
One observation I had on this is that most of the responses I've seen so far
with this approach have been from Universities. You should at least
acknowledge that things might be different in the commercial world (some
posters did just that, of course). Most of the responses were pretty well
thought out, though I did have a problem with this one. Let's see...
> It would make you think before violating someone's property, though.
Well, right or wrong, my firm considers anything on its computers to be its
property. And I share that view. If I felt otherwise, I would agree with
that.
> Trying to cover up such mistakes is dishonesty and I don't
> care to work for or with dishonest people.
I'll assume that wasn't meant as the insult it appeared to be, and comment on
the content instead. I understand and agree that casual observance of
somebody else's files (regardless of whose "property" they are) is not a good
thing. I further understand that as part of the job of my staff it may be
periodically necessary to examine somebody's files (this has happened only
very rarely, at least here). If you find nothing that violates the rules and
regulations of the firm (somebody objected to "naughty", so I expanded), then
you go on with life. I'm not sure what's "dishonest" about that.
Scott
--
E. Scott Menter, First Vice President
Manager, Information Resource Management Group
Lehman Brothers
escott@shearson.com
-------------------
Message-Id: <9107310026.AA02625@zerkalo.harvard.edu>
Subject: Re: Legislating searches
Date: Tue, 30 Jul 91 20:25:53 EDT
From: "Manavendra K. Thakur"
>>>>> On Tue, 30 Jul 1991 11:39 EDT, Sanjay Kapur said:
> How are you going to catch a supersuser who can browse files without
> any trace of such browsing? What proof of violation of policy would
> you have? How would you prosecute a superuser without proof?
If the sysadmin knows something that could have learned only by
perusing a user's file, then that constitutes prima facie evidence
that the sysadmin has conducted a search of the user's files. What
then remains to be determined is whether or not the sysadmin had
proper and prior approval from a higher authority to conduct such a
search.
If a sysadmin wishes to introduce evidence against a user in the
course of a disciplinary hearing, the sysadmin would be required to
demonstrate, if challenged, the legality of any evidence introduced
against the accused any disciplinary hearing - i.e. describe exactly
what the evidence is; describe how, where, and when the evidence was
gathered; and cite both the specific approval initially sought and the
specific approval ultimately granted to conduct the search.
If the sysadmin is unable or unwilling to document the legality of the
evidence, then the evidence cannot be introduced in the disciplinary
hearing and can play no role in the hearing. Furthermore, failure to
document the legality of evidence could then open the door for charges
of privacy violation to be filed against the sysadmin.
Such a system would create strong incentives for sysadmins and their
bosses to get a proper approval for a search from a higher authority
in advance. Not only would illegally obtained evidence be barred from
any disciplinary hearing, it would also make the sysadmin and their
bosses liable for (possibly) conducting an illegal search.
Finally, it is important to have a firm policy against sysadmin
snooping, because it does happen now and then that a user will see
bits and pieces of a private file on someone's terminal or possibly
even in a publicly-readable file owned by the sysadmin. Sysadmin make
mistakes too, despite the ability to cover their tracks, and it's
entirely possible that a user might catch the sysadmin in the act.
Indeed, at least one contributor to this newsgroup has claimed to do
just that. Other contributors have suspected that a sysadmin was
reading their private e-mail.
To handle cases such as these, i.e. cases in which the sysadmin or
some other party inadvertently reveals that unauthorized snooping has
taken place, a firm policy against such violations of privacy would be
necessary for affected users to prosecute their case.
These are but some of the ways in which an anti-snooping policy could
be enforced. Such schemes are obviously not perfect, but one should
not demand a perfect enforcement scheme before implementing such a
policy. Even with its weaknesses, an enforcement scheme such as this
one has the potential for significant benefit. At the very least,
this enforcement scheme would address the most egregious cases of
unauthorized sysadmin snooping, and that alone is a significant
improvement over the situation that prevails today.
Manavendra K. Thakur Internet: thakur@zerkalo.harvard.edu
Systems Programmer, High Energy Division BITNET: thakur@cfa.BITNET
Harvard-Smithsonian Center for DECNET: CFA::thakur
Astrophysics UUCP: ...!uunet!mit-eddie!thakur
-------------------
Message-Id:
Date: Tuesday, 30 July 1991 14:57 PT
From: micheal.morrow@amail.amdahl.com
Subject: Re: your LISTSERVE request "dele
I get the mailings but the LISTSERV cannot find my id. Please remove me from
this list.
Thanks,
Mike Morrow
---
-------------( Forwarded letter follows )-----------------------
---
Date: Tuesday, 30 July 1991 14:50 PT
From: eff.org!listmaster@juts
Subject: Re: your LISTSERVE request "delete comp-academic-freedom-talk"
Per your request
"delete comp-academic-freedom-talk"
'micheal.morrow@amail.amdahl.com' was NOT FOUND on the 'comp-academic-freedom-talk' mailing list.
From warnold@gnu.ai.mit.edu Wed Aug 7 09:43:37 1991
Reply-To: comp-academic-freedom-talk@eff.org
Precedence: bulk
To: comp-academic-freedom-talk@eff.org
Return-Path:
Date: Wed, 31 Jul 91 20:27:58 -0400
From: warnold@gnu.ai.mit.edu (Probably Billy, I hope..)
Subject: Computers and Academic Freedom mailing list (batch edition)
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Wed Jul 31 20:22:47 EDT 1991
In this issue:
kadie@eff.org (Car : student suspended for mailing passwords at U. of Georgia
kadie@m.cs.uiuc.ed : Stanford President Kennedy to resign
bdugan@teri.bio.uc : Legislating searches
kadie@eff.org (Car : Re: Authority of Public Universities
jpe@egr.duke.edu ( : Re: Authority of Public Universities
kadie@eff.org (Car : Re: Authority of Public Universities
otto@fsu1.cc.fsu.e : Re: Administrator Access (Was Re: Ohio State)
Sanjay Kapur
Subject: student suspended for mailing passwords at U. of Georgia
[Reposted from Effector Online 1.09 with permission of author - Carl]
STUDENT SUSPENDED FOR MAILING PASSWORDS
by Rita Rouvalis
The University of Georgia's (UGA) Student Judiciary has recently
sentenced a student to two quarters suspension for e-mailing Athena's
/etc/passwd file to an unauthorized user who wanted to break into the
system. Intense debate ensued when the following post was made to
eff.talk:
>The University will soon be issuing a news release about this incident.
>In the meantime, here is a summary:
>(1) A number of unauthorized users have been using various University
>of Georgia computers. Most of them have left much more of a trail than
>they realized and will be hearing from us.
>(2) The first person actually caught as part of this incident has now
>been sentenced to 2 quarters' suspension, plus a probated expulsion,
>by the Student Judiciary. This was a U.Ga. student whose name cannot
>be released due to confidentiality of educational records. What this
>student did was mail a copy of /etc/passwd from athena.cs.uga.edu to a
>"hacker" who had already penetrated another system, and who wanted to
>use a password-guessing program to break into athena. The student was
>fully aware that he was assisting in a break-in.
> -- Michael Covington, sysadmin UGA
Discussion was muddied considerably by confusion with other threads,
and opinions were posted without factual basis. If one looks at the
facts, one finds the student received surprisingly fair treatment from
the University of Georgia, whether or not one agrees with the actual
sentence.
Upon investigating an intrusion into one of the AI Lab's machines, the
sysadmin for the AI lab found that the intruder had saved, on disk, a
copy of Athena's /etc/passwd file with an email header indicating it
had come from the student in question's account on Athena. Assuming at
first that either the e-mail header was bogus, or that the student's
account had also been hacked, the Athena sysadmins deactivated the
account. Notice that this was a file saved under an unauthorized
username; no e-mail was ever intercepted.
Upon further investigation, the student admitted to being the
owner/sender of this e-mail message. He also apparently admitted to
being a member of an "elite group of hackers/phreakers," and knowing
that the /etc/passwd file would be used to try to crack Athena.
When the matter came before them, UGA officials felt the needs of the
student would be better served if he/she was brought before the
Student Judiciary instead of filing criminal charges. The only
punishments the Student Judiciary can hand out are expulsion,
suspension, and community service; all proceedings are kept
confidential as required by federal law.
According to UGA Student Judiciary policy, a student can choose either
an administrative hearing, or a student court hearing before three
specially trained students. In either case, the student is assisted by
a trained defender (also a student) and has the right to have other
people present for his defense. The hearing is supervised by UGA's
staff of Judicial Programs and follow the same rules of evidence and
procedure as a courtroom trial. If convicted, the student can appeal
to the Vice President and to the President (which this student has
done).
Despite protests from a few netters about the sentence the student
received, it is clear that the student court carefully considered the
intent and personality of the student when handing down the sentence
-- a consideration not taken in too many hacker cases. Officials felt
that two quarters suspension would effectively remove the student from
the influence of the hackers/phreakers and realign his priorities.
Community service involving computers was not chosen for the express
reason of not encouraging hacking to prove ability.
While some netters may disagree with the sentence handed down, they
should agree that this case was fairly and thoroughly handled by UGA
officials. Their measured deliberation of all the issues involved
should be used as an example in this era of hacker hysteria.
EFFector Online will keep you posted as the case progresses...
Portions of postings by Michael Covington, sysadmin of one of the UGA
machines involved, are reproduced by permission.
--
Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu
I do not represent EFF; this is just me.
-------------------
Date: 30 Jul 91 02:24:36 GMT
From: kadie@m.cs.uiuc.edu (Carl M. Kadie)
Message-ID: <1991Jul30.022436.20322@m.cs.uiuc.edu>
Subject: Stanford President Kennedy to resign
According to the UPI, Kennedy will resign effective August 1992.
Kennedy is best known on the net for supporting a ban on
rec.humor.funny and for firing Stuart Reges (a Stanford instructor who
spoke out against the Federal War on Drugs). Kennedy is apparently
quiting because of the Stanford's misuse of Federal research money.
Here are some Kennedy quotes from the article:
``At present we are talking too much about our problems and too little
about our opportunities.''
He plans to ``help make Stanford the university of academic and policy
studies'' in environmental concerns.
``to be quite frank about it, there is entirely too much speculation
about my future at Stanford. It is very difficult ... for a person
identified with a problem to be the spokesman for its solution.''
--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
-------------------
Date: 30 Jul 91 13:31:37 GMT
From: bdugan@teri.bio.uci.EDU (Bill Dugan)
Message-ID: <9107301331.AA11186@teri.bio.uci.edu>
Subject: Legislating searches
Re: The proposed legislation from Donald G. Ingraham, whose summary I propose
as "You-need-a-search-warrant-to-read-someone-else's-files" legislation.
I am not a lawyer and am quite unaware of any side-effects or undesireable
loopholes this legislation would cause, but on a first reading it looks
reasonable. It only seems to deal with law-enforcement agencies though,
and although this is not necessarily bad, I think it misses the interesting
point. (The fact that it is a basic, logical extension of 'normal' search
laws and does not try to get creative is probably a good thing.)
What I think is interesting is the balance that will have to be created
between the freedom to hack around on a system and the freedom to privacy.
What about Joe Student who hacks around on his local unix box and happens
to read someone else's files, just to see what they are? I've done it;
probably 75% of readers here have done it. At some point in the future,
someone on a business account on a unix box will snoop in some other
business's files, and they will find out and squawk about illegal searches,
possibly invoking wiretap laws or some such nonsense.
Pardon the fact that this is my first attempt to consolidate my thought on
this matter, but I would have to say that in an academic environment, where
presumably, exploration and experimentation are encouraged, one should have
the freedom to hack around in someone else's directories *unless* that person
has used chmod to attempt to take away read-privileges for everyone else.
I think that in a university environment, you should assume that anything
you put up on your account is pretty much "public-domain" as far as searching
goes. If you attempt to protect it, though, it should be off-limits for
everybody, including superuser accounts. Of course, it isn't appropriate
for the superuser to be reading everybody's files just because he has the
access.
This brings up a couple of problems I can see right off the bat. Firstly,
novice users won't know how to use chmod. Simple; when the university gives
out accounts, it explains the policy in a brochure, and explains how to use
chmod to protect your files. Problem solved. Secondly, though, it would
seem to require a lot of clarifying policies emphasizing that yes, Joe
Student has more rights than Joe Policeman. A student snooping around the
files is OK; an authority snooping around the files to try to kill hackers
is not OK. Interesting. Enforcement is obviously almost impossible.
Bill Dugan
bdugan@teri.bio.uci.edu
-------------------
Date: 31 Jul 91 14:49:39 GMT
From: kadie@eff.org (Carl M. Kadie)
Message-ID: <1991Jul31.144939.23532@eff.org>
References: <1991Jul30.202126.7529@eff.org>
Subject: Re: Authority of Public Universities
I wrote:
[...]
>The books says that the University is no longer considered "In
>Loco Parentis". The relationship is now contractual. Thus, a
>student at a public university has contractual and constitutional
>rights.
[...]
I have been asked "Can you give some details of the contractual rights
(of the student) and obligations (of the University)?"
Here is what A Practical Guide to Legal Issues Affecting College
Teachers says:
"Today, courts recognize that when a student pays tuition for a
college education, a legal contract comes into being. The student has
contracted for an education as advertised by the institution in its
catalog and by its representatives. Some like to think of the student
as a consumer of education, and an institution as a supplier of a
product called education. The consumers is entitled to receive what
was paid for. The old days of in loco parentis have been replaced by
the law of contracts and the concepts of consumerism. This contractual
relationship implies a property interest which also triggers
constitutional guarantees at public institutions."
...
"Teacher As Agent of Institution
When a teacher is acting within the scope of his or her employment, a
teacher generally is viewed as the agent of the institution. A
teacher's acts, then, are considered to be the acts of the
institution. Thus, a teacher's acts can form the basis for liability
of the institution. For example, if a teach of history refuses to
follow the syllabus for a history course and insists on teaching more
writing skills than history in the course, a dissatisfied student may
sue the institution as well as the teach for breach of contract of
enrollment."
"Sources of Legal Rights and Responsibilities at Public and Private Colleges
[... Constitutions ... Statutes ... Contracts ...]
Policies of Governing Boards
Policies of a board of trustees or board of regents usually set forth
the mission of the college, student admission and graduation policies,
and personnel policies. The policies become implicit and often
explicit terms of the teacher's contract or the student's enrollment
contract.
Handbooks
Student, faculty, staff and other handbooks contains the more detailed rules
and regulations that implement the basic policies set by the governing
board. These rules and regulations also become part of the contracts relating
to teachers and students.
[... Professional Standards ... Custom and Traditions ... Duty and
Reasonable Care Under the Circumstances ...]"
...
"Institutional Liability
[...]
Institutions may be solely liable where there is a breach of the
student contract of enrollment, as where courses advertised in the
catalog are not offered, or where students are suspended or expelled
for misconduct without proper due process."
...
--
Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu
I do not represent EFF; this is just me.
-------------------
Date: 31 Jul 91 14:28:34 GMT
From: jpe@egr.duke.edu (John P. Eisenmenger)
Message-ID: <1489@cameron.egr.duke.edu>
References: <1991Jul30.202126.7529@eff.org>
Subject: Re: Authority of Public Universities
> =Freedom of Expression=
>
> Students have a First Amendment right to free expression.
I know you spent a while searching out these quotes, and I'm sure we all
appreciate the effort, but the issue is not whether a student should be
allowed his/her Constitutional rights. The question (at least for me) is
whether a student should be able to use, without permission, university
resources to voice his/her (sometimes unpopular) opinions (or perform
any function not related to the purpose for their account).
My machines are there to support the educational process. A student saving
megabytes of data, or using 90% of available CPU time for some cause s/he
supports could interfere with the other students getting their homework
assignments done. Our priorities have to lie with the students trying to
do their classwork.
> "Student newspapers at public institutions generally cannot be
> censored prior to publication.
One example you have is the student newspaper. A perfect example for both
of us in that the student newspaper is run with the permission of the
university, and more than likely obtains funding from it. If instead the
paper editors embezzled resources from the university to run the paper, I'd
expect the university to do everything in its power to "stop the press."
> =Freedom Against Unreasonable Searches and Seizures=
>
> "Teachers and administrators at public institutions generally are
> considered to be public officials, so, in most instances, they should
> search only with a warrant. Under emergency conditions, a search
> without a warrant possibly would be permitted."
I agree whole-heartedly. I would never scan a user's files unless something
came to light against him/her. However if I find evidence in a public place
(/tmp, /usr/tmp, via ps, etc.) or if I receive complaints from other users,
I will consider that as due cause and take a quick look. It would probably
be a good idea for me to obtain a warrant from the department chairman and
serve that warrant.
> =Due Process=
>
> "The Fourteenth Amendment requires due process before a governmental
> entity, such as a public institution, may deprive one of life,
> liberty, or property.
I also agree with this. This is why colleges have Honor Codes and a court
where claimed violations can be contested. Whether on paper or on computer
the Honor Code is applicable. A good follow-up question is how many students
know their Honor Code and what may constitute a violation?
> =Rules=
>
> "[T]he degree of specificity required [in codes of conduct] is that
> which would allow a student to adequately prepare a defense against the
> charge. Teachers should make plain the prohibited conduct, the
> procedure for determining whether a student engaged in such conduct,
> and what the penalty is."
I also agree with this. Without concrete guidelines you'd be making the
rules up as you went along. It is easier and fairer to have a guide where
you can approach someone and say "I think you're in violation of this rule."
***
*** Personal notes (my users will like this):
***
I am an administrator for 30+ machines and it is not in my interest to become
a full-time policeman of my machines or my network. I do monitor this group,
but usually keep my opinions to myself (avoiding the flame storm :-). Before
I get labelled as a computer dictator, I'd like to say that I try to be as
fair as possible (incidents at my site are very, very low), and that I'm open
to reasonable suggestions. I would prefer that suggestions be posted to this
group instead of being mailed to me.
It would be nice if this group could turn its discussion towards the creation
of a template for a thorough and fair computing policy. Any possibility of
this happening people? I'd be willing to throw out topics for comments,
editing, etc., but only if the discussion could be constructive and not
degenerate into a flame slugfest.
-John P. Eisenmenger
Systems' Administrator
Dept. of Electrical Engineering
Duke University
-------------------
Date: 31 Jul 91 16:57:03 GMT
From: kadie@eff.org (Carl M. Kadie)
Message-ID: <1991Jul31.165703.25469@eff.org>
References: <1991Jul30.202126.7529@eff.org> <1489@cameron.egr.duke.edu>
Subject: Re: Authority of Public Universities
jpe@egr.duke.edu (John P. Eisenmenger) writes:
[...]
>It would be nice if this group could turn its discussion towards the creation
>of a template for a thorough and fair computing policy. Any possibility of
>this happening people? I'd be willing to throw out topics for comments,
>editing, etc., but only if the discussion could be constructive and not
>degenerate into a flame slugfest.
I think this is a great idea. It might be best, however, to wait
until September when more people are on campus.
- Carl
--
Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu
I do not represent EFF; this is just me.
-------------------
Date: 31 Jul 91 19:35:42 GMT
From: otto@fsu1.cc.fsu.edu (John Otto)
Message-ID: <1991Jul31.195743.17866@mailer.cc.fsu.edu>
References: <16989@life.ai.mit.edu> <1991Jul19.181817.5287@murdoch.acc.Virginia.EDU>
Subject: Re: Administrator Access (Was Re: Ohio State)
In article , escott@clippers.shearson.com (E. Scott Menter) writes...
>From John G. Otto:
>> It would make you think before violating someone's property, though.
>> Such mistakes should be acknowledged. If you lose good employees as a
>> result of too much spying, there will be a chance that you'll get the
>> boot, as well. Trying to cover up such mistakes is dishonesty and I don't
>> care to work for or with dishonest people.
>One observation I had on this is that most of the responses I've seen so far
>with this approach have been from Universities. You should at least
>acknowledge that things might be different in the commercial world (some
>posters did just that, of course). Most of the responses were pretty well
>thought out, though I did have a problem with this one. Let's see...
Appearances can be deceptive. Though I am now at the Florida State
University, I have worked for a number of years in the free sector,
and hopefully will once again.
>> It would make you think before violating someone's property, though.
>Well, right or wrong, my firm considers anything on its computers to be its
>property. And I share that view. If I felt otherwise, I would agree with
>that.
I recognize corporate ownership of the hardware and software they purchase,
but as a professional, I consider the work I do to be a service. As a
result, any file I create is mine; I simply license its use.
>> Trying to cover up such mistakes is dishonesty and I don't
>> care to work for or with dishonest people.
>I'll assume that wasn't meant as the insult it appeared to be, and comment on
>the content instead. I understand and agree that casual observance of
>somebody else's files (regardless of whose "property" they are) is not a good
>thing. I further understand that as part of the job of my staff it may be
>periodically necessary to examine somebody's files (this has happened only
>very rarely, at least here). If you find nothing that violates the rules and
>regulations of the firm (somebody objected to "naughty", so I expanded), then
>you go on with life. I'm not sure what's "dishonest" about that.
No insult was or is intended. I'm just telling it the way it is.
What's dishonest is putting forth the appearance that the privacy of
the people who are using the system(s) is being respected, when it
is not. If you look at the contents of files people have created,
it should be only after having established, to the satisfaction of at
least one third party, that in this particular circumstance, at this
particular time, you have reasonable cause to do so. If you go on
fishing expeditions, or if you look at a file someone has created on
without having to jump through the hoop of establishing before-hand
that there are valid reasons for you to suspect "violation of the rules"
then you are (or I would be, if I did it) demonstrating a cavalier
disregard of the individual's privacy rights.
What is really annoying is how easy it is for people to rationalize
themselves excuses to trample all over their fellows. One of the
big differences between so-called blue-collar and white-collar
criminals pointed out a few evenings ago on a tube program is the
extent to which white-collar criminals extrapolate and worm around
to justify to themselves e.g. robbery, in cases where the blue-collar
criminal uses more open and honest direct use of force just because he
wants whatever it is. Now, violation of privacy is not usually as
severe a form of theft as taking a book or a wallet off of someone's
desk, but it is still not a nice thing to do.
I grant that operating systems, even variants of Unix, differ widely,
but I have yet to see a case which required snooping into file contents
without establishing probable cause, in order to sustain ordinary system
operations. In cases where I have had to do so, it has been with the
owner/creator of the file standing beside me. Unauthorized users have
tended to expose themselves, with account owners occasionally requesting
a trace, themselves.
If a company or a university has an established practice (set of rules
and procedures) of violating the privacy of employees and/or customers,
it is dishonest for the people associated with that company or university
to neglect to disclose that fact before hiring, before doing any business
with outside parties and before matriculation.
-------------------
Date: Wed, 31 Jul 1991 19:39 EDT
From: Sanjay Kapur
Message-Id:
Subject: Re: Administrator Access (Was Re: Ohio State)
>From: otto@fsu1.cc.fsu.edu (John Otto)
>What's dishonest is putting forth the appearance that the privacy of
>the people who are using the system(s) is being respected, when it
>is not. If you look at the contents of files people have created,
>it should be only after having established, to the satisfaction of at
>least one third party, that in this particular circumstance, at this
>particular time, you have reasonable cause to do so. If you go on
>fishing expeditions, or if you look at a file someone has created on
>without having to jump through the hoop of establishing before-hand
>that there are valid reasons for you to suspect "violation of the rules"
>then you are (or I would be, if I did it) demonstrating a cavalier
>disregard of the individual's privacy rights.
I agree.
>
>What is really annoying is how easy it is for people to rationalize
>themselves excuses to trample all over their fellows. One of the
>big differences between so-called blue-collar and white-collar
>criminals pointed out a few evenings ago on a tube program is the
>extent to which white-collar criminals extrapolate and worm around
>to justify to themselves e.g. robbery, in cases where the blue-collar
>criminal uses more open and honest direct use of force just because he
>wants whatever it is. Now, violation of privacy is not usually as
>severe a form of theft as taking a book or a wallet off of someone's
>desk, but it is still not a nice thing to do.
>
I agree. Unfortunately, not everyone is nice. Being nice is in very few job
descriptions.
>I grant that operating systems, even variants of Unix, differ widely,
>but I have yet to see a case which required snooping into file contents
>without establishing probable cause, in order to sustain ordinary system
>operations.
I totally disagree. I grant you that such cases are rare, but emergencies do
arise. You have been lucky in that you have avoided them.
> In cases where I have had to do so, it has been with the
>owner/creator of the file standing beside me.
You have been extremely lucky (till now).
> Unauthorized users have
>tended to expose themselves, with account owners occasionally requesting
>a trace, themselves.
>
Again you are lucky.
>If a company or a university has an established practice (set of rules
>and procedures) of violating the privacy of employees and/or customers,
>it is dishonest for the people associated with that company or university
>to neglect to disclose that fact before hiring, before doing any business
>with outside parties and before matriculation.
But then some people insist that you can not sign your rights away. :-)
Unless explicitly told otherwise, I always assume that I do not have any
privacy. That way I will not expect what I do not have. Maybe I am more
of a cynic than you are, but I just do not expect people to be honest and
upfront about these things.
I keep all my personal information on my PC. I do not do so on my PC at work
but the PC I own that I keep in my house.
Let me be more explicit: ANYONE WHO EXPECTS PRIVACY BY DEFAULT
IS LIVING IN A FOOL'S PARADISE.
Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu
Systems Staff, Computing Services, |Bitnet: SKAPUR@USB
State University of New York, |SPAN/HEPnet: 44132::SKAPUR
Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046
-------------------
Date: 31 Jul 91 23:06:37 GMT
From: otto@fsu1.cc.fsu.edu (John Otto)
Message-Id: <1991Jul31.203038.19553@mailer.cc.fsu.edu>
Subject: Re: Authority of Public Universities
In article <1489@cameron.egr.duke.edu>, jpe@egr.duke.edu (John P. Eisenmenger) writes...
>From article <1991Jul30.202126.7529@eff.org>, by kadie@eff.org (Carl M. Kadie):
>> =Due Process=
>> "The Fourteenth Amendment requires due process before a governmental
>> entity, such as a public institution, may deprive one of life,
>> liberty, or property.
>I also agree with this. This is why colleges have Honor Codes and a court
>where claimed violations can be contested. Whether on paper or on computer
>the Honor Code is applicable. A good follow-up question is how many students
>know their Honor Code and what may constitute a violation?
Great! But a question needs to be answered: How many current students are
involved in formulating the code, the rules of procedure, etc.? I ask this
to point out that contracts, such as that between a student and a
university or between an employer and employee must be arrived at and
agreed upon by all parties.
>> =Rules=
>> "[T]he degree of specificity required [in codes of conduct] is that
>> which would allow a student to adequately prepare a defense against the
>> charge. Teachers should make plain the prohibited conduct, the
>> procedure for determining whether a student engaged in such conduct,
>> and what the penalty is."
>I also agree with this. Without concrete guidelines you'd be making the
>rules up as you went along. It is easier and fairer to have a guide where
>you can approach someone and say "I think you're in violation of this rule."
Right, again. As long as the guide is reached by some sort of consensus
rather than imposition, and subject to initiative and referendum.
>but usually keep my opinions to myself (avoiding the flame storm :-). Before
>I get labelled as a computer dictator, I'd like to say that I try to be as
>fair as possible (incidents at my site are very, very low), and that I'm open
>to reasonable suggestions. I would prefer that suggestions be posted to this
>group instead of being mailed to me.
>It would be nice if this group could turn its discussion towards the creation
>of a template for a thorough and fair computing policy. Any possibility of
>this happening people? I'd be willing to throw out topics for comments,
>editing, etc., but only if the discussion could be constructive and not
>degenerate into a flame slugfest.
I don't see disagreements and argument as a waste. It helps us discover
the exact points of disagreement - the cusp where people branch apart on
issues. With that in mind, consensus building must be the first step
toward developing any policy or rules. Without working down to the
minor picayune detail that is the source of the disagreement, you can
be madly flaming back and forth forever. Unfortunately, that process
takes time and work and patience with frustration, so everyone wants
to jump in and impose his own package of rules on everyone else (with
exceptions for themselves, because they can't do their jobs, otherwise).
John G. Otto jgo@fsu.bitnet jgo@rai.cc.fsu.edu
From helen@gnu.ai.mit.edu Wed Aug 7 09:43:38 1991
Reply-To: comp-academic-freedom-talk@eff.org
Precedence: bulk
To: comp-academic-freedom-talk@eff.org
Return-Path:
From: helen@gnu.ai.mit.edu (Helen O'Boyle)
Subject: Computers and Academic Freedom mailing list (batch edition)
Date: Thu, 1 Aug 91 20:26:45 WET DST
X-Mailer: ELM [version 2.3 PL0]
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Thu Aug 1 20:25:17 EDT 1991
In this issue:
jb3o+@andrew.cmu.e : Re: Authority of Public Universities
Sanjay Kapur
References: <1991Jul30.202126.7529@eff.org>
Subject: Re: Authority of Public Universities
jpe@egr.duke.edu (John P. Eisenmenger) writes:
> It would be nice if this group could turn its discussion towards the creation
> of a template for a thorough and fair computing policy. Any possibility of
> this happening people? I'd be willing to throw out topics for comments,
> editing, etc., but only if the discussion could be constructive and not
> degenerate into a flame slugfest.
Who thinks that they have a fair guideline? I think that if we
start from some sort of middle-of-the-road position, we'll get a lot
further and fewer flames.
I'm volunteering to keep the "policy template" up to date -
which policy should we start with (I'm assuming that the University of
Georgia's would NOT be a good middle-of-the-road policy <= isn't that
the shcool which just cut Internet access for the whole school?).
-=> iain <=-
Comp. Sys. Admin
Dept. of Statistics
Carnegie Mellon
----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries; | "Words are drugs." |
| he knows how to turn serious accidents | -Antero Alli |
| to his own advantage; whatever does not | |
| kill him makes him stronger." | "Culture is for bacteria." |
| - Friedrich Nietzsche | - Christopher Hyatt |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
-------------------
Date: Thu, 1 Aug 1991 09:03 EDT
From: Sanjay Kapur
Message-Id: <670E43258EA0F95E@ccmail.sunysb.edu>
Subject: Re: Authority of Public Universities
>From: otto@fsu1.cc.fsu.edu (John Otto)
>
>Great! But a question needs to be answered: How many current students are
>involved in formulating the code, the rules of procedure, etc.? I ask this
>to point out that contracts, such as that between a student and a
>university or between an employer and employee must be arrived at and
>agreed upon by all parties.
How many current citizens are involved in formulating (not amending) the US
constitution, US law and US regulations? Social contracts between the
governed and the government must be arrived at and agreed upon by all parties.
>Right, again. As long as the guide is reached by some sort of consensus
>rather than imposition, and subject to initiative and referendum.
How many US laws and regulations can be changed by initiative and refrendum?
>I don't see disagreements and argument as a waste. It helps us discover
>the exact points of disagreement - the cusp where people branch apart on
>issues. With that in mind, consensus building must be the first step
>toward developing any policy or rules. Without working down to the
>minor picayune detail that is the source of the disagreement, you can
>be madly flaming back and forth forever. Unfortunately, that process
>takes time and work and patience with frustration, so everyone wants
>to jump in and impose his own package of rules on everyone else (with
>exceptions for themselves, because they can't do their jobs, otherwise).
I Agree that debate is essential to the development of policies and law.
Universities are not monopolies. Hopefully through competition, more students
will be attracted to universities with better (not always liberal) policies.
Universities with bad policies will have no students left and will be forced
to shut down.
Note: A restrictive policy or a non-privacy policy does not automatically
imply that the policy is bad or will be perceived by students or faculty as a
bad policy, especially if security and availability is enhanced. A student
will not be attracted to a University where hackers can get into everyone's
account and shut down the system at will because the staff are hamstrung by
policies that prohibits them from taking action.
>
>John G. Otto jgo@fsu.bitnet jgo@rai.cc.fsu.edu
Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu
Systems Staff, Computing Services, |Bitnet: SKAPUR@USB
State University of New York, |SPAN/HEPnet: 44132::SKAPUR
Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046
-------------------
Date: Thu, 1 Aug 1991 14:42:28 GMT
From: dysart@magnus.acs.ohio-state.edu (Mitchell D Dysart)
Message-Id: <1991Aug1.144228.13376@magnus.acs.ohio-state.edu>
References: <1991Jul19.181817.5287@murdoch.acc.Virginia.EDU>, , <1991Jul31.195743.17866@mailer.cc.fsu.edu>
Subject: Re: Administrator Access (Was Re: Ohio State)
In article <1991Jul31.195743.17866@mailer.cc.fsu.edu> otto@fsu1.cc.fsu.edu writes:
>
>I recognize corporate ownership of the hardware and software they purchase,
>but as a professional, I consider the work I do to be a service. As a
>result, any file I create is mine; I simply license its use.
>
I believe your consideration to be IN ERROR. Under the work for hire
concepts of the law, anything you produce for your employer as a paid
employee is the property of the employer. Now, other activity that is
not related to your job that you do on your employer's computer would
not be the property of the employer, but then, unless your employer
specifically authorized you to use the copmuter for personal use, you
would be guilty of theft of service if you used your employer's computer
for non-work related activities without approval.
The same argument would not hold for a student, because a contractual
relationship exists between the student and the school. Unless the
student was also employed by the University, and the student's computer
account was provided in connection with his employment rather than his
studies (such as with a work-study or graduate research appointment).
Of course, such student could have two separate accounts, one for educational
purposes and another for employment purposes (although these tend to get
blurred wrt graduate/professional education).
--
Mitch Dysart
dysart@magnus.acs.ohio-state.edu
-------------------
Date: 1 Aug 91 17:39:50 GMT
From: russotto@eng.umd.edu (Matthew T. Russotto)
Message-Id: <1991Aug01.173950.14765@eng.umd.edu>
References: <670E43258EA0F95E@ccmail.sunysb.edu>
Subject: Re: Authority of Public Universities
In article <670E43258EA0F95E@ccmail.sunysb.edu> Sanjay Kapur writes:
>>From: otto@fsu1.cc.fsu.edu (John Otto)
>>
>>Great! But a question needs to be answered: How many current students are
>>involved in formulating the code, the rules of procedure, etc.? I ask this
>>to point out that contracts, such as that between a student and a
>>university or between an employer and employee must be arrived at and
>>agreed upon by all parties.
>
>How many current citizens are involved in formulating (not amending) the US
>constitution, US law and US regulations? Social contracts between the
>governed and the government must be arrived at and agreed upon by all parties.
One of the reasons that violating such a "social contract" is not wrong in
itself. (but this belongs in talk.politics.theory). Regular contracts
are not the same animal.
>>Right, again. As long as the guide is reached by some sort of consensus
>>rather than imposition, and subject to initiative and referendum.
>
>How many US laws and regulations can be changed by initiative and refrendum?
How many university administrators are elected by the students?
How many corporate policymakers are elected by the employees?
How can you even put forth such a nonsense analogy?
>Note: A restrictive policy or a non-privacy policy does not automatically
>imply that the policy is bad or will be perceived by students or faculty as a
>bad policy, especially if security and availability is enhanced. A student
>will not be attracted to a University where hackers can get into everyone's
>account and shut down the system at will because the staff are hamstrung by
>policies that prohibits them from taking action.
I'm here at a University where the computer science center (NOT where I am
posting from) is hamstrung by no policy. They feel free to take any unilateral
action, from account suspension, to threats of blacklisting, to physical force,
and to death threats. Yet, I know for a fact that hackers can get into
everyone's account and shut down the system at will.
(In case you missed it, I AM NOT REFERRING TO ANY ADMINISTRATORS OUTSIDE THE
UMCP COMPUTER SCIENCE CENTER.. This ESPECIALLY excludes everyone in the
.eng.umd.edu domain)
Facism does not make for security. Competent administration may, but
incompetent administration often substitutes facism for security, to the
detriment of ALL users.
--
Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
Just say NO to police searches and seizures. Make them use force.
(not responsible for bodily harm resulting from following above advice)
-------------------
Date: 1 Aug 91 20:15:16 GMT
From: otto@fsu1.cc.fsu.edu (John Otto)
Message-Id: <1991Aug1.195244.13660@mailer.cc.fsu.edu>
References: <1991Jul19.181817.5287@murdoch.acc.Virginia.EDU>, , <1991Aug1.144228.13376@magnus.acs.ohio-state.edu>
Subject: Re: Administrator Access (Was Re: Ohio State)
In article <1991Aug1.144228.13376@magnus.acs.ohio-state.edu>, dysart@magnus.acs.ohio-state.edu (Mitchell D Dysart) writes...
>In article <1991Jul31.195743.17866@mailer.cc.fsu.edu> otto@fsu1.cc.fsu.edu writes:
>>I recognize corporate ownership of the hardware and software they purchase,
>>but as a professional, I consider the work I do to be a service. As a
>>result, any file I create is mine; I simply license its use.
>I believe your consideration to be IN ERROR. Under the work for hire
>concepts of the law, anything you produce for your employer as a paid
>employee is the property of the employer. Now, other activity that is
..
It sounds like, in an employee/employer relationship there must be a
mutual understanding of the conditions of the contractual relationship.
Just as many personal relationships have problems due to the conflicting
assumptions made by the two parties, so, it seems, such differences can
arise in the work place. The solution to both is to attempt to make
the agreement both objective and as explicit as is practicable before
the conflict becomes a problem. I would expect that the agreement
would best be reached by a process of negotiation as a part of the
contracting and/or hiring process.
John G. Otto jgo@fsu.bitnet jgo@rai.cc.fsu.edu
-------------------
Date: Thu, 1 Aug 1991 17:01 EDT
From: Sanjay Kapur
Message-Id:
Subject: Re: Authority of Public Universities
>
>How many university administrators are elected by the students?
>How many corporate policymakers are elected by the employees?
>How can you even put forth such a nonsense analogy?
>
>Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
Exactly my point. Changing policy by initiative and refrendrum
does not work when bigger issues are involved. How do you assume that
inititative and refrendrum will (be allowed to) work in a University?
The concept is absurd.
Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu
Systems Staff, Computing Services, |Bitnet: SKAPUR@USB
State University of New York, |SPAN/HEPnet: 44132::SKAPUR
Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046
-------------------
Date: 1 Aug 91 13:10:17 GMT
From: jpe@egr.duke.edu (John P. Eisenmenger)
Message-Id: <1491@cameron.egr.duke.edu>
References:
Subject: Re: Authority of Public Universities
>
> jpe@egr.duke.edu (John P. Eisenmenger) writes:
>> It would be nice if this group could turn its discussion towards the creation
>> of a template for a thorough and fair computing policy. Any possibility of
>> this happening people? I'd be willing to throw out topics for comments,
>> editing, etc., but only if the discussion could be constructive and not
>> degenerate into a flame slugfest.
>
>
> Who thinks that they have a fair guideline? I think that if we
> start from some sort of middle-of-the-road position, we'll get a lot
> further and fewer flames.
>
> I'm volunteering to keep the "policy template" up to date -
> which policy should we start with (I'm assuming that the University of
> Georgia's would NOT be a good middle-of-the-road policy <= isn't that
> the shcool which just cut Internet access for the whole school?).
Hmm. Mine is meant to be fair, but it reads very harshly in some sections.
I think we should probably start out discussing what exactly should be in
a computing policy guide. After we decide on the outline (if we ever do),
we can attack the outline topics one-by-one. I jotted down some ideas
earlier (although numbered they aren't in any real order):
1. An explanation of why the policy guide exists.
2. Who is allowed to have an account.
3. The rights, responsibilities, and authority of users.
4. The rights, responsibilities, and authority of administrators.
5. How cases of policy violations are dealt with.
6. Specific policies, possibly with examples, minimum and maximum
punishments, etc.
My policy guide scans over 1 quickly and then delves directly into 6
("you shall not ..", "you shall not ..", "you shall not ..", etc.). I
expect most do the same (I know I modelled mine closely after one I
grabbed from an archive site). If someone out there does have a good
starting point it'd be a departure from the norm...
-John
From warnold@eff.org Wed Aug 7 09:43:39 1991
Reply-To: comp-academic-freedom-talk@eff.org
Precedence: bulk
To: comp-academic-freedom-talk@eff.org
Return-Path:
Date: Fri, 2 Aug 91 16:37:12 -0400
From: warnold@eff.org (William W. Arnold)
Subject: Computers and Academic Freedom mailing list (batch edition)
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Fri Aug 2 16:33:07 EDT 1991
In this issue:
composer@chem.bu.E : Computing policy template (was Re: Authority of Public Un
edguer@alpha.ces.c : Re: Authority of Public Universities
amanda@visix.com ( : Re: Authority of Public Universities
phillips@syrinx.um : Re: Authority of Public Universities
The addresses for the list are now:
comp-academic-freedom-talk@eff.org - for contributions to the list
or caf-talk@eff.org
listserv@eff.org - for automated additions/deletions
(send email with the line "help" for details.)
caf-talk-request@eff.org - for administrivia
Your fill-in list-admins can now be reached as
helen@eff.org and warnold@eff.org
-------------------
Date: 1 Aug 91 19:24:06 GMT
From: composer@chem.bu.EDU (Jeff Kellem)
Message-ID: <9108020324.AA17837@buchmg.bu.edu>
References: <1489@cameron.egr.duke.edu>
Subject: Computing policy template (was Re: Authority of Public Universities)
John P. Eisenmenger writes:
> It would be nice if this group could turn its discussion towards the
> creation of a template for a thorough and fair computing policy. Any
> possibility of this happening people? I'd be willing to throw out
> topics for comments, editing, etc., but only if the discussion could
> be constructive and not degenerate into a flame slugfest.
The upcoming National Conference on Computing and Values '91 (NCCV) will
have, as one of it's [6] tracks, a working group discussing "campus
computing policies". The outcome of these discussions will be presented
during and at the end of the conference; they will also be included in
the proceedings. FYI, the NCCV '91 is being held 12-16 August 1991 in
New Haven, CT.
If someone on this list will be participating in that particular track,
I'm sure it would be appreciated if a summary of the discussion/outcome
was sent to the list. I will also be attending the conference, but
participating in one of the other tracks. If no one else attending
posts a summary, I will try to write one up. But, someone participating
in that track would be able to provide a more detailed view.
Cheers...
-jeff
Jeff Kellem
Internet: composer@chem.bu.edu
-------------------
Date: 2 Aug 91 15:14:04 GMT
From: edguer@alpha.ces.cwru.EDU (Aydin Edguer)
Message-ID: <9108021514.AA12751@charlie.CES.CWRU.Edu>
References: <1491@cameron.egr.duke.edu>
Subject: Re: Authority of Public Universities
> Hmm. Mine is meant to be fair, but it reads very harshly in some sections.
> I think we should probably start out discussing what exactly should be in
> a computing policy guide. After we decide on the outline (if we ever do),
> we can attack the outline topics one-by-one. I jotted down some ideas
> earlier (although numbered they aren't in any real order):
>
> 1. An explanation of why the policy guide exists.
> 2. Who is allowed to have an account.
> 3. The rights, responsibilities, and authority of users.
> 4. The rights, responsibilities, and authority of administrators.
> 5. How cases of policy violations are dealt with.
> 6. Specific policies, possibly with examples, minimum and maximum
> punishments, etc.
I would suggest that a good starting point would be the policy issues listed
in RFC 1244 "Site Security Handbook":
- There are a number of issues that must be addressed when developing a
- security policy. These are:
-
- 1. Who is allowed to use the resources?
- 2. What is the proper use of the resources?
- 3. Who is authorized to grant access and approve usage?
- 4. Who may have system administration privileges?
- 5. What are the user's rights and responsibilities?
- 6. What are the rights and responsibilities of the
- system administrator vs. those of the user?
- 7. What do you do with sensitive information?
They are quite similar to those you have listed (great minds think alike?).
RFC 1244 is a very good document that gives many references to books and papers
on security, ethics, and the legal system. It does not try to answer
questions so much as give people some of the questions they must ask
themselves and some of the resources they can consult to answer them.
I think this is all that comp-academic-freedom can and should really do.
All these discussions of exactly what a policy should say are pointless.
They are nice as examples to work from, and perhaps having a pro- and con-
critique of each policy would be nice but trying to come up with a universal
policy is ineffective.
Each institution needs to decide for itself what its policy should be,
and once decided, it should try to uphold its policy in a fair and impartial
manner.
Aydin Edguer
-------------------
Date: Fri, 2 Aug 91 02:23:36 GMT
From: amanda@visix.com (Amanda Walker)
Message-ID: <1991Aug2.022336.19910@visix.com>
References: <670E43258EA0F95E@ccmail.sunysb.edu>
<1991Aug01.173950.14765@eng.umd.edu>
Subject: Re: Authority of Public Universities
russotto@eng.umd.edu (Matthew T. Russotto) writes:
They feel free to take any unilateral action, from account suspension,
to threats of blacklisting, to physical force, and to death threats.
Physical force? Death threats? This goes beyond "policy"--these fall
under the criminal code. If this has actually happened (and isn't just
hyperbole), you need a lawyer.
--
Amanda Walker amanda@visix.com
Visix Software Inc. ...!uunet!visix!amanda
--
"A free society is one where it is safe to be unpopular." --Adlai Stevenson
-------------------
Date: 2 Aug 91 18:06:56 GMT
From: phillips@syrinx.umd.edu (Felan shena Thoron'edras)
Message-ID: <9223@umd5.umd.edu>
References: <1491@cameron.egr.duke.edu>
Subject: Re: Authority of Public Universities
In article <1491@cameron.egr.duke.edu> jpe@egr.duke.edu (John P. Eisenmenger) writes:
> 1. An explanation of why the policy guide exists.
> 2. Who is allowed to have an account.
> 3. The rights, responsibilities, and authority of users.
> 4. The rights, responsibilities, and authority of administrators.
> 5. How cases of policy violations are dealt with.
> 6. Specific policies, possibly with examples, minimum and maximum
> punishments, etc.
Suggestion for a 7, or for a subset of 6:
7. The reasoning behind each policy described in 6, that is, answering
'why' the policy exists.
This is distinct from 1, as far as I can tell, because 1 describes the
policy guide itself ("This is so you know what rules we have and what
happens when you break those rules" is how I interpret 1, with perhaps
a bit more detail), and my 7 explains each rule. I've found that
explaining WHY helps a lot in getting users to agree willingly to the
rules (as opposed to trying to find a way around the rules out of spite,
for instance).
Leanne Phillips
"Do not meddle with the affairs of wizards, for they are subtle and quick
to anger."
Words to live by: "Violence is the refuge of the incompetent."
(Yes, I know it isn't right; it's deliberate.)
From helen@eff.org Wed Aug 7 09:43:39 1991
Reply-To: comp-academic-freedom-talk@eff.org
Precedence: bulk
To: comp-academic-freedom-talk@eff.org
Return-Path:
From: helen@eff.org (Helen C. O'Boyle)
Subject: Computers and Academic Freedom mailing list (batch edition)
Date: Sat, 3 Aug 91 19:18:49 EDT
Status: RO
Computers and Academic Freedom mailing list (batch edition)
Sat Aug 3 19:15:43 EDT 1991
In this issue:
otto@fsu1.cc.fsu.e : Re: Authority of Public Universities
FFDMG%ALASKA.BITNE : Intellectual Property
FFDMG%ALASKA.BITNE : University Marketplace
The addresses for the list are now:
comp-academic-freedom-talk@eff.org - for contributions to the list
or caf-talk@eff.org
listserv@eff.org - for automated additions/deletions
(send email with the line "help" for details.)
caf-talk-request@eff.org - for administrivia
-------------------
Date: 3 Aug 91 02:50:16 GMT
From: otto@fsu1.cc.fsu.edu (John Otto)
Message-ID: <1991Aug2.203613.8760@mailer.cc.fsu.edu>
References: , <1491@cameron.egr.duke.edu>
Subject: Re: Authority of Public Universities
In article <1491@cameron.egr.duke.edu>, jpe@egr.duke.edu (John P. Eisenmenger) writes...
>Hmm. Mine is meant to be fair, but it reads very harshly in some sections.
>I think we should probably start out discussing what exactly should be in
>a computing policy guide. After we decide on the outline (if we ever do),
>we can attack the outline topics one-by-one. I jotted down some ideas
>earlier (although numbered they aren't in any real order):
> 1. An explanation of why the policy guide exists.
a. how the people who developed the policy guide were selected
b. how the policy guide can be changed
> 2. Who is allowed to have an account.
a. who owns each account or group of accounts
b. feedback on resources used (reports, memos, bills?)
> 3. The rights, responsibilities, and authority of users.
> 4. The rights, responsibilities, and authority of administrators.
> 5. How cases of policy violations are dealt with.
> 6. Specific policies, possibly with examples, minimum and maximum
> punishments, etc.
This is a fair beginning. I've been giving some thought to the roll of
"system administrators". I must confess that my experience with people
holding that exact title is extremely limited (i.e. 1). Many of the tasks
and problems mentioned as being those of a sysadmin have been dispersed
among many people at most sites at which I've worked. I've seen operators,
system development analysts, financial/accounting people, applications
analysts and hot-line analysts separately performing the functions
discussed. At the one site where we moved a secretary to sysadmin,
the main jobs were making file backups (a task done mostly automatically
or by operators on other systems) and making sure the user validation
files were as they should be (a task done variously by finance/accounting,
sys dev analysts, applications analysts, operators and even qa/performance
analysts at different sites, systems and times). The reason I bring
this up is as it relates to the sysadmin role in policy development,
approval, and implementation...jgo
-------------------
Date: Sat, 03 Aug 91 14:35:59 -0900
From: FFDMG%ALASKA.BITNET@CORNELLC.cit.cornell.EDU (Dean Gottehrer)
Message-ID: <9108032238.AA02043@eff.org>
Subject: Intellectual Property
If you are hired by a corporation to do creative work, such as write computer
programs, write articles for publications, etc., under the copyright law your
work is a work made for hire and the owner of the copyright is the corporation
that hired you, provided all the resources for you to do your work, etc., and
*not* you.
Most universities consider that the articles and books that professors write
are their own intellectual property and not works made for hire. Off the
record that is often viewed as a way for to compensate faculty for otherwise
low salaries. Usually companies will make clear in your contract if you are
producing works made for hire that you do not own.
Patents are a different matter. The ownership of patents growing out of
inventions financed by research or other monies provided by universities are
often owned by the universities, although that can be a matter of contractual
negotiations often done at the time of hire.
As I have suggested before on this forum, if you are producing creative works
that you think you should own the property rights to and you do not have a
contract that specifies that, you should consult an attorney who knows about
copyright or patent law to see where you really stand.
Dean Gottehrer
Anchorage, Alaska
-------------------
Date: Sat, 03 Aug 91 14:37:14 -0900
From: FFDMG%ALASKA.BITNET@CORNELLC.cit.cornell.EDU (Dean Gottehrer)
Message-ID: <9108032240.AA02137@eff.org>
Subject: University Marketplace
On August 1, Sanjay Kapur wrote:
Universities are not monopolies. Hopefully through competition, more students
will be attracted to universities with better (not always liberal) policies.
Universities with bad policies will have no students left and will be forced
to shut down.
I wish I shared his optimism that market forces operated so neatly and cleanly
in higher education. When is the last time you heard of a university shutting
down, let alone shutting down because bad policies discouraged students from
attending. The AAUP has been censuring universities for breaches in academic
freedom for a long time. I donm't remember any of them closing down.
(Although some of them have changed their policies as a result of AAUP's
efforts to discourage faculty from accepting employment contracts with those
institutions.)
My experience is that students are attracted to universities that charge what
they can afford and that they look for the best quality within that price
bracket, assuming they have the wherewithal to leave their home town or state.
I've never know a student to pick a university because of its policies. They
do pick because of programs and quality of programs, but not because of
policies.
Dean Gottehrer
Anchorage, Alaska
