Educause Security Discussion mailing list archives
Re: Guideline for Restricting Software
From: Randy Marchany <marchany () VT EDU>
Date: Fri, 16 May 2003 14:50:02 -0400
> Its purpose is to identify specific categories (and occasionally
> specific products) that are restricted, possibly prohibited, and would require
> authorization to install / use.
The times I've seen the software restriction issue come up usually have to do with music/movie downloading software. The intent is that if we ban such software, the music download problem goes away. Then the authors realize that in order to achieve this noble goal, all transfer mechanisms (www, ftp, scp, etc.) fall under that nefarious category. In order to enforce the policy/procedure, it becomes necessary to monitor all software on the net to make sure it's not banned. Yes, this is the same thing that shot down parts of the Communications Decency Act of a couple of years ago. It's simply not enforceable.

I have a fundamental problem with software restriction clauses in that the problem is usually caused by WHAT is downloaded, not HOW it's downloaded. For example, our AUP/AUG doesn't ban the use of p2p software like Kazaa, Morpheus, etc. It does mention that you must not download illegal copies of copyrighted material. (Yes, we flow monitor our resnet.) As long as the files being transferred are "legal", who cares how they got transferred? To place restrictions on the transfer software instead of the data being transferred is like sanctioning the US Postal Service/UPS/FedEx etc. for allowing mail/packages containing questionable material to pass through their system.

We're fortunate here at our edu in that the enforcement arms of the university (Judicial Affairs for students, Provost for faculty, VP of HR for staff) have bought into enforcing our AUP.
> For example, products used in teaching information security courses are a
> deadly if not properly contained.

I teach a grad level computer/network security class where the students do use programs that are potential killers of a system or network. However, we spend a lot of time reviewing our AUP and the relevant state and federal computer crime laws. That gets the point across to the students of the consequences of straying to the dark side of the force.
> Its purpose is to identify specific categories (and occasionally
> specific products) that are restricted, possibly prohibited, and would require
> authorization to install / use.
I think this is a management headache. If your Acceptable Use Guidelines contain general statements about not using software/hardware to attack other systems without permission, then I don't see the need for a guideline on acceptable classes of software. I just don't see this software categorization/authorization as being enforceable in an effective manner. I think proper education/awareness of your AUP and the "willingness" to enforce it are much more effective.

-Randy Marchany
VA Tech

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.