Educause Security Discussion mailing list archives

Re: Guideline for Restricting Software

From: Randy Marchany <marchany () VT EDU>
Date: Fri, 16 May 2003 14:50:02 -0400

> Its purpose is to identify specific categories (and occasionally
> specific products) that are restricted, possibly prohibited, and would require
> authorization to install / use.

The times I've seen the software restriction issue come up usually have to do 
with music/movie downloading software. The intent is that if we ban such 
software, the music download problem goes away. Then the authors realize that 
in order to achieve this noble goal, all transfer mechanisms (www, ftp, scp, 
etc.) fall under that nefarious category. In order to enforce the 
policy/procedure, it becomes necessary to monitor all software on the net to 
make sure it's not banned. Yes, this is the same thing that shot down parts of the 
Communications Decency Act of a couple of years ago. It's simply not 
enforceable.

I have a fundamental problem with software restriction clauses in that the 
problem is usually caused by WHAT is downloaded, not HOW it's downloaded. For 
example, our AUP/AUG doesn't ban the use of p2p software like Kazaa, Morpheus, 
etc. It does mention that you must not download illegal copies of copyrighted 
material. (Yes, we flow monitor our resnet.)

As long as the files being transferred are "legal", who cares how they got 
transferred. To place restrictions on the transfer software instead of the 
data being transferred is like sanctioning the US Postal Service/UPS/FedEx 
etc. for allowing mail/packages containing questionable material to pass 
through their system.

We're fortunate here at our edu in that the enforcement arms of the university 
(Judicial Affairs for students, Provost for faculty, VP of HR for staff) have 
bought into enforcing our AUP.

> For example, products used in teaching information security courses are a
> deadly if not properly contained.

I teach a grad level computer/network security class where the students do use 
programs that are potential killers of a system or network. However, we spend 
a lot of time reviewing our AUP and the relevant state and federal computer 
crime laws. That gets the point across to the students of the consequences of 
straying to the dark side of the force.

> Its purpose is to identify specific categories (and occasionally
> specific products) that are restricted, possibly prohibited, and would require
> authorization to install / use.

I think this is a management headache. If your Acceptable Use Guidelines 
contain general statements about not using software/hardware to attack other 
systems without permission, then I don't see the need for a guideline on 
acceptable classes of software.

I just don't see this software categorization/authorization as being 
enforceable in an effective manner. I think proper education/awareness of your 
AUP and the "willingness" to enforce it are much more effective.

        -Randy Marchany
        VA Tech

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.