If you follow my blog, you’ll know that I’ve commented often on file-sharing, copyright, and universities certainly more than a few times and while my blogging has been sparse lately, today’s announcement of “The Stanford Copyright Integrity Initiative” deserved spending some time on a blog post. The initiative was apparently “introduced by Stanford University to demonstrate the university’s leadership in efforts to strengthen the integrity of copyrights and intellectual property.” As early as a little before 10am this morning, my department (Student Computing/Residential Computing) received an email from a worried student– after reading the announcement on the front page of The Daily, the University’s student newspaper, the student visited riaa.stanford.edu (as directed in the article) and after entering his name, found that Stanford “has likely reported” his name to the RIAA, MPAA, or ESA. The student was both confused and worried– you see, after receiving his first copyright complaint a little while back, he hasn’t illegally downloaded a single song, movie or anything else! Has his computer been hacked? Did file-sharing somehow get accidentally enabled on his computer?
The truth is that this clever little stunt was part of the annual fake Daily published by the Stanford Chaparral (or the “Chappie” as it’s affectionately called), Stanford’s student humor magazine. The article is actually quite well-researched and well-written, including references to actual facts, such as the highly publicized “three strikes” policy in which students not only face increasingly severe disciplinary actions for repeated DMCA violations and complaints, but are also charged increasing amounts of money through associated “reconnection fees.” The article also says that over thirty students have reached their third strike in the past year with settlements with the complaining record companies totaling over $100,000. While the numbers are about right– over thirty students and settlements totaling about $100,000 in the past year– they actually apply to the results of the record companies’ “pre-litigation letter” campaign that started in 2007 and in which they target college students all over the country with the threat of lawsuits. As part of the new “integrity initiative,” the article explains, Stanford is now scanning its network for DMCA violations and actively reports the culprits to the “RIAA and other appropriate authorities.” In the first day alone, the article continues, “78 unnamed students” have already been reported and the University’s IT organization “predicts that approximately 34% of Stanford undergraduates will be contacted by the end of Wednesday.” (That’s approximately 2,274 students.) The article goes on to direct students on how to find out if they’ve been flagged (via riaa.stanford.edu) and in turn, find legal help (the EFF gets a nod).
The article itself was pretty funny– Stanford, like other universities, has been spending increasing amounts of resources dealing with illegal file-sharing and copyright and personally, I think it was a good jab at how ludicrous the effects of the DMCA and intimidation tactics of the entertainment industry have become.* Just last week, I was summarizing the results from the annual undergraduate computing survey and many students commented on their dissatisfaction with the University’s handling of file-sharing and copyright issues, wishing Stanford would take a stronger stance against the RIAA and the MPAA’s efforts.
The website though… I don’t want to be a spoilsport, but aside from probably breaking some basic network usage policies (for setting up riaa.stanford.edu, use of the Stanford seal, etc.), the website took it a little too far. The reality is that since the first lawsuits targeting students (circa 2003), the University really has been stepping up their efforts to stop illegal file-sharing and punish repeat offenders and something like this initiative isn’t completely impossible. The reality is that over thirty Stanford students– peers and perhaps even friends of the Chappie staff members– really have been sent pre-litigation letters and really have had to pay approximately $100,000 in settlement deals. The reality is that the entertainment industry really is targeting college students– people who have little knowledge of their legal options and/or resources to defend themselves. When you enter your name and hit submit at riaa.stanford.edu, it looks like they use your name to randomly** give you either a thumbs up (you haven’t been reported) or thumbs down (you’ve already been reported and look forward to a letter in the next three to four weeks). I would hate to think that a student who’s already paid out thousands of dollars because of a pre-litigation letter was tricked into going to the website and got a thumbs down.
I don’t know how long the site will stay up and working, so if you’re curious, here are some screenshots, etc.:
Notes:
* If you’re curious about Stanford’s actual policies on file-sharing and copyright, check out my department’s FAQ on File-Sharing & Copyright (also used by the General Counsel’s Office as well as the Information Security Office as the University’s “official” FAQ on the issue).
** It’s pseudorandom– the algorithm they’re using is deterministic. Unfortunately, no matter what Leland Stanford, Jr. does, he will always show up reported to the authorities.
Even though I haven’t really been blogging, if you happened to cruise by here, you may have noticed I added a Twitter badge for about a week.
It’s gone now.
Seven days, three posts. I’m over it, as expected. You don’t need to know what I’m doing all the time, mostly because either a) it’s not that exciting or b) it is exciting and if I wanted you to know about it, I’d tell you.
Well, graduation weekend is basically over as I get ready to fly back home tomorrow. I’ve got a couple of blog postings in the works, but right now, the thing that really sticks out is the ridiculous hassle getting in and around airports has become. I know, it’s not exactly the most original comment ever, but every time I fly, the point gets driven home more and more. I fly fairly often for personal purposes, so I’ve got my process pretty optimized to get through security with the least amount of trouble (and if you ever have to travel with me, you better keep up). When possible and the weather permits, I prefer to fly in a velour sweatsuit to avoid the taking on/off of a jacket or coat. I wear flip flops for quick on/off through the scanner and in my carry-on, I’ve got my laptop (case with the zipper side up for easy access, of course) and all my 3oz. or less liquids in my little one quart plastic zip lock bag (for which I have a standing supply in my house just for this purpose) ready to be easily pulled out, put through the scanner, and quickly placed back into my bag. No getting practically half-dressed to walk two feet through the metal detector and no fumbling to then quickly gather your two or three trays full of things and hurry over to the little post-checkpoint chairs, awkwardly hurrying to put your shoes back on and hide that little plastic bag before strangers see what 3 oz. or less liquids you just had to have with you on that plane. And all this with the constant sound of TSA workers yelling, “No liquids, no knives, no lighters… all shoes must come off, all jackets… ” (I really hope they get more than two 15 minute breaks every four hours plus lunch because I think my head would explode if my job was to wear some rubber gloves and yell that all day.) No, none of that for me. I try to streamline the process as much as possible. I’m in and out. I am a leaf on the wind - watch how I soar.
But today was an even more interesting experience: we’re staying our last night at a hotel that’s actually attached to the airport (Hyatt Regency Pittsburgh International Airport– in short, pretty nice hotel, convenient for an early flight, but what else is really exciting about an airport hotel) and since the hotel restaurant was closed when we got in, we asked the front desk where was the closest place to eat. They directed us to go to the “AirMall,” a sort-of mall with restaurants, shops, etc., but since it’s on the airside of the airport, the hotel has a special setup to allow guests to pass through security without boarding passes. The process first began with the hotel issuing each of us a “passport” with our full names printed on them. In addition to the passport itself, the front desk then needs to call over to the information center at the airport letting them know our names and that we are headed over. Once over to the other side (and a little wandering around until we found the correct information desk), we then each had to fill out forms, providing yet more personal information about ourselves and our stay at the hotel, as well as provide ID.
Unfortunately, about halfway through this process, as I was reviewing the multiple page document explaining what I was agreeing to, I realized that if this whole setup is to help hotel guests pass through security to get to the AirMall, this also means that you have to abide by all of the TSA security regulations. I suppose this is obvious if you take a minute to think about it, but the woman at the front desk didn’t really remind us about the safety restrictions, so it didn’t really dawn on me until then. Since we would be checking out tomorrow morning and all we really wanted to do was get something to eat, I realized going all the way back to the room to return the random lotions, lipstick and whatever else my mother and I had between us (ironically, all probably 3 oz. or less each, but no super-duper plastic bag to act as our magic key through security) just to get some airport food was definitely not worth it. So, in the end, our mission was aborted (the thought occurred to me aborting might raise some weird terror flags) and we just ate on the landside of the airport– airport food still, but without all the hassle.
At night, I dream of luxurious airports, staffed like five-star hotels, where polite, well-dressed people help you check-in and you always get the seat you want. Young, good-looking bellhops help you check your bags, bags that always make it safely to their destination. At worst, you have to pass through a metal detector, but the security staff is polite, reassuring and confident as they guide you through the security checkpoint. You feel safe and protected. Airport bathrooms are pristine oases with places where you can safely place your things while you use the toilet, wash your face, etc. There are soft towels and luxurious soaps to help refresh you after a long flight. And at the gates, there are always enough seats for passengers and they are comfortable seats at that– small lounges to relax while you wait for your flight, with couches and soft chairs, with little tables to place your drink on or to eat your sandwich or use your laptop. Power outlets are plenty, wireless is free and the signal is strong. Everywhere.
Unfortunately, this is closer to reality:
Read: Schneier on Security: On the Implausibility of the Explosives Plot
Schneier on Security: What the Terrorists Want
I heard an interesting story from a friend the other day– he was biking in to work with his laptop bag on his back and a cop pulled him over. He wasn’t sure why he was being pulled over (maybe it was the bagel he was eating while biking), but he stopped and the officer started an interesting conversation. He asked my friend if there was a laptop in his bag, which seemed pretty likely considering it was a standard laptop bag. My friend answered, yes, at which point the officer pointed out that there had been some laptop thefts in the area. He then asked my friend if the laptop was his and if he could prove it.
Despite the strange request, my friend just wanted to get on his way, so willingly cooperated with the officer and was able to show the officer the address book on his computer which included his own information that presumably matched his ID. This was apparently enough to satisfy the officer and he sent my friend on his way.
Now, this situation brings up a lot of interesting questions– I’m no lawyer or legal expert in any way, but it seems to me that the officer would have to have some type of probable cause to stop my friend and not only search his bag, but in an effort to “prove” ownership of the laptop, search the contents/data of the laptop itself. Young people biking with laptop bags isn’t a rare sight in Palo Alto. Did my friend match the description of potential suspects? When he saw the laptop, did it match the description of recently stolen ones? Presumably, if the officer was aware of laptop thefts in the area, police reports have been filed and serial numbers should be available for those stolen computers. Finding the serial number on a laptop is relatively easy– if the officer did have probable cause to believe this laptop was stolen, he could have easily run the serial number.
But aside from all that, how did the officer expect to have my friend “prove” that the computer was his? Out there on the street, without purchase records, how do you prove that a computer is yours? Maybe you use your real name as your login name, but if you’re unlucky enough not to, you might have to show your address book or other private information to the officer in an effort to show that you’re not a thief. What is sufficient evidence in this impromptu courtroom out on the street? And what if the laptop isn’t yours? That doesn’t mean it’s stolen– plenty of students in my office borrow laptops while working for us and have generic logins and don’t necessarily keep any personal information on them. Then where are they left?
In the most technical sense, unsolicited emails advertising something, usually a commercial enterprise, that are sent out indiscriminately are clearly considered spam. However, in this age of endless email, most have a much broader definition of spam and those who email as much as I do can probably be heard calling any annoying emails spam. These email messages may even be sent under a legitimate umbrella, but once they become too frequent and completely unwanted, once they lose whatever initial value they may have had, they become spam. For example, if you buy something from an online vendor, they might begin to automatically send you followup emails on sales, deals, etc. While you may be interested in them at first, too often do online retailers abuse their relationships with their customers and end up sending too many emails with too little relevant information. In the end, you find yourself unsubscribing from all emails from the vendor, afraid that subscribing to even one newsletter or list will result in another onslaught of spam. In this case, the emailing isn’t completely indiscriminate since you provide your email address and establish a relationship with the sender through your purchase, but most people would consider those messages as spam. But this is old hat to those of us who regularly shop online– if given a choice, I always uncheck all options to receive promotional emails or any other communication from vendors outside of information about my orders– and we accept this constant process as a tradeoff for doing business online.
But what happens when it gets personal?
Two years ago, I attended a large New Year’s Eve party that was thrown by a group of semi-professional party throwers. Expensive tickets were purchased online and black tie was worn. Unfortunately, as a result, I was unwittingly subscribed to one of the organizers’ personal email lists for advertising events. I didn’t make the connection between attending that party and getting on this mailing list until recently since there were a number of organizers whose names I can’t remember, but I have been getting emails from this person that I had never met before in my entire life ever since. The emails seemed to be personally addressed (using a suppressed recipient list rather than a formal mailing list) and there wasn’t an easy way to unsubscribe– sure, I could probably respond to the email and ask to be removed, but when it comes to spam, I don’t like to respond and make myself known. In most cases, it only increases the spam exponentially since then they know there’s a real person behind the email address.
In any case, I’ve been putting up with these emails for two years and they were getting more and more frequent as the latest event being advertised, this year’s New Year’s Eve party, neared. So, I finally responded to the email and asked to be removed from the list. Who knew that it would result in the ridiculous email exchange below?
My original request:
Please remove me from your list. You have subscribed me under [email address].
To which I received the following response:
Hello Sindy,
May I ask why you would like to be taken off my list?
Now, I would have preferred something more along the lines of, “You have been removed from the list. Out of curiosity, why would you like to be taken off of my list?” I would have considered that an appropriate and prompt response to my request and if I chose to, I could give him some exit information for his own purposes. Instead, I have now been pulled into participating in this guy’s own little marketing research survey and still didn’t have my request honored. Nevertheless, I simply responded:
I never asked to be added to this list and I am not interested in these events.
At this point, this should have certainly been sufficient and I should have been removed from the list. Instead, I received another followup message:
Hi there Sindy.
I apologize if you received my email by accident. I sent this to my friends and anyone who has attended my parties the past few years. I throw 2 parties each year, my annual Tailgate party at the Giants game and my annual New Year’s Eve party. I have your email address either because you went to one of my parties or you asked me to send you info or one of your friends requested for you.
Did you look at my party this year? Let me know what you think.
So, I finally realized how I had gotten onto the list in the first place, but that didn’t make this entire exchange any less annoying. I mean, what part of “remove me from your list” do you not understand? And certainly, if I was responding to your messages about this year’s party with a request to remove me from the list entirely, then I’ve probably taken a look and am not interested. So, I responded with the following message:
I may have been added to your list from having attended a New Year’s party 2 years ago, but I don’t recall ever asking to be added to the mailing list and even if you were to automatically subscribe me, I think an explicit request to remove me from your list should be sufficient. It’s ridiculous that you are making me jump through hoops to be removed. I am not interested in the events that you have been sending me emails about for 2 years and even if I were, I’m certainly not interested now. This is nothing short of spamming. Please remove me from your list.
Now, I was completely riled up and had decided that I would most certainly post this exchange here, expose this guy for the spammer that he was, and spread the word that nobody should go to his party lest they be supporting a spammer and be sentenced to annoying emails for the rest of time. However, he sent the following response that, while very misguided, was at least polite and so I’ll refrain from actually naming him here, posting his email address, or mentioning the actual event (although many might be able to figure it out):
Thank you for your eloquent response Sindy.
My list is my own personal list of friends and friends of friends. There is nothing corporate or spam-like about it. If you received this email, it is because you personally attended one of my parties or a friend recommended you attend. I apologize you have jumped through hoops in order to be removed. Your hoops are my attempt to get to know who you are. I apologize for that and will remove you from my personal list as it is crystal clear you want no part of me or the parties I create.
Have a terrific rest of the week and Thanksgiving. Enjoy your New Year’s as well.
Personally, I think what is and what is not spam is in the eye of the recipient. In this case, my relationship with the sender was a loosely personal one because while I had attended an event that was held by that person (among others), so did several hundred, maybe even thousands of other people and most of us probably have never actually met the organizer. Nevertheless, messages from your friend are not immune to being considered spam. Case in point: if a friend emails you to see if you’d like to buy one of his homemade t-shirts, that may be considered an unsolicited email advertising a commercial product, but since he’s your friend, you probably wouldn’t consider it spam. However, if he continues to send you email every week, continually trying to sell you his latest creation despite the fact that you continually choose to NOT buy one, you would probably start to find it annoying. At that point, you might say to him, “Could you stop spamming me with these emails?” And suddenly, what began as a simple friendly email has become that vicious thing we know as spam. Sure, it’s not as bad as some of the Viagra, penis enlargement and debt consolidation spam that plague us all, especially if he promptly honors your unsubscribe request, no questions asked, but in the broadest sense, it’s still spam. And the fact that you have a personal relationship with the spammer, that you actually know this person, doesn’t necessarily make it any better– it’s almost worse because you might be likely to not take future messages from this person as seriously or you might even be inclined to ignore them completely.
In the end, our ability to send valuable, useful messages becomes increasingly important every day. With email becoming an increasingly important part of people’s everyday lives, being a trusted point of communication is essential. When you send out messages indiscriminately, when you abuse the convenience and power of email, you’re only losing stock in yourself.
Okay, I won’t really do commentary on this since so many people have been talking about this for several days now (an eternity in the Internet world). If you aren’t aware, a programmer named Mark Russinovich discovered that “copy protection” (DRM) software placed on some of SonyBMG-produced CDs installs a rootkit to “protect the software” itself. The reality is that a rootkit may be one of the most evil things you can install on a person’s computer– it’s essentially a piece of software that can conceal all traces of certain activities on a computer. As you can guess, this is a tool often used by hackers and virus writers to hide their activities once they’ve gained access to a machine. The term comes from the fact that the software is usually a recompiled set of Unix commands that allows the intruder to act as “root” (the super user on a system with all rights and permissions in all modes) without being detected even by the system administrator. Although the term stems from Unix, rootkits exist for a number of operating systems, including Windows. Evil, isn’t it?
On top of that, once Sony was outed, they offered a Web-based uninstaller for the rootkit. However, if you were to use the Sony-provided uninstaller, it would leave a security hole open on your computer that could be easily exploited by a malicious user (i.e., hacker). Again, evil, no?
In any case, I thought I would post on this for those people who might read this little blog and who might have not been paying attention to the Sony DRM fiasco because they didn’t readily understand words like “DRM” and “rootkit.” If you consume music, if you use a computer, this is an important thing for you to be aware of and to learn about. In my mind, in the name of balancing the demands of fair use and copyright, Sony took advantage of a malicious technology because the average person could not understand it, much less detect it. Of course, what really amazes me is that in among all of the software engineers, product managers, and others who were involved in the development of Sony’s DRM software, not one person thought that this was a bad idea? There most likely was and I’d be interested to see if one of those people could give some insight into the origins of this fiasco, to help us make sense of this ridiculousness. Maybe that lone voice of reason lost his job or took some cash to shut up or was forced to sign an NDA or other confidentiality agreement over it, but I’ve got a feeling that if he was brave enough to talk now, I’m sure many would be interested in what he had to say and I bet some would even champion him for getting out the truth.
For more info on this whole thing, review Russinovich’s original post on his discovery as well as Ed Felten’s ongoing commentary, including Alex Halderman and his analysis of the security hole caused by Sony’s uninstaller and their proof-of-concept exploit.
This is pretty cool. If you’re interested in protecting individual rights– specifically, privacy and anonymity in the information age– check it out:

I was interviewed for an article on patch management solutions at universities after a reporter at The Chronicle of Higher Education found my blog entry on BigFix. So, finally, after much anxiety and anticipation, here it is:
Plugging Holes in the Security Dike
Although I wish that somebody actually working for Information Security Services at Stanford was quoted (and not just the director emeritus), it’s interesting to see that we’re not the only ones who were concerned about privacy and liability. Now, if only we would act on those concerns rather than just recognizing that they are an issue and moving on in the name of security at all costs.
In an effort to deal with the rise in widespread security vulnerabilities and exploits over the past few years, Stanford has decided to use BigFix Enterprise Suite for patch management. Of course, patch management is certainly not the only thing this software can do (and will be used for) and as we at ResComp began to learn what BigFix is usually really used for and could really do, privacy alarm bells went off in our heads and for the past year, we’ve been fighting a battle to strike a balance between keeping student computers and the Stanford network secure and protecting student privacy rights. And despite how much time and effort has gone into this fight, I haven’t really written about this here because we were still in the middle of negotiations. But the lid, at least for now, has been closed and I can sound off on some key privacy and security issues.
The deal is this: the decision to use BigFix was first made by the folks at ITSS (and given the go ahead, of course, by higher ups). At Stanford, the IT structure is a little strange. It’s divided into two main groups: ITSS, who focuses on administrative systems, infrastructure, etc., and the Libraries, who focus on academic computing needs (including residential needs since Stanford has a strong commitment to residential education and most students live on-campus). But of course, real management of computing resources and services is even more decentralized than this strange arrangement, so as one can guess, managing the network and deploying technology throughout campus usually involves getting a lot of people from different groups to work together. You can imagine how folks in charge of administrative systems and infrastructure can often disagree with folks in charge of promoting the academic mission and student life. On one hand, allowing students to connect whatever computer they want to the network and experiment with their computers is, I believe, a key part of educational freedom and promotes self-learning. On the other hand, it’s a nightmare for network security and management, not to mention desktop support. Another part of this balancing act is the fact that a university computing environment isn’t necessarily a corporate computing environment and in addition to regular university employees, you have faculty who often have experimentation with computing technology at the heart of their research and you have students who live on-campus and make it their home, their community. Certainly, there are significant differences between what kind of programs a faculty member can run on computers paid for with research funds and what a residential student can do with his personally-owned computer and what a university employee can do with his university-owned computer.
In the end, the compromise was to provide supplementary documentation for residential students, hoping to educate students about the privacy concerns and let them make the right choice for their own computing needs. Our main goal was to make sure that students were educated (what a novel idea at a university) and had all the information necessary to make the right decision for themselves. The one thing we wanted to avoid was to have the University hand down BigFix as a requirement for getting onto the network. While I certainly agree that the University should be able to require students to patch and secure their machines, I do not believe they should be asked to install a potentially invasive piece of software on their computer and in the name of security, give up their privacy rights. Some may say that the list of retrieved properties is nothing to get so worked up over, that collecting this information automatically will help local network administrators and departments have better inventory information, and that most people won’t care if the University collects this information about their computers. Well, I hardly think that poor record keeping and inventory management on the part of local network administrators or the fact that most people just won’t mind are reasons to ask 10,000 students to install, in one sense, monitoring software on their personal computers.
Personally, BigFix for University-owned machines, especially those that store confidential information (including email), is a no-brainer– I believe that in those situations, computers should be imaged and employees should have locked-down configurations (no administrator access) anyway. And because we are talking about workplace resources, I understand that there is no reasonable expectation of privacy (although, I believe that a more relaxed approach fosters higher employee morale). But when it comes to my personal computer, I will not choose BigFix. In some ways, my situation is similar to those of the residential students my department supports– as part of my employment, Stanford provides me with “Stanford DSL,” paying for my service and giving me Stanford IP addresses for my home network. And realistically, when I come home from work, my employer can still monitor my network usage. In my home, my situation is very similar to students living on campus (although, unlike them, I have the option of a different broadband provider) and given that situation, I won’t be using BigFix at home. For me, I am more than capable of following good security practices to keep my computer, and in turn, my little part of the Stanford network secure. I don’t believe that there is an urgent and pressing need for the University to know how much total drive space I have or the serial number to my personal computer. Some of the retrieved properties might seem trivial– what my CPU speed is or what my computer name is (something that’s already available via Windows networking)– but I should still be able to choose whether or not people know. It might seem trivial for people to know what color my couch is or what shape my dining table is, but it’s still my right to decide who knows these things.
The most important thing, at least right now, is that we hold onto the right to choose because while it may seem trivial today, who knows what our “trivial” personal information could be used for tomorrow.
Which brings me to my final point: one of the big reasons why we must protect our personal privacy is that unfortunately, there are many out there who might use it against us. When we were in the thick of the privacy argument over BigFix, we realized there was a fundamental misunderstanding– some thought our reluctance to use and promote BigFix was because we feared that the information collected would not be secure, because we feared that the central databases would be broken into somehow or that console operators would abuse their access to this confidential information. These are concerns, of course, but our greater fear is that tomorrow, the next day, or sometime after that, suddenly the information would be used by the proper officials through the proper channels in a way that we do not agree with. Today, some collected information might be used only for inventory purposes; tomorrow, it could be used to unfairly profile network users. Today, total disk space might just be for statistical purposes; tomorrow, it might be used to make unfair accusations about what that disk space might be used for. It’s apropos that I just finished reading Dan Brown’s “Digital Fortress.” A recurring theme is “Who will guard the guards?”
Last week, I finally got my console operator account access and logged in to take a look at the console software. I had sworn to myself, to my fellow console operator, and to the folks at ITSS that I would not be looking at the retrieved properties. We collect our own statistics during network registration and our yearly survey (with over 50% participation each year) and keep organized network node records– we don’t need to look at records for inventory purposes and we don’t want to look. And for us, we believe and have proven that spreading the word, using our RCCs and the dorm community network to educate and encourage students to follow good security practices, actively managing and policing our network, knowing our users, is the best way to maintain good security. We don’t necessarily need a 100% solution– we need one that keeps our networks manageable and usable. But when I pulled up the console software, I couldn’t help but look. Retrieved properties for hundreds of computers just come up automatically as soon as you log in. Ah temptation, thy name is BigFix. I only looked around for a few minutes, but by the time I had logged off, I felt like I had violated so many with a few easy clicks. If I could do it so easily, believing so strongly against looking at the data, imagine how easy it would be for those who want to look, are dying to look and analyze and use this data for their own purposes. Who will guard the guards?
In the end, that question was never really answered– or rather, few believed somebody needed to guard the guards. But there was the final piece of our compromise: we asked that a notification list be created for all BigFix users, that the option to subscribe to the list be presented during installation, and that whenever the list of retrieved properties changed, everyone on the notification list would be notified. It’s not a perfect solution– we would have preferred mandatory and automatic subscription for all users who install the program and a heads-up before the list was changed– but it’s something because it, once again, lets us hold onto choice. Today, I might be willing to give up this much privacy in the name of security and convenience; if you ask me tomorrow to give up a little more, I might decide that the price has become too high and I can exercise my choice to opt out. And isn’t that the basis for freedom, educational or otherwise– choice?
Another thought on the problems with SP2 on college campuses: does Microsoft have mirrors for Windows Update? Granted, I’m sure they have a sophisticated setup for handling load, etc. for customers trying to download patches as well as for pushing out patches over Automatic Update (although it’s not clear how they are choosing who gets SP2 over AU when), but taking a page from P2P, they should consider distributing patching resources throughout their network either by location and/or market type. If Microsoft could loosen their grip on patch distribution just a little (their reluctance evidenced by shutting down sp2torrent.com and their restrictive rules on what universities can do with their free SP2 CDs), they could set up some great mirrors to help lessen the load and get patches out faster and easier.
For example, if you set up some Windows Update servers on some big Internet 2 hubs, you could cover a huge part of the higher education market– millions of college students patched and thousands of IT workers who are a little less disgruntled at Microsoft (because trust me, most of us have some beef with the folks at Redmond). Certainly, it’s within MegaCorp’s capabilities to create a server image that’s locked down and can be pushed out to “Windows Update Affiliates” around the country.