Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/29/14 23:38, Jonathan Wilkes wrote: On 01/29/2014 04:50 PM, Guido Witmond wrote: On 01/29/14 19:57, Jonathan Wilkes wrote: On 01/26/2014 08:12 AM, Guido Witmond wrote: BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows. But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother? I fully agree, being Microsoft free since 1999, myself. However, the apt-package manager doesn't upgrade anything compiled into usr/local, hence, the need for a scanner. Hi Guido, Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website. I wouldn't know. Being an IBM acquisition, my first guess would be that it is proprietary. If you want something to scan you linux/bsd-box, there are good tools available. Even good-old tripwire could help you. Or Samhain, that also checks for setuid executables. regards, Guido. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
Jonathan Wilkes: Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website. I also couldn't find confirmation it's Free Software. And the default in our world is being copyrighted, proprietary. In conclusion, Stanford liberationtech is promoting proprietary software? What are the chances, that IBM - as an US company - isn't or won't soon be subverted by NSA backdoor, now that we know from news how NSA infiltrated other proprietary software? Is this just a draconian enforcement of someone not aware or not caring about Free Software / liberationtech or are stronger mechanisms (ex: national security letter) at play here? -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/30/2014 11:38 AM, Patrick Schleizer wrote: Jonathan Wilkes: Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website. I also couldn't find confirmation it's Free Software. Someone from Stanford want to weigh in here? It's a very simple question, and I apologize in advance if I missed something obvious. If it is proprietary, is there a bold Stanford student on this list willing to take his/her Debian box (or whatever flavor OS) in to IT and report on the process of getting it up and running on the network without installing a proprietary binary? -Jonathan And the default in our world is being copyrighted, proprietary. In conclusion, Stanford liberationtech is promoting proprietary software? What are the chances, that IBM - as an US company - isn't or won't soon be subverted by NSA backdoor, now that we know from news how NSA infiltrated other proprietary software? Is this just a draconian enforcement of someone not aware or not caring about Free Software / liberationtech or are stronger mechanisms (ex: national security letter) at play here? -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
This whole Stanford security policy featuring full scans of everything reeks of NSA+PATRIOT act crap stupidity, all in the same cocktail. It is SHAMEFUL using PII as an excuse - did the corporatized university bureaucrats assigned to Stanford consult with its Computer Science department? Because even the Wikipedia entry for PII mentions that, in this late anthropocenic era of TMI, with its Internet and social metworks, there are a zillion other ways to get that info without access to PII, I'm pretty sure IBM's sw doesn't detect that ! I just cannot believe it. Back to MIT I guess.. oh wait! MIT was the one institution whose inaction in defense of free speech and academic freedom was a significant contributing factor in the chain of events leading to the unfortunate suicide of that good fellow that took back to the general public digital truckloads of scientific papers, most probably paid for by our tax dollars to begin with.. On Jan 30, 2014 12:12 PM, Jonathan Wilkes jancs...@yahoo.com wrote: On 01/30/2014 11:38 AM, Patrick Schleizer wrote: Jonathan Wilkes: Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website. I also couldn't find confirmation it's Free Software. Someone from Stanford want to weigh in here? It's a very simple question, and I apologize in advance if I missed something obvious. If it is proprietary, is there a bold Stanford student on this list willing to take his/her Debian box (or whatever flavor OS) in to IT and report on the process of getting it up and running on the network without installing a proprietary binary? -Jonathan And the default in our world is being copyrighted, proprietary. In conclusion, Stanford liberationtech is promoting proprietary software? What are the chances, that IBM - as an US company - isn't or won't soon be subverted by NSA backdoor, now that we know from news how NSA infiltrated other proprietary software? Is this just a draconian enforcement of someone not aware or not caring about Free Software / liberationtech or are stronger mechanisms (ex: national security letter) at play here? -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/ mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/26/2014 08:12 AM, Guido Witmond wrote: On 01/26/14 10:20, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material. While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements. I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year. I tried reaching out to the EFF, but did not receive any reply. I expressed by concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers. I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter. Thank you in advance, ~Tomer Altman Dear mr Altman, From the link: No more Windows XP: Good riddance. BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows. But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother? -Jonathan -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/29/14 19:57, Jonathan Wilkes wrote: On 01/26/2014 08:12 AM, Guido Witmond wrote: BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows. But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother? I fully agree, being Microsoft free since 1999, myself. However, the apt-package manager doesn't upgrade anything compiled into usr/local, hence, the need for a scanner. The important thing is that BigFix can report to the user of the PC, or to university sysadmins. What matters is how they deal with any findings. That's a classic case of Who watches the watchers. Quoting the Stanford policy: Other personally-owned devices used at home or on the wireless Stanford Guest Network are encouraged to follow these mandates, but not required to at this time. Other devices stands for those not used at campus or at home for use with PII-information. Translated: Other (for non-work related) devices, used at home ... are not required ... at this time That suggests that private devices are next. I stand corrected. It has feeling of control for the sake of control. My suggestions to mr Altman (from a private message): Buy some time and use Linux/FreeBSD or Qubes-OS for your private computer use, their scanning programs are not available on these platforms yet. Use these only for personal use. Leave these computers at home. Use a dumb phone to keep contact for family business, like picking up children after school, etc. It teaches the kids that when you are at work they can't expect an immediate reply if it is not an emergency. Keep a strict separation between work and private life. Laptops are cheap. Use a separate, university controlled laptop at home for work-stuff, such as collaboration with researchers and so. Tell everyone that you maintain that separation and spread the word amongst colleagues. It's hard, but I believe it's the only way to sanity. Regards, Guido Witmond. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/29/2014 04:50 PM, Guido Witmond wrote: On 01/29/14 19:57, Jonathan Wilkes wrote: On 01/26/2014 08:12 AM, Guido Witmond wrote: BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows. But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother? I fully agree, being Microsoft free since 1999, myself. However, the apt-package manager doesn't upgrade anything compiled into usr/local, hence, the need for a scanner. Hi Guido, Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website. Thanks, Jonathan -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
Rich Kulawiec r...@gsp.org writes: Fourth, the simultaneous requirement that systems be backdoored and searchable while their disks are encrypted strongly suggests that they intend to have a central repository of encryption keys. Fifth, the requirement for use of centralized backup also provides one-stop shopping to an attacker. Thank you for your reply. The fact that you have this environment of pervasive searching personal property, coupled with incremental backups, means that people can be targeted due to having objectionable material at some time in the past. It creates a stifling environment where people will be afraid to express themselves, least it becomes a future liability. My $0.02, ~Tomer -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
Thank you for your reply Michele, I think I should point out that their interpretation of 'employee' includes faculty and students. As an example, here is the implementation page for the School of Medicine: https://med.stanford.edu/datasecurity/ Notice the flow-chart of who must adhere to the new policy. It explicitly mentions faculty and students. All School of Medicine affiliates (faculty, employees, students, etc.) are being forced to fill out a device attestation that provides information on whether people access PHI/PII, what kind of devices they use (whether Stanford owns them or not), external hard drives, thumb drives, etc. I tried to fill out the form, claiming that I was exempt. The form said that my answers were not correct, and that I faced administrative action if I didn't fix them. Technically I can apply for a variance, which I have. I have not received any reply in a week. Even if the official instructions make this sound like it only applies to employees that work with PHI/PII, don't be fooled. *Everyone* is being asked to do this, receiving emails from the administration to make sure that our attestations are up-to-date, and then sending follow-up emails to get our attested machines into compliance. As an engineer, my reaction to needing tighter security around PHI/PII would be to create a separate network for personnel which have a need-to-know. Tight security protocols like installing MDM and BigFix could be implemented on that restricted network only. Taking the entire university's network and enforcing that level of security, when the vast majority of the affected machines will never touch PHI/PII, is just ludicrous. Saying that those wanting to avoid these kinds of invasions of privacy can just go on to the guest network is like being forced off the interstate and only being allowed on side roads. I am all for Stanford improving its security practices. They are definitely justified in tightening controls on employees and their own equipment. But personal property of faculty and students should be left alone. That crosses the line. My $0.02, ~Tomer Mrs. Y. networksecurityprinc...@gmail.com writes: I worked in academia for 13 years. We were already doing most of this in 2010. We were one of the universities that proactively removed SSNs from general use and every administrative system except where necessary. Please note that the following provisions apply in the new policy: 1. requirement applies to university employees 2. equipment is university-owned 3. OR personal equipment touching PII/PHI I applaud Standford's efforts toward protecting students' private data: their customers. This is probably a reaction to the reported breach this past summer: http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/ They're actually being pretty fair, by allowing BYOD at all for employees and a guest network for personal devices. Many non-profits don't. There's also no requirement to meet these mandates if the personal device only uses the guest network, which is probably sandboxed with no access to PII/PHI and other confidential data. In the past, universities have been notoriously poor in protecting customer data and in the current climate could face large HIPAA or PCI-DSS fines/penalties if customer data is breached. Considering they also administer an FFRDC, the SLAC National Accelerator Laboratory, I'm surprised they haven't been stricter prior to this. The answer is pretty simple. If you feel these measures could violate your privacy, then don't use your personal equipment to access Stanford-classified PII/PHI. And don't put your personal data on university-owned equipment. As an employee using Stanford's equipment or accessing customer data, you do not have the same expectation of privacy as a student. Michele Chubirka On 1/26/14 5:36 AM, Rich Kulawiec wrote: On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ First, if they were serious about security, they wouldn't be using Microsoft products. Second, backdooring end-user systems en masse provides one-stop shopping to an attacker. Third, locating PII on systems is not a solved problem in computing, and for anyone to pretend otherwise is, at best, disengenuous. Not only that, but anyone who's been paying attention to the re-identification problem knows that non-PII is quite often just as sensitive. Fourth, the simultaneous requirement that systems be backdoored and searchable while their disks are encrypted strongly suggests that they intend to have a central repository of encryption keys. Fifth, the requirement for use of centralized backup also provides one-stop shopping to an attacker. Bottom line: this isn't about security, it's about control and
Re: [liberationtech] Concerns with new Stanford University security mandate
Paul Ferguson fergdawgs...@mykolab.com writes: Remember: Employee prescriptive measures are different that non-employee measures. This is being forced on faculty and students as well (their interpretation of employee). ~Tomer - ferg -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
Guido Witmond gu...@witmond.nl writes: snip Dear mr Altman, From the link: No more Windows XP: Good riddance. BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. Identity Finder: It gives a baseline scan for all files that contain personal identifiable information, like credit card numbers (that should never be on anyones computer at all, not even your own credit card number) and SSN (likewise). Good. Encryption: Good. Central file backup: Good. Anything in that document shows the intention of solving many IT-problems that PC-users face all the time, whether they realise it or not. I fully acknowledge that they are providing a lot of good here. But in some places they have crossed the line. And the university does not make it mandatory for private devices. They are making it mandatory, trust me. I attested that I have two private laptops, and they continue to hound me to get them into compliance. By taking these measures the university take responsibility for any breaches that happen from now. My thoughts are that if 10% of the campus deals with sensitive information, then by all means isolate and secure that 10%. Why lock down and spy on the rest of the campus; faculty, students, and all? There is one question remaining: do you trust the university to handle this responsibility? Only if faculty and students have a voice in how the system is designed, implemented, and maintained, with transparency and oversight. Otherwise there is no basis for trust. The answers to that will become clear with how they react when they find unneccesary PII on a computer. To whom go the reports of Identity-finder? How are they going to deal with it. The intentions may be good, it's all about the actions. Good luck with it. Guido. Thank you for your reply. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
Guido, Identity Finder: It gives a baseline scan for all files that contain personal identifiable information, like credit card numbers IMHO, w/o knowing details of the sw, the statement sounds like a compulsory violation of an individual's privacy by The Institution (that should never be on anyones computer at all, not even your own credit card number) and SSN (likewise). This is like saying Don't have a wallet! Disagree. IMHO, correct answer: devices used by persons should be secure, and no Institution, no matter how benign, should have compulsory access to personal information stored on them. The Institution may even own the device, but it doesn't own personal information of its employees that happens to be on its devices. Asking an individual to separate personal and business information is schizophrenic. Your wallet contains both your personal and corporate credit cards! How about your health insurance card? Driver's license? Passport? On Jan 26, 2014 11:05 PM, Guido Witmond gu...@witmond.nl wrote: On 01/26/14 10:20, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material. While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements. I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year. I tried reaching out to the EFF, but did not receive any reply. I expressed by concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers. I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter. Thank you in advance, ~Tomer Altman Dear mr Altman, From the link: No more Windows XP: Good riddance. BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. Identity Finder: It gives a baseline scan for all files that contain personal identifiable information, like credit card numbers (that should never be on anyones computer at all, not even your own credit card number) and SSN (likewise). Good. Encryption: Good. Central file backup: Good. Anything in that document shows the intention of solving many IT-problems that PC-users face all the time, whether they realise it or not. And the university does not make it mandatory for private devices. By taking these measures the university take responsibility for any breaches that happen from now. There is one question remaining: do you trust the university to handle this responsibility? The answers to that will become clear with how they react when they find unneccesary PII on a computer. To whom go the reports of Identity-finder? How are they going to deal with it. The intentions may be good, it's all about the actions. Good luck with it. Guido. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Concerns with new Stanford University security mandate
To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material. While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements. I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year. I tried reaching out to the EFF, but did not receive any reply. I expressed by concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers. I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter. Thank you in advance, ~Tomer Altman Biomedical Informatics Stanford -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ First, if they were serious about security, they wouldn't be using Microsoft products. Second, backdooring end-user systems en masse provides one-stop shopping to an attacker. Third, locating PII on systems is not a solved problem in computing, and for anyone to pretend otherwise is, at best, disengenuous. Not only that, but anyone who's been paying attention to the re-identification problem knows that non-PII is quite often just as sensitive. Fourth, the simultaneous requirement that systems be backdoored and searchable while their disks are encrypted strongly suggests that they intend to have a central repository of encryption keys. Fifth, the requirement for use of centralized backup also provides one-stop shopping to an attacker. Bottom line: this isn't about security, it's about control and monitoring. ---rsk -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/26/14 10:20, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material. While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements. I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year. I tried reaching out to the EFF, but did not receive any reply. I expressed by concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers. I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter. Thank you in advance, ~Tomer Altman Dear mr Altman, From the link: No more Windows XP: Good riddance. BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good. Identity Finder: It gives a baseline scan for all files that contain personal identifiable information, like credit card numbers (that should never be on anyones computer at all, not even your own credit card number) and SSN (likewise). Good. Encryption: Good. Central file backup: Good. Anything in that document shows the intention of solving many IT-problems that PC-users face all the time, whether they realise it or not. And the university does not make it mandatory for private devices. By taking these measures the university take responsibility for any breaches that happen from now. There is one question remaining: do you trust the university to handle this responsibility? The answers to that will become clear with how they react when they find unneccesary PII on a computer. To whom go the reports of Identity-finder? How are they going to deal with it. The intentions may be good, it's all about the actions. Good luck with it. Guido. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
I worked in academia for 13 years. We were already doing most of this in 2010. We were one of the universities that proactively removed SSNs from general use and every administrative system except where necessary. Please note that the following provisions apply in the new policy: 1. requirement applies to university employees 2. equipment is university-owned 3. OR personal equipment touching PII/PHI I applaud Standford's efforts toward protecting students' private data: their customers. This is probably a reaction to the reported breach this past summer: http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/ They're actually being pretty fair, by allowing BYOD at all for employees and a guest network for personal devices. Many non-profits don't. There's also no requirement to meet these mandates if the personal device only uses the guest network, which is probably sandboxed with no access to PII/PHI and other confidential data. In the past, universities have been notoriously poor in protecting customer data and in the current climate could face large HIPAA or PCI-DSS fines/penalties if customer data is breached. Considering they also administer an FFRDC, the SLAC National Accelerator Laboratory, I'm surprised they haven't been stricter prior to this. The answer is pretty simple. If you feel these measures could violate your privacy, then don't use your personal equipment to access Stanford-classified PII/PHI. And don't put your personal data on university-owned equipment. As an employee using Stanford's equipment or accessing customer data, you do not have the same expectation of privacy as a student. Michele Chubirka On 1/26/14 5:36 AM, Rich Kulawiec wrote: On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ First, if they were serious about security, they wouldn't be using Microsoft products. Second, backdooring end-user systems en masse provides one-stop shopping to an attacker. Third, locating PII on systems is not a solved problem in computing, and for anyone to pretend otherwise is, at best, disengenuous. Not only that, but anyone who's been paying attention to the re-identification problem knows that non-PII is quite often just as sensitive. Fourth, the simultaneous requirement that systems be backdoored and searchable while their disks are encrypted strongly suggests that they intend to have a central repository of encryption keys. Fifth, the requirement for use of centralized backup also provides one-stop shopping to an attacker. Bottom line: this isn't about security, it's about control and monitoring. ---rsk -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
This is quite relevant now that BYOD (Bring Your Own Device) is becoming very popular in the business world: These requirements apply to all University-owned laptops, desktops, smartphones and tablets (devices), personally-owned devices used on the Stanford Network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other Restricted or Prohibited Data. Best Regards | Cordiales Saludos | Grato, Andrés L. Pacheco Sanfuentes a...@acm.org +1 (817) 271-9619 On Sun, Jan 26, 2014 at 3:20 AM, Tomer Altman taltm...@stanford.edu wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material. While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements. I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year. I tried reaching out to the EFF, but did not receive any reply. I expressed by concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers. I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter. Thank you in advance, ~Tomer Altman Biomedical Informatics Stanford -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Concerns with new Stanford University security mandate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Below: On 1/26/2014 2:36 AM, Rich Kulawiec wrote: On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote: To Liberation Tech: Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/ First, if they were serious about security, they wouldn't be using Microsoft products. Second, backdooring end-user systems en masse provides one-stop shopping to an attacker. Third, locating PII on systems is not a solved problem in computing, and for anyone to pretend otherwise is, at best, disengenuous. Not only that, but anyone who's been paying attention to the re-identification problem knows that non-PII is quite often just as sensitive. Fourth, the simultaneous requirement that systems be backdoored and searchable while their disks are encrypted strongly suggests that they intend to have a central repository of encryption keys. Fifth, the requirement for use of centralized backup also provides one-stop shopping to an attacker. Bottom line: this isn't about security, it's about control and monitoring. ---rsk I've got to agree with Rich here -- this *is* about control monitoring. Having said that, saying that this policy is simply about security is not quite correct -- it is about controlling *employee access to, and handling of, sensitive information in the Stanford University computer network systems. But let's remember that there are *different types* of security: Ones which control monitor, others which attempt to protect organizational users from external threats, etc. I don't believe this is pretty much /de rigueur/ and appropriate for virtually any organization which wishes to protect sensitive information, and provide some accountability. Remember: Employee prescriptive measures are different that non-employee measures. - - ferg - -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlLlMr8ACgkQKJasdVTchbJuuAD+PE+MsNYYu73+EX6TPMZgLiX3 zei8ig48GX7Xvy/duBABAMeS10yF5L7w9bc3WOQ7ASczRlnycozj0QeWyrcYyUJs =XHRk -END PGP SIGNATURE- -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.