Date: Sun, 3 Oct 2004 22:19:13 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Bart Silverstrim" <bsilver@chrononomicon.com>, <freebsd-questions@freebsd.org>
Subject: RE: IP address conflicts
Message-ID: <LOBBIFDAGNMAMLGJJCKNCEGPEPAA.tedm@toybox.placo.com>
In-Reply-To: <22D92B0C-1576-11D9-BD30-000D932C89A2@chrononomicon.com>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Bart
> Silverstrim
> Sent: Sunday, October 03, 2004 12:55 PM
> To: <freebsd-questions@freebsd.org> <freebsd-questions@freebsd.org>
> Subject: Re: IP address conflicts
>
>
>
> On Oct 3, 2004, at 2:11 AM, Ted Mittelstaedt wrote:
> <locking your dorm room>
> > Yup. This is self-defense in any college setting, there's too many
> > juveniles around.
> >
>
> Well, that's the point of college today...real life without the real
> life consequences :-) It's training for taking responsibility, though.
>
> >> We try to have a policy where I work where if your account is used to
> >> do something against the rules, like browse porn, you must have given
> >> that person your account password or you left your account logged in
> >> and walked away. There's no way to prove who the body was sitting at
> >> that console, so it is assumed to be you. You get in trouble for it.
> >
> > We try to have a policy where I work of what you call common courtesy.
> > That is, the stuff on someone's desk is their property and if you have
> > to touch it, you don't damage it.
>
> You'd think this is a simple rule. Good luck.
>
> > Every once in a while we run across someone who doesn't understand this,
> > they get away with this for a while but sooner or later we reach out
> > and fire them. Apparently, they all go to work at your place.
>
> I work in public education.
>
> > I think the double negatives there are a bit too much for most people.
> >
> > It is unreasonable to expect people to have to act like they are in
> > kindergarten when they are in the middle of a network room that has a
> > sum total of 20 people who can access it, all of whom are paid more
> > than 50K a year.
>
> You'd THINK so. Listen, chances are that you can, in rural areas, get
> away with never locking your door. Nothing happens...no one marches in
> and robs you.
> What are the chances an average thief notices your doors
> aren't locked? Or that someone comes in and assaults you? Yet you
> still get the person on the news saying "we never had to lock our doors
> before...I guess it's just getting too dangerous a world to not do that
> anymore..."
>

Not a correct analogy. To be correct, you would have to say that I built a tight fence around me and my 20 rural neighbors, all of us have a key to get through this fence, and none of us lock the doors of our homes that are -inside- this fence.

> I'd rather go through that extra five second hassle and *take my keys
> with me* and *lock the friggin' door*.
>
> You just never know when someone will want to pull a little "prank"
> that you won't have patience or time for.
>

I would actually rather have the prank happen - you know why? Because if it does, then one of that 20 needs to be fired, simply because they cannot be trusted. It is worth it to me to suffer some inconvenience/dataloss/whatever to discover that one of that 20 is a prankster so we can fire them.

People entrust their precious data with us. If we cannot even trust amongst ourselves we certainly don't deserve the trust of our customers.

> > But people should not have to be looking over their shoulders
> > where they live, eat, sleep. This is a college, not a kindergarten.
>
> True, and all security is a tradeoff. People should realize that the
> five seconds it takes to lock and unlock a console is not a huge
> detriment to their schedule, and that taking reasonable precautions
> against theft and vandalism will save them time down the road that "one
> time" that someone decides to do something to them for giggles.
>

Where I work there's no tolerance for even that "one time". You simply do not damage other people's data, whether they be co-workers or customers or the general public. If someone in our group cannot even control themselves with their co-workers' data, imagine what they are doing with customer data!

> Yes, it's a college. And like humans everywhere else, they act like
> giant kids. Hell, they use college as an EXCUSE to act like idiots.
> You know...all that PRESSURE they're under. The tests. The essays.
> The reports. The heavy drinking. They have to vent SOMEHOW. Besides,
> how high does a Dell monitor bounce from the third floor dorm window??
>

Well, college dorms are a different environment than a corporate datacenter. I certainly expect this, after living in a dorm myself.

If I was in the OP's position I would ASSUME that students in the dorms would be pulling this kind of stunt with regularity. BUT, I would EXPECT that they WOULD NOT do it. And I would tell them so. And when inevitably some of them figured I was some dumbfuck squarehead and pulled their tricks anyway, I would see to it that they got expelled, and I would let the rest of them know that this is the consequence of choosing to pull a trick like this.

I would not, however, punish innocent victims, even if they walked off and left their systems logged in. This is counterproductive and just unites the troublemakers and their victims against you.

I know perfectly well that there's people walking around that have big chips on their shoulders and just have this inner need to try to punch holes in the system. But, you need to do what is necessary to track them and root them out.

The fact is that the OP has culpability as well - or more specifically his predecessors do - because you just don't put dumb unmanaged flat hubs and a big flat network into operation in a college with a lot of dorms on it. In this case the college shares some of the blame for cheaping out on the infrastructure, because they are enabling this behavior.

> > Your logic is of the variety of "well, the security scanners at the
> > airports didn't do what they were supposed to be doing, so we
> > deserved to have the WTC collapsed".
> > In other words, it only appears
> > on the surface to be reasonable, and that is because the problems
> > don't involve people dying. But it is fatally flawed. If the
> > world really operated like you seem to think, it would be anarchy.
>
> What, that people will be people and it's better to take the five
> seconds to take "reasonable" precautions is out of line? I see it as
> taking responsibility for my belongings (and in college, those of my
> roommate's as well). My roommate and I got into a habit of carrying
> our keys...it kept us from being locked out of our cars, it kept our
> belongings from disappearing from our college apartment. Nothing would
> probably have happened if we didn't do this, but it was insurance. I
> don't *expect* my house to burn down, but I am insured for it.
>
> Your parallel doesn't quite cut it. Smuggling things onboard a plane
> that is contraband is a little different than playing pranks and using
> your computer in an unauthorized manner. It crosses many lines. I am
> taking responsibility for my data when I take a few seconds to lock the
> console.

If the console is in an insecure area then locking it is what I would expect that you would do. However it isn't good practice to put server consoles in such areas. I would consider a dorm room a secure area, I would consider smack in the middle of the Student Center to be an insecure area.

> To search someone for every possible danger they may pose to
> a plane not only crosses into crossing personal space and privacy,

The plane owner would say that people do not have a right to fly on a plane. It's my plane and if I want to strip-search everyone who rides on it, that's MY right. If they don't like it they don't have to fly on it.

> but
> is impossible against someone who is *determined* to cause a problem.
>

Once again it is surprising you would say this - if this is really true then locking your computer's data is pointless because it's impossible against someone who is *determined* to cause a problem.

I would have thought that you would have pointed out that Israel has never had a hijacking once they got serious about security on planes, which happened very early. And there's a LOT of determined people in that area that are determined to do whatever blows to Israel they can.

> Maybe I'm not quite seeing what you are arguing in the comparison...how
> the conclusion logically follows your line of reasoning.
>

I'll try to restate it. Your philosophy, as near as I can tell, is that if someone leaves a door unlocked or a computer unsecured, or they fail to adequately search a passenger boarding a plane, then they are just as guilty as the criminal if later on it turns out that a criminal stole all their belongings, or used their computer to commit a crime, or boarded a plane and crashed it into an office building. (by just as guilty I don't mean they get punished the same)

I am saying this is a bankrupt philosophy, and when I framed it in terms of the WTC collapse you actually saw the light and started to agree with me.

Now, I have made the transition between these 3 events so you can see now that the philosophy clearly has a problem. You cannot start defending the lax scanners for not catching the hijackers, then turn around and criticize the dumb blondes for leaving their computers unlocked and someone gets on their machine and trashes the network. This is inconsistent, and if you are an educator you know the dangers of an inconsistent philosophy - it produces people like Rush Limbaugh who say that the war on drugs is great because it's endorsed by the Republicans, then go home and feed their painkiller addiction.

> >> Your reactions are your policies and your rules; if they work for you,
> >> that's all and good.
> >> If students continue to play stupid and allow
> >> things like this to happen to their computers, then so be it. Or you
> >> can nail them a couple times and have them wise up for it.
> >
> > Much, much better to nail up the actual criminals not the victims.
>
> Of course. HOWEVER,...(isn't there always a however?)...there are some
> people who invite trouble. The world isn't a happy merry place and we
> can't always tell who did something vs. who is impersonating them vs.
> if they're just plain LYING to cover their butts. Especially with
> students. "You can't prove I was using that computer so you can't
> nail me for it...someone else came in here and did it!" Well, fine.
> Slap them on the wrist, tell them to take measures to prevent it from
> happening in the future. After a few times, they shouldn't know
> better.
>

It's been my observation with schools that proof is really irrelevant when it comes to expulsions. Expelling someone is like a speeding ticket, if there's a preponderance of the evidence then out they go. Proof is really unnecessary.

And to the "not me" defense, well if you REALLY aren't positive that the student you're accusing actually did it, well then you can make them sign a statement that they didn't do it - and that they will keep their systems secured from now on.

That's YOUR way of handling it though, and in my opinion it weakens the administrator's authority. It's much better that if something happens and you aren't positive you have the culprit, that you say nothing and accuse nothing, and just start watching that person a whole lot more closely AND clean your own house (ie: replace hardware with better hardware) so you don't get caught with your pants down again.

And my point was that if you have the right network equipment then you CAN tell who did it.
If I had Sam Smith on my shitlist, and at 2:00am the MAC address on his port changed and my switch notified me, I'd be on the phone with the RA asking him to take a walk down there and see if Sam was asleep, or was up, or was up swapping the NIC on his PC. I might even go down there myself.

> I wasn't suggesting crucifying them for being stupid, but rather make
> it inconvenient or enough of a hassle for them that they take
> responsibility for their systems or their identities, or if they're
> lying, enough to make them consider not doing it again. Unless you can
> catch them red handed. Otherwise you're going to have a whole dorm of
> people claiming some friggin' ghost is using their computer to mess
> with the web server when they go take a leak for five minutes and of
> COURSE, they have NO CLUE how it happened. Jails are filled with
> innocent people. Just ask the prisoners.
>

Well your standard of proof here keeps changing. Frankly if I was running a college network and I actually caught someone red-handed with incontrovertible proof and witnesses and all that it would be calling the police and filing criminal charges time. I might not even bother expelling them, actually - all that does is send them back home to mother where the local prosecutor now has to waste a lot of tax money prosecuting them. Far better to leave them in school and let the local prosecutor fine them and make them do community service and all that. A few weeks cleaning ashtrays and wastebins at the local courthouse might be a far more effective punishment.

But if it was a preponderance of the evidence thing, to where criminal charges wouldn't hold up, then expel them. Sure, they might actually be innocent. Tough.
I've gotten a traffic ticket before where the cop lied and said I was going 45 in a 35 zone, I've also gotten trapped by a bunch of hillbilly cops one night and got a failure-to-dim-headlights-to-oncoming-traffic ticket when they searched me and my car simply because they didn't like the looks of me and pulled me over and found nothing, and were pissed about finding nothing. Both times I complained, both times the judge still fined me. Innocents do get blamed sometimes.

But if it was me doing the expelling, I wouldn't make an accusation in the first place unless the preponderance of the evidence was sky-high a-la OJ Simpson time.

> > He is having money troubles. However, just because he is having money
> > troubles does not change one iota what the only solution really is.
>
> 100% agree.
>
> > But I warned him that he is taking a huge risk here - if he really
> > pisses off someone that is knowledgeable, then he's going to be
> > royally screwed. 5 minutes with a packet sniffer will tell someone if
> > they are on a switch or a dumb hub, and as long as he's got any
> > dumb hubs on the network at all, he's taking a huge risk. And breaking
> > into insecure Windows systems - and they got at least 2000 ones to
> > try - is like shooting fish in a barrel.
>
> But of course. This conversely plays his ability for politics too.
> Take down the campus systems after warning the holders of the purse
> strings several times, then have it go all to hell for extended periods
> of time...either he'll lose his job, or the "I TOLD YOU!!!" will loosen
> the strings a bit. He's in a tough spot, and if management will NOT
> support him for a true fix, it's time to start polishing the resume',
> because it gets worse before getting better...if it ever does. Playing
> cat and mouse with a fledgling black hat will help with his skills
> though :-)
>
> Pissing off anyone who thinks they're "l337" carries risks.
> For all he
> knows, he may find his tires slashed if the kid gets nailed with an
> expulsion. Or servers that are vandalized from a breakin. He may be
> targeted to the point where paranoia is no longer unwarranted. You
> *never know*!!
>

So what. If it was me and my tires got slashed in this kind of circumstance I'd be asking my boss for a new set. If my boss told me to go to hell then I'd say "OK" and start looking for another job, and once I got it, the BSA and the SPA would get a dossier of all license violations on campus.

But most decent bosses in this instance wouldn't tell the administrator to go to hell. They might, though, tell him to slide the new tires in under an expense report.

And as for servers being vandalized - again, so what? What kind of an administrator are you if you cannot restore from your backups. That kind of thing HELPS you out because now you get all new servers without having to budget justify it. And the school can work with the police and decide if they want to investigate it further, in the meantime collect on their insurance policy.

If you're afraid of them you shouldn't be an administrator in the first place.

> And I'm not making light of the situation...these are all possible
> things. Maybe the kids will get bored and stop. Maybe they'll move on
> to other things. Maybe they just wanted to test the waters and thought
> this was amusing. Maybe they'll stop once they get a little nudge in
> the "um...not funny guys..." direction.
>
> They obviously aren't very bright or have a personal grudge if they're
> willing to take down school resources for amusement. They're shooting
> themselves in the foot. Sounds like they are idiots who are miffed at
> the school for something.
>
> > But, it really is like pissing into a fan to try to tell any of these
> > academic types this sort of thing.
> > All of them are so fragging hung
> > up on the cost end that they will happily chop their fingers off
> > to save a nickel - unless that is, they are buying new football jerseys
> > for the football team, or other sacred cow.
>
> True enough. That's why I suggested the above...the system goes down,
> it's amazing how that helps loosen the purse strings, because it's
> *needed* and they don't see that until something happens. The guy is
> trying to do his job but if they don't support him, that position will
> always be a temporary stepping stone to a real position where it won't
> lead to premature greying and nervous breakdowns.
>

Very true.

Ted

> -Bart
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
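
Added example, not part of the original message or of anything either poster ran: the message above describes a managed switch reporting that the MAC address on a port changed at 2:00am. The sketch below shows that check over a list of port/MAC observations. The "timestamp port mac" line format, the port names and the MAC values are all constructed for illustration; a real switch's notification format will differ.

```python
"""Flag switch ports whose learned MAC changes (constructed sample data)."""
from datetime import datetime

# Constructed sample: "timestamp port mac" lines in a hypothetical format,
# standing in for whatever MAC-change notifications a managed switch emits.
SAMPLE_EVENTS = """\
2004-10-03T21:14:02 dorm3-port12 02:00:00:00:00:12
2004-10-03T21:15:40 dorm3-port07 02:00:00:00:0a:07
2004-10-04T02:00:13 dorm3-port12 02:00:00:00:00:99
2004-10-04T02:04:51 dorm3-port12 02-00-00-00-00-99
2004-10-04T02:30:00 dorm3-port09 02:00:00:00:0A:07
"""

def normalize_mac(mac):
    """Canonicalise a MAC to lower-case colon form; reject malformed input."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_mac_changes(text):
    """Return alerts for (a) a port that learns a different MAC than before
    and (b) a MAC that shows up on a second port."""
    port_mac, mac_port, alerts = {}, {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, port, raw = line.split()
        when, mac = datetime.fromisoformat(stamp), normalize_mac(raw)
        old_mac = port_mac.get(port)
        if old_mac is not None and old_mac != mac:
            alerts.append((when, "port-mac-changed", port, old_mac, mac))
        old_port = mac_port.get(mac)
        if old_port is not None and old_port != port:
            alerts.append((when, "mac-moved", mac, old_port, port))
        port_mac[port], mac_port[mac] = mac, port
    return alerts

if __name__ == "__main__":
    for when, kind, subject, before, after in find_mac_changes(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M} {kind}: {subject} {before} -> {after}")
```

The same MAC written with dashes or in upper case is normalised before comparison, so only a real change of address on a port, or a known address appearing on a different port, raises an alert.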