Duke ITAC - November 15, 2001 Minutes

DUKE ITAC - November 15, 2001 Minutes


November 15, 2001

Members Attending: Ben Allen, Landen Bain, Mike Baptiste, Pakis Bessias, Ken Hirsh (for Dick Danner), Angel Dronsfield, Brian Eder, David Ferriero, Nevin Fouts, Ed Gomes, Patrick Halpin, Billy Herndon, Ben Donnelly (for Ken Knoerr), David Jamieson-Drake, Roger Loyd, Melissa Mills, Caroline Nisbet, George Oberlander, Lynne O'Brien, Mike Pickett, Rafael Rodriguez, Fred Westbrook, Robert Wolpert, Stephen Woody.

Guests: Guests present: Bob Currier, David Jarmul, Debbie DeYulia, Chris Cramer, Rob Carter, Sue Wasiolek, Kacie Wallace, Ginny Cake, Tracy Futhey.

Call to Order: Meeting called to order at 5:05 PM

Review of Minutes and Announcements:

  • It was announced that there would be an opportunity after the ITAC meeting to meet with one of the final candidates for the currently vacant CIO position. The candidate, Tracy Futhey, the current Vice Provost and Chief Information Officer at Carnegie Mellon, was scheduled to join the ITAC meeting and be available to meet ITAC members afterward.
  • Chris Cramer's 30th Birthday was announced. Everyone wished Chris a Happy Birthday. Chris's birthday present was being allowed to make a presentation to ITAC later in the meeting.
  • There were some corrections to last meetings minutes - those corrections were sent to Mike Pickett.

Student web page content

Dean Sue Wasiolek and Kacie Wallace (Judicial Affairs Officer):

Dean Sue gave a brief background of one of the recent incidents that has led to investigating policies regarding content on student web pages. There was an incident where a student web page had a profane statement that disturbed a group of people at Duke.

Currently, there are no specific policies related to student web pages unless the content consists of harassing behavior. If this occurs, it is handled through the student conduct judicial code. In situations like the one listed above, the protocol would be for the Dean's office to contact the student, tell them that their content is offensive to a group of people, and to suggest that they consider changing or removing the content.

That is their "policy" now or how they deal with situations that arise today. Dean Sue said that when the student is told someone has concerns over the content of the page, they let the student know and the student usually takes the page down or changes the content.


What would they do if the student would not take the page down?
Dean Sue said that because they lack a policy, they hope they are lucky. They are not in a position to force a student to take down or change their web page content. If the page did not demonstrate harassment that warranted disciplinary action, but was simply immature or offensive, and the student refused to change the page, then the page would still remain on the web site. Any other course of action could be in conflict with the student's freedom of speech. If someone feels personally threatened by the comments, which people tend to do when they deal with angry people on a consistent basis, or if a person were threatened by name, it would be referred to Duke Police as a threat and sent to the judicial board for consideration.

Is there a difference because it was on Duke equipment? What if it was on a web page outside of Duke?

Dean Sue says again, that the same policy would be followed. The student would receive a phone call from her office asking the student to remove or change the webpage. The issue of a call from the Dean's office being intimidating to a student was raised. Dean Sue said she could understand that a student could feel like there is an implied threat, but her office calls and asks the student's cooperation. They try to be cordial and ask that the student make the call as what action to follow so it would be less intimidating.

"What if the statement was about Islamic people rather than employees of the Parking office- would there be a difference?"

Some felt like there would be due to the fact that there is a safety concern for Islamic people in the current state of the world. However, some disagreed, they felt there was no difference, free speech is free speech. It was also stated that it is implied once you censor sites and the content on the sites; you have accepted responsibility of the content of all the sites on your system.

Dean Sue said they struggled with similar issues concerning the bridge between east and west campus and whether or not graffiti on the bridge should be painted over. However, it is considered a "free speech zone" and painting over words on it is offensive. She understands the issues are complex, and it is not just the electronic system that they need to make sure is in accordance; there are also other issues, such as the bridge. How much control do you want to have over that space?

Proposed security plans

Chris Cramer - IT Security Officer:

Chris passed out a list of 4 Priority security items.

Proposed Duke IT Security Projects Through 2002

Priority 1 Items:

  • Continue moving away from unencrypted services by turning off unencrypted email in favor of SSL encoded IMAP and POP. (summer 2002)
  • Continue adding educational/instructional material for users and systems administrators to the website. (on going)
  • Create a comprehensive list of systems administrators in both academic and administrative departments. (December 2001)
  • Improved handling of DMCA, security and abuse notifications - possible move to Remedy (February 2002)

Priority 2 Items:

  • Scanning of University machines for known vulnerabilities (already begun, will be expanded through the year)
  • Local firewall solution with detailed documentation and instructions (March 2002)
  • Upgrade IDS infrastructure to handle multiple sensors (May 2002)

Priority 3 Items:

  • Campus patch repository (fall 2002)
  • Improved information about ResNet computers (summer 2002)
  • Vulnerability scanning services for home and dorm computers (fall 2002)

Priority 4 Items:

  • Tripwire-like utility for all platforms (including AIX and Windows)
  • Move to encrypted ftp (sftp)

He went over the list to make sure they were in the correct priority.


One top priority was encrypted email and ftp. The issue of doing the same thing with email as was done with telnet moving to SSH was discussed.
The problem with doing secure ftp right now is that there is no secure Mac client. In order to make ftp secure, they would need to turn off ftp in general and move to sftp, which would leave the Mac users without ftp ability. There was discussion about the use of tunneling for Mac users.

It was decided to move encrypted ftp to Priority 1 and move to create a timeframe to have all email encrypted.

Discussion continued with how to persuade the rest of the university to go with OIT's lead to secure email servers.

Others brought up issues of performances of certain email clients that cannot handle encryption. It was suggested that a date be set and that unencrypted passwords are not allowed on the system after that date.

Concern was expressed that Eudora does not have SSL capability. Solutions include using Snareworks and stunnel.

The goal is to have no unencrypted passwords crossing the net by a certain date yet to be established.

Discussion included the question of should sys admins be informed that they have unencrypted systems (non - acpub). - Working to create a list of sys admins - See handout - Planning to track DMCA with Remedy - See handout Chris is giving a security talk for Students on Monday, Nov 19, 2001.

Discussion continued - there is a need to upgrade intrusion detection software to scan for vulnerabilities, also software applications that create servers out of clients, such as XP, need user education. A suggestion was made - create a proactive CD that will scan for ports open, etc. and detect vulnerabilities.

Introduction and initial observations about Duke and web services

    1. We are all struggling with the same issues: such as design, content management, e-business, search engine options, statistics, etc.
    2. Great things are happening around campus, for example, e-business, Fuqua and distance learning, etc. There is a wealth of creative people, but the coordination is not where it should be.
    3. How do we develop systems and an approach to develop systems effectively?
  • David Jarmul, Associate VP News and Communication

    He's the "web guy". He has been here about one month and had 3 main points:

    Rob Little has created a report on the current state of the web and now it is time to move from his observations to what we should do to move forward.

    There is a need to provide expertise to others at Duke to help them - guidance, tools, and direction.

    We should be working together on what we want the website to portray. The main Duke pages need to convey excitement of Duke, show the essence of Duke on the main page. How can we capture the "Dukeness of it all" It can't come from a central place, we need more collaborative model.

    David indicated that we need to think more creatively about how we package services. He has to come up with a plan and wanted feedback on who should be there to give input. He indicated that we need to look at web services organizationally, ask what we need on the web, and what we want.

    David said the scope is the main www.duke.edu page and one link off the homepage. Gradually move to a more unified look and feel.

    A major issue is to make sure our web pages work on the largest majority of the browsers. What people need to be involved? It was said that it was essential to involve faculty. It was mentioned that it is very hard to find things on the main page or on Duke's webpage. You need to be able to go to the main page and be able to find the answers to your questions. It was decided that ITAC would be a focus group for this project. David Jarmul said to please send him any suggestions, etc to david.jarmul@duke.edu or call him at 684-6815.

Internet Traffic Issues

Bob Currier, Director ECI

Outbound Internet traffic was at an all time high due to peer-to-peer file sharing. Bob said two weeks ago Duke was the number one contributor to outbound traffic on NCREN. When they looked closer, the majority of the traffic was coming from peer to peer file-sharing applications on student PCs in the dorms (ResNet).

They looked at the volume of traffic being generated by UNC and NC State as a guide and set a goal of trying not to exceed their output (a little over 100 mb/sec). By putting a 25 mb/sec limit on outbound traffic to the internet from ResNet, ECI staff was able to reduce Duke's total output to the 120 mb/sec range. As a test, Duke ResNet limits were removed for 2 hours and outbound traffic rose from 120 to over 500 mb/sec. This rate approached the entire bandwidth available to all of the NCREN schools in the state of North Carolina and had a debilitating impact on other schools. With the 25 mb/sec limit in place, there are no restrictions on uploading from one Duke site to another Duke site, it is only outgoing from Duke.

The computer lab machines do not have outgoing limits at this point.

Without limits, Duke severely impacts other schools in the NCREN community. We must educate the students as to the max outbound and work with the student reps to come up with an education program. ITAC student representatives will work with OIT staff to come up with steps that students can take to reduce inadvertent outgoing traffic.