CIT News and Views Vol 2006-07, Issue 02

CIT News and Views
23-Mar-2007	Irvin E. Houck Center for Information Technology - Contact Us at: cit@oberlin.edu	Vol 2006-07, Issue 02
In This Issue: CALEA - What Does This Mean for Oberlin College and YOU? Network Authentication Required for All Computers Accessing the College Network Sponsored Accounts Self-Service Password Changing To Be Available Before Semester Ends! VPN Now Available for Use! Software Downloads Now Available From Off-Campus! Improvements in Network Security RIAA Takes Stronger Measures Against Copyright Violators - Don't Let This Happen to You! CALEA - the Communications Assistance for Law Enforcement Act of October 1994 Background: CALEA was originally established to aid law enforcement in conducting surveillance of citizens via digital telephone networks. The Act obliges telephone companies to make it possible for law enforcement agencies to tap any telephone conversations carried out over its networks, and to make call detail records available. (1) In September 2005, the FCC issued an order extending CALEA to providers of broadband Internet access and interconnected voice-over-IP services. A higher education or research institution should be fully exempt from CALEA if it satisfies two criteria: (1) its network qualifies as a “private network,” and (2) it does not “support” the connection of the private network to the Internet. This means that an institution should be exempt when it restricts the use of its network to particular classes of users (e.g., students, faculty, and administrators), and when the institution relies on a third party (such as a commercial ISP or a regional network) to provide the transmission and switching facilities used to route traffic to the Internet, rather than self-supplying such facilities. (2) What this means for Oberlin College: In order to be exempt from CALEA, and, thus, not be required to file CALEA-mandated reports (System Security and Integrity Report and Monitoring Report), Oberlin College must have a "private" network. In order to be considered "private" we must allow only access by faculty, staff, or students, or other "known" parties (such as visiting faculty, persons using our facilities for summer conferences, Oberlin Inn guests, etc.). In order to only allow access by "known" users, we must require users to authenticate to the network, using their assigned usernames and passwords. The College's law firm, Frantz Ward LLP, has stated "After reviewing Oberlin's network, used for the expressive use of the Oberlin College community, we believe that Oberlin will be considered a private network under CALEA with one very important change - requiring authentication of all network users." (3) Students have had to authenticate to the residential side of the network (Resnet) for almost three years now. This was instituted after the Fall of 2003, when most college campuses were hit hard by a wave of viruses. In order to ensure computers (especially Windows computers) are cleaned of viruses, and updated with the latest operating system security patches, before accessing Resnet, the students were (and are) required to "authenticate". The authentication process requires a user to open a web browser, where one can only reach the authentication page, and login using one's Oberlin College e-mail account username and password. The authentication process, known as Network Admission Control (NAC), checks the computer for viruses and updates, and directs the user to other online resources if problems are found. If the system is clean and up-to-date, the user can then access resources as usual. So, in order for us to be compliant with the requirements allowing us to be "exempt" from CALEA, we must institute the following measures: require all users of the College network to authenticate before being allowed access require all users of wireless capability to authenticate before being allowed the use of wireless require all "guests" to be assigned accounts (see Sponsored Accounts below) and then authenticate before being allowed access require logins on all Macintosh lab computers (as has been the case on all Windows computers) Network Authentication Required for All Computers Accessing the College Network Therefore, due to the requirements for exemption from CALEA (discussed above), all Oberlin College network users will be required to authenticate to the network prior to gaining access. This will be the case for faculty, staff, students, and guests. Faculty, Staff and Students will need to authenticate once a month, starting 24 April 2007.	To authenticate to the network, you must do the following: login to your computer, if a login is required open a web browser follow the online instructions Once you have authenticated, you will be able to access network resources as usual. Faculty and staff Windows users should be able to login to their computers as usual. If you cannot login, you will just need to select Workstation Only and then open up a web browser and follow the instructions. Guests: Guests will be assigned a Sponsored Account (see below) and will be required to login with that account and authenticate as described above. This will be the case for Oberlin Inn guests, as well as visiting faculty, visiting administrators, conference attendees, parents, and others sponsored by Oberlin College personnel. See details in the section below on Sponsored Accounts. Sponsored Accounts In order to allow visiting, non-Oberlin College personnel the ability to access the College network, and still be compliant with the requirements for a private network (thus maintaining exemption from CALEA), guest network users will also be required to authenticate. In order to authenticate, they must have an assigned account. Thus, we have developed the process of creating "Sponsored Accounts". Sponsored Accounts are accounts that can be created ("sponsored") by any Oberlin College account holder (faculty, staff, or student) for guest users. The account will have restricted privileges, essentially allowing Internet access only. Oberlin College account holders can sponsor up to six accounts, with each sponsored account remaining effective for a maximum of five days. Some account holders will be able to create sponsored accounts with larger allocations, such as Oberlin Inn personnel, and Conference Services personnel. Oberlin College account holders - faculty, staff, and students - will authenticate via a secure web page and then will have the ability to see their existing sponsored accounts, as well as create and delete accounts. Account USERIDs for the guest will be generated automatically. The sponsor will be responsible for the activity on the sponsored account, ensuring compliance with the College's "Policy for the Acceptable Use of Information Technology Resources". Details on creating Sponsored Accounts will be available soon from the CIT main web page. Self-Service Password Changing To Be Available Before the Semester Ends! The one CIT practice that has caused the most number of high-anxiety calls and visits to the Help Desk has been the manner in which password changes have had to be made. Users have had to use ObieMail to change their passwords, or visit the Help Desk or fax a photo ID to the Help Desk in order to get a password reset (for forgotten or expired passwords). We have developed a new process that allows users the ability to change their passwords, or reset them, themselves, via a web page. In order to do this, users will first need to establish responses to "password recovery questions". In conjunction with this new process, we are also combining Netware accounts with e-mail accounts. Faculty and staff users of College-assigned Windows computers will also have their computer logins synchronized with this account. This moves us closer to the concept of "Single Sign-On", wherein one account provides access to multiple systems. To date, one's e-mail account also provides access to one's personal web account (if established), and one's Blackboard account. Now, this single-account, which will now be known as one's ObieID, will provide access to e-mail, personal web account, Blackboard, Netware, and college-owned Windows computer (if assigned). The Netware account is used to access stu and staff LOCKER (personal storage space on a central server). (Note that ObieID Self Service will not function with the Safari web browser.) This service will become active in early May 2007. Full details will be available soon from the CIT main web page. VPN Now Available for Widespread Use! CIT now provides VPN (Virtual Private Network) access for use by Oberlin College personnel - faculty, staff and students. When your computer is connected to the Oberlin College VPN, all of your network traffic comes back to Oberlin College through a type of secure network "tunnel". The Oberlin College VPN provides Oberlin College personnel who are off-campus with full access to campus network resources, and provides secure transmissions while using on-campus wireless connectivity. VPN keeps your network traffic (such as passwords, credit card info, etc.) secure during the transmission process. To use VPN, you will need to use your personal (not group, departmental, or sponsored) Oberlin College e-mail account username and password, and you will need the VPN client installed on your computer. The VPN client is available from the CIT Software Download web pages. You can now download the client, even while off-campus, by entering your e-mail account username and password when requested in the pop-up box (see details in section on Software Downloads). Further details about VPN can be found on the CIT website.	Software Downloads Now Available From Off-Campus! In the recent past, being able to download software, such as the VPN client, required you to be on campus due to licensing requirements. This proved to be quite frustrating for people off-campus, needing certain software applications. They either had to await their return to campus, or contact CIT for delivery of the software via some other mechanism. Now, we have made the software on the CIT Standard Software web pages available to College personnel from either on or off-campus, by allowing authentication to a secure server. Thus, now when accessing the Standard Software pages, a pop-up window will request entry of the user's e-mail account username and password. Once this information is entered, the software will be available for downloading. You can try this by visiting the Standard Software web link, which is also available from the CIT main web page. Improvements in Network Security Starting in December 2006, CIT began making modifications to the network to greatly enhance security. We also changed our basic network configuration philosophy. In the past, we generally allowed most inbound network traffic and blocked only what we knew to be bad. Now, we've moved to blocking everything and allowing only what we know to be good and needed/desired. These days, there's just too much bad out there for us to track, and the impact of having problems has become increasingly complex and difficult to resolve. The changes we've been making restrict connections made from the Internet (external to campus) to devices and services on our campus network, but not those from Oberlin out to the Internet. Our intent is to allow some widely-used and necessary inbound traffic (e-mail, web, etc.) and disallow all other types of inbound network traffic. This process of enhancing network security is a continuing one. See complete details online. RIAA Takes Much Stronger Measures! The Recording Industry Association of America (RIAA) has recently instituted stronger measures in dealing with copyright violators. In late February 2007, they announced "...a new and strengthened campus anti-piracy initiative that significantly expands the scope and volume of its deterrent efforts while offering a new process that gives students the opportunity to avoid a formal lawsuit by settling prior to a litigation being filed." (4) RIAA is now sending letters to colleges and universities, informing them of a forthcoming copyright infringement lawsuit against one of their students or personnel. The RIAA requests that those letters get forwarded to the appropriate person. Under this new approach, a student (or other user) "can settle the record company claims against him or her at a discounted rate before a lawsuit is ever filed." (5) As noted in an e-mail message to the Oberlin College community from John Bucher, Oberlin College's Chief Technology Officer (CTO) and Director of the Center for Information Technology, dated 09 March 2007, the College's lawyers have advised the College to deliver (without revealing the user's name to the RIAA) any pre-litigation letters received. If the recipient declines the propitiation settlement, and the College then receives a subpoena seeking to identity the recipient, we will require RIAA to comply with the Digital Millennium Copyright Act (DMCA) and the Federal Education Rights and Privacy Act (FERPA) guidelines. (6) IT IS IMPERATIVE THAT YOU UNDERSTAND THE POTENTIAL CONSEQUENCES of downloading copyrighted material - music, video, games, etc. - for which you do not have the copyright holder's permission. You are responsible for the activity on your computer, even if you have allowed someone else to use it and they violate copyright law. We also sometimes hear from users that they didn't understand that they violated copyright law. As RIAA notes, "Ignorance of the law is not an excuse." (7) In instances of copyright violations the College has received thus far, the process has been as follows: Once notification of the alleged violation is received by the College's DMCA Agent, we are required to immediately remove access to the offending computer. We have then informed the user of the violation and notified him/her that network access for his/her computer will be removed for 30 days. For a first offense, the user must then send a message to the Director of CIT, noting that the offending material has been removed. For follow-on offenses, the user must also explain his/her activity to the Dean of Students Office judicial representatives. Once the 30-days has passed, access is re-established. Now, once a pre-litigation letter is received and delivered to the user, the 30-day timeline will still be in effect, but the user is no longer supposed to remove the material. RIAA notes: "...once litigation becomes a possibility, deleting music files or the P2P service from your computer would violate your obligation to preserve evidence." (8) We urge all Oberlin College personnel to be aware of the serious, and very real, negative consequences of violating copyright law, and to AVOID DOING SO! References: (1) Wikipedia (2) EDUCAUSE website (3) Memo from Gladstone, Klein, and Fenstermaker, Frantz Ward LLP, to John Bucher, Oberlin College CTO, et al, dated 26 January 2007 (4) RIAA website (5) RIAA website (6) E-mail message from John Bucher, Oberlin College CTO, to all faculty, staff, and students, dated 09 March 2007. (7) RIAA website - FAQs (8) RIAA website - FAQs

CIT News and Views

23-Mar-2007

Irvin E. Houck Center for Information Technology - Contact Us at: cit@oberlin.edu

Vol 2006-07, Issue 02

In This Issue:

CALEA - What Does This Mean for Oberlin College and YOU?

Network Authentication Required for All Computers Accessing the College Network

Sponsored Accounts

Self-Service Password Changing To Be Available Before Semester Ends!

VPN Now Available for Use!

Software Downloads Now Available From Off-Campus!

Improvements in Network Security

RIAA Takes Stronger Measures Against Copyright Violators - Don't Let This Happen to You!

CALEA - the Communications Assistance for Law Enforcement Act of October 1994

Background:

CALEA was originally established to aid law enforcement in conducting surveillance of citizens via digital telephone networks. The Act obliges telephone companies to make it possible for law enforcement agencies to tap any telephone conversations carried out over its networks, and to make call detail records available. (1)

In September 2005, the FCC issued an order extending CALEA to providers of broadband Internet access and interconnected voice-over-IP services. A higher education or research institution should be fully exempt from CALEA if it satisfies two criteria:

(1) its network qualifies as a “private network,” and (2) it does not “support” the connection of the private network to the Internet.

This means that an institution should be exempt when it restricts the use of its network to particular classes of users (e.g., students, faculty, and administrators), and when the institution relies on a third party (such as a commercial ISP or a regional network) to provide the transmission and switching facilities used to route traffic to the Internet, rather than self-supplying such facilities. (2)

What this means for Oberlin College:

In order to be exempt from CALEA, and, thus, not be required to file CALEA-mandated reports (System Security and Integrity Report and Monitoring Report), Oberlin College must have a "private" network. In order to be considered "private" we must allow only access by faculty, staff, or students, or other "known" parties (such as visiting faculty, persons using our facilities for summer conferences, Oberlin Inn guests, etc.). In order to only allow access by "known" users, we must require users to authenticate to the network, using their assigned usernames and passwords. The College's law firm, Frantz Ward LLP, has stated "After reviewing Oberlin's network, used for the expressive use of the Oberlin College community, we believe that Oberlin will be considered a private network under CALEA with one very important change - requiring authentication of all network users." (3)

Students have had to authenticate to the residential side of the network (Resnet) for almost three years now. This was instituted after the Fall of 2003, when most college campuses were hit hard by a wave of viruses. In order to ensure computers (especially Windows computers) are cleaned of viruses, and updated with the latest operating system security patches, before accessing Resnet, the students were (and are) required to "authenticate". The authentication process requires a user to open a web browser, where one can only reach the authentication page, and login using one's Oberlin College e-mail account username and password. The authentication process, known as Network Admission Control (NAC), checks the computer for viruses and updates, and directs the user to other online resources if problems are found. If the system is clean and up-to-date, the user can then access resources as usual.

So, in order for us to be compliant with the requirements allowing us to be "exempt" from CALEA, we must institute the following measures:

require all users of the College network to authenticate before being allowed access

require all users of wireless capability to authenticate before being allowed the use of wireless

require all "guests" to be assigned accounts (see Sponsored Accounts below) and then authenticate before being allowed access

require logins on all Macintosh lab computers (as has been the case on all Windows computers)

Network Authentication Required for All Computers Accessing the College Network

Therefore, due to the requirements for exemption from CALEA (discussed above), all Oberlin College network users will be required to authenticate to the network prior to gaining access. This will be the case for faculty, staff, students, and guests.

Faculty, Staff and Students will need to authenticate once a month, starting 24 April 2007.

To authenticate to the network, you must do the following:

login to your computer, if a login is required
open a web browser
follow the online instructions

Once you have authenticated, you will be able to access network resources as usual.

Faculty and staff Windows users should be able to login to their computers as usual. If you cannot login, you will just need to select Workstation Only and then open up a web browser and follow the instructions.

Guests: Guests will be assigned a Sponsored Account (see below) and will be required to login with that account and authenticate as described above. This will be the case for Oberlin Inn guests, as well as visiting faculty, visiting administrators, conference attendees, parents, and others sponsored by Oberlin College personnel. See details in the section below on Sponsored Accounts.

Sponsored Accounts

In order to allow visiting, non-Oberlin College personnel the ability to access the College network, and still be compliant with the requirements for a private network (thus maintaining exemption from CALEA), guest network users will also be required to authenticate. In order to authenticate, they must have an assigned account. Thus, we have developed the process of creating "Sponsored Accounts".

Sponsored Accounts are accounts that can be created ("sponsored") by any Oberlin College account holder (faculty, staff, or student) for guest users. The account will have restricted privileges, essentially allowing Internet access only. Oberlin College account holders can sponsor up to six accounts, with each sponsored account remaining effective for a maximum of five days. Some account holders will be able to create sponsored accounts with larger allocations, such as Oberlin Inn personnel, and Conference Services personnel.

Oberlin College account holders - faculty, staff, and students - will authenticate via a secure web page and then will have the ability to see their existing sponsored accounts, as well as create and delete accounts. Account USERIDs for the guest will be generated automatically. The sponsor will be responsible for the activity on the sponsored account, ensuring compliance with the College's "Policy for the Acceptable Use of Information Technology Resources".

Details on creating Sponsored Accounts will be available soon from the CIT main web page.

Self-Service Password Changing To Be Available Before the Semester Ends!

The one CIT practice that has caused the most number of high-anxiety calls and visits to the Help Desk has been the manner in which password changes have had to be made. Users have had to use ObieMail to change their passwords, or visit the Help Desk or fax a photo ID to the Help Desk in order to get a password reset (for forgotten or expired passwords).

We have developed a new process that allows users the ability to change their passwords, or reset them, themselves, via a web page. In order to do this, users will first need to establish responses to "password recovery questions".

In conjunction with this new process, we are also combining Netware accounts with e-mail accounts. Faculty and staff users of College-assigned Windows computers will also have their computer logins synchronized with this account. This moves us closer to the concept of "Single Sign-On", wherein one account provides access to multiple systems. To date, one's e-mail account also provides access to one's personal web account (if established), and one's Blackboard account.

Now, this single-account, which will now be known as one's ObieID, will provide access to e-mail, personal web account, Blackboard, Netware, and college-owned Windows computer (if assigned). The Netware account is used to access stu and staff LOCKER (personal storage space on a central server). (Note that ObieID Self Service will not function with the Safari web browser.)

This service will become active in early May 2007. Full details will be available soon from the CIT main web page.

VPN Now Available for Widespread Use!

CIT now provides VPN (Virtual Private Network) access for use by Oberlin College personnel - faculty, staff and students. When your computer is connected to the Oberlin College VPN, all of your network traffic comes back to Oberlin College through a type of secure network "tunnel". The Oberlin College VPN provides Oberlin College personnel who are off-campus with full access to campus network resources, and provides secure transmissions while using on-campus wireless connectivity. VPN keeps your network traffic (such as passwords, credit card info, etc.) secure during the transmission process.

To use VPN, you will need to use your personal (not group, departmental, or sponsored) Oberlin College e-mail account username and password, and you will need the VPN client installed on your computer. The VPN client is available from the CIT Software Download web pages. You can now download the client, even while off-campus, by entering your e-mail account username and password when requested in the pop-up box (see details in section on Software Downloads).

Further details about VPN can be found on the CIT website.

Software Downloads Now Available From Off-Campus!

In the recent past, being able to download software, such as the VPN client, required you to be on campus due to licensing requirements. This proved to be quite frustrating for people off-campus, needing certain software applications. They either had to await their return to campus, or contact CIT for delivery of the software via some other mechanism.

Now, we have made the software on the CIT Standard Software web pages available to College personnel from either on or off-campus, by allowing authentication to a secure server. Thus, now when accessing the Standard Software pages, a pop-up window will request entry of the user's e-mail account username and password. Once this information is entered, the software will be available for downloading. You can try this by visiting the Standard Software web link, which is also available from the CIT main web page.

Improvements in Network Security

Starting in December 2006, CIT began making modifications to the network to greatly enhance security. We also changed our basic network configuration philosophy. In the past, we generally allowed most inbound network traffic and blocked only what we knew to be bad. Now, we've moved to blocking everything and allowing only what we know to be good and needed/desired. These days, there's just too much bad out there for us to track, and the impact of having problems has become increasingly complex and difficult to resolve.

The changes we've been making restrict connections made from the Internet (external to campus) to devices and services on our campus network, but not those from Oberlin out to the Internet. Our intent is to allow some widely-used and necessary inbound traffic (e-mail, web, etc.) and disallow all other types of inbound network traffic. This process of enhancing network security is a continuing one. See complete details online.

RIAA Takes Much Stronger Measures!

The Recording Industry Association of America (RIAA) has recently instituted stronger measures in dealing with copyright violators. In late February 2007, they announced "...a new and strengthened campus anti-piracy initiative that significantly expands the scope and volume of its deterrent efforts while offering a new process that gives students the opportunity to avoid a formal lawsuit by settling prior to a litigation being filed." (4)

RIAA is now sending letters to colleges and universities, informing them of a forthcoming copyright infringement lawsuit against one of their students or personnel. The RIAA requests that those letters get forwarded to the appropriate person. Under this new approach, a student (or other user) "can settle the record company claims against him or her at a discounted rate before a lawsuit is ever filed." (5)

As noted in an e-mail message to the Oberlin College community from John Bucher, Oberlin College's Chief Technology Officer (CTO) and Director of the Center for Information Technology, dated 09 March 2007, the College's lawyers have advised the College to deliver (without revealing the user's name to the RIAA) any pre-litigation letters received. If the recipient declines the propitiation settlement, and the College then receives a subpoena seeking to identity the recipient, we will require RIAA to comply with the Digital Millennium Copyright Act (DMCA) and the Federal Education Rights and Privacy Act (FERPA) guidelines. (6)

IT IS IMPERATIVE THAT YOU UNDERSTAND THE POTENTIAL CONSEQUENCES of downloading copyrighted material - music, video, games, etc. - for which you do not have the copyright holder's permission. You are responsible for the activity on your computer, even if you have allowed someone else to use it and they violate copyright law. We also sometimes hear from users that they didn't understand that they violated copyright law. As RIAA notes, "Ignorance of the law is not an excuse." (7)

In instances of copyright violations the College has received thus far, the process has been as follows:

Once notification of the alleged violation is received by the College's DMCA Agent, we are required to immediately remove access to the offending computer.
We have then informed the user of the violation and notified him/her that network access for his/her computer will be removed for 30 days.
For a first offense, the user must then send a message to the Director of CIT, noting that the offending material has been removed. For follow-on offenses, the user must also explain his/her activity to the Dean of Students Office judicial representatives.
Once the 30-days has passed, access is re-established.

Now, once a pre-litigation letter is received and delivered to the user, the 30-day timeline will still be in effect, but the user is no longer supposed to remove the material. RIAA notes: "...once litigation becomes a possibility, deleting music files or the P2P service from your computer would violate your obligation to preserve evidence." (8)

We urge all Oberlin College personnel to be aware of the serious, and very real, negative consequences of violating copyright law, and to AVOID DOING SO!

References:

(1) Wikipedia

(2) EDUCAUSE website

(3) Memo from Gladstone, Klein, and Fenstermaker, Frantz Ward LLP, to John Bucher, Oberlin College CTO, et al, dated 26 January 2007

(4) RIAA website

(5) RIAA website

(6) E-mail message from John Bucher, Oberlin College CTO, to all faculty, staff, and students, dated 09 March 2007.

(7) RIAA website - FAQs

(8) RIAA website - FAQs