A guide prepared by the Office of Information Systems at Pittsburg State University
No jokes, please. Some of us in OIS have lost our sense of humor. It's not that we're bad people; we simply have a professional aversion to horseplay. If you disrupt one of our systems, and then plead that you were only "having fun", we react in approximately the same way as the airport security folks when you tell them you were only kidding about having a bomb.
Bottom line: we take this stuff seriously. The reason is simple. An awful lot of people depend on the systems we administer. It's bad enough that we (and you) have to contend with fickle hardware and buggy software. We do our best to keep things running despite crashed disks and fried network hubs. So after all that, we don't take it very well when some prankster tries to show the world how smart he or she is by disrupting the systems so many of us use every day.
You may be wondering what is and is not frowned upon. The purpose of this guide is to help clarify our position, as if that were really necessary. Let's be frank: if you're smart enough to cause trouble, you're smart enough to know you're causing trouble. If you need a simple rule of thumb, this is it: if you suspect that what you're doing might be against the rules, then it probably is.
Sounds like we have our back up, doesn't it? That's not really our intention. Truth is - we want you and all our clientele to get maximum use, utility and enjoyment out of the systems we administer. We want you to send and receive email, surf the net, browse the web, read news, work on programming assignments, collaborate on research, do statistical modeling, and - yes - have a good time. If your sole intention is to do exactly that, then you may not even want to read the remainder of this guide - it probably isn't meant for you.
If, on the other hand, you're fascinated with the notion of getting into places where you shouldn't be, then read on. We want to be sure we've reached an understanding about the types of behavior which are off limits in a community which depends upon mutual respect and equitable use of shared resources.
PSU has a formal policy statement about what is and is not allowed on our computers and network. That statement is necessarily general. This guide is an exposition which will speak at greater length about the kinds of things prohibited by the policy statement, but it is not a definitive description of each and every possible violation. After reading it you will surely know where we (and you) stand, even if the particular activity you contemplate is not expressly described.
Let us begin. The following (but not just the following) are forbidden on PSU's network and systems:
- Spoofing and Misrepresentation
- Using Unauthorized IP Addresses
- Scans and Probes
- Possession of Threatening Programs, Trojan Horses, Etc.
- Harassment
- Using Someone Else's Account
- Allowing Someone Else to Use Your Account
- Sniffing and Unauthorized Network Monitoring
- Denial of Service Attacks
- Malicious or Flippant Attempts to Degrade the System
- Exploiting Operating System Holes
- Attempts to Obtain Unauthorized Access to Any System
- Attaching Any Unauthorized Equipment to the Campus Network
We'll now cover each of these items in more detail.
Spoofing and Misrepresentation
Any attempt on your part to misrepresent who you are or where you are operating from while on PSU's network or any of its systems is strictly forbidden. Such misrepresentation must be viewed as an attempt to provide cover for an illegal activity or a policy violation. And, in fact, it is also against the law of the State of Kansas. This includes IP address spoofing, manipulating login program options to hide or fake the host from which you are connecting, fudging email headers, etc.
Using Unauthorized IP Addresses
OIS alone is responsible for administering the pool of IP addresses used on PSU's network. The alternative is no more workable than each household picking its own telephone number without regard for area code, exchange prefix, or whether that number is assigned to someone else. A rogue computer using an unauthorized IP address can cause severe disruption of the entire network, whether intentionally or not. All computers and computer equipment connected to the campus network must use only the IP addresses assigned by OIS. The rule is simple: if you don't work for OIS, don't mess with the network address on any computer, be it on your desktop, in your campus residence, or in one of the computer labs. If you suspect a problem related to your computer's network address, contact OIS for assistance.
Scans and Probes
Computer and network administrators are a touchy lot these days. They get nervous when their defenses are probed, fearing that it may be a prelude to an attack. It's kind of like how some folks feel when a suspicious stranger prowls the neighborhood looking for unattended houses. This is pretty much common sense, but let's make it clear: it is absolutely forbidden to use PSU's network or computers to probe any system, whether on or off campus. Don't even think about doing it. If you have in your possession software such as "strobe" or "SATAN", you're in violation of this rule. And if you get caught in this type of activity, don't tell us you were "only trying to help" alert the target system that it is vulnerable.
Possession of Threatening Programs, Trojan Horses, etc.
So we may as well get right to the point. Having in your possession software whose obvious intent is to do mischief is equivalent to doing mischief. It's against the rules. It doesn't matter whether it's source code or executable; whether you wrote it yourself or got it off the net. If you have it in your possession, whether or not you've used it, you're in trouble. This includes all kinds of software, but you don't have to be Einstein to understand the genre to which we refer. It includes software, such as was mentioned in the previous item, which allows you to probe systems for holes and vulnerabilities. It includes software "viruses" whose intent is to "infect" other software and systems. It includes software whose intent is to overwhelm the resources of a computer system, either from within or without, in an attempt to disrupt its operation (denial of service attacks). It includes software known as "trojan horses", such as a fake login program designed to capture other peoples' passwords. Don't even keep programs like these around; they'll only get you in trouble. And don't say you're only trying to "study" these programs. Only the bad guys care about this stuff. Spend your time doing something worthwhile and really challenging, like writing a string class in C++.
Harassment
One really good way to become persona non gratis around here is to use our systems or network for purposes of harassment. That includes harassment using email, talk, chat, whatever. What is harassment? It is threatening, pestering, persistently obnoxious or disruptive behavior directed toward an individual. It won't be tolerated.
Using Someone Else's Account
Each computer account at PSU is issued to a single individual. For reasons of security and accountability, only the person to whom an account was issued is allowed to use it. It is, of course, an especially egregious violation if you use a person's account without their knowledge, but it is also against the rules to use another's account even with that person's knowledge and permission. Every PSU student, faculty and staff member is encouraged to use the computer, but if you wish to do so please get your own account.
Allowing Someone Else to Use Your Account
Allowing anyone but yourself to use your account is forbidden. See the preceding item for details. It is especially important that you protect your password and keep it strictly to yourself. Persons who intend to violate the system like to do so using someone else's account in order to cover their tracks. Some folks just like to snoop around your personal stuff or delete your files. Don't become a victim by allowing others to see your password. Keeping your password safe also helps with overall system security and for that we thank you.
Sniffing and Unauthorized Network Monitoring
"Sniffing" the network, monitoring network traffic, setting your computer's adapter to "promiscuous" mode, and other such activities are all strictly forbidden, as is having in your possession software which does these things. Sniffing is akin to wire tapping, which is illegal. Don't do it in your campus residence. Don't do it in the lab. Don't do it anywhere. This kind of activity will get you into big trouble.
Denial of Service Attacks
"Denial of service" attacks are attacks upon a computer or network which attempt to disable it by overwhelming its resources. This can be done by flooding a network with noise or spurious traffic; by flooding a computer with TCP connection attempts; by sending "mail bombs", etc. It can also be done from within by writing a program which intentionally wastes system resources, be they CPU or other (see the next item). Doing this kind of thing puts you in the category of bomb thrower and saboteur - pretty unsavory company. It can also land you in jail.
Malicious or Flippant Attempts to Degrade the System
Sure, you could write a program which forks processes as fast as it possibly can. Or one which does nothing but spin, sucking up as much of the CPU as possible. But why would you want to do such a thing? You'd only upset some already grumpy people at OIS, and would probably get your own privileges revoked as well. Let's face it; you really don't have to be much of a genius to bring the system to its knees. Truth is, you don't have to very smart at all. So why not spend your time writing cool software that does something impressive?
Exploiting Operating System Holes
It's a fact of life that operating systems have holes, and that there are bad guys out there who spend a lot of time figuring out new ways to break into computer systems. It's not that hard to find a description of the latest hole and try to exploit it. You can get software off the net that does exactly that. Just don't think it's ok. Just don't think that because you can do it, it's ok that you do it. That's like saying its ok for you to walk into someone's house and take their TV because they didn't lock their front door. That could get you thrown in jail, and so can breaking into computer systems.
Attempts to Obtain Unauthorized Access to Any System
Don't mess with any computer that you don't have legitimate business with. Remember: curiosity killed the cat, and it could get you into trouble. Just because a computer is on the net doesn't mean it is fair game for your curiosity. If you're not invited, keep out. That goes for computers on or off PSU's network. And by the way, this proscription includes trying to obtain unauthorized access to certain off-limit areas of a computer on which you have a legitimate account.
Attaching any Unauthorized Equipment to the Campus Network
It is absolutely forbidden to attach any computer equipment to the campus network without prior authorization. OIS must know who is operating on the network, where they are operating from, and what kind of equipment they are using. OIS must further know the hardware address of the connected network adapter, and will usually insist on providing that adapter. OIS will also provide an IP address to any network computer equipment which will be using IP. The network is a shared resource, with many potential failure points. It requires careful, informed management. Security considerations aside (and there are many of those as well), the network cannot function without such management. It is no more appropriate to connect to the network without authorization than it is to climb the telephone pole outside your house to activate your cable service.
Possession of Threatening Programs, Trojan Horses, etc.
We've done this one already, but it's worth repeating. Now that we've covered a number of examples of forbidden activity, it is worth repeating that you must not have in your possession any software which does these things. We will state it again unambiguously: possession of software whose purpose is to cause damage or do mischief is will be treated as intent to cause damage or do mischief.
The Letter or the Spirit
We've talked about a number of ways you could, were you so inclined, disrupt the computer systems or network at PSU, or disrupt systems external to PSU. The intention has been to give examples of proscribed activity, not to itemize every possible violation. In fact, PSU's official policy statement (which this is not) is intentionally general for the simple reason that it is impossible to define in minute detail every possible way that a person might be in breach of computer propriety. We are more concerned here with the spirit than with the letter of the law. We hope that you'll abide by the spirit, which by now should be abundantly clear. If you instead prefer to split hairs, argue technicalities, and push the envelope of acceptable behavior, you are probably on a collision course with trouble.
Speaking of the Law
PSU's policies aside, there is a great deal of flux these days with regard to the legal definitions and consequences of computer crime. You may be surprised to learn that many of the activities we have discussed here could place you in serious confrontation with the law. In general, lawmakers are clamping down on computer crime, and Kansas is no exception. Gone are the days of the free spirit hacker who treats the net as his personal playground. Nowadays too many people depend on their computer systems, and the law increasingly recognizes this.
What We'll Do
As was mentioned at the outset, we at OIS take this stuff seriously. We intend to monitor our systems and catch the bad guys. That's our job. Not because we like it. In fact, we'd rather spend our time putting up new web servers and offering new services, and responding more rapidly to all the commitments we already have. Given that computer criminals waste lots of our time and lots of our clientele's time, we're rather inclined to take the severest possible measures that seem warranted. Would we turn over a violator to the authorities for prosecution? In a heartbeat. Are we busy collecting evidence? You bet we are.
You should also be aware that there is a time honored tradition of cooperation among system administrators with respect to mutual security. We are occasionally contacted by administrators from across the Internet when probes or attacks originate from one of PSU's systems. It is our normal practice to supply any pertinent information from our logs to assist other sites with building a legal case against violators of their systems.
Legal penalties aside, any person who violates PSU's computer polices runs the risk of having all his use privileges revoked. And, when conditions warrant, there are additional university judicial procedures available, with the most severe result being expulsion from the university.
A Full Accounting
You think we're overreacting? The criminal break-in of PSU's main academic and mail system in February 1997 resulted in:
- three days of down time and consequent lost productivity
- the loss of a significant amount of email, some of it pertaining to official university business, and all of it important
- scores of hours of staff time spent repairing the damage and securing the system
- the issuance of new passwords for our many thousands of user accounts (each one of those persons must come to our service window to pick up his new password before he or she can use the system)
- a total cost to the university estimated in the thousands of dollars
Clearly, computer crime is a serious issue. We must - and we will - treat it accordingly.
