Exeter On-Line

Fall 2002 Issue                        Publication of Information Technology  

Security Audit and Findings Spring 2002
by Shelley Nason

During the spring term, the services of an international technical security and auditing firm were engaged to perform an enterprise security vulnerability assessment of the Academy data network. A second firm was also enlisted to audit the voice component of the network. These audits consisted of a review of the physical environment, policies and practices as well as a technical review of potential external and internal network vulnerabilities. Although issues were identified in all four areas, the team stated, "overall, the technical security posture of Phillips Exeter Academy looked quite good comparative to other assessments conducted within the same market."

The two major recommendations for the Academy's implementation were as follows:

1. A system to alert network administrators when an attack is underway. This system would known as an intrusion detection system (IDS).

2. Creation of an added level in the network to ensure a physical separation of internet assets from internal assets, known as a demilitarized zone (DMZ).

The auditors completed a written summary report providing detailed findings and recommendations. While the executive summary was shared with members of the principal's staff and trustees, it was recommended by the auditors that information regarding specific technical vulnerabilities be made available only to those departments directly involved in the system management or those who are responsible for making changes or justifying the maintenance of their present system configuration. Vendors have also been consulted in those cases where servers have been configured outside the Academy. The findings and recommendations have been reviewed and adopted in some cases while other recommendations are still under evaluation.

Some recommendations have not yet been implemented, particularly in areas where there is a risk of loss of functionality to the community. Such an example would be, the filtering of approximately 100+ types of email attachment file formats plus requiring all MSOffice email attachments to be zipped. Although this recommendation would decrease the potential for viruses to impact the Exeter network systems, the IT department could not impose restrictions without involving the community and providing other options for users.

The physical security recommendations have been shared with the security department as they are assisting the IT and MIS departments with the implementation of changes. The policy recommendations will appear as agenda items for discussion by various committees during the upcoming academic year.

With the identification of security threats on a daily basis as well as dealing with an ever-changing network, the auditors recommend that the Academy remain vigilant by incorporating security tasks into procedures and routine practice. They emphasized the necessity of constant review of the network's ever-changing environment and the importance of integrating an on-going process into our daily practices to ensure a secure environment.

E-Links
by Celia Abrams

When you next visit the Lion Links splash page ( http://lionlinks.exeter.edu/ ), you will notice a link to
E-Links, just below the system status box. E-Links is a new web-based interface to the Academy's administrative database. Like Lion Links, community members will be able to view information about themselves directly from the database.

Because we want to protect your information from unauthorized access, E-Links is password protected and subject to inactivity timeout. You will use the same username to login as you do for your network account and Lion Links. You will be assigned a different password, however. We hope that sometime during the next year we will be able to synchronize the Lion Links and E-Links passwords so you will be able to use the same password to access both menus, and the distinctions between the two will disappear. For now, they will have separate names to remind you of the password difference. MIS will notify students and employees of their E-Links passwords in September. You may change your Lion Links and E-Links passwords through their respective Change Password options.

You will still use Lion Links to invoke web screens written by Datatel, our software vendor, such as those for registration and grading, and others that involve more complex database processing. Unlike Lion Links, all menu items on E-Links are created by the PEA MIS department. E-Links allows us more flexibility in the look and behavior of the web page but has some limitations in behind-the-scenes database processing, especially for functions that use Datatel proprietary software designed to ensure data integrity when information is being updated.

Summer School faculty used E-Links this summer to enter course and advisor comments. This is a totally new comment slips application and will be used by Exeter faculty for their Fall term comments. One of the first features students may want to try is the new view of student class schedules superimposed on the format grid. We hope this will be useful, especially during the first week of the term when the Lion Links My Class Schedule is disabled pending completion of sectioning. Advisors will be able to view a condensed list of all their advisees' schedules without having to select one advisee at a time. We are working on an on-line facebook, which we hope to have ready sometime shortly after the start of school. Photos for new members of the community won't be available until after the photo days in mid-September. New menu additions will be announced on the splash page as they become available.

If you have questions about logging in or using any of the E-Links menu items, you may contact the IT support desk at 3693. MIS welcomes your feedback and suggestions for future options; email us at mis@exeter.edu with your comments.

Training Tips
by Emily Merrill
Mac  Mac  Mac  Mac   Mac  Mac
Every type of computer has applications that run on them that freeze or stop running. If your Mac application has stopped responding, you don't necessarily have to restart the computer. Instead, try using Force Quit. Force Quit is the keyboard sequence of Apple + Option + Esc (all three buttons pressed at once). You should then be asked if you really want to Force Quit. Click the yes option, and the application should close, and return to the desktop, where you can continue working. If the application will not re-open correctly, or if the Force Quit sequence cannot close the application, go ahead and use the last resort: re-start the computer.

PC  PC  PC  PC  PC  PC  PC
 PC computers also have problems with applications crashing. However, a PC can be running one of several operating systems: NT, 2000, Windows 98 or Windows ME, among others. For all of these operating systems, Ctrl + Alt + Delete is the keyboard sequence that allows you to close an application that has stopped responding. For Windows 98 or ME, you would then click on the program and select End Task in the resulting dialog box. For NT and 2000, Ctrl + Alt + Delete gives you a dialog box with six options: Lock Workstation, Logoff, Shutdown, Change Password, Task Manager, and Cancel. Choose Task Manager, and on the Applications tab, select the troubled program. Then, click on the End Task button to close out of the program. Finally, click on the x in the upper right hand corner to close out of the dialog box.

Available Network Resources from the Web
by Donna Archambault

Over the summer the IT staff have been working to create "universal access" for all students and faculty to Academy network resources. If you live off-campus, you will no longer need to use VPN to access your home or department files. You may now get to these resources via the Internet.

Network resources available to you on the Internet are:

  • Blackboard (course building tool) http://blackboard.exeter.edu/
  • Lion Links and E-Links (on-line, real-time, web-based interface for information stored in the
    Academy's central administrative database)     http://lionlinks.exeter.edu/
  • ECal (personal calendar) http://ecal.exeter.edu/
  • Campus Email http://mail.exeter.edu/
  • Harkness (academic server) http://harkness.exeter.edu/
  • LionsDen (student server) http://lionsden.exeter.edu/

From a PC in order to save to your home directory or shared department folders, you will need to create web folders. A web folder is a web-authoring component that is included with Internet Explorer 5.5. When you create a web folder, it is similar to using Windows Explorer or My Computer. It allows you to use basic functions such as copy, move, delete and create folders. From a Macintosh, you will need to use Fetch, which is an FTP client for the Macintosh.

For instructions on how to create web folders or to install Fetch, please go to the IT website at http://it.exeter.edu/WebFolders.html.

We have also been working to make available from both the dormitory and off-campus Harkness applications, which we refer to as the Citrix Application Server. This server allows both faculty and students the ability to access applications that are used for class work, i.e. Sketchpad, Master Latin, Graphical Analysis, etc. Providing the software runs on a network and the Academy has sufficient licensing, the applications can be accessible through this technology.

The application server moves the Academy toward universal access to technical resources. Not only does it provide the same resources for those on or off campus, it also makes the personal machine platform irrelevant. For example, a Windows application can run on a Macintosh and vice verse. This service is in the testing phase. Contact the Support Desk for details and instructions.

If you have any questions or feedback on the network resources available, please contact the Support Desk.

Support Desk News

The Support Desk plans to be more visible
in the academic buildings to assist with
computer support. If there is a preferable time
that your department would like a member
of the support desk to make their rounds,
please contact us at ext. 3693 to set
up a schedule. If not, we'll see
you around the halls!

Klez Worm: "Empty Email"
by Marilee Tuomanen

For several months, many email users have been receiving "empty" emails and calling the support desk for assistance with these messages. Often these emails arrive with a subject that may entice you to open them, for example, the W32.Klez.A@mm worm will arrive with a subject line like....

How are you? Can you help me? We want peace! Where will you go? Congratulations!!! Don't cry … Look at the pretty … Some advice on your shortcoming … Free XXX pictures … A free hot porn site … Why don't you reply to me? How about have dinner with me together? Never kiss a stranger...

The likelihood is that any blank emails you receive are a result of a mass-mailing email worm called generically "The Klez Virus." There are multiple forms of this worm, listed here:

W32/Klez.h@MM
WORM_KLEZ.H
W32/Klez-G
I-Worm.Klez.h
Klez.H
W32/Klez.H
Win32.Klez.H
WORM_KLEZ.I

These worms are variations on a worm that uses Microsoft Outlook and Outlook Express to execute itself and mail itself to users in the Outlook address book when the message is opened or previewed. It copies itself to network shared folders and leaves another virus. It attempts to delete program files and, depending upon the additional virus it leaves as its payload, may have other side effects. It locates the system folder on any Microsoft operating system so it knows were to deposit the payload.

The PEA servers and workstations are protected with an up-to-date antivirus program. If you get a message that virus definitions are not up to date, please call the Support Desk. If you have a Windows95 or Windows98 laptop, manually run the antivirus software and live update at least once a month. If you un able or uncomfortable with downloading new virus definitions, please bring your laptop to the Support Desk and someone will assist you. When you see an empty email message from someone you do not know, you do not have the email worm; you are likely seeing the effects of it coming from someone else's computer. Delete the email. Other than delivering annoying email, this worm has not affected the workstations at PEA.

On your home computers, make sure that you have downloaded virus definitions from the most recent month, and scan your files weekly, if not automatically. See http://www.symantec.com/ for Norton Antivirus information and http://www.mcaffee.com/ for McAffee Antivirus information. These sites have information on identifying the attack and running a removal tool to get rid of the worm. The Microsoft website has information on patches that fix vulnerabilities in their software. You may be advised to run a patch or download a more recent version of the software to plug a security hole.

Mac users who are using Microsoft Outlook Express for their email, are not vulnerable to this worm. It will not harm your Macintosh because it only works on a PC using a Microsoft Windows operating system. But, please do not forward any suspicious looking emails to other users. Just delete!

When in doubt, follow the guidelines below to protect your home computer:

Happy Computing!

Copyright, Fair Use, and the Internet
by Vi Richter

In August I attended a class on the legal issues and educators' responsibilities surrounding website development and use." I registered primarily to learn the specifics of using copyrighted material in the classroom setting (to more fully understand what is known as "Fair Use") and came away with quite a bit more information regarding schools' responsibility in safeguarding students, student work, and student records. Please bear in mind that the following information is a summary of my understanding of the presentation. The instructor, an attorney, recommended seeking legal advice often for specific information, as the rules and their interpretations in this age of international intellectual property law change rapidly.

First, a little about copyright and fair use. In the past, an author, artist, composer, or other creator of a "work" needed to place a copyright statement on his or her creation to have it considered a copyrighted work. That is no longer the case. In fact, the moment someone puts pen to paper, or uses a computer or other medium to capture his or her creation, the work is copyrighted by the creator. That means that each and every time we use someone else's creation, whether it be a piece of music played in a film or slide presentation, an image from the Internet, or a videotape of a TV show, we are infringing on the creator's copyright, unless we have asked and obtained the creator's permission to use it (in advance).

Interestingly, I learned that copyright applies to student work also, but since students (those who are minors) cannot legally grant permission to bypass copyright, we must ask their parents for permission if we plan to use or distribute their work. Some schools now ask parents to sign a blanket permission to use student work on websites, in publications, and shows; some schools ask for that permission every time they use student work, particularly if it is going to be available to the general public (such as on a website). With regard to work produced by staff and faculty, unless spelled out otherwise in an employment contract, any work produced during the period of employment is the property (and falls under the copyright of) the employer.

Because educators often need to utilize many copyrighted works in the classroom, the Library of Congress has established some "Fair Use" guidelines that give schools a bit more leeway to use source materials. In general, the guidelines are as follows:

  • You may use "small segments" of photocopied, copyrighted materials
    • The lesser of 10% or 1000 words of text,
    • The lesser of 10% or no more than 30 seconds of a sound file,
    • No more than five illustrations of a single artist, or no more than 15 images from a work or 10% of that work, whichever is least,
    • 10% or 2500 cells or fields from a database or table, and
    • For the purpose of reserve copies, no more than two copies on reserve and a third for preservation, all of which must be destroyed after temporary use.
  • You may not use the same material in a class for more than two consecutive years without explicit permission of the creator.
  • The community of people using the material must be "closed," in that you are not distributing material to the public (such as via the web or a network).

Copyright law applies to TV shows recorded and replayed with a VCR, software, music, video, still images, and text from the Internet also. Despite that many copyrighted items are readily available across the web (there are whole sites dedicated to distributing "pirated" materials), they are not necessarily legal, licensed copies. When we purchase a copyrighted work, the license agreement contains very specific circumstances under which the product may be used. Possession of additional copies on any medium-paper, tape, computer or network--or distribution across the Internet constitutes a violation of copyright law.

There are some works that fall within the public domain; their use is no longer an infringement because the copyright has expired. Recently, there has been a flurry of litigation to try to extend copyright to the descendents of the original holder. With an American entertainment industry that flourishes on the re-make, it's not difficult to see why descendents might want a piece of the financial pie. Therefore, the current system is likely to change. Generally speaking,

  • Works that are published before 1922 are no longer protected and fall into the public domain
  • Works created after 1978 are protected until at least 2029
  • Works of the Federal Government are not protected, but many states hold their own materials under copyright

Courts that try infringement cases take into consideration a few factors before they'll hear a case, and each case is considered individually. The following are several questions the court would ask. Was the nature of the copyrighted work mostly comprised of available facts or primarily a new creation? Was the infringement for commercial or educational purposes? What effect did the violation have on the potential market for the copyrighted work? Did it reduce the potential or actual number of legitimate copies sold?

In my own classes, I find it difficult to explain copyright protection to my students, who generally respond with "well, if it's on the web, and I can get it, isn't it legal?" Rarely. It's true that the laws are somewhat murky and courts generally do not go after violators who didn't profit by using the work. And my instructor even said that "many of the violations fly so far below the radar screen that they're really not a problem [in a court]." My immediate response to him was that we are in the classroom and not the courtroom and we need to be particularly careful to be sure we don't implicitly teach students to make choices that fall into a gray area, simply because they are unlikely to be prosecuted. Rather, I will continue to question the creation of every piece of material they submit for assignments and I will use technology to help me try to protect the Academy from potential litigation (such as keeping student websites within our community while they are in the development stage).

The word is slowly starting to get out across the net about copyright. In the past few years many fan sites (websites about a book, movie, or character) have been shut down by the hosting web service provider because they allegedly contained copyrighted images, trademarks, or tradenames. The copyright holder has the legal right to determine where, how and in what context his or her work may be utilized. Under the recently enacted Digital Millennium Copyright Act (DMCA), when presented with a properly completed notification of possible infringement, a service provider should immediately remove or shut down access to the item, which usually results in taking the site down at least temporarily. Recently, the Academy has signed on to the DMCA, a law that applies to operators of computer networks, because it affords certain protections, known as "safe harbors," to those who host or store digital files.

The DMCA is large, complex, and a bit controversial. Much of the controversy stems from the fear that developers of digital media (music, movies, software, and images) could encrypt everything they create and require a decryption fee for every usage. In the words of my instructor, "this means buying the book would not be enough; you'd need to pay every time you chose to read it." Several recent music CDs and DVDs were produced with strong encryption to prevent their reduplication and illegal distribution. The Napster issues of late have brought this sharing debate front and center to the corporate world. But there is also a large group of enthusiasts of all types of media who heartily believe that the digital world should be all "shareware," totally free and open to all, that the reason the net was originally created was to freely share scientific research materials worldwide, a practice we should extend to all media. The concept of genuine sharing and openness to creativity seems certainly appealing, although it may prove less than appealing to the average corporate marketing director.

So, we once again find ourselves on shifting sands. Until the laws are nailed down to something comprehensible to the average reader (if that is even possible), and until the technology makes it possible to adhere to and enforce the laws as we understand them, I think educators and educational institutions need to do the best job they can to educate students and the community about appropriate use of copyrighted material. That means we need to keep questioning our own use of others' creations of all types to be sure we give credit and compensation where it is rightly due.

Finally, I learned that we also need to be very careful about how we utilize student information on the web. One of the first activities I do in my classes is to have students undertake a web search on their own names (if you haven't done this already, I highly recommend it). It constantly amazes me to find the depth and diversity of personal information available on the Internet about our students, either through their own websites, chat rooms, or sites from schools or groups to which they formerly belonged. Although each site on its own doesn't unlock the privacy door, we need to be sure that our school's Internet contributions do not hand out the missing key.