How Does the Code of Ethics Relate to Security? - Page 2

 By Josh Ryder
Page 2 of 2   |  Back to Page 1
Print Article

At the University I attend, the system administrators deal will several infractions a day, ranging from simply the printing of non- research information on the public printers, to users who regularly go over their disk quotas. Each case is dealt with as a fresh and clean incident, with none of the previous problems reflecting on how the current situation is dealt with. Most events are simply "Your account has been temporarily suspended because of such and such a reason; please come to our office and we will sort things out". Occasionally, however, there are certain difficult cases that must be dealt with at a higher level.

One such case was related to me by Rod Johnson, the head of the Undergraduate Computing Science system. A certain student blatantly ignored the rules on several occasions and as a result was causing a significant disruption to another student. Here's what happened:

To address the perpetual shortage of available terminals during crunch time, the Department instituted the policy that any student who left their terminal X-Locked for a period of 15 minutes automatically had a logout button added to their screensaver that allowed students that were in the lab and needed a terminal the ability to use the machine. One student, for our purposes "Joe", left his terminal locked for well over 15 minutes. Another student, "Frank", was waiting patiently in the lab for a terminal to become free so he could work on his assignments. Rather than simply clicking the Logout button and closing Joe's session, Frank contacted the lab admins and asked what he should do. The admin on duty said that he would go in, save all of Joe's work and then log him out. Once this happened, Frank was told that he could use the terminal. All was happy, right?

Unfortunately not. When Joe returned to find his terminal taken, he became verbally abusive to Frank. Even after Frank had explained that all of Joe's work had been saved prior to logout Joe simply kept ranting. After venting to no avail for several minutes, Joe found another terminal free and immediately logged in. Within five minutes, Frank noticed that his machine had slowed to a crawl. When Frank ran "top", he discovered that Joe had essentially fork bombed his machine. Not wishing to push matters further in the lab, Frank sent another e-mail to the administrators explaining what seemed to have happened, and logged out.

Sadly, this incident took a turn for the worse. In the following days, every time Frank logged into a machine, Joe mysteriously appeared and the machine slowed to a crawl. Desperate for a solution, Frank turned to the administrators, who in turn started monitoring the habits of Joe. After a very short period of time it was obvious that Joe had a program lurking to find out where Frank was, and then fork bomb the machine.

Joe's account was immediately frozen, and he was left with a stern message to come speak to the administrators immediately. Upon confrontation Joe outright denied the whole incident, and when confronted with the logs of his activity he claimed that it was a network project gone awry. This time being particularly for the students, the administrators re-instated Joe's account with a very clear message: "If this happens again, we're not going to take it in such a light manner".

Now, at this point at least 95% of the users would smarten up and put their grudge behind them. Not so with Joe. Not five minutes after he left the office the program was started again with the same affect on Frank. Once again the account was suspended, and this time Joe came in nostrils flaring and breathing flaming death. Because the administrators only have the power to suspend accounts, they are not allowed nor are empowered to discipline such misuse of the system. Joe was escalated to the second and final level of the two-tier proactive system, where the management (in this case the Departmental Supervisor and the Head Systems Administrator) reviewed the case, and decided to take action against the student. A board of inquiry was held, and Joe still denied all responsibility for the events up until the verdict was about to be passed (at which point he confessed and asked for lenience).

The second tier in the enforcement process is, by nature, seldom used. It should be invoked in only the most extreme circumstance, and each case should be dealt with in the utmost gravity and concern. While there are not many Joes out there, your policy enforcement should be prepared for them nonetheless.

If there was any justification needed before to include the administrators in the creation of the Code of Ethics and the Terms of Use, this should be more than enough.

In next week's column I will outline exactly what issues should be addressed in a Code of Ethics, as well as describing two or three of the most common enforcement methods.

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)

This article was originally published on Oct 16, 2000
Get the Latest Scoop with Networking Update Newsletter