<div dir="ltr"><div><div>+1!<br><br></div>I'm the admin. The machines are MINE. I WILL have the authority to do what is needed to fulfill my responsibilities. I have kicked a student off systems before (hyper-extreme case). His code was utter crap and resulted in a reboot EVERY time he ran it (all nodes on the cluster would lock up - he had been given sudo by his advisor - once I took it away his code wouldn't run at all). His advisor whined and complained and I made the case that his idiot student was effectively the turd in the punchbowl for the cluster (I think I actually used those words) and it broke things for everyone else. Advisor got him a workstation to use, it was offline most of the time as he still wrote crap. When he finally got sudo on the workstation (I had to cough it up as the box belonged to the advisor) the idiot ran his code as root. Justice happened swiftly as his garbage trashed the hard drive and deleted his home dir. I don't back up standalone machines like that so his work was gone. good riddance. He (without permission) installed ubuntu, was the admin and proceeded to crash that box daily/hourly until he was finally shown the door for failing to complete a single project assignment.<br><br></div>Dev make terrible admins. Devs make terrible security officers. Devs need to be throttled by hardware so they learn how to write efficient code. One faculty gets the cheapest old crap machines for new students to run their code on so they are forced to make improvements in performance. It's mostly a pretty good idea.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 5, 2017 at 10:37 AM, Jerald Sheets <span dir="ltr"><<a href="mailto:questy@gmail.com" target="_blank">questy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><span class=""><br><div><blockquote type="cite"><div>On Oct 5, 2017, at 9:27 AM, Todor Fassl <<a href="mailto:fassl.tod@gmail.com" target="_blank">fassl.tod@gmail.com</a>> wrote:</div><div><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">This list has really come through for me again just with ideas I can bounce around. I'll have to tread lightly though. About a year ago, I configured the machines in our shared labs to log someone off after 15 minutes of inactivity. Believe it or not, that was controversial. Not with the faculty but with the students using the labs. It was an easy win for me but some of the students went to the faculty with complaints. Wait, you're actually defending your right to walk away from a workstation in a public place still logged in? In a way that's not such a bad thing. This is a university and the students should run the place. But they need a referee.</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"></div></blockquote></div><div><br></div></span><div><span style="color:rgb(51,51,51);background-color:rgb(255,255,255)">TL;DR: I disagree. Follow compliance guidelines. People could go to jail in a governmental (college) setting. The laws are the referee, not us.</span></div><div><br></div><br><div><br></div><div>I respectfully disagree. </div><div><br></div><div>Let me flex my ego muscle for a moment: “Jerald Sheets, Lead Security Architect - Infrastructure Hardening - PayPal, Inc” at your service.</div><div><br></div><div><br></div><div>Any university is bound by common rules and guidelines to adhere to “generally accepted security standards” in regards to systems connected to the university infrastructure for the purposes of satisfying protection of PII of students, faculty, and staff. This is also governed by FRPA and can include jail time under the right circumstances… Just saying.</div><div><br></div><div>Regardless of physical, network, and other similar security controls in place, host security demands that TMOUT be on, enabled, and unable to be circumvented.</div><div><br></div><div><br></div><div><br></div><div><font face="Georgia"><span style="font-size:14px"><br></span></font></div><div><font face="Georgia"><span style="font-size:14px"><b>HIPAA:</b></span></font></div><div><font face="Georgia"><span style="font-size:14px"><br></span></font></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia">A covered entity should activate a password-protected screensaver that automatically prevents unauthorized users from viewing or accessing electronic protected health information from unattended electronic information system devices. </font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><b>SOX:</b></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia">User session timeout is defined and in place for
authorized users
Audit and review user privil</font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><b>ITIL:</b></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia">ISO/IEC 27002</font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia">11.5.5 Session time-out</font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><b>PCI:</b></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255);font-size:14px"><font face="Georgia"><br></font></span></div><div><span style="color:rgb(51,51,51);font-variant-ligatures:normal;background-color:rgb(255,255,255)"><p style="margin:0px 0px 20px;color:rgb(95,95,97);font-variant-ligatures:normal;background-color:rgb(242,242,242)"><font face="Georgia"><span style="font-size:14px">8.5.15 Idle Session Timeout threshold</span></font></p><ul style="margin:0px 0px 0px 20px;padding:0px;color:rgb(95,95,97);font-variant-ligatures:normal;background-color:rgb(242,242,242)"><li style="margin:0px 0px 5px;padding:0px"><font face="Georgia"><span style="font-size:14px">Disconnect Idle session is less than or equal to 15 minutes</span></font></li></ul><div><br></div><div><br></div><div><br></div><div>These are the reasonings I use with CISOs, CIOs and CEOs to explain to them that just because Devs are yelling about various security controls does not mean they get to have what they want.</div><div><br></div><div>“You could go to jail over this one” has been uttered more than once by me, and I count it a great responsibility on my part as a Security guy first and a Systems guy second to ensure that the law and various compliance guidelines are followed.</div><div><br></div><div>If I have people continuing to demand non-compliance, I work up a business case for them to sign their name to “when the auditors come around on this, they’ll want to know who’s responsible and who should be prosecuted in the event of data loss or breach”. That usually gets their attention and gets them to think twice about these things.</div><div><br></div><div>The balance is ALWAYS security versus usability, and the security guidelines we are both legally and honor-bound to follow are the “referee” here. You aren’t. I implement what’s given to me within the confines of the law, and I do not step outside of it. No student, teacher, full or associate professor, department chair has the authority to overrule these guidelines.</div><div><br></div><div>The board or president of your university does, and they are ultimately responsible (as any CEO would be) for what goes on both physically and virtually on their campus. </div><span class="HOEnZb"><font color="#888888"><div><br></div><div><br></div><div>—j</div><div><br></div><div><br></div></font></span></span></div></div><br>______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div></div>
</div>