[liberationtech] Concerns with new Stanford University security mandate

Guido Witmond guido at witmond.nl
Sun Jan 26 05:12:51 PST 2014


On 01/26/14 10:20, Tomer Altman wrote:
> To Liberation Tech:
> 
> Stanford is implementing a new security policy detailed here:
> 
> http://ucomm.stanford.edu/computersecurity/
> 
> I am personally very concerned about steps #2 and #3. BigFix is
> basically a back door managed by IBM that gives them and Stanford
> control over your device. The IDF tool effectively means that the
> Stanford administration can continuously search your personal laptop
> for any objectionable material.
> 
> While there are some technical cases where one may be exempt from
> these new requirements, the way that it is being pushed out at
> Stanford is making people believe that they cannot use their cell
> phones or laptops on campus (i.e., connecting to the Internet,
> checking Stanford email, calendars, etc.) without agreeing to all of
> these requirements.
> 
> I fully support Stanford improving security on their own computers
> and networks, but installing a backdoor and surveillance systems on
> personal laptops seems to cross a line for me. Especially in an
> institution devoted to open inquiry. Especially in light of the mass
> surveillance revelations this past year.
> 
> I tried reaching out to the EFF, but did not receive any reply.
> 
> I expressed my concern to the Stanford administration. They replied
> to a few of my emails, but it left me with more questions than
> answers.
> 
> I am asking for advice from the community on whether this kind of
> encroachment has any precedents.
> 
> I'm also curious to hear people's thoughts on this matter.
> 
> Thank you in advance,
> 
> ~Tomer Altman


Dear Mr Altman,

From the link:

No more Windows XP: Good riddance.

BigFix: the missing package manager for Windows. What every
self-respecting unix/linux/bsd/etc system already has. Good.

Identity Finder: It gives a baseline scan for all files that contain
personally identifiable information, like credit card numbers (that should
never be on anyone's computer at all, not even your own credit card
number) and SSN (likewise). Good.

Encryption: Good.

Central file backup: Good.


Anything in that document shows the intention of solving many
IT-problems that PC-users face all the time, whether they realise it or not.

And the university does not make it mandatory for private devices.

By taking these measures the university takes responsibility for any
breaches that happen from now.


There is one question remaining: do you trust the university to handle
this responsibility?

The answers to that will become clear with how they react when they find
unnecessary PII on a computer. To whom go the reports of
Identity-finder? How are they going to deal with it?

The intentions may be good, it's all about the actions.


Good luck with it.

Guido.


