[liberationtech] Concerns with new Stanford University security mandate

[taltman1 at stanford.edu]

Guido Witmond <guido at witmond.nl> writes:

<snip>

> Dear mr Altman,
>
> From the link:
>
> No more Windows XP: Good riddance.
>
> BigFix: the missing package manager for Windows. What every self
> respecting unix/linux/bsd/etc system already has. Good.
>
> Identity Finder: It gives a baseline scan for all files that contain
> personal identifiable information, like credit card numbers (that should
> never be on anyones computer at all, not even your own credit card
> number) and SSN (likewise). Good.
>
> Encryption: Good.
>
> Central file backup: Good.
>
>
> Anything in that document shows the intention of solving many
> IT-problems that PC-users face all the time, whether they realise it or not.
>

I fully acknowledge that they are providing a lot of good here. But in
some places they have crossed the line.

> And the university does not make it mandatory for private devices.

They are making it mandatory, trust me. I attested that I have two
private laptops, and they continue to hound me to get them into
compliance.

> By taking these measures the university take responsibility for any
> breaches that happen from now.

My thoughts are that if 10% of the campus deals with sensitive
information, then by all means isolate and secure that 10%. Why lock
down and spy on the rest of the campus; faculty, students, and all?

>
> There is one question remaining: do you trust the university to handle
> this responsibility?

Only if faculty and students have a voice in how the system is designed,
implemented, and maintained, with transparency and oversight. Otherwise
there is no basis for trust.

> The answers to that will become clear with how they react when they find
> unneccesary PII on a computer. To whom go the reports of
> Identity-finder? How are they going to deal with it.
>
> The intentions may be good, it's all about the actions.
>
>
> Good luck with it.
>
> Guido.

Thank you for your reply.