On Sun, Apr 26, 1998 at 04:50:11PM -0400, Daniel R Ehrlich put this into my mailbox:
First, I am not speaking for Penn State, although I am a member of the University's CERT team. Second, I am not asking that any block be removed. Such a request would have to come from others at PSU.
It may require two weeks when you have to deal with the multiple domains of control one finds at this University. This means that you cannot just walk up to some machines and pull the plug without having large quantities of excrement start flowing rapidly downhill from on high and sweeping everything in its path away.
You may already know this, but it doesn't hurt to reiterate. I've had to deal with this to a certain extent at a local university.

What you need to do is to draft a security policy that explains what action you can take when a machine connected to the campus network is used in some sort of hack/DoS attempt. The policy should say something like, "We will attempt to contact the maintainer of the box. If we cannot contact the maintainer or the maintainer cannot repair the box within 6 hours, we will disconnect the box from the network." Modify as required for your site.

Then, go to the highest level of management you can, without pissing too many folks off (yes, university politics suck). Get them to sign off on it, and keep going all the way up to the chancellor, or whoever the Big Guy is. Make sure that you explain that every time someone uses a University box to hack or DoS, the university is wide-open for lawsuits and such - especially if folks knew about the problem and didn't take action.

Then, you have the ammunition you need to disconnect problem boxes when they crop up. If the Whiny Researcher In Question throws a fit, wave the policy in their face and explain that they should have thought of that before putting an insecure box on the net. (You might also discuss with the researcher the fact that anyone hacking into their box can steal their data; I understand research types are very protective of their data, and paranoid that someone else might get ahold of it. This might at least encourage them to secure their boxes better.)

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
e-mail: dalvenjah@dal.net
WWW: http://www.dal.net/~dalvenjah/
whois: SN90
Try DALnet! http://www.dal.net/

"Aristotle was not Belgian. The central message of Buddhism is not 'every man for himself.' And the London Underground is not a political movement."
-- Wanda, "A Fish Called Wanda"