Category Archives: Security

Reflections on the 2009 ResNet Symposium: Part 1

A few weeks ago I attended and presented at the 2009 ResNet Symposium. Held at St. Cloud State University in Saint Cloud, Minnesota from June 26 through June 30, the symposium was smaller than in previous years with only 134 registered attendees. However, the programs, activities, and interaction were all wonderful, interesting, and useful so the lower number of attendees didn’t seem to significantly hurt or change the nature of the conference.

I took detailed notes for most of the sessions I attended but I feel that too much time has passed for me to write detailed descriptions of each session.  I like to do that right away to help me reflect on what I learned.  But this time around I made more of an effort to socialize, network, and enjoy time with my colleagues and friends so I spent more of my time doing that and less time on my computer engaged in solitary activity.  Of course, having my own presentation on the last day of the conference and spending time each night to continue preparing for it also significantly impinged on the amount of time available for reflection and writing.

As I become more experienced and professionally mature, I find my interests and ideas changing.  Those changing interests led me to pay more attention this year to trying to ascertain the maturity of the programs and services represented at this year’s conference.  In particular, I was interested in seeing (a) the maturity of the assessment activities carried out by ResNet programs and (b) the levels of strategic planning and how well those plans are integrated with other plans (campus-wide, divisional, etc.).  In general, it seems that even the most mature of the programs represented at this conference are still in a relatively early stage of performing assessment as they are still heavily rooted in measuring opinion and input/output (number and type of computers, number and frequency of computer lab logins, amount of bandwidth consumed, etc.).  Learning outcomes seems to have not penetrated to many of these programs, perhaps because many seem to see themselves primarily as service centers with minor auxiliary educational responsibilities.  On the strategic planning side, it’s hard to gauge the level of depth and integration of these programs’ plans given the focus of many of these programs and the interests of the participants.

Brief reflections on some of the specific sessions I attended:

  1. Keynote address: Leading Geeks

    Paul Glenn, Computer World columnist and author of How to Manage and Lead People Who Deliver Technology presented the keynote address at 9:00 a.m. on Saturday. His talk focused on explaining how “geeks” are different from other people and how to lead geeks in an organization. I’ve become a complete academic snob so I didn’t really enjoy this talk as the depth of his research was very shallow. Luckily, much of what he said is relatively close to what the real research says (yes, there is actual research into the social and cultural phenomenon of “geeks” … and “nerds”). If you’re interested in learning more about Glenn’s thoughts about leading geeks, he maintains a website at leadinggeeks.com.

  2. Session 1: From Labs to Learning Space: Enabling Student Use of Technology

    Beth McCullough, Learning Spaces Manager for Stanford’s Academic Computing group, led a practical discussion of learning space concerns. Much of her discussion focused on her attempts to maintain and rehabilitate computer labs in Stanford residence halls. I greatly liked how much of her presentation and the decisions she has made are tied to data collected from and about Stanford residents as too often we make decisions in a void (see above regarding the current state of assessment in most ResNet shops). The most interesting discussion related to working with housing professionals in understanding and trying to reconceptualize how they understand (and use and fund and label and maintain and…) study spaces that happen to have computers.

  3. Session 2: Strategic Planning: Transforming Ideas Into Reality

    The second session I attended was presented by my good friend from Northern Illinois University, Jan Gerenstein. Jan is an Associate Director in their housing department and a former colleague in the ResNet Applied Research Group (RARG). She discussed with us how her group – Residential Technology – is participating in and integrating themselves into their division’s strategic planning process. This was a very interesting session for me as I strongly suspect that it would have been very different if Jan’s group were housed in a technology division instead of student affairs. Based on several years of observation, the cultural differences between these two groups – ResNet operations housed in central IT vs. those in housing – are clear (a topic that was the basis for my own program at this year’s ResNet Symposium and a potential program for NASPA’s 2010 conference). But I wonder if the different planning and assessment skills and emphases and driving these two groups farther away in terms of their goals and services. The reason why we ask about the program’s parent group (central IT, housing, etc.) on the ResNet surveys is because we – or at least I – strongly believe this to be one of the key lens through which we can and should examine and understand residential computing.

  4. Session 3: Millennial Misconceptions: How to Work Successfully with Generation X

    I didn’t take very many notes during this session. Karen McRitchie of Grinnell College did a great job with this program but I struggle mightily with programs that seem to arbitrarily lump together so many people and draw conclusions about those people from limited and flawed data (is my bias and academic snobbery showing?). During my darkest, bleakest moments in these sessions, I want to bludgeon Howe and Strauss with their own book. Karen was very complimentary of the students with whom she works and I was very happy that this was explicitly not a session that bemoaned the fate of the world today with Generation X taking the helm. I was most interested in this session as it closely mirrors so many (so many!) programs at student affairs conferences I’ve attended.

  5. Session 4: Adventures in Cyber Security: Tufts and Yale

    Judi Renni from Tufts and Loriann Higashi from Yale are ResNet old timers and they presented a wonderfully entertaining and informative session describing their latest efforts at getting students interested in and aware of better security practices. Unlike most ResNet Symposium programs, this one was not videotaped; the presenters showed us several videos that made fair use of copyrighted material and they (and their lawyers) didn’t want those videos to be recorded and distributed. Judi and Lori also took advantage of the privacy offered their session by sharing with us frank (but not disrespectful, disparaging, or unprofessional!) evaluations of their entire processes from start to finish. We very much appreciated their honesty, particularly when they were brave enough to share with us their challenges and failures. Some of the Tufts materials can be viewed online as can the Yale materials.

New SNS Resources and Research: JCMC, OCLC, ENIAS, and Facebook Pages

Several new resources and articles focusing on social network services (SNSs) (Facebook, MySpace, Bebo, etc.) have been recently published or released:

  • A special issue of the Journal for Computer-Mediated Communication (JCMC) focused on SNS edited by danah boyd and Nicole Ellison has finally been published. All of the articles are available online for free. Of particular interest to me are “Social Network Sites: Definition, History, and Scholarship” by danah boyd and Nicole Ellison and “Whose Space? Differences Among Users and Non-Users of Social Network Sites” by Eszter Hargittai. Hats off to danah and Nicole for pulling this together and seeing the project through to completion!
  • The Online Computer Library Center, better known as OCLC, released the 280-page document “Sharing, Privacy, and Trust in Our Networked World.” Although the report focuses in part on libraries and library directors, it also includes significant sections on (a) User practices and preferences on their favorite social spaces, (b) User attitudes about sharing and receiving information on social spaces, commercial sites, and library sites, and (c) Information privacy: what matters and what doesn’t. The research appears to be largely based on surveys of several thousand individuals from Canada, France, Germany, Japan, the United Kingdom and the United States.
  • The European Network and Information Security Agency (ENISA) released the 36-page document “Security Issues and Recommendations for Online Social Networks” (1.8 MB pdf). Contributors to this document include many familiar names for those who have browsed my bibliography: Alessandro Acquisti, Fred Stutzman, Nicole Ellison, and Ralph Gross, among others. While the focus of this document (threats and recommendations) may be slightly different than that of interest to many of you, the perspective is very valuable and many of the issues identified will be familiar. Among the issues addressed are: difficulty of complete account deletion, SNS spam, profile-squatting and reputation slander through ID theft, stalking, and bullying.
  • Karine Joly discusses a new Facebook feature, Facebook Pages, in the context of institutions of higher education seeking to market their institutions and connect with their constituents. Although intended primarily for commercial marketing purposes, Joly sees utility in this tool for higher education. Personally, I am becoming wary and weary of marketing efforts, particularly as they continue to infiltrate our personal lives and spaces. I recognize that much of that infiltration is occurring simply due to the blurring of boundaries between our personal and private lives but that does not make my any more comfortable with some of these developments.  Nor am I comfortable with the commercialization of higher education despite my understanding of the economic and social forces driving it.

Updates on Old Topics and Quickies

I’m as settled into my new place and job as I will get so I hope to resume substantive posts soon. In the meantime, here are a few updates on topics previously discussed here and a few quickies:

  • Lawsuits against college and university students accused of downloading or sharing mp3s continue and institutions continue to ratchet up the stakes for students accused of copyright infringement. Are institutions really getting more strict about this issue or are those who are instituting harsh punishments simply the ones who attract the media reports? And are they doing it in part to attract those media reports (“Look, we’re trying to do something about this! Didn’t you read about it in the newspaper?”)? Meanwhile, on the opposite side of the issue from the MPAA, the EFF has released a report entitled “RIAA v. the People: Four Years Later” (pdf file).
  • Universities and colleges have often (and rightly) complained that most of the congressional attention regarding copyright infringement has unfairly focused on them. No worries. Some in Congress are eager to attempt to do foolish things to regular Internet Service Providers, too.
  • One of the threads in our recent discussion regarding Facebook advertisements has focused on a shared desire to more accurately target Facebook users. Either we’re starting to see progress on this front or there were developments of which we were previously unaware (likely both). Not only are there applications built to specifically address this issue, Facebook is working to build this into their own ad system.
  • Among the lessons learned from Virginia Tech are many related to communications and technology. In addition to Virginia Tech’s official overview, the Roanoke Times has an overview of Virginia Tech’s internal reviews. Of specific interest is the Information and Communications Infrastructure Group report (147 page pdf). The two main recommendations in the report are to (a) install a “new fully integrated digital campus architecture for all telecommunications functions based on Internet Protocol (IP)” and (b) “make selected research and administrative IT capabilities available to local first responders to improve radio communications capabilities.”

ResNet Symposium: ECAR and RARG Security Survey Results

Two members of the ResNet Applied Research Group (RARG), Dave Futey and Clifton Pee, joined Rodney Peterson, EDUCAUSE Government Relations Officer and Security Task Force Coordinator, to present results related to security research conducted by those two organizations. Both of these organizations conducted work related to security last year: the EDUCAUSE Center for Applied Research (ECAR) released the results of their “Safeguarding the Tower: IT Security in Higher Education 2006” study (although the study is only available to ECAR members, the Key Findings are publicly available) and the RARG released results from their “2006 ResNet Security Practices and Policies Survey.”

The bulk of the presentation focused not on survey results but on their meaning. Rodney concentrated his presentation on relating the ECAR data to the new EDUCAUSE/Internet2 Security Task Force’s Confidential Data Handling Blueprint. (although I did not attend SIGUCCS’ Computer Services Management Symposium, I am told that Rodney presented a very similar presentation in Savannah). The RARG data was a selection of results from the larger body of results followed by several questions intended to stir discussion among attendees.

Items raised in the discussion included:

  • An observation (initially made by myself but echoed by other attendees) that the experience of small colleges may differ significantly from larger institutions. In particular, we have fewer staff less likely to have the specific skills necessary to address complex legal and technical challenges related to security. We also may perceive of ourselves as “not targets” due to our small sizes as we “fly under the radar” while attention is focused on larger institutions. In response, Rodney observed that some institutions are shifting and training staff instead of hiring new persons.
  • What has changed in the last year? Or have we finally caught up to 2003 (a landmark year for ResNet programs as various worms decimated our networks during fall opening)? The primary response to these questions was “there have been no recent incidents.” This perceived lack of incidents led us to question if we are being successful in our efforts, merely lucky, or just untested.
  • When asked how often we should evaluate our security plans, Rodney reminded us that the federal government is required to review their plans whenever an incident occurs and at least annually (as required by the Gramm-Leach-Biley Act).
  • One attendee noted that her institution is formulating a security plan that encompasses not only IT but also paper forms and data recorded on paper. Rodney agreed that was necessary and advised us to place security in the context of risk and not computers or IT (“people, process, & technology” was the exact phrase he used).
  • When asked how we should define success in relation to security, one attendee replied that success has occurred when a culture embracing security has been created. Another opined that you only know when you’re unsuccessful.

Stepping back away from the content of the presentation, it was quite heartening to see this joint presentation between an EDUCAUSE staff member and members of the RARG.  I believe that it’s a sign of healthy maturity that the ResNet organization is reaching out to and being reached out to by other professional organizations.

ACPA/NASPA Joint Meeting: Instant Access

The first presentation I attended today was entitled “Instant Access: Using Technology to Reach Students.” Despite the grand title and some mentions of multiple technologies, the real content was rather focused. Three ladies in career services at two different institutions, LSU and Florida State University, described how their offices employ Instant Messaging in serving students. Their use of the technology sounded rather simple (but that’s how most things start and the best way to start!) but the process by which they analyzed their options and presented their proposals to their departmental leadership is very interesting and worth examining and possibly replicating.

Other interesting highlights of this presentation and related discussions include:

  • Neither institution had pre-existing policies regarding institutional use of IM, despite the fact that one of the institutions already had multiple departments employing IM in official support capacities. Some of the policy-related issues mentioned by the presenters included dealing with inappropriate comments (rude or too personal, including psychological crises), security, and privacy. In addition to the “The Effect of Instant Messaging on the Social Lives of Students Within a College Dorm” article mentioned by the presenters, I can’t resist plugging my 2004 article outlining some policy considerations for student affairs units employing IM.
  • When asked about potential security implications, the respondents replied that at one institution the IT help desk uses the same software and the central IT group is unaware of the product at the other institution. An attendee also referred to the “IT security nazis” on her campus. While I’m sure there are some issues with some IT and security groups, I don’t think any student affairs professional would ever accept an IT or other professional referring to the “counseling nazis” or the “FERPA nazis” who religiously protect students’ privacy. Further, I don’t think that many student affairs professionals are adequately qualified to analyze the security of software or systems of software and merely ignoring the issue because “IT doesn’t know about it!” is a very poor way to protect the confidentiality and privacy of our students and staff.
  • A question from an attendee about the presenters’ use of “canned responses” was really a question about the use of chat bots, a topic that was very briefly raised in yesterday’s Net Generation pre-conference session. Unfortunately, the topic was not pursued or even fleshed out today.
  • Another question from an attendee focused on the logging capabilities of the IM software employed by the presenters. Specifically, he asked if the logs were being analyzed and that analysis used to create FAQs. I would suggest that the logs can not only be used to create FAQs but also answer other questions and provide other useful data but the general idea of mining logs for useful data is an excellent one and another echo of an idea mentioned yesterday. None of the presenters answered in the affirmative but their initiatives are relatively young so they may have simply not gotten to that stage yet.