Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!wuarchive!uunet!vtserf!marchany
From: marchany@vtserf.cc.vt.edu (Randy Marchany)
Newsgroups: comp.admin.policy
Subject: Re: IETF Security Policy Working Group Handbook (long)
Message-ID: <1762@vtserf.cc.vt.edu>
Date: 21 May 91 14:43:40 GMT
References: <1755@vtserf.cc.vt.edu> <1991May21.043947.20481@m.cs.uiuc.edu>
Organization: Virginia Tech, Blacksburg, VA
Lines: 43

In article <1991May21.043947.20481@m.cs.uiuc.edu> kadie@m.cs.uiuc.edu (Carl M. Kadie) writes:
>Are you using the word "obscene" in its legal sense (i.e. Miller vs.
>California, 1973)? Or do you mean harassment?

I'm not familiar with Miller vs. CA, 1973 and am not concerned with
defining what is "obscene" or not. I feel that is for the local courts
to decide. So, I guess I would say that "harassment" is the more general
term that covers what I was trying to say. The VA code doesn't
specifically contain any reference to "harassment" but it does have a
section on "personal trespass by computer" that mentions using a
computer or computer network w/o authority and with the intent to cause
physical injury to an individual. Again, that's not the main point of
my discussion. 
I'm more concerned that *in the event* of a violation such as sending 
harassing mail, and AFTER confronting the individual and asking them to
stop and AFTER all the other recourses have been taken, leaving the
sysmgr with only the legal enforcement option, that the sysmgrs are NOT
trained in proper evidence collection techniques that can hold up to 
court scrutiny. Sending harassing mail is just an example, other
examples include using userids other than your own, using CPU time w/o
authorization, etc.
The question of illegal userid access is of concern. As you know, there
are password checking programs readily available on the net. As you
also know, sysmgrs are not going to be the only ones getting copies of
these. How do you "prosecute" someone who uses such a program to gain
access to userids at your site? Do you make your "real" user responsible
for ensuring that they have a reasonably secure password?
With respect to Universities, there are numerous examples (see the
STGEORGE index at UNMVM listserv) of individual departments formulating
computer usage policies. This is usually as a result of the lack of
university-wide policies that SPECIFICALLY relate to computer abuse.
Another poster mentions the evolvement of university regulations. I agree
with his statement. I think the creation of a single uniform policy
statement eliminates any confusion. The real issue for creating such a
statement is NOT the enforcement per se but rather teaching the
ethics of computer use. The enforcement of the policy is the LAST
recourse in handling suspected violations.              

	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060

INTERNET: marchany@vtserf.cc.vt.edu