Tag Archives: security

Friday Links – December 5, 2014

Gates Foundation announces “world’s strongest policy on Open Access“. ‘from January 2015, researchers it funds must make open their resulting papers and underlying data-sets immediately upon publication — and must make that research available for commercial re-use. “We believe that published research resulting from our funding should be promptly and broadly disseminated,” the foundation states.’

Librarians as publishers. As an example – one of our own: Portulano (while the library may not be “a publisher” of this journal, certain library staff members provided instrumental support in making it accessible)

All About Those Books. The Mount Desert Island High School version of Meghan Trainor’s “All About The Bass.” (MDIHS has just 571 students!)

FSU Shooting Highlights the Need for Library Security.  Library Journal article – “Early in the morning of November 20 a lone gunman opened fire in Florida State University’s (FSU) Strozier Library.”  The library staff will be receiving training this month for how to handle such situations.

Use Dropbox? Consider middfiles instead

We advise our community to use Middfiles for all file storage needs. In fact, sensitive information should always be stored on Middfiles.

Dropbox, one of the most popular cloud storage providers, has had several security flaws and breaches over the past year:
– In June, for four hours, anyone could access anyone else’s Dropbox files.
Three other separate security flaws (or holes) were found this summer.
– Furthermore, FTC found that Dropbox was misrepresenting their security measures and protocols.
– In addition, Dropbox had changed then clarified its Terms of Service within a matter of days.

That’s why we promote Middfiles for “cloud” storage needs. Do not hesitate to contact me if you have any questions around Dropbox, cloud storage or security. If you have questions specific to Middfiles, please visit our documentation page.

PCI and Blocked Email Messages

The Payment Card Industry Data Security Standard (PCI DSS v2.0) is a standard that has been accepted by all major credit card companies and most credit providers. It is a standard that we must abide by if we are to accept credit cards as a form of payment. PCI DSS is broken into 12 requirements; each focusing on a different domain of security.

While PCI DSS is not an actual law, it is a standard enforced by the credit card industry, and the banks have stated and upheld the policy that they will no longer accept business from non-PCI compliant merchants. The government has used the PCI DSS as a yardstick by which they have measured such regulations as Gram-Leach-Bliley, Sarbanes-Oxley, and most recently the drafting of the Data Accountability and Trust Act.

We employ a device called a Barracuda here at Middlebury which helps us prevent SPAM from flooding our email system. Just shy of a year ago this system was updated to enable it to filter on cardholder information. By default this feature was turned on. We have left this enabled and have begun reporting on these blocked messages and alerting the senders of outbound messages.  The Barracuda is intended to serve both as a SPAM filter and a compliance tool.

Illegal File Sharing and the Higher Education Opportunity Act

In April 2008 the Department of Education drafted the Higher Education Opportunity Act (HEOA). HEOA deals with unauthorized file sharing on campus networks and enforcement of this act’s provisions began July 1, 2010. Institutions of higher education must make an effort to comply with the provisions of this act. The Educause website provides an excellent overview of the provisions of the act, as well as suggestions for complying. Here’s a relevant excerpt from Educause’s site:

Several sections of the HEOA deal with unauthorized file sharing on campus networks, imposing three general requirements on all U.S. colleges and universities:

  • An annual disclosure to students describing copyright law and campus policies related to violating copyright law.
  • A plan to “effectively combat the unauthorized distribution of copyrighted materials” by users of its network, including “the use of one or more technology-based deterrents”.
  • A plan to “offer alternatives http://www.educause.edu/legalcontent to illegal downloading.”

To comply with the act, Middlebury College has undertaken the following steps:

  1. Legal alternatives to illegal downloading are described in the Computing Policies section of the handbook: go.middlebury.edu/p2p
  2. Copyright laws and policies are published through Middlebury College’s copyright page (go.middlebury.edu/copyright), as well as the Computing Policies section of the Handbook, in particular go.middlebury.edu/p2p
  3. A plan is in place to combat unauthorized distribution of copyrighted materials. The plan relies on a combination of packet shaping and NAC technology, as well as education:
    • Every year, students register their computing devices through our network registration process. Part of the registration involves reading and agreeing to our Responsible Use policy. Network registration is enforced through a NAC appliance from Bradford networks.
    • We respond promptly and regularly to DMCA notices. The College has a DMCA agent that promptly contacts the user that is in violation according to the DMCA notice. Repeated offenses result in loss of network access.
    • The use of posters that regularly appear in commonly used public spaces, such as the Davis Family Library.
    • This plan is reviewed periodically through the work of the security team.

Note that Educause offers a selection of Role Model Institutions that have implemented a variety of similar compliance strategies.