An ITS staff member who wishes to remain anonymous sent us the following:
Today’s Argus will include an article related to Wesleyan ITS, sourced primarily by myself. I believe that this article fails to document the extent of dysfunction within Information Technology Services at Wesleyan, so I have decided to write a separate editorial on my own. As an ITS staff member, I offer an insider’s perspective into an institution which has profound influence on the entire Wesleyan community.
Our IT department steamrolls out new products for students, faculty, and staff alike, without proper testing and without enough discussion with the impacted users. Because of this, many of the new web applications and services produced by ITS do not work well, or are even worse than the products that they replace.
Many of our IT decisions are made based almost exclusively on funding, rather than on community welfare. I know we’re living in the real world and the bottom line has the final word, but our IT department has given in to the ‘get it done quick’ mentality without enough concern for quality. In the majority of cases I’ve been familiar with, ITS has released products without proper testing for bugs and without beta testing lasting longer than a week. After they release a product, they move on to something new, and don’t improve or fix previously released applications.
For example, consider the kiosk machines located in Usdan, Exley and elsewhere. For web browsing, they use a program called wKiosk. Until last month, wKiosk on these machines could not display Gmail’s web interface properly. ITS only became aware of the problem and fixed it after being notified by a student. That means that for one and a half years, no one from ITS tried to load the Gmail web interface on one of these machines. Even when ITS decided to switch student email over to Google Apps, no one made sure that Gmail would be accessible from all campus computers.
In Usdan’s basement there is a multipurpose room equipped with speakers and a projector, which allow students and faculty to play music and project movies. However, the media cabinet’s sound cable has been routed to play music through an iPod, but is too short to connect to a laptop – as a result it is almost impossible to simultaneously project video and play the accompanying sound. The only way this could have gone without notice is for nobody in ITS to have ever tried to use this projector.
These problems go beyond simple inconveniences to serious security problems. As you will read about in today’s Argus, there was a huge security flaw in our Wesleyan Google Apps that ITS has failed to report. Until February 27, when a concerned student reported the flaw, the login page [mail.gapps.wesleyan.edu] did not require a password to log in to a student’s email account. Simply providing a valid user name and leaving the password field blank would bring a person to the email account associated with the user name.
Bugs happen, but this one could have been avoided with proper testing. When an engineer writes a proper authentication page, it is routine to test that blank passwords do not bypass security. Testing is all the more important on an application that safeguards personal information such as email. Needless to say, bugs that are this large in scope and this easy to exploit should under no circumstances occur in a well-functioning university IT department.
Additionally, I find it abhorrent that ITS did not voluntarily release details of this flaw. The flaw was fixed on February 27, and publishing information about it no longer poses a security risk. Some students may have had sensitive passwords or other information in their email, and have the right to know if that information was visible to third parties. By not reporting the flaw, ITS puts students at risk for identity theft. On the other hand, by not reporting the flaw, ITS maintains a better public image and does not have to own up to its mistakes. If you had passwords stored in your Gmail inbox, especially important ones like banking details, you should change them immediately.
ITS has also failed to take action to prevent the spread of viruses on campus. For at least three years, the computer labs have had at least one widespread outbreak a year. Yet the Macs still don’t have virus scanners installed, which allows macro viruses to infect Microsoft Office documents, and the PCs still have auto-run enabled, which allows viruses to spread via flash drives.
Two years ago, Blackboard was a vector for viruses, because it does not scan uploaded files. Professors unwittingly uploaded infected documents, and Blackboard helped distribute them to entire classes. Yet Blackboard still doesn’t have virus scanning, and such a problem could reoccur at any time.
ITS also recently released WesFiles, which is Xythos rebranded. Xythos wasn’t properly tested with Macs before it was purchased, and it was later discovered that it doesn’t integrate well with OSX. Consequently, our main software for server-based storage supports 50% of the community through only a web-based interface. Had ITS tested Xythos properly and decided that integration with OSX was not a priority, selecting it would have been questionable but acceptable. The problem here is that the decision was made before all the facts were known.
Cisco Clean Access (CCA) is another example of a product which was not properly tested before being released. In the fall of 2007, CCA was enabled on our entire network after being tested on fewer than five computers. As the class of 2011 probably remembers, nearly all the incoming freshmen had no internet for days, and many had no internet for weeks. Despite improvements, Cisco Clean Access remains problematic. Over 250 students own computers that required a Helpdesk employee to manually allow their computer onto the network, bypassing Cisco.
So what should ITS do to improve this situation?
I see great promise in the relatively new ITS-WSA committee. Bringing students back into the decision-making process would help to avoid technological changes which hinder the community rather than aid it, as well as focusing attention on services that the student body actively desires.
Additionally, ITS needs to work more on improving its current services, rather than just releasing new ones. For example, ITS could put more effort into improving the lab computer system. ITS has long planned to switch the labs over to thin clients, but efforts have been stalled due to other priorities. The switch would largely eliminate virus infestations and students would no longer lose files by accidentally leaving them on the lab computer’s desktop. Your files and desktop would travel with you to wherever you logged in.
ITS should test its products more thoroughly before releasing them, as this would have prevented many of the issues listed above.
I also suggest that ITS hire students to test everything technological at Wesleyan in the way it is really used. The students would try to project something from a laptop in Usdan’s basement. They would try to load Gmail from a kiosk. Perhaps, had they started before February 27, they would have noticed that they could log into Wesleyan Google Apps without typing a password.
Finally, it is inexcusable, and possibly illegal, to not report security breaches in a timely fashion. ITS must begin reporting such breaches.
With these and other changes in mind, I believe ITS could once again become a respected institution on campus. I hope for the sake of the entire Wesleyan Community that they do.
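The routine check the editorial describes, that a valid user name with a blank password must never log anyone in, sketched here as an added example; it is not code from Wesleyan ITS or from the letter above. The account store, the flawed `permissive_backend` and every name below are constructed for illustration, since the text does not state what caused the actual flaw.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(accounts: dict) -> dict:
    """Build a constructed sample store: username -> (salt, PBKDF2 digest)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(password, salt))
    return store


def permissive_backend(store, username, password) -> bool:
    """Hypothetical flawed backend: a blank password is treated as 'nothing to verify'."""
    if username not in store:
        return False
    if not password:
        return True  # the defect under test: blank password accepted
    salt, digest = store[username]
    return hmac.compare_digest(_hash(password, salt), digest)


def authenticate(store, username, password, backend=permissive_backend) -> bool:
    """Guard in front of any backend: blank or missing credentials never reach it."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not username or not password:
        return False
    return backend(store, username, password)


def blank_password_failures(login, store) -> list:
    """Regression check: return every (user, password) pair that wrongly logged in."""
    failures = []
    for user in store:
        for blank in ("", None):  # empty form field, missing form field
            if login(store, user, blank):
                failures.append((user, blank))
    return failures
```

Run `blank_password_failures` against the login entry point before each release; an empty list is the only passing result.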