An Insider’s Perspective of ITS

An ITS staff member who wishes to remain anonymous sent us the following:

Today’s Argus will include an article related to Wesleyan ITS, sourced primarily by myself.  I believe that this article fails to document the extent of dysfunction within Information Technology Services at Wesleyan, so I have decided to write a separate editorial on my own.  As an ITS staff member, I offer an insider’s perspective into an institution which has profound influence on the entire Wesleyan community.

Our IT department steamrolls out new products for students, faculty, and staff alike, without proper testing and without enough discussion with the impacted users.  Because of this, many of the new web applications and services produced by ITS do not work well, or are even worse than the products that they replace.

Many of our IT decisions are made based almost exclusively on funding, rather than on community welfare.  I know we’re living in the real world, the bottom line has the final word, but our IT department has given in to the ‘get it done quick’ mentality without enough concern for quality. In the majority of cases I’ve been familiar with, ITS has released products without proper testing for bugs and without beta testing lasting longer than a week.  After they release a product, they move on to something new, and don’t improve or fix previously released applications.

For example, consider the kiosk machines located in Usdan, Exley and elsewhere.  For web browsing, they use a program called wKiosk.  Until last month, wKiosk on these machines could not display Gmail’s web interface properly.  ITS only became aware of the problem and fixed it after being notified by a student.  That means that for one and a half years, no one from ITS tried to load the Gmail web interface on one of these machines.  Even when ITS decided to switch student email over to Google Apps, no one made sure that Gmail would be accessible from all campus computers.

In Usdan’s basement there is a multipurpose room equipped with speakers and a projector, which allow students and faculty to play music and project movies.  However, the media cabinet’s sound cable has been routed to play music through an iPod, but is too short to connect to a laptop – as a result it is almost impossible to simultaneously project video and play the accompanying sound.  The only way this could have gone without notice is for nobody in ITS to have ever tried to use this projector.

These problems go beyond simple inconveniences to serious security problems.  As you will read about in today’s Argus, there was a huge security flaw in our Wesleyan Google Apps that ITS has failed to report.   Until February 27, when a concerned student reported the flaw, the login page [mail.gapps.wesleyan.edu] did not require a password to log in to a student’s email account.  Simply providing a valid user name and leaving the password field blank would bring a person to the email account associated with the user name.

Bugs happen, but this one could have been avoided with proper testing.  When an engineer writes a proper authentication page, it is routine to test that blank passwords do not bypass security.  Testing is all the more important on an application that safeguards personal information such as email.  Needless to say, bugs that are this large in scope and this easy to exploit should under no circumstances occur in a well-functioning university IT department.

Additionally, I find it abhorrent that ITS did not voluntarily release details of this flaw.  The flaw was fixed on February 27, and publishing information about it no longer poses a security risk.  Some students may have had sensitive passwords or other information in their email, and have the right to know if that information was visible to third parties.  By not reporting the flaw, ITS puts students at risk for identity theft.  On the other hand, by not reporting the flaw, ITS maintains a better public image and does not have to own up to its mistakes.  If you had passwords stored in your Gmail inbox, especially important ones like banking details, you should change them immediately.

ITS has also failed to take action to prevent the spread of viruses on campus.  For at least three years, the computer labs have had at least one widespread outbreak a year.  Yet the Macs still don’t have virus scanners installed, which allows macro viruses to infect Microsoft Office documents, and the PCs still have auto-run enabled, which allows viruses to spread via flash drives.

Two years ago, Blackboard was a vector for viruses, because it does not scan uploaded files.  Professors unwittingly uploaded infected documents, and Blackboard helped distribute them to entire classes.  Yet Blackboard still doesn’t have virus scanning, and such a problem could reoccur at any time.

ITS also recently released WesFiles, which is Xythos rebranded.  Xythos wasn’t properly tested with Macs before it was purchased, and it was later discovered that it doesn’t integrate well with OSX.  Consequently, our main software for server-based storage supports 50% of the community through only a web-based interface.  Had ITS tested Xythos properly and decided that integration with OSX was not a priority, selecting it would have been questionable but acceptable.  The problem here is that the decision was made before all the facts were known.

Cisco Clean Access (CCA) is another example of a product which was not properly tested before being released.  In the fall of 2007, CCA was enabled on our entire network after being tested on fewer than five computers.  As the class of 2011 probably remembers, nearly all the incoming freshmen had no internet for days, and many had no internet for weeks.  Despite improvements, Cisco Clean Access remains problematic.  Over 250 students own computers that required a Helpdesk employee to manually allow their computer onto the network, bypassing Cisco.

So what should ITS do to improve this situation?

I see great promise in the relatively new ITS-WSA committee.  Bringing students back into the decision making process would help to avoid technological changes which hinder the community rather than aid it as well as focusing attention on services that the student body actively desires.

Additionally, ITS needs to work more on improving its current services, rather than just releasing new ones.  For example, ITS could put more effort into improving the lab computer system.  ITS has long planned to switch the labs over to thin clients, but efforts have been stalled due to other priorities.  The switch would largely eliminate virus infestations and students would no longer lose files by accidentally leaving them on the lab computer’s desktop.  Your files and desktop would travel with you to wherever you logged in.

ITS should test its products more thoroughly before releasing them, as this would have prevented many of the issues listed above.

I also suggest that ITS hire students to test everything technological at Wesleyan in the way it is really used.  The students would try to project something from a laptop in Usdan’s basement.  They would try to load Gmail from a kiosk.  Perhaps, had they started before February 27, they would have noticed that they could log into Wesleyan Google Apps without typing a password.

Finally, it is inexcusable, and possibly illegal, to not report security breaches in a timely fashion.  ITS must begin reporting such breaches.

With these and other changes in mind, I believe ITS could once again become a respected institution on campus.  I hope for the sake of the entire Wesleyan Community that they do.
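
The blank-password check that the editorial above calls routine, written out as an added example; it is not part of the original post and is not Wesleyan's or Google's code. It assumes a hypothetical backend, `FakeDirectory`, that reports success for an empty-password bind (the unauthenticated simple bind described in RFC 4513); the post does not say what actually caused the flaw, and all names and sample credentials are constructed.

```python
"""Added example: blank-password release checks for a login handler."""
import hashlib
import hmac
import os


class FakeDirectory:
    """Constructed stand-in for a directory server (hypothetical backend)."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        self._users[username] = (salt, digest)

    def bind(self, username, password):
        """Return True when the bind succeeds."""
        if username not in self._users:
            return False
        if password == "":
            # Unauthenticated bind: reports success but proves nothing
            # about who is on the other end.
            return True
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(candidate, digest)


def login_vulnerable(directory, username, password):
    """Treats any successful bind as proof of identity."""
    return directory.bind(username, password)


def login_hardened(directory, username, password):
    """Rejects missing or empty credentials before consulting the backend."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if username.strip() == "" or password == "":
        return False
    return directory.bind(username, password)


def run_release_checks(login):
    """Return the names of the checks that fail for the given login function."""
    directory = FakeDirectory()
    directory.add_user("student1", "correct horse battery staple")  # constructed
    cases = [
        ("valid password accepted", "student1", "correct horse battery staple", True),
        ("wrong password rejected", "student1", "wrong", False),
        ("blank password rejected", "student1", "", False),
        ("missing password rejected", "student1", None, False),
        ("unknown user rejected", "nobody", "", False),
        ("blank username rejected", "", "x", False),
    ]
    failures = []
    for name, user, password, expected in cases:
        try:
            result = login(directory, user, password)
        except Exception:
            result = None  # a crash is not a clean rejection
        if result is not expected:
            failures.append(name)
    return failures


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        failed = run_release_checks(fn)
        print(f"{fn.__name__}: {'PASS' if not failed else 'FAIL ' + str(failed)}")
```

Run as a release gate, the vulnerable handler fails on the blank and missing password cases while the hardened one passes all six.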

100 thoughts on “An Insider’s Perspective of ITS”

  1. Anonymous

    Hear, hear, Sam.

    The security breach issue is really unforgivable–whether or not it was illegal.

    I have had only miserable experiences dealing with ITS. Especially when trying to get access to rooms.

    These people should burn for this.
    Speak truth to power.
    Fuck ITS.

  2. Anonymous

    Jolee West–Had this anonymous person not come forward with this information, we would not know that our e-mail accounts were accessible without passwords for a long period. ITS should have told us immediately. ITS did not tell us. It’s ridiculous that a student had to tell us anonymously, but I’m happy to know the facts. HOW is this information one-sided ranting? All of the points are valid and now both the student body and ITS have been made aware.

    2:52–maybe Gmail worked for you, but I had a lot of problems with it (until someone told me to click that link at the bottom). It’s something simple that should have been attended to. I don’t think the person undermined their point because they weren’t lying about that. I was hoping someone would fix the Gmail problem.

  3. Sam

    Jolee, #16 here is right: an open-door policy and good communication are not the same thing. ITS does have an open-door policy, yes. This is a good thing, and I commend and appreciate it. The problem is that an open-door policy isn’t useful unless you know whose door to walk through.

    ITS employs a lot of people and even for those of us who do regularly interact with ITS staff it’s often not at all obvious who is the go-to person for specific issues. I can ask other ITS employees, sure, but what if they’re not sure either? This has happened more than once to me (and is not at all the fault of the employees I’ve been asking).

    If ITS wants communication to take place, it needs to do a few things. First and foremost, students need to know who to talk to about what. ITS needs to provide information about the people who manage specific areas of ITS in general–people who handle network issues, people who handle website issues, people who handle policy issues, etc.–as well as the people to talk to about specific projects. Who do we talk to about WesFiles? Who do we talk to about the new E-Portfolio homepage? Secondly, ITS needs to make explicitly clear when it’s providing this information that people should use it. Sending an e-mail to someone you’ve never met can be intimidating enough–walking in their door is much more so.

    In the context of this post, though, this discussion is largely irrelevant. The problems with WesFiles and OSX that you specifically discuss are obviously not unknown or you wouldn’t be working with Xythos on a solution.

    At issue here is not communication, it’s quality control and accountability. Even the most basic of testing should have revealed the problems in the google apps login well before launch. And while not being a lawyer I won’t attempt to judge whether or not withholding knowledge of this security issue was legal, I will say that it is most certainly unethical. I’m fairly confident that the nature of the problem means that you have no way of determining whether an actual breach of security occurred. That may or may not protect you legally (I believe that you’re only required to report when an actual security breach has occurred, not just the possibility of one–although again IANAL), but the very very real possibility of a breach means you should have informed students as soon as the problem was fixed.

  4. Anonymous

    Agreed with 22. And these aren’t even “criticisms” or “feedback”. This is an ITS employee pointing out at least one major security flaw, and several times that services installed on campus have been flops because ITS didn’t properly test (wKiosk).

    And Jolee,

    Anyone could read anyone’s email. If this is a flogging, then it’s a lot less than ITS deserves.

  6. Anonymous

    I love how an ITS employee says that they welcome criticism and feedback but attack the person who came forward. No wonder they did it anonymously.

  8. IMS employee

    Well, this actually gives me a better impression of ITS than I’d previously had. I had assumed that the vast problems at ITS were the result of incompetence, but apparently it’s actually a culture that doesn’t value quality in any way.

    The degree to which things here—simple things, like active directory authentication on lab PCs—just don’t work very well is apparent to anyone who uses the services ITS provides. And as someone who works with ITS, trying to effect change is a nearly impossible prospect. ITS seems to not see any value in student feedback (though the web-design process may indicate some of this is changing, as those working on the project seem very interested in student input) and also seems to hold a low opinion of students’ capabilities.

    Until there’s some accountability put on ITS by the administration for actually producing working solutions I don’t see any real change, though.

  10. Anonymous-ish

    Thank you anonymous ITS insider for making today far more entertaining than I had been anticipating.

  12. Anonymous

    continuing from 9:44,

    the fact that wesleyan is pushing xythos for a mac client is great, but dragon offered implicit support for os x, while xythos as of yet only offers website access.

  14. Anonymous

    Jolee,
    Attacking the insider who posted this is not a means to restore ITS’s credibility. Also, as someone who worked for ITS for 3 years, saying that an open door policy exists does not lead to good communication.

  16. Anonymous

    jolee,

    were you aware of the permission issues associated with using the finder in osx? i believe the current instructions are to avoid the finder altogether because of permission and versioning problems as well as duplication issues.

  18. Wesleyan Definitely Violated Federal Law

    I differ with the anonymous ITS employee on one point. I think Wesleyan DEFINITELY broke the law in this case.

    The Federal Educational Rights and Privacy Act requires Wesleyan to notify students when a security breach has compromised sensitive student information. While this security hole was not a conventional breach in the sense of a hacker gaining access to student records (which is what the act directly covers), I think the notification requirement of the still applies. Keeping our email secure is the University’s responsibility and we often send/receive emails with sensitive information (SSN’s, credit card numbers, etc.)

    I am utterly shocked at Wesleyan’s willful disregard for both our privacy and federal law. If anyone’s personal information was compromised, Wesleyan should be held liable.

    For more info on the law check out:
    http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

  20. Anonymous

    the class of 2011 was the first class to come in with more macs than PCs. i’m sure ITS has the exact numbers, but if the trend continued it seems likely that 50% is about right.

  22. Anonymous

    People seem to be missing the main point here. The kiosks, etc., are secondary.

    Anyone who wanted would have been freely able to log into the e-mail of *any student* who got their e-mail switched over to gmail given only their *username*. (Which is publicly available information.)

  24. Jolee West

    I wish to comment on the Xythos concerns raised in this post.

    ITS did extensive testing of Xythos on the Mac and even provided Xythos with benchmark data on upload times via the Mac Finder versus the Java applet. We did this testing several months before releasing Xythos to the community. We were aware of the Mac OS webDAV issues and have been instrumental in pushing Xythos to produce a Mac client to match the Windows Xythos Drive client. The Mac client is supposed to be released later this year.

    I think this post not only represents unfair, one-sided ranting, but the fact that the ITS “insider” does not have the gumption to bring any of these complaints directly to us is inexplicable.

    I co-chair a WSA ITS Advisory committee with Cesar Medina…that’s one venue for voicing concerns. There is reporting through Instructional Media Services, any of the Academic Computing Managers, the Help Desk, plus every single ITS employee has an open door and is available for students wishing to get more information or voice concerns.

    This “insider” is no doubt aware of all this, but instead chooses to hold back on reporting problems until s/he can make it into a public flogging? That’s neither fair nor responsible. It makes me wonder what they’re doing on their work time.

  26. Anonymous

    I always had problems with gmail on the kiosks. Even if it worked some of the time, for a few people, it’s not acceptable if it didn’t work consistently, especially with Wes on Google apps.

  28. Anonymous

    This is totally fucked up.
    Also “our main software for server-based storage supports 50% of the community.” — WAY more than 50% of the community uses macs. I don’t want to get into the whole obnoxious mac/pc antagonism, but on a college campus like Wes testing for macs should be the norm, and if one has to be left out (which of course it is ridiculous to do at all) it should be PCs.

  30. David

    On the topic of Kiosks:
    They apparently still aren’t all fixed. Today gmail failed to load for me when not in basic HTML mode on the Macs in PI. But I do remember gmail working for me a semester or two ago – perhaps something changed.
    I guess I will have to let ITS know tomorrow that the computers in their own building still aren’t working properly…

  31. Anonymous

    I think we know Gmail has been working on the kiosks because we see frozen kiosks that are still logged into people’s accounts.

    Which is a huge issue in and of itself.

  33. Anonymous

    I don’t know about that, 2:52. I could use gmail on the kiosks this fall, but it then stopped working for me. I couldn’t access my e-mail from Usdan for months.

  35. Anonymous

    gmail definitely didn’t work properly on the kiosks until recently. It *did* work in basic html mode, but you had to know to click that little link at the bottom of the page. Until recently the regular mode just loaded a bunch of gibberish.

    It’s true you could still get to your email if you knew what to do but I think the statement is generally true.

  37. Anonymous

    I wish this ITS employee didn’t undermine hir statement by simply lying about Gmail not working on Usdan kiosks. I’ve been using Gmail on the kiosks since Usdan opened.

    There are lots of legitimate issues here (and the kiosks are definitely one of them – for other reasons) but you make it hard for us to have a productive conversation when you start off with something we all know is false. How do we know everything else you said isn’t false too?

  39. Anonymous

    This is crazy. I’m glad an ITS employee had the guts to do this, especially because I’m sure these aren’t the only major problems with the computer systems on campus.

    And I’m glad the employee chose to speak directly to the community like this. I bet the Argus article will fuck up the facts royally.
