An ITS staff member who wishes to remain anonymous sent us the following:
Today’s Argus will include an article related to Wesleyan ITS, sourced primarily by myself. I believe that this article fails to document the extent of dysfunction within Information Technology Services at Wesleyan, so I have decided to write a separate editorial on my own. As an ITS staff member, I offer an insider’s perspective into an institution which has profound influence on the entire Wesleyan community.
Our IT department steamrolls out new products for students, faculty, and staff alike, without proper testing and without enough discussion with the impacted users. Because of this, many of the new web applications and services produced by ITS do not work well, or are even worse than the products that they replace.
Many of our IT decisions are made based almost exclusively on funding, rather than on community welfare. I know we’re living in the real world, the bottom line has the final word, but our IT department has given in to the ‘get it done quick’ mentality without enough concern for quality. In the majority of cases I’ve been familiar with, ITS has released products without proper testing for bugs and without beta testing lasting longer than a week. After they release a product, they move on to something new, and don’t improve or fix previously released applications.
For example, consider the kiosk machines located in Usdan, Exley and elsewhere. For web browsing, they use a program called wKiosk. Until last month, wKiosk on these machines could not display Gmail’s web interface properly. ITS only became aware of the problem and fixed it after being notified by a student. That means that for one and a half years, no one from ITS tried to load the Gmail web interface on one of these machines. Even when ITS decided to switch student email over to Google Apps, no one made sure that Gmail would be accessible from all campus computers.
In Usdan’s basement there is a multipurpose room equipped with speakers and a projector, which allow students and faculty to play music and project movies. However, the media cabinet’s sound cable has been routed to play music through an iPod, but is too short to connect to a laptop – as a result it is almost impossible to simultaneously project video and play the accompanying sound. The only way this could have gone without notice is for nobody in ITS to have ever tried to use this projector.
These problems go beyond simple inconveniences to serious security problems. As you will read about in today’s Argus, there was a huge security flaw in our Wesleyan Google Apps that ITS has failed to report. Until February 27, when a concerned student reported the flaw, the login page [mail.gapps.wesleyan.edu] did not require a password to log in to a student’s email account. Simply providing a valid user name and leaving the password field blank would bring a person to the email account associated with the user name.
Bugs happen, but this one could have been avoided with proper testing. When an engineer writes a proper authentication page, it is routine to test that blank passwords do not bypass security. Testing is all the more important on an application that safeguards personal information such as email. Needless to say, bugs that are this large in scope and this easy to exploit should under no circumstances occur in a well-functioning university IT department.
Additionally, I find it abhorrent that ITS did not voluntarily release details of this flaw. The flaw was fixed on February 27, and publishing information about it no longer poses a security risk. Some students may have had sensitive passwords or other information in their email, and have the right to know if that information was visible to third parties. By not reporting the flaw, ITS puts students at risk for identity theft. On the other hand, by not reporting the flaw, ITS maintains a better public image and does not have to own up to its mistakes. If you had passwords stored in your Gmail inbox, especially important ones like banking details, you should change them immediately.
ITS has also failed to take action to prevent the spread of viruses on campus. For at least three years, the computer labs have had at least one widespread outbreak a year. Yet the Macs still don’t have virus scanners installed, which allows macro viruses to infect Microsoft Office documents, and the PCs still have auto-run enabled, which allows viruses to spread via flash drives.
Two years ago, Blackboard was a vector for viruses, because it does not scan uploaded files. Professors unwittingly uploaded infected documents, and Blackboard helped distribute them to entire classes. Yet Blackboard still doesn’t have virus scanning, and such a problem could reoccur at any time.
ITS also recently released WesFiles, which is Xythos rebranded. Xythos wasn’t properly tested with Macs before it was purchased, and it was later discovered that it doesn’t integrate well with OSX. Consequently, our main software for server-based storage supports 50% of the community through only a web-based interface. Had ITS tested Xythos properly and decided that integration with OSX was not a priority, selecting it would have been questionable but acceptable. The problem here is that the decision was made before all the facts were known.
Cisco Clean Access (CCA) is another example of a product which was not properly tested before being released. In the fall of 2007, CCA was enabled on our entire network after being tested on fewer than five computers. As the class of 2011 probably remembers, nearly all the incoming freshmen had no internet for days, and many had no internet for weeks. Despite improvements, Cisco Clean Access remains problematic. Over 250 students own computers that required a Helpdesk employee to manually allow their computer onto the network, bypassing Cisco.
So what should ITS do to improve this situation?
I see great promise in the relatively new ITS-WSA committee. Bringing students back into the decision making process would help to avoid technological changes which hinder the community rather than aid it as well as focusing attention on services that the student body actively desires.
Additionally, ITS needs to work more on improving its current services, rather than just releasing new ones. For example, ITS could put more effort into improving the lab computer system. ITS has long planned to switch the labs over to thin clients, but efforts have been stalled due to other priorities. The switch would largely eliminate virus infestations and students would no longer lose files by accidentally leaving them on the lab computer’s desktop. Your files and desktop would travel with you to wherever you logged in.
ITS should test its products more thoroughly before releasing them, as this would have prevented many of the issues listed above.
I also suggest that ITS hire students to test everything technological at Wesleyan in the way it is really used. The students would try to project something from a laptop in Usdan’s basement. They would try to load Gmail from a kiosk. Perhaps, had they started before February 27, they would have noticed that they could log into Wesleyan Google Apps without typing a password.
Finally, it is inexcusable, and possibly illegal, to not report security breaches in a timely fashion. ITS must begin reporting such breaches.
With these and other changes in mind, I believe ITS could once again become a respected institution on campus. I hope for the sake of the entire Wesleyan Community that they do.
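A blank-password regression test of the kind the editorial calls routine, added here as an example; it is not ITS code, and the page does not say what caused the flaw. The `SimulatedDirectory` backend, the function names and the accounts are constructed assumptions; the backend mimics an LDAP-style unauthenticated bind (RFC 4513), one well-known way an empty password ends up accepted.

```python
import hmac


class SimulatedDirectory:
    """Constructed stand-in for a directory/SSO backend (assumption).

    Like an LDAP server that permits an RFC 4513 "unauthenticated bind",
    it reports success when a known name arrives with an empty password.
    """

    def __init__(self, accounts):
        self._accounts = dict(accounts)  # constructed test accounts only

    def bind(self, username, password):
        if username not in self._accounts:
            return False
        if password == "":
            return True  # bind "succeeds" but proves nothing about identity
        return hmac.compare_digest(
            self._accounts[username].encode(), password.encode()
        )


def login_naive(directory, username, password):
    """'Before': trusts the backend's answer, so a blank password gets in."""
    return directory.bind(username, password)


def login_checked(directory, username, password):
    """'After': refuse blank credentials before the backend ever sees them."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    # Rejecting whitespace-only values too is a conservative policy choice.
    if not username.strip() or not password.strip():
        return False
    return directory.bind(username, password)


# Blank-like inputs a pre-release test pass should try on every login form.
BLANK_LIKE = ["", " ", "\t", "\n", "   ", None]


def blank_password_failures(login, directory, usernames):
    """Return the (username, password) pairs that were wrongly accepted."""
    failures = []
    for user in usernames:
        for pw in BLANK_LIKE:
            try:
                accepted = login(directory, user, pw)
            except Exception:
                accepted = False  # an error is not a login; count as rejected
            if accepted:
                failures.append((user, pw))
    return failures


if __name__ == "__main__":
    d = SimulatedDirectory({"alice": "correct horse", "bob": "s3cret!"})
    print("naive  :", blank_password_failures(login_naive, d, ["alice", "bob"]))
    print("checked:", blank_password_failures(login_checked, d, ["alice", "bob"]))
```

An empty list from `blank_password_failures` is the release gate; any entry names an account that opened without a password.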
@Anon 50: I think ze meant current students, not graduates. Nice troll though.
“I also suggest that ITS hire students to test everything technological at Wesleyan in the way it is really used.”
Having trouble finding a job post-graduation, are we, anonymous ITS insider?
Don’t worry, I’m sure your daddy has a job lined up for you.
This anonymous comment almost beats them all
“We have staffing directed towards redundant and unnecessary projects – like once, there was a full-time hire staff member whose sole responsibility was to set up blogs (read: install WordPress) for professors. And an entire team of designers/programmers dedicated to creating QuickTime/Flash animations for professors’ class material (read: 4 x $60,000/yr. = $240,000 for some art gallery online, or a ribosomes animation for BIO181).”
What planet are you on? There’s valid bitching (the email fiasco), then there’s stupidity. This one is really stupid.
The Usdan kiosks are the most useless machines I have ever encountered. When they work, they log me out randomly about every thirty seconds… >_< I called ITS about this three times and every time they said they’d look into it..
If ITS had properly tested the online TA evaluation system, it wouldn’t have crashed the night evals were due, losing tons of student evals in the process. They would have known the database was going to fill up ahead of time, and allocated more space. Good thing after they screwed up they gave students until 2am (2 extra hours) to re-write the evaluations that ITS lost.
ITS pwn’d!!
Most people don’t realize this, but ITS has a lot of issues besides the usability issue.
* We use Oracle/Peoplesoft databases that cost a significant part of ITS’ annual budget (like high 6-figures, low 7-figures) when there are free alternatives that fit Wesleyan’s size and needs.
* We have staffing directed towards redundant and unnecessary projects – like once, there was a full-time hire staff member whose sole responsibility was to set up blogs (read: install WordPress) for professors. And an entire team of designers/programmers dedicated to creating QuickTime/Flash animations for professors’ class material (read: 4 x $60,000/yr. = $240,000 for some art gallery online, or a ribosomes animation for BIO181).
* Real projects don’t get done. E-portfolio sucks, but ITS doesn’t want to fix it because it was written by Ravi in 1995, now the head of ITS who doesn’t want to see it go.
So yea, while ITS wastes literally millions of Wesleyan’s little operating budget and lots of man-hours, WSA has to cut back on NYTimes distribution and other departments don’t have enough money to do their projects. The administration really needs to clamp down on the laissez-faire style it has operated so far with ITS.
– Former ITS Helpdesk Employee (Not disgruntled, just graduated and works in the IT industry)
Thanks helpdesk. Maybe it’s because I don’t live on campus, but I assumed that helpdesk@wes was the e-mail to use for reporting computer problems. Either way, I think I should have heard back from someone and appreciate that ITS forwarded it to the correct department.
@Beau, 38: Also, I have confirmed that Beau sent in a report of the friend worm on Feb 26, and we forwarded the report to IMS the same day. I don’t know what happened after that.
The worm is pretty tricky to get rid of, so just because it’s still a problem doesn’t necessarily mean that IMS wasn’t actively working on it starting in February.
Okay, thanks for the help. -36
As far as I know, there were only a few scattered ITS staff members who had email in GoogleApps (such as myself, but I stopped wanting my personal email in Wesleyan’s hands some months back so no harm there) for testing purposes.
Fac & staff were not migrated by default, but we could migrate them on request. I believe that some had requested a switch-over before Feb 27, though I don’t know if they actually were.
39. Good to know. Also, glad that I opted out.
@Beau
Fac + staff were not migrated.
35. I don’t know how worried you should be, since Symantec hasn’t caught anything. However, if you want to be extra careful, you could run a web-based virus scan from Microsoft (click here) or Trend Micro (click here). Others might be able to refer you to different/better ones.
Back in February when I encountered this, I also e-mailed the Help Desk (helpdesk@wesleyan.edu) and didn’t even receive a canned response. Incidentally, I e-mailed them on the 26th, so it’s possible that someone exploited the breach to access the helpdesk e-mail account and delete my message. Heh.
I wonder if faculty/staff were migrated to Google Apps, and if so whether their accounts were also vulnerable. I’m sure that if MRoth’s account was accessed there would be hell to pay.
I don’t think the virus does do anything except spread itself and change your background.
That being said, ITS could have had a system in place that restarting a computer puts it back into a ‘clean’ state that contains no viruses, which would have prevented this problem from occurring (this is also called ‘sandboxing’, because changes to the OS do not actually change anything stored on the hard drive).
ITS really needs to work on the lab computers, they are a mess and have been for a long time.
30: I could be wrong, but I remember once being told that it’s copying over an installation/home image for the user over the network, which takes x amount of time.
@Beau: I had this pop up in PAC once if I remember correctly. I was also told it was harmless. I’m not as computer-intelligent as I’d like to be… should I be worried/what do I need to check for? I’m not sure if I used a USB drive that day. Symantec AntiVirus hasn’t caught anything yet.
The Argus has posted their article here.
And here’s a link to a cell phone picture I took of the virus message that was popping up when logging into a PC in the Olin InfoCommons. The computer tech there (not sure of his title) told me not to worry about it, that they didn’t know what it was, but that it was harmless. Fortunately I didn’t use a USB drive.
I’m not one to be a Windows cheerleader, but I think it’s safe to say running Windows alone doesn’t result in it taking that long to log into a machine.
3:33 – because they’re running Windows!
Saying things like “these people should burn for this” and “fuck ITS” is kind of ridiculous — hostile, mean-spirited, and unproductive. Let’s keep things in perspective, people.
Other question: why do the PC lab computers take so long to log on? What is it really doing for those 90 seconds?
Let’s be realistic about the flaw here.
For most students, the only email on Google Apps would have been sent or received after winter break, because the system was new. Although we’ll never know, it’s likely nobody outside of ITS figured out the flaw.
The chance that someone had sensitive data breached was minimal.
Even so, ITS of course should have released information.
Why not outsourcing? It’s cheaper.
Hear, hear, Sam.
The security breach issue is really unforgivable–whether or not it was illegal.
I have had only miserable experiences dealing with ITS. Especially when trying to get access to rooms.
These people should burn for this.
Speak truth to power.
Fuck ITS.
Jolee West–Had this anonymous person not come forward with this information, we would not know that our e-mail accounts were accessible without passwords for a long period. ITS should have told us immediately. ITS did not tell us. It’s ridiculous that a student had to tell us anonymously, but I’m happy to know the facts. HOW is this information one-sided ranting? All of the points are valid and now both the student body and ITS have been made aware.
2:52–maybe Gmail worked for you, but I had a lot of problems with it (until someone told me to click that link at the bottom). It’s something simple that should have been attended to. I don’t think the person undermined their point because they weren’t lying about that. I was hoping someone would fix the Gmail problem.