DUKE ITAC - August 8, 2002 Minutes

Minutes

August 8, 2002

Attending: Ed Anapol, Landen Bain, John Board, Ken Hirsh (for Dick Danner), Angel Dronsfield, Brian Eder, David Ferriero, Nevin Fouts, Tracy Futhey, Ed Gomes, Patrick Halpin, Alfred Trozzo (for Paul Harrod), Bob Newlin (for David Jamieson-Drake), Andy Keck (for Roger Loyd), Melissa Mills, George Oberlander, Lynne O'Brien, Mike Pickett, Rafael Rodriguez, Molly Tamarkin, Brandon Taylor, Clare Tufts, Fred Westbrook, Robert Wolpert

Guests: Chris Cramer, Susan Engelbosch, Sue Jarrell, Tallman Trask, Steve Woody

Call to Order: Meeting called to order 4:05 pm

Review of Minutes and Announcements:

Document Imaging Exploration - Mike Pickett

There have been pilot programs off and on, but there has never been anything that has stayed. The software and performance never fit. There appears to still be strong interest in this. If you have interest in document imaging or management, please send your name to Mike Pickett. Right now, it is being looked at as an exploration.

Duke University Campus Security Incident Procedure

Please read the message sent out on the ITAC mailing list detailing the procedure the security office is using to handle compromised computers at Duke.

John Board: Is this the current practice now?

Chris Cramer: Almost, Right now we don't have procedure if administrator does not deal with the problem

Robert Wolpert: Is it worth being any more aggressive?

Chris Cramer: Would like to have a schedule posted to re-scan the machines

Robert Wolpert: Should the message be sent to anyone else that the computer is compromised?

Chris Cramer: Right now, there is a list of administrators by subnet, we can put in other names or could put multiple names in and they can be contacted, it would depend on how the department operates as to whether that would work the best in ones environment.

Robert Wolpert - It would seem they would like to know sooner rather than later if they had a compromised machine.

Chris Cramer - Yes, He will try to post the list he has as soon as possible so people can see if there is anyone missing

Anyone trying to get Thawte certificates

Currently there is a problem, and they are working with the vendor on this. The process has changed, and the certificates are not working correctly.

I . Introduction to DSG student rep and observations on students and technology - Brandon Taylor

Brandon is a Junior at Duke majoring in History. He is self-taught with computers since about the 6th grade. This past year he worked with Academic Technology Services in OIT Customer Support. He feels that students don't realize the full potential that the Duke computer labs offer. It is important to improve advertising of the labs as well as the computing services available to the students, such as training or multimedia computer labs. This needs to start at the grassroots - show the students that they can use the labs and computing resources at Duke to do more than just write papers and surf the web.

II. Microsoft Research Faculty Summit - John Board

Most impressed with the work being done on the tablet PCs - they are going to change things. It is the first time he has seen useful device around the pen feature. The tablets are running full XP, so they can be use as full fledge computers, but they also fold up. They have high resolution ink to use for note taking. The pen input is not coupled just to Word as it has been in the past, it can be integrated into any application. The device hits the market in the fall. Wireless is also incorporated into it.

This could change how students in areas such as Engineering (or areas where there are graphs, etc.) take notes. There was also a pda/cell phone combo demonstrated - it allows you to carrying one device instead of two.
The conference ran a lot of parallel sessions. There was an interesting talk from MIT - by the heads of MIT counsel on Educational Technology. It seemed to be a great model for Duke to look at.

MIT feels the value is in the classroom interaction, so anyone can have the materials they use. It is the interaction with people that you are paying for at MIT, not the materials, so anyone can use those materials. They will be available on the web this fall.

Univ of Washington is doing a project with Microsoft to develop high quality of video confrencing to provide better video interaction.

There were many other sessions. Research at MSR, Security, etc. If anyone is interested in the presentations or the notes, please contact John Board.

George Oberlander: Were the tablets pure handwriting recognition?

John Board: They will support graffiti, but hand written

George Oberlander: Do you know what the typical recognition rates are for the tablets?

John Board: Not sure what the rates are as it relates to other recognition rates
Microsoft will only be using hardware vendors that will support the Software.

George Oberlander: Will they work in a variety of lighting situations?

John Board: Yes, there are already some that exist like that, but yes this one does.

III. CIT Year End Report - Lynne O'Brien

Significant activities this year:

  • There was some outreach: the faculty showcase, which received very positive feedback, CIT is planning to do this again. They also had a guest speaker from MIT, which you can hear on the CIT Website.
  • Events for fall include: faculty talking, training sessions, and speakers from other schools.
  • They have taken same materials from posters and talks and capture it as a profile on the CIT webpage, so people can come back to it and refer to it.
  • Blackboard - CIT will be creating course sites for every course this coming Semester. The course sites will only be public if faculty member makes it public This helps takes away the time and effort of having to request the course Site.
  • CIT has partnerships with companies and schools. They received wireless IPAQs from Microsoft, Palms, and Apples - they are keeping relationships with vendors and schools up to date.
  • There is coordination of effort across campus, CIT tries to put people in touch with one another by forming advisory groups, focus groups, etc.
  • Evaluations are important - this allows CIT to assess individual activity, it is harder to assess projects but they are working on getting that feedback as well.
  • Courses will be generated on the 19th - if a professor already has created a course webpage, they will be left out, there will not double courses created.
  • If the course is auto created, can you move materials to the new course site? Yes

Chris Cramer: How closely will Blackboard classes track enrollment?

Lynne O'Brien: It will be updated 3 times a day beginning August 26th.

Robert Wolpert: would you see if there was another site for a class if it was not in Blackboard?

Lynne: No you would not see the course site unless faculty activated it and it was a Blackboard site.

Clare Tufts: With the tighter integration with SISS data, will we be handling drops in addition to adds for the course rosters?

Lynne O'Brien: Drops have been managed by our process since we migrated to the Snapshot environment in Spring 2002. Students who are dropped from a Blackboard course web site do not see the course listed when they log on, and even if they navigate to the course, can only access it in a guest role if guest access is enabled for the course.

Students who are dropped still show up in the roster. There are a couple of visual clues that the students have dropped the course. In the instructor view of the roster, through the control panel, a red circular X appears on the row of the roster with the dropped student's name, and the word "Student" is grayed out. The student record doesn't show in other areas, like the gradebook..

Is there a way to remove all dropped records from all classes? There is a supported (ie Blackboard provided tool) way, but our Blackboard technical project manager is not convinced it is ready for production. Also, we would need to make some policy decisions before deciding to automatically remove all traces of dropped students from a Blackboard course. For example, on what day would be start doing that? The plus side to the way Blackboard currently handles drops is this: if a student is incorrectly dropped from the class, and re-adds, Blackboard retains all the students grades and homework assignments. If we explicitly delete these records, all that data is lost for good (not counting our standard backup and restore procedures).

What happens with a grade when a student transfers from one section to another? It depends: if a student transfers to a different section of a course and the section is taught by the same instructor and is mapped to the same Blackboard course web site. In this case, nothing will happen. The grade will remain.

If a student transfers to a different section of a course that is mapped to a different Blackboard course web site. In this case, the student is dropped (aka "disabled" in Blackboard terminology) in the first course and added to the second. The grade stays in the first course. It does not move or go anywhere. Because the student status is "disabled" in the first course, the instructor will not see the grade in the gradebook, nor will she see the student listed in the gradebook at all.

John Board: Do you have any demographics on the faculty that are using Bb?

Lynne O'Brien: Seems to be very little in way of graduate students, younger faculty more, but not exclusively Appears to be faculty who have some reason to be interested in technology

Pat Halpin: What about portals? Bb is sort of a portal to interact with student resources?

Lynne: We are trying it out this semester with organizations. It will look like a course, but organized around an organization, research group, etc. instead of a course. It can be used as a collaborative tool Don't think Bb should be a the University's portal, but not sure how it will interact with the University's portal

Tracy- this is a topic we will have to get on pretty quickly

Molly Tamarkin - The spring showcase was great, it would be great to have activities to expand audience

Lynne O'Brien: Yes, this is exactly what they would like to do

Robert Wolpert: It might help to have a place that says something like - "How can Bb improve my class" in a prominent place on the website, the information is probably already there, but it would be nice to have in one place.

V. Creating a help desk password change process (challenge/response) - Chris Cramer

Overview

One of the major problems faced by the Help Desk is verifying the identity of an individual trying to change their password. This process would be most accurate if everyone who wanted to change their password were to come in-person to the Help Desk and present a photo ID. Unfortunately, this is not possible in all cases. For example, many people travel and only find that they don't know their password when they are away. Over the past month, the Help Desk has received approximately 75 requests for the type of remote password change.
The importance of correctly authenticating attempted password changes is highlighted by a recent incident at the university of Delaware. A student at the university impersonated two of her professors over the phone, had their passwords changed and subsequently changed her grades in their courses.

Potential Solutions

The OIT Help Desk, the IT Security Office and OIT Systems and Core Services have considered several potential solutions to the problem of remotely authenticating password change requests, including:

  • -prohibit password changes over the phone
  • -use a call-back mechanism to try to authenticate users
  • -try to establish a password changing question for all accounts (challenge-response)

Recommended Solution

We recommend that Duke try to establish a password changing question for all of its user accounts. If a user needs to change their password over the phone, the Help Desk can read the question to the user. If the user answers correctly, the password will be changed. If the user does not have a password changing question or if they answer incorrectly, then they would be *required* to come in-person to the Help Desk with a photo ID.

Using this solution, the question and associated answer would be stored in the Enterprise Directory. The initial question and answer could be collected when new accounts are created for faculty and staff. For new students (which are created automatically) we could send a welcome e-mail to the students with information that included how to set a password changing question. This could be done over the web as part of the WebAcct page.

Password changing questions for our current accounts would need to be set up by the user. We propose making people aware of how to do this as part of the upcoming password strength campaign.

If you send email confirming that you changed someone's password, they might not be able to get the e-mail if it was an unauthorized password change.

Rafael - From the Health System side - interested because they are looking at a similar process. It would not be efficient to have several questions for different systems. The Heath System does have to move on this fairly quickly though Susan Engelbosch is here because the Heath System has to move more aggressively

George Oberlander: What is the feasibility of having appointees strategically across campus - probably not feasible

Rafael - In most home security systems, if alarm goes off, the company calls and you need to give phrase or name. That seems to work fairly well, if you make it specific question, it can be fairly predictable.

Bob Newlin: Filling out a form and faxing it with photo id doesn't seem secure, it leaves with pieces of paper with password on it

Melissa Mills-Worried about faculty out of country, or who might not have a challenge question Need to have an admin assistant or proxy, take into consideration situations where an administrative assistant could act as proxy for someone who would not be able to do so themselves

John Board- There does need to be a proxy mechanism for traveling faculty It could be the IT person for school

Molly Tamarkin - The times you need a proxy need to be only under extreme situations or else the IT person will be involved all the time.

Robert Wolpert - Here is an alternate suggestion - you have a network of trusted individuals like the school's IT person. It would be a relatively small list of individuals, you call in, say you want to change your password, call with 5 digit number - call back and give 5 digit number

Chris Cramer - in order to be effective, you have to have a relatively small ratio of users to trusted person. Establishing that trust becomes tricky.

Bob Newlin- does not want to be a trusted person because it will be a large workload

John Board - that person might not be there, then you need to have backups

Robert Wolpert - then you need to set the expectation that it can take a day to have the password changed

Rafael Rodriguez - In the Health System doctors, etc need clinical info immediately

Melissa Mills- Rafael, what are you using in HS?

Rafael Rodriguez - challenge/response

Robert Wolpert - the NetID is not just email anymore, a lot more now.

Chris Cramer - Does everyone agree that the next step from here is that we want to go through and see how challenge/response will work. Maybe use as a backup, a network of trust? Yes. The challenge/Response would be used for anything the help desk would be changing

VI. Other business

Send topics/agenda items to Mike please

Adjourned: 5:12