Carnegie Mellon University

Residence Hall and Dedicated Remote Access Guideline

Purpose

This guideline provides a clear understanding of proper procedure and usage. We reserve the right to modify this guideline as necessary.

Applies to

All students residing in residence halls.

Guideline Statement

Some operating systems, specifically UNIX operating systems, allow the system administrator to create accounts for other users. While this is not discouraged for machines connected to the campus network, there are some things that should be considered.

Users must be accurately identifiable. The user name field for any given account should contain the user's real name. There is no valid reason to allow a user to have a fictitious name assigned to their account.

Off-campus, those with no affiliation to Carnegie Mellon University are not explicitly prohibited from having accounts on computers connected to the campus network, but the following items should be considered by the owner of the computer:

  • Those using any system connected to the campus network are bound by the Computing Code of Ethics as outlined in the Student Handbook. Failure to adhere to this Code will result in either the loss of the account or the loss of campus network privileges for the system. In all cases, the owner of the system involved may be held fully responsible for such violations if Computing Services is not convinced that the situation is being addressed in a professional, timely and appropriate manner.
  • Those who are not affiliated with Carnegie Mellon should be flagged as such. This could be done by an entry in the user's plan file or by putting an additional string, "(Non-CMU)" for example, into the user name field for the account.
  • It should also be noted that university resources, such as the campus network, are provided for university purposes. Allowing unaffiliated users to have an account on residence hall or dedicated remote access systems could be considered as a violation of this policy.

As a system administrator you may be held fully responsible for the conduct of your users. If the users in question are violating computing policies or causing other problems, the system administrator will be expected to take appropriate action to resolve the problem. If Computing Services determines that the problem has not been resolved, the system used will be disconnected from the campus network for a period of not less than one full semester. In some cases, loss of network privileges could be permanent.

All electronic communications at Carnegie Mellon must accurately identify the sender. Anonymous mail forwarders are explicitly prohibited by the Code of Ethics in the Student Handbook. Running an anonymous mail forwarding service is grounds for removal of campus network privileges for a period of not less than one full semester.

Under no circumstances will any individual be permitted to use their network connection or computing privileges for commercial purposes. Any commercial use of our facilities is explicitly prohibited by the University and is grounds for removal of campus network privileges.

Any computer which provides services for a commercial operation (e.g. a web site selling commercial products), provides services of a commercial nature (e.g. provides web services for a fee), or has a domain name with a commercial designation (currently .COM or .NET) is explicitly prohibited from the campus network*.

*This section reinforces the guidelines on domain names.

Computing Services has noted a few "recurring themes" in the computer resource abuse area. Some of these will be discussed here, mainly to make you aware that some activities which you might not consider to be "bad" can get you into trouble.

File Sharing: It is a common misconception that anything that is downloaded from the Internet or that is copied from a CD is legal to share with others. Many files (movies, music, software programs, etc.) available on the Internet are provided in violation of U.S. and International copyright laws. The distribution of copyright protected files without the permission of the copyright holder is illegal.

If individuals want to configure a mechanism to access their own files (not distribute them), care should be taken to use a password which restricts access. In the case of MP3 "shared folders" or web sites, the password "mp3" is NOT considered to be an attempt to secure the site, but rather will be interpreted as an implicit invitation to distribute materials from the site. If the files available in such a site are not protected by copyright law, then there is no problem. Any discovery of copyright protected materials in such a site will be considered to be a violation of the Carnegie Mellon University Computing Policy and of these guidelines. See our page outlining how we process DMCA notices for more information.

Denial of Service Attacks: Denial of service attacks are covered under the Computing Code of Ethics as follows: "No one should deliberately attempt to degrade or disrupt system performance or to interfere with the work of others."

Any attempt to disrupt service or performance on systems on or off campus can result in the loss of network privileges and disciplinary action. The following items are all examples of denial of service attacks, but are not completely inclusive:

  • Mail bombing (sending thousands of mail messages to a group or individual)
  • Ping flooding (launching continuous ping requests at a specific machine)
  • "Smurf attacks"
  • "SYN flooding"

Advertising: The internet has been inundated with various "make money fast" schemes, and other marketing ploys, as thoroughly as it has been with legitimate businesses. You should keep in mind that despite the fact that you may own your computer, it is using CMU's network, and has a CMU domain name. You are not permitted to run or advertise a business from a CMU-based system without explicit permission from an appropriate authority (see the Computing Code of Ethics). The following items violate the intent of the policy on commercial use:

  • Advertising "banners" on web pages served from hosts in the CMU.EDU domain.
  • Advertising any commercial enterprise (business) from web pages, plan files, etc. on hosts in the CMU.EDU domain.
  • Advertising any "make money fast" schemes, or "make money for browsing the web" services on hosts in the CMU.EDU domain.

By making you aware of some of the activities that frequently cause problems for users on the campus network, we hope that you will be able to avoid situations which could jeopardize your network access.

All residence hall, network registered computers will be in the domain ".res.cmu.edu". All registered computers using a dedicated remote access service will be in the domain ".rem.cmu.edu." In some cases, systems may be configured with registered names in multiple domains. If you want to have multiple domains for your system, consider the following:

  • Any domain which implies commercial use, regardless of the system's actual content or use, is banned regardless of where the registry is being served. This currently includes any systems registered in .COM or .NET domains, but is not limited to these domains. With the imminent creation of new domain hierarchies and changing use of current hierarchies, interpretation of which domain names imply commercial use is left to the discretion of Computing Services.

Systems violating domain name guidelines will be immediately disconnected from the campus network for a period of not less than one semester.

Systems found to be intentionally running programs which disrupt network activity or attack specific computers on the network will be subject to immediate removal. In some cases, disciplinary action may be taken against the owner of the system and the individual(s) involved in generating activity.

There may be times when a computer is unintentionally misconfigured and subsequently causes a problem on the campus network. In such cases, in order to preserve the best service possible for the majority of the users, the machine will be disconnected from the campus network immediately. The owner of the system in such cases will be notified via electronic mail and via telephone that the machine has been disconnected.

Windows systems have an option in the Network Connection dialog allowing one to select a pair of connections (wireless and wired, wireless and dialup, for example) to "Bridge Connections". This configuration is known to cause problems and should be disabled unless you are absolutely sure that you know what you are doing.

The machine will only be allowed back onto the network after the owner notifies the Computing Services Help Center, or the person who sent the electronic mail, that they have reconfigured the machine, resolving the problem.

Computing Services will periodically conduct scans of various areas of the network (subnets) in order to help to maintain a reasonable network environment for the majority of our users. Results of such scanning may help Computing Services to discover misconfigured systems, and may in some cases cause us to discover activity which violates laws, university policies, or Computing Services guidelines. In such cases, action appropriate to the "problem" will be taken.

Network traffic should be considered private. Because of this, any "packet sniffing", or other deliberate attempts to read network information which is not intended for your use will be grounds for loss of network privileges for a period of not less than one full semester. In some cases, the loss of privileges may be permanent. Note that it is permissible to run a packet sniffer explicitly configured in non-promiscuous mode (you may sniff packets going to or from your machine). This allows users to explore aspects of networking while protecting the privacy of others.

Residence hall and dedicated remote access service connections to the campus network, and to the Internet, are provided to allow students, staff and faculty to fully participate in the educational and research missions of Carnegie Mellon University. In general, we encourage individuals to provide useful, interesting and inventive content to the Internet community, so long as it remains feasible for us to do so.

It may not remain feasible to provide unlimited connectivity for systems which are not strictly serving the University's missions. Because of this possibility, we reserve the right to request that users reduce the amount of traffic being caused by their service, or where necessary, to remove such systems or services from the campus network. In all but extreme cases, we will contact the owner of the system before removing it from the network.

There are some operating systems which are known to cause problems in Carnegie Mellon's network environment. These operating systems are banned from being used in residence halls or via dedicated remote access services. 

For those who want to run Linux systems, but who do not have appropriate system administration experience, Computing Services suggests that you consider running "Andrew Linux". Andrew Linux is a port of the UNIX-based Andrew environment to RedHat Linux. As such, system administration problems are reduced and a rich suite of applications and services becomes available with no installation requirements on the part of the user. For more information on Andrew Linux, please contact the Computing Services Help Center.

Routers are not permitted on the campus network. Any device that provides routing service for IP, IPX, or AppleTalk traffic will be immediately disconnected from the campus network for a period of not less than the duration of the current academic year. 

Ethernet hubs, which attach multiple devices to a single network outlet, are not routers and may be used on the campus network. It is important that computers connected to a hub be registered.

Most operating systems do not provide routing functionality and are safe to use on our network in any configuration. Most UNIX operating systems have the capability to provide routing functionality; for these operating systems, you should ensure that routing is not configured. Some operating systems (NetWare) and devices (terminal servers, commercial routers, etc.) act as routers by definition and are not permitted on the campus network unless explicit permission is obtained in advance (it-help@cmu.edu).

Some software, such as MARS, which provides NetWare services via UNIX machines, also emulates routers or provides router-like functionality. As such, these applications are not permitted to be run on Residence Hall or Dedicated Remote Access systems.

Routers are generally used to connect multiple network segments together and should not be necessary for individual use on our campus. If misconfigured, routers can cause severe problems for a network segment. Even if properly configured, routers can cause significant difficulties with the maintenance and support of network segments maintained by Computing Services. For these reasons, systems connected to the campus network in the residence halls are not permitted to act as routers.

Systems on the campus network are not permitted to be configured as DHCP servers. DHCP allows systems to obtain the correct IP address during the boot process. User owned DHCP servers may override the distribution of IP addresses by the official DHCP servers, causing the client system to obtain an incorrect address, denying it access to the network. Any system found to be running a DHCP server will be immediately removed from the network.

Individuals are responsible for the security and integrity of their systems. In cases where a computer is "hacked into", it is recommended that the system be either shut down or be removed from the campus network as soon as possible in order to localize any potential damage and to stop the attack from spreading. In such cases, if the system administrator cannot be contacted in a reasonable time, Computing Services reserves the right to disable the network connection. Once the system administrator is made aware of the situation and agrees to take reasonable steps to ensure that the machine is not compromised, network privileges may be restored.

In cases where, despite the efforts of the system administrator, the machine continues to pose a security concern, we reserve the right to require that the user switch to a single user OS before allowing the system back onto the campus network.

In cases where an individual's computer habitually causes problems, by action, as a "target" of incoming attacks, or because of a lack of responsible behavior on the owner's part, Computing Services may initiate action to permanently ban the user from having computers on the campus network.

Responsibilities and Procedures

Computing or communications resources at Carnegie Mellon University are bound by the Carnegie Mellon Computing Policy. Under no circumstances may computers be configured with IP addresses that have not been assigned by Computing Services.

Dynamically assigned IP addresses are considered to be "registered" for the period of the dynamic lease to a given computer.

Using a different ethernet hardware address than the one you have registered will also result in the computer being removed from the network. 

Using an IP address that has not been assigned to you or using an ethernet hardware address that is different from the one registered is grounds for losing your campus network privileges for a period of not less than one full semester.

Review and abide by each guideline outlined above.