May 26, 2024

Penn State: No Servers in Dorms

Yesterday I attended the Educause Policy Conference in Washington, where I spoke on a panel on “Sharing Information and Controlling Content: Continuing Challenges for Higher Education.”

One of the most interesting parts of the day was a brief presentation by Russ Vaught, the Associate Vice Provost for IT at Penn State. He said that Penn State has a policy banning server software of all kinds from dormitory computers. No email servers; no web servers; no DNS servers; no chat servers; no servers of any kind. The policy is motivated by a fear that server software might be used to infringe copyrights.

This is a wrongheaded policy that undermines the basic educational mission of the university. As educators, we’re teaching our students to create, analyze, and disseminate ideas. We like nothing more than to see our students disseminating their ideas; and network servers are the greatest idea-disseminating technology ever invented. Keeping that technology away from our students is the last thing we should be doing.

The policy is especially harmful to computer science students, who would otherwise gain hands-on experience by managing their own computer systems. For example, it’s much easier to teach a student about email, and email security, if she has run an email server herself. At Penn State, that can’t happen.

The policy also seems to ignore some basic technical facts. Servers are a standard feature of computer systems, and most operating systems, including Windows, come with servers built in and turned on by default. Many homework assignments in computer science courses (including courses I teach) involve writing or running servers.

Penn State does provide a cumbersome bureaucratic process that can make limited exceptions to the server ban, but “only … in the rarest of circumstances” and then only for carefully constrained activities that are part of the coursework in a particular course.

Listening to Mr. Vaught’s presentation, and talking privately to a Penn State official later in the day, I got the strong impression that, at times, Penn State puts a higher priority on fighting infringement than on educating its students.



  2. Seth Finkelstein says

    Cypherpunk, my observations are that at MIT, most people run servers as general-purpose tools. Webservers are *standard* in Linux installations. It’s like forbidding CD burners because they obviously can be used to make copies of music CD’s. And while that is indeed an obvious use, it’s by far not the only use.


  4. Ravi Nanavati says

    Yes, freedom costs, but we are talking about students at a public university. Tuition ranges from $8K/year (PA residents) to $18K/year (non-residents) with a separate IT fee of up to $160/semester ($120 for the summer session). Especially when a decent broadband ISP (many of which permit servers) can be had for $50/month, I think these students have already paid for their freedom and their education and should get more of both…

  5. I would like to ask Jim, the IT .edu network admin, whether in his experience most students running “servers” are running file sharing systems that are largely used to infringe copyright? Or is it the case that the majority of student servers are for legitimate educational projects, research and the like, and their honest and above-board efforts are being compromised by a minority of bad apples who are sharing copyrighted files?

    In another forum I suggested that I thought it was the former, that in practice most servers would be doing bad things, but someone came down on me, saying that I had no basis for making that assumption. So I’d like to hear the real story from Jim’s experience.

  6. Simon Farnsworth says

    Jim refers to bandwidth and network worms as a reason to lock down students hard. While I can see network worms, I cannot understand the bandwidth issue; surely Jim is able to operate his border routers throttling system?
    In a sensible world, universities would make no attempt to stop me running servers, or restrict what ports I can access. I would have to request unfiltered access, and sign to say that I’m not going to do anything illegal or allow my machine to be used for illegal purposes. Any abuse from my machine would be reason to limit me to filtered access.
    Bandwidth use is a non-issue; give each student a daily speed average for external access, and throttle them to it. If you can’t afford to pay your router manufacturer for a class-based queueing or other throttling solution, OpenBSD’s ALTQ, or Linux’s traffic shaping both allow you to set up something like, “Students are allowed to average 10kbit/s over 24 hours”. Low users get much faster rates (saturate for less than 3 hours, and you’re getting at least 80kbit/s), and network admins get a guarantee that they will never use more than 10*60*60*24 kbits = 864 MBits of transfer per student per day.
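The arithmetic in the comment above, modelled as a sliding-window limiter. This is an added example, not code from the post or its commenters, and it is not an ALTQ or Linux traffic-shaping configuration; the class and function names are hypothetical and the demand figures are constructed.

```python
from collections import deque

AVG_KBIT_S = 10                      # long-term average named in the comment
WINDOW_S = 24 * 60 * 60              # 24-hour accounting window
BUDGET_KBIT = AVG_KBIT_S * WINDOW_S  # 864_000 kbit = 864 Mbit per window


class DailyAverageLimiter:
    """Sliding-window limiter: at most `budget_kbit` in any `window_s` seconds."""

    def __init__(self, budget_kbit=BUDGET_KBIT, window_s=WINDOW_S):
        self.budget = budget_kbit
        self.window = window_s
        self.history = deque()   # (second, kbit sent in that second)
        self.used = 0            # kbit sent inside the current window

    def allow(self, now_s, want_kbit):
        """Return how many kbit may be sent during second `now_s`."""
        # Forget traffic that has aged out of the 24-hour window.
        while self.history and self.history[0][0] <= now_s - self.window:
            self.used -= self.history.popleft()[1]
        grant = max(0, min(want_kbit, self.budget - self.used))
        if grant:
            self.history.append((now_s, grant))
            self.used += grant
        return grant


def simulate(demand_kbit_s, active_s, total_s=WINDOW_S):
    """A student offers `demand_kbit_s` for the first `active_s` seconds.

    Returns (kbit actually sent, average kbit/s over the active period).
    """
    limiter = DailyAverageLimiter()
    sent = 0
    for t in range(total_s):
        want = demand_kbit_s if t < active_s else 0
        sent += limiter.allow(t, want)
    return sent, sent / active_s


if __name__ == "__main__":
    # Constructed scenarios: (label, demand in kbit/s, active seconds, total seconds)
    scenarios = [
        ("light user, 3 h at 80 kbit/s", 80, 3 * 3600, WINDOW_S),
        ("burst user, 1 h at 100 Mbit/s", 100_000, 3600, WINDOW_S),
        ("heavy user, 24 h at 1 Mbit/s", 1_000, WINDOW_S, WINDOW_S),
        ("heavy user, 48 h at 1 Mbit/s", 1_000, 2 * WINDOW_S, 2 * WINDOW_S),
    ]
    for label, demand, active, total in scenarios:
        sent, avg = simulate(demand, active, total)
        print(f"{label}: sent {sent / 1000:.0f} Mbit, average {avg:.1f} kbit/s")
```
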

  7. It’s unlikely that the CS majors are hurt the most, since most CS departments allow (and some encourage) students to experiment within their own network. From the title of the talk the motivation for such a policy is to comply with DMCA and Digital Copyrights Act. This sadly doesn’t achieve the mission, since there are so many other ways to circumvent around this. Just a thought, people can still share files through instant messaging, will they ban that too!

    As people have already pointed out, this only has a negative effect for those who are really interested in learning.

  8. While I may be a bit… well… not sober… I must say that this may explain why psu is so intent upon forcing their students to pay a fee to use napster. I’m not saying it’s right or that I agree with it (I don’t) but I think psu’s bigger problem is that to raise your students as adults, you need to treat them as adults. What they do, they can be held accountable for. This is a major problem with many universities, Princeton included.

  9. Anonymous says

    I’ve tossed this around a couple of different ways. I think Mr. Felten raised an excellent point that universities should be educating their students, not restricting them. I think that central point is often overlooked by higher ed. IT.

    However, getting compliance with security policies from literally thousands of users is no small task either. The policy in place at PSU does more than restrict students — in many cases it protects them.

    I don’t know if I’d recommend going as far as preventing access between residence halls and the rest of the school, however I am not necessarily against protecting the students from the dangers on the Internet. Be it paternalistic, sometimes restrictions are for our own good.

    I’d advise a combination of approaches — restricting access to residential servers from the Internet, but allowing full access within the school. Encourage students to use and run servers and set them up appropriately. Teach them security. If they can’t manage the security, teach them how to turn those embedded Windows server components off that cause so much risk to the uninitiated.

    We need not shield the students altogether, and we shouldn’t be out to actively prevent learning in our schools. But let’s also remember that there is also a limited *obligation* by the University to provide Internet access in the residence halls at all! In most school IT departments, you’ll find that wiring the Residence Halls was driven by the economics of collegiate competition, not by any educational desire to add service.

    The best approach is usually in the middle ground somewhere. If I ran college IT, I think the best way to find it would be an open dialogue amongst real students and real staff where the issues can be brought out, discussed, and resolved. I think college IT gets a lot of unfair blame from students, and I think college IT tends to think too little of the students their school worked so hard to attract.

  10. I just wanted to point out that this does more than just hurt CS majors. Indeed, it may hurt non-CS majors more.

    I’m a biochem major, but I also have an interest in computer science. Yale doesn’t offer minors, and I don’t care to take a C# class, so I don’t take CS courses at school. However, I do run my own Linux-based webserver from my dorm room. It gives me both Linux and webserver/mailserver/FTP server experience, which I enjoy as a hobby (what a nerd).

    Were Yale to ban ‘servers’ (a ludicrous semantic argument), I would be unable to legitimately do any of this. In this sense, I, a non-CS major, would end up with virtually no experience.

    Quick final thought: Most people who run Kazaa don’t know that they are running a server, and wouldn’t care even if they did know.

  11. As an already-overworked higher-ed sysadmin, may I simply ask this question:

    How will you pay for it?

    How will you pay for the rapidly-increasing costs when 40% of your university’s bandwidth is being eaten by student servers and P2P clients, and legitimate research and university business is being negatively impacted?

    How will you pay for the networking hardware, administrative software, and wired (and unwired) infrastructure to support the exponential growth of bandwidth-eating projects?

    How will you pay for the people and expertise to manage all this, to support it, to respond to the network-threatening issues that will arise like clockwork?

    I work in Higher Ed IT, have been doing it for 14 years at some of the largest state universities in the nation. I get paid to Make Things Work. I can talk ethics, ideals, and philosophy with the best of them – it’s what my formal training is in. But at the end of the day, I have to maintain a reasonably stable and secure computing environment, within the ever-tightening resource constraints I have to work in.

    You want freedom? It COSTS, my friend. Come up with a scenario for funding unlimited IT that is more concrete than “the state/federal government should support this, it’s imperative!”

    When you have that, I’ll listen.

    Until then, well. I don’t have a lot of time for ivory tower thinkers with caviar ideals and bologna resources. I’ve got a freaking network to keep alive.

  12. This isn’t new, or limited to Penn State. I was at another top CS school and they have a very similar policy. I was mostly glad to get out (of the dorms, and then the school) when I did, because it became more restrictive all the time.

    For example, at first, you could give your computer any DNS name you wanted, so people got creative. Apparently they got /too/ creative, because The Powers That Be said they would only use xyz123 (initials + next free number) DNS names. At first they explained this away as “People were picking registered trademarks for names, and we don’t want to get sued for that.” I emailed admin, pointing out that dozens of administration systems had names which were also registered trademarks. They never responded to me, but they changed their webpage to a different fake reason. It reminded me of the “Independent Thought Alarm” from the Simpsons.

    IT administrators see computers as dangerous weapons, which must be restricted as much as possible so the students (troublemakers) can’t do too much. It’s quite sad, really. Universities seem to bring in IT people from “industry” who feel the need to lock everything down, and don’t realize that on a university campus most doors never even get locked.

  13. Will the school really be held responsible if they’re taking reasonable precautions against P2P networks in the dorms? While getting my BS I ran several different kinds of servers (and wrote some server software of my own) and learned tons doing it. I’m glad I had that kind of freedom during my education. While I was grateful for the computer labs, we weren’t allowed to take the computers down and install whatever kind of server we wanted to learn about on it. I only had one class (and it was a rather small class) where I was given a box and told to set it up to serve web pages and build a web app out of it. While this class was great I learned far more in doing my own stuff on my own time.

  14. Here at the University of Washington, we can run servers on campus all we want, but by default it is not accessible from off campus. It is possible to get permission to run off-campus servers, but if I understand it correctly we have to prove that we know what we’re doing so it’s not a security liability for the university. As far as I know there is no connection to copyright (it is not mentioned on the DMCA information page).

    We also have university-provided web space that can be accessed from anywhere.

  15. Andre Lehovich says

    X11 servers must fall under “server software of all kinds”. I guess X Windows is banned from the Penn dorms.

  16. Not only does PSU have a rather draconian policy on running servers but they also pretty much block everything else. IM file sends of any time were disabled at least this year on the primary and subsidiary campuses. That wasn’t explained to the students but rather figured out by a few when we could no longer exchange some code that we were working on (I go to Drexel Unv. but have friends at PSU).

    They’ve also locked out IRC connections or at least two people who I talked to from PSU could not connect to any outside IRC server.

  17. Dan Maas says

    Maybe instead of draconian lock-down policies, schools could ease their liability by purchasing some kind of insurance policy. It would be up to competing insurers to decide what specific policies would work best.

    (I’m not really comfortable with the recent practice of universities paying for blanket licenses to get music from a P2P service, due to the limited libraries offered by most services and the DRM issues)

  18. Student Run Servers

    There is a large buzz in the blogosphere with a number of serious thinkers upset at an admission made by Penn State during the Educause Policy Conference that just took place (more here). The admission was that Penn State has put in place a policy forb…

  19. To answer Mike’s question in part, I know at MIT the policies all revolve around how to operate personal web servers within the law, rather than the mere fact of if they’re permitted – the latter is a given.

    “Non-obvious MIT web policies

    Can I put anything I want on my personal web server on the MIT network?

    What defines a personal web server? Is this directed at students?

    Can someone put anything on their personal web pages that sit on MIT servers departmental, IS or otherwise?”

    MIT is a very computer-rich environment, and student/personal web servers have been part of the culture for decades (literally … going back to start of USENET).

  20. Penn State Bans Servers

    From Freedom to Tinker, via One of the most interesting parts of the day was a brief presentation by Russ Vaught, the Associate Vice Provost for IT at Penn State. He said that Penn State has a policy banning…

  21. There are two different parts to this server ban. One part is that they have a firewall and they won’t open up ports to your dormroom server unless you have a good reason. That’s probably reasonable for administrative purposes, and to protect the network against attack from outside.

    The other part is that you aren’t supposed to run servers even if they will only receive connections from other computers in the student network. That’s a lot more questionable. What exactly is a server, and a service? Presumably, it is any software which will respond to connections from outside your computer. What about Windows file sharing? That’s a service. Is it banned? Some other Windows features are effectively services, like remote access. Are those capabilities banned as well?

    In the end I think Seth is right, that the notion of “service” is not that well defined and that people will be able to work around it. Now, you can draw two opposite conclusions from this. One is that PSU shouldn’t be enforcing the ban because it is imperfect (but that style of argumentation is seldom valid). The other possible conclusion is that students who want to experiment with “legal” servers can go ahead and do so, ignoring the ban, and use these various tricks to avoid detection. Yes, it makes things a little more challenging for them, but in the end that is educational.

  22. minor point: in a graduate class (Doug Tygar and John Chuang’s “Distributed Applications” class) I took this semester, we had to write our own peer-to-peer client. This kind of software is part client, part server.

    We would probably have been in violation of this policy by merely doing our homework! That is, by testing our home-baked peer-to-peer clients from within Dorms, we would automatically have been setting up “server” software. These guys don’t have geeks consulting with their policy folks.

  23. Rather than just expressing the strength of my agreement with Ed
    Felten, I’d point out that this scheme also doesn’t stop copyright
    infringement. In many architectures, a client initiates a
    connection and then waits for instructions. In response to those
    instructions, the client may transmit files, perhaps by making
    additional network connections. The client initiated all the
    connections, but it is nonetheless performing file transmissions
    at the request of others.

    For example, IRC (which was one of the most popular means of
    peer-to-peer file sharing before the invention of Napster) would
    conceptually allow this. You (hypothetical PSU student)
    initiate a TCP connection to an IRC server. You then communicate
    with other people in a broadcast channel maintained by the
    server. Your communications can include negotiations about file
    requests (which could even be performed automatically; there
    doesn’t have to be a person involved). When another person on the
    IRC server requests a file from you, your computer can make a
    new outgoing TCP connection (a “direct client-to-client
    connection” or “DCC”) to the other party. Your computer then
    transmits the requested file. In effect, you have become a file
    server, but you only accept requests communicated through the IRC
    server. (Another way of putting this would be to say that you
    operate as a client at one protocol layer but as a server at
    another protocol layer.)

    As long as other people can operate servers and can receive
    connections, you can easily infringe copyrights in an automated
    way without operating servers yourself. And, as the IRC
    example shows, it isn’t even necessary for the other people to
    operate proxies. (We could also imagine an FTP-like protocol
    in which the server requests file transmissions by the client
    rather than the other way around. Classic FTP would have to be
    extended only slightly in order to make this work, although the
    biggest problem would be communicating to a client information
    about where it should connect at what time.)

    Depending on whether PSU is using a firewall, students might be
    able to circumvent the policy by using SCTP instead of TCP (if they
    can find many applications that can run over TCP). SCTP is a
    relatively new connection-oriented transport protocol that I
    understand is used primarily in the telecommunications world. Its
    functionality seems to be a superset of TCP’s. TCP-oriented
    port scans won’t find SCTP services at all, because SCTP uses a
    different protocol number in the IP packet.

    But I think circumventing the policy is not the really
    important thing (although it might be an interesting thought
    experiment that might lead to other interesting ideas in
    computer security, since the PSU network operators could be
    considered an adversary from whom the presence of communications
    must be concealed). The important thing is getting universities
    not to adopt such silly policies in the first place!

  24. I’m copying my commentary from my weblog entry:

    I, too, disagree with the policy, but I don’t agree with everything Felten says. First I should note … that I graduated with a BS in computer science from Penn State three and a half years ago, I lived in the dorms the whole time, and I ran a web and e-mail server on my dorm computer for my last semester or two there. At that time, I wasn’t aware of any rules banning servers, although I was pretty sure that I was breaking a policy prohibiting non DNS entries from pointing to Penn State IP addresses.

    “Many homework assignments in computer science courses (including courses I teach) involve writing or running servers.” Unfortunately, no course I took as an undergraduate included any homework assignments that involved writing or running servers. As a part-time graduate student at another university, I have had grad-level classes involving writing and running servers, and these courses quite reasonably didn’t expect the students to supply the server hardware. That’s what we have computer labs for.

    “The policy is especially harmful to computer science students, who would otherwise gain hands-on experience by managing their own computer systems. For example, it’s much easier to teach a student about email, and email security, if she has run an email server herself. At Penn State, that can’t happen.” I totally agree with this argument. (And I’m delighted by Felten’s use of a feminine pronoun referring to a computer science student!) A university education is supposed to be about exploration and experimentation. For computer science students, and perhaps even more so for IT students (yes, there is a difference), writing and running servers is a valuable educational experience. Compsci students love to tinker and play, to try things out. Disallowing university students from writing and running servers on their dorm computers is an oppressive, thoughtless “solution” to fears of copyright infringement.

  25. Dead-on-balls-accurate, to quote Mona Lisa Vito (Marisa Tomei) in My Cousin Vinny.

    Question: Does Princeton have a policy on this? Does MIT? Does CMU? Even if the “policy” amounts to “we’re going to treat our students as adults and encourage them to explore the world,” it seems to me that more progressive institutions could and should get this message out. No one wants to be the target of a lawsuit, but unless the institutions speak out more publicly, places like Penn State will continue to get all the press.

  26. Below this comment are a few links that I think paint a frightening picture in which education falls to the wayside in the face of corporate interest. The exchange of and development of ideas is one of the fundamental components of modern civilization – any policy that impinges on the flow of information also condemns modern forward thinking society.

    For your consideration:

    Just more ways education in America is being undermined.