
The Great Firewall of Yale - shaufler
http://162.209.96.128/
======
zaidf
I thought my school was bad but reading this makes the administration at my
school look like angels. When I launched a similar service at UNC Chapel Hill,
the IT dept blocked requests from my server to theirs for scraping latest
data.

They claimed I was creating excess load, which is silly because if they really
did the math, given how many people were using my service I was probably
saving them resources.

~~~
javert
UNC invested in what was initially planned to be the most expensive academic
ERP system ever, and which then went way over budget and schedule.

The result? An even older version of PeopleSoft (which apparently is Oracle's
second-tier offering) than what was being sold to other universities in prior
years.

It's barely useable at all. It's utter shit-ware. The prior in-house system,
which was early-90s HTML presumably layered over 1980s mainframe software, was
MUCH better.

Personally, I am convinced that this was a MASSIVE kickback scheme. Tens of
millions, possibly hundreds of millions, have been stolen from the State of
North Carolina, and people need to go to jail for it.

IIRC the project actually did get a special appropriation from the NC
legislature, but don't quote me on that.

This isn't just incompetence, I think it is actually a cover for massive
fraud. I know, always blame things on stupidity if you can... but from what I
know, no, you can't in this case.

I wish some enterprising journalist would hurry up and investigate this...
could net them a Pulitzer or something. That is why I am posting this comment.

zaidf, if you didn't realize this already (and you probably did), when you
made your alternative portal, you were fucking with some very powerful people.

Meanhwhile, UNC has also been uncovered as using the Afro Studies department
to hand out free grades to athletes for _decades_. There were hundreds of
courses and grades listed that literally did not happen. Fraud is absolutely
rampant at UNC. Maybe that's why our new Chancellor left after like a year?
The state of NC needs to completely clean house.

~~~
jlgaddis
I worked at a .edu for ~8 years. While I never had to experience it firsthand
(thank $deity), I can't begin to count the number of horror stories I've heard
from my peers at other organizations with regard to PeopleSoft. I don't
believe I've ever heard of an implementation even going "okay".

Side note: those of you building apps aimed at specific industries, consider
education (both K-12 and higher ed). As I said, I was at a .edu for ~8 years
and, in my current role, I deal with a lot of K-12 schools. Both will spend
outrageous amounts of money for decent software applications.

------
jahewson
There is _no way_ that a valid copyright claim can be made over the underlying
data because it is _a statement of fact_. Such a work is not eligible for
copyright protection.

~~~
pkfrank
Does this apply even when the "copyright holder" has meaningfully manipulated
the information in order for it to be in a useful form? Have they imparted
some IP that is now protected in some way?

IE, could I mirror deep-level sports statistics without attribution? One would
think the agency I "took" it from had applied meaningful resources to
extrapolating this data, which may be in fact be _statement of fact_.

I'm purely playing devil's advocate.

~~~
teraflop
My understanding (as a non-lawyer) is that it depends on your jurisdiction. In
the US, copyright normally only applies to works of creative expression, and
not to facts or ideas. However, you can argue that the _selection_ of facts
that are compiled into a database involves creativity; in that case, the
database as a whole may be protected, even though the individual facts aren't.

See:
[http://en.wikipedia.org/wiki/Copyright_law_of_the_United_Sta...](http://en.wikipedia.org/wiki/Copyright_law_of_the_United_States#Compilations_of_facts_and_the_sweat_of_the_brow_doctrine)

~~~
icambron
IANAL, but since the database is just (presumably) all of the classes at Yale,
it's hard to see how their selection could be copyrightable. I haven't used
the app, but it's quite possible they have course descriptions in there too,
though, which are copyrightable.

But then there's the separate question of _why_ Yale wants to do any of this.

~~~
Crito
> _But then there 's the separate question of why Yale wants to do any of
> this._

I suspect that providing _easy /effective_ access to course and professor
ratings trampled on some feet. Somebody's course enrollment is hurting and
making somebody look bad.

~~~
curiouscats
But what are these people thinking? Do they really think Yale students are so
lame they can't get around censorship easily to get the data they want? If the
students are that lame they need to select better students, it seems to me.

------
jamesk_au
One of the principal issues raised here - and not squarely addressed in the
post or the article to which it links - is the extent to which average
subjective ratings of courses and professors should be permitted to dominate
the decision-making processes of students.

Note that Yale's complaint included concerns over "the prominence of class and
professor ratings", and the student developers' response was to remove "the
option of sorting classes by ratings". Subjective five-point ratings can be
useful in many contexts, but in the context of education they can also give
rise to genuine pedagogical concerns about the way in which students choose
their courses.

Looking at the screenshot in the post, it is not difficult to see that the
pattern of enrolments might very quickly become skewed towards those classes
with higher average evaluation ratings (whatever such ratings might mean). If
that happens, it suggests that some students may be making decisions about the
courses in which they enrol based principally on factors other than their
interests, abilities and future career paths, or without critical thought.
Whilst other factors are relevant, including those for which an average of
subjective evaluation ratings might be a plausible heuristic, that does not
mean those factors should be the primary or predominant factors.

Without seeking to defend or condone Yale's response, there is more to the
story than the tale of student censorship presented in the post.

~~~
Smudge
Yale has the same student feedback/rating data available in their official
online coursebook. From what I understand, ybbplus/coursetable was simply
aggregating it in a way that made it easier for students to use. If there is
something fundamentally wrong with subjective ratings, it seems strange that
Yale would provide it in one context and censor it in another.

~~~
khawkins
Maintaining data integrity is probably fairly important to them. By allowing a
separate service which is used by a significant portion of the students, the
system is open to serious exploitation. Professors can get black-balled by
disgruntled system administrators or hackers, just by screwing with the
numbers.

Yale owning both the data and the interface is understandably important to
them, though this might be an opportunity for the creators to work with the
administration to reform the current system.

~~~
Crito
Blackmail is illegal, and intentionally screwing with ratings is almost
certainly libel. Both of those hypothetical can be dealt with by the law
already; I don' think there is much sense in warping copyright law to protect
you from the _possibility_ of those things happening.

~~~
eru
If you improve ratings artificially, that's probably not libel. Would it be
any kind of crime?

~~~
Crito
Would it even _really_ be a concern? If a professor had their own rating
raised, they could be dealt with internally.

------
nmodu
If I'm paying $58,000 to attend an institution (rather, if my family is
sacrificing $58,000 for me to attend an institution...or,worse yet, if I am
taking out $58,000 worth of student loans per year), I should be able to use a
course listing service so that I can tailor my academic experience however I
chose. THAT is how we open this debate, not with comments about who the proper
copyright holder is or whether or not this constitutes as deep packet
inspection.

~~~
elwell
No, if you choose to go to Yale and pay 58k/yr then you get the product they
give you. It's up to them to design the product (your Yale education). It
might lead to unhappy customers, but I don't see how entitlement can be
argued.

~~~
nmodu
I disagree. Completely. First of all, I object to your classification of a
4-year educational experience as a "commodity" that is offered on a "take-it-
or-leave-it" basis. In fact, every student is guaranteed (and therefore,
entitled to) the right to chose the classes that he takes. Yes, there are gen-
ed requirements. Yes, there are majors. But, generally speaking, a STUDENT is
responsible for tailoring his education. The value of the "product" lies
within the choices that it offers students (both in terms of
courses/professors and in terms of post-grad prospects).

If Yale prescribed to your notion of higher education, each student would be
handed a list of pre-determined courses that he would have to take each
semester. Instead, Yale students are allowed to chose their own
courses/majors, and in some cases are allowed to create their own majors. Why?
Because "choice" is the underpinning of the liberal arts philosophy.

So, within this context, I believe that I should be able to use a well-
designed course listing platform as I am considering what courses to take.
Especially at 58k/yr.

------
Tossrock
I don't think blocking a specific set of IP addresses constitutes deep packet
inspection. If they were reading the payload contents for strings matching the
CourseTable site, that would qualify.

Still, this is a stupid move by Yale.

~~~
brianpgordon
If they were only blocking based on IP address then students wouldn't be able
to ping the server. So they're blocking on at least the TCP layer.

... not that that constitutes DPI either.

~~~
muppetman
You don't think they probably force their students through a HTTP Proxy (which
will have a different address) than the one a ping ends up originating from?

I'm with the parent, I doubt they're doing DPI here.

~~~
bhouston
HTTP Proxys can be transparent:
[http://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy](http://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy)

The way to get around transparent proxies is to use HTTPS btw.

------
thinkcomp
Harvard did this in 2003. It even went so far as to accuse me of using the
word "The" improperly, in a copyright line where I properly attributed credit
to "The President and Fellows of Harvard College," when
[http://www.harvard.edu](http://www.harvard.edu) at the time said the exact
same thing (and apparently still does). I left Harvard early (with a degree),
and then I wrote a book about it.

[http://www.aarongreenspan.com/authoritas.html](http://www.aarongreenspan.com/authoritas.html)

Some things never change.

------
dreamdu5t
What's the purpose of Yale censoring certain websites? I find it hilarious
that people spend so much money to go to Yale, and some of that money goes to
inspecting what they're browsing.

~~~
daurnimator
Same could be said of governments and taxes

~~~
silvertonia
You expect me to go to private industry to find someone to monitor my life? Do
you have any idea how much that would cost?

Some things just make sense to do at national scale, even if there are a small
minority who don't appreciate the benefits.

------
girvo
Frankly, if colleges receive public funds, they shouldn't be allowed to
_claim_ "copyright" on something like timetable information, in my opinion.
Actual intellectual property, maybe, but this? Not a time table. That's just
silly.

------
epmatsw
I'm sure no Yale student has ever heard of tethering and that blocking the
site on the Yale network will effectively prevent very smart students from
reaching this website.

You would think that the Yale administrators would know better than this.

~~~
ihsw
If anything, it's symbolic and indicative of future actions. The university
has demonstrated 'defending itself' and now they have evidence of anti-
authoritarian protest and dissent directed at the them, and the next logical
step is legal action.

This public shaming will be received as insulting and provocative, and the
deans will attempt to assert their dominance through the courts.

Preventing students from accessing the website is neither the goal nor is it a
desired side-effect -- the goal is intimidation and generating evidence of
wrong-doing. It's a game of poker for the administration and they showed their
hand, and now they're waiting for the OP to call their bluff. This will not
end well.

------
ojbyrne
"Universities are a bastion of free speech." LOL.

~~~
Steuard
There are valid objections to that claim, no question. But students asserting
this in their defense nevertheless has a great deal of power, because
universities still _want_ to be bastions of free speech. It is close to the
core of the self-image of university and college faculty members (and an awful
lot of the administrators, too), even when the reality falls short of that
ideal. So these words make a very strong moral argument in context, and might
succeed in building on-campus support where other arguments wouldn't.

------
dictum
I expect the official explanation to be something like "we cannot endorse an
unofficial service that might give misleading information to our students."

Every censor does it from an honest desire to keep _this terribly misleading
information_ away from the unknowing masses.

I don't think Yale is blocking the service in a conspiratorial effort to
stymie students, but from a not well thought out desire to babysit.

~~~
jessaustin
_...the unknowing masses._

So it seems you've met a few Yalies? b^)

------
ivanplenty
tl;dr -- the crux of the issue (right or wrong) is making the evaluation
information _too_ public. From the news story:

> _" [Administrators' primary concern was] making YC [Yale College] course
> evaluation available to many who are not authorized to view this
> information,”_

> _" [Administrators also asked] how they [the site operators] obtained the
> information, who gave them permission to use it and where the information is
> hosted."_

Edit: Agreed, I don't buy these are the _real_ reasons.

~~~
blahedo
They _claim_ that's the crux of the issue. But consider: if they're concerned
about outside access, why are they blocking access to the site for _precisely_
the set of people who actually _are_ authorised to view the information?

------
jlgaddis
It would have been really cool if the developers of this (really nice, AFAICT)
site moved it to (or also made it available via) a Tor hidden service.

The students would regain access to their data (I realize that it has now been
e-mailed to them) and it would be a great example of exactly how Tor can help
"bypass" censorship.

~~~
elwell
And their visitors would go from 2,000 to 2 overnight.

------
Nanzikambe
If it were only deep packet inspection, the solution would be simply to prefix
[https://](https://) and be done with it. As other posters have remarked, I
suspect the article means an IP based block.

~~~
dekz
That is until Yale than set themselves up to forcefully man in the middle all
outgoing https connections.

~~~
evv
Really, how?? Wouldn't that require the installation of a custom root
certificate on every client?

~~~
nwh
My university installed a root CA as part of the signup process for WiFi
access. Three of them in fact.

------
shtylman
I run a similar service for other schools (courseoff.com) and I have run into
this before. I bet what happened was their site failed to cache the course
data or seat information and was thus making lots of requests to the Yale
servers. To Yale it might appear like a DoS from this site.

Obviously I don't know for sure but I would venture to bet this block was more
an automated response than malicious intent against the site.

~~~
bentcorner
> _Over 2,000 students out of a campus of 5,000 were using it as of today
> noon, when the Yale administration began censoring it using traffic
> inspection. They had contacted us warning that we were using copyrighted
> data._

It doesn't seem automated, and if there was a DoS wouldn't they just go out
and say so?

~~~
jsrozner
The data was scraped quite some time ago. There is no issue with a DoS on the
Yale servers.

~~~
shtylman
This is very unfortunate that they are doing this if the data was scraped and
not hitting their servers. Is it that some part of the data they think is
copyrighted (like grades) versus just courses?

------
jrs235
"They had contacted us warning that we were using copyrighted data" last I
understood you can't copyright data or facts [in the US]. You can own
copyright to a particular published format though. One can't copy and publish
a phone book verbatim but you can certainly scrap a phone book for its
data/facts and publish them in a different format.

~~~
GhotiFish
Now I'm not sure if this is a slam dunk. My friend works developing a fantasy
sports startup, he's talked about all kind of legal grey areas around the
legality of where you get those stats. He didn't go into specifics though.

~~~
jrs235
There may be terms of use/service when using (agreeing to use and access)
data/fact providers. You might be violating a contract but not copyright.

------
klapinat0r
To focus only on the actual website issue:

Could it be in order to govern the information, rather than "copyright" per
say?

My thinking is that, _from Yale 's perspective, having a 3rd party (and
especially a student) be the go-to source for course info might be a bad shift
in power_.

When it's all in good kind, it may not look bad, and even if it is well
intended, there are a few problems that could arise:

\- Bugs in crawling code causing some course information to be false, omitted
or stale.

\- Changes in OCI causing said crawler to keep stale data and fail to update.
\- Students complaining to Yale with wrong information.

all the way to the more paranoid:

\- 3rd party maliciously falsifying information.

\- Generel confusion as to which information is reliable, driving students to
have a more, rather than less, difficult time finding and verifying class
scheduling.

I'm all for net neutrality and strongly against censorship in all forms, but
"playing devil's advocate" can't there be a somewhat "legitimate" reason to
shut the 3rd party page off for Yale students?

~~~
dalke
> can't there be a somewhat "legitimate" reason

Of course there can be legitimate reasons. If the 3rd party inserted wrong
data, or did 1,000 requests per second, causing high load on the servers, then
I would call it legitimate.

However, the ones you've listed are not legitimate, because of the term
"could." Anything _could_ go wrong. An editorial in the local newspaper could
have wrong information about the courses, but that doesn't justify the
university excluding that edition of the newspaper from campus stores.

Things go wrong all the time. Someone may have printed out an old copy of the
schedule, and based decisions on that. Or left a page on the screen for a
week. Which means the system must already have support for people using stale
information. Anything else is unreasonable. So long as the additional burden
is not substantially higher than background, I don't believe there is a
"legitimate" justification here.

As for copyright, this sounds very much like like Feist v. Rural. Quoting from
Wikipedia: "Feist had copied information from Rural's telephone listings to
include in its own, after Rural had refused to license the information. Rural
sued for copyright infringement. The Court ruled that information contained in
Rural's phone directory was not copyrightable and that therefore no
infringement existed."

------
benmarks
The experience seems like fair preparation for the reality into which their
charges will graduate.

------
auctiontheory
Yale Daily News reporting: [http://yaledailynews.com/blog/2014/01/14/yale-
shuts-down-yal...](http://yaledailynews.com/blog/2014/01/14/yale-shuts-down-
yale-bluebook/)

------
stormbrew
Something like this happened at the university in the city I live in. There
was an apparently awful service for signing up for classes called BearTracks
[1] and someone made a scraped version of it that was better called BearScat
[2]. Eventually the university basically incorporated the better version into
theirs (to, I understand, mixed results).

[1] [https://www.beartracks.ualberta.ca/](https://www.beartracks.ualberta.ca/)
[2] [http://www.bearscat.ca/](http://www.bearscat.ca/)

~~~
darkhelmetlive
I'm glad I was around as BearScat came out and before the killed it.

------
shaufler
Mirror:
[https://s3.amazonaws.com/yalefirewall/index.html](https://s3.amazonaws.com/yalefirewall/index.html)

------
ballard
This is an unacceptable, naked abuse of power. Any education institution
blocking any site on political or anticompetitive grounds flushes away any
vestiges of ideals of free speech and open learning. The administration should
have known better or it may find itself replaced for acting incompetently.

------
diminoten
Is the course listing software open-source? I'd like to do this for another
school...

~~~
ngokevin
I made it for Oregon State University and Portland State University (GPA data
only), you can check the source for a good data source.

[http://github.com/ngokevin/senioritis](http://github.com/ngokevin/senioritis)

------
xerophtye
Wow. This really makes me appreciate what we had at my college. For nearly a
decade now, the OFFICIAL portal for the university that lets students and
teachers manage courses and assignments (submissions included), has been the
one that was originally developed, and still managed by students. We have a
webmasters club for that whose responsibility it is keep it up and running and
add features to it as they see fit. The university has been nothing but
supportive of this, including assigning it an yearly budget for hosting and
other expenditures.

------
poizan42
If you actually go to [http://coursetable.com](http://coursetable.com) you
will be asked to login through Yale Central Authentication Service, which
sends you to:
[https://secure.its.yale.edu/cas/login?service=http%3A%2F%2Fc...](https://secure.its.yale.edu/cas/login?service=http%3A%2F%2Fcoursetable.com%2F%3Fforcelogin%3D1)

I hope I don't give the administration any good ideas here, but I would seem
that they have a much more efficient way to disable the site.

~~~
uptown
Yes, but CAS is a single sign-on system likely used throughout their internal
network, so they're probably not able to disable it without disrupting
authentication to a large number of other unrelated systems.

~~~
rajivm
But they could easily disable CAS for this specific service. In fact, I'm
surprised they didn't need University approval to integrate with CAS.

------
zamalek
> Universities are a bastion of free speech.

Incorrect - universities are now a business, nothing more. You can have your
free speech so long as it makes the shareholders happy. Having students
confused and lost (or being unable to chose the best education for themselves)
is a fantastic way to have them repeat courses in the long run.

Tertiary education is no longer what it used to be. It is now exactly the same
type of delusion that women face in terms of having to be slim; or consumers
face in terms of having to have the latest iPhone or what have you.

------
TylerE
I forwarded the link to a friend who works in the admissions office at Yale.
Can't promise anything but she said she'd be asking some questions.

------
sgarg26
I understand that Yale and Harvard have a rivalry and compete for students.
Out of curiosity, how might Harvard have handled a similar situation?

------
arkinus
Note that this site is also accessible at
[http://coursetable.com](http://coursetable.com)

------
windexh8er
If anyone is curious that's a Palo Alto Networks NGFW block page. Yale is at
least using some great hardware!

------
takeda64
It looks like [http://www.coursetable.com](http://www.coursetable.com) is
filtered on WebSense.

------
philip1209
Switch it to Cloudflare to obfuscate the source

------
ballard
Has there been an official response?

------
songco
GFW don't show any "blocked" message, it just "reset" the connection...

------
lightblade
I'm surprised that we haven't DDOS them yet, lol.

------
Ihmahr
So MIT murders a student (Arron S.), Yale does some ridiculous censoring...

What's next?

~~~
dkural
MIT did not murder anyone. This is a liberal definition of 'murder'.

------
zobzu
it's so disgusting that this stuff even happen.

------
epochwolf
This is not news. Most campus have filtering software and the university
administration will use it to block websites that make them look bad.

~~~
grecy
> _This is not news._

If you're numb to it, then it's imperative that it is news.

Imagine when the headlines read "Millions killed in Nazi camps" and people
said "This is not news."

~~~
nathancahill
Godwin's Law

~~~
Crito
_" Chinese crack down on Tibet" "Not news."

"Israel/Palestine peace talks halt." "Not news."

"Millions die of malaria." "Not news."

"Armed robbery at the corner of Ellis and Leavenworth St." "Not news."

"Your kid flunked his math exam." "Not news."_

Just because somebody chooses to use Nazi Germany as an example, does not mean
that they do not have a point. It certainly does not make them automatically
wrong.

------
robitor
"It threatens the very basis of academic freedom and net neutrality"

So pretentious, did a teenager write this?

~~~
foxhill
i don't think that's pretentious at all.

if my university implemented a scheme like this, i'd feel exactly the same
way.

