I thought my school was bad but reading this makes the administration at my school look like angels. When I launched a similar service at UNC Chapel Hill, the IT dept blocked requests from my server to theirs for scraping latest data.
They claimed I was creating excess load, which is silly because if they really did the math, given how many people were using my service I was probably saving them resources.
UNC invested in what was initially planned to be the most expensive academic ERP system ever, and which then went way over budget and schedule.
The result? An even older version of PeopleSoft (which apparently is Oracle's second-tier offering) than what was being sold to other universities in prior years.
It's barely useable at all. It's utter shit-ware. The prior in-house system, which was early-90s HTML presumably layered over 1980s mainframe software, was MUCH better.
Personally, I am convinced that this was a MASSIVE kickback scheme. Tens of millions, possibly hundreds of millions, have been stolen from the State of North Carolina, and people need to go to jail for it.
IIRC the project actually did get a special appropriation from the NC legislature, but don't quote me on that.
This isn't just incompetence, I think it is actually a cover for massive fraud. I know, always blame things on stupidity if you can... but from what I know, no, you can't in this case.
I wish some enterprising journalist would hurry up and investigate this... could net them a Pulitzer or something. That is why I am posting this comment.
zaidf, if you didn't realize this already (and you probably did), when you made your alternative portal, you were fucking with some very powerful people.
Meanhwhile, UNC has also been uncovered as using the Afro Studies department to hand out free grades to athletes for decades. There were hundreds of courses and grades listed that literally did not happen. Fraud is absolutely rampant at UNC. Maybe that's why our new Chancellor left after like a year? The state of NC needs to completely clean house.
I worked at a .edu for ~8 years. While I never had to experience it firsthand (thank $deity), I can't begin to count the number of horror stories I've heard from my peers at other organizations with regard to PeopleSoft. I don't believe I've ever heard of an implementation even going "okay".
Side note: those of you building apps aimed at specific industries, consider education (both K-12 and higher ed). As I said, I was at a .edu for ~8 years and, in my current role, I deal with a lot of K-12 schools. Both will spend outrageous amounts of money for decent software applications.
Haha you nailed it. I met with their main tech boss who was an older gentleman who basically kept telling me that the new system they have planned to roll out(from Oracle) will have the features that my site had. My site basically texted students soon as a class opened up. It got crazy traction.
I'm also well aware of the grading scandal as I still run a grade distribution site called blinkness.com which is heavily used on campis(even though I left unc years ago). We have a feature on the site called "Top A classes" and the professor in question always ranked very highly :)
Some students at my university created a website to turn your timetable into a file that could be imported into a calendar app by screen scraping the timetabling website. The University actually helped out with hosting it and providing access to their SSO system. Win win.
I've done the same at my university, and they've mostly turned a blind eye to it. The timetabling department expressed concerns about students relying on timetables that are outside the university's direct control but have thankfully not taken any action.
To me it feels like people protecting their little kingdoms within a large organisation.
There is no market in which you have to compete against the new (superior) competitor so the only tool you are left with are fallacies like referring to regulations and proper protocol.
Having worked in a large profit center IT dept at an Ivy League, I know first hand how many bad apps are developed and how many hundreds of millions are frittered away (or in some cases tantamount to stolen). I think working with students to open source and support apps is a way to go. The university concerns are: looking bad, students using an esoteric language, messy programming style or move on. If universities had more open APIs and data like the city of San Franciso, more apps could be developed to make use of the data in novel ways, as opposed to permission-based "culture of 'No.'"
Also this incident makes Yale look really bad... This could end some careers.
Semi-unrelated but, plenty of corporations see these fallacies as the best (and sometimes only) tools. In large markets money, political connections, and entrenched position are king.
From my experience working several times with a large state university, this is absolutely true. The managers and administrators in the university IT division tend to be lifetime employees, who have absolutely zero perspective on IT except what they've experienced internally. Nepotism is rampant, incompetence the norm, and the whole environment is incestuous, corrupt, and highly political.
I also created something somewhat similar[0] for my school (Penn), and the only reason we didn't get shut down was because we don't make it easy to know how professor stack up against one another.
I was just thinking, "they wouldn't have done this at Carolina" but I guess I was wrong. When I was there you could run a torrent server out of Old West and no one cared.
There is no way that a valid copyright claim can be made over the underlying data because it is a statement of fact. Such a work is not eligible for copyright protection.
Does this apply even when the "copyright holder" has meaningfully manipulated the information in order for it to be in a useful form? Have they imparted some IP that is now protected in some way?
IE, could I mirror deep-level sports statistics without attribution? One would think the agency I "took" it from had applied meaningful resources to extrapolating this data, which may be in fact be statement of fact.
In the US, yes, the selection and arrangement of facts _can_ be protected by copyright.
It needs to be an arrangement or presentation that involves a significant degree of creative choice, not an arrangement that is obviously inherent in or determined by the facts themselves. (For instance, an alphabetic arrangement of terms would obviously not be copyrightable either, but the order of a list of buildings ranked by prettiest might be).
The individual sports statistics are definitey not protected by copyright -- nobody can require me to get permission to tell you that Joe Blow has an RBI of X. But if you copy the entire database of sports statistics from someone, and present them in the same order/categories, those elements (selection and arrangement) _might_ be copyrightable -- it depends on the specifics and how well the lawyers make their case that the particular selection and arrangement involved were creative choices, not just obvious in the data itself.
In the U.S. , that you "applied meaningful resources to extrapolating" is completely irrelevant to copyright -- that it took lots of resources to assemble purely factual information still does not make them copyrightable. This is known as the 'sweat of the brow doctrine', and the courts in the U.S. decided that it did _not_ apply to copyright here. http://en.wikipedia.org/wiki/Sweat_of_the_brow#US_copyright_...
My understanding (as a non-lawyer) is that it depends on your jurisdiction. In the US, copyright normally only applies to works of creative expression, and not to facts or ideas. However, you can argue that the selection of facts that are compiled into a database involves creativity; in that case, the database as a whole may be protected, even though the individual facts aren't.
IANAL, but since the database is just (presumably) all of the classes at Yale, it's hard to see how their selection could be copyrightable. I haven't used the app, but it's quite possible they have course descriptions in there too, though, which are copyrightable.
But then there's the separate question of why Yale wants to do any of this.
> But then there's the separate question of why Yale wants to do any of this.
I suspect that providing easy/effective access to course and professor ratings trampled on some feet. Somebody's course enrollment is hurting and making somebody look bad.
But what are these people thinking? Do they really think Yale students are so lame they can't get around censorship easily to get the data they want? If the students are that lame they need to select better students, it seems to me.
One of the principal issues raised here - and not squarely addressed in the post or the article to which it links - is the extent to which average subjective ratings of courses and professors should be permitted to dominate the decision-making processes of students.
Note that Yale's complaint included concerns over "the prominence of class and professor ratings", and the student developers' response was to remove "the option of sorting classes by ratings". Subjective five-point ratings can be useful in many contexts, but in the context of education they can also give rise to genuine pedagogical concerns about the way in which students choose their courses.
Looking at the screenshot in the post, it is not difficult to see that the pattern of enrolments might very quickly become skewed towards those classes with higher average evaluation ratings (whatever such ratings might mean). If that happens, it suggests that some students may be making decisions about the courses in which they enrol based principally on factors other than their interests, abilities and future career paths, or without critical thought. Whilst other factors are relevant, including those for which an average of subjective evaluation ratings might be a plausible heuristic, that does not mean those factors should be the primary or predominant factors.
Without seeking to defend or condone Yale's response, there is more to the story than the tale of student censorship presented in the post.
Yale has the same student feedback/rating data available in their official online coursebook. From what I understand, ybbplus/coursetable was simply aggregating it in a way that made it easier for students to use. If there is something fundamentally wrong with subjective ratings, it seems strange that Yale would provide it in one context and censor it in another.
Maintaining data integrity is probably fairly important to them. By allowing a separate service which is used by a significant portion of the students, the system is open to serious exploitation. Professors can get black-balled by disgruntled system administrators or hackers, just by screwing with the numbers.
Yale owning both the data and the interface is understandably important to them, though this might be an opportunity for the creators to work with the administration to reform the current system.
Blackmail is illegal, and intentionally screwing with ratings is almost certainly libel. Both of those hypothetical can be dealt with by the law already; I don' think there is much sense in warping copyright law to protect you from the possibility of those things happening.
How are the students interests, abilities, and future career paths served by taking bad courses from professors with no interest in teaching, because they're too busy giving interviews / doing research? Perhaps Yale should let the students balance all factors, including what their peers thought of the class. It's not as if the website casts a spell on their feeble brains and removes any consideration of critical thought. Is it Yale's duty to protect its customers from truths they "cannot handle"? Would you say Yale should ban Amazon book rankings, in case the student doesn't know how to handle a one-star ranking and decides to burn the book?
Many rankings are indeed subjective (books.. classes.. movies) - in fact that's rather the point: to render ones opinion.
While there's potentially a debate to have over that topic (I'm sure the creators and some users of this site disagree with those concerns), the University's decision to censor the site strikes me as far less defensible than the existence of the site itself. So respectfully the fact that there's "more to the story" on that basis alone isn't terribly salient.
If I'm paying $58,000 to attend an institution (rather, if my family is sacrificing $58,000 for me to attend an institution...or,worse yet, if I am taking out $58,000 worth of student loans per year), I should be able to use a course listing service so that I can tailor my academic experience however I chose. THAT is how we open this debate, not with comments about who the proper copyright holder is or whether or not this constitutes as deep packet inspection.
No, if you choose to go to Yale and pay 58k/yr then you get the product they give you. It's up to them to design the product (your Yale education). It might lead to unhappy customers, but I don't see how entitlement can be argued.
I disagree. Completely. First of all, I object to your classification of a 4-year educational experience as a "commodity" that is offered on a "take-it-or-leave-it" basis. In fact, every student is guaranteed (and therefore, entitled to) the right to chose the classes that he takes. Yes, there are gen-ed requirements. Yes, there are majors. But, generally speaking, a STUDENT is responsible for tailoring his education.
The value of the "product" lies within the choices that it offers students (both in terms of courses/professors and in terms of post-grad prospects).
If Yale prescribed to your notion of higher education, each student would be handed a list of pre-determined courses that he would have to take each semester. Instead, Yale students are allowed to chose their own courses/majors, and in some cases are allowed to create their own majors. Why? Because "choice" is the underpinning of the liberal arts philosophy.
So, within this context, I believe that I should be able to use a well-designed course listing platform as I am considering what courses to take. Especially at 58k/yr.
I don't think blocking a specific set of IP addresses constitutes deep packet inspection. If they were reading the payload contents for strings matching the CourseTable site, that would qualify.
The type of block they're describing could easily be implemented in simple stateless firewall, something like iptables. No deep packet inspection is needed to block based off of header info like src/dst ip, port, or protocol.
DPI specifically means examining the payload of the packet. This is not DPI.
This looks like the block page you get from a Palo Alto firewall. The feature set includes traffic inspection, among many other things. We've got a couple where I work, they are pretty great firewalls actually.
You don't think they probably force their students through a HTTP Proxy (which will have a different address) than the one a ping ends up originating from?
I'm with the parent, I doubt they're doing DPI here.
Harvard did this in 2003. It even went so far as to accuse me of using the word "The" improperly, in a copyright line where I properly attributed credit to "The President and Fellows of Harvard College," when http://www.harvard.edu at the time said the exact same thing (and apparently still does). I left Harvard early (with a degree), and then I wrote a book about it.
What's the purpose of Yale censoring certain websites? I find it hilarious that people spend so much money to go to Yale, and some of that money goes to inspecting what they're browsing.
Preventing malware outbreaks on the Yale internal network?
Many University networks are intentionally pretty open on the inside. Last I was at Uni, for example, CIFS was not blocked. CIFS is a common vector for malware to spread across a network.
So, blocking access to known malware hotspots works as a form of preventative maintenance. With a student body of 5,000 you are virtually guaranteed to have a cohort of that archetype of user that acquires new malware on a daily basis.
Edit: Obviously that isn't a good reason to block THIS website, just responding to the general question of filtering in the first place.
Frankly, if colleges receive public funds, they shouldn't be allowed to claim "copyright" on something like timetable information, in my opinion. Actual intellectual property, maybe, but this? Not a time table. That's just silly.
I'm sure no Yale student has ever heard of tethering and that blocking the site on the Yale network will effectively prevent very smart students from reaching this website.
You would think that the Yale administrators would know better than this.
If anything, it's symbolic and indicative of future actions. The university has demonstrated 'defending itself' and now they have evidence of anti-authoritarian protest and dissent directed at the them, and the next logical step is legal action.
This public shaming will be received as insulting and provocative, and the deans will attempt to assert their dominance through the courts.
Preventing students from accessing the website is neither the goal nor is it a desired side-effect -- the goal is intimidation and generating evidence of wrong-doing. It's a game of poker for the administration and they showed their hand, and now they're waiting for the OP to call their bluff. This will not end well.
I bet you a significant portion of the traffic is now coming over the mobile phone. If 40% of the students preferred that site, I'd bet its enough of an improvement to warrant some small-screen browsing.
There are valid objections to that claim, no question. But students asserting this in their defense nevertheless has a great deal of power, because universities still want to be bastions of free speech. It is close to the core of the self-image of university and college faculty members (and an awful lot of the administrators, too), even when the reality falls short of that ideal. So these words make a very strong moral argument in context, and might succeed in building on-campus support where other arguments wouldn't.
Having FIRE's[1] RSS feed[2] in my daily reading has dissuaded me from that belief. "Unlearning Liberty" by Greg Lukianoff (FIRE's President) has a chapter of Yale.
I expect the official explanation to be something like "we cannot endorse an unofficial service that might give misleading information to our students."
Every censor does it from an honest desire to keep this terribly misleading information away from the unknowing masses.
I don't think Yale is blocking the service in a conspiratorial effort to stymie students, but from a not well thought out desire to babysit.
tl;dr -- the crux of the issue (right or wrong) is making the evaluation information too public. From the news story:
> "[Administrators' primary concern was] making YC [Yale College] course evaluation available to many who are not authorized to view this information,”
> "[Administrators also asked] how they [the site operators] obtained the information, who gave them permission to use it and where the information is hosted."
Edit: Agreed, I don't buy these are the real reasons.
They claim that's the crux of the issue. But consider: if they're concerned about outside access, why are they blocking access to the site for precisely the set of people who actually are authorised to view the information?
It would have been really cool if the developers of this (really nice, AFAICT) site moved it to (or also made it available via) a Tor hidden service.
The students would regain access to their data (I realize that it has now been e-mailed to them) and it would be a great example of exactly how Tor can help "bypass" censorship.
If it were only deep packet inspection, the solution would be simply to prefix https:// and be done with it. As other posters have remarked, I suspect the article means an IP based block.
Actually most SSL based browsers will transmit the domain cleartext as part of SSL handshaking. This was added so virtual hosting webservers can all have independent certs on the same IP
See the following link for the specifics ... but needless to say its easy to block SSL access with a transparent proxy or layer 7 firewall. (which based on the error page looks like a Palo Alto device which definitely can do this...)
It doesn't matter whether you control the user environment to covertly install the MITM certificate. You simple notify your network users this is happening with instructions on how to install the certificate.
Either the user installs it or not, it's their choice.
I am in no way advocating this abhorrent system of 'security'. Simply noting that it is obviously done in the workplaces and in many workplaces. That it can also be done here under 'security' pretences.
> It doesn't matter whether you control the user environment to covertly install the MITM certificate. You simple notify your network users this is happening with instructions on how to install the certificate.
Respectfully, I disagree. This is certainly possible, but from an operational perspective this would be a nightmare. Even setting aside the likely backlash that would follow in response to such a sweeping policy change, university networks largely consist of diverse, user-managed devices, and supporting a transition through such a change would have a non-trivial cost.
For what it's worth, at my university, UNC Chapel Hill, there are two networks, one of which requires you to install a custom root certificate, and is the network that the university prefers you connect to. For devices on which this is not possible, there is another network which only requires that you register your device's MAC address to your university id for access.
Regardless of which option you choose, you are required to install another program (unless the OUI of your MAC indicates that it is a device other than a computer) which scans your computer for malware and any software which the university does not allow you to have, such as torrenting applications, and will not allow you to connect to the network until after your machine is cleared. This program must be running the entire time you are connected to the network or you will be disconnected.
As a student who works as tech support in the dorms, it certainly is a nightmare!
Oy. Students at your university certainly have my sympathy.
I've always been leery of the mitm cert, not only from the users' perspective, but also from that of the organization. If a rogue administrator used the cert to set up a "real" mitm for a local bank's site, I think the school would be on the hook for that. That's just one example; one could imagine other variations on that theme. Whereas, if the school simply acted as a normal ISP, that whole class of vulnerabilities simply doesn't apply.
We are, of course, talking in only hypotheticals. Unfortunately, this is a trend that is becoming more popular in the private business sector on their networks. I cannot foresee a indicator that would prevent this trend crossing over to universities.
Individuals at their workplace do also have user managed devices, they also are 'outraged'.
I'd be really shocked if that's the case, they're essentially sabotaging their own security by exposing a single surface for attack for MITM attacks.
Most corporate environments typically do not "proxy" SSL, I know this from experience administrating networks and later abusing this with an SSH tunnel on port 443 allowing me unfettered access.
I'd be very interested in technical details on how that's implemented if it is.
I run a similar service for other schools (courseoff.com) and I have run into this before. I bet what happened was their site failed to cache the course data or seat information and was thus making lots of requests to the Yale servers. To Yale it might appear like a DoS from this site.
Obviously I don't know for sure but I would venture to bet this block was more an automated response than malicious intent against the site.
The issue isn't that Yale cut off the sites access to the school's servers. The issue is that Yale cut off their students access to the site. Furthermore Yale and the site were apparently in dialog before the block, and Yale raised copyright concerns (probably bullshit, unless they were copying course descriptions or something like that (I suspect course descriptions were involved initially): http://en.wikipedia.org/wiki/Sui_generis_database_right#Unit...).
It's not DoS, you don't present a splash page for offenders in that regard. I know the platform (PAN-OS) very well and that page is a URL filtering profile splash. It's actually a custom URL category (shown at bottom) that they can update via white and black lists.
> Over 2,000 students out of a campus of 5,000 were using it as of today noon, when the Yale administration began censoring it using traffic inspection. They had contacted us warning that we were using copyrighted data.
It doesn't seem automated, and if there was a DoS wouldn't they just go out and say so?
This is very unfortunate that they are doing this if the data was scraped and not hitting their servers. Is it that some part of the data they think is copyrighted (like grades) versus just courses?
"They had contacted us warning that we were using copyrighted data" last I understood you can't copyright data or facts [in the US]. You can own copyright to a particular published format though. One can't copy and publish a phone book verbatim but you can certainly scrap a phone book for its data/facts and publish them in a different format.
Now I'm not sure if this is a slam dunk. My friend works developing a fantasy sports startup, he's talked about all kind of legal grey areas around the legality of where you get those stats. He didn't go into specifics though.
Could it be in order to govern the information, rather than "copyright" per say?
My thinking is that, from Yale's perspective, having a 3rd party (and especially a student) be the go-to source for course info might be a bad shift in power.
When it's all in good kind, it may not look bad, and even if it is well intended, there are a few problems that could arise:
- Bugs in crawling code causing some course information to be false, omitted or stale.
- Changes in OCI causing said crawler to keep stale data and fail to update.
- Students complaining to Yale with wrong information.
all the way to the more paranoid:
- 3rd party maliciously falsifying information.
- Generel confusion as to which information is reliable, driving students to have a more, rather than less, difficult time finding and verifying class scheduling.
I'm all for net neutrality and strongly against censorship in all forms, but "playing devil's advocate" can't there be a somewhat "legitimate" reason to shut the 3rd party page off for Yale students?
Of course there can be legitimate reasons. If the 3rd party inserted wrong data, or did 1,000 requests per second, causing high load on the servers, then I would call it legitimate.
However, the ones you've listed are not legitimate, because of the term "could." Anything could go wrong. An editorial in the local newspaper could have wrong information about the courses, but that doesn't justify the university excluding that edition of the newspaper from campus stores.
Things go wrong all the time. Someone may have printed out an old copy of the schedule, and based decisions on that. Or left a page on the screen for a week. Which means the system must already have support for people using stale information. Anything else is unreasonable. So long as the additional burden is not substantially higher than background, I don't believe there is a "legitimate" justification here.
As for copyright, this sounds very much like like Feist v. Rural. Quoting from Wikipedia: "Feist had copied information from Rural's telephone listings to include in its own, after Rural had refused to license the information. Rural sued for copyright infringement. The Court ruled that information contained in Rural's phone directory was not copyrightable and that therefore no infringement existed."
Something like this happened at the university in the city I live in. There was an apparently awful service for signing up for classes called BearTracks [1] and someone made a scraped version of it that was better called BearScat [2]. Eventually the university basically incorporated the better version into theirs (to, I understand, mixed results).
This is an unacceptable, naked abuse of power. Any education institution blocking any site on political or anticompetitive grounds flushes away any vestiges of ideals of free speech and open learning. The administration should have known better or it may find itself replaced for acting incompetently.
Wow. This really makes me appreciate what we had at my college. For nearly a decade now, the OFFICIAL portal for the university that lets students and teachers manage courses and assignments (submissions included), has been the one that was originally developed, and still managed by students. We have a webmasters club for that whose responsibility it is keep it up and running and add features to it as they see fit. The university has been nothing but supportive of this, including assigning it an yearly budget for hosting and other expenditures.
Yes, but CAS is a single sign-on system likely used throughout their internal network, so they're probably not able to disable it without disrupting authentication to a large number of other unrelated systems.
Incorrect - universities are now a business, nothing more. You can have your free speech so long as it makes the shareholders happy. Having students confused and lost (or being unable to chose the best education for themselves) is a fantastic way to have them repeat courses in the long run.
Tertiary education is no longer what it used to be. It is now exactly the same type of delusion that women face in terms of having to be slim; or consumers face in terms of having to have the latest iPhone or what have you.
"Armed robbery at the corner of Ellis and Leavenworth St." "Not news."
"Your kid flunked his math exam." "Not news."
Just because somebody chooses to use Nazi Germany as an example, does not mean that they do not have a point. It certainly does not make them automatically wrong.
They claimed I was creating excess load, which is silly because if they really did the math, given how many people were using my service I was probably saving them resources.