Here is a policy statement about responsible computer use we have adopted here at RIACS (Research Institute for Advanced Computer Science). It draws heavily from the MIT Project Athena policy statement posted earlier in RISKS. Enjoy.

--Peter

-----------------------------------------------------------

PRINCIPLES OF RESPONSIBLE USE OF RIACS COMPUTING FACILITIES

February 1, 1989

P.J.D.

The RIACS computing facility is designed to support the research and related activities of RIACS. It consists of a networked system of workstations and services, and includes communication features that offer many opportunities for members of the RIACS community to share information among themselves and with outside collaborators. With that ability to share comes the responsibility to use the system in accordance with RIACS's standards of honesty and personal conduct. Those standards call for all members of the community to act in a responsible, ethical, and professional way. This note offers guidelines in applying those standards to use of RIACS facilities.

The RIACS system is a closed network of workstations and servers that are mutually trusting. Access to any workstation constitutes access to the whole system. Under normal operation, the many workstations and servers are transparent to the users of the system.

INTENDED USE

The hardware granted to RIACS, and the software licensed for that hardware, are intended for research and educational use, broadly construed, by members of RIACS and selected outside collaborators. Use of RIACS resources by anyone outside requires approval of an assistant director, and the sale of such use is improper. The use of RIACS resources for immediate financial gain is similarly improper. RIACS computing facilities are intended to augment, but not replace, existing NASA computational facilities such as supercomputers.
Computer accounts (and network mailboxes) will be given to all employees, to outside collaborators with written agreements, and to guests who are collaborating with a project. All outsiders must be sponsored by a member of technical staff. All guest accounts will be closed after the termination date unless the RIACS sponsor renews the agreement. Account holders should not share their accounts or passwords with others.

PRIVACY AND SECURITY

The operating systems used by RIACS encourage sharing of information. Security mechanisms for protecting information from unintended access, from within the system or from the outside, are minimal. These mechanisms, by themselves, are not sufficient for a large community in which protection of individual privacy is as important as sharing. Users must supplement the system's security mechanisms by using the system in a manner that preserves and respects the privacy of others.

For example, no user should attempt to gain access to the files or directories of another user without clear authorization from the other user; typically that authorization is expressed by setting file access permissions that allow public or group reading. No user should attempt to intercept any network communications, such as electronic mail or user-to-user dialog. A shared program should not secretly collect information about its users. Personal information about individuals, which a user would not normally disseminate, should be stored in private files inaccessible to anyone other than the owner, and should be distributed only to authorized individuals. Examples of such personal information are performance reviews or letters of recommendation.

Superuser privileges will be granted only to immediate system staff. The staff are responsible for safeguarding the system and the information within it. They will respect the privacy of personal files and mail within the system. RIACS makes best efforts to defend against unauthorized use of the RIACS system.
RIACS people should respect the security and access policies of other systems, and the desire of other institutions to defend themselves against intrusions.

SYSTEM INTEGRITY

Actions taken by users intentionally to interfere with or to alter the integrity of the system are improper. Such actions include unauthorized use of accounts, impersonation of other individuals in communications, attempts to capture or crack passwords, attempts to break encryption protocols, compromising privacy, and destruction or alteration of data or programs belonging to other users. It is unacceptable to create worm or virus programs. It is unacceptable to conduct experiments that demonstrate network vulnerabilities without the prior permission of network authorities. It is unacceptable to engage in acts that would restrict or deny access by legitimate users to the system.

INTELLECTUAL PROPERTY RIGHTS

Some software and data that reside on the system are owned by users or third parties, and are protected by copyright and other laws, together with licenses and other contractual agreements. RIACS people are expected to respect and abide by the terms and conditions of software use and redistribution licenses. Such restrictions may include prohibitions against copying programs or data for use on non-RIACS systems or for distribution outside RIACS, against the resale of data or programs or the use of them for noneducational purposes or for financial gain, and against public disclosure of information about programs (e.g., source code) without the owner's authorization. RIACS people who develop new packages that include components subject to use, copying, or redistribution restrictions have the responsibility to make any such restrictions known to the users of those packages.

Software developed by RIACS is considered to be in the public domain and is to carry certain copyright notices at all times. A separate policy document provides the details.