[Web4lib] RE: [DIG_REF] IM & Security

Bridge, Frank BridgeF at chesterfield.gov
Tue Jan 31 13:01:51 EST 2006


Hello Everyone--

I'm not a gearhead when it comes to IM and the related security issues.
About all I can contribute is a series of URLs where others have cited
the risks associated with IM.  I retrieved them by Googling four terms
together without quotation marks:  instant messenger network security

I'll leave it up to the gearheads to dissect the reasons cited on these
Web pages or from elsewhere.  I make no claim as to the technical
accuracy of the information or the expertise of the authors:

http://www.technicalinfo.net/papers/IMSecurity.html

http://www.windowsecurity.com/whitepaper/Network_Security/Instant-Messenger-Security.html

http://www.facetime.com/pr/pr051028.aspx

http://www.sans.org/top20/#c8

http://www.infoworld.com/article/03/12/03/HNyahooimflaw_1.html

However, if a library does not permit the downloading and installation
of IM software packages onto public stations, then that library also has
the additional burden of maintaining these IM clients.  There are a fair
number of them and there are frequent updates.  I know that DeepFreeze
has an Enterprise edition that permits remote unfreezing of stations and
the ability to push out software updates.  But if you don't have that
kind of software, you may find yourself in the position of having to
touch each station to upgrade the IM clients.  

So depending upon a library's available resources, the maintenance issue
may be reason enough to disallow this functionality.

---
Frank R. Bridge
Technology Management Administrator
Chesterfield County Public Library
PO Box 297
9501 Lori Rd.
Chesterfield, VA  23832-0297
Voice:   804-748-1980
Fax:      804-751-4679


-----Original Message-----
From: K.G. Schneider [mailto:kgs at bluehighways.com] 
Sent: Monday, January 30, 2006 5:04 PM
To: 'Web4Lib'
Subject: RE: [Web4lib] FW: [DIG_REF] IM & Security


> I am curious how the word security is used here. Is Andrea's library 
> planning to host the server Jabber etc.,? In this case then the 
> concern is warranted *IF* and only if they do not have a good system 
> administrator.  If not then I am really confused. Is the concern that 
> the use of IM might compromise their network. How is that different 
> from any software (including web based chat) that is not kept current?

> Are they allowed to install any other software on these computers? Is 
> this how the word "security" is used?
>

Without trying too hard to second-guess Andrea's network operating
environment, one reason I forwarded this post from DIG_REF is that I've
*frequently* heard this statement used to justify...

1. Not installing IM clients on staff workstations (let alone promoting
   IM between library users and library staff)
2. Purchasing specialized virtual reference (VR) software
3. Not allowing IM on personal laptops brought into the library (e.g.
   I've been blocked on more than one public library wifi network,
   using *my* computer, as if I could do the library damage from my IM
   client)

I've heard it from state library networks; I've heard it from individual
librarians; I've heard it fly here and there. (I've also heard it in
reference to Skype, where it could be more justified--though I gotta
say, luv that skype.)

I just felt like this was a good time to "press to test" on this issue.
I have done a lot of one-on-one virtual training where I work, because
we HAVE no facility. IM for us is as natural as breathing. I could not
work without IM. (I also like it for family, friends, etc. But I *need*
it for work.) 

I cannot tell you how often I have had to make convoluted arrangements
(or simply given up) because a librarian cannot use IM at work because
the client is not installed and the librarian tells me that "IT" says it
is not allowed *due to security.* 

I also am a bit concerned how often major product decisions are driven,
sometimes at very high levels, by "because we can't install IM." 

I am also concerned that far too many librarians are unfamiliar or
uncomfortable with IM because they aren't allowed to be exposed to it in
a work setting. (I mean, think of all the damage you can do with one of
those rods that run through card-catalog drawers. You could kill
someone...)
 
> Or do we *also* mean the integrity of logs generated by Trillian or 
> <insert preferred chat client>?

Nope. Not really. I mean, that might be a concern, but that's not part
of the justification. 

My cow-manure flag pops way up on this one every time I hear this, and I
thought it would make a good thread to take off the service/reference
lists and pose to the wise and wonderful Web4Lib and LITA gearheads. 

Karen G. Schneider
kgs at bluehighways.com
AIM/Skype: liichief



