While reading a story about a security incident at the University of Pennsylvania, one particular line stood out: "In addition, Engineering students must now register for permission to run CGI script, a technology used in web servers."
Having been out of the academic setting and being used to running security labs at corporations, I was surprised by this. The first thing I do nowadays when setting up a lab is place it in a DMZ separate from any other production equipment. One would think that a CS department would do the same thing, but after talking with several colleagues, this doesn't appear to be the norm.
We need our students (or really, anybody getting into the IT field) to have that sandbox where they can really see how this security stuff works, without them or administration worrying about the outcomes of those experiments. Obviously the Penn example wasn't experimentation, but I'm sure their new CGI rule will affect many curious students.
For those still in the "other" (academic) world, I'd love to hear about experiences in this area...