
Computer Security: Virtual Misconduct – Real Consequences

“Academic” and “freedom” do not imply “devoid of rules”


In the academic environment of CERN, given the freedom it provides to undertake research and development, it is sometimes forgotten that “academic” and “freedom” do not imply “devoid of rules”, and also do not mean that there are no consequences for inappropriate or illegal behaviour.

The CERN Computing Rules – as set out in Operational Circular No. 5 (OC5) – are based on common sense and apply to everyone using CERN’s computing facilities: staff, users, students, sub-contractors, visitors... In terms of content, it is easy. Anything you would not normally do outside the privacy of your own home, or anything that obviously violates the law or is offensive, inappropriate or immoral, should not be done at CERN. The browsing of pornographic material is one such example. Whether in your office or on a dedicated public screen, it is simply not appropriate in a workplace context such as CERN and has led to the termination of contracts or to persons no longer being welcome on the site. (See also our Bulletin article “Offensive Public Browsing”.)

Equally inappropriate is the dissemination of material which sheds a negative light on the Organization (or, as the Staff Rules say, creates moral or material prejudice for CERN). An example is the uploading to social media of inappropriate content to do with CERN or filmed on site, which can create a negative reaction in the media and thus impact CERN’s reputation adversely. On one occasion, for example, such activity required the mobilisation of significant resources by the Organization to address the media consequences, as well as for the internal follow-up procedures that were necessary. In that case, disciplinary action was taken in collaboration with the home institutions of the individuals concerned.

Copyright violation and licence infringements are also taken seriously: one university student found herself in a very tricky situation after she downloaded software from a dubious web portal, ran the software without a valid licence key, filed a support request using her university professor’s CERN account, and was caught by the company in question. The bill for licence infringement, which was initially sent to CERN, was passed on to her university.

As far as the use of CERN’s computing resources is concerned, common sense prevails once more. The CERN computing facilities are intended for professional use exclusively. While some personal activity is tolerated (like privately browsing the web, hosting personal webpages, or use for the benefit of CERN’s clubs), extensive misuse is not. An obvious CERN exit strategy? Bitcoin mining! While it might be tempting for a user to run Bitcoin mining on the Worldwide LHC Computing Grid, there are strict rules and extensive security monitoring in place. All violations are systematically escalated and followed up…! At least one person once tried to benefit from these resources to generate Bitcoins – to print virtual money for free, while the community paid the costs. The consequence for that person: a formal investigation.

Perhaps most serious of all, and something nobody can pretend to have thought was permissible, is sabotage. Hacking into the computer of a colleague, manipulating his analysis and deleting data is definitely outside common sense and is morally unacceptable. Planting back doors into CERN computing services for usage following your departure from CERN is too. In these cases, the perpetrators were dismissed by CERN or their new employer, respectively…

These examples are not intended to scare you. We just want to remind you that your work at CERN is subject to a set of rules: primarily, the Staff Rules and Regulations and the Organization’s Administrative and Operational Circulars, as well as the CERN Code of Conduct. They are there to protect you and ensure a respectful workplace. In particular, your use of CERN’s computing facilities is governed by OC5, which is intended to protect the Organization, and therefore you, your data and your work, from any reputational or operational difficulties. So, please familiarise yourself with these rules if you have not already done so, and respect them!


Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.