Why free things are so attractive in universities
I've seen a number of people saying that universities who took advantage of ipsCA's offer of free SSL certificates for educational institutions are now getting their money's worth, and that it clearly would have been better to pay a real SSL CA vendor for real certificates. Would that it were so simple.
The real attraction of the free ipsCA certificates here (and likely at other universities) was not that they saved you $40 US or so. Their real attraction was that you could get them without bureaucracy.
Spending actual money on SSL certificates would have raised a horde of questions that had to be answered. Who was the best and cheapest vendor? Did we really need a proper SSL certificate for this purpose, or could we either live without SSL or use a self-signed certificate (or even create a local CA)? What budget category and area paid for this certificate, and who had to authorize it? If this service costs $40, is it actually worth it (and can you convince the authorizer of that)?
Getting an ipsCA certificate took one sysadmin ten minutes. It was no contest. And of course we wound up getting more certificates because we didn't have to cost-justify them. A proper certificate for our inbound MX so that even cautious people could do TLS-encrypted ESMTP? Sure, why not, it's free.
This applies to far more than SSL certificates. It is the universal attraction of free stuff at universities, because spending money (even quite trivial amounts of money) can take huge amounts of effort, annoyance, and time. Naturally, things that let you avoid all of this are very attractive.
(In theory the staff time and effort required to spend money acts to drastically raise the real cost of small purchases. In practice, universities generally consider staff time to be free.)
There is an immediate corollary to this for people who want to offer free stuff to universities. The important thing is not that it is free, it is that it requires no bureaucracy; free is a necessary but not sufficient condition for this. A free thing that requires the departmental chair to sign an official agreement that must be inspected by a university lawyer might as well cost a thousand dollars, for all the interest that you're likely to see from us.
Look at your pull-based system for things that push
Here is a corollary on how push technology breeds spam: even if you have carefully built a pull-based system that is thus insulated from spam, you need to take a fresh look at it to see if you have any features that do (implicit) push actions that could be exploited by clever spammers. You'll probably have some push features (because they're useful for your users), in which case you need a plan for dealing with spam through them.
To be clear here, by 'push features' I do not mean things like 'invite your friends' email (that's a whole different issue); I mean any feature that lets user A put something in front of user B without user B explicitly asking for it. Internal private messaging is an obvious push feature but there are lots of others.
Twitter makes an interesting example for this. In theory Twitter is all about pull; you decide who to follow and who not to follow, and that's it. Except that there are at least two push features, and spammers exploit them both:
- people are notified when you start following them. So you follow somebody and either hope that they'll reflexively follow you back (in which case you start spamming) or look at your profile and perhaps your website.
- people can be notified if you reply to one of their messages (or to them in general). So, well, you reply to messages with spam or (possibly vaguely relevant) marketing messages.
Both of these features are clearly useful to real users, which is presumably why they exist, but spammers have figured out how to exploit them just as we'd expect.
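As an added illustration of the "have a plan for spam through your push features" point (this is example code written for this page, not anything from the original entry or from Twitter), here is a small model of a pull-based system with exactly the two implicit push features described above, follow notifications and reply notifications, plus a gate that rate-limits those push actions per actor. The event stream, account names, window and thresholds are all constructed assumptions chosen to make the behaviour visible; ordinary posts are left alone because only people who chose to follow the poster ever see them.

```python
"""
Added example, not from the original post: a pull-based feed whose only
push features are "follow" and "reply" notifications, with a per-actor
sliding-window limit on those push actions.  All names, limits and events
below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

PUSH_ACTIONS = {"follow", "reply"}    # actions that put A in front of B without B asking
WINDOW_SECONDS = 3600                 # sliding window for the per-actor limit (assumption)
LIMITS = {"follow": 20, "reply": 30}  # push actions allowed per actor per window (assumption)
NEW_ACCOUNT_LIMIT = 5                 # tighter limit while an account is young (assumption)
MIN_AGE_SECONDS = 7 * 86400           # an account younger than this counts as "new"


@dataclass
class Event:
    ts: int
    actor: str
    action: str                   # "follow", "reply" or "post"
    target: Optional[str] = None  # who would be notified; None for pure pull actions


@dataclass
class PushGate:
    account_created: dict                                   # actor -> creation timestamp
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def limit_for(self, actor, action, ts):
        # Unknown accounts are treated as brand new.
        age = ts - self.account_created.get(actor, ts)
        base = LIMITS[action]
        return min(base, NEW_ACCOUNT_LIMIT) if age < MIN_AGE_SECONDS else base

    def allow(self, ev):
        """Return True if this event may generate a notification for ev.target."""
        if ev.action not in PUSH_ACTIONS:
            return True  # a plain post is only seen by people who chose to follow
        q = self.history[(ev.actor, ev.action)]
        while q and ev.ts - q[0] >= WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.limit_for(ev.actor, ev.action, ev.ts):
            return False                               # over the limit: hold, don't notify
        q.append(ev.ts)
        return True


def route(events, gate):
    """Split events into those whose notification is delivered and those held back."""
    delivered, held = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        (delivered if gate.allow(ev) else held).append(ev)
    return delivered, held


# Constructed sample data: "alice" is an old account behaving normally,
# "promo99" is a week-old account mass-following and mass-replying.
ACCOUNTS = {"alice": 0, "promo99": 8 * 86400}


def constructed_events():
    base = 8 * 86400  # alice is 8 days old here; promo99 was created seconds earlier
    events = [Event(base + i, "alice", "follow", t) for i, t in enumerate(["bob", "carol", "dave"])]
    events.append(Event(base + 10, "alice", "post"))
    events.append(Event(base + 20, "alice", "reply", "bob"))
    events.append(Event(base + 30, "alice", "reply", "carol"))
    events += [Event(base + 100 + i, "promo99", "follow", f"user{i}") for i in range(12)]
    events += [Event(base + 200 + i, "promo99", "reply", f"user{i}") for i in range(8)]
    return events


def demo():
    """Return per-actor counts of push notifications delivered versus held."""
    gate = PushGate(account_created=dict(ACCOUNTS))
    delivered, held = route(constructed_events(), gate)
    summary = defaultdict(lambda: {"delivered": 0, "held": 0})
    for ev in delivered:
        if ev.action in PUSH_ACTIONS:
            summary[ev.actor]["delivered"] += 1
    for ev in held:
        summary[ev.actor]["held"] += 1
    return dict(summary)


if __name__ == "__main__":
    print(demo())
```

The point of keying the history on (actor, action) rather than on the actor alone is that each push feature is its own spam channel and needs its own budget; the tighter limit for young accounts is the cheapest single control, since the spammer's follows and replies are all generated by accounts that have done nothing else yet. Held actions still happen (the follow is recorded, the reply is posted), they just stop generating the notification that was the spammer's real goal.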