P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up; the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is necessary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
then chances are they're just plain stupid. Block the ports and if they come complaining, say you don't know what's going on, you don't use such programs.
This is obviously a problem that lies in every school district and also in college. Just take charge and let the teachers know (in a non-technical and informative way) the reasons that you want to block these specific P2P networks from being accessed. If you set a standard, people will conform.
Set up a web proxy. Firewall off everything else. Only allow port 80 traffic from workstations. It will kill off all the bandwidth eating crap, but still allow use of the internet for school.
Michael Loves Me!
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
Simple,
You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.
In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.
If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
You've got problems with p2p users and virus idiots? Just block all the relevant p2p ports and blame it on a computer virus. Then sit back and watch the two groups destroy each other.
Would you let the children drive a car without proper training, and consequences if they do something wrong?
If not, then why on earth would you allow someone to just wantonly use a computer however they see fit?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
My favorite method at this time is to just shut off whatever I need to shut off. Limit access where it needs to be limited.
Then when the questions start flying I just shrug and try to look dumb. "I don't know what happened to your ability to download porn at work."
They won't know what's going on, and most people, despite all reason, believe that computers act in a random and hurtful manner of their own volition.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.
I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.
Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!
I find that most often I end up learning from necessity, rather than for enjoyment.
I'd come up with an AUP explicitly banning P2P, not for any ideological reasons, but stating the bandwidth/virus concerns.
Take it to the principal (or whoever administration is if you're above the individual school level), and get it approved. Use logical reasoning. By pointing out that bandwidth is very limited, and such programs are interfering with the educational use of the 'net (YES -- a legit "for the kids" argument!), you should be able to get the AUP approved. At that point, you can ban all such things, and block your incoming/outgoing ports.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
How would you approach solving it without totally alienating your users?
Talk to (or email or interoffice mail or call) them. Ask them if they can remove the software from their network. I really don't see why a K-12 teacher would decline. If they do, then worry about talking to their supervisor.
Seriously, use those english classes for something good. Start blocking ports left and right, shutting stuff off at the routers and tell them it's a system problem on their machine and you'll fix it when you get around to it.
If they're as clueless as the teachers and students I had in K-12, you'll have no problems whatsoever.
Besides, how exactly is the pansy ass administration going to get the balls to audit if they can't be bothered to come up with some decent guidelines?
Just figure out a hitlist of things to blame it on. M$, Real, Kazaa, Spyware.... whatever.
I'd be surprised as hell if you got caught.
Arrogance is Confidence which lacks integrity. -- me
...outweighs the good of the few. Or the one... -JCD
When it comes to implementing technology policy in any organization unfortunately the only way to be successful is to have 100% support from upper mgmt (or in your case administration). You can always regulate on your own and act like you have the authority, but sooner or later you'll piss off the wrong person and that person will just so happen to be best buds with your boss. Good luck.
It truly amazes me how many times I've been hired or contracted to do something but not had the authority to follow through.
Just block the ports for the p2p. What are the teachers or students going to get all pissed, run up and say,"WTF!? You're phreaking the l33t h4x0r thing we got going! Daaaamn you!" ?
Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.
I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.
Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.
My Karma was at 49, then they switched to words. All that work for nothing!
Well, if you can't pen policy, you can create paranoia in order to create harmony. In your case, big brother is watching. You might not be able to tell people to stop, but you can pen a friendly letter explaining the legalities, liabilities, oh, and that you have the technology to log and track all internet traffic going on the network.
A little paranoia goes a long way. And as an added benefit, you don't have to stick up for anything because you're not changing policy at all. You are "executing the due diligence required by law".
I know that I have worked in a large agency (I would prefer not to name names) and we had a similar problem. We just cut them off, and waited to see who got mad. The thing is that most people have a tendency to not complain if they know that what they are doing is not completely in the best interest of where they work. The bottom line is that it is not their private connection, it is the school district's, and the school district should be allowed to limit it if necessary. Now stopping these connections, that can be a bit more tricky, but there are software apps out there that will do it, or if you are really good do what we did, and write your own :).
You'll need it.
Try for an acceptable use policy first. I would recommend you implement it at the beginning of the next school year (assuming non-year-round school here).
Try and get buy-in from the high up muckity mucks and/or a technology "team". I went through guiding a whole district onto the internet.
The policy part was the toughest......
I assume we are talking multiple k-12 sites with point to point links? If you do have routers between the schools, you could block most of the ports, (to give you breathing room)
What are you running for OS and Network OS?
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
Send out a schoolwide e-mail to administrators, teachers, etc... everybody. Make it say something like the following:
It has come to my attention that certain individuals have installed software which is negatively impacting the performance of our network infrastructure. I do not know if these individuals are students, faculty or staff, but it will be necessary for me to disable access to this software in order to preserve the usability of the network. If this causes any inconvenience for anyone, please contact me.
Your Sysadmin Type Person.
Then just close all of the p2p ports. When people complain, explain to them that their software is introducing viruses onto the network and eating up all of the bandwidth. Then add their name to a list of 'troublemakers' and wait for the chance to hose them good... Or you can just compile a list and turn it in to the administration as a list of people who are violating the network usage policy (if one is in place).
Kintanon
Check out JoshJitsu.info for Brazilian Ji
In this case, I'd start with the usual corporate arsenal. Block unnecessary ports out, unless a teacher requests access to a particular port for a school project. Possibly put an http proxy server into place if there are particular sites that need to be blocked (but don't block carte blanche)
Unfortunately, these policies aren't going to make you friends with any of the teachers or students, so tell anyone who wants access to the blocked ports to just get approval from the principal or superintendent, and let them make the decision to unblock a port.
This program is really annoying for students, but can solve all your problems. It's called Deep Freeze and it restores the hard drive back to a set state whenever the computer is restarted. Go here.
I would go to the administration and talk about it. They will probably want to ban it entirely, for most of that type have an intrinsic instinct to censor things of this nature. However, my suggestion is probably going to back them. Though I graduated high school within the last few years and would have completely disagreed at the time, I don't think it is wrong for you to disallow use of these programs whatsoever. The small benefit of freedom is far shied by the potential impact that this can have on the network (virii, bandwidth, etc). It is NOT wrong for you to deny users use of this at an educational institution. There really is no necessity for any software of that nature to perpetuate education.
I would have shot myself for saying something even rhyming with "censorship" back in the old times, but I realize the necessity under this situation. I'm not sure how you'll approach it, but I'll bet a lot of these chaps have some good things to say. Keep reading on!
My little sad piece of the internet: www.mtndewd
you could always put a packet sniffer on the gateway and start emailing people the text of their online conversations and the searches they did on BearShare. That'd probably scare the shit out of them enough to stop.
At my old high school, it wasn't p2p that was the problem. It was people streaming shit from other networks. On our tiny t-1, we had at least 10 people in our room listening to rap at max volume playing full screen music videos streaming off of a server. The admin responded immediately to the threat by blocking off Slashdot, AntiOnline, Something Awful, and all the other sites I read. I promptly downloaded Kazaa and began to download anime to watch. Moral of this story is, find the real cause of the problem, and act on that, instead of just against the nerds.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Since there's no such thing as a "virii", introducing one should not be difficult to deal with.
With a linux firewall this is easy to do with qos and such.
They can still use p2p systems, you just limit the bandwidth to levels not harming genuine educational use. This shouldn't be hard to sell to your supervisors.
Jeroen
Secure messaging: http://quickmsg.vreeken.net/
If he blocks P2P for everyone where does he get hiz own warez?
enjoy the pr0n man, don't fight it. If you can't beat em, beat *it* bro.
Yes, block the P2P ports with a firewall. However, this is also a social problem that must be handled in a skillful way.
...I can tell you that you will be widely hated for your stance on this. But with limited bandwidth and the inherent legal problems, I really can't blame you. I'd suggest that whatever means you find to stop people, you lay out the reasons why it absolutely cannot be tolerated at school, and mention that you don't view p2p file trading itself as bad, just the use of school resources for it.
A "no gnutella" policy alone without explained reasoning will just make you look like a typical asshole-school-administrator type, and that will only make your job more miserable.
__
Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
Hi.
I sympathise. These people aren't *evil* and they aren't *misguided*, they have just been (ignored) and allowed to get away with too much usage for too long.
They are intelligent, else they wouldn't be teachers. So be reasonable.
Post something [physical] somewhere [physically] obvious and non-threatening.
'Hi I'm your new sysadmin. Nice to meet y'all. I have a problem: We have xKb/ month for education, and yKb/ month is being taken up with (all the things you are concerned about)
Here are my rules....(name them)
If anyone has a problem with these, I'd be really interested in your thoughts.
You can come find me in room z, or mail me at roomz.wherever
Regards
BOFH (or whatever your real name is)
__
I promise, this will shift 70, 80% of the problem, then you can start to worry about the ones that ignore this.
george
http://milkshake.dexy.org
Without the backing of the higher ups, you are doomed to failure. Been there, done that, move along now as you will only end up beating your head against a wall. Another version: this fight is not worth it, as the people you are trying to serve do not care.
If you've been given responsibility of managing the networks and systems then you have been given the rights to stop whatever you see fit.
Computer networks are not democracies. Start closing accounts, add firewalls, put in traffic management, routing ACLs, file space quotas, virus scanning.
The administrator's job is to make sure that the systems and networks function smoothly. If you're not up to that and the personality clashes that inevitably includes, then you shouldn't be an administrator.
You don't need to be backed up by spineless management. *You* have the administrative control. Use it.
I am from the RIAAA [as far as you know] and am hereby officially notifying you, as an administrator or electronic services at your institution, to cease and desist illegal activity or face civil and criminal prosecution.
;)
When they complain, just tell them you were given a cease and desist notice
... but shutting them down is necessary to maintain harmony (and legality)
That right there is all the argument you need. These services are being used for illegal purposes.
Every school I've ever heard of is so scared of lawsuits they can barely teach their students. Tell anyone who complains to tell the principal who will almost certainly side on the 'legally safe' side.
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
I am taking over after a bunch of goofballs have really messed things up ... I have near infinite problems, but the hairiest are with ... P2P file sharing programs ... I have virtually no policy to back me up ... and ... I don't have the authority to pen new policies myself
Hmm, are you sure those "goofballs" really "messed things up"?
Sounds like a problem with administration. Maybe the "goofballs" you're referring to were simply working with what they had.
The technical term for your problem is between a rock and a hard place. You need to fix the problem with the administration.
If you don't fix the problem with administration, when you leave, the person who replaces you will probably have the same opinion of you that you have of the "goofballs" you're taking over from. (And maybe think about that before you publicly insult someone next time.)
Just tell them about the legal liability issues involved with downloading virii and warez. If anything, schools are afraid of lawsuits. They'll do pretty much anything if there's a threat of being sued. Or you could just take your problems to the local news and offer them some cheap "investigative reporting".
Do it the other way around: instead of shutting off access, have a meeting, talk to them, find out what they are using it for. If it's anything legal, great; let them know it's eating up a lot of bandwidth and that you may have to throttle it (linux CBQ stuff is great for that).. :)
If they can't come up with a legal use, your problem is solved.
How to introduce new policies to supervisors? Reread what you said in the story you posted. You outlined the core issues regarding the inappropriate use of bandwidth and its effect on the network and potential liabilities for the school. Done.
Keep it simple. Don't be afraid of "offending" or "alienating" people. They are bandwidth abusers.
But here's a question. Do the bandwidth abusers include people who are "over-your-head?" If so, just go straight to the principal. Be candid.
Just one thing. Don't let yourself fall into the role of "bandwidth police". It sucks and everyone will hate you.
Let us know how things turn out.
-Captain Abstraction
Let's see... you have no policy, you can't get one, you can't just cut people off....
You could make the P2P stuff run so slow as to be useless... or you could send your own trojans that will erase the drives of the problem users...or you could send them porn, and get them fired...(oh, and don't get caught doing any of the above.)
Or, perhaps you're just screwed because you're trying to enforce rules where you have no authority to do so. I'm not necessarily saying you shouldn't have the authority... just that you clearly don't, and any attempt to enforce your idea of policy is bound to cause you trouble. Your time is probably best spent figuring out how to get a policy.
You say that you can't enact policy and that the teachers are not covered by any current policy. I assume then that means that students are. You could therefore enact measures that also affect the teachers and claim that those measures must be taken to ensure that students can not circumvent the policy. Therefore if you shutdown ALL outgoing ports and force users through a proxy, you can claim that it is the only effective way of preventing misuse by the students.
So far, there have been comments on a few things:
Blocking ports:
Good idea in any situation. This allows for the non-adept users to be halted. The adept ones will realize that you can check a box in most programs, or change the port, and it will go through.
Throttling traffic to a crawl:
A good initial idea, but this will lead to teachers complaining about the network being slow in general, and when you ask what they are doing when it is slow, they will "Not know". Think on this if you are going to do it. See the "blocking ports" section.
Informing teachers:
Remember when someone younger than you told you that you couldn't do something? Did you listen? Most likely not, and this may or may not be any different. It is probably a good idea to do it anyways, seeing how some will get onto others for doing it. Tell them that they are taking away from other needed resources, such as books for their department. Back this up though, show them documents. Teachers are normally good with realizing what is good to do and not good to do, if you show them as to why. Least mine were.
One other aspect you could try: disallowing certain apps from even entering the network. Set up your DNS to go to 127.0.0.1 for musiccity.com or kazaa.com. This is a pretty cheesy work-around, but most teachers will not know a way around it.
One last thought, perhaps. Allow them to use it for a set amount of bandwidth. Once the bandwidth is eaten for the month, tell them all they have to wait till next month. This way they get what they want, and you get what you want.
Cheers
If you block the P2P software and make it the official policy that it should not be used, document that thoroughly. Make sure that it's expressly for the purpose of keeping unlicensed software out of your system. Then, insist that everyone show their licenses for their software. Put up big posters explaining that you are doing this because it's important to comply with the law. Become the biggest pain in the butt to everyone who opposes you.
Then, just before you think they've all had enough of you and can fire you, call the BSA on yourself. When that phone call from the BSA comes, you can point at all your policies and say that all along you were just trying to avoid that exact situation. Suddenly all the babies who were crying because you took away their Kazaa will be viewed as the real problem in the organization. You will have achieved Total Management Support (TM).
If tits were wings it'd be flying around.
What I have done in the past is to write out the policy in a form that would only require a signature. Then present it to the powers that be. If they need explanations, then explain why this policy is necessary.
The trick overall is to do as much legwork as possible so the boss has very little to do but read and sign. If you approach the boss saying "I need you to write a policy to ban people downloading porn." then you add to your boss's workload. If you say "Here is a policy that prohibits downloading porn on the network, please approve it", then the boss's time commitment is significantly reduced and the likelihood of it being implemented is high.
Of course, stay on it, daily if needed. It may not hurt to create a graph or two showing bandwidth utilization vs. time of day, broken down by workstation. It would probably be even better if you used something to capture the stream so you could show your boss exactly what these people are doing.
If all that doesn't work, don't be afraid to document (via email or other dated message delivery service like sending it to yourself in a USPS letter) everything that you asked to have happen, when you asked, the results, etc, etc... create the paper trail. Then be prepared to go above the boss (PTA, School Board, Press).
Ron Gage - Westland, MI
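The per-workstation, time-of-day breakdown suggested above, as an added example (not code from any poster in this thread). It assumes the gateway or firewall can export one CSV line per flow with timestamp, client IP, remote port and byte count; the sample export and the quota are constructed.

```python
"""Per-workstation bandwidth report from gateway flow records.

Added example for this thread, not code from any poster. It assumes the
gateway exports one line per flow as CSV: ISO timestamp, client IP,
remote port, bytes transferred (format assumed; adapt to your exporter).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Ports treated as ordinary school web use; everything else is "other".
WEB_PORTS = {80, 443}

# Constructed sample export for one morning (not real traffic).
SAMPLE_FLOWS = """\
2003-03-10T08:05:12,10.1.4.21,80,120000
2003-03-10T08:12:40,10.1.4.21,443,30000
2003-03-10T08:20:03,10.1.4.37,6346,9500000
2003-03-10T09:02:51,10.1.4.37,6346,12000000
2003-03-10T09:15:00,10.1.4.21,80,200000
2003-03-10T10:41:33,10.1.4.52,80,50000
2003-03-10T10:44:10,10.1.4.52,4662,7000000
"""


def parse_flows(text):
    """Turn CSV export lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        try:
            flows.append({
                "time": datetime.fromisoformat(row[0]),
                "host": row[1].strip(),
                "port": int(row[2]),
                "bytes": int(row[3]),
            })
        except ValueError:
            continue
    return flows


def usage_by_host(flows):
    """Bytes per workstation, split into web and non-web traffic."""
    totals = defaultdict(lambda: {"web": 0, "other": 0})
    for f in flows:
        kind = "web" if f["port"] in WEB_PORTS else "other"
        totals[f["host"]][kind] += f["bytes"]
    return dict(totals)


def usage_by_host_hour(flows):
    """Bytes per (workstation, hour of day): the series a utilization
    vs. time-of-day graph would be drawn from."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f["host"], f["time"].hour)] += f["bytes"]
    return dict(buckets)


def over_quota(totals, quota_bytes):
    """Workstations whose non-web traffic exceeds the quota, heaviest first."""
    offenders = [(host, t["other"]) for host, t in totals.items()
                 if t["other"] > quota_bytes]
    return sorted(offenders, key=lambda item: item[1], reverse=True)


def format_report(totals, quota_bytes):
    """Plain-text summary suitable for attaching to a memo."""
    lines = [f"{'workstation':<14}{'web MB':>10}{'other MB':>10}  status"]
    for host in sorted(totals):
        t = totals[host]
        status = "OVER QUOTA" if t["other"] > quota_bytes else "ok"
        lines.append(f"{host:<14}{t['web'] / 1e6:>10.2f}"
                     f"{t['other'] / 1e6:>10.2f}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = usage_by_host(flows)
    print(format_report(totals, quota_bytes=1_000_000))
    for (host, hour), b in sorted(usage_by_host_hour(flows).items()):
        print(f"{host} {hour:02d}:00  {b / 1e6:.2f} MB")
```

The same totals, accumulated over a month, also give the "set amount of bandwidth" quota suggested earlier in the thread.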
While I sympathize with you, my many years of experience have taught me that one man crusades are fatal to the psyche and morale. Do your best of course. Report the problem so that it is on the record in writing somewhere. This will cover your ass at some future date. Then make sure you buck the ball into someone else's court. It really doesn't pay to fight the system. And it wouldn't hurt to start looking around for a better situation with another employer either.
Been there, done that, nearly got sued.
Block the ports. Clearly (and simply) explain the problem. Tell them that your supervisor must make that kind of (legal) call.
Talk to your supervisor/Dean/Principal. Make *them* sign off on any open ports/applications.
You're in a school; this would be one of the BEST environments to educate people about all of these issues. You'll say that some people won't give a rat, but that's like in society in general: if people don't give a rat and anarchy reigns, stronger measures need to be taken.
I might have gotten something wrong, but if you're managing the network, usually it falls within your responsibilities to make sure to implement EVERYTHING (including some policy, or at least submitting them) for the proper operation of the network, which includes both load balancing, security and legality (to a certain extent; at least proving that you thought about it and implemented it to a certain level won't hurt).
Now if we tell you to cut down trees for a paper company and we hand you a kitchen knife, you'll say "you're crazy"; well, same goes with being an admin: if you're ADMIN and you can't do zit, it's a big issue. If it was a mess before you arrived, probably the organization was a mess in the first place. I'd document everything, put up a structure of the network and who's responsible for what, limit the number of people that have "power" over the administration because as we all know, the more admins on a box, the more potential problems. So you have to do your part, be professional, use people's experience and be open to suggestion, but at the same time, document every problem, and don't always go to your supervisor saying all of the problems, he's probably already familiar with them; for every problem, bring in a solution or two with arguments and documented facts (and normally supervisors like having a choice and feel like they did the work so... use that to your advantage).
As for the P2P application, I've fixed the problem at work. I've put QoS and 1-2K/s on the total bandwidth; it's transparent ("it's still working so I didn't do anything") and when those dead weights would come and see me: "well, probably it's not optimized for our network structure and I have enough work to do; if this is a priority, go see your manager or big boss". It's politically correct since you didn't block the port and the user has no idea what's really going on (unless reading slashdot :) ), and it put the user in a situation where he would have to go look for his manager to ask to waste time leeching (which he obviously won't do :) ) and I get no heat. Dunno up to what it could extend since where I work most people are reasonable and mature, and school isn't the same environment, but then again, it's a suggestion and I'm sure a lot of people here will have many more.
Good luck.
--- Metamoderating abusive downgraders since my 300th post.
Block the ports these programs use! This has been an issue at my school (at which I am a student that loves using the 10 MBps fiber connection for filesharing :D). The network administration didn't even bother to tell us they were doing it. They just blocked the ports. No one complained because everyone understood that it was illegal to use these programs at school. If anybody bothers you, explain the legality problems with downloading warez/mp3s/movies, especially when the school administration can be held liable.
It would be so simple: talk to a computer illiterate supervisor, tell them you have a big problem with something, act surprised when they tell you you should talk with supervisor x, and have said computer illiterate supervisor introduce your problem to supervisor x, and you take it from there.
depending on the setup just restrict access from the network to the net. block the ports. make it so you can't install programs unless you are in admin mode. basically go Nazi on them. they will learn.
That's what Quality of Service is for. Slowly throttle back the bandwidth allocated to "non-critical" IT tasks. This doesn't need a major change in the admin mindset, it's just good management.
Use a FreeBSD gateway machine with DUMMYNET. FreeBSD can be configured so that it: a) doesn't have to replace the existing firewall; and b) is invisible so it doesn't show up on traceroutes. This is so that clueful users are not tipped off in a way that lets them complain like pornhounds on a free NNTP service. DUMMYNET will let you set up bandwidth policies based on (groups of) IPs, ports, and more. Client subnets can have full bandwidth on port 80, but the gateway can shut them down to 28.8 on the P2P ports. The possibilities are really open in a situation like this, and any junk computer can be used.
When I was a kid, we only had one Darth.
You go to the beancounters and draw up how much the "extracurricular" activities are costing the district. You then bring that to the powers that be, and you will have instant carte blanche to block it all down.
There is one flaw in this plan... It does not take into account any and all companies servicing bandwidth or other computer services to the district, that happen to be the brother/sister/uncle/old frat brothers/wife or otherwise owned by someone with a relationship to a person or persons on the school board. In this case, you are fucked.
Except..there is the third option. This involves shutting down the activities regardless of permission, and then using IT buzzwords to scare the higher ups into submission.
game on.
security through obscurity = modding down anti-linux posts so maybe noone will see them
Why don't you guys try to use a firewall to block all traffic except HTTP/SMTP/POP?
I know that won't solve all the problems, but at least it's the first step.
kawai
Inform the head that illegal activities could take place using such software, viruses may require extra budget to clean up, and bandwidth doesn't go to proper educational use. He or she will probably ask you to implement any measures you deem fit to block the software and also let the users of the network know that what they're doing is not on.
So what if you alienate the users on the network? You're a computer person, which usually means you're alienated already.
Contact the Technology Coordinator at Bay City Public Schools (Bay City, MI) (http://www.bcschools.net). He would be able to share with you a handbook that we put together that may help your situation.
Write a nicely worded, simple letter or memo on district letter head that states the following:
1) You have seen and witnessed 'warez' downloading
2) You know that various people are habitually breaking the copyright laws.
3) That you feel that a policy needs to be written that addresses these concerns.
4) Tell them you know what this thing needs to say, but don't know how to write the 'legal mumbo-jumbo' that would make it an official policy and procedure.
5) Cite a few specific examples of the problems; tell them that these are but only a few examples.
Whatever you do, do not shotgun this to everybody out there - you will burn more bridges than you want to.
The last thing a district wants is big legal problems.
Send the memo to your boss.
Create a paper trail.
Confirm your conversations about this back to your boss, "So that I understand what we discussed today... you said: blah blah blah"
If you don't get a good answer in 5 days, take this to the next level in the district.
You probably have this chain of command:
a) Your boss - the "computer person"
b) the superintendent of the system
c) The school board.
Within 4 weeks, you should be at the school board level.
At that point - it's out of your hands.
At my school, we have computer lab aides. They are given more rights than other students and help remove these applications. There's not that many, but it does help. Also, suppose one of the students who has been using this just happens to lose everything in their account. Whoopsy, that's what these things can do. Nothing you can do about it now ;)
As a coder and not an admin, I can't agree completely that P2P programs have absolutely no educational value.
In addition, isn't bandwidth wasted if it's not completely used? A good idea would be to find an acceptable bandwidth limit per workstation (total), and throttle each machine to that limit. That way, it doesn't matter what they're doing, they won't be hurting anyone else.
Although the complaints about viruses seem legitimate, I've never gotten one from an mp3.
The possibility of legal exposure isn't your concern. You're a network admin, not a lawyer.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
The next step is to get some policy together regarding appropriate usage; throwing some carrots in there about privacy, etc. (as long as resources aren't abused, court orders, etc.) should help ease the pain, along with a few days for people to burn their warez onto CD and clean up their own mess.
Then you need to go through with the heavy duty broom and for heavens sake, get your license documentation in order before you get audited.
First thing to do is ask them if they were happy with the level of support they had before. Since you are claiming that some goofballs messed things up, it's best to start with the goofballs and try to define what they did and didn't do right. I wouldn't expect most K-12 institutions to have a good network security policy in place.
In order to get one defined, you need to start talking to administrators. Find out which services they desire to provide and which they don't. Point out that most security and network use policies these days start by defining what you are allowed to do and blocking the rest of the traffic. Put out a request to the staff that they give you a list of applications that they use for purposes of education and then get a group together to review that list. If something strikes you as questionable, ask the person to justify it.
You'll also, more than likely, want to get a list put together of officially supported software and a procedure for getting a piece of software onto the officially supported list. This keeps people from coming to you and saying "I can't download files with Morpheus" because you can just say "Is it on this list? No? Then not my problem." Part of the process of getting something on that list might be a written justification of why it should be there, and for commercial software proof of license.
You don't want to be the only one making decisions. You should get a committee together. You'll want an administrator and a staff member on the committee. Decisions about what will and will not be supported will be made by the committee. You need these people because they understand the classroom, that's not your job.
If it comes to it, you might want to take a look at your job description. Figure out what parts of your job you can do, and which parts will need a more defined policy to enable you to do your job properly. This is important -- if your job description says "support educational activities requiring network access and use of the internet," whacking traffic that doesn't fall into those categories is clearly a part of your job as it increases bandwidth availability for educational purposes. When somebody complains, you need something you can point to for the purpose of defending your actions.
Start at the top, schedule some meetings with administrators and express your concerns to them. Most school administrators are reasonable people and when you explain that these things are necessary for a smooth running system they'll understand. Also, most school administrators are scared sh*tless of the words "potential lawsuit", don't be afraid to use it.
I dealt with this for many years in the public schools. The simple answer to dealing with the supervisors is... don't. They don't understand the technology, they don't have time for it, and they often use their egos to make the decisions anyways. Use good reason and implement the necessary things as you and your staff see fit, then apologize later. Chances are you won't need to apologize, they will be too busy thanking you. Use your state technology plan as a guideline and refer to the one for your particular district if they have one.
I know it's cruel, but reality is sometimes that way. I tried doing it the 'right way' for three years, but things remained in disarray and nothing ever got done. In fact, that's probably why things are as bad as they are where you are now - people went about things the 'right way'.
If you haven't worked for a public K-12 school district you have no room to argue what I'm saying - you haven't been there. I've seen trivial topics go into meetings and get held up for six months to a year in the system, and that is when the money is already appropriated.
School districts need to learn to let competent people do their jobs. They hire them, underpay them, then micromanage them until they get burned out or quit.
Feel free to e-mail me if you want to talk specifics. My address is spamme at socal.rr.com
Good luck
--SONET
Any fool can criticize, condemn and complain and most fools do. --Benjamin Franklin
Since you don't have the capability to dictate policy, try to sell your superiors on the idea of a proxy server, such as Squid.
Give them the line about acceleration of downloads by caching. They will like that you are trying to make better use of the bandwidth that you have. Also sell them in the direction of a small (CPU, memory) box with a big HD for the cache.
Later during implementation, tell them that your firewall needs to be locked down to only allow connection from the proxy and other essential boxes (try for only servers that need the outside access, go from there). After you have everyone going through the proxy you can lock down from there to prevent P2P programs from going to the internet. It doesn't get you all the way out of the tunnel, but you can see the light at the end.
Keep the network going and mind your own fucking business, you dumb fucker.
I'd suggest thinking about playing the political game - sometimes it actually is effective. Are there existing policies, that, if applied correctly, can be used to shut down p2p sharing programs? For example, are there policies regarding personal use of computers? You could use that to stop or slow down serious offenders. Are there policies about scanning of files brought in from outside, for viruses? You can use that to install a virus scanner on every system, or disable programs which violate that policy. If you have the authority to enforce existing policies, you may be able to find a way to use those policies to accomplish your goals. And, if you get called on it, you can always use those policies to back up your position. As long as you can rightfully claim you were enforcing existing rules, you should be safe.
My HS uses a proxy server that filters unwanted material. Even though it sometimes filters out some wanted stuff, and as we discovered from a recent incident, it doesn't filter out some unwanted stuff. But for the most part, it does the job.
Linux 2.4.x networking supports traffic control / quality of service.
Read up on the advanced networking: http://www.fibrespeed.net/~mbabcock/linux/qos_tc/
I use this on my home network to keep bandwidth usage allocated correctly on my cable modem connection. It works great. I have 20ms latency while gnutella, kazaa, and FTP uploads are all running concurrently.
This saves you the task of blocking them out completely, while ensuring that high-priority student/teacher use of the net remains fast.
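As an added example (not code from the post above, nor from the page it links to), here is that idea as Linux tc rules using HTB: web traffic coming back from the proxy gets a guaranteed majority of the link and may borrow all of it, everything else gets the remainder and may grow while the web is idle, and anything on a default P2P port is pinned to a trickle instead of being blocked. Everything below is an assumption rather than something the post states: a 1.5 Mbit (T1) link, the proxy running on the gateway itself on TCP 3128, workstations behind eth0, and the P2P defaults 6346 (Gnutella), 1214 (FastTrack/KaZaA) and 6699 (Napster transfers).

```sh
#!/bin/sh
# Added example, not from the thread: HTB shaping on the LAN-facing interface,
# which is where downloads are delivered to the workstations.
# Assumed (none of it from the post): 1.5 Mbit link, proxy on this gateway at
# TCP 3128, LAN on eth0, iproute2 with HTB (stock in 2.4.20+, patched earlier).
TC=${TC:-tc}
LAN_IF=${LAN_IF:-eth0}
LINK_KBIT=${LINK_KBIT:-1500}
PROXY_PORT=${PROXY_PORT:-3128}
P2P_PORTS=${P2P_PORTS:-"6346 1214 6699"}   # assumed defaults: Gnutella, FastTrack/KaZaA, Napster

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

shape_downstream() {
    web=$((LINK_KBIT * 70 / 100))     # guaranteed share for proxied web traffic
    other=$((LINK_KBIT - web))        # guaranteed share for everything else

    run $TC qdisc del dev "$LAN_IF" root 2>/dev/null || true
    # Root HTB; anything the filters do not classify lands in 1:20.
    run $TC qdisc add dev "$LAN_IF" root handle 1: htb default 20
    run $TC class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # 1:10 web via the proxy: 70% guaranteed, may borrow the whole link, served first.
    run $TC class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "${web}kbit" ceil "${LINK_KBIT}kbit" prio 0
    # 1:20 everything else: 30% guaranteed, grows when the web is idle, yields when it is not.
    run $TC class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "${other}kbit" ceil "${LINK_KBIT}kbit" prio 1
    # 1:30 known P2P ports: hard cap of 8 kbit, never allowed to borrow.
    run $TC class add dev "$LAN_IF" parent 1:1 classid 1:30 htb rate 8kbit ceil 8kbit prio 2
    # Fair queueing inside each class so one download cannot starve the others in it.
    for c in 10 20 30; do
        run $TC qdisc add dev "$LAN_IF" parent 1:$c handle $c: sfq perturb 10
    done
    # Classify: replies from the proxy (source port 3128) are web traffic.
    run $TC filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip sport "$PROXY_PORT" 0xffff flowid 1:10
    # Either endpoint on a default P2P port goes to the starved class. u32 reads the
    # port at a fixed offset, so this assumes no IP options and unfragmented packets.
    for p in $P2P_PORTS; do
        run $TC filter add dev "$LAN_IF" parent 1: protocol ip prio 2 u32 match ip sport "$p" 0xffff flowid 1:30
        run $TC filter add dev "$LAN_IF" parent 1: protocol ip prio 2 u32 match ip dport "$p" 0xffff flowid 1:30
    done
}

case "${1:-}" in
    apply)   shape_downstream ;;
    preview) DRY_RUN=1; shape_downstream ;;
esac
```

`sh shape.sh preview` prints the tc commands without touching anything; `apply` runs them as root. Only the download direction is shaped here; uploads from the workstations would need the mirror image on the upstream interface, and the port matches only mean something for unfragmented packets.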
well it was supposed to be funny anyway :P
BOFH!!!
If ever a circumstance called for some BOFH TLC, it would be this...
"Hi... my KaZaA isn't working."
"Well, let me take care of that... what's your password?"
I agree with the limiting the bandwidth factor over outright blocking it. Your normal user will stop using something if it starts moving at unbearably slow speeds.
There are some really expensive commercial products on the market, but it doesn't sound like it's in your budget. Zebra (www.zebra.org) can run QoS, and I'm sure there are other open source alternatives. Hell, even M$ has had an implementation since 2k.
Have we become that disgusted with our law enforcement officials that no one recommends calling the cops when you sense illegalities?
oh thats right, the economy sucks and you might lose your job...
oh thats right, warez isn't illegal...
oh thats right, cops are too dumb to deal with computer crime...
hell if you aren't gonna call em, you might as well blackmail for some extra cash geez..
man, this is like pointing out all the crack dealers in your school and NOT showing them the door.
All the authority you have is locked up in your expertise. Having worked for a city government with a completely fucked IT policy (my HR director once told us that she doesn't want to hear that "the cause of the problems are the users"), I can honestly tell you your Legitimate Authority lies in what you know, and what they don't know.
First, get with other IT directors from corporations or other city governments/school districts (preferably) and get copies of their IT policies. Highlight the sections they have that you want to implement, and then pass them around - not just to your uppers, but to everyone who asks (or doesn't ask). Even users. Be prepared to discuss in layspeak why these policies are necessary. Keep in mind who you're talking to in terms of how you phrase your reasoning. For instance, when talking to a user, explain "some of these people don't respect the other users' need for equal resources". When you talk to administration, frame it in the context of liability and security, and find stories of big money being lost by school districts because little johnny found porn while looking at whitehouse.com.
Finally, what they don't know won't hurt them. For instance, if you can get your hands on bandwidth throttling software, implement it quietly and don't tell anyone. I made a habit out of installing spyware when I was in charge of desktop systems, and any napster/winamp/happy99.exe type stuff that showed up got remotely uninstalled after dark. Whenever anyone called me about X not working, I told them that that software was not authorized or supported by me.
And don't be afraid to be frank. More than once I threatened to quit my job over big issues, and I would have.
Well, if you live in the U.S., this is something due by either August or July 1st (CIPA). If you receive TARP or E-Rate $$, you need to have web filtering to prevent bad access to pr0n.
Two http proxy solutions (i.e., squid) are free that you could plug into your firewall -- iirc, they are squidguard and dansguardian, and have free blacklists.
I've also heard rumors (rumors, mind you) that Secure Computing is releasing their web proxy app, SmartFilter, to the K12s free of charge. No ideas or clues as to how you work that. That's also a squid plugin, although you can install it on a bunch of Windows / etc. products.
If you can scare them with loss of e-rate money, that's probably the best way to go about it.
Be wary of N2H2, I've heard that they purloin your students' browsing data through the logs and sell them for profit. Evil, bad.
mike
Hi! ( hang my head ) I'm an anonymous coward, and I'm a politician.
I'm on a county board of education in Calif. Send a note to your supervisor detailing the legal liability your district is in. Perhaps include the latest Microsoft tactics in auditing school districts with a heavy fist.
Tell him this is something which needs to be fixed with a written policy ASAP, or you'll need to go to the board. Tell him you'll be willing to draft this policy. If he and the board have any sense they will thank you. Likely they are all unaware of the legal problems which they could face. Legal problems gets noticed.
RK
In my experience in this type of academic environment, you really have as much authority to create policies as you give yourself. The question to ask is: can you be fired for preventing people from using Kazaa, or whatever, by blocking its port or minimizing that port's use of bandwidth?
The answer is probably no. If people do complain, you have the reasons to back up your actions. A good supervisor will realize this. Often when you can't make policies on paper, you make them in your system settings instead. (Example: when I came to the research/university environment where I now work, people could have whatever user account name they wanted. A person named John Smith could be jsmith, or johnny, or smithj, or whatever. It made administration difficult and no one could remember anyone else's e-mail address. So I created a policy about user names, and when people ask for a specific name I say that, no, I can't do it. Sorry. They think it's a firm, unalterable rule, don't realize that I made it up off the top of my head while surfing Slashdot, and no one has yet complained to my boss.)
You can do what you have to to prevent legal liability, or to protect your system. That one is pretty easy to defend if defending is needed. You do not need a policy to say "it is illegal" or "it will destroy our system". Your job is to make sure that the resource is used appropriately, and if it is being abused by some, and the entire institution is affected, you should let the top administrators know of the situation. I have been a network admin for schools for several years now, and the Administration as a whole has tended to respond well to such advice/warnings. If it causes a policy that comes from the district level, you will not be alienating anyone by enforcing the policy because you were told to do so. Some may choose to hold it against you anyway, but that type of person is not usually the kind that you want to hang out with anyway.
you N33D 2 install L1NUX on a11 the w0rksteatons s0s becuz L1NUX IS THE AnSW3R TO A11 PROB1mes
I'm a teacher/sysadmin at a Canadian High School, and my opinion is: kill P2P anyway. School computers are about education and turning young folks on to technology.
It is great that the teachers are having a great net experience, but the whole idea is to build the next generation, who probably are experiencing painfully slow and frustrating net connections. Explain to the teachers and bosses that teacher abuse of bandwidth is stealing an exhaustible resource from the kids.
Not only is there a moral aspect to this, but a legal one as well. Consider the not-impossible notion of a license audit. You are the first person they are going to ask, and the person who will be considered most culpable if anything is awry. Want a good reason? Print out some of the BSA v. School Board disputes and give them to your superior. You'll be able to dictate the board-wide memo after that!
I don't think I have to say much more about this. Do a security sweep for trojans, viruses and backdoors. Give the results to teachers and bosses, noting that many of these uglies can easily be passed to their home computers, and those of the students. For drama points, remotely change a senior persons' wallpaper. (Well, maybe not.)
It does smack of censorship (especially since it concerns schools), but if you are like most school sysadmins, you have *way* too much stuff to do to worry about people doing things that make your life harder in terms of legal obligation and workload. Teachers are a pretty moral group, and they will snap into place if asked, or more drastically, if firewall rules break their toys. Just tell them that it's the way it has got to be, and throw technology behind that to enforce it: the kids get smarter, your job gets easier, and the whole board is in a much better legal situation.
I was an admin in a situation where the users had way more clout than the admins, and the problem was very similar.
My boss was old and smart. He gave them a 'new' network. It had excellent speed, access, and all the features needed to do 'real' work, and the necessary restrictions for technical reasons. He left the old network intact, with no intention of maintaining it. The users had a 'choice'.
Eventually they all moved over and the issue died.
it's a nice solution if you've got enough wires!
If my Tron program was working, that would shut the MCP down...
Find information detailing schools that have been held liable for crimes committed using school PC's. Show this to your supervisor and if he won't listen, go above him. And if you get lucky, you'll get his job :)
:)
Once the administrative staff can be made aware of the huge potential costs, perhaps you will get your way. If that doesn't work, I would walk, or call the BSA or something evil like that... I am a total bastard, however
Robots are everywhere, and they eat old people's medicine for fuel.
In a K12 institution, a "whitelist" approach to Internet access is perfectly appropriate. The opposite of a blacklist, what you do with this approach is say, "We don't have Internet access. We have access to these specific Internet features."
Then implement a simple and cheap packet-filtering firewall to enforce it.
That'll be the end of your P2P problem. Then, all you'll need is to create a policy for how additional Internet features are added.
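An added example, not from this thread or any of its posters, of what the "Squid plus a firewall that only lets the proxy out" suggestion earlier and this whitelist approach come down to as iptables rules. The layout is assumed, not taken from the posts: LAN on eth0 (10.0.0.0/16), upstream on eth1, Squid running on the gateway itself on TCP 3128, and one mail server at 10.0.0.25 as the only host allowed to talk directly to the outside. Interface names, addresses and ports are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: an egress whitelist with iptables.
# "We don't have Internet access, we have these features" as a ruleset.
# Assumed layout (none of it from the posts): LAN on eth0 (10.0.0.0/16),
# upstream on eth1, Squid on this gateway at TCP 3128, mail server 10.0.0.25.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/16}
MAIL_HOST=${MAIL_HOST:-10.0.0.25}
PROXY_PORT=${PROXY_PORT:-3128}

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

egress_whitelist() {
    # Nothing crosses the gateway unless a rule below says so.
    run $IPT -P FORWARD DROP
    run $IPT -F FORWARD
    # Replies to permitted connections come back; this must precede the LOG/DROP pair.
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The mail server may send/fetch mail and resolve names. That is the whole list.
    run $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_HOST" -p tcp -m multiport --dports 25,110 -j ACCEPT
    run $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_HOST" -p udp --dport 53 -j ACCEPT
    # Every other attempt to leave the LAN directly (P2P, direct port 80, anything)
    # is logged with a searchable prefix, then dropped. LOG does not terminate,
    # so the DROP rule has to follow it.
    run $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j LOG --log-prefix "EGRESS-DENY "
    run $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j DROP
    # Web goes through Squid on this box: workstations reach the proxy port and
    # the proxy reaches the web. The gateway's own INPUT/OUTPUT default policies
    # and its DNS are left to the host's base ruleset.
    run $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    run $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

case "${1:-}" in
    apply)   egress_whitelist ;;
    preview) DRY_RUN=1; egress_whitelist ;;
esac
```

`sh egress.sh preview` shows the rules without root; `apply` loads them. Workstations keep working as long as their browsers point at the proxy, and the LOG rule is what later tells you which machine kept trying to get out on which port.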
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
There are lots of things you can do to solve these problems, then when they come to you say "technical limitation"; however, that is the wrong way to handle this.
Lay it out for them.
We have X bandwidth, your unauthorized programs use Y bandwidth, and we can't afford that.
People downloading certain programs have set us up for legal liability.
People downloading unauthorized programs have cost the school X amount in IS labor.
Then tell them you're putting in a firewall and blocking ports.
Write a letter up the chain. Send it to your boss, and his boss. If they don't like it, have them send you an email or written request telling you not to do it. Then don't do it.
This way you've a) found the problem, b) proposed a reasonable solution that doesn't block the staff from using the system as a learning and business tool,
c) covered your ass.
If they give you too much grief, send a write-up to the board and to parents, clearly explaining that their tax dollars that go to the school's tight budget are being wasted with legally dubious activities by the teachers.
If you're feeling nasty, just monitor email until something incriminating comes along, and use it.
Did I type that last part?
The Kruger Dunning explains most post on
That is, explain that the current firewall setup puts the schools at all kinds of risk: virii, copyright violations, etc, etc.
Then, propose that the proper firewall setup will allow only certain types of "safer" access. (Make sure to throw in a comment about how this should have been done by your predecessor(s) when the network was set up.)
Once you've got approval, your email should include a blurb saying that additional requests will be handled on a case by case basis. (And, don't be queasy about asking faculty members what they're asking for, and how it relates to their educational objectives...)
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
I work for a large library system spread over hundreds of miles. Our users are not tech savvy. They don't understand why certain types of behavior are risky.
What we do to bring it home is post descriptions of incidents on our daily news page that everyone reads. If Martha from the Podunk public library gets a virus through an attachment that wipes out her computer and she's stuck writing barcodes on paper while we fix it, we describe the situation in the daily news. We post the activity, the consequences and how to prevent it in the future.
We do not make the names of the people involved public. Embarrassment is usually not necessary.
We find that this technique is very effective and does not limit our staff's freedom to do what they need to do.
I'm also a schools administrator, and the exact same problem has actually been neatly resolved for me by my ISP... because we have Internet access supplied by our local County Council, we only have access to a (filtered) web proxy and the smtp/pop3/imap/rtsp ports, which is very nice.
;)
So when users come and say 'why can't I use xyz' I can just say 'The county council block it!' A tad annoying when I want to use rsync or get to a website that is blocked by the proxy like certain security / cracking sites, but that's why I run a squid proxy on my home computer on the imap port
Admittedly, it doesn't solve this person's solution, but making it impossible in a way that is genuinely out of your control is very nice sometimes.
However, on a practical note... as a schools IT administrator IMHO there are some decisions that have to be made that will inevitably bring flak. I'd probably block the ports and put on your bullet proof vest if I were you.
' Ore stabit fortis a fine placet ore stat '
- found on a park bench
This is a specific follow-up to the parent.
Before you do anything, get some logs of the worst offenders. Zip it, stuff it, tar to tape, whatever. Stick that in your back pocket because that is your golden parachute.
Then block the ports. If an audit does come down and someone who has half a clue (in terms of systems and networks) is turned loose on you, simply provide an extra copy of your blackmail^D^D^D^D^D^D^D^D^D insurance policy.
You can even run some awk scripts to show bandwidth usage per minute, etc. You can make a pretty pie chart/bar graph of how screwed the offending teachers are.
But that is only if push comes to shove. Protect yourself, block the ports, blame it on the "unapproved", virus-riddled software and silently smirk to yourself. You've earned it!
You have your forward plan (block the jerks) and your backup plan (expose them for the bandwidth hogs they are). You are officially a BOFH!!!!
In the future, I would want to not be isolated from my friends in the Space Station.
have all ports blocked except for some useful ones... it was kinda nice, except when some stupidshit who should be learning to code (I'm in a programming class @ the career center) interrupts you (who already has his shit done for the day) to ask "hey man, how i gets on napsta yo?". Then the dumbfucks discovered proxy servers, and I get 15 questions a day relating to finding proxies.... The moral of the story: block the p2p ports, only allow http outgoing traffic, and lock down the machines. BTW, don't use FoolProof, cus it aint. The people who know how to get around your network are the ones you don't need to worry about. (ya know, guys like us)
Ummm, err, say what, now?
and how it (Napster) could circumvent blocked ports on the firewall by finding any open ports that were allowed throughput ?
That worked thanks to all you 'network administrators' yelling 'block the ports!'.
Doesn't exactly solve the issue, only encourages the malicious user to find other ways of getting past the firewall/proxy.
A real solution would be to put a policy in place that states that any user of the K12 network who uses its (the network's) resources for personal use such as P2P programs will be fired, expelled, and prosecuted to the full extent of the law governed by localities.
All such malicious activity will cease immediately.
At our school we have deepfreeze, policies to prevent registry access, and so we can't modify the internet options. As a school with 2000 kids, and only a T1 to the internet, things can be bad at times. To prevent 'non educational' material getting through, all the computers have a proxy installed through internet explorer's settings. The box is running debian and bess proxy software. While this was effective for a while, most people have figured out how to disable it. I'm guessing you have an NT box or Linux box that's acting as a gateway, right? Well what you need to do is edit your hosts file and 'reroute' the sites that need not be visited. If you don't want them to go there, make the host resolve to localhost or 127.0.0.1. This is a quick and easy way to stop people from going to the P2P download sites, and even their master servers. Also easy to block all the IM programs and Mail sites. If you are unsure how to do this feel free to email me.
-=LaptopZZ=-
My friend and some associates started a wireless ISP sharing a T1. A few residential users started using P2P such as BearShare and Morpheus to share out 'their' files. That saturated our T1 line. We used FreeBSD and the altq program which allowed us to throttle traffic and bandwidth as we saw fit. The current setup is that http traffic gets about 70% of priority with all 'other' traffic sharing the remaining 30%. If the http traffic is not in use, then the 30% group can grow. But if http starts back up again, then the 30% group is throttled back to 30%.
A suggestion to the gentleman in the school district would be to evaluate the 'critical' traffic that your teachers and administrators need. I would think http would be the first priority. Start by giving 60% to 70% of bandwidth to http then the remaining 30% to 40% to everything else. This includes ftp, RealPlayer, streaming music, IRC chat, anything. Now, what this gains you is that you give limited bandwidth to other programs, but you don't shut anyone down. Your users will complain that ftp downloading is slow, but their web surfing is extremely fast.
On our network we have noticed that the amount of use on BearShare and Morpheus and P2P file sharing has dwindled. Only those that put up with the slower speeds are using them.
Good luck.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/>CS d(+) s:+ a- C++$ UB++++ P+>++ L- E--- W++>+++ N o+ K? w-->--- O- M>+ V-- PS(+@) PE+>() Y+>++ PGP+>++ t(+) 5- X(+) R+(++) tv+ b+ DI D+(++) G++ e+>+++ h---() r+++ y?
------END GEEK CODE BLOCK-----
What I am I once was. What I now become I long to be. Life is a journey not a destination.
My school runs a program called Deepfreeze on all of the computers (Windows 9x that is). It automagically restores the computer to the state it was in when booted, even if the user tries to reformat the hard drive. It works like a charm, they can download a game, install it, go to reboot, and find it not there :)
Have you thought about leaking word of the activity to some media outlet (asking for confidentiality, of course)? Seems to me a story of malfeasance by employees and waste of government resources would be irresistible. A call or two from some reporter asking about it would get a new policy put in place at light speed I'm betting.
"I don't have the authority to pen new policies myself, and my supervisor cannot to be counted on to do it either."
This statement is so absolutely typical of K-12 education, it's not even funny -- let me guess: your boss, or somebody not far above you in the command structure, is a clueless educator who the district considers "tech savvy" because they can use a web browser. The district refuses to hire technical people in true management positions, because only an educator "can truly understand the needs of education." As a result, you spend most of your time cleaning up their messes, teaching them how to right-click or helping them find files that they saved on their hard disk.
But you certainly don't get much of anything useful done because every idea you have has to be approved by a committee -- and that committee can't understand anything remotely technical, even when explained to them in terms a four-year-old should understand. And heaven forbid you should be given direct authority over technology issues; you only have a CS degree and decades of experience in computing. (Remember, there's absolutely no way you could understand the needs of educators.)
Man, I'd hate to be in that situation -- it would really suck.
(Somebody kill me. Now. Please.)
When life gives you lemons, make lemonade. But when life gives you crap, please don't make a beverage out of it.
If you don't have the authority to do your job, manage your limited resources or ever get the authority to do so, you will never be able to do your job. If you can't tell someone to stop, and they will never be punished for doing so, then they never will stop doing what they are doing.
I would simply brush up my resume and tell the school district that if you don't get the complete and absolute authority to manage the limited resources they have given you, you will quit. Make sure to back it up if they say no. If you pull a hollow threat, you can kiss any future ability to manage your limited resources goodbye.
Linux O Muerte!
As others have posted, the best way to do it is just cut off anything that doesn't serve an education-related purpose.
Back when Napster was hot, we had a sort-of-high-level person at our company call the helpdesk complaining that he couldn't swap files on it, and felt this was a problem that needed to be "fixed". I don't know what was said directly back to him (probably something like "it's not supposed to work"), but the call was just pushed aside by the IT staff. No complaints since.
Though this would take more effort, and has little to no practical basis, you could (in addition to blocking the ports) run a program/script locally which intercepts their searches, creates a few positive results, all of which are either blank image files or ultra-short MP3's (depending on the search criteria) with a short message of your choosing.
Just a Tuesday afternoon thought.
Any spoon would be too big.
This is mostly about how to bring this topic to the attention of your supervisors, since if your users are already saying there's no official policy against using p2p apps, they'll likely to just tell you to get bent on further discussion.
Over the past year or so, there have been plenty of universities that have made decisions on P2P apps, going in both directions. You can use some of these institutions as examples of why you need to police this kind of traffic. Bring up the same reasons that these universities did, and that you brought up in your question (mainly legal protection and consumption of resources).
Here are a few examples:
There are also articles on other sites that list some of the universities that have banned Napster. Here's one article: http://www.ecommercetimes.com/perl/story/4172.html . They mention the following universities: Kent State, Rice, Seton Hall and Villanova. I'm sure there are others.
You can argue that if these major universities with plenty of money can't handle this traffic, how is your small public school district supposed to handle it? Hopefully, the money argument will help you out.
One final thing you can do (and this is fighting dirty), is point out how much pr0n is out there on p2p apps. That should get someone's attention.
If all you have are silver bullets, everything looks like a werewolf.
Come on, be a man! If they are not using the network resources for educational or administrative purposes then they are STEALING said resources.
I run the firewall for a school district with about ten thousand students and about 1500 faculty/staff.
Yes, we have a few warez pups among the staff, but obviously most of the traffic comes from the students.
My solution is simple - send the packets across a logging firewall, and send *humans* to check on a machine that appears to be running something like Napster, Gnutella, or what have you. I don't block any ports outright, since that's silly - they'll just change ports and keep right at it, while making it harder for me to detect.
Eventually I'll just rate-limit the mix from the schools down to a few kbps, but for now this works.
There is a human solution to this technological problem. If you lack the human resources to enforce your rules in person, then just block everything and force them to proxy out for things like HTTP and FTP. When all else fails, become the BOFH.
There is one other approach that is great when you can get away with it. One of my elementary schools had some twit firing up massive filesharing stuff every Saturday morning. I'd block the host, but he'd just pick another one the next time around. Finally I just bitbucketed the entire /24 at the firewall. It works, since they know they're supposed to use the proxies anyway, and the "direct IP" stuff like streaming audio isn't guaranteed by us anyway.
I used to work for a school district with the same sort of problems that you are dealing with now and had to deal with solving them. What we ended up doing is hosting forum and open question meetings for anybody that wanted to come and explained the legal and dangerous implications of having an unrestricted network. Most people understood, but there were quite a few self-proclaimed computer gurus at the individual schools who challenged the new policies that we drafted up, so we made certain changes but still kept a pretty secure network. Most system administrators will say lock it up and throw away the key, then play ignorant; unfortunately this is a very harsh and usually not a wise move, considering the ramifications could come back to you and you would have to unlock the firewall or proxy again, and it wouldn't solve anything. I would consult with your county office to see if they have any policies in place; if not, then I would go to the state level. If you want an example of the User Agreement and procedures we put in place, go to http://www.sduhsd.k12.ca.us/district/technology/ ; that should give you at least an idea of how to get started.
Have them arrested and imprisoned under the DMCA and NET Act. The DMCA should be posted in every classroom and the students be monitored for and reported for any violations. Make sure to tell the FBI that it is likely the parents also have illegal software or hacking tools like DeCSS on the home computer. The FBI will then arrest the parents and seize all their property which they won't be able to ever get back. TYRANNY IS A *REQUIREMENT* OF A FREE SOCIETY!
GOD BLESS AMERICA, LAND OF THE FREE AND HOME OF THE BRAVE!!!
just database content challenged.
At my university here in the UK, we have just had a campus-wide residential network installed. P2P and plain SMB sharing of, well, legally challenged material is high, but (luckily) the admins have opted to impose as few restrictions as possible. We are behind a firewall, but proxy use is optional, so no filtering and the like. I believe this is the way to go - at my old school, our ISP (Edex, the worst ISP in the history of mankind) had various filters installed, blocking out things like ESR's homepage (nope, not kidding... they *were* running Microsoft software) and Userfriendly. Those kinds of controls are more trouble than they're worth, and likely to alienate most users, including those who wish to use the network for legitimate purposes.
However, P2P did become a bandwidth problem here. The answer was to limit bandwidth on the ports used for P2P to 1Mbit/sec (which is a tiny proportion of our total bandwidth - we're on SuperJANET). This was introduced gradually and based on an analysis of where bandwidth was going (i.e. ports other than 80, 21, etc.). The result was gradual abandonment of P2P software, as it became too slow and impractical to use. By choking use this way, the network admins avoided the inevitable uprising/cracking attempts/moaning from users that would've resulted had they simply blocked the ports. It was eventually confirmed that bandwidth limitation was indeed taking place, but there were very few complaints, as people had already moved to other services (which eventually also have gotten or will get choked) or abandoned P2P and other bandwidth hogs entirely.
I'd recommend you give all ports other than http, ftp, telnet, ssh, pop/smtp etc. a total bandwidth of something like 1% of your total available. If people complain, you can rightly tell them that (a) too many people are using it, and bandwidth is a limited resource (you'll probably have to explain what bandwidth is), (b) most use of such software is illegal and cannot be condoned by the school and (c) because certain things (i.e. P2P) were using a disproportionate amount of the bandwidth, it became necessary to allocate available bandwidth proportionally based on educational potential.
Those are hopefully terms that teachers and more enlightened students should be able to come to terms with, and you should have a strong case if anyone above your rank starts asking around.
Best of luck!
Martin
Author of `Professional Plone Development`, available from Packt Publishing.
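The two analyses described in the posts above, the logging-firewall check for machines that behave like P2P clients and the breakdown of where bandwidth goes by port before choking the non-standard ports, as an added shell/awk example that is not code from either poster. The log lines are constructed in the style of iptables LOG output; the addresses, host names and the list of "standard" school ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of firewall LOG lines,
# one per logged packet; all hosts and addresses are made up.
SAMPLE_LOG=$(cat <<'EOF'
Oct 12 10:01:02 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.14 DST=198.51.100.7 PROTO=TCP SPT=3321 DPT=80 LEN=1400
Oct 12 10:01:03 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.14 DST=203.0.113.5 PROTO=TCP SPT=3322 DPT=6346 LEN=1500
Oct 12 10:01:03 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.14 DST=203.0.113.9 PROTO=TCP SPT=3323 DPT=6346 LEN=1500
Oct 12 10:01:04 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.14 DST=203.0.113.22 PROTO=TCP SPT=3324 DPT=6347 LEN=1500
Oct 12 10:01:05 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.14 DST=198.51.100.40 PROTO=TCP SPT=3325 DPT=1214 LEN=1500
Oct 12 10:01:06 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.7.2 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=80 LEN=1200
Oct 12 10:01:07 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.7.2 DST=198.51.100.8 PROTO=TCP SPT=1046 DPT=443 LEN=900
Oct 12 10:01:08 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.7.2 DST=192.0.2.10 PROTO=TCP SPT=1047 DPT=21 LEN=600
Oct 12 10:01:09 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.5.9 DST=198.51.100.7 PROTO=TCP SPT=2210 DPT=80 LEN=1300
Oct 12 10:01:10 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.5.9 DST=192.0.2.10 PROTO=TCP SPT=2211 DPT=110 LEN=400
Oct 12 10:01:11 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.5.9 DST=203.0.113.5 PROTO=TCP SPT=2212 DPT=6346 LEN=1500
EOF
)

# Assumed list of ports the school considers legitimate (http(s), ftp, telnet, ssh, smtp, pop).
STANDARD_PORTS="80 443 21 23 22 25 110"

# awk code shared by the reports: builds the set of standard ports and parses
# the KEY=VALUE fields of one LOG line into the array f. parse_line() is used
# as a pattern, so a line without DPT/LEN (e.g. ICMP) is skipped.
AWK_COMMON='
BEGIN { n = split(std, a, " "); for (i = 1; i <= n; i++) isstd[a[i]] = 1 }
function parse_line(   i, kv) {
    split("", f)
    for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
    return ("DPT" in f) && ("LEN" in f)
}
'

# Bytes per destination port, largest first: shows where the bandwidth goes.
bytes_by_port() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v std="$STANDARD_PORTS" "$AWK_COMMON"'
        parse_line() { bytes[f["DPT"]] += f["LEN"] }
        END { for (p in bytes) print p, bytes[p] }' | sort -k2,2nr -k1,1n
}

# Share (whole percent) of all bytes that went to ports outside STANDARD_PORTS.
nonstandard_share() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v std="$STANDARD_PORTS" "$AWK_COMMON"'
        parse_line() { total += f["LEN"]; if (!(f["DPT"] in isstd)) ns += f["LEN"] }
        END { printf "%d\n", (total ? int(100 * ns / total + 0.5) : 0) }'
}

# Hosts talking to at least MIN distinct peers on non-standard ports. A web user
# hits a few servers on 80/443; a P2P client fans out to many peers on odd ports,
# so this is the list of machines worth sending a human to look at.
peer_fanout() {
    min=${1:-3}
    printf '%s\n' "$SAMPLE_LOG" | awk -v std="$STANDARD_PORTS" -v min="$min" "$AWK_COMMON"'
        parse_line() {
            if (!(f["DPT"] in isstd) && !((f["SRC"], f["DST"]) in seen)) {
                seen[f["SRC"], f["DST"]] = 1
                peers[f["SRC"]]++
            }
        }
        END { for (h in peers) if (peers[h] >= min) print h, peers[h] }' | sort -k2,2nr
}

echo "bytes by destination port:"; bytes_by_port
echo "share of bytes on non-standard ports: $(nonstandard_share)%"
echo "hosts with >= 3 non-standard peers:"; peer_fanout 3
```

On a real firewall, replace the constructed SAMPLE_LOG with a grep of the kernel log for the LOG prefix you use, and raise the peer threshold to suit the size of the site.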
taken from this article
Second, administrators that attempted to block the AIM service by blocking the default port of TCP/20379 were in for a shock. The AIM client/server model is extremely versatile and doesn't pay any attention to WKS (Well Known Services); the login server allows connections from every TCP port under the sun, including the ports that are likely permitted for business reasons: TCP/21 (ftp), TCP/80 (http), and TCP/443 (https). While we would never do something nasty like run nmap against login.oscar.aol.com, we think you'd be surprised if you knew just how many AIM-open ports there are.
AIM also runs over proxy; and the client has an "auto-configure" button that makes it really easy for Nancy in Human Resources to bypass your perimeter security. In a nutshell, AIM's a slippery little devil and just about impossible to block unless you're using a perimeter device with content inspection capabilities. We can expect more user toys to start exhibiting these perimeter-security-bypassing traits, which means that you will not know what applications are actually in use on the network layer, since the port number will become meaningless.
Remember when the RIAA did their experiment with those kids downloading a ton of music before the Grammys, well those same kids said they got most of their content with AIM. Shutting down everything except HTTP/SMTP/POP may not even cut it nowadays.
Install Linux schoolwide cos there isn't any good p2p software! :)
I am a system administrator at a small elementary school. I have encountered this problem myself and I solved it with a very simple solution... Using clout as being the "resident computer geek". If you are the system administrator, you are working under the assumption that all computer related issues funnel through you. The best way to get the administration to listen is to show them why P2P programs are not appropriate and potentially harmful to the educational system. Would they allow teachers to bring in smut to the classroom or to abuse school facilities for non-educational and personal reasons? Probably not. This should apply to the use of the computers as well, after all they are merely an extension of the school. Being aware of these issues that come with P2P programs is your job and it's your responsibility to do what you can to maintain the integrity and "cleanness" of the network. If something were to go wrong, it's your head that would roll, so basically you would just be saving your ass from a lot of unnecessary headache.
100% Insightful
(First, as a bit of friendly advice, I'd suggest not publishing comments that refer to your colleagues as "a bunch of goofballs". Perhaps they are, but perhaps they were subject to restrictions such as those that you're now encountering and weren't able to do their jobs effectively. In any case, such criticism won't help you now and might hurt you later.)
Getting something to happen in an organization involves building a business case for it, and presenting the case to your supervisors. Briefly, a business case justifies an action by demonstrating a benefit, usually a financial one. So, perhaps a case based around an argument such as "We're spending X dollars per month for our Internet access, but Y percent of that access is for non-school purposes. We could save Z dollars if we implemented policies A and B." would be effective. Risk reduction, such as protection from the legal liability you mentioned, can also be a justification. So if you have proof that the school's computers are being used for illegal purposes, then present it and describe the steps you could take to protect the school from liability. Another justification might be improved service to your clients (the staff and students, in your case); this sort of justification is harder to use, because it's harder to quantify, but it can be effective.
You might find that a supervisor who wasn't willing to act based on a verbal discussion will take action based on a written business case, which he or she can pass up the chain of command. Remember that your supervisor might, quite justifiably, not understand the issue well enough to create a case for it, and therefore might be unable to take any action unless you provide some hardcopy ammunition.
It shouldn't be too hard to find some resources on the net that help you to learn how to build a good business case. It's a great skill to develop. Good luck!
Please donate your spare CPU cycles to help fight cancer and other diseases
The school that I go to has been lucky enough to receive huge amounts of money from different educational grants to finance our ever growing tech department.
:-)
My schools solution to the problem is to just delete the program from all of the computers (very time consuming when you have a thousand computers to worry about). I know this isn't very practical, but it's the best we can do with the very lackluster group of people running our network.
Now, I have no idea how your network is set up, but assuming that your network is like ours, every student has their own user id that they use to log on to the network.
Would it not be possible to execute a login script that scans the user's computer for any instance of any p2p program and just remove it? I am not too sure of any problems this may cause, but it sounds good in my head
Nice to see intelligent, practical topics such as this on Slashdot. I was starting to wonder if it wasn't just for Spam/M$/Govt bashing...
And yes, shut down all ports except http,smtp,pop and others SPECIFICALLY needed for school sponsored applications. Having to administrate a similar network, I see problems all the time surrounding these same issues. Unfortunately, all gateway filtering here (at UofW) is controlled by the university-wide computer folks...meaning NONE! So we watch and hope/pray students will be somewhat respectful. Our little dept can't do a lot outside our lan, and I see porn, p2p all over the place...I can't wait to see what happens after we get the slew of new computers...with cd burners! OUCH...can you say REIMAGE?
Take a machine in the corner and set it up to cache a bunch of content locally. (squid, etc.) This will free up a bunch of bandwidth.
Hack it up so that it will also sniff and cache downloads (a hundred GB goes a long way) from filesharing programs. Have it sniff popular search terms and proactively download some as well.
Put it up on the internal Gnutella network and make sure that your local clients can connect to it without having to know that it exists.
Throttle down to a trickle the filesharing ports for all users except your designated machine.
At the end of the day, users will be able to download things if they need to but won't burn up the shared bandwidth.
I have to admit that I was a bit shocked, when I first read this post, as every K12 district I've seen (and before you ask, it's quite a few, as I have several teachers and an educational IT consultant in my family and close friends) already has a policy limiting use of the Internet on their network to approved educational tasks. This almost universally includes the teachers, as well. These policies are usually worded so as to restrict everything by default, and explicitly allow only certain ports/hosts to carry important services (web browsing, email, etc.)...kind of like a good set of firewall rules.
Really, this shouldn't be an issue. Your district should have policies in place to protect the network from user stupidity, and if it doesn't, you're just going to be up shit creek. Cutting off ports, throttling bandwidth, etc., are only going to be successful as long as your users are complacent, effectively computer (or at least networking) illiterate, and willing to believe the BS you hand them by way of explanation. One competent user in the bunch could cause serious problems for you, once you've established a pattern of simply lying through your teeth about what's going on.
How do you broach the subject of introducing new policies with supervisors?
You don't need new policies. Your job is to provide a safe, secure, and stable computing environment. If something your users are doing is jeopardizing those three goals, then tough for them because it's your job to stop them.
I have been in this position before. At my current position, I inherited the administration of about a dozen different unix boxes. There was no security in place whatsoever. Several boxes had been cracked. Users had the root passwords. When I took over, I didn't have any policies; I just used common sense as my policy.
If I were you, I would start securing things as you see fit, policy or no. If the users whine because their p2p stops working, imply that they were inappropriately using the network. That might get their attention. Just remember that security is part of your job, and you can't have your users running amok with your network.
Frankly, anyone who says that you should be secretly throttling the P2P ports is giving you bad advice. You are paid to give a service to the school - which is to provide IT services.
Part of that, as you have capably done, is identifying areas that need improvement or fixing (such as the P2P problem you mentioned). Your position doesn't entitle you to be judge jury and executioner though!
If illegal downloads are a problem, then you need to talk to the head of the school. You need to explain the legal and financial risk of allowing these downloads to continue. You need to highlight the financial and bandwidth cost that the downloads are incurring etc etc. If the head of the school says, 'Yes, we agree. Do something to fix it', well, you just got your policy and you have carte blanche to fix it - ie block ports or whatever.
If the head of the school says, 'No, I don't want you to do anything'. Then don't. It's not your problem anymore. The head of the school has just accepted responsibility for any related issues that will occur from this continued use of P2P.
You shouldn't be doing underhand sneaky tech tricks to get the results you want on a problem that is more political in nature than technical. Doing so will mean you get out of your depth and fired.
Say, what happens if an educational institution buys a machine from an OEM that pre-installs Windows on them? Aren't they, in effect, paying for that same copy twice?
If I was in charge of buying computers for a school I'd certainly want a price reduction because I'm not about to pay twice for that OS.
This sig has been temporarily disconnected or is no longer in service
block the p2p ports and when they start complaining ask what software they want and to put it in an email....then use the emails to talk with your boss and hey! no more p2p
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Hold a meeting explaining what is going on. Be sure and explain just how much your bandwidth bill is, and how much it should be. Convert the cost difference into the following statement:
"If we eliminate all unnecessary P2P filesharing traffic, our school district can afford to hire (two) more teachers."
----
The significant problems we face cannot be solved by the same level of thinking that created them. -Einstein
It is extremely amusing to see SlashDotters who, as a group, feel they have a right to P2P, fair use etc. adopt EXACTLY the same viewpoint the content owners adopt when the individuals under consideration are their own user group and the issue is their own jobs.
What is it about systems administration that makes people all high and mighty all of a sudden.
There are reasons that this administrator can't arbitrarily set policies or change things according to his own whim. Now, if his job was to set up initial access to the internet, perhaps it would have been more appropriate (but not completely) insofar as exercising a certain level of discretion in how the connection to the internet is structured (proxies/firewalls/etc.).
However, the system is in a steady state, and this administrator has no basis to change it. It's (in all likelihood) not this administrator's job to manage legal liability or even determine if p2p applications are an appropriate use.
Just as teachers can't change their curricula as they see fit, without some oversight by the administration - administrators have no right to make these kinds of decisions based on "what they feel is best."
The administrator however is completely within the realm of what is right and proper to make an observation, (p2p is consuming all our resources), and share it with those people that are in a position to change policy. If you really feel p2p is this horrible, find some users who are affected by it (complain they can't use or their use is substantially affected by p2p traffic.) Bottom line is, if upper management doesn't care, you shouldn't either. Run the network with a hands off approach, much like slashdot does with its comments section. If there are technical problems fix them, if there are ethical problems save the decision making to the people whose responsibility it is to make these decisions.
Turn it into a game.
:)
Idea number 1: Wear all black and a gas mask. Bust into people's classrooms and offices commando-style and do a spot check on why they're using 1 Mb/s of bandwidth. Be sure to have two or three other guys with you to get everything on camera. Post footage on the net.
Idea number 2: Every week email the entire administration the top 10 bandwidth (ab)users. Award the #1 user a giant dunce cap. Encourage the students to wager who's going to make #1 the up-coming week.
Idea number 3: Send out an email saying that you've volunteered the school to participate in a survey on internet usage at K-12 schools, conducted by the FBI, and that people shouldn't be worried about the invisible key-stroke-loggers that have been installed on all computers the night before. Also note that in exchange for the school's cooperation, the FBI has generously agreed to install numerous tiny hidden cameras around campus to help with campus security.
Do people have more ideas?
-Captain Abstraction.
This is not to say that the solutions that have been suggested aren't worthwhile or effective from a technical standpoint.
But from a political view, using any of the suggestions will not be good if you are found out. Yes, you can go on about how as the sysadmin, you should have full rights over the network and IT facilities, but that is not how staff will view your position.
To them, you will be seen as implementing your own personal agenda without consultation with staff or admin. That is not a good impression for people to have of you. So don't lie, don't secretly throttle bandwidth, don't secretly block the ports. Get admin onside first, then do those things.
It manages traffic through a web (or command line) interface, and supports partitions and policies on classes created from just about anything you can think of. Easy to change on the fly for when someone in IT needs to download some ISOs in a hurry...
Watch out for it sending clear text passwords - perhaps its worst problems are that it's a bit sluggish on the web interface, and it does not support a secure authentication method. You can, however, create a policy that will limit access to its web and telnet interface to particular workstations, which helps a bit...
- Block the ports + all other unnecessary ports. :-P
- Write a policy using common sense, explaining why the school needs it.
- Tell them you're doing what you were hired to do: keep the network going, keep it secure and clean.
- Take a deep breath; it might just take a 'miracle'...
-iie1195
I wouldn't block the access if I was you. I used to run a fairly large k-12 network (100k users). The political backlash will put you out the door. Just cover your ass. Send an email to your boss describing the risks and let him decide. People get really mad when we (sysadmins) make decisions like this because they (management) feel that only they should have the power to make the choice. good luck...
Policy changes have to be handled carefully. If you're the top of the decision chain, you'll find this out the hard way..
:)
What I'd want to do is set policies on every machine so that no one could install software, remove every piece of objectionable software, and set firewall rules to only allow port 80 access. You'll find out that you just pissed off every one of your users if you do so..
Work with what you have. Try to "encourage" your users to cooperate. Start doing a bit of monitoring. Find out which machines are passing more traffic than the rest. Find out what those machines are doing. Do it in the name of security. You're looking for outside intruders, and happened to see that one machine is taking up all the bandwidth. Mention to the user that the machine is taking up all the available bandwidth slowing everyone down.
Most importantly, keep notes of everything you do.
The viruses should be fixed with a good virus software. If the kids are using the computers, they aren't going to be happy when they stop working. If they're doing it on purpose, disable the machine after hours, and leave it down for a few days, "scheduled" for repair later in the week. They like their toys, and will be more careful.. Get yourself a good remote access program (radmin is good), so you can fix stuff without running all around the facility.
If you have people that don't cooperate, they can have mysterious problems. Hmmm, I guess Kazaa is just having problems today, odd that no one can get on..
If you have consistent problems, luckily you've been keeping notes of everything you've been doing. Bring it to the attention of your boss, his boss, the school's lawyers, the school board, or whoever it takes (press?)
Piracy is illegal. Pirated software and music are illegal, no matter how nicely someone dresses it up. Doing illegal things on city/county/state money is usually not looked upon favorably. But there's no need to get a bunch of teachers fired. For some of them, this is their lives. Of course, for some it's just a way to make an easy buck and look at porn between classes.
Damaging school equipment is probably against some policy. That's what the viruses do. If it takes anyone time to repair it, that costs the district money. If you spent 2 hours reinstalling Windows and updating all the service packs again, that's 2 hours you could have been doing something more productive (hopefully). You should be accountable for your time. Keep logs of how you spent your time. This will probably be in your favor later, when your boss says, "Why wasn't xxx done!". "Because I was fixing 47 virus infected machines."
Serious? Seriousness is well above my pay grade.
Most P2P apps allow you to turn off uploading, so I'd recommend you go around and do that. Just removing uploads from these apps alone makes a huge difference in bandwidth utilization (I know this from experience on similar LANs)
I liked the suggestion of throttling the bandwidth on the ports in use. But make it more gradual. When you start, throttle it to about 1/4 of the total bandwidth, then decrease it by a rather sizeable percentage every few days until you're at the bandwidth that ping uses.
The network is already running slowly as it is, so the teachers and other abusers already are expecting it to run somewhat slowly. If someone DOES complain about it, draft a well written proposal to your supervisors or the school board or both, claiming that more money is needed for additional bandwidth because the teachers (and include the names of those who complain) NEED these programs so they can trade music, illegally copied programs, and porn while at work. Specify that you don't see any legitimate use for these programs at school, but since their policy doesn't forbid them, you need the bandwidth increase so the teachers can continue to use them.
I'm guessing that anyone with half a brain will take a look at that and you will have your broad policy change that's needed.
-Restil
Play with my webcams and lights here
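The rate limiting Martin recommends above (every port other than the standard services shares about 1% of the link) and the gradual step-down Restil suggests, as an added example that is not either poster's code. It is a POSIX shell script that prints Linux tc (HTB) commands for review rather than applying them; the interface name, link speed and the list of standard ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Prints tc commands; review, then run as root with "| sh".
# Assumed list of school services: http(s), ftp, telnet, ssh, smtp, pop, plus 53 so that
# an off-site DNS resolver is not throttled along with the P2P traffic.
STANDARD_PORTS="80 443 21 23 22 25 110 53"

# shape_rules DEV TOTAL_KBIT PERCENT
# Every port outside STANDARD_PORTS shares one HTB class capped at PERCENT of
# TOTAL_KBIT on the LAN-facing interface DEV; the standard services get the rest
# and may borrow the whole link while it is idle.
shape_rules() {
    dev=$1; total=$2; pct=$3
    limited=$(( total * pct / 100 ))
    [ "$limited" -ge 8 ] || limited=8             # keep a usable floor for the capped class
    rest=$(( total - limited ))
    echo "tc qdisc del dev $dev root 2>/dev/null"   # start from a clean root qdisc
    echo "tc qdisc add dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${total}kbit"
    # 1:10 carries the standard services and may borrow up to the whole link
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${rest}kbit ceil ${total}kbit"
    # 1:20 is the default class: everything unclassified lands here and never exceeds its share
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${limited}kbit ceil ${limited}kbit"
    # Downloads leave DEV towards the LAN carrying the server's port as *source* port,
    # so the standard services are classified on sport; P2P ports simply fall into 1:20.
    for p in $STANDARD_PORTS; do
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip sport $p 0xffff flowid 1:10"
    done
}

# gradual_steps START_PCT FLOOR_PCT
# Restil's step-down: halve the share of the capped class every few days until
# the floor is reached, e.g. 25 -> 12 -> 6 -> 3 -> 1.
gradual_steps() {
    p=$1; floor=$2; out=""
    while [ "$p" -gt "$floor" ]; do
        out="$out$p "
        p=$(( p / 2 ))
    done
    echo "$out$floor"
}

# Example: a 2 Mbit/s link stepped down from 25% to 1%; the rules printed are for the final step.
echo "# schedule of caps for the non-standard class: $(gradual_steps 25 1) (percent of link)"
shape_rules eth1 2048 1
```

Re-run shape_rules with the next percentage from gradual_steps at each step; the leading "qdisc del" replaces the previous configuration cleanly.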
Next, you're going to want to set up a firewall and IDS system to keep P2P off your network. We use redundant Cisco Pix units, but a dual-homed machine with Linux or xBSD will work fine if you don't have that kind of change lying around :-) Set up rules for the IDS to check for P2P, Porn, Games, etc. We are in the testing phases of doing just this. The security-focus IDS list has been a big help.
As for the virus problem, Norton Corporate has great educational pricing, and can be set up so the (l)users can't play with it. Requires NT, though, but educational pricing is still cheap (before MS's new school licensing rolls out) and I'm sure you probably have a box lying around :-)
My email is real.
I've discovered that most problems dealing with school networks could be quickly and easily solved by just throwing Linux on them. G-d knows that if I went back to my small parochial school as IT man in charge, Windows would be off them ASAP. I've seen what a useless OS it is for people who want to abuse the system.
Forget about ease of use, which always seems to be the biggest whine about switching from Windows to Linux. Make them teach classes on how to use X properly if you have to, even though it should be brain-dead simple to operate GNOME/KDE and OpenOffice if you know MS Windows. Knowledge of the internals of a *nix will serve the kids far better than Windows in the future. Screw the teachers if they don't like it - school's about educating the students properly, not serving their warezing asses.
Think about the gains from Linux integration:
1. Security issues vanish due to general lack of virii and strict permissions.
2. People are generally caught offguard with Linux if they're used to Windows, and won't even think of hunting down gnutella and such. "There are games for Linux? "
3. You won't need to upgrade all the computer hardware every 2 years to keep up with the latest version of Windows and MS Office.
4. You'll save the school money. You'd be surprised what sort of reaction you'll get when you tell the administration you can chop their revenues to 10% of what they used to pay, _and_ eliminate all those nasty issues with the BSA.
You won't be able to up and change all the computers one summer. But you should be able to gradually change them one month at a time, and let people get used to the idea.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
Propaganda Posters!
The shareholder is always right.
Great caching proxy server + firewall combo. Very tricky to set up, but allows auth on a per-user basis if needed. Also gets you a subscription to CyberPatrol to block "objectionable" sites if need be. The firewall is pretty good, just remember to turn off dynamic NAT or you're back to square one (duh).
Talking of which does anyone have a complete list of p2p ports that all p2p programs use?
My high school had a problem like this when Napster was breaking on to the scene. A few students downloaded and installed it and left it running over a holiday weekend. Those students were later expelled from the computer science "prep" program the high school offered and returned to their regularly zoned high schools
I thought the punishment was rather harsh at the time, but I can understand where they were coming from... it wasn't a liability at the time (Napster was new and "unknown" at the time) but they still got the point across.
There are only 10 kinds of people in this world... those who understand binary and those who don't
A lot of the posts here seem to favor arbitrary action. In my experience, the real world doesn't often work this way. From the sound of it, you're in a situation where you have all of the responsibility but none of the decision-making power. Here's what I would do if I were you: talk to your boss about the problem. Your supervisor may not want to create policy by him or herself, but would probably be more than happy to let a committee come up with one. So you send around a note to the faculty letting them know that there will be a meeting to discuss the state of the network. Encourage them to attend. Their opinions are valuable to you. You will emerge from this meeting with the following things: an understanding of what they want to use the network for, a policy statement regarding network use, and a mandate for doing your job. They will come out of this meeting appreciating that you allowed them to be involved in the decision making process and didn't just cut off their access. They will also have a better understanding of the legal ramifications of network use, something they probably never even considered. You'll have mutually arrived at an understanding about network use, the administration will have good reason to back you up when you implement changes based on this new policy, and the faculty may not be happy about it but at least they'll have had their say. Working in a school district can be a tricky thing and - as in many other jobs - politics can play a large part in anything getting done. Handle it carefully and make the faculty feel that you're handling it democratically, and chances are better that you'll get the sort of outcome you're looking for.
As Manager of Technology for a K-12 school division, I can tell you how we do it. First of all, your system should have an Acceptable Use Policy (AUP). Students and parents should receive a copy of it each year during registration. Ours is included in the Parent/Student Handbook. All students who use the Internet must have a signed form from their parents granting privileges. Ours includes language that states that Internet access is for educational use only! Even though it isn't strictly enforced (we do allow entertainment sites for example), that language is there to back us up on content and P2P decisions.
Since students and teachers use the same network and computers, all are subject to the same policies and filters. We transparently proxy all requests to port 80 and 554 through iPrisms which filter and then pass the request on to a Squid proxy that generally runs at about a 40% hit ratio. All other Internet traffic passes through our Cisco firewall which performs NAT based on an access list. That access list denies NAT for all the popular instant messaging and P2P applications. Since all computer addresses are private, no NAT means no access. Instant messaging is blocked after an incident where a bomb threat came in that was untraceable according to AOL. P2P filtering is obvious due to copyright violations and bandwidth usage. It is interesting to watch the hits on our access lists from P2P apps that are denied. Kazaa seems to be the most popular, we block several million Kazaa packets each week.
That's how we do it, if you have any questions, let me know.
Jason
"FORMAT C:" - Kills bugs dead!
Be very cautious when adopting acceptable use policies originally developed for other state and county agencies. It's usually a bad idea.
The needs of an educational environment are quite different from those of a standard workplace. A policy designed for an office full of adults doing a rather limited set of tasks will not be a good fit for a K-12 institution filled with teachers and kids. And once you've given that policy your blessing you may find yourself stuck with it for a very long time, especially if you've appealed to a higher power to enforce rules on your co-workers that you cannot. By that point you're as bound by it as anyone else, and those same co-workers are unlikely to forget that.
If your goal is strictly to "stay out of trouble" by preventing people from doing as many things as possible then yeah, this'll probably do it. But if you're actually trying to craft workable policies and put them into practice then it'll call for some forethought, compromise, and - unavoidably - actually sitting down and talking to people about what you're trying to accomplish and why. No shortcuts.
From what I gathered from your post, you are actually taking over at a district level, which is good as far as making decisions, but poor for implementing them. I've actually been a School Technology Coordinator at a school here in KY for 2 years now, and I've experienced some of the problems you are encountering.
Most of these problems are handled (at least on paper) at a State level. So implementing the policies at the local level was/is not as difficult as it might be in your situation. So you need to ask these questions:
1.) Where does the funding for your technology equipment and maintenance come from? If it's from the State, as in KY, they will already have some firm guidelines that you can easily start implementing. If teachers and administrators start to balk, you can just politely refer them to such documentation. The problem could have arisen if the actual state-wide policies were not even glanced at by your predecessors, so I'm sure a call to the state Dept. of Education would bring up some type of support for you to start making changes.
2.) How will you implement such changes? These have basically been covered repeatedly in previous posts, but a strictly HTTP proxy server is a huge start. You (your district) should have complete control over this type of function, especially since filtering obscene material in public schools is one of the few places where it's really important.
If going the state route doesn't yield any results, I'm sure bringing this to the attention of district administrators would easily raise their eyebrows. An effective approach would be listing possible "dangers" that students could easily encounter on the internet without some sort of central control. Most school board members are rather conservative, and would err on the side of giving your technology department more control rather than less.
While none of what I said addresses the huge problem of bandwidth hogging, the actual effects of such policy changes give ample room to filter for "bandwidth-appropriate" material.
Xavodim.com
I'm in a similar situation: I work at a small K-12 charter school in Phoenix, AZ. We had some real morons before I was hired on. To improve bandwidth issues:
Port blocking, others have posted about this but, hey It's a good idea.
A slow way to gain authority is to set up a website where teachers can submit requests for help and get tutorials and other information. If you can grow the site carefully and make sure the teachers use it, you can turn it into a policy instrument. If someone asks why, you just say "check the website".
After 6 months of work, teachers seldom call unless there is a real emergency and what I've put up on the website has become policy by default. (The one thing I can't seem to get them to do is wash their hands before using the keyboard. Coca Cola, syrup, old food. Thank god I've an FRU policy)
If one of those warez people downloads one illegal application then M$ has the right to audit your institution in order to find it and charge them for the audit.
You signed it on the EULA.
Have a good day.
When his defense asked, "Which computer has Jon Johansen trespassed upon?" the answer was: "His own."
Download all the things they have downloaded. Invent fake large binaries that satisfy their requests.
Some gateways give you the ability to throttle the bandwidth. For example, if you have a Linux system as the gateway, you can use the iproute package to perform limitations.
Just identify which IPs those suckers use, and throttle them. It's not like you're cutting them off, you just limit the amount of B/W they can use.
Simple, eh?
A lot of people have suggested that you need to throttle the traffic, block ports, etc. That's a good start, but ideally you need to have a managed desktop too. Users should not have administrative privileges on their PCs (which is what they do have right now if they're able to install software themselves). You're the administrator; it's your job to install software. That privilege (and responsibility) belongs to you alone. Build a small set of ghost images that will satisfy the different needs of people in your organization, spend the time to lock down those systems tight, and deploy throughout the organization. This will save you numerous headaches because you'll only have a few different software configurations to support, you'll know for sure whether or not your software is properly licensed (because you're the only one who can install software), etc. Your users may initially complain, but they'll be happier in the long term because they'll experience better uptime and performance on a managed PC.
Hi. Speaking from a little experience:
- You have a Tech Dept in disarray with a lot of problems.
- One of your major problems (from your own point of view) is that users are abusing the system, sometimes for personal benefit.
- The easiest solution would probably be to restrict access to the internet by introducing a block on specific ports. However you want to solve these issues without "alienating" yourself from your peers who are: the users.
There are many different ways of approaching these three issues. Because you have a problem with users doing something that is not "appropriate", perhaps you should start by helping them to see what is appropriate. Try discussing the situation with everyone. Tell them that the resources are limited, and something will have to be done to help free up some resources. See if the users as a group are willing to cut down the amount of non-appropriate usage of your network. If not, then you may have to become more forceful; remember that humans will use their social power in groups to get what they want, i.e. pushing you down the social ladder so that they may have a form of control over you, or attempt to do this anyway.
Of course the users may not feel as though it is any of their concern; the network still works (sorta) and they can still do their own thing without too much hassle. They may also see this all wrongly and to them internet access is a "right" and not a "privilege", so again cutting access may not work here. However, in conjunction with your first big issue (dept in disarray), I have found that people tend to treat things better if these things are somehow a possession. Realistically you can't ask the users to donate and become shareholders in the network resources. But you can help them to feel more affiliated by allocating time where users with no current commitments (i.e. students to teach, classes to go to) come and spend time with the Tech Dept, and help you clean up the mess. (One problem I have found with this method is that if you use the same people over and over, they begin to get a little power hungry and start using their position for personal gain. So you have to constantly cycle the workers, so that every available user gets a turn. If a user has little or no experience in this area, they can at least sweep the floor of the tech dept.)
Another option is to allow the inappropriate software, but limit the amount of usage, or give a quota.
Or you could give everyone an account, and give the account a quota. This may cause problems if the user has no discipline and uses their quota for non-school related activities, having none left for relevant activities.
The fourth option is to let users moderate other users, but then not themselves. Hmmm, does this sound familiar?
Anyway, there are so many options available to you, I haven't even scratched the tip of the iceberg in the end (and I have rambled on and written too much); you just need to sit down and nut it out for yourself. Every situation is different, and you can always rely on human nature to play an important chaotic-effect type role in the matter (from experience). I think you have already answered your own questions anyway: "Can you fix the network, and retain social kinship at the same time?" You just have to choose your desired outcome (at least you have that much).
If you're going to lie to the users (which I strongly advise against) then at least use the "goofballs" that are no longer around as scapegoats.
You have the legal responsibility to be blocking such programs. Start by finding which programs are most commonly used. I assume the school's network is run through a firewall of some sort? Block the ports that those programs run on. Then, set up all the machines so that the users cannot run any of the executables except those approved by the school. Then worry about implementing a policy.
T Money
World Domination with a plastic spoon since 1984
Here is a solution. Put a sniffer (Linux/Etherpeek) on the network and post up the 10 worst abuser list on a bulletin board near the office. Do this each week and see what happens. Yeah, you might get some students trying to break the old record but at least when someone complains about the slowness of the network you can direct them to the bulletin board so they can complain to the people on the list.
This way the performance of the network cannot be attributed to your performance as a network admin.
From excellent karma to terrible karma with a single +5 funny post...
Don't do it.
You don't need to. You work in a public school district, which is a government operating organization. Even where I live, with very strong university systems that have opted out of many state security and authentication programs, the school systems are still bound by the state's general laws on proper use of facilities. Without much doubt, you can find enough existing law in your locale that stipulates that state/county employees will not take government facilities/materials for their own benefit. Your approach should be one of "State law prohibits this type of use, and we have to come into compliance before all of us get reprimanded/penalized/fired." To back up this argument, you should have a look at:
- copies of state/county/city law regarding (prohibited) private use of public facilities
- copies of school regulations and school board decisions restricting use of educational resources to educational purposes
- examples in your locale of educators penalized for excessive*** misuse of resources -- copiers, long distance phone, etc etc
- specific examples of educators -- not necc. in your area -- penalized for misuse of internet-specific resources (examples that include fines and jail time are good)
- printed sniffer logs that show the ratio of school-related vs. non-school-related (~95% if P2P media?) traffic
- etc etc
***This is important to counter the argument that downloading 1.5GB/day of music is "incidental" and therefore permitted. With this in hand, schedule a meeting and embarrass/scare the hell out of them with the state govt looking over your shoulder. The key here is NOT to invent new policy, but to adapt your operating procedures to conform to existing requirements and regulations. Remember, as the sysadmin, you have much more power to control the technical interpretation of existing policy than to invent new policy to make technical implementation more straightforward. Your legislature is probably on your side on this one -- you just have to dig up the relevant bits before you jump on the soapbox.
JEspenschied
I think not...(*poof*)
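Two of the posts above lean on the same artifact: the "10 worst abuser" list compiled from a sniffer, and the printed logs showing the ratio of school-related to non-school-related traffic. The following is an added example, not code from any of the posters, showing how a Squid access.log (native log format, one request per line) can be reduced to exactly those two numbers. The extension list, the sample log lines and the client addresses are constructed for the example; a real deployment would tune the list and feed it the actual log.

```python
"""Summarise a Squid access.log: bytes per client and the share of bulk
(binary/archive/media) transfers. Added example; assumes Squid's native
log format, which is whitespace-separated:
  timestamp elapsed client action/status size method url ident hierarchy/from type
"""
import re
from collections import defaultdict

# Extensions counted as "non-school" bulk transfers (assumption for the example).
BULK_EXTENSIONS = {"exe", "com", "zip", "rar", "zoo", "bat", "tgz", "gz",
                   "rpm", "iso", "mp3", "avi", "mpg"}

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])  # bytes sent to the client
    return rec


def url_extension(url):
    """Lower-cased extension of the last path segment, ignoring query/fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def summarise(lines):
    """Accumulate total and bulk bytes overall and per client address."""
    per_client = defaultdict(int)
    bulk_per_client = defaultdict(int)
    total = bulk = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip garbage / non-log lines instead of crashing
            continue
        per_client[rec["client"]] += rec["size"]
        total += rec["size"]
        if url_extension(rec["url"]) in BULK_EXTENSIONS:
            bulk_per_client[rec["client"]] += rec["size"]
            bulk += rec["size"]
    return {"total": total, "bulk": bulk,
            "per_client": dict(per_client), "bulk_per_client": dict(bulk_per_client)}


def top_clients(summary, n=10):
    """The n heaviest clients as (address, bytes), heaviest first."""
    return sorted(summary["per_client"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def bulk_ratio(summary):
    """Fraction of all bytes that went to bulk downloads (0.0 if no traffic)."""
    return summary["bulk"] / summary["total"] if summary["total"] else 0.0


def report(summary, n=10):
    """Plain-text report suitable for pinning to a bulletin board."""
    lines = [f"Total traffic: {summary['total']} bytes, "
             f"bulk downloads: {bulk_ratio(summary):.1%}", "Top clients:"]
    for addr, nbytes in top_clients(summary, n):
        lines.append(f"  {addr:<16} {nbytes:>12} bytes "
                     f"({summary['bulk_per_client'].get(addr, 0)} bulk)")
    return "\n".join(lines)


# Constructed sample log lines (addresses and URLs are made up for the example).
SAMPLE_LOG = """\
1038765432.123    345 10.1.2.3 TCP_MISS/200 4096 GET http://example.org/index.html - DIRECT/192.0.2.1 text/html
1038765433.456  12000 10.1.2.9 TCP_MISS/200 5242880 GET http://example.org/music/song.mp3 - DIRECT/192.0.2.1 audio/mpeg
1038765434.789    210 10.1.2.3 TCP_HIT/200 2048 GET http://example.org/lesson.html - NONE/- text/html
1038765435.012  30000 10.1.2.9 TCP_MISS/200 10485760 GET http://example.org/tools/setup.exe?id=7 - DIRECT/192.0.2.1 application/octet-stream
this line is garbage and is skipped by the parser
1038765436.345    500 10.1.2.7 TCP_MISS/200 8192 GET http://example.org/science/notes.pdf - DIRECT/192.0.2.1 application/pdf
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarise(source)))
```

Run it with the path to a real access.log as the only argument, or with no argument to see the constructed sample; the bulk ratio is what backs up the "~95% P2P media" style figure, and the per-client list is the weekly posting. Note that on a transparent proxy the client column is the workstation address, so shared machines show up as one line.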
At our school in Rome, GA, almost all the music for prom, school events, sports, etc, are all downloaded off of file sharing programs by the teachers. Kazaa is even running on the computers in the library. Teachers use this constantly in computer class burning CDs (to teach students :), so it will be pretty hard to remove these programs without an upheaval from teachers.
Since you're going to be taking charge, eliminate the support program of preference for more than 99% of viruses.
Rather than just blocking ports, put up an FTP server as well, and hand out forms asking people what they want the school to make available on them. That way, they have to write it down and put their names to it. Explain that people making multiple downloads of the same thing were costing the school a fortune. Redirect any web or FTP request for a file ending EXE COM ZIP RAR ZOO BAT TGZ TAR.GZ RPM ISO MP3 etc to the FTP server, so if you have it, they get it and if you don't, they have to ask (put a form for that in Squid's file-not-found page).
Actively scan the Squid logs for porn, and if you're getting reliable requests for same from a specific user or machine, print out a list, walk down and ask them if they knew that their class was downloading pornography, and could they please stop because the principal is very busy and doesn't want to get involved. Log these incidents and CC the log to the principal's office regularly. If you don't, and someone else does the busting, your ass is on the line.
Just do it, fait accompli, and when the complaints start rolling in, log them, hand out a form, and if they refuse the form ask them why they want to send the school broke. Instantly, in writing, and CC it to the principal.
You're in the right. Act like it. Otherwise that job's not worth having for less than USD$100k a year.
Got time? Spend some of it coding or testing
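The redirect described in the post above (bulk file types sent to a local FTP mirror, and a miss landing on Squid's error page where the request form lives) is the kind of thing Squid hands off to an external redirector program. The following is an added example, not the poster's own code, written against the classic Squid 2.x redirector interface: Squid writes one line per request ("URL client_ip/fqdn ident method") to the helper's stdin, and the helper answers with a blank line to leave the request alone or a new URL; a "302:" prefix asks Squid to send the client an HTTP redirect rather than fetching silently. Newer Squid releases use a different reply format (OK/ERR with key=value fields), so check the manual for your version. The mirror name, the directory layout on it and the extension list are assumptions for the example.

```python
"""Squid URL-rewrite helper: send requests for bulk file types to a local
FTP mirror. Added example for the classic (Squid 2.x) redirector protocol:
  stdin:  URL client_ip/fqdn ident method
  stdout: "" (unchanged) or "302:NEW_URL" (HTTP redirect to NEW_URL)
"""
import sys
from urllib.parse import urlsplit

# Local mirror of pre-approved files (constructed placeholder hostname).
MIRROR_HOST = "files.school.example"
MIRROR = f"ftp://{MIRROR_HOST}/pub"

# File types that must come from the mirror (assumption, from the post's list).
BULK_EXTENSIONS = {"exe", "com", "zip", "rar", "zoo", "bat", "tgz", "gz",
                   "rpm", "iso", "mp3"}


def extension_of(path):
    """Lower-cased extension of the last path segment ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rewrite(url):
    """Mirror URL for a bulk file, or None to leave the request unchanged."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "ftp"):
        return None
    if parts.netloc.lower() == MIRROR_HOST:
        return None                      # never redirect the mirror to itself
    ext = extension_of(parts.path)
    if ext not in BULK_EXTENSIONS:
        return None
    # Keep only the bare file name so a crafted path cannot climb the mirror tree;
    # files are assumed to be stored under one directory per extension.
    name = parts.path.rsplit("/", 1)[-1]
    return f"{MIRROR}/{ext}/{name}"


def handle_request_line(line):
    """Turn one redirector input line into the reply Squid expects."""
    fields = line.split()
    if not fields:
        return ""                        # malformed/empty input: leave unchanged
    new_url = rewrite(fields[0])
    return "" if new_url is None else "302:" + new_url


def main():
    # Squid keeps the helper running and sends one request per line; answer
    # every line and flush, or Squid will hang waiting for the reply.
    for line in sys.stdin:
        sys.stdout.write(handle_request_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pointed at by Squid's redirect_program directive, a request for a song.mp3 anywhere on the web becomes a 302 to ftp://files.school.example/pub/mp3/song.mp3; if the mirror does not have it, the FTP server's not-found error is what the user sees, which is where the post suggests putting the request form. Anything not on the extension list passes through untouched.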
Let's see if I understand this. Some of the people here are advocating changing the network settings and then outright *lying* to your *professional* colleagues about why you've done what you had to do to preserve the integrity of the network.
And then you complain that the same people you've lied to are such utter incompetents about technology. How can you expect them to ever learn if you tell stupid lies to them?
Furthermore, some of these crackpots are the same people who will whine and complain if something about their own workplace were changed and they weren't given satisfactory answers. Hypocrites, the lot of them.
Just do what you have to do and be honest in why you're doing it. Sure you can gloss over some of the specifics, but explain to any reasonable person that you're having bandwidth issues and that person will begrudgingly accept your explanation. If you run into problems, you have to advocate your position with your supervisors better until they do understand the costs and headaches that the current system has.
My $.02
...after working in school systems for 3 years as a net admin, you must not act with a heavy hand without the backing of the district/administration; it's very different than the business world. the key is that much of the activity is illegal and prohibiting educational usage.
If your school does not have an Acceptable Use Policy, congratulations, you don't have anyone's prior fuckups to hinder you, build one from scratch. be sure to compare AUPs from other schools in your region, and from completely different school systems, take the good from them and eliminate the bad. fewer rules = better; efficient and complete will be much more effective.
the more complicated it is, the harder it will be to be accepted by the schools and enforced.
If you act with the heavy hand and just start blocking things, the staff and students will both hate you, and make your life a living hell. your goal is to make your life easier and the network work better; if you go the block it/kill it route, they will try anything to get around it and cause you even more problems. if you do these things, you better have the administration behind you.
i would highly recommend the formation of a "power users group", with both students and teachers, who will become your messengers; they will best understand the rules and will convey them to their students/peers. In the process they will learn and could create content for the network (local web, etc).
If your school system is actively getting support from local businesses, seek advice from their tech admins. if the school isn't actively being supported by local businesses, question that, get some support ($$), it's your students that will power their companies.
sm
I work at a Small College with approximately 4500 students. We have had our share of problems with both students and faculty who want to use the P2P systems. Monitoring the usage of our Internet connection, we decided to increase it by 50%; within 10 seconds it was completely consumed. I couldn't even read slashdot anymore due to my packets being dropped. We tried to block ports, and while it worked (mostly!) there was a massive uprising within the student population. "It's our 'RIGHT' to be able to download" was a quote in the school newspaper (tabloid). The administration would not support us in our quest to stop these applications, even though we received several threats from the RIAA and Sony each week. Students were threatening to leave the school, and with enrollment being down school administrations don't like that.
Our solution: We purchased a Packeteer Traffic Shaper (neat hardware!). With it we not only set rules, but we also purchased it with multiple interfaces so we could segment off our dorms. That 50% bandwidth we purchased earlier, we dedicated to our dorms, and the rest to the academic network.
Movies and Music can now be downloaded again, but they don't come down nearly as fast, plus we can give priority to web and email. (We even give online games higher priority than P2P.)
Not so much of a cheap solution, but it's cheaper than bandwidth.
I worked in the tech. dept. of a K-12 district for 2 years and have done contract work with them intermittently since then, including a network traffic analysis of a local K-12 district that showed almost exactly the same sorts of madness that you mentioned. My suggestion to you is that you prepare a report (with numbers and graphs, written in clear tech-speak-free language) that shows how your bandwidth is being used. Talk to the district users and get quotes from those whose experience is hampered by low bandwidth availability and high traffic. Put those essay-writing skills to work and write up a defense of the district's need to deny access to P2P clients, streaming media, etc.
Present the report to the technology director. Any tech director with half a brain will gladly put a stamp of approval on your report and allow you to start blocking ports as well as send out memos to your teachers telling them to stop. If this does not work (hell, even if it does), TRY TO GET THE SUPERINTENDENT'S EAR. I can't stress this enough. The people (regardless of departmental affiliation) who make an impact at the district level have good connections with the superintendent. Supes are most often curriculum people and do not know technology, so the guy that can be clear and concise and help the Supe understand in minimal time and with minimal fuss what is going on becomes very valuable to them. Offer them a copy of your report, ask them for their help and a SMALL chunk of their time. Even if it's just 5 minutes in the hall where you tell them you think there is a problem and offer to send a copy of your report to their office, get their attention. If your report is well written and easy to understand, or you can catch the Supe's interest in passing, your credibility goes up a notch and it will be much easier to get their sign-off on policy. During our traffic analysis for the K-12 district, we focused almost entirely on the Supe during our presentation knowing that they had a problem with bandwidth usage. Once we had him understanding the problem, every recommendation we made was met with a nod of his head and the word "Done." It's much easier to fend off complaints by saying that the superintendent is behind you than by saying the technology director is behind you.
Then, block ports like it's going out of style. Any teacher that tells you they're using streaming media or P2P sharing for valid educational purposes has a dubious claim at best. They're the ones screwing up everybody else's bandwidth experience. The onus is on them to defend themselves. They should have to submit forms to defend their use of bandwidth and opening of the associated ports. I've heard of teachers complaining about port blocks by saying that their valid educational use streaming media was to let their classroom listen to music while they worked on their unrelated in-class assignments.
And finally, if you manage to get support in place and ports blocked, I would also recommend a scare tactic that I've seen used effectively. Normally, I don't support this sort of thing, but educational networks have the additional burden that children are constantly nearby and constantly sticking their noses where they don't belong. If you have or can get a web filter to block out adult content, make the "You can't go to that site!" error as intimidating as possible. Have it say that the user's web request has been logged and sent to the district administration. Yes, people will HATE it, but it will help (maybe only a little, but every little bit helps).
Teachers are always locking up their desk drawers in their classrooms so students can't steal and snoop. You should be afforded the same privilege in managing the network.
Don't TALK like this guy WRITES, they'll just think you're a SPAZ.
Send out memos (or post printouts on physical bulletin boards) explaining what fraction of the bandwidth is being wasted on crap. And also include a paragraph that explains what next week's memo will be.
Subsequent weeks' memo: a report of who the biggest bandwidth users are (or which machines, if they are shared) and what they have been doing.
Fear and embarrassment will keep them in line. And if it doesn't stop them, eventually word will get out to whoever does have authority over the offenders.
In all seriousness: you should read BOFH. You don't need to electrocute people, though. Just learn his lessons on blackmail. BOFH has a surprisingly enlightened attitude on this issue.
Start by blocking all peer-to-peer ports. Post a message somewhere stating that you have made some changes to the network settings for security purposes, but that internet access should still work fine for all school-related activities.
If someone whines that "the network isn't working", explain that you have disabled all non-essentials for security purposes, and if they'd like to have a port opened, they need to send you an explanation of why the port is necessary, so you can verify that the port is indeed necessary.
Then... take a look at your PCs, and see how much obviously illegal software has been installed by your users. If you have a significant amount of warez, send out a memo explaining that this is very illegal, the school could get sued, etc... make SURE all school-approved software (Windows, Office, etc) is licensed, and give your users every opportunity to verify that other software they've installed is properly licensed. Whine, scream, turn off the hubs 'til they comply.... do anything that won't get yourself fired immediately.
Then... call the BSA. Let them know that there has been a lot of p2p activity on the school network recently, and recommend an audit. Anonymously, of course.
You can get rid of all your legality problems and consolidate your power as a sysadmin at the same time.
Once upon a time, social engineering was a valuable part of a hacker's skillset. I suggest buying (and reading) a copy of Dale Carnegie's "How to Win Friends and Influence People" -- or just going directly to the teachers. Tell them you're the new guy working on the networks and you're trying to analyze and optimize and [insert other technical sounding word here] the network. Ask them if you can schedule 5 minutes of their time, say next Thursday just before lunch? Explain the bandwidth problem, tell them that programs such as Kazaa and Back Orifice are not allowed on the school network. You can even type up a list of what's inappropriate yourself (and put a graphic border around it) and title it "Official District Network Acceptable Use Policy." Explain that you've been given the job to set up a firewall and set up bandwidth caps to prevent viruses and potential access to porn and pirated MP3s. Express your sympathy for their inconvenience (at this point they will admit it is hardly any inconvenience at all to have to wait to get home and download porn), and ask if there is anything you can do to help them out. You can show them a couple cool sites, teach them to defrag, dust out the chalkboard erasers, and leave an apple on their desk. Let them know that all traffic is being logged, and that your supervisor receives a weekly summary, so they shouldn't feel any need to narc on their fellow teachers. Tell them if they have any questions, don't hesitate to call you or your supervisor.
I did just that, made and grouped everyone into their respective OUs in Active Directory (300 user company), found out what programs people were using, then locked their ass down. I have a list of allowed programs, and if your program isn't on that list a nice big old error box will appear telling you that you do not have permission to run this program and to contact your system administrator. Also configed a bunch of other stuff; you can barely change any setting in Windows. It is impossible to install any software without coming through me first. This is your work PC, it's meant to do work, it's not there for you to goof around on.
Only took effect on a few people at first as most users had Win95 instead of Win2k, but I did the same thing with the NT4 policy editor, and have been slowly moving people from 95 to NT 4.0 (or 2k for those machines that can handle it).
Network bandwidth has increased (die webshots !!) and user complaints about machines freezing and crashing have gone down. I wasn't even the sys admin when i did this, but i got promoted to it afterwards.
If you get yelled at about it, a few simple clicks and rebooting the client machine will put you back where you started.
My users don't seem to mind it at all; when I give them a 'new' (redone) PC with NT 4.0 and 128 megs of RAM instead of 32 megs they are joyous and just accept that's how NT4 is when compared to Win95.
I work for a Community College that is on the K20 network.
We are forced to follow the State Acceptable Use Policy. Yes it is very difficult, if not impossible to get a change to it, but you live with it.
However, it gives us the ability to not only block via firewall, but to remove the offending software from the machines when found.
I am a freshman in a TN high school. Apparently, the teachers all ran Napster during its glory. Now all of the traffic must go through a single 486 running NT4 as a proxy. It wouldn't be so bad if the proxy worked, and we also had an ssh proxy and X servers on all the computers, but it doesn't, and we don't. I am currently experimenting with getting a command prompt through the http proxy, but I shouldn't have to. I will probably smuggle a laptop in and nmap the proxy when I get a chance, but this is all so ridiculous. How would I contact the person in charge of the school network?
The sysadmin's biggest gripe at my school - well, one of several - is that teachers are really a worse problem in terms of browsing "inappropriate" sites in school than students, but the teachers need to be handled with kid gloves when caught.
I'm the stranger...posting to
Your best bet is probably to just act without consent from those above you. Most of the time asking clueless authority figures to take a stance on specific policy is a bad idea. If you tell someone "P2P filesharing is bad" they will extend it to absurd levels of stupidity. You are the administrator, do your job as such.
A good idea is something like dummynet between your internal network and your router. You can throttle bandwidth or add queues (simulates lag) to specific services over your network according to IP addresses or service ports. You can force an even bandwidth distribution between all the hosts connecting through port 80 but throttle back the speed of anything coming through other ports. You don't necessarily have to block file sharing requests but you can keep them from dominating your network. Once you remove the incentive for people to use P2P services on the school's network they will knock it off.
I'm a loner Dottie, a Rebel.
The vast majority of comments posted to this thread would make one think that network admins, on average, are power-crazed and pretentious, performing such tasks as antagonizing the actual network users, playing bandwidth gestapo, employing such colourful techniques as outright lying to the users (after gleefully fucking them over in innumerable ways) or sending them viruses and porn in hopes of getting them fired/otherwise compromised.
I've dealt with a very similar problem. I work at a university, and we have a very fat pipe to both the internet and I2. The specific problem is students living in the dorms using all the bandwidth with P2P type traffic.
Not wanting to play 'police', we didn't stop them from using P2P, we just used our firewall to limit the total use of specific protocols and ports to 5 percent of the total traffic.
It has been a very effective solution.
Just a couple of ideas, though some are perhaps repeats of the ones already given by other people.
1. Block all ports that are not necessary.
A simple but effective way of getting rid of the leeches, though perhaps a bit draconian.
2. Use QoS, or other throttling techniques.
This lets them do it, but keeps them from hogging bandwidth.
3. Install Linux on all of the machines in the school.
This provides a number of positive effects. It gets rid of licensing cost. It teaches the students about OSes other than Windows. And it makes adding other, unacceptable, programs a bit tougher.
Personally, I would use all three of these ideas in a multi-layered security setup. First, I'd start blocking ports that I didn't want open. Second, I'd throttle all traffic that relates to P2P software, drop it to 3kb/s per user. That way, it's better for them to go home and do it. Third, I would have the school running on Linux. This would stop a lot of the users from doing anything outside the basics.
And, of course, I would audit stuff like mad. So that, if someone manages to get outside the box I have set up for them, I could go congratulate them, and ask them to keep their mouth shut on how to do it, and to keep their activities to an acceptable level, or I would lock them in tighter.
Necessity is the mother of invention.
Laziness is the father.
at a school district in Washington State to end the P2P problem. Well first of all, there's higher ups who understand the legal implications of running a P2P program, so we got those type of programs banned by the administration. Then we gave the teachers a week to remove the programs from the machines in their classrooms. After the week was up, we made it clear that if the programs were found running on the network without permission first, they'll get in some serious trouble.
Problem solved and our bandwidth usage dropped by half.
My suggestion is to get some news articles online about Microsoft smacking down school districts and show them to the administration and point out if your teachers download an XP program that "calls home" and tries to register it and Microsoft traces it to your district's IP, the school had better hope they have some serious bucks to pony up to Microsoft.
I'm not sure what it is like over in your area, but here in Washington State, according to the K-20 AUP (the state-wide telecommunication network), one may not use the K-20 network for illegal activities, and I would assume trading warez and MP3s would constitute illegal activities. So I would contact whomever provides your bandwidth and see if there are any AUPs that ban those kinds of activities.
Tell your principal that people trade porn on p2p networks (true) and come up with a (greatly exaggerated) number of porn files on a given network on any day. Yank that number out of your rear - it should have an impressive number of zeroes in it, though. Knee-jerk reaction will kick in, and the software will be banned instantly. Just make damn sure you will never, ever have a legitimate need for p2p on your network - once it's gone, it's gone.
I'm the stranger...posting to
Obviously, you've never worked in a school environment before. I'm guessing you're corporate, but at a much smaller level (even Fortune 500s have more politics than your work). Small but growing regional business? Anyways, let me get back on topic.
I briefly worked on a small-scale rollout project for a major (top 50 in population) city school system. There were ongoing political issues at the superintendent level, unrelated to our technical problems, but likely to affect everyone's job one way or another. But virus problems were becoming impossible to deal with, so they moved the date forward for another rollout project, and added a Norton AV procedure.
Let me tell you, even the smoothest Windows rollout project sucks, they are never interesting no matter what. You never learn much, but when times are tight like they have been...
Well, the firm I usually deal with calls up with this job, and they tell me 5-7 months of steady work. Those in the know, know that this means at best 3-5 months of less than 40 hours per week, but that was figured into my equations. They make it out that this is as simple as it gets, just me and another fellow, to make it last longer, and spread out the cost for the school system (Don't these places have an annual budget?!? Don't ask me...). No problem. Only after a while does it become apparent that this guy was only barely competent to begin with.
Well, this tech firm (which will remain nameless, they've sued ex-employees before over such) put the new sales rep on the school. That was bad. When the school says they just want the 2 grunts, and want to use one of their admins for the project manager, he agrees. Doesn't even diplomatically suggest different. He meets with her several times, still doesn't suggest otherwise. She was, unfortunately, a total ditz that apparently passed a CNE bootcamp course a few years back. But if her technical competency was horrible, then her management skills were absolutely abysmal. This had disaster written all over it, right from the beginning.
Well, you remember how I said that it was a rollout already planned? Well, the bulk of it was for some Novell Netware software, ZENworks client, a few other things that I never actually learned of. Well, the ditz CNE's boss (also a woman, hate to be sexist but...) was having a power lunch with the VAR who was pushing the NW software. And she signed the deal, I think this was for at least $90,000... only this particular software only works with NT. There was no Netware equivalent. 100 grand, gone like that. I don't know what was worse, that she would buy software that she obviously had no clue about, or that there is a VAR out there that sleazy.
I go into the briefing, just the tech firm, no client people there. I ask, time and again, was this tested, was that... "Yes, everything has been tested thoroughly, we expect you to be able to do the installs 20 minutes tops, per station". We start the next week, at City Hall (the admin offices are the top 3 floors). It's a total mess. The dumbass CNE/admin decides that first morning, that she would like us to do an inventory at the same time. Hands us some copies of paperwork, standard SN, asset #, etc. We're talking close to 25,000 machines throughout the school district (though not all are in scope for this rollout, maybe only half that). What does she think, that it means anything on paper? Is she gonna do data entry herself, when we turn these in? Or is she just trying to sabotage us even more?
In the administrative offices, there is a mixture of Win95a/win95b/win98/NT4/win2k. Wide variety of machines, including some new ones being installed by school technicians. The new ones are compaq... but they have no contract with compaq at all. I'm guessing Compaq salespeople somehow knew what a mess it was, and wanted nothing to do with it. We are given nothing at all like real procedure documentation... I could write docs better than this. A single page. 1. The grammar was awful, and it basically said install this software. We ended up discovering for ourselves just what options were needed. In the offices, close to 1 in 3 machines broke badly when installing the software, even after we figured out the correct options. Bloated registries, version dll soup, user installed software, all kinds of different things. We were spending up to 2 hours per machine, and the one week at city hall turns into 3. The sales rep lets us know the client is a little bit upset, and can't understand what the problem is.
Well, we move on to the first school. God, it was horrible, when I was in school, there were 3 Apple IIe's in the science room, for a month (They got switched out to another school in the county after that). In this school, there were no less than 14 computer labs, all with 20+ machines. Every other room had at least 1 and sometimes 2 machines. 95% PII+. What did they teach these kids? Well, they taught them to be secretaries and other minimum wage type things. Any number of incredibly cool things to be teaching them, but no, just word processing, maybe spreadsheets (though I could never confirm that one).
We get there, and no one has even heard there will be any work done on the computers. 2 days to straighten that out. We can do work now, but only after 2pm (but the doors lock at 4pm, have to be out by then). Most of the labs lock all the keyboards up, and no one has a key (apparently they get vandalized or stolen). Lose another 3 days there. We get permission from individual teachers to do this, before 2pm. But code red alerts happen at least twice per day. This is when even though the bell rings, and it's time for a new class, the kids all have to stay in the current one. The teacher locks the door, and the sheriff and deputies go through the halls grabbing all the dope dealers. Code reds never happen at a set time, so we end up missing a progress meeting with the ditz CNE. That was bad.
Then, most of the lab machines are win95b, but haven't been reinstalled in over 4 years. Registries bloated so badly, that maybe only 15 out of 25 machines in any given lab are usable (and they've been like that for months, since the school techs refuse to support any machine not in the administrative offices). Of the 15, roughly 5 will have one set of win95 lockdown software on them, another 5 will have a different lockdown software, and 2 will have a third lockdown app. The rest have none. No one remembers or ever knew the passwords. When we do manage to disable it, if we can, it takes forever to learn just how to make it behave. But once our software install is complete, the machines become more unstable than anything I have EVER seen before. We end up rendering an entire lab unusable. We call up the ditz, she says if they still boot, proceed. They do boot up (most of the time), so we end up doing every lab in the school. We end up rendering all of them unusable. Complaints fly all over the place.
The sales rep arranges an emergency meeting with the ditz, her boss, and us. Plus another engineer from our firm, whose competency I also question. We explain everything, including how this could only be expected when absolutely no testing was done beforehand. We explain that win95 is completely unsuitable, but even more so, when it isn't pristine (which is unbelievably generous, these had NEVER been reinstalled) you'll see these sorts of problems. We explain that the lockdown software is part of the problem, but not all of it. So they decide that the other tech will go work on another project, and that I and the engineer will go see if there is any salvaging it. We manage to go back to one of the labs we'd done. 2 hours there were enough to convince him (I winced at first, the first machine he turned on had almost no problems). Every machine would BSOD. It would do the windows partial freezes, the buzzing mouse, all your favorite win95 problems. Some of the machines died at bootup, conflicts with the lockout software. He agrees that we can't go on as we had.
So, we make a proposal to spend a few weeks building install images and doing testing. We'll install 95 back on them, since that's all there is for licenses, but it will be pristine, each machine will have an identical image build. We'll standardize on one lockdown app, with documented passwords, etc.
Offer rejected. Too much embarrassment, I think that we made it clear that we had a clue, and all along knew how retarded they were. Also had a little bit to do with their strict no reinstall policy (I'm not making that up). Seems that at least 3 other depts had claims on certain machines/labs, donations and what not. And there was enough inter-departmental rivalry, that IT wouldn't reinstall OSes, mostly because each dept wanted the same apps installed that were on the machines when donated. Which is utterly ridiculous, since M$ Office was all that was ever used.
I got 6 weeks' worth of paychecks out of it. For trashing an entire school's worth of computers. Which, as far as I know, are still not functioning. Not that anyone cares. I do in a way, but have zero control over any of it. Makes me sick that my tax dollars pay for it.
Solution for the original Slashdot asker:
Find another job in a non-k12 setting.
Nothing can fix your situation. You may be the only one there qualified to teach anything having to do with computers, and you are not a teacher. The computers are a waste of tax dollars in their current capacity, and are only ever used for the most outrageous abuses. The shit will hit the fan, though maybe not for awhile yet, and you do not want to be there when it does.
The sad part about schools is that the bureaucracy is thick and goes on forever. Just do what my boss always told me: "Act now and ask for forgiveness later."
Seriously though, just block or limit it. If someone somewhere complains with a *valid* complaint, such as a teacher needing to download Bach for their music class, let them through. Policies eventually come back to bite you in the ass, don't bother trying to make new ones unless you have to.
When I set up my first webserver at my High School, we didn't look around asking for permission and policies. We just did it. 2 years later when the rest of the staff discovered the Internet, the administration allocated resources (a teacher) to maintain it and take it off our hands. No harm done.
Thankfully, our K-12 district was online with a T1 way back in '94, so we were able to work out a lot of these problems early before they became potential disasters.
1) Firewall & Proxy Server: Allow all information to go in and out of port 80 through your proxy, and block all the rest of them, period. Occasionally, there will be some class projects that actually do need additional ports open (webphone links to Congressional events, for example), but you can open and shut those as need be.
2) Because you hold a ton of responsibility at that school, you also hold a lot of authority. Show it. The only key is to make sure that you have support from the administration. Talk to the principal and assistant-principal/s and tell them specifically this:
"The teachers in this school district have been and still are pirating illegal software and music online. The activity is undoubtedly illegal and needs to be stopped. There have been instances of software companies suing school districts because they have discovered the activity as it was taking place, and if that happens, the district will lose millions of dollars for the illegal software. Not only this, but the technology that we are supposed to be using for educational gain is instead being supplemented for illegal use, and those who try to use it for educational purposes are being limited by the personal activities of the teachers. We need to stop this now. I suggest we hold an informative meeting right away about new computer policies that need to be established so that we can get the most educational use out of this technology for our money being spent on it."
If that does not get the administration on your side, leave the district; if something goes wrong, guess who's going to deny any understanding of what went on? Everyone. Guess who's going to receive 150% of the blame? You are.
As soon as you have the support from the administration, pass out policies and have teachers sign them. Let them understand that you will not be held responsible for their own actions.
I know I sound harsh in this plan, but you do not want to be caught holding the buck when something goes wrong. There are a lot of teachers who will take a foot when you give them an inch. Don't let them walk all over you when you're the one responsible for the use of the network.
Look at it this way: I wouldn't expect that the teachers there would be very happy if you interrupted their classroom and passed out test answers during class, since you're disrupting the process of the students' education. Don't let them do the same to you.
I didn't bother to wade through most the messages, so this might have been said, but
My school uses a program called Deep Freeze, what it does is it stores an image of the computer as the Admin sets it, and then when a user logs off all changes made are undone and it's restored to the image.
When students (and teachers) have to save a file, it's done on a separate fileserver. It's mildly inconvenient for us students, but tech people don't have to reformat every computer once a month anymore.
I found this review of it: http://www.ncesd.org/etsc/etug/pricelists/DEEP%20FREEZE.htm and here's another site with some info: http://www.winselect.com
Explain that the school needs a "security policy", for the "protection of the children". Use one of the many government policies out there as the basis. Get "buy in" from teachers, etc. by telling them it will stop spam and viruses, etc. Anyone who objects is risking liability, endangering the children, being obstructive, etc. Tell everyone that everyone else thinks it's a great idea. Make sure the policy is nice and general.
Once the policy has been accepted by administration, implement it selectively. Anything you don't want to do is too expensive or has technical problems, but the things you want to do are cost effective and achievable.
The important thing is to get the authority by doing what is obviously common and good practice - having a security policy. There's plenty of time and ways to abuse the authority once you get it.
If you're in a California school district, I'd recommend the GAMUT software. It's a monthly subscription service with legal policies and sample language for every item in the California Education Code. Works great - just pick and choose the policies you like, tweak them for your district, and put them on the next school board agenda for approval. Once that's done, you introduce the policy to the staff. If you're the Director of IT, you're already in administration and you're all set. If you're not in administration, then present the issues to your superintendent, and get her support. Bring it up at the next staff meeting, if you must. Once the policy is in place, and teachers understand the issues (bandwidth, copyright, liability, etc.), then see if that gentle method works. If not, then simply use network security to tighten things up. There are many resources online for free or cheap firewall solutions that can stop most P2P apps cold. At my district (http://www.buhs.k12.ca.us) we simply block the default servers for most P2P apps at the firewall for standard port 80 traffic, and then block the default ports for Kazaa/Morpheus/LimeWire/Bearshare/AudioGalaxy and the rest. Simple, effective, no whining involved. If teachers complain about the lack of P2P availability, refer to the written policy, have them specify the educational benefit of the service, and have your superintendent sign off on it. If she signs off, then you've done what you could, and be on your merry way. Email me directly if you'd like more specific practical solutions for a K-12 school. It's what I do for a living.
Regards,
Joe Griego
Dir., I.T.
Bishop Union Elementary and Bishop Union High school districts
Bishop, CA
Don't Die Wondering
While I was still going to my 8-12 school (a few years ago) I did some work for the current computer science teacher. I also fixed the network (they are still doing this; my little brother goes there) as they were having very similar problems. I found a program called Deepfreeze; it is cheap and it restores the harddrive to how it was when it was installed. All saving must be done to a disk or burned on a CD (unless you know the password). It will bring it back even if they fdisk the drive, as soon as they restart. The only way to get around it is to run a linux shell and disable the program that way. It is still very complicated to do that and even the average computer geek is not able to. Check out the website at http://www.deepfreezeusa.com/ .
Get more bandwidth.
Ok, so maybe the p2p apps don't provide much 'educational value', but shouldn't teachers be given a little leeway as far as what they do on their work computers?
As far as legality goes, well, that's not a problem with p2p software itself is it? after all "guns don't kill people...". By banning P2P software outright, you're no better than the RIAA or MPAA or Mr. Fritz Hollings.
Finally I'm not actually sure that having mp3s, etc, is illegal, only the act of transferring them to others is. Not sure about that though.
Anyway, if you can't write policy don't. Find a technical solution. Like more bandwidth.
autopr0n is like, down and stuff.
As a senior in high school and one of three student administrators in my 2000+ student high school, I have seen (and helped) with many issues such as this. However, you are not going to be able to resolve this problem with technology only, there needs to be other policies in place.
Any actions you choose to take or network policies you implement will be very unpopular. Almost daily I get complaints from people who wonder why their 2 gigs of ISOs were deleted from their network drive, or why they can't download mp3s at school. It usually takes a week for someone to figure out a way around new policies or some alternative way to download mp3s or whatnot.
However, we do have an AUP that everyone must sign that states these activities will not be allowed and will result in disciplinary action. Unfortunately, they are rarely enforced and as such people get away with just about anything.
After three years of helping resolve these issues and spending hours trying to limit network traffic to what it should be used for, we have adopted a new policy that I am very disappointed in. Our computers previously all had their own public IP address, but we are now switching every computer to a private address. Not because we have run out of IPs, but for more control. The only network traffic allowed now is internal traffic, and the ONLY way out is through a private http proxy.
This means I can no longer telnet into my linux server at home, I can no longer download my computer science homework from my home computer... you get the idea.
So, I urge you to seek support from the district's administration, implement an AUP, make sure the consequences for violating it are clear and strictly enforce those. Once someone loses their account and computer access for a month, they will think twice before downloading that VCD at school again.
What you want is equal access for all and no bandwidth hogging. You need to set up a firewall with rate limiting. But not based on port but instead based on workstation. Because the problem isn't one of which service or program is being used. But that when some kid does his research from the computer room he isn't competing for bandwidth from the bandwidth hogs. Every workstation gets throttled after an acceptable amount of bursting. If you're doing research the only thing you'll notice is that surfing is faster. If you are downloading large files and sharing files you will only see the hit if you go past a certain threshold. From there you can fine tune it.
Check out iptables' queues in the netfilter package on linux. There are a lot of HOWTOs for them. Don't start out too confrontationally or you may find your butt replaced.
If you find you really need to kill off some P2P access throttle them down to 0bps for 1 minute after every 10 minutes of bursting access; TCP/IP will take care of the rest. Just know that they can and will switch to P2P software that works through firewalls and proxies and such.
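An added illustration of the per-workstation throttling the post above describes (example code, not from this thread or any poster), which also folds in the "all P2P shares one modem's worth" idea from the Packeteer post further down: a POSIX sh script that emits Linux tc/HTB commands. The interface names eth0/eth1, the 1.5 Mbit/s uplink, the lab host addresses and all rate/burst figures are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: per-workstation bandwidth limiting
# with Linux tc/HTB, plus one shared 56 kbit/s class for known P2P ports.
# Assumed (hypothetical) topology: eth1 faces the LAN, eth0 faces the uplink.
# Downloads are shaped where they leave eth1, uploads where they leave eth0.
# Commands are only printed unless APPLY=1 (then they run, which needs root).

APPLY="${APPLY:-0}"

# Well-known default ports: FastTrack (KaZaA) 1214, Gnutella 6346/6347.
# Clients can move to other ports, so this is a speed bump, not a wall.
P2P_PORTS="1214 6346 6347"

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# shape_dev DEV DIR TOTAL HOST_RATE HOST_CEIL BURST HOST...
#   DIR is "dst" (traffic going to the hosts, i.e. LAN egress) or
#   "src" (traffic coming from them, i.e. uplink egress).
#   Each host gets an HTB leaf: guaranteed HOST_RATE, may borrow up to
#   HOST_CEIL while the link is idle, and BURST bytes pass before the
#   limiter bites (the "acceptable amount of bursting" from the post).
shape_dev() {
    dev="$1"; dir="$2"; total="$3"; rate="$4"; ceil="$5"; burst="$6"
    shift 6
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 2
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$total" ceil "$total"
    # 1:2 catches everything not matched below (servers, unknown hosts).
    run tc class add dev "$dev" parent 1:1 classid 1:2 htb rate "$total" ceil "$total"
    # 1:3 is the shared P2P class: every known P2P flow on this device
    # competes for one modem's worth of bandwidth, whoever sends it.
    run tc class add dev "$dev" parent 1:1 classid 1:3 htb rate 56kbit ceil 56kbit
    # Downloads arrive from the remote peer's listening port (sport);
    # uploads go to it (dport).
    if [ "$dir" = "dst" ]; then pkey=sport; else pkey=dport; fi
    for port in $P2P_PORTS; do
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip "$pkey" "$port" 0xffff flowid 1:3
    done
    n=16   # leaf class ids start at 1:10 (hex minor numbers)
    for host in "$@"; do
        id=$(printf '1:%x' "$n")
        run tc class add dev "$dev" parent 1:1 classid "$id" htb \
            rate "$rate" ceil "$ceil" burst "$burst"
        run tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
            match ip "$dir" "$host/32" flowid "$id"
        n=$((n + 1))
    done
}

# Constructed sample: three lab workstations behind a 1.5 Mbit/s (T1) uplink.
LAB_HOSTS="10.0.1.10 10.0.1.11 10.0.1.12"
shape_dev eth1 dst 1500kbit 64kbit 512kbit 200k $LAB_HOSTS   # downloads
shape_dev eth0 src 1500kbit 64kbit 256kbit 100k $LAB_HOSTS   # uploads
```

With APPLY unset the script is a dry run, so the generated rules can be reviewed before anything touches a live interface.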
Worry more about cleaning up the mess and creating administrative policies one at a time. If the network bandwidth already sucks you may have an easier time than you think getting things running smoothly again. Set up Squid or some other proxy, then kill all the ports, and open up IM and other apps as people complain. Just remember to distribute a memo beforehand on how you will be making changes to the network to speed up everyone's access. Don't mention all the other stuff. Just make it clear that you will help anyone that is having problems.
A word of caution. Don't try to implement NAT at the same time as you do this as everybody's IM will stop working and you will have to set up port redirections for everyone at the same time to fix their problems. They will probably make you feel the heat.
You can also do a stealth method but people will think you don't know what you are doing. And that you are causing the network to fail.
I would take the network down a few times during peak times and when they complain, blame it on P2P traffic. Most would rather have the network all the time than the P2P and other services sometimes.
Once you have their support, analyze and gather data. Get proof of how much network bandwidth is being consumed by non-educational applications. A good sniffer can do this for you. I'm an old school Mac user. I use Etherpeek for this task. It's cheaper than most other sniffers. You could also see if a peer school could assist you if they have already purchased a sniffer. That would save you some cash up front. Gather the data. Graph the results (suits are usually illiterate so you'll need nice pretty graphs). In your initial report, don't list specific people. K-12 school politics run rampant. If some jackass teacher thinks you're infringing on their "rights", they'll run screaming to their KNEA rep (or whatever it's named in your state). Then you'll lose your suits' support. Keep it personnel neutral unless they ask for it. Present to the suits how much this non-educational software is costing the school district in the form of bandwidth and how it's affecting educational uses of the network. Find horror stories of what allowing the students to access porn, warez, and other things like that have cost other schools. Throw in a bit of security preaching too. Show them the effects of lack of security (defaced websites, compromised personal information, grade altering, etc.). Demonstrate a few of the apps for these people. Show them how to find a copy of Photoshop on the 'Net. Then show them how much it costs in a magazine. Toss in a little threatening material about the bastards that threaten to sue you if you don't let them install their auditing software. BSA, IIRC. Show the suits how you can save money by eliminating the non-educational uses of the I1 bandwidth (don't attack local traffic, just 'Net traffic). Emphasize the use of cheaper (read: free) alternatives like Linux for firewalls. Remember, money counts right now. Money, security, etc. should do the trick. Good luck!
Why in the hell has the job of system administrator for an entire school system been given to someone who hasn't a clue about setting up a firewall and closing ports?
Good god. No wonder their classrooms are filled with porn-guzzling, warez-pirating teachers. They are applying the same low standards to the hiring of teachers as they are to sysadmins.
No, no, no. This is not a sig.
Politics!
Anyone who says otherwise doesn't have a real job in IT as an admin. If you get political backing for your mission, the rest is easy.
This is a policy issue not a technical issue. I'm assuming you know how to do the necessary firewall/proxy work if the policies are in place. Well, in your place this is what I did:
Write a list of policies with detailed explanations of why the policies need to exist. My list was simple enough for the sales dept. Pass the list on to your supervisor telling him these policies need to be put in place by someone who has the authority to do so. He doesn't have to do any work, he just forwards the policies as though he wrote them.
If the users don't like it, tough. If you alienate them, who cares? It's the right thing to do, and that's all there is to it.
public school? bandwidth for warez, virii and p2p?
Just say no. Why is this so difficult?
Let them go to the administration or taxpayers to ask for money for Kazaa ware.
If you were guardian of the paper clips and pencils, you'd have no problem defining appropriate use policies.
Same thing here. Money being spent. Bits are not free. Picture your taxpayers finding out the use of bandwidth on your net, when you go to them to ask for more money for expansion for legitimate needs.
Get a spine.
If you don't want to just outright block everything, you could always set up an IDS to track the usage of the problem clients. Whip up some scripts to create a summary of userids and what they were downloading and how much bandwidth they were wasting (include some $$$ amounts). Post it up where everyone will see it.
Also, read BOFH.
----
All of whose base are belong to the what-now?
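An added example of the usage summary the post above suggests (not the poster's code): an awk report over a constructed connection log that totals bytes per user, flags the P2P share by destination port, and prices it. The log format, user names, addresses and the $10 per GiB figure are all made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the "summary of userids, what they
# were downloading and how much it cost" idea, built from proxy/flow log
# lines with awk. The log format is constructed for this example, one record
# per connection:
#   DATE TIME USER SRC_IP DST_IP DST_PORT BYTES
# Cost is charged per GiB of P2P traffic at a rate you pass in (assumed value).

tab=$(printf '\t')

# write_sample_log FILE: constructed sample records, not real data.
write_sample_log() {
    cat > "$1" <<'EOF'
2002-03-04 10:15:02 jsmith 10.0.1.10 192.0.2.1 1214 52428800
2002-03-04 10:16:40 jsmith 10.0.1.10 192.0.2.1 1214 52428800
2002-03-04 10:17:03 abrown 10.0.1.11 198.51.100.7 80 2097152
2002-03-04 10:20:11 abrown 10.0.1.11 198.51.100.8 443 1048576
2002-03-04 10:21:55 cdavis 10.0.1.12 203.0.113.9 6346 104857600
2002-03-04 10:30:00 jsmith 10.0.1.10 198.51.100.7 80 1048576
EOF
}

# summarize_usage LOGFILE COST_PER_GIB
# Prints one tab-separated line per user, heaviest P2P user first:
#   user  total_MiB  p2p_MiB  p2p_percent  p2p_cost  dominant_service
summarize_usage() {
    awk -v cost="$2" '
        # Classify by destination port. Well-known defaults only, so a client
        # moved to another port shows up as "other" rather than being hidden.
        function label(port) {
            if (port == 1214) return "kazaa"                 # FastTrack
            if (port == 6346 || port == 6347) return "gnutella"
            if (port == 80 || port == 443) return "web"
            return "other"
        }
        NF == 7 {
            u = $3; b = $7 + 0; l = label($6)
            total[u] += b
            bylabel[u, l] += b
            if (l == "kazaa" || l == "gnutella") p2p[u] += b
        }
        END {
            # dominant service per user = the label with the most bytes
            for (k in bylabel) {
                split(k, parts, SUBSEP)
                u = parts[1]
                if (bylabel[k] > best[u]) { best[u] = bylabel[k]; top[u] = parts[2] }
            }
            for (u in total) {
                share = (total[u] > 0) ? 100 * p2p[u] / total[u] : 0
                printf "%s\t%.1f\t%.1f\t%.1f\t%.2f\t%s\n", u,
                    total[u] / 1048576, p2p[u] / 1048576, share,
                    cost * p2p[u] / 1073741824, top[u]
            }
        }' "$1" | sort -t "$tab" -k3,3nr -k2,2nr
}

# Stand-alone run on the constructed sample at a hypothetical $10 per GiB.
log=$(mktemp)
write_sample_log "$log"
printf 'user\ttotal_MiB\tp2p_MiB\tp2p_pct\tp2p_cost\ttop\n'
summarize_usage "$log" 10
rm -f "$log"
```

The report deliberately keys on user ids rather than IP addresses, which only works when the proxy or firewall logs authenticated users; for a DHCP lab without authentication the SRC_IP column is what you would have to fall back on.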
My school (A K-12 boarding institution with 2 T-1s and 550 students) had the same problem. The solution? A box called a "Packeteer" (brand name, unsure of the manufacturer) that sits between the firewall and the network and analyzes incoming and outgoing packets. All data for Kazaa, morpheus, etc. is throttled down so that all those services share the equivalent bandwidth of a 56k modem. We're not blocking it, so no tricky political situation, we're just keeping it from hogging our pipes. Of course, the services are rendered useless because 550 users cannot possibly compete for 56k worth of bandwidth and get many packets, but that's not our problem, is it?
--Bennett Prescott
Former Lord Of Packets
You're worried about this? You sure you're a sysadmin? :-)
Anyway, start by firewalling the route to the Internet and limit access to only those services reasonably necessary in a K-12 environment (I'm guessing http, ftp, and smtp for starters, your list will vary of course.)
You then follow up with a polite email/memo regarding the dual requirements of security and cost minimization, and that's why access has currently been limited to what you've enabled. Be sure copies get all the way up the food chain; hand-deliver if you must.
I'm assuming you are with a public school district, i.e., you receive your funding from public tax money. If so, you make sure your memo gets into the minutes of whatever your next public meeting happens to be. Phrase it nicely: "we've done this to minimize financial impact on the district and enhance security for our students."
Here's your dash of evil. By all means invite written requests for additional access. Log those too, and get them into the minutes of the next meeting. Don't forget to get names!
Not many people want to be in the limelight for grabbing pr0n and warez, and especially not if you make it look like they're doing so on the public's dime.
I don't need to mention the profit potential here, do I? A port or two quietly opened up in exchange for a small number of unmarked non-sequential pieces of currency can do wonders for your finances. You do deserve a decent vacation this summer, yes?
Jack
Suggest application layer packet filtering. It's expensive, but you can get E-Rate funds for this.
Do what I do - send out an email saying you are upgrading / installing a firewall (OpenBSD is my choice :), block all bad ports, if they come complaining say you are working on fixing an email or a web problem - they'll forget in a few weeks :)
- When all you have is a hammer, everything looks like a nail -
Yup, huge multinational corporations are being ripped off, what better way to fight it than to antagonize your fellow coworkers!
autopr0n is like, down and stuff.
If you've been given responsibility of managing the networks and systems then you have been given the rights to stop whatever you see fit.
An admin's job is to make sure the network works smoothly within the parameters of its use. The admin can't change the parameters of use. Unless he can get the school to change its policy.
autopr0n is like, down and stuff.
This brings up a great point...and I think the problem is one of communication between faculty and staff (are those terms used outside of Universities?) It's usually bad at this level (in my experience).
The best way to go (in my opinion) is to start compiling stats... show graphs of what the net is being used for, and make them public...then show them to everyone...then sit back. When the teachers complain "the net is too slow for my class" point at the graphs and show them how the bandwidth is being taken up.
Emphasize that bandwidth is a limited resource and people need to learn to share it. Frankly it's not really a problem (given that none of us are lawyers, I will ignore the legal angle... which is full of nastiness, loopholes, conditions etc etc) if someone is using all the bandwidth, until someone else needs some.... file sharing isn't the problem...it's irresponsible and uninformed use of bandwidth that's the problem.
In fact, this is what we do. Our NOC put up router traffic graphs for all the segments. They point people to them... many of our students know where to find them and do look at them. We also bandwidth limit the segments now so our real initial issue (segments being saturated) isn't much of an issue...
Heavy handed tactics are just plain bad all around. They foster dislike between people who should be working together. Frankly, when people are made aware of the issues involved, they tend to act much nicer.
Frankly, I think if we spent half the time and energy that is currently spent bitching about how bad things are and how dumb people are on giving people the tools to understand and educating them, then we would have a hell of a lot less to bitch about.
In short... treating symptoms (p2p network usage) only gets you so far, and guarantees that you will have to fight this same battle again, in a new form.
-Steve
"I opened my eyes, and everything went dark again"
To the IT guys who make ~60k+/yr: realize these people, who are teaching your kids, make 30-60k @ most. If you can, make it a perk of the job.
I'd much rather they spend their time thinking about how to help David learn math instead of trying to figure out why LimeWire isn't working. I like the idea of restricted use 4pm - 6am. Funnel that down if bandwidth is still a problem.
There will always be people who abuse the system, but don't play the lowest common denominator game.
-L
I want one good reason to have P2P software in a school at all. Is there anything educational that can only be used or found using P2P software? Can anyone here make a point that the pros outnumber the cons when P2P is in a school?
I have a similar problem at my school. I just took over the sys admin / head of technology job at a small private k-12. We also just installed a new 3Com VoIP system so now bandwidth is critical to smooth network and telecom operations. The way I solved my P2P problems was to simply cut them off at the firewall level, use firewall packet filters to screen out undesirable attachments, and then use an email virus scanner on the SMTP server to scan what does come thru. This has worked really well for me so far. With over 250 users and 660 computers we have been spared the majority of widespread viruses and worms due to Outlook. As far as P2P goes, it was almost impossible to stop the students (and some faculty) from installing it. Trying to keep the computers locked down so software could not be installed without permission was too difficult to implement with a limited tech staff and "Now Now Now" type demands from teachers. By cutting off the P2P at the firewall level it saves me TONS of bandwidth and the users just give up trying to make it work, and do not complain b/c they know they aren't supposed to be using it in the school environment anyway. As far as setting policies I was able to draw on published ones from other schools and re-work them to meet my needs. Also talking to other school sys admins and then using that info to approach school directors who are not tech people but understand legal issues and wasting resources. I was able to make arguments like "At school xxx they had the same problem and implemented this policy to keep a handle on it" stuff like that. I've found that the non-tech school admins are unwilling or unsupportive in writing tech policies b/c it is out of their range of knowledge and they are afraid to expose their ignorance to their peers.
By bringing them a Ready-Made-Plan I've found it very easy to push thru my own policy ideas to keep the network running, reduce exposure to legal problems and maintain sanctity and control of the systems. Dustin
I work for a small higher ed institution, facing this exact problem. Being higher ed, the term "ban" doesn't go over well with anyone (particularly myself), but usability dictates you do something. My solution was to install a PacketShaper 4500 behind our gateway router, which in the first fifteen minutes, recovered its value twice over in terms of recovered bandwidth. Users performing "academic" related pursuits get priority, as dictated by university policy, but the students still get unlimited access to do whatever they want when the "academic" applications aren't hogging the line. This box is disturbingly smart, paying attention to the application type, not the port number, meaning napster on port 80 is still treated like napster, not http. Very slick.
This comment was not generated by Uber Elephants...
Two years ago when they opened the current High School the (IT) plan was to deliver all applications to the desktop through the implementation of powerful servers. This prevented the students from saving to the C:\. At about midterm the "non saving C drive" had been cracked so many times that the restrictions were laughable. Last year they took off the entire deliver applications to the desktop approach in favor of a piece of hardware that allows for the deletion of temporary files (any new file) created since the last reboot. This has been probably one of the best ways to ensure stability of the computers. The network procedures are some of the most easily defeated. We use a URL blocker for web requests. This solves most problems, however several other ways exist to get around the "fire wall". There are the anonymizer proxy services, and translator pages. In addition to this the network administrators have not blocked P2P specific port traffic on the LAN because they are unsure about what other traffic happens on the same port. The school's network is wonderful for using a P2P service, connecting to a MUD, warez-ing, and many other shady actions. As an informed student I laugh at the AUP (Acceptable Use Policy). The idea that they can track down my few requests through the thousands upon thousands of requests others make daily is extremely unlikely. In addition the enforcement of the AUP only happens when there has been a serious breach of security.
I'm a highly tech-savvy teacher (gave up a tech career to spend my days dealing with 13 year olds, yadda yadda) in a district that's, well, not so tech savvy. Tech savvy people are rare in K-12, and they usually don't last long. They just don't work very well within the "establishment" -- just look at the comments on this post.
One thing I will say: teachers are not your enemies. Sure, they're mostly clueless technophobes, but they're also human beings who get kicked around and treated like dirt by everyone, on a daily basis: students, parents, administration, district, and state officials are all guilty. Don't get me wrong -- complain as we might, most of us think it's worth the pain (and the rest quit). But we don't like it.
You'll have much better luck working with the teachers. I'm sure they all notice how slow the network is. Meet with them, discuss their priorities -- it will come up. When it does, tell them you've noticed a lot of software downloads. Name the programs, talk about what they do, and say "those are tying up our limited resource. Sometimes they're useful, but for the most part we don't need them at a school. If you can spread the word that teachers should avoid using these things during school hours, we can all enjoy a faster connection immediately." Remember, teachers sacrifice daily for the greater good. We know what that's about. You'll find this method to be more effective than you might expect.
I think you'll find your life much easier if you present yourself as an ally of the teachers, instead of an adversary. With an easier job, you'll be more effective. That might net you a promotion ("might" because this is gov't, after all), and with that promotion better ability to make and modify policy. And so on.
Keep at it. K-12 needs you.
In college I co-oped as an assistant sys admin in two different IT departments. I know exactly the same problems you are having and for us it was impossible to fix some of them. But since you're in a K-12 facility, and you appear to have sole control of the network then you should have an easier time. Our problem primarily stemmed from multiple IT departments battling each other for control of the network instead of working together to solve our problems.
The biggest problem I see is that teachers will actually look down upon IT workers as peons to do their bidding. Often we would ATTEMPT to stop professors from installing their own software on instructor work stations in classrooms (we found morpheus kazaa etc...). Also virii was a problem introduced by students who thought it would be funny to destroy a workstation. Our solution to take control of the workstations was simple but powerful. We managed 4 classrooms in one department which saw continuous virii infections and vandalism (obscene marquee screen saver messages, porn desktop backgrounds). We took control of the workstations quickly and with an approach that did not limit their usability. First we kept windows 98 on the aging but still usable pentium 233's and made a "virgin install" using only software that pertained to the courses that used those systems (including virii software). We then imaged it using partition magic and stored the image on a hidden partition in each system (2 primary dos partitions created by partition magic, win 98 only sees the first primary partition.) We then wrote a script for PM that deleted the partition and then recreated it and restored the image on EVERY reboot. This completely solved our virii and vandalism problem while still letting the students and professors have full system control without using crappy software like fortress. Even if the student was knowledgeable enough to delete the image partition we just used a cd with the image and it took just a few min to bring the system back to normal state. We could even use the network to restore using dos lan services.
Although this won't solve the network problems of p2p and virii on non faculty systems it does let you take back a lot of control on what is installed on student workstations.
You have a problem on a couple of fronts.
Social Behavior - you have teachers acting irresponsibly and unethically. Frankly, teachers should know better, and they ought to conduct themselves in such a way that demonstrates responsible and ethical behavior to their students. Inform building principals of this behavior (and its implications) under the context of "not wanting to get anyone in trouble....yet." Building principals usually get twitchy when unethical behavior and whittling school resources are mentioned at the same time. If the behavior continues, get someone in a little bit of trouble.
Technological - this is probably the easiest front to handle, since it is your training. IMO, the best option for you is a filtered http-only proxy (for now). Add the "starting points" of these p2p programs to the filter's block list (to stop tunneling...just in case :-) ). Because there is a legitimate concern for filters blocking sites of educational value, make an easy procedure/form for getting a site unblocked. You can actually leverage this to your advantage in a lot of areas, because these naughty behaviors flourish when no one is looking. By having a form that a teacher has to fill out to have a blocked site unblocked, it forces these people to record their intentions to paper. I doubt any teacher would be so bold as to request to have a warez site unblocked, but the presence of a form also raises the potential of having "no" as an answer. I doubt anyone would be so bold to push it farther than that...if so, then your district has worse problems than low bandwidth.
Also do some research into e-rate, which offers schools fractional or full T-1 at reduced rates. It is (or at least was) a federal program, and it required applicants to filter sites. It may provide justification for installing filters in the first place. Also research state grants for technology funding that require filters (just in case you aren't already using them). Talk to your colleagues in other area districts, or other districts in the state. Visits to larger districts should be fruitful. Many independent schools also have a strong tech program, and have jumped all of these hurdles already. Most educational IT people are happy to meet with colleagues, share ideas and complain about annoyances. Running a tech program at a school has a number of unique challenges, that frankly NO ONE has fixed yet.
Legal - Your district is in a potential legal quagmire without a well-written acceptable use policy that defines acceptable behavior for users (students and faculty) and defines enforcement powers of administration (educational and network). Do some research into legal cases that went poorly for organizations without a policy. The 1993-1998 era should be full of them. Talk to the superintendent, district legal person, school board, etc to get the district moving on an acceptable use policy. Have sample policies from other schools. Many schools post them on their web site, so a perusal of the k12.us domain should be fruitful. You don't want the administration to stumble off to "fix" this problem without your guidance, so be prepared to focus knee-jerk reactions into well-thought-out and constructive responses. In the face of a lawsuit, most supers are content to have a friggin policy written and be done with it.
Hopefully this helps!
-Troy
excuse me? a real operator would never need to ask for your password. the question is simply "what's your username?" and it's not because the operator couldn't find out on her own, it's just to save her the time of having to look it up herself.
I am a sysadmin for a school with exactly the same problem. The simple solution is to turn the problem back upon the P2P users. These links outline how to divide your pipe to direct traffic.
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO
http://www.boingworld.com/workshops/linux/ipt
This is a great solution because it still allows P2P usage, so no one can get mad at you for just shutting it down, but allows normal users (read people wanting to use the Web for educational reasons, or standard communications, ie email.) to get the bulk of the benefits.
I know this does not deal with the legality issues, however I would suggest that you not bother yourself with those. Follow the news and know that if and when there is a crack down, large Universities will be targeted first in massive public trials. At that point you simply kill the minor virtual pipe.
Hope this helps, and sorry I could not post it directly to you but slashdot was overloaded on this topic.
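The "divide your pipe" idea in the post above (and the traffic-shaping and PacketShaper comments elsewhere in this thread) boils down to giving each traffic class a guaranteed rate plus permission to borrow idle capacity up to a ceiling, which is how HTB on Linux works. The following added example is not from the thread or from the linked HOWTOs: it is a simplified model of HTB's rate/ceil borrowing (excess capacity shared among unsatisfied classes in proportion to their guaranteed rate, which approximates HTB's default behaviour but ignores its priority and quantum knobs), plus a generator that prints the matching `tc` commands as text for review. Link size, class names and rates are constructed for a T1.

```python
"""Model of HTB-style rate/ceil sharing for a school uplink, plus tc command text.

Added example, not from the thread. Assumes: classes have a guaranteed `rate`
and a `ceil`, rates sum to at most the link, and spare capacity is shared among
classes that still want more in proportion to their rate (a simplification of
HTB, which also honours prio and quantum).
"""

LINK_KBIT = 1536  # constructed: one T1

# Constructed class plan: web and mail are guaranteed most of the pipe, P2P is
# guaranteed a sliver but may borrow the whole link when nobody else needs it.
CLASSES = {
    "web":  {"id": "1:10", "rate": 900, "ceil": LINK_KBIT},
    "mail": {"id": "1:20", "rate": 400, "ceil": LINK_KBIT},
    "p2p":  {"id": "1:30", "rate": 100, "ceil": LINK_KBIT},
}


def allocate(link, classes, demand, eps=1e-9):
    """Return {class: kbit} given each class's offered load in `demand` (kbit).

    Step 1: every class gets min(demand, rate), its guarantee.
    Step 2: leftover link capacity is handed out, round by round, to classes
    still below min(ceil, demand), split in proportion to their rate.
    """
    alloc = {n: min(demand.get(n, 0), c["rate"]) for n, c in classes.items()}
    leftover = link - sum(alloc.values())
    while leftover > eps:
        hungry = [n for n in classes
                  if alloc[n] + eps < min(classes[n]["ceil"], demand.get(n, 0))]
        if not hungry:
            break
        total_rate = sum(classes[n]["rate"] for n in hungry)
        given = 0.0
        for n in hungry:
            cap = min(classes[n]["ceil"], demand.get(n, 0))
            extra = min(leftover * classes[n]["rate"] / total_rate, cap - alloc[n])
            alloc[n] += extra
            given += extra
        leftover -= given
        if given <= eps:
            break
    return alloc


def tc_commands(dev, link, classes, default_minor="30"):
    """Produce the tc lines that express the plan (text only; nothing is executed)."""
    lines = [
        f"tc qdisc add dev {dev} root handle 1: htb default {default_minor}",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link}kbit",
    ]
    for name, c in classes.items():
        lines.append(
            f"tc class add dev {dev} parent 1:1 classid {c['id']} htb "
            f"rate {c['rate']}kbit ceil {c['ceil']}kbit  # {name}"
        )
    return lines


# Constructed scenarios: offered load per class, in kbit.
BUSY_SCHOOL_DAY = {"web": 1536, "mail": 1536, "p2p": 1536}
QUIET_EVENING = {"web": 200, "mail": 50, "p2p": 1536}

if __name__ == "__main__":
    for label, demand in (("busy", BUSY_SCHOOL_DAY), ("quiet", QUIET_EVENING)):
        print(label, {k: round(v, 1) for k, v in allocate(LINK_KBIT, CLASSES, demand).items()})
    print("\n".join(tc_commands("eth0", LINK_KBIT, CLASSES)))
```

Under load the P2P class is held near its 100 kbit guarantee while web and mail keep theirs; in the evening the same class borrows almost the entire link, which is exactly the "still allows P2P usage" property the poster wants without an outright block. The `tc` lines need `tc filter` rules (for example u32 matches on destination port) to steer packets into 1:10/1:20/1:30; those are omitted here because the port list is site-specific.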
Your district should have an acceptable use policy to protect itself from legal policy. It needs to say that the district does not condone the violation of copyright law. Since a preponderance of P2P involves such violations, preventing the source of such a violation would be in line with such an AUP.
Russ
In previous discussions I have read about how overworked, underpaid and professionally dedicated teachers were... so how could this be true?
Does this guy mean to say that these dedicated professionals are surfing the web all day?
Conformity is the jailer of freedom and enemy of growth. -JFK
Ask your supervisor to delegate to you the authority needed to set domain policy.
This authority may be pen-and-paper authority to write new regulations that he affixes his name to, or it may be network-level authority in a computer system to edit security policies and permissions on the routers.
Or, do what usually works:
Write what *you* think the ideal proposal for the situation is, and give it to your supervisor saying "I've noticed a problem and I realize you're really busy so it may not have been a priority for you; however, I took an initiative to try to address it. If you find this acceptable, perhaps you could pass it on to someone else?"
You'll get points for initiative at least.
My college recently implemented something called PacketShaper which they claim has sped up the network a lot. I can't vouch for it myself since there were several upgrades that happened at the same time, but the network is much faster now (used to time out 9 times out of 10 looking at any web page). Anyway; this program basically slows down anything they want to. P2P is last on their priority list, AIM, email, and web is pretty high. From what they report, it's very friendly and configurable.
Liability....
Mention that, and suddenly things at the county level begin to happen.
----- LoboSoft specializes in Digital Language Lab
I'd suggest two things... :)
1) You could get an internet filter to filter out bad and questionable sites.
2) Get a program called clean slate installed on the computers - it will bring each computer back to a preset configuration every time the computer is reset.
Problems with these:
1) Don't forget IPs of the sites. My school has a filter and forgot to put in many of the IPs of the domains they blocked and thus I can ping the domain and use the IP to go and surf through the site.
2) Using a boot disk, I've found that you can edit the config.sys/autoexec.bat files so that clean slate only turns on and off when you want it to. (thus you can turn it off and install a program, then turn it back on and it will think that that program is part of the default config.) I discovered this after my school installed clean slate and I was frustrated with it removing the programs/settings that I installed/changed. This could be fixed by disabling the floppy boot in the BIOS but the admins at my school don't understand such things.
If the school is running AV software (NT kernels), as any good school should, you can set your respective AV software to QUARANTINE files with certain names. Such as "morpheus.exe", or "grokster.exe".
It's quarantine; the perpetrator CAN'T delete it (assuming privileges are set up so users have no power, and why should they really?). Now you have a file with his/her name attached to it. And it can't be run either. Just make sure that EVERY file that enters the system gets scanned immediately.
If you are on 9x, don't waste your time. Install NT based OS's, or Linux. Most kids won't know what to do with linux....
Carpe Noctem -=- Seize The Night
A simple meeting or emailing.
Ask if the teachers remember folks calling in an airstrike on their own position.
It doesn't matter if the answer is yes/no/no response. It's BSA or FBI time Mr. Gym Teacher.
Dustpuppy has given a very sound solution.
The problem you're facing isn't technical, it's political. It sounds like your management is afraid to take a stand. This could be due to several reasons. One is they simply don't understand the issues and don't want to accept responsibility for making a bad decision. Another reason is that they may not want to take an unpopular position against the faculty.
Whatever reason they may have, be sure to get it all on paper. This serves primarily to protect you. If the unripe manure should hit the circular ventilator, a paper trail will demonstrate that you attempted to resolve a situation that management was unwilling to face.
Propose to your management that the legal department should institute an Acceptable Use Policy. Chances are there may already be something that can be applied to this situation. This way management can save face by saying 'Legal made us do it' and you also get a policy that should conform to the applicable laws.
DO NOT, repeat DO NOT attempt to impose a solution on your own without an explicit written and approved policy to back you up. The worst that can happen is losing your job. You also unnecessarily risk alienating any potential support you may have. You are in the right and do not need to resort to doing the wrong thing.
Just install webcams pointing at every single monitor in the building, all displaying on your own console in a dark room behind a one-way mirror. When you spot any pr0n or other undesirable usage, just put on some cool shades and walk up to the luser's box, right in his face. Put on some gloves and snip the PC's power cord with cable cutters while saying "Access Denied" through a portable voice morpher.
Then punch the living shiznit out of the fuckin' unrespectful perv.
-Billco, Fnarg.com
This is a change management issue - so it's going to involve people, and will be a bit messy. So you have to prod them into compliance... Here's some ideas:
1) Go to the Superintendent and explain the situation - viruses, lowered productivity, legal liability, increased bandwidth costs, etc. Get the Super's support for #2
2) Create an edict, policy, whatever. Say "Henceforth, the following programs also referred to as Peer-to-Peer file sharing programs are specifically prohibited. They may not under any circumstances be installed on any computer connected or making use of District networking and/or computing resources. This is to reduce risk, liability, and bandwidth costs. Any questions? Contact the Superintendent."
3) Block all ports used by P2P programs. Monitor all attempted accesses. Cross-ref attempts with IP addresses and pay those users a visit. Say "hey, I got an alert from the firewall about some P2P software on your PC... Did you get the memo? Did you remove the software? I can help..." Don't blame them, make it seem like maybe they didn't know (we know better but...)
4) Do #3 for about a week. Then issue another memo - "Many thanks to all the users for complying with our prohibition of P2P programs. Unfortunately some individuals are still attempting to use these programs, or are trying to circumvent the restrictions on their use. This is to notify you that all such uses and circumvention attempts will be immediately reported to the Superintendent, for whatever action is deemed appropriate. Thanks for your compliance."
That's it. No bullshit - just get rid of it. If your supervisor doesn't want to play ball, then have a chat with whomever pays the bandwidth bill and handles the legal issues. Have a nice talk with the district's legal counsel - ask Counsel to take it up with the appropriate people on the QT because your supervisor isn't helping, and you think it's a potential legal minefield. Ask Counsel to get back to you or your supervisor with recommendations, but not to say you advised him so you don't get burned...
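Step 3 of the plan above (block the ports, log the attempts, cross-reference by address, then go talk to the user) needs a small piece of glue: something that reads the firewall's log and tells you which hosts keep knocking on the blocked ports. The following is an added example and not code from the thread: it assumes a Linux netfilter `LOG` target with the prefix `P2P-BLOCK:` on the blocking rules, so that each dropped connection attempt shows up in syslog as a kernel line of `KEY=value` pairs; the log lines, addresses and port-to-name table are constructed.

```python
"""Summarise blocked P2P connection attempts from netfilter LOG lines.

Added example, not from the thread. Assumes iptables rules that DROP the
chosen ports and also LOG them with --log-prefix "P2P-BLOCK: ", producing
syslog lines in the standard netfilter KEY=value format shown below.
"""
import re
from collections import defaultdict

# Constructed sample log lines in netfilter LOG format (private test addresses).
SAMPLE_LOG = """\
Mar 14 12:01:02 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.20.15 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=33412 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:01:09 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.20.15 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=33413 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:03:44 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.20.22 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1300 DF PROTO=TCP SPT=41000 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:05:10 fw kernel: OTHER: IN=eth1 OUT=eth0 SRC=10.1.20.40 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1301 DF PROTO=TCP SPT=41001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:07:31 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.30.5 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1400 DF PROTO=TCP SPT=50000 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:07:32 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.30.5 DST=203.0.113.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1401 DF PROTO=TCP SPT=50001 DPT=6882 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 12:09:00 fw kernel: P2P-BLOCK: IN=eth1 OUT=eth0 SRC=10.1.20.15 DST=203.0.113.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1402 DF PROTO=TCP SPT=33420 DPT=6346 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed port names for the report; keep in step with the blocking rules.
PORT_NAMES = {1214: "FastTrack", 4662: "eDonkey", 6346: "Gnutella", 6881: "BitTorrent", 6882: "BitTorrent"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>[^:]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line, prefix="P2P-BLOCK"):
    """Return a dict of fields for a LOG line carrying `prefix`, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("prefix") != prefix:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = m.group("ts")
    return fields


def attempts_by_source(log_text, prefix="P2P-BLOCK"):
    """Aggregate blocked attempts: {src: {count, ports, first, last}}."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        f = parse_line(line, prefix)
        if f is None:
            continue
        rec = out[f["SRC"]]
        rec["count"] += 1
        rec["ports"].add(int(f["DPT"]))
        rec["first"] = rec["first"] or f["ts"]
        rec["last"] = f["ts"]
    return dict(out)


def visit_list(log_text, threshold=2):
    """Sources with at least `threshold` blocked attempts, busiest first."""
    rows = []
    for src, rec in attempts_by_source(log_text).items():
        if rec["count"] >= threshold:
            names = sorted({PORT_NAMES.get(p, str(p)) for p in rec["ports"]})
            rows.append((src, rec["count"], names, rec["first"], rec["last"]))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, n, names, first, last in visit_list(SAMPLE_LOG):
        print(f"{src:<14} {n:>3} attempts  {', '.join(names):<22} {first} .. {last}")
```

A threshold of two or more attempts keeps a single stray SYN from a misconfigured machine off the list; the first/last timestamps let you ask "were you in room 12 at lunch?" rather than accusing anyone, which is the tone step 3 asks for. Because the rules both DROP and LOG, the user sees only a program that never connects, and you see who it was.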
The WORST offenders for mp3s where I work are the teachers. You're generous. We gave them a week before whacking the mp3s from their network shares. We didn't bother with the warning when we found some 200 Dancing Baby AVIs......WHACK!!
It's really cute the way the p2p thing broke down. The High School and the Middle School share the same T1 line. The Middle Schoolers loved Gnutella. One teacher had something like 4 GB of MP3s in his share (quotas have since been put on the network storage). At the High School, Kazaa was King with AudioGalaxy running second. I'd sit there watching the network monitor when lunchtime rolled around. The P2P ports just absolutely spiked through the ceiling....greedy....greedy.
I'm fortunate enough to have an Administration with some clue. We unceremoniously blocked the ports and had an intercom announcement. There's already an AUP but it will be more heavily emphasized next year. It will also be made clear that the technological measures are only there to keep em honest. We don't intend to have an arms race. If someone gets busted then they're busted. As I said, the Administration is with us on this one.
I just tell people: "Gnutella's cool but we don't use it at school. Do it at home or at your buddy's house. I like it too but I don't do it here."
At my school we have Deep Freeze and installing any software is fruitless or only of temporary use. Therefore, we have resorted to web-based peer-to-peer sites for queueing downloads. Of course you need your servent to be online elsewhere, but that is the least of the problem.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Virii is the plural of 'vir'. That means 'Man' in Latin. Virii means 'men'. 'Virus' in Latin was intrinsically plural--There is no word 'virii' in Latin referring to 'virus'. The English version is singular. Therefore, you treat it like any other English word, and use 'viruses'
I work as an IT support person in a university, and I'm under very similar circumstances. Me and one other guy were hired on in a division where there previously was no centralized IT support, and quite frankly the entire division was in complete chaos. However, we didn't have any 'official' authority to say how to use computers properly, or how to centralize different services such as file sharing. The best thing we found was to just do what needed to be done, and then explain your reasoning, and the consequences of what they were doing previously, to the users afterwards. If your boss complains, ask him to clarify why exactly he hired you if he won't let you do your job. You can't expect management without any IT training to make informed decisions regarding the computing environment, you have to do it yourself.
Just do like the BOFH.
Because, I think the crowd here should be able to confirm this, administrating works exactly like it does in the BOFH stories doesn't it?
It's your job to keep the network running smoothly; the biggest obstacle to that is (l)users. Therefore, you straighten them out using whatever means are necessary. High voltage is particularly effective, of course.
I'm sure you'll have no trouble at all if you stick to site management as prescribed in the Bastard Bible. ; )
redo the whole network during the summer! use firewalls to block ports used by common p2p programs and other utils like xblock to block unwanted or inappropriate web sites.
thats what our school district does anyway...
There is no responsiblity for anyone to enforce the law on their own.
autopr0n is like, down and stuff.
kindly explain how "some" mp3/warez got on to the school computers through students. let them know that they've been busted and they stop, but don't let them get indignant about it. always refer to "a", "the", "those" mp3's NEVER "your". show them an easy way to get out of trouble and they will probably take it.
;), OR should you need new hardware... there was a virus called chernobyl a coupla years ago that wasted us... just find something similar and poof, no more problem and you got a stricter tech policy
WAEF - sign the administration and teachers up to pr0n email lists, and wait for them to ask you to do something
PS- don't be an ass about it. if a teacher wants to come in on their own time after school or on the weekends, let them download the bloody stuff...(except porn)
Log all traffic. Then sort the logs by user and post them somewhere that can be seen. Examples include:
On the wall of a hallway
In a monthly report to the principal
In a monthly report to the Superintendent
In a monthly report to the President of the PTA/PTO
In a monthly report to each school board member
In a monthly report to the local newspaper(s)
In a monthly report to the local TV station(s)
Your school district web server
Be sure to provide an explanation of the logs as well.
Go ahead and mod me up. I dare you!
Goddammit with you guys! Don't you have any better things to do than to figure out ways to block my warez-progz? Like, get a life or something. Anyway, looks like our network has been slowed down for p2p-software ports. Really sucks. If I ever meet the guy who did this, I'm probably gonna punch him.
Achtung!
You would deign to communicate with people before flying into a power mad rage and cutting off their privileges??
Komrad, you let us down. Better to rule by fear than by respect. That is the hallmark of human intelligence. Scream, threaten, wear a Chaplin moustache, call them ignorant, or better yet, smugly tell them nothing and cut them off.
If you have no policy, then neither do they. So, make up some rules designed to humiliate any and all humans who don't spend their lives thinking about bandwidth. Computers exist for programmers. Punish schoolteachers for taking an interest. One only learns about computers by beginning with Fortran.
Require Fortran classes then. That will effectively keep teachers who might discover valid uses of technology including improved understanding of their students, to just leave well enough alone.
That's only fair. I can't fix a jet so I don't fly, can't fix a car so I don't drive, and can't think outside an arm's length context so I don't think. Slashdot Ubber Alles! Workers... isolate!
They must be made to know how smart they are not.
I think thats what the software is called, its a firewall, antivirus and everything all in one, when I tried to download programs and tried to install them, I needed Admins permission to install it.
Traffic shaping. Set the max bandwidth ptp programs can get to a very low amount simply in the name of "traffic prioritization". Much easier to make the argument that email/web site views are higher priority, sigh that you are suffering along with the others.
Purchase a Cisco PIX Firewall. Yes they are expensive as hell and yes a cheap Linux Firewall can do the exact same thing but
a) Linux is a pain in the butt at times
b) The Cisco is built for this purpose
My school district is like this ( duh )
Internet -> CSU/DSU -> PIX -> Linux Web Cache Only Proxy -> Cisco Router -> SW Bell equipment that connects a T1 to every (50+) school through a dual ring fiber optic connection across the city
Each school just has a simple Cisco Router connected to a large switch that then links to other switches in the same server room and to Fiber Optics to the other switch rooms across the school
Now if you don't have money to blow like that (keep in mind this is a city of 140000 people), just stay simple with THE PIX FIREWALL and a Cobalt.com Cache RaQ server.
The PIX will allow you to throttle each service/port a certain amount of bandwidth. You can say web full bandwidth available and most everything else just basic access. As an added bonus they are like magic. Any hacker will have a hard time even getting into your network and you will be alerted of most attacks as they are happening. (by pager if setup correctly) Plus outgoing attacks will also trip an alarm to the pager and will record the MAC address of the offender. It is even possible to catch the offender before they even leave their terminal.
Yes Linux can be made to do the same thing but usually school boards will pay the extra for the peace of mind (a correctly configured Cisco firewall will sound better in court if something BAD was to happen).
This is a pretty basic situation in my mind. You are an administrator providing service to your users. Your supervisor is your superior. You have a pretty black and white case. The authority that allows the users to infect their machines, and the use of P2P, can negatively affect the ability to provide any service to the users. The P2P could also bring severe (and draconian) consequences down upon the school. He needs to write (or at least ok) policies that will enable you to correct these situations or else he has to state that it is the user's responsibility to deal with this.
If your supervisor is ok with what your users are doing, then you have to accept that as policy and the users have to live with the impact. The questionable legality does give you a trump to bring up in potentially awkward situations. FUD is FUD, but it isn't always a lie.
Edd
But it is sometimes better NOT to keep records of activities of questionable legality.
IANAL, but ignorance can be bliss. My understanding is that under the DMCA's Safe Harbor provisions OSPs can't be found liable for copyright infringement of which they are unaware. There are certain steps you need to take to cover yourself, but most of them boil down to informing your users about these policies and removing questionable content once you've been notified of a breach.
Incidentally, I am sure many teachers consider the free Internet access as part of their overall employment package. You could earn yourself a lot of enmity preventing them from engaging in legal activities online. Why should you do the RIAA's dirty work???
Consider implementing cost recovery, so that each department is charged proportionally for its bandwidth usage. Provide a per machine bandwidth usage report to heads of department, then watch said heads of department jump upon wasters.
Although the teachers' attitudes towards "piracy" and "stealing" are good, considering the fact that my particular institute of learning has teachers who are, in all honesty, not good enough with the technology to know how to use said programs. But, I've seen the various cases of students downloading BearShare and KaZaA for use on school computers. The point is, people, that this is causing or will cause a severe bottleneck. This isn't fair to the students who have to use the networks for *gasp* school related projects. If everyone's using HD/bandwidth to download illegal files while two or three people are trying to research the science project, the people doing what they're supposed to do aren't gonna get in. So, what I would do in the situation is block the ports, and blame spyware. Make sure to exaggerate about the spyware. Most non-techno savvy teachers will recoil at the thought of KaZaA, Inc. collecting their personal information, and hate junk mail with a passion. Take (albeit, unscrupulously [sp?]) advantage of their relative ignorance here. And block the ports for good measure.
Jesus told you to mod me up.
I hate those losers who can't come up with a decent sig. Oh, wait...
I hate firewalls, proxies, and that crap. They don't really stop anything.. they just funnel it all into 1 port. Instead.. I would suggest per user bandwidth/disk quotas. Also.. like lockers.. the systems are school property, not faculty or student. Thus, I don't think there's any right to privacy. Snoop, spy, sniff till your heart's content. As important as I think privacy is, I don't feel it is a right at school or at work. I feel it is a privilege that can and often is abused. Legality aside, if you're doing something you don't want other people to know about, it's probably not too smart to do it at work or school. Faculty or students can probably look at the post-it note under your keyboard and violate your privacy just as easily as the administration. If you get caught doing something you shouldn't do, you have no one to blame but yourself.
Of course, I would not outlaw all recreational use. If some kids would like to play a spirited match of BZFlag during their lunch break, so be it. Turn students and faculty onto legal ways to enjoy computers. A policy of, "NO FUN 4 U!" will only succeed in turning teachers and students off of computers. There's tons of free fun crap on the net.
Never mind that they could download porn off of browsers, that was supposedly all firewalled off from them. Seriously, teachers really do care about porn more than they care about software piracy.
So the easy answer is repeat this as a mantra:
I suggest you ignore all the advice to do something behind everyone's back and then lie about it. If you get caught once in a lie, everyone views you as a liar. This is tactically unsuccessful, quite aside from moral issues.
You really ought to set up a good firewall and Squid proxy server, though. That's just common sense; you don't want people hacking in to the school, and when a whole class hits a web site, you want 1 person to load the cache and 29 people to read the cache (not 30 people pulling down the web page from the site). That will give you a good position if and when you do get the authority to set a policy: instead of saying "Don't do X", you make it very difficult to do X. It's better to make it hard to do the wrong thing, than to try to punish those who do the wrong thing.
You could suggest a really strong firewall, with only specific ports opened, and require a request in writing to open any other ports. Like someone else suggested, you could write up a proposal for what you want, and see if you can get someone above you to say "go ahead and do that".
If your superiors require you to let the teachers continue to run riot, just get a good paper trail going: get your orders from above in writing, document in writing all the time you have to spend running around putting out fires. When it's time for your performance review, pull out the paperwork and say that you have been doing the job they ordered you to do; you don't want them to give you a poor performance rating because you didn't get much else done while you were running around putting out fires.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
just wait until some kid couldn't get access to his favourite pre-written-essay cheat site, fails his classes and sues you for it :P
I go to Purdue, and the way they screw us over (heh heh) is to only allow us a set amount of bandwidth, per rolling 24 hour time period, that is not either local or through port 80. So, you can leech pr0n to your heart's content from any other Purdue student, and view as many webpages as you like.... but outside of that, you are eating at your 100 megs a day or whatever. In your case, you might make it only 25 MB or 50 or so, whatever it takes. After their quota, they are throttled down to a couple k/sec. This policy certainly keeps my outside downloads to a minimum; but they are also fast when I do need them.
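The rolling 24-hour quota scheme described in the comment above, as an added example that is not part of the original post and not Purdue's actual setup: a POSIX shell/awk script that reads a flow log (a constructed sample is embedded inline), ignores local and port-80 traffic the way the comment describes, and lists the hosts whose remaining traffic in the trailing day exceeds a quota. The input field layout, the 10/8 LAN range, the 100 MB figure, and the tc class used for throttling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): rolling 24-hour per-host quota check.
# Input format (assumed, e.g. a flow export): epoch_seconds src_ip dst_ip dst_port bytes
# Constructed sample data; addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS='1019520000 10.1.1.5 10.1.2.9 445 900000000
1019520000 10.1.1.5 203.0.113.7 80 30000000
1019523600 10.1.1.5 198.51.100.4 6346 60000000
1019527200 10.1.1.5 198.51.100.4 6346 50000000
1019400000 10.1.1.6 198.51.100.9 4662 500000000
1019530000 10.1.1.6 198.51.100.9 4662 20000000
1019530000 10.1.1.7 203.0.113.7 443 5000000'

# over_quota NOW QUOTA_BYTES [FLOW_FILE]
# Prints "src_ip bytes" for each host whose metered traffic in (NOW-86400, NOW]
# exceeds QUOTA_BYTES. Local destinations (10/8, assumed LAN) and port-80
# traffic are not metered, mirroring the scheme described in the comment.
over_quota() {
    now=$1; quota=$2; src=${3:-}
    if [ -n "$src" ]; then cat -- "$src"; else printf '%s\n' "$SAMPLE_FLOWS"; fi |
    awk -v now="$now" -v quota="$quota" '
        $1 <= now - 86400 || $1 > now { next }   # outside the rolling window
        $3 ~ /^10\./ { next }                     # local traffic is free
        $4 == 80 { next }                         # web traffic is free
        { bytes[$2] += $5 }
        END { for (h in bytes) if (bytes[h] > quota) print h, bytes[h] }
    ' | sort
}

# Turn the over-quota list into tc filter commands that steer those hosts into a
# throttled HTB class (dev eth0 and classid 1:30 are assumptions). Printed, not run,
# so the operator can review them before applying.
throttle_commands() {
    over_quota "$@" | while read -r host _; do
        printf 'tc filter add dev eth0 parent 1: protocol ip prio 3 u32 match ip src %s/32 flowid 1:30\n' "$host"
    done
}

throttle_commands 1019530000 100000000   # 100 MB/day quota: lists 10.1.1.5 only
```

Run it periodically (cron) against the current flow export; hosts drop off the list by themselves once their heavy traffic ages past 24 hours, which is what keeps this less adversarial than a hard block.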
They would love to help you persuade the teachers not to use all of your bandwidth for file sharing.
This is what we're working on at work now (at a Univ. with approx. 400 desktop users). We just got ZENworks 3.2 (ugh, Novell....) and it has some pretty nice features like inventorying all the workstations and showing you what software is installed on each machine. Combine this information with bandwidth-usage statistics by user/application and perhaps some HTTP proxy information, and go to your management and discuss all of this with him/them.
It's touchy, but you may want to go around your direct manager if he's unwilling to fulfill his duties....
Linux: The world's best text-adventure game.
There are two things you could do on the software level:

1) Firewalling: Firewall your gateway server to block ports used by P2P software (e.g. gnutella is 6346). On linux you can use IPTABLES. (Try not to use IPCHAINS, it is not secure - and the same guy that wrote IPCHAINS also wrote IPTABLES!) There is a howto at linuxdoc.org. Of course, this will completely disable P2P from within your LAN.

2) Quality of Service (QoS): As an alternative you could keep the relevant ports open (though a firewall should always be present on a LAN gateway) and "shape" the traffic for packet types. E.g. you give port 80 (Http) full priority and any P2P ports are queue filtered. That way if there is no or little http traffic P2P will utilise the bandwidth, but if there is http traffic present P2P bandwidth will be limited or even cut completely until http usage decreases again. You can also make email, FTP etc. priorities, and even at several discrete levels. Again, there is a linux tool - tc (traffic control) - and there is a howto at linuxdoc.org. Cheers, dan.
Then why is that all the old school warez web sites I used to go to had the disclaimer "for educational purposes only!!!" ?
--All your stolen base are belong to Rickey Henderson
Perhaps if you write a nice note to the top bureaucrats concerning BSA audits and reference this recent Slashdot story?
http://slashdot.org/article.pl?sid=02/04/22/1719218&mode=thread
You may then find yourself in a position to create/modify and enforce a policy. Remember, bureaucrats hate being in the hot seat. (Although asking for more $$$ never brings any shame.)
Myself, I'd probably re-image all of the PCs with Windows2000 and use TweakUI to auto-login to a basic restricted user account so the users can't add or change anything.
Then I'd filter ports and throttle bandwidth as well as logging offender's actions.
Finally, you have a chance to do some intellectual Triage...
Pick your *NIX distro of choice and start building images for the assortment of PCs in your school. Quietly begin to deploy them.
You will quickly find 3 sorts of users:
*Your future peers.
*Users who can't tell the difference.
*Boneheads who should be learning to read and write before they are allowed to touch computers or just perhaps need to focus on their future vocation of digging ditches.
Cultivate your peers
Educate/tolerate your users
Hire the boneheads to mow your lawn
It's not your job to enforce the law, so don't.
My other first post is car post.
I'm network administrator for a school in north England, and our county uses the SmartFilter software (I forget the web site) which has the ability to block access to direct IP addresses. That might be useful in blocking some of the warez sites that never bother to register a domain name, though it'll also block the Google cache IP too... (however I believe IPs can be selectively allowed). Just a thought.
I was in a similar situation.
...
Don't nazi-filter ports. I had to fight here with company policies to get my ssh through.
The way I did it was by plugging my portable with dsniff installed. dsniff offers a few nice tools: tcpnice (does not work well) and tcpkill (works VERY well).
tcpkill -1 port 4665
Most connections to edonkey servers will simply fail. I said "most". And you just start it for 10 minutes and then stop it for 5 minutes.
Since every useful application will work smoothly, they will not be able to complain and the p2p usage will get easier by itself. And from then on, it will be easier for you to enforce a complete blockade.
Another thing you can do, is spread a rumor that you are security auditing the traffic and that you might publish on the web site the usage statistics.
This solution reminds me of the bit in Full Metal Jacket where the drill sergeant decides that peer pressure will be effective at forcing an out-of-line trainee to conform. It worked.
:-)
Of course, it pissed everyone off and ended up getting the drill sergeant shot.
May we never see th
Just because you teach kids about P2P does not mean that you have to do it in practice.
You don't get them drunk and put them behind the wheel when you teach them that drinking and driving is illegal?
By no means listen to the firewall nazis here that say "AUGH! No! Firewall everything but 80 and filter even that to death!"
I mean, if you're the one in class and need some hard to find information, would you rather search it to death or hop on IRC and ask somebody that does it for a living? So with all that said, I'll throw out my run of the mill solution: block nothing at all, but make it horribly unbearable to do anything w4r3z d00d with, i.e. kill sockets that have been open for a long time or P2P ports, say 20 meg or so, drop random packets, cause timeouts, whatever, but after most everything non-school related starts failing, most people will get the point and everything will speed up.
I think even making what you do clear to everybody wouldn't be a bad idea. Say a student needs a huge simulation dataset or a teacher needs a DivX movie to show in class (assuming you have permission, of course, the video store's just.. out of stock :P), they can ask you to open that machine (watch it while it's fully open, though)
my HR director once told us that she doesn't want to hear that "the cause of the problems are the users"
To which your reply should have been (the classic)
"Tell me Mrs X, whose interest does ignorance serve?"
Never fails :-)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Block all ports for a short time, say a couple of hours. See who whines, and quiz them gently (over a low heat). Apply look of deep concern. Mutter about security issues. Restore ports with/without throttling. Continue randomly. Rinse. Repeat. Eventually try to get culprits to complain officially. Drop on culprits like ton of dung. Read riot act and hang them out to dry. Continue until world domination is complete. Exterminate! Exterminate! eXT... OOPS, GOT CARRIED AWAY...anyway, you get the idea, annoy and then scare the critters..
...and he grinned, like a fox eating shit out of a wire brush.
Most local governments have acceptable/appropriate use policies. Most school districts are a part of the city or county/parish/whatever government and are bound by the same policies. "In order to comply with county regulations, certain services have been blocked..." - YMMV
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
s/illegial/illegal/
s/supplimented/supplemented/
I've solved it using QoS with Linux. Setting up queues in order that p2p traffic doesn't interfere with critical applications such as web browsing.
This is my stats page:
http://omega.resa.es/stats/inetout/
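The two options in dan's comment (blocking P2P ports with iptables versus keeping them open and shaping with tc) and the Linux QoS queues described in the comment just above, as an added example that is not code from either poster: a shell script that builds the iptables rules and an HTB tc hierarchy for a Linux gateway, giving HTTP a guaranteed share and top priority while P2P ports only get bandwidth that nobody else is using. The WAN interface name, the LAN range, the 2 Mbit/s uplink figure and the eDonkey port numbers are assumptions; gnutella's 6346 comes from the comment itself and 4665 is mentioned elsewhere in the thread.

```shell
#!/bin/sh
# Added example (not from either comment): iptables port blocking and tc HTB shaping
# for a Linux gateway. Assumptions: WAN interface eth0, LAN 10.0.0.0/8, 2000 kbit/s
# uplink, gnutella on 6346-6347 and eDonkey on 4662/4665.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
UPLINK_KBIT="${UPLINK_KBIT:-2000}"
P2P_PORTS="6346 6347 4662 4665"

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1: refuse P2P ports outright for traffic forwarded from the LAN.
# TCP gets a reset so clients fail fast instead of hanging on a timeout.
block_p2p_ports() {
    for p in $P2P_PORTS; do
        run iptables -A FORWARD -s "$LAN_NET" -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
        run iptables -A FORWARD -s "$LAN_NET" -p udp --dport "$p" -j DROP
    done
}

# Option 2: keep the ports open but shape. One HTB root on the WAN side; class 1:10
# (HTTP/HTTPS) gets 60% guaranteed at the highest priority, 1:20 (everything else,
# the default) 30%, and 1:30 (P2P) 10% at the lowest priority. Every class may
# borrow up to the full link ("ceil") when the others are idle, which is exactly
# the behaviour dan describes: P2P fills the pipe only while nobody else needs it.
shape_p2p_traffic() {
    http_rate=$((UPLINK_KBIT * 6 / 10))
    other_rate=$((UPLINK_KBIT * 3 / 10))
    p2p_rate=$((UPLINK_KBIT / 10))
    run tc qdisc del dev "$WAN_IF" root 2>/dev/null || true   # clear any old setup
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "${http_rate}kbit" ceil "${UPLINK_KBIT}kbit" prio 0
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "${other_rate}kbit" ceil "${UPLINK_KBIT}kbit" prio 1
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:30 htb rate "${p2p_rate}kbit" ceil "${UPLINK_KBIT}kbit" prio 7
    # u32 filters classify by destination port; everything unmatched lands in 1:20.
    for p in 80 443; do
        run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 match ip dport "$p" 0xffff flowid 1:10
    done
    for p in $P2P_PORTS; do
        run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 2 u32 match ip dport "$p" 0xffff flowid 1:30
    done
}

block_p2p_ports
shape_p2p_traffic
```

Two caveats a practitioner should keep in mind: shaping on the WAN interface only governs what the LAN sends upstream, so to rein in downloads the same class tree has to be attached to the LAN-facing interface (or an IFB device) as well; and port-based classification only catches clients that still use their default ports, so a log of what actually lands in class 1:20 is worth reviewing from time to time.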
I have a company full of million-dollar consulting and design engineers. All of them are idiots when it comes to computers. It's taken me and my supervisor five years working together to get anyone to have the slightest clue about virii, worms, trojans, spyware, malware and the like. And they still have a knack for screwing things up. Even when company policy explicitly states "Don't" they do because they're engineers and they know better than the silly little CS and IT majors who aren't real engineers anyway. Screw it and screw them. I just laugh in their faces now, quote the regs, laugh some more and tell them their projects can sit on the backburner because of their incompetence until I get a chance to fix what they screwed.
My suggestion to the poster is to tell the school board and whatever passes for authorities exactly what's going on, what the cost is in dollars for his time to fix it, what the cost is in time lost for staff and tell them that he is implementing regulations. A draft will be posted the following Monday. Implementation will begin one week from posting. Staff are suggested to comply voluntarily or risk losing personal and professional data because uninstalls of such software cannot be trusted to be clean and safe and security breaches caused by spyware require slash'n'burn techniques. Then screw 'em all.
I was appointed Network Manager at a senior school (high school for you US people?) and they had been through 4 network technicians when I was appointed and the network was (and still mostly is) in a state.
Well now that I have some staff (I had no technicians when I started) the problems are being sorted out! Luckily a company that runs filters and port blocking, so p2p isn't a problem, provides the school's broadband Internet connection.
The desktops all run Windows NT with policies in place so that only authorised applications can be run. This means that they can't run limewire et al. but we can!!! Hurrah for power!!!
-- Do not bite the bait of pleasure till you know there is no hook beneath it.
The best advice mentioned in most responses I read were to slow or shut down the ports after getting some kind of backup (policywise, school board or else). This is the simple one. A security guy pointed out to me one day that because more and more firewalls just block certain ports more and more services run over port 80 in order to work. So at some near point in the future internet security will have a big problem, because now all the programs run over that port and can't be blocked any more.
Now I am not suggesting that because of this you should put internet security first, since apparently nobody else does, but I just wanted to mention this point, since nobody else has done it so far.
Get over the petty turf war and use your knowledge of the problem to excite kids to learn about Useful Real Life Skills. Illustrate the problem in the format of a class seminar and speak to each class. Solicit everyone's opinion to contribute to the learning process and side yourself with the teaching staff.
Easy Peasy,
Make note of all the teachers who are doing it, place some porn in a convenient position.
Approach them one by one, explaining that you've found porn on their computers/in their user areas/in the logs.
Now, either say you'll overlook it, they will be grateful and you'll reap the rewards in any favours you may need (say asking them to ease off on their net traffic). Or get both by mentioning an audit is being done on the web logs and you've nicely cleared off all the porn and mp3 downloads from the logs so they don't get in trouble; tell them they should be safe if they wait a couple of months before downloading anything inappropriate again. Recycle and reuse until they are gone.
You could just proxy them away from their dodgy downloads but you just won't be their saviour that way.
That's pretty unusual for a school district NOT to take more of a stance on legitimate use of its networks. The schools here (in San Antonio) are VERY strict on legitimate uses, with the exception of the colleges. I remember in the high school I was in we couldn't use those systems unless we were under total supervision. But, if you're a system administrator and use of P2P clients and virii plague the performance of your network, you're going to have to be administrative. If you're stuck in a web of red tape, first thing you do is gather statistics and evidence to the fact about the possible legal and performance issues that the use of these networks entail, especially in an education environment. There's been a few cases of the IT world's legal battles with the education world of late, and if you bring proof of legal repercussions to the school board's attention, with words like "LAWSUIT" and "AUDIT", that will get their attention. Next, set up some sort of monitoring to get the actual amount of this traffic. I'd recommend a SNORT setup with some sort of custom rule set to set off alerts for the type of stuff you're looking for, since it is packet based. Boards like numbers, and if you show something like 5 hours of continuous P2P activity in an 8 hour school day, the school board will have no choice but to wonder who's wasting this much time; if it's a teacher, are they doing their job? And if it's a student, why are they wasting so much time in class? With enough evidence to back you and to support your claim of protection against legal repercussions, and the performance loss on a limited bandwidth network, not to mention the amount of MONEY (big key word there, very very important to education institutions) that is wasted on repairs of virii infected systems, time wasted waiting for legitimate sites to pop up, and the cost of misappropriated hardware, I'm sure you can get the authoritative backing you need.
A preventive measure would be to set up a firewall/router and shut down the ports that are in use for these activities. It kind of sucks to have to go through these measures, but sometimes being an administrator means being administrative, even if it means you are the "asshole". Look at it this way, when shit hits the fan and no one can work because of virii, who gets blamed? CYA!!!
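The Snort-based monitoring suggested in the comment above, as an added example that is not the poster's own setup: two local Snort rules that flag outbound connection attempts to the common gnutella and eDonkey ports, plus a shell/awk summary that turns Snort's fast-alert output (constructed sample lines embedded inline) into the per-host "minutes with P2P activity" figures a board can read. The sids, the port ranges, the classtype and the IP addresses are assumptions; HOME_NET and EXTERNAL_NET are taken to be defined in snort.conf.

```shell
#!/bin/sh
# Added example (not the poster's setup): local Snort rules for P2P connection
# attempts and a summary of the resulting alerts. Assumptions: gnutella uses
# 6346-6347, eDonkey 4661-4665, sids 1000001/1000002 are free in local.rules.
P2P_RULES='alert tcp $HOME_NET any -> $EXTERNAL_NET 6346:6347 (msg:"LOCAL P2P gnutella connect"; flags:S; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4661:4665 (msg:"LOCAL P2P edonkey connect"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)'

# Constructed Snort fast-alert lines (alert_fast output format); not real traffic.
SAMPLE_ALERTS='04/22-09:15:01.000001  [**] [1:1000001:1] LOCAL P2P gnutella connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:3456 -> 198.51.100.4:6346
04/22-09:15:40.000002  [**] [1:1000001:1] LOCAL P2P gnutella connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:3457 -> 198.51.100.4:6346
04/22-09:16:05.000003  [**] [1:1000002:1] LOCAL P2P edonkey connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:3458 -> 198.51.100.9:4662
04/22-10:02:00.000004  [**] [1:1000001:1] LOCAL P2P gnutella connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:3459 -> 198.51.100.4:6346
04/22-13:30:10.000005  [**] [1:1000002:1] LOCAL P2P edonkey connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.9:4000 -> 198.51.100.9:4662'

# write_rules FILE: write the rules to a file you then "include" from snort.conf.
write_rules() { printf '%s\n' "$P2P_RULES" > "$1"; }

# p2p_minutes_per_host [ALERT_FILE]
# Prints "src_ip minutes", where minutes is the number of distinct clock minutes
# in which that host triggered a P2P alert. Several alerts within the same minute
# count once, so a chatty client does not inflate the figure.
p2p_minutes_per_host() {
    if [ -n "${1:-}" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_ALERTS"; fi |
    awk '
        /\[\*\*\]/ {
            # the source endpoint is the field before "->"; strip its port
            for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); break }
            sub(/:[0-9]+$/, "", src)
            minute = substr($1, 1, 11)          # "MM/DD-HH:MM"
            key = src SUBSEP minute
            if (!(key in seen)) { seen[key] = 1; minutes[src]++ }
        }
        END { for (h in minutes) print h, minutes[h] }
    ' | sort
}

p2p_minutes_per_host   # sample data: 10.1.1.5 3 / 10.1.1.9 1
```

Point it at the real alert file (`p2p_minutes_per_host /var/log/snort/alert`, path assumed) and divide by 60 to get the "hours in a school day" number the comment talks about. The rules only alert; they block nothing, and because the alert log ties activity to individual hosts it is itself a record worth keeping under the same access and retention rules as any other log that identifies users.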
I don't know how your network is set up, but a neat variation of this idea would be to read those logs every now and then, and send a network message popup to their machine saying "I see you like piracy... ~FBI"
Wow, hplasm, you are an excellent writer!
However, I don't agree with the method. It is adversarial. It invites retaliation.
The patient, but firm, non-adversarial way takes longer to get the first results. It requires a lot more creativity. However, there is no danger that it will be merely the first shot in a long-running battle.
Teach, don't sneak. Teach, don't fight.
"When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground."
:>
;>
You may be able to get away with the "You are really all 8 year olds on your pa's computer, so I am smarter than you" thing on other message boards, but that doesn't work on me. Why?
Well, I am alot older than 8.
You seem to have the idea that teachers are geniuses. Well, I have tutored far too many k-6 teachers to believe that. In my U, women who are too dumb to become nurses go the teacher route. I have tutored teachers-in-the-making who were going nuts on pre-med/pre-nursing classes and ones who took CPSC 1301 mistakenly thinking that it taught them how to use computers (In CSU that is intro to C++ programming).
Maybe your wife is smart, but she is an exception rather than the rule.
I do volunteer work at a local k-6 school. There are about 4 people there who are even marginally computer literate. One of those is the librarian, who has been desperately trying to fix their nonstop computer madness. Actually, she is pretty good, but she has problems having to fix things and run the library at the same time.
One of the neat things about teachers is that they are often nice people. You may not have to have policy to back you up. You may not really need to go blocking ports. I bet that most of the teachers will stop if you ask them to. Maybe tell them a horror story or two about the BSA, but I think that most teachers will stop running p2p programs when asked. Especially if you are actually helpful. If you (the original person who asked what to do) are actually fixing their computer woes and making life easier in general, I have found that the teachers will be happy to fulfill any simple requests (not running p2p in this case).
Note: As you may have noticed, the one edge most teachers would have over me is spelling abilities.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
Taking charge will get your ass fired. That statement is written in blood. I know whereof I speak.
Your only course of action is thud factor.
Produce a prodigious, deliberately obfuscated, massive report of why Things Are Bad and that you need to fix them. Document actual examples of problems they have experienced as a result of their policyless approach to Internet use, and constantly reference the need for effective policies.
If this report is met with resistance, write an incident report every time something bad happens, pointing out that if policies were in effect, none of this would have happened, etc.
Even if this doesn't work, it will CYA.
Best of luck.
I'm in a similar position regarding P2P software. What we did was install a Packet Shaper between our router and our network (it's a 1U box that sits in our rack). It lets us reserve bandwidth and set priorities of what services (so even if Kazaa and Audiogalaxy are able to use all of the available bandwidth, the packet shaper starts dropping packets for that service). We group all the P2P services together, throttle down the outbound bandwidth for P2P (don't want to pay for bandwidth that my users aren't using), set http as top priority and let them (teachers and students alike) share as much as they want. From the user point of view, the program is very slow. We do get some complaints, but when we explain (and demonstrate) that when the filter is off, the web stops working (and show some handy charts showing what is using the internet connection) most users understand (even the 15 year olds trying to download LOTR).
You will make yourself crazy trying to find and plug every hole. There are a couple of stock answers to your problem as well as a solution. One thing is to try to figure out some good educational uses for P2P and Instant messaging. This technology is part of the culture of the students so to try and stop it is impossible and not a good use of your time. As educators we have to turn this to our advantage. We use chats in class to have discussions--it is amazing how a student who is shy and afraid to speak in class will have something rich and substantive to say in a chat. We also use file sharing to swap materials. So use the technology! That said, we do face the fact that our incoming bandwidth is not unlimited nor free. We had a real problem with our line being saturated with students downloading music. Doubling our capacity did not solve the problem either. We subscribe to online resources that we couldn't use because of congestion. Our philosophy is that as a school we guarantee the bandwidth for legitimate educational purposes and anything leftover is for anything else. I discovered a device that shapes bandwidth from a company called Packeteer. It is called Packetshaper and with it I can very, very easily allocate bandwidth by application. For example, for P2P I can limit the total available bandwidth to say, 56K. So all the remaining bandwidth is available for whatever we want. Also, if I want to guarantee that e-mail gets all the bandwidth it needs I can easily specify that. It is a terrific solution that works. I tried other things including blocking ports at the router, but that just swamped the poor router. steve
...and possibly bordering on stupid yourself.
POW!
Your passive voice insults sure do pack a punch! Ouch!
My wife is a Chemistry and AP Env Studies teacher. If there is ever anything she wants done all she does is bring up safety. Write the word safety on a request and it's done in less than twenty-four hours. Now maybe you can't make this a safety issue, but along those same lines bring up legality issues. Write a memo or email or whatever to your boss, use the words "illegal actions" or something along those lines. If they ignore it, send it to the people above them and right up the line. And ALWAYS document. If someone comes down on you for not improving things, you always have documentation of what needs to be done but you did not get the support for it.
Another good thing is get to the administration and faculty. You may need to work at it, but you get the administration on your side and it's amazing what you can get done. Get along with the faculty and you'd be amazed by the response you get simply by talking to them about things (but you need to have some sort of relationship before hand.)
When YOU use the word "stupid" YOU should always use a mirror. Unless that technology is too tough for you.
Replacing the offending executables with a self-extracting Mandrake installer in auto mode might get the message across.
`The copy of WonderPorn that you had installed is suspected of running things at random from time to time, and it looks like it's run the automated upgrade system this time. I'll stick it on the end of my to-do list... let's say, about five weeks if nothing goes wrong. I hear the Frozen Bubble game is quite addictive. Ta-ta!'
Got time? Spend some of it coding or testing
If I was one of the teachers, I would place a call to whoever is the NEA equivalent to the shop steward and have you administering a Windows 3.11 network in Point Barrow, Alaska.
Not the cheapest route (I don't order stuff or do budgets, just admin) but it is the best thing that happened here on campus. 80% used to be going to P2P programs on 6 T1's. I can now consistently pull updates and such at over 100K/sec via FTP/HTTP etc.
http://www.packeteer.com/products/packetshaper/index.cfm
All the technical fixes are nice, but your supervisor needs to back you up or you'll be walking soon, either out of disgust or management defined incompetence - both of which won't get you unemployment. Present to your supervisor not only the why (you need to impose rules for the operability of the system), but also the legal implications of letting it continue this way, and a method of implementing it. Have several proposed implementations, and for each include costs/benefits, and it wouldn't hurt to include newspaper articles as to the legal possibilities (the more mainstream the news, the better). And yes, it sounds like a lot of work, but if you don't do this, absolutely nothing will happen in the bureaucracy of which you are now a part.
My high school has had the exact same problem. (you can skip the first two paragraphs as it's mostly explaining the situation)
;) I'm just singing the praises.
We've had a business lab for years containing roughly two dozen Compaqs, mostly used for computer graphics classes. Over the years, they have gone to all hell. With various P2P programs, freeware, and warez installed on each one, they've become near to useless. Last year they were nearly wiped out by the Chernobyl virus. No one knew what to do about keeping the kids from screwing them up. The OSes had to be reinstalled before every semester just for the things to stay functioning.
More recently, the school acquired a grant for a $700,000 IT lab used for modules and instruction. It contains about three dozen custom-built computers (plus various software and multimedia used for the specific modules). Murphy's law has of course set in over the past school year, and the computers are wrought with literally over 70 spyware components each, several gigs in downloaded bullcrap off P2P like Kazaa, and more pirated games than you can imagine. Recently we had to shut it down for two weeks due to THREE different viruses (including chernobyl) infecting the entire lab and wiping out several of the stations' hard drives and motherboards.
(begin useful talk here)
My friend Brad, who does troubleshooting for the school's computers, installed something called a HardGuard Card (http://www.hard-guard.com/). It was the best investment the school has ever made.
What it is, is a card that you put into the computers, and it can be configured to save the state of the hard drive that you choose (i'd suggest a CLEAN install to make sure it doesn't save any scumware or viruses), and when the computer is reset, it COMPLETELY RESTORES THE HARD DRIVE TO THE PREDETERMINED STATE.
You can literally FORMAT the drive, and it will STILL restore it. Anything they put into the computer will be erased next time they restart. It makes the thing invincible. I suggest it for every computer used by kids in your school.
It's also a good idea to have a networked drive that no one uses, in order for people to store their files on, or encourage the use of floppy disks.
And just in case you're wondering, I don't work for the company
Trust me on this one.
IIRC, ^H is what some misconfigured ancient Terminals would show when the 'backspace' key was pressed, instead of deleting the last character on screen.
Check the jargon file for more info on this.
First off, document everything on paper including a list of each of the problems, why they are problems, possible legal liabilities associated with each of them, etc. This also protects you in case something happens and people try to pin it on you. Make sure all such documents are signed and dated. Be concise and make sure you write in such a way that non-techies can understand you.
Second, do whatever it takes to schedule a meeting between you and your superiors. Most management above you should be open to a formal meeting especially if you have taken the time to formalize your concerns in writing. Explain to them why you need a strict enforced policy when it comes to computing/network resources and how it can prevent a lot of trouble in the future.
Assuming they are open to your concerns you should provide them with a written draft of policy you feel will solve the problems. Do your best to explain each line of your policy document and make sure they approve/agree with it. Chances are they won't care about the details as long as what you are doing is in the best interest of the school and its resources, but always be open to any suggestions they may have. Once they approve of the draft/changes type up a final policy paper, get it signed, etc, and make sure it is enforced. As an admin it is your job to report to your superiors situations where policy has been broken, but not your job to hand out punishment.
As you correct these problems on your network try and do one at a time and don't make major changes all at once. And as always- document everything (including why you did it).
In the end the network/computing resources only exist to serve the users needs, but you have to draw the line when it comes to abuse. Hopefully you can make your superiors understand this and get them to work with you vs. ignoring the problems. Without them nothing will be enforced.
I work at a Big 12 college. We typically use the "misallocation of resources" rules that are written by the state. It says (here in my state) that materials, goods, and infrastructure paid for by the state will not be used for personal use.
We tell our users that it is the same thing as not being allowed to take a State vehicle to your child's softball game.
Within reason, most people seem to understand, although it's probably a safe bet to say that 1/2 of our bandwidth is used by our students/staff for downloads that do not meet w/ our Terms of Service.
Take a look at a few colleges (they have been on the forefront of these troubles); many of them have very good policy statements on their websites.
If there is no policy, there is no violation of policy.
QED
You need to build support for your actions with your users, or they will inevitably try to circumvent any controls you put in place. Try starting with some security education, including an emphasis on privacy. Make them aware they are opening themselves up both to security problems as well as privacy invasion.
Then take the initiative to create a policy.
Have you thought of resigning unless you're given the necessary authority to do that job you're required to perform?
;)
An organization without a command structure is either a very small organization, or one doomed to chaotic consequences. If you're sincerely dedicated to the well-being of the organization then it behooves you to point this out, and to coerce them as much as necessary to make changes.
Just a thought, but a damn good one.
"There are 11 kinds of people: those who know binary, those who don't, and those who could not care less!"
Wow, and I thought my job sucked...
These sound like fudged configurations.
Most K-12 nets use Windows, so set up a domain server, create a Students group, and only allow them to run programs pertinent to school work. It's not that hard to limit P2P activity.
Just my 2 cents.
Tell the teachers that p2p is for terrorists and that after September 11 everything has changed. Tell them that if they are not soft on terrorists, if they are American, if, in the end, they care about the CHILDREN, will they, for the love of god, stop using those satanic P2P programs?
Only allow 56k of bandwidth to each station.
Michael Loves Me!
When I am confronted with a problem I don't have a ready solution to, and the problem involves co-workers I turn to those tomes of wisdom and learning... BOFH. I just say "WWBOFHD"...
"Boys have a Penis, Girls have a Vagina", kids say the darndest things!
This post doesn't make sense, but all the discussion seems off if you will block things :-)
Block one way and another way will appear; you will see it again, trust me.
The answer you wanted is:
Do allow your P2P users to limit their bandwidth by themselves; post patches for it to the P2P developers.
yours coward
good night
Sounds like your boss is spineless, so go to him and be assertive (not belligerent) and tell him that during the summer break the network will need to be upgraded (at little or no cost) to comply with state and federal policy. Also stress that this upgrade will increase available bandwidth greatly.
On the teacher front, when they lose their warez ability remind them that file sharing activity could possibly jeopardize their tenure and happily refer them to legal.
I have no
viri is the plural of vir, man. virii, with the double i, is using a different root word, virus -i, a second declension masculine noun meaning "venom" or "slime". So, in fact, virii would be correct. If you're gonna be a know-it-all, at least take some Latin first.
Quite frankly, I'm ashamed of you Slashdotters that are encouraging the spread of FUD (Fear, Uncertainty, and Doubt) as a means to accomplish an end in a systems/network management task. I think that this is partly why most users think people in our profession are unapproachable, disrespectful, or generally useless when it comes to a "meeting of the minds" on technology issues. It's no wonder our jobs are difficult if we are consistently sabotaging ourselves within the user community in this fashion. It may be the easy way, but it is not the right way!
Now, I'll step off my soapbox for a minute and address the issue raised. I think that looking at the issues presented from a school district/school/administrator liability and accountability perspective may open a few eyes. Someone suggested getting legal counsel involved. As painful as this might be, it may be worth talking to your superior and requesting some clarification. "Say, Boss, if the RIAA storm troopers broke down the school gate 'cause someone was illegally downloading the new Britney Spears album, who would be held accountable? Who would lose their job(s) over it?" If they don't know, or don't give a good answer, request in writing that they pursue the issue with legal counsel. Also ask, "Do the network and systems work in a manner that you see as acceptable? I think that the learning experience could be elevated through technology, even on our restrictive budget, if...". Raise your concerns "for the good of the community", and as someone else mentioned already, have solutions written out or diagrammed in hand as you present the problem.
You may not get the satisfaction that comes from shutting down the ports without notice, and then watching the chaos that ensues, but you will be more likely to be seen as a competent professional that has the good of the whole in mind. And this, my friend, will spread, changing the opinion some have about our profession in general.
Weblogic Server and Portal - 100MB :-)
Oracle - 600MB
All the latest distro ISOs - 8GB
Latest patches/updates of all *nix software - ~1GB
Windows Security Updates - 100MB/Month
Always being at the top of the list of bandwidth hogs and proud of it - priceless.
My $0.02 will always be worth more than your €0.02, so
I would make sure everyone knows that the major use for these programs is not only non-educational (and likely illegal for that reason) but copyright violations. Make it clear that you are monitoring the network for such violations and you will get the police involved if they are using the network for illegal purposes. Then do some monitoring.
You only need to put one teacher (or administrator) in prison for the rest to get the point. You should have a policy of turning all evidence of something illegal over to the police when you get it, and make sure everyone uses it. No teacher will complain about legal use of P2P programs being blocked, because you are not doing that.
Note that if you discover porn on the network, it might be legal, but leak to the local press that someone is looking at porn at school and most communities will see to it those responsible are punished. (Those who don't mind porn will generally stay silent while those who hate it will become vocal.)
Do not do anything without consulting with the school's lawyers! You now have many ideas of what you can do; get the lawyers to approve them before implementing them.
If ever a circumstance called for some BOFH TLC, it would be this...
"Hi... my KaZaA isn't working."
"Well, let me take care of that... what's your password?"
Why on Earth would any true BOFH ask for a password, rather than a username?
They are the ones with the big-ass keychain, hanging out with the tacky cell phone case shown to make it seem like they are important. The fact that some networking guy doesn't know how to resolve these simplistic issues just convinces me even more that network admins are tools.
Yes, I have been in almost exactly the same position. To make a long story short: get administrative buy-in, monitor and document network usage, block the abused ports, but most important is a comprehensive technology policy that includes what is and isn't an appropriate use of your limited resources. This last piece is the most difficult, but is imperative for any long-term solution.
Good luck.
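As an added example (not from the original post or any of the posters), here is what the "monitor and document network usage, then block the abused ports" step can look like in Python. It classifies flow records by the well-known default ports of the P2P clients of the day (FastTrack/KaZaA 1214, Gnutella 6346-6347, eDonkey 4661-4662 and 4672, BitTorrent 6881-6889, Direct Connect 411-412), ranks hosts by P2P bytes so the evidence can be documented, and renders the iptables rules that would drop those ports so they can be reviewed before anyone applies them. The flow-log format, the sample lines and the IP addresses are constructed for this example; the port mapping is a heuristic, since any client can be reconfigured to a different port.

```python
"""Spot P2P traffic and top bandwidth consumers in flow records.

Added example for the 'monitor and document, then block the abused ports'
advice. The flow-log format and the sample lines below are constructed;
the port-to-application table lists well-known defaults that clients can
be reconfigured away from, so a hit is evidence to document, not proof.
"""
from collections import defaultdict

# Well-known default ports of common P2P applications. Ranges are inclusive.
P2P_PORTS = {
    "FastTrack/KaZaA": [(1214, 1214)],
    "Gnutella":        [(6346, 6347)],
    "eDonkey":         [(4661, 4662), (4672, 4672)],
    "BitTorrent":      [(6881, 6889)],
    "Direct Connect":  [(411, 412)],
}

# Constructed flow records: src dst dport proto bytes
SAMPLE_FLOWS = """\
# src        dst           dport proto bytes   (constructed sample data)
10.1.2.15    64.12.8.3     1214  tcp   52000000
10.1.2.15    66.35.1.9     6346  tcp   18000000
10.1.2.15    208.1.1.4     80    tcp   300000
10.1.2.40    207.46.1.1    80    tcp   12000000
10.1.2.40    207.46.1.2    443   tcp   2000000
10.1.2.77    24.5.6.7      6881  tcp   91000000
10.1.2.77    24.5.6.8      4662  tcp   7000000
10.1.2.90    10.1.1.1      53    udp   4000
"""


def classify_port(port):
    """Return the P2P application whose default port range contains port, else None."""
    for app, ranges in P2P_PORTS.items():
        for lo, hi in ranges:
            if lo <= port <= hi:
                return app
    return None


def parse_flow(line):
    """Parse one constructed record 'src dst dport proto bytes' into a dict."""
    src, dst, dport, proto, nbytes = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def summarize(lines):
    """Aggregate bytes per source host, split into P2P and other traffic.

    Comment lines (starting with '#') and blank lines are skipped.
    """
    totals = defaultdict(lambda: {"p2p": 0, "other": 0, "apps": set()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        app = classify_port(flow["dport"])
        host = totals[flow["src"]]
        if app:
            host["p2p"] += flow["bytes"]
            host["apps"].add(app)
        else:
            host["other"] += flow["bytes"]
    return dict(totals)


def top_p2p_hosts(summary, n=3):
    """Return (host, p2p_bytes, sorted apps) for up to n hosts with P2P traffic."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["p2p"], reverse=True)
    return [(h, d["p2p"], sorted(d["apps"])) for h, d in ranked[:n] if d["p2p"] > 0]


def p2p_share(summary):
    """Fraction of all observed bytes that went to P2P default ports."""
    total = sum(d["p2p"] + d["other"] for d in summary.values())
    p2p = sum(d["p2p"] for d in summary.values())
    return p2p / total if total else 0.0


def block_rules(chain="FORWARD"):
    """Render iptables rules (as strings to review, not executed here) that
    drop traffic to the P2P default ports over both TCP and UDP."""
    rules = []
    for app, ranges in P2P_PORTS.items():
        for lo, hi in ranges:
            span = str(lo) if lo == hi else f"{lo}:{hi}"
            for proto in ("tcp", "udp"):
                rules.append(f"iptables -A {chain} -p {proto} --dport {span} -j DROP  # {app}")
    return rules


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS.splitlines())
    print(f"P2P share of observed bytes: {p2p_share(report):.1%}")
    for host, nbytes, apps in top_p2p_hosts(report):
        print(f"{host:12} {nbytes / 1e6:8.1f} MB  {', '.join(apps)}")
    print("\n".join(block_rules()))
```

The per-host table is the part worth keeping for the documentation step: it names the station and the application rather than just "someone". The rules it prints are the narrow version of the "block the abused ports" advice; a client that has been moved to port 80 or a random high port will slip past them, which is why the web-proxy-only approach mentioned elsewhere in the thread catches more.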
I was in kind of the same situation you are. I used a program called Deep Freeze; it doesn't actually stop anything, but when the computer is restarted it basically loads a fresh image of the computer. This is also nice for things like viruses too, and for the bandwidth thing, get a firewall.
every thing burns, all you have to do is make the fire hotter
Take action, put a firewall up and block some ports, then I'm sure teachers and students will see a rise in the bandwidth speeds and be a little pleased. But if any teachers complain about not being able to use their P2P programs, then tell them you had to take action because students were using them. Blame the students, not the teachers; it works because no one wants to admit to hogging bandwidth.
"I change by not changing at all."
If the CEO was running a warez server, the sysadmin would have no authority to shut him down. It may be "the company's", but it's not the sysadmin's.
The company or organization should have some sort of system to dole out responsibilities. Either the sysadmin has the authority to make policy decisions or he doesn't.
The responsibility rests with the management.
autopr0n is like, down and stuff.
If the US public school system had more people like you this country would be a better place.
UP UP UP DAMMIT!
Okay, I see your point about bandwidth. If it is a limited resource, you may indeed have an issue. But what I don't understand is the problems you have with P2P in the legal sense. Since when are you or even your institution responsible for anything that travels across your network? If you ask me, any public institution that caves in to demands from various groups to shut down its network so users can't use some service are pussies. Stand up for something, for Christ's sake. It seems that libraries are about the only institution that seems to understand this issue. A network (in, say, a campus) is a piece of infrastructure like a road running through the campus is. The campus cops are under no obligation to ensure that every user of that infrastructure is doing something legal with it. You don't have to stop every car using your campus road to make sure it is not stolen, or is not driving through your campus on the way to a crime. It's like saying you have to stop people using your computers to break in to another computer. Bullshit. Just because these services make it easy to shut down by using a known port does not mean you SHOULD. Where is the common sense any free-thinker has? What about privacy issues? This is a very slippery slope, and I think you are on the wrong side of it. This can only lead to more surveillance, where we watch every packet to make sure it is not copyrighted.
You guys just seem like you are drunk with power. Limiting what people can do because you feel like it. You suck. At various institutions I have worked at, the admins seemed to think it was their job to decide how I was going to use their system. (Now this is circa 1988 when the net was oh so young). From deciding whether we could see news as students, to what newsgroups we could see, to whether or not we could even access the internet (the net was VERY young, and profs and grad students had accounts on the machines hooked into the net), the admins always seemed to think it was their job to act as guardians of the resources, instead of the maintainers of them. That attitude blows.
To all the people who are saying 'Yeah, you're the boss, do whatever you want!': Back off. You are there to maintain a resource. You are NOT A COP. You are not there to say how a resource should be used, but to maintain it. Using some 'legality' issue to prop up your authority makes you pussies. You just need something to make you feel like your abuse of power is justified.
It is not.