Slashdot Mirror


P2P Programs on K-12 Networks?

deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up; the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is necessary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"

175 of 597 comments

  1. Take Charge by ouslush · · Score: 3, Interesting

    This is obviously a problem that lies in every school district and also in college. Just take charge and let the teachers know (in a non-technical and informative way) the reasons that you want to block these specific P2P networks from being accessed. If you set a standard, people will conform.

    1. Re:Take Charge by spudnic · · Score: 5, Insightful

      Yeah, right. You must not do much work in schools. A policy is nothing unless you have a way to enforce it and penalties when it isn't followed. Teachers for some reason just can't resist downloading Gator and Bonzi Buddy for some reason.

      To the guy in the story,
      The first thing you need to do is to write a letter to whoever is directly above you and request that it be forwarded on to administration. Outline your concerns, explain any legal liabilities the school may have, cite lost man hours (translated into $$$) and instructional time caused by what's going on, and be sure to give a way (or ways) the problems can be addressed. If you don't include a potential resolution, then all you will have accomplished is that everyone knows about the problem. If the right people don't get it after you've followed the chain of command, submit it to the school board.

      The technical side of this is the easy bit. Get the political support you need from the top and then start to implement. But be sure to do your homework before you start screaming. It'll pay off in the end.

      I have worked as a consultant to quite a few K12 IT Directors who were in the same situation that you are in. This path usually works. However, some school districts want their teachers to be able to do whatever they want. If that's the District's opinion, and you can't just pack up and go elsewhere, make sure to do a good job of CYA.

      Good luck!

      --
      load "linux",8,1
    2. Re:Take Charge by spudnic · · Score: 2

      Sorry to reply to my reply, but I missed something that needs to be included in your letter. Put in there that downloading some software could open your network to attack from the Internet where bad people could gain access to student and financial data. The school board will be very protective of that and will sometimes come around if you point things like this out.

      --
      load "linux",8,1
  2. proxies by The+Turd+Report · · Score: 4, Insightful

    Set up a web proxy. Firewall off everything else. Only allow port 80 traffic from workstations. It will kill off all the bandwidth eating crap, but still allow use of the internet for school.

  3. Filtering/Throttling by Ramses0 · · Score: 5, Insightful

    I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)

    As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.

    --Robert

    1. Re:Filtering/Throttling by Ioldanach · · Score: 2

      > throttle them down to 0.5kbps

      Ooh, now that's one I had completely overlooked... Outstanding idea. 0.5kbps might be a little low, even for this, since you'd get connections dropped and they'd probably mention it. Put it at 5kbps, though, and you should be fine, and it shouldn't impact much, either.

      Just make it extremely inconvenient to do, and people won't be as likely to do it...

    2. Re:Filtering/Throttling by CmdrPinkTaco · · Score: 4, Funny

      Or instead of throttling them down, you install a logging proxy and show them that you know exactly what they are doing and when they do it. Print out a monthly report and post it in the teacher's lounge.

      If information wants to be free, then let their peers handle any wrong-doing amongst the staff by giving them all the information that you can.

      --
      Please give your mod points to others, I'm at the cap. They will appreciate it more
    3. Re:Filtering/Throttling by Kwikymart · · Score: 2, Insightful

      Why pay for something they don't need? School is about learning, not listening to mp3s, and it isn't like the kids are living in dorms. The money should go to something worthwhile like books or better teachers (preferably ones that don't require downloading music via P2P or anything else of the sort). Even if the school doesn't need anything new, putting money into bandwidth to allow people to use P2P services is futile. No matter how fast your connection gets, you will always saturate it given enough people if unregulated. People will notice that it is really fast, then download even more stuff, and then tell other teachers/students/other people that should be working. Filtering it or denying it completely is the only long term solution.

      --

      Buying a Dell computer is equivalent to dropping the soap in a prison shower.
    4. Re:Filtering/Throttling by bloggins02 · · Score: 5, Funny

      This is becoming the stock answer to every question in existence.

      "Say, how do you show that every simply connected manifold is homeomorphic to the 3-sphere?"

      "I don't know, but I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program."

    5. Re:Filtering/Throttling by ftobin · · Score: 2

      > The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)

      because it's so illegal to use P2P applications. All those people on Usenet are doing illegal activity too.

    6. Re:Filtering/Throttling by G-funk · · Score: 2

      > ... because it's so illegal to use P2P applications. All those people on Usenet are doing illegal activity too...

      Of course they're all using p2p to download their favourite indy bands, the ones the man holds down so we couldn't hear them if it weren't for kazaa, just like the rest of us.

      --
      Send lawyers, guns, and money!
    7. Re:Filtering/Throttling by ftobin · · Score: 2

      > Of course they're all using p2p to download their favourite indy bands, the ones the man holds down so we couldn't hear them if it weren't for kazaa, just like the rest of us.

      It doesn't matter if they are or aren't. The use of the application itself is not illegal, and rightly so. " need merely capable of substantial non-infringing uses ."

    8. Re:Filtering/Throttling by singularity · · Score: 3, Informative

      This past weekend I was speaking with a friend who mentioned that his company had gone to a policy like this. They printed out a simple report that showed the top ten users of bandwidth at each location and the top ten domains that each person was accessing.

      The reports were made available to all company employees (I do not remember if they posted the information or just distributed it).

      He said that the total bandwidth used at each site had dropped dramatically.

      I imagine this system would also help get people to log off the system when not using it, since they do not want someone using a computer while they are logged in to access porn and use bandwidth.

      I think this system, combined with blocking several ports used by P2P systems, is the best way of dealing with it.

      --
      - (c) 2018 Hank Zimmerman
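
The report described in the comment above (top bandwidth users, and the top domains for each), as an added example that is not part of the original thread. It assumes the traffic passes through a Squid proxy writing its native access.log format; the sample lines, addresses and host names are constructed.

```python
"""Top bandwidth users, and each user's top domains, from a Squid access.log."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1035500000.101    120 10.1.2.15 TCP_MISS/200 4000000 GET http://media.example.net/a.mp3 - DIRECT/192.0.2.10 audio/mpeg
1035500003.220     45 10.1.2.15 TCP_MISS/200 250000 GET http://www.example.org/lesson.html - DIRECT/192.0.2.20 text/html
1035500004.000  90000 10.1.2.15 TCP_MISS/200 6000000 GET http://media.example.net/b.mp3 - DIRECT/192.0.2.10 audio/mpeg
1035500010.500     12 10.1.2.22 TCP_HIT/200 250000 GET http://www.example.org/lesson.html - NONE/- text/html
1035500011.900    300 10.1.2.22 TCP_MISS/200 90000 GET http://www.example.org/quiz.html - DIRECT/192.0.2.20 text/html
1035500020.000   5000 10.1.2.31 TCP_MISS/200 1200000 CONNECT mail.example.com:443 - DIRECT/192.0.2.30 -
1035500021.000      1 10.1.2.31 TCP_DENIED/403 1500 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated garbage
"""

# Hierarchy codes meaning nothing was fetched from outside (cache hit or a
# denied request). Newer Squid releases prefix the code with HIER_.
NO_UPSTREAM = {"NONE", "HIER_NONE"}


def parse_line(line):
    """Return (client, size, host, used_uplink), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        float(fields[0])       # timestamp must be numeric
        size = int(fields[4])  # bytes delivered to the client
    except ValueError:
        return None
    client, method, url, hierarchy = fields[2], fields[5], fields[6], fields[8]
    if method == "CONNECT":    # tunnelled HTTPS is logged as host:port
        host = url.rsplit(":", 1)[0]
    else:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            host = None
    used_uplink = hierarchy.split("/")[0] not in NO_UPSTREAM
    return client, size, (host or "(unparsed)").lower(), used_uplink


def top_talkers(lines, top_n=10, domains_per_client=10):
    """Rank clients by bytes pulled over the uplink; cache hits are not counted.

    Returns (report, skipped): report is a list of
    (client, total_bytes, [(domain, bytes), ...]); skipped counts bad lines.
    """
    per_client = Counter()
    per_client_domain = defaultdict(Counter)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        client, size, host, used_uplink = record
        if not used_uplink:
            continue
        per_client[client] += size
        per_client_domain[client][host] += size
    report = [
        (client, total, per_client_domain[client].most_common(domains_per_client))
        for client, total in per_client.most_common(top_n)
    ]
    return report, skipped


def format_report(report, skipped):
    """Render the report as plain text suitable for printing or posting."""
    out = []
    for rank, (client, total, domains) in enumerate(report, 1):
        out.append(f"{rank:2d}. {client:<15} {total / 1e6:8.2f} MB")
        for domain, size in domains:
            out.append(f"      {domain:<30} {size / 1e6:8.2f} MB")
    out.append(f"({skipped} malformed line(s) skipped)")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*top_talkers(SAMPLE_LOG.splitlines())))
```

Counting only requests that left the proxy keeps cache hits and denied requests from inflating a user's total, since neither consumes uplink bandwidth.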
    9. Re:Filtering/Throttling by smnolde · · Score: 2

      If you want to be sneaky about this, every morning, throttle it down a little bit, rather than all at once. The rate you choose to do this will limit the number of angry people banging on your door the moment you start it.

      Let's say the connections are soaking up 150KB/s and you want it down to 1.44KB/s in 30 days. You can do it linearly, which is noticeable, but not as noticeable as an exponential reduction. The most sneaky way would be to use the exponential method in series.

      For you electronics geeks (and ChE's out there, like myself) this is known as a second order filter.

      Spend ten minutes with a calculator and figure the time constants and put those numbers to use limiting the bandwidth.
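
The three ramp-down schedules the comment above compares, worked through for its 150 KB/s to 1.44 KB/s over 30 days (an added example, not part of the original thread). Assumptions: one adjustment per day, "exponential" means a constant daily ratio, and "exponential in series" means two identical first-order lags cascaded, with the per-day gain solved so that day 30 lands within 1% of the target.

```python
"""Daily bandwidth caps for a linear, exponential and second-order ramp-down."""

START_KBS, TARGET_KBS, DAYS = 150.0, 1.44, 30  # figures from the comment


def linear(day, start=START_KBS, target=TARGET_KBS, days=DAYS):
    """Same absolute cut every day."""
    return start + (target - start) * day / days


def exponential(day, start=START_KBS, target=TARGET_KBS, days=DAYS):
    """Same percentage cut every day (constant daily ratio)."""
    return start * (target / start) ** (day / days)


def cascaded_schedule(alpha, start=START_KBS, target=TARGET_KBS, days=DAYS):
    """Two first-order lags in series; each closes a fraction alpha of its gap.

    Stage 1 chases the target, stage 2 chases stage 1. The cap that is
    actually applied is stage 2. Returns the caps for day 0..days.
    """
    stage1 = stage2 = start
    caps = [start]
    for _ in range(days):
        stage1 += alpha * (target - stage1)
        stage2 += alpha * (stage1 - stage2)
        caps.append(stage2)
    return caps


def solve_alpha(tolerance=0.01, start=START_KBS, target=TARGET_KBS, days=DAYS):
    """Bisect for the smallest gain whose final cap is within tolerance of target.

    The final cap falls monotonically as alpha rises from 0 to 1, so
    bisection on that interval converges.
    """
    goal = target * (1 + tolerance)
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if cascaded_schedule(mid, start, target, days)[-1] > goal:
            lo = mid
        else:
            hi = mid
    return hi


def schedules():
    """All three schedules as lists indexed by day."""
    alpha = solve_alpha()
    return {
        "linear": [linear(d) for d in range(DAYS + 1)],
        "exponential": [exponential(d) for d in range(DAYS + 1)],
        "second_order": cascaded_schedule(alpha),
    }


if __name__ == "__main__":
    table = schedules()
    print(f"per-day gain for the cascade: {solve_alpha():.4f}")
    print(f"{'day':>3} {'linear':>9} {'exponential':>12} {'second order':>13}")
    for day in (0, 1, 5, 10, 20, 30):
        print(f"{day:>3} {table['linear'][day]:>9.2f} "
              f"{table['exponential'][day]:>12.2f} "
              f"{table['second_order'][day]:>13.2f}")
```

Under these assumptions the cascade starts more gently than the plain exponential and then overtakes it, while the linear schedule makes the smallest cuts early and the largest relative cuts at the end.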

    10. Re:Filtering/Throttling by hendridm · · Score: 3, Informative

      Our school uses a more gradual approach. I'm not sure how it works, but every connection to the Internet through the school is given full throughput. Some script monitors usage over time and throttles your throughput down to almost nothing on all ports when it "senses" heavy bandwidth. If I left my P2P software on full, it would take about 1-2 hours before my connection would be nothing. Changing my IP address works, but I have to hard-code it and change it often, and it conflicts with DHCP leases. It sucks that it kills all ports!

      Once your usage begins to go down, it increases your throughput.

      Probably the worst part is that it also throttles the off campus cable modem users who are connected through the University (and pay $30/month). You can get around it by paying $50/month, but most people deal with it for the discounted $30/month access.

    11. Re:Filtering/Throttling by G00F · · Score: 2

      Or the reverse could happen, could have some people competing to do the most. Of course I doubt it would be things of illegal nature . . .

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    12. Re:Filtering/Throttling by G-funk · · Score: 2

      I'm not saying that the software isn't or shouldn't remain legal.

      Not at school tho. I'll bet any money you like (and you wouldn't take that bet) that the teachers are downloading stuff they shouldn't be at work, and they're wasting your tax dollars (assuming you're from the US) to do it.

      --
      Send lawyers, guns, and money!
    13. Re:Filtering/Throttling by Yottabyte84 · · Score: 2

      Squid can also be set up as a transparent proxy, which is less intrusive to the users (i.e., they don't even know it's there).

    14. Re:Filtering/Throttling by sean23007 · · Score: 2

      That's how I figured out how to do the Rubik's Cube. A properly configured linux server/firewall along with some kind of proxy program sure did the trick...

      Take your first finger and turn the middle side topwise. Topwise!
      --Bart Simpson

      --

      Lack of eloquence does not denote lack of intelligence, though they often coincide.
    15. Re:Filtering/Throttling by bloggins02 · · Score: 2, Informative

      Ok, I'm being pedantic with myself, but that should read: "Any simply connected closed 3-manifold is homeomorphic to the 3-sphere." This is, of course, the Poincaré Conjecture.

    16. Re:Filtering/Throttling by singularity · · Score: 3, Insightful

      Actually, I work in education. I also know that what I view on the Internet while sitting in my office is watched.

      The nice thing about this system is that it does not prevent anyone from going to these sites or doing these things. If you find that you need to go to a porn site to help you learn about pornography laws (as I had to do just today - some porn sites have a better defense of pornography, and therefore definitions of common terms such as "indecent" as well as arguments concerning the First Amendment, than most other sites), and you go there frequently enough to make the list, then you can simply tell people what reason you were going to the sites.

      If you do not want to explain yourself, then do not.

      Get the teacher's union to write it up in the contracts that teachers cannot be fired based on what the reports show.

      While you might talk about how you think that you should be able to do personal web browsing on your work computer, let me give you another reason: Someone pays for that bandwidth. If you are working for a school, more than likely it is the state government that is paying for it.

      I, for one, do not like the idea that my already under-funded schools are having some of their budgets taken away by a teacher who is browsing the Internet for their own personal use. Take a coffee break and drink the coffee that my tax dollars are paying for. But when you start doing a lot of P2P stuff that I have to pay for, that is where I, as a taxpayer, draw the line. This is especially true when you might be downloading copyrighted material illegally.

      I do not mind a little web browsing every now and then. The line is massive bandwidth usage.

      One other thing - my friend continues to do personal web browsing while at work. He simply limits it to the amount that he knows will cause him not to make the list. This is a great solution for the employer (who knows that its employees are not using too much time to do personal things) and the employees (who do not have the right to surf taken away completely).

      The system is not so much about taking away your ability to surf (blocking ports and domains would do that) so much as limiting the amount that you are able to.

      --
      - (c) 2018 Hank Zimmerman
    17. Re:Filtering/Throttling by mpe · · Score: 2

      The thing is most people don't even recognize that is an illegal act, they think that they are allowed to download their songs or whatever else.

      End users installing anything on a machine owned by their employer is typically against an AUP. It's also frequently covered by anti hacking statutes.

  4. New hardware by GigsVT · · Score: 5, Insightful

    Simple,

    You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.

    In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.

    If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:New hardware by Shipwright · · Score: 2, Interesting

      Or find software to throttle down all ports but email, ftp and http - Teachers might complain about completely blocked P2P access but will they complain about horrible speed?

    2. Re:New hardware by zaius · · Score: 4, Interesting

      This is what we do at the school where I work.

      It has the additional advantage that, if they have a problem with it and decide to bring the issue up with a higher power, they probably won't be able to explain why it's so important for them to be able to download music or images or whatever, and therefore probably won't get anywhere. A few weeks after we started blocking Napster, Gnutella and friends, the school principal sent out an email without consulting us saying that those programs were no longer allowed... most likely because he had no idea before people started complaining of what these programs were even for.

    3. Re:New hardware by Bios_Hakr · · Score: 4, Insightful

      Then they say, "It worked with the old guy, why can't you make it work?"

      From years as a government worker, I have noticed that if you really want change, break something and blame it on the users.

      Your systems are in chaos? Good! Stop pushing anti-virus updates, stop pushing win32 hotfixes, tftp a known bad image to your premise router, secretly push installs of quake3 and UT to all the workstations. If the users ask, say that their systems need to be reloaded to make things better.

      If they will let you install Linux, do it! If not, install win2k and all the updates. Add the user to the box as a USER and remove USER permissions to WRITE anywhere but their desktop.

      When they ask what is going on with the ability to install stuff, LIE...a lot. Claim that the latest hotfixes from M$ implement a security policy on corporate systems that only allow apps to be remotely installed from the Domain Application Server.

      In short, users expect to be lied to and they want their computers to be fast and reliable. They want their Net(not)work(tm) to actually pass packets via some type of IT system and not have to be hand-carried via a Cuban waterboy. In your situation, the users' needs and expectations are converging. Take advantage of the situation and become...The Network Natzi, The BOFH, whatever you want to call it.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    4. Re:New hardware by dirkdidit · · Score: 5, Insightful

      At the school district where I work we block all P2P software from 6am to 4pm every day. This way teachers or other network users can still use P2P software but without slowing down the entire network.

    5. Re:New hardware by Wintersmute · · Score: 4, Funny

      I have got to hand it to those suggesting the "TCP header length blah blah string theory homeomorphic protocol" whatever. Damn, even made my eyes glaze over.

      However, there is another way to achieve that... just look up the school's legal counsel and send him an email saying that you're concerned about the liability implications of all this file sharing, and when he writes a memo to the faculty going on for 50 pages (only lawyers can write a 50-page memo) about "contributory infringement res ipsa loquitur blah blah mutatis mutandis damnum absque injuria" and how he'll want to have the server logs copied to him, your faculty will never wish they knew what a Gnutella client was.

      See, lawyers can be technocrats too.

      --
      It may be cold, but at least it's clear.
    6. Re:New hardware by Bios_Hakr · · Score: 2

      Uuh, win2k supports disk quotas on a user. Now the actual implementation of this is tricky. You want them to have plenty of document and internet cache, but not enough room to download Metalic tunes.

      In practice, few users even realise that there is a difference in directory permissions. They just think, "I can't install this. I don't have permission. Oh well, I'll work on a Word doc instead." It never dawns on about 90% of them what the difference is.

      Even if the user does understand what is going on, that user is probably smart enough to "Get It" and would never install P2P warez anyway.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
  5. The obvious answer by dachshund · · Score: 5, Funny

    You've got problems with p2p users and virus idiots? Just block all the relevant p2p ports and blame it on a computer virus. Then sit back and watch the two groups destroy each other.

    1. Re:The obvious answer by sharkey · · Score: 2

      Dude, "luser" isn't hyphenated.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. Ask your supervisor this: by freeweed · · Score: 2

    Would you let the children drive a car without proper training, and consequences if they do something wrong?

    If not, then why on earth would you allow someone to just wantonly use a computer however they see fit?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:Ask your supervisor this: by doooras · · Score: 3

      i'm not aware of any pedestrians being run over by a computer being used by some kid.

    2. Re:Ask your supervisor this: by kmactane · · Score: 2, Informative

      > i'm not aware of any pedestrians being run over by a computer being used by some kid.

      You mean you've never heard of some poor innocent person getting DDoSed halfway to eternity... by a bunch of Winboxen on cable modem hookups, that had been cracked by skr1pt kiddies?

      Heck, Yahoo got knocked flat by DDoS. And where did the skript kidZ get the systems they used for it? Simple: those systems were left wide open by people just like the ones that are causing the questioner so much grief: people who will download any virus-laden executable they can get their hands on.

      On a global network, one person's insecure box is everyone else's potential attacker.

    3. Re:Ask your supervisor this: by NanoGator · · Score: 2

      "If not, then why on earth would you allow someone to just wantonly use a computer however they see fit?"

      In an office that'd work, but at a school it doesn't fly. Computers are there for education. The more restrictions you place, the less likely a kid will learn from them. Even if they are doing things like downloading songs, they're still learning quite a bit.

      I liked the bandwidth throttling idea. At least the students can still explore the net.

      --
      "Derp de derp."
  7. When you have no authority, help just control by stoolpigeon · · Score: 4, Interesting

    My favorite method at this time is to just shut off whatever I need to shut off. Limit access where it needs to be limited.

    Then when the questions start flying I just shrug and try to look dumb. "I don't know what happened to your ability to download porn at work."

    They won't know what's going on and most people despite all reason believe that computers act in a random and hurtful manner of their own volition.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:When you have no authority, help just control by bricriu · · Score: 2

      > They won't know what's going on and most people despite all reason believe that computers act in a random and hurtful manner of their own volition.

      True. But do we really want to encourage that attitude? The more someone fears his/her computer's caprice, the less likely that person is going to be to experiment with programs or OPERATING SYSTEMS (cough, cough) of slightly-less-than-average user-friendliness. I've always thought that part of having Open Source software is the ability to control your computer -- but first you must have the inclination.

      --

      AHHHHHHH! I'm burning with goodness again!
      - Reakk, Sluggy Freelance

    2. Re:When you have no authority, help just control by Xerithane · · Score: 2

      > But do we really want to encourage that attitude?

      Yes, it's kind of fun to be treated as a witch doctor by certain less educated people.

      > The more someone fears his/her computer's caprice...

      The more power I have to think I'm magic and powerful. Gimp gets chicks, I have proof.

      --
      Dacels Jewelers can't be trusted.
    3. Re:When you have no authority, help just control by autopr0n · · Score: 2

      > Yes, it's kind of fun to be treated as a witch doctor by certain less educated people.

      And by 'less educated' I assume you mean 'less educated in computers'. If you were truly educated you wouldn't have been taken by Carr auto group in such an obvious scam. But, obviously people who are well educated in the field of computers are smarter and more important than anyone else. Right?

      --
      autopr0n is like, down and stuff.
    4. Re:When you have no authority, help just control by Xerithane · · Score: 2

      > Rejecting the spawn of Satan on the computer, but accepting them in your mug? (And if they both come from Seattle, is this evidence of some greater conspiracy?) :)

      Just for atmosphere. The 24 hour starbucks is great around here. Much different than any other starbucks I've seen, but you have to go there a few times (or once, and be there for a while) to really see the culture.

      I'm usually sitting in the corner there with my laptop coding away.. I suppose that I have gained a bit of mystique based off of that. I've had people refer to me as, "The guy in the corner", or other strange references, on multiple occasions.

      > ...after all, it could have been you, or the laptop, or the coffee, rather than the Gimp :)

      True, I am one sexy bitch. ;-)

      --
      Dacels Jewelers can't be trusted.
  8. Yeah I have a suggestion by BlkPanther · · Score: 5, Insightful

    Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.

    I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.

    Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!

    --


    I find that most often I end up learning from necessity, rather than for enjoyment.
    1. Re:Yeah I have a suggestion by Amazing+Quantum+Man · · Score: 3, Insightful

      > Explain it so THEY will understand what you are talking about, without talking DOWN to them

      Point out that bandwidth is like budget. They've all had to cut something so that everyone gets some budget, and therefore understand that short budget is a zero-sum game. In this situation, your bandwidth is zero-sum.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    2. Re:Yeah I have a suggestion by sporty · · Score: 2

      Or you can do it the hard way. Throttle their speed down to almost nil for legitimate work. When they complain about not being able to do anything, tell them it is because of the software they run. They need to shut it off. Make them learn from their errors...

      --

      -
      ping -f 255.255.255.255 # if only

  9. Go to Administration by Amazing+Quantum+Man · · Score: 2

    I'd come up with an AUP explicitly banning P2P, not for any ideological reasons, but stating the bandwidth/virus concerns.

    Take it to the principal (or whoever administration is if you're above the individual school level), and get it approved. Use logical reasoning. By pointing out that bandwidth is very limited, and such programs are interfering with the educational use of the 'net (YES -- a legit "for the kids" argument!), you should be able to get the AUP approved. At that point, you can ban all such things, and block your incoming/outgoing ports.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    1. Re:Go to Administration by Amazing+Quantum+Man · · Score: 2

      I hate replying to myself...

      Sorry, I didn't make myself clear. No, you don't have authority to impose an AUP on your own, but if you write one for the higher-ups, that's work *THEY* don't have to do, so it should be easy approval, as long as the AUP makes sense.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    2. Re:Go to Administration by jvbunte · · Score: 2, Informative

      I have worked for a local ISD (Intermediate School District) for K12 and I had to deal with the same problem on a countywide basis. Your best bet is to bring the problem to the attention of your school principal or superintendent. What I did was firewall it all, lock everything down except outgoing WWW and Mail (and some other misc specialized stuff) and as the complaints rolled in (and they will) I simply told them that if they can justify the need/use to the superintendent of the school and the superintendent authorized it, I'd be happy to reopen the service. The key is shifting the authority to re-open the service from you to the people in charge. I'd be willing to bet you won't find one teacher who will ask his boss (the superintendent) to allow them to use a warez/porn/whatever P2P program.

      Educate the superintendent on how those things are costing money, whether it's lost productivity, money spent cleaning up the virus mess, whatever. Every K12 institution in the USA's main priority is MONEY (Education is an end, not means). I would also look into the laws governing content in K12 environment. I know in Michigan, there is a law called the Children's Internet Protection Act which stated that all publicly accessed computers within the school must have content filtering enabled in order to qualify for several popular grants (a source of free money from the state). Explain that the lack of content filtering (this is pretty broad, you can extrapolate this to include P2P I'm sure) can jeopardize some serious grant money or prevent you from qualifying for it at all.

      Last but not least, leave everything open the way it is and install some traffic logging. Anonymously log traffic going to www/porn/whatever and if possible, log the traffic lost to P2P and present that evidence to the Principal/Superintendent/SchoolBoard (School Board Meetings are public forums, you probably need to get on the agenda ahead of time however they have to let you speak) and show them the stats. Even if it's "10% of all web traffic from this K12 school is to WWW Porn Sites, 20% is P2P filesharing with no educational benefit" and you have documentation for it, they will not ignore it. Always document everything and Cover Your Own Ass.

      --
      I think we'd all enjoy a nice cold beverage. -David Letterman
    3. Re:Go to Administration by altair87 · · Score: 2, Insightful

      Administration sees things in dollars and resources (man hours). That's their job. Take the above and add dollar signs.

      * More pipe to download means more $$
      * More viruses means more of your time devoted to clean up and removal and more downtime resulting in higher costs etc.

      You get the idea.

      Figure out what the cost of *your* time will be in dealing with P2P.

      Administrators know the IT staff are stretched thin, and a carefully worded statement saying something else is going to have to give or we are going to need to spend $$$$ goes a long way.

  10. unfortunately you're screwed by -ryan · · Score: 4, Interesting

    When it comes to implementing technology policy in any organization unfortunately the only way to be successful is to have 100% support from upper mgmt (or in your case administration). You can always regulate on your own and act like you have the authority, but sooner or later you'll piss off the wrong person and that person will just so happen to be best buds with your boss. Good luck.

    It truly amazes me how many times I've been hired or contracted to do something but not had the authority to follow through.

  11. Block the ports by God_Retired · · Score: 2, Funny

    Just block the ports for the p2p. What, are the teachers or students going to get all pissed, run up and say, "WTF!? You're phreaking the l33t h4x0r thing we got going! Daaaamn you!"?

  12. Acceptable use by Publicus · · Score: 5, Insightful

    Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.

    I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.

    Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.

    --

    My Karma was at 49, then they switched to words. All that work for nothing!

  13. Paranoia In Place of Policy by Kagato · · Score: 4, Insightful

    Well, if you can't pen policy, you can create paranoia in order to create harmony. In your case, big brother is watching. You might not be able to tell people to stop, but you can pen a friendly letter explaining the legalities, liabilities, oh, and that you have the technology to log and track all internet traffic going on the network.

    A little paranoia goes a long way. And as an added benefit, though, you don't have to stick up for anything because you're not changing policy at all. You are "executing the due diligence required by law".

    1. Re:Paranoia In Place of Policy by Kagato · · Score: 2

      While I certainly don't doubt that Finland has very progressive laws on the subject I can tell you there is no expectation of Privacy in the US. Not only is your employer allowed to sniff your traffic and read your email, but your ISP is allowed to pretty much do the same if they state it in the privacy policy.

      Having worked at a national ISP before I can assure you that US traffic is monitored/collected for all sorts of marketing data. And it's all nice and legal because they buried the fact they were doing that in the AUP/Privacy policy.

  14. Been there by CS_Bucky · · Score: 2, Interesting

    I know that I have worked in a large agency (I would prefer not to name names) and we had a similar problem. We just cut them off, and waited to see who got mad. The thing is that most people have a tendency to not complain if they know that what they are doing is not completely in the best interest of where they work. The bottom line is that it is not their private connection, it is the school district's, and the school district should be allowed to limit it if necessary. Now stopping these connections, that can be a bit more tricky, but there are software apps out there that will do it, or if you are really good do what we did, and write your own :).

  15. Good luck...... by isotope23 · · Score: 2, Insightful

    You'll need it.

    Try for an acceptable use policy first. I would recommend you implement it at the beginning of the next school year (assuming non-year round school here)

    Try and get buy in from the high up muckity mucks and/or a technology "team". I went through guiding a whole district onto the internet. The policy part was the toughest......

    I assume we are talking multiple k-12 sites with point to point links? If you do have routers between the schools, you could block most of the ports, (to give you breathing room)

    What are you running for OS and Network OS?

    --
    Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
  16. Let everyone know by Kintanon · · Score: 2

    Send out a schoolwide e-mail to administrators, teachers, etc... everybody. Make it say something like the following:

    It has come to my attention that certain individuals have installed software which is negatively impacting the performance of our network infrastructure. I do not know if these individuals are students, faculty or staff, but it will be necessary for me to disable access to this software in order to preserve the usability of the network. If this causes any inconvenience for anyone, please contact me.

    Your Sysadmin Type Person.

    Then just close all of the p2p ports. When people complain explain to them that their software is introducing viruses onto the network and eating up all of the bandwidth. Then add their name to a list of 'troublemakers' and wait for the chance to hose them good... Or you can just compile a list and turn it in to the administration as a list of people who are violating the network usage policy (If one is in place).

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  17. Alienating Teachers by Ioldanach · · Score: 2
    Unfortunately, as you probably are aware there's not much you're going to be able to do without alienating most of the teachers. Many teachers tend to react towards control of their resources very harshly, since they're used to being in a position of control.

    In this case, I'd start with the usual corporate arsenal. Block unnecessary ports out, unless a teacher requests access to a particular port for a school project. Possibly put an http proxy server into place if there are particular sites that need to be blocked (but don't block carte blanche)

    Unfortunately, these policies aren't going to make you friends with any of the teachers or students, so tell anyone who wants access to the blocked ports to just get approval from the principal or superintendent, and let them make the decision to unblock a port.

    1. Re:Alienating Teachers by SuiteSisterMary · · Score: 2

      Or, do some logging, then start closing down ports. When somebody complains, check their logs, and assuming that they're using said ports for stuff other than their jobs; i.e. piracy and pr0n, quietly inquire as to why they need such things. Then offer to grab a supervisor 'to act as an arbitrator; I don't want to seem like the harsh ogre here.' Then watch them flee like the cowards they are. Oh, and if your software can do it, unblock the ports at non-peak hours. Or implement QoS that lets the software run, but gives it lowest bandwidth priority. That way, ANYTHING else will take away their bandwidth, but if the link is idle anyway, they can rock. Unless you're running burstable. Then just mention the cost.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  18. Back in the Day. by Renraku · · Score: 2

    At my old high school, it wasn't p2p that was the problem. It was people streaming shit from other networks. On our tiny t-1, we had at least 10 people in our room listening to rap at max volume playing full screen music videos streaming off of a server. The admin responded immediately to the threat by blocking off Slashdot, AntiOnline, Something Awful, and all the other sites I read. I promptly downloaded Kazaa and began to download anime to watch. Moral of this story is, find the real cause of the problem, and act on that, instead of just against the nerds.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  19. Don't block, Limit them by pe1rxq · · Score: 3, Interesting
    Simple: don't block them, just limit traffic to and from the ports the p2p systems use.
    With a Linux firewall this is easy to do with QoS and such.

    They can still use p2p systems, you just limit the bandwidth to levels not harming genuine educational use. This shouldn't be hard to sell to your supervisors.

    Jeroen

    --
    Secure messaging: http://quickmsg.vreeken.net/
    1. Re:Don't block, Limit them by pe1rxq · · Score: 2

      This would only work if all p2p use were illegal...
      Although most likely most is, it can be used for legal purposes.
      Just like selling blank cds is not illegal just because most are used for illegal copying.

      Jeroen

      --
      Secure messaging: http://quickmsg.vreeken.net/
  20. Also irreducibly a social problem... by Futurepower(R) · · Score: 2


    Yes, block the P2P ports with a firewall. However, this is also a social problem that must be handled in a skillful way.

  21. As someone not long out of highschool... by phyxeld · · Score: 2

    ...I can tell you that you will be widely hated for your stance on this. But with limited bandwidth and the inherent legal problems, I really can't blame you. I'd suggest that whatever means you find to stop people, you lay out the reasons why it absolutely cannot be tolerated at school, and mention that you don't view p2p file trading itself as bad, just the use of school resources for it.

    A "no gnutella" policy alone without explained reasoning will just make you look like a typical asshole-school-administrator type, and that will only make your job more miserable.

    --
    __
    Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
  22. make your views known, give 'em 30 days by fiddlesticks · · Score: 2, Insightful

    Hi.
    I sympathise. These people aren't *evil* and they aren't *misguided*, they have just been (ignored) and allowed to get away with too much usage for too long.

    They are intelligent, else they wouldn't be teachers. So be reasonable.

    Post something [physical] somewhere [physically] obvious and non-threatening.

    'Hi I'm your new sysadmin. Nice to meet y'all. I have a problem: We have xKb/ month for education, and yKb/ month is being taken up with (all the things you are concerned about)

    Here are my rules....(name them)

    If anyone has a problem with these, I'd be really interested in your thoughts.
    You can come find me in room z, or mail me at roomz.wherever

    Regards

    BOFH (or whatever your real name is)

    __

    I promise, this will shift 70, 80% of the problem, then you can start to worry about the ones that ignore this.

    george

  23. You're the admin? Act like one. by Colin+Smith · · Score: 2

    If you've been given responsibility of managing the networks and systems then you have been given the rights to stop whatever you see fit.

    Computer networks are not democracies. Start closing accounts, add firewalls, put in traffic management, routing ACLs, file space quotas, virus scanning.

    The administrator's job is to make sure that the systems and networks function smoothly. If you're not up to that and the personality clashes that inevitably includes then you shouldn't be an administrator.

    You don't need backed up by spineless management. *You* have the administrative control. Use it.

    --
    Deleted
  24. Hi, I'm from the RIAAA... by rufusdufus · · Score: 4, Funny

    I am from the RIAAA [as far as you know] and am hereby officially notifying you, as an administrator of electronic services at your institution, to cease and desist illegal activity or face civil and criminal prosecution.

    When they complain, just tell them you were given a cease and desist notice ;)

  25. You've got all the argument you need by SuperguyA1 · · Score: 2

    ... but shutting them down is neccesary to maintain harmony (and legality)

    That right there is all the argument you need. These services are being used for illegal purposes.
    Every school I've ever heard of is so scared of lawsuits they can barely teach their students. Tell anyone who complains to tell the principal who will almost certainly side on the 'legally safe' side.

    --
    "as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
  26. Hmm... by ryanr · · Score: 3, Insightful

    Let's see... you have no policy, you can't get one, you can't just cut people off....

    You could make the P2P stuff run so slow as to be useless... or you could send your own trojans that will erase the drives of the problem users...or you could send them porn, and get them fired...(oh, and don't get caught doing any of the above.)

    Or, perhaps you're just screwed because you're trying to enforce rules where you have no authority to do so. I'm not necessarily saying you shouldn't have the authority... just that you clearly don't, and any attempt to enforce your idea of policy is bound to cause you trouble. Your time is probably best spent figuring out how to get a policy.

    1. Re:Hmm... by ryanr · · Score: 2

      He said it was faculty mostly who were the problem. But at the K12 level (in the US, at least) you most certainly can get expelled for porn at school. I can't imagine a faculty member who was caught with porn at school would have much of a career.

  27. What to do, half serious by PD · · Score: 4, Funny

    If you block the P2P software and make it the official policy that it should not be used, document that thoroughly. Make sure that it's expressly for the purpose of keeping unlicensed software out of your system. Then, insist that everyone show their licenses for their software. Put up big posters explaining that you are doing this because it's important to comply with the law. Become the biggest pain in the butt to everyone who opposes you.

    Then, just before you think they've all had enough of you and can fire you, call the BSA on yourself. When that phone call from the BSA comes, you can point at all your policies and say that all along you were just trying to avoid that exact situation. Suddenly all the babies who were crying because you took away their Kazaa will be viewed as the real problem in the organization. You will have achieved Total Management Support (TM).

  28. How to implement a policy by rongage · · Score: 2, Interesting

    What I have done in the past is to write out the policy in a form that would only require a signature. Then present it to the powers that be. If they need explanations, then explain why this policy is necessary.

    The trick overall is to do as much legwork as possible so the boss has very little to do but read and sign. If you approach the boss saying "I need you to write a policy to ban people downloading porn." then you add to your boss's workload. If you say "Here is a policy that prohibits downloading porn on the network, please approve it", then the boss's time commitment is significantly reduced and the likelihood of it being implemented is high.

    Of course, stay on it, daily if needed. It may not hurt to create a graph or two showing bandwidth utilization vs. time of day, broken down by workstation. It would probably be even better if you used something to capture the stream so you could show your boss exactly what these people are doing.

    If all that doesn't work, don't be afraid to document (via email or other dated message delivery service like sending it to yourself in a USPS letter) everything that you asked to have happen, when you asked, the results, etc, etc... create the paper trail. Then be prepared to go above the boss (PTA, School Board, Press).

    --
    Ron Gage - Westland, MI
  29. Cover your ass by grendel's+mom · · Score: 2, Interesting


    Been there, done that, nearly got sued.

    Block the ports. Clearly (and simply) explain the problem. Tell them that your supervisor must make that kind of (legal) call.

    Talk to your supervisor/Dean/Principal. Make *them* sign off on any open ports/applications.

    1. Re:COVER YOUR ASS by mekkab · · Score: 2

      I'm such a dork.... those ^D's should be ^H's !!!

      Wow. What a lame-o.

      So kids, let this be a lesson on why you should always hit the preview button FIRST.

      I'm gonna go hang out with my lawyer wife. She doesn't care if I get the geek jokes wrong.

      --
      In the future, I would want to not be isolated from my friends in the Space Station.
  30. Education. by tcc · · Score: 4, Insightful

    You're in a school, this would be one of the BEST environments to educate the people about all of these issues. You'll say that some people won't give a rat, but that's like in society in general, if people don't give a rat and anarchy reigns, stronger measures need to be taken.

    I might have gotten something wrong but if you're managing the network, usually it falls within your responsibilities to make sure to implement EVERYTHING (including some policy, or at least submitting them) for the proper operation of the network, which includes both load balancing, security and legality (to a certain extent, at least proving that you thought about it and implemented it to a certain level won't hurt).

    Now if we tell you to cut down trees for a paper company and we hand you a kitchen knife, you'll say "you're crazy", well same goes with being an admin, if you're ADMIN and you can't do zit, it's a big issue. If it was a mess before you arrived, probably that the organization was a mess in the first place, I'd document everything, put up a structure of the network and who's responsible for what, limit the number of people that have "power" over the administration because as we all know, the more admins on a box, the more potential problems. So you have to do your part, be professional, use people's experience and be open to suggestions, but at the same time, document every problem, and don't always go to your supervisor saying all of the problems, he's probably already familiar with them, for every problem, bring in a solution or two with arguments and documented facts (and normally supervisors like having a choice and feel like they did the work so... use that to your advantage).

    As for the P2P application, I've fixed the problem at work, I've put QoS and 1-2K/s on the total bandwidth, it's transparent "it's still working so I didn't do anything" and when those dead weights would come and see me "well probably it's not optimized for our network structure and I have enough work to do, if this is a priority, go see your manager or big boss". It's politically correct since you didn't block the port and the user has no idea on what's really going on (unless reading slashdot :) ), and it put the user in a situation where he would have to go look his manager to ask to waste time leeching (which he obviously won't do :) ) and I get no heat. Dunno up to what it could extend since where I work most people are reasonable and mature, and school isn't the same environment, but then again, it's a suggestion and I'm sure a lot of people here will have many more.

    Good luck.

    --
    --- Metamoderating abusive downgraders since my 300th post.
  31. Judicious use of DUMMYNET by rhizome · · Score: 5, Informative

    Use a FreeBSD gateway machine with DUMMYNET. FreeBSD can be configured so that it: a) doesn't have to replace the existing firewall; and b) is invisible so it doesn't show up on traceroutes. This is so that clueful users are not tipped off in a way that lets them complain like pornhounds on a free NNTP service. DUMMYNET will let you set up bandwidth policies based on (groups of) IPs, ports, and more. Client subnets can have full bandwidth on port 80, but the gateway can shut them down to 28.8 on the P2P ports. The possibilities are really open in a situation like this, and any junk computer can be used.

    --
    When I was a kid, we only had one Darth.
    1. Re:Judicious use of DUMMYNET by TheSync · · Score: 2

      ...and FreeBSD/Dummynet is just a LITTLE CHEAPER than Packeteer...

  32. Re:If they're K-12 teachers... by Archfeld · · Score: 4, Interesting

    exactly what we did...block ports and make them send you a note detailing why they want a specific port open. Most people will realize how stupid what they're asking is if they have to sit down and write it out. errr please open these ports so I can run my p2p software to pirate music using school resources...umm maybe I better not send that one :) Use SECURITY as the overall kicker, in order to maintain the security and integrity of the network it is essential the Admin knows what's going on. BTW if you do get a moron asking for P2P ports forward it to the rest of the staff for a good laugh.

    Follow the examples of the Bastard Operator from Hell and you cannot go wrong :)

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  33. Bandwidth Throttle by Computer! · · Score: 2

    As a coder and not an admin, I can't agree completely that P2P programs have absolutely no educational value.

    In addition, isn't bandwidth wasted if it's not completely used? A good idea would be to find an acceptable bandwidth limit per workstation (total), and throttle each machine to that limit. That way, it doesn't matter what they're doing, they won't be hurting anyone else.

    Although the complaints about viruses seem legitimate, I've never gotten one from an mp3.

    The possibility of legal exposure isn't your concern. You're a network admin, not a lawyer.

    --
    If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
  34. that's a tough situation by cballowe · · Score: 3, Insightful

    First thing to do is ask them if they were happy with the level of support they had before. Since you are claiming that some goofballs messed things up, it's best to start with the goofballs and try to define what they did and didn't do right. I wouldn't expect most K-12 institutions to have a good network security policy in place.

    In order to get one defined, you need to start talking to administrators. Find out which services they desire to provide and which they don't. Point out that most security and network use policies these days start by defining what you are allowed to do and blocking the rest of the traffic. Put out a request to the staff that they give you a list of applications that they use for purposes of education and then get a group together to review that list. If something strikes you as questionable, ask the person to justify it.

    You'll also, more than likely, want to get a list put together of officially supported software and a procedure for getting a piece of software onto the officially supported list. This keeps people from coming to you and saying "I can't download files with Morpheus" because you can just say "Is it on this list? No? Then not my problem." Part of the process of getting something on that list might be a written justification of why it should be there, and for commercial software proof of license.

    You don't want to be the only one making decisions. You should get a committee together. You'll want an administrator and a staff member on the committee. Decisions about what will and will not be supported will be made by the committee. You need these people because they understand the classroom, that's not your job.

    If it comes to it, you might want to take a look at your job description. Figure out what parts of your job you can do, and which parts will need a more defined policy to enable you to do your job properly. This is important -- if your job description says "support educational activities requiring network access and use of the internet," whacking traffic that doesn't fall into those categories is clearly a part of your job as it increases bandwidth availability for educational purposes. When somebody complains, you need something you can point to for the purpose of defending your actions.

    Start at the top, schedule some meetings with administrators and express your concerns to them. Most school administrators are reasonable people and when you explain that these things are necessary for a smooth running system they'll understand. Also, most school administrators are scared sh*tless of the words "potential lawsuit", don't be afraid to use it.

  35. Re:I'd Lie like hell... by Iltamies · · Score: 3, Insightful

    This is exactly the kind of mentality that continues to harm the IT Industry workers more than it helps. Depending on the lack of education of our user bases to provide a cover for our collective bad attitudes, grudges, and lies is no answer.

    Explaining these things reasonably to users without making them feel like you're hating on them is perhaps a better solution. Tell them it's illegal, sometimes they just don't know. If they don't care, as has been pointed out prior to my posting they have no basis to argue with you if/when you block the ports. But tell them it's happening before you do it, or right after you do.

    If somebody above you tells you to open the ports or allow the illegal activities to continue, explain to them what kind of ethical, not to mention legal issues they are bringing onto you.

    I have at previous jobs had my employers sign written up and sometimes notarized documents saying that it was their decision and their action allowing the illegal activities to continue. (After I said no they got somebody else to do it against my recommendation.)

    And one question: Do you like or need this job so badly that you can't explain to them your points of view without fear of losing it?

    --
    --- "Remember, there's a difference between bowing down and bending over." -Frank Zappa
  36. Use Quality of Service to keep P2P traffic low by PureFiction · · Score: 2

    Linux 2.4.x networking supports traffic control / quality of service.

    Read up on the advanced networking: http://www.fibrespeed.net/~mbabcock/linux/qos_tc/

    I use this on my home network to keep bandwidth usage allocated correctly on my cable modem connection. It works great. I have 20ms latency while gnutella, kazaa, and FTP uploads are all running concurrently.

    This prevents you from the task of blocking them out completely, while ensuring that high priority student/teacher use of the net remains fast.

  37. hehe... by rufusdufus · · Score: 2

    well it was supposed to be funny anyway :P

  38. Computer policy in educational institutions by Anonymous Coward · · Score: 2, Insightful

    Hi! ( hang my head ) I'm an anonymous coward, and I'm a politician.

    I'm on a county board of education in Calif. Send a note to your supervisor detailing the legal liability your district is in. Perhaps include the latest Microsoft tactics in auditing school districts with a heavy fist.

    Tell him this is something which needs to be fixed with a written policy ASAP, or you'll need to go to the board. Tell him you'll be willing to draft this policy. If he and the board have any sense they will thank you. Likely they are all unaware of the legal problems which they could face. Legal problems gets noticed.

    RK

  39. be honest. by geekoid · · Score: 2

    There are lots of things you can do to solve these problems, then when they come to you say "technical limitation", however that is the wrong way to handle this.
    Lay it out for them.
    We have X bandwidth, your unauthorized programs use Y bandwidth, and we can't afford that.

    People downloading certain programs have set us up for legal liability.

    People downloading unauthorized programs have cost the school X amount in IS labor.

    Then tell them you're putting in a firewall, and blocking ports.
    Write a letter up the chain. Send it to your boss, and his boss. If they don't like it, have them send you an email, or written request telling you not to do it. Then don't do it.

    This way you've a) found the problem b) proposed a reasonable solution that doesn't block the staff from using the system as a learning and business tool.
    c) you've covered your ass.
    If they give you too much grief, send a write up to the board and to parents, clearly explaining that their tax dollars that go to the school's tight budget are being wasted with legally dubious activities by the teachers.

    If you're feeling nasty, just monitor email until something incriminating comes along, use it.

    Did I type that last part?

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  40. Use fear... by Corporate+Drone · · Score: 2
    Well, instead of trying to get policies written to prohibit certain uses, couldn't you instead appeal to your bosses' sense of fear?

    That is, explain that the current firewall setup puts the schools at all kinds of risk: virii, copyright violations, etc, etc.

    Then, propose that the proper firewall setup will allow only certain types of "safer" access. (Make sure to throw in a comment about how this should have been done by your predecessor(s) when the network was set up.)

    Once you've got approval, your email should include a blurb saying that additional requests will be handled on a case by case basis. (And, don't be queasy about asking faculty members what they're asking for, and how it relates to their educational objectives...)

    --
    mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
  41. COVER YOUR ASS by mekkab · · Score: 2

    This is a specific follow-up to the parent.

    Before you do anything, get some logs of the worst offenders. Zip it, stuff it, tar to tape, whatever. Stick that in your back pocket because that is your golden parachute.

    Then block the ports. If an audit does come down and someone who has half a clue (in terms of systems and networks) is turned loose on you, simply provide an extra copy of your blackmail^D^D^D^D^D^D^D^D^D insurance policy.

    You can even run some awk scripts to show bandwidth usage per minute, etc. You can make a pretty pie chart/bar graph of how screwed the offending teachers are.

    But that is only if push comes to shove. Protect yourself, block the ports, blame it on the "unapproved", virus-riddled software and silently smirk to yourself. You've earned it!
    You have your forward plan (block the jerks) and your backup plan (expose them for the bandwidth hogs they are). You are officially a BOFH!!!!

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
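
Several comments above suggest logging traffic first and showing administrators what share goes to P2P, per workstation and per minute. The following is an added example, not code from any poster: a shell/awk report over a constructed log in an assumed format (`HH:MM:SS client_ip remote_port bytes`). The port map uses the default ports of Kazaa/FastTrack (1214), eDonkey (4662), Gnutella (6346, 6347) and Napster (6699), which is an assumption because clients can be moved to other ports.

```shell
#!/bin/sh
# Added example: summarise a gateway traffic log by category and by minute.
# Log format is an assumption: "HH:MM:SS client_ip remote_port bytes".

# Constructed sample lines (not a real capture). The last line is
# deliberately truncated to show that malformed records are skipped.
sample_log() {
cat <<'EOF'
08:15:02 10.1.2.11 80 40000
08:15:40 10.1.2.14 6346 250000
08:15:55 10.1.2.11 443 10000
08:16:05 10.1.2.14 1214 300000
08:16:30 10.1.2.23 80 50000
08:16:48 10.1.2.23 25 20000
08:17:10 10.1.2.14 6346 330000
08:17:31 10.1.2.30 80
EOF
}

# awk helpers shared by both reports. Default ports only (assumption):
# a client reconfigured to another port is counted as "other".
CLASSIFY='
function classify(port,    p) {
  p = port + 0
  if (p == 80 || p == 443) return "web"
  if (p == 1214 || p == 4662 || p == 6346 || p == 6347 || p == 6699) return "p2p"
  return "other"
}
function valid() { return NF == 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ }
'

# Anonymous summary: percentage of total bytes per category, no client IPs.
category_share() {
  awk "$CLASSIFY"'
    valid() { bytes[classify($3)] += $4; total += $4 }
    END {
      if (total == 0) exit 1
      n = split("web p2p other", order, " ")
      for (i = 1; i <= n; i++)
        printf "%s %.1f\n", order[i], 100 * bytes[order[i]] / total
    }'
}

# Per-workstation detail: P2P bytes per minute and client, sorted by time.
p2p_per_minute() {
  awk "$CLASSIFY"'
    valid() && classify($3) == "p2p" { sum[substr($1, 1, 5) " " $2] += $4 }
    END { for (k in sum) print k, sum[k] }' | sort
}

sample_log | category_share
sample_log | p2p_per_minute
```

The first report carries no client addresses and suits a board presentation; the second is the per-workstation breakdown to keep on file.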
  42. A small ISP with the same problem. What we did. by maquaro · · Score: 2, Interesting

    My friend and some associates started a wireless ISP sharing a T1. A few residential users started using P2P such as Bearshare and Morpheus to share out 'their' files. That saturated our T1 line. We used FreeBSD and the altq program which allowed us to throttle traffic and bandwidth as we saw fit. The current setup is that http traffic gets about 70% of priority with all 'other' traffic sharing the remaining 30%. If the http traffic is not in use, then the 30% group can grow. But if http starts back up again, then the 30% group is throttled back to 30%.

    A suggestion to the gentleman in the school district would be to evaluate the 'critical' traffic that your teachers and administrators need. I would think http would be the first priority. Start by giving 60% to 70% of bandwidth to http then the remaining 30% to 40% to everything else. This includes ftp, RealPlayer, Streaming music, IRC chat, anything. Now, what this gains you is that you give limited bandwidth to other programs, but you don't shut anyone down. Your users will complain that ftp downloading is slow, but their web surfing is extremely fast.

    On our network we have noticed that the amount of use on BearShare and Morpheus and P2P file sharing has dwindled. Only those that put up with the slower speeds are using them.

    Good luck.

    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.12
    GIT/>CS d(+) s:+ a- C++$ UB++++ P+>++ L- E--- W++>+++ N o+ K? w-->--- O- M>+ V-- PS(+@) PE+>() Y+>++ PGP+>++ t(+) 5- X(+) R+(++) tv+ b+ DI D+(++) G++ e+>+++ h---() r+++ y?
    ------END GEEK CODE BLOCK-----

    --
    What I am I once was. What I now become I long to be. Life is a journey not a destination.
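
The 70/30 split with borrowing described in this post, and the Linux traffic-control approach mentioned in the earlier QoS comments, as an added example that is not any poster's configuration: it uses Linux `tc` with the HTB qdisc rather than the FreeBSD altq setup the post describes. The interface name `eth1`, the 1536 kbit link rate and the function name `htb_rules` are assumptions; the function only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: print (do not run) tc commands for a two-class HTB split.
# Usage: htb_rules <lan_dev> <link_kbit> <web_percent>
#
# tc shapes traffic leaving an interface, so the rules target the LAN-facing
# interface of the gateway: downloads heading to clients carry the remote
# server's port as their source port.
htb_rules() {
  dev=$1 link=$2 pct=$3
  [ -n "$dev" ] || { echo "missing interface" >&2; return 2; }
  # Positive decimal integers only (a leading 0 would be read as octal).
  for n in "$link" "$pct"; do
    case "$n" in
      ''|*[!0-9]*|0*) echo "link_kbit and web_percent must be positive integers" >&2
                      return 2 ;;
    esac
  done
  if [ "$pct" -gt 99 ] || [ "$link" -lt 100 ]; then
    echo "web_percent must be 1-99 and link_kbit at least 100" >&2
    return 2
  fi

  web=$(( link * pct / 100 ))   # guaranteed rate for web traffic
  other=$(( link - web ))       # guaranteed rate for everything else

  cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${link}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${web}kbit ceil ${link}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${other}kbit ceil ${link}kbit prio 1
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip sport 443 0xffff flowid 1:10
EOF
}

# "default 20" sends everything the filters do not match (P2P, FTP,
# streaming) to class 1:20. "ceil" equal to the link rate lets either class
# borrow bandwidth the other is not using, and each class falls back to its
# guaranteed rate when the other becomes busy again.
htb_rules eth1 1536 70
```

Because unmatched traffic falls into the low-priority class by default, a P2P client moved to a non-standard port is still limited without the rules naming any P2P port.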
  43. Leak to media? by John+Jorsett · · Score: 2

    Have you thought about leaking word of the activity to some media outlet (asking for confidentiality, of course)? Seems to me a story of malfeasance by employees and waste of government resources would be irresistible. A call or two from some reporter asking about it would get a new policy put in place at light speed I'm betting.

  44. You're screwed. by Mullen · · Score: 2

    If you don't have the authority to do your job, manage your limited resources or ever get the authority to do so, you will never be able to do your job. If you can't tell someone to stop, and they will never be punished for doing so, then they never will stop doing what they are doing.

    I would simply brush up my resume and tell the school district that if you don't get the complete and absolute authority to manage the limited resources they have given you, you will quit. Make sure to back it up if they say no. If you pull a hollow threat, you can kiss any future ability to manage your limited resources goodbye.

    --
    Linux O Muerte!
  45. Just cut 'em off by barzok · · Score: 2

    As others have posted, the best way to do it is just cut off anything that doesn't serve an education-related purpose.

    Back when Napster was hot, we had a sort-of-high-level person at our company call the helpdesk complaining that he couldn't swap files on it, and felt this was a problem that needed to be "fixed". I don't know what was said directly back to him (probably something like "it's not supposed to work"), but the call was just pushed aside by the IT staff. No complaints since.

  46. Cite Examples (Especially Other Academic Spots) by Chibi · · Score: 3, Informative

    This is mostly about how to bring this topic to the attention of your supervisors, since if your users are already saying there's no official policy against using p2p apps, they're likely to just tell you to get bent on further discussion.

    Over the past year or so, there have been plenty of universities that have made decisions on P2P apps, going in both directions. You can use some of these institutions as examples of why you need to police this kind of traffic. Bring up the same reasons that these universities did, and that you brought up in your question (mainly legal protection and consumption of resources).

    Here are a few examples:



    There are also articles on other sites that list some of the universities that have banned Napster. Here's one article: http://www.ecommercetimes.com/perl/story/4172.html . They mention the following universities: Kent State, Rice, Seton Hall and Villanova. I'm sure there are others.

    You can argue that if these major universities with plenty of money can't handle this traffic, how is your small public school district supposed to handle it? Hopefully, the money argument will help you out.

    One final thing you can do (and this is fighting dirty), is point out how much pr0n is out there on p2p apps. That should get someone's attention.

    --
    If all you have are silver bullets, everything looks like a werewolf.
  47. Well by martissimo · · Score: 3, Interesting

    taken from this article

    Second, administrators that attempted to block the AIM service by blocking the default port of TCP/20379 were in for a shock. The AIM client/server model is extremely versatile and doesn't pay any attention to WKS (Well Known Services); the login server allows connections from every TCP port under the sun, including the ports that are likely permitted for business reasons: TCP/21 (ftp), TCP/80 (http), and TCP/443 (https). While we would never do something nasty like run nmap against login.oscar.aol.com, we think you'd be surprised if you knew just how many AIM-open ports there are.

    AIM also runs over proxy; and the client has an "auto-configure" button that makes it really easy for Nancy in Human Resources to bypass your perimeter security. In a nutshell, AIM's a slippery little devil and just about impossible to block unless you're using a perimeter device with content inspection capabilities. We can expect more user toys to start exhibiting these perimeter-security-bypassing traits, which means that you will not know what applications are actually in use on the network layer, since the port number will become meaningless.


    Remember when the RIAA did their experiment with those kids downloading a ton of music before the Grammys? Well, those same kids said they got most of their content with AIM. Shutting down everything except HTTP/SMTP/POP may not even cut it nowadays.

  48. Business case by Mannerism · · Score: 2

    (First, as a bit of friendly advice, I'd suggest not publishing comments that refer to your colleagues as "a bunch of goofballs". Perhaps they are, but perhaps they were subject to restrictions such as those that you're now encountering and weren't able to do their jobs effectively. In any case, such criticism won't help you now and might hurt you later.)

    Getting something to happen in an organization involves building a business case for it, and presenting the case to your supervisors. Briefly, a business case justifies an action by demonstrating a benefit, usually a financial one. So, perhaps a case based around an argument such as "We're spending X dollars per month for our Internet access, but Y percent of that access is for non-school purposes. We could save Z dollars if we implemented policies A and B." would be effective. Risk reduction, such as protection from the legal liability you mentioned, can also be a justification. So if you have proof that the school's computers are being used for illegal purposes, then present it and describe the steps you could take to protect the school from liability. Another justification might be improved service to your clients (the staff and students, in your case); this sort of justification is harder to use, because it's harder to quantify, but it can be effective.

    You might find that a supervisor who wasn't willing to act based on a verbal discussion will take action based on a written business case, which he or she can pass up the chain of command. Remember that your supervisor might, quite justifiably, not understand the issue well enough to create a case for it, and therefore might be unable to take any action unless you provide some hardcopy ammunition.

    It shouldn't be too hard to find some resources on the net that help you to learn how to build a good business case. It's a great skill to develop. Good luck!

  49. Policies for K12 net access by baka_boy · · Score: 2

    I have to admit that I was a bit shocked, when I first read this post, as every K12 district I've seen (and before you ask, it's quite a few, as I have several teachers and an educational IT consultant in my family and close friends) already has a policy limiting use of the Internet on their network to approved educational tasks. This almost universally includes the teachers, as well. These policies are usually worded so as to restrict everything by default, and explicitly allow only certain ports/hosts to carry important services (web browsing, email, etc.)...kind of like a good set of firewall rules.

    Really, this shouldn't be an issue. Your district should have policies in place to protect the network from user stupidity, and if it doesn't, you're just going to be up shit creek. Cutting off ports, throttling bandwidth, etc., are only going to be successful as long as your users are complacent, effectively computer (or at least networking) illiterate, and willing to believe the BS you hand them by way of explanation. One competent user in the bunch could cause serious problems for you, once you've established a pattern of simply lying through your teeth about what's going on.

    1. Re:Policies for K12 net access by cowboy+junkie · · Score: 2

      I felt the same way. I know of a school district that had policies in place several years before their network was even completed. The administration in this guy's district has REALLY dropped the ball. Bandwidth usage is really the least of their problems.

  50. Re:If they're K-12 teachers... by xWeston · · Score: 2, Interesting

    Computers in K-12 situations are for education use only. Downloading the newest screener or a gig of mp3's is not educational, even though it is quite fun.
    At my high school we originally had no internet, then ISDN, then T1 for the entire district, and people were always trying to run these programs.
    If it is the teachers that are doing it, it's harder to monitor the computers because you can't make a script that deletes things that aren't supposed to be on the computer, etc, but blocking all of the ports except for the necessary ones definitely will help. There aren't that many ports needed to check email, surf the web, etc.
    As was mentioned earlier, it can be a security issue and there should be policies for both that as well as the educational use agreement. Teachers have to sign the agreement not to look at porn/do illegal things etc on school computers just as the students do in the local district here.

  51. Stupid Responses by dustpuppy · · Score: 3, Insightful

    Frankly, anyone who says that you should be secretly throttling the P2P ports is giving you bad advice. You are paid to give a service to the school - which is to provide IT services.

    Part of that, as you have capably done, is identifying areas that need improvement or fixing (such as the P2P problem you mentioned). Your position doesn't entitle you to be judge jury and executioner though!

    If illegal downloads are a problem, then you need to talk to the head of the school. You need to explain the legal and financial risk of allowing these downloads to continue. You need to highlight the financial and bandwidth cost that the downloads are incurring etc etc. If the head of the school says, 'Yes, we agree. Do something to fix it' Well you just got your policy and you have carte blanche to fix it - ie block ports or whatever.

    If the head of the school says, 'No, I don't want you to do anything'. Then don't. It's not your problem anymore. The head of the school has just accepted responsibility for any related issues that will occur from this continued use of P2P.

    You shouldn't be doing underhand sneaky tech tricks to get the results you want on a problem that is more political in nature than technical. Doing so will mean you get out of your depth and fired.

  52. High and mighty systems admins by intuition · · Score: 3, Informative

    What is it about systems administration that makes people all high and mighty all of a sudden?

    There are reasons that this administrator can't arbitrarily set policies or change things according to his own whim. Now, if his job was to set up initial access to the internet, perhaps it would have been more appropriate (but not completely) insofar as exercising a certain level of discretion in how the connection to the internet is structured (proxies/firewalls/etc.).

    However, the system is in a steady state, and this administrator has no basis to change it. It's (in all likelihood) not this administrator's job to manage legal liability or even determine if p2p applications are an appropriate use.

    Just as teachers can't change their curriculums as they see fit, without some oversight by the administration - administrators have no right to make these kinds of decisions based on "what they feel is best."

    The administrator however is completely within the realm of what is right and proper to make an observation, (p2p is consuming all our resources), and share it with those people that are in a position to change policy. If you really feel p2p is this horrible, find some users who are affected by it (complain they can't use or their use is substantially affected by p2p traffic.) Bottom line is, if upper management doesn't care, you shouldn't either. Run the network with a hands off approach, much like slashdot does with its comments section. If there are technical problems fix them, if there are ethical problems save the decision making to the people whose responsibility it is to make these decisions.

    1. Re:High and mighty systems admins by bay43270 · · Score: 2

      I think this quote says it all:

      "...if upper management doesn't care, you shouldn't either."

      Until I took my current job, I had no idea there were so many educated adults in this world who care so little about the jobs they worked so hard to get into. It's disgusting that so many people take the attitude that any task not specifically written in their job description should be ignored and blamed on others.

      I admire the poster for trying to fix things, even if the administration doesn't care. Some people like what they do, and they want to do it right. For those of you who don't, please feel free to step out of the way.

    2. Re:High and mighty systems admins by intuition · · Score: 2

      Your argument does not apply to this situation.

      My quote was taken horribly out of context.

      If you want a summary quote, here's one.

      I am saying that it is outside a system admin's role to censor access to the internet - especially in an academic institution, and that decision should only be made by those in the administration or "upper management."

      Never at any time, did I imply people should not do things because they weren't in their job description. I outlined an argument as to why it would be inappropriate for the sys admin to act in this matter. This argument never included things like don't work hard, or blame things on others, or don't do things that aren't recorded verbatim in your job description.

  53. Re:Stupid Responses - some additional comment by dustpuppy · · Score: 2

    This is not to say that the solutions that have been suggested aren't worthwhile or effective from a technical standpoint.

    But from a political view, using any of the suggestions will not be good if you are found out. Yes, you can go on about how as the sysadmin, you should have full rights over the network and IT facilities, but that is not how staff will view your position.

    To them, you will be seen as implementing your own personal agenda without consultation with staff or admin. That is not a good impression for people to have of you. So don't lie, don't secretly throttle bandwidth, don't secretly block the ports. Get admin onside first, then do those things.

  54. Re:If they're K-12 teachers... by jovlinger · · Score: 4, Funny

    Perhaps you can do something in between: start downgrading the performance of said ports, depending on length of connection. Short connections on a p2p port go through, while longer transfers start getting slower and slower because you're dropping every nth packet.

    So instead of making it impossible, illegal, or whatever, just make p2p really inconvenient. If everything else works fine, the culprits can't really complain -- in fact, this will likely make everything else faster.

  55. Limiting bandwidth by Restil · · Score: 2

    I liked the suggestion of throttling the bandwidth on the ports in use. But make it more gradual. When you start, throttle it to about 1/4 of the total bandwidth, then decrease it by a rather sizeable percentage every few days until you're at the bandwidth that ping uses.

    The network is already running slowly as it is, so the teachers and other abusers already are expecting it to run somewhat slowly. If someone DOES complain about it, draft a well written proposal to your supervisors or the school board or both, claiming that more money is needed for additional bandwidth because the teachers (and include the names of those who complain) NEED these programs so they can trade music, illegally copied programs, and porn while at work. Specify that you don't see any legitimate use for these programs at school, but since their policy doesn't forbid them, you need the bandwidth increase so the teachers can continue to use them.

    I'm guessing that anyone with half a brain will take a look at that and you will have your broad policy change that's needed.

    -Restil

    --
    Play with my webcams and lights here
  56. Experience from the trenches by Hal_9000@!!!@ · · Score: 2
    I work in a K-12 district in Michigan, and have some experience with all the problems that come with such work. I have a few tidbits to share. First of all, check out about getting eRate money to buy a bigger pipe. This is almost a must, especially as you get to be bigger. Second, get support from your administration. If you can't get someone like a Superintendent or Asst. Superintendent (ours is an Ex-Programmer which makes life so much easier) to help you, you're virtually screwed. With their support, having an uninstall fest will be a lot easier.

    Next, you're going to want to set up a firewall and IDS system to keep P2P off your network. We use redundant Cisco Pix units, but a dual-homed machine with Linux or xBSD will work fine if you don't have that kind of change lying around :-) Set up rules for the IDS to check for P2P, Porn, Games, etc. We are in the testing phases of doing just this. The security-focus IDS list has been a big help.

    As for the virus problem, Norton Corporate has great educational pricing, and can be set up so the (l)users can't play with it. Requires NT, though, but educational pricing is still cheap (before MS's new school licensing rolls out) and I'm sure you probably have a box laying around :-)

    --
    My email is real.
  57. Obvious solution by jesser · · Score: 2
    --
    The shareholder is always right.
  58. Novell BorderManager by cscx · · Score: 2, Informative

    Great caching proxy server + firewall combo. Very tricky to set up, but allows auth on a per-user basis if needed. Also gets you a subscription to CyberPatrol to block "objectionable" sites if need be. The firewall is pretty good, just remember to turn off dynamic NAT or you're back to square one (duh).

    1. Re:Novell BorderManager by cscx · · Score: 2

      Not if you're on a Novell network! (Most K12 Schools are.)

    2. Re:Novell BorderManager by stinky+wizzleteats · · Score: 2

      I am a CNE. The first five years of my professional career were spent working with Novell, including hundreds of Border Manager implementations.

      BM sucks.

      • You can telnet to port 2000 on a BM box and abend it.
      • You cannot set up stateful firewall rules for UDP or ICMP traffic
      • Occasionally, BM will simply go nuts. You will have to scrub out the cache to fix it.
      • Occasionally, BM's NLS provided connection licences will just "go away". The only solution is to wait for them to "come back".

      BM should only be used if you must implement different proxy cache user policies per user AND those users cannot be distinguished by any other factor AND you don't know how to use Squid's ACLs and LDAP.

      Server firewalls should be OpenBSD. Proxy cache should be Squid, running on the OS of your choice (I usually use Linux).

  59. How We Do It - K-12 by JLester · · Score: 5, Informative

    As Manager of Technology for a K-12 school division, I can tell you how we do it. First of all, your system should have an Acceptable Use Policy (AUP). Students and parents should receive a copy of it each year during registration. Ours is included in the Parent/Student Handbook. All students who use the Internet must have a signed form from their parents granting privileges. Ours includes language that states that Internet access is for educational use only! Even though it isn't strictly enforced (we do allow entertainment sites for example), that language is there to back us up on content and P2P decisions.

    Since students and teachers use the same network and computers, all are subject to the same policies and filters. We transparent proxy all requests to port 80 and 554 through iPrisms which filter and then pass the request on to a Squid proxy that generally runs at about a 40% hit ratio. All other Internet traffic passes through our Cisco firewall which performs NAT based on an access list. That access list denies NAT for all the popular instant messaging and P2P applications. Since all computer addresses are private, no NAT means no access. Instant messaging is blocked after an incident where a bomb threat came in that was untraceable according to AOL. P2P filtering is obvious due to copyright violations and bandwidth usage. It is interesting to watch the hits on our access lists from P2P apps that are denied. Kazaa seems to be the most popular, we block several million Kazaa packets each week.

    That's how we do it, if you have any questions, let me know.

    Jason

    --
    "FORMAT C:" - Kills bugs dead!
    1. Re:How We Do It - K-12 by CaseyB · · Score: 2
      We transparent proxy all requests to port 80 and 554 through iPrisms

      Why do you proxy filter RTSP streaming media, while ignoring HTTPS traffic?

      :)

    2. Re:How We Do It - K-12 by JLester · · Score: 2

      Oops, should have typed 443 instead of 554!

      Jason

      --
      "FORMAT C:" - Kills bugs dead!
  60. Re:Acceptable use - a word of caution by 5KVGhost · · Score: 2

    Be very cautious when adopting acceptable use policies originally developed for other state and county agencies. It's usually a bad idea.

    The needs of an educational environment are quite different from those of a standard workplace. A policy designed for an office full of adults doing a rather limited set of tasks will not be a good fit for a K-12 institution filled with teachers and kids. And once you've given that policy your blessing you may find yourself stuck with it for a very long time, especially if you've appealed to a higher power to enforce rules on your co-workers that you cannot. By that point you're as bound by it as anyone else, and those same co-workers are unlikely to forget that.

    If your goal is strictly to "stay out of trouble" by preventing people from doing as many things as possible then yeah, this'll probably do it. But if you're actually trying to craft workable policies and put them into practice then it'll call for some forethought, compromise, and - unavoidably - actually sitting down and talking to people about what you're trying to accomplish and why. No short cuts.

  61. Beware the BSA!!! by javilon · · Score: 2

    If one of those warez people downloads one illegal application then M$ has the right to audit your institution in order to find it and charge them for the audit.

    You signed it on the EULA.

    Have a good day.

    --


    When his defense asked, "Which computer has Jon Johansen trespassed upon?" the answer was: "His own."
  62. Don't make policy, take charge. by MoneyT · · Score: 2

    You have the legal responsibility to be blocking such programs. Start by finding which programs are most commonly used. I assume the school's network is run through a firewall of some sort? Block the ports that those programs run on. Then, set up all the machines so that the users can not run any of the executables except those approved by the school. Then worry about implementing a policy.

    --
    T Money
    World Domination with a plastic spoon since 1984
    1. Re:Don't make policy, take charge. by autopr0n · · Score: 2

      You have the legal responsibility to be blocking such programs

      No he doesn't, you idiot. p2p software is not illegal.

      --
      autopr0n is like, down and stuff.
    2. Re:Don't make policy, take charge. by MoneyT · · Score: 2

      But if the people using them are using them for clandestine purposes (and he can prove such) he has the responsibility to stop it.

      --
      T Money
      World Domination with a plastic spoon since 1984
  63. Parry, then thrust -- not a frontal assault by xeno · · Score: 2
    My view on this is heavily influenced by my location in the US, and my experience with other public institutions. My simple advice about trying to make up new policy:

    Don't do it.

    You don't need to. You work in a public school district, which is a government operating organization. Even where I live, with very strong university systems that have opted out of many state security and authentication programs, the school systems are still bound by the state's general laws on proper use of facilities. Without much doubt, you can find enough existing law in your locale that stipulates that state/county employees will not take government facilities/materials for their own benefit. Your approach should be one of "State law prohibits this type of use, and we have to come into compliance before all of us get reprimanded/penalized/fired." To back up this argument, you should have a look at:

    • copies of state/county/city law regarding (prohibited) private use of public facilities
    • copies of school regulations and school board decisions restricting use of educational resources to educational purposes
    • examples in your locale of educators penalized for excessive*** misuse of resources -- copiers, long distance phone, etc etc
    • specific examples of educators -- not necc. in your area -- penalized for misuse of internet-specific resources (examples that include fines and jail time are good)
    • printed sniffer logs that show the ratio of school-related vs. non-school-related (~95% if P2P media?) traffic
    • etc etc
    ***This is important to counter the argument that downloading 1.5GB/day of music is "incidental" and therefore permitted.

    With this in hand, schedule a meeting and embarrass/scare the hell out of them with the state govt looking over your shoulder. The key here is NOT to invent new policy, but to adapt your operating procedures to conform to existing requirements and regulations. Remember, as the sysadmin, you have much more power to control the technical interpretation of existing policy, than to invent new policy to make technical implementation more straightforward. Your legislature is probably on your side on this one -- you just have to dig up the relevant bits before you jump on the soapbox.

    JEspenschied
    --
    I think not...(*poof*)
  64. Delete Windows, put up an FTP server by leonbrooks · · Score: 3, Interesting

    Since you're going to be taking charge, eliminate the support program of preference for more than 99% of viruses.

    Rather than just blocking ports, put up an FTP server as well, and hand out forms asking people what they want the school to make available on them. That way, they have to write it down and put their names to it. Explain that people making multiple downloads of the same thing was costing the school a fortune. Redirect any web or FTP request for a file ending EXE COM ZIP RAR ZOO BAT TGZ TAR.GZ RPM ISO MP3 etc to the FTP server, so if you have it, they get it and if you don't, they have to ask (put a form for that in Squid's file-not-found page).

    Actively scan the Squid logs for porn, and if you're getting reliable requests for same from a specific user or machine, print out a list, walk down and ask them if they knew that their class was downloading pornography, and could they please stop because the principal is very busy and doesn't want to get involved. Log these incidents and CC the log to the principal's office regularly. If you don't, and someone else does the busting, your ass is on the line.

    Just do it, fait accompli, and when the complaints start rolling in, log them, hand out a form, and if they refuse the form ask them why they want to send the school broke. Instantly, in writing, and CC it to the principal.

    You're in the right. Act like it. Otherwise that job's not worth having for less than USD$100k a year.

    --
    Got time? Spend some of it coding or testing
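The comment above names the file types that eat the link and points at the Squid logs as the place to look; the report below measures that from the proxy log, as an added example that is not from the original post. It assumes Squid's native access.log format, reuses the extension list from the comment, and runs on constructed sample lines with documentation addresses.

```python
"""Bandwidth report from a Squid access.log (added example, constructed data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Extension list taken from the comment; matched against the URL path only.
BULK_EXTENSIONS = (".exe", ".com", ".zip", ".rar", ".zoo", ".bat",
                   ".tgz", ".tar.gz", ".rpm", ".iso", ".mp3")

# Constructed sample in Squid's native format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1021987402.120    310 10.1.2.15 TCP_MISS/200 4821 GET http://www.example.com/lessons/index.html - DIRECT/192.0.2.10 text/html
1021987410.554  92011 10.1.2.31 TCP_MISS/200 4194304 GET http://files.example.net/pub/album/track01.MP3 - DIRECT/192.0.2.20 audio/mpeg
1021987415.001     12 10.1.2.15 TCP_HIT/200 10240 GET http://www.example.org/img/logo.gif - NONE/- image/gif
1021987420.730 240113 10.1.2.31 TCP_MISS/200 15728640 GET http://files.example.net/pub/setup.exe?mirror=2 - DIRECT/192.0.2.20 application/octet-stream
1021987431.200   1500 10.1.2.44 TCP_MISS/200 2048 CONNECT secure.example.org:443 - DIRECT/192.0.2.30 -
1021987440.918  60200 10.1.2.44 TCP_MISS/200 1048576 GET http://mirror.example.net/linux/tools.tar.gz - DIRECT/192.0.2.40 application/x-gzip
truncated line without enough fields
"""


def is_bulk_download(method: str, url: str) -> bool:
    """True when the requested path ends in one of the bulk extensions.

    Only the path is inspected, so a host such as www.example.com is not
    mistaken for a .com file and a query string does not hide the extension.
    CONNECT requests carry host:port rather than a URL and never match.
    """
    if method.upper() == "CONNECT":
        return False
    return urlsplit(url).path.lower().endswith(BULK_EXTENSIONS)


def parse_line(line: str):
    """Return (client, bytes, method, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        size = int(fields[4])
    except ValueError:
        return None
    return fields[2], size, fields[5], fields[6]


def summarize(lines):
    """Aggregate total and bulk-download bytes overall and per client."""
    per_client = defaultdict(lambda: {"total": 0, "bulk": 0})
    total = bulk = skipped = 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # keep count so a corrupt log is noticed
            continue
        client, size, method, url = parsed
        total += size
        per_client[client]["total"] += size
        if is_bulk_download(method, url):
            bulk += size
            per_client[client]["bulk"] += size
    return {
        "total_bytes": total,
        "bulk_bytes": bulk,
        "bulk_share": bulk / total if total else 0.0,
        "per_client": dict(per_client),
        "skipped": skipped,
    }


def top_clients(report, n=5):
    """Clients ranked by bulk-download bytes, largest first."""
    ranked = sorted(((c, v["bulk"]) for c, v in report["per_client"].items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"bulk share of bytes: {report['bulk_share']:.1%}")
    for client, size in top_clients(report, 3):
        print(f"{client:15s} {size:>12d} bytes in bulk downloads")
```

The report only covers traffic that passes through the proxy; anything tunnelled with CONNECT shows up as bytes to a host and port with no path to classify.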
    1. Re:Delete Windows, put up an FTP server by Lurgen · · Score: 2, Insightful

      This opens up a whole different can of worms - just printing out the list and handing it to them (or waving it in their face, or even just generating it in the first place) can be an invasion of privacy. If you can't reliably tie the activities to the person, you risk being accused of defamation, which from what I hear about US law is begging to be sued.

      I worked in an education institution a few years ago, and this sort of thing was commonplace. Initially, there were no rules or procedures in place that applied to staff. Students were covered, but staff continued to be a problem. Until formal rules and policies were put in place, there was no real option other than to break the software and plead ignorance.

      It was not uncommon for us to hunt down executables that were doing "bad things", and corrupt them. People rarely complained, knowing that they were breaking the law in the first place.

  65. Re:If they're K-12 teachers... by jrp2 · · Score: 2, Insightful

    OK, make them smarter then.

    - Install Linux on all the workstations, make them work a little harder to install their P2Ps and they might learn something along the way. The ones that can't figure it out will not bother and just focus on their work.

    - That will save the school lots of money and make the kids and teachers smarter.

    - Use the money saved to buy more bandwidth. ;)

    Am I kidding, well, yeah, a little. But, quite seriously, kids (and us big kids) are curious and at times a bit mischievous. I know when I was a kid (a long, long time ago) a roadblock like this would just get me going and I would figure out how to make it happen, and learn a lot along the way. They aren't learning shit by downloading some Windoze setup.exe and loading up Kazaa or whatever. They are learning quite a bit by figuring out how to do it in Linux.

    --
    The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  66. Some of you are utterly amazing by NJVil · · Score: 2, Insightful

    Let's see if I understand this. Some of the people here are advocating changing the network settings and then outright *lying* to your *professional* colleagues about why you've done what you had to do to preserve the integrity of the network.

    And then you complain that the same people you've lied to are such utter incompetents about technology. How can you expect them to ever learn if you tell stupid lies to them?

    Furthermore, some of these crackpots are the same people who will whine and complain if something about their own workplace were changed and they weren't given satisfactory answers. Hypocrites, the lot of them.

    Just do what you have to do and be honest in why you're doing it. Sure you can gloss over some of the specifics, but explain to any reasonable person that you're having bandwidth issues and that person will begrudgingly accept your explanation. If you run into problems, you have to advocate your position with your supervisors better until they do understand the costs and headaches that the current system has.

    My $.02

  67. Re:I'd Lie like hell... by leonbev · · Score: 2

    The only problem with this plan is that there is almost ALWAYS one or two people in every organization who would be smart enough to figure out what you're doing. It might be a CS teacher who used to work as a network admin, or perhaps some 11th grade "hacker in training" whose Dad used to work at Cisco. If it irritates them enough, they're going to figure it out eventually.

    If you're smart, you'll get to know these people and get on their good side, so they keep their mouths shut. Perhaps you could give them first dibs to new equipment, or offer them advice with problems on their home computers. Otherwise, they might start bitching to the "right" people to get you in trouble.

    The CS teacher could go to the school superintendent stating that these blocked ports "are impairing his teaching ability". The superintendent probably isn't going to know what he's talking about, but it won't stop him from giving YOU a hard time about it! The student could write an article in the school paper with the headline of "Yadda Yadda High secretly CENSORS music from school network!" I've seen this approach used at my local University, and it did a great job of getting the President's attention. Either way, you're going to get in trouble for not stating your plan in the first place.

    Seriously, I liked the bandwidth throttling plan better than this one. As long as the P2P applications are working to some extent, you have a good chance of no one figuring it out.

  68. It's time to brush off your people skills by ahde · · Score: 3, Funny

    Once upon a time, social engineering was a valuable part of a hacker's skillset. I suggest buying (and reading) a copy of Dale Carnegie's "How to Win Friends and Influence People" -- or just going directly to the teachers. Tell them you're the new guy working on the networks and you're trying to analyze and optimize and [insert other technical sounding word here] the network. Ask them if you can schedule 5 minutes of their time, say next Thursday just before lunch? Explain the bandwidth problem, tell them that programs such as Kazaa and Back Orifice are not allowed on the school network. You can even type up a list of what's inappropriate yourself (and put a graphic border around it) and title it "Official District Network Acceptable Use Policy." Explain that you've been given the job to set up a firewall and set up bandwidth caps to prevent viruses and potential access to porn and pirated MP3s. Express your sympathy for their inconvenience (at this point they will admit it is hardly any inconvenience at all to have to wait to get home and download porn), and ask if there is anything you can do to help them out. You can show them a couple cool sites, teach them to defrag, dust out the chalkboard erasers, and leave an apple on their desk. Let them know that all traffic is being logged, and that your supervisor receives a weekly summary, so they shouldn't feel any need to narc on their fellow teachers. Tell them if they have any questions, don't hesitate to call you or your supervisor.

  69. Re:various options we've considered. by JLester · · Score: 3, Informative

    I-Gear has gone way downhill over the past couple of years and has driven off many school systems including mine. Their Linux version never ran properly on a multi-processor server. With no support for load-balancing and sharing of user accounts, that was a killer for a large system. If that wasn't bad enough, their support really went in the crapper when Symantec bought them out. I used to be able to talk to the programmers directly when we had a problem. Now, the support people don't have a clue about Linux or Solaris. Their DDR and auto-lock features are excellent, but the company has spoiled us on their product for good now.

    Jason

    --
    "FORMAT C:" - Kills bugs dead!
  70. Re:If they're K-12 teachers... by ahde · · Score: 2

    He didn't say that he thought someone is stupid just because they are a K-12 teacher. He said "chances are" -- just the same if someone is jailed for possession of drugs "chances are" they are black or latino.

  71. Similar problem at my school by ColGraff · · Score: 2

    The sysadmin's biggest gripe at my school - well, one of several - is that teachers are really a worse problem in terms of browsing "inappropriate" sites in school than students, but the teachers need to be handled with kid gloves when caught.

    --
    I'm the stranger...posting to /.
  72. Re:If they're K-12 teachers... by Rufy · · Score: 5, Insightful

    Well I can speak from experience that becoming a teacher is no easy task. My wife was an "education major" as you like to call it, and the list of classes she had to take was quite impressive. She was taking classes on foreign cultures, philosophy, mid-to-high level math, literature, environmental studies, child development, etc... My classload of 6 CS courses was weak compared to her schedule. And that's just to get the BA degree.

    Then it's off to at least another year to get the credential (though since we live in California it's currently not required, but for the sake of the argument, go with me...) That program involves supervised and unsupervised time in a classroom, preparing and presenting lessons, and dealing with whatever age-level class you're in while trying to teach children who, for the most part, just want to go out and play. I've known several people who went through the entire program only to wash out in the classroom. Imagine devoting years of your life to an unpopular, low-paid career only to find out you can't cut it. People become teachers because they want to. People become IT drones because of the pay.

    How good are you at keeping the attention of a room full of 1st or 2nd grade kids? If you're like most readers here you're probably working in an office somewhere and dealing with people who, for the most part, know how to do their jobs at least minimally. You can communicate with them on the same level. And you spend most of your time in an 8-foot-square cubicle interacting with a machine that will do whatever you tell it to do (unless you're running WinME). Not exactly a rough existence, eh? Now imagine yourself in a room with 30 PCs, each with a different OS/CPU/GUI, and someone has broken into each machine and is installing and removing programs and drivers at random while you're trying to share a printer to each machine. You can't just yank the network and power cords. Wanna come to work today?

    I will admit that "liberal studies" is kind of a fall-back major, but becoming and being a teacher in this country is not easy. I come to work every day and have no fear that a co-worker will pull out a gun and shoot me. I get paid well for the work that I do, and I don't consider it to be difficult work. But in the end, the work I do is inconsequential compared to what teachers do. Sure, there are some teachers who just don't care anymore, but wouldn't you get burned out if you can droves of people shooting down your profession after you've given years of yourself to it?

    When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground.

  73. SciFi channel for Dummies by Graymalkin · · Score: 3, Insightful

    Your best bet is probably to just act without consent from those above you. Most of the time asking clueless authority figures to take a stance on specific policy is a bad idea. If you tell someone "P2P filesharing is bad" they will extend it to absurd levels of stupidity. You are the administrator, do your job as such.

    A good idea is something like dummynet between your internal network and your router. You can throttle bandwidth or add queues (simulates lag) to specific services over your network according to IP addresses or service ports. You can force an even bandwidth distribution between all the hosts connecting through port 80 but throttle back the speed of anything coming through other ports. You don't necessarily have to block file sharing requests but you can keep them from dominating your network. Once you remove the incentive for people to use P2P services on the school's network they will knock it off.

    --
    I'm a loner Dottie, a Rebel.
  74. Regulate/Throttle traffic... by killthiskid · · Score: 3, Interesting

    I've dealt with a very similar problem. I work at a university, and we have a very fat pipe to both the internet and I2. The specific problem is students living in the dorms using all the bandwidth with P2P type traffic.


    Not wanting to play 'police', we didn't stop them from using P2P, we just used our firewall to limit the total use of specific protocols and ports to 5 percent of the total traffic.


    It has been a very effective solution.

    1. Re:Regulate/Throttle traffic... by ninewands · · Score: 2

      Hear, hear ...

      I work at a state uni with an obscenely fat pipe (redundant OC-12s + the I2 hookup), and 40% of that pipe is taken up by the kids in the dorms running Kazaa to download the world while they are in class ...

      A state law here says that a private entity cannot use state property in a profit-making enterprise ...

      The day ALTNET goes live Kazaa dies on our campus ...

  75. Re:If they're K-12 teachers... by Anonymous Coward · · Score: 2, Informative

    Okay, I AM a K-12 teacher, and one of the problems is we have heavy-handed network admins shutting off random ports and websites without ever asking what they are being used for.

    For instance, I teach my econ. kids about napster and p2p and the concerns that raises to copyright laws. Then we go and experiment with it.

    I teach my computer class about yahoo, hotmail, and other services that they can access from computers once they leave the school.

    But some tech, 50 miles away, in the (Los Angeles) district office has decided to start blocking my access. Every day I play a cat and mouse game with someone I don't even know, because nobody from the administration will tell me who is blocking me.

    All I ask is there be some failsafe built in, to allow teachers with real uses for certain services to teach their kids.

  76. This is the Golden Lie: by ColGraff · · Score: 2

    Tell your principal that people trade porn on p2p networks (true) and come up with a (greatly exaggerated) number of porn files on a given network on any day. Yank that number out of your rear - it should have an impressive number of zeroes in it, though. Knee-jerk reaction will kick in, and the software will be banned instantly. Just make damn sure you will never, ever have a legitimate need for p2p on your network - once it's gone, it's gone.

    --
    I'm the stranger...posting to /.
  77. Let me tell you a horror story that will explain.. by NoMoreNicksLeft · · Score: 5, Interesting

    Obviously, you've never worked in a school environment before. I'm guessing you're corporate, but a much smaller level (even Fortune 500's have more politics than your work). Small but growing regional business? Anyways, let me get back on topic.

    I briefly worked on a smallscale rollout project for a major (top 50 in population) city school system. There were ongoing political issues at the superintendent level, unrelated to our technical problems, but likely to affect everyone's job one way or another. But virus problems were becoming impossible to deal with, so they moved the date forward for another rollout project, and added a Norton AV procedure.

    Let me tell you, even the smoothest Windows rollout project sucks, they are never interesting no matter what. You never learn much, but when times are tight like they have been...

    Well, the firm I usually deal with, calls up with this job, and they tell me 5-7 months of steady work. Those in the know, know that this means at best 3-5 months of less than 40 hours per week, but that was figured into my equations. They make it out that this is as simple as it gets, just me and another fellow, to make it last longer, and spread out the cost for the school system (Don't these places have an annual budget?!? Don't ask me...). No problem. Only after awhile, does it become apparent that this guy was only barely competent to begin with.

    Well, this tech firm (which will remain nameless, they've sued ex-employees before over such) put the new sales rep on the school. That was bad. When the school says they just want the 2 grunts, and want to use one of their admins for the project manager, he agrees. Doesn't even diplomatically suggest different. He meets with her several times, still doesn't suggest otherwise. She was, unfortunately, a total ditz that apparently passed a CNE bootcamp course a few years back. But if her technical competency was horrible, then her management skills were absolutely abysmal. This had disaster written all over it, right from the beginning.

    Well, you remember how I said that it was a rollout already planned? Well, the bulk of it was for some Novell Netware software, zenworks client, a few other things that I never actually learned of. Well, the ditz CNE's boss (also a woman, hate to be sexist but...) was having a power lunch with the VAR who was pushing the nw software. And she signed the deal, I think this was for at least $90,000... only this particular software only works with NT. There was no netware equivalent. 100 grand, gone like that. I don't know what was worse, that she would buy software that she obviously had no clue about, or that there is a VAR out there that sleazy.

    I go into the briefing, just the tech firm, no client people there. I ask, time and again, was this tested, was that... "Yes, everything has been tested thoroughly, we expect you to be able to do the installs 20 minutes tops, per station". We start the next week, at City Hall (the admin offices are the top 3 floors). It's a total mess. The dumbass CNE/admin decides that first morning, that she would like us to do an inventory at the same time. Hands us some copies of paperwork, standard SN, asset #, etc. We're talking close to 25,000 machines throughout the school district (though not all are in scope for this rollout, maybe only half that). What does she think, that it means anything on paper? Is she gonna do data entry herself, when we turn these in? Or is she just trying to sabotage us even more?

    In the administrative offices, there is a mixture of Win95a/win95b/win98/NT4/win2k. Wide variety of machines, including some new ones being installed by school technicians. The new ones are compaq... but they have no contract with compaq at all. I'm guessing Compaq salespeople somehow knew what a mess it was, and wanted nothing to do with it. We are given nothing at all like real procedure documentation... I could write docs better than this. A single page. 1. The grammar was awful, and it basically said install this software. We ended up discovering for ourselves just what options were needed. In the offices, close to 1 in 3 machines broke badly when installing the software, even after we figured out the correct options. Bloated registries, version dll soup, user installed software, all kinds of different things. We were spending up to 2 hours per machine, and the one week at city hall turns into 3. The sales rep lets us know the client is a little bit upset, and can't understand what the problem is.

    Well, we move on to the first school. God, it was horrible, when I was in school, there were 3 Apple IIe's in the science room, for a month (They got switched out to another school in the county after that). In this school, there were no less than 14 computer labs, all with 20+ machines. Every other room had at least 1 and sometimes 2 machines. 95% pII +. What did they teach these kids? Well, they taught them to be secretaries and other minimum wage type things. Any number of incredibly cool things to be teaching them, but no, just word processing, maybe spreadsheets (though I could never confirm that one).

    We get there, and no one has even heard there will be any work done on the computers. 2 days to straighten that out. We can do work now, but only after 2pm (but the doors lock at 4pm, have to be out by then). Most of the labs lock all the keyboards up, and no one has a key (apparently they get vandalized or stolen). Lose another 3 days there. We get permission from individual teachers to do this, before 2pm. But code red alerts happen at least twice per day. This is when even though the bell rings, and it's time for a new class, the kids all have to stay in the current one. The teacher locks the door, and the sheriff and deputies go through the halls grabbing all the dope dealers. Code reds never happen at a set time, so we end up missing a progress meeting with the ditz CNE. That was bad.
    Then, most of the lab machines are win95b, but haven't been reinstalled in over 4 years. Registries bloated so badly, that maybe only 15 out of 25 machines in any given lab are usable (and they've been like that for months, since the school techs refuse to support any machine not in the administrative offices). Of the 15, roughly 5 will have one set of win95 lockdown software on them, another 5 will have a different lockdown software, and 2 will have a third lockdown app. The rest have none. No one remembers or ever knew the passwords. When we do manage to disable it, if we can, it takes forever to learn just how to make it behave. But once our software install is complete, the machines become more unstable than anything I have EVER seen before. We end up rendering an entire lab unusable. We call up the ditz, she says if they still boot, proceed. They do boot up (most of the time), so we end up doing every lab in the school. We end up rendering all of them unusable. Complaints fly all over the place.

    The sales rep arranges an emergency meeting with the ditz, her boss, and us. Plus another engineer from our firm, whom I question even his competency. We explain everything, including how this could only be expected when absolutely no testing was done beforehand. We explain that win95 is completely unsuitable, but even more so, when it isn't pristine (which is unbelievably generous, these had NEVER been reinstalled) you'll see these sorts of problems. We explain that the lockdown software is part of the problem, but not all of it. So they decide that the other tech will go work on another project, and that I and the engineer will go see if there is any salvaging it. We manage to go back to one of the labs we'd done. 2 hours there were enough to convince him (I winced at first, the first machine he turned on had almost no problems). Every machine would BSOD. It would do the windows partial freezes, the buzzing mouse, all your favorite win95 problems. Some of the machines died at bootup, conflicts with the lockout software. He agrees that we can't go on as we had.

    So, we make a proposal to spend a few weeks building install images and doing testing. We'll install 95 back on them, since that's all there is for licenses, but it will be pristine, each machine will have an identical image build. We'll standardize on one lockdown app, with documented passwords, etc.

    Offer rejected. Too much embarrassment, I think that we made it clear that we had a clue, and all along knew how retarded they were. Also had a little bit to do with their strict no reinstall policy (I'm not making that up). Seems that at least 3 other dept's had claims on certain machines/labs, donations and what not. And there was enough inter-departmental rivalry, that IT wouldn't reinstall OS's, mostly because each dept wanted the same apps installed that were on the machines when donated. Which is utterly ridiculous, since M$ office was all that was ever used.

    I got 6 week's worth of paychecks out of it. For trashing an entire school's worth of computers. Which, as far as I know, are still not functioning. Not that anyone cares. I do in a way, but have zero control over any of it. Makes me sick that my tax dollars pay for it.

    Solution for the original Slashdot asker:
    Find another job in a non-k12 setting.

    Nothing can fix your situation. You may be the only one there qualified to teach anything having to do with computers, and you are not a teacher. The computers are a waste of tax dollars in their current capacity, and are only ever used for the most outrageous abuses. The shit will hit the fan, though maybe not for awhile yet, and you do not want to be there when it does.

  78. Take Charge ... in two ways... by Pollux · · Score: 2

    Thankfully, our K-12 district was online with a T1 way back in '94, so we were able to work out a lot of these problems early before they became potential disasters.

    1) Firewall & Proxy Server: Allow all information to go in and out of port 80 through your proxy, and block all the rest of them, period. Occasionally, there will be some class projects that actually do need additional ports open (webphone links to Congressional events, for example), but you can open and shut those as need be.

    2) Because you hold a ton of responsibility at that school, you also hold a lot of authority. Show it. The only key is to make sure that you have support from the administration. Talk to the principal and assistant-principal/s and tell them specifically this:

    "The teachers in this school district have been and still are pirating illegal software and music online. The activity is undoubtedly illegal and needs to be stopped. There have been instances of software companies suing school districts because they have discovered the activity as it was taking place, and if that happens, the district will lose millions of dollars for the illegal software. Not only this, but the technology that we are supposed to be using for educational gain is instead being supplemented for illegal use, and those who try to use it for educational purposes are being limited by the personal activities of the teachers. We need to stop this now. I suggest we hold an informative meeting right away about new computer policies that need to be established so that we can get the most educational use out of this technology for our money being spent on it."

    If that does not get the administration on your side, leave the district; if something goes wrong, guess who's going to deny any understanding of what went on? Everyone. Guess who's going to receive 150% of the blame? You are.

    As soon as you have the support from the administration, pass out policies and have teachers sign them. Let them understand that you will not be held responsible for their own actions.

    I know I sound harsh in this plan, but you do not want to be caught holding the buck when something goes wrong. There are a lot of teachers who will take a foot when you give them an inch. Don't let them walk all over you when you're the one responsible for the use of the network.

    Look at it this way: I wouldn't expect that the teachers there would be very happy if you interrupted their classroom and passed out test answers during class, since you're disrupting the process of the students' education. Don't let them do the same to you.

  79. Simple solution.... by autopr0n · · Score: 2

    Get more bandwidth.

    Ok, so maybe the p2p apps don't provide much 'educational value', but shouldn't teachers be given a little leeway as far as what they do on their work computers?

    As far as legality goes, well, that's not a problem with p2p software itself is it? after all "guns don't kill people...". By banning P2p software outright. You're no better than the RIAA or MPAA or Mr. Fritz Hollings.

    Finally I'm not actually sure that having mp3s, etc, is illegal, only the act of transferring them to others is. Not sure about that though.

    Anyway, if you can't write policy don't. Find a technical solution. Like more bandwidth.

    --
    autopr0n is like, down and stuff.
    1. Re:Simple solution.... by mpe · · Score: 2

      Ok, so maybe the p2p apps don't provide much 'educational value', but shouldn't teachers be given a little leeway as far as what they do on their work computers?

      Considering that quite a few of these apps come bundled with various types of malware you probably don't want them anywhere near your network in the first place.

      As far as legality goes, well, that's not a problem with p2p software itself is it? after all "guns don't kill people...". By banning P2p software outright.

      Unless it was obtained for a relevant education reason and installed by a sysadmin it has no business being on there in the first place.

      Finally I'm not actually sure that having mp3s, etc, is illegal, only the act of transferring them to others is. Not sure about that though.

      It doesn't really matter if the use of the software is illegal or not. Considering that the installation of the software in the first place probably wasn't "legal".

  80. Steps by macdaddy · · Score: 3, Interesting
    By far the most important thing you can do is get the administration on your side. They can be absolute idiots (most are) but you still need them to believe what you tell them. You'll need their support for $$ and for creating new policies. This is the most important step. Without their support, you'll be pissing into gale-force winds wearing white pants.

    Once you have their support, analyze and gather data. Get proof of how much network bandwidth is being consumed by non-educational applications. A good sniffer can do this for you. I'm an old school Mac user. I use Etherpeek for this task. It's cheaper than most other sniffers. You could also see if a peer school could assist you if they have already purchased a sniffer. That would save you some cash up front. Gather the data. Graph the results (suits are usually illiterate so you'll need nice pretty graphs). In your initial report, don't list specific people. K-12 school politics run rampant. If some jackass teacher thinks you're infringing on their "rights", they'll run screaming to their KNEA rep (or whatever it's named in your state). Then you'll lose your suits' support. Keep it personnel neutral unless they ask for it. Present to the suits how much this non-educational software is costing the school district in the form of bandwidth and how it's affecting educational uses of the network. Find horror stories of what allowing the students to access porn, warez, and other things like that have cost other schools. Throw in a bit of security preaching too. Show them the effects of lack of security (defaced websites, compromised personal information, grade altering, etc..). Demonstrate a few of the apps for these people. Show them how to find a copy of Photoshop on the 'Net. Then show them how much it costs in a magazine. Toss in a little threatening material about the bastards that threaten to sue you if you don't let them install their auditing software. BSA, IIRC. Show the suits how you can save money by eliminating the non-educational uses of the I1 bandwidth (don't attack local traffic, just 'Net traffic). Emphasize the use of cheaper (read: free) alternatives like Linux for firewalls. Remember, money counts right now. Money, security, etc.. should do the trick. Good luck!

    1. Re:Steps by macdaddy · · Score: 2
      Sorry, this didn't actually get written in numbered steps like the Subject implied. A storm was fast approaching and I didn't have the time to organize it.

      Something I don't think I mentioned is that once you have shown the suits the data and have their support, you need a very strong AUP. Require every single student (and a parent) to sign it. Make sure it prohibits the kind of activity that you want banned from the network (don't attack after-hours gaming or you'll create a big disturbance in the force). Require them to sign it before they get their local account. Also write up one for the teachers that prohibit certain things like streaming radio stations (spinner.com). Add wording to the AUP that outlines their responsibilities for the students in their class that are using the computers for their work. This is the policy making that you need the suits' support on. Good luck
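
Added example (not part of macdaddy's comments or any other post in this thread): one way to produce the personnel-neutral numbers that "Steps" calls for, totalling bytes per traffic class and per subnet rather than per person. The record layout, the sample lines and the port-to-class map are constructed assumptions; the P2P ports are the clients' usual defaults, so traffic on changed ports lands in "other".

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic). Assumed layout:
# time, internal host, remote host, protocol, remote port, bytes
SAMPLE_FLOWS = """\
09:00,10.1.2.15,198.51.100.7,tcp,80,1200000
09:00,10.1.2.15,203.0.113.9,tcp,1214,48000000
09:01,10.1.3.40,203.0.113.77,tcp,6346,22000000
09:01,10.1.3.41,198.51.100.20,tcp,110,300000
09:02,10.1.2.22,198.51.100.7,tcp,80,2500000
09:02,10.1.3.40,203.0.113.80,tcp,6699,9000000
09:03,10.1.2.22,198.51.100.99,tcp,8080,1000000
this line is damaged and must be skipped
09:04,10.1.3.41,198.51.100.7,tcp,80,not-a-number
"""

# Assumed default ports (Kazaa/FastTrack 1214, Gnutella 6346-6347,
# Napster 6699, eDonkey 4662). Clients can be moved to other ports,
# so treat the "p2p" figure as a lower bound.
PORT_CLASSES = {
    80: "web", 443: "web",
    25: "mail", 110: "mail",
    1214: "p2p", 6346: "p2p", 6347: "p2p", 6699: "p2p", 4662: "p2p",
}


def parse_flows(text):
    """Return (records, skipped); each record is (internal_ip, port, nbytes)."""
    records, skipped = [], 0
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            # Unpacking raises ValueError when the field count is wrong,
            # as do ip_address() and int() on malformed values.
            _, host, _, _, port, nbytes = row
            records.append((ipaddress.ip_address(host), int(port), int(nbytes)))
        except ValueError:
            skipped += 1
    return records, skipped


def totals_by_class(records):
    """Total bytes per traffic class across the whole network."""
    totals = defaultdict(int)
    for _, port, nbytes in records:
        totals[PORT_CLASSES.get(port, "other")] += nbytes
    return dict(totals)


def totals_by_subnet(records, prefix=24):
    """Aggregate per subnet, not per host, so the report names no individual."""
    out = defaultdict(lambda: defaultdict(int))
    for ip, port, nbytes in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        out[str(net)][PORT_CLASSES.get(port, "other")] += nbytes
    return {net: dict(classes) for net, classes in out.items()}


def shares(totals):
    """Convert byte totals to percentages of all counted traffic."""
    grand = sum(totals.values())
    return {k: 100.0 * v / grand for k, v in totals.items()} if grand else {}


def text_graph(totals, width=40):
    """Render the shares as a plain-text bar chart, largest class first."""
    lines = []
    for name, pct in sorted(shares(totals).items(), key=lambda kv: -kv[1]):
        lines.append(f"{name:<6}{pct:5.1f}% " + "#" * round(pct * width / 100))
    return "\n".join(lines)


if __name__ == "__main__":
    records, skipped = parse_flows(SAMPLE_FLOWS)
    print(f"{len(records)} flows parsed, {skipped} skipped")
    print(text_graph(totals_by_class(records)))
    for net, classes in sorted(totals_by_subnet(records).items()):
        print(net, classes)
```
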

  81. OK,, call this a "troll," but . . . by raresilk · · Score: 2, Interesting
    it seems to me that the biggest problem here is:

    Why in the hell has the job of system administrator for an entire school system been given to someone who hasn't a clue about setting up a firewall and closing ports?

    Good god. No wonder their classrooms are filled with porn-guzzling, warez-pirating teachers. They are applying the same low standards to the hiring of teachers as they are to sysadmins.

    --
    No, no, no. This is not a sig.
    1. Re:OK,, call this a "troll," but . . . by mpe · · Score: 2

      It seems like the author understands how to stop teachers from using the programs, but doesn't have the authority to do so. The problem seems social, not technical.

      In which case maybe a social solution, such as querying exactly what authority these staff had to go installing this software on the machines in the first place.
      Of course if they had no authority (and quite possibly breached an AUP, their conditions of employment or criminal statutes) they probably should be thankful if all that happens is that the software simply ceases to work.

  82. Re:If they're K-12 teachers... by malfunct · · Score: 2, Interesting
    Nope, the original poster is 100% correct. Shut the ports down tight. Allow whatever is necessary (probably only port 80 in all actuality, maybe the port that POP clients use if you allow mail to be received at work) and shut down the rest. Present it as "locking down the network to prevent attack" and the faculty is going to have a very hard time arguing against it.

    On a 2nd front go directly to the school council and work with them to develop a "technology directive" for the school that outlines the vision for technology in the school. This vision will be used directly in order to form policy that allows technology to enhance the school experience for the students while avoiding some of the pitfalls. It took my high school about 1 week after getting its first internet connect to pen out this vision (and it was actually good, I was surprised) and develop the first policies toward the use of that technology in the school. This vision statement also helped them solicit technology help from the community and corporations because the purpose was clear. It was less than 1 year later and the school had all of its hardware and internet 100% provided on grant with upgrades of 1/3 of the hardware each year and all that good sort of stuff.

    --

    "You can now flame me, I am full of love,"

  83. FIGHT CRIME WITH CRIME!!!! by autopr0n · · Score: 2

    Yup, huge multinational corporations are being ripped off, what better way to fight it than to antagonize your fellow coworkers!

    --
    autopr0n is like, down and stuff.
  84. WTF are you talking about? by autopr0n · · Score: 2

    If you've been given responsibility of managing the networks and systems then you have been given the rights to stop whatever you see fit.

    An admin's job is to make sure the network works smoothly within the parameters of its use. The admin can't change the parameters of use. Unless he can get the school to change its policy

    --
    autopr0n is like, down and stuff.
  85. Solve the right problem - and have less pain later by TheCarp · · Score: 2

    This brings up a great point...and I think the problem is one of communication between faculty and staff (are those terms used outside of Universities?) It's usually bad at this level (in my experience).

    The best way to go (in my opinion) is to start compiling stats... show graphs of what the net is being used for, and make them public...then show them to everyone...then sit back. When the teachers complain "the net is too slow for my class" point at the graphs and show them how the bandwidth is being taken up.

    Emphasize that bandwidth is a limited resource and people need to learn to share it. Frankly it's not really a problem (given that none of us are lawyers, I will ignore the legal angle... which is full of nastiness, loopholes, conditions etc etc) if someone is using all the bandwidth, until someone else needs some.... file sharing isn't the problem...it's irresponsible and uninformed use of bandwidth that's the problem.

    In fact, this is what we do. Our NOC put up router traffic graphs for all the segments. They point people to them... many of our students know where to find them and do look at them. We also bandwidth limit the segments now so our real initial issue (segments being saturated) isn't much of an issue...

    Heavy handed tactics are just plain bad all around. They foster dislike between people who should be working together. Frankly, when people are made aware of the issues involved, they tend to act much nicer.

    Frankly, I think if we spent half the time and energy that is currently spent bitching about how bad things are and how dumb people are on giving people the tools to understand and educating them, then we would have a hell of a lot less to bitch about.

    In short... treating symptoms (p2p network usage) only gets you so far, and guarantees that you will have to fight this same battle again, in a new form.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  86. Wait?!? I thought that teachers were so overworked by duffbeer703 · · Score: 2

    In previous discussions I have read about how overworked, underpaid and professionally dedicated teachers were... so how could this be true?

    Does this guy mean to say that these dedicated professionals are surfing the web all day?

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  87. Ask for the authority. by man_ls · · Score: 3, Interesting

    Ask your supervisor to delegate to you the authority needed to set domain policy.

    This authority may be pen-and-paper authority to write new regulations that he affixes his name to, or it may be network-level authority in a computer system to edit security policies and permissions on the routers.

    Or, do what usually works:

    Write what *you* think the ideal proposal for the situation is, and give it to your supervisor saying "I've noticed a problem and I realize you're really busy so it may not have been a priority for you; however, I took an initiative to try to address it. If you find this acceptable, perhaps you could pass it on to someone else?"

    You'll get points for initiative at least.

  88. Document, document, document. by Global-Lightning · · Score: 2

    Dustpuppy has given a very sound solution.

    The problem you're facing isn't technical, it's political. It sounds like your management is afraid to take a stand. This could be due to several reasons. One is they simply don't understand the issues and don't want to accept responsibility for making a bad decision. Another reason is that they may not want to take an unpopular position against the faculty.

    Whatever reason they may have, be sure to get it all on paper. This serves primarily to protect you. If the unripe manure should hit the circular ventilator, a paper trail will demonstrate that you attempted to resolve a situation that management was unwilling to face.

    Propose to your management that the legal department should institute an Acceptable Use Policy. Chances are there may already be something that can be applied to this situation. This way management can save face by saying 'Legal made us do it' and you also get a policy that should conform to the applicable laws.

    DO NOT, repeat DO NOT attempt to impose a solution on your own without an explicit written and approved policy to back you up. The worst that can happen is losing your job. You also unnecessarily risk alienating any potential support you may have. You are in the right and do not need to resort to doing the wrong thing.

  89. Go voyeuristic! by billcopc · · Score: 3, Insightful

    Just install webcams pointing at every single monitor in the building, all displaying on your own console in a dark room behind a one-way mirror. When you spot any pr0n or other undesirable usage, just put on some cool shades and walk up to the luser's box, right in his face. Put on some gloves and snip the PC's power cord with cable cutters while saying "Access Denied" through a portable voice morpher.

    Then punch the living shiznit out of the fuckin' unrespectful perv.

    --
    -Billco, Fnarg.com
  90. Re:If they're K-12 teachers... by databank · · Score: 2, Interesting

    Seeing as how I worked at an academic institute for several years myself...I understand the desire to keep it open. Academically, we want to encourage free expression and not limit students/faculty from using the Internet for what it was intended for.

    Ultimately though, you as a sysadmin have the responsibility to maintain the reliability and stability of the network. People WILL ALWAYS complain about how slow the network is just like people WILL ALWAYS complain about traffic, even if it delays them by a few minutes. What people will NOT accept is if the network is down for prolonged periods of time or if a road stays closed for an inordinate amount of time.

    I would recommend placing a firewall to monitor the amount of traffic (Linux for example is a great tool and you only need an old computer and two NIC cards). Analyze what ports are causing congestion and block them. If users start to complain, state that the cost of the network bandwidth is more important unless they can give a VALID justification to keep those ports open. If they can give a VALID justification to keep it open, then USE the justification to increase the bandwidth as a whole. Faculty/Staff who are told that they need to allocate their "precious" budgets to help pay for the bandwidth upgrades will cause one of two things to happen:

    1.) They seriously need it, and therefore are forced to accept the reality they have to pay for the additional bandwidth. You get the additional funding and everyone's happy.

    2.) They decide they don't need it QUITE so badly that they're willing to lose a portion of their budget and they can't give a valid complaint because they're not willing to help pay for the expense that they are accruing on the system.

    Either way, they get off your back and start to take responsibility for using the system and not abusing the system. (IE-similar to how the photocopiers at my college were being abused until the teachers were forced to use an account ID and password to track their spending. If they went over a certain limit, it came out of their budget....funny how all of a sudden, people started paying attention to how much photocopying they were doing and less paper got recycled!)

    It's a harsh reality but people will continue to abuse a system so long as they think they are anonymous. When they realize that they can be held accountable, that's when they stop abusing it.
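Added example (not part of the thread): the "monitor the traffic, then see which ports cause the congestion" step from this post, which also produces the per-port numbers the earlier "compile stats" post wants to publish. The log format, the sample flows, the 25% threshold and all function names are assumptions made for illustration; ports 1214 and 6346 are the default FastTrack (Kazaa) and Gnutella ports.

```python
from collections import defaultdict

# Constructed sample, one flow per line: "HH:MM src_ip proto dst_port bytes".
# Modeled on a firewall accounting export; this is not real traffic.
SAMPLE_FLOWS = """\
09:05 10.1.2.11 tcp 80 420000
09:10 10.1.2.12 tcp 80 380000
09:20 10.1.3.40 tcp 1214 900000
12:02 10.1.3.40 tcp 1214 5200000
12:05 10.1.3.41 tcp 6346 3100000
12:07 10.1.2.11 tcp 80 610000
12:15 10.1.3.40 tcp 1214 4800000
12:30 10.1.2.30 tcp 443 150000
bad line here
12:40 10.1.3.41 tcp 6346 2900000
13:10 10.1.2.12 tcp 80 500000
"""

SERVICES = {80: "http", 443: "https", 1214: "fasttrack/kazaa", 6346: "gnutella"}


def parse_flows(text):
    """Return (flows, skipped); each flow is (hour, src, proto, port, bytes)."""
    flows, skipped = [], 0
    for line in text.splitlines():
        try:
            hhmm, src, proto, port, nbytes = line.split()
            flows.append((int(hhmm.split(":")[0]), src, proto, int(port), int(nbytes)))
        except ValueError:  # wrong field count or non-numeric field
            skipped += 1
    return flows, skipped


def usage_by_port(flows):
    """Return [(port, bytes, share_of_total)], heaviest port first."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[3]] += flow[4]
    grand = sum(totals.values())
    if grand == 0:
        return []
    rows = [(port, b, b / grand) for port, b in totals.items()]
    return sorted(rows, key=lambda row: -row[1])


def totals_for_port(flows, port, key_index):
    """Bytes on `port`, grouped by hour (key_index=0) or source IP (key_index=1)."""
    out = defaultdict(int)
    for flow in flows:
        if flow[3] == port:
            out[flow[key_index]] += flow[4]
    return dict(out)


def congestion_report(flows, share_threshold=0.25):
    """Ports carrying at least `share_threshold` of all bytes, with when and who."""
    report = []
    for port, nbytes, share in usage_by_port(flows):
        if share < share_threshold:
            continue
        by_hour = totals_for_port(flows, port, 0)
        by_src = totals_for_port(flows, port, 1)
        report.append({
            "port": port,
            "service": SERVICES.get(port, "unknown"),
            "bytes": nbytes,
            "share": round(share, 3),
            "peak_hour": max(by_hour, key=by_hour.get),
            "top_source": max(by_src, key=by_src.get),
        })
    return report


if __name__ == "__main__":
    flows, skipped = parse_flows(SAMPLE_FLOWS)
    print(f"{len(flows)} flows parsed, {skipped} malformed line(s) skipped")
    for row in congestion_report(flows):
        print(row)
```

The per-hour and per-source breakdown is what turns "the net is slow" into something that can be shown to staff or attached to a written request for policy.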

  91. 30 days too long. by dmaxwell · · Score: 2

    The WORST offenders for mp3s where I work are the teachers. You're generous. We gave them a week before whacking the mp3s from their network shares. We didn't bother with the warning when we found some 200 Dancing Baby AVIs......WHACK!!

    It's really cute the way the p2p thing broke down. The High School and the Middle School share the same T1 line. The Middle Schoolers loved Gnutella. One teacher had something like 4 GB of MP3s in his share (quotas have since been put on the network storage). At the High School, Kazaa was King with AudioGalaxy running second. I'd sit there watching the network monitor when lunchtime rolled around. The P2P ports just absolutely spiked through the ceiling....greedy....greedy.

    I'm fortunate enough to have an Administration with some clue. We unceremoniously blocked the ports and had an intercom announcement. There's already an AUP but it will be more heavily emphasized next year. It will also be made clear that the technological measures are only there to keep em honest. We don't intend to have an arms race. If someone gets busted then they're busted. As I said, the Administration is with us on this one.

    I just tell people: "Gnutella's cool but we don't use it at school. Do it at home or at your buddy's house. I like it too but I don't do it here."

  92. Lay it down anyways by Goose42 · · Score: 2, Interesting

    I work as an IT support person in a university, and I'm under very similar circumstances. Me and one other guy were hired on in a division where there previously was no centralized IT support, and quite frankly the entire division was in complete chaos. However, we didn't have any 'official' authority to say how to use computers properly, or how to centralize different services such as file sharing. The best thing we found was to just do what needed to be done, and then explain your reasoning, and the consequences of what they were doing previously, to the users afterwards. If your boss complains, ask him to clarify why exactly he hired you if he won't let you do your job. You can't expect management without any IT training to make informed decisions regarding the computing environment, you have to do it yourself.

  93. It's very easy. by Pig+Hogger · · Score: 2

    Just do like the BOFH.

  94. Re:Deepfreeze by TheOnlyCoolTim · · Score: 2

    Some of these things, although I'm not familiar with "Deepfreeze", involve a physical component inside the computer that:

    1.) Only allows access (by ANYTHING, linux or not - this is done in hardware) to a certain partition on the Hard Drive.

    2.) Restores that partition from a second one that only it can access every time you boot up.

    It can be deactivated with a key, but if you don't have the key you have to actually open the computer and disconnect the thing.

    And even then it puts drivers on Windows to bitch at you when you do that...

    Tim

    --
    Omnia vestra castrorum habetur nobis.
  95. No he dosn't. by autopr0n · · Score: 2

    There is no responsibility for anyone to enforce the law on their own.

    --
    autopr0n is like, down and stuff.
    1. Re:No he dosn't. by MoneyT · · Score: 2

      As the systems administrator for a school district it is his responsibility that the district computers and networks are used for "appropriate uses" and not being used for illegal purposes. Since the district apparently does not have a current policy, "appropriate uses" is arbitrary as determined by the sys-admin and the board of ed until a policy is drafted.

      Your argument is like saying that the company who knew that their employees were running a Warez server off their workstation has no responsibility to shut down that employee.

      --
      T Money
      World Domination with a plastic spoon since 1984
  96. Re:If they're K-12 teachers... by rowdent · · Score: 2, Informative

    At the high school I used to attend, the board techies once blocked all common incoming ports (ie. ftp, sendmail, telnet) except 80 out of spite because we had a linux server serving webpages that students and staff created as well as the official school website. They even denied doing this until we asked them why nobody could remote ftp to upload webpages. They quickly fixed that port, and whenever we needed a service opened we would have to petition them to get it opened. We won an outstanding new project award from the school board as a whole, but all we received from the board techies was strife over the linux machine. Unfortunately a lot of techies tend to hate what they can't understand, but in the case of p2p I can understand the predicament.

    --
    "If liberty means anything at all, it means the right to tell people what they do not want to hear." --George Orwell
  97. P2P in K-12 networks by thefuckedupgenius · · Score: 2, Informative

    Although the teachers' attitudes towards "piracy" and "stealing" are good, considering the fact that my particular institute of learning has teachers who are, in all honesty, not good enough with the technology to know how to use said programs. But, I've seen the various cases of students downloading BearShare and KaZaA for use on school computers. The point is, people, that this is causing or will cause a severe bottleneck. This isn't fair to the students who have to use the networks for *gasp* school related projects. If everyone's using HD/bandwidth to download illegal files while two or three people are trying to research the science project, the people doing what they're supposed to do aren't gonna get in. So, what I would do in the situation is block the ports, and blame spyware. Make sure to exaggerate about the spyware. Most non-techno savvy teachers will repulse at the thought of KaZaA, Inc. collecting their personal information, and hate junk mail with a passion. Take (albeit, unscrupulously [sp?]) advantage of their relative ignorance here. And block the ports for good measure.
    Jesus told you to mod me up.

    --
    I hate those losers who can't come up with a decent sig. Oh, wait...
  98. My two bits. by _aa_ · · Score: 4, Informative

    I hate firewalls, proxies, and that crap. They don't really stop anything.. they just funnel it all into 1 port. Instead.. I would suggest per user bandwidth/disk quotas. Also.. like lockers.. the systems are school property, not faculty or student. Thus, I don't think there's any right to privacy. Snoop, spy, sniff till your heart's content. As important as I think privacy is, I don't feel it is a right at school or at work. I feel it is a privilege that can and often is abused. Legality aside, if you're doing something you don't want other people to know about, it's probably not too smart to do it at work or school. Faculty or students can probably look at the post-it note under your keyboard and violate your privacy just as easily as the administration. If you get caught doing something you shouldn't do, you have no one to blame but yourself.

    Of course, I would not outlaw all recreational use. If some kids would like to play a spirited match of BZFlag during their lunch break, so be it. Turn students and faculty onto legal ways to enjoy computers. A policy of, "NO FUN 4 U!" will only succeed in turning teachers and students off of computers. There's tons of free fun crap on the net.

  99. Lie to no one by steveha · · Score: 3, Insightful

    I suggest you ignore all the advice to do something behind everyone's back and then lie about it. If you get caught once in a lie, everyone views you as a liar. This is tactically unsuccessful, quite aside from moral issues.

    You really ought to set up a good firewall and Squid proxy server, though. That's just common sense; you don't want people hacking in to the school, and when a whole class hits a web site, you want 1 person to load the cache and 29 people to read the cache (not 30 people pulling down the web page from the site). That will give you a good position if and when you do get the authority to set a policy: instead of saying "Don't do X", you make it very difficult to do X. It's better to make it hard to do the wrong thing, than to try to punish those who do the wrong thing.

    You could suggest a really strong firewall, with only specific ports opened, and require a request in writing to open any other ports. Like someone else suggested, you could write up a proposal for what you want, and see if you can get someone above you to say "go ahead and do that".

    If your superiors require you to let the teachers continue to run riot, just get a good paper trail going: get your orders from above in writing, document in writing all the time you have to spend running around putting out fires. When it's time for your performance review, pull out the paperwork and say that you have been doing the job they ordered you to do; you don't want them to give you a poor performance rating because you didn't get much else done while you were running around putting out fires.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  100. Survey your network and write a report for mgmt by jhoffoss · · Score: 2

    This is what we're working on at work now (at a Univ. with approx. 400 desktop users). We just got ZENworks 3.2 (ugh, Novell....) and it has some pretty nice features like inventorying all the workstations and showing you what software is installed on each machine. Combine this information with bandwidth-usage statistics by user/application and perhaps some HTTP proxy information, and go to your management and discuss all of this with him/them.

    It's touchy, but you may want to go around your direct manager if he's unwilling to fulfill his duties....

    --
    Linux: The world's best text-adventure game.
  101. Are you the police? by Cryptnotic · · Score: 2

    It's not your job to enforce the law, so don't.

    --
    My other first post is car post.
  102. Teach, don't sneak. Teach, don't fight. by Futurepower(R) · · Score: 2


    Wow, hplasm, you are an excellent writer!

    However, I don't agree with the method. It is adversarial. It invites retaliation.

    The patient, but firm, non-adversarial way takes longer to get the first results. It requires a lot more creativity. However, there is no danger that it will be merely the first shot in a long-running battle.

    Teach, don't sneak. Teach, don't fight.

  103. cute, but wrong by BlueboyX · · Score: 2

    "When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground."

    You may be able to get away with the "You are really all 8 year olds on your pa's computer, so I am smarter than you" thing on other message boards, but that doesn't work on me. Why?

    Well, I am alot older than 8. :>

    You seem to have the idea that teachers are genious. Well, I have tutored far too many k-6 teachers to believe that. In my U, women who are too dumb to become nurses go the teacher route. I have tutored teachers-in-the-making who were going nuts on pre-med/pre-nursing classes and ones who took CPSC 1301 mistakenly thinking that it tought them how to use computers (In CSU that is intro to C++ programming).

    Maybe your wife is smart, but she is an exception rather than the rule.

    I do volunteer work at a local k-6 school. There are about 4 people there who are even marginally computer literate. One of those is the librarian, who has been desperately trying to fix their nonstop computer madness. Actually, she is pretty good, but she has problems having to fix things and run the library at the same time.

    One of the neat things about teachers is that they are often nice people. You may not have to have policy to back you up. You may not really need to go blocking ports. I bet that most of the teachers will stop if you as them to. Maybe tell them a horror story two about the BSA, but I think that most teachers will stop running p2p programs when asked. Especially if you are actually helpful. If you(the origional person who asked what to do) are actually fixing their computer woes and making life easier in general, I have found that the teachers will be happy fulfill any simple requests (not running p2p in this case).

    Note: As you may have noticed, the one edge most teachers would have over me is spelling abilities. ;>

    --
    "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
  104. If you don't have power, use paper by stinky+wizzleteats · · Score: 2

    Taking charge will get your ass fired. That statement is written in blood. I know whereof I speak.

    Your only course of action is thud factor.

    Produce a prodigious, deliberately obfuscated, massive report of why Things Are Bad and that you need to fix them. Document actual examples of problems they have experienced as a result of their policyless approach to Internet use, and constantly reference the need for effective policies.

    If this report is met with resistance, write an incident report every time something bad happens, pointing out that if policies were in effect, none of this would have happened, etc.

    Even if this doesn't work, it will CYA.

    Best of luck.

  105. P2P at Schools by KingFoo · · Score: 2, Informative

    I'm in a similar position regarding P2P software. What we did was install a Packet Shaper between our router and our network (It's a 1U box that sits in our rack). It lets us reserve bandwidth and set priorities of what services (so even if Kazaa and Audiogalaxy are able to use all of the available bandwidth, the packet shaper starts dropping packets for that service). We group all the P2p services together, throttle down the outbound bandwidth for p2p (don't want to pay for bandwidth that my users aren't using), set http as top priority and let them (teachers and students alike) share as much as they want. From the user point of view, the program is very slow. We do get some complaints, but when we explain (and demonstrate) that when the filter is off, then the web stops working (and show some handy charts showing what is using the internet connection) most users understand (even the 15 year olds trying to download LOTR)
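Added example (not part of the thread, and not the appliance's actual algorithm): a simplified model of the reserve-and-prioritise behaviour this post describes, next to what an unshaped link does with the same load. The 1544 kbit/s link (a T1), the three classes, their rates and the demand figures are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    priority: int    # lower number is served first when spare capacity is handed out
    guaranteed: int  # kbit/s reserved for this class
    ceiling: int     # kbit/s hard cap, applied even when the link is idle


# Assumed policy: web first, all P2P lumped into one throttled class.
CLASSES = [
    TrafficClass("http", priority=0, guaranteed=768, ceiling=1544),
    TrafficClass("other", priority=1, guaranteed=128, ceiling=1544),
    TrafficClass("p2p", priority=2, guaranteed=64, ceiling=256),
]


def shape(link_kbps, classes, demand):
    """Allocate one interval of capacity. Returns {name: (sent, dropped)} in kbit/s."""
    if sum(c.guaranteed for c in classes) > link_kbps:
        raise ValueError("guarantees exceed link capacity")
    # Pass 1: every class gets its reservation, limited by what it actually wants.
    wanted = {c.name: min(demand.get(c.name, 0), c.ceiling) for c in classes}
    sent = {c.name: min(wanted[c.name], c.guaranteed) for c in classes}
    # Pass 2: spare capacity goes out in priority order, never past a ceiling.
    spare = link_kbps - sum(sent.values())
    for c in sorted(classes, key=lambda c: c.priority):
        extra = min(spare, wanted[c.name] - sent[c.name])
        sent[c.name] += extra
        spare -= extra
    return {c.name: (sent[c.name], demand.get(c.name, 0) - sent[c.name])
            for c in classes}


def unshaped(link_kbps, demand):
    """No shaper: a saturated link is shared in proportion to offered load."""
    total = sum(demand.values())
    if total <= link_kbps:
        return dict(demand)
    return {name: link_kbps * d // total for name, d in demand.items()}


if __name__ == "__main__":
    lunchtime = {"http": 900, "other": 200, "p2p": 4000}  # constructed demand, kbit/s
    print("filter off:", unshaped(1544, lunchtime))
    print("filter on: ", shape(1544, CLASSES, lunchtime))
```

With the constructed lunchtime load, the unshaped link leaves web traffic 272 kbit/s of the 900 it asks for, while the shaped link delivers all 900 and holds P2P at its 256 kbit/s ceiling.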

  106. Corrupt them... hmmm... by leonbrooks · · Score: 2

    Replacing the offending executables with a self-extracting Mandrake installer in auto mode might get the message across.

    `The copy of WonderPorn that you had installed is suspected of running things at random from time to time, and it looks like it's run the automated upgrade system this time. I'll stick it on the end of my to-do list... let's say, about five weeks if nothing goes wrong. I hear the Frozen Bubble game is quite addictive. Ta-ta!'

    --
    Got time? Spend some of it coding or testing
  107. you must have policy by rakerman · · Score: 2

    If there is no policy, there is no violation of policy.

    QED

    You need to build support for your actions with your users, or they will inevitably try to circumvent any controls you put in place. Try starting with some security education, including an emphasis on privacy. Make them aware they are opening themselves up both to security problems as well as privacy invasion.

    Then take the initiative to create a policy.

  108. Re:Filtering/Throttling - I would be at the top by SkyLeach · · Score: 2

    Weblogic Server and Portal - 100MB
    Oracle - 600MB
    All the latest distro ISOs - 8GB
    Latest patches/updates of all *nix software - ~1GB
    Windows Security Updates - 100MB/Month :-)

    Always being at the top of the list of bandwidth hogs and proud of it - priceless.

    --
    My $0.02 will always be worth more than your €0.02, so :-p
  109. Warning about illegal content and call police by bluGill · · Score: 2

    I would make sure everyone knows that the major use for these programs is not only non-educational (and likely illegal for that reason) but copyright violations. Make it clear that you are monitoring the network for such violations and you will get the police involved if they are using the network for illegal purposes. Then do some monitoring.

    You only need to put one teacher (or administrator) in prison for the rest to get the point. You should have a policy of turning all evidence of something illegal over to the police when you get it, and make sure everyone uses it. No teacher will complain about legal use of p2p programs being blocked because you are not doing that.

    Note that if you discover porn on the network, it might be legal, but leak to the local press that someone is looking at porn at school and most communities will see to it those responsible are punished. (those who don't mind porn will generally stay silent while those who hate it will become vocal)

    Do not do anything without consulting with the school's lawyers! You now have many ideas of what you can do, get the lawyers to approve them before implementing them.

  110. Re:If they're K-12 teachers... by mpe · · Score: 2

    Okay, I AM a K-12 teacher, and one of the problems is we have heavy-handed network admins shutting off random ports and websites without ever asking what they are being used for.
    For instance, I teach my econ. kids about napster and p2p and the concerns that raises to copyright laws. Then we go and experiment with it.


    Maybe you should actually explain that this is legitimate usage.

    I teach my computer class about yahoo, hotmail, and other services that they can access from computers once they leave the school.

    There is a very good reason to block these, since they can be easily abused to send difficult to trace abusive messages.
    As for the other bit it's not hard to set up a mail system with a web interface, check out www.courier-mta.org

  111. Re:Deep Freeze by mpe · · Score: 2

    at my institute of higher learning *cough* we tried a program called centurian guard. (that spelling is probably wrong) Long story short it introduced more problems than it was worth. not being able to save an item to the hard drive is a total waste.

    Which shouldn't be an issue, because users should be saving into their user area in the first place...

  112. Re:There is only one reference for this situation. by mpe · · Score: 2

    If ever a circumstance called for some BOFH TLC, it would be this...
    "Hi... my KaZaA isn't working."
    "Well, let me take care of that... what's your password?"


    Why on Earth would any true BOFH ask for a password, rather than a username?

  113. Re:Do it anyway by mpe · · Score: 2

    I don't think I have to say much more about this. Do a security sweep for trojans, viruses and backdoors.

    Probably wouldn't hurt to mention that much P2P software itself has trojan issues.

  114. Re:One word: Linux by mpe · · Score: 2

    2. People are generally caught offguard with Linux if they're used to Windows, and won't even think of hunting down gnutella and such. "There are games for Linux?"

    Also even if they do find any it's rather hard to ensure that they can install these without winding up with their "fingerprints" (or rather UID) on the relevant files.

  115. no by autopr0n · · Score: 2

    If the CEO was running a Warez server the Sys-admin would have no authority to shut him down. It may be 'the companies' but it's not the sys-admin.

    The company or organization should have some sort of system to dole out responsibilities. Either the sys-admin has the authority to make policy decisions or he doesn't.

    The responsibility rests with the management.

    --
    autopr0n is like, down and stuff.
  116. Re:If they're K-12 teachers... by Archfeld · · Score: 2

    If your techies can't understand Linux then they are NOT TECHIES. What you have is the "I am an Authority guys" who claim to speak for ANY and EVERYTHING. They are really hard to get around without DOCUMENTATION to contradict them, usually ON THE SPOT as they can't handle being held up under a light...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?