Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
I didn't hear apples mentioned?
Anyone seen my jagged little pill?
Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.
:)
Students are at college to learn. Educate them
Error 407 - No creative sig found
Perhaps you might want to (anonymously) remind them that by assuming management of individuals' computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
My campus will disconnect any computer it finds vulnerable. I suppose this could be considered the next step in that direction, but this time students have a way to be sure that they don't end up disconnected at an inconvenient time.
If this were my school, however, I think I'd find it easier to make my computer not look like a windows machine to the network, then deal with stuff on my own instead of trusting their software.
My sister attended the University of Arkansas last year. The network was terrible, even with the required virus software installed. Automating the process is a great idea. The privacy concerns are a bit of a drawback, but an external hard drive with some basic encryption would solve most people's fears. Although, to be fair, all Mac OS computers should have the same thing; Mac OS is NOT 100% secure (check apple.com for the Mac OS security updates.) This is a bit 1984/Big Brother-ish.
next step:
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software I MUST install.
Personally, I'd much rather just get cut off and be notified why. I don't like the idea of giving over control of my computer like that.
I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lacks anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software itself doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P
Clueless users get their hands held; clueful users just use linux.
Give me Classic Slashdot or give me death!
Seems like just another reason for these students not to use Windows
virus? worm? huh?
My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.
There was Cowboy Neal at the wheel of a bus to never-ever land.
No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsibility to protect their network and others on that network.
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, DSL, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run Napster. All the off-campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
At my University we boot you off the network when we detect worm-like or spamming activity and only let you back on after you've proved you've regained control of your machine. It works, and doesn't shift the burden of work from students to IT employees.
Automating the process is just going to make users even more lazy than they already are anyway, cause they'll just come to rely on the IT department to fix everything on their computer that they cause to break.
I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.
I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.
Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning Outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?
As far as I know, nothing like that is going on in the dorms here. Then again, most kids don't live in dorms 'round here (unless they're freshmen). In any event, I'm pretty sure your worries are unfounded...unless the software goes through a central machine on your network, everything should be safe. Automating Windows Update and (insert anti-virus software here)-update shouldn't do any harm to anybody...unless Microsoft/Norton/McAfee/whoever starts releasing malicious patches...but I don't think that would do much for their business and therefore I don't think they would do it.
I'm against picketing but I don't know how to show it.
Yeah, similar situation. My university is always becoming infected with viruses; if I ever do a reformat and have the system hooked up to the network before applying the firewall...BAM! I get a virus. No, the school shouldn't be the one that monitors and automatically applies updates to your computer. Like Windows updates, I don't apply every single update (some of them end up causing more problems). I like to have total control of my system. What schools should emphasize is that everyone should be using a firewall and keep their antivirus software updated. Occasionally also run Windows Update, whenever a security flaw is discovered.
Is there a legal precedent for educational institutions handing over their database of students' PC inventories?
:P
Am guessing the answer is 'yes' and some RIAA/MPAA manager is rubbing his hands together gleefully...
Yes. To the _extent_ that the threat you describe, however unlikely they think it is that someone could break their security, is extremely realistic and plausible. Regardless of what penalties they threaten to implement on the person(s) that do such a thing, happening once is happening once too often.
Personally, I'd tell them that the only way I'd agree to this is _IF_ a malicious user got into the system and caused me to lose data, that they would assume complete accountability for said loss, to the extent of giving me perfect scores on my finals or refunding 100% of my tuition.
File under 'M' for 'Manic ranting'
The policy at my alma mater was to shut off your (wired) network connection if your computer was infected with a worm and spewing garbage. They monitored network traffic to make sure you weren't doing port scans or hogging bandwidth with gigabytes of P2P downloads, but that's it. Now there was also a wireless network, but you had to use a special client program to logon/authenticate.
This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.
Will the college be taking responsibility for data lost when a Microsoft patch installed on a system that's less than generic renders it unbootable? That seems to happen on at least 1 out of every 20 systems EVERY time there's a security update, in my experience.
Interested in open source engine management for your Subaru?
While they're at it, why not go all the way?
</obligatory>
That does seem like a lot to expect out of students. I hate to have very much running on my own PC, and it's likely to cause more trouble than it's worth. They could probably reduce their demands to automatic updates, and use snort to tell them when someone's been infected. They don't have to write the snort rules themselves. There are a variety of people who publish them whenever something major comes out.
Well if it's ok then, gimmie your IP and root pw so I can scan your computer to make sure you dont have anything that will cause problems to everbodys intarweb.
Your hair look like poop, Bob! - Wanker.
Perhaps they will get pressure from the RIAA etc. to put DRM software etc. on your computers as well (I am assuming that we are talking about student-owned computers). The college could well try to justify it as being moral, but I'm sure many students would consider it a violation of trust.
I would suggest one of the following...
1) University provided computers can connect to the network only. It is difficult to enforce, but if someone breaks the rules and infects the network that is their fault. This is common university policy although staff at many turn a blind eye to violations.
2) Firewall and block worm ports as the need arises. This works well in some circumstances, depending on the hardware available. If peer-to-peer operation is not required, only allow packets if either one end or the other is a server on the network. Perhaps limit to needed ports (80, etc.) and alert the admins if someone tries to make many repeated connections to other ports.
3) Require the use of another operating system such as Linux. There are fewer viruses targeting it because, unlike most Windows users, people use Linux as non-root accounts (in general). Forcing Linux on the masses might, however, not help such user-derived problems.
X-Has-Sig: yes
Then they can sell the video feed on the internet and help to reduce tuition fees with the income they make.
It's a win-win situation, ppl around the world can get an unscripted reality web broadcast (maybe pr0n) and let a lot of students complete a college education; it doesn't matter if it is to flip burgers at McDonald's.
Think man! Stop drawing attention to it, and start trying to hack it. Don't be a fool!
-- http://thegirlorthecar.com funny dating game for guys
Linux has fewer virii, fewer security flaws, is not compatible with this bigbrotherware, and has Wine to run all your cracked apps and games.
... run Linux. At least I tell them that, and they believe it well enough.
In truth, I run XP with a good firewall most of the time.
The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend against a single, actively malicious individual targeting your environment, rather than having to deal with the after effects of the bzillions of non-targeted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered, while, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone else's actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Ok, I give up, why you?
I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.
Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.
I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
This is the wrong solution. If they have a problem with a machine on the network, cut its access until they can verify the problem is fixed.
There's no way they should be requiring that personal machines should be subject to THEIR updates.
Here they don't care what you do. They have a policy in place so they "can" get you, but they really don't care. If you start using ridiculous amounts of bandwidth, they will cut you off. But you have to be like, hosting an anonymous FTP that gets slashdotted for that to happen. Also if you are sending spam they cut you off. They don't care about your computer, just their network. And if you muck around they cut you off at the switch level. It's as simple as that.
The GeekNights podcast is going strong. Listen!
This doesn't sound like a very good idea. Even if the school itself is trustworthy and doesn't examine student files for content, such as illegally downloaded copyrighted materials, it is far too tempting a target for hackers--a nice centralized system with which he or she can control the entire campus's Windows machines. I much prefer Dartmouth College's response to the problems of viruses and worms--if something is detected, you'll be kicked off the network and you won't be allowed back on until your computer is clean.
Many companies use features available for Windows Servers and third-party software to force updates and patches if you connect a computer to their network, or, more specifically, attempt to get a network address or login to the company domain.
For Windows users, this isn't really a bad thing as a whole, since it's not your job (and nor would you want it) to remember and know every frickin' problem that Windows has or its severity. So, let the campus ITs do their work to keep you and other computers playing nice-nice on the network.
On the other hand, the campus IT needs to be careful what they send as compulsory updates. Some PCs do not take certain updates well for God Knows Why, which could hose your system in some way. If that happens, I wouldn't know what your recourse would be to have your campus IT fix what it broke.
And don't think I'm just picking on Windows, either--other operating systems, including Mac OS X and Linux, need some necessary updates, too. Those operating systems (so far) have had far, far fewer viral attacks than Windows that cause Bad Days.
That could change someday.
Vos teneo officium eram periculosus ut vos recipero is.
it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.
Just get a freakin' Mac. I'm serious. When a bureaucracy starts doing heavy-handed stuff like this, it means they are backed into a corner and will not be any fun to live with. Escape now.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Use VMWare, and do all of your important stuff on a virtual machine. Back up the machine-state file regularly.
Most College students are still at that stage where they think they are immortal, nothing bad will happen to them, etc.
Shoot, how many of them even back up their term papers while writing them??
Provide a licence of VMWare Workstation 4.5.2 to each student + one virtual machine with all the required school security. The virtual machine will be controlled, provided and maintained by the school. Access will be controlled and allowed only using the specific VM, which can be configured to be read-only, and expiring. The student can still do whatever they want with their laptop, even run Linux if they want, but the access to the school will be uniform and totally controlled.
I just attended ResNet 2004 which is a conference devoted to the Information Technology departments of all Colleges and Universities across the globe. There are usually around 300 participants and many others who do not make the guest list. I think the biggest conversation among those at the conference was where the line is between appropriate and not appropriate actions to help keep the networks clean as well as the students' computers. You can check out http://www.resnetsymposium.com for the website or http://web.princeton.edu/sites/resnet/ for a list of those who attended. There is also a listserv at http://listserv.nd.edu/archives/resnet-l.html. All of these sites will give you contacts for people who have answers to your questions. A trend for schools is purchasing solutions such as Perfigo www.perfigo.com or Bsi's campus manager http://www.bradford-sw.com to help them do their dirty work.
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
-RockDoggy
it's my machine, not the school's
if the school was buying me the machine, i'd say fine
the school should not be playing mommy and daddy to the machines... if they see someone spreading worms then they should disconnect them and send a polite note saying why and how to fix it
special software may be good for the kl00 phucked lusers, but to the people who know what they're doing it will be an annoyance
besides, are they going to send people around to check? what's to stop me from uninstalling the software when the pimple-faced "support tech" leaves the room?
...and that's all there is to it.
You can't ban people just because they have a Mycobacterium Avium Complex!
...insensitive clod...
Or did you mean people with Macintoshes? Of course, that's also intolerant!
Don't even try to argue. It is NOT worth the while to go round the world to count the cats in Zanzibar.
If you're running Windows, this is the kind of thing you have to put up with. I know it's cliche, but it's true. Windows is and always will be insecure.
The only problem would be if they required you to install Windows antivirus software onto your Mac or Linux box.
A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?
AccountKiller
Most schools have a "free resources" policy that states that no class can require students to provide materials or resources unless they get the exception approved and noted on the class listing announcements at sign-up time.
To that end, at most schools you theoretically can complete all of your coursework without having a computer of your own since every program you need will be available at the computer clusters at which you have a valid logon to reach those programs.
At that point, having network access connected to your dorm room computer is not an academic need. Sure, it makes course work a whole lot easier to get accomplished, but you officially can survive without it.
In short, you have to play by the house rules when you're living in a dorm, and so does your computer.
EOM
Well, maybe they shouldn't... but they should require a personal firewall and set network resource limits... requiring another controlled firewall between the room and the network. They should protect the network and not control the PC.
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanent "solution" was to throttle (read: cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone whose internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT departments (perhaps specifically at small liberal arts or private schools) may tend to be a little overzealous when telling students what they must and/or can't do.
"What do you care what other people think?" -Richard Feynman
What liberal arts college is this? I attend one and we have a policy of cutting off net access to people who have viruses/trojans. And we're required to register our computer so they can track IPs with our usernames. But nothing so draconian.
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Don't blame me, I didn't vote for either of them!
I think a better approach to this situation is to block the MAC addresses of people infected with viruses and such and notify them. Only then should the school's official AV packages and stuff be offered to the students. Some people have effective protections on their computers and aren't electronic Typhoid Marys. Requiring these people to potentially break their working systems with the school's software as a matter of policy is ridiculous. It should be optional and a well defined portion of the ResNet's TOS.
Eventually such a policy will lead to non-Windows systems being banned from the network. If some AV package is required but unavailable and not likely to be needed on MacOS or Linux, some jackass will eventually rule that those OSes shouldn't be allowed to break the network policy. Linux and Mac users (along with savvy Windows users) should be punished because Windows is ubiquitous and insecure.
I'm a loner Dottie, a Rebel.
Get a small used windows box and a cheap NAT router. Configure the windows box as the DMZ host, so they can install all the software they want, keep it up to date, and will authorize your connection (IP/MAC/whatever).
Then connect the rest of your machines, masq'd behind the router, free from their spyware.
I wonder if they even considered adding this provision in a user agreement you have to sign to get access?
The college in question is DEAD ON topic, and the deliberate vagueness of the article poster calls this post into question.
AccountKiller
I'll allow anyone that can root my machine to monitor and regulate what I do and can do. Until that time, my freebsd will keep going and going and going...
This functionality is already enabled by using Windows 2003 Domains with "Quarantine" routing enabled.
Basically -- you log in to the domain, the AD server authenticates your system for a number of factors: installed security patches, security settings, user-configurable data (AV signatures match such and such a date) and depending on whether or not you pass, you are either assigned a standard address or routed into a segmented network where you cannot address the machines that did pass.
GPOs in a Windows domain can be used to push patches, security updates, and specially configured Antivirus packages (sdat comes to mind: publish sdat as a GPO and it will install itself; no prompts required.) They can also be used to install software (publish an MSI or ZAP of the software as a GPO) and automate network configuration.
Tools such as Altiris and Viewpoint automate this for more granular control, but are built on top of an AD framework.
Basically, nothing new here.
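The logon-time health check described in this comment (and the "verify they're up to date before letting them out into the wild" policy a few comments up) comes down to a posture evaluation followed by a network placement decision. The following is an added example, not code from the original post or from any Windows/AD product: a small Python model of that decision. The report fields, the placeholder patch identifiers, the VLAN numbers and the sample hosts are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostReport:
    """What the client-side agent reports at logon (field names are assumptions)."""
    hostname: str
    installed_patches: frozenset
    av_signature_date: date
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    required_patches: frozenset
    max_signature_age_days: int
    require_firewall: bool = True


# Placeholder segment ids for this example; the quarantine segment is expected
# to reach only the patch/AV repository and the remediation web page.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999


def evaluate(report, policy, today):
    """Return (vlan, reasons). An empty reasons list means the host passed."""
    reasons = []
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    age = (today - report.av_signature_date).days
    if age > policy.max_signature_age_days:
        reasons.append(f"AV signatures {age} days old (limit {policy.max_signature_age_days})")
    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    return (PRODUCTION_VLAN, []) if not reasons else (QUARANTINE_VLAN, reasons)


def remediation_notice(report, reasons):
    """Text shown to a quarantined user instead of silently pushing anything."""
    lines = [f"{report.hostname} has been placed on the remediation network:"]
    lines += [f"  - {r}" for r in reasons]
    lines.append("Fix the items above (the update repository stays reachable), then log on again.")
    return "\n".join(lines)


# Constructed sample data; the patch identifiers are placeholders, not real KB numbers.
POLICY = Policy(required_patches=frozenset({"PATCH-A", "PATCH-B"}), max_signature_age_days=7)
TODAY = date(2004, 8, 20)
SAMPLE_HOSTS = [
    HostReport("dorm-pc-1", frozenset({"PATCH-A", "PATCH-B"}), date(2004, 8, 18), True),
    HostReport("dorm-pc-2", frozenset({"PATCH-A"}), date(2004, 6, 1), False),
]


def triage(hosts=SAMPLE_HOSTS, policy=POLICY, today=TODAY):
    """Evaluate every reported host; returns {hostname: (vlan, reasons)}."""
    return {h.hostname: evaluate(h, policy, today) for h in hosts}


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        vlan, reasons = evaluate(host, POLICY, TODAY)
        print(host.hostname, "->", "VLAN", vlan)
        if reasons:
            print(remediation_notice(host, reasons))
```

The point of keeping `evaluate` separate from any enforcement is the one the thread keeps circling: the school decides what reaches its network, the user keeps the choice of how to fix the machine. Whatever the agent reports is self-reported, so a check like this raises the floor for the careless majority but is not proof against a host that lies about its state.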
> I am a CS student at a small Liberal Arts college
When I read this my mind immediately expected it to be followed by something like:
"I am a CS student at a small Liberal Arts college. I've never been lucky with girls and nothing like this has ever happened to me before. One night I was up late in the laundry room and this beautiful girl walked in..."
- For the complete works of Shakespeare: cat
Any time an institution requires software to be installed at all, it's a red flag that says that institution is doing something else wrong. While it's a good idea for students to keep their computers up to date with virus scanners and security patches and the like, it's not a good idea for the institution to take that responsibility away from the students themselves.
I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wall port reactivated increased awareness.
The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.
So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
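The flow-analysis approach this comment describes (and the "alert the admins if someone tries to make many repeated connections" suggestion earlier in the thread) can be shown concretely. Below is an added example, not code from the original post or from the UW NOC: a Python detector that reads per-flow records, looks for one source reaching an unusual number of distinct destinations on a single port inside a sliding time window (the fan-out pattern of a scanning worm), and turns hits into the port-disable action the comment describes. The flow records, the worm port list and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports that the mass-scanning worms of the time hammered (RPC/NetBIOS/SMB).
# Assumption for this example; tune it to whatever the current outbreak uses.
WORM_PORTS = {135, 139, 445}
FANOUT_THRESHOLD = 20            # distinct destinations on one port ...
WINDOW = timedelta(seconds=30)   # ... seen within this sliding window

# Constructed sample flow records: (src, dst, dport, ISO timestamp). Not real campus traffic.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.5.1", 53, "2004-08-20T10:00:01"),        # normal DNS
    ("10.1.5.20", "198.51.100.7", 80, "2004-08-20T10:00:02"),    # normal web
    ("10.1.5.20", "198.51.100.9", 80, "2004-08-20T10:00:05"),
    ("10.1.5.20", "10.1.5.1", 53, "2004-08-20T10:00:30"),
]
# One infected host sweeping TCP/445 across a neighbouring subnet, one host per second.
SAMPLE_FLOWS += [
    ("10.1.7.44", f"10.1.8.{i}", 445, f"2004-08-20T10:00:{i:02d}") for i in range(1, 41)
]


def detect_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: {"port": p, "peak_fanout": n}} for every source that reached
    at least `threshold` distinct destinations on one port inside `window`."""
    by_src_port = defaultdict(list)
    for src, dst, port, ts in flows:
        by_src_port[(src, port)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for (src, port), events in by_src_port.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> flows to it still inside the window
        oldest = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward: evict flows older than ts - window.
            while events[oldest][0] < ts - window:
                old_dst = events[oldest][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                oldest += 1
            fanout = len(in_window)
            if fanout >= threshold and fanout > alerts.get(src, {}).get("peak_fanout", 0):
                alerts[src] = {"port": port, "peak_fanout": fanout}
    return alerts


def plan_response(alerts):
    """Map each alert to the NOC action: cut the wall port for known worm ports,
    otherwise queue it for a human (could be a legitimate scan from a lab box)."""
    actions = []
    for src, info in sorted(alerts.items()):
        action = "disable_port" if info["port"] in WORM_PORTS else "review"
        actions.append({
            "src": src,
            "action": action,
            "reason": f"{info['peak_fanout']} distinct hosts on tcp/{info['port']} "
                      f"within {WINDOW.seconds}s",
        })
    return actions


if __name__ == "__main__":
    for action in plan_response(detect_scanners(SAMPLE_FLOWS)):
        print(action)
```

Run against the constructed sample, the web-browsing host never comes near the threshold while the sweeping host peaks at 31 distinct destinations inside a 30-second window and gets a `disable_port` action. The threshold and window are the knobs that trade false positives (a legitimately chatty host) against detection delay; in practice a NOC would feed this from router NetFlow exports rather than a hand-built list and would keep the "review" path for ports that are not on the worm list.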
one step foreword
He sure isn't a spelling major
I go to the University of Virginia, and the entire network took a huge hit last year with all the viruses. So, they started requiring people to register their MAC addresses. Basically, before they could tell what room you were in by IP address, but to be able to contact you, they would have to search who is living in that room, and which jack a person is on. Anyway, with the new system, they can easily send you an email saying "your computer is infected" and send you a link to the updates for Norton AntiVirus (which is free for students). It seems to work pretty well and it's not that much of a pain. Much less involved on the network admin's part, and much, much, much less over-the-shoulder monitoring.
I think my principles are reachin' an all time low
Instead of requiring this monitoring/updating service, it should be offered as an option to those who don't want to be bothered with maintaining their own machines and/or lack the know-how to do it themselves.
Those who didn't want to use the service and preferred to patch their machines would be welcome to do so-- but would be charged a reconnection fee (~$100) if their PC got owned and had to be disconnected from the network. I'd add a "three strikes" aspect to this, so the third time the same person's PC got owned, they'd have to pay the fine and be required to use the monitoring/updating service.
~Philly
At my school (Michigan Tech), I remember receiving several emails stating that students' internet access would be disabled if they were infected with $latest_worm. The IT department typically caught the worms as the first few machines were infected, and killed their network connection. The network performance never suffered as far as I could tell.
At the other end of the spectrum, some friends of mine at other schools were unable to use any network related stuff because their IT departments completely ignored the worm problem. I'm not sure if this was because of incompetence, indifference, or a little of both.
Funny anecdote, I'm sitting here at Million Man LAN. Someone brought in a machine infected with sasser, and within minutes there were hundreds of people infected. You'd think that the gamer crowd would be up to date with their patches.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
of someone who went to a "liberal arts" college, where you learn that there's no such thing as an abstract principle, that we must be pragmatic, and consider every new situation with no bias from past experience. I find it difficult to believe that you are in fact, responsible for anything.
"Overall, I think that this is probably better for the system"
Of course you're more interested in "the system", you're a liberal.
In my new position I can completely understand it. When I was in college, I would have despised the very concept.
Of course you retain no concrete beliefs, you're a liberal.
I want to delete my account but Slashdot doesn't allow it.
How about blocking NetBIOS? Many virii spread by searching for writable NetBIOS shares on a Windows network and modifying the files they find.
Set up your routers to block NetBIOS traffic, and also have incoming and local network packets scanned with a virus scanner en route. You can also block ports used by common virii.
Just some thoughts.
At my school they would just block any IPs from machines that looked infected. The students would then have to call up technical services to get the block removed.
Boy-oh-boy, that's gotta be tough. "CS101: Introduction to Point-n-Click", "CS110: Introduction to Powerpoint Animation Techniques" (and the follow-up course: "CS210: Intermediate Powerpoint Animation Techniques") and the popular elective "CS495: Advanced Regedit".
CUR ALLOC 20195.....5804M
Well, welcome to the real world. This is exactly the policy you can expect to find in an enterprise environment. I see no good reason why it should not be applied to colleges/schools as well. After all, you are being plugged into their network infrastructure, and it's their job to keep the network running and available for all students.
Never, ever lose a file again. Ever.
in a university were administered by the faculty and students (E.E. CompE., C.S.) and not by some IT bureaucrats who couldn't pass Programming Languages 101.
But it is THEIR network.
Many institutions have had similar policies for employee computers for years. I knew of a university computer department in the mid-90s that required that professors either 1) install a 2nd root account (on Unix boxes) so the network managers could force-install security patches or 2) install a hardware firewall in their office to prevent crackers from breaking in.
Part of any solution should involve quarantining any machine that displays suspicious behavior. Businesses are starting to do this - if your box starts acting like it's infected with a virus, all network access is shut off except for the company's internal anti-virus/software-update/disaster-recovery web site. Any large network should have such a system.
Another good long-term solution is to block all inbound and outbound traffic on all ports except those used by almost all students at each machine, and only give additional access when it's asked for.
For each IP address, port, and direction (in- or out-bound) access would be BLOCKED (default for most ports), CAMPUS-ONLY (default for campus-only services), or OPEN (e.g. outbound port 80). With OFF and CAMPUS-ONLY, SPECIFIC MACHINES or nets can be added (e.g. email goes to/from campus mail server), and for CAMPUS-ONLY and OPEN, SPECIFIC MACHINES or nets can be BLOCKED (e.g. Russian spam-hosting machines, or machines in the campus virus research center). The university would have a standard "default" setting and if you needed specific changes, "ask and ye shall receive."
If more ISPs took an approach like this, the motivation for writing zombification viruses would lessen, as most machines would be harder to take over and less useful once compromised.
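The BLOCKED / CAMPUS-ONLY / OPEN table described above, with per-port allow and deny exceptions and per-machine overrides, can be expressed as a small policy evaluator. This is an added illustration, not code from the post; the campus address space, the blacklisted net, the mail relay address and the "virus lab" net are all constructed. It also folds in the earlier suggestion of blocking NetBIOS/SMB ports in both directions, which is just one row of the same table.

```python
"""Per-port, per-direction access policy in the BLOCKED / CAMPUS-ONLY / OPEN style.
Added illustration; every address and network below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLOCKED, CAMPUS_ONLY, OPEN = "BLOCKED", "CAMPUS-ONLY", "OPEN"

# Constructed campus address space (RFC 1918 space used as a stand-in).
CAMPUS_NETS = [ip_network("10.0.0.0/8")]


@dataclass
class PortPolicy:
    mode: str
    # Specific peers added on top of a BLOCKED or CAMPUS-ONLY default
    # (e.g. the campus mail relay for port 25).
    allow: list = field(default_factory=list)
    # Specific peers removed from a CAMPUS-ONLY or OPEN default
    # (e.g. a known spam-hosting net, or the virus research lab).
    deny: list = field(default_factory=list)


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


# The campus-wide default table, keyed by (direction, TCP port).
# Anything not listed falls through to BLOCKED.
DEFAULT_POLICY = {
    ("out", 80): PortPolicy(OPEN, deny=nets("192.0.2.0/24")),         # web, minus a blacklisted net
    ("out", 443): PortPolicy(OPEN),
    ("out", 25): PortPolicy(BLOCKED, allow=nets("10.1.1.25/32")),     # only the campus mail relay
    ("in", 25): PortPolicy(BLOCKED, allow=nets("10.1.1.25/32")),
    ("out", 22): PortPolicy(CAMPUS_ONLY, deny=nets("10.250.0.0/16")),  # no SSH into the virus lab
    ("in", 22): PortPolicy(CAMPUS_ONLY),
    # NetBIOS/SMB stays blocked in both directions.
    **{(d, p): PortPolicy(BLOCKED) for d in ("in", "out") for p in (137, 138, 139, 445)},
}

# Per-machine exceptions granted on request ("ask and ye shall receive").
HOST_OVERRIDES = {
    "10.3.7.42": {("in", 80): PortPolicy(CAMPUS_ONLY)},  # a student's campus-only web server
}


def in_any(addr, net_list):
    return any(addr in n for n in net_list)


def policy_for(host, direction, port):
    """Host-specific rule if one was granted, else the campus default, else BLOCKED."""
    override = HOST_OVERRIDES.get(host, {})
    return override.get((direction, port)) or DEFAULT_POLICY.get((direction, port)) or PortPolicy(BLOCKED)


def allowed(host, direction, port, peer):
    """Decide whether traffic between campus machine `host` and `peer` on `port` may pass.
    `direction` is "in" (peer connects to host) or "out" (host connects to peer).
    Deny exceptions win over allow exceptions, which win over the mode default."""
    rule = policy_for(host, direction, port)
    peer_addr = ip_address(peer)
    if in_any(peer_addr, rule.deny):
        return False
    if in_any(peer_addr, rule.allow):
        return True
    if rule.mode == OPEN:
        return True
    if rule.mode == CAMPUS_ONLY:
        return in_any(peer_addr, CAMPUS_NETS)
    return False


if __name__ == "__main__":
    for args in [("10.2.0.5", "out", 80, "203.0.113.9"), ("10.2.0.5", "out", 25, "203.0.113.9"),
                 ("10.2.0.5", "out", 22, "10.250.1.1"), ("10.3.7.42", "in", 80, "10.4.4.4")]:
        print(args, "->", "pass" if allowed(*args) else "drop")
```

The evaluator is deliberately default-deny: a port nobody asked about is BLOCKED, and a per-host override replaces only the single (direction, port) entry it names, so a granted exception cannot silently widen anything else on that machine.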
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I am a student employee in the IT dept. of a state university with a student population of about 10,000. Our network admins have the network set up to require windows PCs to have the patches against blaster, etc. before the students can register their connection (done over the network, required before it'll let them use network resources). They have automated processes that scan the network for infected or vulnerable computers and disable the port of any such PCs. They have done very well the last few years keeping things working smoothly. My only gripe was that they disabled the ability to use port 80 to serve (because of code-red); I now live off campus and have DSL so I don't have to worry about that any longer.
I read as far as "I am a CS student at a small Liberal Arts college", Gee, I wonder what _your_ opinion on the subject would be.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
It would be a huge step forward for computing, innovation, and education if higher education would require a higher standard.
Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.
Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill Gates mess with it. It's already compiling lists of all the music and movies you play and it sends all sorts of information back home. Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?
LSU can and does monitor traffic at building routers. Unusual activity has them block the MAC address. It's much easier than requiring expensive commercial software that does not work.
Unfortunately, LSU is moving toward just that kind of stupid requirement. They are specifying that Winblows machines on their network have "up to date" virus software. That's fine, so long as they don't require Winblows in the first place. The student senate is considering a laptop and Active Directory requirement. What a nightmare.
There's lots of room between turning every computer on campus into a campus owned DRM'd dumb terminal and letting the Windows machines destroy the campus network. They could continue blocking actual problems at the router instead of requiring the very source of the problems be run by all. They can offer the service voluntarily to those who simply have to have winblows. Macs, Linux and commercial Unix do not have the same problems and should be encouraged. Computing services should make running Windows as easy as they can and that includes offering virus protection, but they defeat themselves when they dumb the network down for it.
Friends don't help friends install M$ junk.
Double shoot ... how many of them even bother writing their term papers? Just download 'em!
I have a very simple solution to the problem of mass exploited windows machines: USE LINUX! I am a CS major at a similarly small private institution, and I have been using linux on my desktop for 2 years, gracias, Gentoo. Thank you Linux for not sucking... also, it seems that the be-all-end-all solution for the college tech support-ist is, in cases of windows infestations: "yea, we're going to have to reformat your NTFS harddrive". I think that is BS, but it's so easy, and security issues in MS software are so plentiful, how can they do anything else, having to deal with the volume of cases to support. We have avoided the issue of realtime management altogether, and in its place, we employ a reactive approach. This software, though intrusive, is necessary, because if one idiot doesn't apply patches, every user can/will suffer. It's just another trade-off decision that needs to be made, at the discretion of the university and the people paying said university's tuition costs. IMHO, however, I say roll it out; anyone who lags on patches deserves to have a defunct (more defunct) MS box.
sigSEGV - doy!
Set up a firewall between the dorm networks and the campus backbone and configure it similar to how you'd set up the one between the internet and the campus backbone.
Assume the machines in the dorm networks are hostile and are run by people (in effect) who want to screw up your machines:
If these machines cause too many problems, just cut them off from the network for abuse. The university isn't the student's personal system administrator.
This seems like a 'one step forward, two steps backward' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network.
This all depends on HOW they set up the system. If they have a server with all the updates on it that it sends out, then yes this would be a bad system. However I highly doubt they would set it up like that for multiple reasons. First it would create the problem stated above, and second it would cause a big bandwidth issue with that server when every computer on the network is trying to download the update...
This wouldn't be an issue if they just sent an update requirement to the system, informing them which patches to download off of MICROSOFT's servers. This would also be true for virus protection, using Panda's or Norton's servers for antivirus/firewall updates.
You know, before college campuses start taking such intrusive measures, they really should get their *basic* security right. I've attended several universities and am appalled by the lack of basic security measures. For starters, subnets should be firewalled from each other with a very limited set of services exposed (e.g. there isn't really any compelling reason why resnet computers should have NetBIOS/SMB/RPC access to computers on the admin subnet). Such a simple step would go a LONG way toward limiting the spread of worms. Secondly, the resnet computers should not be able to accept inbound connections from the public internet, *period.* (better yet, stick your resnet on a NAT so none of the student PCs even have publicly routable IP addresses). This will stop 3l33t Linus hackers from running their own servers, but guess what - the school is not in the business of providing you bulk bandwidth so you can run an e-business. You want to run a server? Pay for colocation, buddy.
The campus should provide antivirus screening at the e-mail gateway to limit that entry point, and should limit or monitor outbound SMTP activity from resnet PCs so they can catch infection through 3rd party hosts. Finally, the school should be running IDS on all its networks and quarantining any system that's found to be infected/0wn3d until it's demonstrably been cleaned up. Iff the school has PROPERLY implemented their network using common best practices (to reiterate, firewall those subnets from each other - in this day and age there is NO EXCUSE for leaving your internal network wide open so a single compromised system can compromise the whole thing) and it still isn't doing a good enough job containing infections, THEN we can talk about more intrusive measures.
If all you are using the net for is uploading your papers and downloading assignments...dial up rox. UH? You have other uses for the net? Oh, well then dial up sux, and no, you can't run kazaa on the network - yeesh grow up
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
The reality is, of course, that even if it would be desirable to have a policeman walking his beat through your living room, it's not possible to keep up with all the activity in a free society to be able to prevent it. Crime happens. So put locks on your doors. Be aware of your surroundings. Don't make yourself a target.
In the same way, it is unrealistic to say to users, look, we've got this relatively open network that allows almost anyone to connect, so let us police your machines and nothing bad will happen. It's better to say, this network is a pretty chaotic place, and anything could be out there. You need to protect yourself and take responsibility for your property. Put a firewall in place. Know what ports are open on your machine. Have an updated anti-virus scanner. And so on. Know what software you have and be cautious about installing programs.
If the attitude of educational institutions is not to teach people how to be responsible on computer networks, can we hope for anyone to learn it anywhere?
Technology cannot cure crime or sociopathic behavior. The same level of technology used to prevent and punish the current modes of attack is being used to develop the next generation of attack. Until education becomes a fundamental principle for network security, there will never be a shortage of victims.
The restrictions on PCs become a lot more relevant since this restrictive college sounds like they basically force people to live on campus. Kinda odd, don't you think?
AccountKiller
many universities require students to reside in campus housing for at least the first year, many for 2 years.
"Sic Semper Tyrannosaurus Rex."
Network Associates has an Intrusion Prevention System (IPS) that can automatically isolate viruses.
However, some of the ideas you mentioned, like not allowing SMB traffic between administrative subnets and residence hall subnets, may not work in many environments.
I was at a very large university in the mid-90s, back in the days of MacOS 7.x, OS/2 2, and Windows 95 and NT4. Oh, there was a lot of *nix too of course :)
If you were logged in anywhere on campus, or even dialed in from home, you could get to any Apple or Windows file or print server your login gave you access to. This was A Very Good Thing.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
In an enterprise environment, the enterprise most likely owns the computer and is responsible for its upkeep.
In a University/dorm setting, the computer is most likely privately owned by the student.
Look, it's your computer. You paid for it. You paid for the RAM, drive space, and CPU that they want to use to run their Orwellian management software. Tell them that they may not install their software on your PC.
Better yet, tell them that you wish to review the license agreement for the software. See if you really agree to it. Does it say that the software may cause a loss of data, crashes, etc. and that the publisher is not responsible? If so, ask why you should put it on your PC. Insist that they prove that they have adequate licenses for all copies installed. Demand a signed letter stating that they are taking responsibility for the security of your system and all network data transfers to and from it. If you don't control the software, how can you be expected to be responsible for the computer?
What's to stop them from pushing RIAA-supplied software onto your system to scan for "illegal" MP3s? How do you know what they are loading on your PC?
Our campus is using cisco routers. So we enable netflow and dump the output to another host running FreeBSD. (FreeBSD has a netflow implementation using netgraph if you don't use cisco routers, though we haven't tested using it).
The FreeBSD is actually our main gateway before going out to the Internet. Then, we wrote a script to detect flow counts to ports used by common worms/viruses and if it's more than 100 at one time, we will save the IP address to a database. This script runs every 10 minutes using cron. The script will first delete all entries and insert the new IP addresses every 10 minutes.
Then, we set the firewall running on the FreeBSD box to block all connections from the IP address and transparently route any http connection to our emergency response page. The page will notify the students that his/her PC is infected with a certain virus (based on the port it tries to connect to).
We only allow them to connect to Windows Update, Symantec website and our Emergency Response website. All other connections are blocked. We cache all the windows patches using our transparent proxy so that when they want to update their PC, they won't have to wait for several hours.
On our Emergency Response page, we provide free antivirus, the latest symantec antivirus pattern update, spybot and its updates and also dcombobulator. A short description of the suspected virus infecting their PCs is given on the website.
The emergency page also lists all the IP addresses of PCs suspected to be infected with worms, the location in our campus (based on the VLANS), the number of flow counts detected coming from the PC, the MAC address, the name of the PC (windows), and the user currently using the system. Some of the details we got using netflow and others we got using nbtscan.
Every semester, the user will have to sign a document saying that his/her PC has antivirus software installed and up-to-date.
We are planning to use snort to detect suspicious packets using snort's signatures and block the IP address detected.
We do receive complaints from students regarding this implementation where the students said that their PC is up-to-date and free from virus. But after further investigation, their PC was infected. It seems that they just assume that their PCs are free from viruses without actually scanning using antivirus.
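The flow-count check at the heart of the setup above (more than 100 flows from one source to a worm port within the 10-minute cron interval, then wipe and refill the database table) can be written in a few dozen lines. This is an added illustration, not the poster's script; the flow-record format and all traffic are constructed, and the port-to-worm mapping covers only the two worms named elsewhere in this thread (Blaster scanned TCP/135, Sasser TCP/445). The sample traffic includes two cases a naive counter gets wrong: a host that legitimately talks to a file server on 445 a few times, and a host whose burst of scans is older than the window.

```python
"""NetFlow-style worm detection modelled on the FreeBSD gateway described above.
Added illustration, not the poster's script; flow records below are constructed."""
import sqlite3
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")  # ts in seconds, as a flow export would give

# TCP ports the 2003/2004 worms scanned for victims; used to name the suspect on the page.
WORM_PORTS = {135: "Blaster (RPC/DCOM)", 445: "Sasser (LSASS)"}
THRESHOLD = 100     # "more than 100 at one time"
WINDOW = 10 * 60    # the cron interval: flows older than this are ignored


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst dport proto' lines (constructed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto.lower()))
    return flows


def find_suspects(flows, now):
    """Return {src_ip: {port, flows, suspect}} for hosts whose flows to one worm port
    exceed THRESHOLD within the last WINDOW seconds. Old flows and other ports are ignored.
    If a host trips more than one port, the busier port is reported."""
    counts = Counter()
    for f in flows:
        if f.proto == "tcp" and f.dport in WORM_PORTS and 0 <= now - f.ts <= WINDOW:
            counts[(f.src, f.dport)] += 1
    suspects = {}
    for (src, port), n in counts.items():
        if n > THRESHOLD and n > suspects.get(src, {}).get("flows", 0):
            suspects[src] = {"port": port, "flows": n, "suspect": WORM_PORTS[port]}
    return suspects


def refresh_table(conn, suspects):
    """Replace the whole table each run, as the poster's cron job does. Returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS infected "
                 "(ip TEXT PRIMARY KEY, port INTEGER, flows INTEGER, suspect TEXT)")
    conn.execute("DELETE FROM infected")
    conn.executemany(
        "INSERT INTO infected (ip, port, flows, suspect) VALUES (?, ?, ?, ?)",
        [(ip, d["port"], d["flows"], d["suspect"]) for ip, d in suspects.items()],
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM infected").fetchone()[0]


def sample_flows(now):
    """Constructed traffic: one Sasser-like scanner, one host doing ordinary SMB,
    and one host whose burst of port-135 flows is older than the window."""
    lines = []
    for i in range(150):   # 10.1.4.23 probes 150 different hosts on 445 within the last minute
        lines.append(f"{now - 60 + i // 3} 10.1.4.23 10.1.{i // 254 + 20}.{i % 254 + 1} 445 tcp")
    for i in range(5):     # 10.1.4.50 talks to the file server on 445 a handful of times
        lines.append(f"{now - 300 + i * 40} 10.1.4.50 10.1.1.10 445 tcp")
    for i in range(120):   # 10.1.9.7 flooded 135 twenty minutes ago; only 10 flows are recent
        age = 30 if i < 10 else 1200
        lines.append(f"{now - age} 10.1.9.7 10.1.30.{i % 254 + 1} 135 tcp")
    lines.append(f"{now - 5} 10.1.4.23 198.51.100.7 80 tcp")  # ordinary web traffic, ignored
    return parse_flows("\n".join(lines))


def demo(now=1_000_000):
    """One cron run over the constructed traffic: returns (suspects, rows written)."""
    found = find_suspects(sample_flows(now), now)
    rows = refresh_table(sqlite3.connect(":memory:"), found)
    return found, rows


if __name__ == "__main__":
    found, rows = demo()
    for ip, info in found.items():
        print(f"{ip}: {info['flows']} flows to tcp/{info['port']} -> {info['suspect']}")
    print("rows in table:", rows)
```

Counting only flows inside the window is what keeps the table honest between runs: a host that was cleaned twenty minutes ago drops out on the next pass without any manual reset, which matches the delete-and-reinsert cycle the post describes. Counting distinct destinations instead of raw flows would be a stricter scan signature, since a worm hits many hosts once while a file-server client hits one host many times.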
Giving a college employee (who is likely a student) access to run any program with administrator rights is ripe for abuse. Even if this is limited to running a batch file daily (or weekly or ...) it would be trivial to add functionality to, for instance, copy all .gif files to look for an off color photo of any of the female students... or delete a research paper, install a keylogger, (re)enable a webcam's image capturing to see what you were missing while the owner thought it was off etc.
Of course, you also mentioned the problem of the machine giving out all these patches being compromised. Even if your college were lucky enough to find someone honest enough to not do anything intentionally evil, compromise of that one machine would provide the attacker access to run anything as administrator on all connected systems.
This is reminiscent of landlord/tenant laws. The landlord is required to give notice before entering someone's living space. And similar to the difference between department stores monitoring their dressing rooms for shoplifting vs. your landlord putting a camera into your bedroom and bathroom "to make sure you aren't using drugs / damaging anything/etc"
It may be legal for the college to do this, but certainly isn't something it should be doing.
Anyway, I'd be configuring VMware to run the university-accessible copy of Windows and only use that for NAT. Anything you send over their network cleartext is fair game, anyway.
If you are going to write in English, do it properly.
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretapping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind of decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Friends don't help friends install M$ junk.
I've got the laptop in question right here, (I'm typing on it now) and yeah, I dual-boot Linux (Knoppix knx-hdinstall) and Windows 2000 SP4. I need to upgrade the hard drive to give both systems the space they need to coexist happily, but even now they both are happy together. The hard drive is 10GB, there is 228MB of RAM in here, and I have both a wired NIC and a Prism-based 802.11b card to use with it. It won't run Neverwinter Nights or Doom 3, or anything like that, but from what I understand Starcraft will probably run on this. I can certainly play KMahjongg on this until the cows come home.
However, I intend to use this machine primarily on Linux...*especially* when it is hooked up to the University network. Everyone knows just how good OpenOffice.org is as an Office alternative, and how much it needs to evolve, so I won't say much about that. However, the SPSS requirement is something that takes some thought.
After some judicious googling, I found two SPSS alternatives: The R Project and GNU/PSPP. I don't know much about either program, (nor do I know much about SPSS) but it's good to know there are at least two alternatives that leap out at you when you look for it.
Linux should be a supported alternative at all Universities and Colleges throughout the world. Actually, I think Linux should be promoted over Windows, and I am not alone in thinking this..
Linux solves a lot of problems that bedevil IT departments at Colleges and Universities. It comes with great Free/Open Source alternatives to widely-bootlegged proprietary software. It is less prone to malware, viruses and trojans. It is more secure than Windows. And if you look beyond full-figured GUIs like GNOME and KDE and use trim window managers like IceWM, BlackBox, XFCE and so on, you can run graphical Linux on modest computers. Linux + KDE is actually quite nimble on my 400MHz ThinkPad 600E, and I have seen it run OK on 233MHz Pentium systems with 128MB RAM or better. If Windows 2000 will run on a machine, Linux and KDE will also run.
All these problems the article we're discussing enumerates would be ameliorated if not completely sidestepped by encouraging alternatives to a Windows Monoculture.
Knowledge is power. Knowledge shared is power multiplied.
UNC Greensboro demands XPpro and no other. They offer ZA and Norton for free or almost free. They scan ports to look for specific Windows patches and fixpacks and if you are lacking they turn off your port until you address the problem. They have a policy about P2P sharing. There do not appear to be any other restrictions.
Hm. What if someone decided to hook up the schools connection to a router, then put their windows boxen behind it? This would show up as a *NIX based computer would it not? I wonder if the school(s) would find ways to figure out things like this type of walk-around?
What's the state of the public computer labs?
I work for the engineering department's IT office and the campus computer people, even without worrying about dorm machines, have their hands full. The public labs are -constantly- getting infected & flooding the network with garbage. I wouldn't trust these guys to format a floppy, let alone manage my system.
OTOH, if they can keep the rest of their network pretty clean & the dorms are the last thing, they really only have 2 options - firewall the hell out of the dorms or try to force users to maintain their own systems. IDSes are of limited use when a new bug hits (or hits after 5p on a Friday) and that's when you're paying the kind of money it takes to get competent people; with the kind of budget most colleges are willing to spend on IT staff (especially when it's something as un-sexy as a liberal arts school), you're lucky if they don't flag your counterstrike packets as viral.
my sig's at the bottom of the page.
Forcing students to meet some very sensible minimum computer security requirements (such as up-to-date anti-virus and operating system software) will not limit their academic freedom or ability to express themselves in any way, so what's the problem? Other technical solutions that would warrant investigation include separating academic and administrative network resources (my alma mater had the administrative systems on a separate physical network) and performing regular "un-cooperative" vulnerability assessments of the student and residential networks (i.e. a safeties-off penetration test with Nessus or similar).
Now, if we were discussing unfiltered Internet access for said students, I could see room for several good arguments (e.g. granting students the ability to develop Internet-accessible systems, but balancing that against the abuse of these projects to affect the institution or other students or other Internet-connected systems, etc.) But "Academic freedom" doesn't free a student of basic adult responsibilities. Just as an institution issues students keys for their doors and badges for building access and passwords for their email, an institution should teach a student to be a responsible network citizen by issuing them anti-virus software. This is not unreasonable. So why the "Ask Slashdot"?
I'm proud of my Northern Tibetian Heritage
... on how far they take it. The college I live next to, which shall remain nameless, went through a similar situation. When Blaster, Welchia, et al. hit last year, they sent around the RA's with copies of "utility" cd's containing the patches & virus fixes. Needless to say, they were (and still are) a small college. That was fine right up until they hit a Mac... because the RA and the student who owned the Mac refused to sign the form stating that the patches and fixes had been run (obviously, they couldn't), the "IT dep't" required that the unit be brought physically to their office for inspection.
I'd hate to have someone pawing over my Linux machine every time the latest virus hits the Windows boxes. I'd throw a fit if they forced me to install software on it. I'd really create a fuss if they kicked me off the 'net simply because I'm not running Windows.
And none of this "Let's 'scan' my system and see what's on it, in case I'm breaking copyrights, or doing something else I shouldn't be." What's on my system is none of anybody's business, unless it's impinging upon the network (spam, anybody?). If it's transmitted across the network, it's fair game... if it's already on my hard drive, hands off.
Guess it's just like everything else... as long as it's held to a moderate level, and some common sense is applied, it ought to be fine.
Look at it all from the college's perspective. It's EXTREMELY expensive to constantly identify and quarantine infected machines. Viruses and malware in general take a huge bite out of the university's limited bandwidth. After months/years of fighting the losing cycle of identify -> block, something else has to be done. Yeah, it really sucks, but you'll be glad when your connection becomes 50% faster overnight. It's really not their fault Windows is a piece of crap and that end users don't do anything about their infected machines. From their perspective, they've got a 10 megabit connection, and 5 megabits of that is being used by complete and utter crap. Not even p2p, but machines scanning other machines to try and infect them. You just eventually reach a frustration point where nothing else works and you have to punish everyone because there is little other choice.
I work at IT at Washington State University. Our campus internet connections (one university-owned apartment complex, the dorms, and the fraternities and sororities) are all managed by IT. Connections are regulated by MAC address--students provide their MAC address to us and we certify them onto the network. DHCP assigns a specific IP to one MAC address per student (if the student has multiple computers, each MAC address after the first is randomly assigned a dynamic IP). This allows us to disconnect any student who we notice excessive bandwidth from. This lets us catch most viruses as well as most file sharing (RIAA also provides us with IP addresses that they catch, we disconnect them). When disconnected, the student is required to have their computer cleared of whatever was causing the bandwidth violation (and, in case of file sharing, properly "re-educated" about the vagaries of copyright).
I can't tell you how many dumb students go and get their computers infected with viruses because they haven't ever patched Windows. Now, if it wasn't for our policy of charging students for doing work on their machines when they get them infected with viruses or something like that, we would love this. As it is now, we just turn it into a revenue stream.
We do, however, require students to use antivirus software (we have a site license for AVG and distribute it promiscuously) and to keep their computers up to date. This is part of what justifies us charging them when they don't and end up getting infected as a result. If it continues to be a problem, Student Affairs penalizes them further.
We have essentially the same policies for filesharing, and will enforce them at the request of RIAA. In fact, our penalties for filesharing are higher. So this isn't that much more strict than what we do at WSU.
In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
In general the majority of users do not know how to properly maintain and service their machines (just as most people do not properly maintain and service their cars). As there are checkpoints to ensure vehicle safety, appropriate checks need to be put in place for computers.
The down side is that computer safety is a constantly moving target. It most certainly is not reasonable to constantly scan every machine on a network to see if it is vulnerable to a new security issue, or has been reverted and is vulnerable to an old issue. Then comes the question: if the network guys are scanning all these machines and testing exploits, they then need to manage the lock outs; let's face it, false positives are something that is going to plague such a system. Let's not even get on to theoretical weaknesses for which no known exploit code exists.
Reasonably, why not throw a small service on a windows box, so when it is plugged into the network the network says, give me a list of patches and your AV engine/pattern versions. Compare that to current and update if needed.
While in a utopian world people would do this themselves vigilantly, this is earth - people don't; people want to start their copy of BORG Word and write their thesis, they do not give 2 hoots about viruses or security as they most likely suffer the common thought of "It won't happen to me".
Here in Australia I know of a few large networks brought down due to poorly maintained machines combined with viruses that were effectively shut down for several days to 2 weeks. Not really acceptable now is it?
The fact of the matter is networks need to protect themselves and reactionary measures are just NOT working. Cutting someone off once they are infected is too bloody late, as one infected is likely to be 10 is likely to be 100 etc. Cutting someone off after they become a spambot is too late as they may have already sent enough messages to be noticed by a blacklist - especially bad if the messages go through the university mail relays. Cutting someone off after they have been hacked is also pointless; now you have to go on a hunt to see if the hacker(s) got into anything useful.
Remember the more time the IT department has to spend monitoring, tracking, cutting people off and reinstating people's access is also more money they spend on something that is likely to be able to be easily and cheaply managed with a small agent on each machine.
On a side note I wonder if this is the Trend Micro system; I had them in my office a short while ago trying to sell us something very similar. From a network admin/system admin perspective it seemed very cool
"requiring all Windows-based computers"... sounds like an excellent excuse for a Linux migration!
This isn't the sig you're looking for... Move along.
I think this is a great idea. Well, banning Windows outright would be preferable, but that might get in the way of Microsoft cash donations to the university. As a CS student you won't be using Windows anyway, so where's the problem? After seeing all the damage that Microsoft software such as IE and Outlook have inflicted on the net as a whole, (I notice there's yet ANOTHER IE flaw permitting the silent installation of a keylogger just by visiting a webpage!).
Yeah, this is almost as good an idea as banning Windows full stop. It's not like there aren't much better alternatives such as Linux anyway.
The college is thinking MONEY. How much money did it cost them to deal with worm-infected computers in the last years? How much money will this proactive approach cost them?
If you want to convince them that there is a risk that a malicious user might break the central system, you have to give them numbers. How many users have compromised central systems in the last years? How much did it cost the central system owners? If you can't find actual numbers, it is not a valid argument. As is pointed out in another thread, the college might have some liability problems, but IANAL and can't comment on the matter.
If you can't give them actual data, the risk for them is negligible.
You do not connect!
If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.
If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.
I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.
Never argue with an idiot, they drag you down to their level and beat you with experience.
The choice you offer is: Be rooted or flunk out. How do you get your homework assignments, notes and other stuff required by your classes?
People should be outraged at the imposition of having their computer owned by their school for yet another winblows boondoggle that won't work. I don't even own a M$ operating system, so I'd have to go out and buy one as well as find some crappy computer to sacrifice to the cause. You don't think I'd trust real work to a networked M$ box, do you? The aggravation something like this would cause any clueful computer user is endless.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Careful what you call people. If you are running Windows, you are that careless idiot and I'm pissed at you for clogging my network. Even the best maintained Windows boxes get owned through unpatched Microsoft holes like this. If banks and other fortune 100 companies can't avoid being auto rooted, neither can you. The army of broken Windows bots is a threat to everyone, but we should not blame the user.
Operating systems that have not exhibited these kinds of problems should be encouraged, not saddled with a backdoor or banned. It's easy enough to monitor traffic at building routers and chop off the MAC address of problem machines. Wouldn't you like to know if you had been rooted and that the perpetrator had not used your machine to harm others? Winblows needs special help, but it does not have to go as far as the Big Brother bot proposed.
Friends don't help friends install M$ junk.
At least if they had common sense and wanted to go draconian, they could block all incoming connections, and all outgoing connections except on port 80 (and maybe 21 and 23).
Moll.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Basically what we've done is this. On move-in day we have some of our techs handing out CDs and brochures with our latest anti-virus software and patches, as well as advice for securing your PC. We figure the best we can do is recommend. After that, we have extensive monitoring. Any PC found to be infected and sending out malicious traffic is quickly located and its network connection cut off in the hubroom.
There's a big difference in trust. I don't have to trust my Linux distribution because I can prove that it's AOK. With Windoze update, you must trust Microsoft and it's very difficult to check. M$ has proven that they can't be trusted.
With Windows update you get binary junk and have no idea where it goes or what it does.
With free software, you get stuff that's open for inspection that can easily be checked.
Sure, you can get into trouble with non-free software on Linux. That's why distributions like Debian clearly denote what is free and what is non free.
Friends don't help friends install M$ junk.
While you are 100% correct in your statement, what about the fact that the school will be able to spy on whatever the students are doing? Look at their files, delete files they don't like, fully control the computer. My school would not let me use my laptop on their network because they could not spy on me. The tech people in schools really have no idea what they are doing; this is just going to bring more problems with privacy and, as you said, someone taking over the central server. Note: now that I think about it, they would probably use Novell, which is very easy to hack and take down, just google it.
At my uni, if you lived on campus, dialup was not an option; the uni switchboard blocked the digital access numbers
(telecom requires ISPs to use special numbers, to reduce network load).
With no cable, no ADSL, and no wireless available, we were all limited to the uni network, which was inherently slow and artificially limited. Also, it was prohibitively expensive to use (wonders of a monopoly), and plagued with Nimda, of all things.
Judging by the links the Wheaton student included, the College appears to be using ZENworks, which is a separate product with its own client. Does Sophos use its own update client as McAfee does? If so, that's another, separate client. MBSA I've never used except as a local app.
My main security concern would be that these folks use Patchlink, which seems to require Active Directory -- are these folks integrating Novell's eDirectory and Active Directory? That can be chancy, as anyone knows who's seen a cracker leapfrog from a Windoze system to a connected server.
I use ZENworks and Active Directory, though not together [shudder], and I administer networks on multiple campuses for a commuter college; these measures seem reasonably less than draconian.
A valid question might be: What exactly are students worried about? Is the concern over authorities seeing their porn stashes, pirated software or MP3 and MPEG collections? Hey, you takes your chances when you connect to any network.
Sometimes I have to say to hell with it and just eat my jellybeans.
A few factors to consider here
1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.
I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.
As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.
What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.
Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.
But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....
An AC asks for proof that WMP roots your machine and spies on you. OK, read your EULA and then inspect your files. You should find a file with the name of every song and movie you've ever played. Where it's located may be version dependent. They have given themselves the right to determine it and the ability to do it easily.
Friends don't help friends install M$ junk.
When I arrived on campus at my school my freshman year, they required a series of programs installed on all computers. I was fine with it because they said they were installing network access stuff and anti-virus. Okay. Fine. But then they also happened to install a little goodie known as WinVNC. I'm at a school with no computer majors available, so I'm one of the very few people in the population who realized what this was. I immediately disabled WinVNC on my computers and on every box I worked on (students to this day ask me to help them before asking IT, because they're so ridiculously condescending). Turns out they tried to connect to my computer via VNC and couldn't, so they disconnected my internet access. When they asked why I disabled it, I told them because of how insecure it was -- that anyone with minor coding knowledge could extract their password from the registry. They said that wasn't possible... wrong thing to say to a computer geek. It took me all of 10 minutes to download the source code to WinVNC and implement the password decoding code into a nice little command line app... and BAM -- I was able to take control of any computer (including administrative computers) on campus because they were foolish enough to use the same password on every install class. All this to say that you should NOT trust the school's IT department with too much control. The potential for abuse is too high. You don't know who's got access to the ability to manipulate YOUR machine.
I am not going to have any crap "school approved" software running on my computer. I am alright with the tactics that the ISPs are employing that cut off your computer if you are obviously propagating malware. However, to require that computers run this school's software is completely out of the question. What happens if somebody hacks into the school's administration of this software? Now everyone in the network is guaranteed to have the malware, and have their data compromised. I would sue the school for so much money that I wouldn't need an education. It doesn't matter whether you have to sign an agreement that to be on the network you have to run the software. Any decent lawyer could point out that the "no liability contract" was actually unlawful, because once the school puts that administrative software on students' computers they take responsibility. To run an anti-virus and firewall on my machine is only ethical. In fact, to run protective software is in my interest. I can't even be wondering if my computer will fail the night before a term paper is due. Also, what happens if I run Linux or Mac and the software "protection" is Windows only? Would I then be forced into the operating system that so dearly needs the subsequent protection? Fact is: I value my OWN computer, and the data on it. There is no way that I would trade freedom on my PERSONAL computer. If the computers subjected to this software were owned by the school, the school has a right to maintain the computers' integrity. However, since the topic is concerning a computer that is privately owned, not only would I refuse the software, I would test the administration every way I could to avoid the software. If the school, or its students, made it clear that your computer was required to run this software from day 1, I would look elsewhere: I value my data too much to let it fall under the jurisdiction of a 3rd party.
I attend a small liberal arts college that will remove net access for abuses like Kazaa and worm-spewing computers. Last year, they banned any Windows machine from coming on the network until the user installed McAfee and removed Blaster and other worms from their system. I spent numerous hours trying to explain to people why their "IE" wouldn't work. (The Apple and Linux users could log on without having to go through the hoopla.)
As for me, I'm delighted. The network runs faster without p2p clients, and downloads of important files (like the multiple-MB database files I need for work) go much faster. The only way to make people understand that they need to change their behavior is to create consequences for actions, or their negligent inaction. Example: unpatched XP machine. Result: viruses. Consequence: you don't play nice in the sandbox and you get kicked out. Result: student learns to patch Windows box, or gets a CS major to do it for him/her.
Install programs "deemed necessary", force Windows updates? Seems to me like your school needs a better network structure rather than playing Big Brother on your users. I can understand requiring a specific antivirus software (get a deal with Norton or some other antivirus company where you can provide students with the software for free and require them to run it to be on the network), but I feel that "monitoring the status" of a student's computer is an unforgivable intrusion on their privacy. I work as a network technician for my small liberal arts college and we have yet to have our network go down. We employ VLANs to segregate computers: there is an on-campus VLAN, an off-campus VLAN, a staff VLAN, and a lockdown VLAN (and numerous other small VLANs for different departments). The lockdown VLAN is a VLAN where the computer doesn't even have permission to request an IP from the DHCP server. The result is that the computer cannot infect any other computers other than the computers in that building which are on lockdown, and those are already infected anyway. We have 7 student network technicians working 20 hours a week or less and we have yet to have our network go down due to a virus for more than a few minutes. Our gateway has dropped once or twice because of a veritable DoS from msblast when it first came out, but a few setting changes and we had it up and running in an hour or less. We've implemented a system that automatically detects infected computers and adds them to lockdown and creates a log of their IP and user if they are a registered computer. My suggestion to your college would be to find a better network solution to remove infected computers before they can infect others rather than invading the privacy of its users.
Red Hat is for people who hate Windows, FreeBSD is for people who love Unix.
www.putertech.net
Is it UCR perhaps? If so, my thoughts are that UCR has taken a blame-the-user approach to solving its problems. I contracted a little virus (did not realize the firewall was not on), and they disconnected me entirely for a good 3-4 days. There was no warning, no message telling me I had something; they did not even give me a chance to disinfect it myself. So here I am paying $40 a month for a line, having to wait 4 days without notice to get put back on during midterms. The people running the UCR networks are terrible policy makers. Here are some gripes: 1.) They use Packetshaper and have all traffic but HTTP set to low priority. This makes virtually all latency-critical applications behave like shit. 2.) 5-gig down and 2-gig up limit. Wtf, for a $40 line that cap should be a lot higher. I am sorry. The students are paying their fair share for their bandwidth. They are not to decide how we spend our leisure moments. Yes, we go to school... Yes, we work hard... And no, we don't need somebody to tell us how we are supposed to allot our time. I study, I play online videogames all the time, and I have a 3.8 GPA here. There is absolutely no reason they should be telling us how we are to use our bandwidth assuming what we are doing is illegal. When I got busted for piracy here, one thing the lawyer here I spoke with told me was that UCR has been under a lot of pressure from the BSA, RIAA, etc... A year after he told me that, the following year all these policies came into effect. They should only have bandwidth limits or caps. But they seriously need to get fucking rid of Packetshaper. I have one application that works right on here: Firefox! All of my other data has to be tunneled. What can I say, the people making the network policies at UCR are absolute idiots.
I make sequential backups to CD-R on any long-term project, just in case something happens.
Snowden and Manning are heroes.
It's hard talking about computers with those who support their platform with the vehemence of a holy warrior -- and that can apply to Windows, Apple and Linux users, although the latter two make a lot of noise -- and it's just as hard trying to explain why an IT policy like the one you describe is just.
But I say: good for your school.
If I was one of your students I would just be grateful that the policy is not "all computers must have this software installed", thus cutting off Linux (and possibly) Mac users. Plenty of places do assume that everyone uses Windows.
I work for a Liberal Arts college in NE Iowa (www.luther.edu) and we do something like this:
When a student plugs in their computer, Bradford Campus Manager does a quick sweep of their system and checks to see if they are vulnerable to a few specific viruses such as Blaster or Sasser. If they are, it throws them into a Quarantine VLAN and the only thing they can do is visit a pretty page that explains what the problem is in general terms (you are unpatched, you may have a virus, etc.) and to come to the Help Desk. There, we have an AutoClean CD which happily installs the necessary patches and, if they want to, Sophos Anti-Virus, which we offer to all the students for free.
The students don't have to install the patches. That's completely up to them. Likewise, we don't have to (and won't) let them onto the network. So far about 99% of students have complied. Returning students remember how our network was down for two weeks last year due to Blaster and I don't think many want to repeat that.
It's worked out pretty well and in a few months, I think we'll know how well it works.
On a side note, it's my personal favorite to listen to the students who say "But I'm paying $27,000 a year for this network!" Our response "No...you're paying $27,000 a year for an education." I weep for the future.
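Both the lockdown-VLAN post above (automatic detection of infected computers, lockdown, and a log of IP and user for registered machines) and this quarantine-VLAN post describe the same defensive loop: spot the worm-like host, move it to a segment where it can reach nothing, and record who it belongs to. The block below is an added example of that loop written for this page; it is not code from either campus or from Bradford Campus Manager. The flow-record format, the scan thresholds, the lockdown VLAN id and the MAC-to-user registration table are all constructed assumptions. The detection rule is the classic worm signature the posters' outbreaks (Blaster on TCP 135, Sasser on TCP 445) produced: one host contacting many distinct addresses on those ports inside a short window.

```python
"""Worm-scan detection over constructed flow records, with automatic lockdown
VLAN assignment and a per-detection log line. Added example, not any poster's
campus code; thresholds, VLAN id and registration data are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

WORM_PORTS = {135, 445}          # Blaster (135) and Sasser (445) targets
DISTINCT_DST_THRESHOLD = 20      # assumed: >20 distinct targets on a worm port ...
WINDOW_SECONDS = 60              # ... within 60 s is treated as scanning
LOCKDOWN_VLAN = 999              # assumed VLAN id of the no-DHCP lockdown segment

# Constructed registration table: MAC -> username. Unregistered hosts are absent.
REGISTERED = {"aa:bb:cc:00:00:23": "jdoe", "aa:bb:cc:00:00:10": "asmith"}


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<epoch> <src_ip> <src_mac> <dst_ip> <dst_port>'."""
    ts, src_ip, src_mac, dst_ip, dst_port = line.split()
    return Flow(int(ts), src_ip, src_mac.lower(), dst_ip, int(dst_port))


def detect_scanners(flows):
    """Return {src_ip: src_mac} for hosts exceeding DISTINCT_DST_THRESHOLD distinct
    destinations on a worm port inside a sliding WINDOW_SECONDS window."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip) still in window
    flagged = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst_port not in WORM_PORTS:
            continue
        q = recent[f.src_ip]
        q.append((f.ts, f.dst_ip))
        while q and f.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if len({dst for _, dst in q}) > DISTINCT_DST_THRESHOLD:
            flagged.setdefault(f.src_ip, f.src_mac)
    return flagged


def quarantine(flagged, registered=REGISTERED):
    """Build lockdown assignments plus one log line per host; the user field is
    filled only when the MAC is in the registration table."""
    assignments, log = {}, []
    for ip, mac in sorted(flagged.items()):
        user = registered.get(mac)
        assignments[ip] = {"mac": mac, "vlan": LOCKDOWN_VLAN, "user": user}
        who = f"user={user}" if user else "user=UNREGISTERED"
        log.append(f"LOCKDOWN ip={ip} mac={mac} vlan={LOCKDOWN_VLAN} {who}")
    return assignments, log


def build_sample_flows():
    """Constructed flow log: one normal host, one registered scanner, one
    unregistered scanner."""
    lines = []
    for i in range(5):  # normal host: web browsing plus two file-server connections
        lines.append(f"{1000 + i} 10.1.5.10 aa:bb:cc:00:00:10 93.184.216.{i} 80")
    lines.append("1005 10.1.5.10 aa:bb:cc:00:00:10 10.1.1.5 445")
    lines.append("1006 10.1.5.10 aa:bb:cc:00:00:10 10.1.1.6 445")
    for i in range(30):  # registered host sweeping 30 addresses on 135 in 30 s
        lines.append(f"{2000 + i} 10.1.5.23 aa:bb:cc:00:00:23 10.1.7.{i + 1} 135")
    for i in range(25):  # unregistered host sweeping 25 addresses on 445
        lines.append(f"{3000 + i} 10.1.5.77 aa:bb:cc:00:00:77 10.1.8.{i + 1} 445")
    return [parse_flow(line) for line in lines]


def run_demo():
    """Detect scanners in the constructed log and return (assignments, log)."""
    return quarantine(detect_scanners(build_sample_flows()))


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The sliding window is what keeps a file server's two legitimate SMB connections from tripping the rule while a sweep of consecutive addresses trips it within seconds; tuning the threshold against a campus's own baseline traffic is the part that decides how many false lockouts the help desk will see.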
Have you tried to teach an art major to use Linux? I'd almost want to give the art major the $2,000 just to shut it up.
- registration of MAC address tied with student ID, contingent upon:
- mandatory XP SP2, with Automatic Updates on and installing without prompting
- mandatory use of site-licensed Symantec Anti-Virus (in "unmanaged" mode)
- system initially scanned by staff and certified virus-free
Blaster hit us really hard last year; the network was essentially unusable for close to a week. Terminals in the library, students, everyone got infected. We're not using any kind of remote administration tools, and we don't really want that responsibility. But the majority of users simply aren't knowledgeable enough about security, patching, worms, and so on to leave the fate of the campus network in their hands. Capable users will still manage their computers as they see fit (which is realistically probably the biggest threat: overconfidence), but Joe Luser will have good defaults.
Several colleges in my region recently held a conference to deal exactly with the back-to-school Windows worm problem, and I was amazed that about half of them had the same approach as your institution: don't trust the user, consolidate your own administrative power, sacrifice a little liberty for a little security. Interestingly, these people also tended to be the most in bed with Microsoft. The other half seemed to be taking necessary precautions, but not overstepping their boundaries. My impression is that it's simply really easy to get burned out and cynical in this business.
Of course, as a user the way to avoid all this is to simply not use Windows. We're a primarily Mac campus, and Mac OS X users are only asked to keep Software Update checking weekly for updates. Anti-virus on OSX at this point is a bit like snake oil. And it goes without saying that Linux users are simply left alone. poster: if you don't like the draconian Windows security policy, use a secure OS!
(just teasing, your question seemed more philosophical than practical.)
Reminds me of my 1st year where I learned why living in residence sucks... the walls are paper thin, the food stinks and the internet sucks. Do what I did - get a real place off campus.
When you leave college you'll be using someone's computer at the office. Most companies don't let you connect your own gear to their office network, for obvious reasons.
... I can't begin to tell you how much hassle and how quickly these things spread if they get onto the network.
Any large campus network should place restrictions on what you can and cannot do; the good of the many outweighs the good of one.
To be honest, even on my home network I won't allow windows boxes to run wild. The price of admission here is a unix type machine.
In my office I look after the network (I'm really a coder, but got lumbered)
We force updates and scans every day.
Get over it, or get DSL / Cable. If you can't, then you made a bad choice, suck it up.
What will you do if the next boot takes a little longer than usual? You can't fight a rooted computer. All you can do is save your data, then wipe and reload.
Friends don't help friends install M$ junk.
I read that article (and the comments on the Slashdot page) and didn't see anything about a file containing "the name of every song and movie you've ever played". Maybe I missed it. Please point it out to me, or tell me where I can possibly find this file. I'm completely up to date with all patches, and have played things (no DRM'd files, though) in Windows Media Player, so the file should be there. I'm not questioning whether or not Microsoft would do something like this (I believe they most certainly would), but I need to see it with my own eyes.
From the BSDvault article, it seems to me that the updated EULA says that only Secure Content (DRM protected WMA/WMV files) could be blocked. I don't see why they would need to make a list of every file you've ever played to accomplish that. I think you're just (typically) stretching the story to the extreme. So, tell me where to find this file. The proof is in the pudding.
Hmm, looking at your posting history I am afraid I am being trolled like a motherfucker. If that is the case, I salute you! Also, if you were a real Linux zealot I think you would have been consistent with your spelling of Windows.
If you find this post offensive, don't read it! THINK ABOUT YOUR BREATHING! I am what I am because of how apes behave.
I may be white, but I'm no cracker!
Please go back to your crackhouse and continue to get your bitches pregnant so you can live off of welfare, you fucking nigger!
Of course one of the under-reported advantages of Linux is its incompatibility with most common viruses, spyware, DRM hijackers, etc. Not trying to be too much of a smart-ass, but this is one of those few times when having compatibility with 'popular' software is more of a boon.
Quack, quack.
You guys can bitch all you want, but the problem of having an entire ResNet filled with unpatched, virus/worm/trojan infected Windows boxes show up in the last week of August is very real. As is the problem of outbound traffic from compromised Windows machines consuming all the available bandwidth. The quarantine-until-proven-clean methodology is becoming fairly standard in the ResNet management circles, as is some sort of authenticated access control that ties a human being to a machine address.
The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.
Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
Well, it's the university's network, no matter if the government or the students' collective tuition helps pay for it.
Seems reasonable to require precautions on the part of anyone who wishes to connect to the network. To that end I figure they should provide at minimal cost an anti-virus and firewall package to help keep infections and intrusions to a minimum. But installing software which monitors the individual computers...I don't like that idea at all.
Seems like from there it's just a short hop to "We have to monitor your computers to make sure you don't have any MP3s or videos or (insert potential copyright violation here) so we can avoid lawsuits."
Maybe-and this is a big maybe-but MAYBE the universities should work a little harder to educate the students (say, a required class during freshman orientation?) on the importance of running a firewall and a/v software. Set up a live demo with a honeypot on stage, and show them how quickly it can happen. Sort of a digital "scared straight".
This sounds very very familiar to my locale. They do the exact same thing... what a coincidence.
My personal opinion: set up everyone's computer with virus checkers (any one will do), and MS Update and all that jazz. If students know more about computers, let them adjust them accordingly.
snowulf.com
Yes, you do want this. I just spent a year working a university help desk. The standard call went something like this:
Now, multiply that single call by however many non-CS students you have, then multiply that by the number of silly viruses and worms that will hit your campus next year. Then consider that if you're at a small school, the IT staff there is going to be small as well. Automatic pushing of updates is a lot cheaper than sending a tech out to every computer. You keep up to date because you're a CS major who has a clue. The rest of the campus does not.
As far as privacy... repeat after me: the university does not care how much goat porn you have on your computer. I was at a decent sized school (~30k students). We had a large IT staff plus a crapload of student employees, and we barely had time to do our own work, much less go snooping around students' computers... unless there was a complaint from someone, and most of the time that involved copyright infringement and student web pages.
I will note that we didn't get too many calls from CS majors. There was one, but that's a whole other story
Karma only matters to me now and zen.
At the University of Massachusetts in Amherst they disconnect your connection if they detect that your machine has a virus or any other form of malware.
It works quite well. You have to establish that your machine is clear, using the campus computer techs.
Just as most schools require a 'basic computer' course - so too, either as part of this course, or as another, there should be a class on basic principles of networking and securing computers - generic for most OS's (linux, OSX, Windows).
Before a student is allowed to connect - they must pass this course.
Once they are connected, the IT department should have the authority to then remove them from the network if the network user in question becomes a nuisance. Expulsion should be tied to grievous violations.
To ameliorate the effects of brain dead students - the network should be set up in smallish segments using switches in a star topology; this will allow you to take away the magic electrons from the ports of the marching morons on an individual basis; hubs are bad - if one becomes infected - they soon all will be.
DNS (WINS resolution) should be set up in such a way as to deny automated resolution of student computer names/addresses within the network. This won't stop students who are smart enough to put their buddy's address in their hosts/lmhosts file - but it will stop the majority of idiots. Disable windows authentication domains...everyone logs into their own computer, and you won't be doing remote administration anyway - you don't need that headache.
Default to disabling known nasty protocols - with the caveat that students can negotiate a legitimate need for ports to be opened up for their use.
Assign static IPs to allow fine grained filtering - to accommodate the variations in students. Some students will have everything turned on and can be fully trusted; conversely, others will barely have any services beyond email enabled. This requires work on your part; automate this functionality of your network, then delegate responsibility for maintaining it to your most responsible students. You would be amazed how fast people become experts at network administration when they are responsible for making it work for everyone. To add a little fat to the fire - if they are dragging their feet on a network affecting problem - shut down all access to the outside world until they resolve the issue. Once you get the people trained, you shouldn't have to lift a finger.
Email is another big hairball - I won't discuss; given a college/university environment, you will probably have to deal with a lot of spam. On the other hand, if your students and faculty are savvy enough, you could perhaps go to a public key authentication system (everything without a valid key gets bounced). This won't help your internet facing interface much; but will help your internal traffic volume to your mailservers.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Just let them do what ever they want, and let them think that they have you under control.
Let them patch & update the host O/S to their heart's content.
I have this same problem at work, except it's corporate control. Just install everything and do everything from within an uncontrolled VM.
I live off campus and don't deal with my school's silly network. My cable is just as fast as their (insert uber fast connection thingy here) split between 11000 people.
Bungo!
My school used a (relatively benign) version of collective punishment.
We had many smaller living units - fraternities, sororities, independent living groups, dorms. They used a policy where each living group had a network administrator, and if a computer on that living group's subnet was found with a virus or a vulnerable port (through active port scanning, etc.) they would notify the computer user and the net admin. Failing to correct the problem or take the computer off the network usually resulted in the entire living group's connection being dropped.
In my fraternity, this led to the offending individual getting the piss beat out of him, which was usually a pretty good incentive to fix (or beg someone else to fix) the problem.
I understand the need to balance out control; in my corporate situation, we do insist that anyone who wants to use their windows PC in the office must allow us to add it to the windows domain and have full administrative control, as well as use the corporate antivirus. In all cases so far, this is welcomed, but that's due to the users in question who really just want to do their work and take a bit of it home.. they are more than happy to let us manage it. Certainly, a university is a very different situation.
How about a situation like this: In order to use the network, there would be a custom authentication agent. Said agent makes sure your windows PC has the appropriate patches and virus updates, and if not, ASKS you if you would like to perform them in order to use the network. Presented the right way, this could work well... and still leaves control in the hands of the user.. balance is restored.
Before you scream about your rights, though, you have to realize the fact that a significant number of people do not keep their computers up to date, and that a few misbehaving, out of date, worm infected computers can cause large problems.. if they didn't, then sysadmins wouldn't be bothered with policies like this... we are control freaks, but we really would rather NOT have access to your personal computer.. managing that is YOUR problem, not ours... our power just comes from unplugging you from the rest of our beloved networks.
Iowa State has a pretty simple system for these types of things. At the beginning of the year you must register your MAC address with your university email. Then every once in a while they scan the entire network for ports that are open that shouldn't be, or just large amounts of activity on ports of worms and the such. If your MAC address is found to have a worm you are sent an email to clean it. In X number of hours they rescan your machine to see if you took care of the problem yourself. If you didn't they cut off all access besides their webpage and the university email servers. Once you take care of it you shoot them an email, they recheck you, and restore your access. (Great way to piss off your roommate: clone his MAC onto an infected machine.) As far as the role of the student goes I think this is an awesome system. There isn't any sort of software from them running on my machine, and it's not like I'm getting scanned any more than I would while I am sitting at home on my cable line. From the aspect of the admins though I'm sure this sucks. I'm not sure how much of the process is automated. I know for a fact though that the unblocking process is manual. But hey, it works pretty well.
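The scan-then-notify process in the post above (watch for a MAC hammering worm ports across many hosts, then look the MAC up in the registration list) reduces to a small piece of logic that is worth seeing in code. The following is an added example, not code from the post or from any university IT department: the flow records, the MAC registry, the port list and the fan-out threshold are all constructed for the demo. It keys detection on the source MAC, which is exactly why the roommate-MAC-cloning trick the poster mentions attributes the infection to whoever registered that MAC.

```python
"""Flow-based worm/scan detector keyed by MAC address (added example)."""
from collections import defaultdict

# Ports the RPC/SMB worms of the period probed; assumed list for the demo.
WORM_PORTS = {135, 445}

# Constructed "who registered this MAC" table (MAC -> university email).
REGISTRY = {
    "00:11:22:33:44:55": "student1@example.edu",
    "00:11:22:33:44:66": "student2@example.edu",
}


def make_flows():
    """Build constructed flow records: (t_seconds, src_mac, dst_ip, dst_port)."""
    flows = []
    # Infected host: sweeps 40 distinct hosts on 445 within 20 seconds.
    for i in range(40):
        flows.append((i * 0.5, "00:11:22:33:44:55", f"10.0.1.{i + 1}", 445))
    # Healthy host: web browsing plus three legitimate SMB connections.
    for i in range(10):
        flows.append((i * 3.0, "00:11:22:33:44:66", f"93.184.216.{i + 1}", 80))
    for i in range(3):
        flows.append((i * 5.0, "00:11:22:33:44:66", f"10.0.2.{i + 1}", 445))
    # Unregistered MAC doing a sweep on 135: still flagged, but nobody to mail.
    for i in range(25):
        flows.append((100 + i, "de:ad:be:ef:00:01", f"10.0.3.{i + 1}", 135))
    return flows


def detect(flows, window_s=60, fanout_threshold=20):
    """Return {src_mac: peak_fanout} for MACs that contacted at least
    fanout_threshold distinct hosts on WORM_PORTS inside any window_s-second
    sliding window.  Fan-out, not byte count, is what separates a worm sweep
    from a handful of legitimate file-share connections."""
    by_mac = defaultdict(list)
    for t, mac, dst_ip, port in flows:
        if port in WORM_PORTS:
            by_mac[mac].append((t, dst_ip))

    flagged = {}
    for mac, events in by_mac.items():
        events.sort()
        seen = defaultdict(int)  # dst_ip -> number of events inside the window
        start, best = 0, 0
        for t, dst in events:
            seen[dst] += 1
            # Evict events that fell out of the window, dropping hosts whose
            # last event in the window is gone.
            while t - events[start][0] > window_s:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= fanout_threshold:
            flagged[mac] = best
    return flagged


def notifications(flagged, registry):
    """Map each flagged MAC to the registered owner's address, or None if the
    MAC was never registered (that host gets cut off without an email)."""
    return {mac: registry.get(mac) for mac in flagged}


if __name__ == "__main__":
    hits = detect(make_flows())
    for mac, owner in notifications(hits, REGISTRY).items():
        print(f"{mac}: fan-out {hits[mac]}, notify {owner or '<unregistered>'}")
```

Tuning matters: the threshold has to sit above what a legitimately busy host does (the healthy host here touches three shares) but below a worm's sweep rate; in practice you also whitelist the scanner's own MAC, since it looks exactly like a worm to this logic.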
We've got a very good network here at Baylor. I work for our Information Technology Services (ITS). We handle the staff and faculty computers. Our policy is to yank the connection of a malicious PC as soon as it is detected. Once that happens we simply wait for the user to call and say "my intarweb is gone"; then our help line looks up the user's information and says "oh, according to our records you have virus X" and then we walk them through cleaning the virus if it can be done by a virus scan alone. If it cannot, we send out a tech from our software department. Once the PC is clean someone from my group is sent out to reactivate the line. However our ResNet is a different story. We are technically two separate entities and they make their own policy to deal with problems. As far as I know each incoming student who lives on campus is given a CD. This CD installs NetAuth, which is our firewall authentication program to allow students access to the internet. It also installs NAV. The responsibility of updating NAV is placed upon the student. We are also constantly scanning our ResNet network for open Windows shares or computers that have no password on the administrative account. If one is found the student is contacted and helped through the problem. You have to work pretty hard to get your ResNet connection yanked. When I was a freshman my friend got his yanked because he DoSed the University's servers in retaliation to a Windows share scan (not a smart move on his part). As far as I know we also do not route very many ports between our ResNet network and the rest of the university network. But I guess you could say we're not as invasive as some Universities.
See Sig! See Sig Zig! Zig Sig Zig!!!!!
as a CS student at what seems to be the same liberal arts college as the original poster (cough,cough,swarthmore), i must stand up for the values of all liberal arts colleges attacked above.
there is a specter haunting slashdot, the specter of pragmatism
pragmatism has already been realized by this guy above as a major power in academia, intelligentsia, liberals, commies, pinkos, and everyone in between (the whole world)
we hippie geeks are strongly pragmatist and dare to speak up for experimental knowledge
a naturalistic/empiricist outlook (ie i learn from experience that i have no soul) leads to the conclusion that the abstract is built from the specific (even plato the king of the abstract admitted that it was shaped in the phaedrus and the meno)
engaged experience shapes one's knowledge, habits, personality, etc. dialectically
dewey's model of experimental knowledge encourages change in individuals, groups, and institutions (dewey, who better to speak for dialectical materialism, pragmatism, liberalism, and liberal arts?)
my lack of concrete beliefs makes it easy to tolerate ITS policies (aside from the fact that they don't care about linux machines)
I say f*ck no. Not only because
a) colleges are supposed to support free speech
and
b) colleges are supposed to treat their students as citizens of society.
but because colleges are places of higher learning, and not supposed to care about what you think or do with said learning. they should just provide you with the services that they charge you for (as i recall, $40,000 a year is a little steep, and should at least provide a decent isp)...and let you do with that what you will..
dude, harvard had the fuckin unabomber... nobody is going to do worse than that.
deal. motherfuckers.
p.s. i r teh durnk.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
I work for the University of Hawaii's ITS department. Our network security is ensured by studying traffic at every switch on campus. Each switch (and router) is capable of detecting suspicious activity ranging from high traffic and port scanning to traffic on common virus and filesharing ports. Any questionable activity is forwarded to our networking center, where further analysis can determine the exact nature of the threat, even down to the name of the file you are transferring through bittorrent, for example. The main server then decides whether or not to block the machine, which it can do by MAC, IP, and even netbios name. The blocked users must then have an ITS staff member clean their system before they are re-enabled. As a whole, I think our system is far less intrusive, more effective, and harder to defeat than the system your college is proposing.
People in management can get very bright; you just need to burn them at a higher temperature until they glow a nice, pretty blue.
:)
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
It is obvious to me, young sir, that you know nothing on the subject about which you have chosen to raise the noise pollution level.
I am one of those "IT bureaucrats" of which you speak. I administer Unix and Linux systems at a University with approximately 2500 faculty, 2500 staff and 25000 students.
I probably wrote my first computer program before you were born. I can code in assembler for a couple of processors that are no longer even manufactured and I remember when an IBM 24 inch disk pack held a whole 10 megabytes per platter.
It is my experience that faculty and students in the disciplines you named are so focussed on their research projects that they are completely clueless on any other subject and they don't want to invest the time it takes to BUY a clue in learning anything outside their personal research topics.
At the university where I work we DO have some profs and students who maintain their own (n*x) systems. Two to three times a semester one of the three Unix admins have to go do a forensic study on one of these non-maintained systems because the prof, or his student admin, didn't keep his system up to date and his box got rooted. During the three-plus years I have been at the university we have had exactly two professionally-maintained n*x boxes hacked.
In the days when faculty and students were the primary administrators of computer systems there was no public internet (it was still a closed network), and a major research university might have had fifty computers on campus and all connections to the internet were dial-up. The internet was a friendly collegial environment where it was possible to trust all of the other users because you were personally acquainted with ninety percent of them. The Morris Worm changed all of that.
In contrast, the campus where I work has some 300 megabits/second of bandwidth directly to the backbone and the College of Engineering's computer lab has some 200 Windows boxes, approximately 50 Unix workstations and a Beowulf cluster. IIRC, the entire campus has some 8000 administerable computer systems ranging from PCs to Origin 3000s and Sun E10Ks and a couple of multi-hundred-node Beowulfs. Even if they were competent to manage systems of that nature, faculty and students do not have the time to cope with computers at that pervasive a level.
If the rules we are required to enforce "cramp your style" try complaining to the President of the university or the Dean of the college you are connected with. They are the ones who SET the policies.
utter rubbish
my college has a rather interesting way of monitoring our computers. They don't see what we're doing exactly, unless it starts to disrupt the campus network. This is how they turn off all the ports of Windoze machines that get infected by the newest worm that appears (although, it seems the infections have reduced...mainly thanks to no incoming connections allowed outside of our campus' intranet). Anyway, they'll turn off your port for violating their TOS (which is pure BS in my opinion, and about 90% of the campus, including professors).
And copyright violations, oh boy. Our campus has a packet filter installed to prevent us from using Bittorrent, Kazaa, insert your p2p client here. Then again this also prevents many files from being downloaded at full speed (many are throttled to 1k/sec!).
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
In my experience, the suckiness of the Internet connection is almost directly related to the competence of your university's CAC (Computing and Communications) department.
If they allow non-Windows PCs to connect without that invasive software, then set up one Linux PC that directly connects into their network. If you can do everything you need in Linux, you can stop there.
However if your academic work requires Windows software such as Excel or Visual Basic, you then proceed to set up a Windows PC that connects to your Linux PC which serves as a router. As far as the university is concerned, all they see is a Linux PC connected.
Yes, I know college students are usually strapped for cash which could make having 2 PCs unaffordable. But if the Linux PC is used just as a router, they can use any throwaway 200MHz machine for that purpose, probably even getting one for free from the University itself.
---------
There is inferior bacteria on the interior of your posterior.
In most business or campus environments there are going to be several IT people with administrator access for every computer on campus. Thanks to administrative shares, this creates a single point of failure. And I've never really heard of any widespread problems arising from this.
The issue is the University having so much control over computers that aren't theirs. You won't see this approach used much since it gives the IT dept. a lot more responsibility than it wants. And unlike with machines that IT maintains fully, changes they make will have many more unintended consequences.
The right way to do it is to hand out the virus updates, and encourage folks to enable Windows Firewall and automatic updates. And then quickly disable ports that receive viruses. Which might mean disabling hundreds at a time (like with Sasser) but that's what you gotta do. At my school our Internet was out for a few days due to Blaster; Sasser wasn't much of a problem since IT knew how to handle it by disabling ports.
Well, one more reason to use Linux I guess.
When I was an undergrad, I copied an IP address from MacTCP on one of the lab machines onto my PowerBook 140.
After this, I could plug my PowerBook into any LocalTalk port on campus. Nobody really worried about filtering, nobody really even cared that I was stealing a lab IP address. The lab guys didn't really even notice that I was walking in, yanking the cable out of one of their computers, and plugging into mine.
I'd hate to be going to school these days.
1.block ports used by viruses (RPC and whatever) both at external firewalls and inside the network (e.g. at internal links between subnets etc)
2.scan for viruses/malware and force those running that stuff onto restricted subnets until they clean their system.
3.don't force use of any software. Forcing the use of a specific program (e.g. "you have to use mcafee because we say so") is bad. If they choose not to run an anti-virus program or to run one that doesn't work, it's their fault when they get locked off the network (see point 2)
4.Give out free easy-to-use CDs containing a complete set of updates for windows (make one for each windows version) as well as whatever other useful cleanup tools are deemed important (removers for various worms/virii, spyware removal tools and so on). If the campus has a site licence for an anti-virus program, make this available the same way (again, don't force people to use it but tell people that they should use it since it's there and it's free)
5.Scan all mail with a mailserver virus checker installed on all campus mailservers. Given that most college students will either use a free email provider like hotmail or yahoo (which has virus checking) or the student mail on campus (which will have virus checking), it should stop most email viruses. Should some get past somehow, they will (hopefully) be blocked by the blocking in point 1 and/or caught by the checks in point 2. Banning outlook would also help but would probably be VERY unpopular (and also how do you check without being invasive?)
and 6.educate users and tell them why keeping their system up-to-date and why running a virus checker and why doing the other things for security are important. Put this into the student welcome packs (the same place where all the other "new student" information goes, like stuff about not having loud music and stuff)
By blocking ports used by viruses, quarantining infected machines, scanning email for viruses and making good cleanup tools and patches available at no charge, you should be able to catch most viruses, worms, trojans and nasties without being invasive.
Also, if you include tools like lavasoft ad-aware and spybot in the cleanup tools, block spyware at firewalls (e.g. block ports used by spyware to "phone home" or whatever) and educate users about spyware, you can clean up that problem as well.
kick 'em off the network. That's what the network guys at my school did, and within a week, we were essentially Blaster-free. They distributed CDs with fixes for the worms, as well as instructions to turn ICF on. A week later they started banning anyone trying to remotely reach RPC ports. Worked like a charm. People think "oh, I don't have a virus, I don't need to patch." Kick em off, it'll learn em.
I mod down pyramid schemes in sigs.
I know, you might think I'm a grammar nazi but get it straight. The plural of virus is viruses, not virii or viri. You can look it up on Google.
The AUP disallows all servers. Students aren't even allowed an Ethernet switch or network hub in their dorm room. One computer per outlet, one outlet per student, enforced by MAC address.
whether this is your PC or not. Granted, life would suck when it comes to communicating & researching things for class(es). And it sucks to be you when it comes to your PC working when you leave for class then return and find it's hosed. Later, you find some squidlicker who works for the campus computing center foobar'd a bunch of PCs (even one is bad enough) and didn't provide a notice in advance, let alone one afterwards.
Based upon the geek::student ratio, they should[1] try making the odds against them as small as possible. Even a relatively small school would be kept perpetually busy because of the challenge to keep all of the PCs running.
Perhaps they could insist everyone submit their machine to a Ghost CD and anything you do after that is at your own risk? - and any other problems means the Ghost CD [again]?
If there is a centralized update... then there is a centralized point of failure.
From the sound of it, the college described, before the "let the school remotely update your system" method... a malicious user would need to use normal worms and such to spread to various machines.
With a centralized system, that same user would only need to plant trojans on the centralized server's update set to have that trojan updated to every users' desktop, notebook, home system.
This can be used to DDOS, wipe systems right before the midterm/final projects, or steal personal information from students.
Such a system has its place, but not in a school environment where the users who are pushing the boundaries of security are not the ones at the helm of security for the school.
The school would be better served to have each network section isolated from each other, allowing only secured ports. This would prevent most of the normal worms and virii from spreading.
One such setup has the switch/router detect when a particular network port/segment is carrying traffic which is considered malicious. Once detected, the port is blocked or the particular MAC address and IP address are blocked. This effectively cuts off computers which are infected and trying to spread.
If the user is innocent and goes to the desk for help about why their network connection went away, THEN they can attempt to scan the system for virii and clean the system.
You limit the spread of the virii/worm/etc.
You limit the amount of software installation/checking only to systems flagged as potentially bad.
This would work to support any platform, just have the right port numbers and protocols entered into your switch/router/firewall as a recipe/rule.
Then, it wouldn't matter if the machine was windows, mac, Linux, etc. You would be able to support the blocking of attacks across the entire campus. Through this means, you would also be able to block P2P software as well as identify who is using P2P.
The downside is the cost of the switches and routers. However, the cost savings in labour and support for custom update software and the potential cost of the central update server being compromised more than pays for the more expensive switch hardware.
Winged Power Photography
I think it's a great way to demonstrate how irresponsible it is to run MS Windows at all!!
Jedis are stupid. If they were so powerful, why couldn't they handle counseling for a kid who missed his mom?
not any more. because the students will all have their own computers, there's no need to provide general use labs! at least, not at any reasonable capacity. shift that cost awaaaaay.
No. nobody here is anal enough to care; and let's keep it that way :)
You sound like you went to school where the department was run by crappy CS profs. I got my undergraduate degree at a liberal arts college and 99% of my Computer Science experience there was gained while using Linux (and even a bit of Solaris my first year) systems. We all knew BSDs, open source alternative software, and more. Many of us used it daily; some developed and tested for the open source community. Windows was pretty much shunned by all but one prof. Even the necessary evil of connecting to the IT Windows systems was considered highly undesirable.
In reference to the topic at hand, I have to say this University is taking the wrong course of action. My school took the "lock the port" approach. Quite simply, if they could tell your computer was infected and you weren't doing jack to fix it, you lost your internet. Didn't like it? Well fix it. Otherwise you're gonna be going to another dorm room to try to hook up (and remember, your roommate isn't gonna like you either, cause you cost both of you an internet connection).
PS to grandparent of this message - The author states he/she is a CS student; the author never states the CS department is the head of this action (I'm strongly willing to believe it is not).
It comes down to this: the university needs to protect its network. If a student is using that network, the university ought to be able to monitor for illegal downloads just as much as they should protect the accessibility of transcript or payroll data. The actions are different, monitoring bits vs maintaining a secure system, but their end is the same. Does capability to block spyware compromise a student's privacy?? fw
The school and college network is permanently infested with viruses. The technicians blame it on students infecting the computer with infected disks. So to 'counteract' this they decided to prevent all disk access except through them. This would have worked well if the viruses weren't actually coming from the internet through the technicians' computers, this was because of their overuse of p2p networks. I remember at one point I was getting about 30 emails a day containing sobig in my mailbox, this lasted for about 2 months as each computer was periodically hit.
I had an imaginary sig once, he said I was a loser and ran off.
Invasion of privacy? ... Yes. However in this day and age when the "average joe/jane" prefers to not stand up for his/her rights others are somewhat painted into a corner. And as the famous Bugs Bunny said "If you can't beat them, join them"
And here's how I do it. I have three spots I can toss a headless server running linux in a basement. (My Dad's basement - Cable, My Mother's basement - Cable, and My Grandmother's basement - DSL) Most ISPs don't block or legally restrict port 22 for SSH access. So I set up some secure Linux boxes all with SSH and X tunneling. I toss PuTTY [www.chiark.greenend.org.uk] and TightVNC [www.tightvnc.com] on my Wrist Watch [www.thinkgeek.com] and I'm all set to abide by their arcane rules and yet all MY stuff is safe, secure and packaged away on secure Linux boxes and many layers of encryption. They can't legally invade that.
As for a Desktop; I would suggest an alternate OS. In the past 4 years I have been able to live without a windows based machine (Yeah I fix them all the time) but I personally never had the need for one (Except some games which I quickly satisfy using a PS2, Thanks to WA, Windows Anonymous)
Yes, I carry a handgun for those few ISP's that block port 22 (That would be a joke!)
> SELECT * FROM brain_cells WHERE synaptic_rate > 0
0 row returned
The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
--- www.f-theocean.com
It is not a right to get high speed internet access through your university. If you have a problem with the connectivity offering, you shouldn't connect.
Another thing to realize is that the IT departments at Colleges and Universities (especially liberal arts colleges) are dealing with a population of students, professors, and staff that are generally computer illiterate. I can say this because I was in the help desk at my college, and people needed help with the most basic functionality of their computer. I would often think to myself: These are some of the brightest people in the world (nobel laureates would come in with basic computer problems) and they don't know the difference between a disk drive and a CD. Eventually, it dawned on me that I shouldn't take even the most basic computer knowledge for granted.
It makes complete sense for a college IT department to require this amount of control over the computers that connect to their network. Remember, using the network is a privilege not a right. This level of control is done for a very good reason. It makes it better for everyone to raise the bar. I'd rather my tuition go to the education departments than be wasted on removing every new worm and trojan that comes in... Especially because as a help desk worker, I was being paid $10 per hour (best student job on campus) to disinfect people's computers.
I go to Gatech, and they make you register your MAC address with them to get online. After that, you do whatever. If your computer starts spitting out viruses and shit, they turn off the physical port you are plugged into and your MAC address for an hour or so and send a ResNet guy to your room with a CD of updated everything. If he fixes it before the hour is over, he calls and your port and MAC address are allowed back on. During move-in last August, one entire dorm was just physically turned off. Every port was turned off, ResNet went to each room, and as each room was cleared, their ports were turned back on. Very efficient, slight down time, no spyware/big brother ware.
Now did you really have to ask? :-)
Remote control software will break applications or reboot computers in the middle of important coursework, like a rendering program that has been running for the last several weeks. Universities tend to hire students to do or assist system administration. The latter may not act fully mature and install something other than antivirus software to, say, investigate the personal life of a potential date.
The university should swallow the bitter pill and distribute optional CDs that contain anti-virus software, windows update configuration wizard and some cool program to encourage use. With all the automated updates coming from accountable companies rather than a TA. Cable/DSL providers have managed to get by without even that.
you're replying to your own posts (with the same account...) with a "PARENT NOT OFFTOPIC!"
i bet you're the kind of guy who sends flowers to himself to make your girlfriend jealous. heh, what am I saying? girlfriend?
Why is it that all new technology becomes a god-given right?
You're connecting to their network (I assume we're talking direct connection via the dorms and not over the Internet). They have the right to control machines hard connected to their network from a security standpoint. Can't argue that.
Now, if the software can also scan your system (it is YOUR system, right, not one the college is giving you access to?) and report what you have installed or files you have (such as MP3's for the fucking RIAA), then you have a legitimate complaint.
Now if you're connecting to them via the Internet, that's a different story. They have the right to refuse your connection unless you're using AV, firewall, etc., but not to put software on your private machine at home.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
You want a technical answer but I think the ethical one is overriding here: I just don't believe networks should be run in this fashion.
First, it's totally insane to require Microshite Windoze. It speaks of the cerebral poverty of the faculty at many an institution where these supposed gifted people can barely save a document in Microsoft Word and then require everyone else do the same.
Second, any open standard should do just as well, and yet - and do I smell graft here? - Microsoft are in there, Dell are in there, IBM are sometimes in there, and demands are made that students get a computer of a definite make, model, configuration, etc - just to qualify for enrolment. If this isn't lobbying and bribery, I don't know what is.
Finally, if you want to connect to a network, then you should be able to prove you're malware-free. I don't have the technical details on this, but forcibly downloading junk on students' computers is just wrong.
It's pretty common for wifi networks to require authentication before access; in the case of ResNet, applying the same principle could solve this problem. The network would have to be tightly monitored for virus/worm/windows-like behavior, but if discovered, that user/ethernet/port/mac address (however you implement the authorization) would be axed from the network. Then make the process to get reconnected arduous and painful. Word will get around quickly: be nice to the geek on your floor, get him to "fix" your computer regularly.
I just don't get what the fuss is all about.
IANAL but write like a drunk one.
Wouldn't it be dangerous if the software they use to monitor you and patch your computer had a serious bug? I suppose you need administrator access to your computer to patch it ... ...
Of course you are on an internal network
Here's a good way to prevent the virus from spreading through your whole network should one of your Windows PCs get compromised. We do this at all our clients, and we haven't had any trouble for a long time.
Install a personal firewall that allows you to define rules. They often come with antivirus packages (www.bitdefender.com has a nice one). Specify the following rules, in this order:
1. allow all outbound traffic on port 25 to your smtp server(s). If your firewall allows, and if everybody is using the same e-mail client, you can restrict it to that e-mail client.
2. Block all outbound traffic on port 25
3. Block all incoming traffic (unless there's some service running on this particular PC, but that's seldom the case for office PCs)
4. Allow all outgoing traffic.
The beauty of this is that if a Windows PC gets infected with a virus/worm that uses its own smtp engine to send itself out, it won't be able to, so that infection is contained. Unless the virus/worm has the presence of mind to check your outlook settings and use your smtp settings - I haven't found one that does though.
Your clients will be able to surf/im/e-mail etc. without any trouble, and worms that come around looking for open ports won't find any.
sigaar
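As an added example (my code, not the poster's configuration): a first-match model of the four rules above in Python, showing why the order matters and what the optional per-application restriction on rule 1 buys. The relay addresses and process names are constructed placeholders.

```python
# Added example, not the poster's real configuration: a first-match model of
# the four personal-firewall rules above. Addresses and process names below
# are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

SMTP_SERVERS = frozenset({"10.0.0.25", "10.0.0.26"})  # assumed campus SMTP relays
MAIL_CLIENT = "outlook.exe"                            # assumed mail client


@dataclass(frozen=True)
class Conn:
    direction: str          # "out" or "in"
    dst_ip: str
    dst_port: int
    process: str = "any"    # process name on the local PC


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "block"
    direction: Optional[str] = None     # None = matches anything
    dst_port: Optional[int] = None
    dst_ips: Optional[frozenset] = None
    process: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.dst_port is None or self.dst_port == c.dst_port)
                and (self.dst_ips is None or c.dst_ip in self.dst_ips)
                and (self.process is None or self.process == c.process))


# The poster's four rules, in the order given, with the optional
# per-application restriction on rule 1.
POLICY = [
    Rule("1 mail client to campus SMTP", "allow", "out", 25, SMTP_SERVERS, MAIL_CLIENT),
    Rule("2 block all other outbound SMTP", "block", "out", 25),
    Rule("3 block all inbound", "block", "in"),
    Rule("4 allow all other outbound", "allow", "out"),
]

# Rule 1 without the per-application check (the "if your firewall allows"
# caveat): a worm that reads the mail client's SMTP settings gets through.
POLICY_NO_APP_CHECK = [Rule("1 any app to campus SMTP", "allow", "out", 25, SMTP_SERVERS)] + POLICY[1:]

# Rule 4 moved above rule 2: every outbound SMTP connection now matches
# "allow all outbound" first, so the containment is gone.
POLICY_MISORDERED = [POLICY[0], POLICY[3], POLICY[1], POLICY[2]]


def decide(conn: Conn, policy=POLICY, default="block") -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action
    return default


def example_decisions(policy=POLICY) -> dict:
    """Decisions for a few constructed connections under the given policy."""
    cases = {
        "mail client to campus SMTP": Conn("out", "10.0.0.25", 25, MAIL_CLIENT),
        "worm SMTP engine to external MX": Conn("out", "203.0.113.7", 25, "worm.exe"),
        "worm SMTP engine via campus relay": Conn("out", "10.0.0.25", 25, "worm.exe"),
        "inbound probe on 445": Conn("in", "192.168.1.10", 445),
        "browser to web server": Conn("out", "203.0.113.80", 80, "iexplore.exe"),
    }
    return {name: decide(conn, policy) for name, conn in cases.items()}


if __name__ == "__main__":
    for label, policy in [("as posted", POLICY), ("no app check", POLICY_NO_APP_CHECK),
                          ("misordered", POLICY_MISORDERED)]:
        print(f"--- {label}")
        for name, verdict in example_decisions(policy).items():
            print(f"{verdict:5}  {name}")
```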
Pretty simple at Swinburne (down right now for a major machine room upgrade of the electricity supply and UPS). The switch automatically detects the presence of a virus infected computer, and shuts off the port. The luser then has to go and inform ITS, and when they can prove that the machine is clean, the port is reconnected. Easy peasy.
We're building something called the twilight zone at my school, a VLAN dedicated to infested machines. If our automated scanners detect that a machine is being a pest, it gets thrown in this VLAN with all the other pesky PCs. The VLAN, of course, has all internet sites redirected to a "help yourself" page on the local servers to indicate what has happened to your machine.
I personally think this is a really neat idea.
"portscan their dorm"
and what, exactly, is wrong with portscanning?
...Isn't that how the internet was navigated, pre-gopher?
My university doesn't seem to want us portscanning either...will someone please explain why this is in any way a big deal? (without using the excuse "windows has security holes and if you see security holes you MIGHT use them to crack into the system" ) It's not as if there's a limited amount of bandwidth on that level...
trading mp3s...movies...i can understand giving people shit for that, but portscanning? how else are you supposed to navigate the internet????
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
I see that Wheaton does allow using Linux or Mac OS 9 or later. As a Linux user I am glad to hear that they do allow operating systems other than Windows. It's not like I actually plan to go back to college full time. But, for the sake of students there, I hope that they will continue to allow using Linux or Macintosh. With or without the latest security updates, worm and virus problems are quite rare for most operating systems other than Windows. Here is the link to the operating systems that Wheaton allows:
Computer systems supported by ResNet
I use Linux most of the time and only rarely use the Windows XP that is also on my computer. With both Linux and Windows I keep the security patches and virus signatures up to date. I even go so far as to use the Clam antivirus scanner for Linux and update the virus signatures regularly. I do that despite the fact that there are only a handful of Linux viruses in existence and none of those are circulating aggressively in the wild. I do not know of a single Linux user who has ever been infected with a Linux virus or worm. I also use a firewall with both Linux and Windows. Of course, Linux comes with the free iptables firewall. The point is that my copy of Linux would be unlikely to be a worm/virus infested problem on their network. For Linux using students, even clicking on the wrong attachment does not lead to becoming infected.
I am not very religious, but I do not object to a private Christian college trying to block pornography and other objectionable material. If that bothers someone they could always go to a different college or access whatever they want after they graduate.
Install Linux, you will have more control of your computer. :-)
Which is worse: the absolute certainty that someone will bring a worm-infested PC onto the campus network, or the small likelihood that someone will hack the server that performs these updates? If these network administrators are competent, they are already considering the possibility of hacking and will be logging any attempts to hack that server.
I agree with other posters. If the students weren't running Windows in the first place, it wouldn't be an issue. It also wouldn't be an issue if students had done what they were supposed to do under the first policy.
In a corporate environment no justification is needed. The company is protecting their resources and thus can do whatever they deem necessary.
When I went to college (grad in 97) it was a free-for-all. Something akin to the wild west. A half way intelligent person could gather clear text passwords (it is fun using other people's accounts) and it was better than Kazaa for grabbing progs off of people's file shares.
My university had a great collection of pr0n newsgroups - in the interest of research of course!!
My f**kin 'i' key is broken so...
Personally, I think the rule is simple.
Whoever paid for the computer is the only one who is allowed to install software on it. So unless the University paid for the machine, their fingers aren't allowed on the keyboard (even virtually).
Scanning the machine for vulnerabilities, or turning off the network port due to outbound virus/worm/spam traffic, OTOH, is within their purview as the owner of the network. MAC-address blocking is also a good idea for cases where you can't control the port (e.g. wireless) or if you think the machine will simply be moved to another port on the network. (MAC-address blocking, while not perfect, at least raises the bar. In fact, if the user changes the MAC address, it can be grounds for discipline. Moving a system to a different network port can be defended as "I wasn't sure if the cable/port was working". Changing the MAC is less likely to occur to an end-user.)
A smart university would also set up a computer repair shop on campus utilizing interns paid minimum wage. That way, there's someplace affordable for the virus-infested masses to take their machines, while not completely eliminating the lesson to be learned that letting your machine get infected costs money.
University networks need to get smarter and stop treating desktop/laptop machines as "trusted".
Wolde you bothe eate your cake, and have your cake?
Nice simple question. Who provides the network? If it is the college, then they have a right, and perhaps a duty, to protect their infrastructure. If you disagree with their monitoring policy, don't jack in. As long as the college makes you aware of what they choose to monitor using their equipment, I cannot see a problem.
This might be seen as a troll, but if someone lets a virus loose on the network I look after, I do not care who they are, I will do my utmost to look after the "common good".
A sig is placed here
To display how futile
English Haiku is
Whatever you do, don't persecute the Linux or Mac OS users because they can't install whatever Windows only software you end up going for. It's the Windows users 99.99999% of the time that cause the problem.
No offense intended, senior sir. Of course there are a few exceptions to every rule, like the sendmail expert, the TCP/IP expert, etc, but these gurus are the insignificant minority and are not the top-brass guys who decide and determine campus-wide policies. The top IT brass are the suit&tie guys, the money-getters, the CIS/MIS/wannabe-business-majors-who-couldn't-cut-it, the (MS)Window-generation, instructed in the fine art of GUI Zero-Administration philosophy.
Just create a Linux NAT box and keep your Windows machines behind it. That way you are not required to have the software but you can still use Windows freely.
LK
Art by Mindy Herman, my wife.
If one of the computers on a network has a worm and is trying to send it out to the other computers on the network, how can I monitor this?
The college I work at used to just block machines, but now is moving to a software CD very similar to what the original poster mentioned.
There are several reasons for this. First of all, if you are just blocking infected machines, that means that those machines are infected (obviously) and you have to spend time walking the student through cleaning up their machine. Secondly, even if there is only a short period of time between when a machine is infected and shut down, a ton of other machines can get infected in that time. Welchia and Blaster were specifically written to look for machines with IPs near the host machine, so it can spread quickly. Our hope is that by having machines that are patched and up to date, we don't have machines getting infected in the first place.
The second reason for the software is authentication - if we know who is using an infected machine, or one that is not getting updates for whatever reason, it's much easier to locate them and inform them of it. That can be good for the student - they don't have to wait to realize they don't have internet, try to track down the problem, and then call tech support - instead, tech support calls them.
I have blog like everyone else
I work in IT at a school like the small liberal arts institution you describe. In this environment, dealing with privacy and freedom versus security is a real juggling act. Centralizing is much like the old Sam Clemens line of, "Put your eggs in one basket and then watch that basket very carefully." Our school also mandates the installation of antivirus software before you connect to the LAN. This doesn't seem like much of a hassle for the user. What disturbs me is the software that "monitors the status of the student's computer". The student's computer is theirs and the school has no right to monitor it! The school does have the right to install software on the LAN that monitors malicious activity...we know if you're spreading a virus, but checking for contents on your computer is intrusive.
> 'one step foreword, two steps backward,'
A foreword is an introductory note to a book, generally written by someone other than the author -- hence "fore" and "word". If you're talking about a direction, the word is "forward."
In general the solution you're looking for is called an "Intrusion Detection System" (or IDS for short). They are designed mostly to identify and prevent threats from the outside going in, but they can be equally effective in identifying/preventing internal network threats. There are many commercial ($$$) and free ones - one popular open source one is called Snort. I've never used it myself, but I'm told that it uses basic pattern-matching to classify threats, and that these patterns are generally available quite quickly for new threats from Snort newsgroups and mailing lists.
Otherwise, if you have servers on the same network segment as the infected systems, your servers should be running some sort of anti-virus/worm solution, which should be able to tell you exactly what address is attempting to send the server a worm.
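An added example, written for this thread and not taken from Snort or any product: a small Python fan-out detector over constructed flow-log lines that flags a host opening connections to many nearby addresses on 135/445 in a short window, the Welchia/Blaster-style spread described earlier. The log format, addresses, thresholds and port list are assumptions.

```python
# Added example, not from the thread or from Snort: a fan-out detector over
# constructed flow-log lines. Log format, addresses and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)

# Ports the thread mentions worms spreading on: 135 (RPC/DCOM, Blaster and
# Welchia) and 445 (LSASS, Korgo).
WORM_PORTS = {135, 445}

SAMPLE_LOG = [
    # constructed: infected host sweeping its own /24 on 445 within 12 seconds
    *(f"2004-08-30T10:00:{s:02d} src=10.1.2.50 dst=10.1.2.{51 + s} dport=445 flags=S"
      for s in range(12)),
    # constructed: a healthy host talking to one file server and the web
    *(f"2004-08-30T10:00:{s:02d} src=10.1.2.70 dst=10.1.2.1 dport=445 flags=S"
      for s in range(5)),
    "2004-08-30T10:00:07 src=10.1.2.70 dst=203.0.113.80 dport=80 flags=S",
    # constructed: three connections on 135, below the sweep threshold
    *(f"2004-08-30T10:01:{s:02d} src=10.1.2.80 dst=10.1.2.{90 + s} dport=135 flags=S"
      for s in range(3)),
]


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                   "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def find_scanners(lines, window_seconds=60, min_targets=8):
    """Return {(src, dport): info} for every source that sends SYNs to at least
    min_targets distinct hosts on a worm port inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    by_flow = defaultdict(list)
    for ev in parse(lines):
        if ev["dport"] in WORM_PORTS and "S" in ev["flags"]:
            by_flow[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    alerts = {}
    for (src, dport), events in by_flow.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of SYNs inside the window
        start, peak, peak_targets = 0, 0, set()
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_targets = len(in_window), set(in_window)
        if peak >= min_targets:
            # Welchia/Blaster-style spread favours addresses near the host:
            # report how much of the sweep stayed inside the source's /24.
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            local = sum(ipaddress.ip_address(d) in net for d in peak_targets)
            alerts[(src, dport)] = {"targets": peak, "same_subnet_fraction": local / peak}
    return alerts


if __name__ == "__main__":
    for (src, dport), info in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {info['targets']} hosts on tcp/{dport}, "
              f"{info['same_subnet_fraction']:.0%} in its own /24")
```

The thresholds are deliberately loose so the logic stays readable; on a real segment the window and target count would be tuned against normal file-server traffic.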
Unfortunately this will not work on campus because Microsoft have deemed that only XP Professional can log on to a domain. I can't imagine many students (or their colleges) being happy to pay the additional Microsoft licensing fees, so they can enforce GPOs and certificates.
This is a huge shame, and one of the 2 reasons I believe XP Home to be overly crippled (For the record: the other is lack of dual monitor support)
My school goes a little further and adds automatic hidden network shares in the disk image to allow the admin staff to access our entire computer. In the CIS course, we're provided with laptops... thing is, the laptops come pre-imaged. We're not provided with any disks at all. If we have a software problem (like all the ones we're having with VS.NET) and we need to re-install, we actually need to get our computer re-imaged. They won't even allow us to install the software ourselves! This policy even goes for the teachers.
I, for one, do NOT welcome our new IT overlords.
- m4. f0x
"Don't let your schooling interfere with your education." -Mark Twain
The short answer is yes. They are talking about implementing standard security practices that are time tested in the corp. world. Centrally managed AV allows one to update the server and then it in turn updates all the clients. In my situation it allows for 12,000 clients to be updated in approximately an hour. Going with something like Microsoft SUS, which is an internal Windows update service, allows them to better manage software updates. Another aspect is a firewall. Whether it be XP SP2, ZoneAlarm, or some other product, that is also an important step. Last but not least is to make sure you have a properly secured network infrastructure. Turning off unused ports, ports that viruses are propagating through, etc. Even go as far as to implement a "virus wall" or filtering on the internet gateway to block malicious scripting and/or IP addresses. As an example: W32.Korgo.Q is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on random TCP ports between 256 and 8191. If your network goes down, your bandwidth usage triples, you lose data (end of term papers, grades, projects)... how much personal impact does it take before you want them to implement the above? Then you get into the cost of managing the outbreak and eradicating it from the environment. Without proactive action they wouldn't have a choice but to pass the cost on.
The university is taking steps to protect its network. They are essentially saying "If you want to use our network, you need this software." How is that any different from Yahoo saying "If you want to use our Instant Messenger network, you have to install our client"? Is Yahoo getting sued if an instant message gets lost in transmission?
It is essentially different in one important regard. They are essentially asking you to install a back-door that they can use to install software. IMO, this would be more like Yahoo saying you need Back Orifice installed to use their system.
If I were in this position (the initial questioner mentioned he was a student), I would take the following actions in order:
1) Discuss the situation with the network operations management, if possible. Otherwise discuss it with someone as close to the situation as he can. Threaten to go public with your concerns. (Everybody hates publicity.)
2) If this does not get sufficient response, write an article for the local campus newspaper on the downside of the "solution."
3) If this does not get sufficient response, write a letter to the local newspaper regarding these concerns.
4) If this does not get sufficient response, write up the whole thing and send it to various security-related, publicly archived email lists.
Do this professionally without giving out confidential information (the name of the college is NOT confidential).
Now if you are also employed by the college it is more tricky. I would start by discussing the situation with your manager.
LedgerSMB: Open source Accounting/ERP
Good points all. This is essentially a right of privacy in your personal property issue. All the data on THIS side of the connection is MINE. All the data on THAT side of the connection is THEIRS. It's not their business HOW I keep my data from contaminating their data, so long as I do so.
Occurs to me that if they have the right to twiddle my machine, then I should have a reciprocal right to fix whatever ails their network!!
~REZ~ #43301. Who'd fake being me anyway?
... no computers are allowed to connect to the network unless authorised by the support guys. They're very strict about letting students' personal computers or laptops connect to the network, so much so I can only remember once where they allowed the student to use their own laptop with the department's network (and they're postgrad, so they don't exactly blend into the sea of undergrads).
:)
Presumably they're only allowing certain MAC addresses to connect, so I don't know if they can detect somebody who's reprogrammed their NIC's MAC address. That said, if they were noticed (and the labs we use are all monitored with CCTV), their place on the course would be seriously questioned, as it would probably be a substantial breach of the conditions of use all students in the department sign at the start of the academic year.
The labs are fully featured enough for most tasks anyway. There are a couple of hundred computers for undergrads, and loads of other computers littered throughout the department, and a few specialist labs. The network connects all manner of systems, from all manner of Windows installs, to Mac OS X, to loads of Linux systems, and a few BSD machines running in the background, and probably others I've never encountered (it is a CS department, after all!). The department sees no need to put the network in jeopardy by letting any computer connect, rather than just the department's own.
I work at a large university with a similar policy. I find the mandatory virus installation wholly intrusive and ineffective but the people who know better are powerless against ridiculous mandates set up by people who don't understand the real problems.
Our local ISP has a similar user load and yet they never resort to demanding customers install certain software. Competition tends to help the customer like that (listening fcc?) . The real reason is that our network is supported by tax dollars and we are unable to standardize equipment that allows for a network dynamic enough to block emerging worms. A private isp has similar switches that can be updated in batch and all at once. We don't have that luxury and the network is comparatively 'dumb'.
A compromise is voluntary compliance with penalties for those that cause problems and did not take the recommended steps. This allows 95% of the students to install the software with the understanding that it's a help, not a blanket submission. Truth is, anyone knowledgeable enough (doesn't even require computer knowledge) who doesn't get scared because it's "a computer" could figure out simple ways around the 'mandatory' protection. But it's about principle. A university is the last place that should be telling students they can't find their own solutions to these kinds of problems. Place requirements sure, place expectations (not spamming the network cause your computer got virused) but don't say this is the *only* way (esp when that way is significantly worse).
Instead of placing simple restrictions on SMTP servers... they just block port 25. It's the insane across-the-board reactions like this that characterize these kinds of decisions.
If you're at a university like this, complain. Let it be known that you don't accept these measures and methodically characterize why these reasons are. If you do, I guarantee you'll find a lot of people on the 'other side' that support you.
You can't force anything in a higher-ed setting, everyone is going to do what they want to do.
All you can do is not trust the network, and require VPN to get into any school resources. Everything should be firewalled, unlike most schools (esp. UC's and Stanford) that have wide open nets where every computer is on the internet w/ a global IP. Recently, most schools have started blocking ports at the gateways, but a total, optional patch-management / security scanner is necessary. Something like a patch-pusher that has confirmation dialogs for every action.
In space, for example. People on commercial space ventures will need air, and they will have to pay for it. We pay for food and shelter, this would just be another "essential" that would need to be budgeted for.
This post written under Gentoo-linux with an SCO IP license.
Why the hell not? Everybody's PCs are being monitored by US vs. THEM Let's Chat! about My Yahoo! Slashdot Organ Donor Card Required to log-in... as an MSN Tour Guide to the World Wide Whack-A-Do[Add Printer]Wizard gasp?[Printers] To give this young person the response he or she deserves, rather than a bunch of techno-hipster triple-talk in special terms: If you are concerned about the privacy, safety and security of the online identities of yourself and your Windows-based PC, you should keep it completely isolated from all networks and only use public terminals. You can always burn data onto flops, cds, zips and tapes to physically carry to one of the school's computers if you need to use network resources. As an added bonus, I have found that my Windoze crash a whole lot less often since I have added Zip and DT Drives to my LAN because the machines won't permit Microsoft Certified Corporate RAIDers and PTsnoopers access to the units. My Workgroup = Cool Friends Network Real Things Artists Cooperative Networks Under Construction:[PAPRPORT.EXE]HotTips[WINDOW~1] Temporary MSNBC.COM/News Home Base URL = http://www.geocities.com/tommywho70x/index.html City of Gonzopolis, Travis, Texas, Ya-who wishes to speak to the MAYOR OF STUPID.COM[PRODIGY]???? SWBT1/LAN/Ding.wav powered by HP oh, really? #01+ 512 - 247 - 6696Ring1 Daddyoh4.sbcglobal.net #01+ 512 - 247 - 6875Fax1To Bigmama1.sbcglobal.net #01+ 999 - 999 - 9999Ypager is a Mop[UPS]Beep.wav #01+ 800 - 555 - 1212Tell Me![WIN32]ATT once?09/11 One of our members is a retired USN CPO CommTech who also was an NROTC Instructor at UTexas while Michael Dell was learning everything he needed to know about how to build these critters and emulate Billionaire Billg Wiz-Api-Chart. Walter recommends the use of Ontrack System Suite with Trend Micro Anti-Virus and Net Defender Firewall as well as Windows System Utility Programs. 
Support is provided by VCOM.COM The results he and I have been getting from this software put the more popular Symantec and McAfee products to shame. Symantec and McAfee's programs will protect the best interests of their major corporate customer's secured databases and communications devices/driver files over that of what the Technocratic Power Elite view as mere pissants. The Ontrack System Suite, imho, beats them both out on HONESTY, power, reliability, versatility, auto-protection, up-to-the-nano-noodle reporting and event logging. Another useful device is a good Voice Recognition API such as NatSpeak[Dragon] or ViaVoice[IBM] and train your computer to use your voice print and sign-in dialog as your GATEKEEPER, allowing no remote access to anybody who may have your password, but cannot match your unique voice character map. Good luck in your studies and future career if there is to be any future in this wonderful New World Order Entry Forms News Web Sites Top Story F-Off Cheney[1]F-On Bush[0]Yahoo! F-US ALL.COM!!00 FTW GEORGE CARLIN FOR PRESIDENT! Give Head! Lick Bush! Show George and Laura what's Behind the Green Door in 2004! Deep Throat[1]Geronimo! Apache Mailserver for C-in-C Dimm Wit#0043 SENDMAIL To: George W. Bush[The Shrub]president@whitehouse.gov [FEEDBACK]Tomahawk&Wampum
( that's got to be the lowest slashdot i've yet gotten a reply from :) )
that makes some sense, when I said 'portscanning' I wasn't really thinking of applying it en-masse, but if it can be, then there's more sense to the issue.
:)
Unfortunately I was not on the internet in those days, and would not have known that. thanks for the info
One More Reason to Use Linux
I write my papers in LaTeX and back them up to my svn repo that gets backed up nightly.
We have a piece of equipment by a company called Sandvine which can mitigate virus threats, monitor traffic by protocol, etc. without anything needing to be installed by the actual end user. The drawback in the college setting is that they would need at least one of these boxes for every building on campus in order to effectively mitigate the virus threat. Not only that, but there is a yearly maintainence fee for support from them as well. But the way I see it, with most colleges costing you $10,000+/year to attend school there and live on campus, it's the least they can do if they're serious about "protecting the end-user".
I *utterly* agree with you, but if you do this, you'll have users moaning because they can't just hook any machine up: they need you to add them to the domain, create a user account, and lock the machine down. People won't voluntarily let you do this to their personal machines - you'd have to force them.
I still think this is the way to go, though: "if you want access to our network and the internet via it, you've got to jump through some hoops for the general good".