Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small liberal arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all Windows computers to install the antivirus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step forward, two steps backward' approach to network safety, as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
My campus will disconnect any computer it finds vulnerable. I suppose this could be considered the next step in that direction, but this time students have a way to be sure that they don't end up disconnected at an inconvenient time.
If this were my school, however, I think I'd find it easier to make my computer not look like a Windows machine to the network, and then deal with stuff on my own instead of trusting their software.
Personally, I'd much rather just get cut off and be notified why. I don't like the idea of giving over control of my computer like that.
Probably they have, and figure they're safe. And they probably are, until some student with a rich attorney in the family decides to make something of it.
The higher the technology, the sharper that two-edged sword.
... run Linux. At least I tell them that, and they believe it well enough.
In truth, I run XP with a good firewall most of the time.
The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
Quite frequently the only option for people who live in student housing is the internet that the university itself offers. The only real option left is dialup.
Here they don't care what you do. They have a policy in place so they "can" get you, but they really don't care. If you start using ridiculous amounts of bandwidth, they will cut you off. But you have to be, like, hosting an anonymous FTP that gets slashdotted for that to happen. Also if you are sending spam they cut you off. They don't care about your computer, just their network. And if you muck around they cut you off at the switch level. It's as simple as that.
Many companies use features available for Windows Servers and third-party software to force updates and patches if you connect a computer to their network, or, more specifically, attempt to get a network address or login to the company domain.
For Windows users, this isn't really a bad thing as a whole, since it's not your job (nor would you want it to be) to remember and know every frickin' problem that Windows has or its severity. So, let the campus ITs do their work to keep you and other computers playing nice-nice on the network.
On the other hand, the campus IT needs to be careful what they send as compulsory updates. Some PCs do not take certain updates well for God Knows Why, which could hose your system in some way. If that happens, I wouldn't know what your recourse would be to have your campus IT fix what it broke.
And don't think I'm just picking on Windows, either--other operating systems, including Mac OS X and Linux, need some necessary updates, too. Those operating systems (so far) have had far, far fewer viral attacks than Windows that cause Bad Days.
That could change someday.
I just attended ResNet 2004, which is a conference devoted to the Information Technology departments of colleges and universities across the globe. There are usually around 300 participants and many others who do not make the guest list. I think the biggest conversation among those at the conference was where the line is between appropriate and inappropriate actions to help keep the networks clean as well as the students' computers. You can check out http://www.resnetsymposium.com for the website or http://web.princeton.edu/sites/resnet/ for a list of those who attended. There is also a listserv at http://listserv.nd.edu/archives/resnet-l.html. All of these sites will give you contacts for people who have answers to your questions. A trend for schools is purchasing solutions such as Perfigo (www.perfigo.com) or BSI's Campus Manager (http://www.bradford-sw.com) to help them do their dirty work.
I work for computer services at my college, and we have a number of Mac labs. We have absolutely no problem with these whatsoever. However, it's impossible in a college setting to have a completely homogeneous selection of platforms. We need our PCs for everything from our accounting courses (some specialized software) to our comp sci courses (Yeah, they force us to use Visual C++, switching to .NET next year).
In all honesty, at a small college like the one I attend, there's a good reason to go with PCs from a financial standpoint: Despite educational discounts, Macs still cost more than PCs. That's a simple fact. Secondly, Microsoft gives AMAZING educational discounts for their software. I'm not talking about the "Educational" licenses for students, but rather we get X amount of free software per year, which is really a boon for our computer services department. We recently got our budget cut in half (management isn't comprised of the brightest of individuals), so the financial aspect is really appealing.
If we had the option to run all Macs, I'd swing for it in a minute, as far as my duties for computer services are concerned. It would make my job a helluva lot easier. However, we don't have that option, and I think you'll find that the same is true for most small colleges.
I hate to respond to an AC, but I believe that I have to. While there are not widespread viruses or worms for Mac OS, there are security exploits (why else would apple issue security updates?). A good portion of these network killing attacks are security exploits, not viruses/worms.
This is exactly what our school does. When you first go on the network you're given a 10. IP address. Any DNS calls resolve to an on-campus web server that allows you to register your computer (i.e., if you load your home page, the school computer responds instead). When you register, you enter your username and password (or create one) and your computer is scanned for known security vulnerabilities (are you vulnerable to Blaster, etc.) and any broadcasting viruses. If you are, you are not even given a 10. address lease until you install patches (free CDs available from ITS or dorm staff). Once you've installed them, you have to call ITS and ask to be unbanned.
You don't have to use the school's antivirus, but if you get a virus that broadcasts you are DHCP banned. Just like before, you have to ask to be unbanned and you must redo the registration process from before (since your MAC was removed from the "good" list).
While the computer is scanned, we are not required to install spyware. I think our policy is a good trade off, campus required spyware is too much. I'd move off campus or hurry up and switch to Linux.
When you've got "root", which gives you "ring-0" access to everything on the box, you have access to the encryption software, and hence can pull the key used to decrypt the data (assuming the decryption is done by the host computer), or more likely, just ask the encryption software to fetch the file on your behalf. Most virus scanners would indeed try to access the data as soon as it is mounted and ready to read decrypted data, and so could any other software the university might want to install on the computer.
Any time an institution requires software to be installed at all, it's a red flag that says that institution is doing something else wrong. While it's a good idea for students to keep their computers up to date with virus scanners and security patches and the like, it's not a good idea for the institution to take that responsibility away from the students themselves.
I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wallport reactivated increased awareness.
The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.
So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
It sounds like they have good intentions with this "network security" software and not bad intentions to snoop on the students, but once installed the agent basically has administrator rights on that Windows box. There's a chance the agent could be subverted by a corrupt administrator, the school administration, or an outside attacker with less good intentions.
There's a simpler way to fix this without the Big Brother risks. Block all the Netbios ports on the student dorm LAN and transparent proxy all outgoing SMTP to a virus scanning gateway. This will take care of 99% of the network scanning and mass mailing worms. Do students really need to see each other's file shares? Regardless of the risk from network worms, file shares with weak passwords can be a huge privacy risk. It's ridiculously easy to snoop around. Start -> Run -> \\IP address\C$ then try administrator:password and administrator:blank password.
The control everything approach of forced antivirus updates and forced OS updates works well if you own everything on the network, but it just doesn't work on a dorm LAN with privately owned computers.
Cable modem service is surprisingly more available than you might think. In most dorms, the cable service is provided by the cable company of record in the community. The school may or may not be paying for basic services, but if the students have the opportunity to purchase digital cable or on-demand service from the cable company, then the frequencies to allow cable modem service are most certainly present.
At that point, a contract stipulating that they can't offer cable modem service in the dorms is the only thing that can stop it, and most schools don't demand that because they don't see much of a threat from that source anyway.
Our campus is using Cisco routers. So we enable NetFlow and dump the output to another host running FreeBSD. (FreeBSD has a NetFlow implementation using netgraph if you don't use Cisco routers, though we haven't tested it.)
The FreeBSD box is actually our main gateway before going out to the Internet. Then, we wrote a script to detect flow counts to ports used by common worms/viruses, and if it's more than 100 at one time, we save the IP address to a database. This script runs every 10 minutes using cron. The script first deletes all entries and inserts the new IP addresses every 10 minutes.
Then, we set the firewall running on the FreeBSD box to block all connections from the IP address and transparently route any HTTP connection to our emergency response page. The page notifies the students that their PC is infected with a certain virus (based on the port it tries to connect to).
We only allow them to connect to Windows Update, the Symantec website and our Emergency Response website. All other connections are blocked. We cache all the Windows patches using our transparent proxy so that when they want to update their PC, they won't have to wait for several hours.
On our Emergency Response page, we provide free antivirus, the latest Symantec antivirus pattern update, Spybot and its updates and also DCOMbobulator. A short description of the suspected virus infecting their PC is given on the website.
The emergency page also lists all the IP addresses of PCs suspected to be infected with worms, the location in our campus (based on the VLANs), the number of flows detected coming from the PC, the MAC address, the name of the PC (Windows), and the user currently using the system. Some of the details we got using NetFlow, others using nbtscan.
Every semester, the user has to sign a document saying that their PC has antivirus software installed and up to date.
We are planning to use Snort to detect suspicious packets using Snort's signatures and block the IP addresses detected.
We do receive complaints from students regarding this implementation, where the students say that their PC is up to date and free from viruses. But after further investigation, their PC was infected. It seems that they just assume that their PC is free from viruses without actually scanning it with an antivirus.
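The flow-count quarantine described in the post above (and the traffic-pattern port-killing the University of Washington commenter mentions earlier in the thread) is worth seeing end to end. What follows is an added example, not the campus's own script or UW's tooling: it counts NetFlow-style records per source host toward ports used by common worms, flags any host that exceeds a per-interval threshold, builds the `pfctl` command that replaces the quarantine table on every run (matching the post's "delete all entries and insert the new addresses" behaviour), and renders the pf.conf fragment that blocks the host while redirecting its HTTP traffic to an emergency page. The flow records are constructed sample data; the worm port list, the threshold of 100 flows, and the pf names `$int_if`, `$emergency_host` and `<update_hosts>` are assumptions, not details from the post.

```python
"""Flow-count worm detection plus quarantine rules, modelled on the scheme in the
post above.  Example code added for illustration; it is not the campus's own
script.  Flow records are constructed sample data, and the worm port list,
the threshold and the pf.conf names ($int_if, $emergency_host, <update_hosts>)
are assumptions, not details taken from the post."""
from collections import Counter, defaultdict

# (protocol, destination port) -> worm name.  Assumed list of ports scanned by
# the 2003/2004 worms that a flow exporter on the gateway would see.
WORM_PORTS = {
    ("tcp", 135): "Blaster / RPC DCOM",
    ("tcp", 445): "Sasser / LSASS",
    ("tcp", 4444): "Blaster backdoor",
    ("udp", 1434): "SQL Slammer",
}
# Flows from one source host to one worm port within a single cron interval.
THRESHOLD = 100


def parse_flow_line(line):
    """Parse one 'src_ip dst_ip proto dst_port' record (flow-tools style text export)."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def count_worm_flows(records):
    """Return {src_ip: Counter({(proto, dport): flows})} for flows to worm ports only."""
    per_src = defaultdict(Counter)
    for src, _dst, proto, dport in records:
        key = (proto, dport)
        if key in WORM_PORTS:
            per_src[src][key] += 1
    return per_src


def suspects(records, threshold=THRESHOLD):
    """Hosts whose flow count to any single worm port exceeds the threshold.

    Returns {src_ip: {worm_name: flow_count}}, which is what the emergency page
    needs in order to tell the user which worm is suspected.
    """
    flagged = {}
    for src, counts in count_worm_flows(records).items():
        hits = {WORM_PORTS[k]: n for k, n in counts.items() if n > threshold}
        if hits:
            flagged[src] = hits
    return flagged


def replace_command(flagged):
    """pfctl command that replaces the whole quarantine table each run.  A host
    that has stopped scanning simply drops out of the table at the next interval."""
    return "pfctl -t worm_hosts -T replace " + " ".join(sorted(flagged))


def pf_rules(int_if="$int_if", emergency="$emergency_host", updates="<update_hosts>"):
    """Static pf.conf fragment (pre-4.7 rdr syntax, assumed) for table members:
    HTTP to anything except the update hosts is redirected to the emergency page,
    the update hosts and the emergency page stay reachable, everything else is blocked."""
    return "\n".join([
        "table <worm_hosts> persist",
        f"rdr on {int_if} proto tcp from <worm_hosts> to ! {updates} port 80 -> {emergency} port 80",
        f"pass in quick on {int_if} from <worm_hosts> to {updates}",
        f"pass in quick on {int_if} proto tcp from <worm_hosts> to {emergency} port 80",
        f"block in quick on {int_if} from <worm_hosts> to any",
        "",
    ])


def sample_records():
    """Constructed flows for one 10-minute interval (not real campus traffic)."""
    lines = []
    # Blaster-like: one host hits TCP 135 on 150 different neighbours.
    lines += [f"10.1.5.23 10.1.0.{i + 1} tcp 135" for i in range(150)]
    # Slammer-like: UDP 1434 sprayed at 120 hosts.
    lines += [f"10.1.3.14 10.1.1.{i + 1} udp 1434" for i in range(120)]
    # 40 probes of TCP 445: below the threshold, so not flagged.
    lines += [f"10.1.7.9 10.1.9.{i + 1} tcp 445" for i in range(40)]
    # Plain web browsing: port 80 is not a worm port, so volume alone is not enough.
    lines += ["10.1.2.2 192.0.2.10 tcp 80"] * 300
    return [parse_flow_line(line) for line in lines]


if __name__ == "__main__":
    flagged = suspects(sample_records())
    for host, hits in sorted(flagged.items()):
        print(host, hits)
    print(replace_command(flagged))
    print(pf_rules())
```

Two things a practitioner would check before deploying something like this: the threshold has to be tuned per site, since a legitimate file or SQL server can easily see more than 100 inbound flows on 445 or 1434 in ten minutes (counting distinct destinations per source rather than raw flows separates a scanner from a busy server), and the rdr/pass ordering matters because pf applies the redirect before filtering, so the pass rule must match the translated destination or the redirected request is silently dropped.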
Yes, but this takes time. Unless things have changed, I went through this before and it was about a 4 day wait for ResCom (or whatever they call themselves now) to change things. Also when I was on campus you could not move to a different room; the only way that happened is if you moved. So you were fixed to a room for the year, unless you went through the couple-day wait. Maybe they have changed things now (been over 2 years since I was on campus).
Before the rash of viruses over the past two years, I would have said that the software costs outweighed the downtime and maintenance costs. I would say that now, no, they don't outweigh the costs, but when they are paying us students (who do 99% of the cleanup when a virus hits) close to minimum wage, it probably is still cheaper for them to take the free flawed software. And yeah, I know the job has a crappy pay rate, but you can't beat how flexible they are around exams, homework, etc.
The 'free' software is generally used, as most of it is comp sci department stuff (VC++, .NET, etc), or some web design stuff, or Word, etc. So yeah, overall it is used for the most part.
I can't think of the name of the software package off the top of my head, but I remember there was some large-scale app that went to waste, and the copies are still sitting in a box in storage from two semesters ago. And due to the licensing agreements, we can't sell or give it away, so it kinda sucks.
Waivers aren't worth much if you can show their negligence caused harm to you.
You guys can bitch all you want, but the problem of having an entire ResNet filled with unpatched, virus/worm/trojan infected Windows boxes showing up in the last week in August is very real. As is the problem of outbound traffic from compromised Windows machines consuming all the available bandwidth. The quarantine-until-proven-clean methodology is becoming fairly standard in ResNet management circles, as is some sort of authenticated access control that ties a human being to a machine address.
The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.
Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
The bandwidth limit is hardly new; that kicked in a few years ago, right before everything collapsed with Napster. I remember not even being able to check my email for hours because the whole network was hosed then. On top of people going nuts with Napster and such, the connections for some buildings were just plain terrible, in my case Beaver Hall; after I left they did some upgrades. Things are nowhere near as bad as they got at one point. The whole building basically would have no internet for hours at a time.
The internet was pretty much slow as hell from spring of 2000 onward. It wasn't too bad when I started in '99, but from there, it was all over. Even on a good day the whole time I was there, it was rarely much faster than being on a phone modem.
Yeah, apartment is great with cable modem, just be ready to curse Adelphia instead, and if you by chance live at Copperbeech don't even think of using the free wireless; just bite the bullet and get normal Adelphia cable service. Cause otherwise you won't have internet.
Reminds me, fuckers haven't given us our deposit back.
Just as most schools require a 'basic computer' course - so too, either as part of this course, or as another, there should be a class on basic principles of networking and securing computers - generic for most OS's (linux, OSX, Windows).
Before a student is allowed to connect - they must pass this course.
Once they are connected, the IT department should have the authority to then remove them from the network if the network user in question becomes a nuisance. Expulsion should be tied to grievious violations.
To ameliorate the effects of brain dead students - the network should be set up in smallish segments using switches in a star topology; this will allow you to take away the magic electrons from the ports of the marching morons on an individual basis; hubs are bad - if one becomes infected - they soon all will be.
DNS (WINS resolution) should be set up in such a way as to deny automated resolution of student computer names/addresses within the network. This won't stop students who are smart enough to put their buddy's address in their hosts/lmhosts file - but it will stop the majority of idiots. Disable windows authentication domains...everyone logs into their own computer, and you won't be doing remote administration anyway - you don't need that headache.
Default to disabling known nasty protocols - with the caveat that students can negotiate a legitimate need for ports to be opened up for their use.
Assign static IPs to allow fine grained filtering, to accommodate the variations in students. Some students will have everything turned on and can be fully trusted; conversely, others will barely have any services beyond email enabled. This requires work on your part; automate this functionality of your network, then delegate responsibility for maintaining it to your most responsible students. You would be amazed how fast people become experts at network administration when they are responsible for making it work for everyone. To add a little fat to the fire: if they are dragging their feet on a network-affecting problem, shut down all access to the outside world until they resolve the issue. Once you get the people trained, you shouldn't have to lift a finger.
Email is another big hairball I won't discuss; given a college/university environment, you will probably have to deal with a lot of spam. On the other hand, if your students and faculty are savvy enough, you could perhaps go to a public key authentication system (everything without a valid key gets bounced). This won't help your internet-facing interface much, but will help your internal traffic volume to your mail servers.
Iowa State has a pretty simple system for these types of things. At the beginning of the year you must register your MAC address with your university email. Then every once in a while they scan the entire network for ports that are open that shouldn't be, or just large amounts of activity on ports of worms and the such. If your MAC address is found to have a worm you are sent an email to clean it. In X number of hours they rescan your machine to see if you took care of the problem yourself. If you didn't, they cut off all access besides their webpage and the university email servers. Once you take care of it you shoot them an email, they recheck you, and restore your access. (Great way to piss off your roommate: clone his MAC onto an infected machine.) As far as the role of the student goes I think this is an awesome system. There isn't any sort of software from them running on my machine, and it's not like I'm getting scanned any more than I would while I am sitting at home on my cable line. From the aspect of the admins though I'm sure this sucks. I'm not sure how much of the process is automated. I know for a fact though that the unblocking process is manual. But hey, it works pretty well.
I've been in the dorms (Simmons specifically) for two years, and it doesn't seem all that bad. There have been times when it's been bad; when they were installing the damn firewall at the beginning of last semester it was going down regularly for about three weeks, but speedwise it hasn't usually been too much of a problem. I'd say it's about the same (at times faster, at times slower) as my cable connection at home. Though that's not saying *too* much...
And I can tell you not only have we thought of it, the fine print on the user agreement you sign covers our ass. The document is purposefully skewed to the school's favor. If you don't like it, you simply don't use the network. And no, I'm not joking.
You sound like you went to school where the department was run by crappy CS profs. I got my undergraduate degree at a liberal arts college and 99% of my Computer Science experience there was gained while using Linux (and even a bit of Solaris my first year) systems. We all knew BSDs, open source alternative software, and more. Many of us used it daily; some developed and tested for the open source community. Windows was pretty much shunned by all but one prof. Even the necessary evil of connecting to the IT Windows systems was considered highly undesirable.
In reference to the topic at hand, I have to say this University is taking the wrong course of action. My school took the "lock the port" approach. Quite simply, if they could tell your computer was infected and you weren't doing jack to fix it, you lost your internet. Didn't like it? Well fix it. Otherwise you're gonna be going to another dorm room to try to hook up (and remember, your roommate isn't gonna like you either, cause you cost both of you an internet connection).
PS to grandparent of this message - The author states he/she is a CS student; the author never states the CS department is the head of this action (I'm strongly willing to believe it is not).
MAC banning is ineffective since nearly every card these days can have its MAC address reprogrammed. Real solutions are tied to the student's university login account, which is associated with their other student records.
But what if they start using someone else's login, or they start sharing login information? Try detecting that easily.
A secure method using Windows 2k/XP would be to put the machines into a domain, use GPOs to turn on Automatic Updates, and use IPsec based on a domain certificate for authentication to servers (or perhaps route them through an ISA firewall) and tell the servers/firewall to only accept IPsec. Doing this would enforce updates via Automatic Updates (it's only bandwidth heavy for the first few days, but means the machines will update themselves even at home), and using IPsec means that only machines you have processed into the domain and issued a cert will be able to talk on the network. Without getting access to system admin accounts they are going to have a hard time getting around that.
It's a backdoor, they can do anything they want to your system.
As long as they have a valid (administrative) account on the target machine, yes. Otherwise no, they can't access it at all.
Up to date virus definitions are helpful but generally too difficult for the end user to keep up with.
Any decent antivirus software will have scheduled checking for updates built in - eg Grisoft's one. Even their free edition has this - set it, forget it.
Winblows itself
Factually wrong, conceptually wrong, and immature - we have a winner.
It's official. Most of you are morons.
Like I said, the school is a small liberal arts school. Although I'm not happy about the new network policy, I still love the school. Along with this, I have been in a positive conversation with policy makers to help make my objections clear. This means that I don't want my school's site to be slashdotted. That is the only reason that I didn't link to my school's site. I will be posting my conversations with Computing Services on my website. Of course, I'm not going to link to that either.
Except you don't have to move off campus. Here at PSU we discovered that it was cheaper to get a cable modem and a router and split the cost with dorm-mates. The service was better (better uptime, bandwidth, etc.).