Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all Windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step forward, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Perhaps you might want to (anonymously) remind them that by assuming management of individuals' computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
next step:
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software I MUST install.
No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsibility to protect their network and others on that network.
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
I think that should clear it up. And since it's the computer science department that's running this, I would think that they know of other OSes other than Windows, i.e. Linux, BSD, OSX, etc., and rightfully evaluate them differently.
--
Registered .sig quotient : 1337
Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, dsl, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run Napster. All the off campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
Wouldn't it be easier to not allow Windows-based computers on the network in the first place?
MAC banning is ineffective since nearly every card these days can have its MAC address reprogrammed. Real solutions are tied to the student's university login account which is associated with their other student records.
Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targeting your environment, rather than having to deal with the after effects of the bzillions of non-targeted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone else's actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Ok, I give up, why you?
If it were my school, I think I'd find it easier to make my computer not be a Windows machine. Which begs the question: how is this outfit going to handle non-Windows systems? Are they going to force a similar level of compliance on Mac or Linux users? Personally I wouldn't want to have my machine subject to such regulations: I don't know as I would trust an IT department to ... well, let's just say I don't know as I would trust an IT department. I particularly wouldn't trust them with unfettered remote access to my personal property. I would also want to know what criteria were used in the selection of the software suite to be installed: if it's just because they got a good deal from Symantec I would have a problem with that too.
The higher the technology, the sharper that two-edged sword.
This doesn't sound like a very good idea. Even if the school itself is trustworthy and doesn't examine student files for content, such as illegally downloaded copyrighted materials, it is far too tempting a target for hackers--a nice centralized system with which he or she can control the entire campus's Windows machines. I much prefer Dartmouth College's response to the problems of viruses and worms--if something is detected, you'll be kicked off the network and you won't be allowed back on until your computer is clean.
it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.
Just get a freakin' Mac. I'm serious. When a bureaucracy starts doing heavy-handed stuff like this, it means they are backed into a corner and will not be any fun to live with. Escape now.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free, so banning by MAC address is a perfectly good reactive solution to viruses until they start randomly changing MAC addresses. And then you could ban unregistered MAC addresses, which is fine until viruses sniff and copy other MAC addresses, which isn't always possible.
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
-RockDoggy
it's my machine, not the school's
if the school was buying me the machine, i'd say fine
the school should not be playing mommy and daddy to the machines... if they see someone spreading worms then they should disconnect them and send a polite note saying why and how to fix it
special software may be good for the kl00 phucked lusers, but to the people who know what they're doing it will be an annoyance
besides, are they going to send people around to check? what's to stop me from uninstalling the software when the pimple-faced "support tech" leaves the room?
...and that's all there is to it.
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanent "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone whose internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT departments (perhaps specifically at small liberal arts or private schools) may tend to be a little overzealous when telling students what they must and/or can't do.
"What do you care what other people think?" -Richard Feynman
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Don't blame me, I didn't vote for either of them!
If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free
Knowing is not doing. How many people do I know that perfectly know how to install an anti-virus but are just too lazy to do it.
Write boring code, not shiny code!
At my school (Michigan Tech), I remember receiving several emails stating that students' internet access would be disabled if they were infected with $latest_worm. The IT department typically caught the worms as the first few machines were infected, and killed their network connection. The network performance never suffered as far as I could tell.
At the other end of the spectrum, some friends of mine at other schools were unable to use any network related stuff because their IT departments completely ignored the worm problem. I'm not sure if this was because of incompetence, indifference, or a little of both.
Funny anecdote, I'm sitting here at Million Man LAN. Someone brought in a machine infected with Sasser, and within minutes there were hundreds of people infected. You'd think that the gamer crowd would be up to date with their patches.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Generally, though, the set of people who know how to change their MAC address and the set of people who keep their computer virus/worm-free intersect pretty well.
Why Mac users flippantly flaunt OS X's robustness is beyond me -- they're just begging for trouble. Just let the platform fly under the radar and remain undisturbed.
I live off the Illinois State University campus. However, our rental company "SAMI", has (best we can tell) chosen to use the same provider for our network access. They require us to use McAfee's antivirus, and will shut us off in the event of infection. They have posted signs everywhere prohibiting the use of routers with or without wireless access. This boggles my mind, as you'd think they would have wanted us to have the hardware firewalls. Worse than the fact that our DSL is ridiculously slow, they have firewalled off our filesharing (apparently permanently). The best part is, the cost of the DSL is bundled into my rent... so I can't opt to get rid of it and get a cable modem instead. If I get a cable modem, I will effectively be paying something like $100 a month for connectivity. I'd write letters to the local papers complaining, but they have the right to shut off our internet for no reason (signed the TOS sheet, bleh). If they shut me off, I get to keep paying for the internet I can't use because it's technically paid for by the rent I agreed to pay. That would be somewhat similar to ~ 2 months of downtime I had a couple semesters ago, where I had to keep paying the same amount of rent.
You know, before college campuses start taking such intrusive measures, they really should get their *basic* security right. I've attended several universities and am appalled by the lack of basic security measures. For starters, subnets should be firewalled from each other with a very limited set of services exposed (e.g. there isn't really any compelling reason why resnet computers should have NetBIOS/SMB/RPC access to computers on the admin subnet). Such a simple step would go a LONG way toward limiting the spread of worms. Secondly, the resnet computers should not be able to accept inbound connections from the public internet, *period.* (better yet, stick your resnet on a NAT so none of the student PCs even have publicly routable IP addresses). This will stop 3l33t Linus hackers from running their own servers, but guess what - the school is not in the business of providing you bulk bandwidth so you can run an e-business. You want to run a server? Pay for colocation, buddy.
The campus should provide antivirus screening at the e-mail gateway to limit that entry point, and should limit or monitor outbound SMTP activity from resnet PCs so they can catch infection through 3rd party hosts. Finally, the school should be running IDS on all its networks and quarantining any system that's found to be infected/0wn3d until it's demonstrably been cleaned up. Iff the school has PROPERLY implemented their network using common best practices (to reiterate, firewall those subnets from each other - in this day and age there is NO EXCUSE for leaving your internal network wide open so a single compromised system can compromise the whole thing) and it still isn't doing a good enough job containing infections, THEN we can talk about more intrusive measures.
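[Added example, not part of the comment above and not any campus's actual tooling: the containment checks that comment lists (resnet-to-admin NetBIOS/SMB/RPC, inbound connections to resnet, outbound SMTP that bypasses the mail gateway) run over constructed flow records. The subnets, gateway address, record format and threshold are assumptions made for illustration.]

```python
import ipaddress
from collections import defaultdict

# Assumed campus layout (constructed for this example, not from the thread).
RESNET = ipaddress.ip_network("10.20.0.0/16")
ADMIN = ipaddress.ip_network("10.10.0.0/24")
MAIL_GATEWAY = ipaddress.ip_address("10.30.0.25")
CAMPUS = [RESNET, ADMIN, ipaddress.ip_network("10.30.0.0/24")]

# NetBIOS/SMB/RPC ports that resnet hosts have no reason to reach on the admin subnet.
WINDOWS_RPC_PORTS = {135, 137, 138, 139, 445}
SMTP_PORT = 25
SMTP_DEST_THRESHOLD = 3  # distinct non-gateway SMTP destinations before quarantine

# Constructed connection records, one per line: initiator,responder,dest_port
SAMPLE_FLOWS = """\
10.20.1.15,10.10.0.8,445
10.20.1.15,10.30.0.25,25
10.20.4.77,198.51.100.10,25
10.20.4.77,198.51.100.11,25
10.20.4.77,203.0.113.5,25
10.20.4.77,203.0.113.9,25
203.0.113.200,10.20.9.3,80
10.20.2.2,198.51.100.80,443
10.20.2.2,198.51.100.10,25
"""


def parse_flows(text):
    """Parse 'src,dst,port' lines into (IPv4Address, IPv4Address, int) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows


def is_external(addr):
    """True when the address is outside every campus network defined above."""
    return not any(addr in net for net in CAMPUS)


def audit(flows):
    """Return (rule, host, detail) findings for the three containment checks."""
    findings = []
    smtp_dests = defaultdict(set)
    for src, dst, port in flows:
        # Check 1: the inter-subnet firewall should have dropped this.
        if src in RESNET and dst in ADMIN and port in WINDOWS_RPC_PORTS:
            findings.append(("resnet-to-admin-smb", str(src), f"{dst}:{port}"))
        # Check 2: resnet should accept no connections initiated from outside.
        if is_external(src) and dst in RESNET:
            findings.append(("inbound-to-resnet", str(dst), f"{src}->{port}"))
        # Check 3: collect SMTP sent anywhere other than the campus gateway.
        if src in RESNET and port == SMTP_PORT and dst != MAIL_GATEWAY:
            smtp_dests[src].add(dst)
    for src in sorted(smtp_dests):
        count = len(smtp_dests[src])
        if count >= SMTP_DEST_THRESHOLD:
            findings.append(("smtp-fanout", str(src), f"{count} destinations"))
    return findings


def quarantine_list(findings):
    """Hosts whose SMTP fan-out suggests a mass-mailing infection."""
    return sorted({host for rule, host, _ in findings if rule == "smtp-fanout"})


if __name__ == "__main__":
    results = audit(parse_flows(SAMPLE_FLOWS))
    for rule, host, detail in results:
        print(f"{rule:22} {host:15} {detail}")
    print("quarantine:", quarantine_list(results))
```

[End of added example. A single direct SMTP connection (10.20.2.2 in the sample) stays below the threshold, so only the host fanning out to many mail servers is listed for quarantine.]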
What's to stop someone from doing a ping sweep of a subnet and giving their machine a static IP of one that doesn't respond to beat your DHCP restrictions?
(this is an honest question, not a flame)
And before you say that the MAC is banned:
- MACs can be changed.
- ANY firewall product on any OS that I've used will record the MAC (when it can of course) along with an IP.
I dunno. Maybe I'm not thinking of something, but, that system sounds pretty easy to beat. Granted I'm a "Computer Geek" and probably somewhere near 70% of the students aren't, but...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretapping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Friends don't help friends install M$ junk.
Forcing students to meet some very sensible minimum computer security requirements (such as up-to-date anti-virus and operating system software) will not limit their academic freedom or ability to express themselves in any way, so what's the problem? Other technical solutions that would warrant investigation include separating academic and administrative network resources (my alma mater had the administrative systems on a separate physical network) and performing regular "un-cooperative" vulnerability assessments of the student and residential networks (i.e. a safeties-off penetration test with Nessus or similar).
Now, if we were discussing unfiltered Internet access for said students, I could see room for several good arguments (e.g. granting students the ability to develop Internet-accessible systems, but balancing that against the abuse of these projects to affect the institution or other students or other Internet-connected systems, etc.) But "Academic freedom" doesn't free a student of basic adult responsibilities. Just as an institution issues students keys for their doors and badges for building access and passwords for their email, an institution should teach a student to be a responsible network citizen by issuing them anti-virus software. This is not unreasonable. So why the "Ask Slashdot"?
I'm proud of my Northern Tibetian Heritage
Colleges are for education
You are exactly right, the colleges should be teaching students about their constitutional and privacy rights and not invading their privacy for a minor annoyance.
If the kids knew more about their rights coming out of school they would (hopefully) be able to see when their rights are being taken away. Instead, the universities condition the students to get used to a big brother always watching them.
This account has been seized by the GNAA. That is all.
... on how far they take it. The college I live next to, which shall remain nameless, went through a similar situation. When Blaster, Welchia, et al. hit last year, they sent around the RAs with copies of "utility" CDs containing the patches & virus fixes. Needless to say, they were (and still are) a small college. That was fine right up until they hit a Mac... because the RA and the student who owned the Mac refused to sign the form stating that the patches and fixes had been run (obviously, they couldn't), the "IT dep't" required that the unit be brought physically to their office for inspection.
I'd hate to have someone pawing over my Linux machine every time the latest virus hits the Windows boxes. I'd throw a fit if they forced me to install software on it. I'd really create a fuss if they kicked me off the 'net simply because I'm not running Windows.
And none of this "Let's 'scan' my system and see what's on it, in case I'm breaking copyrights, or doing something else I shouldn't be." What's on my system is none of anybody's business, unless it's impinging upon the network (spam, anybody?). If it's transmitted across the network, it's fair game... if it's already on my hard drive, hands off.
Guess it's just like everything else... as long as it's held to a moderate level, and some common sense is applied, it ought to be fine.
Good idea. I was going to suggest placing a small firewall between you and the rest of the network. Done right, you can configure the firewall to have the fingerprints of a POSIX OS, so the campus scanners will be fooled. Anyone intelligent enough to keep the school's spyware off their computer is without a doubt able to take care of their own computer.
You've missed the point. Should you really be whining about software being required to be installed on your computer, to the point you post an "ask slashdot" (that conveniently hides the institution you attend), when your school puts restrictions on you like legal adults not being allowed to drink?
In other words: most of the students made their choice, paid their money, and are attending Wheaton because they would rather be there than somewhere else.
It's not really relevant to the conversation, but many students are heavily influenced by their parents to attend restrictive religious institutions like this. It's either that, or the parents won't pay, or maybe even support the kid.
AccountKiller
It seems to me that it's common procedure to hide certain types of identities when posting questions on Slashdot. This is done partly because the information isn't relevant, and also because it helps reinforce the idea that the situation is more broadly applicable than only to people in that specific situation.
If you had been fair about things instead of changing the subject to that of your personal dislike of policies designed to foster a community where education and personal growth are given utmost priority, you would have acknowledged that the question *was* relevant. Policies like this could easily be implemented in other places - in fact, that was part of "dancedance"'s questions. Wheaton's policy on drinking is irrelevant.
You're probably right that many parents (often alums) give their child a "_college_x_ or nothing" ultimatum with respect to financial support, but that's often for a good reason, i.e., they went there themselves and were happy with the education they received. Anyway, that's their prerogative. And it's hard to claim that anyone is being oppressed (as you implied) at getting an education of Wheaton calibre, costing around $120,000.
What's to question? He goes to a school that has a highly restrictive network policy, and he wants to know what other schools do. Does it matter what his school is?
You can get yourself removed as a dependant from your parents at the age of 18. Then you don't have to include their income on your financial aid. Of course if you do this you aren't included as a dependant for their tax purposes or included on their insurance etc. But you will qualify for much more assistance if you suddenly don't have your parents' income.
----- Question authority, but not ours. Hate the man, but we're not him.
The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
--- www.f-theocean.com
It is not a right to get high speed internet access through your university. If you have a problem with the connectivity offering, you shouldn't connect.
Another thing to realize is that the IT departments at Colleges and Universities (especially liberal arts colleges) are dealing with a population of students, professors, and staff that are generally computer illiterate. I can say this because I was in the help desk at my college, and people needed help with the most basic functionality of their computer. I would often think to myself: These are some of the brightest people in the world (Nobel laureates would come in with basic computer problems) and they don't know the difference between a disk drive and a CD. Eventually, it dawned on me that I shouldn't take even the most basic computer knowledge for granted.
It makes complete sense for a college IT department to require this amount of control over their computers that connect to their network. Remember, using the network is a privilege not a right. This level of control is done for a very good reason. It makes it better for everyone to raise the bar. I'd rather my tuition go to the education departments than to waste on removing every new worm and trojan that comes in... Especially because as a help desk worker, I was being paid $10 per hour (best student job on campus) to disinfect people's computers.
You want a technical answer but I think the ethical one is overriding here: I just don't believe networks should be run in this fashion.
First, it's totally insane to require Microshite Windoze. It speaks of the cerebral poverty of the faculty at many an institution where these supposed gifted people can barely save a document in Microsoft Word and then require everyone else do the same.
Second, any open standard should do just as well, and yet - and do I smell graft here? - Microsoft are in there, Dell are in there, IBM are sometimes in there, and demands are made that students get a computer of a definite make, model, configuration, etc - just to qualify for enrolment. If this isn't lobbying and bribery, I don't know what is.
Finally, if you want to connect to a network, then you should be able to prove you're malware-free. I don't have the technical details on this, but forcibly downloading junk on students' computers is just wrong.
And some parents require their adult-kids to attend local nearby colleges so they can force their kids to live at home while studying. That's life.
For every choice we have available, there is a price we have to pay for that choice. Get over it. Stop talking like a victim. Like the other poster mentioned, you can disown your parents and become independent if you really want to. Most kids would never do this, but the choice is there nevertheless.
Well, I for one am not just lazy but I actually refuse to do it. The reason is that many of these 'complete antivirus solutions' are in reality a major PITA.
It's like a complete productivity destroying kit: FooSoft Network Borker downloads stuff behind the back, FooSoft Startup Killer jerks the machine unusable for several minutes each reboot, FooSoft BSOD Daemon makes sure you need to do those reboots and finally FooSoft SlugPro simulates the 386 era in case you have missed it or feel just nostalgic.
Now, I have a (hardware) firewall and won't use virus/spyware-spreading software so I don't think I'm too likely to get viruses in the first place. Why would I use some inferior solution instead?