Slashdot Mirror
Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Perhaps you might want to (anonymously) remind them that by assuming management of individuals computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
next step:
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software i MUST install.
No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsiblity to protect their network and other's on that network.
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, dsl, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run napster. all the off campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
MAC banning is ineffective since nearly every card these days can have it's MAC address reprogramed. Real solutions are tied to the student's university login account which is associated with their other student records.
Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targetting your environment, rather than having to deal with the after effects of the bzillions of non-targetted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone elses actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Ok, I give up, why you?
If it were my school, I think I'd find it easier to make my computer not be a Windows machine. Which begs the question: how is this outfit going to handle non-Windows systems? Are they going to force a similar level of compliance on Mac or Linux users? Personally I wouldn't want to have my machine subject to such regulations: I don't know as I would trust an IT department to ... well, let's just say I don't know as I would trust an IT department. I particularly wouldn't trust them with unfettered remote access to my personal property. I would also want to know what criteria were used in the selection of the software suite to be installed: if it's just because they got a good deal from Symantec I would have a problem with that too.
The higher the technology, the sharper that two-edged sword.
If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free, so banning by MAC address is a perfectly good reactive solution to viruses until they start randomly changing MAC addresses. And then you could ban unregistered MAC addresses, which is fine until viruses sniff and copy other MAC addresses, which isn't always possible.
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
-RockDoggy
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanant "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone who's internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT deparments (perhaps specificly at small liberal arts or private schools) may tend to be a little over zealous when telling students what the must and/or can't do.
"What do you care what other people think?" -Richard Feynman
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Don't blame me, I didn't vote for either of them!
If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free
Knowing is not doing. How many people do I know that perfectly know how to install an anti-virus but are just too lazy to do it.
Write boring code, not shiny code!
Generally, though, the set of people who know how to change their MAC address and the set of people who keep their computer virus/worm-free intersect pretty well.
I live off the Illinois State University campus. However, our rental company "SAMI", has (best we can tell) chosen to use the same provider for our network access. They require us to use McAfee's antivirus, and will shut us off in the event of infection. They have posted signs everywhere prohibiting the use of routers with or without wireless access. This boggles my mind, as you'd think they would have wanted us to have the hardware firewalls. Worse than the fact that our DSL is ridiculously slow, they have firewalled off our filesharing (apparently permanently). The best part is, the cost of the DSL is bundled into my rent... so I can't opt to get rid of it and get a cable modem instead. If I get a cable modem, I will effectively be paying something like $100 a month for connectivity. I'd write letters to the local papers complaining, but they have the right to shut off our internet for no reason (signed the TOS sheet, bleh). If they shut me off, I get to keep paying for the internet I can't use because it's technically paid for by the rent I agreed to pay. That would be somewhat similar to ~ 2 months of downtime I had a couple semesters ago, where I had to keep paying the same amount of rent.
What's to stop someone from doing a ping sweep of a subnet and giving their machine a static IP of one that doesn't respond to beat your DHCP restrictions?
(this is an honest question, not a flame)
And before you say that the MAC is banned:
- MAC's can be changed.
- ANY firewall product on any OS that I've used will record the MAC (when it can of course) along with an IP.
I dunno. Maybe I'm not thinking of something, but, that system sounds pretty easy to beat. Granted I'm a "Computer Geek" and probably somewhere near 70% of the students aren't, but...I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretaping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Friends don't help friends install M$ junk.
The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
--- www.f-theocean.com