Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all Windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step forward, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.
:)
Students are at college to learn. Educate them
Error 407 - No creative sig found
My sister attended the University of Arkansas last year. The network was terrible, even with the required virus software installed. Automating the process is a great idea. The privacy concerns are a bit of a drawback, but an external hard drive with some basic encryption would solve most people's fears. Although, to be fair, all Mac OS computers should have the same thing; Mac OS is NOT 100% secure (check apple.com for the Mac OS security updates.) This is a bit 1984/Big Brother-ish.
I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lacks anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software itself doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P
My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.
There was Cowboy Neal at the wheel of a bus to never-ever land.
I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.
I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.
Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning Outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost-effective solution that a small private college can implement?
This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.
Will the college be taking responsibility for data lost when a Microsoft patch is installed and a system that's less than generic is rendered unbootable? That seems to happen on at least 1 out of every 20 systems EVERY time there's a security update, in my experience.
Interested in open source engine management for your Subaru?
I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.
Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.
I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
If the college is requiring monitoring software to protect all PCs on a network and the owner of the machine pays for this service, it could create some liability issues for the college. If someone were to hack the auto updating system and push out some harmful software which damaged students' data and/or machine, people would blame the university for not preventing it and demand compensation. Depending on state laws, they might not even be able to insert some sort of legally valid disclaimer in their policy. In addition, if the network were hacked to create a massive spamming/DDOS system using all of those PCs on the university's high bandwidth internet connection, they would instantly be added to every blacklist in the world and would have a very hard time using email after that.
A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?
AccountKiller
I go to the University of Virginia, and the entire network took a huge hit last year with all the viruses. So, they started requiring people to register their MAC addresses. Basically, before they could tell what room you were in by IP address, but to be able to contact you, they would have to search who is living in that room, and which jack a person is on. Anyway, with the new system, they can easily send you an email saying "your computer is infected" and send you a link to the updates for Norton AntiVirus (which is free for students). It seems to work pretty well and it's not that much of a pain. Much less involved on the network admin's part, and much, much, much less over-the-shoulder monitoring.
I think my principles are reachin' an all time low
Well, welcome to the real world. This is exactly the policy you can expect to find in an enterprise environment. I see no good reason why it should not be applied to colleges/schools as well. After all, you are being plugged into their network infrastructure, and it's their job to keep the network running and available for all students.
Never, ever lose a file again. Ever.
This presumes you have IT people who know what the fuck they are doing. Guess what? It ain't always so.
I manage a bunch of machines in a department of a university. The security of this department was abysmal, and they inevitably were compromised.... well then suddenly it was this huge lock down everyone had to toe their lines because they were in charge (even though, had they been doing their jobs right in the first place, the compromise would never have happened). They started to boss me around.
For example:
1) You have to "upgrade" all these computers to Win2k, to which I politely but adamantly told them "NO. These computers are running $20,000 of legacy hardware and there are no Win2k drivers. Are you going to give me $20,000 to buy new hardware and pay my salary for 3 months to rewrite all my software to work with it?" When they realized they couldn't bully me because I actually know what the fuck I'm doing, they said "ok we are going to put you on your own little subnet where you can't hurt the rest of us."
2) The head IT guy told me that I had to wipe all my Linux installs. The only Linux distro I could install was SuSe because the others "had security holes." This guy had no Linux experience so I politely told him that he was incorrect, and invited him to break into my box. He got one of his subordinates to try to crack it over a weekend, and couldn't (again, because I know what the fuck I'm doing)... so they grudgingly let me keep my installs.
Well a couple of months later they had another compromise, so they automatically blamed me and locked out my subnet, and then didn't bother to TELL ME, despite the fact that I had treated them with professionalism and courtesy.
After hours of troubleshooting, I went to talk to them and they said what they thought had happened. I told them that my machines were fine. They kept insisting that I was compromising their network so I made them show me the logs. The MAC and IP addresses were from none of my machines... not even through the router for my subnet! They simply hadn't even looked! They were just so ignorant and so petty that they blamed me. I lost many many hours of time thanks to them.
There are a lot of knowledgeable, professional IT people in a University environment. There are also a great many fucktards, some of them with serious attitude problems. If you have the good kind, booting off the network is a good policy. If you have idiots, it's a nightmare for people like me who just want to get our work done.
Before implementing this kind of spybot, Syracuse University used to require that students caught running the major virus-of-the-month bring their students to the CMS office at the center of campus, where a work study student would install McAfee (which the school has always had a site license that covered all students for) and then clean up the worm. This was done only during business hours and was intentionally slow... having your computer impounded for the weekend was an intentional side effect of this process as a punishment for being so dumb.
Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.
Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill Gates mess with it. It's already compiling lists of all the music and movies you play and it sends all sorts of information back home. Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?
LSU can and does monitor traffic at building routers. Unusual activity has them block the MAC address. It's much easier than requiring expensive commercial software that does not work.
Unfortunately, LSU is moving toward just that kind of stupid requirement. They are specifying that Winblows machines on their network have "up to date" virus software. That's fine, so long as they don't require Winblows in the first place. The student senate is considering a laptop and Active Directory requirement. What a nightmare.
There's lots of room between turning every computer on campus into a campus owned DRM'd dumb terminal and letting the Windows machines destroy the campus network. They could continue blocking actual problems at the router instead of requiring the very source of the problems be run by all. They can offer the service voluntarily to those who simply have to have winblows. Macs, Linux and commercial Unix do not have the same problems and should be encouraged. Computing services should make running Windows as easy as they can and that includes offering virus protection, but they defeat themselves when they dumb the network down for it.
Friends don't help friends install M$ junk.
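The router-side approach described in the post above (watch traffic, block the MAC that misbehaves) can be sketched as follows. This is an added example, not part of the thread and not any university's tooling; the flow-record format, the thresholds, and every address are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed look-back window
FANOUT_THRESHOLD = 20    # assumed: distinct destinations on one port before flagging


def parse_flow(line):
    """Parse one constructed record: 'epoch src_mac src_ip dst_ip dst_port'."""
    ts, mac, src, dst, port = line.split()
    return float(ts), mac.lower(), src, dst, int(port)


def find_scanners(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD,
                  exempt=()):
    """Return {mac: (port, peak_distinct_destinations)} for hosts whose
    fan-out on a single destination port reaches `threshold` inside a
    sliding `window`. `exempt` lists MACs that legitimately fan out
    (resolvers, mail relays) so they are never flagged."""
    exempt = {m.lower() for m in exempt}
    records = sorted(parse_flow(l) for l in lines
                     if l.strip() and not l.lstrip().startswith("#"))
    recent = defaultdict(deque)          # (mac, port) -> deque of (ts, dst)
    flagged = {}
    for ts, mac, _src, dst, port in records:
        if mac in exempt:
            continue
        q = recent[(mac, port)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            best = flagged.get(mac)
            if best is None or distinct > best[1]:
                flagged[mac] = (port, distinct)
    return flagged


def block_list(flagged):
    """MAC addresses to hand to the switch/router ACL, in stable order."""
    return sorted(flagged)


def build_sample_flows():
    """Constructed traffic: one sweeping host, one busy host, one slow host."""
    flows = ["# epoch src_mac src_ip dst_ip dst_port (constructed sample)"]
    # Worm-like sweep: 40 different hosts on 135/tcp in 40 seconds.
    for i in range(40):
        flows.append(f"{1000 + i} 02:00:00:00:00:AA 10.1.2.200 10.1.2.{i + 1} 135")
    # Busy but normal: many connections, only 5 distinct servers.
    for i in range(30):
        flows.append(f"{1000 + 3 * i} 02:00:00:00:00:bb 10.1.2.201 198.51.100.{i % 5 + 1} 443")
    # Slow browsing: 25 distinct servers, but spread over 250 seconds.
    for i in range(25):
        flows.append(f"{1000 + 10 * i} 02:00:00:00:00:cc 10.1.2.202 192.0.2.{i + 1} 80")
    return flows


if __name__ == "__main__":
    hits = find_scanners(build_sample_flows())
    for mac in block_list(hits):
        port, peak = hits[mac]
        print(f"block {mac}: {peak} distinct hosts on port {port} within {WINDOW_SECONDS}s")
```

Only the sweeping host crosses the threshold; the busy and slow hosts stay connected, which is the false-positive behaviour to check before wiring the output to an actual block.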
80k, ha. My school decided that 16k was all anyone ever needed, "so the network wasn't saturated". You don't know how many times I have looked at ways to increase this. (Anyone got any ideas? It's internet, not intranet limited.)
AccountKiller
Don't know about US law... but I used a similar idea here in Canada to try and sue the government into paying for the damage to my bike by going through a pothole.
;)
The end result was, I still have to pay taxes for road repair, but the city is not at all liable for the road actually being in good enough condition that my bike isn't damaged by its use... even though I pay for it. I'm sure the university would use some similar logic... we're not responsible for any damage to your software/hardware, but you are if you mess with it...
It's called a no-win situation.. life is full of them... get used to it!
---
Programming is like sex... Make one mistake and support it the rest of your life.
Giving a college employee (who is likely a student) access to run any program with administrator rights is ripe for abuse. Even if this is limited to running a batch file daily (or weekly or ...) it would be trivial to add functionality to, for instance, copy all .gif files to look for an off color photo of any of the female students... or delete a research paper, install a keylogger, (re)enable a webcam's image capturing to see what you were missing while the owner thought it was off etc.
Of course, you also mentioned the problem of the machine giving out all these patches being compromised. Even if your college were lucky enough to find someone honest enough to not do anything intentionally evil, compromise of that one machine would provide the attacker access to run anything as administrator on all connected systems.
This is reminiscent of landlord/tenant laws. The landlord is required to give notice before entering someone's living space. And similar to the difference between department stores monitoring their dressing rooms for shoplifting vs. your landlord putting a camera into your bedroom and bathroom "to make sure you aren't using drugs / damaging anything/etc"
It may be legal for the college to do this, but certainly isn't something it should be doing.
Anyway, I'd be configuring VMware to run the university-accessible copy of Windows and only use that for NAT. Anything you send over their network cleartext is fair game, anyway.
I've got the laptop in question right here, (I'm typing on it now) and yeah, I dual-boot Linux (Knoppix knx-hdinstall) and Windows 2000 SP4. I need to upgrade the hard drive to give both systems the space they need to coexist happily, but even now they both are happy together. The hard drive is 10GB, there is 228MB of RAM in here, and I have both a wired NIC and a Prism-based 802.11b card to use with it. It won't run Neverwinter Nights or Doom 3, or anything like that, but from what I understand Starcraft will probably run on this. I can certainly play KMahjongg on this until the cows come home.
However, I intend to use this machine primarily on Linux...*especially* when it is hooked up to the University network. Everyone knows just how good OpenOffice.org is as an Office alternative, and how much it needs to evolve, so I won't say much about that. However, the SPSS requirement is something that takes some thought.
After some judicious googling, I found two SPSS alternatives: The R Project and GNU/PSPP. I don't know much about either program, (nor do I know much about SPSS) but it's good to know there are at least two alternatives that leap out at you when you look for it.
Linux should be a supported alternative at all Universities and Colleges throughout the world. Actually, I think Linux should be promoted over Windows, and I am not alone in thinking this.
Linux solves a lot of problems that bedevil IT departments at Colleges and Universities. It comes with great Free/Open Source alternatives to widely-bootlegged proprietary software. It is less prone to malware, viruses and trojans. It is more secure than Windows. And if you look beyond full-figured GUIs like GNOME and KDE and use trim window managers like IceWM, BlackBox, XFCE and so on, you can run graphical Linux on modest computers. Linux + KDE is actually quite nimble on my 400MHz ThinkPad 600E, and I have seen it run OK on 233MHz Pentium systems with 128MB RAM or better. If Windows 2000 will run on a machine, Linux and KDE will also run.
All these problems the article we're discussing enumerates would be ameliorated if not completely sidestepped by encouraging alternatives to a Windows Monoculture.
Knowledge is power. Knowledge shared is power multiplied.
Do the savings in software costs cover the downtime and maintenance costs?
Also, is all that 'free' software even used?
Just curious.
You should look into your state's renter/landlord laws. In Kansas it's called the Kansas Residential Landlord and Tenant Act. Our law explicitly forbids billing for bundled services not necessary for occupancy. I forget the exact wording but that's the gist of it. A lawyer in your area might be better able to advise you. I wouldn't be surprised if they are overstepping their bounds. All places like that will until someone stands up for themselves and fights back. Best of luck, and move out.
You do not connect!
If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.
If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.
I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.
Never argue with an idiot, they drag you down to their level and beat you with experience.
Huh. So, in other words, because the IT department is unwilling/unable to deal with more secure operating systems, students are doomed to suffer with the most insecure OS yet devised by the hand of man. Interesting.
Actually, this smacks somewhat of a job-security issue. If students were all running Macs or Linux or what-have-you, there might be less need for IT personnel.
The higher the technology, the sharper that two-edged sword.
And you signed on for this... why?
A few factors to consider here
1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.
I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.
As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.
What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.
Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.
But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....
Then, it got better for awhile, but the network got bad again. Hours with computing services on the phone later... they insist that I have a virus or hardware problem. I knew there was nothing wrong with my computer, it worked fine when I had it home over break, and I do my updates and run a firewall and such. I only had a week left of class at this point before the end of the semester, so I just dealt with having internet maybe 50% of the time (which is traumatic for me). But sure enough, when I got home with my computer, NOTHING was wrong with it, the internet was fine. What I think was wrong with it was ppl with worms... Zone Alarm would pick up dozens of port scans every minute... and I tried to tell computing services the IPs of those doing it, but they would have none of that.
In summary, college networks need to do something about this. I wonder why they don't just run cable or DSL to the rooms instead of dealing with this network jazz. I guess it would be more expensive, but I would rather pay more for reliable internet service myself. They are supposedly going to make more stringent requirements next year, but if they make me do some autoupdater crap I won't like that idea. I'm not sure what a good solution would be, but something needs to be done.
The Present is the point at which time touches eternity. - C.S. Lewis
Well, it's the university's network, no matter if the government or the students' collective tuition helps pay for it.
Seems reasonable to require precautions on the part of anyone who wishes to connect to the network. To that end I figure they should provide at minimal cost an anti-virus and firewall package to help keep infections and intrusions to a minimum. But installing software which monitors the individual computers...I don't like that idea at all.
Seems like from there it's just a short hop to "We have to monitor your computers to make sure you don't have any MP3s or videos or (insert potential copyright violation here) so we can avoid lawsuits."
Maybe-and this is a big maybe-but MAYBE the universities should work a little harder to educate the students (say, a required class during freshman orientation?) on the importance of running a firewall and a/v software. Set up a live demo with a honeypot on stage, and show them how quickly it can happen. Sort of a digital "scared straight".
Please note that "twitter" is a known fanatical psycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.
Wow. You must have some TIME on your hands to put together such blather. Since it's obviously important to you, I'll take a few myself.
1) Your very first sentence is self contradictory, assuming that you meant "sycophant"... How can somebody be a sycophant and obnoxious/off-topic? Or did you not notice the word "flattery" in the definition?
2) This is slashdot. Here is where people spend leisure time and blather. Such as, for instance, your post. Get over it. Think of slashdot as the online equivalent of a bar. Some people talk too much. Some people really should shower more often. Some people wear clothes that were fashionable in the 80's. Get over it.
3) It's OK to not like Microsoft software. Probably 80% of my experience of cyberspace is done via Linux. I hate the worms, viruses, spyware, and general crap as much as the next guy. I love the clean, easy way Linux lets me at the guts of the system to result in a stable, secure platform.
4) Even if twitter is some lonely, desperate, delusional, megalomaniac karma whore, how is posting stuff on slashdot being "part of the open source/free software community."? Contributing software is "being part of the OSS community" - posting on slashdot is being part of the slashdot community!
Get off your high horse, dude. People are entitled to be a bit nuts - you'll probably figure that out (as most people do) when you get to be around 30.
Oftentimes, the nuttiest people are the most brilliant.
I remember a gentleman named "Gary". I won't give his last name. He was one of the strangest people I'd ever met. Remember "Revenge of the Nerds"? Well, the cast of that movie tried in vain to capture the spirit of Gary.
The kind of guy who really DID drive a mustard-brown, 20-year old station wagon at 35 MPH down the Interstate - stuffed to the gills with books, bird cages, a pet lizard, folding chairs, boxes of clothing obtained at a thrift store, and consumed Jolt cola bottles.
He attended community (There's that word, in this case, it was people in the area in which I lived meeting together) meetings that I often attended as well, meetings congressed to discuss legal and political issues.
Having talked briefly with Gary before, and figuring him for being partially mentally handicapped, it was a great shock when, during a speech on the history of the US Constitution, Gary raises his hand, and then spends several minutes giving a detailed, ornate, and incredible rendition of the history of an important event. (I could be wrong, but if I remember correctly it was the ending of the civil war)
I was shocked, and I wasn't the only one. Everyone I knew looked at each other in surprise and bewilderment. This? Coming from GARY!?
So, before you go knocking on twitter for having a good time mentally masturbating on slashdot, remember this old saying:
"There's enough good in the worst of us, and enough bad in the best of us, that it ill behooves any of us to think the worst of any of us".
I have no problem with your religion until you decide it's reason to deprive others of the truth.
It comes down to this: the university needs to protect its network. If a student is using that network, the university ought to be able to monitor for illegal downloads just as much as they should protect the accessibility of transcript or payroll data. The actions are different, monitoring bits vs maintaining a secure system, but their end is the same. Does capability to block spyware compromise a student's privacy?? fw
This is already the case at Washington State University (Pullman, WA), where if your on-campus IP address is banned when their network monitoring software finds that you are either massively uploading or downloading or scanning ports or have a virus, they require you to physically take your PC to the IT office to be scanned for the offending items before they re-enable your IP. Their take is that they are protecting students from viruses and copyright material lawsuits, but it really pushes the boundaries of personal privacy.