Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.
:)
Students are at college to learn. Educate them
Error 407 - No creative sig found
Perhaps you might want to (anonymously) remind them that by assuming management of individuals' computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
My campus will disconnect any computer it finds vulnerable. I suppose this could be considered the next step in that direction, but this time students have a way to be sure that they don't end up disconnected at an inconvenient time.
If this were my school, however, I think I'd find it easier to make my computer not look like a windows machine to the network, then deal with stuff on my own instead of trusting their software.
next step:
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software I MUST install.
Personally, I'd much rather just get cut off and be notified why. I don't like the idea of giving over control of my computer like that.
I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lacks anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software itself doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P
My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.
There was Cowboy Neal at the wheel of a bus to never-ever land.
No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsibility to protect their network and others on that network.
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
I think that should clear it up. And since it's the computer science department that's running this, I would think that they know of other OSes other than windows i.e. Linux, BSD, OSX, etc., and rightfully evaluate them differently.
--
Registered .sig quotient : 1337
Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, dsl, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run napster. All the off campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.
I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.
Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?
Well if it's ok then, gimmie your IP and root pw so I can scan your computer to make sure you dont have anything that will cause problems to everbodys intarweb.
Your hair look like poop, Bob! - Wanker.
Then they can sell the video feed on the internet and help to reduce tuition fees with the income they make.
It's a win-win situation, ppl around the world can get unscripted reality web broadcast (maybe pr0n) and let a lot of students complete a college education, it doesn't matter if it is to flip burgers at McDonald's
Think man! Stop drawing attention to it, and start trying to hack it. Don't be a fool!
-- http://thegirlorthecar.com funny dating game for guys
... run Linux. At least I tell them that, and they believe it well enough.
In truth, I run XP with a good firewall most of the time.
The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targeting your environment, rather than having to deal with the after effects of the bzillions of non-targeted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone else's actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Ok, I give up, why you?
I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.
Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.
I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
Here they don't care what you do. They have a policy in place so they "can" get you, but they really don't care. If you start using ridiculous amounts of bandwidth, they will cut you off. But you have to be like, hosting an anonymous ftp that gets slashdotted for that to happen. Also if you are sending spam they cut you off. They don't care about your computer, just their network. And if you muck around they cut you off at the switch level. It's as simple as that.
The GeekNights podcast is going strong. Listen!
This doesn't sound like a very good idea. Even if the school itself is trustworthy and doesn't examine student files for content, such as illegally downloaded copyrighted materials, it is far too tempting a target for hackers--a nice centralized system with which he or she can control the entire campus's Windows machines. I much prefer Dartmouth College's response to the problems of viruses and worms--if something is detected, you'll be kicked off the network and you won't be allowed back on until your computer is clean.
Many companies use features available for Windows Servers and third-party software to force updates and patches if you connect a computer to their network, or, more specifically, attempt to get a network address or login to the company domain.
For Windows users, this isn't really a bad thing as a whole, since it's not your job (and nor would you want it) to remember and know every frickin' problem that Windows has or its severity. So, let the campus ITs do their work to keep you and other computers playing nice-nice on the network.
On the other hand, the campus IT needs to be careful what they send as compulsory updates. Some PCs do not take certain updates well for God Knows Why, which could hose your system in some way. If that happens, I wouldn't know what your recourse would be to have your campus IT fix what it broke.
And don't think I'm just picking on Windows, either--other operating systems, including Mac OS X and Linux, need some necessary updates, too. Those operating systems (so far) have had far, far fewer viral attacks than Windows that cause Bad Days.
That could change someday.
Vos teneo officium eram periculosus ut vos recipero is.
> it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.
Just get a freakin' Mac. I'm serious. When a bureaucracy starts doing heavy-handed stuff like this, it means they are backed into a corner and will not be any fun to live with. Escape now.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
I didn't hear apples mentioned?
We polish 'em up and give 'em to teacher.
KFG
I just attended ResNet 2004 which is a conference devoted to the Information Technology departments of all Colleges and Universities across the globe. There are usually around 300 participants and many others who do not make the guest list. I think the biggest conversation among those at the conference was where the line is between appropriate and not appropriate actions to help keep the networks clean as well as the students' computers. You can check out http://www.resnetsymposium.com for the website or http://web.princeton.edu/sites/resnet/ for a list of those who attended. There is also a listserv for @ http://listserv.nd.edu/archives/resnet-l.html. All of these sites will give you contacts for people who have answers to your questions. A trend for schools is purchasing solutions such as Perfigo www.perfigo.com or Bsi's campus manager http://www.bradford-sw.com to help them do their dirty work.
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
-RockDoggy
it's my machine, not the schools
if the school was buying me the machine, i'd say fine
the school should not be playing mommy and daddy to the machines... if they see someone spreading worms then they should disconnect them and send a polite note saying why and how to fix it
special software may be good for the kl00 phucked lusers, but to the people who know what they're doing it will be an annoyance
besides, are they going to send people around to check? what's to stop me from uninstalling the software when the pimple-faced "support tech" leaves the room?
...and that's all there is to it.
I work for computer services at my college, and we have a number of Mac labs. We have absolutely no problem with these whatsoever. However, it's impossible in a college setting to have a completely homogeneous selection of platforms. We need our PCs for everything from our accounting courses (some specialized software) to our comp sci courses (Yeah, they force us to use Visual C++, switching to .NET next year).
In all honesty, at a small college like the one I attend, there's a good reason to go with PCs from a financial standpoint: Despite educational discounts, Macs still cost more than PCs. That's a simple fact. Secondly, Microsoft gives AMAZING educational discounts for their software. I'm not talking about the "Educational" licenses for students, but rather we get X amount of free software per year, which is really a boon for our computer services department. We recently got our budget cut in half (management isn't comprised of the brightest of individuals), so the financial aspect is really appealing.
If we had the option to run all Macs, I'd swing for it in a minute, as far as my duties for computer services are concerned. It would make my job a helluva lot easier. However, we don't have that option, and I think you'll find that the same is true for most small colleges.
I hate to respond to an AC, but I believe that I have to. While there are not widespread viruses or worms for Mac OS, there are security exploits (why else would Apple issue security updates?). A good portion of these network killing attacks are security exploits, not viruses/worms.
A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?
AccountKiller
When you've got "root", which gives you "ring-0" access to everything on the box, you have access to the encryption software, and hence can pull the key used to decrypt the data (assuming the decryption is done by the host computer), or more likely, just ask the encryption software to fetch the file on your behalf. Most virus scanners would indeed try to access the data as soon as it is mounted and ready to read decrypted data, and so could any other software the university might want to install on the computer.
X-Has-Sig: yes
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanent "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone whose internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT departments (perhaps specifically at small liberal arts or private schools) may tend to be a little overzealous when telling students what they must and/or can't do.
"What do you care what other people think?" -Richard Feynman
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Don't blame me, I didn't vote for either of them!
> I am a CS student at a small Liberal Arts college
When I read this my mind immediately expected it to be followed by something like:
"I am a CS student at a small Liberal Arts college. I've never been lucky with girls and nothing like this has ever happened to me before. One night I was up late in the laundry room and this beautiful girl walked in..."
- For the complete works of Shakespeare: cat
Any time an institution requires software to be installed at all, it's a red flag that says that institution is doing something else wrong. While it's a good idea for students to keep their computers up to date with virus scanners and security patches and the like, it's not a good idea for the institution to take that responsibility away from the students themselves.
I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wallport reactivated increased awareness.
The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.
So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
> one step foreword
He sure isn't a spelling major
I go to the University of Virginia, and the entire network took a huge hit last year with all the viruses. So, they started requiring people to register their MAC addresses. Basically, before they could tell what room you were in by IP address, but to be able to contact you, they would have to search who is living in that room, and which jack a person is on. Anyway, with the new system, they can easily send you an email saying "your computer is infected" and send you a link to the updates for norton antivirus (which is free for students). It seems to work pretty well and it's not that much of a pain. Much less involved on the network admin's part, and much, much, much less over-the-shoulder monitoring.
I think my principles are reachin' an all time low
At my school (Michigan Tech), I remember receiving several emails stating that students' internet access would be disabled if they were infected with $latest_worm. The IT department typically caught the worms as the first few machines were infected, and killed their network connection. The network performance never suffered as far as I could tell.
At the other end of the spectrum, some friends of mine at other schools were unable to use any network related stuff because their IT departments completely ignored the worm problem. I'm not sure if this was because of incompetence, indifference, or a little of both.
Funny anecdote, I'm sitting here at Million Man LAN. Someone brought in a machine infected with sasser, and within minutes there were hundreds of people infected. You'd think that the gamer crowd would be up to date with their patches.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Well, welcome to the real world. This is exactly the policy you can expect to find in an enterprise environment. I see no good reason why it should not be applied to colleges/schools as well. After all, you are being plugged into their network infrastructure, and it's their job to keep the network running and available for all students.
Never, ever lose a file again. Ever.
Why Mac users flippantly flaunt OS X's robustness is beyond me -- they're just begging for trouble. Just let the platform fly under the radar and remain undisturbed.
Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.
Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill Gates mess with it. It's already compiling lists of all the music and movies you play and it sends all sorts of information back home. Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?
LSU can and does monitor traffic at building routers. Unusual activity has them block the MAC address. It's much easier than requiring expensive commercial software that does not work.
Unfortunately, LSU is moving toward just that kind of stupid requirement. They are specifying that Winblows machines on their network have "up to date" virus software. That's fine, so long as they don't require Winblows in the first place. The student senate is considering a laptop and Active Directory requirement. What a nightmare.
There's lots of room between turning every computer on campus into a campus owned DRM'd dumb terminal and letting the Windows machines destroy the campus network. They could continue blocking actual problems at the router instead of requiring the very source of the problems be run by all. They can offer the service voluntarily to those who simply have to have winblows. Macs, Linux and commercial Unix do not have the same problems and should be encouraged. Computing services should make running Windows as easy as they can and that includes offering virus protection, but they defeat themselves when they dumb the network down for it.
Friends don't help friends install M$ junk.
Double shoot ... how many of them even bother writing their term papers? Just download 'em!
many universities require students to reside in campus housing for at least the first year, many for 2 years.
"Sic Semper Tyrannosaurus Rex."
AccountKiller
Our campus is using Cisco routers, so we enable NetFlow and dump the output to another host running FreeBSD. (FreeBSD has a NetFlow implementation using netgraph if you don't use Cisco routers, though we haven't tested it.)
The FreeBSD box is actually our main gateway before going out to the Internet. Then, we wrote a script to detect flow counts to ports used by common worms/viruses, and if it's more than 100 at one time, we save the IP address to a database. This script runs every 10 minutes using cron. The script first deletes all entries and then inserts the new IP addresses every 10 minutes.
Then, we set the firewall running on the FreeBSD box to block all connections from the IP address and transparently route any HTTP connection to our emergency response page. The page notifies the student that his/her PC is infected with a certain virus (based on the port it tries to connect to).
We only allow them to connect to Windows Update, the Symantec website and our Emergency Response website. All other connections are blocked. We cache all the Windows patches using our transparent proxy so that when they want to update their PC, they won't have to wait for several hours.
On our Emergency Response page, we provide free antivirus, the latest Symantec antivirus pattern update, Spybot and its updates and also dcombobulator. A short description of the suspected virus infecting their PCs is given on the website.
The emergency page also lists all the IP addresses of PCs suspected to be infected with worms, the location on our campus (based on the VLANs), the number of flows detected coming from the PC, the MAC address, the name of the PC (Windows), and the user currently using the system. Some of the details we got using NetFlow, and others we got using nbtscan.
Every semester, the user has to sign a document saying that his/her PC has antivirus software installed and up to date.
We are planning to use Snort to detect suspicious packets using Snort's signatures and block the IP addresses detected.
We do receive complaints from students regarding this implementation, where the students say that their PC is up to date and free from viruses. But after further investigation, their PC was infected. It seems that they just assume that their PCs are free from viruses without actually scanning with antivirus.
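The flow-count check described in the post above, and the traffic-pattern port shutoff the University of Washington commenter mentions earlier in the thread, could look like the following. This is an added example, not the poster's script: the `src,dst,proto,dport` record format, the campus range, the port-to-worm table and the SQLite storage are all assumptions, and the sample window is constructed.

```python
import ipaddress
import sqlite3
from collections import Counter, defaultdict

# Assumption: illustrative port-to-worm table; the post does not list its ports.
WATCHED_PORTS = {
    ("tcp", 135): "Blaster (RPC/DCOM)",
    ("tcp", 445): "Sasser (LSASS)",
}
THRESHOLD = 100  # post: flag a host with more than 100 flows in one run
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed address plan


def parse_flow(line):
    """Parse one 'src,dst,proto,dport' record; return None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None


def find_suspects(lines):
    """Count flows per campus source to each watched port in one window.

    Returns sorted (ip, port, flows, suspected_worm) tuples for hosts whose
    busiest watched port exceeds THRESHOLD.
    """
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip bad export rows instead of aborting the run
        src, _dst, proto, dport = rec
        if src in CAMPUS_NET and (proto, dport) in WATCHED_PORTS:
            counts[str(src)][(proto, dport)] += 1
    suspects = []
    for src, per_port in counts.items():
        key, flows = per_port.most_common(1)[0]
        if flows > THRESHOLD:
            suspects.append((src, key[1], flows, WATCHED_PORTS[key]))
    return sorted(suspects)


def open_db():
    """In-memory stand-in for the database the firewall reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked (ip TEXT PRIMARY KEY, port INTEGER, "
               "flows INTEGER, suspected TEXT)")
    return db


def refresh_blocklist(db, suspects):
    """Delete all entries and insert the new ones, as the post describes.

    Both steps share one transaction so a reader of the table never sees it
    empty halfway through a refresh.
    """
    with db:  # commits on success, rolls back on error
        db.execute("DELETE FROM blocked")
        db.executemany("INSERT INTO blocked (ip, port, flows, suspected) "
                       "VALUES (?, ?, ?, ?)", suspects)
    return [row[0] for row in db.execute("SELECT ip FROM blocked ORDER BY ip")]


def sample_window(scanner="10.20.5.77", port=445, flows=150):
    """Constructed 10-minute window: one scanning host plus ordinary traffic."""
    lines = [f"{scanner},10.20.{i // 250}.{i % 250 + 1},tcp,{port}"
             for i in range(flows)]
    lines += [
        "10.20.5.12,10.20.1.10,tcp,445",    # ordinary file-share use, 1 flow
        "10.20.5.12,192.0.2.80,tcp,80",     # web traffic, not a watched port
        "198.51.100.9,10.20.5.12,tcp,135",  # off-campus source, not counted
        "garbage line",                      # malformed row
    ]
    return lines


if __name__ == "__main__":
    db = open_db()
    print(refresh_blocklist(db, find_suspects(sample_window())))
    # Next cron run: the host has been cleaned, so its entry disappears.
    print(refresh_blocklist(db, find_suspects(sample_window(flows=20))))
```

Because the table is rebuilt on every run, a host stays blocked only while it keeps exceeding the threshold, which matches the post's ten-minute delete-and-insert cycle.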
Giving a college employee (who is likely a student) access to run any program with administrator rights is ripe for abuse. Even if this is limited to running a batch file daily (or weekly or ...) it would be trivial to add functionality to, for instance, copy all .gif files to look for an off color photo of any of the female students... or delete a research paper, install a keylogger, (re)enable a webcam's image capturing to see what you were missing while the owner thought it was off etc.
Of course, you also mentioned the problem of the machine giving out all these patches being compromised. Even if your college were lucky enough to find someone honest enough to not do anything intentionally evil, compromise of that one machine would provide the attacker access to run anything as administrator on all connected systems.
This is reminiscent of landlord/tenant laws. The landlord is required to give notice before entering someone's living space. And similar to the difference between department stores monitoring their dressing rooms for shoplifting vs. your landlord putting a camera into your bedroom and bathroom "to make sure you aren't using drugs / damaging anything/etc"
It may be legal for the college to do this, but certainly isn't something it should be doing.
Anyway, I'd be configuring VMWare to run the university-accessible copy of Windows and only use that for NAT. Anything you send over their network cleartext is fair game, anyway.
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretapping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Friends don't help friends install M$ junk.
I've got the laptop in question right here, (I'm typing on it now) and yeah, I dual-boot Linux (Knoppix knx-hdinstall) and Windows 2000 SP4. I need to upgrade the hard drive to give both systems the space they need to coexist happily, but even now they both are happy together. The hard drive is 10GB, there is 228MB of RAM in here, and I have both a wired NIC and a Prism-based 802.11b card to use with it. It won't run Neverwinter Nights or Doom 3, or anything like that, but from what I understand Starcraft will probably run on this. I can certainly play KMahjongg on this until the cows come home.
However, I intend to use this machine primarily on Linux...*especially* when it is hooked up to the University network. Everyone knows just how good OpenOffice.org is as an Office alternative, and how much it needs to evolve, so I won't say much about that. However, the SPSS requirement is something that takes some thought.
After some judicious googling, I found two SPSS alternatives: The R Project and GNU/PSPP. I don't know much about either program, (nor do I know much about SPSS) but it's good to know there are at least two alternatives that leap out at you when you look for it.
Linux should be a supported alternative at all Universities and Colleges throughout the world. Actually, I think Linux should be promoted over Windows, and I am not alone in thinking this.
Linux solves a lot of problems that bedevil IT departments at Colleges and Universities. It comes with great Free/Open Source alternatives to widely-bootlegged proprietary software. It is less prone to malware, viruses and trojans. It is more secure than Windows. And if you look beyond full-figured GUIs like GNOME and KDE and use trim window managers like IceWM, BlackBox, XFCE and so on, you can run graphical Linux on modest computers. Linux + KDE is actually quite nimble on my 400MHz ThinkPad 600E, and I have seen it run OK on 233MHz Pentium systems with 128MB RAM or better. If Windows 2000 will run on a machine, Linux and KDE will also run.
All these problems the article we're discussing enumerates would be ameliorated if not completely sidestepped by encouraging alternatives to a Windows Monoculture.
Knowledge is power. Knowledge shared is power multiplied.
Forcing students to meet some very sensible minimum computer security requirements (such as up-to-date anti-virus and operating system software) will not limit their academic freedom or ability to express themselves in any way, so what's the problem? Other technical solutions that would warrant investigation include separating academic and administrative network resources (my alma mater had the administrative systems on a separate physical network) and performing regular "un-cooperative" vulnerability assessments of the student and residential networks (i.e. a safeties-off penetration test with Nessus or similar).
Now, if we were discussing unfiltered Internet access for said students, I could see room for several good arguments (e.g. granting students the ability to develop Internet-accessible systems, but balancing that against the abuse of these projects to affect the institution or other students or other Internet-connected systems, etc.) But "Academic freedom" doesn't free a student of basic adult responsibilities. Just as an institution issues students keys for their doors and badges for building access and passwords for their email, an institution should teach a student to be a responsible network citizen by issuing them anti-virus software. This is not unreasonable. So why the "Ask Slashdot"?
I'm proud of my Northern Tibetan Heritage
... on how far they take it. The college I live next to, which shall remain nameless, went through a similar situation. When Blaster, Welchia, et al. hit last year, they sent around the RAs with copies of "utility" CDs containing the patches & virus fixes. Needless to say, they were (and still are) a small college. That was fine right up until they hit a Mac... because the RA and the student who owned the Mac refused to sign the form stating that the patches and fixes had been run (obviously, they couldn't), the "IT dep't" required that the unit be brought physically to their office for inspection.
I'd hate to have someone pawing over my Linux machine every time the latest virus hits the Windows boxes. I'd throw a fit if they forced me to install software on it. I'd really create a fuss if they kicked me off the 'net simply because I'm not running Windows.
And none of this "Let's 'scan' my system and see what's on it, in case I'm breaking copyrights, or doing something else I shouldn't be." What's on my system is none of anybody's business, unless it's impinging upon the network (spam, anybody?). If it's transmitted across the network, it's fair game... if it's already on my hard drive, hands off.
Guess it's just like everything else... as long as it's held to a moderate level, and some common sense is applied, it ought to be fine.
You've missed the point. Should you really be whining about software being required to be installed on your computer, to the point you post an "ask slashdot" (that conveniently hides the institution you attend), when your school puts restrictions on you like legal adults not being allowed to drink?
In other words: most of the students made their choice, paid their money, and are attending Wheaton because they would rather be there than somewhere else.
It's not really relevant to the conversation, but many students are heavily influenced by their parents to attend restrictive religious institutions like this. It's either that, or the parents won't pay, or maybe even support the kid.
AccountKiller
You do not connect!
If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.
If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.
I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.
Never argue with an idiot, they drag you down to their level and beat you with experience.
Before the rash of viruses over the past two years, I would have said that the software costs outweighed the downtime and maintenance costs. I would say that now, no, they don't outweigh the costs, but when they are paying us students (who do 99% of the cleanup when a virus hits) close to minimum wage, it probably is still cheaper for them to take the free flawed software. And yeah, I know the job has a crappy pay rate, but you can't beat how flexible they are around exams, homework, etc.
The 'free' software is generally used, as most of it is comp sci department stuff (VC++, .NET, etc), or some web design stuff, or Word, etc. So yeah, overall it is used for the most part.
I can't think of the name of the software package off the top of my head, but I remember there was some large-scale app that went to waste, and the copies are still sitting in a box in storage from two semesters ago. And due to the licensing agreements, we can't sell or give it away, so it kinda sucks.
A few factors to consider here
1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.
I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.
As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.
What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.
Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.
But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....
It seems to me that it's common procedure to hide certain types of identities when posting questions on Slashdot. This is done partly because the information isn't relevant, and also because it helps reinforce the idea that the situation is more broadly applicable than only to people in that specific situation.
If you had been fair about things instead of changing the subject to that of your personal dislike of policies designed to foster a community where education and personal growth are given utmost priority, you would have acknowledged that the question *was* relevant. Policies like this could easily be implemented in other places - in fact, that was part of "dancedance"'s questions. Wheaton's policy on drinking is irrelevant.
You're probably right that many parents (often alums) give their child a "_college_x_ or nothing" ultimatum with respect to financial support, but that's often for a good reason, i.e., they went there themselves and were happy with the education they received. Anyway, that's their prerogative. And it's hard to claim that anyone is being oppressed (as you implied) at getting an education of Wheaton calibre, costing around $120,000.
What's to question? He goes to a school that has a highly restrictive network policy, and he wants to know what other schools do. Does it matter what his school is?
You guys can bitch all you want, but the problem of having an entire ResNet filled with unpatched, virus/worm/trojan infected windows boxes show up on the last week in August is very real. As is the problem of outbound traffic from compromised windows machines consuming all the available bandwidth. The quarantine until proven clean methodology is becoming fairly standard in the ResNet management circles, as is some sort of authenticated access control that ties a human being to a machine address.
The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.
Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
Well, it's the university's network, no matter if the government or the students' collective tuition helps pay for it.
Seems reasonable to require precautions on the part of anyone who wishes to connect to the network. To that end I figure they should provide at minimal cost an anti-virus and firewall package to help keep infections and intrusions to a minimum. But installing software which monitors the individual computers...I don't like that idea at all.
Seems like from there it's just a short hop to "We have to monitor your computers to make sure you don't have any MP3s or videos or (insert potential copyright violation here) so we can avoid lawsuits."
Maybe-and this is a big maybe-but MAYBE the universities should work a little harder to educate the students (say, a required class during freshman orientation?) on the importance of running a firewall and a/v software. Set up a live demo with a honeypot on stage, and show them how quickly it can happen. Sort of a digital "scared straight".
Just as most schools require a 'basic computer' course - so too, either as part of this course, or as another, there should be a class on basic principles of networking and securing computers - generic for most OS's (linux, OSX, Windows).
Before a student is allowed to connect - they must pass this course.
Once they are connected, the IT department should have the authority to then remove them from the network if the network user in question becomes a nuisance. Expulsion should be tied to grievous violations.
To ameliorate the effects of brain dead students - the network should be set up in smallish segments using switches in a star topology; this will allow you to take away the magic electrons from the ports of the marching morons on an individual basis; hubs are bad - if one becomes infected - they soon all will be.
DNS (WINS resolution) should be set up in such a way as to deny automated resolution of student computer names/addresses within the network. This won't stop students who are smart enough to put their buddy's address in their hosts/lmhosts file - but it will stop the majority of idiots. Disable windows authentication domains...everyone logs into their own computer, and you won't be doing remote administration anyway - you don't need that headache.
Default to disabling known nasty protocols - with the caveat that students can negotiate a legitimate need for ports to be opened up for their use.
Assign static IPs to allow fine grained filtering - to accommodate the variations in students. Some students will have everything turned on and can be fully trusted; conversely, others will barely have any services beyond email enabled. This requires work on your part; automate this functionality of your network, then delegate responsibility for maintaining it to your most responsible students. You would be amazed how fast people become experts at network administration when they are responsible for making it work for everyone. To add a little fat to the fire - if they are dragging their feet on a network-affecting problem - shut down all access to the outside world until they resolve the issue. Once you get the people trained, you shouldn't have to lift a finger.
Email is another big hairball - I won't discuss; given a college/university environment, you will probably have to deal with a lot of spam. On the other hand, if your students and faculty are savvy enough, you could perhaps go to a public key authentication system (everything without a valid key gets bounced). This won't help your internet facing interface much; but will help your internal traffic volume to your mailservers.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Please note that "twitter" is a known fanatical psycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.
Wow. You must have some TIME on your hands to put together such blather. Since it's obviously important to you, I'll take a few myself.
1) Your very first sentence is self contradictory, assuming that you meant "sycophant"... How can somebody be a sycophant and obnoxious/off-topic? Or did you not notice the word "flattery" in the definition?
2) This is slashdot. Here is where people spend leisure time and blather. Such as, for instance, your post. Get over it. Think of slashdot as the online equivalent of a bar. Some people talk too much. Some people really should shower more often. Some people wear clothes that were fashionable in the 80's. Get over it.
3) It's OK to not like Microsoft software. Probably 80% of my experience of cyberspace is done via Linux. I hate the worms, viruses, spyware, and general crap as much as the next guy. I love the clean, easy way Linux lets me at the guts of the system to result in a stable, secure platform.
4) Even if twitter is some lonely, desperate, delusional, megalomaniac karma whore, how is posting stuff on slashdot being "part of the open source/free software community."? Contributing software is "being part of the OSS community" - posting on slashdot is being part of the slashdot community!
Get off your high horse, dude. People are entitled to be a bit nuts - you'll probably figure that out (as most people do) when you get to be around 30.
Oftentimes, the nuttiest people are the most brilliant.
I remember a gentleman named "Gary". I won't give his last name. He was one of the strangest people I'd ever met. Remember "Revenge of the Nerds"? Well, the cast of that movie tried in vain to capture the spirit of Gary.
The kind of guy who really DID drive a mustard-brown, 20-year old station wagon at 35 MPH down the Interstate - stuffed to the gills with books, bird cages, a pet lizard, folding chairs, boxes of clothing obtained at a thrift store, and consumed Jolt cola bottles.
He attended community (There's that word, in this case, it was people in the area in which I lived meeting together) meetings that I often attended as well, meetings congressed to discuss legal and political issues.
Having talked briefly with Gary before, and figuring him for being partially mentally handicapped, it was a great shock when, during a speech on the history of the US Constitution, Gary raises his hand, and then spends several minutes giving a detailed, ornate, and incredible rendition of the history of an important event. (I could be wrong, but if I remember correctly it was the ending of the civil war)
I was shocked, and I wasn't the only one. Everyone I knew looked at each other in surprise and bewilderment. This? Coming from GARY!?
So, before you go knocking on twitter for having a good time mentally masturbating on slashdot, remember this old saying:
"There's enough good in the worst of us, and enough bad in the best of us, that it ill behooves any of us to think the worst of any of us".
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Iowa State has a pretty simple system for these types of things. At the beginning of the year you must register your MAC address with your university email. Then every once in a while they scan the entire network for ports that are open that shouldn't be, or just large amounts of activity on ports of worms and the such. If your MAC address is found to have a worm you are sent an email to clean it. In X number of hours they rescan your machine to see if you took care of the problem yourself. If you didn't they cut off all access besides their webpage and the university email servers. Once you take care of it you shoot them an email, they recheck you, and restore your access. (Great way to piss off your roommate, clone his MAC onto an infected machine.) As far as the role of the student goes I think this is an awesome system. There isn't any sort of software from them running on my machine, and it's not like I'm getting scanned any more than I would while I am sitting at home on my cable line. From the aspect of the admins though I'm sure this sucks. I'm not sure how much of the process is automated. I know for a fact though that the unblocking process is manual. But hey, it works pretty well.
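The scan, notify, rescan, restrict and manual-restore cycle described in the comment above, sketched as an added example that is not part of the original thread and not any university's actual system. The 24-hour grace period, the placeholder hostnames, the treatment of unregistered machines and the switch-port check for a MAC seen in two places at once are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

GRACE_HOURS = 24  # stands in for the comment's "X number of hours" (assumed value)
ALWAYS_ALLOWED = {"www.example.edu", "mail.example.edu"}  # placeholder hostnames


class State(Enum):
    CLEAN = "clean"
    NOTIFIED = "notified"      # owner e-mailed, grace period running
    RESTRICTED = "restricted"  # only the campus web page and mail are reachable


@dataclass
class Host:
    owner_email: str
    state: State = State.CLEAN
    notified_at: Optional[float] = None


class Quarantine:
    """Tracks registered MAC addresses through the quarantine cycle."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Host] = {}
        self.outbox: List[str] = []  # notices that would be e-mailed

    def register(self, mac: str, owner_email: str) -> None:
        self.hosts[mac.lower()] = Host(owner_email)

    def sweep(self, observations: List[Tuple[str, str, bool]],
              now_hours: float) -> Dict[str, str]:
        """Process one scan pass of (mac, switch_port, infected) tuples."""
        ports: Dict[str, Set[str]] = {}
        for mac, port, _ in observations:
            ports.setdefault(mac.lower(), set()).add(port)
        results: Dict[str, str] = {}
        for mac, _port, infected in observations:
            mac = mac.lower()
            host = self.hosts.get(mac)
            if host is None:
                results[mac] = "unregistered"
            elif len(ports[mac]) > 1:
                # Same MAC on two ports in one pass: the address alone no
                # longer identifies a machine, so a person decides (assumed policy).
                results[mac] = "mac-conflict"
            else:
                results[mac] = self._step(mac, host, infected, now_hours)
        return results

    def _step(self, mac: str, host: Host, infected: bool, now: float) -> str:
        if host.state is State.RESTRICTED:
            return "restricted"  # only restore() lifts a block
        if not infected:
            host.state, host.notified_at = State.CLEAN, None
            return "clean"
        if host.state is State.CLEAN:
            host.state, host.notified_at = State.NOTIFIED, now
            self.outbox.append(
                f"{host.owner_email}: clean {mac} within {GRACE_HOURS}h")
            return "notified"
        if now - host.notified_at >= GRACE_HOURS:  # still infected at rescan
            host.state = State.RESTRICTED
            return "restricted"
        return "notified"

    def can_reach(self, mac: str, destination: str) -> bool:
        host = self.hosts.get(mac.lower())
        # Unregistered machines are treated like restricted ones (assumption).
        if host is not None and host.state is not State.RESTRICTED:
            return True
        return destination in ALWAYS_ALLOWED

    def restore(self, mac: str, rescan_infected: bool) -> State:
        """Manual unblock: an admin rescans after the owner's e-mail."""
        host = self.hosts[mac.lower()]
        if host.state is State.RESTRICTED and not rescan_infected:
            host.state, host.notified_at = State.CLEAN, None
        return host.state


if __name__ == "__main__":
    q = Quarantine()
    q.register("AA:BB:CC:00:00:01", "student@example.edu")  # constructed data
    print(q.sweep([("aa:bb:cc:00:00:01", "sw1/3", True)], now_hours=0))
    print(q.sweep([("aa:bb:cc:00:00:01", "sw1/3", True)], now_hours=24))
    print(q.can_reach("aa:bb:cc:00:00:01", "mail.example.edu"))
```
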
...we get X amount of free software per year, which is really a boon for our computer services department. We recently got our budget cut in half (management isn't comprised of the brightest of individuals), so the financial aspect is really appealing.
While this argument shows why you favor Microsoft over Apple, if the financial burden is so large, why not consider upgrading to linux or a *bsd? With the new latest KDE and Gnome desktops coupled with OpenOffice it's not too difficult for an average college student to learn how to use the system. Instead of spending the money upgrading the operating system, software, and virus protection [at least] every few years, why not invest the money into small seminars teaching such useful tools as LaTeX and the Gimp.
I'm not trying to start a war of the OS's, but since you have apples available anyway for all the media applications (photoshop, quark, etc.) why not just get rid of windows for the desktop applications? (ignoring the fact that your staff is windows trained, the students are windows trained, and it's nice to blame network problems on novell or microsoft).
People in management can get very bright; you just need to burn them at a higher temperature until they glow a nice, pretty blue.
:)
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
You sound like you went to school where the department was run by crappy CS profs. I got my undergraduate degree at a liberal arts college and 99% of my Computer Science experience there was gained while using Linux (and even a bit of Solaris my first year) systems. We all knew BSDs, open source alternative software, and more. Many of us used it daily; some developed and tested for the open source community. Windows was pretty much shunned by all but one prof. Even the necessary evil of connecting to the IT Windows systems was considered highly undesirable.
In reference to the topic at hand, I have to say this University is taking the wrong course of action. My school took the "lock the port" approach. Quite simply, if they could tell your computer was infected and you weren't doing jack to fix it, you lost your internet. Didn't like it? Well fix it. Otherwise you're gonna be going to another dorm room to try to hook up (and remember, your roommate isn't gonna like you either, cause you cost both of you an internet connection).
PS to grandparent of this message - The author states he/she is a CS student; the author never states the CS department is the head of this action (I'm strongly willing to believe it is not).
It comes down to this: the university needs to protect its network. If a student is using that network, the university ought to be able to monitor for illegal downloads just as much as they should protect the accessibility of transcript or payroll data. The actions are different, monitoring bits vs maintaining a secure system, but their end is the same. Does capability to block spyware compromise a student's privacy?? fw
You can get yourself removed as a dependant from your parents at the age of 18. Then you don't have to include their income on your financial aid. Of course if you do this you aren't included as a dependant for their tax purposes or included on their insurance etc. But you will qualify for much more assistance if you suddenly don't have your parents' income.
----- Question authority, but not ours. Hate the man, but we're not him.
The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
--- www.f-theocean.com
It is not a right to get high speed internet access through your university. If you have a problem with the connectivity offering, you shouldn't connect.
Another thing to realize is that the IT departments at Colleges and Universities (especially liberal arts colleges) are dealing with a population of students, professors, and staff that are generally computer illiterate. I can say this because I was in the help desk at my college, and people needed help with the most basic functionality of their computer. I would often think to myself: These are some of the brightest people in the world (Nobel laureates would come in with basic computer problems) and they don't know the difference between a disk drive and a CD. Eventually, it dawned on me that I shouldn't take even the most basic computer knowledge for granted.
It makes complete sense for a college IT department to require this amount of control over their computers that connect to their network. Remember, using the network is a privilege not a right. This level of control is done for a very good reason. It makes it better for everyone to raise the bar. I'd rather my tuition go to the education departments than to waste on removing every new worm and trojan that comes in... Especially because as a help desk worker, I was being paid $10 per hour (best student job on campus) to disinfect people's computers.
You want a technical answer but I think the ethical one is overriding here: I just don't believe networks should be run in this fashion.
First, it's totally insane to require Microshite Windoze. It speaks of the cerebral poverty of the faculty at many an institution where these supposed gifted people can barely save a document in Microsoft Word and then require everyone else do the same.
Second, any open standard should do just as well, and yet - and do I smell graft here? - Microsoft are in there, Dell are in there, IBM are sometimes in there, and demands are made that students get a computer of a definite make, model, configuration, etc - just to qualify for enrolment. If this isn't lobbying and bribery, I don't know what is.
Finally, if you want to connect to a network, then you should be able to prove you're malware-free. I don't have the technical details on this, but forcibly downloading junk on students' computers is just wrong.
And some parents require their adult-kids to attend local nearby colleges so they can force their kids to live at home while studying. That's life.
For every choice we have available, there is a price we have to pay for that choice. Get over it. Stop talking like a victim. Like the other poster mentioned, you can disown your parents and become independent if you really want to. Most kids would never do this, but the choice is there nevertheless.