Slashdot Mirror
Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.
:)
Students are at college to learn. Educate them
Error 407 - No creative sig found
Perhaps you might want to (anonymously) remind them that by assuming management of individuals computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
My campus will disconnect any computer it finds vulnerable. I suppose this could be considered the next step in that direction, but this time students have a way to be sure that they don't end up disconnected at an inconvenient time.
If this were my school, however, I think I'd find it easier to make my computer not look like a windows machine to the network, then deal with stuff on my own instead of trusting their software.
next step:
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software i MUST install.
Personally, I'd much rather just get cut off and be notified why. I don't like the idea of giving over control of my computer like that.
I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lakes anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software it self doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P
My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.
There was Cowboy Neal at the wheel of a bus to never-ever land.
No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsiblity to protect their network and other's on that network.
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, dsl, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run napster. all the off campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.
I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.
Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?
Think man! Stop drawing attention to it, and start trying to hack it. Don't be a fool!
-- http://thegirlorthecar.com funny dating game for guys
... run Linux. At least I tell them that, and they believe it well enough.
In truth, I run XP with a good firewall most of the time.
The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targetting your environment, rather than having to deal with the after effects of the bzillions of non-targetted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone elses actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Ok, I give up, why you?
I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.
Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.
I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
I didn't hear apples mentioned?
We polish 'em up and give 'em to teacher.
KFG
...Or just install Linux, which is like $2,000 cheaper.
I just attended ResNet 2004 which is a conference devoted to the Information Technology departments of all Colleges and Universities across the globe. There are usually around 300 participants and many other who do not make the guest list. I think the biggest conversation among those at the conference was how where is the line between appropriate and not appropriate actions to help keep the networks clean as well as the students computers. You can check out http://www.resnetsymposium.com for the website or http://web.princeton.edu/sites/resnet/ for a list of those who attended. There is also a listserv for @ http://listserv.nd.edu/archives/resnet-l.html. All of these sites will give you contacts for people who have answers to your questions. A trend for schools is purchasing solutions such as Perfigo www.perfigo.com or Bsi's campus manager http://www.bradford-sw.com to help them do their dirty work.
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
-RockDoggy
I work for computer services at my college, and we have a number of Mac labs. We have absolutely no problem with these whatsoever. However, it's impossible in a college setting to have a completely homogeneous selection of platforms. We need our PCs for everything from our accounting courses (some specialized software) to our comp sci courses (Yeah, they force us to use Visual C++, switching to .NET next year).
In all honesty, at a small college like the one I attend, there's a good reason to go with PCs from a financial standpoint: Despite educational discounts, Macs still cost more than PCs. That's a simple fact. Secondly, Microsoft gives AMAZING educational discounts for their software. I'm not talking about the "Educational" licenses for students, but rather we get X amount of free software per year, which is really a boon for our computer services department. We recently got our budget cut in half (management isn't comprised of the brightest of individuals), so the financial aspect is really appealing.
If we had the option to run all Macs, I'd swing for it in a minute, as far as my duties for computer services are concerned. It would make my job a helluva lot easier. However, we don't have that option, and I think you'll find that the same is true for most small colleges.
A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?
AccountKiller
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanant "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone who's internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT deparments (perhaps specificly at small liberal arts or private schools) may tend to be a little over zealous when telling students what the must and/or can't do.
"What do you care what other people think?" -Richard Feynman
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Don't blame me, I didn't vote for either of them!
> I am a CS student at a small Liberal Arts college
When I read this my mind immediately expected it to be followed by something like:
"I am a CS student at a small Liberal Arts college. I've never been lucky with girls and nothing like this has ever happened to me before. One night I was up late in the laundry room and this beautiful girl walked in..."
- For the complete works of Shakespeare: cat
Any time an institution requires software to be installed at all, it's a red flag that says that institution is doing something else wrong. While it's a good idea for students to keep their computers up to date with virus scanners and security patches and the like, it's not a good idea for the institution to take that responsibility away from the students themselves.
I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wallport reactivated increased awareness.
The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.
So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.
Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill Gates mess with it. It's already compiling lists of all the music and movies you play and it sends all sorts of information back home. Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?
LSU can and does monitor traffic at building routers. Unusual activity has them block the MAC address. It's much easier than requiring expensive commercial software that does not work.
Unfortunately, LSU is moving toward just that kind of stupid requirement. They are specifying that Winblows machines on their network have "up to date" virus software. That's fine, so long as they don't require Winblows in the first place. The student senate is considering a laptop and Active Directory requirement. What a nightmare.
There's lots of room between turning every computer on campus into a campus owned DRM'd dumb terminal and letting the Windows machines destroy the campus network. They could continue blocking actual problems at the router instead of requiring the very source of the problems be run by all. They can offer the service voluntarily to those who simply have to have winblows. Macs, Linux and commercial Unix do not have the same problems and should be encouraged. Computing services should make running Windows as easy as they can and that includes offering virus protection, but they defeat themselves when they dumb the network down for it.
Friends don't help friends install M$ junk.
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretaping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Friends don't help friends install M$ junk.
You do not connect!
If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.
If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.
I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.
Never argue with an idiot, they drag you down to their level and beat you with experience.
Before the rash of viruses over the past two years, I would have said that the software costs outweighed the downtime and maintenance costs. I would say that now, no, they don't outweigh the costs, but when they are paying us students (who do 99% of the cleanup when a virus hits) close to minimum wage, it probably is still cheaper for them to take the free flawed software. And yeah, I know the job has a crappy pay rate, but you can't beat how flexible they are around exams, homework, etc.
.NET, etc), or some web design stuff, or Word, etc. So yeah, overall it is used for the most part.
The 'free' software is generally used, as most of it is comp sci department stuff (VC++,
I can't think of the name of the software package off the top of my head, but I remember there was some large-scale app that went to waste, and the copies are still sitting in a box in storage from two semesters ago. And due to the licensing agreements, we can't sell or give it away, so it kinda sucks.
A few factors to consider here
1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.
I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.
As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.
What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.
Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.
But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....
You guys can bitch all you want, but the problem of having an entire ResNet filled with unpatched, virus/worm/trojan infected windows boxes show up on the last week in August is very real. As is the problem of outbound traffic from compromised windows machines consuming all the available bandwidth. The quarentine until proven clean methodology is becoming fairly standard in the ResNet management circles, as is some sort of authenticated access control that ties a human being to a machine address.
The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.
Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
Please note that "twitter" is a known fanatical psycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.
Wow. You must have some TIME on your hands to put together such blather. Since it's obviously important to you, I'll take a few myself.
1) Your very first sentence is self contradictory, assuming that you meant "sycophant"... How can somebody be a sycophant and obnoxious/off-topic? Or did you not notice the word "flattery" in the definition?
2) This is slashdot. Here is where people spend leisure time and blather. Such as, for instance, your post. Get over it. Think of slashdot as the online equivalent of a bar. Some people talk too much. Some people really should shower more often. Some people wear clothes that were fashionable in the 80's. Get over it.
3) It's OK to not like Microsoft software. Probably 80% of my experience of cyberspace is done via Linux. I hate the worms, viruses, spyware, and general crap as much as the next guy. I love the clean, easy way Linux lets met at the guts of the system to result in a stable, secure platform.
4) Even if twitter is some lonely, desperate, delusional, megalomaniac karma whore, how is posting stuff on slashdot being "part of the open source/free software community."? Contributing software is "being part of the OSS community" - posting on slashdot is being part of the slashdot community!
Get off your high horse, dude. People are entitled to be a bit nuts - you'll probably figure that out (as most people do) when you get to be around 30.
Oftentimes, the nuttiest people are the most brilliant.
I remember a gentleman named "Gary". I won't give his last name. He was one of the strangest people I'd ever met. Remember "Revenge of the Nerds"? Well, the cast of that movie tried in vain to capture the spirit of Gary.
The kind of guy who really DID drive a mustard-brown, 20-year old station wagon at 35 MPH down the Interstate - stuffed to the gills with books, bird cages, a pet lizard, folding chairs, boxes of clothing obtained at a thrift store, and consumed Jolt cola bottles.
He attended community (There's that word, in this case, it was people in the area in which I lived meeting together) meetings that I often attended as well, meetings congressed to discuss legal and political issues.
Having talked briefly with Gary before, and figuring him for being partially mentally handicapped, it was a great shock when, during a speech on the history of the US Constitution, Gary raises his hand, and then spends several minutes giving a detailed, ornate, and incredible rendition of the history of an important event. (I could be wrong, but if I remember correctly it was the ending of the civil war)
I was shocked, and I wasn't the only one. Everyone I knew looked at each other in surprise and bewilderment. This? Coming from GARY!?
So, before you go knocking on twitter for having a good time mentally masturbating on slashdot, remember this old saying:
"There's enough good in the worst of us, and enough bad in the best of us, that it ill behooves any of us to thing the worst of any of us".
I have no problem with your religion until you decide it's reason to deprive others of the truth.
People in management can get very bright; you just need to burn them at a higher temperature until they glow a nice, pretty blue.
:)
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
You sound like you went to school where the department was run by crappy CS profs. I got my undergraduate degree at a liberal arts college and 99% of my Computer Science experience there was gained while using Linux (and even a bit of Solaris my first year) systems. We all knew BSDs, open source alternative software, and more. Many of us used it daily; some developed and tested for the open source community. Windows was pretty much shunned by all but one prof. Even the necessary evil of connecting to the IT Windows systems was considered highly undesireable.
In reference to the topic at hand, I have to say this University is taking the wrong course of action. My school took the "lock the port" approach. Quite simply, if they could tell your computer was infected and you weren't doing jack to fix it, you lost your internet. Didn't like it? Well fix it. Otherwise you're gonna be going to another dorm room to try to hook up (and remember, your roommate isn't gonna like you either, cause you cost both of you an internet connection).
PS to grandparent of this message - The author states he/she is a CS student; the author never states the CS department is the head of this action (I'm strongly willing to believe it is not).
The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
--- www.f-theocean.com