Why Are Students Liable for School Insecurity?
yamamushi asks: "Within the past few weeks, students across Boerne ISD were being called into offices to discuss the use of proxies to circumvent the school's websense system. The problem is that some of these students are being suspended from school for up to 3 months at a time. Shouldn't the school district be liable for their own insecurity? Why are they punishing so many students for something that should be handled from the district's end? I know at the time I was going to school there, I was punished for using a Linux LiveCD to log in to their computers without using a password, even after I told the admins how to disable booting from CD-ROMs. They refused to update any of the computers and as such I was using the same tactic till the day I graduated." While security breaches by students are something to take seriously, should school administrations continue with their knee-jerk mentality to something like this, especially at the times when it's obvious that no malicious intent was involved?
Why bother improving security when you can just pass a law enabling you to arrest or expel anybody who tries anything funny?
After all, we all know that the most dangerous elements of our society are stopped by LAWS, right?
You come into my house, I say "don't fuck with the computer."
You fuck with the computer, I kick you out.
If anything, a public resource should be more tightly controlled.
Should they fix their security issues? Yes.
Should they kick out people who exploit the fact that they don't? Hell yes.
Malicious or no, you should not be touching the school computers anymore.
-- 'The' Lord and Master Bitman On High, Master Of All
Check what the kids and their parents agreed to before complaining. Most I've seen explicitly state that using external proxies is against the rules.
"I use a Mac because I'm just better than you are."
It is malicious intent. If you are using the internet in an environment where you're blocked from visiting certain sites, then they don't want you visiting them on their network.
If you turn around and sneak through their system and do it anyway, that seems pretty bad faith to me.
If they locked up the computer lab after hours and because you are smart/skilled enough to get in anyway because you can pick locks, you're still doing something that you're not supposed to be doing.
To paraphrase Dragnet: "if you don't like the law you can try to get that law changed that doesn't give you the right to break it." The school network isn't "law", no, but they can still cause trouble for you if you go against it.
More Twoson than Cupertino
Just because the door is unlocked does not necessarily mean it's not breaking and entering. The students know the rules. If they choose to break them, they should suffer the consequences. The technological measures that may or may not be in place are irrelevant.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
3 months? What the hell did they look at, counterstrike tips websites?
Isn't enough that I ruined a pony, making a gift for you?
"Within the past few weeks, students across Boerne ISD were being called into offices to discuss the use of proxies to circumvent the schools websense system. The problem is that some of these students are being suspended from school for up to 3 months at a time. Shouldn't the school district be liable for their own insecurity?
No. The school apparently has a policy in place to forbid students from going to various sites. They use appropriate tools (like websense) to enforce that policy. Simply because there are ways around the tools, doesn't mean it's okay to do so. Their code of conduct talks about an agreement signed by the students. If they violate this agreement they should be punished.
This isn't really any different from other "crimes" (or violations of school policy). The school's rule is simply that you are not allowed to do certain things on the computers. Some of these things are restricted by their security systems, others are not. Just because you *can* do it, doesn't mean it's within the rules they've established. The students are responsible for their behavior -- it's not the responsibility of the admins to make it impossible for the rules to be violated.
I don't see any problem with punishing students for misuse of its resources, as long as they were given fair warning of those rules (and as long as those rules are consistent with the school's educational mission). A teacher can't prevent students from cheating on exams, but they'll still be punished when they're caught breaking that rule. Why should this be treated differently?
This is more awesome then the day Awesome McAwesom came to Awesometown!
It has nothing to do with malicious intent and more to do with liability. I'd bet that the school has to protect its pupils from the darker side of the internet (p0rn, 4chan, RMS's latest rant about how it should be GNU/Linux etc.) And I'd also hope that before using the PCs you had to agree to a terms of conduct. I've had this discussion before with someone I know in the UK who got slapped for trying to bypass his school's filters, and he tried the "malicious intent" argument. It doesn't wash, simply because the computers you are using are not yours, nor should you treat them as such. I'm sure you felt very 3l1t3 with your boot CD, but the fact remains those are your PCs and it was right you were punished for continuing to do something you were told not to do.
A thief who robs a house doesn't get any lesser a sentence if the front door was unlocked versus locked and bolted. The fact it's ridiculously easy there to beat their puny security shouldn't make any ultimate difference.
...then when bad people break the law and use proxies...the 'good guys' won't be able to use proxies to stop the bad guys!
Or something...
Blar.
The school has rules. You break the rules, they toss you out.
Adding a computer into the mix doesn't change that equation.
There is no law that says "Oh, the rule that you broke involved the Internet! Well, that's an entirely different case!"
Three Squirrels
Let me get this right-- you're criticizing the schools for acting in bad faith, failing to protect their networks from you? When you've agreed to their terms, in order to use their computers, and then you break your agreement by attacking their systems? WTF?
Yes, the schools should make an effort to protect their systems from attackers, for their own benefit (reducing IT headaches in the long run, preventing release of confidential info, etc etc). But if you violate their terms, you deserve to be punished according to the agreement. If you repeatedly attack their systems, they should lock you out of their systems. It's not their responsibility to force you to behave. If you don't wanna behave, that's your choice. But don't whine about it when you suffer the consequences.
1984 was supposed to be a warning, not an instruction manual.
This is what bureaucrats do. They cover their posteriors and foist the blame onto others. Bureaucrats take many forms ranging from government minions at schools, to many of the people who will decisively outrank you in the private sector. They will do two things to you, that you just have to learn to deal with, unless you can make your own way in life independent of them:
1) They will set up the hierarchy to obfuscate the chain of authority to make it hard to hold any one of them individually accountable.
2) They will, as a group, foist the blame onto the nearest target that looks helpless.
You, as a student who knows how to do basic things in Unix, are scary to many adults today. You are probably also scary to many young people because the truth is, many young people are no more comfortable with "real technology" than their parents are. This makes you a good target. "Look! He's up to no good!" They don't have to prove that you were doing anything wrong, and most people are a combination of too stupid and too uneducated to understand the ins and outs of what you are doing. It's all voodoo to them.
I am also increasingly convinced that there is a segment of the human race that is sheep-like in its quickness to assume danger, its irrational hysteria and inability to gauge danger appropriately. You will also see these types of people in every walk of life, especially in "safe" environments like schools, corporations and government agencies where they can be protected from the realities of life. These are the sort of people who are so stupid that they would call a teen who makes a quake map of his school a "terroristic threat," but would lead their student body onto a football field that is surrounded by barbed-wire and fence and about twenty good sniper nests the day they get a bomb threat. Yes, that happened to me, in HS. I scared the tar out of some of my teachers by pointing out the irony of them trying to "make us safe" from a possible psycho who'd blow up half the school, but surrounding us in an enclosed point where a sniper could pick us off, and reload with impunity.
The first question I don't think is should the kids be punished, but rather if the punishment they are receiving is in line with the infraction. I could understand maybe getting tossed in detention, or maybe a more pro-active solution, being forced to help the network admins secure the network (imagine that, doing something useful with obviously talented kids instead of throwing the book at them), but getting suspended for any length of time is probably way overboard.
Second, why do the schools feel the need to put stupid firewalls up in the first place? Honestly, there's nothing out there that the kids can't easily access elsewhere. I could understand maybe being worried about them downloading trojans and viruses on accident from less than upstanding websites, but a better solution in that case would be to tighten up the security on the computers to prevent that sort of thing rather than just blocking websites outright. Personally, unless there's a specific reason not to, I think most schools should be running something like SELinux anyway. Much easier to secure and keep running clean than just about anything else, and it already has a strong permission set so that students can use the systems for class work and such, without having to jump through hoops.
Curiosity was framed, Ignorance killed the cat.
I am a tech director for a k12 public school district. Just last week we had to suspend 5 kids (actually bright kids) for using proxies among other things (and moreover being stupid about it). One of the problems was that a student found a website (that I have actually used before) that lets you boot to a floppy and recover a Windows password from a computer. That student then had admin access to all of our 420 laptops. As the only tech there (and part time at that) it is much easier to suspend them than to re-image all 420 laptops, password protect the BIOS and prevent booting from anything but hd! I felt bad nabbing them, but they were dumb enough to leave their script kiddie programs on their network drives... a simple search for *.exe screwed them all. As far as proxies, they are coming out with them faster than I can (or care to) block them. As my case is not different from many other school districts facing harsh budget cuts out there, I don't foresee security in schools getting better any time soon mostly because most of us cracking down used to be those little nerds wreaking havoc on our school's sysadmins.
Posted by Cliff on 03/05/07 18:28
from the punishing-them-for-the-mistakes-of-others dept.
If they don't and even one student used that to do something harmful, then it would be the school's fault then. Sucks.
Why are students punished for stealing school supplies? Surely it's the school's fault for not keeping everything locked up well enough?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
In Watchmacallit Kansas eight year old Billy-Bob was sent to the principal's office for sticking his used chewing gum under the seat of his desk.
"But, but, but..." he cried, "It's not my fault! If they didn't want me to stick my gum there they shouldn't have given me a desk with a seat attached to it!"
Three Squirrels
Need to be bypassed just to get work done that needs to be done. Students / teachers sometimes need to bypass security just to get software / websites to work that are needed for class. Systems that only have an admin login for all users and the school district IT people don't have the time / manpower / funding to lock things down and make the software work at the same time.
School district should be liable for things like keeping the systems up to date and the teachers should have to go to JAIL for porn that comes from spyware, popups, out of date web filtering software and other things that they do not know about / have control of.
Why did you tell them?
Who are you to go and audit their security?
Did someone pay you to perform that service? If not then you are a criminal.
You know people, this unsolicited "white knight" horseshit has to stop. It is obvious it is NOT appreciated and you can go to jail for it. So why bother? Other than to "prove" how much "smarter" you are than the administrators of the [insert school, corp, government]'s network. Whoop-dee-do!
Hear it from me, AC, "You are sooo smart and talented! I bow to your greatness!! Now, go and start a company of your own, make a gajjilion dollars and hire me! I promise that I will kiss your ass, and I mean spread your cheeks and I'll get you on your hole! And that way you'll do much more for society and proving your brilliance to the world than showing off to your local certificate holding bureaucrat."
Thank you.
They aren't, they are liable for their own deliberate actions in violations of the rules.
If there's a rule that I'm not allowed to visit a porn site, and I find one that ISN'T blocked and go there, that's MY problem. Yeah, they should block it now, but I should still be punished.
Yes, to some extent, creativity is good. When creativity leads to illegal or immoral behavior, punishment takes place. If you're creative enough to find out how to do such and such, you're probably intelligent enough to know the rules regarding it, too.
I have little sympathy for those who break rules and then complain that it wasn't their fault, they shouldn't have been able to break them. If you want to help someone's security, tell them about it, don't do it and then tell them you were trying to help them AFTER you get caught. Which it seems a lot of hackers try to do these days.
Such defenses smell mildly of the sociopath, not the lack of a sense of right and wrong, but the sense that such rules do not apply, and a clear attempt to rationalize the behavior as the fault of a third party. In this case, the school set up a resource, and in exchange for the resource, demands some rules be followed, and set up token support for those rules. Such token support could be the honor system, a barrier, or a lock. None of these are unbreachable, nor should they be. After all, we are trying to teach the children to be responsible and respectable citizens. We are not, in fact, trying to raise sociopaths who leech off society. We are not trying to create a citizenry that requires constant surveillance to ensure order. At least in the US we use the honor system, or other forms of token defense, to keep the society in order. We do not want heavily armed police on every corner.
So, to answer the question, no. You know the rules, and choose to break them. As an honorable person, the thing to do is accept the consequence and try not to break the rules again. Putting aside the technical feat, which given today's kiddie tools require almost no intelligence whatsoever, the network is provided for a specific purpose, and using it outside that purpose is not a right, any more than using sudafed to make meth is a right.
I know that much of this thinking is just a lack of maturity, and will go away as the consequences are applied, just like the magical thinking of the very young child. What is frightening is when such justifications are used and supported by persons who should be old enough to know better.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Why were those students even able to use proxies? All traffic should be going through a commercial-grade router. A few rules and all TCP 80/443 traffic will be going to the designated filtering system and outbound connects on any other ports will be getting only an "administratively prohibited" ICMP error. Once that's done it doesn't matter what the students do on the client side.
Yes, I know the downsides, but if you want a secure filtering system you can't trust the client end to behave. If you could, you wouldn't need a filtering system.
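An added example, not part of the original thread: the router-side policy that comment describes, written as an nftables ruleset. The interface names, the address 10.0.2.10 and the listener ports 3128/3129 are constructed assumptions, as is the filter sitting on its own segment.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Constructed names and addresses:
#   lan0 = student LAN, dmz0 = filter segment, wan0 = uplink,
#   10.0.2.10 = filtering host listening on 3128 (HTTP) and 3129 (TLS).
# Assumes clients use a resolver on their own LAN; direct DNS to the
# Internet from lan0 is rejected like any other non-web port.

flush ruleset

table ip egress {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Student web traffic never leaves directly: it is rewritten to
        # the filter regardless of how the client is configured.
        iifname "lan0" tcp dport 80  dnat to 10.0.2.10:3128
        iifname "lan0" tcp dport 443 dnat to 10.0.2.10:3129
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Redirected client connections on their way to the filter.
        iifname "lan0" oifname "dmz0" ct status dnat accept

        # Only the filter itself may open outbound web and DNS connections.
        iifname "dmz0" oifname "wan0" ip saddr 10.0.2.10 tcp dport { 80, 443 } accept
        iifname "dmz0" oifname "wan0" ip saddr 10.0.2.10 udp dport 53 accept
        iifname "dmz0" oifname "wan0" ip saddr 10.0.2.10 tcp dport 53 accept

        # Everything else from the LAN: log (rate-limited) for review,
        # then answer with ICMP "administratively prohibited".
        iifname "lan0" limit rate 5/second log prefix "egress-reject: "
        iifname "lan0" reject with icmp type admin-prohibited
    }
}

# IPv6 is not filtered in this example, so it is not forwarded at all.
table ip6 egress6 {
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Web-based proxy sites served over 80/443 still pass through the filter under this policy, so blocking them depends on the filter's own category list rather than on the router rules.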
Using a proxy to bypass filtering: Slap on the wrist.
Using a proxy to bypass filtering to check for messages on their myspace account: Death.
Students are liable for their actions, not for the school's insecurity. You know you shouldn't be doing it, yet you continue because you can. That's like saying "Why should I be liable for skipping class? The door was unlocked and there was no malicious intent..." You'd better learn to follow rules before you graduate or you'll be posting about how you're homeless because your employer caught you surfing the 'net at work.
It's really all about how bad they are.
I worked as a technician at a high school for a few years.
Basically, if you're not doing anything horrific, the policy of the tech departments was to look the other way. In larger districts it isn't the technicians who deal with filtering, we maintain it, but we hate it as much as anyone else because it's a pain in the ass and there's dozens of ways around it.
If you're using it to look at pr0n or stuff, then yea, it's a big deal.
Another example is insecure network systems. If you use our insecurity, a lot of which may be intentional or requested by a teacher (ie: "Can you give every student in my class local admin so they can install this software?") and we have little choice about implementing it as we have orders from on high, we usually don't care unless it's something big.
IE: If you use our insecurity to just do your work, who cares? If you use it to send a Timbuktu message as guest to every computer in your subnet, then yes, there'll be issues.
As for administration, they just need to listen to the techs more. Their knee jerk reactions are based in large part on not UNDERSTANDING the technology, and even being threatened by the students that do.
My $0.02.
One of the problems was that a student found a website (that I have actually used before) that lets you boot to a floppy and recover a windows password from a computer. That student then had admin access to all of our 420 laptops. As the only tech there (and part time at that) it is much easier to suspend them than to re-image all 420 laptops, password protect the bios and prevent booting from anything but hd!
You knew about this issue (booting from alternate media), but did nothing to resolve it? You took the easy way out re: configuration, and it burned you. Even after the fact, you say that suspension is easier [to implement] than actually fixing the vulnerabilities. If I were your manager I would want to know exactly why/how this happened, and what you did/didn't do about it.
PS I very much doubt you are a "tech director for a k12 public school district". You are a part-time sysadmin.
I want to drag this out as long as possible. Bring me my protractor.
On the other hand, 3 months is clearly a knee-jerk compared to things like school-yard fights, stealing someone's lunch money, plagiarising, etc. If punching another student or stealing their homework also netted you 3 months suspension, fine. But if there are way shorter penalties for clearly way worse offenses, then the school is unjustified in its punishment for the crime.
Magic doesn't work in my presence. My power of disbelief is too strong.
I work in such a place, and I usually get two or three requests a week to block proxy sites. I would prefer it if access to the internet was completely unrestricted. If you do not have trust and respect for people, they will not have any for you. Part of the problem is that some lecturers either cannot control their class, or do not, for fear of making their attendance figures suffer, which in turn can have an effect on how much money is raised in funding.
...when they're the ones who broke the rules in the first place.
As many other people have already stated, just because you can get around something doesn't suddenly make it OK. If a bank left its vault wide-open, is it magically OK to take all the money out? No, because that's not your money and you have no right to it. Just because the network security is lax, does that magically make it OK to do whatever you want with it? No, that equipment was provided for a specific purpose and if you're not going to use it for that purpose, then you're abusing it and actions should be taken against you. The idea of an action being wrong isn't "it's wrong only if you get caught" (which is sadly what most schools teach), it's wrong because it's taking something given to you for a specific use and completely misusing it, and in the case of a network, actually taking resources away from people who ARE trying to use it for work.
In terms of keeping the kids out of things, much like DRM, trying to outwit clients is going to end up as an exercise in futility. There are more tricks at the disposal of the people trying to circumvent the rules than there are to the ones who have to enforce it. Any roadblocks that can be set up can be bypassed as well. Is it possible to set up a highly locked-down system that blocks everything but a few specific sites? Yes, but now look how absolutely worthless that network is for education now. Believe me, there are more sites out there of actual, legitimate educational value on the Internet than any one group can catalog, and now you're hurting the actual point of the network in the first place! The kind of thinking that says "well lock it all down!" epitomizes everything that's wrong with the way Americans approach laws; destroy the usefulness of a tool for EVERYONE just because a select handful abuse it. NO! You punish the half-wits that abuse these things while leaving it as useful as it reasonably can be to those who wish to use it legitimately.
I do agree though that while action should be taken against students who break the rules simply because they CHOSE to break the rules, most school IT groups could learn a thing or three from those kids. I know we had one hell-raiser who was constantly bypassing filters and security measures. Smart kid, no concept of his actions having greater consequences beyond himself (a common teenager mindset). What'd we do with him? Kept him on a tight leash while he was in class (which I'm sure had minimal impact on his activities) and the moment he graduated he was made an intern. When we rolled out new security policies, we had him break them (which he invariably did...given enough time) and we used how long it took him as the benchmark. We also made him do a lot of work on machines that his peers had screwed up, just as a life lesson that while you think it's "cool" to steal mouse balls or black out optical mice or install Linux or any of a myriad of other acts of nerd rebellion, someone has to go in and clean that up. I like to think he actually gained a bit of perspective from having to load entire machines with the benefit of a mouse because of a stunt he might have thought was funny a few months earlier.
But now I'm starting to ramble like I'm an old man...scary to think I'm not even a decade removed from when I would have thought messing up a mouse as a high school prank was funny...
These are online at:
http://www.boerne-isd.net/page.cfm?p=3118
Read Them!
From page 59 of the student handbook:
Consequences for inappropriate use
Suspension of access to the system.
Revocation of computer account; or,
Other disciplinary or legal action, in accordance with the Student Code of Conduct and applicable laws.
It doesn't seem that the school has justified their excessive punishment of AUP violations.
I'd say that I'm sorry that the kids are being punished, but I'm not. This isn't about the school district doing anything inappropriate. It's about kids doing something that they knew was inappropriate and being punished appropriately. I fail to see why anyone is upset by this. Part of the function of education is to teach children how to behave and what their boundaries are.
If they're told that these are rules, but you don't *really* have to obey them, what other rules will they choose to ignore? Will they ignore the rules about bringing weapons to school? Will they ignore the rules about bringing drugs to school? Will they choose to ignore the rules about cheating on tests?
I've seen people walked off jobs for less. If there's a proxy, it's there for a reason. If the rules say that you have to use the proxy or you can't see that site, surf it from home. I would much rather see them punished now, while the only thing they get dinged for is some time out of school, extra curricular activities, etc. instead of waiting until they're grown-ups with a car payment, a mortgage, some credit cards, and a couple of kids who get fired for doing the same thing at work.
2 cents,
Queen B.
HDGary secures my bank
Part of what schools are teaching is that one needs to take responsibility for one's actions, which have consequences. Breaking the rules and doing things that you've been told not to do - no matter how ingeniously it's done - is not something that's going to get you pat on the head in the real world. Screw around with someone else's system, and you can expect the people who run it to screw back.
You know, no one congratulated me on my ingenuity and craftsmanship when I was able to buy beer with my doctored driver's license. "Why am I being blamed for the fact that the store owner couldn't identify a fake ID?" I protested. God, I was a brat.
Teenagers keep asking to be treated like adults, then whine about it when they are.
http://alternatives.rzero.com/
Just because you can do something, it does not follow that one should do it.
These kids, and you, can do something, but you should not be doing it, therefore you are being punished for doing it.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
By your logic, someone could walk up to you and shoot you in the chest and YOU'd be the one charged with a crime for not wearing a bullet proof vest.
Some students were suspended up to 3 months. I can't find anywhere that says what the differences were, but there could have been several things. Maybe they're the one that setup the external proxy and told all the other students about it, wasting everyone's time and getting more people into trouble. Maybe the student was engaged in cyberbullying or sending threatening messages. It's all conjecture because we don't know why certain students got a harsher penalty than others.
sue the hell outta them. so many people abuse law system in united states that, such a just case would make legal system work as intended, once in a while.
Read radical news here
Students should be liable for their actions. Knowingly and actively breaking the rules should have consequences. It's a damn good lesson to learn early.
This whiny appeal here is akin to saying, "If they didn't want me to steal it, they shouldn't have left it unlocked." It's a rationalization intended to avoid responsibility for one's actions. This isn't a failure of security, it's a failure of character.
I agree that the 3 month suspension punishment was over the top. But to argue (as you did earlier) that kids should be encouraged for this creative behavior, I vehemently disagree. If they did not get a warning (including a school-wide warning, as long as it was focused on the proxy issue and not generic), then I think that a warning would have been the appropriate response. If they did get a warning, then a 1-day in-school suspension (or detention) would probably have been a reasonable response.
To argue for no response whatsoever, however, seems irresponsible.
Ben Hocking
Need a professional organizer?
- speak freely during class
- refuse to converse with the teachers
- habitually arrive just 5 minutes late
- use a proxy server to make the school's computers do things the school doesn't want them to do
- use your own notebook paper to design paper airplanes (even if never flown)
- play with the cafeteria food, even on your tray
- carry a concealed squirt gun, even if never loaded or fired
- bring a cat, toad, or owl to class
- play quid^H^H^H^H football in the building . . .
Disobeying a school rule results in punishment. Go figure.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
I can empathize with students wanting freedom on a computer network, or even wanting to just play around with the system to see what they can do. Heck, when I was in high school, I was one of those guys who would bump his print jobs up in the queue using pconsole, or discovering all the accounts that had access through the Squid proxy to the Internet.
...Naturally, students decided they wanted to push the envelope. Kids started remotely shutting down one another's laptops and trying to steal one another's passwords. Eventually, a student guessed a faculty member's password, found a user account created by my predecessor long before I started on a faculty server, rdp'd into a server, and tried running a password cracking application...that contained a root kit.
On the other hand, I was a network/system administrator at a high school after college, and I can understand the challenges administrators have to deal with in terms of high school students. Administrators don't just decide that they want to lock students down; heck, some schools don't WANT their students to have restrictions placed upon them. When I started, the school had upgraded from Windows 2000 to Server 2003 the year before, and the security that was implemented was essentially Windows 2000 security. They made some stupid mistakes; all passwords stored in LM format, weak ACLs on systems, no BIOS passwords, few if any group policies. On the other hand, they had their VLANs designed properly, the servers all had fairly strong passwords, and they weren't running unnecessary services. The security that was implemented was essentially designed to protect users from malware and keep outsiders from poking around.
An administrator's job is to, in effect, install and maintain technology that reflects the mission of an organization. Some schools have a pedagogy that encourages open exploration; other schools want strict rules and regulations. The school I worked at fit somewhere in between. When kids decided they wanted to try and cheat on exams, down using p2p applications, and attempt to change their grades, they put me in a position (mind you, just months after I started working there, and hardly after enough time to complete a full security audit and redesign) where I couldn't just trust them to be responsible in an open system. So, the next semester, they were irritated to find out that their accounts were running as local users; that group policies had been designed using strict Software Restriction Policies creating a whitelist of applications they could run; that their laptops and desktops all had BIOS passwords; that the only route out to the Internet was through an ISA server that connected directly to a filtering application, and then into a Packet Shaper; that their Flash plugin was disabled; that their ability to run Java applications was limited; that their exam account couldn't do anything EXCEPT run the exam application; that their ability to create and log onto local accounts was eliminated, etc.
Were there things on that list that should have been implemented earlier? Absolutely! Any organization should ALWAYS have BIOS passwords set on their machines, which should change every year. LM passwords should NEVER be enabled. Having some type of proxy is also a must, as are strong ACLs on switches and routers. Some type of bandwidth management device should be implemented, as there are more than three people using the network at a school. The school DEFINITELY should have set up WSUS to keep their Windows systems updated.
I'll admit that, when I have the authority, I'm active in creating (from the start) a secure environment, but you're not helping out an administrator when you just start poking holes in the network and not give them the chance to fix the holes. Schools don't have huge budgets, and the IT department is often required to play the role of help desk, admin, developer, engineer, etc, rather than just one niche. In my case, I was lucky; I had a good relationship with the people
I mean, why hold bank robbers liable for larceny and murder for robbing banks and shooting the tellers? It's madness I tell you!
Let me try and field these questions here...
"Within the past few weeks, students across Boerne ISD were being called into offices to discuss the use of proxies to circumvent the schools websense system."
Have a line in the students' Acceptable Use Policy that says students are not permitted to use proxy sites to circumvent IT security systems. Of course, I don't punish a student just for using a proxy site though...they always use them in conjunction with accessing webpages that are blocked. If a student used a proxy to access playboy.com, he'd lose his internet access for a month...for looking at an adult website, not for using the proxy.
The problem is that some of these students are being suspended from school for up to 3 months at a time.
Why? What damage was done? If they were suspended 3 months for using a proxy to look up porn, I'd say it was unjustified. To access MySpace? Likewise. On the other hand, if they were using proxies to do some serious business...running rogue file servers, distributing illegal MP3s and movies, and filtering the traffic through a proxy...then I could see some justification. (I'm sure someone's going to flame me for that comment and say 3 months of suspension is still ludicrous, but I'll back it up if I have to.)
Shouldn't the school district be liable for their own insecurity?
Shouldn't students be liable for their misuse of the school's network? The answer to both questions is yes. Realize, though, that there are proxy sites that are incredibly frustrating to block. kproxy.com for example... go ahead and find out how many servers are managed by kproxy.com. They have valid hostnames ranging from www.kproxy.com, www0.kproxy.com - www9.kproxy.com, and www00.kproxy.com - www99.kproxy.com. I'm never too happy about kids forcing me to have to go through and take the time to block off that many IPs. And who says that kproxy will keep the same address range a week from now? I have a lot of better things to do with my time than actively police the websites students visit. I trust them to use the internet for purposes that do not interfere with the AUP. When they think they have the right to screw around and bypass security just because they're capable of doing so, that's when the school has to step in and remind them that they don't have that right just because they're savvy computer users.
They refused to update any of the computers and as such I was using the same tactic till the day I graduated."
This sounds awfully familiar. My University's residence had their internet connection supplied to us via 'Microsoft Proxy Server 2.0', which was completely intolerant of any operating system other than Windows. (Webtraffic was available for alt-OS'es, and not much else.) I tried like hell to convince the IT dept to upgrade their network or at least alter their settings to incorporate other OS'es, but like most bureaucratic entities change comes at a glacial pace and I had no success in 'asking' for help. Eventually I bought a second computer and used it to circumvent the shortcomings of the MS proxy. Personally my opinion is that I didn't do anything wrong in doing so, as the school's IT department wasn't able/were unwilling to help, and since part of the Universities' residence agreement was to supply me with a working internet connection, I don't view similar strategies as subverting the Uni's authority or attempting to break the law. Overt attempts to hack the Uni's network or server would have likely resulted in suspension or expulsion, and justifiably so, as such practices were clearly forbidden and explained to each student before any network connection was activated. Just my 2 cents...
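The comment above describes chasing kproxy.com's numbered hostnames one address at a time. As an added example (not from the original post or from any filtering product), this Python code matches a request's hostname against a blocked parent domain on label boundaries, so hosts added under that domain later are covered without new entries; the function names and sample targets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Blocklist keyed on the parent domain (taken from the comment), not on hosts or IPs.
BLOCKED_SUFFIXES = {"kproxy.com"}

# Constructed sample of request targets as a filtering proxy might see them:
# full URLs, a CONNECT-style host:port, mixed case, and a trailing-dot FQDN.
SAMPLE_TARGETS = [
    "http://www7.kproxy.com/index.php",
    "www42.kproxy.com:443",
    "http://WWW100.kproxy.com./",
    "http://server3.kproxy.com/",
    "http://notkproxy.com/",
    "http://kproxy.com.example.org/",
    "https://en.wikipedia.org/wiki/Proxy_server",
]


def extract_host(target: str) -> str:
    """Return the normalized hostname from a URL, a host:port pair or a bare host."""
    target = target.strip()
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse host[:port][/path]
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def is_blocked(target: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """True if the host equals a blocked domain or is any subdomain of it."""
    labels = extract_host(target).split(".")
    # Test each parent domain of the host; joining whole labels means
    # "notkproxy.com" never matches "kproxy.com".
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def enumerated_hosts() -> set:
    """The per-host list the comment describes: www, www0-www9, www00-www99."""
    names = ["www"]
    names += [f"www{i}" for i in range(10)]
    names += [f"www{i:02d}" for i in range(100)]
    return {f"{name}.kproxy.com" for name in names}


def missed_by_host_list(targets) -> list:
    """Targets the domain rule blocks but the enumerated host list would let through."""
    known = enumerated_hosts()
    return [t for t in targets if is_blocked(t) and extract_host(t) not in known]


if __name__ == "__main__":
    print(f"hosts to maintain when listing one by one: {len(enumerated_hosts())}")
    for t in SAMPLE_TARGETS:
        print(f"{'BLOCK' if is_blocked(t) else 'allow'}  {t}")
    print("caught only by the domain rule:", missed_by_host_list(SAMPLE_TARGETS))
```

A rule like this only covers hosts under the listed domain; a proxy operator moving to a different domain still needs a new entry or category-based filtering.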
See, I don't need to rely on outside proxies to get around my old school's filter. I used their own proxy. I'm not kidding. Their own proxy would bypass the normal filtering proxy, allowing for unrestricted access.
I fight this issue over and over.
You have to follow the rules or pay the price, if the computer lets you do it or not. The computer does not determine policy and should not be needed to enforce it.
It's just like a double yellow line on the road does not prevent you from passing someone. It's defined as policy/law that you don't cross it, even if it physically does not stop you. Is the city/state to blame if you get a ticket? Do you have to pay the fine yourself? Why is the computer any different?
Now don't get me wrong, some policies are BS and I don't follow them myself. There should be a real person overseeing it. But it's not up to the computer to enforce them.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
Within the past few weeks, students across Boerne ISD were being called into offices to discuss the use of lockpicks to circumvent the school's door lock system. The problem is that some of these students are being suspended from school for up to 3 months at a time. Shouldn't the school district be liable for their own insecurity?
Gamingmuseum.com: Give your 3D accelerator a rest.
the title "Why Are Students Liable for School Insecurity?"
:( And bring them to McDonalds for a treat to make them feel better.
When I read that, I had to think about the question itself. I'm sure I'm not the only one to spot this, but doesn't this particular question imply a confused sense of accountability? Time and time again we've seen the wrong people being sued, arrested, expelled or simply frowned upon when someone else breaks the rules. Take the Viacom/YouTube for example, YouTube allegedly hosts video clips that infringe upon copyrighted material and YouTube is being pinned down to enforce removal. How much of this is really YouTube's fault? Shouldn't the person uploading illegal material be responsible? You may say that YouTube may have a parental duty to monitor all uploaded videos, but the fact remains that when someone is being called out for breaking the law, it is common today to quickly respond "It was the host's fault for not catching it."
I'm not pro-DMCA, I hate RIAA/MPAA for what they're doing, but I hate them because they're going about it the wrong way, trying to enforce a law using questionable material as 'evidence'. So they turned to the ISPs and threatened to sue them if YOU, a user through that ISP, are downloading illegal material.
What sickens me the most is the appalling reasoning that I saw on some of these posts!! I've seen many posts that agree and disagree, but there are a few that completely forgot that people should be ACCOUNTABLE for their own actions!
Someone said in a reply: "Bah, that's crap. Kids who are smart enough to figure that stuff out need to be nurtured, not beat down. They displayed initiative, imagination, and creative problem solving, and they didn't cause any actual harm, just broke an arbitrary rule."
This is very typical thinking around issues of 'intention vs. premeditated vs. harm vs. creativity'. I can certainly agree that kids are being creative in their bypassing of security, but this doesn't excuse them from being accountable for their actions. Like my parents would have said to me: "You broke the rules, you're going to take the consequences." Kids can be nurtured to explore and grow their creativity WITHOUT breaking the laws, rules or policies set forth by whatever governing body surrounds them. Does anyone remember The Happy Hacker?
This article even getting through, and seeing the responses in this thread, clearly shows how confused people are today about responsibility, accountability and guidance.
It saddens me that schools have become a DAYCARE CENTER for parents, when they used to be an EDUCATIONAL FACILITY. Teachers would impart some of the responsibilities to teach kids the proper ethics and morals, but as soon as Joe Shmoe is sent to the principal's office because he was disrespectful in class, parents come running to the school to protect their kids from all the meanies and bad peoples out there
Those kids deserved to be punished for breaking school policies. 3-months suspension MAY be a bit much, but you know what? I don't blame the schools for covering their own ass! In this SUE-AGE, what if one of those kids was going to some website like 'how to make pipe bombs' and some accident happened? Who do you think would have felt the heat? Everyone would turn their finger to the school for not 'having security measures in place.'
Fuck that! Remember the chaos in Boston about the ATHF brite-lite ads? The police force reacted perfectly well, because people freaked out about bomb threats. Even if it turned out to be nothing after all, if it WAS going to be a bomb threat, and the police wouldn't have acted, EVERYONE would have blamed the police force.
Sorry for the long post, but I'm tired of telling people to own up to their actions.
A black cat crossing your path signifies that the animal is going somewhere. -- Groucho Marx
Are you for real?
This is about school admins being lazy and wanting to make examples out of kids for doing something which is more or less innocent on the basis of them being "hackers."
The punishment does not at all fit the crime here.
+++ATH0
I am astonished that everyone on this forum seems to be siding with the school. What harm were the kids doing by bypassing the websense system? It's not like by viewing forbidden things they were hurting anyone else. Sure, they were breaking the rules - but if I had been suspended for 3 months every time I broke a rule I'd never have had any time in school.
The
So let's apply this type of logic a little further. If I walk into an unlocked house and steal something it is their fault for not locking the doors?
Now yes there is a world of difference between stealing something and using a proxy to bypass security, but think on it. Just because someone didn't put in enough security doesn't mean you are justified in breaking the rules.
That's the ticket. Punish the smart kids and the creative thinkers.
Sgt. Friday was an ass. You have full rights to break the law, but you will suffer due process of law if you are caught. If I feel the DMCA is completely unjust, I am fully justified to break that law, but I need to be cognizant of the repercussions.
I know that's what you meant, I just wanted to point out that fetishization of the law is a giant leap towards totalitarianism. Certainly, these students should be expelled for using proxies against the acceptable use policies. But that said, I would never attend, lecture, chair, or be affiliated in any way with an institution that would censor with WebSense.
school says: don't do that
Student:
School: (punishes student for being a retard who can't follow instructions)
Result: Profit?!?
I mean, seriously. If you're told not to do something, and you do it anyways, whether or not you did it to get around things put into place to try and prevent you from doing them, YOU GET TO TAKE GOD DAMN RESPONSIBILITY FOR YOUR FUCKING ACTIONS.
Let this be a lesson learned to the kids - maybe they will think next time.
When your mother told you, "Because I said so," you should have listened.
Congratulations on completing High School. Welcome to the real world!
Laws and regulations do not exist to accord with moral principles or even common sense. Laws exist to compel behavior. There is no court of principle or reason to hear your appeals.
You do not abide by rules, regulations, and laws because you necessarily agree with them or believe them to be justified. In many cases you abide by them because you fear the consequences of violating them. You abide by them because they are threats, threats of the form: "If you do [or do not do] X, then we will punish you by doing Y."
Society, your High School, your College - like your mother - rules not by prior consent, not by reason, not by universal moral principles, but rather by tradition, intuition, emotion, and force.
Better these students learn this in school as minors than in the real world and end up in prison.
It's much easier to put the blame on Games, TVs and the students themselves, rather than parents and administrations to take responsibility.
Besides, what are the kids going to do?? They're not adults and they have to do what they tell them.
The violence in games is now the center of attention. Years ago it was movies that people pointed the blame to.
BLAME EVERYTHING else but the parents, teachers or bullies in school that cause kids to go ape-shit. If half of the parents didn't give the kids a chance to play violent video games, and actually spent some time with them, rather than using the console as a fucking baby-sitter.. we wouldn't have little issues like this.
After the last shooting, the parents and family said... "We had no idea he had this in him... he was just... quiet." Give me a fucking break. First off, if they knew.. they're not going to take responsibility and blame for it. Why? The kid is dead! Who's going to tell anyone? Again.. it's the KID's problem. Granted, he had a couple screws loose... but I'm sure someone picking on him in school and his parents not giving a fuck has a lot to do with it.
This is going on more and more.. mostly because of the messed up economy that's limiting time spent with kids and such. Few family values are carried on if mom and dad aren't around to teach them. Instead, they learn from assholes at school and video games.
I grew up on a farm and played my share of video games... we also fucked sheep.. but we didn't kill many people. Just those who found out we fucked sheep.
If people are going to start pointing fingers.. they should at least look into cowboy'n up and taking a few steps on a solution. Whether it costs thousands more to make sure everyone's safe... they should think of some regulations.
I recommend kicking out little bastards that give other students a hard time, rather than going after the one getting picked on, myself... the kid may make a game that looks like his school.. but the bad guy is the one at the end of the room, throwing paper at him. There's a root cause for everything.. and it certainly isn't the kids themselves.
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Something tells me this can't be their first encounter if they're getting 3 months suspension. If that's the case I'd see if there are any free lawyers. The use policy for the IT department resources outline the following punishments:
Consequences for Inappropriate Use
Suspension of access to the system.
Revocation of the computer system account; or
Other disciplinary or legal action, in accordance with the Student Code of Conduct and applicable laws.
So sure there is the catch all of "Other disciplinary or legal action..." but the policy also states you might find things you don't like, so suck it up and deal with it. Seems a little harsh to go 3 months. I wonder if it's not the start of an Urban legend. If it's true, it's just another case of teachers or staff being too damn lazy to do a proper job of teaching and administrating.
While I agree that "whatever inappropriateness they had gotten up to" might require harsher penalties, if they have been warned not to use a proxy, then using a proxy is sufficient cause for them to receive an appropriate (read: not a fricking 3-month suspension) punishment. You aren't allowed to talk in class (hey! my free speech is being suppressed!), and if they have a rule that you can't use proxies on a school computer and/or on school grounds, I see nothing wrong with that. Granted, if they're using that rule as an excuse not to have better security in place, they're being stupid - but that doesn't excuse the kid from breaking the rule (again, if the rule has been clearly explained).
College would be a slightly different story, but only slightly. If you're using the college/university network, then they have the right to set up limitations on that use. If you break those rules, then you shouldn't be surprised if your rights to use that network are revoked - even if that makes your life more difficult because all of your professors put their assignments on the web, etc. (There are always work-arounds and/or exceptions.)
Ben Hocking
Need a professional organizer?
When I was in high school around 2003 I was suspended for 1 week and subjected to a search warrant / criminal prosecution for over a year for downloading all student records to a hard drive, while in the process of working with the local newspaper to turn over the information. Although the act of unauthorized access is technically illegal, myself and other technically knowledgeable students had repeatedly warned the IT staff about SERIOUS security problems we many times accidentally discovered, however little to no changes were ever made. At one time the IT staff even told in writing that "Linux is only for use by hackers."
The "hack" (if you could even call it one) involved searching google for a Novell null password scanner and clicking the first link. The first and only account we discovered, conveniently had read/write access to all attendance, grades, and other student records!
That doesn't make any sense. Saying that the students shouldn't be liable for abusing security and placing that blame on the school district is just like saying if you have a security system protecting your house and someone breaks into your house by bypassing your security system that YOU should be held responsible and not the person that breaks in... that's absurd. I know myself I compromised school security systems when I was there with no ill intent either, however, that doesn't mean I wasn't at fault. But maybe that's just my opinion, -Wolfe
I graduated from Boerne High School in 2000 so maybe you can imagine my surprise at seeing this thread. As I recall, Principal Champion wouldn't have allowed something like this but I believe he's since passed on unfortunately. If the IT situation there is still the same as it was in the late 90s then the three or four computer labs are being run and maintained by one teacher who also doubles as the Electronic Arts teacher. In fact, while I was there at least, certain students (myself included) were occasionally approached to help with maintaining the network. While I'm not sure if it is anything unusual by any degree, the school's webpage at the time was developed and maintained by the Web Design class, rather than a professional Web-guy. I'm still inclined to believe Boerne ISD is an awesome school to go to (most people move to that area because of the schools) and it's relatively consistently judged to be among the best in Texas. We happened to have the whole "Snow Falling on Cedars" scandal while I was attending the school (CNN showed up to show all their proficiency at misreporting the story and misspelling and mispronouncing "Boerne" and the only lasting effect of the whole thing was that the book got made into a movie) but I was never given the impression except that the school had the student's best interests at stake. Personally, I'm ambiguous about this particular situation. I highly doubt that these students were banned for a first offense, and if that's true then I can agree with punitive action being taken. Could the whole incident simply be a case of an overworked teacher who works on computers as a hobby being used as the school's official SA?
As much as I'd love to beat me chest about this one ('specially seeing as how I used to do it), I can't say I disagree with this move too much. The computers are school property, and the school lays down the rules as to what they can and can't be used for. Isn't that what the students are really being punished for? Visiting sites or using services the school has banned on school-owned computers? The wall the school puts in between them and AIM or mySpace or Ebaum's or porn or whatever is really just there as a reminder. It doesn't magically become OK to do that stuff just because you figured out how to get around that wall, even if it was really easy.
Let me first say to the submitter you're a dick. Don't throw this back on the school. The reason public schools have parents and students sign such exhaustive user agreements is because hardly any of them have the proper funding to provide state of the art security. During college I worked at a public school as one of 3 people in IT. We had to maintain 1500 machines district wide, helpdesk and all, keep all the servers running, update and maintain the website, and many times run and install cabling ourselves. That doesn't leave a whole hell of a lot of time to go around to every machine and change BIOS settings not to boot from the cd-rom.
All three of us were in our early 20's and had a hard enough time dealing with 40-50 year old educators who were very resistant to change. Students like you really pissed me off. I worked in IT for god's sake you little bastards left us no time to play any games at all.
Waah, waah.
You did something wrong and you got caught. Deal with it.
You fault the school's security posture, but you're only looking at half of it.
So they don't have the budget to enforce it with the latest and greatest security appliances, but they have a really cheap tool on their side: the authority to strike you down with a vengeance for knowingly violating their policy.
They've eliminated a known threat (you) for 3 months and deterred anyone else that may think to act similarly. I'd say that's effective.
At my school, the internet connection goes through the Board servers, and they are able to block anything they want. At first, the sites that were blocked were mainly sites requested by teachers and administrators through a form that explained why the site was not appropriate for school use. However, they started to block sites that had certain keywords in them, and this is where I think they cross the limit.
:). Also, the board attempted to disable the command prompt on the Windows XP machines (the cmd.exe), but uh... sorta forgot command.exe :).
Now, almost half the news sites I go to are blocked because they have keywords such as "Pornography" in them. So news articles such as "Tactics in the Porn Industry's Fight Against Piracy" would cause the entire site to be blocked and inaccessible. And there was actually a class project I had, that involved researching "Pornography and the Internet", which due to the censorship I was only able to do from home. This is where I see using a proxy (obviously encrypted due to keywords) seems reasonable.
I don't think these kids should be punished for merely using a proxy, but it should depend on the actual sites that they visit. I can see the reasoning behind punishing kids for visiting myspace on the basis that it's against school rules, but just for using a proxy is ridiculous (Although I'm not sure what's the case with these kids). However, I'd also think the maximum punishment for this should be merely restriction of computer use.
But I also must admit, that there's a certain joy in circumventing the pathetic attempts of the board in trying to censor the internet. One of the most hilarious discoveries that me and my friend discovered was when a site was blocked due to the crappy keyword checker, the sites that also had ssl enabled could work if you simply changed the address to https
That oughta teach them to fuck with teh system!
First off, I am a student tech at a local school. Agreed, the use of a proxy is not creative, but circumventing the rules is justified when it is for legitimate education. Myspace, YouTube, pornography, whatever are not school appropriate, and thus my school runs all network traffic through an internal proxy.
Problem is, the filters are far too sensitive, often restricting access to legitimate information sources or gateways such as Google, the online version of the biology textbook, Wikipedia, Fox News, CNN, and other sites quite useful for the spread of educational information.
Popular ways to access this valid content include using an alternative browser installed on a USB drive, or disabling the use of the proxy in the standard browser.
Should students be punished for circumventing unusual regulations in order to access educational data?
I graduated high school only 2 years ago, and still have a little brother that is in high school. Just the other day he was saying how he can never do any research on the computers at school because all the websites are blocked, including wikipedia. I found this problem as well. Fortunately for me I had a computer science teacher who liked me and trusted me enough to let me bypass the security measures as long as I was in his class and he was there. Chances are, these students simply want to get their work done and not be inhibited by these horrible systems that keep students "safe". Just supervise the kids the way you are supposed to and there won't be a problem.
I was punished for using a Linux LiveCD to login to their computers without using a password, even after I told the admins how to disable booting from CD-ROMs. They refused to update any of the computers and as such I was using the same tactic till the day I graduated.
So the policy was clearly communicated to you and you continued to reoffend.
Shouldn't the school district be liable for their own insecurity?
Actually, no. If they dictate a policy, and you choose to not go along with it, you should be responsible for that decision. Simply being able to do something doesn't make it appropriate to actually do it.
"The problem is that some of these students are being suspended from school for up to 3 months at a time.
Three months is certainly very excessive. And, frankly, I DON'T BELIEVE YOU. How about a link to verify?
Absolutely they should be coming down on the students.
The schools have rules, conditions, and access limitation in place for multiple reasons:
In the case of things like students accessing proxies not on the blacklist to access sites on the blacklist, or booting LiveCDs, or otherwise evading the infrastructure as it was in place, these students are willfully violating the conditions of their using the resources. Even if they're smart enough to avoid the viruses and popups and such, they're opening up the computers to risks the administrators have deemed too high.
Students who willfully misuse school resources, in the case of almost everything, are subject to discipline up to suspension or expulsion for most things. In the case of computers, they're not just doing something that could hurt them, they're potentially hurting everyone at the school.
Consider if it were a work environment. In most workplaces, even looking at porn on your own computer is considered "creating a hostile work environment" for anyone who works there, since you have no expectation of privacy at a workplace. Infraction of workplace rules is punishable by up to and including termination. Convert that back to a schoolplace, and at least you get to come back to school.
The computers aren't there for your personal enjoyment, they're there as tools of learning for the student population as a whole. There is nothing "educational" to be gained by browsing Facebook or MySpace, or reading your personal email, or anything the school has explicitly decided you shouldn't have access to. If you feel you should, there should be a policy in place for reviewing and allowing or denying access.
Just cause you CAN do something doesn't mean you MAY or SHOULD. You can steal from shops, kill people, and sleep with your brother's wife. You probably may not or should not do any of those things, though.
Seriously, if you're going to go intentionally getting around rules that have been put in place, why are you complaining about being disciplined when you get caught? Chat with your MySpace ho's at home, leave the school computers for people doing real work.
This space for rent. Call 1-800-STEAK4U
That doesn't sound right at all; the kids knew what they were doing and they were doing specifically to circumvent what little security there may have been, but that doesn't make the violation of the rules "less bad."
I may be an idiot if I forget to lock my door, but the criminal that comes in and steals my TV is still a criminal and still needs to be punished for what he did wrong.
The thief knew what he was doing was wrong, the students knew what they were doing was against the rules. It's really that simple.
Stupid sexy Flanders.
"While security breaches by students are something to take seriously, should school administrations continue with their knee-jerk mentality to something like this, especially at the times when its obvious that no malicious intent was involved?"
Nothing like a carefully worded question to get the debate rolling! Should they continue their 'knee-jerk mentality'? Of course not. They should be thoughtful and precise. They should be guiding and teaching. This does not imply that they should not punish. Quite the opposite! I run about 350 public PCs for a major city library system. Being a library, most of our PCs have full, unaltered Internet access; some do not (child laws and such). We have one group that is flexible in that we can change them from full access to limited access and back. Before we (supposedly) perfected the system, we had a HUGE problem with kids getting around the blocks to various pages, as well as adults DL'ing porn and illegal movies. The rules were posted; people were warned. Then, people were tossed out. The rules are posted at each PC, plus at the sign up stations. Among the rules is the prohibition against physical, electronic, and logical alterations to the equipment. This rule, as with the others, is in place to protect the computers and, therefore, the city's investment in them, along with my time in maintaining them. Break the rules, you're out. Too many times, you're banned for a period. Too much more after that, you don't get back into the library.
When it comes to public PCs, we're talking about public money and public liability. For our unlimited stations, parents are advised that the Internet contains content they may not wish their children to see and we are in no way responsible for it. Takes care of our liability. The rules mentioned above take care of the money as best we can. So, YES, PUNISH THEM FOR BREAKING THE RULES! On the other hand, suspension for three months? Give me a break. You may as well flunk them and set them back a year. Suspend them for a couple weeks at most, then disallow computer access for the rest of the semester (or next semester if this one is almost over). As mentioned elsewhere, these kids NEED to LEARN to FOLLOW RULES. The sooner, the better. Want to know what happens when we don't teach our kids this? Take a look at society around you. I bet you can see what I'm talking about.
I have to agree completely. I have been incensed by the idiotic reactions of various schools lately, but this is not one of them. While the particular *site restriction policies* should probably be examined on a regular basis, enforcing rules of appropriate computer use is not, a priori, draconian, even if no mechanism is in place to prevent misuse. That would be like saying beating someone up in the hall is OK as long as no teacher is around.
The schools should make reasonable efforts to tighten down the computers to prevent getting around the policies, but even corps with competent IT staffs (the few there are) are having arm-loads of trouble with proxies. How do you keep up? Account restrictions and locked BIOS should be standard, but there is only so much to be done (technically) about keeping kids away from restricted content. A long suspension might be harsh depending on what was done, how many times, whether it involved legal as well as school policy violations, and what they do with the kid in the meantime. At my private high school growing up, we got a few public school rejects, who the school had trouble disciplining because the parents had a lot of financial clout with the small school's Board.
I cannot believe anyone would take the students' side in this. If you circumvent something, you get into trouble. That is the way it works.
Obviously it's because the students were doing it to update their myspace profiles...
That's like saying, "Sure, we have metal detectors at the airport, but I was able to sneak in 2 guns, a knife and a bazooka. Why should I be in trouble for bringing in all those things if their security was weak enough for me to defeat?"
Sure, the security might need to be fixed, but that doesn't excuse students from breaking the rules.
Boats float, except when you poke holes in them. Then they sink. If you steal a boat while it's sinking, you're no better than kids that use proxies to get to websites that are blocked by proxy software.
And yes. That makes as much sense as comparing using a proxy to stealing physical objects, picking locks, and physical abuse in a myriad of forms.
Analogies, I submit, suck, and shouldn't be used as your primary argument for or against something. Try intelligent discussion of the relevant facts instead. It's bad enough that the facts of something are open to interpretation.. adding a layer of opinionated obfuscation and rant doesn't really help the matter.
As for the topic at hand, people have been suspended for the stupidest things imaginable if they involved computers since the dawn of the computing age. Much of this has to do with faculties not understanding technology.
However, these students did something that was (rather nebulously) declared evil by the administration. No clue what they did, or if it violated any rules, as there isn't a link to that. We're not talking about trampling on a sacred trust here, but about a school "rule". I remember there being ridiculous and often illegal rules back in my high school (which, when this was pointed out, were somewhat grudgingly not applied) so I'll reserve any judgement until someone publishes exactly what these folks did.
And by the way, if I'm paying for my kid to go to a school? I'm absolutely going to force them to change rules that I don't feel are "right". Heck, if it's a local public school, then I'm paying for your kid to go to school. I feel that doubly applies.
You're reading Slashdot. Of course you like Linux and pc hardware
This isn't an isolated phenomenon. The vast majority of school districts are sort of plunged into educational technology use without very much training or expertise. They may be provided federal and state funding to purchase computers for classrooms, but they aren't allocated funding to employ full time technical professionals to maintain the investment. When I was in high school, the same thing was happening. I used Linux live CDs all the time, and even when I tried to help them fix things, they never wanted to know. We were in even less secure a situation. To get around the school's chaperon filter, all you had to do was change the browser settings so that you didn't use the proxy at all, and you could get through without trouble. The reason why administrators react in such a way is because they don't understand what's going on beyond wrong vs right. It's highly likely that 1 teacher who took an A+ certification course and feels very full of himself or herself is also too overzealous to admit that a student was able to help correct a security flaw that they had overlooked. That's how it was in my High School district. I think the key is to start doing 1 of 3 things: either providing teachers and administrators proper training, employing competent technical professionals, or start actually trusting students who offer to help and regarding their suggestions with a bit of humility.
izm
I speak as a school sysadmin. I am not lazy, I am overwhelmed. The same goes for my district admins. I cannot possibly close every last security hole in the over 600 computers I am ultimately responsible for. The task is too large. Either way, the rules were written and most likely (as is the case in the school where I work) students signed off on a form or booklet that said they would agree to abide by these rules. These rules include appropriate network use. The fact that a security hole is not patched, does not negate the signed agreement by said student(s) who signed an agreement that they would not do it and said agreement lists punishments (at least at my school) that will be meted out in response to breaking of said rules. Therefore the fact that a security hole is there does not give a student the right to breach it or use it to their own advantage.
At my school, we encourage students to report such breaches to us that they discover (and they are guaranteed not to get in trouble for the discovery) so we can improve our security. We like to try and keep the kids who are good at this stuff on our side in this way but if any student should use such a breach to their advantage in the way this article describes and they get caught, there will be consequences...not 1 month suspensions generally but still a message needs to be sent.
As an earlier poster in this thread said, part of being in school is teaching students how to respect boundaries. Same poster also said correctly that similar actions as an adult lead to far more serious consequences such as loss of job or worse.
...quicker, easier, more seductive the darkside is...but more powerful, it is not.
It is dumb not to secure the machines but the kids are actively trying to circumvent what is in place. The fact that it's easier than it should be is immaterial with respect to whether the student's action should be permissible. If a janitor leaves his supplies closet open is it okay for the kids to go in there and start messing with stuff? Or should we pat them on the back for being creative in doing something they know they're not supposed to?
In both cases the lapses should be addressed but that doesn't excuse the behavior of exploiting it.
...to teach students to respect an honor code?
And SSH I did - I tunneled vnc over SSH back through my linux router to my desktop and learned, learned, learned about networking. It was OK since that was before anyone important knew anything at all... now they know enough to want control.
These days, you should probably just get a decent linux or wince phone and completely bypass the official chowder-head restricto-net. Cat and mouse games are fun until you realize that getting caught means getting stabbed in the face by junkies over at the "alternative education" center. Ah, law and order, how you protect us...
I was shocked reading the content of the slashdot posting! "I was punished for using a Linux LiveCD to login to their computers without using a password, even after I told the admins how to disable booting from CD-ROMs." Read that again. This person is blaming the administration for allowing him to do something that was against the rules. Perhaps he would like to be chained to his desk so that he cannot get up, move about, disturb the class, and get in trouble with the teacher?
It's so absolutely outrageous that I don't know where to begin discussing how terrible it is. He's asking for a nanny state (most Slashdotters seem to think that a nanny state is bad). He's asking for stronger censorship on the part of the school (blocking access to proxies). He's asking for the admins to change the computer security settings so that he isn't capable of doing something that he knows will get him into trouble. It's truly insane, and honestly, it sounds like someone managed to troll Slashdot into fighting for these absurd things by appealing to the "OMG, highschool kids have no rights!" crowd.
What are you some sort of dissident or something?
You're absolutely right. This is such a ludicrous punishment that I don't know why my own cynicism didn't kick in.
Ben Hocking
Need a professional organizer?
If the rules exist solely to insulate the school from complaining parents then no, it's the school's problem. They asserted in loco parentis and it's their deficiency to deal with. They can't simply put in an electronic babysitter and hope for the best. If the kids who broke their border did something illegal the school would be responsible so just because they don't doesn't mean the school gets to erect a legal fiction that takes them off the hook.
If on the other hand the rules and the border are there solely to instill some sense of 'good' computing and being a cheerful and well mannered community member then yes the punishment is appropriate, AS LONG AS those penalties are articulated in the policy beforehand. If on the other hand there are no articulated penalties and the school is literally on a witchhunt pulling things out of their heads willy nilly and never ending the search for the guilty according to a set of invisible laws that they maintain allow them to question and punish anyone they want for whatever they feel like then no, they should back off. Or they should simply throw all the kids under suspicion out of school forever and leave them to the private school system. That way the school is free to assert their rules, free to ignore or not even require evidence and free to do whatever it likes to whomever it likes for as long as they want. I'm sure THAT will teach the students about fair and reasonable community behavior.
The thing is, in real life, the employer makes rules, if you don't follow them, you can lose your job. If something gets damaged in the process, you can have to pay for it. It doesn't matter how stupid the sys admin or the rule is or how lazy for that matter, it is their property you are using. And if I had to constantly check and change stuff to make sure you're not going somewhere you're not supposed to be on the company network, guess what, you don't have access anymore and you will be lucky to have a job. You are costing the company money they shouldn't have to pay. Plain and simple.
Employers and schools aren't like your parents where they have an obligation to keep you around. If you want to violate the rules and treat someone like shit, stay home and live off your parents. Cause you will get fired or suspended anywhere else. And in some cases, you could be out some money with lots of bad credit following you around.
I don't think anyone who isn't related to the owners of a business or fucking one of the owners can seriously say they have some right to poke around where the company says they don't (this includes bypassing a proxy or Internet restrictions). And if you seriously think you're too important to get fired, keep it up, they just haven't found your replacement yet. But as soon as you start costing them money, you can bet they will look even harder.
What if I taped up a door so it wouldn't close, then broke in? The school is liable for their own security, so if I broke in using my taped door, that's their own fault!
Security IS the school's responsibility. But part of security is the rules, policies, and procedures set forth... 'lock the doors behind you', 'don't leave the windows open'... which equates to stuff like 'you can't use proxies'. If someone deliberately breaks a security rule... like leaving the back door to the school open so it's more convenient for them to get back in if they forget their key... then that is a punishable offence.
If I keep a door held open with a rock, that doesn't mean that I should whine about their lax security just because it didn't crush the rock and close anyway.
Now... that said, and despite a previous job as a sysadmin, I would like to see less of a focus on prosecuting students for stuff like this. It's wasteful... the students that do the most violating are likely to be the students most competent in computers, the ones we need the most now and in the future. Can't we get some kind of 'nerd-exemption' going, like all those jock-exemptions they use to keep their stupid football team competitive?
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
The door IS locked, just not well. It is, in fact, like most physical security. Generally speaking, physical security sucks, especially on homes. It is rather cursory and easy to override. People don't care to spend the money, time and hassle on better stuff. For example a normal lock is rather easy to pick. Most can even be bumped, which requires essentially no skill. Also, if someone gets your key, they can have a copy made at any hardware store. However better locks are out there. If you get a Medeco high security lock it solves basically all these problems. It can't be bumped, is highly resistant to most physical attacks, a real bitch to pick and you can't get the keys copied.
So why not use it? Well first off they are like $200 per lock. Then there's the fact that if you need new keys, you have to go to the dealer and show ID (and the keys are expensive). Thus the expense and inconvenience keeps good locks like that out of most homes. They'll settle for low grade ones that are really not that secure, all said and done.
Same deal here. The filter IS like a lock. May be a shitty one, but it is clearly a message to stay out of certain sites. Doesn't matter if the security is bad, you aren't allowed to break it. You'd be mad if you found me standing in your living room and my response was "Your lock sucks, you should get a better one if you want me out," I'll be just as angry if I find you on my computer without permission.
I'm sure you were violating some rule or terms of use, but because they didn't physically prevent you from breaking said rule, you thought it's OK to do so anyway. Just because you can break a rule, doesn't mean you should.
I guess if I leave my front door unlocked, you'd think it was OK to enter uninvited? I think not.
People, please don't berate about my responsibility to keep things locked up to keep them secure. I'm talking about his personal responsibility, as a good citizen, to voluntarily follow the rules of his society or school.
You know, "do unto others as you'd like them to do unto you" ...
It must have been something you assimilated. . . .
I use a proxy to get around Websense at my school--
--because Wikipedia is blocked by it.
When I asked why it was blocked, I got the response that apparently it was banned.
So yeah, I use a proxy, and yeah, I'm breaking the rules, too. But as long as I know I'm using it for something morally acceptable (research), and not MyfaceBookSpace (which I don't use, anyway).
So, it's entirely possible (though probably unlikely) that they could have been using a proxy for research purposes.
If you join a school, you go by their rules, no matter how retarded they may be. If you don't want to be treated as one of the windoze-using herd in a winblows-only school with winshit-only obligatory security measures, choose another school. If you join a school, break their rules, and get penalized - tough shit. No sympathy points here.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
...Same logic applies.
Sounds good if the company never requires me to do a job that can only be reasonably completed by bypassing their network restrictions. Say, I need to connect to an outside database with my special debugging client to find out why the customer's application is not working. The logical way to do it is to tunnel through an HTTPs proxy, but this is presumably against company's policy - they meant to block all traffic besides web browsing. Say, I call you at 2am on Sunday and ask you to reconfigure the network for me, since the customer is getting impatient. Given that it takes you great trouble and expense to even "visit a workstation in person", I doubt that you would solve the problem before the customer gets pissed and drops the contract. In this case, give me a good reason why YOU shouldn't be promptly fired and the $10M value of the contract charged against your paycheck?
I never saw a company that accepts its own security restrictions as a valid excuse for not doing the assigned work.
It almost seems like they put out a giant shiny red button and told the kids 'do not push that button!'
School: We don't have the resources to properly lock down our system. So let's just tell the kids not to do these bad things and kick out any that do.
Curious Kid: Hmmm they tell me I can't use proxies? [TEST, TEST] sure looks like I can use proxies just fine.
School: *slap* No school for you!
Did they honestly expect teenagers to obey all the rules? Part of school is teaching kids that breaking the rules has consequences, but ridiculous punishment for trivial rule violations will just teach them contempt for the system.
A reasonable suspension would be 1-3 days. 3 months? Just plain stupid.
I work with extremely sensitive data constantly, most of which, if mishandled or disclosed, would ruin any number of Fortune 50 companies. It doesn't occur to me to do so. I love my job, and besides it's wrong, and I didn't need to be told it is wrong. But I was told so. All the same, I could do it.
/. will be that students shooting up the school shouldn't be held responsible, if the school 'let them' bring a gun in.
And no judge would accept my argument:
"But your Honor, they didn't PREVENT me from doing it!!!"
I've had several school systems as clients. Ultimately, I told each of them that it would be likely that determined students would find ways around security. I encouraged each system to develop and apply an acceptable use policy for all computer use, not just Internet access, and to take it seriously - be prepared to exercise it and punish students.
In one system we had to ban a student from all computer use, for repeatedly altering grades. I only found out how they were doing it when I had to work late. Their guidance counselor took pity on them, seeing as they were a promising candidate for an excellent college and wanted to major in CS. So the counselor let them use their staff PC after the day was done. All I wanted to do was shut down the server for maintenance, and I had to get the janitor to open the office door and log off the one last user. We scared the heck out of the student.
The student was charged with trespass. The counselor was dismissed at the end of the school year. I had to explain how they could get their work done without a computer. They both actually broke into the school building a week later and tried to erase all the records of the incidents.
The backups worked. Nice try.
At some point, it's not as simple as 'kids will be kids'. Even without staff aid, students should be learning that 'no' means 'NO!'. Next thing I hear, the prevailing opinion on
Teaching responsibility might as well begin in grade school. We need it to be taught sooner.
-rick
deleting the extra space after periods so i can stay relevant, yeah.
That's pretty dumb, in my opinion. That's like saying, "Should trespassers be held liable for trespassing when the property owners only put a sign up saying "No Trespassing" but refuse to fence their property?"
"Sure officer, I walk across that old lady's back yard every day on my way to school, but at first she wasn't even locking the gate, and when she did put a lock on it, all I had to do was lift the gate off the hinges. It's obvious she's not taking responsibility for keeping people out of her back yard."
That sounds ridiculous but at our old house, students would cut through our back yard from time to time, and once they left the gate open, we got home and let the dog out the back door, and the next thing you know the dog's roaming around the front yard. If my dog had been hit by a car, I would be well within my rights to hold the person who left the gate open accountable (morally anyway).
College is a weird time when I can remember having odd ideas about liability. Well, I was wrong, and so is anyone who doesn't take responsibility for their actions. Leaving my front door unlocked does NOT make it OK to enter my house without permission. In fact the cops will agree with me.
"I have never let my schooling interfere with my education." - Mark Twain
"Part of the function of education is to teach children how to behave and what their boundaries are."
And that is one of the very good reasons my child will NOT be attending public school. There is no way in Hell that I want some part time government employee thinking that it is their job to teach my child how to behave, and where his boundaries are.
Isn't it the administration's responsibility to exercise due diligence in securing their own computers?
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Well, Chances are you won't be hired at this company. All the software they use is purchased and not developed on site.
But in the case you are working there and need something like that, all you have to do is inform someone you will need the access with a decent reason for it, and you will have it. It isn't very hard, all you have to do is give someone VPN access to the part of the network that isn't restricted and off you go. But remember one thing, everything you do will be monitored and logged so visiting smut sites or doing your on line banking from work isn't a good idea. Surfing Slashdot for hours on end and then billing the time isn't a good idea either.
The costs to administrate the network and everything involved has been cut by two thirds after restricting where people can go and such. We had a few people quit in protest but only one actually left and word is he had another job waiting before throwing a fit. Virus problems have been almost nonexistent, slowdowns and downtime from Spyware and stuff have almost been completely eliminated. Mysteriously, problems with computer crashing and general repairs have been almost completely eliminated. Employees are more productive and they are making more money (through a combination of profit sharing and small raises). It is something else when you look at a controlled network like this.
I dodged any real punishment, thankfully, but I have been sternly told that ssh is completely against school rules... when what I was using it for was mostly pushing my work home so that I could do it wherever. Oh, and using a sane editor.
Thankfully, the administration knows me well enough that I got off with a slap on the wrist and a STOP NOW!!!!.
I work as an IT teacher in a UK school. My school, like a great many in the UK, has an RM network (http://www.rm.com/), if you've never come across it, it basically seems to be an amalgamation of things that don't quite work properly held together by thousands of patches and bug fixes to create a truly crap network. Also, you can't open any of the server hardware, as it's all leased, and the only proper control you have is through all RM's proprietary software. It is our network manager's job to hold all that crap together without anything major going wrong too often. It is pretty much impossible to overhaul large sections of the network due to very tight budgets, so you live with what you've got, only replacing things when they're truly broken. If you think you're a good sysadmin, try working with a system that you don't have time to fix (or even the PERMISSION to fix properly for an RM network) or money to replace, and that up to one thousand small children are actively trying to fuck up wherever possible.
I think things would run much smoother all over if people would simply accept 100% responsibility for their portion of the problem. Here's an extreme example:
Let's say I buy a house with a nice front yard but in a bad neighborhood somewhere. Further, I collect a million dollars and pile this money on my front lawn. I put no security systems in place, nor do I hire any guards. Then I take a trip around the world only to find my money gone when I get back. We'll also assume that the weather was perfect during my absence so no natural causes would cause the money to disappear. I call the police, tell them my money has been stolen. Obviously, if someone did indeed take the money, it wasn't theirs to take. They should not have done it, there is a law against it, if they are caught, they should go to jail. On the other hand, someone should smack me upside the head for not keeping my money more secure. Even moving the money inside the house with no locked doors would have provided better security since it would not have been visible to any passerby. The cops would tell me I was a dumbass.
So in this case the school did do a number of things, they put in place security measures, had security policies and informed the students. The students willingly broke the rules and should be punished. Perhaps this accounts for 95% of the problem. The school should recognize though that there is a hole in security that is being widely exploited and current measures of prevention are not working. An exploited security hole should make its way towards the top of someone's priority list to be addressed. The school should not ignore its contribution to the overall problem, but recognize it, address it, and minimize further contributions to the problem.
Viruses and spyware wouldn't have been a problem if you were using anything other than Windows, but you decided to go the babysitting route and treated your employees like children? What are you doing on Slashdot, good sir?
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
I work at a school and there are blocks in place for non secure proxies, but to the extent of my knowledge the only way to completely block proxy use is by one of the following conditions:
A) All access to https (any encrypted outbound connection) is blocked
or
B) Access to https is dependent on a site being on a white list
I personally ssh in to my home computer and use that as a proxy for accessing legitimate stuff for my position that may be blocked by our filter.
Are there ways other than my stated to block access to a proxy?
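Condition B from the post above, sketched as an added example (not part of the original thread, and not any filter product's code): an egress proxy decides each HTTPS CONNECT request against an allow list. The host names, the port set and the function names are assumptions made for the illustration.

```python
"""Allow-list decision for HTTPS CONNECT requests at an egress proxy."""
import ipaddress

# Constructed sample allow list (assumption). A leading dot means
# "this domain and every subdomain"; no dot means that exact host only.
ALLOWED_HOSTS = {".wikipedia.org", "library.example.edu"}
# Only the standard HTTPS port may be tunnelled (assumption).
ALLOWED_PORTS = {443}


def parse_connect_target(target):
    """Split the 'host:port' of a CONNECT request; None if malformed."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None
    # Normalise: drop IPv6 brackets and a trailing root dot, fold case.
    host = host.strip("[]").rstrip(".").lower()
    return (host, int(port)) if host else None


def is_ip_literal(host):
    """True when the client asked for an address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Match on whole DNS labels, never on a bare string suffix."""
    for entry in allowed:
        if entry.startswith("."):
            # '.wikipedia.org' covers 'wikipedia.org' and 'en.wikipedia.org'
            # but not 'notwikipedia.org'.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide_connect(target):
    """Return ('allow' | 'deny', reason) for one CONNECT target."""
    parsed = parse_connect_target(target)
    if parsed is None:
        return "deny", "malformed target"
    host, port = parsed
    if port not in ALLOWED_PORTS:
        return "deny", "port not allowed"
    if is_ip_literal(host):
        # An address cannot be checked against a name-based list.
        return "deny", "IP literal"
    if not host_allowed(host):
        return "deny", "host not on allow list"
    return "allow", "allow-listed host"


# Constructed CONNECT targets covering the edge cases above.
SAMPLE_TARGETS = [
    "en.wikipedia.org:443",
    "EN.Wikipedia.ORG.:443",
    "notwikipedia.org:443",
    "wikipedia.org.mirror.example.net:443",
    "203.0.113.7:443",
    "library.example.edu:22",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(t, decide_connect(t))
```

A default-deny list like this only holds if the firewall drops outbound traffic that does not originate from the proxy; otherwise clients that are simply configured not to use the proxy never reach the check.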
Bull! Before someone claims that schools should block 100% of the "bad sites" out there and that not doing so gives students the right to use them, try this:
Now ask yourself... how much time did you just spend doing nothing but blocking proxy sites? Do you think it would be easier/harder if you had 1200 kids who might or might not be trying to find proxy sites instead of 6? Would you be willing to spend that much time every day? (New proxies appear constantly you know.)
And in the end which is important? That you stop every kid who wants to break the rules and an agreement *that they signed*? Or that your firewall is set up right, the servers work, all 600-1000 PCs are up and running, Windows is patched, networking is Ok, Internet access is working, the servers' hard drives aren't filling up, etc.?
I could probably do a fair job of blocking almost every proxy out there if only I spent 1/2 of my day every day working at it. But why? When did "You didn't stop me" become the same as "I'm allowed to"?
What if life was like that? Someone stole your bike? Sorry, we can't punish them. You may have had a lock and chain on it, but the chain wasn't resistant to acetylene torches. You didn't take full precautions.
Someone broke into your house and stole your computer? Yeah, we caught them but had to let them go. Why? They said that your doors and windows were locked but that they smashed your bedroom window with a rock. A rock they found in your yard. You should have either used break-proof glass or removed every rock from the yard. Your security was too flawed so we had to let them go and keep the PC too.
get fired from my job? I was just bypassing the stupid webwasher so that I could view pr0n...
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Should a student who is breaking rules they've agreed to abide by be liable for their actions? Yes, but they shouldn't be suffering most of the penalties we hear about in the news.
Should the school and/or its administrative staff be liable for leaving insecurities in its systems? Yes, but within reason. A school is supposed to be a learning environment, and as such some restrictions can't be imposed without also restricting valuable learning resources.
Those are simple straightforward answers that I believe to be correct, but there is another underlying issue that most people don't seem to be aware of. Technology presents scenarios that require rules and regulations unlike any other element common in schools. Because of that, there is no tried and true baseline for school officials to expand off of, and most of the rules and regulations that are set up leave a poor balance due to a lack of knowledge and understanding of technology.
Since the percentage of students with the knowledge to exploit an insecure situation (well intentioned or otherwise) is rising more quickly than that of the staff, a proper balance is becoming harder to maintain. Why is it harder to maintain when the students should be following the rules and regulations? Because as general knowledge increases, so does the awareness of learning opportunities present in the technology.
And of course a school is a place to learn, so any decent student who cares about themselves at all will want to take advantage of the opportunity, and any administrator or staff member worth anything will encourage the student to do so; they just won't realize that this encouragement will cause curiosity that leads to the breaking of important rules.
And when a student knows they're learning something new, and knows they're not causing any negative effect on themselves, their peers, or their school, why wouldn't they exploit insecurities?
If Linux or mac could run the programs that need run, they would be there too. And no, I didn't decide to babysit, I don't make the rules. I just follow and implement them.
Maybe some day when your network is something more than your mom's cable connection, you will understand that people take jobs at places and have bosses. And these places with bosses have certain requirements and you cannot just change the stuff on your own.
Viruses infest systems because of security holes. Students do not access proxies because of security holes, students access proxies because of information censorship which they disapprove of. The proxies are external information portals, and are not under your control. They simply route information from one place to another, providing a different means of accessing information. Therefore an attempt to block access to proxies is NOT a security issue and is ONLY a censorship issue.
We need to be more judicious in the language we use to discuss these issues so that it is more clear what we're really talking about.
In relation to this article, students should not be punished as if they committed a security violation, because they did not. They at worst violated a censorship policy by viewing information that violates school policy.
I guess it's fair enough if normal employee duties do not require Internet access to arbitrary sites. Although, the preferred approach would be to allow only specific netmasks at the router rather than firing people for changing Internet Explorer settings. Modern education however does require full Internet access, including to sites talking about homosexuality, breast cancer and birth control. So do employees who need to prepare presentations, find the best shipping method for a fragile container, process claims based on customer's photos... Until there is a breakthrough in artificial intelligence, there is no way to set up a filtering program that does not interfere with legitimate use.
So your defense is that it shouldn't cause any problems for you (even though you are doing exactly what you aren't supposed to) because they aren't managing the security like you think they should? So... what... the grocery store shouldn't charge you for theft if you walk out without paying? I mean... hey they should have had better security. Stop trying to justify what you've done. It's wrong. You were told not to do it. It's not your computer system.
+1 Insightful if I had any points.
The higher the technology, the sharper that two-edged sword.
All I see is a link to the school district's web site and a six line commentary, followed by a question. What article are people arguing over? There's even a posting that says the article is moronic ... and there's not enough detail in the commentary to start a good argument.
Did an article link get edited out or does the emperor have no clothes here?
Alternatively, I'm a moron ... yeah, yeah, I know. Fire away.
[17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
The responsibility is the students', and typical of society, people want to slough it off on the administration or some other entity rather than take the blame themselves.
Cheers
Most school districts have a Terms of Use contract. You might not remember signing it, but it happened. I'm sure there was some type of violation of it.... Though I do concur that the three months seems excessive, there are not enough details here to truly understand the situation. And if the website was of genuine educational use, then the proper procedure is usually to let someone know, and if it is deemed appropriate, it will be allowed through the filters. There was a time in our school district when mythology websites were blocked as "cult" or something else as ridiculous. I also agree with the idea that just because something is possible is no reason to do it.
I presume that the administration didn't come down on these students in a vacuum. They probably have published guidelines for acceptable use. These are most likely a non-optional condition for use of the school's computer network/systems/bandwidth/etc.
I'm all for the maxim that "you've gotta know the rules to know how to break them properly," but when you take it upon yourself to break the rules, you've got to be prepared for the consequences. Period.
Should the school system have harmed my education to stop me doing those things?
Now pretend my education didn't matter, and all that matters is that the school maintains order and security. Even by those standards, it is counterproductive to mete out disproportionate punishments. Teachers and school officials shouldn't try to pretend that they have more control than they do. Whether they like it or not, they are dependent on the judgment and good will of the students. Those are the fundamental elements that ensure the security of the school. Teachers and school officials are responsible, as leaders and educators, for fostering those elements.
Making punishment proportional to the real damage or danger incurred helps maintain trust and good will. It lets the kids know that the teachers aren't just arbitrary fascists, and it funnels them towards mostly harmless mischief. There were a handful of teachers at my school who could issue serious rules that we would obey even if we didn't agree with them. Those were the teachers who weren't really threatened by our harmless mischief. We knew they would punish us if they caught us, but we also knew they were concerned for our well-being, our education, and the well-being of the school, not their own authority. Mostly they just rolled their eyes and expressed mock exasperation when they found out about one of our pranks but couldn't pin it on us. When those teachers spoke seriously, we listened and obeyed, even if we felt they were being harsh or unreasonable. They had real authority over us, which we freely granted. (We also liked those teachers enough that we never risked getting them in trouble, unless they were in on it.)
The teachers who wanted to control us by establishing authority, who felt
Hello.
When I was younger and more naive, I used to hold the same beliefs that yamamushi does. Now, however, I a) work in the IT department for a school district, and b) know a bit more about formal security policies, and as such my perspective has shifted a bit.
Our district has 10,000 (unique) users and about 4000 computers. We have a staff of five people. We have hundreds of kids every day actively looking for holes in the system. Legally, we have to prevent students from accessing proxies, but you and I both know that proxies pop up all the time... and there's a lot of kids looking for open proxies. No automatic blacklist filter can stay ahead of that, and we're not going to have the staffing resources to go through all the logs and trace where people went.
So we have policies. Any security person will tell you that written Acceptable Use Policies are an integral part of an organization's plan for dealing with insider threat (read: you). I see your district has its AUP posted on the website, so presumably you read and signed the AUP. I see no room for whining after getting suspended. Granted, our district would suspend you for three days rather than three months, but I can't fault the idea of district suspending you after you signed a contract saying "if I circumvent the logon system, I will be suspended."
Kudos to you for telling the tech people how to disable devices, and shame on them for not fixing it. But at the same time, I've known about security holes for years that still haven't been fixed -- because they're not big gaping holes, and I haven't had time to fix them. So they go to the bottom of the list, and we trust you, the user, to use the system responsibly and play by the rules.
Hardened systems are good, but they're no replacement for responsible student behavior. Let's switch the analogy. We don't have a technological mechanism in place to prevent a DoS of the grading system if you're in a specific spot. Nor do we have a technological mechanism in place to keep the wrestling team from kicking the shit out of you in the bathroom. But we shouldn't need to, because we expect students to behave. Granted, they don't always... which is why people get suspended.
-- r . m o s q u i t o --
This is absolutely, positively a matter of degree. They got past the outgoing firewall. Whoop-tee-do. Make them write an essay during detention about how they won't do it again. Suspending them and harming their education for three months is not appropriate. Period.
+++ATH0
Having students sign a document is all wonderful sounding, but minors can't enter into contracts (except for "necessaries," which computer access at school is not). Your signed agreements are invalid. If their legal guardians are signing it, then you'd have an argument.
This is purely an internal discipline issue. The signing of those documents is just to make the students accountable to themselves, not to the school board in any way.
Not certain what "malicious intent" has to do with anything here, though perhaps the poster used the wrong word?
People who download pirated music, movies, or software are not doing so because they hold any malice against the creator of that content (generally - in the case of MS maybe they do) but what they are doing is still a violation of the law. If students were doing that, or accessing porn sites (also illegal), the school district could be held liable for those illegal activities.
Without more information, we don't know if the students were engaged in illegal activity, violating some express policy, or just doing something the administrators considered unsafe (potential for encountering viruses and trojans) or merely didn't like. Impossible to say if they were being heavy-handed or if they were doing what they had to do.
Hmm... I'm a high school junior who just had a talking to by the Dean of Students and Director of IT for setting up a proxy to help others get around my school's Websense installation. This isn't exactly the email I wanted to see in my inbox...
---
Danny:
Please explain why you put this program in this folder
\\file-server\shp_classes\AP_US_History_Final_Project\Project\FirefoxPortable
---
Luckily for me, the only thing I have to do is comment on my school's Acceptable Use Policy to help make it more clear to students (and, of course, not help people access blocked sites again). I was a little worried about getting a detention or other punishment of that magnitude when I was pulled into a conference room after my last class, but 3 months suspension? That's simply insane. And these are probably some of the school's best students... take it from someone in high school that Websense's "Your company policy denies access to this page at all times" just begs to be worked around. It's not really the getting to Facebook and Youtube at school that was fun, but the challenge of figuring out the best way to do it.
Although I still have qualms with some of the blocked sites, I would like to commend my school's handling of this. They talked about why what I did was wrong (they were mainly upset with my helping of other students to get around the blocking, not doing it personally), and invited me to talk to them about such issues. Much better than the knee-jerk reaction described in the summary.
---
And while I'm at it, I think I'll describe my now-removed setup. First off, many people had put a copy of Firefox in their user's folder so they wouldn't have to use IE (which is the only browser on most all but the science laptops), which, of course, was a huge waste of space. Therefore, I put a copy of Portable Firefox in a folder that everyone could access (although without permission) with a modified launcher that would store the user's profile (bookmarks, history, etc) in each person's own user folder. Then, to bypass Websense, I ran tinyproxy on my home router running OpenWRT with a domain name from DynDNS, then configured FoxyProxy in the shared Firefox install to use my house as a proxy to access the blocked sites. Then I could put a shortcut to the Firefox install in someone's home folder, and they would have persistent bookmarks and a configured proxy.
I had previously set up CGIProxy on my webserver, but that was unusably slow. Websense also caused me to read the HTTP protocol specifications in an attempt to find other weaknesses that don't rely on an outside proxy. I determined that you can access some sites by mucking with the HTTP headers. (Unfortunately, this only works for servers that are not properly configured per the RFCs, but that seems to be a lot of them.) In HTTP 1.0, there was no way to serve more than one domain name from one IP address. HTTP 1.1 addressed this issue by requiring that all requests include a "Host:" header specifying the domain the information should be accessed from. Many servers, such as Youtube, will respond the same no matter what host is specified. Websense, however, will always look at the Host: header if it exists to determine if the site is allowed. Therefore, it is possible to make an HTTP request to youtube.com but ask for "Host: websense.com", have Websense believe that you are going to websense.com, but actually have a page from youtube.com returned. (However, technically, it is improper for servers to respond to requests for domains they do not serve). As far as I know, mine is the first discovery of this technique. Great fun!
Websense causes learning... just not how school administrators expect!
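The comment above turns on a filter that categorizes a request by its Host: header while the TCP connection goes to a different server. As an added example (not part of the thread, and not Websense's own logic), this Python code applies the consistency check a filtering proxy or a log audit can use; the hostnames, addresses, resolver table and log records are constructed for illustration.

```python
import ipaddress

# Constructed resolver data (documentation address ranges), standing in for
# the filter's own DNS lookups so the example runs offline.
RESOLVER = {
    "allowed.example": {"192.0.2.10"},
    "video.example": {"198.51.100.20", "198.51.100.21"},
}

# Constructed log records: (client, destination IP of the TCP connection,
# raw Host header value, or None when the request carried no Host header).
SAMPLE_LOG = [
    ("10.1.1.5", "192.0.2.10", "allowed.example"),
    ("10.1.1.6", "198.51.100.20", "allowed.example"),
    ("10.1.1.7", "198.51.100.21", "Video.Example:80"),
    ("10.1.1.8", "198.51.100.20", None),
    ("10.1.1.9", "198.51.100.20", "198.51.100.20"),
    ("10.1.1.10", "203.0.113.9", "unknown.example"),
]


def normalize_host(value):
    """Lower-case a Host value and strip an optional port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal such as [2001:db8::1]:8080
        return host[1:host.index("]")] if "]" in host else host
    if host.count(":") == 1:
        # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def classify(dst_ip, host_header, resolver=RESOLVER):
    """Decide whether the Host header is consistent with the destination.

    Returns one of:
      "ok"         - Host names (or is) the address actually contacted
      "mismatch"   - Host resolves elsewhere; do not categorize by Host
      "no-host"    - HTTP/1.0-style request; categorize by destination IP
      "unresolved" - Host does not resolve; categorize by destination IP
    """
    if host_header is None or not host_header.strip():
        return "no-host"
    host = normalize_host(host_header)
    dst = ipaddress.ip_address(dst_ip)
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return "ok" if literal == dst else "mismatch"
    addresses = resolver.get(host)
    if not addresses:
        return "unresolved"
    if any(ipaddress.ip_address(a) == dst for a in addresses):
        return "ok"
    return "mismatch"


def audit(log=SAMPLE_LOG):
    """Return (client, verdict) for records that must not be trusted by Host alone."""
    findings = []
    for client, dst_ip, host_header in log:
        verdict = classify(dst_ip, host_header)
        if verdict != "ok":
            findings.append((client, verdict))
    return findings


if __name__ == "__main__":
    for client, verdict in audit():
        print(f"{client}: {verdict}")
```

Sites served from many addresses can trip a pure log comparison, so a forward proxy avoids the problem more reliably by resolving the Host name itself and connecting to the address it obtained rather than the one the client chose.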
I'd like to add to the general consensus coming from school/college/university sys admins.
Unfortunately the reason we have these draconian regulations is, pure and simple, that we are overwhelmed and overworked.
More computers, more students using computers, more students using computers for more things, and (of course) the proliferation of interconnected networks (ie "the Internet").
"Back in the day" so to speak, our team of 3 people looked after 5 labs: 2 labs of mainframe dumb terminals, one lab of non networked DOS/Win PCs, one localtalk/appletalk connected lab of Macs.
Total computer count 40 dumb terminals and 40 non networked PCs.
Nowadays, right now, that team is just me, and by myself I look after over 10 labs totalling over 300 machines and 10 servers.
Hell, I don't even have time to make policy anymore; instead it comes on down from above from system techs (who've probably never seen a student) and management (ditto). Most of the policies are enforced automatically (the door security system doesn't record you as entering the lab, but you've logged on to a computer, bing, 1 day's suspension, logged in to 2 computers at once - even if it's a case of the first machine stalling at your logout, bing, suspended for a day).
So to be brutally honest most of the regulations we throw at students are simply there because we don't have time to investigate and modify all the issues we need to and because we need to (or more specifically are told to from above) cover our arse.
A proxy server is just a web server. It happens to serve any content you choose, but it is still just a web server. Calling this a breach of security is quite a stretch.
With this rationale, you could create a policy that says "You shall not circumvent our security measures and walk on the grass". Then if anyone walks on the grass, expel them for breach of security policies, regardless of what measures were in place. After all, they violated the written policy.
Policies really need to be written to the actual intent, not the mechanism. The policy should state that the students shouldn't view offensive material. The WebSense server should help keep the students under control. Any violation should be related to the material being viewed, not the manner in which it was reached. This trend of policing methods instead of outcomes has led to a lot of the bad laws passed recently, the DMCA being the most obvious example.
This is also another example of the dangers of the nanny mentality. Everyone seems to want to do something, and doing nothing is seen as unacceptable from the outside. So, we have to screen old ladies at airports, we have to pass laws prohibiting incandescent lightbulbs even though the market will take care of the problem if it is the right thing to do, and we have to "protect" our children even though in some cases protecting them deprives them of coping skills.
That's why students get expelled... Most admins don't administer well, they just administer their name, "admins"...
ghostbar page.
Take the example of someone's house.
It has no door of any sort.
A guy walks into the house and sees something they shouldn't - financial records for example. He could say "It's not my fault. There's no security here. Anyone could walk in".
So the homeowner adds a door and a sign saying "Do not enter".
The guy now walks up to the house, opens the door and enters.. He could say "It's not my fault. There's no security here. Anyone could walk in just by opening the door".
So the homeowner adds a lock.
The guy now walks up to the house, picks the lock and enters. He could say "It's not my fault. There's no security here. Anyone could walk in just by picking the lock".
So the homeowner adds several locks.
The guy now walks up to the house, pulls out a sledgehammer and breaks the door down. He could say "It's not my fault. There's no security here. Anyone with a sledgehammer could get in".
So the homeowner replaces the wooden door with an all-steel one.
The guy now walks up to the house, and uses an oxy-cutter to cut through the door. He could say "It's not my fault. There's no security here. Anyone with an oxy-acetylene cutter could get in".
Obviously somewhere the 'guy' has crossed the line. I'd suggest that it was at the point that it was no longer possible to accidentally commit the offence.
Honestly, all the school is responsible for is to ensure that a student cannot accidentally bypass their filtering restrictions and set a penalty. It doesn't matter whether it will still be possible to bypass the system. Ultimately it will ALWAYS be possible to bypass it. The school just has to ensure that it requires a conscious act by the student. The Student has to make a decision to breach the guidelines laid out by the school; and along with that should be the realisation that there will be consequences if they're caught.
And - yes. I am a school network administrator. I deal with such a situation every day.
We put limitations on what students can reach to protect the students AND to protect the school from possible liability issues. If we're not trying to prevent access to undesirable content it could be claimed that we are endorsing it. It works both ways.
This student wasn't raping daughters or breaking federal law (as other analogies have suggested), he circumvented school network security. Big deal.
You have two choices here, you can ruin his educational record for breaking some arbitrary rule (that is already the subject of ridicule on this very thread) or acknowledge that you have an intelligent, curious, boundary-pushing student with a love of technology and nurture those qualities.
I wonder how many of the programmers, administrators & security consultants reading this broke high-school computing rules. I know I sure as hell did. Am I a morally-bankrupt, daughter-raping federal law-breaker? No. Am I in the top 2% salary bracket in my country? You betcha (software developer in NZ).
There's no way I want my kids to grow up unquestioningly obeying every 'law' thrown at them.
"Shouldn't the school district be liable for their own insecurity?"
Umm... no! Shouldn't the grocery store be responsible for its own insecurity... why should the thief be punished if he was just trying to feed his family? He clearly had no bad intentions - he was just feeding his family...
Also, here is the school district's internet policy from their website: (as you can see, multiple restrictions have been fractured and the punishment fit its procedural description)
(emphasis mine)
Rules for Appropriate Use
- A student has access only through his/her student account.
- The account is to be used only for identified educational purposes.
- A student is held responsible at all times for the proper use of the account and the District may suspend or revoke the student's access for rule violations.
- Remember that individuals who receive e-mail from a student with a school address might think the message represents the school's point of view.
Inappropriate Uses
- Using the system for illegal purposes.
- Borrowing someone's account or password.
- Posting personal information about one's self or others, such as addresses and phone numbers.
- Chatting online.
- Downloading or using copyrighted information without permission from the copyright holder.
- Posting messages or accessing materials that are abusive, obscene, sexually oriented, threatening, harassing, damaging to another's reputation, or illegal.
- Wasting school resources through the improper use of the computer system.
- Damage to computers, computer systems or other computer networks including attempting to access systems to which the student has no authorization (i.e. hacking).
- Using the systems or network for commercial use.
- Downloading or installing software on the computer or otherwise modifying the computer or configuration.
Consequences for Inappropriate Use
- Suspension of access to the system.
- Revocation of the computer system account; or
- Other disciplinary or legal action, in accordance with the Student Code of Conduct and applicable laws.
Rirelobql xabjf gung EBG-13 vf gur yrnfg frpher rapelcgvba rire, ohg jbhyq lbh jnfgr lbhe gvzr npghnyyl qrpelcgvat vg???
Actually, there isn't any real Internet access at the areas where the workstations are. This is why you would have to VPN to get your access.
On the workstation level and all the servers and workstations to that side go through a caching proxy connection that we can control which sites are presented and what traffic gets passed through. It is more like two or three subnetworks with different levels being accessible to different departments as their requirements dictate. Playing with IE's proxy setting is how we know someone is trying to bypass it. The router logs hits for the IDS and blocks traffic appropriately. If it is hit hard enough, it will block all communications to that side of the network. One guy played around with it for about four hours of his workday trying to get different settings to work. I don't care how done you are with your work, if you have four hours to play with settings you shouldn't be touching, you need to be gone.
But on a plus side, it complies with all HIPAA regulations and it is relatively secure against any meaningful intrusions. There are at least two levels that need to be defeated with IDS system on both that should stop almost all traffic before the important stuff gets hit. And the second layer stops most all in house threats like viruses and trojans are mitigated.
That doesn't sound right at all; the kids knew what they were doing and they were doing specifically to circumvent what little security there may have been, but that doesn't make the violation of the rules "less bad."
Seriously - they are kids. They SHOULD be breaking the rules, pushing the boundaries. Otherwise they will become good little subservients who never question anything, who never see reason to change the world we live in. Is that what you want?
The problem is that "grown-ups" think that violating an "Acceptable use policy" is a BIG DEAL but why? To kids it is probably the LEAST honourable document - kids know stealing, violence and causing real harm are wrong, and I'm sure most would feel terrible about doing any of these things, but I doubt many of them think twice about artificial rules inflicted upon them about computer usage by adults who don't even appreciate what the kids just want to do (usually simply socialise). If we want kids to honour these agreements they need to be more reasonable, or better explained, or given a sense of value, not just 'you will not do this'.
Can we teach kids to use computers in everyday life, see them employing technology to interact with each other and then get pissed off when they actually do this ? *gasp* it's on school time and computers - where do you think kids spend most of their time?? gee, at school??
When I was in school, we didn't have privoxy or any of that other stuff. I wrote my proxy in raw perl and hosted it on my home dial-up connection. I was pretty proud of it, too. Since BESS blocked 90% of the Internet, including huge numbers of completely harmless sites, it was a fun, harmless, and educational exercise. It was a thousand times more educational than the Pascal programs we wrote in Programming class ("write a program that returns the area of a circle.")
Today, I am paid as a security engineer to do things like write perl, analyze network security, and enforce regulatory requirements. If I had been suspended or expelled for the harmless proxy stuff I did in high school, I could have been denied a chance to go to college, and had my career ruined before I even got on my feet.
The school administration who suspended these kids is doing a disservice to their community, to society, and to our country's economy. They are accomplishing the opposite of their duties as educators. And, in all likelihood, they are doing it because they are madly jealous of the students who quite obviously have superior intelligence to them, and who will be making double their salaries in a few years (unless they ruin the kids' careers while they still have power!)
I was suspended by the half-wit administration at my high school (not for computer use, but for leaving at lunch time without filling out the proper paperwork first!), and they might have expelled me if they were smart enough to catch on to the ease with which I bypassed their censorware. Suspension did not teach me discipline. It did not educate me in any way. It made me respect them less, subvert them more, and it STOPPED me from learning anything academic for one day. It also made me consider buying their hick-ass shanty homes from their landlords and evicting them now that I have money... but I almost feel sorry for them: stuck in dead-end-jobs with no joy in life except using their brief period of power to try to ruin young people's chances at college and a better life than they have.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
You really think the ultimate reason these "kids" were doing this was for learning purposes?
What a bunch of garbage - I didn't have to break any rules to learn how to program or learn how networking works. Stop making excuses for bad behavior! It's not quite the same civil disobedience, these kids had a motive that belies your interpretation of what happened.
Now look at the posting:
Shouldn't the school district be liable for their own insecurity?
Yes, but as I pointed out, that doesn't make the perpetrator of the violation less guilty.
Why are they punishing so many students for something that should be handled from the district's end?
Who says the district isn't doing anything about it? Someone breaks into your house, you might change the locks, but you still prosecute the criminal. Why are so many people sticking up for these kids? Where does it end? Who put you in charge to decide how much they are allowed to get away with?
It's ultimately up to them to decide what to do. If one of these kids was falsely accused, then you'd have a point, but if the kids violated policy, they violated policy. What's the school supposed to do? Say "aawww, you're just kids, don't worry about it!"? Do you actually have any kids? Do you know how well an attitude like that works?
Stupid sexy Flanders.
'No guns' makes sense to you? Idiot.
Treating 'drugs' as a single entity is equally idiotic. Huff some gasoline dude.
Now if you were for wheeling into the national forest, bump firing a thousand rounds or so for fun then relaxing with some nice bud and a cold brew...
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I want to add that I don't necessarily support zero-tolerance policies, but then most of them seem to be made up on the spot. The real question is if the kids had a policy they were aware of, but obviously if someone locks the doors then any reasonable person can assume that doesn't mean they're allowed to climb through an open window.
But, frankly, this was a ridiculous topic to begin with. There's no link to a story, only to the school district's website. There's no indication about what the policy was, or if the kids knew about it. In fact, yamamushi (the original poster), went to school there - he's probably friends with some of the kids. For all I know, they did a lot worse than simply bypass some security, but we're just hearing one side of the story.
Now that I think on it, I can't believe slashdot even posted such a story. Ok, now that I think about it some more, they used to publish Jon Katz stories, so I actually can believe it.
Stupid sexy Flanders.
Life isn't fair. But Justice should be. Let the punishment fit the crime. Idle hands are the devil's playthings. OK, one more cliche... don't do the crime, if you don't have a dime.
The Admin and the Engineer
Their mentality is 'make an example of the smart or clever kids.' Punish (read: Cull) the smart ones out of the herd and you can graduate the ones that are easier to control.
The ones in charge, even if they don't realize it, don't want the clever/smart/innovative children to be doing anything they want. So get rid of the bad seeds so you can have the regular children undisturbed. One must toe the line and there is no room for anyone who is innovative, creative, and intelligent beyond that of the norm.
If at first you don't feel good.... suffer like the rest of us.
Though I just checked Websense's website, and one of the ways they promote their product is to help secure systems against spyware. Guess that probably counts for something.
http://www.websense.com/global/en/ResourceCenter/
Let me make sure I have this straight -
An institution has a certain policy prohibiting the use of proxies to circumvent some system. That policy has been communicated. Certain students violate the policy, knowingly and in some cases repeatedly. The institution responds by taking penal action (prescribed by the aforementioned policy). The defense offered amounts to, "Well, the institution should have had better security provisions to prevent me from violating the policy - because it didn't, that absolves me of wrongdoing."
Anyone else see a problem (logically and/or ethically) with this line of reasoning?
Food for thought: if a criminal offers the defense that, "The law enforcement system of this country should have had better provisions to prevent me from committing a crime - because it didn't, that absolves me of having committed any crime", is that an acceptable defense? Should the criminal be granted amnesty?
Just because you CAN do something (or can get away with doing something), doesn't mean you SHOULD. Jeez.
Any school who has the wherewithal to deploy a product like Websense, also knows they must have policies and procedures in place for various IT-related things. One of these standard policies is the AUP for end-users, including students. These AUPs are included in the Student Handbook, where it clearly spells out what the punishment is for failing to adhere to the code of conduct set forth in the Student Handbook.
Should employers exercise their right to terminate you for breach of contract when you fail to uphold the agreement you signed? Of course you would expect them to. Students who are using proxies to bypass Websense know that they are breaking the rules. Therefore they know that there is a punishment that will result from it.
Do they understand the consequences of missing so much school? Perhaps not, but that is a separate issue. Schools haven't changed their basic formula: You break the rules, you get punished.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
The title of the posting makes this clear. "Why Are Students Liable for School Insecurity?" They aren't. They are liable for their actions. I'm glad to see a few people in this thread have some freaking sense.
Now ask yourself... how much time did you just spend doing nothing but blocking proxy sites?
Then maybe you and the school district should take the hint and get a clue and stop trying to CONTROL CHILDREN by using CENSORSHIP. Censorship is never an appropriate solution to anything, regardless of circumstances, and children should be guided and educated rather than controlled or restricted.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
Some schools are banning sites due to the fact that some students go to them compulsively. Take YouTube, for instance... while there are a lot of viral-type videos that people can't stop watching on that site, there are also many videos that can act as educational resources. It should be the TEACHER's or the LIBRARIAN's responsibility to make sure that the students are not using those sites for things that have nothing to do with school. But, since they block those sites entirely without even considering their educational possibilities, those students find ways to get around the blocks. I am currently a sophomore in high school, and I only use the school's internet access for my own educational benefit... but for those sites that are blocked that I need resources from, I need to use a proxy server. My school district does a good job at blocking proxies as they are discovered by the students, but we all find a new one within days. Once again... it is the TEACHER'S responsibility that we are using the computer for good... because, unlike the IT Admins... some teachers actually have a bit of common sense. *GASP*
All they gotta do is block the Proxy category in Websense...they should fire their current IT Security and hire me! Sheez
It's very simple. The only thing the article accuses them of doing (and by article I am using it in the same context that you yourself did) is the use of proxies. As the use of proxies is sufficient to bypass most filters (which websense is), and as the use of proxies often requires nothing more than a functioning web browser, there is nothing about using a proxy which implies any security violation.
And I, despite feeling alone in the belief, still support the principle of presuming innocence in the absence of evidence to the contrary.
Yeah I'm right there with you - 2100 high school students - 600 computers - and let's not forget 75 staff and about 100 teachers. I'm busy keeping the matrix running helping with special requests from teachers and the odd "lost" student project.
.... taking away social / gadget time is effective with less impact on actually being in class and learning.
All students and staff sign an Acceptable Use Agreement. Now I do have a problem with a 3 month suspension for fiddling with proxies - seems way outta line. For us suspension is the last resort - for most kids loss of privileges is effective: "lunch suspension" (having lunch in a classroom - no talking - no iPods - no phones) is phase one - next level is "Saturday School" where your parent must take you in and pick you up - Suspension from school events is another possibility - and lastly suspension.
Kids are (or seem to be) much more social - more connected - more gadgets
And helping kids to realize there are rules and realities is just one part of what schools need to teach
It's not the years, it's the mileage
But in Canada minors can't enter into a binding contract so any written agreement between the school and a student of less than 18 years of age would not be valid, at least here in Canada but I'd bet it's the same in the US. This is to protect minors who might not fully understand what it means to sign a contract. If no harm was done then there's no need to punish them too harshly. My friends and I did stuff with our school's shitty computers and network all the time, but we were smart enough to use stolen teacher accounts (one teacher's password was her husband's first name and he was the school's VP). It was fun and we didn't break anything 'cause it wouldn't accomplish anything. We just wanted to play games and install pirate/free software to do the things we otherwise wouldn't have been able to do. Glad I did it and so were some of our teachers. The only one who really cared was the library/IT/Retard guy and he just wasn't technically capable of doing anything so all you had to do was make sure he didn't physically see you doing anything at a computer. If my school were blocking websites I'd try and bypass it and I'm sure most /.ers would too. Give 'em a break.
yes. because there's only so much we can do to secure our networks. we don't have the funding to do it properly and some things just cost money. In my workplace there is no way to secure boot options, because bios always allows damn BootMenu with just one press of a key and no password on it. Keep in mind that we are also securing your grades from deletion and you from writing all those tests again.
If I leave my car with the door unlocked and keys and documents lying inside it's clearly very stupid of me and makes it easier for you to steal but that's still a very poor defense in court.
Maybe it will teach students that just because they *can* do something doesn't mean they should.
Too many people seem to believe that if something isn't 100% "prevented", then it means it should be "ok" for some people to do it and not expect any repercussions. That's just plain stupid.
Whatever happened to common sense?
Does this mean I might not be, or have been tempted, at times, to do similar? No? But after the administration punishes a few people -- maybe people will think twice about doing something "stupid" just to prove they have the technical capability to do so.
Of course one first tries common sense (which is sadly lacking in way too many people), then you try rules -- and of course rules are just "red flags" to bull-headed idiots who must prove the rules can easily be broken -- unless the administration puts up "undefeatable" protection (which, of course, most everyone here will claim can't be done).
It's a catch-22. If they expect common sense -- that doesn't happen. If they set up rules, then they are a line-to-be-crossed (just because it is there). If someone is punished for crossing the line, it's "unfair" because they didn't do enough to prevent it. If they _tried_ to do enough to prevent it, the folks here would laugh at the ultimate powerlessness of the authorities to "control" hackers^wstudents with rules and complain if they institute criminal laws to back up the rules or mete out harsh punishment for breaking the rules.
Yeah, I may have, more than once, broken rules in school (et al.), but I don't know if I would be whining about them not doing enough to "stop" me as an excuse for my having done it. That's like the burglar who sued the home-owner for falling through a sky-light and breaking his leg. The owner left a ladder leading up to the roof in their _*locked*_, back patio. The burglar blamed the owner for setting up the temptation to crawl up on the roof in an attempt to break in. He *won* -- owner was accused of creating something akin to an "attractive nuisance". *L-A-M-E*
The first question to ask is if the students know the rules, and consequences for breaking them.
The second question is if the students understand WHY the rules are there. 80% of the security problems I come across are simply lack of education, and this is a school..
The third question is what the students were trying to reach and what argument there was to stop them. If it was something sensible maybe a solution could be found. Often security is too tight, which creates the desire to work around it.
Combine the above education with dialog about solutions (maybe a cyber cafe?) and you end up at something sensible in collaboration, not in opposition. Users that collaborate are safer in my experience, and education + dialog is usually well worth the investment because it creates insight. Those wannabe hackers may suddenly realise what hazard they cause (hell, even get them involved in discussing the security policies to create shared responsibility).
Sure, there are nut cases who just don't get the point, but they are in my experience rare. It's a matter of bringing it in the right way. Beating them up on first violation isn't productive.
Insert
i currently work as a technician in a secondary school with 1800 students and maintain over 500 machines. the computers in school are a privilege for the students. they are there for school work, for ICT lessons and for the student registering system. they are there for access to the internet in a legal manner, via filtering. we have a service where the students can log into a virtual learning from home and access resources such as powerpoint presentations, word documents and PDFs. we have a security strategy and policies in place to enforce the strategy.
it is the stance of the school that if a student is attempting to highlight flaws in the school's security system, they'll probably find them. the excuse "i was searching for flaws" is the typical response of someone who's been caught, or someone who's being a smart-arse, both of which are not favourable positions to be in when attempting to scrape an education. that student shouldn't be attempting to "break in" but should be doing their work. they are given a username and a password to get into the network on any machine in the school. they don't need to force entry.
it is possible to gain access to any computer via a linux boot CD because of the way we ghost all the machines in the school. we use an acronis CD to boot from and load a ghost image from a server containing JUST ghosts (aptly named Casper ;-)). it is the most efficient way to re-install all 50 machines in a computer suite on a regular basis. this is a security flaw, i agree, but the functionality it provides severely outweighs the deficits of vulnerability.
in conclusion, any student trying to gain entry to the network in an unauthorised manner, no matter what the intent of that student, is still unauthorised and therefore illegal and subject to reprimand. the machines aren't there for students to hack, they're there for them to be able to complete their coursework. nuff said
Which is a fancy way of saying "students break the rules because they don't agree with them". There's lots of teens that break laws that they don't agree with (this isn't anything new either), yet if they get caught breaking said laws they get punished. The only difference is one of degree, breaking a law versus the school's rules. Both are wrong, most of the time the students know full well that both are wrong, and willfully break them anyway. By not punishing them you're teaching them what exactly? That it's OK to break any rule (and laws are rules too, just with more severe repercussions for breaking them) that they dislike? This is going to help them be productive members of society how?
Sorry, but you're an idiot. Tell you what, get a job somewhere that has an Internet Acceptable Use Policy that forbids looking at porn from your work computer and also backs that up by using a blocklist/proxy. Find a proxy server out there that isn't blocked from work, then use it to surf porn on your office PC. When you get caught and they go to discipline you tell them your theory above and see if it helps. (Hint: It won't.)
Whenever a user is willfully finding ways around network restrictions they become a security problem. This is especially true since the vast majority of network intrusions come from inside. Perhaps using a proxy server to get around a blacklist seems minor to you, but it can be a very major thing. In my example above your viewing porn at work could open up the business to a sexual harassment lawsuit if a woman happens by and sees you viewing it. Why do you think certain sites are blocked in the first place? It's not that the network admins are maliciously denying users/students access to certain sites, there are very good legal reasons to block most things! In a K-12 school system this is particularly so, if the system doesn't make a serious effort to block sites they can lose their government funding for Internet access. Do you think it's OK to let a few kids break the rules and get to blocked sites when it may mean the entire school (or district) losing Internet access? Is that really censorship?
What article? The only link in the summary is to the school district's web site. There is no news article linked about this. The submitter is hardly unbiased either, they admit they broke the rules while going to a school in the same district and even though they were punished for it, they continued to break them the same way until they graduated. I'm sorry, what they say about these suspensions may very well be 100% accurate, but given their bias I'm inclined to think they either didn't have the full story to report or they left out inconvenient facts that'd have made the suspensions look quite sensible. Perhaps these students had been warned and punished in the past for using proxies against the AUP and continued to do so, so they were suspended the next time they were caught? Could be, we simply don't know for sure because the submitter's bias is far too strongly aligned with rulebreaking being considered OK to trust that we have the full story.
You know, you need to go read the summary again very carefully. Even with the bias ther
I got ten days because they didn't put a directory limit on their accounts and crashed the network. Also many times when you inform them about serious security problems like being able to delete all the accounts from any account they just ignore it.
If a cash register is unattended and unlocked, is it legal to take money from the register?
Does the lack of security validate any action?
While students who break the terms of use should be punished (maybe not as harshly), there might be a good reason for them to be doing so. A few years ago, I was still in high school. Whatever filtering/blocking software was on the school library computers absolutely crippled them. They were useless. You couldn't do legitimate research, let alone surf the web. I found myself using loopholes in the system just to get work for school done. And the filtering software wasn't doing its job anyway, I still saw guys looking at porn (in the middle of the school library no less!)
From experience (I was the network admin for a K-12 system up till last year) the #1 site that students try to access that they are blocked from is MySpace.com. At the K-12 level I have yet to hear a single valid reason a student would need access to MySpace from school during school hours. Likewise a lot of sites (porn for example) are also of no valid education use at the K-12 level. (There can be a legit educational need for access to these things at the college level where research projects can delve into subjects that would have parents suing at the K-12 level.) Also Internet access for K-12 schools is funded by the federal government and comes with strings attached -- specific categories of sites that must be blocked. Failure to at least make a good effort to block those sites can quickly have your funding pulled, taking away ALL Internet access for the school system, an event that will have a much more negative impact on students than not being able to access MySpace. MySpace is a particularly nasty problem for K-12 schools since many students tend to post things about what they're going to be doing after school so their friends will know, but don't restrict their profiles (and lie about their age so MySpace doesn't do it automatically). If someone were to abduct a kid/teen after school based on something they posted to MySpace during school and the system hadn't tried to block it, then guess who'll get sued? Yeah, the school system will.
At least in the state I worked in, the blocklist, which is controlled by the state, makes a strong effort to not block legitimate sites that talk about homosexuality, breast cancer, AIDS, safe sex, etc. All teachers and staff can submit a request on the page that comes up when a site is blocked for that site to be re-reviewed so all a student needs to do is tell their teacher what the site contains and why they need access to it. The teacher can then request the site be re-reviewed if they deem it a legit need. (And it's amazing how few of those requests teachers get compared to all the complaints students make about sites being blocked. If you look at the block logs you'll quickly see that around 99% of them are for sites that have no educational uses.)
I should note that not all sites that have no educational value get blocked, but ones that are getting abused (high traffic during school hours, especially sites with games on them) will end up added. In those cases the students bring this on themselves by abusing the ability to access the site, in particular accessing it at times they are supposed to be learning (like in a lab class before the lesson is over with).
Students are in school to learn; when they are a bit more mature and can handle having the breadth of the Internet available to them they no longer have to deal with proxies. At this point it's just whining.
They put these roads here for me. Why am I liable when I swerve out the lane and run someone over?
Most schools have several computers that any kid can use. Many school systems alter the password-protected BIOS of EVERY computer in the school district to preclude booting from any drive but the C:\ drive. The Internet access is locked down to prohibit viewing most websites. All access to changing ANY aspect of the computer's operation is password protected at the school district level. If the little bastards want porn or music or Myspace, they will have to do it at home.
Any other practice only enables students to mess up the computers and prevent others from using them. Broken computers are not replaced or repaired by rubbing a magic lamp; taxpayers have to buy them! When a student breaks a machine or makes it otherwise unusable, he/she should be banned from school computers and his/her parents compelled to pay for the IT department's time and any needed new parts.
Goddamned kids! Get off my lawn!
Right, this is how it works, according to me: If I leave my house one day without locking the front door and somebody comes in, sits in my sofa, uses my things etc - is he right to do so? Is it my fault for not locking the door, or should everybody in society know that this is not allowed? Or if I drop my wallet somewhere and somebody picks it up - does he have a right to spend the money just because I didn't take better care of it?
I think most people would say that of course it doesn't depend on whether the front door was locked or whether I was careful enough with my money. The insurance company might say that it was my own fault if I suffered a loss, but a crime is a crime; stealing and trespassing in people's home is not allowed even if it is easy.
Same thing with the rules of an educational institution; if the rules are made public, you are supposed to know them and follow them, even if it is SO easy to circumvent them. And if you do break the rules, then it is reasonable to implement whatever the standard punishment is.
If I park my $30K SUV in Center City Philadelphia with the engine running and the windows open, and someone steals my car, it is still their crime, not mine.
If a beautiful woman is jogging in the park in micro-shorts and a tiny sports bra, and a rapist attacks her, the crime is the rapist's, not hers.
If a shoplifter steals a pair of jeans by passing it around the RFID detector, it is not the store's fault for not having tighter security.
If a kid knows it is against the rules to bypass a security measure, then the kid is breaking the rules. End of story.
Too many people feel that just because they CAN that means they SHOULD... If the school says you shouldn't visit those sites, regardless of what their security is - you shouldn't visit those sites. There are rules for a reason, they don't want kids wasting their time surfing sites they feel are not appropriate. If it is a site you need there are other avenues of getting access, like approaching the principal or having your parents approach the principal. And if they still don't give you access, then I guess they don't feel you need it. It's their school, it's their rules.
So when you get caught speeding for the first time, are you OK with the cops taking away your license permanently? There's punishing people for breaking the rules and there's unreasonable punishment.
For comparison, I'd love to know the standard suspension for, say, fighting in school; I've heard of a lot of cases where that's not more than a week. If it's not significantly more than three months in this district, I think that's a problem.
If the rule in my state was that they revoked your license, then I wouldn't have any logical complaint about it. Moreover, if you're going more than a fixed amount over the limit, they do, in fact, take your license away.
The thing is that we have no information, we have a posting by someone who said he was a student in the same district, there is no link to what the kids really did wrong, there is only a link to the school district's site. So I have two things to say about it: if the rules were published, then they ought to be punished according to the rules, it's really that simple. The second thing is that some students were punished worse than others, but the submitter doesn't elaborate - obviously some of the kids did something worse than the others.
I'm afraid we're not getting the whole story. Nevertheless, the kids circumvented a security measure. Locking your door isn't an invitation to climb in your window. It makes it an even more obvious offense.
Stupid sexy Flanders.
I know it's in vogue to claim that schools just want to control kids and stick them in little boxes. I'll admit that sometimes colossally bad decisions are made at a school or some seemingly arbitrary new school rule is added. But the truth is that there may be more behind what is done than you realize. Still, it's a fact that school and district admins are just people and sometimes people make mistakes even with the best intentions.
To be perfectly honest I would love to do away with filtering. I have things to deal with besides whether Johnny has the ability to see a nipple on images.google.com or if Cindy is sending emails to her new Lesbian girlfriend she met online who lives in another state. There are four things that stop me from yanking the filters and giving everyone unrestricted access:
Since I've been asked this offline I'll assume someone is going to ask here... "What's wrong with #4? Their parents' taxes pay for the computers, Internet access and even your salary!"
True, but so do the parents of all of the kids who can't get time on a computer to work on actual homework. I bet the parents of the kid chatting away every one of his study periods expects that their tax money is going to educate their children... not to let them search for Britney Spears look-alikes naked.
Nobody is shutting down web sites. Nobody is telling you that you can't watch videos of some chick getting it on with a horse. Nobody is censoring anything. You are free to view/read what you want online in your own home with your own computer using Internet access that you or your parents pay for. We're just saying, "No, not here, not with things funded by the public for the purpose of education." Schools aren't (and shouldn't be) your private ISP.
A great altruistic ideal and goal. But the truth is that a fair amount of time is spent educating students in our district about not only what they should and shouldn't do online but why. Things are taught like how it might affect their future career if they view porn at work, etc. I believe that with a large percentage of students that is enough and they won't intentionally go to sites they shouldn't.
But if you take 1200 kids in one school and just say "shame on you. It's naughty for you to do that and here is why..." then there will still be enough wasting computer time to keep those who want to learn and do their homework off of the PCs.
Federal grants and funding mandate school districts establish a staff and student Accepted Use Policy (AUP) and secure Internet access to protect students from bad stuff. Most school districts do a good job trying to keep up by filtering the web, stopping hacks, and preventing proxies. What they can't prevent is the "wanna be hacker" students who are trying to impress their friends or otherwise knowingly bypassing security. This is a direct Federally-mandated policy violation. The school could lose their funding if found incompetently protecting the students from inappropriate Internet stuff. These students risk their school's funding, worth millions of dollars and possible lawsuits. Since there is so much to compromise when these students knowingly bypass security, the school is forced to ensure these students pay the price and thus show the federal government that they are "toeing the line."
Help, I'm trapped in a carbon-based life form.
It all comes down to 'following the rules' for you types, don't it? No matter that the rules and procedures are unjust or simply non-functional...and that the process for change fairly well road-blocked for youth.
I bet you also spout such gems as "If they aren't doing anything wrong, they have nothing to worry about!"
What's the matter...depressed because your help-desk job is gonna get outsourced to India? Cheer up, we still need native English speakers who understand the big picture of software and systems design!
Blar.
It's not just "in vogue", it also happens to be true. Public schools, at least, aren't primarily about educating children, even though that is supposed to be their primary function. In reality, they are primarily about providing a place for working parents to dump their kids during the day so they can go to work. Toward that end, schools are more interested in keeping children under control (and keeping parents happy) than teaching students to think for themselves.
No child is too young to be taught about sex. Society just has an unfounded puritanical fear of teaching children about sex because parents are afraid their "little ones" will run out and start having it if they even know what it is, which is of course ridiculous.
Where's the teacher in this scenario? There should be a teacher making frequent rounds around the room to see what the students are actually doing on the computer. If the kid is doing something they shouldn't be, then the burden should be on the teacher (not filtering software or sysadmins) to stop them. Teacher too busy or apathetic to carry out this role? Then fire him/her and hire more, better teachers.
Honestly, I think most schools would be much better off if they were forced to reevaluate their priorities. My high school, for instance, had 12 football coaches, while simultaneously claiming they didn't have the funds to pay for new beakers for the chemistry lab. Forced to make the choice, I guarantee you they would have to favor the investments that actually resulted in bringing up test scores and pass rates.
Again, why is the teacher MIA in this scenario? Why is the school letting students use the computers completely unsupervised?
Filtering is a form of censorship. Censorship doesn't have to involve shutting the publisher down. It can involve blocking people's access to the publisher. Would you claim that China's firewall blocking access to tons of sites isn't censorship?
Censorship is never the answer because the
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
In such a hypothetical situation, the company could accuse me of inappropriate use of resources, or even have me charged with sexual harassment if the action were creating an uncomfortable work environment for others. But if they tried to press charges for hacking into their computer systems, they would be laughed out of court. Therefore it is not a security violation, and what I said was correct, whether I am an idiot or not.
I'm well aware that the source of the problem is the government rules which mandate the restriction of content. That doesn't make it right, but it does, denotatively speaking, make it censorship rather than a security violation.
Yes. I think you don't know what the word means.
It's somewhere in between the educational value of recess and being on the Yearbook staff, and like these traditional elements of school, is largely about learning to communicate and interact socially. Just because you and I don't enjoy it, that does not make it less educational than comparable aspects of our school experiences. Not everything you have to learn is calculus.
So when caught, punish them the same as kids used to be punished if caught looking at a Playboy during class. That is hardly a new problem.
Your tax dollars are being spent on filtering software and labor to maintain this filtering. It's probably cheaper to not filter, so don't pull the money card. If availability of computers is the issue, restrict access time as appropriate.
Last semester I received 3 detentions for "messing with the computers, and creating a security hole". Our school has all the computers connected via a proxy, which has port 80 open, and only a few unadvertised ports open (including boinc-client). I was eager after a few AutoCAD drawings to ssh into my server and code some C/C++, via PuTTY. So, I fire up internet explorer (UGH), and download PuTTY. They said we had to keep IE as the default browser. When I opened PuTTY and told it to use 80 outgoing, and to use the proxy, my teacher noticed the dialogue box, and immediately threw me out of class, no questions asked, and told me not to mess with the network. I left the situation as it was. About 2-3 weeks later, I installed firefox onto the computer (IE was absolutely driving me nuts). I had to tell it to use the proxy on port 80 before it would work, and the moment that dialogue box opened, he noticed and yelled at me again, and talked to me out of class and sent me to the assistant principal. I was then confronted with screenshots that they had taken 2-3 weeks ago of me trying to use PuTTY, claiming that's what I was doing that today (apparently they ignore timestamps that would appear near the file...). They then told me that this was a security liability and that someone could gain access to their network if I was connected to my machine from PuTTY. Which, as we know, all they could do is sniff the traffic, but what does the school care about my SSH passwords? So, after explaining it calmly, I was told it was beside the point and that I was still responsible. Our school server runs Micro$haft Winblows 2000, no SSH. All admin work is done via physical access or a windows network login. But, yet, Mozilla Firefox and PuTTY are security holes! No one told me...
"If the rule in my state was that they revoked your license, then I wouldn't have any logical complaint about it."
That rather depends on the relative punishment for, say, drunk driving. If drunks got off lighter than mild (say +10 mph on the highway) speeding, you'd have a right to complain. Sentences have been thrown out for this sort of thing, even if they were the law.
You're absolutely right: we don't have the whole story and it's pretty clear that the submitter was trying to sensationalize quite a bit. But that said, you're trying to deflect the discussion with a straw man: I don't think many (any?) people here are prepared to argue that circumventing the firewalls was not an offense that merits some form of punishment. What I think people are arguing about (and what I feel you keep shifting away from) is whether a three month suspension is really a suitable response. I think detention and revocation of computer privileges would have been very much in order, but this seems excessive.
first ignore my spelling and punctuation. i am not stupid just lazy
you are talking out your ass. ever even been to a school board meeting in your district? if it is so bad these days then change it. maybe even get elected to the school board where you live. go to the district and ask to see their budget. this smug talk goes away real fast when you actually learn the details and see what kind of a little budget these guys work with. it is easy to say, 'you could do your job with 1/2 the budget' and 'if the teacher is not babysitting kids looking over their shoulder they are not doing their job and should be fired'
yeah that is the way to attract the really good teachers. public schools have a hard time getting the kind of teacher who realllly teaches as it is. you think most of your teachers should not have been teaching. offer to cut their pay and turn them into internet monitors and how many of the "good" ones you think would have been there? plus you want this guy to turn off filters? really? that will do a lot of good when they fire him and just hire someone else who will turn them back on. and who knows maybe will be worse and love having filters and think every web page that has the least amount of skin is blocked. 'oh that site has a girl in a bikini.. block it!' at least this one seems to think they are bad too.
and guess what if you fired every coach and ended every sports program you still would be nowhere near saving half of the budget i bet. you guys love to argue this censorship shit. you love to point out all the 'flaws' with the 'system that keeps free thinkers down' but you only do it as long as you can ignore the facts. until every parent home schools or every teacher teaches purely for the love of it without caring if they can put food on the table or pay their bills it will stay more complicated to teach the children than you want it to be. what about teacher salaries, electricity, health, liability, property insurance? heating, cooling, costs? cost of administration to actually run payroll (or should we just put the money in a big bucket and everyone come take their correct share on payday? oh I forgot they will just teach for free.)
i know schools can save $ by not paving the parking lots. no better yet make kids walk to school to teach them character! they are mature enough right? talking about mature well maybe *your* kids are mature enough to not waste time on computers looking at porn when someone else needs one. or maybe you just think they are. but i know that about 1/2 of the kids i go to school with are not
and about home schooling. we could save billions in taxes if all home schooled right? yeah i'd like to see my cousin schooled by his looser parents. his mom couldn't even spell looser and yeah I know it's l-o-s-e-r so bite me. smart parents would have smart kids and dumb ones dumber kids not to mention she's too lazy to actually teach. but until you have a solution for stupid, self absorbed, lazy parents give these guys a break. they do as much as they can with what they are given.
Well, like I said (and you agreed) we don't have the whole story...
But think about it this way: is drunk driving really so bad that you automatically have your license suspended? I mean, it's not like as if you had an accident or anything (at which point other crimes may have been committed). Someone could drive all the way home while intoxicated, and pull onto their street and be seen swerving by a cop. They can pull safely into their driveway, and the cop comes and takes away their license (depends on the state, I suppose).
So is circumventing a firewall all that bad? Not until you allow a virus or worm in, at which point it could be devastating (although it shouldn't be) to the entire school district. Half the punishment of a crime is to act as a deterrent to others.
And the fact that some people got worse punishments than others shows that there certainly were other factors weighed in there, but it must not have fit the poster's propaganda effort. In fact, I'd wager the only reason for a link to the school district's website, which had no information about the offense anyway, was to "slashdot" it.
I find the whole thing rather dubious.
Stupid sexy Flanders.
They made authority figures look bad. It's as simple as that.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
That was exactly my point. Bypassing a firewall "recklessly" endangers the school's network. It's not like cutting class, it's something where the consequences can be serious, and so should the punishment.
Stupid sexy Flanders.
so you say:
1. shut up and study,
2. start a company and speak up,
3. profit ?
I am sure I've missed a step somewhere because I still have no money
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Posts that advocate penalizing students for breaking these rules ignore the real problem: That the rules are **wrong**.
Does that mean all rules are wrong if people disagree with them? No. But censorship in schools is getting ridiculous, and if no one resists, the minority (the parents/school boards) will be allowed to impose any rules they want. And how would that be democratic? What about the *majority* (the students) that has to use the computers? This is not only undemocratic, but it inconveniences students who use district computers to do school work.
I go to a school that uses WebSense and I have watched as what we are allowed to do on the computers has gradually limited them to near uselessness as our sysadmins monitor our computers, adding any sites they object to to the block list. Once we could access Yahoo! Mail. Now we can't access email of any kind. Once we could send our work home using personal file storage sites such as Box.com. Now, since our computers have no CDR/RW drives and are blocked from online file sharing, students can only use floppies (a whopping 1.44 MB) to transfer their work.
My point is that students should have the right to use the computers for legitimate purposes, regardless of what papers they were forced to sign. All I ask is that the people in charge use some common sense.
All I can really say is, three months suspension for breaking network security is probably too much. At most suspend their computer usage privileges. I've known people who were doing drugs, were known to be doing drugs, and got less than a 3 month suspension.