Why Are Students Liable for School Insecurity?

yamamushi asks: "Within the past few weeks, students across Boerne ISD were being called into offices to discuss the use of proxies to circumvent the schools websense system. The problem is that some of these students are being suspended from school for up to 3 months at a time. Shouldn't the school district be liable for their own insecurity? Why are they punishing so many students for something that should be handled from the district's end? I know at the time I was going to school there, I was punished for using a Linux LiveCD to login to their computers without using a password, even after I told the admins how to disable booting from CD-ROMs. They refused to update any of the computers and as such I was using the same tactic till the day I graduated." While security breaches by students are something to take seriously, should school administrations continue with their knee-jerk mentality to something like this, especially at the times when its obvious that no malicious intent was involved?

malicious intent?

[blowdart]

It has nothing to do with malicious intent and more to do with liability. I'd bet that the school has to protect its pupils from the darker side of the internet (p0rn, 4chan, RMS's latest rant about how it should be GNU/Linux etc.) And I'd also hope that before using the PCs you had to agree to a terms of conduct. I've had this discussion before with someone I know in the UK who got slapped for trying to bypass his school's filters, and he tried the "malicious intent" argument. It doesn't wash, simply because the computers you are using are not yours, nor should you treat them as such. I'm sure you felt very 3l1t3 with your boot CD, but the fact remains those are your PCs and it was right you were punished for continuing to do something you were told not to do.

Get used to it

[MikeRT]

This is what bureaucrats do. They cover their posteriors and foist the blame onto others. Bureaucrats take many forms ranging from government minions at schools, to many of the people who will decisively outrank you in the private sector. They will do two things to you, that you just have to learn to deal with, unless you can make your own way in life independent of them:

1) They will set up the hierarchy to obfuscate the chain of authority to make it hard to hold any one of them individually accountable.

2) They will, as a group, foist the blame onto the nearest target that looks helpless.

You, as a student who knows how to do basic things in Unix, are scary to many adults today. You are probably also scary to many young people because the truth is, many young people are no more comfortable with "real technology" than their parents are. This makes you a good target. "Look! He's up to no good!" They don't have to prove that you were doing anything wrong, and most people are a combination of too stupid and too uneducated to understand the ins and outs of what you are doing. It's all voodoo to them.

I am also increasingly convinced that there is a segment of the human race that is sheep-like in its quickness to assume danger, its irrational hysteria and inability to gauge danger appropriately. You will also see these types of people in every walk of life, especially in "safe" environments like schools, corporations and government agencies where they can be protected from the realities of life. These are the sort of people who are so stupid that they would call a teen who makes a quake map of his school a "terroristic threat," but would lead their student body onto a football field that is surrounded by barbed-wire and fence and about twenty good sniper nests the day they get a bomb threat. Yes, that happened to me, in HS. I scared the tar out of some of my teachers by pointing out the irony of them trying to "make us safe" from a possible psycho who'd blow up half the school, but surrounding us in an enclosed point where a sniper could pick us off, and reload with impunity.

Re:Of course they should.

[Nos.]

Its too close to a "thought crime" to you to outlaw using proxies to bypass the filtering system in place? Wow, I'm all for freedom of information and personal privacy, but bypassing a filtering system doesn't even come close to being a thought crime in my books.

Why? Because it's educational.

[tverbeek]

Part of what schools are teaching is that one needs to take responsibility for one's actions, which have consequences. Breaking the rules and doing things that you've been told not to do - no matter how ingeniously it's done - is not something that's going to get you pat on the head in the real world. Screw around with someone else's system, and you can expect the people who run it to screw back.

You know, no one congratulated me on my ingenuity and craftsmanship when I was able to buy beer with my doctored driver's license. "Why am I being blamed for the fact that the store owner couldn't identify a fake ID?" I protested. God, I was a brat.

Teenagers keep asking to be treated like adults, then whine about it when they are.

Re:DMCA-think

This is exactly why I ended up dropping out of high school. They wanted me to stay an extra year over 1 credit hour they wouldn't let me do it over the summer, and all because they suspended me for fixing the network with a teacher's permission.

The second the librarian, which was the admin walked in and caused a fuss the teacher didn't back me, and i was essentially pushed under the bus.

My classmates explained that i was the one helping and essentially trashed the network until the end of the year in retribution.

Hence why I have a GED instead of a diploma. I hate bureaucrats.

Conversly, why always blame the sysadmin?

[raistphrk]

I can empathize with students wanting freedom on a computer network, or even wanting to just play around with the system to see what they can do. Heck, when I was in high school, I was one of those guys who would bump his print jobs up in the queue using pconsole, or discovering all the accounts that had access through the Squid proxy to the Internet.

On the other hand, I was a network/system administrator at a high school after college, and I can understand the challenges administrators have to deal with in terms of high school students. Administrators don't just decide that they want to lock students down; heck, some schools don't WANT their students to have restrictions placed upon them. When I started, the school had upgraded from Windows 2000 to Server 2003 the year before, and the security that was implemented was essentially Windows 2000 security. They made some stupid mistakes; all passwords stored in LM format, weak ACLs on systems, no BIOS passwords, few if any group policies. On the other hand, they had their VLANs designed properly, the servers all had fairly strong passwords, and they weren't running unnecessary services. The security that was implemented was essentially designed to protect users from malware and keep outsiders from poking around. ...Naturally, students decided they wanted to push the envelope. Kids started remotely shutting down one another's laptops and trying to steal one another's passwords. Eventually, a student guessed a faculty member's password, found a user account created by my predecessor long before I started on a faculty server, rdp'd into a server, and tried running a password cracking application...that contained a root kit.

An administrator's job is to, in effect, install and maintain technology that reflects the mission of an organization. Some schools have a pedagogy that encourages open exploration; other schools want strict rules and regulations. The school I worked at fit somewhere in between. When kids decided they wanted to try and cheat on exams, down using p2p applications, and attempt to change their grades, they put me in a position (mind you, just months after I started working there, and hardly after enough time to complete a full security audit and redesign) where I couldn't just trust them to be responsible in an open system. So, the next semester, they were irritated to find out that their accounts were running as local users; that group policies had been designed using strict Software Restriction Policies creating a whitelist of applications they could run; that their laptops and desktops all had BIOS passwords; that the only route out to the Internet was through an ISA server that connected directly to a filtering application, and then into a Packet Shaper; that their Flash plugin was disabled; that their ability to run Java applications was limited; that their exam account couldn't do anything EXCEPT run the exam application; that their ability to create and log onto local accounts was eliminated, etc.

Were there things on that list that should have been implemented earlier? Absolutely! Any organization should ALWAYS have BIOS passwords set on their machines, which should change every year. LM passwords should NEVER be enabled. Having some type of proxy is also a must, as are strong ACLs on switches and routers. Some type of bandwidth management device should be implemented, as there are more than three people using the network at a school. The school DEFINITELY should have set up WSUS to keep their Windows systems updated.

I'll admit that, when I have the authority, I'm active in creating (from the start) a secure environment, but you're not helping out an administrator when you just start poking holes in the network and not give them the chance to fix the holes. Schools don't have huge budgets, and the IT department is often required to play the role of help desk, admin, developer, engineer, etc, rather than just one niche. In my case, I was lucky; I had a good relationship with the people

Astonished

[the_povinator]

I am astonished that everyone on this forum seems to be siding with the school. What harm were the kids doing by bypassing the websense system? It's not like by viewing forbidden things they were hurting anyone else. Sure, they were breaking the rules - but if I had been suspended for 3 months every time I broke a rule I'd never have had any time in school.

"Because I said so"

[dircha]

When your mother told you, "Because I said so," you should have listened.

Congratulations on completing High School. Welcome to the real world!

Laws and regulations do not exist to accord with moral principles or even common sense. Laws exist to compel behavior. There is no court of principle or reason to hear your appeals.

You do not abide by rules, regulations, and laws because you necessarily agree with them or believe them to be justified. In many cases you abide by them because you fear the consequences of violating them. You abide by them because they are threats, threats of the form: "If you do [or do not do] X, then we will punish you by doing Y."

Society, your High School, your College - like your mother - rules not by prior consent, not by reason, not by universal moral principles, but rather by tradition, intuition, emotion, and force.

Better these students learn this in school as minors than in the real world and end up in prison.

I think that doesn't mean what you think it means

[TBone]

Shouldn't the school district be liable for their own insecurity? Why are they punishing so many students for something that should be handled from the district's end? I know at the time I was going to school there, I was punished for using a Linux LiveCD to login to their computers without using a password, even after I told the admins how to disable booting from CD-ROMs. They refused to update any of the computers and as such I was using the same tactic till the day I graduated."

While security breaches by students are something to take seriously, should school administrations continue with their knee-jerk mentality to something like this, especially at the times when its obvious that no malicious intent was involved?

Absolutely they should be coming down on the students.

The schools have rules, conditions, and access limitation in place for multiple reasons:

• To prevent abuse of school resources
• To limit access to educational resources, ensuring they're available for people who "need" them
• To reduce liability of the school by exposing 14 year olds to Tubgirl, Goatse, etc etc etc
• Many more I don't feel like itemizing, but are fairly evident to anyone who thinks about it for a bit

In the case of things like students accessing proxies not on the blacklist to access sites on the blacklist, or booting LiveCDs, or otherwise evading the infrastructure as it was in place, these students are willfully violating the conditions of their using the resources. Even if they're smart enough to avoid the viruses and popups and such, they're opening up the computers to risks the administrators have deemed too high.

Students who willfully misuse school resources, in the case of almost everything, are subject to discipline up to suspension or expulsion for most things. In the case of computers, they're not just doing something that could hurt them, they're potentionally hurting everyone at the school.

Consider if it were a work environment. In most workplaces, even looking at porn on your own computer is considered "creating a hostile work environment" for anyone who works there, since you have no expectation of privacy at a workplace. Infraction of workplace rules is punishable by up to and including termination. Convert that back to a schoolplace, and at least you get to come back to school.

The computers aren't there for your personal enjoyment, they're there as tools of learning for the student population as a whole. There is nothing "educational" to be gained by browsing Facebook or MySpace, or reading your personal email, or anything the school has explicitly decided you shouldn't have access to. If you feel you should, there should be a policy in place for reviewing and allowing or denying access.

Just cause you CAN do something doesn't mean you MAY or SHOULD. You can steal from shops, kill people, and sleep with your brother's wife. You probably may not or should not do any of those things, though.

Seriously, if you're going to go intentionally getting around rules that have been put in place, why are you complaining about being disciplined when you get caught? Chat with your MySpace ho's at home, leave the school computers for people doing real work.

Re:Three months? For proxies?

[gfxguy]

That doesn't sound right at all; the kids knew what they were doing and they were doing specifically to circumvent what little security there may have been, but that doesn't make the violation of the rules "less bad."

I may be an idiot if I forget to lock my door, but the criminal that comes in and steals my TV is still a criminal and still needs to be punished for what he did wrong.

The thief knew what he was doing was wrong, the students knew what they were doing was against the rules. It's really that simple.

Re:If we ban proxies at school...

[ShieldW0lf]

If the fundamental argument for the use of the proxies and security in schools is that the students are youths, to be protected from the corruption of the internet for the very reason that they are impetuous and easily led astray at this tender stage of their life, then it's inconsistent to punish them for the failures of those measures.

Clearly, the systems exist to protect the corrupt society from idealistic youth who are not materially benefited by the society. But it's a hard sell politically.

Thus this ridiculousness.

Re:If we ban proxies at school...

I'm a student at a Burlington Catholic High School in Wisconsin, and the security there is lacking. In fact, many students, including myself were all punished simultaneously for using a student made bypass proxy (quite ingenious). The site was blocked as soon as they caught some idiot looking at ebay, but I often used this bypass for school purposes, to access web sites like ancestry.com for use with genealogy in a history class. Hundreds of pages, if not thousands, are blocked as "personal pages" that contain very informative content. So, I was banned for four weeks from use of a school computer (along with other students) for accessing content that was/wasn't blocked by Bess, the school security proxy.

I found it hilarious that I was banned for four weeks though. First, the website had a username/password on it, so technically they still do not know whether or not it truly was a bypass system. Secondly, other than ONE STUDENT on ebay, they cannot prove that any other students accessed unprivileged content. So, they just banned everyone who accessed the website (no matter what they used it for) for two to four weeks.

Students should not be punished for School insecurities, administrators should be punished for insecurities. So now, I just use a different bypass website, well, more like 10 different ones.