Virus Eats School District's Homework

theodp writes "Forget about 'snow days' — the kids in the Lake Washington School District could probably use a few 'virus days.' Laptops issued to each student in grades 6-12 were supposed to accelerate learning ('Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,' according to the district's Success Stories), but GeekWire reports that a computer virus caused havoc for the district as it worked its way through the Windows 7 computers, disrupting class and costing the district money — five temporary IT staff members were hired to help contain the virus. Among the reasons cited for the school district's choice of PCs over Macs were the proximity to Microsoft HQ (Redmond is in the district), Microsoft's involvement in supporting local and national education, and last but not least, cost. In the past, the Lake Washington School District served as a Poster Child of sorts for Microsoft's Trustworthy Computing Group."

Looks like the school district

[Chrisq]

Looks like the school district leaned a valuable lesson ... oh wait!

Re:Looks like the school district

[ArsenneLupin]

... all the while trying to save "cost" :-)

Re:Looks like the school district

... all the while trying to save "cost" :-)

I'm not sure how it would have cost them any less if they'd have gone with an Apple-branded OS. Or even Linux for that matter.
Despite what the summary and school says, technically this was a Trojan which drops a backdoor into the system. It's been detectable by all the major AV software vendors for a very long time, the earliest variants were from back in the old DOS days.

Since the school can't even manage to spell properly, I'm going to assume that what happened was something like this:
Child A: "I heard this is cool, let's open it up!"
Child B: "But it keep says there's a warning. I can't get it to install."
Child C: "I already have it. I have a friend on Facebook called p3d0b3ar who sent it to me last week. Here's how to make the warning go away."
Child A & B: "Cool! Let's help all our friends install it too!"

Re:Looks like the school district

Most likely scenario there.

That is exactly what happened to my little brother's laptop, and then by extension, my parents' desktop. Of course it was my fault, despite being 600 miles away and having multiple malware-free machines running in my apartment.

Re:Looks like the school district

[somersault]

It would have cost them less, because they'd have been a lot less likely to even come across a trojan compatible with their system.

"I can't get it to install"..? You mean people don't know how to click "run" or "ok" or whatever UAC says?

Re:Looks like the school district

[Joce640k]

"Here's how to make the warning go away."

If only it were that difficult.

I got a virus last week because I was trying to install MS antivirus on a machine. Microsoft Security Essentials requires a WGA check and it failed for some reason (don't know why - it was a perfectly legal machine).

Anyway, I went to Google to see if I could find a workaround and ... the very first page I visited installed a virus on the machine. No warnings, no permissions asked for. Some system dialog or other flashed up then ten seconds later I was looking at one of those "Police! Your computer has been locked!" screens (and the prospect of another Late Night With Windows(TM)).

Catching a virus by trying to install an anti-virus? Only with "Trustworthy Computing"....

Re:Looks like the school district

[Viol8]

"I'm not sure how it would have cost them any less if they'd have gone with an Apple-branded OS. Or even Linux for that matter."

Just a wild stab in dark but perhaps they wouldn't have ended up with a trojan on all their systems because OS/X and Linux have better security.

Re:Looks like the school district

[Seeteufel]

But where is the Linux Trustworthy Computing initiative? You see...

Re:Looks like the school district

As someone who has worked in an Apple district, the cost savings with going with Apple comes from the support model. It takes less resources (people) to manage Apple branded machines if designed properly. Those other resources can go into training teachers on how to use technology effectively in the classroom. The war between Mac and Windows was over long ago. Kids today don't care which platform they use. They have always will and and have a computer, so what version of Word they type their papers in, doesn't phase them. People need to get over this whole Mac vs PC thing and look at the bigger picture.

Re:Looks like the school district

[somersault]

What browser were you using? I install Chrome before I go searching for things like anti-virus :p

Re:Looks like the school district

[Joce640k]

What browser were you using?

Guess...!

Re:Looks like the school district

[semi-extrinsic]

Why do kids have permission to install anything on a school PC? Hell, why are they even allowed to download executables? Someone failed at setting these computers up properly, that's for sure. For a school PC they don't even need Java or Flash (if they really need Youtube, enable HTML5 video) or Acrobat Reader (get a less common PDF reader).

Re:Looks like the school district

yahoo was serving out an ad recently that installed that fake police send us paypal money to get your machine back thing...

It went right thru the newest firefox with an av and with noscript installed! i'm still not sure how it did that... not even ctrl-alt-del worked. nothing worked but rebooting to safemode. removing all the crap it loaded into the users\temp folders. and removing the entrys in the msconfig startup...

i don't feel like screwing around with it enough to figure out how it did it... i just completely blocked all yahoo sites instead. fuckem. they never had shit anyway. (other than some of their stock chart tools)

it was a good time to infect too... over the holiday weekend.. i bet they made a ton of cash.

Re:Looks like the school district

[LordLimecat]

The premise-- that Macs somehow are immune to viruses-- is utterly ridiculous. Was everyone sleeping when each of the last several years' Pwn2Owns resulted in OSX falling first (I think that this year they did better)? Was everyone sleeping when Flashback hit and everyone was astonished that OSX has bugs just like every other computer program on the planet?

If they had a rampant virus despite having antivirus and filters, then I know several things: They were granting admin privileges to the users and / or their AV utterly sucks (what kernel-mode antivirus gets thwarted by userland viruses?); they dont have a functional update system; and their network controls are inadequate.

I would note that, even if the premise were correct ("Macs dont ever have malicious programs"), this incident would demonstrate that the infrastructure simply wasnt there-- if youre giving very young, possibly irresponsible kids network access with semi-controlled devices, it behooves their IT department to make sure one clever and devious kid cant bring everything down. This demonstrates that they havent thought that through. I recall when my college got hit by Blaster, the IT staff started blocking MAC addresses that were infected. This was about 10 years ago; theres no excuse for not having similar capabilities now, not when there are so many low-cost managed switches out there.

Re:Looks like the school district

[LordLimecat]

Its been about 3-4 years since a PoC cross-platform PDF exploit was released demonstrating arbitrary code execution across all major platforms (Linux, Windows, Mac-- each launching its respective platform's calc program). These days almost every single exploit that hits a windows box uses a cross platform plugin.

Has it occurred to you that the reason you dont hear more stories about Flashback-style viruses on Mac is threefold:
1) Viruses these days are extremely sophisticated at hiding themselves;
2) Windows, with the history it has, has a number of highly sophisticated tools at detecting them; and
3) Macs do not, and it is thus likely that any such infections would be completely unnoticed?

Re:Looks like the school district

[ArsenneLupin]

The premise-- that Macs somehow are immune to viruses-- is utterly ridiculous.

You know, there are other OSes out there than just Windows and MacOS... So the rest all falls down from this...

And I don't need to worry whether the fire extinguisher that I keep next to my bed is still current on its inspections, and all that other complicated stuff, because I simply don't smoke in bed.

Re:Looks like the school district

[LordLimecat]

Are you sure that wasnt a popup crafted to look like a non-browser window? That is a very common method of enticing people to click on them, and to run the files it downloads.

Alternatively, perhaps you should visit the Mozilla Plugin Check:
https://www.mozilla.org/en-US/plugincheck/

If you truly got a driveby virus, your plugins are out of date, or your browser is. For the record, this is easily possible on Linux and OSX as well (and has been demonstraded before, and each year at Pwn2Own).

Re:Looks like the school district

[LordLimecat]

Can you please explain in what regard the security on OSX or Linux (a standard desktop distro) are superior to Windows 7 / 8?

Re:Looks like the school district

[Life2Death]

Parent used IE to surf the web, clearly.

Re:Looks like the school district

The one with the Flash plugin.

Re:Looks like the school district

The premise-- that Macs somehow are immune to viruses-- is utterly ridiculous.

You know, there are other OSes out there than just Windows and MacOS... So the rest all falls down from this...

The summary reference was to Macs as an alternative. If you can fairly suggest an alternative which would be as easily implemented as either, I'd be surprised.

And I don't need to worry whether the fire extinguisher that I keep next to my bed is still current on its inspections, and all that other complicated stuff, because I simply don't smoke in bed.

I believe electrical fires are actually more common than smoking related ones in bedrooms.

That's because Smoking as a rule has declined significantly for unrelated reasons.

Better get some AFCI outlets.

Re:Looks like the school district

. These days almost every single exploit that hits a windows box uses a cross platform plugin.

Windows, with the history it has, has a number of highly sophisticated tools at detecting them; and Macs do not, and it is thus likely that any such infections would be completely unnoticed?

These are what is known as hypotheses. The problem is, there are a crap-ton of security researchers who actually look at these numbers, and both have been disproved. Most malware still doesn't have a cross platform component, either by numbers of infection or by variant. The infection rate of a random sampling of Macs inspected by security experts always finds a much lower infection rate by a huge margin.

Maybe to help explain this phenomenon you should wander over to a security convention like Blackhat or Defcon. Count the number of security experts with Macbooks versus other devices. Notice a trend?

Re:Looks like the school district

[slashmydots]

Looks like the school district leaned a valuable lesson ... oh wait!

Yeah, spellcheck your press releases! lol.

Re:Looks like the school district

And its easy to say things like that with the 20/20 vision of hindsight. The truth is that with most organizations a laptop that costs a minimum of $500 more per unit is a fools choice. In the long run with maintenance the PC may cost more than the Mac would, but that pesky "may" word is in there. The Mac "definitely" costs much much more initially and every security argument known to man doesn't change that. This country has trouble passing normal school levies that raise the tax on your house by $15 per month. Where exactly are they supposed to come up with an extra $500 per child for Mac laptops?

Re:Looks like the school district

[interkin3tic]

Or, occam's razor: they actually have fewer viruses. Probably because fewer people use them.

Re:Looks like the school district

They shouldn't be able to click "run" or "ok" or whatever UAC says. If they had been set up properly, they would have to type an administrator password at the UAC screen.

Re:Looks like the school district

Actually, back in the day, those weird mac keyboards were a titanic pain in the ass for me. I clock in at ~130 WPM on my home machine, and given about two minutes to 'adjust', I'll be reliably hitting 100 WPM on any keyboard I touch.

These macs were in a computer lab where my best friend did his college work-study program, so I'd often go there to hang out and do my own homework. And if I got stuck on the macs (Which I avoided), well, I typed on the mac.

In two years, I never broke 50 WPM on those machines, using them a few times a week. Compared to "three minutes" to hit WPM on any other machine. 'course, Apple doesn't make those crappy keyboards anymore (They were curved instead of slanted), but, felt like throwing an old story in. Everyone hated those keyboards.

Re:Looks like the school district

[cjjjer]

Or

One of the kids did it on purpose for shits and giggles.

Re:Looks like the school district

[Viol8]

Hmm , lets see. Just off the top of my head - not tightly integrating the HTML engine with the core OS, not having all system daemons running with administrator privs, having a proper setuid system, not being able to send abitrary messages to the windows of other apps. I'm sure google can provide you with a load more.

Re:Looks like the school district

[LordLimecat]

As I recall, ever since Pwn2Own started, every single year with perhaps one exception the fully patched OSX box running safari was the first to fall.

There may be many reasons that Macs tend not to have a perception of "virus prone", but "theyre more secure" isnt one.

Re:Looks like the school district

[Spottywot]

"Here's how to make the warning go away."

If only it were that difficult.

I got a virus last week because I was trying to install MS antivirus on a machine. Microsoft Security Essentials requires a WGA check and it failed for some reason (don't know why - it was a perfectly legal machine).

Anyway, I went to Google to see if I could find a workaround and ... the very first page I visited installed a virus on the machine. No warnings, no permissions asked for. Some system dialog or other flashed up then ten seconds later I was looking at one of those "Police! Your computer has been locked!" screens (and the prospect of another Late Night With Windows(TM)).

Catching a virus by trying to install an anti-virus? Only with "Trustworthy Computing"....

A website designed to help solve AV installation problems is compromised by Ransomware, sounds like a good way to ensure plenty vulnerable computers will visit. Maybe No-script and Adblockplus could have prevented this, but this just proves that even the tech savvy are crazy to surf the net without AV and appropriate browser plugins. I always see guys on these threads who maintain that they don't need AV and that they slow down their machines too much. I see *some* sense in it in that I can't remember the last time my AV blocked anything on any of my machines.

I liken it to sleeping around and riding bareback, it may feel nicer at the time, but sooner or later you'll get infected!.

Re:Looks like the school district

[LordLimecat]

Windows however does not have privileged separation from the ground up

What do you suppose UAC is? And what do you mean "from the ground up"-- NT "from the ground up" has notions of users and different privilege levels that possibly eclipses the Unix world in scope and granularity.

Why do you think Chrome has robust sandboxing on Windows, but not on other platforms? As I recall, the reason the Chrome team gave was that, quite simply, Windows had better supported mechanisms for stripping privileges from processes (I believe they mentioned there was a way to do the sandboxing, but it used a little-used method that was not recommended on Linux).

Im not a Linux guru; Ill admit that. But Im not aware of a bog-standard Linux or Mac install having the ability to set permissions and privileges on specific processes completely aside from the context that launched them; or being able to set permissions on specific entries in a particular plist file (the equivalent of per-key permissions in the windows registry). As I recall, Windows also has more robust ASLR-- or at least did for many years-- than Linux or Mac, earlier support for DEP, and more granular ACLs on its default filesystem.

I really dont want to get into a "this OS is better than that" argument, because different philosophies went into each, and each has its strength. OSX focuses heavily on user experience. Linux focuses heavily on modularity, flexibility, and extreme hackability. Windows tends to focus on business and end-user experience, but without as much focus on OSX; there is also, however, a very big focus on security given all the bad press Windows has had over the years. It has very much undergone trial by fire, and to some extent that makes me less inclined to just say "go OSX; it has 0 track record with thwarting viruses, but Im sure it will be fine". Most big viruses I see either tend to be on XP holdouts, or else tend to be removable in a few minutes due in large part to UAC.

Re:Looks like the school district

[LordLimecat]

For starters, to be clear by "tightly integrated" you mean "Windows ships with IE dlls in Programfiles", right? And are you telling me you can remove Safari from OSX?

Unless Im mistaken, your driver "processes" in OSX run with kernel privileges. I would be interested to know however whether processes like dhcpd on OSX are running in user mode, and why on earth you think that would be a good idea security wise. Generally on WIndows we like to reserve the right to change IP addresses to administrator only, for example.

SetUID is, unless im mistaken, seen as a BAD security idea-- you generally dont want a normal user launching a program that runs with root, and Windows already has a method of stripping privileges from a process. Wikipedia for example notes why it is NOT a security improvement to use SetUID.

I dont really think any of these are terribly good examples.

Re:Looks like the school district

[AwesomeMcgee]

This is the thing I don't understand above all else; Why the #$%! does yahoo and google serve up ads that do this shit??? Precisely what is their ad scanning policy, seriously I would expect this from a great deal of sites but we've all seen both google and yahoo and other completely reputable sites serve up 3rd party ads that have this garbage embedded in them, and there is simply *no* excuse for it. If you ask me yahoo should be held legally accountable for serving this content, or doubleclick, or whichever host it came from, they should have some semblence of logs of how many people it was served to, take that number * $1500 for the cost of a computer because we have to assume they may have utterly destroyed each one of those and fine them. We need a freegin government anti-virus agency. The constant prevalence of this crap drives me up the damn wall, not because I get hit, I wear protection, but because by all accounts there's no reasonable manner with which this should be legal.

Re:Looks like the school district

[UnknowingFool]

Except for the little detail that Pwn2Own is turn based, you might have had a point. Also this year, Windows fell first (and was picked first). The only system never breached (and sometimes not tried) has been Linux.

Re:Looks like the school district

I didn't realise those Windows users were using viruses, that explains why they have so many of them.

Re:Looks like the school district

[IwantToKeepAnon]

Looks like the school district leaned [sic] a valuable lesson ... oh wait!

There, fixed that for ya :)

Re:Looks like the school district

[Viol8]

"And are you telling me you can remove Safari from OSX?"

Dunno, but you sure as hell can remove every browser from Linux and it'll still function fine. Why does Windows need IE dlls at all?

"your driver "processes" in OSX run with kernel privileges."

Dunno, but in linux system daemons run under all sorts of users. eg apache, smmsp, daemon. They don't all need to run as root.

"you generally dont want a normal user launching a program that runs with root, and Windows already has a method of stripping privileges from a process."

Generally they fire up with root privs, carry out a few tasks then setuid() to something innocuous. But if you're really worried then google "chroot" , its something thats been around since the year dot in unix which Windows still hasn't got. Also SE Linux has lots of extra stuff.

Unix started out with security built in , Windows was a free for all desktop OS thats been upgraded piecemeal over the years and it shows.

Re:Looks like the school district

And even with hiring staff, it still probably cost less than all those MACs.

Re:Looks like the school district

[LordLimecat]

Dunno, but in linux system daemons run under all sorts of users. eg apache, smmsp, daemon.

Your examples are bad. The windows equivalents also run under non-system accounts. IIS has its own account that it uses to run under. Most services that you install aftermarket generally recommend that you install under a separate user account-- although, as in Linux, you have the option of being unwise and running with root privileges.

Windows was a free for all desktop OS thats been upgraded piecemeal over the years and it shows.

Windows NT and above were built from the ground up for privilege separation. I could just as easily remark that ACLs and Mandatory Access Control were bolted onto Linux after the fact; AFAIK you cannot for example grant "create folder" access in Ext3/4 without granting delete folder, create file, delete file, and change permission rights as well-- at least not without using something "bolted on after the fact"

Re:Looks like the school district

[GodInHell]

Say it with me now: "I, [state your name] do hereby swear that I will install NoScript or an equivalent tool on my PC before browsing porn."

Re:Looks like the school district

[lister+king+of+smeg]

that will stop them until one of the smart enough to be dangerous students pops out a live usb/cd and changes himself to administrator, then tells his friends how to do it, and that is assuming they had separate user admin accounts, when i was in high school they had a bunch of old xp laptops in the chemistry/genetics room they had one account each where the user was admin they were allowed on the network with no restrictions.(so they all had itunes Chrome Firefox Opera and a dozen different tool bars for each as well as free!!! font/emoticons and no updates since they were baught(I cleaned several of the laptops to a useable state so I could get work done eventually I caved and just used linux+qemu on a thumb drive). even the "locked down" computers in the library and computer lab allowed arbitrary code execution but that generally didn't matter as they had deep freeze.

Re:Looks like the school district

You are aware that you can disallow booting from CD in the bios and password protect it, right?

Re:Looks like the school district

[drinkypoo]

The only system never breached (and sometimes not tried) has been Linux.

And this, friends, is why the people suggesting that "their security wasn't good enough" or "they should use a mac" are both being idiots. If your goal is security, there is only one reasonable choice, and it is... OpenBSD ;)

Seriously, these kids don't need Windows. It doesn't matter what they run. Shouldn't the goal be to choose the OS which is least likely to explode?

Re:Looks like the school district

Generally they fire up with root privs, carry out a few tasks then setuid() to something innocuous. But if you're really worried then google "chroot" , its something thats been around since the year dot in unix which Windows still hasn't got. Also SE Linux has lots of extra stuff.

Unix started out with security built in , Windows was a free for all desktop OS thats been upgraded piecemeal over the years and it shows.

Tell a security research that chroot is a security feature and they'd laugh at you, it's useful, but don't confuse it for what it's not, because there are issues with it.

Seriously, get off your high horse, UNIX started out without hardware memory protection, and the software side of things has a long history of security design issues, such as herp derp, unencrypted network protocols, world readable password hashes in /etc/passwd, and no salting, just for starters.

Everything to do with software security has been upgraded piecemeal over the years. Remember ftp and telnet? Good lord man, wake up and smell the coffee.

Re:Looks like the school district

[shutdown+-p+now]

Dunno, but you sure as hell can remove every browser from Linux and it'll still function fine. Why does Windows need IE dlls at all?

Because various system apps (such as e.g. the help browser) use it to render HTML. You know, much like e.g. help in Gnome uses GtkWebView (or whatever it's called these days) to render it.

Re:Looks like the school district

[TemporalBeing]

Windows however does not have privileged separation from the ground up

What do you suppose UAC is? And what do you mean "from the ground up"-- NT "from the ground up" has notions of users and different privilege levels that possibly eclipses the Unix world in scope and granularity.

You obviously do not understand the differences between Windows+ACLs and Linux+SELinux. SELinux is far more granular than anything available in the Windows world.

Why do you think Chrome has robust sandboxing on Windows, but not on other platforms? As I recall, the reason the Chrome team gave was that, quite simply, Windows had better supported mechanisms for stripping privileges from processes (I believe they mentioned there was a way to do the sandboxing, but it used a little-used method that was not recommended on Linux).

Haven't read up on Chrome in that respect. Windows does have abilities for programs to restrict or enhance their priviledges at run-time; not something common in the Unix world to do. But it also probably came from the fact that in Windows - even the Windows NT line - security was an after thought, so it had to be added to keep compatibilty in place and allow developers to more easily transition to new security models within Windows.

Im not a Linux guru; Ill admit that. But Im not aware of a bog-standard Linux or Mac install having the ability to set permissions and privileges on specific processes completely aside from the context that launched them; or being able to set permissions on specific entries in a particular plist file (the equivalent of per-key permissions in the windows registry). As I recall, Windows also has more robust ASLR-- or at least did for many years-- than Linux or Mac, earlier support for DEP, and more granular ACLs on its default filesystem.

ACLs enable Windows to do what in Linux is Groups. They are more robust in that they don't have to necessarily mean a group and can be applied a little differently.

That said, Linux/Unix also have the ability to use ACLs. But most don't as they are inferior to other technogies that are available. So they only get used when integrating with Windows sytems.

I really dont want to get into a "this OS is better than that" argument, because different philosophies went into each, and each has its strength. OSX focuses heavily on user experience. Linux focuses heavily on modularity, flexibility, and extreme hackability. Windows tends to focus on business and end-user experience,

More like:

• Apple/Mac focuses on user-experience
• Linux focuses on freedom, modularity, developer capability
• Microsoft/Windows focuses on business needs

MS only focuses on user-experience in so much as it drives a business purchase decision; not because it makes a better user-experience.
And the FOSS world is coming around on the user-experience area - especially KDE; but it takes time and resources, which are typically lacking.

Re:Looks like the school district

[AvitarX]

They have always will and and have a computer

Wish I lived in a neighborhood that nice,

Re:Looks like the school district

[LordLimecat]

Its nice to know that there are others out there who can use Linux without thinking the security world revolves around it. Maybe theres hope for slashdot yet.

Re:Looks like the school district

[LordLimecat]

SELinux isnt something that was built in "from the ground up"; it was tacked on by the NSA after the fact, and is absent from most consumer Linux distros. I will grant both that I dont know a whole lot about it (other than the high level "heres what it does") and also that its probably more granular than stock Windows, but thats not terribly relevant-- the topic was "ways stock Linux is more secure than stock Windows", and SELinux is very much NOT "stock".

But it also probably came from the fact that in Windows - even the Windows NT line - security was an after thought,

Lets be real here: Security was an afterthought everywhere. Windows' history may be particularly bad here, but noone (other than some of those crazier BSD guys) can really claim to have security "from the ground up". Im not clear why you think security was an afterthought in the NT line, either-- XP had everyone admin by default, but this was mostly because 90% of software vendors are incompetent at running without admin privileges, something that continues to persist even into Win7 days. You certainly could run as a standard user in XP and get a great deal of protection, however.

That said, Linux/Unix also have the ability to use ACLs. But most don't as they are inferior to other technogies that are available. So they only get used when integrating with Windows sytems.

I understand that you can get a bit more granular with extended ACLs, but that theyre not always supported and still not quite as granular as NTFS ACLs. I wasnt aware that there were other technologies available for that sort of thing, what were you referring to (sincerely curious)?

MS only focuses on user-experience in so much as it drives a business purchase decision; not because it makes a better user-experience.

I mean, they kind of ARE in the software biz to make money, so yes their focus is on generating sales most efficiently. But I worded it as I did because I cant for the life of me figure out how Windows8 drives business purchasing decisions-- Microsoft does seem to care about home user experience to try to chase down this tablet market.

And the FOSS world is coming around on the user-experience area - especially KDE; but it takes time and resources, which are typically lacking.

That may be, but "user experience" isnt generally the first and primary objective, flexibility appears to be.

Re:Looks like the school district

[LordLimecat]

I think I would agree that if an OpenBSD laptop meeting the minimum requirements was entered into Pwn2Own, it would likely never get hacked (for one reason or another) :)

Re:Looks like the school district

[LordLimecat]

The point is that driveby infections are every bit as possible on OSX and Linux as they are on Windows, which has been proven in real world situations.

Re:Looks like the school district

[butalearner]

Can you please explain in what regard the security on OSX or Linux (a standard desktop distro) are superior to Windows 7 / 8?

I've seen your other posts, where you go into very interesting detail regarding how Windows actually does have nice security features. But here's the real answer to your question: malware isn't built for Linux. Yeah, a competent Windows admin probably could have avoided this, but even a volunteer Linux admin *definitely* would have, because the virus simply wouldn't have worked. Note that I'm not making any claims about superior features or about how Linux is immune, just that this would not have happened. Yeah, security through obscurity isn't really all that impressive, but generally speaking it works just fine for Linux users.

Re:Looks like the school district

[LinuxIsGarbage]

Actually, back in the day, those weird mac keyboards were a titanic pain in the ass for me. I clock in at ~130 WPM on my home machine, and given about two minutes to 'adjust', I'll be reliably hitting 100 WPM on any keyboard I touch.

These macs were in a computer lab where my best friend did his college work-study program, so I'd often go there to hang out and do my own homework. And if I got stuck on the macs (Which I avoided), well, I typed on the mac.

In two years, I never broke 50 WPM on those machines, using them a few times a week. Compared to "three minutes" to hit WPM on any other machine. 'course, Apple doesn't make those crappy keyboards anymore (They were curved instead of slanted), but, felt like throwing an old story in. Everyone hated those keyboards.

I remember the crappy hockey puck mice, but I don't know what the crappy keyboards you're talking about are.

Re:Looks like the school district

[benjymouse]

..., but even a volunteer Linux admin *definitely* would have, because the virus simply wouldn't have worked.

So what types of admins were administering the server when this happened? (broke into and compromised multiple servers and sites)

Or when this happened? (Gained root access and deployed Trojans)

I guess those sites were being run by incompetent people? How else could a compromised user account lead to root access and rootkits installed?

Re:Looks like the school district

This is a bit different than viruses. The simple fact is that people want to keep that Macbook Air, and they get to keep it if they hack it. And it is possible to hack Mac OS X, particularly Safari is easy (or was, at least, now they put that annoying sandbox stuff...)

Re:Looks like the school district

>that. But Im not aware of a bog-standard Linux or Mac install having the ability to set permissions and privileges on specific processes completely aside from the

You mean SetUID?
A lot of processes (like Apache) are regularly run with chroot to limit their directory access and/or under special IDs that have only very limited access. Most linus distributions now ship with SELinux, which ... well put it this way, it was designed by the NSA. So.. standard POSIX style permissions, more primitive than modern Windows. Modern SELinux, more advanced.

Mac OS has something similar with their sandbox technology, and has quietly shipped with it running for certain daemons for a while. They are making a big push to have it enabled for end-user applications now too, which is making a big stink among developers (because very few developers on Mac or other platforms are used to writing programs that run under those constraints).

>context that launched them; or being able to set permissions on specific entries in a particular plist file (the equivalent of per-key permissions in the windows
Well yes, permissions can only be set at the file level, so you can either read/write a configuration file, or you can't - on the other hand, the registry in Windows is a giant mess that regularly gets corrupted. There are other more elegant ways around this, though. For example, you make a config file in your home folder that you control, but the system-wide config file in the /etc/ folder takes priority. That way the administrator can force certain things, and leave other things up to the users.

>registry). As I recall, Windows also has more robust ASLR-- or at least did for many years-- than Linux or Mac, earlier support for DEP, and more granular ACLs
> on its default filesystem.

ASLR is an Intel specific thing, and Windows is more Intel specific than Linux. That is to say, that Windows has "supported" PowerPC, Alpha, etc. mainly in name only and focused 99% of their efforts on Intel. Most of the improvements in Linux apply to all platforms - this is a good thing in the long term, but of course maybe not today for everyone with c2d or i5 chips.

Well let's be honest, Mac OS before OS X was a joke in some ways. Linux has had ACLs in EXT3 for quite a long time now, but certainly after Windows introduced it in the NT line. Then again, it actually worked better on Linux from the beginning. One big problem Windows faced until recently (and sill does, to some extent!) is that applications were made for Windows 95, etc. They want to write files where they want, they want to hard-code paths, they assume they have administrator rights, etc. That's of course not entirely Microsoft's fault, though. Also, the NT Kernel has a lot of awesome functionality that isn't used in Windows or exposed via the Win32 APIs.

Also, if ACLs were important to you, there have been other filesystems with advanced ACL support (XFS, etc.) around for a long time.

As for OS X having 0 track record with security, remember that for practical purposes, it is BSD with a different GUI.

Re:Looks like the school district

[sensationull]

That's why you use Bitlocker to encrypt the drive so that a simple boot program can't mess with the passwords, best bit is that it is transparent to the user. Besides the BIOS should be be locked down to prevent booting from anything but the HD and the HD should be using drivelocker preventing another drive from being substituted.

Re:Looks like the school district

[LordLimecat]

the registry in Windows is a giant mess that regularly gets corrupted.

[Citation needed]

Generally those "registry not found issues" are caused by failing hard drives; it could just as easily be a missing fstab or partition table.

Re:Looks like the school district

[lister+king+of+smeg]

BIOS lock is easy to bypass with a simple removal of the batteries and shorting of a capacitor.

Re:Looks like the school district

[Viol8]

"Tell a security research that chroot is a security feature and they'd laugh at you, it's useful, but don't confuse it for what it's not, because there are issues with it."

If you're thinking about the double chroot issue thats been fixed in most setups and FreeBSD has its "jails". So no, they wouldn't laugh.

"UNIX started out without hardware memory protection,"

Yeah, back in the early 70s. We're in 2012.

"Remember ftp and telnet?"

Those were designed in the 80s and the fact that they used plaintext wasn't a bug unlike all the Windows exploits. How about we compare apples with oranges?

Re:Looks like the school district

[Viol8]

"Because various system apps (such as e.g. the help browser) use it to render HTML."

Oh well, thats obviously a crucial component of the OS and I can completely understand why it wouldn't function without it!

Not.

"You know, much like e.g. help in Gnome uses GtkWebView"

I wouldn't know , I don't use Gnome because unlike in Windows I have a choice of window managers I can use and the OS will even function without a GUI at all. Something Windows has only just managed in the last few years and even now its still requires a lightweight GUI for initial setup and admin!

Re:Looks like the school district

[Viol8]

". I could just as easily remark that ACLs and Mandatory Access Control were bolted onto Linux after the fact;"

My friend, I was using ACLs on HP-UX back in the late 80s before windows even existed so spare me the standard issue argument Windows NT being some sort of earth shattering breakthrough in OS design. Linux simply ported what Unix has had for decades.

"AFAIK you cannot for example grant "create folder" access in Ext3/4 without granting delete folder, create file, delete file, and change permission rights as well-"

You're confusing standard unix permissions with ACLs which are not "bolted on" in Linux, they're a standard shipment and have been for years. Whether many people use them or not is another matter.

Re:Looks like the school district

[sensationull]

on a desktop, not a laptop, at least not a decent one, most need a new Mb or to go back to the manufacturer for unlocking with a hardware dongle.

Re:Looks like the school district

[TemporalBeing]

SELinux isnt something that was built in "from the ground up"; it was tacked on by the NSA after the fact, and is absent from most consumer Linux distros. I will grant both that I dont know a whole lot about it (other than the high level "heres what it does") and also that its probably more granular than stock Windows, but thats not terribly relevant-- the topic was "ways stock Linux is more secure than stock Windows", and SELinux is very much NOT "stock".

True, SELinux wasn't in at the start, but users, groups, and permissions were in every Unix from the start.

But it also probably came from the fact that in Windows - even the Windows NT line - security was an after thought,

Lets be real here: Security was an afterthought everywhere. Windows' history may be particularly bad here, but noone (other than some of those crazier BSD guys) can really claim to have security "from the ground up". Im not clear why you think security was an afterthought in the NT line, either-- XP had everyone admin by default, but this was mostly because 90% of software vendors are incompetent at running without admin privileges, something that continues to persist even into Win7 days. You certainly could run as a standard user in XP and get a great deal of protection, however.

For Windows, look at the Win16 and Win32 APIs - supported by even the earliest versions of the WinNT lines. These APIs are by design insecure, do not utilize ACLs or permissions, etc. Yet they are the foundation of the Windows API until Win8 with the WinRT API - the first major rewrite of the official Windows API as it bypasses even Win32 (AFAIK).

Comparatively, Unix/Linux while they dealt with more generic APIs, many were subject to the permissions system from the get go. Look at X Windows and you'll see the same thing - unlike in Windows where any application can subvert or access another application's User interface elements by design.

That said, Linux/Unix also have the ability to use ACLs. But most don't as they are inferior to other technogies that are available. So they only get used when integrating with Windows sytems.

I understand that you can get a bit more granular with extended ACLs, but that theyre not always supported and still not quite as granular as NTFS ACLs. I wasnt aware that there were other technologies available for that sort of thing, what were you referring to (sincerely curious)?

You have a number of options - from ACLs (which can be embedded into ext2/3/4) to SELinux to AppArmor to a number of other things if you want to get the more advanced permission functionality.

MS only focuses on user-experience in so much as it drives a business purchase decision; not because it makes a better user-experience.

I mean, they kind of ARE in the software biz to make money, so yes their focus is on generating sales most efficiently. But I worded it as I did because I cant for the life of me figure out how Windows8 drives business purchasing decisions-- Microsoft does seem to care about home user experience to try to chase down this tablet market.

MS is trying to drive businesses to buy their tablets and phones. It hasn't been working very well, so they are pushing Win8 to achieve that; but it's not likely going to work very well either since most businesses (especially the large businesses that are the core of MS's market) that care about tablets and phones have already integrated iOS support for iPad/iPhone.

Re:Looks like the school district

[shutdown+-p+now]

Oh well, thats obviously a crucial component of the OS and I can completely understand why it wouldn't function without it!

It will function if you rip it out. It's just that there's no real reason for anyone to want to rip it out (other than "look how 1337 I am, I don't even have it installed!"), and so there are no arrangements to provide for that. If you want to hunt down all the relevant binaries yourself, you're free to do so.

Re:Looks like the school district

[UnknowingFool]

Some of attacks were drive-bys; most of them were very sophisticated. The point is saying OS X fell first provides no meaningful insight into the nature of security and also obscures the nature of the contest.

Re:Looks like the school district

[doccus]

I haven't noticed any focus on "user experience" lately with OSX, rather it looks like the focus is "Apple's Experience of Profit"

Re:Looks like the school district

[Alarash]

You people thinking you are safe from using Linux are both right and wrong. Just wait until Linux gets a noticeable market share in the desktop environment, and you'll see viruses and exploits for it. This used to be the case of Macs, and now they are under attack too, just because it's now worth writing code for this platform.
Anyone who worked in network security will tell you that no system is safe. It's just a matter of finding a reason.

SCADA systems were considered safe, fit for critical infrastructure use. Cue Stuxnet, and now everybody is freaking out that water treatment plants can be hacked.

Is it 10 years already?

[symbolset]

There once was this thing, the "trustworty computing" pledge.

What happened to that?

Re:Is it 10 years already?

[dbIII]

It may be enough time to put a man on the moon but it's apparently not long enough to clean up MS Windows (even if Microsoft did compare their project to the Apollo one).

Re:Is it 10 years already?

[Dr_Barnowl]

The trust is for the media cartels. They don't trust users not to copy their media, so Microsoft sold them the idea of computing they could trust.

The "End to End Trust" initiative is all about this - removing the computer's trust that it's owner should have control, and handing that trust to the people with the root signing keys - Microsoft will become indispensable to the entire Windows software ecosystem. The ultimate rent-seeking behaviour.

The Computer doesn't trust you.

Re:Is it 10 years already?

[recoiledsnake]

Journalists raised a hue and cry about the end times because TC was implemented by Microsoft.

In the meantime, Apple came in and implemented the same spec and the same journalists fell over each other extolling the virtues of the walled garden.

Re:Is it 10 years already?

[Raumkraut]

Perhaps it's the difference between inviting people into your walled garden, and building a wall around the people in your already highly populated garden?

Re:Is it 10 years already?

[Seeteufel]

Antitrust.

Re:Is it 10 years already?

[Bearhouse]

Sorry, posting to cancel error in modding...(damn this 'instant' button)

Mod up someone, please

Re:Is it 10 years already?

[sootman]

Bill Gates also thought (in 2004) that we'd defeat spam in two years.

The only fool bigger than one who believes a prediction from MS is one who believes a promise from MS.

Re:Is it 10 years already?

[symbolset]

something, something, "partnership"

Can I be the first to say that...

They learned their lesson!

*bad dum tss*

And Linux?

[Arrepiadd]

Among the reasons cited for the school district's choice of PCs over Mac's were (...) cost.

And yet Linux was never an option? Avoided Apple to reduce the cost and ended up hiring 5 people to contain the damage that came as a consequence of their choice... way to go!

Re:And Linux?

[aliquis]

^ What I wanted to say.

Sure they shouldn't buy macs. But if they worry about viruses they don't need to get Windows machines just because of that.

Also is it really that hard to keep a Windows machine free of viruses? All the kids installed the same crap?

Re:And Linux?

Also is it really that hard to keep a Windows machine free of viruses? All the kids installed the same crap?

It's as hard to keep a Windows machine free of viruses as it is to keep a Linux machine from shitting itself on boot.

For your average Slashdotter: It's not even a question.

For your average computer user: There is no hope.

Re:And Linux?

[Robert+Zenz]

It's as hard to keep a Windows machine free of viruses as it is to keep a Linux machine from shitting itself on boot.

I've only seen Linux not booting two times in 6+ years of using it: The first was faulty hardware which caused SEGFAULTS. The second was a damaged home-partition. From all the arguments you could come up with, this is the least viable. ... At least say "...as it is to keep Linux from randomly killing X", that at least sounds believable.

Re:And Linux?

No kidding, if I was setting up a school network and got to choose the OS I would choose Linux without a moment of hesitation. It's the only OS out of the 30 or so I've used over the years that doesn't require expensive 3rd party software just to restrict users rights into something sane enough to put teenagers at the keyboard.

One of these days people will use Linux or something very similar to it as the defacto standard for such networks, they will look back and laugh at how silly it was to force a square peg through a round hole.

Re:And Linux?

[Hentes]

Having an IT staff for a program this big is pretty much a necessity which they should have thought of before launching it.

Re:And Linux?

[wallbase]

One of these days people will use Linux or something very similar to it as the defacto standard for such networks, they will look back and laugh at how silly it was to force a square peg through a round hole.

You're living in a dreamworld. Linux has been around for a sufficiently long time and it still hasn't... fucking... happened. There's too much inertia for Windows and too little impact (on the desktop) for Linux.

But I'm happy to be proven wrong.

Re:And Linux?

[erroneus]

It is a bit hard. Not for me... not for people with self control and a little understanding of what goes on out there. The weak link is humans.

But that said, there is some blame in the design of Windows. I think the Apache web server needs to be stripped of its name to have it awarded to Windows. I think it might make Windows cooler somehow.

People want to claim there is no original code from DOS/Windows in the current versions of Windows. That may be true. Part of the problem is design. It still harbors the design of a single user, single tasking OS which was added upon for more than a decade of incremental changes, patches and fearure improvements, one after the other after the other. It's amazing it's not messier than it already is.

Would you rather drive a car that started out as a go-cart or a car which started out with stability and security in mind when the plans were drawn up?

Microsoft didn't have a plan in mind for Windows when it created DOS. It didn't even have Windows95 in mind when it created Windows 3. It's all a pile on top of a pile on top of a pile.

Re:And Linux?

[Seeteufel]

Just a matter of investment and product quality. Build a resilient developer ecosystem, port your code to LLVM, go for extreme testing. I think it would be about 50 Mio $ to get it perfect.

Re:And Linux?

[L4t3r4lu5]

Cost != Purchase price.

Re:And Linux?

[BenoitRen]

It would actually be a matter of making Linux not suck as a desktop OS.

Re:And Linux?

[BenoitRen]

FTFS:

PCs over Mac's

Bob's Quick Guide to the Apostrophe, You Idiots

Re:And Linux?

[wvmarle]

From the way the summary is written ("temporary IT staff members") I make up they have a permanent IT staff of more than one already.

Re:And Linux?

[fatphil]

If by that you mean "make Linux suitable for droolers who can do little more than click on the nearest flashing brighly-coloured thing on the screen", then that might help. However, as this was supposed to be a school, teaching the kids to be intelligent problem-solvers rather than braindead pondlife could be considered the better thing to do.

Re:And Linux?

[BenoitRen]

No, I meant technically, not aesthetically. Please troll somewhere else.

Re:And Linux?

[fatphil]

It can render windows, icons, menus, and handle a mouse pointer - in what way is linux not technically suitable for the desktop?

Gotta love the irony of the person churning out the tired old "it's not ready for the desktop" line accusing another of trolling, though.

Re:And Linux?

Even when they know that's going to happen in most cases managers will take that bet. Here's how it works:
1.Get funding to install cheapest solution possible
2.You're seen as fiscally responsible - get promoted
3.Virus hits and you have to spend a bunch of money to fix it
4.Hire some guys to come in and fix it
5.You're the hero - get promoted

No one ever gets fired for installing Microsoft. Linux is seen as something tantamount to communism in the business world. Like dealing with Russia, or China they'll do it and hold their nose, but they don't really like it. I've been in meetings where management has argued that you can't trust open source because there's no one company behind it. They also argue that there is no support, or support is extremely expensive.

There is some truth to that logic. Enterprise vendors mostly support Red Hat or Suse, but hardly ever both, and once you start down one path it's very difficult to change. Ever try to get patches into an offline environment using Red Hat? Be prepared to spend a boatload of money on what Red Hat calls a Satellite Server ($10k / per license just to do patching) at each hop into the protected environment. For that cost you'd think that you'd have a secure solution, but you really don't. They require firewall to be opened round trip so they can make http requests to validate their install. Conversely, WSUS allows you to have a server in production, and downstream servers in the protected environment that never talk directly to the internet. I like that much better (yes I know the external host could be compromised and then all bets are off, but still). So it's hard to argue with the management assessment of the situation. I'd love to run linux in our environment, but even on the server side it's way more painful than Microsoft, and the desktop is even worse.

Re:And Linux?

[wisnoskij]

Incompatibility with 99% of all software, including viruses, is not a feature.

Re:And Linux?

[Quietust]

What you've said is certainly true... for Windows 95/98/Me, which were indeed built on top of Windows 3.1 and MS-DOS and not properly designed to be multi-user. If you think Windows 7 falls under that same category, you are sadly mistaken - that traces back not to 16-bit Windows 3.1 but to 32-bit Windows NT 3.1, which was designed to be multi-user (and even multi-CPU) from the very beginning.

Re:And Linux?

Silly you, linux is cheap if your time isn't worth anything! oh, wait....

Re:And Linux?

[benjymouse]

Part of the problem is design. It still harbors the design of a single user, single tasking OS which was added upon for more than a decade of incremental changes, patches and fearure improvements, one after the other after the other. It's amazing it's not messier than it already is.

[citation needed]. Where do you see a design of single user/single tasking OS?

Microsoft didn't have a plan in mind for Windows when it created DOS. It didn't even have Windows95 in mind when it created Windows 3. It's all a pile on top of a pile on top of a pile.

That may be so. But current Windows is not built upon any of those. The current strain of Windows is built upon Windows NT, which *was* a clean-room implementation of Windows. It has *nothing* to do with DOS, Windows 3 or Windows 9x/ME, except that it has a compatibility subsystem for running legacy applications.

Windows NT was always a multi-user and network-aware OS. From the very start. Unlike Unix and Linux which were designed multi-user but *not* network aware. Windows users (SIDs) are unambiguous across a network. On Unix/Linux you need to resort to all kinds of hacks, translations and reservations to make uids and gids work consistently on networked file systems.

Re:And Linux?

[Seeteufel]

Just a matter of Investment and polishing.

Re:And Linux?

[BVis]

Unlikely. As with everything in modern American public education (well, anything in a major American organization, public or otherwise), decisions are made based on how little something costs RIGHT NOW as opposed to how much it will cost in the long run, and any attempt to build infrastructure to support a new initiative is met with "that's so much money, we'll just cross that bridge when we come to it if it's a problem." Handing out tens of thousands of Windows-based laptops (especially with Redmond's subsidy for OS cost) may be cheaper up-front, but bringing in that many laptops requires substantial infrastructure to handle the 'side benefits' of Windows, namely the need for strong antivirus solutions and the most restrictive group policies that are possible that still allow the students to log into their laptops. I can guarantee you that at one point as this program was being developed the following conversation, or one very much like it, happened:

Tech: "We need to take security measure X, because Y."
Suit: "How likely is Y to happen?"
Tech: "Hard to say, exactly, but it's possible, so we should do X. It will require additional effort Z, but it's a fair trade."
Suit: "And how much will Z cost us?"
Tech: "Well, it will probably generate additional help desk traffic."
Suit: "Work around it, help desk traffic costs money."
Tech: "If we do that, and Y happens, the entire network could be trashed and we'll have to hire (expensive) additional staff to fix things, and we could potentially be down for weeks or months."
Suit: "Ehh, that'll probably never happen. Do the workaround."

I'm guessing in this case the students were required to have privileged accounts on their laptops because of shitty software that doesn't install correctly in userland.

Re:And Linux?

[drkstr1]

Heh, I guess I'm the only one who is constantly having fix my Linux machines when they fail to boot. But then again, I tend to get bored once everything is working... ;-)

Re:And Linux?

[Archangel+Michael]

If they have any IT staff at all, they should be fired for incompetence. If they don't have any IT staff, the administrators should be fired for incompetence. Either way, someone should be fired for incompetence.

I work for a school district, in IT, and we don't let users have the ability to install anything. Period. A properly managed system, means that you have all the tools in place to get systems functioning without users needing Admin level (UAC or otherwise) access. Problem is, schools cry poverty when it comes to IT, and administration doesn't understand why it cost money to have systems in place to manage large number of computers. The logic is that their home PCs don't require management of any sort, so why do the schools thousands of computers need it.

Well, now they have their answer. Trying to save money by not having proper management is now costing more in temporary IT help than it would have cost to do things properly in the first place.

Re:And Linux?

WTF? Have you ever actually used a proper old-school *NIX environment?

Re:And Linux?

[hobarrera]

Actually, the paid for windows in order to save costs. I don't get how you save costs with a pretty expensive alternative.

Additionally, isn't it morally wrong to force propietary software onto students? Isn't the US goverment supposed to promote the usage of free software? (It's a legitimate question - I thought this was so).

Re:And Linux?

Linux is a kernel.

Re:And Linux?

[BenoitRen]

It may be tired and old, but it's true: Linux is not ready for the desktop. The kernel is designed for a server OS and hence its scheduler is not suitable for desktop use. The kernel's and libraries's API changes every release. And so on.

Re:And Linux?

[fatphil]

You clearly know nothing about linux.

a) There's no "its scheduler" - there are a whole host of different schedulers you can use, which are optimised for different expected workload types. And if I/O's a major part of your workload (if you're dealing with lots of large image/audio/video files) then you've even got a selection of different I/O schedulers to chose from, again optimised for differnt types of workloads. You can parametrise how swappy you want the kernel to be too, and lots of other things. I've been using linux on my desktop for a decade, and I've never seen linux get in the way of my work. Shitty userspace apps like firefox which don't know how to deal with contention properly piss me off every 2 minutes, but that's not linux's fault, they're just as shit on windows and even worse on OSX.

b) Linus holds as an overriding principle that kernel interface changes must never break userspace. Even to the extent that he prevented some real fixes being included in the kernel, which annoyed Alan Cox so much he resigned from being subsystem maintainer for ttys ( http://lkml.org/lkml/2009/7/28/375 ) So whilst the kernel may grow new interfaces with each release, it doesn't lose old ones.

Re:And Linux?

[BenoitRen]

There's no "its scheduler" - there are a whole host of different schedulers you can use, which are optimised for different expected workload types.

None of which are designed for the desktop.

Linus holds as an overriding principle that kernel interface changes must never break userspace.

Userspace isn't everything. Drivers have to be recompiled because that part of the kernel API did change. With every distro release lots of other API break as well.

PC over Mac

Oh, so there are only two choices right ?
If the children would have access to something where somebody not part of a giant corporation has access to source code it's obviously a bad idea....
And of course they absolutelly need to be trained "to be ready for the industry", wich they will join in about 5 to 15 years...
So they get what the industry was supposed to adopt a couple of years ago... and will learn that there is only "one true way"....

Well it's just the usual morons making the usual moronic decisions....

Meanwhile I wonder how long it will take them to fix the typo in the lack of success story...

Oh really?

[Robert+Zenz]

...and last but not least, cost.

Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.

Re:Oh really?

...and last but not least, cost.

Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.

Uh, you forgot about the part where Redmond is in this district. Chances are all licensing costs were either eliminated or heavily subsidized for education. And Windows 7 "Ready" hardware? Please. That's a $250 i3 with 2GB of RAM in a school budget. Why do you think the PCs are running like frozen dogshit when infected. Nothing in the Apple store is that cheap, or that slow.

Re:Oh really?

An i3 with 2GB of RAM is slow?

Re:Oh really?

seems like they can jack off all day or something.

Dude, not at the school...

Re:Oh really?

[thoth]

Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.

I know it is fashionable to rail on government spending as wasteful in all circumstances, but this attitude always pisses me off.
For every government project that goes over-budget or delayed, there is a corporation happily cashing the checks and under-delivering. That's where the problem is.

Re:Oh really?

[Robert+Zenz]

I was less after the "they throw money out the window"-part, but more for the "they can do whatever they want, nobody checks ever!"-part.

And yes, I totally agree with you! Especially since here in Austria they threw out a Linux migration because they bought a proprietary ActiveX-Component halfway through and some authorities pay € 500k for their homepage (which is nothing but a simple CMS)...

Re:Oh really?

[progician]

You can't be serious. Or they that is.

Re:Oh really?

[inglorion_on_the_net]

For every government project that goes over-budget or delayed, there is a corporation happily cashing the checks and under-delivering. That's where the problem is.

True, but I also wonder why governments don't do anything about it. Back when I built software for the government, I was employed by a company that would agree up front on the features and cost, and then deliver the promised features and receive the promised payment. Our customers loved us, because this was apparently better than the experience they were used to. Makes me wonder why they didn't go for the same terms in their other contracts.

I mean, I understand and know full well that you can't always accurately estimate everything ahead of time. Sometimes, development ends up costing more than you estimated. Happened to us, too. That just means you make less profit, or maybe even lose money on the project. I understand why companies would try to pass the higher cost on to the customer, but I don't see why the customer would let them do that. Maybe the first time, if backing out and starting over costs more than paying extra, but after that, wouldn't you look for a more trustworthy supplier?

Long story short, I think governments at least share the blame for over-budget projects. Over-time is a bit more subtle, as there isn't always possible to deliver on time. But it's always possible to charge no more than the agreed-upon price.

Re:Oh really?

[Robert+Zenz]

Unfortunately, I am serious...so are they. They also paid some € 10k for a browser addon (which acts just like a favorite toolbar, but with links to government sites)...guess what? Was one-browser-only...guess which one.

On the up-side, they acknowledge that there's a problem with partisanship and corruption in the government and big companies here in Austria...and defend it with, and I quote, "...this the culture here in Austria"... ... ... ...

Complete bollocks there.

Never had a problem with Linux shitting itself on boot.

Not even sure what that is. POST failure? Driver crash on initialisation? Because the first isn't the OS and the latter I've seen in Windows as often as I've seen in Linux.

For your average MS troll, you've done really REALLY badly.

Re:Complete bollocks there.

[hughbar]

Yes, so agree with this. Most of my Linux computers are from about 2003 -2005, a couple of them are 365/24 servers [so infrequent boots, fair enough] but everything boots just fine. The only Windows in da house now is for test installs etc. I don't actually USE it for anything much.

Re:Complete bollocks there.

For your average MS troll, you've done really REALLY badly.

MS troll? Uh, okay. Given that I regularly use Linux (RHEL, specifically these days), OS X, Windows and Solaris.

Whatever dude. The average person interacting with a computer has no fucking clue, and will manage to fuck things up. Hell, give me an unprivileged user account with shell access, and I'll prevent that account from being able to properly log in without administrator intervention and file restoration.

Hurr durr leenucks isn't a fucking solution when the problem exists between the chair and keyboard, you moronic wretches.

Re:Complete bollocks there.

[progician]

Keep your voice down and we can have a conversation.

Issue #1: The user should be taught how to keep their system clean. Doesn't matter whether it is Linux, Windows or OSX. So they handed out devices without any restriction imposed on the user, the user who is a kid, and is supposed to be restricted they have enough knowledge to be responsible for their own computer-like devices. For the same reason, people having a driver instructor while driving for a while, pass an exam, and only after that they are allowed to drive their own, or other people's car.

Issue #2: All major existing operating system today is capable to restrict the user's actions if they are set up correctly. Now the commercial OSes, like Windows and OSX are advertised as an out-of-the-box solution, and thus people think that they are ready to be deployed in virtually any situations. In practice however, it turns out that when it comes to managing a bunch of devices for predefined goals apart from having fun with personal computing at home, you need a competent administrator or administrator team to handle the set up and the maintenance. Customer support just doesn't cut it for this reason. They off site, and slowly responding, and they don't really know what are the exact requirements for their installation. CS could be handy perhaps in individual cases, where the user works within its competence, but any organization working with computers regularly (as I deduced from the article, the whole point of giving out laptops is to get the education system computerized) need competent maintainer.

Windows isn't really more vulnerable to viruses than OSX in a competent hand, and Linux is just as much stable as any of the commercial operating systems if maintained by skilled administrator. And an competent system administrator would be completely aware of the fact that children are not the most trustworthy users when it comes to downloading and executing software from unknown sources.

So, in my opinion what the school board/administration did is cuting corners on their computer staff, or hired incompetent, unskilled cheap labour for the position. Either way, it isn't really the OS that really matters, it is the person who keeps it running.

Re:Complete bollocks there.

[hobarrera]

Keep your voice down and we can have a conversation.

Issue #1: The user should be taught how to keep their system clean. Doesn't matter whether it is Linux, Windows or OSX. So they handed out devices without any restriction imposed on the user, the user who is a kid, and is supposed to be restricted they have enough knowledge to be responsible for their own computer-like devices. For the same reason, people having a driver instructor while driving for a while, pass an exam, and only after that they are allowed to drive their own, or other people's car.

However, very few extremely technical users can keeps their windows installation clean and running for years. You certainly can't expect this from the general population, let alone children.

[...]

Windows isn't really more vulnerable to viruses than OSX in a competent hand

In a competent hand, yes, it is.

, and Linux is just as much stable as any of the commercial operating systems if maintained by skilled administrator.

Please name one piece of malware out in the wild that affects distros like Mint or Ubuntu.

And an competent system administrator would be completely aware of the fact that children are not the most trustworthy users when it comes to downloading and executing software from unknown sources.

So, in my opinion what the school board/administration did is cuting corners on their computer staff, or hired incompetent, unskilled cheap labour for the position. Either way, it isn't really the OS that really matters, it is the person who keeps it running.

Linux and BSD require no effort to keep malware out. There are none, and the defaults are pretty sane (there aren't plenty of security-holes in default services which run as root).

Re:Complete bollocks there.

[progician]

Sir, I think you misinterpreted my comment.

However, very few extremely technical users can keeps their windows installation clean and running for years. You certainly can't expect this from the general population, let alone children.

I think you are a bit harsh with your words. Technical users in general can keep their Windows clean not just a few of them. I know this is just matter of terms, but I only call a user 'technical' only in Windows terms, if they can keep their OS clean and functioning without restricting them.
And according to TFA, the point of giving out these laptops to the children is to educate them to use computers. It is my firm position, that any operating system, including Windows can be also kept functional and tidy if you restrict the user. So why not restrict these children, on their school-given laptops, and educate them, so that later these restriction can be removed and they would become the administrator of their own system? This is the natural course in many field of education, so why not do it for the now ubiquitous computer-like devices? The goal would be, that everybody should have the operational knowledge of their own tools, devices.

Windows isn't really more vulnerable to viruses than OSX in a competent hand

I was able to keep my Windows installation completely virus free by using trusted sources of binary software (trusted here means trusted by me). Without any anti-virus. This includes only really handful sites, like MS, NVidia, and open source sites binary downloads (typically sf.net).
After the experiment, I ran 3 different antivirus software, and they found nothing. So yes, in competent hands, it is possible to keep it clean. I don't like Windows, but it is mostly the user habits, that are dangerous, not necessary the system. I mean, until you find out how your system works, it is a good advice to have an even stricter policies: No installation, website browsing policies... this can be imposed on the child-like users (not just children, but many, many adults).

Linux and BSD require no effort to keep malware out. There are none, and the defaults are pretty sane (there aren't plenty of security-holes in default services which run as root).

This is only true to a point. You see, malwares aren't restricted to OS level, many and increasing number focuses on the user land, especially browsers. We are observing a second layer operating system built on the top of the traditional one, that of the web-client. While it is very unlikely that some javascript or similar malware would be able to gain root privileges on a Linux/BSD system, it is fair enough to get in to the shoes of the browsing user most of the time. The real deal with Linux/BSD systems is working mostly from trusted software repositories built from source code, and binaries that are built by the OS maintainers themselves, therefore the natural user habits are to use the main source of the software. Same goes for OSX: Most of the running software is either Apple product or some big shot name that the user recognizes right away. The rest of the software are usually coming from the same source as those to Linux, given that Unix-likeliness.

Sure you can trace back some issues to some technical shortcoming of Windows, but IMHO it is always up to the user habits to keep the everyday garbage out of the door. For this reason, big companies, like MS and Apple sees this as a challenge to nanny over the user all the time, but that is rather the case of the good ol' false dichotomy between security and freedom. My proposal was addressed to the education of the children. Nonetheless, if we're committed to educate our youth to use their devices properly, I would defintely emphasize that the above mentioned "ring of trust" system at its best starts at hw/kernel level. Free software, such as the Linux kernel with openly and publicly editied and moderate source code (along of course the technical details) is the most secure way you can get.

Re:Complete bollocks there.

People still don't have a clue.

Build it and they will come. Provide a computer and they'll immediately have artistic talent or their business will thrive or they;ll get "that" job.

Sad really, schools no longer actually "teach", they facilitate.

And all this BS about security and OS for the hardware completely misses the real problem.

Make all school districts use Windows!

[ipquickly]

Just imagine how many new IT jobs this would create.

Re:Make all school districts use Windows!

The broken Windows fallacy?

Re:Make all school districts use Windows!

[ipquickly]

The broken Windows fallacy?

5 hired IT staff that would have been unnecessary had the school used Linux or Mac say so.

Re:Make all school districts use Windows!

[Albinoman]

You can really believe that hiring 5 *temporary* employees to clean up a mess and give some advice costs more than the price difference between a mac (which wouldn't have necessarily fixed this, and mac techs probably cost more) and pc times, what, thousands of laptops?

Re:Make all school districts use Windows!

[fatphil]

In my experience (mostly big IT companies), the number of windows admins required is nearly 4 times the number of unix admins required, for the same number of desktop machines.

An extreme example was the last job I had, where there was a typical level of windows admins, and there were zero unix admins. Everyone was given a machine with a blank hard drive, and told on their first day to install whatever OS/distro they wanted, and were comfortably running themselves. I guess a third went debian, a third ubuntu, a couple of gentoos, some redhats, and a few others too.

Re:Make all school districts use Windows!

[coofercat]

Did they ask the kids to help them sort it out?

I know times have changed since I was a nipper, but at my school, there were probably 3 of the kids + 0 staff who knew the BBC + echonet system really well. I seem to remember one kid hacking it to within an inch of it's life then writing a report on "security" so he didn't get expelled for it. Anyway... my point is, the kids may know how to fix this better than these drongo staff members they hired (heck, the kids may have done it in the first place, so they'd presumably know how to fix it).

Re:Make all school districts use Windows!

Whatever's used most = most attacked. Windows & Android (a Linux) shows us this much.

Re:Make all school districts use Windows!

I would argue that if the users were administering their own systems than your number of *nix admins was equal to your number of *nix users.

Re:Make all school districts use Windows!

Are you retarded?
Did you expected any of them to install a pirated version of Windows? Really?

Re:Make all school districts use Windows!

[Bobfrankly1]

In my experience (mostly big IT companies), the number of windows admins required is nearly 4 times the number of unix admins required, for the same number of desktop machines.

I would submit that this also depends on the level of tasks required of the windows admins, and the level of capability of the windows admins as well. Unix admins, and for that matter Windows admins with *nix experience seem to be much better at automating mundane and redundant tasks then the average windows admin, which (from what I've observed) seems to be a large consumer of windows admin's time.

Re:Make all school districts use Windows!

[Bobfrankly1]

Did they ask the kids to help them sort it out?

I know times have changed since I was a nipper, but at my school, there were probably 3 of the kids + 0 staff who knew the BBC + echonet system really well. I seem to remember one kid hacking it to within an inch of it's life then writing a report on "security" so he didn't get expelled for it. Anyway... my point is, the kids may know how to fix this better than these drongo staff members they hired (heck, the kids may have done it in the first place, so they'd presumably know how to fix it).

Those were a unique time. Computers were becoming widely available and they booted to a command line. Just getting around required some basic level of understanding that could naturally progress one towards becoming tech-savvy. For quite awhile now, kids don't delve nearly as deep into computers. They delve into the gui based software or games, but they barely scratch the surface on things. Opening up a command line is often viewed now as voodoo, written in an arcane language. Even some of the younger techs that work the front lines for a help desk barely comprehend a command line.

Yes, I understand that I'm going on about the command line, but it's been a pretty useful point of reference for judging someone's capability for understanding or finding out about resolving a decent variety of issues, when measured along with other metrics.

Re:Make all school districts use Windows!

[fatphil]

Very much agreed. And also on what the people with the different machines are doing. I think the average Excel/Powerpoint/Word/Outlook user (accounts, marketting, secretarial) are more likely to get into and less likely to be able to solve the problems themselves in the MS world, than the (wannabe) rocket-scientist developers on the unix workstations and networks who see a problem as a challenge, and even if they can't fix it will diagnose it with enough precision that an admin can just fix with a [tap][tap][tap].

mac's[sic]

if you're going to be sic all over someone else's mistakes you'd best read, re-read, and re-read again your own posting. There is no aposorophe involved in pluralising a word.

Re:mac's[sic]

[floofyscorp]

Ohh, the irony.

Re:mac's[sic]

[hawkinspeter]

I don't even know what an 'aposorophe' is.

Re:mac's[sic]

[MightyYar]

Its prefectly crolument.

Re:mac's[sic]

[Muad'Dave]

The GP needs to embiggen their vocabulary.

Sick

[devnullkac]

You can't just put "[sic]" next to any random string of characters and expect the reader to understand. What the hell is "whiel boosting creativity" supposed to mean, anyway? Maybe I'm slow this morning, but it took me 5 minutes to see the "while". Brackets can help readers stay engaged [and] informed [while] improving understanding, but this time they failed us.

Re:Sick

[Kenosti]

http://en.wikipedia.org/wiki/Sic

Re:Sick

[jimshatt]

You're right, but then the joke about education gets lost.

Re:Sick

[jones_supa]

I must add that "sic" should actually be put inside parentheses instead of square brackets.

Re:Sick

[MightyYar]

At least in the US, the convention is to use square brackets.

Re:Sick

You honestly don't know what 'sic' means? Holy crap.

The real problem

[bensw]

Among other things, TFA implies that this is because they were using 'PCs instead of Macs' [sic].

While it's true that OSX has way less malware than Windows, the main cause of malware infections is the users who click anything that's offered to them without thinking.
You can hide behind less popular operating systems, but the sad truth is that the average computer user simply can't handle the freedom of being able to do whatever they want, without messing things up.

So the solution is better tech education or--the cheaper way--locking things down. Both MS and Apple are doing it in their mobile OSs and they're starting to implement this in their desktop OSs as well.

Of course, the IT could also have locked Windows down with Group Policy and SRP, so that it would be pretty much impossible to install anything (unless reinstalling the OS).
Instead, they relied on some crappy antivirus (Sophos) and I wouldn't be surprised if the users were given admin rights as well.

I'm not a Microsoft fan at all (and they might have played dirty to get the school to use Windows), but the real story here is IT staff incompetence and the poor education of the average computer user.

Re:The real problem

[Lumpy]

"but the sad truth is that the average computer user simply can't handle the freedom of being able to do whatever they want, without messing things up."

The Sad truth is people actually believe you need to allow a user to anything they want. You dont. It's school property, you restrict your users to only what they need the devices for, anything else is simply incompetence.

Re:The real problem

[MeNeXT]

"but the sad truth is that the average computer user simply can't handle the freedom of being able to do whatever they want, without messing things up."

The Sad truth is people actually believe you need to allow a user to anything they want. You dont. It's school property, you restrict your users to only what they need the devices for, anything else is simply incompetence.

The user needs to be sandboxed and he can do whatever he likes including install a virus without affecting the system. Sure he destroys his files if he is not careful but he does not destroy the system and he does not destroy the backups.

Limiting a computer in this situation would limit education. Users don't need to run any software above their privileges including IE and Office.

Re:The real problem

[hweimer]

While it's true that OSX has way less malware than Windows, the main cause of malware infections is the users who click anything that's offered to them without thinking.

No. Any system that can be botched more or less accidentally is a complete failure. While GNU/Linux and to a lesser extent OS X are far from perfect, they make it considerably harder to run untrusted code, simply because this is an operation typically not needed during daily use.

Re:The real problem

[Seeteufel]

Don't blame them, blame the software.

Re:The real problem

While GNU/Linux and to a lesser extent OS X are far from perfect, they make it considerably harder to run untrusted code, simply because this is an operation typically not needed during daily use.

How, exactly?
The main difference is that for admin stuff by default Windows will pop up a UAC prompt, while Linux will pop up a password prompt.
I don't think that's that much better, especially since you need to enter the password about as often as you need to click on a UAC prompt.

But more importantly, malware doesn't even need root/admin access to do a lot of damage on Windows or Linux. It can easily run with limited rights and steal your passwords or mess up your files.

Re:The real problem

Even with Group Policy and non-admin accounts it is quite possible to get viruses on Win7. It might be less likely but it does happen.

Re:The real problem

[wvmarle]

Windows' mess of not keeping system files and user files strictly separate is partly to blame.

Even in Win7 you all the time get warnings like "this program wants to make changes to your hard disk, allow/deny?". All you have to do is click "allow" and the program runs. What it is changing, I don't know. It appears to give unfettered access to system files - which is totally unnecessary, unless you're running an installer.

While having access to user files only can still give very nasty results (deleting important stuff, for example), trojans have a much harder time to get to a higher level, and to hide themselves while running. Cleaning up is a lot easier, too.

Re:The real problem

[Muad'Dave]

How, exactly?
The main difference is that for admin stuff by default Windows will pop up a UAC prompt, while Linux will pop up a password prompt.
I don't think that's that much better, especially since you need to enter the password about as often as you need to click on a UAC prompt.

You seriously don't see a huge difference between a user being asked a yes/no question and having to come up with a password they've never been told? You're ok with a single click being the only rampart between your system files and the raging virus hordes? Wow.

Re:The real problem

[malignant_minded]

Locking down the computer is a definite no matter the OS. Also you should only see the AP and no one else on the network. For BYOD you should be using a level playing field anyway like Google Docs so everyone sees the same stuff rather than "I can't open this .pages file!" This also allows for easier sharing because everything is going out the gateway rather than around the LAN. Cloud usage in this case should remove the need for an AD and home shares.

Re:The real problem

If your account doesn't have admin privileges already that yes/no box will ask for a password.

Re:The real problem

You are right, there's a difference.

But we're talking about school computers here. There's no reason for school computers to be running Windows with admin accounts.
If you have a standard account, it's more or less the same as in Linux, you get a password prompt.

Re:The real problem

[FreelanceWizard]

You do know that non-admin users have to provide an admin login to elevate using UAC, right? And that proper Windows practice since Windows 2000 has been to run users as non-admins?

Re:The real problem

[Lumpy]

Limiting education is a good thing. Otherwise all students need to be issued handguns and chainsaws. Not doing so is limiting their education.

Re:The real problem

[benjymouse]

Windows' mess of not keeping system files and user files strictly separate is partly to blame.

Baloney. Windows keeps operating system files separate from installed application files and separate from user content files. Really.

Even in Win7 you all the time get warnings like "this program wants to make changes to your hard disk, allow/deny?"

No you don't. You get a prompt when a program wants to make changes to the system - not the hard disk. Where do you get your faulty information? Are you making it up? Windows is locked down so that regular users cannot make changes to the operating system or installed applications. Administrators can make changes to installed application files (directories below "program files"), but *no* user run as administrator by default even if they have administrator rights.

All users' tokens are stripped of administrator privileges at logon, even if they have been granted those privileges. Windows will hold on to the original (non-stripped) token. When an application tries to make changes to protected parts of the system, the OS will determine whether the users saved token has the needed privileges. If so, UAC will prompt the user for confirmation to temporarily elevate to the saved token. If the user does not have permissions, even in the non-stripped token, the user is prompted for an account + password.

All you have to do is click "allow" and the program runs.

You obviously run with an administrator account. Which is not best practice. If you were running with a non-admin account you would be prompted for an account and a password. The account would need to have the correct permissions.

What it is changing, I don't know.

Your only correct statement so far.

It appears to give unfettered access to system files - which is totally unnecessary, unless you're running an installer.

No it doesn't. On Windows (and unlike Unix/Linux) not even the administrator have permission to change system files. Administrators do not have permission to change system files - only the special account TrustedInstaller does. And TrustedInstaller cannot log in, not interactively and not from the network.

While having access to user files only can still give very nasty results (deleting important stuff, for example), trojans have a much harder time to get to a higher level, and to hide themselves while running. Cleaning up is a lot easier, too.

And if you stopped running with an administrator account you would have realized that under Windows a user can only change his/her own files. But leaving your ignorance aside, Windows has much better protection of the system, compared to Unix/Linux and OS X:

• Even administrators do not have permission to change OS files (system files). Only Trusted Installer have those permissions, and trusted installer can not log in. Only windows update and certain digitally signed installers (OS updates) are allowed to run as TrustedInstaller.
• You could try to use admin privileges to take ownership of system files and then grant yourself access. That's certainly possible if your admin account holds the "take ownership" privilege. But then Windows Resource Protection kicks in. Upon reboot (before loading the compromised file) it will determine that system files have been tampered with and will restore them from an encrypted cache.
• Kernel mode drivers must be digitally signed. A virus/trojan cannot inject itself into or piggyback on drivers. That would invalidate the signature and Windows will refuse to load the driver.
• Windows checksums important internal tables. Even if virus/trojan should succeed in gaining kernel space access, attempts to modify tables will be discovered and the system will protect itself by restarting.
• Secure Boot ensures that a system will only start

Re:The real problem

[internerdj]

It needs new policies to protect the "school property." I'm the year of the class of Columbine. Everybody freaked out. The local districts couldn't afford to buy metal detectors, so someone had the bright idea that they should be able to see into student's backpacks. Clear vinyl or mesh backpacks for everyone. That policy lasted until they had to replace all the rain damaged textbooks from everyone using mesh. If laptops are the new textbooks, then there will be some learning experiences in making sure they are properly protected from damage.

Re:The real problem

I agree with the Article. This would not have happened if they bought Mac or ran Linux. Viruses only effect a users account on Mac and Linux thus the damage is easily contained and properly backed up files restored. Is it possible that a virus could effect a whole school full of Mac books, yes? Is it likely? Hardly. Also you don't have to lock a program down hard like you do with windows. You can give the user more friend without sacrificing quality.

In the end the school board is going to be paying more for those cheap windows laptops than they would have for a Mac books. No matter how much a sweet deal their neighbors from Redmond gave them.

Re:The real problem

A tool needs to be calibrated ootb
a toy would just beep and light up

really not in the same leahue even if you try to drown any interesting conversation with vulgar banalities like "my toy works gud waarrrglarb"

Re:The real problem

[Muad'Dave]

...proper Windows practice... There's the problem - how many people properly administer Windows machines?

Re:The real problem

[wvmarle]

My information: from using a netbook with a stock Win7 Starter installation (installed by the shop). Never asked me for setting up a user account; never asked me for a password.

And yes, I'm pretty ignorant on Windows. I'm a plain user. I got the system, I use it, that's it. If I'm running as "administrator" by default, that's Windows fault to allow that to begin with and not asking me to set up a user. It's my experience as a user - who hasn't used Windows in a really really long time.

I have installed drivers on the system (for my printer and "USB mass storage" drivers for my phone), without the need for a password, just clicking "allow" when the prompt came. Oh sorry, not even that, it was just done by the system for the USB drivers, I plugged it in and it started to do stuff. I wouldn't know whether they are "kernel mode" drivers or otherwise, nor would I truly care - it just has to work.

Re:The real problem

[drkstr1]

This is an informative overview of the windows security model. To bad I blew my mod points for this thread earlier on, with a worthless comment.

Re:The real problem

I agree with the Article. This would not have happened if they bought Mac or ran Linux. Viruses only effect a users account on Mac and Linux thus the damage is easily contained and properly backed up files restored.

It's exactly the same with properly configured Windows systems, which would most likely not get infected either.
The only reason you don't have to worry so much with Mac or Linux is because malware makers don't care enough about those. For now, at least.

Re:The real problem

While GNU/Linux and to a lesser extent OS X are far from perfect, they make it considerably harder to run untrusted code, simply because this is an operation typically not needed during daily use.

I would tell you that you are wrong... but this is obviously an opinion based on no factual evidence whatsoever, so I won't bother.

Re:The real problem

Windows' mess of not keeping system files and user files strictly separate is partly to blame.

Except that for the most part, they do keep them separate. This is why you can't even save to c:\ anymore without using administrator rights. It seems to me that your problem isn't windows, its your shitty administrative practices.

Re:The real problem

[benjymouse]

My information: from using a netbook with a stock Win7 Starter installation (installed by the shop). Never asked me for setting up a user account; never asked me for a password.

Windows Starter assumes - in line with other OSes like Ubuntu or OS X - that the first user is also the administrator. You can easily set up more users - and they will default to be regular users. But even if you never create another account, you do not run as administrator by default. The UAC prompt is the way you are asked whether you are ok with your administrative privileges being invoked for the action you are trying to perform. MS reasoned that requiring you to enter your password once again would offer little extra protection: If you have decided to go ahead and ignore the screen dimming down and a warning prompt you would probably also just type in the password as well.

Never asked me for setting up a user account

And you never looked for it.

never asked me for a password.

It asks for your password each time you log on. A password is used to prove identity. You prove your identity when you log on.

And yes, I'm pretty ignorant on Windows. I'm a plain user. I got the system, I use it, that's it.

You forget about the part where you use it to post about "the real problem" on slashdot where you claim Windows mix users and system files. As if you know what the real problem is.

If I'm running as "administrator" by default, that's Windows fault to allow that to begin with and not asking me to set up a user.

But you are not running as administrator by default. Your account has the permissions to act as an administrator (as the owner of the device), but by default you are running as a non-admin user (admin privileges stripped away at logon). Would you rather that the shop retained the administrative rights and only set you up with regular users privileges?

It's my experience as a user - who hasn't used Windows in a really really long time.

I have installed drivers on the system (for my printer and "USB mass storage" drivers for my phone), without the need for a password, just clicking "allow" when the prompt came.

Yes, the system does not allow new drivers to be installed without an administrators permission. That's the prompt. Do you sincerely believe it would be more secure if you were required to enter your password once again? Didn't you decide that it was ok to install the drivers? Wouldn't you have entered the password? If you believe it should prompt for your password then by all means go ahead and crank UAC up to maximum security. Then it will ask for password. Whether a password prompt would stop stupid users from hurting themselves is a matter of debate. Personally I don't believe it will stop users who just want to install a new pr0n codec. The major barrier is that the system *does not* allow silent installs. It *will* prompt you.

Oh sorry, not even that, it was just done by the system for the USB drivers, I plugged it in and it started to do stuff. I wouldn't know whether they are "kernel mode" drivers or otherwise, nor would I truly care - it just has to work.

Yes, if the drivers are bundled with the OS or available on WindowsUpdate it will just install them, as they have been vetted and are known not to be malicious. But again, if you want to be prompted just crank up the security. For the majority of users (especially the ignorant ones) the defaults just work. Like it did for you.

Re:The real problem

"All you have to do is click "allow" and the program runs."

That is because you are running as an administrator. I'm a Windows Server Admin, and even I don't do that. So when I get a UAC prompt, I have to provide admin account credentials (username/password) to continue, not just click "allow".

On my kids' home computers, I have to enter my credentials so they can't install things without my knowledge.

Re:The real problem

[inglorion_on_the_net]

So the solution is better tech education or--the cheaper way--locking things down. Both MS and Apple are doing it in their mobile OSs and they're starting to implement this in their desktop OSs as well.

Also, Chrome OS. I'm getting a Chromebook for this reason. I'm perfectly capable of keeping a system humming (I've been using and adminning GNU/Linux systems since 1997 or so), but I just can't be bothered if I don't have to. Chrome OS comes with a web browser and an SSH client. That's really all I need on my laptop. They're updated automatically. I trust Google to not muck that up.

To top it off, Chromebooks are cheap. I paid about $400 for mine, but you can buy one for $199 retail. If you buy bulk, I'm sure you can get a better price, better features, or both.

I can understand why the school district didn't go with Chromebooks at the time (they probably weren't out yet, and even if they had been, would have been unproven technology), but they seem an option worth evaluating now.

Re:The real problem

So the solution is better tech education or--the cheaper way--locking things down

Oh yes take a bunch of kids who are learning and employ the principle of least innovation oops I mean privilege.

Guess what. Kids are SUPPOSE to make mistakes and learn from them. That's not going to be without cost. Deal with it.

And stop locking down every bleeding thing in the name of security! They're not going to learn anything if you restrict them to a word processor, and a crummy school sanctioned site.

The problem was

They probably shipped them with the free carpware virus checker and some kid told his friends how to turn it off, in order to load the game crack for some game that had a virus on board.
It's not the platform at fault, but the schools poor project management and lack of computing skills employed.
I've seen this sort of thing many times.

Re:The problem was

[MadKeithV]

They probably shipped them with the free carpware virus checker.

Carpware? Sounds fishy.

Need to teach the kids proper browsing habits

[Nyder]

Viruses are easy to take out of the system, but that doesn't stop the same behavior that puts the virus there in the first place.

Example: A friend of mine I end up fixing his laptop for viruses usually gets them because his kids are looking for TV shows and gets sent to sites that want them to download something. Boom, infected. Looking for a youtube/Disney/Hulu video downloading, boom! Infected.

I don't care too much because I get paid. And getting rid of the viruses/whatever is as easy as taking the harddrive out of the computer and hooking it to an already running computer (via usb-ide/sata adaptor), and run a few programs. Takes a few hours, or more depending on the size of the harddrive and how much space is taken up. But very, very easy to fix.

Re:Need to teach the kids proper browsing habits

Viruses are easy to take out of the system,

Um... you'll never know if you get them all. All your suppositions that you are "clean" are based on software you didn't write and likely don't have access to the source. And you know what's even easier? Abandoning the broken platform for one that isn't susceptable, such as Linux or OS X. Who gives a shit if it's "easy," when over the life of that machine you'll spend exponentially more proc cycles and hd spins fucking with a broken system?

I don't care too much because I get paid. And getting rid of the viruses/whatever is as easy as taking the harddrive out of the computer and hooking it to an already running computer (via usb-ide/sata adaptor), and run a few programs. Takes a few hours, or more depending on the size of the harddrive and how much space is taken up. But very, very easy to fix.

You are an arrogant fool and your employers are too for allowing you to continue being employed. Why tear apart the hardware like that? Ever heard of a live cd? I think you better rethink your expertise, because IMO, it's garbage. I wouldn't let you anywhere near my hardware.

Re:Need to teach the kids proper browsing habits

[krenaud]

I have given my kids restricted user accounts on their Windows computers and so far they haven't managed to infect the computers. Setting up a Windows machine with restricted accounts, Foxit reader as PDF reader, Chrome as web browser and flash block plugin installed has done the trick for me so far. For the same price as a Mac I get a PC + iPad + spare change.

Re:Need to teach the kids proper browsing habits

[Inda]

And mine have full blown admin rights for their own PCs. How else are they going to learn about all the nasties on the internet? Better they make the fuck-ups today, when their machines aren't doing anything important, then when they turn into adults with credit cards, bank accounts and other meaningful online accounts.

Re:Need to teach the kids proper browsing habits

[The+MAZZTer]

Chrome has its own built-in PDF reader which works fine for 99% of cases, no need for Foxit. Chrome even has a "Save to PDF" virtual printer so you don't even need Foxit for that.

Re:Need to teach the kids proper browsing habits

Lots of legit websites get silently compromised.

Re:Need to teach the kids proper browsing habits

[krenaud]

Even when the kids are ready to handle installing apps for themselves they will still run as non-admin users, just like I do myself. They will receive the admin password for when they need to perform admin tasks.

Linux

Why didn't they just use one of those education oriented Linux distro instead of windows? Not like they will need specific windows applications to do homeworks or classwork.

It's not my fault!

[qazsedcft]

The virus ate my homework!

Re:It's not my fault!

the virus "is" my homework

How about they....

[Lumpy]

Hire COMPETENT IT staff to begin with? Honestly, what kind of amateur hour school is this? having to hire temp IT staff to deal with it, really? how about actually staffing your departments properly and with competent staff?

Re:How about they....

Competent staff AND remove those who aren't letting those staff do a proper job.

You can be dictating to the IT department that students have to be able to do X when X means eliminating the defenses. At the same time the defense mechanisms shouldn't need to block users from writing code or leaning about the software they use. It's called GNU/Linux. It's called learning. Unfortunately that isn't what education is. At least not in the United States. Education is more like babysitting and shoving propaganda down kids throats.. “Drugs are bad! Sex is bad! We live in a free society” but of course reality is completely different. Kids are locked in prisons all day without any freedoms or rights and made to participate in totally unnecessary activities such as gym/exercise/art/music/computers/and other classes that are non-essential. I'm not proposing the elimination of programs that promote the arts/music/computers/exercise although setting up the school day for non-learning and/or non-critical life activities and then requiring every student to participate in them is wrong.

Re:How about they....

[fuzzyfuzzyfungus]

What I find curious about a need for temp IT staff is this:

If you are doing a deployment of that size(unless the district is a 1 room schoolhouse or something, "grades 6-12, all students" is a fair number of laptops), you will need some sort of system imaging setup, to plunk your OS and applications on new machines/machines that lost an HDD, you will need a decent number of lowish-skilled screwdriver labor to keep up with all the physical damage and parts replacements, and you will likely need some basic network infrastructure so that OS updates get delivered and user documents aren't languishing on fragile laptop hard drives without some sort of backup to the fileserver.

Now, if you have all that stuff, and you run into a virus that whatever AV software you were running couldn't handle, what's the problem? Break the laptops down into logical groups(by grade, by homeroom, whatever) draft all your hardware fix-it guys, and re-image one group at a time. Annoying? Yes. Catastrophic? Not really.

Re:How about they....

[bn-7bc]

Good point, why does the students have admin rights on school issued laptops (they should not need it any-more unless the run an outdated windows version, correct?)

Re:How about they....

[Viol8]

"Drugs are bad!"

Depends which drugs. Cannabis? Not so bad. Crack cocaine or meth? Hell yes!

"Kids are locked in prisons all day without any freedoms or rights"

Oh get over yourself. Kids are made to go to school because if left to their own devices 90% of them would learn NOTHING. And kids DON'T have the same rights as adults so stop sulking about it just because you probably didn't like school much.

"totally unnecessary activities such as gym/exercise/art/music/computers/and other classes that are non-essential."

Yeah , I mean who wants a country full of fat bastards with heart disease to get fit. I'm mean thats just cruel isn't it? As for other stuff, peh! Learning, who needs it eh when you can be a troll on slashdot all your life instead?

"setting up the school day for non-learning and/or non-critical life activities and then requiring every student to participate in them is wrong."

No, it isn't. But perhaps when you become an adult you'll realise why.

Re:How about they....

[L4t3r4lu5]

Hi, school IT tech here. I'm all for a pay rise! How about we raise your taxes so I can get one? Don't like that idea, right? Maybe take some money out of health care? Sanitation? Policing?

Yeah... I didn't think so. After four years, I make around 60% of what I would in the private sector starting wage for the same job. Guess what, though! Jobs are scarce, so I can't afford to be picky. Yes, I'm good at what I do (and I've done great things for this school), but by no means is the public sector all green fields and pork barrel funding. We're more cash-strapped than you can imagine (I'm having to buy cheaper asset labels, for pity's sake).

Re:How about they....

[Lumpy]

Problem is most manufacturers are idiots and change models every 15 days. a stock image you make today will not work on the next batch of laptops you get.

Second School administrators are idiots. they dont buy Business class, they buy as cheap as possible and as random as possible. So yu get craptastic Compaq laptops bought 5 at a time over the summer. now you have 30 different models and revisions. No chance in hell to make a standard image. You have to make a OEM disk that will re install everything clean using scripting, something that is WAY outside the capabilities of a typical IT staff member.

As long as they had a decent server setup for roaming profiles and everything was configured right so that files went to and were backed up to the server whenever the machines were on the network.. Take laptop, insert reinstall disk press go. then simply log in as that user and wait while everything migrates back to the laptop.

I'm betting they had none of this in place and every machine was running how it was when the box was opened from the store.

Re:How about they....

[Lumpy]

There is a lot of money for you. Lower pay for administration. your principal does not need to make 6 figures. Oh and the Coach does not need to make high 5 figures. (Typically PE teachers make more than the Science teachers)

Re:How about they....

You have to make a OEM disk that will re install everything clean using scripting, something that is WAY outside the capabilities of a typical IT staff member.

But all the school district IT staff have MCSE certificates in their HR files.

Re:How about they....

Actually no. My son is in 8th grade in this district; they run Windows 7 Enterprise on Dell Latitude netbooks. They're very locked down and all running the same image. They did, in fact, re-image them in the end too.

Re:How about they....

[L4t3r4lu5]

There is a lot of money for you. Lower pay for administration. your principal does not need to make 6 figures. Oh and the Coach does not need to make high 5 figures. (Typically PE teachers make more than the Science teachers)

Call up a CxO in your company and tell him you can hire another three techs if he'd just lose an order of magnitude of his paycheque. Let me know how that goes.

Have you been drinking?

Re:How about they....

[antdude]

Where do they get the money for those competent people? :P

Re:How about they....

[avandesande]

I think an administration free laptop like a Chromebook would be best.

Re:How about they....

[statusbar]

But ... But... the companies said that this was a "Trusted Computing" system!!! So all they needed was trust!

Re:How about they....

[urbanriot]

Thank you. The first words that rang through my mind were 'incompetency' in terms of either a) having incompetent internal IT staff or b) having internal incompetent management that did not hire external staff to create a properly configured network. It sounds like someone in charge is trying to offload their responsibility to a 'PC vs. Mac' argument when it's really a bad management issue.

Re:How about they....

Oh get over yourself. Kids are made to go to school because if left to their own devices 90% of them would learn NOTHING.

[citation needed] I've talked with a group of unschooling families, and their kids seemed to be really fucking bright compared to most kids I run into. The difference seems to be that they learn stuff they need as they need it, instead of having various things they don't need crammed into them, only to be forgotten in a couple of years because they never use it. They also appear to enjoy learning, and learn quickly. Granted, it was a small sample size, but if you're going to make up numbers, I can throw nearly anecdotal evidence around.

Re:How about they....

[PowerBook2k]

Anybody who's in private sector IT who thinks public school district IT is an endless field of dollar bills needs to come and work it for a month or two.

We're non-union, so the administration likes to treat us differently for raises each year- one year we're considered with this union group that gets screwed, next year we're considered like administrators so we get screwed, and so on.

We've had a number of people in important jobs leave for greener pastures recently (email guy/programmer, DBA, jr. server admin) who we haven't replaced. We look better on budget but it also looks easier to outsource us.

Re:How about they....

[Viol8]

Go to any large council estate (or housing project in the US) and you'll see plenty of unschooled kids who learn nothing because no one makes them go to school and so they know nothing and end up on societies scrapheap because they're unemployable.

And the sort of "unschooled" kids you're talking about are usually bright middle class kids who's parents actually home school them but don't call it that.

Re:How about they....

Go to any large council estate or housing project, and you'll see plenty of public schooled kids who've also learned nothing and are unemployable. When you don't have any hope, why bother to learn? As the saying goes, you can lead a horse to water, but you can't make him drink.

Re:How about they....

Not so Lumpy, on most counts. They have bought in bulk over the years, not 5 at a time. They may have 30 models by now, but with 20,000 or so computers in place, you're bound to have variety.
They do have a decent server setup.
Every machine is configured to district standards. None are placed just out of the box.
They neglected in keeping their Sophos Antivirus up to date. They did not develop an intelligent plan of attack once the virus struck.

Re:How about they....

Lake Washington School District has the benefit of several local large technology levees which are used for equipment, software, staff, and training.
Your cash-strapped issues do not apply here.

Re:How about they....

That's about what they did, fff. Problem was, that as they fixed one school (by fixing the 10% that were infected), then moved to the next, the virus would pop up back at the last school. It's not that their AV software couldn't handle it, it's that they weren't monitoring their AV software to make sure it was active and up-to-date on all of their equipment. Once again, an ounce of prevention is worth a pound of cure. While they were at that school touching the infected machines, they should have had a list from their AV server telling them which machines weren't updating their AV correctly and gone and fixed them, too.
It's been a long time since anyone has had to deal with a major AV outbreak, lessons learned have become lessons forgotten.

Re:How about they....

I wonder if the school district misses Dr. Chip Kimball now. Before he was the district superintendent, he was the director of technology. A quirky dude but he had high standards and pushed the district to higher standards, too. I bet he had operation guidelines developed to address this very situation, and they're sitting on a shelf, no one knows what is in them.

Linux

They could have also chosen Linux laptops and hired 1 person to support the users and teach them about backups.

That would have be cheaper and if the new hire add some skills he could even taught programming using Python or PHP straight on the laptops.

Oh wait, that would actually worked on the direction of the students instead of the system...

People psyhology...

[Pecisk]

...is not leaded by logic, but by "evil you know" decision chain. Therefore no matter how many homeworks Windows will eat, it will stay.

just issue them condoms

Its the best way to contain a virus.. They are going to do it anyway.

Why is ANY school district still using Win/Mac?

[pkbarbiedoll]

This could and should have been prevented by installing Linux - which is free - on all student and faculty/staff computers. With education costs soaring, going with the name brand (which is also less secure) is no longer an excuse.

Re:Why is ANY school district still using Win/Mac?

This could and should have been prevented by installing Linux - which is free - on all student and faculty/staff computers. With education costs soaring, going with the name brand (which is also less secure) is no longer an excuse.

Both Apple and Microsoft should not charge a damn dime for software used for education. Zero. Zilch. Nothing. Not even on the principals computer. One of these days they'll realize this.

You forgot to mention the main downside with running Linux in education. It does nothing to prepare them for the corporate world, where standardized packages (MS Office) and Windows OS still remain dominant. Learning the tools is part of this learning curve as well. Your "less secure" argument is questionable, as many OSes can be properly secured with competent IT staff (which was clearly the shortfall here).

Re:Why is ANY school district still using Win/Mac?

[wvmarle]

There used to be this expression "no-one ever got fired for buying IBM". Buy IBM, and you're safe; if it still breaks you can always say "well I went with what everybody does, what is generally considered a good choice, so I did the best I could". By buying some no-name brand, or brandless hardware, you don't have this excuse. Then it's instantly your responsibility.

Same for Microsoft vs Linux. Linux is "that hacker platform" while Windows is "what all businesses use". It's the safe choice - from a job security pov. We know Linux is statistically more stable and secure than Windows, but if it goes wrong, it's the fault of the guy going for the alternative, off the beaten track, and insisting of going against what the rest of the world does.

Or for the obligatory car analogy: Linux is the self-driving car that reacts faster, is more alert, won't speed, stops for red lights, and has a perfect accident record, while Windows is the human driven car. When one of the human drivers has yet another accident, that's too bad, humans aren't perfect. When the self-driving car has an accident, that's a disaster, totally unacceptable and why isn't there a human at the wheel paying attention to correct those mistakes.

Re:Why is ANY school district still using Win/Mac?

[semi-extrinsic]

I'm sorry, but if you can't make the transition from LibreOffice to MS Office fairly easily, you won't be very productive in the "corporate world" anyway. I mean, most people coming straight from college have likely never used Pivot tables or VB macros or whatever advanced Excel features the corporation is using, so you'll be training them anyway. Then again, I'm amazed at how many corporations employ people to do work that a shell script could (and should) be doing instead.

Re:Why is ANY school district still using Win/Mac?

[oGMo]

Linux is "that hacker platform" while Windows is "what all businesses use".

Uh, sure. In 1993. It's 2012 .. a vast number of businesses use Linux. It put the commercial Unixes out of business. Entire cities use Linux, even on the desktop. We have highly successful distros like Ubuntu that do nothing but pander to the non-hacker.

The only safety involved is "this here is Microsoft country, and the Microsofties on the board want Microsoft. MICROSOFT!" If you're getting generous donations, you don't want to piss off your corporate overlords.

bios malware?

[reiisi]

I take it you don't believe in the existence of malware that can over-write the BIOS?

Growth In College Tuition Vs. Growth In Earnings

Graph
http://static1.businessinsider.com/image/50b62f7769bedd754700000a-522-476/student-tuition-earnings.jpg

Full article
http://www.businessinsider.com/growth-in-college-tuition-vs-growth-in-earnings-for-college-graduates-2012-11

That's because of people like you

because 10 years ago, you were saying "Linux has been around for a sufficiently long time and it still hasn't happened".

PS It has happened.

Just not where you live.

Switch OSes, that's the ticket!

[vistapwns]

Just like that time I caught a cold from being around people, then I moved to Antarctica and stopped being around people. No more colds! Hah!

Competency begins at the top

I ran for school board in my district (Georgia - frightful place educationally) so my takeaway from this was "Yeah. Didn't expect anything better once I saw the typos in the banner on their brag page.".
My kid brought home the school printed report card page. In big, bold print at the top was "Reprot Card". I seriously don't expect a large organization who cares so little about their professional appearance as to not proofread their public presentation material to make any wise choices about the really complicated stuff like technology.

No. Need to teach admins proper admining habits.

[PlusFiveTroll]

From reading a quick description on how the virus works... This school seems to have no fucking clue what AD/GPO/LUA means. It sounds like the notebooks can either copy files to each other over the network or students can copy .exe's to the network servers. Fail 1. It also sounds like the students are running without least user authorization, aka, they can get admin access to their computers easy, or they already have it. Fail 2, maybe. It could have been a teacher who got it and was allowed to write stuff to places that was dangerous and because of poor AD layout allowed it to get everywhere. Fail 2 again, maybe. Of course maybe the teachers or students didn't start spreading it and some dipshit admin got it in the first place and managed to get it in a directory that the GPO launches a startup script. Major Fail 2 if this happened. Other then the last one, I still don't understand how it would have launched and ran unless the students could run as admin, this virus needs to write to the Windows directory. Honestly there are so many more possible fails here, I'll give up even trying to list them.

The district has 25,000 computers, if even 10% of them is infected with this, it's not very easy to fix just due to the size of the job. At worst taking 25,000 hard drives out of laptops is an insane job. Better to have a linux or maybe a PE cd of some sort that boots and auto tackles the infection. Or, really, backup all the kids non-exe files and nuke from orbit with a fresh install image.

Non-story: 90% still up and running

[concealment]

“As far as learning time, we aren’t losing any,” Reith said. “We still have about 90 percent of our equipment up and running. Teachers are being flexible with what tools they use and how they approach a particular lesson.”

Translating from media hype: someone did something foolish on a computer, then got a new virus which spread quickly, but it hasn't been the end of the world. In fact, it seems contained. Weird how it's the worst possible virus. Funny how this just happened to happen at this school right in the shadow of Redmond. I'd look at dissatisfied employees.

Define the bits making it suck.

Or is this merely your method of saying nothing whilst appearing wise?

So they'll be using Win8 in 2017-2020?

Or is it going to be as useless to them as you paint Linux as in training them for vocational computer use?

PS when did schools become apprenticeship courses for businesses so they can skip training staff?

Fanboys everywhere!

Love the idiots who say "mac" was available. Yeah, dummy, they get viruses too. Same with the umbuntu offshoots.
                You start with the laws. "Viruses" are a proof of concept. And be able to charge the offender, the spreader/creator/propogator of bad code. Programers, know this concept. Bad code, gigo, etc. bad code, like bad science, should go to "jail". You should be able to determine with a degree of certainity who started a "rogue/bad"program. You should be able to charge the "releaser/injector" of the program for the monitary damages incurred by their code intrusion, Just the way the italian courts have done with their bad science case this year.

Speaking of educational failures...

PCs over Mac's

Speaking of educational failures, WHO THE FUCK PLURALIZES WORDS WITH A GODDAMN APOSTROPHE?

Seriously - if you're going to deliberately highlight syntax fuckups in the district's materials it *might* be helpful to proofread the submission carefully...

No, they are to close to Redmond

[SmallFurryCreature]

I heard that if you buy a Mac, Ballmer comes to your house and dances the Developer dance in your garden. If you install linux, he dances naked.

Please think of your neighbors, install Windows.

On a more serious note, this was a MS project, MS is not going to install linux... well except for when they need a reliable stable server platform to host a project.

Re:No, they are to close to Redmond

If your neighbors didn't have Windows, they wouldn't care if Balmer was naked in your garden.

Unless they went outside, but what computer user wants to go outside? ;-)

Re:No, they are to close to Redmond

Why would I install Windows? That'll just mean I can see naked Balmer dancing, while I'd have been blissfully ignorant if that section of wall were still opaque.

Here's what I think happened

[Pollux]

Before we blame the IT staff, let me give this some perspective. (I have nine years experience as a teacher & tech director in a public K-12 US school.)

First, I'm reasonably confident in saying that, if proper Group Policy was implemented and user restrictions put in place, this never would have happened. Second, this is a HUGE school district with over 50 schools. They can certainly afford a public liaison (who was speaking on behalf of the district in the local broadcast), and I'm sure they have a large IT staff...I'm guessing in the neighborhood of 20-30 employees. Though public school districts would pay less than Microsoft right next door, given the sheer numbers there must be at least a few people on that staff that know how to accomplish this and as well of its value in preventing this sort of mess from happening.

With that in mind, here's what I've concluded: There is likely someone with leadership authority who told IT staff to let students manage their own laptops and have admin privileges. Given the size of the district, the directive either came from the district technology committee, or directly from the superintendent, school board, or both. All it would take is a number of parents to ignorantly complain to a "friend on the board" that "Johnny's laptop is broken - he can't install the programs he needs to do his homework" for the school board to direct the superintendent to "fix the issue." Likely this was a top-down order; I simply cannot imagine a tech staff that large to be that incompetent on their own.

What bothers me about this is how they're going about trying to fix the problem. If I had a worst-case mass-deployment of a virus at my school, I would just recall all the equipment, reimage everything, and redeploy a week later. I would issue a directive to all the staff that the equipment is down for one week to be cleaned, and make due without it. It's either one week of downtime or months of unreliability. If teachers would know that they have the option of either the problem being fixed in a week or the problem being "managed" over months, they would all take the week's downtime in a heartbeat.

One other question I have for those here: have you ever encountered a Windows virus that, as they claim, just "spreads on the network" without user initiation of the virus by clicking on an executable, script, or loading an infected webpage? I think the much more likely scenario is that this virus is being spread through usb flash disks, but I'm not sure whether that explanation was too technical for staff to understand.

Re:Here's what I think happened

[L4t3r4lu5]

There is likely someone with leadership authority who told IT staff to let students manage their own laptops and have admin privileges. Given the size of the district, the directive either came from the district technology committee, or directly from the superintendent, school board, or both.

I would, and have in the past, told them no. Nobody else is technically competent enough to decide what is in the best interest of the school with regards to networking infrastructure and services, and to fail in that regard is how situations like this occur. Yes, they get on their high horse and blatantly CC everyone in the food chain higher than you, but ultimately it comes down to whether you're prepared to protect the school from poorly informed decisions made by technically incompetent people. If they want a problem solved, they need to come to me with the problem. and not a half-baked hack suggested by a geeky teenage nephew over the weekend.

Re:Here's what I think happened

(Posting AC since I'm moderating)

Indeed, IT either ignored the obvious risk, which would border on negligence, or they were browbeaten into keeping it simple and trust the students.

A practical problem with GPOs is that most applications aren't policy friendly, and sometimes are outright bad citizens. In the past decade, many vertical desktop applications have been trying to move to the web, and have pretty much stopped improving their desktop products (just fix them up enough to run on the latest version of Windows). The result is that many desktop SW is still at the level of quality of Windows 95 and many ignore GPOs and don't even provide an MSI or a way to do a centralized deployment. Even if the underlying OS has improved, the apps haven't. GPO deployment can be a pain w/o investing heavily on centralized deployment tools, and imaging doesn't age well (ie, you have to plan on reimaging every couple years, and using images only postpone the problem, since you still have to patch w/o a central way to manage it).

Viruses like Sasser (to mention a "recent" big one) can spread to other unpatched computers w/o user interaction after the initial infection. On a campus network, reinfection between cleaning and patching would be common: you need to get them off the network to do it, and physically touch every single computer (and that is assuming that the vulnerability is patched and reinfection can be prevented w/o taking all computers in the same network segment offline at the same time).

Reimaging might be an issue if the students were encouraged to store their documents locally.

Re:Here's what I think happened

[drb_chimaera]

The Blaster worm back in 2003 - it used a vulnerability in the RPC system to spread. Caused absolute chaos within the University I worked in back then.

Re:Here's what I think happened

First, I'm reasonably confident in saying that, if proper Group Policy was implemented and user restrictions put in place, this never would have happened.

Bingo. Everyone is sitting here ripping on the operating system, yet it is very obvious that the administrators are the ones to blame. I haven't even read the article but I would be willing to bet each one of these students had local admin rights.

One other question I have for those here: have you ever encountered a Windows virus that, as they claim, just "spreads on the network" without user initiation of the virus by clicking on an executable, script, or loading an infected webpage? I think the much more likely scenario is that this virus is being spread through usb flash disks, but I'm not sure whether that explanation was too technical for staff to understand.

I have seen it happen on some small office networks, typically set up as workgroups, with no security restrictions in place.

Re:Here's what I think happened

[Bobfrankly1]

One other question I have for those here: have you ever encountered a Windows virus that, as they claim, just "spreads on the network" without user initiation of the virus by clicking on an executable, script, or loading an infected webpage? I think the much more likely scenario is that this virus is being spread through usb flash disks, but I'm not sure whether that explanation was too technical for staff to understand.

School IT guy here, yes, I've seen Downadup/Conficker spread through older neglected servers. Technically this is a worm, but I'm not overbearing on semantics like some. It appeared to gain entry to our network through a flash drive, as we did have strong proxy and filtering in place, but that only serves as a perimeter defense. Once inside our network, it spread among the older servers and started running brute force attacks against the active directory system, causing many accounts to lock out (which led to it's discovery). Ports were locked down to cut the worm's spread and communication, and cleanup was mostly complete within a week with a combination of scripting and manual cleanup on the more stubborn servers. Some WMI rebuilds were also needed on some machines, but even though it was decently wide spread, it wasn't that difficult to resolve. However, we had a competent staff, and thereafter we also had an A/V budget (imagine that!).

With that in mind, here's what I've concluded: There is likely someone with leadership authority who told IT staff to let students manage their own laptops and have admin privileges. Given the size of the district, the directive either came from the district technology committee, or directly from the superintendent, school board, or both. All it would take is a number of parents to ignorantly complain to a "friend on the board" that "Johnny's laptop is broken - he can't install the programs he needs to do his homework" for the school board to direct the superintendent to "fix the issue." Likely this was a top-down order; I simply cannot imagine a tech staff that large to be that incompetent on their own.

With what I've seen, I would concur. Some absolutely dangerous settings have been implemented solely due to political orders. This is not to be confused with political pressure, which may be able to be shifted or avoided, but an order given because of political pressure on a board or district administrator. You can try to reason, try to explain, present worst case scenarios, and make sure it's all documented, follow any CYA policy you can think of. Depending on the situation, you may even try to go over the head of the one giving the order. But in the end, if that's the order, you follow it or you endanger your job.

Re:Here's what I think happened

[Bobfrankly1]

I would, and have in the past, told them no.

Depending on the size of the district, the mood and power of the one giving the order, and the political capital behind that one, you might get your way, or you might be shown the door. From my observations within a K-12 school district, the worst security decisions are the ones forced on IT. You can say no to the kids, no to the parents, no to the staff, but saying no to the superintendent or the board is career suicide. You can have your say about why "x" is a bad decision, lay out a worst case scenario, and even better if it happens during a board meeting where the minutes are recorded. But if you're over-ridden, you do what you're paid to, or start looking for a new job.

Re:Here's what I think happened

Spot on, Pollux. The challenge is to see this course of action when the virus first hits and not be lazy as it gets cleaned up and seems to be under control.
If only 10% of your computers and servers are infected, it is difficult to justify shutting everything down for a week. The gift of hindsight makes it obvious, but you and I are armchair quarterbacks looking back and pontificating, "What shoulda been done was..."
They should have also been monitoring and maintaining their antivirus software. Then there would have been no need to develop and implement a containment plan.

So you've changed your complaint now?

I thought Linux was shitting itself on boot. Apparently you've dropped that (and you saying that indicates that either you know you're completely talking out of your arse or you're lying about using windows, linux, solaris, etc).

Linux doesn't require trust of the person sitting at the keyboard.

Put a CD in and it will mount it on Linux.

Put a CD in and it will run autorun.exe on Windows.

The windows itself is untrustworthy because Microsoft assumes that everyone using their system is an imbecille.

You are indication that they are not *always* incorrect on that score.

Whatever's used most = most attacked

Android (yes, a Linux) shows us all that on smartphones.

* You Penguins really don't ever want to see "the year of Linux on the desktop", trust me, since what we're seeing on smartphones is only a "portent of things to come"!

(Well, that is IF Linux ever takes the most used/most marketshare on PC desktops, that is).

Linux isn't some "magical security panacea": It's hiding behind "security-by-obscurity" on the desktop.

What shows anyone this much? Well, again - See what happened on smartphones & ANDROID (linux)?

Linux also has about a 50/50 split with servers in the Fortune 100-500, & what's happening THERE, now that it's achieved a decent % of total use there?

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LI

Re:Whatever's used most = most attacked

Dude, it's not normal to write like that. You seem sexually frustrated. Look up some porn and jack off. You'll feel much better.

Re:Whatever's used most = most attacked

Writing verifiable truth's normal. Being an off-topic troll like you isn't.

Whatever's used most = most attacked

Android (yes, a Linux) shows us all that on smartphones.

* You Penguins really don't ever want to see "the year of Linux on the desktop", trust me, since what we're seeing on smartphones is only a "portent of things to come"!

(Well, that is IF Linux ever takes the most used/most marketshare on PC desktops, that is).

Linux isn't some "magical security panacea": It's hiding behind "security-by-obscurity" on the desktop.

What shows anyone this much? Well, again - See what happened on smartphones & ANDROID (linux)?

Linux also has about a 50/50 split with servers in the Fortune 100-500, & what's happening THERE, now that it's achieved a decent % of total use there?

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LI

obligatory XKCD

http://xkcd.com/327/

Of course this isn't entirely related unless you look at the principle of the matter. IT, where are your manners?

I guess that depends on what the definition of

[mark_reh]

"low cost". Maintaining a MS OS is only "low cost" if you have someone who will do it for free- i.e. you're the family geek, keeping the wife and kid's computers working so they can enjoy compatibility with systems at school and work.

I subscribe to the "conspiracy theory" of MS OSes. They are deliberately unreliable and insecure in order to keep an army of IT people employed fixing them. The army continues to support and specify MS OSes because they know they'll have years of bugs, security problems, and random instability to look forward to from which to derive a pay check.

Re:I guess that depends on what the definition of

[vistapwns]

deliberately unreliable and insecure, yet not one of thousands of employees at MS, many of whom no longer work there, have leaked memos from darth balmer stating to make it such? Also the whole argument is begging the question. Strange how my PC is never unreliable and insecure, must be some kind of voodoo magic how I can leave auto-update enabled and not download fakeav.exe crap.

Re:I guess that depends on what the definition of

[mark_reh]

No one has to state it specifically. You manage it through hiring practices, like the insurance companies do.

Insurance is in the business of making money. They do that through investment activities and on the spread between what they take in in premiums and what they pay out in claims. How do they increase profits? By taking in more and paying out less. How do they pay out less? By denying claims that should be covered under their contracts. Have you ever received a letter from an insurance company explaining "benefits" - insurance industry speak for denial of claim? You call the company to ask what the paper means and you get to talk to an idiot who knows nothing about insurance or the letter they sent you. The insurance companies employ a minimum wage army of clueless people to answer calls and frustrate callers into giving up.

MS does the same- hire low skilled programmers and give them tasks that are out of their scope of knowledge. Result? Windows!

Re:I guess that depends on what the definition of

[Bobfrankly1]

"low cost". Maintaining a MS OS is only "low cost" if you have someone who will do it for free- i.e. you're the family geek, keeping the wife and kid's computers working so they can enjoy compatibility with systems at school and work.

I subscribe to the "conspiracy theory" of MS OSes. They are deliberately unreliable and insecure in order to keep an army of IT people employed fixing them. The army continues to support and specify MS OSes because they know they'll have years of bugs, security problems, and random instability to look forward to from which to derive a pay check.

Maintaining a large network of interconnected school sites is only "low cost" if you're doing it wrong.

I work for a District of 50+ sites with a mix of windows, mac, and linux(server) machines. We have roughly equal amounts of issues with both the windows and mac machines. They don't have the same issues, but when you put large amounts of macs in an enterprise environment for years, you start to understand that "it just works" is a marketing ploy, not an accurate statement. Having access through our Apple rep to their systems engineers was also enlightening on how screwed up or incompatible some of their solutions are. It's just the same crap in a different shiny wrapper. The only conspiracy is the cult of Apple trying to present the Mac as the solution to the PC. They both have warts, they just appear in different places.

Whatever's most used = most attacked

Android (yes, a Linux) shows us all that on smartphones.

* You Penguins really don't ever want to see "the year of Linux on the desktop", trust me, since what we're seeing on smartphones is only a "portent of things to come"!

(Well, that is IF Linux ever takes the most used/most marketshare on PC desktops, that is).

Linux isn't some "magical security panacea": It's hiding behind "security-by-obscurity" on the desktop.

What shows anyone this much? Well, again - See what happened on smartphones & ANDROID (linux)?

Linux also has about a 50/50 split with servers in the Fortune 100-500, & what's happening THERE, now that it's achieved a decent % of total use there?

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LI

Re:Whatever's most used = most attacked

We need to get an "APK" mod, so I know I will be in for some scrolling on my tablet if I expand the comment.

Re:Whatever's most used = most attacked

Try being on topic instead of a troll.

Microsoft's involvement ... supporting education

LOL, you mean supporting the privatization of education.

laptops not desktops so you need a managed wifi

[Joe_Dragon]

laptops not desktops so you need a managed wifi system with more then 1 AP.

and even then the systems use NON school AP's as well.

Also virus can pass though email and web uploading of school work / over usb key as well.

Let's see there a virus so trun off the web site / email and have the kids use usb keys to trun in there work.

Re:laptops not desktops so you need a managed wifi

[LordLimecat]

Just about every consumer grade AP supports MAC filtering. User has virus (detected by the IDS)? Blacklist his MAC. Hey look, crisis averted.

Most also support WPA enterprise, which provides for per-user authentication. User detected with virus? Remove his account from RADIUS. Oh hey look, he can no longer auth to the network.

There are a million ways this could have been averted, if there had been a focus on security. I wont deny that its certainly easier to simply blame the operating system for the bad practices, however.

Because that's a strawman premise.

Locked doors are not immune to be bypassed, but an unlocked door with a sign on saying "This door is protected by fuck all" is a lot more prone to being bypassed than a locked one.

The problem is one of culture.

Windows assumes that the user is scared of their PC and completely clueless, therefore the computer will do things to "help" you. And that is done hidden from the user, hence a very profitable course for a virus to exploit.

Macs assume the user is completely clueless therefore the computer won't do much other than the proscribed elements. Safer but far less generically useful. And similarly for virus writers.

Linux assumes that if you do something specifically, you know what you're doing and it should happen, but ALSO that you are knowledgeable enough only if given the information. So it doesn't hide anything from you that may be scary. This is then abused by the MS fluffers as being too complex. But it also means your system tells you when it does something and you have to get involved in it. Not a productive line for viruses.

Re:Because that's a strawman premise.

[LordLimecat]

Everything you said ignores that the most common virus vectors dont care what OS you are using; if you have a plugin installed, you are technically vulnerable regardless of platform. It is true that if you use OSX you will likely simply get overlooked as its easier to simply target the larger Windows market share. However, last time I checked this is known as "security by obscurity", and is generally ridiculed as false security-- though it may in some sense "protect you", it isnt really doing anything to stop someone who wants to take you down, it just makes them less likely to pick you to target in the first place.

Lake Washington School District

[westlake]

The geek kicks off on stories like these.

But a small word of caution: LWSD has a very good reputation

Lake Washington School District named to AP District Honor Roll

Among the more than 900 U.S. and international middle school students invited to the ceremony on the Johns Hopkins University campus, all earned exceptionally high scores that place them well within the top one-half of one percent academically of all same-grade students.
Past participants in the CTY Talent Search include Facebook founder Mark Zuckerberg, Google cofounder Sergey Brin, and performer Lady Gaga.

Whiz Kid: Sammamish Middle-Schooler Kartik Iyer Honored for SAT Scores

lot's of windows only software mac is in the same

[Joe_Dragon]

lot's of windows only software mac is in the same place but there is a good deal of stuff that is on both mac and windows.

Wine is hit or miss and can be a lot of work / testing to set up.

Windows and Linux opens you to lot's of hardware vendors / lot's of choice. Apple is one vendor with limited choice and high prices.

Apple laptops start at $1000 (949.00 list price for schools bulk deals may be lower) but that only a 11 inch screen and 64GB disk space.

64GB is not that much when you add up OS+apps and a 11 inch screen is small (13 is good min size).

Ipads are limited in software and adding keyboards to each one just makes it harder on the school to keep track of what each kid has vs say 1 laptop and a real laptop let's kids use there own USB mouses / keyboards if they want to.

Ipads need Bluetooth keyboards not any USB keyboard / wireless keyboards with a non Bluetooth usb plug in.

for the record

[slashmydots]

For the record, any underfunded IT dept run by unskilled people can have a virus rampage regardless of the OS. There are mac and Linux viruses and just generally undesirable software and if the computers aren't configured properly, they will find it installed.

Apache vs IIS.

Your point is invalid.

Re:Apache vs IIS.

the point is valid.

most used = most attacked.
most attacked != most compromised.

Re:Apache vs IIS.

No, its not. Not unless you are going to find me some hard evidence that shows IIS is attacked more frequently than Apache. I'll be waiting

some software needs admin rights to run and even

[Joe_Dragon]

some software needs admin rights to run and even with out admin rights virus can still mess up the users folders / use holes in the OS / apps to get around needed to be admin.

or at least use something like deep freeze

[Joe_Dragon]

or at least use something like deep freeze.

I used to go to a school with deep freeze and the way the log on system was setup it was easy to get local admin by not logging on with a network logon and just hitting cancel.

1-2 full time IT guys needed temps to do the

[Joe_Dragon]

1-2 full time IT guys needed temps to do the imaging setup.

I did that ones as a temp it was more then just do the imaging setup after that you needed to setup some software to say I'm at X school in the district, set the computer name and join the domain.

The district had 1 image for the full district.

if the students have to buy the laptops then they

[Joe_Dragon]

if the students have to buy the laptops then they should be admins.

It bad to be forced to buy a laptop with no choice of the hardware but to forced to buy one and have it locked down so you can't run your own software??

Awh

B'aw... I had hoped this was an out of control bacterium culture with an appetite for paper :(

Excuse #37:

[PPH]

My DOS ate my homework.

And you ignored everything I said.

Moreoever, other than running on the plugin, the virus does nothing because the vasty majority only delete and procreate on windows systems because they are written able to infect only one type of system.

Technically vulnerable doesn't mean jack shit. You're practically much more vulnerable on Windows because it's unlocked and the chain and lock they draped over the top can be removed if you twiddle some bits of the fence it's attached to.

Thinking that you're saying something useful is merely proof that you've read something that you have shoehorned into "My Windows System Is As Secure".

I'm as safe walking through the streets of Manhattan as walking through the streets of Iraq, because I COULD get shot dead in either.

The fact that there's more shooting going on in Iraq is being ignored to the detriment of PRACTICAL safety.

Lie down with dogs

[hduff]

Get up with fleas.

Re:some software needs admin rights to run and eve

some software needs admin rights to run

It's not very likely that the students would need exactly such a program. But I'm pretty sure you can make exceptions, so that a Standard user can run something with admin rights.

and even with out admin rights virus can still mess up the users folders / use holes in the OS / apps to get around needed to be admin.

Of course, that's why we have things like Software Restriction Policy and AppLocker. And half decent IT guy will know that.
As for holes, you'll never be 100% sure with anything, but you can come pretty close with the right approach.

AKA Computer Voo Doo

[fwarren]

You were the last compentent person to touch their system. The only one who knew how to make changes. They know they changed nothing. How could this problem exist, it requires a change to have been made?

Computer Voo Doo. It has to be the change you made 2 years ago that caused the virus today.

Ah, Voo Doo, I know thee well. Many of my customers have claimed I have practiced the art.

Re:No. Need to teach admins proper admining habits

[Hatta]

Or, really, backup all the kids non-exe files

And non-DOC files, non-PDF files, non-XLS files, non-.vbs files, non-zip/rar/7z files that could contain infected files, etc. No, it's too hard to enumerate all the potential sources of reinfection. You get infected, you lose your shit. Period. Don't like it? Learn not to get infected.

"LAMP" = favorite to attack for phishers

Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)

http://www.theregister.co.uk/2011/06/10/domains_lamped/

PERTINENT QUOTE/EXCERPT:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

---

AND WHAT IS THE MOST PREVALENT FORM OF ATTACK?

Well - I'll let OTHERS speak for me, "hot off the presses today" from Trend Micros' analysis:

PERTINENT QUOTE/EXCERPT:

"The vast majority (91 per cent) of targeted attacks begin with a spear phishing email, according to a new study by Trend Micro."

FROM -> http://www.theregister.co.uk/2012/11/29/spear_phishing/

APK

P.S.=> Now, WHAT was that YOU said? Ok, let's requote it:

"Apache vs. IIS Your point is invalid" - by Anonymous Coward on Thursday November 29, @09:25AM (#42129403)

No, I KNOW not, as do folks like Trend Micro... and, so do you! Your "freebie" webserver's also NOT following "DNT" (do not track) either:

http://apache.slashdot.org/story/12/09/08/0053235/apache-patch-to-override-ie-10s-do-not-track-setting

Lastly - I know WHY you reply to my posts as ac: You KNOW I'm TOO WELL-ARMED with verifiable & undeniable facts, and you don't want me "tossing it back in your face" when I make you "eat your words" (how do they taste now, for instance?)

... apk

"Eat your words" (what the fav. of phishers?)

http://mobile.slashdot.org/comments.pl?sid=3281695&cid=42130567

APK

P.S.=> Always a pleasure making "penguins" have to "eat their words", flavored with "the bitter taste of SELF-DEFEAT" & their foot in their mouth, lmao...

... apk

Wrong Conclusion

This is just silly. The problem isn't that they didn't use Linux or MacOS, it's that nobody locked down these computers. They're the school's computers, so they can put whatever they want on them. No one should have rights to install software, and Security Essentials should be turned on, and kept up to date. Sloppy system administration. Pure and simple.

Re:I just skim past your posts.

APK's upward modded. You're downward modded. Says it all.

We'll fix that

[ISoldat53]

in WIn8

Wrong Conclusion

[a1englishman]

I accidentally posted anonymously.
This is just silly. The problem isn't that they didn't use Linux or MacOS, it's that nobody locked down these computers. They're the school's computers, so they can put whatever they want on them. No one should have rights to install software, and Security Essentials should be turned on, and kept up to date. Sloppy system administration. Pure and simple.

Unjustifiable downmods to hide truths I post? apk

Is that how you little penguins operate? Of course it is. PURE deceit &/or half-truths.

(It is TRULY, the "why" of WHY You fools will NEVER get ahead, & see "the year of Linux on the desktop"... period!)

Bottom-line - People won't listen to bullshit artists & 1/2 truths, & certainly NOT those using unjustifiable downmods vs. facts!

NOW - The funniest part is, you all seem to *think* people are stupid and can't see posts you bogusly downmod like mine has been (for merely citing verifiable facts & truths... ones "penguins" can't handle!).

Newsflash - many here browse below the default moderation threshold (which is purest bullshit since anyone can pull a downmod - in fact?

I'll let an OPEN "SORES" BIG NAME SPEAK FOR ME on that very account:

---

"It just takes one Ubuntu sympathizer or PR flack to minus-moderate any comment. Unfortunately, once PR agencies and so on started paying people to moderate online communities, and to have hundreds of accounts each, things changed." - by Bruce Perens (3872) on Friday July 30, @03:55PM (#33089192) Homepage Journal

SOURCE -> http://linux.slashdot.org/comments.pl?sid=1738364&cid=33089192

---

Deceitful little bogus downmodding trolls are JUST like:

The Chinese Water Army:

http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22Chinese+Water+Army%22&btnG=Search&gbv=1&sei=tSchUJjPGYn36gGYtIDACQ

AND HBGary:

http://www.dailykos.com/story/2011/02/16/945768/-UPDATED:-The-HB-Gary-Email-That-Should-Concern-Us-All

PERTINENT QUOTES/EXCERPTS:

"According to an embedded MS Word document found in one of the HBGary emails, it involves creating an army of sockpuppets, with sophisticated "persona management" software that allows a small team of only a few people to appear to be many, while keeping the personas from accidentally cross-contaminating each other. Then, to top it off, the team can actually automate some functions so one persona can appear to be an entire Brooks Brothers riot online... And all of this is for the purposes of infiltration, data mining, and (here's the one that really worries me) ganging up on bloggers, commenters and otherwise "real" people to smear enemies and distort the truth... "

and

"They are talking about creating the illusion of consensus. And consensus is a powerful persuader... And another thing, this is just one little company of assholes. I can't believe there aren't others doing this already. From oil companies, political campaigns, PR firms, you name it. Public opinion means big bucks. And let's face it, what these guys are talking about is easy."

and

"To the extent that the propaganda technique known as "Bandwagon" is an effective form of persuasion, which it definitely is, the ability for a few people to infiltrate a blog or social media site and appear to be many people, all taking one position in a debate, all agreeing, for example, that so and so is not credible, or a crook, is an incredibly powerful weapon."

---

This takes the cake, as to how "PR Firms" pull crap, in "Confessions of a Shill" (pulling crap on anti-semitic stuff):

http://www.abovetopsecret.com/forum/thread826545/pg1&addstar=1&on=13829871#pid13829871

Unbelievable... but, there it is, along with ALL THE OTHER PROOF just above!

---

(Forums sockpuppeting mu

Re:I just skim past your posts.

Then why did you reply? At least get your story straight troll.

Re:Growth In College Tuition Vs. Growth In Earning

[DeeEff]

Correlation != Causation.

Get with it. This is a rookie mistake.

To let you know.

nt

Re:To let you know.

Can you be on topic troll? Can't handle truths he posted?? No obviously.

Throwing a sickie

students stayed engaged nad [sic] organized whiel [sic] boosting creativity

I almost had to throw a sickie for reading that.

You'll be waiting until the 12th of never... apk

They won't produce it. They're trolls. They operate on pure "FUD", nothing more...

* HOWEVER - this is why I come to /., to learn things I *may* not already be aware of... so, we'll see!

APK

P.S.=> I'd like to see it myself actually... ... apk

Re:some software needs admin rights to run and eve

some software needs admin rights to run and even with out admin rights virus can still mess up the users folders / use holes in the OS / apps to get around needed to be admin.

You are correct and this is a problem, but it is not specific to Windows by any means.

UAC is tagged on.

So apparently you need to ask yourself that question: do you know what UAC is?

Re:UAC is tagged on.

[shutdown+-p+now]

GP actually knows what it is, unlike the person to whom he replied.

UAC and privilege separation are two different things. The latter has been there since NT 3.1. The former is basically dumbed-down (so you don't have to type in password every time) equivalent of [gk]sudo, which is also "tagged on" on top of the normal Unix mechanism to run something under a different user account.

Re:UAC is tagged on.

[Zephyn]

So apparently you need to ask yourself that question: do you know what UAC is?

Union Aerospace Corporation. Usually their system glitches result in dimensional breaches that demons use to invade Mars, or its moons... so just losing some school data seems rather mild by comparison.

Re:UAC is tagged on.

[benjymouse]

UAC and privilege separation are two different things. The latter has been there since NT 3.1.

Exactly. NT 3.1 was the *first* Windows NT - a clean room implementation of an operating system designed to be multi-user with networked users, hence the "wasted" (at the time) space for proper SIDs with no network ambiguity like Unix/Linux.

The former is basically dumbed-down (so you don't have to type in password every time) equivalent of [gk]sudo, which is also "tagged on" on top of the normal Unix mechanism to run something under a different user account.

No, that description fits the UAC prompt. Many people assume that because the UAC prompt looks like sudo then UAC it is implemented much the same way and/or serves the same purpose as sudo.

sudo is an elevation of the user to root. sudo itself is a SUID and sets the user to run as root as the effective user. While running as root the process can do *anything* and *everything* on the system. A far cry from the least privilege security principle. But such is the Unix/Linux security model: A uid of zero means unrestricted access. A non-zero uid means there's a lot you cannot do, intrinsically. Because there are legitimate actions regular users need to do, but which is restricted in the OS because of the rather coarse grained security model (one all-powerful and the rest), SUID was invented.

UAC is a model where processes are assigned integrity levels in addition to the permissions already in the process token. The integrity model means no-write-up, i.e. a process running at a lower integrity level *can not* write or manipulate objects at higher levels. Regular desktop applications run at "normal" integrity level.

Internet facing applications (IE, Chrome, Outlook, Word/Excel/PowerPoint in "viewing" mode etc) run at "low" integrity mode. The security token and the access control checks already built into the system ensures that a low integrity process cannot write files, registry keys or otherwise make changes to the system unless the resource being written to is also "low integrity". This way the IE and Chrome can cache web pages in a special low integrity cache area, save cookies etc.

While both sudo and UAC prompt can be seen as ways to "elevate" the process permissions by changing the security "token", the reality is that Unix/Linux do not really have tokens - they have user IDs. A Unix/Linux process cannot have fine grained or specifically tailored permissions - it can only have the permissions of a user in the system - because user IDs is the way permissions are described.

Windows process tokens are initially cloned from the user who started the process (but the process inherits the integrity level from the executable and runs with low integrity level if the executable was low integrity), but the process token can be tailored, e.g. permissions removed. The Windows tokens consists of SIDs rather than a single user ID. SIDs can refer to integrity levels or groups or alternate identities.

When a user logs on to Windows, a token with all of the users permissions is initially created. But during the logon process a second token is created, one with all of the administrative privileges stripped away. This token becomes the user token and the one inherited by processes started by the user. The UAC prompt temporarily restores the original non-stripped token, allowing the user to exercise his admin rights. But crucially it does not allow him more rights than initially granted.

Compare that to Linux/Unix where the sudo "elevation" allows the process *root* permissions. Yes - sudo has been designed such that it is limits what the user can do while running - but the process as such has universal powerful privileges and a single bug can allow total system compromise. This is by no means theoretical - multiple security problems have plagued sudo and other SUIDs. It is simply not least-privilege.

Re:UAC is tagged on.

[shutdown+-p+now]

But, in practice, most users on a typical Windows system are basically administrators (=root, or close enough - there's always TrustedInstaller etc), and so when UAC produces a token with their original privileges restored, the net effect is the same as sudo. So, when your average user sees a UAC prompt, the end result is the same as when he does sudo whatever.

Re:UAC is tagged on.

[benjymouse]

But, in practice, most users on a typical Windows system are basically administrators (=root, or close enough - there's always TrustedInstaller etc), and so when UAC produces a token with their original privileges restored, the net effect is the same as sudo. So, when your average user sees a UAC prompt, the end result is the same as when he does sudo whatever.

That is correct for home- and individual users. But users in a corporate (or school) setting should *not* be allowed to elevate to full admin privileges, if at all. Users can still install per-user apps and policies can still restrict which apps can be allowed to start (based on hashes, digital signatures, vendor etc).

Re:UAC is tagged on.

[cptgrudge]

But, in practice, most users on a typical Windows system are basically administrators (=root, or close enough - there's always TrustedInstaller etc), and so when UAC produces a token with their original privileges restored, the net effect is the same as sudo. So, when your average user sees a UAC prompt, the end result is the same as when he does sudo whatever.

That is correct for home- and individual users. But users in a corporate (or school) setting should *not* be allowed to elevate to full admin privileges, if at all. Users can still install per-user apps and policies can still restrict which apps can be allowed to start (based on hashes, digital signatures, vendor etc).

And so it comes to this. It's not the fault of Windows, but the ignorance of those configuring the systems. Color me surprised!

Apk whines about modded down.

But he's modded up. Says it all.

I guess the idiotic little shitball doesn't know what he's supposed to be complaining about, does he.

Re:Apk whines about modded down.

Said the courageous anonymous wuss.

Re:Apk whines about modded down.

Learn to read moron. He said apk was modded up. You're stupid.

My dog

My dog ate my homework....

Deja vu

[ternarybit]

This story jumped out at me because I graduated from an LWSD school back in '04.

One of my hacker / cracker / script kiddie friends nabbed an 0day version of Agobot from IRC, got itchy one day, and executed it at school. I remember clear as day sitting in chemistry, and the intercom sounded, "Teachers, please shut down all computers in your classroom."

The entire school's network was down for a week as the IT staff manually disinfected each computer. My friend was "expelled" into a head-start program at the local community college, while his parents paid a $5,000 fine for the disinfecting labor.

Funny to read a similar story 8 years later...

The real reason Windows gets all the malware...

[ggraham412]

You can scam more money out of Windows users. Plus there are more of them.

And of the rest, the Linux users are broke to begin with and the Mac users gave all their money to Apple already.

Minix

Minix is what they should have gone with. It's aimed at being a teaching tool, and while at it, they can use NetBSD and a whole bunch of Linux apps on it as well

And who said that all teaching would be online

Will never happen as long as this type of thing continues to exist
Much harder to hack into the teachers paper gradebook and pen-entered grades, and paper written report cards....
We ought to look at the costs associate when this type of thing occurs on such a grand scale (and they're happening very frequently)
It's not enough to just say "well, whomever the IT Dir. is for the district is to blame" as well all know that even if the IT Dir. could force
security decisions, they don't make the final call.

Choosing M$ as your platform and OS of choice and then not keeping it updated/secured and locked down - it tantamount to mass suicide and a complete and utter waste of time/talent/resource and education (which is why it ought not be a part of education)

What's really happening

[ChuckleBug]

I am a high school science teacher in the Lake Washington School District. I usually stay away from education discussions here, because there are enough uninformed know-it-alls to make the discussions annoying (I mean a minority here, no disparagement of /. intended). People think that they know everything about education because they went to school at some time. Not necessarily true.

I don't have much time (grading calls) but I wanted to address a couple things I've seen in my perusal of the comments. 1. Someone said they issued laptops with no restrictions. Not true. It just isn't. There was a problem, and it's bad, but we actually aren't a bunch of idiots randomly passing out laptops. We USE them extensively for assignments, assessments, surveys/polls, research, and communication. There is security in place, although I don't know all aspects of it since my IT days are behind me. I do know that the web filters work wherever the laptops are used, and I know already of a few students who got busted for using proxies. It's going to happen, because a lot of our students are smart. I don't think it was a student who introduced the virus, but I can't state my reasons, so I don't expect anyone to believe me.

2. Incompetent IT. Not true, either. It was an error. A costly one, but I don't think this is an indication of utter incompetence. Hiring IT people isn't easy, because we can't pay what the private sector does.

Crap. I gotta run. Suffice to say, this has been a pain in the butt, and has made everything more difficult, but I know a lot of these IT people who are being trashed and they work their asses off and do a great job when we need them. This kind of problem is unprecedented here.

An example of Microsoft's incompetence

What I mean is, this had to be foreseeable. It's one thing for a school district in Georgia to have an issue, but in Microsoft's backyard? I don't know, the PR sting from this one is going to be quite awful - many on /. sure as hell won't let them forget it. Yeah, it's not Microsoft's responsibility to be the Lake Washington School District's IT department, but if I were at Microsoft and I were looking at our backyard, I would have played a much larger role in Lake Washington's deployment and care of these laptops.

Unless Microsoft steps up, it may be time for Lake Washington to go with Ubuntu - or find some money and dare I say it, go with OS X.

5 new IT people?

Even temps, that ain't chump change to a school district. These are the people who buy the lowest cost everything, they didn't spend the money cause someone sneezed.

even with mac os at $0 it's the hardware price / l

[Joe_Dragon]

even with mac os at $0 it's the hardware price / limited choice that makes windows be used.

bigger picture

the bigger picture is that the whole process emulates the 'real world' the decisions are first and foremost made by politics then if things don't work play hot potato with it

TEACH THE KIDS TO ADMIN THEIR MACHINES

Here's a thought. TEACH THE KIDS TO ADMIN THEIR MACHINES. Virus removal is NOT rocket science. They're suppose to be learning right?

Locking down the computers ensures kids can't learn. How many kids are going to be able to buy their own machine to play around with, and justify it to their parents if they're given a locked down one? Where do you think the next gen of computer techs comes from?

HOW TO DO MORE SECURE UAC

The settings to examine & change are as follows in gpedit.msc &/or regedit.exe:

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

(Set as PROMPT FOR CREDENTIALS)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser

(Set as Automatically deny elevation requests)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

OR

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle

(Set DISABLED)

---

* There you go... you can do all of what you state, & more, easily enough, but instead by using NATIVE TOOLS already present in Windows itself in, gpedit.msc or regedit.exe!

APK

P.S.=> To even FURTHER enhance that, albeit @ the application level? You can use taskmgr.exe, & set UAC Virtualization ENABLED on ANY RUNNING APP too: Further sealing it off from infecting/infesting other running apps or the entire OS by every users' profile, by simply right clicking on running apps & changing their UAC virtualization level (this prevents ENTIRE OS & all users profiles from infestation, isolating it to 1 single user only (ala a test profile used to test possibly virus ridden programs, OR, to isolate problem programs like webbrowsers in the past & Adobe's JAVA products or javascript using tools (since those latter 2 are the PREVAILING largest infectors out there now, in JAVA &/or ADOBE apps))... apk

"Poster Child"

[RockDoctor]

('Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,' according to the district's Success Stories),

[...]

In the past, the Lake Washington School District served as a Poster Child of sorts for Microsoft's Trustworthy Computing Group."

I'm envisaging one of those posters of some starving Ethiopian waif begging for edukashun dollarz. Is that the impression you get. Or ... could it be ... a school administrator so enamoured of the Ribbon interface on their Orifice2012 that they couldn't find the button for starting the spell checker?

[self ... checks spelling]

No really?

'Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,'

Damn right if I was a school I'd claim virus on that one. (if it was indeed sic)