Virus Eats School District's Homework
theodp writes "Forget about 'snow days' — the kids in the Lake Washington School District could probably use a few 'virus days.' Laptops issued to each student in grades 6-12 were supposed to accelerate learning ('Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,' according to the district's Success Stories), but GeekWire reports that a computer virus caused havoc for the district as it worked its way through the Windows 7 computers, disrupting class and costing the district money — five temporary IT staff members were hired to help contain the virus. Among the reasons cited for the school district's choice of PCs over Macs were the proximity to Microsoft HQ (Redmond is in the district), Microsoft's involvement in supporting local and national education, and last but not least, cost. In the past, the Lake Washington School District served as a Poster Child of sorts for Microsoft's Trustworthy Computing Group."
Looks like the school district learned a valuable lesson ... oh wait!
There once was this thing, the "trustworthy computing" pledge.
What happened to that?
Help stamp out iliturcy.
Among the reasons cited for the school district's choice of PCs over Mac's were (...) cost.
And yet Linux was never an option? Avoided Apple to reduce the cost and ended up hiring 5 people to contain the damage that came as a consequence of their choice... way to go!
...and last but not least, cost.
Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.
Never had a problem with Linux shitting itself on boot.
Not even sure what that is. POST failure? Driver crash on initialisation? Because the first isn't the OS and the latter I've seen in Windows as often as I've seen in Linux.
For your average MS troll, you've done really REALLY badly.
Just imagine how many new IT jobs this would create.
You can't just put "[sic]" next to any random string of characters and expect the reader to understand. What the hell is "whiel boosting creativity" supposed to mean, anyway? Maybe I'm slow this morning, but it took me 5 minutes to see the "while". Brackets can help readers stay engaged [and] informed [while] improving understanding, but this time they failed us.
What do you mean they cut the power? How can they cut the power, man? They're animals!
Among other things, TFA implies that this is because they were using 'PCs instead of Macs' [sic].
While it's true that OSX has way less malware than Windows, the main cause of malware infections is the users who click anything that's offered to them without thinking.
You can hide behind less popular operating systems, but the sad truth is that the average computer user simply can't handle the freedom of being able to do whatever they want, without messing things up.
So the solution is better tech education or--the cheaper way--locking things down. Both MS and Apple are doing it in their mobile OSs and they're starting to implement this in their desktop OSs as well.
Of course, the IT could also have locked Windows down with Group Policy and SRP, so that it would be pretty much impossible to install anything (unless reinstalling the OS).
Instead, they relied on some crappy antivirus (Sophos) and I wouldn't be surprised if the users were given admin rights as well.
I'm not a Microsoft fan at all (and they might have played dirty to get the school to use Windows), but the real story here is IT staff incompetence and the poor education of the average computer user.
Viruses are easy to take out of the system, but that doesn't stop the same behavior that puts the virus there in the first place.
Example: A friend of mine, whose laptop I end up fixing for viruses, usually gets them because his kids are looking for TV shows and get sent to sites that want them to download something. Boom, infected. Looking for a YouTube/Disney/Hulu video download, boom! Infected.
I don't care too much because I get paid. And getting rid of the viruses/whatever is as easy as taking the hard drive out of the computer, hooking it to an already running computer (via USB-IDE/SATA adaptor), and running a few programs. Takes a few hours, or more depending on the size of the hard drive and how much space is taken up. But very, very easy to fix.
Be seeing you...
Ohh, the irony.
The virus ate my homework!
Hire COMPETENT IT staff to begin with? Honestly, what kind of amateur hour school is this? Having to hire temp IT staff to deal with it, really? How about actually staffing your departments properly and with competent staff?
Do not look at laser with remaining good eye.
They could have also chosen Linux laptops and hired 1 person to support the users and teach them about backups.
That would have been cheaper and if the new hire had some skills he could even have taught programming using Python or PHP straight on the laptops.
Oh wait, that would actually have worked in the direction of the students instead of the system...
...is not led by logic, but by "evil you know" decision chain. Therefore no matter how many homeworks Windows will eat, it will stay.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
I don't even know what an 'aposorophe' is.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
I take it you don't believe in the existence of malware that can over-write the BIOS?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Just like that time I caught a cold from being around people, then I moved to Antarctica and stopped being around people. No more colds! Hah!
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Its prefectly crolument.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
From reading a quick description on how the virus works... This school seems to have no fucking clue what AD/GPO/LUA means. It sounds like the notebooks can either copy files to each other over the network or students can copy .exe's to the network servers. Fail 1. It also sounds like the students are running without least user authorization, aka, they can get admin access to their computers easily, or they already have it. Fail 2, maybe. It could have been a teacher who got it and was allowed to write stuff to places that were dangerous and because of poor AD layout allowed it to get everywhere. Fail 2 again, maybe. Of course maybe the teachers or students didn't start spreading it and some dipshit admin got it in the first place and managed to get it in a directory from which the GPO launches a startup script. Major Fail 2 if this happened. Other than the last one, I still don't understand how it would have launched and run unless the students could run as admin; this virus needs to write to the Windows directory. Honestly there are so many more possible fails here, I'll give up even trying to list them.
The district has 25,000 computers, if even 10% of them is infected with this, it's not very easy to fix just due to the size of the job. At worst taking 25,000 hard drives out of laptops is an insane job. Better to have a linux or maybe a PE cd of some sort that boots and auto tackles the infection. Or, really, backup all the kids non-exe files and nuke from orbit with a fresh install image.
The GP needs to embiggen their vocabulary.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Translating from media hype: someone did something foolish on a computer, then got a new virus which spread quickly, but it hasn't been the end of the world. In fact, it seems contained. Weird how it's the worst possible virus. Funny how this just happened to happen at this school right in the shadow of Redmond. I'd look at dissatisfied employees.
There used to be this expression "no-one ever got fired for buying IBM". Buy IBM, and you're safe; if it still breaks you can always say "well I went with what everybody does, what is generally considered a good choice, so I did the best I could". By buying some no-name brand, or brandless hardware, you don't have this excuse. Then it's instantly your responsibility.
Same for Microsoft vs Linux. Linux is "that hacker platform" while Windows is "what all businesses use". It's the safe choice - from a job security pov. We know Linux is statistically more stable and secure than Windows, but if it goes wrong, it's the fault of the guy going for the alternative, off the beaten track, and insisting on going against what the rest of the world does.
Or for the obligatory car analogy: Linux is the self-driving car that reacts faster, is more alert, won't speed, stops for red lights, and has a perfect accident record, while Windows is the human driven car. When one of the human drivers has yet another accident, that's too bad, humans aren't perfect. When the self-driving car has an accident, that's a disaster, totally unacceptable and why isn't there a human at the wheel paying attention to correct those mistakes.
They probably shipped them with the free carpware virus checker.
Carpware? Sounds fishy.
I'm sorry, but if you can't make the transition from LibreOffice to MS Office fairly easily, you won't be very productive in the "corporate world" anyway. I mean, most people coming straight from college have likely never used Pivot tables or VB macros or whatever advanced Excel features the corporation is using, so you'll be training them anyway. Then again, I'm amazed at how many corporations employ people to do work that a shell script could (and should) be doing instead.
for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
I heard that if you buy a Mac, Ballmer comes to your house and dances the Developer dance in your garden. If you install linux, he dances naked.
Please think of your neighbors, install Windows.
On a more serious note, this was a MS project, MS is not going to install linux... well except for when they need a reliable stable server platform to host a project.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Before we blame the IT staff, let me give this some perspective. (I have nine years experience as a teacher & tech director in a public K-12 US school.)
First, I'm reasonably confident in saying that, if proper Group Policy was implemented and user restrictions put in place, this never would have happened. Second, this is a HUGE school district with over 50 schools. They can certainly afford a public liaison (who was speaking on behalf of the district in the local broadcast), and I'm sure they have a large IT staff...I'm guessing in the neighborhood of 20-30 employees. Though public school districts would pay less than Microsoft right next door, given the sheer numbers there must be at least a few people on that staff that know how to accomplish this as well as its value in preventing this sort of mess from happening.
With that in mind, here's what I've concluded: There is likely someone with leadership authority who told IT staff to let students manage their own laptops and have admin privileges. Given the size of the district, the directive either came from the district technology committee, or directly from the superintendent, school board, or both. All it would take is a number of parents to ignorantly complain to a "friend on the board" that "Johnny's laptop is broken - he can't install the programs he needs to do his homework" for the school board to direct the superintendent to "fix the issue." Likely this was a top-down order; I simply cannot imagine a tech staff that large to be that incompetent on their own.
What bothers me about this is how they're going about trying to fix the problem. If I had a worst-case mass-deployment of a virus at my school, I would just recall all the equipment, reimage everything, and redeploy a week later. I would issue a directive to all the staff that the equipment is down for one week to be cleaned, and make do without it. It's either one week of downtime or months of unreliability. If teachers would know that they have the option of either the problem being fixed in a week or the problem being "managed" over months, they would all take the week's downtime in a heartbeat.
One other question I have for those here: have you ever encountered a Windows virus that, as they claim, just "spreads on the network" without user initiation of the virus by clicking on an executable, script, or loading an infected webpage? I think the much more likely scenario is that this virus is being spread through usb flash disks, but I'm not sure whether that explanation was too technical for staff to understand.
Android (yes, a Linux) shows us all that on smartphones.
* You Penguins really don't ever want to see "the year of Linux on the desktop", trust me, since what we're seeing on smartphones is only a "portent of things to come"!
(Well, that is IF Linux ever takes the most used/most marketshare on PC desktops, that is).
Linux isn't some "magical security panacea": It's hiding behind "security-by-obscurity" on the desktop.
What shows anyone this much? Well, again - See what happened on smartphones & ANDROID (linux)?
Linux also has about a 50/50 split with servers in the Fortune 100-500, & what's happening THERE, now that it's achieved a decent % of total use there?
2012:
New Linux Rootkit Emerges:
https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."
---
'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:
http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/
---
Medicaid hack update: 500,000 records and 280,000 SSNs stolen:
http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444
So, what's dts.utah.gov running everyone?
LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov
What's health.utah.gov running too??
YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov
* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!
===
2011:
KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)
http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised
---
Linux.com pwned in fresh round of cyber break-ins:
http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/
---
Mysql.com Hacked, Made To Serve Malware:
http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware
What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com
---
London Stock Exchange serving malware:
http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware
(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)
---
DUQU ROOTKIT/BOTNET BEING SERVED FROM LI
http://xkcd.com/327/
Of course this isn't entirely related unless you look at the principle of the matter. IT, where are your manners?
"low cost". Maintaining a MS OS is only "low cost" if you have someone who will do it for free- i.e. you're the family geek, keeping the wife and kid's computers working so they can enjoy compatibility with systems at school and work.
I subscribe to the "conspiracy theory" of MS OSes. They are deliberately unreliable and insecure in order to keep an army of IT people employed fixing them. The army continues to support and specify MS OSes because they know they'll have years of bugs, security problems, and random instability to look forward to from which to derive a pay check.
Laptops, not desktops, so you need a managed wifi system with more than 1 AP.
And even then the systems use NON school APs as well.
Also, a virus can pass through email and web uploading of school work / over USB key as well.
Let's see, there's a virus, so turn off the web site / email and have the kids use USB keys to turn in their work.
The geek kicks off on stories like these.
But a small word of caution: LWSD has a very good reputation
Lake Washington School District named to AP District Honor Roll
Among the more than 900 U.S. and international middle school students invited to the ceremony on the Johns Hopkins University campus, all earned exceptionally high scores that place them well within the top one-half of one percent academically of all same-grade students.
Past participants in the CTY Talent Search include Facebook founder Mark Zuckerberg, Google cofounder Sergey Brin, and performer Lady Gaga.
Whiz Kid: Sammamish Middle-Schooler Kartik Iyer Honored for SAT Scores
Lots of Windows-only software; Mac is in the same place, but there is a good deal of stuff that is on both Mac and Windows.
Wine is hit or miss and can be a lot of work / testing to set up.
Windows and Linux open you to lots of hardware vendors / lots of choice. Apple is one vendor with limited choice and high prices.
Apple laptops start at $1000 (949.00 list price for schools, bulk deals may be lower) but that's only an 11-inch screen and 64GB disk space.
64GB is not that much when you add up OS+apps and an 11-inch screen is small (13 is a good min size).
iPads are limited in software and adding keyboards to each one just makes it harder on the school to keep track of what each kid has vs say 1 laptop, and a real laptop lets kids use their own USB mice / keyboards if they want to.
iPads need Bluetooth keyboards, not any USB keyboard / wireless keyboards with a non-Bluetooth USB plug-in.
For the record, any underfunded IT dept run by unskilled people can have a virus rampage regardless of the OS. There are mac and Linux viruses and just generally undesirable software and if the computers aren't configured properly, they will find it installed.
Some software needs admin rights to run, and even without admin rights a virus can still mess up the user's folders / use holes in the OS / apps to get around needing to be admin.
Or at least use something like Deep Freeze.
I used to go to a school with deep freeze and the way the log on system was setup it was easy to get local admin by not logging on with a network logon and just hitting cancel.
1-2 full time IT guys needed temps to do the imaging setup.
I did that once as a temp; it was more than just doing the imaging setup. After that you needed to set up some software to say I'm at X school in the district, set the computer name and join the domain.
The district had 1 image for the full district.
Uh, sure. In 1993. It's 2012 .. a vast number of businesses use Linux. It put the commercial Unixes out of business. Entire cities use Linux, even on the desktop. We have highly successful distros like Ubuntu that do nothing but pander to the non-hacker.
The only safety involved is "this here is Microsoft country, and the Microsofties on the board want Microsoft. MICROSOFT!" If you're getting generous donations, you don't want to piss off your corporate overlords.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
If the students have to buy the laptops then they should be admins.
It's bad to be forced to buy a laptop with no choice of the hardware, but to be forced to buy one and have it locked down so you can't run your own software??
My DOS ate my homework.
Have gnu, will travel.
Everything you said ignores that the most common virus vectors don't care what OS you are using; if you have a plugin installed, you are technically vulnerable regardless of platform. It is true that if you use OSX you will likely simply get overlooked as it's easier to simply target the larger Windows market share. However, last time I checked this is known as "security by obscurity", and is generally ridiculed as false security-- though it may in some sense "protect you", it isn't really doing anything to stop someone who wants to take you down, it just makes them less likely to pick you to target in the first place.
Get up with fleas.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
You were the last competent person to touch their system. The only one who knew how to make changes. They know they changed nothing. How could this problem exist, it requires a change to have been made?
Computer Voo Doo. It has to be the change you made 2 years ago that caused the virus today.
Ah, Voo Doo, I know thee well. Many of my customers have claimed I have practiced the art.
vi +
Or, really, backup all the kids non-exe files
And non-DOC files, non-PDF files, non-XLS files, non-.vbs files, non-zip/rar/7z files that could contain infected files, etc. No, it's too hard to enumerate all the potential sources of reinfection. You get infected, you lose your shit. Period. Don't like it? Learn not to get infected.
Give me Classic Slashdot or give me death!
in Win8
I accidentally posted anonymously.
This is just silly. The problem isn't that they didn't use Linux or MacOS, it's that nobody locked down these computers. They're the school's computers, so they can put whatever they want on them. No one should have rights to install software, and Security Essentials should be turned on, and kept up to date. Sloppy system administration. Pure and simple.
Correlation != Causation.
Get with it. This is a rookie mistake.
This story jumped out at me because I graduated from an LWSD school back in '04.
One of my hacker / cracker / script kiddie friends nabbed an 0day version of Agobot from IRC, got itchy one day, and executed it at school. I remember clear as day sitting in chemistry, and the intercom sounded, "Teachers, please shut down all computers in your classroom."
The entire school's network was down for a week as the IT staff manually disinfected each computer. My friend was "expelled" into a head-start program at the local community college, while his parents paid a $5,000 fine for the disinfecting labor.
Funny to read a similar story 8 years later...
You can scam more money out of Windows users. Plus there are more of them.
And of the rest, the Linux users are broke to begin with and the Mac users gave all their money to Apple already.
GP actually knows what it is, unlike the person to whom he replied.
UAC and privilege separation are two different things. The latter has been there since NT 3.1. The former is basically dumbed-down (so you don't have to type in password every time) equivalent of [gk]sudo, which is also "tagged on" on top of the normal Unix mechanism to run something under a different user account.
So apparently you need to ask yourself that question: do you know what UAC is?
Union Aerospace Corporation. Usually their system glitches result in dimensional breaches that demons use to invade Mars, or its moons... so just losing some school data seems rather mild by comparison.
I am a high school science teacher in the Lake Washington School District. I usually stay away from education discussions here, because there are enough uninformed know-it-alls to make the discussions annoying (I mean a minority here, no disparagement of /. intended). People think that they know everything about education because they went to school at some time. Not necessarily true.
I don't have much time (grading calls) but I wanted to address a couple things I've seen in my perusal of the comments.
1. Someone said they issued laptops with no restrictions. Not true. It just isn't. There was a problem, and it's bad, but we actually aren't a bunch of idiots randomly passing out laptops. We USE them extensively for assignments, assessments, surveys/polls, research, and communication. There is security in place, although I don't know all aspects of it since my IT days are behind me. I do know that the web filters work wherever the laptops are used, and I know already of a few students who got busted for using proxies. It's going to happen, because a lot of our students are smart. I don't think it was a student who introduced the virus, but I can't state my reasons, so I don't expect anyone to believe me.
2. Incompetent IT. Not true, either. It was an error. A costly one, but I don't think this is an indication of utter incompetence. Hiring IT people isn't easy, because we can't pay what the private sector does.
Crap. I gotta run. Suffice to say, this has been a pain in the butt, and has made everything more difficult, but I know a lot of these IT people who are being trashed and they work their asses off and do a great job when we need them. This kind of problem is unprecedented here.
UAC and privilege separation are two different things. The latter has been there since NT 3.1.
Exactly. NT 3.1 was the *first* Windows NT - a clean room implementation of an operating system designed to be multi-user with networked users, hence the "wasted" (at the time) space for proper SIDs with no network ambiguity like Unix/Linux.
The former is basically dumbed-down (so you don't have to type in password every time) equivalent of [gk]sudo, which is also "tagged on" on top of the normal Unix mechanism to run something under a different user account.
No, that description fits the UAC prompt. Many people assume that because the UAC prompt looks like sudo then UAC is implemented much the same way and/or serves the same purpose as sudo.
sudo is an elevation of the user to root. sudo itself is a SUID and sets the user to run as root as the effective user. While running as root the process can do *anything* and *everything* on the system. A far cry from the least privilege security principle. But such is the Unix/Linux security model: A uid of zero means unrestricted access. A non-zero uid means there's a lot you cannot do, intrinsically. Because there are legitimate actions regular users need to do, but which is restricted in the OS because of the rather coarse grained security model (one all-powerful and the rest), SUID was invented.
UAC is a model where processes are assigned integrity levels in addition to the permissions already in the process token. The integrity model means no-write-up, i.e. a process running at a lower integrity level *can not* write or manipulate objects at higher levels. Regular desktop applications run at "normal" integrity level.
Internet facing applications (IE, Chrome, Outlook, Word/Excel/PowerPoint in "viewing" mode etc) run at "low" integrity mode. The security token and the access control checks already built into the system ensure that a low integrity process cannot write files, registry keys or otherwise make changes to the system unless the resource being written to is also "low integrity". This way IE and Chrome can cache web pages in a special low integrity cache area, save cookies etc.
While both sudo and UAC prompt can be seen as ways to "elevate" the process permissions by changing the security "token", the reality is that Unix/Linux do not really have tokens - they have user IDs. A Unix/Linux process cannot have fine grained or specifically tailored permissions - it can only have the permissions of a user in the system - because user IDs are the way permissions are described.
Windows process tokens are initially cloned from the user who started the process (but the process inherits the integrity level from the executable and runs with low integrity level if the executable was low integrity), but the process token can be tailored, e.g. permissions removed. Windows tokens consist of SIDs rather than a single user ID. SIDs can refer to integrity levels or groups or alternate identities.
When a user logs on to Windows, a token with all of the user's permissions is initially created. But during the logon process a second token is created, one with all of the administrative privileges stripped away. This token becomes the user token and the one inherited by processes started by the user. The UAC prompt temporarily restores the original non-stripped token, allowing the user to exercise his admin rights. But crucially it does not allow him more rights than initially granted.
Compare that to Linux/Unix where the sudo "elevation" allows the process *root* permissions. Yes - sudo has been designed such that it limits what the user can do while running - but the process as such has universal powerful privileges and a single bug can allow total system compromise. This is by no means theoretical - multiple security problems have plagued sudo and other SUIDs. It is simply not least-privilege.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
But, in practice, most users on a typical Windows system are basically administrators (=root, or close enough - there's always TrustedInstaller etc), and so when UAC produces a token with their original privileges restored, the net effect is the same as sudo. So, when your average user sees a UAC prompt, the end result is the same as when he does sudo whatever.
even with mac os at $0 it's the hardware price / limited choice that makes windows be used.
But, in practice, most users on a typical Windows system are basically administrators (=root, or close enough - there's always TrustedInstaller etc), and so when UAC produces a token with their original privileges restored, the net effect is the same as sudo. So, when your average user sees a UAC prompt, the end result is the same as when he does sudo whatever.
That is correct for home- and individual users. But users in a corporate (or school) setting should *not* be allowed to elevate to full admin privileges, if at all. Users can still install per-user apps and policies can still restrict which apps can be allowed to start (based on hashes, digital signatures, vendor etc).
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
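The split token discussed in the posts above can be observed with `whoami /groups`, which lists the group and integrity-label SIDs carried by the current token. The following is an added example, not part of any poster's comment: the `whoami /groups /fo csv` output is constructed sample data, and the function names and host names are hypothetical.

```python
import csv
import io

# Well-known SIDs: S-1-16-<RID> is a mandatory integrity label,
# S-1-5-32-544 is the local BUILTIN\Administrators group.
INTEGRITY_BY_RID = {4096: "low", 8192: "medium", 12288: "high", 16384: "system"}
ADMINISTRATORS_SID = "S-1-5-32-544"

FINDINGS = {
    "absent": "standard user: elevation needs another account's admin credentials",
    "deny-only": "administrator on the filtered token: a UAC consent click restores full rights",
    "enabled": "full administrator token in use (elevated process, or token filtering disabled)",
}

# Constructed samples of `whoami /groups /fo csv` output (not captured from real hosts).
STANDARD_USER = r'''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'''

FILTERED_ADMIN = r'''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'''

ELEVATED_ADMIN = r'''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""
'''

# Hypothetical host names mapped to the constructed samples above.
SAMPLE_FLEET = {"LAB-01": STANDARD_USER, "LAB-02": FILTERED_ADMIN, "LAB-03": ELEVATED_ADMIN}


def classify_token(whoami_csv):
    """Report the integrity level and Administrators membership of one token."""
    integrity, admin_group = "unknown", "absent"
    for row in csv.DictReader(io.StringIO(whoami_csv.strip())):
        sid = (row.get("SID") or "").strip()
        attrs = (row.get("Attributes") or "").lower()
        if sid.startswith("S-1-16-"):
            # The last sub-authority of the label SID encodes the integrity level.
            rid = sid.rsplit("-", 1)[1]
            integrity = INTEGRITY_BY_RID.get(int(rid), "unknown") if rid.isdigit() else "unknown"
        elif sid == ADMINISTRATORS_SID:
            # In the filtered token the group is still listed, but only for deny checks.
            admin_group = "deny-only" if "deny only" in attrs else "enabled"
    return {"integrity": integrity, "admin_group": admin_group, "finding": FINDINGS[admin_group]}


def hosts_with_admin_users(fleet):
    """Hosts whose logged-on user can reach a full administrator token."""
    return sorted(h for h, out in fleet.items()
                  if classify_token(out)["admin_group"] != "absent")


if __name__ == "__main__":
    for host, output in sorted(SAMPLE_FLEET.items()):
        result = classify_token(output)
        print(f"{host}: integrity={result['integrity']} "
              f"admins={result['admin_group']} -> {result['finding']}")
    print("review:", hosts_with_admin_users(SAMPLE_FLEET))
```

Only the "absent" case corresponds to the corporate or school setup described above, where the logged-on user cannot elevate to full admin rights.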
And so it comes to this. It's not the fault of Windows, but the ignorance of those configuring the systems. Color me surprised!
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
I'm envisaging one of those posters of some starving Ethiopian waif begging for edukashun dollarz. Is that the impression you get. Or ... could it be ... a school administrator so enamoured of the Ribbon interface on their Orifice2012 that they couldn't find the button for starting the spell checker?
[self ... checks spelling]
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"