


Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all Windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step forward, two steps backward' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
Education (Score:5, Interesting)
Students are at college to learn. Educate them
Re:Education (Score:5, Insightful)
Re:Education (Score:5, Interesting)
Here at PSU you must register your computer's MAC address and your dorm room and the port you plug your computer in within your room. If you change your MAC address from what's on file, you can't connect. If you plug into another port, you can't connect.
Re:Education (Score:3, Informative)
Re:Education (Score:3, Informative)
Re:Education (Score:3, Informative)
Re:Education (Score:3, Funny)
Re:Education (Score:5, Insightful)
Re:Education (Score:4, Insightful)
Knowing is not doing. How many people do I know that perfectly know how to install an anti-virus but are just too lazy to do it.
Comment removed (Score:5, Insightful)
Re:Education (Score:3, Interesting)
I have a bunch of software developers at work. They insist on running their test servers in a workgroup or their test domain. These are people who should know better, but I could remi
Re:Education (Score:5, Interesting)
By moving "leper" systems into a restricted subnet until they prove themselves cured, you minimize the risk to your infrastructure without completely terminating access. Additionally, people that let their systems become infested usually will not be power users and may not even notice/mind the restricted access state.
Re:Education (Score:4, Interesting)
You also run the risk of having to disinfect these people manually via the network support staff.
When you find the people that are infected, disable them, have IE automatically open to a page that tells them they are cut off and that they need to immediately contact the support staff for cleaning and reinstatement.
Re:Education (Score:3, Interesting)
I go to a school of about 20,000 students and I work for the Arts & Sciences IT Department. I deal mostly with Faculty, not students in the residences (thank god).
We do much of what your school does to combat viruses, but now and then we get a professor who refuses to let us near their machine to clean it if it's infected. In that case, we have the authority to just go to the networking hub closets and start ripping out cables so that all the network jacks in that professor's office go dead. I don't
Re:Education (Score:3, Informative)
But what if they start using someone else's login, or they start sharing login information? Try detecting that easily.
A secure method using Windows 2k/XP would be to put the machines into a domain, use GPOs to turn on autoupdate and use IPSEC based on a domain certificate for authenticat
Re:Education (Score:5, Informative)
You don't have to use the school's antivirus, but if you get a virus that broadcasts you are DHCP banned. Just like before, you have to ask to be unbanned and you must re-do the registration process from before (since your MAC was removed from the "good" list).
While the computer is scanned, we are not required to install spyware. I think our policy is a good trade off, campus required spyware is too much. I'd move off campus or hurry up and switch to Linux.
Re:Education (Score:4, Insightful)
What's to stop someone from doing a ping sweep of a subnet and giving their machine a static IP of one that doesn't respond to beat your DHCP restrictions?
(this is an honest question, not a flame)
And before you say that the MAC is banned:
Re:Education (Score:4, Interesting)
Also, a ping sweep might register as a scan, in which case you might get blocked since viruses also scan. Or, you'll hit my IP (my firewall blocks pings) and you'll use my IP/MAC and then you will get yourself quickly physically blocked in the switch you're connected to.
For people not in the dorms, they can really only block your MAC address, but I've tried manually setting IP addresses, and it doesn't seem to work...
Re:Education (Score:4, Interesting)
On one hand, I commend the university staff for trying to keep everyone safe. Nothing worse than one infected PC spreading through the Windows "security flaw" flavor of the week and dragging everything down.
On the other hand, they are taking on a huge responsibility to keep the students' PCs running. Case in point - we demand that everyone on our network runs McAfee and is kept up to date with patches. One lady in admin installs McAfee so that she can use her home PC to connect (via Cisco VPN,) and the whole PC blows up. I ended up spending 10 hours (6 hours trying to fix what went wrong, the other 4 giving up and reloading the damn thing.) Add to that getting grief the whole time because "This wouldn't have happened if I didn't install that.." Never mind the spyware that was already installed.
Moral of my rant? Don't do this kind of thing unless you have a mass of cheap labor (college kids who are on work/study,) and are allowed to fix what went wrong when it most likely will.
It may not be all it's cracked up to be... (Score:5, Insightful)
Re:It may not be all it's cracked up to be... (Score:4, Informative)
Re:It may not be all it's cracked up to be... (Score:3, Insightful)
Re:It may not be all it's cracked up to be... (Score:3, Informative)
Re:It may not be all it's cracked up to be... (Score:3, Interesting)
The end result was, I still have to pay taxes for road repair, but the city is not at all liable for the road actually being in good enough condition that my bike isn't damaged by its use... even though I pay for it. I'm sure the university would use some similar logic... we're not responsible for any damage to your software/hardware, but you a
Re:It may not be all it's cracked up to be... (Score:5, Insightful)
Re:It may not be all it's cracked up to be... (Score:3, Insightful)
Re:It may not be all it's cracked up to be... (Score:3, Informative)
Re:It may not be all it's cracked up to be... (Score:3, Insightful)
Very good point, as well there are patches that sometimes break the computer in other ways, or altogether. What will the University do when they force a patch onto the entire student
Not unreasonable (Score:5, Informative)
If this were my school, however, I think I'd find it easier to make my computer not look like a Windows machine to the network, then deal with stuff on my own instead of trusting their software.
Re:Not unreasonable (Score:5, Insightful)
Re:Not unreasonable (Score:3, Informative)
But they'll just say the same thing:
"I don't trust you and your computer with unfettered access to the University Network(property)."
They'll also say that internet access is not a right, but rather a privilege, and if you want that privilege, you'll abide by their terms.
My school used to post "hogs" lists of people who printed too much or used too much disk space. Maybe social pressure could help, with an "infected" list put up that shows whose computers have been
Then it is simple: (Score:5, Interesting)
If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.
If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.
I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre Windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.
Never argue with an idiot, they drag you down to their level and beat you with experience.
Re:Not unreasonable (Score:3, Interesting)
Actually, this smacks somewhat of a job-security issue. If students were all running Macs or Linux or what-have-you, there might be less need for IT personnel.
Re:Not unreasonable (Score:3, Interesting)
Re:Not unreasonable (Score:4, Insightful)
Re:Not unreasonable (Score:3, Interesting)
alternate invasive uses (Score:5, Insightful)
request a hard drive scan for copyright owner's works.
I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software I MUST install.
Easy Answer. (Score:3, Interesting)
Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.
Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill
Re:Easy Answer. (Score:4, Interesting)
Running Red Hat Fedora, I routinely use yum to update packages... not much different than Windows Update.
Just because I use Linux doesn't mean I don't feel the need to stay up to date!
Re:Big Difference. (Score:4, Interesting)
Wow. You must have some TIME on your hands to put together such blather. Since it's obviously important to you, I'll take a few myself.
1) Your very first sentence is self contradictory, assuming that you meant "sycophant [reference.com]"... How can somebody be a sycophant and obnoxious/off-topic? Or did you not notice the word "flattery" in the definition?
2) This is slashdot. Here is where people spend leisure time and blather. Such as, for instance, your post. Get over it. Think of slashdot as the online equivalent of a bar. Some people talk too much. Some people really should shower more often. Some people wear clothes that were fashionable in the 80's. Get over it.
3) It's OK to not like Microsoft software. Probably 80% of my experience of cyberspace is done via Linux. I hate the worms, viruses, spyware, and general crap as much as the next guy. I love the clean, easy way Linux lets me at the guts of the system to result in a stable, secure platform.
4) Even if twitter is some lonely, desperate, delusional, megalomaniac karma whore, how is posting stuff on slashdot being "part of the open source/free software community."? Contributing software is "being part of the OSS community" - posting on slashdot is being part of the slashdot community!
Get off your high horse, dude. People are entitled to be a bit nuts - you'll probably figure that out (as most people do) when you get to be around 30.
Oftentimes, the nuttiest people are the most brilliant.
I remember a gentleman named "Gary". I won't give his last name. He was one of the strangest people I'd ever met. Remember "Revenge of the Nerds"? Well, the cast of that movie tried in vain to capture the spirit of Gary.
The kind of guy who really DID drive a mustard-brown, 20-year old station wagon at 35 MPH down the Interstate - stuffed to the gills with books, bird cages, a pet lizard, folding chairs, boxes of clothing obtained at a thrift store, and consumed Jolt cola bottles.
He attended community (There's that word, in this case, it was people in the area in which I lived meeting together) meetings that I often attended as well, meetings congressed to discuss legal and political issues.
Having talked briefly with Gary before, and figuring him for being partially mentally handicapped, it was a great shock when, during a speech on the history of the US Constitution, Gary raises his hand, and then spends several minutes giving a detailed, ornate, and incredible rendition of the history of an important event. (I could be wrong, but if I remember correctly it was the ending of the civil war)
I was shocked, and I wasn't the only one. Everyone I knew looked at each other in surprise and bewilderment. This? Coming from GARY!?
So, before you go knocking on twitter for having a good time mentally masturbating on slashdot, remember this old saying:
"There's enough good in the worst of us, and enough bad in the best of us, that it ill behooves any of us to think the worst of any of us".
Re:Easy Answer. (Score:4, Interesting)
As for Macs, Linux, and other commercial Unixes most people don't want that, so the CS department I'm working at is considering forcing Debian onto all our departmentally owned machines and denying access to all privately owned computers except on the highly locked down wireless LAN, and even then we require virus scanners and up to date patches.
Now I hear people groaning already about forcing Debian on all machines, well imagine this;
A person sits down at a computer and is presented with a GDM login screen. They type in their user name and password and set their session to "Microsoft Windows 2000." Yup, you guessed it, a hardware independent completely locked down, controlled and up to date version of Windows pops up logged into the domain with complete access to all their files and all the printers and everything, and they can even open up a terminal that automagically presents them with a Debian environment for them to do their programming on. How will we do this? VMWare running on top of our nice Debian install. That way the Windows install is completely hardware independent and every time there is an update we just roll up a new image and throw it up on the file server and all our users have all the latest updates. Combine that with the fact that the Debian host machine is running snort and puts the Windows machine inside a highly restricted private IP space that is monitored, and virtually all the problems we have with Windows suddenly disappear. Now yes this is an abomination, but it turns Windows from a huge headache into just another *.deb that we have to keep track of and keep up on security for.
Now that's how to deal with the Windows virus/spyware/worm administration nightmare. Now I'm not saying that this would work to roll out on the entire campus, but it is a very novel approach.
Re:alternate invasive uses (Score:3, Insightful)
There will be no request, it will just happen. (Score:5, Insightful)
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.
With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.
It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretapping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.
All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.
Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.
Re:There will be no request, it will just happen. (Score:3, Informative)
As long as they have a valid (administrative) account on the target machine, yes. Otherwise no, they can't access it at all.
Up to date virus definitions are helpful but generally too difficult for the end user to keep up with.
Any decent antivirus software will have scheduled checking for updates built in - eg Grisoft's one [slashdot.org]. Even their free edition has this - set it, forget it.
Winblows itself
Factually wrong, conceptually wrong, and imm
Just cut them off (Score:5, Informative)
It's a good thing and a bad thing (Score:4, Interesting)
Re:It's a good thing and a bad thing (Score:3, Informative)
There's a simpler way to fix this without the Big Brother risks. Block all the Netbios ports on the student dorm LAN and transparent proxy all outgo
Use a carrot, not a stick (Score:5, Interesting)
Re:Use a carrot, not a stick (Score:5, Insightful)
No, absolutely not. (Score:3, Insightful)
Don't want your computer searched? Don't connect to the network.
If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.
Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
Ok then . . . . (Score:3, Funny)
Re:No, absolutely not. (Score:3, Interesting)
Re:No, absolutely not. (Score:3, Insightful)
Even more relevant is the fact that the internet must be paid for (in this case by the university, who then charges a sub-fee to the students) - whereas air is free.
easy solution... (Score:4, Insightful)
Re:easy solution... (Score:2, Informative)
Quite frequently the only option for people who live in student housing is the internet that the university itself offers. The only real option left is dialup.
Re:easy solution... (Score:3, Informative)
At that point, only a contract stipulating that they can't offer cable modem service in the dorms
Actually... (Score:3)
Re:easy solution... (Score:3, Interesting)
Good reason to have Linux on your PC (Score:4, Insightful)
It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.
A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?
Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....
Same experience (Score:5, Interesting)
I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.
Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning Outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost-effective solution that a small private college can implement?
Yes (Score:2)
Yes. To the _extent_ that the threat you describe, however unlikely they think it is that someone could break their security, is extremely realistic and plausible. Regardless of what penalties they threaten to implement on the person(s) that do such a thing, happening once is happening once too often.
Personally, I'd tell them that the only way I'd agree to this is _IF_ a malicious user got into the system and caused me to lose data, that they would assume complete accoun
What a fantastically awful idea (Score:2, Interesting)
Will the college be taking responsibility for data lost when a Microsoft patch installed a system that's less than generic is rendered unbootable? That seems to happen
bleh (Score:2)
While they're at it, why not go all the way [debian.org]?
</obligatory>
That does seem like a lot to expect out of students. I hate to have very much running on my own PC, and it's likely to cause more trouble than it's worth. They could probably reduce their demands to automatic updates, and use snort to tell them when someone's been infected. They don't have to write the snort rules themselves. There are a variety of people who publish them whenever something major comes out.
Schools should monitor girl's quarters (Score:2, Funny)
Is a win-win situation, ppl around the world can get unscripted reality web broadcast (maybe pr0n) and let a lot of students to complete a college education it doesn't matter if it is to flip burgers at McDonald's
Um, shhhh! (Score:5, Funny)
Re:Um, shhhh! (Score:5, Funny)
Bada Boom!
Thanks folks, I'm here all week!
My School Has This and I... (Score:4, Informative)
In truth, I run XP with a good firewall most of the time.
The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
Balancing out the evils (Score:5, Insightful)
Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targeting your environment, rather than having to deal with the after effects of the bzillions of non-targeted attacks.
Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.
In my new position I can completely understand it.
When I was in college, I would have despised the very concept.
Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone else's actions.
Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
Don't do this (Score:5, Interesting)
Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.
I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
Dartmouth's response (Score:3, Insightful)
A Necessary Evil for Windows PCs (Score:3, Informative)
For Windows users, this isn't really a bad thing as a whole, since it's not your job (and nor would you want it) to remember and know every frickin' problem that Windows has or its severity. So, let the campus ITs do their work to keep you and other computers playing nice-nice on the network.
On the other hand, the campus IT needs to be careful what they send as compulsory updates. Some PCs do not take certain updates well for God Knows Why, which could hose your system in some way. If that happens, I wouldn't know what your recourse would be to have your campus IT fix what it broke.
And don't think I'm just picking on Windows, either--other operating systems, including Mac OS X and Linux, need some necessary updates, too. Those operating systems (so far) have had far, far fewer viral attacks than Windows that cause Bad Days.
That could change someday.
University ResNet Responsibilities (Score:5, Informative)
It's their network (Score:3, Insightful)
Isn't that already true?
Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.
IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.
paws off (Score:3, Insightful)
if the school was buying me the machine, i'd say fine
the school should not be playing mommy and daddy to the machines... if they see someone spreading worms then they should disconnect them and send a polite note saying why and how to fix it
special software may be good for the kl00 phucked lusers, but to the people who know what they're doing it will be an annoyance
besides, are they going to send people around to check? what's to stop me from uninstalling the software when the pimple-faced "support tech" leaves the room?
The college in question is Wheaton. (Score:5, Interesting)
Another "Solution" (Score:3, Insightful)
The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanent "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).
While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone whose internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).
I guess my point is that IT departments (perhaps specifically at small liberal arts or private schools) may tend to be a little overzealous when telling students what they must and/or can't do.
Campuses, workplaces and ISPs (Score:5, Insightful)
If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.
Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
Re:Campuses, workplaces and ISPs (Score:3, Insightful)
They ARE saying "If you want on our network, you will put this on your system." If you're not using their network, you don't have to play by their rules.
It's fairly simple. The network administrator is a jealous beast. He hates the system administrator and he hates the user. It is his territory, you play by his rules, or you don't play at all.
Re:Campuses, workplaces and ISPs (Score:3, Insightful)
Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer.
Most of them do. Ever hear of a computer lab?
Reading too much Penthouse... (Score:5, Funny)
When I read this my mind immediately expected it to be followed by something like:
"I am a CS student at a small Liberal Arts college. I've never been lucky with girls and nothing like this has ever happened to me before. One night I was up late in the laundry room and this beautiful girl walked in..."
This is true (Score:5, Informative)
I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wallport reactivated increased awareness.
The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.
So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
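The traffic-pattern check described in the comment above can be sketched as follows. This is an added example, not part of the original post and not the university's tooling: the flow record layout, the watched ports (135/139/445), the 60-second window, the threshold of 20 distinct destinations and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed values for this example, not taken from the thread.
WATCHED_PORTS = {135, 139, 445}   # Windows RPC / NetBIOS session / SMB
WINDOW_SECONDS = 60               # sliding window length
MAX_DISTINCT_DESTS = 20           # distinct destinations tolerated per window


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str      # dorm host that opened the connection
    dst: str      # destination address
    dport: int    # destination TCP port


def find_scanners(flows, window=WINDOW_SECONDS, limit=MAX_DISTINCT_DESTS,
                  ports=WATCHED_PORTS):
    """Return {src: timestamp at which src first exceeded `limit` distinct
    destinations on a watched port within `window` seconds}."""
    recent = defaultdict(deque)                        # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> flow count
    flagged = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport not in ports or f.src in flagged:
            continue
        q, seen = recent[f.src], in_window[f.src]
        q.append((f.ts, f.dst))
        seen[f.dst] += 1
        # Expire flows that have aged out of the window.
        while q and q[0][0] <= f.ts - window:
            _, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) > limit:
            flagged[f.src] = f.ts   # candidate for port shutdown or quarantine
    return flagged


def constructed_flows():
    """Constructed sample traffic for four dorm hosts."""
    flows = []
    # Worm-like fan-out: 40 different hosts on TCP 135 within 20 seconds.
    for i in range(40):
        flows.append(Flow(100 + 0.5 * i, "10.1.2.30", f"10.1.3.{i + 1}", 135))
    # Heavy but ordinary file-server use: 200 flows to the same two servers.
    for i in range(200):
        flows.append(Flow(100 + 0.3 * i, "10.1.2.31", f"10.1.0.{10 + i % 2}", 445))
    # Web browsing to many sites: port 80 is not watched.
    for i in range(30):
        flows.append(Flow(100 + i, "10.1.2.32", f"192.0.2.{i + 1}", 80))
    # File sharing with 30 different peers, one per minute over half an hour.
    for i in range(30):
        flows.append(Flow(100 + 60 * i, "10.1.2.33", f"10.1.4.{i + 1}", 445))
    return flows


if __name__ == "__main__":
    for host, ts in find_scanners(constructed_flows()).items():
        print(f"{host} exceeded the fan-out limit at t={ts}s")
```

Counting distinct destinations rather than raw flows is what keeps the heavy file-server user off the list; the window length and limit decide how much ordinary peer-to-peer file sharing is tolerated before a port is shut off.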
Real world (Score:3, Interesting)
No. (Score:3, Interesting)
Giving a college employee (who is likely a student) access to run any program with administrator rights is ripe for abuse. Even if this is limited to running a batch file daily (or weekly or ...) it would be trivial to add functionality to, for instance, copy all .gif files to look for an off color photo of any of the female students... or delete a research paper, install a keylogger, (re)enable a webcam's image capturing to see what you were missing while the owner thought it was off etc.
Of course, you also mentioned the problem of the machine giving out all these patches being compromised. Even if your college were lucky enough to find someone honest enough to not do anything intentionally evil, compromise of that one machine would provide the attacker access to run anything as administrator on all connected systems.
This is reminiscent of landlord/tenant laws. The landlord is required to give notice before entering someone's living space. And similar to the difference between department stores monitoring their dressing rooms for shoplifting vs. your landlord putting a camera into your bedroom and bathroom "to make sure you aren't using drugs / damaging anything/etc"
It may be legal for the college to do this, but certainly isn't something it should be doing.
Anyway, I'd be configuring VMWare to run the university-accessible copy of Windows and only use that for NAT. Anything you send over their network cleartext is fair game, anyway.
I am the network admin at a college (Score:4, Informative)
The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.
Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
Training, Architecture, Responsibility (Score:3, Informative)
Before a student is allowed to connect - they must pass this course.
Once they are connected, the IT department should have the authority to then remove them from the network if the network user in question becomes a nuisance. Expulsion should be tied to grievous violations.
To ameliorate the effects of brain dead students - the network should be set up in smallish segments using switches in a star topology; this will allow you to take away the magic electrons from the ports of the marching morons on an individual basis; hubs are bad - if one becomes infected - they soon all will be.
DNS (WINS resolution) should be set up in such a way as to deny automated resolution of student computer names/addresses within the network. This won't stop students who are smart enough to put their buddy's address in their hosts/lmhosts file - but it will stop the majority of idiots. Disable windows authentication domains...everyone logs into their own computer, and you won't be doing remote administration anyway - you don't need that headache.
Default to disabling known nasty protocols - with the caveat that students can negotiate a legitimate need for ports to be opened up for their use.
Assign static IPs to allow fine grained filtering - to accommodate the variations in students. Some students will have everything turned on and can be fully trusted; conversely, others will barely have any services beyond email enabled. This requires work on your part; automate this functionality of your network, then delegate responsibility for maintaining it to your most responsible students. You would be amazed how fast people become experts at network administration when they are responsible for making it work for everyone. To add a little fat to the fire - if they are dragging their feet on a network-affecting problem - shut down all access to the outside world until they resolve the issue. Once you get the people trained, you shouldn't have to lift a finger.
Email is another big hairball - I won't discuss; given a college/university environment, you will probably have to deal with a lot of spam. On the other hand, if your students and faculty are savvy enough, you could perhaps go to a public key authentication system (everything without a valid key gets bounced). This won't help your internet facing interface much; but will help your internal traffic volume to your mailservers.
I wouldn't comply (Score:4, Insightful)
There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.
Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).
Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
Hop, Skip (Score:3, Insightful)
First, it's totally insane to require Microshite Windoze. It speaks of the cerebral poverty of the faculty at many an institution where these supposed gifted people can barely save a document in Microsoft Word and then require everyone else do the same.
Second, any open standard should do just as well, and yet - and do I smell graft here? - Microsoft are in there, Dell are in there, IBM are sometimes in there, and demands are made that students get a computer of a definite make, model, configuration, etc - just to qualify for enrolment. If this isn't lobbying and bribery, I don't know what is.
Finally, if you want to connect to a network, then you should be able to prove you're malware-free. I don't have the technical details on this, but forcibly downloading junk on students' computers is just wrong.
Re:apples? (Score:2, Insightful)
I think that should clear it up. And since it's the computer science department that's running this, I would think that they know of other OSes other than Windows, i.e. Linux, BSD, OSX, etc., and rightfully evaluate them differently.
Liberal Arts colleges and OS choice (Score:4, Interesting)
1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.
I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.
As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.
What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.
Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.
But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....
A good thing your experience is far from universal (Score:5, Informative)
In reference to the topic at hand, I have to say this University is taking the wrong course of action. My school took the "lock the port" approach. Quite simply, if they could tell your computer was infected and you weren't doing jack to fix it, you lost your internet. Didn't like it? Well fix it. Otherwise you're gonna be going to another dorm room to try to hook up (and remember, your roommate isn't gonna like you either, cause you cost both of you an internet connection).
PS to grandparent of this message - The author states he/she is a CS student; the author never states the CS department is the head of this action (I'm strongly willing to believe it is not).
Re:apples? (Score:4, Funny)
We polish 'em up and give 'em to teacher.
KFG
Re:apples? (Score:5, Informative)
In all honesty, at a small college like the one I attend, there's a good reason to go with PCs from a financial standpoint: Despite educational discounts, Macs still cost more than PCs. That's a simple fact. Secondly, Microsoft gives AMAZING educational discounts for their software. I'm not talking about the "Educational" licenses for students, but rather we get X amount of free software per year, which is really a boon for our computer services department. We recently got our budget cut in half (management isn't comprised of the brightest of individuals), so the financial aspect is really appealing.
If we had the option to run all Macs, I'd swing for it in a minute, as far as my duties for computer services are concerned. It would make my job a helluva lot easier. However, we don't have that option, and I think you'll find that the same is true for most small colleges.
Management (Score:5, Funny)
People in management can get very bright; you just need to burn them at a higher temperature until they glow a nice, pretty blue.
:)
Re:apples? (Score:4, Informative)
The 'free' software is generally used, as most of it is comp sci department stuff (VC++,
I can't think of the name of the software package off the top of my head, but I remember there was some large-scale app that went to waste, and the copies are still sitting in a box in storage from two semesters ago. And due to the licensing agreements, we can't sell or give it away, so it kinda sucks.
Re:Enough is enough (Score:3, Funny)
Re:Wheaton is no stranger to controlling students. (Score:3, Interesting)
Re:Wheaton is no stranger to controlling students. (Score:3, Insightful)
In other words: most of the students made their choice, paid their money, and are attending Wheaton because they would rather be there than somewhere else.
It's not really relevant to the conversation, but ma
Re:Wheaton is no stranger to controlling students. (Score:3, Insightful)
Re:Wheaton is no stranger to controlling students. (Score:3, Insightful)
And some parents require their adult-kids to attend local nearby colleges so they can force their kids to live at home while studying. That's life.
For every choice we have available, there is a price we have to pay for that choice. Get over it. Stop talking like a victim. Like the other poster mentioned, you
Tux goes to College... (Score:3, Interesting)
I've got the laptop in question right here, [slashdot.org] (I'm typing on it now) an