Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Privacy Education Security

Should Colleges Monitor Students' PCs? 554

dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"
This discussion has been archived. No new comments can be posted.

Should Colleges Monitor Students' PCs?

Comments Filter:
  • Education (Score:5, Interesting)

    by agent dero ( 680753 ) on Friday June 25, 2004 @10:18PM (#9534387) Homepage
    Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.

    Students are at college to learn. Educate them :)
    • Re:Education (Score:5, Insightful)

      by LostCluster ( 625375 ) * on Friday June 25, 2004 @10:26PM (#9534450)
      MAC banning is ineffective since nearly every card these days can have it's MAC address reprogramed. Real solutions are tied to the student's university login account which is associated with their other student records.
      • Re:Education (Score:5, Interesting)

        by EvanED ( 569694 ) <evaned.gmail@com> on Friday June 25, 2004 @10:29PM (#9534471)
        You don't want to disable this though, so they can still use lab computers.

        Here at PSU you must register your computer's MAC address and your dorm room and the port you plug your computer in within your room. If you change your MAC address from what's on file, you can't connect. If you plug into another port, you can't connect.
      • by Nexzus ( 673421 )
        I would think though, that if you're smart enough to change your MAC address, you'd be smart enough to make sure that your computer is safe.
      • Re:Education (Score:5, Insightful)

        by BillyBlaze ( 746775 ) <tomfelker@gmail.com> on Friday June 25, 2004 @10:33PM (#9534489)
        If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free, so banning by MAC address is a perfectly good reactive solution to viruses until they start randomly changing MAC addresses. And then you could ban unregistered MAC addresses, which is fine until viruses sniff and copy other MAC addresses, which isn't always possible.
        • Re:Education (Score:4, Insightful)

          by Pieroxy ( 222434 ) on Friday June 25, 2004 @10:42PM (#9534557) Homepage
          If you know how to reprogram your MAC address, you probably also know how to keep your computer virus-free

          Knowing is not doing. How many people do I know that perfectly know how to install an anti-virus but are just too lazy to do it.
          • Re:Education (Score:5, Insightful)

            by DrEldarion ( 114072 ) <[moc.liamg] [ta] [0791uhcsm]> on Friday June 25, 2004 @10:48PM (#9534587)
            Generally, though, the set of people who know how to change their MAC address and the set of people who keep their computer virus/worm-free intersect pretty well.
          • Re:Education (Score:3, Interesting)

            by homer_ca ( 144738 )
            Believe me I know. Even technies who know better can be lazy about antivirus software or OS updates, but they'll still understand the different between "Hey, your computer's not patched and it has old virus defs. It *could* get infected" and "HEY YOUR COMPUTER IS INFECTED. If you plug in to the LAN you WILL spread this virus."

            I have a bunch of software developers at work. They insist on running their test servers in a workgroup or their test domain. These are people who should know better, but I could remi
            • Re:Education (Score:5, Interesting)

              by binarybum ( 468664 ) on Friday June 25, 2004 @11:19PM (#9534731) Homepage
              I like this restricted subnet leper colony idea. A healthy network is one that runs well independently of how crapped out end nodes are. I think in this day, it is best to develop networks that assume that every node is a virus-ridden maggot that could potentially be a threat. Networks that rely on users keeping their systems tidy will not scale well and will invetibaly become weaker by not having to deal with minor day to day issues due to an intially placid user base.
              By moving "leper" systems into a restricted subnet until they prove themselves cured, you minimize the risk to your infrastructure without completely terminating access. Additionally, people that let their systems become infested usually will not be power users and may not even notice/mind the restricted access state.
              • Re:Education (Score:4, Interesting)

                by garcia ( 6573 ) * on Friday June 25, 2004 @11:41PM (#9534858)
                Yeah well they are still spewing garbage out and wasting bandwith (whether it is going anywhere or not).

                You also run the risk of having to disinfect these people manually via the network support staff.

                When you find the people that are infected, disable them, have IE automatically open to a page that tells them they are cut off and that they need to immediately contact the support staff for cleaning and reinstatement.
      • Re:Education (Score:3, Informative)

        by skinfitz ( 564041 )
        MAC banning is ineffective since nearly every card these days can have it's MAC address reprogramed. Real solutions are tied to the student's university login account which is associated with their other student records.

        But what if they start using someone elses login, or they start sharing login information? Try detecting that easily.

        A secure method using Windows 2k/XP would be to put the machines into a domain, use GPO's to turn on autoupdate and use IPSEC based on a domain certificate for authenticat
    • Re:Education (Score:5, Informative)

      by BobPaul ( 710574 ) * on Friday June 25, 2004 @10:36PM (#9534513) Journal
      This is exactly what our school does. When you first go on the network you're given a 10. ip address. Any DNS calls resolve to an oncompus webserver that allows you to register your computer (ie, if you load your home page, the school computer responds instead). When you register, you enter your username and password (or create one) and your computer is scanned for known security vulnerabilities (are you vuln to Blaster, etc) and any broadcasting virii. If you are, you are not even given a 10. address lease until you install patches (free CDs available from ITS or Dorm staff.) Once you've installed, you have to call ITS and ask to be unbanned.

      You don't have to use the schools antivirus, but if you get a virus that broadcasts you are DHCP banned. Just like before, you have to ask to be unbanned and you must re-do the registration process from before (since your mac was removed from the "good" list).

      While the computer is scanned, we are not required to install spyware. I think our policy is a good trade off, campus required spyware is too much. I'd move off campus or hurry up and switch to Linux.
      • Re:Education (Score:4, Insightful)

        by xanadu-xtroot.com ( 450073 ) <xanaduNO@SPAMinorbit.com> on Friday June 25, 2004 @11:16PM (#9534720) Homepage Journal
        but if you get a virus that broadcasts you are DHCP banned.

        What's to stop someone from doing a ping sweep of a subnet and giving their machine a static IP of one that doesn't respond to beat your DHCP restrictions?

        (this is an honest question, not a flame)

        And before you say that the MAC is banned:
        • MAC's can be changed.
        • ANY firewall product on any OS that I've used will record the MAC (when it can of course) along with an IP.
        I dunno. Maybe I'm not thinking of something, but, that system sounds pretty easy to beat. Granted I'm a "Computer Geek" and probably somewhere near 70% of the students aren't, but...
        • Re:Education (Score:4, Interesting)

          by BobPaul ( 710574 ) * on Saturday June 26, 2004 @12:58AM (#9535185) Journal
          Well, they do search for mis-formed MAC addresses (ie, if the MAC doesn't resolve to a real company) and then they'll port block you (at the switch). Or if you register a whole bunch of macs (remember, they go under your name in the database) then they'll block your physical port on the switch.

          Also, a ping sweep might register as a scan, in which case you might get blocked since virii also scan. Or, you'll hit my IP (my firewall blocks pings) and you'll use my ip/mac and then you will get yourself quickly physically blocked in the switch your connected to.

          For people not in the dorms, they can really only block your mac address, but I've tried manually setting IP addresses, and it doesn't seem to work...
    • Re:Education (Score:4, Interesting)

      by Anonymous Coward on Saturday June 26, 2004 @12:13AM (#9535016)
      As a network admin (Network Nazi, thank you very much) I know the effects of having just one compromised pc on the network. With all the viruses out there that spoof email addresses, I know instantly when an infected pc comes online (I get an email from every server that gets attacked by a virues...)

      On one hand, I commend the university staff for trying to keep everyone safe. Nothing worse than one infected pc spreading through the windows "security flaw" flavor of the week and dragging everything down.

      On the other hand, they are taking on a huge responsibility to keep the students pc's running. Case and point - we demand that everyone on our network runs McAfee and is kept up to date with patches. One lady in admin installs McAfee so that she can use her home pc to connect (via Cisco VPN,) and the whole pc stops blows up. I ended up spending 10 hours (6 hours trying to fix what went wrong, the other 4 giving up and reloading the damn thing.) Add to that getting grief the whole time because "This wouldn't have happened if I didn't install that.." Nevermind the spyware that was already installed.

      Moral of my rant? Don't do this kind of thing unless you have a mass of cheap labor (college kids who are on work/study,) and are allowed to fix what went wrong when it most likely will.
  • by jgrider ( 165754 ) on Friday June 25, 2004 @10:19PM (#9534388) Homepage
    Perhaps you might want to (anonymously) remind them that by assuming management of individuals computers (not uni. owned) like that, they are also assuming some liability. Who gets sued, if they miss a virus or something, and it eats your term paper... theoretically you could sue them... I bet they haven't thought of that.
  • Not unreasonable (Score:5, Informative)

    by Rhesus Piece ( 764852 ) on Friday June 25, 2004 @10:19PM (#9534391)
    My campus will disconnect any computer it finds vulnerable. I suppose this could be considered the next step in that direction, but this time students have a way to be sure that they don't end up disconnected at an inconvenient time.

    If this were my school, however, I think I'd find it easier to make my computer not look like a windows machine to the network, then deal with stuff on my own instead of trusting their software.
    • by ScrewMaster ( 602015 ) on Friday June 25, 2004 @10:28PM (#9534464)
      If it were my school, I think I'd find it easier to make my computer not be a Windows machine. Which begs the question: how is this outfit going to handle non-Windows systems? Are they going to force a similar level of compliance on Mac or Linux users? Personally I wouldn't want to have my machine subject to such regulations: I don't know as I would trust an IT department to ... well, let's just say I don't know as I would trust an IT department. I particularly wouldn't trust them with unfettered remote access to my personal property. I would also want to know what criteria were used in the selection of the software suite to be installed: if it's just because they got a good deal from Symantec I would have a problem with that too.
      • Re:Not unreasonable (Score:3, Informative)

        by hazem ( 472289 )
        I will start by saying I agree with you.

        But they'll just say the same thing:

        "I don't trust you and your computer with unfettered access to the University Network(property)."

        They'll also say that internet access is not a right, but rather a privelige, and if you want that privelige, you'll abide by their terms.

        My school used to post "hogs" lists of people who printed too much or used to much disk space. Maybe social pressure could help, with an "infected" list put up that shows who's computers have been
      • Then it is simple: (Score:5, Interesting)

        by Avihson ( 689950 ) on Friday June 25, 2004 @11:48PM (#9534894)
        You do not connect!

        If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.

        If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.

        I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
        I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.

        Never argue with an idiot, they drag you down to their level and beat you with experience.

    • Re:Not unreasonable (Score:3, Interesting)

      by LostCluster ( 625375 ) *
      Before implementing this kind of spybot, Syracuse University used to require that students caught running the major virus-of-the-month bring their students to the CMS office at the center of campus, where a work study student would install MacAffe (which the school has always had a site license that covered all students for) and then clean up the worm. This was done only during business hours and was intentionally slow... having your computer impounded for the weekend was an intentional side effect of this
    • by nametaken ( 610866 ) on Friday June 25, 2004 @10:59PM (#9534647)
      I live off the Illinois State University campus. However, our rental company "SAMI", has (best we can tell) chosen to use the same provider for our network access. They require us to use McAfee's antivirus, and will shut us off in the event of infection. They have posted signs everywhere prohibiting the use of routers with or without wireless access. This boggles my mind, as you'd think they would have wanted us to have the hardware firewalls. Worse than the fact that our DSL is ridiculously slow, they have firewalled off our filesharing (apparently permanently). The best part is, the cost of the DSL is bundled into my rent... so I can't opt to get rid of it and get a cable modem instead. If I get a cable modem, I will effectively be paying something like $100 a month for connectivity. I'd write letters to the local papers complaining, but they have the right to shut off our internet for no reason (signed the TOS sheet, bleh). If they shut me off, I get to keep paying for the internet I can't use because it's technically paid for by the rent I agreed to pay. That would be somewhat similar to ~ 2 months of downtime I had a couple semesters ago, where I had to keep paying the same amount of rent.
      • Re:Not unreasonable (Score:3, Interesting)

        by macdaddy ( 38372 )
        You should look into your state's renter/landlord laws. In Kansas it's called the Kansan Residential Landlord and Tenant Act. Our law explicitly forbids billing for bundled services not necessary for occupancy. I forget the exact wording but that's the jist of it. A lawyer in your area might be better able to advise you. I wouldn't be surprised if they are overstepping their bounds. All places like that will until someone stands up for themselves and fights back. Best of luck, and move out.
  • by Shmoe ( 17051 ) on Friday June 25, 2004 @10:19PM (#9534395) Homepage
    next step:

    request a hard drive scan for copyright owner's works.

    I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software i MUST install.

    • Easy Answer. (Score:3, Interesting)

      by twitter ( 104583 )
      I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software i MUST install.

      Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.

      Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill

      • Re:Easy Answer. (Score:4, Interesting)

        by mcrbids ( 148650 ) on Friday June 25, 2004 @11:38PM (#9534850) Journal
        Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?


        Running Red Hat Fedora, I routinely use yum to update packages... not much different than Windows Update.

        Just because I use Linux doesn't mean I don't feel the need to stay up to date!
      • Re:Easy Answer. (Score:4, Interesting)

        by forlornhope ( 688722 ) on Saturday June 26, 2004 @02:06AM (#9535397) Homepage
        Active Directory isnt so bad, Samba 3 can join AD domains and participate as a native client. Its a bit harder to setup but it is definately possible.
        As for Macs, Linux, and other commercial Unixes most people dont want that, so the CS department Im working at is concidering forcing Debian onto all our departmentally owned machines and denying access to all privately owned computers except on the highly locked down wireless lan, and even then we require virus scanners and up to date patches.
        Now I hear people groaning already about forcing Debian on all machines, well imagine this;
        A person sits down at a computer and is presented with a GDM login screen. They type in their user name and password and set their session to "Microsoft Windows 2000." Yup, you guessed it, a hardware independent completely locked down, controled and up to date version of Windows pops up logged into the domain with complete access to all their files and all the printers and everything, and they can even open up a terminal that automagically presents them with a Debian environment for them to do their programing on. How will we do this? VMWare running ontop of our nice Debian install. That way the Windows install is completely hardware independent and every time there is an update we just roll up a new image and throw it up on the file server and all our users have all the latest updates. Combine that with the fact that the Debian host machine is running snort and puts the Windows machine inside a highly restricted private ip space that is monitored, and virtually all the problems we have with Windows suddenly disappear. Now yes this is an abomination, but it turns Windows from a huge headache into just another *.deb that we have to keep track of and keep up on security for.
        Now thats how to deal with the Windows virus/spyware/worm administration nightmare. Now Im not saying that this would work to roll out on the entire campus, but it is a very novel approach.
    • You dont *have* to install it - want your own comp on your own terms? - get dial up. Want on thier network...getover it
    • by twitter ( 104583 ) on Friday June 25, 2004 @11:25PM (#9534768) Homepage Journal
      From the link above [microsoft.com]:

      As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems.

      It's a backdoor, they can do anything they want to your system. It can scan, read and write files. It's like giving them root, so they own your computer.

      With abilities like that, do you think they will bother to ask you when it comes time to satisfy some big power? RIAA requests to eliminate your music collection will be honored. CIA/FBI requests to search and monitor suspicious characters will be carried out. Anyone who would require such powers will abuse them.

      It's as unAmerican as all hell. Such scans would obviously violate your fourth amendment right to be secure in your personal papers. At State schools, the network is public and at many it has been paid for by special student fees, so this is an abuse of a public network, comparable to wholesale wiretaping, post violation and even bugging, if your computer has a microphone they can turn on. At private schools, ownership of the network depends on the amount of public money paid to build it and is encumbered by the fact that they will want to connect it to other public networks. That desire to connect to public networks should be used to enforce the kind decent behavior.

      All of the other services mentioned can and should be required of Windows machines but Winblows itself should be optional. Up to date virus definitions are helpful but generally too difficult for the end user to keep up with. All the services besides system monitoring are helpful to the user and the school. If the user chooses to be rooted as a condition of running Winblows, that's their choice.

      Operating systems that don't have problems should be encouraged by the University. Not being rooted can be one more reason to run Linux, Mac and other OS. Traffic should still be monitored. If my computer starts belching spam, I'd be happy if my ISP sent me a message and chopped the line. There's a big difference between that and requiring read write to my computer.

      • It's a backdoor, they can do anything they want to your system.

        As long as they have a valid (administrative) account on the target machine, yes. Otherwise no, they can't access it at all.

        Up to date virus definitions are helpful but generally too difficult for the end user to keep up with.

        Any decent antivirus software will have scheduled checking for updates built in - eg Grisoft's one [slashdot.org]. Even their free edition has this - set it, forget it.

        Winblows itself

        Factually wrong, conceptually wrong, and imm
  • Just cut them off (Score:5, Informative)

    by Spetiam ( 671180 ) on Friday June 25, 2004 @10:20PM (#9534400) Journal
    Personally, I'd much rather just get cut off and be notified why. I don't like the idea of giving over control of my computer like that.
  • by Coldeagle ( 624205 ) on Friday June 25, 2004 @10:20PM (#9534401)
    I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lakes anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software it self doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P
    • It sounds like they have good intentions with this "network security" software and not bad intentions to snoop on the students, but once installed the agent basically has administrator rights on that Windows box. There's a chance the agent could be subverted by a corrupt administrator, the school administration, or an outside attacker with less good intentions.

      There's a simpler way to fix this without the Big Brother risks. Block all the Netbios ports on the student dorm LAN and transparent proxy all outgo
  • by Aneurysm9 ( 723000 ) on Friday June 25, 2004 @10:21PM (#9534410)
    My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.
    • by Frater 219 ( 1455 ) on Saturday June 26, 2004 @01:08AM (#9535223) Journal
      Some steps I think might be useful:
      • Be honest and up-front with security advice. You know that Windows is a massive security risk. You know that Linux, BSD, and Mac OS X systems aren't virus-proof, but that they have on average a lot fewer problems. You know that a Windows system can be operated reasonably securely only if it's protected with up-to-date anti-virus software, zero-day Windows Update, and careful choices of third-party software. Communicate these facts.
      • Let students make choices freely, but offer them the tools you think are worth using. Don't require them to install particular software -- especially not something they will find untrustworthy, like monitoring software. Instead, make tools easily available which you have found to be valuable. That may mean a site license for your favorite anti-virus software. It may mean handing out Knoppix CDs. Or it may mean selling inexpensive NAT "firewalls" in the campus store, and giving the Help Desk the setup instructions.
      • Support smart choices, not just popular ones. Sure, most of your students use Windows. Some don't. Of the Windows users, most use Internet Explorer. Some don't. Make sure the ones who don't are welcome. The campus Web site needs to work in Safari, Konqueror, Galeon, and Firefox. The wireless network can't rely on a Cisco client program that only works properly on Windows. The help desk needs to be able to answer Mac OS X questions and some basic Linux desktop questions -- or, if not, refer them to someone who can, like the campus LUG.
      • Monitor for problems that harm others -- don't snoop. Ideally, every border on your campus network should have enough IDS to detect portscans. If not, no big deal -- monitor what you can. You're looking for signs of viruses, break-ins, bots, backdoors. You aren't looking for porn, MP3s, or passwords. You do not have the right to access students' files on their own computers; those are their property. (Don't claim to have that right in your AUP. You still don't have it.)
      • Cut off compromised systems. When you find a compromised system, cut it off the network first, then contact the owner. Use MAC-based blocking -- automatic, if at all possible. If your network registration system (you do have one, right?) associates the wired and wireless interfaces of a given computer, make sure to block both, since XP will wake up wireless if the wired cuts out. (Really, this is not all that much Perl!)
      • Don't punish accidents, but don't shield students from their choices' consequences. If a student's computer is infected with a virus and cut off, that's a bummer for the student. But it's probably in part the consequence of that student's choices. (After all, the Mac user next door didn't get the virus, and neither did the XP user who installed this week's patch the day it came out.) Your IT staff are not obligated to provide free disinfection services or OS reinstalls, and you are entitled to bill for clean-up, just as the residential life office would if someone trashed their room. The purpose here isn't punishment; it's simply to place the costs on the persons whose choices incurred those costs.
      • Some troublemaker freshmen will be your student computing assistants next year. Not all of them will. But you will hear about students who are doing "bad things" on the network. (You will hear -- you probably don't have to scan for them.) Students who act up, portscan their dorm, index the SMB shares of all the lusers who didn't realize they were exporting all their porn, piss off the systems staff, and make crazy demands are probably not sociopathic techno-crooks. They will get over it. Call them in and make friends with them. Some will start being useful to others. Hire them. Others will be nasty and malicious. Get them expelled.
      • Maintain
  • by garcia ( 6573 ) * on Friday June 25, 2004 @10:21PM (#9534411)
    No, they shouldn't monitor their computers at all. Not unless they plug into the campus network. Once the student does that it is now the college's responsiblity to protect their network and other's on that network.

    Don't want your computer searched? Don't connect to the network.

    If I was paying a network fee and ended up w/a virus or worm because of some other careless idiot I would be pissed.

    Hell, I am pissed that my webserver is constantly hit by Comcast IP ranges and Comcast does nothing about it when I *KNOW* that they have the ability to scan and disable the users (at least on ATTBI's existing network).
    • Well if it's ok then, gimmie your IP and root pw so I can scan your computer to make sure you dont have anything that will cause problems to everbodys intarweb.
    • If the college is requiring monitoring software to protect all PCs on a network and the owner of the machine pays for this service, it could create some liability issues for the college. If someone were to hack the auto updating system and push out some harmful software which damaged students' data and/or machine, people would blame the university for not preventing it and demand compensation. Depending on state laws, they might not even be able to insert some sort of legally valid disclaimer in their polic
  • easy solution... (Score:4, Insightful)

    by AmigaAvenger ( 210519 ) on Friday June 25, 2004 @10:22PM (#9534413) Journal
    Simple, if you don't like their conditions then don't use THEIR network! There are other solutions, dsl, cable... yes you will have to pay more, like other people. At my college students in the dorm often complained about not being able to run napster. all the off campus students didn't exactly have much sympathy, since we are paying $30-$50 a month for other sources of internet.
    • Re:easy solution... (Score:2, Informative)

      by mark-t ( 151149 )
      No... not always an option for people who live on campus.

      Quite frequently the only option for people who live in student housing is the internet that the university itself offers. The only real option left is dialup.

      • Re:easy solution... (Score:3, Informative)

        by LostCluster ( 625375 ) *
        Cable modem service is surprisingly more available than you might think. In most dorms, the cable service is provided by the cable company of record in the community. The school may or may not be paying for basic services... but if the students have the opportunity to purchase digital cable or on-demand service from the cable company, then the frequencies to allow cable modem service are most certainly present.

        At that point, only a contract stipulating that they can't offer cable modem service in the dorms
    • Re:easy solution... (Score:3, Interesting)

      by smilingirl ( 608655 )
      Um, at my college, the ONLY internet option you have is the university network. If you want internet in your place of residence (dorm, on campus apartment), it's the only thing available. No cable or DSL is run in the dorms! You might could use dialup through the phone lines I suppose, but that is so slow. And, frankly, I can not live without the internet, so I have to deal with the warzone of the university network. And a warzone it is indeed, I got a virus my freshman year that wiped my hard drive fr
  • by Phurd Phlegm ( 241627 ) on Friday June 25, 2004 @10:22PM (#9534415)
    ... unless the policy is that they don't allow it because they can't put their BigBrotherWare on it.

    It seems like a reasonable alternative would be to give people the option of maintaining their own PC. If they get a virus or become a spam bot or something, then they give up that right and have to allow the school to essentially administer their system.

    A question: what happens if someone has an old PC that's running 98 or something? Is the school going to give them a copy of something more modern so they can run their stuff? Can their machine even handle a newer OS?

    Of course, students are probably new and cool enough that they all have better PCs than me--mine is a 500 MHz K6. Since it runs Linux, it's actually plenty snappy....

  • Same experience (Score:5, Interesting)

    by AgentOJ ( 320270 ) on Friday June 25, 2004 @10:23PM (#9534422)
    I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.

    I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.

    Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?
  • by mark-t ( 151149 )
    Are your concerns well founded?

    Yes. To the _extent_ that the threat you dezcribe, however unlikely they think it is that someone could break their security, is extremely realistic and plausible. Regardless of what penalties they threaten to implement on the person(s) that do such a thing, happening once is happening once too often.

    Personally, I'd tell them that the only way I'd agree to this is _IF_ a malicious user got into the system and caused me to lose data, that they would assume complete accoun

  • This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'.

    Will the college be taking responsibility for data lost when a Microsoft patch installed a system that's less than generic is rendered unbootable? That seems to happen
  • <obligatory>
    While they're at it, why not go all the way [debian.org]?
    </obligatory>

    That does seem like a lot to expect out of students. I hate to have very much running on my own PC, and it's likely to cause more trouble than it's worth. They could probably reduce their demands to automatic updates, and use snort to tell them when someone's been infected. They don't have to write the snort rules themselves. There are a variety of people who publish them whenever something major comes out.
  • by Anonymous Coward
    Then they can sell the video feed in the internet and help to reduce tution fees with the income they make.

    Is a win-win situation, ppl around the world can get unscripted reality web bradcast (maybe pr0n) and let a lot of students to complete a college education it doesn't matter if it is to flip burgers at Mc Donald's
  • Um, shhhh! (Score:5, Funny)

    by acidrain ( 35064 ) on Friday June 25, 2004 @10:25PM (#9534448)
    Think man! Stop drawing attention to it, and start trying to hack it. Don't be a fool!
  • by IcEMaN252 ( 579647 ) on Friday June 25, 2004 @10:27PM (#9534455) Homepage
    ... run Linux. At least I tell them that, and they believe it well enough.

    In truth, I run XP with a good firewall most of the time.

    The school figures that if you are smart enough to fool them, you are smart enough not to need their help anyways, so they don't bother you too much. Plus, I know people in Computing & Media Services.
  • by h2oliu ( 38090 ) on Friday June 25, 2004 @10:27PM (#9534457)
    Having gone to a liberal (in all senses of the word) arts college, and now being an IT manager responsible for a few hundred machines I can understand both sides.

    Yes. There is a more central location for someone to attack. However, the average user doesn't take care of their system. In this case, you have to defend a single, actively malicious individual targetting your environment, rather than having to deal with the after effects of the bzillions of non-targetted attacks.

    Unfortunately, as usually happens in situations like this, it is the conscientious user that has their system's security lowered. While, on average, the general security of the population is improved.

    In my new position I can completely understand it.

    When I was in college, I would have despised the very concept.

    Overall, I think that this is probably better for the system. But I can sure understand why the "good" ones would feel like they are being punished for someone elses actions.

    Side note: The people who are truly technical will probably be running some flavor of Linux/Unix so they won't be affected by this.
  • Don't do this (Score:5, Interesting)

    by EvanED ( 569694 ) <evaned.gmail@com> on Friday June 25, 2004 @10:27PM (#9534458)
    I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.

    Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.

    I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.
  • by dartmouth05 ( 540493 ) * on Friday June 25, 2004 @10:29PM (#9534467)
    This doesn't sound like a very good idea. Even if the school itself is trustworthy and doesn't examine student files for content, such as illegally downloaded copyrighted materials, it is far too tempting a target for hackers--a nice centralized system with which he or she can control the entire campus's Windows machines. I much prefer Dartmouth College's response to the problems of viruses and worms--if something is detected, you'll be kicked off the network and you won't be allowed back on until your computer is clean.
  • by Spencerian ( 465343 ) on Friday June 25, 2004 @10:29PM (#9534468) Homepage Journal
    Many companies use features available for Windows Servers and third-party software to force updates and patches if you connect a computer to their network, or, more specifically, attempt to get a network address or login to the company domain.

    For Windows users, this isn't really a bad thing as a whole, since it's not your job (and nor would you want it) to remember and know every frickin' problem that Windows has or its severity. So, let the campus ITs do their work to keep you and other computers playing nice-nice on the network.

    On the other hand, the campus IT needs to be careful what they send as compulsory updates. Some PCs do not take certain updates well for God Knows Why, which could hose your system in some way. If that happens, I wouldn't know what your recourse would be to have your campus IT fix what it broke.

    And don't think I'm just picking on Windows, either--other operating systems, including Mac OS X and Linux, need some necessary updates, too. Those operating systems (so far) have had far, far fewer viral attacks than Windows that cause Bad Days.

    That could change someday.
  • by KidGlory ( 791696 ) on Friday June 25, 2004 @10:32PM (#9534487)
    I just attended ResNet 2004 which is a conference devoted to the Information Technology departments of all Colleges and Universities across the globe. There are usually around 300 participants and many other who do not make the guest list. I think the biggest conversation among those at the conference was how where is the line between appropriate and not appropriate actions to help keep the networks clean as well as the students computers. You can check out http://www.resnetsymposium.com for the website or http://web.princeton.edu/sites/resnet/ for a list of those who attended. There is also a listserv for @ http://listserv.nd.edu/archives/resnet-l.html. All of these sites will give you contacts for people who have answers to your questions. A trend for schools is purchasing solutions such as Perfigo www.perfigo.com or Bsi's campus manager http://www.bradford-sw.com to help them do their dirty work.
  • It's their network (Score:3, Insightful)

    by RockDoggy ( 782845 ) on Friday June 25, 2004 @10:33PM (#9534492) Homepage
    I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network.

    Isn't that already true?

    Anyway, keep this in mind: it's their network, and therefore it's their responsibility to secure it as best they can. If you don't like their methods, that's certainly your choice, and thus your best option may be a modem and your own dialup account off-campus.

    IMHO, you needn't worry about much invasion of privacy at a small liberal arts college. Such institutions tend to avoid such controversy. But make no mistake, you have no right to unfettered internet access when it's their network. It's a privilege, not a right.

  • paws off (Score:3, Insightful)

    by nuggetman ( 242645 ) on Friday June 25, 2004 @10:33PM (#9534493) Homepage
    it's my machine, not the schools
    if the school was buying me the machine, i'd say fine

    the school should not be playing mommy and daddy to the machines... if they see someone spreading worms then they should disconnect them and send a polite note saying why and how to fix it

    special software may be good for the kl00 phucked lusers, but to the people who know what they're doing it will be an annoyacnce

    besides, are they going to send people around to check? what's to stop me from uninstalling the software when the pimple-faced "support tech" leaves the room?
  • by Vellmont ( 569020 ) on Friday June 25, 2004 @10:35PM (#9534511) Homepage
    A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?
  • Another "Solution" (Score:3, Insightful)

    by pladdtn82 ( 692156 ) on Friday June 25, 2004 @10:38PM (#9534524)
    I am a student who also happens to be attending a small liberal arts school. When I returned to my dorm in the fall of 2003 after the widespread Blaster and SoBig worms, I found that our usually reliable (though somewhat lethargic) internet access was not working. The reason? Apparently, the infected computers brought in by freshman (roughly 300 students) were enough to cause problems.

    The response by IT was to cut internet access to every dorm room. IT had a very "holier than thou" attitude, and threatened to not restore access until *everyone* had installed the patch. Of course, this never happened, but the permanant "solution" was to throttle (read cripple) our upload speed from the dorms (I could average about 80 kbps on a good day).

    While this didn't bother most students (not many geeks, mainly people who just surf, read email, and use p2p), it was very frustrating for anyone who's internet needs went beyond that. Also, IT called several times inquiring why I had not installed the patch (I use a Macintosh).

    I guess my point is that IT deparments (perhaps specificly at small liberal arts or private schools) may tend to be a little over zealous when telling students what the must and/or can't do.

  • by Brandybuck ( 704397 ) on Friday June 25, 2004 @10:39PM (#9534532) Homepage Journal
    Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer. My employer does NOT come to my home and tell me what software must be on my personally owned computer. They have the right to prevent me from accessing their network from home, but no further.

    If campuses are providing internet access as a benefit to students, then they're acting like ISPs. If a small mom-n-pop ISP can handle issues like this, then so can a college or university.

    Most campuses seem to be a combination of both. They have their local network(s) with gateways to the internet. So they have to act like both businesses and ISPs. Both the campus AND the students need to realize this.
    • Many schools WILL provide you with a computer. Georgia Tech, for example, will rent a system to students for a fee per semester.

      They ARE saying "If you want on our network, you will put this on your system." If you're not using their network, you don't have to play by their rules.

      It's fairly simple. The network administrator is a jealous beast. He hates the system administrator and he hates the user. It is his territory, you play by his rules, or you don't play at all.
    • Why must a college campus be treated any differently from other organizations? If you're an employee, grad student, or are otherwise obligated to connect to their network, then they should supply you with the computer, just like an employer.

      Most of them do. Ever hear of a computer lab?

  • by hoggoth ( 414195 ) on Friday June 25, 2004 @10:42PM (#9534554) Journal
    > I am a CS student at a small Liberal Arts college

    When I read this my mind immediately expected it to be followed by something like:

    "I am a CS student at a small Liberal Arts college. I've never been lucky with girls and nothing like this has ever happened to me before. One night I was up late in the laundry room and this beautiful girl walked in..."

  • This is true (Score:5, Informative)

    by captainmoo ( 209101 ) on Friday June 25, 2004 @10:43PM (#9534559)
    Any time an institution requires software to be installed at all, it's a red flag that says that institution is doing something else wrong. While it's a good idea for students to keep their computers up to date with virus scanners and security patches and the like, it's not a good idea for the institution to take that responsibility away from the students themselves.

    I worked in the NOC here at the University of Washington, and the policy was to kill ethernet ports of infected computers. It was determined whether the computer was infected by analyzing traffic flow to/from the computers and picking out patterns characteristic of common worms and viruses. This not only helped alleviate the problem by preventing the viruses from propagating, but forcing the user to take action to get the wallport reactivated increased awareness.

    The UW also makes CDs with the latest virus software and patches available for free from the bookstore and various other places on campus. This way users don't have to connect to the internet to clean and patch their systems, and it makes the job easy through automated software. This kit doesn't, however, let the institution perform updates automatically or install arbitrary software. The university also maintains a repository on the LAN containing virus definition files, and the virus scanner on the CD is set up to download these automatically.

    So aside from the security implications the poster mentions, there are privacy issues with allowing the institution to install arbitrary software. By forcing the user to take action in order to use the resources provided, it eliminates the privacy concerns, and raises awareness of the greater issue.
  • Real world (Score:3, Interesting)

    by IanBevan ( 213109 ) * on Friday June 25, 2004 @10:50PM (#9534598) Homepage
    Well, welcome to the real world. This is exactly the policy you can expect to find in an enterprise environment. I see no good reason why it should not be applied to colleges/schools as well. After all, you are being plugged into their network infrastructure, and it's their job to keep the network running and available for all students.
  • No. (Score:3, Interesting)

    by ninjaz ( 1202 ) on Friday June 25, 2004 @11:23PM (#9534754)
    Colleges should not have administative control over students' PC's. In the workplace, it's a different issue entirely, since the the machine is generally company property and used specifically for work. In the case of a student PC, it is a personal machine, and likely to have highly personal data.

    Giving a college employee (who is likely a student) access to run any program with administrator rights is ripe for abuse. Even if this is limited to running a batch file daily (or weekly or ...) it would be trivial to add functionality to, for instance, copy all .gif files to look for an off color photo of any of the female students... or delete a research paper, install a keylogger, (re)enable a webcam's image capturing to see what you were missing while the owner thought it was off etc.

    Of course, you also mentioned the problem of the machine giving out all these patches being compromised. Even if your college were lucky enough to find someone honest enough to not do anything intentionally evil, compromise of that one machine would provide the attacker access to run anything as administrator on all connected systems.

    This is reminiscent of landlord/tenant laws. The landlord is required to give notice before entering someone's living space. And similar to the difference between department stores monitoring their dressing rooms for shoplifting vs. your landlord putting a camera into your bedroom and bathroom "to make sure you aren't using drugs / damaging anything/etc"

    It may be legal for the college to do this, but certainly isn't something it should be doing.

    Anyway, I'd be configuring VMWare run the university-accessible copy of Windows and only use that for NAT. Anything you send over their network cleartext is fair game, anyway.

  • by imsmith ( 239784 ) on Saturday June 26, 2004 @12:45AM (#9535151)
    You guys can bitch all you want, but the problem of having an entire ResNet filled with unpatched, virus/worm/trojan infected windows boxes show up on the last week in August is very real. As is the problem of outbound traffic from compromised windows machines consuming all the available bandwidth. The quarentine until proven clean methodology is becoming fairly standard in the ResNet management circles, as is some sort of authenticated access control that ties a human being to a machine address.

    The notion of putting clients on a PC is something that I personally don't advocate, but I know people who do, and I understand their reasons. Joining Windows boxes to a domain and using Windows Update Server to keep them up to date is another thing being tossed about.

    Basically, we are talking about keeping the network 'up' and providing 'the best for the most' in terms of access and bandwidth. If it means having to do some vulnerability scanning before you can get on the net, it may mean that.
  • by Lodragandraoidh ( 639696 ) on Saturday June 26, 2004 @01:07AM (#9535219) Journal
    Just as most schools require a 'basic computer' course - so too, either as part of this course, or as another, there should be a class on basic principles of networking and securing computers - generic for most OS's (linux, OSX, Windows).

    Before a student is allowed to connect - they must pass this course.

    Once they are connected, the IT department should have the authority to then remove them from the network if the network user in question becomes a nuisance. Expulsion should be tied to grievious violations.

    To ameliorate the effects of brain dead students - the network should be set up in smallish segments using switches in a star topology; this will allow you to take away the magic electrons from the ports of the marching morons on an individual basis; hubs are bad - if one becomes infected - they soon all will be.

    DNS (WINS resolution) should be set up in such a way as to deny automated resolution of student computer names/addresses within the network. This won't stop students who are smart enough to put their buddy's address in their hosts/lmhosts file - but it will stop the majority of idiots. Disable windows authentication domains...everyone logs into their own computer, and you won't be doing remote administration anyway - you don't need that headache.

    Default to disabling known nasty protocols - with the caveat that students can negotiate a legitimate need for ports to be opened up for their use.

    Assign static IPs to allow fine grained filtering - to accomidate the variations in students. Some students will have everything turned on and can be fully trusted; conversely, others will barely have any services beyond email enabled. This requires work on your part; automate this functionality of your network, then delegate responsibility for maintaining it to your most responsible students. You would be amazed how fast people become experts at network administration when they are responsible for making it work for everyone. To add a little fat to the fire - if they are dragging their feet on a network effecting problem - shut down all access to the outside world until they resolve the issue. Once you get the people trained, you shouldn't have to lift a finger.

    Email is another big hairball - I won't discuss; given a college/university environment, you will probably have to deal with alot of spam. On the other hand, if your students and faculty are savvy enough, you could perhaps go to a public key authentication system (everything without a valid key gets bounced). This won't help your internet facing interface much; but will help your internal traffic volume to your mailservers.
  • I wouldn't comply (Score:4, Insightful)

    by Grimster ( 127581 ) on Saturday June 26, 2004 @03:58AM (#9535674) Homepage
    The school's right to "poke" stops where the network cable meets my NIC card, everything on the outside of the cable is their business, if they detect viruses/spam/P2P/anything else "not allowed" then by all means bust my ass for it. However no one, but me, logs into and uses my computer, period, unless you come with a search warrant and that warrant includes looking into my PC then you ain't peeking at it. You can ask, and most damned likely I'll show you, but that's the extent of it.

    There was much the same discussion a while back when someone posted about the cable company "checking" their PC. Same rule applies, the cable company's, or school's rights end where my NIC card (or switch) begins. They're welcome to ask, and I'm welcome to say no. They're also welcome to turn off my uplink, everything has its consequences of course, go busting heads with the school you'll probably find your ethernet go black, but they're still not logging into my PC.

    Tell me what's wrong, I'll fix it but don't think for a minute you're putting your grubby mitts on my keyboard without a court order (or asking nicely, but you're still not patching jack shit, I'm the only one with root).

    Besides, I wouldn't run Windows on anything but a gaming machine anyway, I do my WORK on linux, so I can check email, open urls, etc etc etc without any fear I'm about to be infected by the "nasty virus of the day".
  • Hop, Skip (Score:3, Insightful)

    by rixstep ( 611236 ) on Saturday June 26, 2004 @04:59AM (#9535804) Homepage
    You want a technical answer but I think the ethical one is overriding here: I just don't believe networks should be run in this fashion.

    First, it's totally insane to require Microshite Windoze. It speaks of the cerebral poverty of the faculty at many an institution where these supposed gifted people can barely save a document in Microsoft Word and then require everyone else do the same.

    Second, any open standard should do just as well, and yet - and do I smell graft here? - Microsoft are in there, Dell are in there, IBM are sometimes in there, and demands are made that students get a computer of a definite make, model, configuration, etc - just to qualify for enrolment. If this isn't lobbying and bribery, I don't know what is.

    Finally, if you want to connect to a network, then you should be able to prove you're malware-free. I don't have the technical details on this, but forcibly downloading junk on students' computers is just wrong.

Take an astronaut to launch.

Working...