Measuring software for schools


  • 🚽 Regular

    Urg, sounds like the installers for PLC software. Those also have Win95 styling just so you don't get any unrealistic expectations that the software won't be a buggy piece of rubbish once it's installed.
    It seems to be that the more you pay the worse it is.



  • Yeah, the installer windows for this software also aren't quite capable of dealing with high DPI displays.

    Bonus points for the update tool which checks the version of the installed software - and which promptly nags me to update it to the newest version.

    Problem: The same tool then tells me that my license is not valid for the new version. I also did indeed install the newest version before this debacle (and promptly stumbled over the license issue).

    I have yet to find out any new features. Seriously, nothing immediately springs to mind.
    The installer: Same.
    The tools included: Same.
    The UI: Exact same.



  • This post is a couple days old, but I couldn't help:
    @dkf said:

    Looks like they got off lightly. HF is where chemistry gets serious.

    I trust anyone interested in this discussion of dangerous chemicals knows of "Things I Won't Work With"?

    I think this is my favorite entry:

    In a comment to my post on putting out fires last week, one commenter mentioned the utility of the good old sand bucket, and wondered if there was anything that would go on to set the sand on fire. Thanks to a note from reader Robert L., I can report that there is indeed such a reagent: chlorine trifluoride. ... It is apparently about the most vigorous fluorinating agent known, and is much more difficult to handle than fluorine gas. That’s one of those statements you don’t get to hear very often, and it should be enough to make any sensible chemist turn around smartly and head down the hall in the other direction.

    The compound is also a stronger oxidizing agent than oxygen itself, which also puts it into rare territory. That means that it can potentially go on to “burn” things that you would normally consider already burnt to hell and gone, and a practical consequence of that is that it’ll start roaring reactions with things like bricks and asbestos tile.
    ...
    There’s a report from the early 1950s (in this PDF) of a one-ton spill of the stuff. It burned its way through a foot of concrete floor and chewed up another meter of sand and gravel beneath, completing a day that I'm sure no one involved ever forgot.



  • And heeere we are again.

    The guys have now broken WiFi completely and it has been broken for two weeks now. When I was still an admin for my dorm, the other residents would've gathered torches and pitchforks after two hours.

    Two weeks would've probably earned me a visit to the Iron Maiden (and not the musical kind!).

    They also managed to break my private connection via an access point. Will have to see how I can circumvent that - I will not be at the mercy of those clowns.

    And, yes, we finally got 25 new Surface Pro tablets just like I asked for. Well, finally and got may be a bit too strong. It's rather "I got a notification that they were delivered to our IT guys".

    That was more than a month ago. Today I got an email which informed me that they were whining about how hard it is to image those laptops. For some reason they also need a recovery image for the Surface which they were not able to obtain from Microsoft.

    I just tried it - worked just fine for me. I'm mystified where they're going wrong.

    I shudder to think what will happen when I'll suggest that we move to Windows 10 when it comes out this year...



  • Short one:

    They broke HTTPS. And only that.


  • Discourse touched me in a no-no place

    @Rhywden said:

    They broke HTTPS. And only that.

    Oh, a badly done transparent proxy, probably thinking about forcing everyone to install their own CA certificate so that they can spoof any site they want. It's an astoundingly Bad Idea. Awful, awful, awful.

    Please slap them upside the head from me.



  • Yeah, they already tried that one - at least the MITM attack.

    They only forgot that we also have our own PCs and smart phones on the network, and it turns out that modern browsers complain quite a bit about someone trying to pull such a stunt.



  • Forwarded to my inbox:

    From my outbox:

    Thanks, [upstream support guy].

    We maintain a local whitelist of student-accessible SSL sites instead of
    allowing Zscaler to run MITM attacks against all SSL traffic, so this is
    a non-issue for us.

    Cheers
    [me]



  • So, today I once again set out to discover why on Earth the semi-public WLAN is still not working.

    Okay, DNS seems to be somewhat reliable now - nslookup does yield results.
    And I can ping the destination. Great success!
    Curl? Well, that's where we run into a "Cannot establish a connection". Damn.

    Hmmh, let's run a tracert just for shits and giggles, just to see where the packets are routed exactly.

    1    5 ms    3 ms    4 ms    172.17.0.7
    2    8 ms    3 ms    4 ms    192.168.200.3
    3    9 ms    4 ms    4 ms    10.32.77.1
    4    9 ms    4 ms    4 ms    10.32.2.13
    5    9 ms    5 ms    *       10.16.1.2
    6    *       *       *       Timeout
    7   10 ms    6 ms    6 ms    88.246.246.25  //first public address
    

    I'm not exactly sure what to make of this, but it looks like there are at least 3 NATs involved, plus a bit of bouncing around on internal servers.

    Also, I'm not sure WHY there are so many NATs in the first place? Shouldn't the address space of 10.0.0.0/8 suffice if you use something like VLAN if you're concerned about network segments not being able to talk to each other?

    Granted, this may not actually be the cause of the problems but it sure ain't helping...
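    As an added example (not from the thread), a small Python script that parses the tracert output quoted above and groups the hops by RFC 1918 block, so that "how many private address realms does this path cross" becomes something you can compute rather than eyeball. The sample input is the hop list from the post, embedded as a constructed string; the script assumes nothing beyond the standard library. Note the caveat built into it: a change of private block along the path is only a hint of a NAT boundary, because traceroute shows the address each router answers from, not whether it rewrote your packets.

```python
import ipaddress
import re

# Constructed sample: the tracert output quoted in the post above, including the
# poster's "//" annotation on the last hop. Not captured live here.
TRACERT_OUTPUT = """\
1    5 ms    3 ms    4 ms    172.17.0.7
2    8 ms    3 ms    4 ms    192.168.200.3
3    9 ms    4 ms    4 ms    10.32.77.1
4    9 ms    4 ms    4 ms    10.32.2.13
5    9 ms    5 ms    *       10.16.1.2
6    *       *       *       Timeout
7   10 ms    6 ms    6 ms    88.246.246.25  //first public address
"""

# The three RFC 1918 private blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hop number, the three probe columns (ignored), then the last whitespace-free token,
# which is either an address or the word tracert prints when every probe was lost.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\S+)\s*$")


def classify(addr_text):
    """Return the RFC 1918 block containing the address, 'public' for a globally
    routable address, 'other' for anything else (loopback, link-local, CGNAT ...),
    or None when the token is not an address at all (a silent hop)."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    for block in PRIVATE_BLOCKS:
        if ip in block:
            return str(block)
    return "public" if ip.is_global else "other"


def parse_hops(text):
    """Parse tracert-style output into (hop_number, last_token, realm) tuples."""
    hops = []
    for line in text.splitlines():
        line = line.split("//", 1)[0]          # drop a trailing "// comment" annotation
        m = HOP_RE.match(line)
        if not m:
            continue
        token = m.group(3)
        hops.append((int(m.group(1)), token, classify(token)))
    return hops


def address_realms(hops):
    """Collapse consecutive hops in the same block into one realm, skipping hops
    that did not answer. Each change of realm is a *possible* NAT boundary, not
    proof of one: routing between private blocks without NAT is perfectly legal."""
    realms = []
    for _, _, realm in hops:
        if realm is None:
            continue
        if not realms or realms[-1] != realm:
            realms.append(realm)
    return realms


def possible_nat_boundaries(hops):
    """Count transitions out of a private realm; an upper bound on NAT layers
    visible from this vantage point, which is what the post is estimating."""
    realms = address_realms(hops)
    return sum(1 for a, b in zip(realms, realms[1:]) if a != "public")


if __name__ == "__main__":
    parsed = parse_hops(TRACERT_OUTPUT)
    for hop_no, token, realm in parsed:
        print(f"hop {hop_no:>2}: {token:<16} {realm}")
    print("realms crossed:", " -> ".join(address_realms(parsed)))
    print("possible NAT boundaries:", possible_nat_boundaries(parsed))
```

Run against the post's path this reports 172.16.0.0/12 -> 192.168.0.0/16 -> 10.0.0.0/8 -> public, i.e. three realm changes, which is the "at least 3 NATs" guess in the post; whether each of those is really a NAT or just a routed hop between private ranges is something only the people holding the router configs can confirm.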



  • @Rhywden said:

    I'm not sure WHY there are so many NATs in the first place? Shouldn't the address space of 10.0.0.0/8 suffice if you use something like VLAN if you're concerned about network segments not being able to talk to each other?

    You'll probably find that the netadmins for your 10.0.0.0/8, 10.32.0.0/16, 192.168.0.0/16 and 172.16.0.0/12 spaces work for different organizations.

    As for why you're unable to establish an outbound web connection with curl: let me tell you how it works at the school I netadmin.

    Our connection to the outside world is a router with fibre behind it. That router is managed and configured upstream from us, and gives us access to a large VPN. Like most schools attached to that VPN, we get two /23 blocks of 10.0.0.0/8 to play in. One of them is for the curric network, to which anybody on campus can get access; the other is for the admin network, accessible only via four admin workstations on wired outlets in the admin building.

    There is a firewall between the VPN and the wider Internet. Outbound connections are allowed on a VPN-wide whitelist of port numbers below 1024, and on all ports above it.

    Ports not on the outbound whitelist include 22, 23, 25, 53, 80, 123, 443, 465, 587, 993, 995. The intent appears to be that Web access must be done via district-specific proxy servers; DNS, NTP and mail have to go via servers inside the VPN.

    Inbound connections to my site are allowed via specific port mappings that I have to submit paperwork and get approval for. There is no way, as far as I have been able to find out, to get site-specific whitelisting for selected outbound ports, though there are some specific IP address ranges for which direct access to otherwise inaccessible ports is allowed (notably the Microsoft update servers and a handful of Apple ones).

    The only web proxy available to us is one that ends up passing all requests through to the Zscaler SAAS cloud service. Words cannot begin to express how much I dislike that service's authentication mechanisms and its admin interface, though its performance as a web proxy is decent. I run a site-local Squid proxy that hides most of the upstream horror.

    Of course, there are various devices in use on campus that don't play nice with web proxies (some very old Android devices in particular simply have no inbuilt web proxy support at all). Even those mobile devices that do support proxy servers are a pain in the arse to use with multiple proxy credentials; once a mobile device has managed to collect a staff username and password, for example, it takes a more complicated settings dance to render it unproblematic for student use than school staff are likely to perform consistently.

    So I've set up four wireless VLANs at our site. One of them is just a bridge to the wired curric LAN, so it suits laptops and other gear that doesn't have a problem with web proxies. The other three all have a transparent web proxy on port 80 as well as an explicit one on port 3128; the proxy concerned is my local Squid, which knows what kind of filtering to apply based on the VLAN ID the request came from.

    The VLANs with transparent proxy facilities get addresses in 192.168.4.0/23, 192.168.6.0/23 and 192.168.8.0/23, and I run NAT from there to the curric network's 10.x.x.x space, which upstream in turn NATs to the Internet, so that connections that don't need proxying will work properly.

    Three levels of NAT does look a little excessive, but it could easily be the result of somebody slapping a consumer WiFi router on top of an arrangement like mine.



  • Is it actually necessary to NAT the additional VLANs? Or is that because you might run out of address space? A /23 is a bit small for schools, after all.



  • I had a choice when I set this up: either partition the 10.x.x.x/23 space that the upstream VPN allocates for my site's curric subnet, or define my own private address spaces and NAT them.

    I chose the NAT path because nine bits of address space does feel a bit tight. The school already has 120 wired workstations, four servers (some multihomed) and assorted printers and switches and WAPs on the curric network, and the ultimate aim is to provide BYOD infrastructure for a school that will likely be upwards of 400 students by the time that happens.

    The only real downside to NAT is that it makes setting up port mapping for inbound connections kind of painful, what with having to modify the config on every NAT router along the way. But given that I'm in total control over routing inside the site, and that the bureaucratic process involved in getting an edge VPN port mapped to any of my boxes is always going to be more painful than updating my own config, it's not really an issue for me.



  • Another fresh WTF:

    As I previously detailed, I intend to write some Windows Apps for the Surfaces. Thus I need to install the packages on the laptops. This is easily done through executing a PowerShell script which basically imports my certificate, then shoves the files where they're supposed to go and registers the app with the menu.

    Only that I'm not allowed to execute shell scripts. But I'm allowed to do everything else. I can install any program I want. I can edit the registry. I can invoke all the script commands manually.

    I'm not quite sure which brainfart was behind that bright idea - please remember that, whatever a pupil does on those machines, it's wiped after a reboot anyway.


  • Discourse touched me in a no-no place

    @Rhywden said:

    Only that I'm not allowed to execute shell scripts. But I'm allowed to do everything else. I can install any program I want. I can edit the registry. I can invoke all the script commands manually.

    Can you rename the script interpreter and run it then?

    It certainly used to be the case that one of the main hook points for controlling this sort of thing was based entirely on the name — without directory or extension — of the executable file. Which is just one of the dumbest ideas ever for a piece of security software, but whatever…



  • Will try that on Monday, thanks for the suggestion.

    Other WTFs I just remembered:

    a) They managed to ban some USB sticks from working - they're all recognized but some are simply not mounted. Which was a lot of fun for visitors from companies when they wanted to start their PowerPoint - which was on a USB stick and on their laptop. The USB stick then was not accessible and the laptop, well, that's where the non-working WLAN threw a spanner in the works...
    This is a school-wide problem and obviously an error on their side, not a hardware problem, since it happens on the Surface 3 Pro as well. My own Surface (with identical hardware) can read all the sticks just fine.

    b) They also managed to ban my own laptop from the network which until then had access to the internet through my access point - while I'm still getting an IP, the router obviously blocks my laptop from going any further because it's not a member of the domain. However, I noticed today that, while using a browser was obviously not working, my Dropbox successfully synced some files and folders!
    So on Monday I'll also see if they thought of banning VPN. I'll also look into TCP-over-DNS...



  • What's your relationship with the school?

    Were the restrictions you're running into imposed by somebody working for the school, or are they inherited from something like this horrible Victorian Education Department image?



  • @Rhywden said:

    They also managed to ban my own laptop from the network which until then had access to the internet through my access point - while I'm still getting an IP, the router obviously blocks my laptop from going any further because it's not a member of the domain. However, I noticed today that, while using a browser was obviously not working, my Dropbox successfully synced some files and folders!

    Are you sure you're not merely seeing (a) an inability to connect to whatever Windows file servers are normally accessible to domain clients, due to lack of domain credentials plus (b) outbound connections to ports 80 and 443 blocked at the edge of their VPN, in order to force the use of a web proxy for web access?

    The way I always work around (b) is to tell Firefox to use a SOCKS 5 proxy on localhost:1080, then start up a PuTTY session with a dynamic port on 1080 back to an ssh server at my house.



  • Well, I can see the proxy thing but I don't understand why anything else is still able to connect.



  • If the powers that be follow the same "logic" as they do in our school VPN, it's because eeeeevil can obviously only enter the premises via clients connected to services on well-known ports. So they force a proxy for 80 and 443, force the use of VPN-internal servers for DNS and ntp and smtp and pop3, don't support imap in any form at all, and leave every outbound port above 1024 completely open.

    Which is one of the reasons why my home ssh server lives on a high-numbered port.



  • What does it tell you when you 'can't execute scripts'? The remote execution policy is always set to signed by default, which means that you can't even run scripts you yourself write. And yet another script (say, a batch) can say -allowunsigned or something and enable it. I don't fully understand what the point is; if it was just a setting for powershell, that would be one thing, but ignoring it with just a param? Oh well.





  • I know how to deal with it. It bugs me that they added a security measure that can be turned off with an argument.



  • Not so easy to turn off with the GUI though, so that makes it blakey-resistant.



  • Thanks for that. Will try it out first thing on Monday.



  • I had to change a fuse in my car to fix my radio a few days ago and it made me feel like a rockstar electrician. As these are clearly comparable situations, you should seriously consider hiring me to fix whatever it is you're talking about (unless it's already fixed, I got confused when you said "physics equipment").

