School/Education Network Security



  • I have a feeling everyone has encountered this kind of WTF – it's literally everywhere.

     
    For example:

    The local school district here has some combination of Novell and regular Windows authentication.  Doesn't sound too bad, right?  Wrong. 

    1. Teacher and staff logins are less secure than student logins.  They're first letter of first name+lastname.  So "Paula Bean" would be pbean.  Yes, that's the username and password.  In comparison, student logins are private student ID/two letters of last name + birth date + random letter and number.

    2. Local admin accounts have the username and password "computer##".  The computer number is on a sticker attached to the side of the computer.  Want to potentially screw up the whole computer lab?  Be my guest.

    3. Server is in an unlocked case with no UPS.


                     



  • (Un)fortunately if you know how to really secure a medium-sized network, you're not working for a school usually - it's just not paying enough. Or is that only true in my home area?

    OTOH universities that have networking / CS courses should be well organized, right? Lab at my uni (the 'free access for everyone' lab) had FC systems with properly configured SELinux, NFS-mounted profiles, central auth (LDAP, I think), account per person, etc. This year they've switched to one login / profile for everyone - WTF??? I have no idea why they broke a really well working system :/



  • Universities can also usually afford to blow huge amounts of dough on their network, since that's been a selling point for quite some time, and university students tend to be the type most likely to try attacking their own network for fun. Schools, on the other hand, can just take the "arrest the student for terrorism, damn the consequences" approach (and do!)



  • @Volmarias said:

    Universities can also usually afford to blow huge amounts of dough on their network, since that's been a selling point for quite some time, and university students tend to be the type most likely to try attacking their own network for fun. Schools, on the other hand, can just take the "arrest the student for terrorism, damn the consequences" approach (and do!)

    You don't know how true that is, sadly. (Especially the punish the student part).  Couple that with non-computer-savvy teachers, and you have a disaster waiting to happen.  In my 11th grade year at HS, some guy decided to plug in a flash drive with some of the "Portable Apps" on it.  Guess what happened?  Yup, he got banned from the computer lab for the rest of the year.
     



  • @redct said:

    @Volmarias said:

    Universities can also usually afford to blow huge amounts of dough on their network, since that's been a selling point for quite some time, and university students tend to be the type most likely to try attacking their own network for fun. Schools, on the other hand, can just take the "arrest the student for terrorism, damn the consequences" approach (and do!)

    You don't know how true that is, sadly. (Especially the punish the student part).  Couple that with non-computer-savvy teachers, and you have a disaster waiting to happen.  In my 11th grade year at HS, some guy decided to plug in a flash drive with some of the "Portable Apps" on it.  Guess what happened?  Yup, he got banned from the computer lab for the rest of the year.

    Sounds about right for a security policy though.  IMHO



  • @MasterPlanSoftware said:

    Sounds about right for a security policy though.  IMHO

    So why wasn't the policy enforced in the first place? And I don't mean the "ban student" policy. If that rule was created, it means that it was there to defend the network from X. If you can put X on the network anyway, you've got 2 problems - a banned student and a broken network. If that rule was enforced, the student wouldn't be able to do that in the first place, and the network would be "secure" - that's better for both school and students.
    If you don't at least try to enforce security rules, don't write them down. IMHO



  • I just had to register to reply to this thread.

     

    At the school I am related to in a rather complicated fashion:

     

    1) They have a computer lab with around 10-20 computers. Because of a severe lack of space, this lab is shoved into a small room, barely large enough for the kids and computers, let alone the teachers. Also, the room that the only door leads to is used by a preschool (don't ask) so the door cannot be opened during the lab's use. And for a while, there was no ventilation whatsoever. The result: Random crashes in a sweatshop-like environment.

    Only later did they add a single vent.

     
    2a) Hideous laptops. Not in the sense of ugly to look at, but all sorts of wrong things with them. Some have copies of XP passed down from teacher to teacher for years, and never have been reinstalled. One has a dead battery. One has a user with a messed-up keymap (the others are fine). One has a terribly broken copy of Vexira Antivirus (which is itself a WTF) that will slowly destroy the OS every Sunday when it tries to update, forcing the use of a recovery partition. There is all kinds of unimaginable junk in there and some totally bizarre programs/files. I've bequeathed a few things of my own, such as a small webserver with a large website, an FTP server, VLC and other junk I've forgotten.

    2b) There is a set of twenty new laptops. Their problem: Vista. Not only are they not quite powerful enough, but Vista has multiple WTFs out of the box. Did I mention that they are loaded with Vexira?

    3)  The ultimate: They took the precaution of giving teachers separate password-protected accounts. This is entirely useless however, because the student (non-passworded) account has administrator rights!



  • I've never even HEARD of Vexira.



  • @redct said:

    I've never even HEARD of Vexira.


    That's strange, because "Without them, there's no defense. ®"
    At least they do support linux & co.:



  • @redct said:

    @Volmarias said:

    Universities can also usually afford to blow huge amounts of dough on their network, since that's been a selling point for quite some time, and university students tend to be the type most likely to try attacking their own network for fun. Schools, on the other hand, can just take the "arrest the student for terrorism, damn the consequences" approach (and do!)

    You don't know how true that is, sadly. (Especially the punish the student part).  Couple that with non-computer-savvy teachers, and you have a disaster waiting to happen.  In my 11th grade year at HS, some guy decided to plug in a flash drive with some of the "Portable Apps" on it.  Guess what happened?  Yup, he got banned from the computer lab for the rest of the year.
     

    Yeah, that sounds about right.

    At my high school, I had to take a computer class to graduate. Ignore the fact that I was already programming, and that the highest programming class was "MS Excel". No, I absolutely HAD to have a computing class to graduate. So, over my furious protestations, I was taken out of last period study hall (Read: Permission for seniors to go home 40 minutes early), and placed into "Intro To Computers." Ostensibly, the class was supposed to teach us the basics of using a computer. In reality, our teacher (whom we shall call Mr. X) turned on a Jimmy Buffett CD (always the same one), passed out photocopied newspaper articles, and told us to turn on Word and retype them. No, this isn't a touch typing class, he just wanted us to do busywork so that he didn't have to do his job.

    I spent a lot of time in that class playing minesweeper, renamed mavisbeacon.exe (well done, network security!) for the 40 minutes I was there.

    Anyway, the real WTF is that some poor girl accidentally dragged the taskbar from the bottom to the right. Mr. X, seeing this, became enraged, and spent the next 10 minutes screaming at her to put it back. The poor girl, having no idea how (hence her taking this class) broke down crying, and he sent her to the main office. Classy. So, in summary, yes, I do know how true that is.



  • At our school they do things about the same way, but they do teach Java students.
    Now I wouldn't mind learning it, but they didn't even give me a chance to do so.
    Our schools have different 'levels', e.g. HAVO and VWO (in Holland).

    I'm on VWO, which is the highest one, and I'm not allowed to take ICT because I'm not in HAVO.

    Like smart people can't work with computers :(

    The real WTF: 1Mbit internet for about 300 PCs



  • 1MB for 300 PCs?  So, each one has the equivalent of sucky dial-up?



  • Sometimes less, like 5 KB ps, or when everyone is trying to mail their work 1KB.

    It really is god-awful.

     

    The real WTF here is that there's an optic fiber cable to the school, provided by SurfNET, and it's not being used.

    All because the local IT nono can't figure out how to secure it.



  • I do like the idea of administrator students [;)]

    In our university we have a system which copies the accounts and their password with a cron job to all the computers. No LDAP or anything like it. It's an in-house solution by the über-admin we have. Passwords can be at most 8 chars long, any other characters are ignored. And a password like Pzft9kwm is not complex enough.

    At least our home dirs are on a working nfs volume...
     



  • @hallo.amt said:

    In our university we have a system which copies the accounts and their password with a cron job to all the computers. No LDAP or anything like it. It's an in-house solution by the über-admin we have. Passwords can be at most 8 chars long, any other characters are ignored. And a password like Pzft9kwm is not complex enough.

    Aside from the somewhat bizarre policies, this was the normal way to handle account distribution in the early days of Unix. Variations on this theme are still the best way in various scenarios (nowadays we'd normally construct a db1 database from the LDAP/whatever server, distribute it to all the hosts, and use the NSS db module). This approach has the notable advantage that the remote hosts are not dependent on a live network connection to some server, making it a good solution for outlying offices that are stuck behind a dial-up connection or similar. There are a few implementations floating around.



  • @Volmarias said:

    Anyway, the real WTF is that some poor girl accidentally dragged the taskbar from the bottom to the right. Mr. X, seeing this, became enraged, and spent the next 10 minutes screaming at her to put it back. The poor girl, having no idea how (hence her taking this class) broke down crying, and he sent her to the main office. Classy. So, in summary, yes, I do know how true that is.

    That's where you should go in and rescue the damsel in distress from the evil zombie teacher. She might have been thankful...



  • @Sad Bug Killer said:

    @Volmarias said:

    Anyway, the real WTF is that some poor girl accidentally dragged the taskbar from the bottom to the right. Mr. X, seeing this, became enraged, and spent the next 10 minutes screaming at her to put it back. The poor girl, having no idea how (hence her taking this class) broke down crying, and he sent her to the main office. Classy. So, in summary, yes, I do know how true that is.

    That's where you should go in and rescue the damsel in distress from the evil zombie teacher. She might have been thankful...

    Yeah, she was already trying to convince me to do her fucking typing homework. I really didn't want her, for a few different reasons.



  • My very first topic in this forum was, I believe, about a school network.

    http://forums.thedailywtf.com/forums/thread/126205.aspx <- here's the link. Enjoy.

