Re: [Visualpython-users] High School Network Security

[Jonathan B. <jbr...@ea...>]

On Fri, 2005-05-13 at 21:11 -0400, FRANCESCO NOSCHESE wrote:
> Hello everyone,
> 
> I am a high school physics teacher who is planning post-AP exam student 
> projects using VPython.  However, my school refuses to allow Python and 
> VPython to be installed on the school's network because it is open 
> source.

"Because it is open source" is a horrible reason.  There is no
characteristic of Open Source software that makes it a security risk, or
susceptible to abuse beyond any of the other risks involved with
networked computing.  Here at North Carolina State University, we have
several labs with dozens of Linux machines that are composed almost
entirely of Open Source software.  Would we have deployed them if they
were unsafe, considering the several hundred students in the Computer
Science department which use these workstations?

> Here's the reply from the technology coodinator at my school:
> 
> "Our technology team discussed your request to install VPython on the 
> network/lab at our May 4th meeting and all agreed that it is not good 
> practice to install open source software on the school computer systems.  
> We have conferred with LHRIC and a random sampling of other districts and 
> all agree it is not in the district's best interest to do so, even thought 
> there is no doubt your intended goal is worthy."

Sounds like someone is woefully misinformed.  Its hard to argue against
their decision without knowing their reasoning, but I'll try to give you
a little ammunition.  If you do find out what their reasoning is, please
let us know.  "Open Source == unsafe" is a really bad belief to have in
an education technology resource center.

> [LHRIC is a technology-oriented consortium of local school districts 
> <http://www.lhric.org>]
> 
> Is this really a problem?  What are the risks?  Is there any way to 
> prevent student misuse of Python?  How can I make a case to allow Python 
> in school?

Python itself is not only a high-level language, it also includes a lot
of supporting libraries that allow you to read, write, create, and
delete files, run other programs, edit the system registry, make network
connections to other computers, etc.  See the documentation for the os,
sys, and socket packages in the Python Library Reference, for example.

A student with malicious intent could write a Python program that uses
these standard packages to take any action permitted by his account
privileges.

But this is somewhat of a red herring.  If the students can get data
onto the computer, even via a floppy disk or email (even web-based
email), then they would have exactly the same capability by writing a
program in Visual Basic, C, Pascal, or any of the other myriad
programming languages that target MS Windows.  Just write the program on
a home computer and email it to herself at school.

The key to limiting the damage that untrusted users/students can do has
less to do with what software is available on the machine and more to do
with how you setup the system privileges for the users.  All of the
machines on campus here are kept relatively safe by not allowing
students to login with administrative-level privileges.

If you have a firewall installed on the system that restricts outbound
network connections, in conjunction with non-administrative login, and
stay up-to-date on security patches, then the student is pretty much
limited to damaging his own personal files and installing
{ad,spy,mal}ware that only affects him.

The Debian GNU/Linux project (www.debian.org) is a community-based Linux
distribution that places great emphasis on Software Freedom and Open
Source (http://www.debian.org/intro/free).  Debian-edu
(http://wiki.debian.net/?DebianEdu) is a group within Debian that aims
to improve Debian's appeal to educational organizations.  I think they
would love to help you go to bat with your technology team.

HTH,
-Jonathan Brandmeyer

P.S.  The only kind of "misuse" that I have seen with computers in the
classroom has been students web browsing and instant messaging when they
(er, we ;) were supposed to be working on VPython.