visualpython-users

[Visualpython-users] High School Network Security

[FRANCESCO N. <fno...@kl...>]

Hello everyone,

I am a high school physics teacher who is planning post-AP exam student=20=

projects using VPython=2E  However, my school refuses to allow Python and=20=

VPython to be installed on the school's network because it is open=20
source=2E

Here's the reply from the technology coodinator at my school:

"Our technology team discussed your request to install VPython on the=20
network/lab at our May 4th meeting and all agreed that it is not good=20
practice to install open source software on the school computer systems=2E=
 =20
We have conferred with LHRIC and a random sampling of other districts and=20=

all agree it is not in the district's best interest to do so, even thought=
=20
there is no doubt your intended goal is worthy=2E"

[LHRIC is a technology-oriented consortium of local school districts=20
<http://www=2Elhric=2Eorg>]

Is this really a problem=3F  What are the risks=3F  Is there any way to=20=

prevent student misuse of Python=3F  How can I make a case to allow Python=
=20
in school=3F

FYI, we have a Novell Zenworks network for XP and Win98 machines=2E  We al=
so=20
have Citrix in XP=2E

Many thanks in advance for all your help=2E

Frank Noschese
Physics Teacher
John Jay High School
Cross River, NY

fnoschese@klschools=2Eorg
*****************************
Frank Noschese
Physics Teacher

John Jay High School
Cross River, NY

fnoschese@klschools=2Eorg
voicemail: (914) 763-7384
*****************************

Re: [Visualpython-users] High School Network Security

[Jonathan B. <jbr...@ea...>]

On Fri, 2005-05-13 at 21:11 -0400, FRANCESCO NOSCHESE wrote:
> Hello everyone,
> 
> I am a high school physics teacher who is planning post-AP exam student 
> projects using VPython.  However, my school refuses to allow Python and 
> VPython to be installed on the school's network because it is open 
> source.

"Because it is open source" is a horrible reason.  There is no
characteristic of Open Source software that makes it a security risk, or
susceptible to abuse beyond any of the other risks involved with
networked computing.  Here at North Carolina State University, we have
several labs with dozens of Linux machines that are composed almost
entirely of Open Source software.  Would we have deployed them if they
were unsafe, considering the several hundred students in the Computer
Science department which use these workstations?

> Here's the reply from the technology coodinator at my school:
> 
> "Our technology team discussed your request to install VPython on the 
> network/lab at our May 4th meeting and all agreed that it is not good 
> practice to install open source software on the school computer systems.  
> We have conferred with LHRIC and a random sampling of other districts and 
> all agree it is not in the district's best interest to do so, even thought 
> there is no doubt your intended goal is worthy."

Sounds like someone is woefully misinformed.  Its hard to argue against
their decision without knowing their reasoning, but I'll try to give you
a little ammunition.  If you do find out what their reasoning is, please
let us know.  "Open Source == unsafe" is a really bad belief to have in
an education technology resource center.

> [LHRIC is a technology-oriented consortium of local school districts 
> <http://www.lhric.org>]
> 
> Is this really a problem?  What are the risks?  Is there any way to 
> prevent student misuse of Python?  How can I make a case to allow Python 
> in school?

Python itself is not only a high-level language, it also includes a lot
of supporting libraries that allow you to read, write, create, and
delete files, run other programs, edit the system registry, make network
connections to other computers, etc.  See the documentation for the os,
sys, and socket packages in the Python Library Reference, for example.

A student with malicious intent could write a Python program that uses
these standard packages to take any action permitted by his account
privileges.

But this is somewhat of a red herring.  If the students can get data
onto the computer, even via a floppy disk or email (even web-based
email), then they would have exactly the same capability by writing a
program in Visual Basic, C, Pascal, or any of the other myriad
programming languages that target MS Windows.  Just write the program on
a home computer and email it to herself at school.

The key to limiting the damage that untrusted users/students can do has
less to do with what software is available on the machine and more to do
with how you setup the system privileges for the users.  All of the
machines on campus here are kept relatively safe by not allowing
students to login with administrative-level privileges.

If you have a firewall installed on the system that restricts outbound
network connections, in conjunction with non-administrative login, and
stay up-to-date on security patches, then the student is pretty much
limited to damaging his own personal files and installing
{ad,spy,mal}ware that only affects him.

The Debian GNU/Linux project (www.debian.org) is a community-based Linux
distribution that places great emphasis on Software Freedom and Open
Source (http://www.debian.org/intro/free).  Debian-edu
(http://wiki.debian.net/?DebianEdu) is a group within Debian that aims
to improve Debian's appeal to educational organizations.  I think they
would love to help you go to bat with your technology team.

HTH,
-Jonathan Brandmeyer

P.S.  The only kind of "misuse" that I have seen with computers in the
classroom has been students web browsing and instant messaging when they
(er, we ;) were supposed to be working on VPython.

Re: [Visualpython-users] High School Network Security

[Lee H. <mi...@ho...>]

> > "Our technology team discussed your request to install VPython on the
> > network/lab at our May 4th meeting and all agreed that it is not good
> > practice to install open source software on the school computer systems.
> > We have conferred with LHRIC and a random sampling of other districts 
>and
> > all agree it is not in the district's best interest to do so, even 
>thought
> > there is no doubt your intended goal is worthy."


Do they have java installed on the web browsers? Java is open source.

I bet you can find other things already installed that are open source.

Do they have windows installed?  If I recall correctly, windows uses
quite a few BSD licensed programs in their base install (the ftp client,
parts of their TCP/IP stack).

Not installing because it is open source is the most outrageous thing
I have ever heard. That these are the people controlling what young
people get to learn is outrageous.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Re: [Visualpython-users] High School Network Security

[Gary <pa...@in...>]

FRANCESCO NOSCHESE wrote:

>Hello everyone,
>
>I am a high school physics teacher who is planning post-AP exam student 
>projects using VPython.  However, my school refuses to allow Python and 
>VPython to be installed on the school's network because it is open 
>source.
>
>Here's the reply from the technology coodinator at my school:
>
>"Our technology team discussed your request to install VPython on the 
>network/lab at our May 4th meeting and all agreed that it is not good 
>practice to install open source software on the school computer systems.  
>We have conferred with LHRIC and a random sampling of other districts and 
>all agree it is not in the district's best interest to do so, even thought 
>there is no doubt your intended goal is worthy."
>  
>
I wonder if there is a commuincation gap.  You said "open source".  
Perhaps what they *heard* was "freeware".

Or an understanding gap:  open source = freeware.

If so, one would hope that a delicately worded education would solve the 
problem.  But we've all run into IT people who enjoy a rather feudal 
approach to management.  Keep us posted with details.  Perhaps we can 
help make your argument.

Re: [Visualpython-users] High School Network Security

[Jacob S. <ke...@ja...>]

> FRANCESCO NOSCHESE wrote:
>
>>Hello everyone,
>>
>>I am a high school physics teacher who is planning post-AP exam student 
>>projects using VPython.  However, my school refuses to allow Python and 
>>VPython to be installed on the school's network because it is open source.
>>
>>Here's the reply from the technology coodinator at my school:
>>
>>"Our technology team discussed your request to install VPython on the 
>>network/lab at our May 4th meeting and all agreed that it is not good 
>>practice to install open source software on the school computer systems. 
>>We have conferred with LHRIC and a random sampling of other districts and 
>>all agree it is not in the district's best interest to do so, even thought 
>>there is no doubt your intended goal is worthy."
>>
> I wonder if there is a commuincation gap.  You said "open source". 
> Perhaps what they *heard* was "freeware".
>
> Or an understanding gap:  open source = freeware.
>
> If so, one would hope that a delicately worded education would solve the 
> problem.  But we've all run into IT people who enjoy a rather feudal 
> approach to management.  Keep us posted with details.  Perhaps we can help 
> make your argument.
>

Yeah, it would be just like schools to refuse anything free if they can 
spend their tax dollar budget on expense programs that don't work half as 
well as the free things.

OT  rant

My school just recently signed up for a thing on the internet called 
teenbiz3000.  It's supposed to be an internet thing that is perfectly 
controlled by the teachers and can be tracked completely.  All it is is just 
an online email program and some games, all geared towards making us better 
readers.  In high school!!   This was supposed to be taken care of in first 
and second grade.  I also learned from the teacher that the school paid 
through the nose to get access to this thing.  I have seen it first hand and 
I don't like it.  I don't believe it works.  What are they paying the first 
and second grade teachers for if not to teach kids to read?  What happened? 
When did they start throwing money needlessly and foolishly around?

end rant

Jacob 

Re: [Visualpython-users] High School Network Security

[Bruce S. <Bru...@nc...>]

The comment that they might confuse "open source" with "freeware" seems 
a highly likely explanation. In principle, open source software could be 
MORE secure than commercial software, because it is inspectable.

On the other hand, it is all too common for IT people to get in the way 
of education. It is easier for them to say "no" to everything than to 
support valid educational innovation. Sometimes this is due to valid 
concerns about security, but often it is just a knee-jerk reaction to 
anything new.

Last year I heard a very interesting talk by Paul Dubois, who led the 
development of the Numeric module for Python, in which he argued that 
all computational science (e.g. computational physics) should be carried 
out using open source software because it is inspectable. Only in that 
environment can other scientists fully critique algorithms, look for 
flaws, etc.

Bruce Sherwood

FRANCESCO NOSCHESE wrote:
> Hello everyone,
> 
> I am a high school physics teacher who is planning post-AP exam student 
> projects using VPython.  However, my school refuses to allow Python and 
> VPython to be installed on the school's network because it is open 
> source.
> 
> Here's the reply from the technology coodinator at my school:
> 
> "Our technology team discussed your request to install VPython on the 
> network/lab at our May 4th meeting and all agreed that it is not good 
> practice to install open source software on the school computer systems.  
> We have conferred with LHRIC and a random sampling of other districts and 
> all agree it is not in the district's best interest to do so, even thought 
> there is no doubt your intended goal is worthy."
> 
> [LHRIC is a technology-oriented consortium of local school districts 
> <http://www.lhric.org>]
> 
> Is this really a problem?  What are the risks?  Is there any way to 
> prevent student misuse of Python?  How can I make a case to allow Python 
> in school?
> 
> FYI, we have a Novell Zenworks network for XP and Win98 machines.  We also 
> have Citrix in XP.
> 
> Many thanks in advance for all your help.
> 
> Frank Noschese
> Physics Teacher
> John Jay High School
> Cross River, NY
> 
> fno...@kl...
> *****************************
> Frank Noschese
> Physics Teacher
> 
> John Jay High School
> Cross River, NY
> 
> fno...@kl...
> voicemail: (914) 763-7384
> *****************************
> 
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by Oracle Space Sweepstakes
> Want to be the first software developer in space?
> Enter now for the Oracle Space Sweepstakes!
> http://ads.osdn.com/?ad_ids93&alloc_id281&op=click
> _______________________________________________
> Visualpython-users mailing list
> Vis...@li...
> https://lists.sourceforge.net/lists/listinfo/visualpython-users

Re: [Visualpython-users] High School Network Security

[Gary <pa...@in...>]

Bruce Sherwood wrote:

> The comment that they might confuse "open source" with "freeware" 
> seems a highly likely explanation. In principle, open source software 
> could be MORE secure than commercial software, because it is inspectable.
>
> On the other hand, it is all too common for IT people to get in the 
> way of education. It is easier for them to say "no" to everything than 
> to support valid educational innovation. Sometimes this is due to 
> valid concerns about security, but often it is just a knee-jerk 
> reaction to anything new. 

Having spent nearly twenty years as an industrial physicist before 
switching to academe, I can testify that the situation is just as bad, 
I'd say worse, in industry. 

Re: [Visualpython-users] High School Network Security

[Anton S. <br...@po...>]

Bruce Sherwood wrote:
> The comment that they might confuse "open source" with "freeware"
> seems a highly likely explanation. In principle, open source software
> could be MORE secure than commercial software, because it is
> inspectable.

More precisely or at least more explicitly, with a well publicized 
open-source tool you can have more confidence that the algorithm is 
sound and that there are no backdoors.

Bruce Schneier's security newsletter frequently pillories products that 
use secret encryption techniques, on the grounds that to do cryptography 
well is a lot harder than amateurs think, and you can't know a defense's 
strength until the professionals have attacked it.  (see also 
http://en.wikipedia.org/wiki/Kerckhoffs%27_law)  When one of the 
standard techniques is cracked, it's big news; when someone's secret 
proprietary technique is cracked, you won't know it until a company that 
relied on it goes under. ;)  The principle applies more generally than 
to encryption, of course.

-- 
Anton Sherwood, http://www.ogre.nu/

Re: [Visualpython-users] High School Network Security [OT]

[Gary <pa...@in...>]

Anton Sherwood wrote:

> Bruce Sherwood wrote:
>
>> The comment that they might confuse "open source" with "freeware"
>> seems a highly likely explanation. In principle, open source software
>> could be MORE secure than commercial software, because it is
>> inspectable.
>
>
> More precisely or at least more explicitly, with a well publicized 
> open-source tool you can have more confidence that the algorithm is 
> sound and that there are no backdoors.
>
> Bruce Schneier's security newsletter frequently pillories products 
> that use secret encryption techniques, on the grounds that to do 
> cryptography well is a lot harder than amateurs think, and you can't 
> know a defense's strength until the professionals have attacked it.  
> (see also http://en.wikipedia.org/wiki/Kerckhoffs%27_law)  When one of 
> the standard techniques is cracked, it's big news; when someone's 
> secret proprietary technique is cracked, you won't know it until a 
> company that relied on it goes under. ;)  The principle applies more 
> generally than to encryption, of course.
>
In Steven Strogatz'  book "Sync" he relates a story about how he (or was 
it a colleague) discovered a way to use chaos to encrypt data during 
transmission.  He couldn't imagine breaking the code. He got very 
excited and began to dream about fame and fortune.   Encryption experts 
were not as excited.   Of course, the experts cracked it fairly easily.