Mandatory computer classes? As a former student from the dorms, and having spent nearly four years at a helpdesk--this is insane, utter nonsense.

First, many people will never even grasp the basics, and if they do--they won't take the time to actually monitor them. Once the AV scanner and firewall are installed, they'd better work flawlessly and never pop up again. I can't tell you how many times I saw people install zonealarm and then hit "yes" every single time something popped up without a moment of thought. What a way to render a decent product useless.

Secondly, I can tell you my school *technically* didn't allow anything but windows installations on the residential network, under the premise that network ops knew how to check the security remotely. Bridges and routers were off course strictly off limits. If their scans found anything that looked like remote admin/access they'd find an excuse to pull the port... Except for the idiots that had a world writeable C$. Let me tell you how much this made me want to cooperate with the network people...

Inside the first week (I'm slow) I had redhat up with full iptables, and portsentry--I caught the system scans from the network ops, and stealth scans from a rooted DNS they ran (what's that...the campus secondary DNS is serving Crouching Tiger.divx ?) --added filters to drop all traffic from their portion of campus, and appropriate masquerading going through to the internal network. A quick check of google for emails and search of usenet revealed the three sysadmins home dsl and cable addresses. Added those to the script too just in case they do any scanning from home. Of course, the systems people stopped by my dorm a few times--it seemed a non-existant ip address on an unregistered MAC was being *very* noisy about portscanning every system resembling a server whenever a sweep went through the dorm. Go figure, somebody felt that it must have been okay to check their security for them since they were doing such a good job themself... Had to stop that unfortunately...

Don't knock the college kids--the only thing my system was ever open to was the SSH exploit, and the daemon was chrooted anyway.

Go ahead, make a mandatory computer hygiene class, I dare you...By the end of the semester I'll be using every drive in the lab to serve warez--not because I believe in it, but because I can't stand 101 classes taught by people who simply don't have a clue.

If you can't educate your users (and believe me, you can't), maybe you should lock your network down--it's easier and cheaper anyway

How do you expect new art/english, or even CS and IT majors whose experience consists of using microsoft word to secure their computer when half the sys-admins in the world can't do it anyway?

It's your network--you protect it. 'Cause I can't stand hearing another lecture from some misguided idiot on how to use McAfee and not open attachments. At least *my* SMTP server authenticated its users and didn't have relaying enabled...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/267/28483#28483