[Edu-sig] UPDATE: High School Network Security

Jordan Johnson jorjohns at cs.indiana.edu
Tue May 17 03:10:49 CEST 2005


Possible responses follow.

On Monday, May 16, 2005, at 11:00  AM, Frank Noschese wrote:
> 1) Lack of technical support from the 'vendor'. Since most open source software
> is provided 'free' and is not maintained by a central vendor, technical support
> is limited if not nonexistent. With this lack of technical support of the
> software products in question, we have no way of getting help when the software
> has a problem or is the cause of problems with the network.

"I am willing to accept the responsibility of being the local support 
provider for this software.  Among other sources of support, be aware 
of [list mailing lists and websites here]."

> 2) Product testing was another reason. Since there are so many contributors to
> open source software, in many cases, the software is not tested for
> compatibility and stability. As such, there is no level of expectation that the
> product will function as stated. Furthermore, with the limited testing of the
> software, we have no idea of what problems or ill effects the software may have
> on the computers and network.

"The functionality of much open source software, and Python in 
particular, is documented openly, and as such, errors are usually easy 
to find and then avoid.  It is worth noting that recent versions of 
Internet Explorer and Mac OS X have had serious security problems of 
their own; this problem is far from unique to open source."

> Seeing that there is no way for us to verify that
> the code that contributors are adding is their own, we may be opening up the
> district to legal actions should the software or portions thereof are
> copyrighted and being used illegally or improperly.

"Usage of the software is, or should be, governed by our own Acceptable 
Use Policy.  Also, given that we are not redistributing the software or 
marketing a derivative work, we will be extremely unlikely to draw 
legal attention even if this software is found to contain infringing 
code.  Many major academic institutions (such as the University of 
North Carolina, Indiana University, and UC Berkeley) participate in the 
redistribution of Python and other open source software, which strongly 
suggests that their legal counsel does not find the practice risky or 
objectionable."

> 4) Security of the "system." Since in most cases, anyone can obtain a copy of
> the source code of the software (OPEN SOURCE), we are running the risk of a
> user being able to modify the software on the network and manipulate it in
> such a manner to produce undesired effects. Since we have to look out for the
> stability and security of the network, this was viewed as a possible security
> issue. Another security concern is the ability of virus introduction. Since the
> source code is open, anyone so inclined, could create a virus to exploit the
> software without much difficulty. This ability to introduce a virus or other
> malicious code to the system can have the effect of bringing the system "down"
> and possible data loss or corruption."

Left as an exercise for the reader.  (A probably-unhelpful answer would 
involve something like, "If you're worried about a threat from this 
software, you have bigger problems." :>)

Cheers,
jmj (who did rather well fighting the IT bureaucracy at his own high 
school)

: Jordan Johnson - jorjohns @ cs . indiana . edu
: If I were a bug, I would want to be a true Renaissance bug.


