Friday, February 4, 2011

Security in the Classroom

  “Classroom security” used to mean locking your filing cabinet and office door at the end of the day. In the last 30 years, the meaning of this phrase has expanded astronomically. Internal school information has been moving steadily from paper stacks to networked databases, and layer after layer of firewalls, filters, proxies, and permission control systems have become a regular part of every school network. This is necessary to an extent for the same reason that a daycare near a highway needs a fence around the playground. But does the fence really need guard towers, barbed wire, and trenches on both sides?
  There are a number of arguments supporting both sides of this particular debate. From the student side, security can be a major pain. Students are used to being able to use their computers for almost anything, and having artificial restrictions put in place in a learning environment can be frustrating (Waters, 2007, p. 36). Teachers usually understand the restrictions that are in place but end up running up against the brick wall at some point themselves. System administrators, meanwhile, are often left with a myriad of labyrinths to maintain and ideally want control to be as tight as possible so abuse can’t become a problem (Waters, 2007, p. 34).
  What kind of abuse might a school computer system suffer? There are a few obvious answers to this, such as virus and malware attacks, email scamming, physical damage, and access to inappropriate material. How should the system filter content such as this on the fly? These filters are in place to protect users and equipment, presumably. Often, overzealous interpretation of the term “abuse” leads to security actually hindering the productive use of technology in the classroom. Waters sums this up nicely in Data Security (Waters, 2007, p. 34):
“Firewalls can thwart hackers, but they can also prevent staff and students from accessing online tools or information. Desktop lockdown measures can keep virus-laden applications off the network, but they can also keep teachers from trying out new software. And forget the serendipitous "teachable moment," when a teacher might need immediate access to a website, or the ability to load some software or adjust a student's desktop.”   
    The Threat of Security (Robinson, Brown, & Green, 2007) addresses some of these hindrances from a teacher’s perspective, including:
  • Email policies forbidding anything not directly related to the school
  • Tight, constant traffic surveillance
  • Account login policies and restrictions
  • Blocked access to collected resources (web hosting, video services, personal sites, etc.)
    The Threat of Security has quotes throughout from a number of frustrated teachers. One complained that he was essentially put on probation after ordering flowers from his school address during the summer. Another was frustrated over the school’s security policy that required automatic logout after 15 minutes, which was causing some students in his class to lose work when collaborating with groups. On web filters, this was the comment (p. 23):
“... our school has a filter and I tried to get on my Freewebs site... It wouldn’t let me through.... probably the word “free.”  …my district forbids teachers from posting Web pages outside sites that relate to their classroom. All pages must reside on the county server.”
  These types of restrictions make up the locked side of this security spectrum. IT administrators are happiest on this end because they don’t have to worry about breaches in security and everything stays neat and tidy. The problem with this is that, as stated earlier, this can severely inhibit the educational utility of these computer systems. If non-standard software is needed, it must first go through many levels of approval (O'Hanlon, 2009, p. 32), and by the time this process is done, it may be too late to effectively use these programs anyways.
  If you go to the other extreme, where students and teachers have total freedom with their individual computers, you end up with the situation described in Safe at Home’s first scenario (O'Hanlon, 2009). Students were all given laptops for a take-home program and security was not considered; “Kids being kids, they loaded anything they could on them” (p. 32) and the computers were so full of malware and system problems that within 2 months, every machine needed reformatting and reimaging – this time with filters in place to prevent this kind of damage from happening again. Control disappears entirely, problems become impossible to track, and teachers have no guarantee that student actions or malware infections aren’t wreaking havoc with other school systems.
  Neither of these extremes is conducive to a productive environment. What, then, are the base requirements for computer security in a school setting that avoids these problems? First of all, the integrity of the operating system must be maintained. This means malware filtering and firewalls at the very least, as the threats these guard against are considered to be the number one threat to networked systems (Young, 2008). User actions should not have the ability to impede the operation of a machine at a hardware or software level, and individual machines must have enough isolation that a security breach cannot move past the originating hardware. This is especially important in schools where things like student grades are not kept on an isolated network.
  Secondly, users and computers must be identifiable so that any major problems can be tracked back to the source (Waters, 2007, p. 36). This can be as simple as network login passwords and as complex as ID cards and biometrics, but it needs to be part of the system if troubleshooting is to be efficient (Bolch, 2009). For the same reason, internet traffic needs to be logged; this doesn’t mean that administrators can constantly spy on student activity, but it does mean that any major issues have backing documentation. 
  Thirdly, content filters must be implemented – but as unobtrusively as possible. Just as an airport security terminal exists to divert threats, so too a content filter should be weeding out threats instead of simply allowing “approved” material through. Does iTunes pose a threat? What about YouTube? If not, is there any reason aside from bureaucracy not to allow them on school computers? If usefulness outweighs risk, why are some things still blocked?
  These are the same basic rules that any business starts with when constructing an initial IT framework. Site-based networks need management. The trick is finding the right balance of restrictions and freedoms (Waters, 2007, p. 36). Implementation details can vary widely, but the medium can’t overwhelm the message it is trying to convey.

Bibliography
Bolch, M. (2009). An Ounce of Prevention: Technologists Use Network Access Control to Protect System Resources, Students. Technology & Learning, 29(8), 38.
O'Hanlon, C. (2009). Safe at Home. T.H.E. Journal, 36(9), 32-33.
Robinson, L., Brown, A., & Green, T. (2007). The Threat of Security: Hindering Technology Integration in the Classroom. Learning & Leading with Technology, 35(2), 18-23.
Waters, J. (2007). Data Security: Locked Down, Not Out. T.H.E. Journal, 34(2), 34-39.
Young, J. (2008). Top 10 Threats to Computer Systems Include Professors and Students. Chronicle of Higher Education, 55(17), A9.


------------------------------------------------------------------------------
------------------------------------------------------------------------------

    A bit of background on why I chose this topic. We've all been students on the locked-down end, but I've also worked as an IT admin on the opposite end of the spectrum. I know what it's like to have users that won't respect the boundaries you put in place. I also know that users don't like being told what they can't do, so we made it our policy to not get in the way of what they needed to work *comfortably*. This may not have quite been standard fare, but we made it clear that we would take care of anything that was company related. If employees put personal software on their machines that was giving them trouble, it was their own problem. That doesn't necessarily work with students, but it's something to think of.
    On a different but related note, I have here two TED talks by Kevin Kelly that discuss the nature of technological evolution. While these don't directly discuss security, they do raise an interesting point. Technology and the internet are growing at an incredible rate and, as McLaren cautioned, we need to be aware of the changes that are going on and the rate at which they are developing. This is especially relevant if we want to keep up to date with our students in terms of computer security.

How Technology Evolves



The Next 5000 Days of the Web

Wednesday, January 19, 2011

Fresh start

I'm not sure if we're actually supposed to be posting anything this class, but I figure I might as well. I've always been torn when it comes to technology education. To me, technology is something to be explored, learned inside and out, and used to its fullest.

I like disassembling things. If something isn't working, rather than take it in for repairs or buy a replacement, I will take it apart piece by piece and fix it myself. When I was in high school, this was something that clashed very strongly with how technology was being used. Teachers would expect us to be using new tech, but they would only teach us the very basics to get us off the ground. I didn't have a problem with this per se, but the expectation was that we would only use the techniques that we had been taught. I don't like being restricted in the techniques I can use. I like playing and experimenting.

Example:

We were given an assignment in computer science (at the university level!) to perform a series of operations on an array of objects and gracefully end processing once the list was finished with. For those not familiar with programming internals, most programming languages don't have a lot of built-in checks for things like the end of a file, a disc error, or undefined objects. If the language expects something and gets something else, it will throw an exception and crash. So the "end of list" check was supposed to be something we had to think hard on and figure out a way to program.

Now, I was taught the standard method for "catching" and handling exceptions before they crashed, as this can be a very handy feature in advanced programming. So my check function consisted of a simple catch for the list-end exception. I lost marks because we "hadn't learned that technique yet and that's not what I was looking for". Very annoying. It worked, it was a language-kosher way of handling it.... what's the problem?

This happens too often. If a student can run circles around classmates, let them. Mark them at a much higher level and hold them to a higher standard, but let them work at their most advanced level. It's obviously something they love, and they should not have that enthusiasm squashed with a "no, wait until the class is all in the same place."

Just my rant.

-------------------------------------------

On a completely separate note, here's a cool video that everyone here should see. Nothing to do with technology whatsoever.

Friday, January 7, 2011

Class Switch

Well, that changed things. Due to a scheduling mishap/forgetfulness/bureaucracy, I've been switched into a new section of the Teacher Tech course. This blog may or may not apply anymore, but we will see.

Apologies to the cohort for dropping off the grid; to all my new classmates, I hope that I can integrate well.

Thursday, January 6, 2011

First post!

When it comes to tech classes, I'm usually the one meandering around, looking bored, not because I don't get it but because I'm usually done before the explanation is complete. As a result of this I tend to get very impatient when it comes to technology related topics. They often run at a far lower level than what I'm already familiar with – not that the topics being discussed are irrelevant, I'm just usually running several steps ahead of the crowd. This is one of the reasons that I enjoyed the computer science courses offered here.

As an educator now, I need to begin learning how to teach students that are not working on the same technical level as I am. I'm hoping that this course will show me some new learning resources that I haven't come across yet, as well as showing me how to make these resources available to students no matter what their skill level may be. I've done this with music, now it's time to do this with passion #2.

Launching off on a tangent for a moment, I want to comment on the video from the first class. For the time, that was a very well put-together collage of different live and animated media. A good use of stop-motion and animated overlay of live film make it something out of the ordinary for the day and age. That being said, as a sound engineer and technician I take some issue with the misbehaving microphone cliché. Most microphone mishaps are either caused by the user or by an inexperienced technician. One of the things that my fiancée did in the Teacher Technology class last year helped at least get her classmates up to the level where most of these problems would no longer present themselves. She took the whole class over to our church, where we both work as sound engineers, and showed them in a little over an hour what every component of a basic sound system is, how to connect them in an efficient manner, and how to prevent and/or correct a lot of the problems that occur most frequently with sound systems. This is something that I would like to do this term if the opportunity presents itself.

Anyways, I think that's enough for now. Takes me ages to start, then I start rambling.