Internet Safety – School Security Ellenville, NY April 26, 2004 Copyright 2001,2002 Lower Hudson...

Internet Safety – School Security

Ellenville, NY

April 26, 2004

Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).


Open Meetings Law

FOIL & E-Document Policy

Employee AUP’s

CIPA & E-Rate

Student Safety

Domain Names

Security & Hackers

Internet Safety – School Security

Managing Risks

Resources


Managing Risks

Establish an educational forum– Not an open forum

Policy and Practice must align– Supervise, Monitor, and Enforce

Insure AUP is signed – affirmativeEngage a third party security audit


Managing Risk

Managing Risks In-DepthSlide 5


Managing Risks-Enforcement

Insure due process– Notice, student response, parental meeting– Missouri suit– Arkansas suit– Ohio suit– Pennsylvania expulsion upheld


You can't stop a kid from creating a personal web site critical of your schools: Missouri school district becomes the latest to learn the hard way

From eSchool News staff and wire service reports February 1, 1999

Sending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that Woodland School District in Marble Hill, Mo., violated a high school student's free speech rights when it suspended him for posting a personal web page criticizing his school. The ruling makes clear that schools have no jurisdiction over what their students do in cyberspace, provided it's done on their own time and from their own computers.

U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits the district from using the suspension against student Brandon Beussink in grade and attendance calculations. It also bars the district from punishing Beussink or restricting his ability to post his home page on the internet.

"Dislike or being upset by the content of a student's speech is not an acceptable

justification for limiting student speech," Sippel wrote in his opinion.


Newslines--Arkansas district settles lawsuit over student’s sexually explicit web page eSchool News staff and wire service reports October 1, 2000

Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site so

it could begin the school year without the distractions of a court hearing, a school district

attorney said Aug. 18.

Dan Bufford said the court case was causing too much disruption. “We were looking at sending six to eight teachers, seven to eight students, and three sets of parents from Jonesboro to Little Rock to testify,” Bufford said. “The distractions and the expense of that was just too much.”

The American Civil Liberties Union sued the school district, contending the district wrongly

suspended Justin Redman for 10 days. He was suspended for producing a web site that mirrored

the school’s official web site, but included sexually explicit photos and text, some of which named other students and administrators.

John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization

agrees with the district’s actions. “Every school board and every school board attorney in the state is going to know about this case,” he said. “The schools are going to have to come to realization that, just as they cannot visit discipline on students for something they said at a weekend party, they cannot do it

because of something a student said on the world wide web.”


District must pay teacher-bashing student $30K: Court overturns suspension and upholds protection of student speech on the internet

Gregg W. Downey May 1, 1998

A school district will pay $30,000 to one of its students who was suspended for making fun of his band teacher on the internet, according to the Associated Press (AP). In return, the student will drop his half-a-million-dollar lawsuit against the district for the 10-day suspension, AP reported.

Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was ordered in March by a federal judge to reinstate16-year-old Sean O'Brien. O'Brien had been suspended for using his home computer to create a web site disparaging a band teacher.

The superintendent said the district suspended O'Brien for violating a policy forbidding students from showing disrespect to employees. A federal court told the school district to stop trying to restrict O'Brien's right to free expression.


Pennsylvania judge: Expelling student for web site threats is OK

From eSchool News staff and wire service reports September 1, 1999

A Lehigh Valley, Pa., school district did not violate a student’s constitutional right to free speech when it expelled him last year for allegedly threatening a teacher on his personal web site, a Northampton County Court judge ruled July 23.

Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School District officials saw his web site, in which he allegedly asked for donations to hire a hit man to kill Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family described the site as

an attempt at satirical humor, not a terrorist threat.

The long-since-dismantled web site reportedly had a heading saying “Why She Should Die” above a sentence reading, “Take a look at the diagram and the reasons I give, then give me $20 to help pay a hit man.”


Open Meetings Law

Electronic distribution of Board packets:OK

E-mail between members considered a written memo and is discoverable.

Interaction via e-mail, bulletin board, chat, instant messaging, or video conference most likely constitutes a meeting and is in violation.


Open Meetings Law

Resource:Robert Freeman

– Committee on Open Government– www.dos.state.ny.us.coogwww.html– [email protected]


FOIL & e-Document Policy

Are e-mail, web logs, spreadsheets & word processing documents considered records under FOIL?– Web site logs– Policy directives– Correspondence and memos related to business– Work schedules and assignments– Agendas and minutes of meetings– Drafts of documents circulated for comment – Any document that initiates, authorizes or completes a

business transaction



Administrators must plan for and design a filing structure that can adequately support operational needs and record keeping requirements.

Generally, records transmitted through e-mail and electronic systems will have the same retention periods as records in other formats.

e-Mail addresses of officers and staff & computer access codes are exempt.– Can be used to gain unauthorized access to a computer

or transmit a virus.



Resource:State Archives and Record Administration

(SARA)– www.archives.nysed.gov/services/

recmgmt.htm



Parents & Public can access Web Logs– Exeter Schools– Indiana Superintendents

E-Mail is discoverable in litigation– Utah lawsuit

School Board’s e-communications may be in violation of state’s Sunshine Laws– South Carolina, Pennsylvania,

Create an Electronic document policy– Sample


Superintendents’ use of school computers questioned From eSchool News staff and wire service reports March 5, 2001

An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often violate their own rules. While many school internet policies say web surfing should be for educational use only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their district-issued computers, the Star reported.

In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an apparent violation of common school district internet policies, and one that cost former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted the Star’s investigation.

The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly were education pages. But 3,000 other sites—some of which also could have been viewed for educational purposes—ranged from the popular Amazon.com shopping site to more obscure

sites.


DA eyes agency's failure to release school internet logs: Utah Education Network faces sanctions for overwriting data it was ordered to discloseRebecca Flowers October 1, 1998

Failure to hand over certain logs that track the wanderings of school computer users on the world wide web--including records showing attempts to visit sexually oriented orother banned sites--could result in a criminal investigation by a county district attorney in Utah. The target of the probe: the Utah Education Network (UEN), a public/private consortium that provides internet service to Utah's K-12 schools districts.

In April, Michael Sims, an anti-censorship internet activist, filed for access to the school computer logs under Utah's sunshine law. He wanted to check what web sites were being blocked by internet content filters used by Utah schools.

At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those records belonged to the individual school districts. Sims appealed that denial to the State Records Committee. At a hearing last month, the committee agreed withSims and ordered that the computer logs, purged of any confidential material, be released.


Private web forum snags school boardeSchool News staff and wire service reports October 1, 2000

Members of the Beaufort County (South Carolina) School Board and district Superintendent Herman Gaither have come under fire for using a private internet bulletin board to discuss school district matters. The private electronic forum might constitute a violation of the state’s freedom of information laws, a South Carolina media attorney says.

The issue raises questions about how existing laws meant to ensure the open exchange of public information should be applied to modern technologies such as eMail and the internet.

Gaither said he set up the bulletin board so he could share information with board members on “sensitive or semiprivate information.” Only Gaither and board members had access to the site, which let them read and respond to internal messages.

Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of Information Act prohibits public agencies from using technology to

conduct their business in private and that the bulletin board might violate the law.


Board’s web feedback criticizedElizabeth B. Guerard, Assistant Editor March 1, 2000

A Pennsylvania school board’s use of comments received over the internet has set off a controversy involving the state’s sunshine laws, which require open access to public meetings.

When Central Bucks School District officials were faced with tough decisions that would uproot and place some 2,800 students in new schools, they solicited feedback from parents over the internet instead of using the traditional, face-to-face format of a school board meeting.

Administrators at the Doylestown, Pa.-based district—the third largest in the state—say the process made it easy for them to see where the greatest need for change was. But some parents who were unhappy with the proposed changes have questioned the validity of transferring the democratic process online.

For one thing, the hundreds of electronic comments that were posted to the district’s web site were not made public. Barry Kaufmann, executive director of Common Cause Pennsylvania, a state public interest lobby, said parents should be concerned that comments made online were not shared with others in the community.


E-Document Policy

• Create and enforce an e-document policy that minimizes the time the information is stored

• Enforce the policy in a uniform way

• Create a litigation response that preserves data at the outset of litigation

• Educate employees on the need for a business approach to e-documents

– NSBA Legal Issues and Education Technology


Employee AUPs

Personal Use

Improper Access

Harassment

Copyright

Teacher Web Sites

Teacher Links

Confidentiality

Advertising

Politics

Fundraising


Personal Use

• “School computers, networks, and Internet access are provided to support the educational mission of the school. They are to be used primarily for school-related purposes. Incidental personal use must not interfere with the employee’s job performance, must not violate any of the rules contained in this policy or the student AUP, and must not damage the school’s hardware, software, or communications systems.”

– NSBA Legal Issues and Education Technology


Improper Access

• Images from web pages are stored in cache and can be accessed from hard drive even without Internet access – Dean of Harvard Divinity School

– Child Pornography on school computers

N.J. district sues teacher for allegedly viewing web porn


N.J. district sues teacher for allegedly viewing webporn From eSchool News staff and wire service reports March 1, 1999

The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it paid him while he allegedly viewed computer pornography during school hours. The viewing took place in a school physics room and included times when students were in the room, school officials said.

According to the Associated Press, Alan Ross, who taught 11th - and 12th-grade chemistry, physics, and earth science before being suspended without pay last year, also has a tenure challenge pending. If Ross is found guilty, he would lose tenure and the board would be allowed to fire him.

A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997 showed visits to about 2,900 sites, more than half of which were categorized as adult or personal.All of the online visits occurred during school time--and about 55 percent while students were present in the physics room, school officials said. No sites were visited on the three days Ross was absent during that period, they said.


Harassment

• Off color and potentially offensive Internet jokes and e-mails circulating among staff may create a “hostile” environment– Harassment rules apply equally to electronic

communications

– Report abuse

– Take immediate stepsJudge upholds teacher’s suspension over sexually explicit eMail


Newslines--Judge upholds teacher’s suspension over sexually explicit eMail eSchool News staff and wire service reports September 1, 2000

A judge has upheld the three-week suspension without pay of a Scottsbluff, Neb., middle school teacher accused of repeatedly sending sexually exp licit materials on the school district’s eMail system.

Gerald Schmeckpeper was suspended in December for insubordination when he disobeyed repeated requests to stop his eMail practice. The school board upheld the suspension in January.

Schmeckpeper argued that he was told only to use caution when opening eMail. But District Judge Robert Hippe on July 13 said there was sufficient evidence to suspend Schmeckpepper. Schmeckpeper was receiving and sending eMail with crude jokes and cartoons and had several sexually explicit pictu res stored

electronically, Hippe said.


Copyright

Alleged software piracy could cost LA schools $4.8 million

LAUSD school board settles software piracy charge

LA Times and Washington Post sue web site for copyright infringement


Alleged software piracy could cost LA schools $4.8 millioneSchool News Staff Reports August 1, 1998

A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles UnifiedSchool District (LAUSD), alleging its teachers and other employe es have illegally copied softwareprograms.

The charges of piracy could cost the nation's second -largest school district (after New York City)nearly $5 million over the next three years.

Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance(BSA), a trade group based in Washington State that was formed b y Microsoft and other softwareproducers to protect their copyrights.

But the real cost of the settlement, which at press time was sti ll subject to board approval, is theestimated $4.5 million the district would be forced to spend to replace the unlicensed softwarethat allegedly has spread throughout its classrooms.

us


Newslines--LAUSD school board settles software piracy chargeeSchool News Staff and Wire Reports April 1, 1999

The Los Angeles Unified School District (LAUSD) will pay a compu ter trade group $300,000 to settle a lawsuit alleging that copyrighted computer programs wer e being unlawfully duplicated for use in schools.

The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend $1.5 million over the next three years on an eight -member team to find and eliminate any unauthorized software and to train staff and students on distric t policy prohibiting the unlawful duplication of computer programs.

The Business Software Alliance, an organization formed by Micros oft Corp., Novell Inc., and other computer software companies, alleged that the West Valley Occupational Center in Woodland Hills used unauthorized copies of numerous types of sof tware, including Microsoft Word and Adobe Photoshop.

The group said it had found at least 1,399 copies of software th at it contended were being used without authorization and asked for more than $562,000 in compen sation.

LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid an even more costly court battle.


Newspaper 'fair use' challenge could limit what schools and others post on the web: LA Times and Washington Post sue web site for copyright infringementFrom eSchool News staff and wire reports November 1, 1998

In a case with broad implications about what you can post on you r schools' web sites, the LosAngeles Times and the Washington Post have filed a copyright -infringement lawsuit against the operator of a site that posts their stories without permission.

The lawsuit, filed Oct. 1 in a federal court in Los Angeles, acc uses the Free Republic site of using hundreds of stories from the two newspapers, violating their cop yrights and diverting users and potential revenue from their own sites.

Rex Heinke, an attorney for the newspapers, said the Free Republic site ha s been posting the stories "on a very large scale for a very long time.” Reproducin g the stories without the publishers' consent is financially detrimental to the newspaper companies, Heinke said. The newspapers rely on hits to their own web sites to generate adver tising sales, he said.

The Free Republic site, based in Fresno, Calif., posts the stori es and allows users to writecomments about them. The site's operator, Jim Robinson, said he has ignored warnings from the newspapers because the practice is protected by the First Amendm ent and the "fair use" doctrine of copyright law.


Teacher Web Sites

• Sites created by teachers for their students that are not hosted on the school’s computer system may expose the teacher to risk.

• Whenever possible migrate the teacher’s site to the school system where he/she is protected by the schools AUP, and computer use policies


Teacher Assigned Links

• “The links in this area will let you leave the school district site. The linked sites are not under the control of the district, and the district is not responsible for the contents of any linked site, or any changes or updates to such sites. The district is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of the site by the district.”

– NSBA Legal Issues in Education Technology


Confidentiality

• The Family Education Rights and Privacy Act (FERPA) requires schools to have a policy that grants parents the rights to inspect and review the educational records of their children within 45 days of a request.

• FERPA also requires a parent’s written consent before disclosing personally identifiable information about a student.


Advertising

• School employees are often involved in outside businesses and they may find it tempting to advertise or solicit using the school’s e-mail. – Prohibition should include sending messages

from home or other outside computer to school district e-mail users.


Politics

• Any e-mail sent from the school computer system contains the school’s return address. It is the same as using the school’s letterhead. Accordingly, employees should be put on notice not to have their own opinions mistakenly attributed to the district.Middle school principal suspended for eMail violation


Newslines--Middle school principal suspended for eMailviolationeSchool News Staff and wire service reports February 1, 2000

A Massachusetts middle school principal was suspended for 10 day s because she sent an eMail message to her staff urging them to vote for a political candid ate. Mary A.Toomey, principal of the South Lawrence East School, might also have v iolated state ethics laws.

“As a result of the investigation, I determined that Mary Toomey exercised poor judgment,” said Lawrence Public Schools Superintendent Mae E. Gaskins.

Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was running a sticker campaign for school committee. She sent the eMail the day before the Oct. 5 primary election.

The eMail said Kennedy needed voters to place stickers printed with her n ame directly on the ballot. The stickers would be available at the school’s f ront office, according to the eMail message.Kennedy received the votes she needed and went on to wi n a spot on the committee. School committee spokeswoman Martha E. Previte said Toomey should have received a harsher punishment.


Fundraising

• Schools may decide to permit fundraising with prior approval or they will prohibit it.

• If they permit fundraising activity they must be careful not to discriminate and bar any speakers based on the message.


Security & Hackers

Internal Attacks: Students and Staff Hackers

External Attacks: Internet & e-MailParasitic Attacks: Bandwith

, Storage, ProcessingPhysical Security: IP SurveillanceCommon Security Issues


Internal Attacks: Student & Staff Hackers

Denial of Service– Web server attacks

Unauthorized Intrusions– Admin server accounts– SASI Id’s

Anonymous surfing– Port 443


External Attacks: Internet & e-Mail

Spamming and Smurfing– Rejected e-mail

e-Mail Viruses– ILOVEYOU, Melissa, Anna K, Sircam– Back Orifice

Worms– Code Red– Nmda– Polymorhic worms


Parasitic Attacks

Bandwith– School T1 used fully 24 hours a day– Wireless access

Resource consumption– .exe files – Music, Videos, Games– Adware, IE Hijacker, Foistware,Trojan


Physical Security

IP Surveillance cameras– Easy access to stored video– Motion detectors and alarms

Wireless access for Administration and Police– Quicker assessment and access


Common Security Issues

Kids used to maintain parts of network – (ie web server)

Virus subscription not purchasedSecurity patches not up to date on servers and

workstationsFirewall: None, poorly configured, not up to date

on patches Web server inside or outside FirewallApplications and/or servers not set up correctly

(leaving Guest ID’s, Anonymous users, FTP)


Common Security Issues

No disaster recovery and backups are not rigorous

No restrictions on desktops for students– Floppy access, FTP, loading software

No policy for security: escalation, passwords, etc.


Student Safety

Improper Access– Pornography & Hate sites– Inadvertent access – Ladybug, White House.gov– “How to build a bomb” in backpack

Harrassment– Student to Student– Mr. Bungle

Impersonation– Prodigy case (Boy Scouts)– Spoof web sites (Norwich Schools)


Student Safety

Revealing Personal Information– Bathroom walls incidents– Spoof web site with girls alleged sexual activities– Geocities site with all senior class pictures

Chat Rooms– 71 Felony convictions by Westchester D.A.– Profiles, strangers, pedophiles

Illegal Use– Purchases of alcohol and tobacco, threats– Secret Service

Inappropriate speech– Obscene, defamatory, discriminatory


Student Safety

Invasions of Privacy– Students accessing other students files and e-

mail, sometimes tampering

Teacher assigned linksClub web sites

– Religious prayer club, date rape listserv


Domain Names

Norwichschools.org vs Norwichschools.com– Purchase all available names

Maintain all school domain names rigorously– Porno site appears under school name– High cost of re-purchase

Legitimate third parties have put up school web sites that many parents believe is the “official” school site.– Irate e-mails that school didn’t respond


CIPA & E-Rate

Must certify that all users are protected from inappropriate materials

Must have public meetingMust have AUP

Internet Safety – School Security Ellenville, NY April 26, 2004 Copyright 2001,2002 Lower Hudson...

Documents

Transcript of Internet Safety – School Security Ellenville, NY April 26, 2004 Copyright 2001,2002 Lower Hudson...