
Risk Management for Technology Exposures Prevention Recovery Forensics Security Audit Common Internet Risks Students Managing Internet Risk Sunshine Laws

Page 1

Risk Management for Technology Exposures

Prevention

Recovery

Forensics

Security Audit

Common Internet Risks Students

Managing Internet Risk

Sunshine Laws and Public Records

Common Internet Risks - Employees

Common Security Risks

© Copyright Lower Hudson Regional Information Center (LHRIC).

Page 2

Firewalls

Servers & Network

Desktops

Applications

Policies

User Awareness

Managing Security Risks

Page 3

Employee Risks

Personal Use

Privacy

Improper Access

Harassment

Copyright

Teacher Web Sites

Teacher Links

Confidentiality

Advertising

Politics

Fundraising

Page 4

Improper Access

Pedophiles

Harassment

Copyright:

Internet Risks-Students

Page 5

Educational Forum

Disclosure and disclaimers

Educational Restrictions

Enforcement

District Strategies

Managing Internet Risks

Page 6

Open Meetings Law

FOIL & E-Document Policy

CIPA & E-Rate

Domain Names

Sunshine Laws & Public Records

Page 7

How Bad Is It?

Security incidents are rising exponentially

• 128,678 incidents from July 1-December 31st, 2001

• 2,437 vulnerabilities reported – double the previous year

• 41% of companies experienced “critical attacks”

• 12.7% encountered 1 “emergency” and had to use recovery measures

Source: Washington Post, January 28, 2002

Tension between security and ease of use

Many/most serious security incidents are caused by your own students and disgruntled employees

Page 8

Internal Hacks

60%-80% of hacks are internal - FBI

Unauthorized Intrusions

• Admin accts; SASI access

• Personal laptop connected to school system

Changing settings

• Librarian’s surprise

Superintendent’s private files

Employee w/ Backdoor access

Page 9

Internal Hacks

Anonymous surfing - Port 443

Hacked web sites

Inadvertent damage

• Loading software from home

• Deleting important configuration files

• Attempting to help wiping our systems

Page 10

Internet Hacks

E-Mail borne virus:

I Love You; Melissa; Anna K; Sircam; Code Red; Nimda

Bubbleboy

Worms:

• SQL Slammer; Polymorphic worms

Page 11

Internet Hacks

Denial of Service attacks

• Examples

Parasitic attacks

• T1 used 24 hours per day

• Wireless scan

• Spamming and rejected e-mail

Page 12

Copyright infringement

Software piracy

Copying materials without permission

Copying materials without citing sources

Page 13

Improper Access

Access to Obscene and Inappropriate Material from the School’s System

• Inadvertent Access to Pornography

“It was an innocent search”

Domain name spoofs

• Hate Sites … How to Build a Bomb...

• Doom & Duke Nukem

• 65% of T1 used for music downloads and uploads

• 11 Year old wins E-Bay bids in excess of $900,000

Page 14

Pedophiles

Common profiles and operating procedures

• Chat Rooms

• Bulletin Boards

• Working with Law Enforcement Officials

Page 15

Harassment

Schools close in January on Internet threat

The Secret Service?

“Bathroom Walls” Incident

New Rochelle Harassment

Mr. Bungle

Page 16

Copyright Infringement

Everything on the Internet is protected by Copyright

• If employer has the right & ability to supervise the actions of the employee & has a financial interest in exploitation…even if the employer didn’t know…he may be liable

Page 17

Copyright Infringement

Students cutting and pasting parts of Web pages onto their own

Improper use of student material

Page 26

Establish an Educational Forum

Insure that policy and practice are aligned

Insure that AUP is signed - affirmative consent

You can allow limited “self-discovery”

Page 27

Disclosure and Disclaimers

What services will be or will not be provided:

• E-mail, FTP, Telnet, Listservs, Chats

Not responsible for interruptions & errors in service

Not responsible for content, quality, accuracy of services, products, and information

Are you using filtering or monitoring software

Not responsible for loss or damage from “Viruses”

Third Party links

Page 28

District Strategies

Supervise!

Educate staff, students, and parents

Develop a site limitation strategy

Develop a solid AUP

Keep policy decisions at the highest level

Page 29

Educationally Based Restrictions

Criminal speech:

• Threats to the President, instructions on breaking into computer systems, child pornography, drug dealing, alcohol purchase

Unauthorized access

• Login as someone else

• Browse someone else’s files

Page 30

Educationally Based Restrictions

Inappropriate speech:

• Obscene, profane, vulgar, threatening, harassment, personal attacks, prejudicial, discriminatory, defamatory

• Dangerous information (if acted upon could cause damage)

• Violations of privacy (revealing personal information about others)

Page 31

Educationally Based Restrictions

Inappropriate speech:

• Abuse of resources (chain letters, “spamming”)

Copyright infringement or plagiarism

• Violations of personal safety (revealing personal contact information about self or others)

Page 32

Enforcement - Due Process

If it is educational, access can’t be denied, restricted or suspended without due process.

• Notice to student of alleged violation

• Opportunity for student to respond to allegation

• No denial of an account in advance of a hearing

Missouri suit

Arkansas suit

Ohio suit

Pennsylvania expulsion upheld

Page 33

Court to school district: You can't stop a kid from creating a personal web site critical of your schools: Missouri school district becomes the latest to learn the hard way

From eSchool News staff and wire service reports February 1, 1999

Sending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that Woodland School District in Marble Hill, Mo., violated a high school student's free speech rights when it suspended him for posting a personal web page criticizing his school. The ruling makes clear that schools have no jurisdiction over what their students do in cyberspace, provided it's done on their own time and from their own computers.

U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits the district from using the suspension against student Brandon Beussink in grade and attendance calculations. It also bars the district from punishing Beussink or restricting his ability to post his home page on the internet.

"Dislike or being upset by the content of a student's speech is not an acceptable justification for limiting student speech," Sippel wrote in his opinion.

Page 34

Newslines--Arkansas district settles lawsuit over student’s sexually explicit web page

eSchool News staff and wire service reports October 1, 2000

Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site so it could begin the school year without the distractions of a court hearing, a school district attorney said Aug. 18.

Dan Bufford said the court case was causing too much disruption. “We were looking at sending six to eight teachers, seven to eight students, and three sets of parents from Jonesboro to Little Rock to testify,” Bufford said. “The distractions and the expense of that was just too much.”

The American Civil Liberties Union sued the school district, contending the district wrongly suspended Justin Redman for 10 days. He was suspended for producing a web site that mirrored the school’s official web site, but included sexually explicit photos and text, some of which named other students and administrators.

John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization agrees with the district’s actions. “Every school board and every school board attorney in the state is going to know about this case,” he said. “The schools are going to have to come to realization that, just as they cannot visit discipline on students for something they said at a weekend party, they cannot do it because of something a student said on the world wide web.”

Page 35

District must pay teacher-bashing student $30K: Court overturns suspension and upholds protection of student speech on the internet

Gregg W. Downey May 1, 1998

A school district will pay $30,000 to one of its students who was suspended for making fun of his band teacher on the internet, according to the Associated Press (AP). In return, the student will drop his half-a-million-dollar lawsuit against the district for the 10-day suspension, AP reported.

Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was ordered in March by a federal judge to reinstate 16-year-old Sean O'Brien. O'Brien had been suspended for using his home computer to create a web site disparaging a band teacher.

The superintendent said the district suspended O'Brien for violating a policy forbidding students from showing disrespect to employees. A federal court told the school district to stop trying to restrict O'Brien's right to free expression.

Page 36

Pennsylvania judge: Expelling student for web site threats is OK

From eSchool News staff and wire service reports September 1, 1999

A Lehigh Valley, Pa., school district did not violate a student’s constitutional right to free speech when it expelled him last year for allegedly threatening a teacher on his personal web site, a Northampton County Court judge ruled July 23.

Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School District officials saw his web site, in which he allegedly asked for donations to hire a hit man to kill Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family described the site as an attempt at satirical humor, not a terrorist threat.

The long-since-dismantled web site reportedly had a heading saying “Why She Should Die” above a sentence reading, “Take a look at the diagram and the reasons I give, then give me $20 to help pay a hit man.”

Page 37

Enforcement - Consistency

Schools have double standard for computer vandalism and crime

• “It was just a joke.”

• Nerd discipline

• School yanks Internet access

• Legal punishments

• Incident policy

• $10,000 damage award

Page 38

The Evolution of 'Nerd Discipline'

As with most schools, our overall experience with computer technology, classroom applications, networks, and controlled internet access has been positive and productive. There is, however, a small, smart, and venturesome segment of our student population whose actions sometimes make it otherwise.

These are individuals who use school computers--occasionally in conjunction with computers at home--to test every rule, procedure, and established guideline ... and thus challenge us to devise new and different ways of dealing fairly and effectively with a whole new category of "electronic" infractions. The infractions can range in severity from downloading objectionable material to exchanging passwords, and from intentionally deleting student files to planting software devices designed to disable one or more targeted workstations, a whole department, or the school's entire network.

Through constant monitoring and review of policies and rules, we can make every school's experience with computer technology as positive and productive as it can and should be.

Jeannine Clark is an assistant principal at Clarkstown High School North in New City, N.Y., and the school's building coordinator for the district's technology initiative.

Page 39

School yanks student internet access

By Rebecca Flowers May 1, 1998

A school in Cloverdale, Calif., is being criticized for its decision to shut down student access to the internet after two local teens were accused of hacking Pentagon computers. Some charge the school overreacted in issuing the internet ban, but school officials disagree.

The two students, sophomores at Cloverdale High School, have not been charged with any crimes, and investigators are certain the school's computer network was not used during any of the attacks. But the fear of sabotage or retaliation compelled school officials to close down access to the internet for all students at the school on March 5.

Although the FBI had not contacted the school, John Hudspeth, the boys' computer science teacher, disabled the hackers' network accounts and froze their personal directories. "We had tried to limit the privileges of only the two hacking students, to allow the rest of the student body and faculty to enjoy continued online services," said Bill Cox, president of the board of education. "But either other students were helping our hackers out of friendship or because they saw hacking as 'cool' or our hackers had captured other account passwords and were using those accounts in direct violation of our Acceptable Use Contract that all network users sign."

Threats of further retaliation in the Wired article coupled with attacks on one of the ISPs were enough to convince Cox that strong action was necessary. "Do we just wait around for our high school server to be trashed?" he said. School officials said the temporary suspension was needed to allow them to regroup and learn more about security. Cox also felt that the student body needed to think about the hacking issues in a more reasoned light.

Page 40

Enforcement - Legal Charges

Some of the Legal Charges Against Students/Staff

1st Degree Computer Tampering - Felony

3rd Degree Computer Tampering - Felony

2nd Degree Aggravated Harassment - Misdemeanor

3rd Degree Possession of a Controlled Substance - Felony

1st Degree Attempt to Distribute Indecent Material to Minors

Page 41

Enforcement

Who do I call?

When should I escalate?

How do I secure the evidence?

How do I limit the damage?

What long term actions are needed?

Page 42

Personal Use

“School computers, networks, and Internet access are provided to support the educational mission of the school. They are to be used primarily for school-related purposes. Incidental personal use must not interfere with the employee’s job performance, must not violate any of the rules contained in this policy or the student AUP, and must not damage the school’s hardware, software, or communications systems.”

• NSBA Legal Issues and Education Technology

Page 43

Privacy

Parents & Public can access Web Logs

• Exeter Schools

• Indiana Superintendents

E-Mail is discoverable in litigation

• Utah lawsuit

School Board’s e-communications may be in violation of state’s Sunshine Laws

• South Carolina, Pennsylvania

Page 44

Court: Schools must let parents view internet-use logs

From eSchool News staff and wire service reports November 20, 2000

In a decision with broad implications for schools nationwide, a New Hampshire judge has ruled that the Exeter school district must make public copies of its internet history logs so a father can check whether officials are doing enough to keep pupils away from the web’s seedy side.

James Knight, a father of four whose children attended district schools until recently, filed a lawsuit asking a judge to force the district to hand over its internet logs after educators decided not to use filtering programs on computers children use.

The programs, which have been criticized for their accuracy, block access to objectionable internet sites. The district decided to use supervision and spot checks by teachers instead

Page 45

Superintendents’ use of school computers questioned

From eSchool News staff and wire service reports March 5, 2001

An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often violate their own rules. While many school internet policies say web surfing should be for educational use only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their district-issued computers, the Star reported.

In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an apparent violation of common school district internet policies, and one that cost former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted the Star’s investigation.

The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly were education pages. But 3,000 other sites—some of which also could have been viewed for educational purposes—ranged from the popular Amazon.com shopping site to more obscure sites.

Page 46

DA eyes agency's failure to release school internet logs: Utah Education Network faces sanctions for overwriting data it was ordered to disclose

Rebecca Flowers October 1, 1998

Failure to hand over certain logs that track the wanderings of school computer users on the world wide web--including records showing attempts to visit sexually oriented or other banned sites--could result in a criminal investigation by a county district attorney in Utah. The target of the probe: the Utah Education Network (UEN), a public/private consortium that provides internet service to Utah's K-12 school districts.

In April, Michael Sims, an anti-censorship internet activist, filed for access to the school computer logs under Utah's sunshine law. He wanted to check what web sites were being blocked by internet content filters used by Utah schools.

At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those records belonged to the individual school districts. Sims appealed that denial to the State Records Committee. At a hearing last month, the committee agreed with Sims and ordered that the computer logs, purged of any confidential material, be released.

Page 47

Private web forum snags school board

eSchool News staff and wire service reports October 1, 2000

Members of the Beaufort County (South Carolina) School Board and district Superintendent Herman Gaither have come under fire for using a private internet bulletin board to discuss school district matters. The private electronic forum might constitute a violation of the state’s freedom of information laws, a South Carolina media attorney says.

The issue raises questions about how existing laws meant to ensure the open exchange of public information should be applied to modern technologies such as eMail and the internet.

Gaither said he set up the bulletin board so he could share information with board members on “sensitive or semiprivate information.” Only Gaither and board members had access to the site, which let them read and respond to internal messages.

Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of Information Act prohibits public agencies from using technology to conduct their business in private and that the bulletin board might violate the law.

Page 48

Board’s web feedback criticized

Elizabeth B. Guerard, Assistant Editor March 1, 2000

A Pennsylvania school board’s use of comments received over the internet has set off a controversy involving the state’s sunshine laws, which require open access to public meetings.

When Central Bucks School District officials were faced with tough decisions that would uproot and place some 2,800 students in new schools, they solicited feedback from parents over the internet instead of using the traditional, face-to-face format of a school board meeting.

Administrators at the Doylestown, Pa.-based district—the third largest in the state—say the process made it easy for them to see where the greatest need for change was. But some parents who were unhappy with the proposed changes have questioned the validity of transferring the democratic process online.

For one thing, the hundreds of electronic comments that were posted to the district’s web site were not made public. Barry Kaufmann, executive director of Common Cause Pennsylvania, a state public interest lobby, said parents should be concerned that comments made online were not shared with others in the community.

Improper Access

Images from web pages are stored in cache and can be accessed from hard drive even without Internet access
• Physics Teacher fired
• Dean of Harvard Divinity School
• Child Pornography on school computers

N.J. district sues teacher for allegedly viewing web porn

From eSchool News staff and wire service reports, March 1, 1999

The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it paid him while he allegedly viewed computer pornography during school hours. The viewing took place in a school physics room and included times when students were in the room, school officials said.

According to the Associated Press, Alan Ross, who taught 11th- and 12th-grade chemistry, physics, and earth science before being suspended without pay last year, also has a tenure challenge pending. If Ross is found guilty, he would lose tenure and the board would be allowed to fire him.

A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997 showed visits to about 2,900 sites, more than half of which were categorized as adult or personal. All of the online visits occurred during school time--and about 55 percent while students were present in the physics room, school officials said. No sites were visited on the three days Ross was absent during that period, they said.

Harassment

Off color and potentially offensive Internet jokes and e-mails circulating among staff may create a “hostile” environment
• Teacher suspended
• Harassment rules apply equally to electronic communications
• Report abuse
• Take immediate steps

Newslines--Judge upholds teacher’s suspension over sexually explicit eMail

eSchool News staff and wire service reports, September 1, 2000

A judge has upheld the three-week suspension without pay of a Scottsbluff, Neb., middle school teacher accused of repeatedly sending sexually explicit materials on the school district’s eMail system.

Gerald Schmeckpeper was suspended in December for insubordination when he disobeyed repeated requests to stop his eMail practice. The school board upheld the suspension in January.

Schmeckpeper argued that he was told only to use caution when opening eMail. But District Judge Robert Hippe on July 13 said there was sufficient evidence to suspend Schmeckpeper. Schmeckpeper was receiving and sending eMail with crude jokes and cartoons and had several sexually explicit pictures stored electronically, Hippe said.

Copyright

LA Schools sued for $4.8 million in copyright abuse case

LA Schools settle copyright suit

Fair Use suit could influence what schools can publish on the web

Alleged software piracy could cost LA schools $4.8 million

eSchool News Staff Reports, August 1, 1998

A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles Unified School District (LAUSD), alleging its teachers and other employees have illegally copied software programs.

The charges of piracy could cost the nation's second-largest school district (after New York City) nearly $5 million over the next three years.

Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance (BSA), a trade group based in Washington State that was formed by Microsoft and other software producers to protect their copyrights.

But the real cost of the settlement, which at press time was still subject to board approval, is the estimated $4.5 million the district would be forced to spend to replace the unlicensed software that allegedly has spread throughout its classrooms.

Newslines--LAUSD school board settles software piracy charge

eSchool News Staff and Wire Reports, April 1, 1999

The Los Angeles Unified School District (LAUSD) will pay a computer trade group $300,000 to settle a lawsuit alleging that copyrighted computer programs were being unlawfully duplicated for use in schools.

The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend $1.5 million over the next three years on an eight-member team to find and eliminate any unauthorized software and to train staff and students on district policy prohibiting the unlawful duplication of computer programs.

The Business Software Alliance, an organization formed by Microsoft Corp., Novell Inc., and other computer software companies, alleged that the West Valley Occupational Center in Woodland Hills used unauthorized copies of numerous types of software, including Microsoft Word and Adobe Photoshop.

The group said it had found at least 1,399 copies of software that it contended were being used without authorization and asked for more than $562,000 in compensation.

LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid an even more costly court battle.

Newspaper 'fair use' challenge could limit what schools and others post on the web: LA Times and Washington Post sue web site for copyright infringement

From eSchool News staff and wire reports, November 1, 1998

In a case with broad implications about what you can post on your schools' web sites, the Los Angeles Times and the Washington Post have filed a copyright-infringement lawsuit against the operator of a site that posts their stories without permission.

The lawsuit, filed Oct. 1 in a federal court in Los Angeles, accuses the Free Republic site of using hundreds of stories from the two newspapers, violating their copyrights and diverting users and potential revenue from their own sites.

Rex Heinke, an attorney for the newspapers, said the Free Republic site has been posting the stories "on a very large scale for a very long time." Reproducing the stories without the publishers' consent is financially detrimental to the newspaper companies, Heinke said. The newspapers rely on hits to their own web sites to generate advertising sales, he said.

The Free Republic site, based in Fresno, Calif., posts the stories and allows users to write comments about them. The site's operator, Jim Robinson, said he has ignored warnings from the newspapers because the practice is protected by the First Amendment and the "fair use" doctrine of copyright law.

Security

Switches
• Physical safety

Routers
• Updates and patches, possible paths

Firewalls
• Updates and patches, DMZ

Security

Passwords

Process for alerts

Forensics

Redundancy and recoverability
• Documentation

Policies
• reporting, escalating, employees leaving, evidence

Former employee charged with school district hacking

eSchool News Staff Reports, March 1, 2000

A former school district worker who quit after being passed over for a promotion was charged with hacking into his old employer’s computer system.

Randall Chua Antonio, 32, was charged Jan. 24 with seven felonies in connection with 30 computer break-ins over 11 months at the San Diego Unified School District. Antonio pleaded innocent to the charges, which include disrupting computer services, destroying data, and accessing a computer system without permission.

He is accused of hacking into the district’s computers so that employees couldn’t access the system or to destroy data, but authorities don’t believe any student information was compromised, said Gayle Falkenthal, a spokeswoman for the San Diego County District Attorney’s office.

Antonio worked nine years at the district’s maintenance operation center, where he designed and administered its computer system and web site. He quit in August 1998 and the alleged break-ins began a month later and continued for a year, court records show.

Teacher Web Sites

Sites created by teachers for their students that are not hosted on the school’s computer system may expose the teacher to risk.

Whenever possible, migrate the teacher’s site to the school system, where he/she is protected by the school’s AUP and computer use policies.

Teacher Assigned Links

“The links in this area will let you leave the school district site. The linked sites are not under the control of the district, and the district is not responsible for the contents of any linked site, or any changes or updates to such sites. The district is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of the site by the district.”
• NSBA Legal Issues in Education Technology

Confidentiality

The Family Education Rights and Privacy Act (FERPA) requires schools to have a policy that grants parents the rights to inspect and review the educational records of their children within 45 days of a request.

FERPA also requires a parent’s written consent before disclosing personally identifiable information about a student.

Advertising

School employees are often involved in outside businesses and they may find it tempting to advertise or solicit using the school’s e-mail.
• Prohibition should include sending messages from home or other outside computer to school district e-mail users.

Politics

Any e-mail sent from the school computer system contains the school’s return address. It is the same as using the school’s letterhead. Accordingly, employees should be put on notice not to have their own opinions mistakenly attributed to the district.
• Superintendent’s e-mail sparks state inquiry

Newslines--Middle school principal suspended for eMail violation

eSchool News Staff and wire service reports, February 1, 2000

A Massachusetts middle school principal was suspended for 10 days because she sent an eMail message to her staff urging them to vote for a political candidate. Mary A. Toomey, principal of the South Lawrence East School, might also have violated state ethics laws.

“As a result of the investigation, I determined that Mary Toomey exercised poor judgment,” said Lawrence Public Schools Superintendent Mae E. Gaskins.

Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was running a sticker campaign for school committee. She sent the eMail the day before the Oct. 5 primary election.

The eMail said Kennedy needed voters to place stickers printed with her name directly on the ballot. The stickers would be available at the school’s front office, according to the eMail message. Kennedy received the votes she needed and went on to win a spot on the committee. School committee spokeswoman Martha E. Previte said Toomey should have received a harsher punishment.

Fundraising

Schools may decide to permit fundraising with prior approval or they will prohibit it.

If they permit fundraising activity they must be careful not to discriminate and bar any speakers based on the message.

Sunshine Laws

The use of e-mail and conferencing tools has raised questions.
• If one Board member e-mails another about school board business, is that a violation of the state’s sunshine laws?
• How about when board members use the telephone, e-mail, or faxes to poll one another about board business?
• What about soliciting feedback from the public electronically?

Prevention - Firewalls

What data do you want to protect?
• Known databases such as student and financial info.
• Local databases kept on hard drives

What is a firewall?
• Not a content filter

Poor configurations and lack of patch maintenance very common

Personal firewalls for your home

Prevention - Firewalls

Intrusion Detection Software
• 5,000 port scans per day

What is a DMZ?

Web server dilemmas
• Placement of server
• Access for content management

Prevention - Servers

Keep up with server maintenance and security patches
• Nimda took advantage of known holes
• Code Red, Polymorphic worms

Subscribe to virus definitions and be sure to update
• Not all virus protection software is created equal

Remove all generic and guest defaults after install
• Web server hacked via generic login

Check for inactive web modules
• They can be accessed and generic setups abused

Prevention - Desktops

A: drive
• Vulnerable to infected floppy disks and other non-authorized files and applications

C: drive
• Vulnerable to configuration changes, and access to restricted resources (students hid Internet access)

FTP
• Vulnerable to downloads of infected files or other non-authorized files and applications

Prevention - Desktops

Windows Explorer
• Students see all network resources

Right Click
• Students can cut, paste, and delete important files including system configuration

Prevention - Network

Require specific logons
• Lab aide giving generic logons so students could bypass system
• Pornography found on C: drive in teachers’ room

Secure your remote access to network
• Maintenance done by third parties
• Virtual Private Networks (VPNs)

Are your hubs and switches physically secure?

Prevention - Network

Configure your routers with access lists

Check hubs, switches and routers for web management modules and change default passwords

Prevention - Applications

Microsoft Office – “save as”
• Can student see network drives?

Microsoft Office and Encarta templates
• Students get Internet access and can download unauthorized Microsoft patches

Downloads of plugins and other software

Programming courses such as C++ and Visual Basic
• Have access to basic network functions

Prevention - Policies

.exe files
• Slow Internet and/or network performance
• Overwhelmed hard drives and network servers

Passwords
• No policy on changing
• Fewer passwords for ease of use purposes
• “Shoulder surfing”, yellow stickies, etc.

Disks from home
• Technical vulnerabilities
• Copyright vulnerabilities

Prevention - Policies

Loading software locally
• Technical issues – not in “Ghost image”
• Printing and application support issues
• Copyright issues
• Accidentally “blow out” system

Docking home computers
• Students running “cracking” programs and access SASI passwords
• Keychain hard drives

Prevention - Policies

Removal of access when someone leaves
• E-mail, Calendar, network logon, etc.

Early notification of problems such as viruses
• What process in place to notify users of new viruses, etc.

More than one person with key knowledge and access.
• Network backdoors setup
• Secret backups and password changes done before termination
• 18 months rebuilding system because of no documentation
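
The account points on the Prevention slides (remove access when someone leaves, remove generic and guest defaults, require specific logons, network backdoors) can be checked mechanically against an account export and a logon log. The following Python audit is an added example, not part of the original presentation; the file formats, account names, log lines and the GENERIC_NAMES list are constructed assumptions.

```python
import csv
import io
from collections import namedtuple
from datetime import date, datetime

Account = namedtuple("Account", "enabled separated_on")
Finding = namedtuple("Finding", "kind username detail")

# Assumed list of shared/default logon names; replace with the site's own.
GENERIC_NAMES = {"guest", "admin", "administrator", "test", "labuser", "student"}

# Constructed account export: separation date is blank if still employed.
ACCOUNTS_CSV = """username,enabled,separated_on
jdoe,yes,
rsmith,yes,2001-08-14
mlee,no,2002-06-30
guest,yes,
labuser,no,
"""

# Constructed logon log: timestamp, username, source address, result.
AUTH_LOG = """\
2001-08-10T09:02:11 rsmith 10.1.4.20 success
2001-09-21T23:41:05 rsmith 203.0.113.7 success
2001-09-22T08:15:40 jdoe 10.1.4.31 success
2002-07-02T02:10:09 mlee 203.0.113.7 failure
2002-07-02T02:10:44 mlee 203.0.113.7 success
2002-07-03T01:00:00 svc_maint 203.0.113.7 success
this line is malformed and must not stop the audit
"""


def load_accounts(text):
    """Parse the account export into {username: Account}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep = row["separated_on"].strip()
        accounts[row["username"].strip().lower()] = Account(
            enabled=row["enabled"].strip().lower() == "yes",
            separated_on=date.fromisoformat(sep) if sep else None,
        )
    return accounts


def parse_auth_log(text):
    """Return (events, skipped); malformed lines are counted, not fatal."""
    events, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            user, source, result = parts[1].lower(), parts[2], parts[3]
        except (IndexError, ValueError):
            skipped += 1
            continue
        events.append((when, user, source, result))
    return events, skipped


def audit(accounts, events):
    """Flag leaver accounts, generic logons, and suspicious successful logons."""
    findings = []
    for user, acct in sorted(accounts.items()):
        # Access not removed when someone left.
        if acct.enabled and acct.separated_on:
            findings.append(Finding("leaver_enabled", user,
                                    f"separated {acct.separated_on}"))
        # Generic or guest default still usable.
        if acct.enabled and user in GENERIC_NAMES:
            findings.append(Finding("generic_enabled", user,
                                    "shared or default logon"))
    for when, user, source, result in events:
        if result != "success":
            continue
        acct = accounts.get(user)
        detail = f"{when.isoformat()} from {source}"
        if acct is None:
            # Logon that no one documented: candidate backdoor account.
            findings.append(Finding("unknown_account_login", user, detail))
        elif acct.separated_on and when.date() > acct.separated_on:
            # Successful logon after the owner's separation date,
            # reported even if the account has since been disabled.
            findings.append(Finding("login_after_separation", user, detail))
    return findings


if __name__ == "__main__":
    accts = load_accounts(ACCOUNTS_CSV)
    evts, bad = parse_auth_log(AUTH_LOG)
    for f in audit(accts, evts):
        print(f"{f.kind:24} {f.username:10} {f.detail}")
    print(f"{bad} malformed log line(s) skipped")
```

The audit depends on unique log-ins: a finding against a shared logon such as guest cannot be tied to one person.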

Prevention – Policies

Students doing maintenance
• May compromise security intentionally or unintentionally

Enforcement of Policies
• If practice doesn’t follow policy then policies are not valid.

Recovery

Save to the network
• Saving to the C: drive means no backups

Verify that they are done
• Who is responsible? Who is their backup?

External backups vs internal

Proper tape rotation

Off-site storage

Periodic backup check before an emergency

Recovery

Damaged servers
• RAID drives
• Maintenance contract or spare drives
• Mirrored or backup servers
• Hot site

Routers, switches, hubs
• Maintenance contract of replacements

Recovery

Applications media archived

Escalation procedure to move to recovery quicker and to limit damages
• May need to isolate problem
• May need to change passwords

Forensics

Log files:
• Intrusion detection logs
• Firewall logs
• Router logs
• Server logs
• Application logs

Forensics

Unique log-ins

Isolate systems

Notify authorities

Print screens (IM’ing, chat, e-mail, etc.)
• Terror threat to local HS
• Ballad of an e-mail terrorist

Hard Drive recovery

Anonymizer sites

Open Meetings LawOpen Meetings Law

Electronic distribution of Board Electronic distribution of Board packets:OKpackets:OK

E-mail between members considered a E-mail between members considered a written memo and is discoverable.written memo and is discoverable.

Interaction via e-mail, bulletin board, chat, Interaction via e-mail, bulletin board, chat, instant messaging, or video conference instant messaging, or video conference most likely constitutes a meeting and is in most likely constitutes a meeting and is in violation. violation.

Open Meetings Law

Resource: Robert Freeman
• Committee on Open Government
• www.dos.state.ny.us.coogwww.html
• [email protected]@dos.state.ny.us

FOIL & e-Document Policy

Are e-mail, web logs, spreadsheets & word processing documents considered records under FOIL?
• Web site logs
• Policy directives
• Correspondence and memos related to business
• Work schedules and assignments
• Agendas and minutes of meetings
• Drafts of documents circulated for comment
• Any document that initiates, authorizes or completes a business transaction

FOIL & e-Document Policy

Administrators must plan for and design a filing structure that can adequately support operational needs and record keeping requirements.

Generally, records transmitted through e-mail and electronic systems will have the same retention periods as records in other formats.

e-Mail addresses of officers and staff & computer access codes are exempt.
• Can be used to gain unauthorized access to a computer or transmit a virus.

FOIL & e-Document Policy

Parents & Public can access Web Logs
• Exeter Schools
• Indiana Superintendents

E-Mail is discoverable in litigation
• Utah lawsuit

School Board’s e-communications may be in violation of state’s Sunshine Laws
• South Carolina, Pennsylvania,

Create an Electronic document policy
• Sample

FOIL & e-Document Policy

Resource: State Archives and Record Administration (SARA)

www.archives.nysed.gov/services/recmgmt.htm

Superintendents’ use of school computers questioned

From eSchool News staff and wire service reports, March 5, 2001

An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often violate their own rules. While many school internet policies say web surfing should be for educational use only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their district-issued computers, the Star reported.

In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an apparent violation of common school district internet policies, and one that cost former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted the Star’s investigation.

The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly were education pages. But 3,000 other sites—some of which also could have been viewed for educational purposes—ranged from the popular Amazon.com shopping site to more obscure sites.

DA eyes agency's failure to release school internet logs: Utah Education Network faces sanctions for overwriting data it was ordered to disclose

Rebecca Flowers, October 1, 1998

Failure to hand over certain logs that track the wanderings of school computer users on the world wide web--including records showing attempts to visit sexually oriented or other banned sites--could result in a criminal investigation by a county district attorney in Utah. The target of the probe: the Utah Education Network (UEN), a public/private consortium that provides internet service to Utah's K-12 school districts.

In April, Michael Sims, an anti-censorship internet activist, filed for access to the school computer logs under Utah's sunshine law. He wanted to check what web sites were being blocked by internet content filters used by Utah schools.

At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those records belonged to the individual school districts. Sims appealed that denial to the State Records Committee. At a hearing last month, the committee agreed with Sims and ordered that the computer logs, purged of any confidential material, be released.

Private web forum snags school board

eSchool News staff and wire service reports, October 1, 2000

Members of the Beaufort County (South Carolina) School Board and district Superintendent Herman Gaither have come under fire for using a private internet bulletin board to discuss school district matters. The private electronic forum might constitute a violation of the state’s freedom of information laws, a South Carolina media attorney says.

The issue raises questions about how existing laws meant to ensure the open exchange of public information should be applied to modern technologies such as eMail and the internet.

Gaither said he set up the bulletin board so he could share information with board members on “sensitive or semiprivate information.” Only Gaither and board members had access to the site, which let them read and respond to internal messages.

Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of Information Act prohibits public agencies from using technology to conduct their business in private and that the bulletin board might violate the law.

Board’s web feedback criticized

Elizabeth B. Guerard, Assistant Editor, March 1, 2000

A Pennsylvania school board’s use of comments received over the internet has set off a controversy involving the state’s sunshine laws, which require open access to public meetings.

When Central Bucks School District officials were faced with tough decisions that would uproot and place some 2,800 students in new schools, they solicited feedback from parents over the internet instead of using the traditional, face-to-face format of a school board meeting.

Administrators at the Doylestown, Pa.-based district—the third largest in the state—say the process made it easy for them to see where the greatest need for change was. But some parents who were unhappy with the proposed changes have questioned the validity of transferring the democratic process online.

For one thing, the hundreds of electronic comments that were posted to the district’s web site were not made public. Barry Kaufmann, executive director of Common Cause Pennsylvania, a state public interest lobby, said parents should be concerned that comments made online were not shared with others in the community.

E-Document Policy

• Create and enforce an e-document policy that minimizes the time the information is stored

• Enforce the policy in a uniform way

• Create a litigation response that preserves data at the outset of litigation

• Educate employees on the need for a business approach to e-documents

– NSBA Legal Issues and Education Technology

Domain Names

Norwichschools.org vs Norwichschools.com
• Purchase all available names

Maintain all school domain names rigorously
• Porno site appears under school name
• High cost of re-purchase

Legitimate third parties have put up school web sites that many parents believe is the “official” school site.
• Irate e-mails that school didn’t respond

CIPA & E-Rate

Must certify that all users are protected from inappropriate materials

Must have public meeting

Must have AUP