Linux-related job postings - Hopkinton NH School District

Dan Jenkins dan at rastech.com
Tue Jan 11 21:01:00 EST 2005


Ed Lawson wrote:

> On Tue, 11 Jan 2005 09:49:59 -0500
> Dan Jenkins <dan at rastech.com> wrote:
> 
>>Biggest problem: Their testing service requires Internet Explorer. In 
>>fact, it requires ActiveX. It also requires changes to disable any 
>>prompting for ActiveX components. It requires changes at the web proxy
>>filter to allow its compiled HTML pages (.HTA) to pass through. And,
>>no, they (the testing service) have no plans to make any changes in
>>their application. They do not acknowledge any of these are security
>>issues. And testing is mandated for all students (except kindergarten
>>and preschool). Even viewing the test results requires these changes.
> 
> Has anyone contacted the state DOE and explained the security issues
> involved here and why this is a very bad thing so that perhaps they
> might pressure the testing contractor to use a more secure system?

I didn't explain well. The testing is NOT from the state DOE. It is a 
private contract with a testing body from somewhere in the midwest.

> I am not a technical person, but based on my limited knowledge I believe
> you are saying the contractor supplying the state mandated testing is
> requiring every school in the state to make at least part of their
> network and likely the part containing the most sensitive data about
> students and staff vulnerable to known security flaws.  It would be one
> thing for a corp to do so with an internal network in order to use
> certain applications, but to require it of systems open to the Internet
> seems incredibly bad.  Do I have this right?

You are basically correct, except this is NOT state mandated testing. 
Also, there is no staff information on these systems. The only student 
information is a student ID. The data on the testing and students is 
maintained in the testing service's remote database.

This is a private testing service the school uses. It has, as far as I 
know, nothing to do with the state or feds. So, this only affects those 
schools who choose to buy into this testing service.

One way we are aiming to work around the issues is to deploy a rolling 
cart of laptops which are configured for testing. (They can also be used 
for other purposes, of course.) That way the classroom systems can be 
locked down again. Things had to be opened up generally because the 
testing was started before the rolling cart approach was funded.

Basically, the testing service appears to believe the Internet is an 
internal network. To be honest, they seem to believe that the testing 
computers would be dedicated to their testing service role. Therefore, 
security issues would be limited. However, this is an unrealistic view. 
If a school has a few dozen computers for testing a few times a year, 
those systems will get used for other purposes throughout the rest of 
the year.

-- 
Dan Jenkins (dan at rastech.com)
Rastech Inc., Bedford, NH, USA --- 1-603-206-9951
*** Technical Support for over a Quarter Century


