Python and the school network

[randle]

The worst that's going to happen is they'll create a mass email spam program, temporarily knock out a server or exploit some privilege escalation bug and gain some confidential information.

This is exactly what I'm worried about. Doesn't sound like something I'd like to deal with here if I'm honest.

Thanks for the feedback eveyone. I'm more so thinking in the same vein as skunk. I'm not willing to allow any possibilities (that I can control) of access to confidential data as obviously would be held highly accountable for this. Also I've gone to the bother and time to secure the network so am not happy to give them the tools to simply undo all this.

I'm in no way saying others are doing it wrong or that their opinion is wrong but just that I'm not willing to go down that route.

I do run a vSphere server environment here so a virtual server with SSH/Text editor to provide these needs is a possibilty however have no knowledge of how to set this up but am willing to give it a go. My other option looks to be VPC2007 and images that don't save changes when shutdown. These wouldn't have a network connection but would provide a way to practice in a raw environment as suggested and can still access My Docs for saving through shared folders.

[DMcCoy]

stuff like this:
http://www.hsc.fr/ressources/outils/...atator_v0.2.py


BAN programming!!!!

They already have physical access to a machine and a valid account. There is only so much you are going to be able to do. I mitigated some of the impact with wired 802.1x and switch ACLs along with client/server firewalls to stop access from student VLANs to sensitive servers.

You can't stop the determined hostile user though, just slow them down.

[randle]

This is what I'm trying to find out. If they're running Python in an already restricted account, will it give them the tools to gain elevated access?

[CyberNerd]

This is what I'm trying to find out. If they're running Python in an already restricted account, will it give them the tools to gain elevated access?

No. Permissions are permissions - but it isn't the security of the local machine you should be worried about.

[randle]

Ok I meant more of a backdoor to the system/network then

but it isn't the security of the local machine you should be worried about.

It's not so much. It's network access primarily.

[CyberNerd]

Any modern computer language on a computer could create a risk if you consider that all virus, trojans etc are computer programmes.

As @skunk and @DMcCoy say - the best thing you can do is apply a liberal use of vlans and firewalls to mitigate against crackers.

My opinion is that the risk is tiny and theoretical. Allowing kids to be able to learn python vastly overweights the negatives.
I think you should install the interpreter, and keep an eye on the log files.

[tom_newton]

As others have said, python won't allow access to anything they don't have already.
It will allow users to do things faster than they could by hand - and if it is on your regular network that could allow students to create a DoS scenario. Very easy to find out whodunnit though.
You could probably stop the interpreter talking to the network using windows firewall, butthat spoils some of the fun.

Setting up the single host should be easy enough - ubuntu server on vm, install ssh server, use likewise to link to AD, install python, install easy text editor like joe or pico. Push putty to clients. Done

[dhicks]

if it is on your regular network that could allow students to create a DoS scenario.

More probably by accident than anything else, though - when the second years started doing networking in C++ at university the network used to get blitzed on a regular basis.

You could probably stop the interpreter talking to the network using windows firewall, butthat spoils some of the fun.

Maybe a VLAN with their own route to the Internet?

Setting up the single host should be easy enough - ubuntu server on vm, install ssh server, use likewise to link to AD, install python, install easy text editor like joe or pico. Push putty to clients.

Depends what they are to be taught - they might need a GUI of some kind (in which case a VNC or X terminal should be perfect). I'm sure we found a browser-based SSH client a few weeks back, too, so you could probably do all access via a web browser.

[januttall]

python works great on windows just a word of warning: python can esaily be used to communicate over the network verry easily so good firewalls might be recomended in a school enviroment and putting it on another machine sounds a good idea