I've been asked to add Python to the school network which is easy enough as an msi is provided however am unsure as to whether installing this on the native system is a good idea. Should I be implementing a Virtual PC image with this? With GPO restrictions in place, is this neccessary?
The school's never needed anything like this on the network before so haven't had to worry about this before however due to recent public comments, it's been decided that we need this.
Decided by who? in consultation with who? for what purpose?
Ben
This is a request by the ICT department as they want to teach students Python. Ideally I want to know what the risks are and in what way this could be done if it's a good idea then once I know either way, I can go back to them and the SMT and let them know whether this is possible rather than just saying no from the get go.
Are there schools out there who have been asked to implement something similar?
Giving kids a python interpreter means they can use the computer to do what they like with - access the C:\ drive, call system commands, run network commands.
Is Python the security risk or is windows the security risk?
I personally don't think it's an issue. If you think it is then run it on *nix or in a virtual machine.
If you're worried about running Python locally on each workstation you could install an SSH client and a text editor on each workstation and have the pupils save and execute code on a central server. Also, this kind of worry is exactly the kind of the kind of thing the Raspberry Pi is designed to take care of - give each pupil a £22 computer and leave them to it.Originally Posted by randle
randle (3rd February 2012)
What @dhicks said. You could even set up an ubuntu box joined to AD, one decent desktop should allow for a full class of students (probably more) all doing "commandline" based python. Use an easy text editor like "joe" and you're away. You may have problems with students trying to be clever and DOS the box by running compute-intensive stuff, but it is easy enough to spot these and apply a LART.
You could position this as a "first step" into the python world - also one box means you have a LOT of control over the runtime environment, a (competent) IT teacher can easily distribute sample scripts to students, it might even be possible for students to log in from home to do work.
randle (3rd February 2012)
Looking at the same thing here, tbh my preferred option is the raspberry Pi if they can get it out of the doors in enough quantity for September, which is looking increasingly unlikely.
I think we'll be going down the route of having VM's set up with a dev image:
Python
Eclipse with PyDev
Android Dev Environment
Windows 7 Mobile Dev Environment
Visual Studio
Microsoft Robotics Developer Kit
Small Basic
Scratch
Running python programs on windows will give program the same security restrictions that the user would have if the had access to the command line, windows explorer or the save/open dialogs in most windows applications. They could run any program on the system that they have read and execute permissions on.
If you have denied students access to a file/folder/network drive, then they still can't get it, because they will be running python under their own account. However, one thing that does occur to me is if the students hand in a program (in any language, not just python) to a teacher and the teacher runs it, then it would run as the member of staff. If a student were crafty, they could get the program to access a confidential file and send it via email or network share to themselves when the teacher runs it. Staff marking the work would need to be very strict about reading the code before running it. I would also give the staff a restricted environment of some kind to run it in, Maybe a vm or linux server, or another un-privileged username.
Unless they can find a privilege escalation type bug, then they shouldn't be able to do any admin level stuff. That is assuming you have the PCs locked down properly. I think the worst they are likely to be able to do is crash the pc, or maybe corrupt the python install. Neither of those should take long to fix (either reboot. or reinstall python).
You probably want to make sure the rest of the network is secured properly, with firewalls, backups, system images, etc, but any vulnerabilities there are present if the students can bring in their own equipment, or use VMs/ssh/raspberry pi or Java or Visual Basic. Its possible that they could create programs to do denial of service or other attacks against hosts on your network. This applies to any network however, with or with out development tools installed.
This is based on my personal experience with python, I don't use it in a teaching environment.
randle (3rd February 2012)
I really think school sysadmins need to relax a little and give kids chance to explore.
The worst that's going to happen is they'll create a mass email spam program, temporarily knock out a server or exploit some privilege escalation bug and gain some confidential information. They'll do that if it's on a (networked) raspberry pi or (networked) Virtual machine. There are not going to many kids that could do it, and even fewer that would do it. You or the teachers will be able to identify those bright but misaligned students in a flash.
Real learning doesn't happen in a sterile environment. I've had kids that have written their own proxy servers in their bedrooms, to be able to get to games sites and others that have attempted to DoS our internal email system. The only thing that has come from it is good, the kids learned important lessons.
We aren't working in a military environment. Sometimes it is good to say YES to things that will be good for teaching and learning, and learning Python certainly will be. Even of it means 'letting go' a little.
garethedmondson (4th February 2012)
I'd have to agree with this.
What I would suggest is dropping a couple of Universty IT departments an e-mail, a lot of them have Python and other interpreters installed for CompSci students, in a domain environment. In fact, I learnt Python in a Windows 7 domain environment towards the end of last year.
They did at the start, then liberties were taken, so it go bolted down a bit, more liberties were taken, more bolts, etc.
...is that a bunch of laws get broken and the school has vicarious liability to any victims, ICO on its back and a P45 with the sysadmin's name on it. Not a career path I intend to follow or would recommend anyone else doing so.
Yes and no. Why does a controlled, safe environment have to be sterile? Why does students letting rip with their coding prowess mean that the school network be at risk.
I would recommend a bunch of (virtual) servers in a DMZ with only SSH inbound open. The kids can play, the servers can be reset once they have royally stuffed them up and the rest of the school can keep running as normal with a reasonable level of risk.
randle (3rd February 2012)
If you give someone a programming language and they decide to bruteforce your SQL or LDAP then provided you've taken reasonable measures to secure said servers then I don't think you would have too much to worry about from an ICO or p45 perspective. If you are really that paranoid then it might be best to unplug the network cards altogether.
That would be a pretty sterile environment, albeit secure.
I think we shouldn't all overreact to what 'could' happen, or we'll end up banning a whole load of useful educational tools like raspberry pi and running student machines a DMZ; back to the separate staff/student networks of eons ago. Relax, it will be fine
As long as it runs under a standard user account I really don't see what the problem is.
stuff like this:
http://www.hsc.fr/ressources/outils/...atator_v0.2.py
BAN programming!!!!
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote