Return to the September 1995 Table of ContentsBy Lars Kongshem
Lars Kongshem is assistant editor and webmaster of Electronic School.
Worried about connecting your school or district computer network to the Internet for fear of malicious hackers invading and vandalizing your computers? You don't have to go looking for reasons to feel paranoid about Internet security. Just ponder a few recent events:
Does this sound like the kind of environment you'd want your school's computer network plugged into?
Well, relax. Although the security problems on the Internet are real, the good news is that K-12 Internet sites have so far been spared the sophisticated attacks that have made headlines this year.
In fact, the consensus among educators who administer K-12 host computers on the Internet is that the danger to schools from outside computer intruders is actually quite remote.
Universities, research laboratories, large corporations, and military installations are much juicier targets for hackers who are looking to test their skills, security experts say.
"Schools tend not to be high-profile targets because they are not as interesting to the hackers," says Denis Newman, director of the education networks group at Bolt, Beranek, and Newman (BBN), a provider of Internet solutions for schools and businesses.
Nonetheless, computer and network security is still a concern for schools, and break-ins do occur. But when they do, the perpetrator is more likely to be a student abusing a legitimate school account than an expert hacker picking the digital locks of your computer network from the Internet, K-12 system administrators say.
Security begins at home
Chances are that your own students pose a greater threat to the Internet than anything your school has to fear from the denizens of the global network, says one school computer system administrator.
"The Internet is more afraid of you than you are of it," says Craig Lyndes, computer support technician at Champlain Valley Union High School in Hinesburg, Vt.
"Many people on the Internet speak with great angst about the coming wave of adolescent hackers that the K-12 schools will be dumping on the Internet," Lyndes adds.
That fear is not completely unfounded. David Grisham, computer security administrator at the University of New Mexico at Albuquerque, says that of the "many instances of account theft and break-ins" he has witnessed in his job, "a large part -- 50 percent or so -- are committed by high-school-age types."
That's why the very first Internet security measure schools should consider is to adopt and enforce an acceptable-use policy that clearly delineates the legitimate and prohibited uses of the school's Internet connection, school networking experts say.
"You need to educate students about what's appropriate behavior on the Internet and what's not," says Julie Jordan, technology coordinator at the Mississippi School for Math and Science, a residential magnet school for 11th and 12th-graders in Columbus, Miss.
Students at the school, who share a fast T-1 (1.54 million bits per second) connection to the Internet with a local university, enjoy access from the more than 130 networked personal computers scattered throughout the school, in labs and residence halls.
"We have a user policy that is discussed with each student when they begin their stay with us, and it is frequently revisited during their two years here," Jordan says. "When someone is caught doing something unethical and contrary to policy, action is taken -- anything from loss of accounts to suspension from school."
Case in point: Two years ago, a student at the school discovered he could connect to a terminal located in the Pentagon in a manner that allowed him to write directly to its screen. Whatever he typed on his keyboard would instantaneously appear on the terminal at the other end. Then he fired off a couple of messages about bombs and the President of the United States.
"The Pentagon traced it all the way back to the IP [Internet Protocol] address of the computer in his dorm room," Jordan says. "They had assigned a special investigator. The Pentagon takes these things very seriously. It was a big stink." The student was suspended and later chose not to return to the school.
The fallout from that episode helped administrators at the school refine the acceptable-use policy and better train students in on-line conduct, Jordan says.
"We've learned through incidents like these what to tell students not to do," Jordan says. Although it might seem obvious to adults that a threat on the President's life is a federal offense, she adds, kids often need to have such things spelled out.
Craig Lyndes at Champlain Valley Union High School points to a similar episode at his Vermont school district last winter. A local grade-school student sent an E-mail message to President Clinton claiming -- as a prank -- that another student was planning to bomb the White House.
"The FBI was on the phone within five minutes," Lyndes says. "The kid was terrified." The student's punishment: to write a policy on how to deal with such incidents in the future.
More sophisticated student misconduct on the Internet can and does occur. One concern is that a student will use the school's connection as a launchpad for attacks on other Internet sites.
"It happened to us," Jordan says. "A student had graduated and gone off to college but kept his account here and used it as a cover to hack into university systems overseas. He was storing his hacking software here to avoid detection by the system administrators at his university."
The student was discovered by the victims of his attacks, who tracked him down and alerted the school.
"Since that incident and the incident with the Pentagon," Jordan says, "we've been taking an aggressive . . . approach to educating the students about hacking, netiquette, and appropriate uses of the network, and we've not had what I would call a 'major' incident since."
Another worry is that student hackers could turn your computers into a trading post for pirated software.
Just ask Barry Kort, a consulting scientist at BBN who for five years has been salvaging discarded corporate computers and putting them to use as Internet hosts for his K-12 MuseNet project. MuseNet is a network of multiuser, text-based virtual communities on the Internet in which kids interact with each other and learn to program simulated surroundings with educational themes.
The MuseNet systems are run in part by student volunteers. Last year, Kevin Kane, a 16-year-old computer wizard who shares system administrator duties with Kort, discovered that a software piracy ring was being operated out of a disk drive attached to one of the VAX machines that run MuseNet.
"He had been wondering where all the disk space was disappearing to," Kort says. "Then he discovered hidden directories full of pirated software."
The software pirates had gained access to accounts that allowed them surreptitiously to trade and store illegally copied software on the computer's hard drive.
The young system administrator struck back: He installed special logging software, akin to security cameras, that kept track of all activity at his site. The next time the intruders logged in, their identities were revealed.
"We deleted the files and alerted administrators at the sites the intruder had connected from," Kort says. But chasing down a hacker is a "terrible waste of time," he adds. "I'd rather do something for education."
Virtual vandals
Vandalism on the Internet can affect entire communities, just like in the real world.
When a "small group of misfit hackers" broke into the accounts of a dean and several teachers at the University of Southern Maine, administrators there withdrew the affected computers from service, MuseNet's Kort says.
Unfortunately, those same computers had been doing double duty running MuseNet.
"These machines, which I had salvaged from DEC, represented about 80 percent of MuseNet's capacity," Kort says. MuseNet's performance plummeted as the sole remaining host struggled under the additional burden, and the whole community suffered.
"Everybody knew who was responsible," Kort says. "But these kids thought they should be honored for what they did. They were without remorse."
Although one of the hackers later apologized to the MuseNet community for his actions and made an attempt to change his ways, his behavior eventually led him to a run-in with the FBI, Kort adds.
"Only one in 500 kids is a problem, and just one in 1,000 is a serious problem," he says. "Most of the kids who do hacking do it because they think it's cool. But hacking a K-12 resource is like trampling a flower bed in a park -- it's no great intellectual challenge."
How can you tell which students might become a security problem for your school? Watch out for participation in hacker discussion forums on USENET, a globally distributed bulletin board system.
In USENET newsgroups such as alt.2600, large numbers of aspiring hackers gather with a few genuine computer break-in artists to trade information and software, brag about their exploits, and romanticize the hacker lifestyle, says a former hacker turned computer security consultant.
"The 5 percent of kids on the Internet who have made it into the hacker groups are the ones who could potentially pose a problem," says Susan Thunder. "These kids are very impressionable, and peer pressure cannot be underestimated."
Thunder knows the hacker subculture well. In 1980, she teamed up with a 16-year-old named Kevin Mitnick and a couple of his friends, who were just beginning their hacking careers by breaking into Pacific Bell computers.
Mitnick went on to become a notorious hacker whose ability to break into computers on the Internet earned him the moniker "computer terrorist" from Justice Department officials. His exploits came to an end in February when he was arrested by federal agents after more than two years on the run.
But Thunder had long since turned her skills to more productive uses. These days, she works as a "specialist in the prevention of psychological subversion of trusted systems," but she has another agenda, too: Having seen many hackers go to prison for misusing their skills, she's decided to help steer kids away from the wrong side of the law.
"I get a lot of E-mail from kids who look up to me because of my previous hacker exploits," Thunder says. "But what are they looking up to? Someone who lacked the ability to be truthful? Mitnick is being idolized, and that's not good. It's not good for society, and it's not good for the Internet."
Thunder currently can be found in on-line hacker forums, attempting to use her influence as a role model to try to "direct these kids in a positive way." Helping them understand the ethical and moral issues involved in breaking into computer systems -- even when it's just for fun -- is the key, she says.
When given the proper education and direction, she adds, "they will make the right decision."
Read the sidebar: "Security Do's and Don'ts" Read the sidebar: "Where to Turn" Read the sidebar: "A Word of Warning" Return to the September 1995 Table of Contents
Go to the top of this document
Return to the Electronic School home page