Ed Lawson wrote:

On Tue, 11 Jan 2005 09:49:59 -0500
Dan Jenkins <[EMAIL PROTECTED]> wrote:

Biggest problem: Their testing service requires Internet Explorer. In fact, it requires ActiveX. It also requires changes to disable any prompting for ActiveX components. It requires changes at the web proxy
filter to allow its compiled HTML pages (.HTA) to pass through. And,
no, they (the testing service) have no plans to make any changes in
their application. They do not acknowledge any of these are security
issues. And testing is mandated for all students (except kindergarten
and preschool). Even viewing the test results requires these changes.

Has anyone contacted the state DOE and explained the security issues involved here and why this is a very bad thing so that perhaps they might pressure the testing contractor to use a more secure system?

I didn't explain well. The testing is NOT from the state DOE. It is a private contract with a testing body from somewhere in the midwest.


I am not a technical person, but based on my limited knowledge I believe
you are saying the contractor supplying the state mandated testing is
requiring every school in the state to make at least part of their
network and likely the part containing the most sensitive data about
students and staff vulnerable to known security flaws.  It would be one
thing for a corp to do so with an internal network in order to use
certain applications, but to require it of systems open to the Internet
seems incredibly bad.  Do I have this right?

You are basically correct, except this is NOT state mandated testing. Also, there is no staff information on these systems. The only student information is a student ID. The data on the testing and students is maintained in the testing service's remote database.


This is a private testing service the school uses. It has, as far as I know, nothing to do with the state or feds. So, this only affects those schools who choose to buy into this testing service.

One way we are aiming to work around the issues is to deploy a rolling cart of laptops which are configured for testing. (They can also be used for other purposes, of course.) That way the classroom systems can be locked down again. Things had to be opened up generally because the testing was started before the rolling cart approach was funded.

Basically, the testing service appears to believe the Internet is an internal network. To be honest, they seem to believe that the testing computers would be dedicated to their testing service role. Therefore, security issues would be limited. However, this is an unrealistic view. If a school has a few dozen computers for testing a few times a year, those systems will get used for other purposes throughout the rest of the year.

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-206-9951
*** Technical Support for over a Quarter Century
_______________________________________________
gnhlug-discuss mailing list
[email protected]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
