Idiot IT group at CCSF permits continuing Russian data theft for 12+ years

[Thad Floryan]

If ever an IT department's personnel should be shot on sight and their
site's server rooms nuked from orbit just to be safe, CCSF's is it.

Article here:

<http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/13/MN4Q1MO9JK.DTL>

I was surprised to learn that PORN is a valid class and research subject
at CCSF -- sign me up now because CCSF sounds like a real party school!

Following are several extracts copy'n'pasted from the above article:

Personal banking information and other data from perhaps tens of thousands
of students, faculty and administrators at City College of San Francisco
have been stolen in what is being called "an infestation" of computer
viruses with origins in criminal networks in Russia, China and other
countries, The Chronicle has learned.
[...]
But a closer look revealed a far more nefarious situation, which had been
lurking within the college's electronic systems since 1999.
[...]
Each night at about 10 p.m., at least seven viruses begin trolling the
college networks and transmitting data to sites in Russia, China and at
least eight other countries, including Iran and the United States,
Hotchkiss and his team discovered. Servers and desktops have been infected
across the college district's administrative, instructional and wireless
networks. It's likely that personal computers belonging to anyone who used
a flash drive during the past decade to carry information home were also
affected.
[...]
Since Nov. 28, college officials have traced at least 723 Internet protocol
addresses to the Russian Business Network, "a notorious gang in the
business of stealing and selling personal information," Hotchkiss said.
[...]
Shortly before Hotchkiss arrived at City College, a new firewall was
installed. Technicians set it up to block pornography sites, which are
notorious for transmitting computer viruses.

Then faculty began complaining to Hotchkiss that students needed access to
porn sites. For research.

Eventually, given examples of the academic necessity, Hotchkiss had to
remove the porn block.

[Thad Floryan]

On 1/14/2012 3:30 AM, Thad Floryan wrote:
> If ever an IT department's personnel should be shot on sight and their
> site's server rooms nuked from orbit just to be safe, CCSF's is it.
>
> Article here:
>
> <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/13/MN4Q1MO9JK.DTL>

> [...]
> Shortly before Hotchkiss arrived at City College, a new firewall was
> installed. Technicians set it up to block pornography sites, which are
> notorious for transmitting computer viruses.
>
> Then faculty began complaining to Hotchkiss that students needed access to
> porn sites. For research.
>
> Eventually, given examples of the academic necessity, Hotchkiss had to
> remove the porn block.

Idiots didn't do it correctly. I've been using one of my Windows boxes to
peruse Russian PRON sites for years and never, ever had any infection or
malware on the system whatsoever. Why? Three reasons:

1. block ALL, REPEAT, ALL, ads everywhere. Easily done with merging the
two databases from the following two websites and placing the info in
Window's /etc/hosts file located in (Win2K, WinXP, Vista, Win7):

C:\Windows/System32\drivers\etc\hosts

The two databases are here:

<http://www.mvps.org/winhelp2002/hosts.htm>
and
<http://someonewhocares.org/hosts/>

The /etc/hosts technique works with ALL OSs: *BSD, Linux, Solaris, UNIX,
Windows, and even MacOS X.

Note that ads are the Internet's bane. Recently 150,000 readers of the
New York Times' website were infected because an offsite ad executed an
IFRAME which loaded malware silently in the background -- no clicking is
required to load malware on your system(s), it "just happens". Seriously.

2. NoScript plugin for Firefox. Under NO circumstances ever execute any
HTML IFRAME or similar malware that autoexecutes upon page loading.

3. Symantec's "Norton Anti Virus" or "Norton Internet Security", readily
available for free (after rebates) from Fry's website if you watch their
website <http://www.frys.com/> on a weekly basis for the weekly specials.

What are some good Russian porn sites? <http://www.between-legs.com/> is
a good start if you're just now entering this line of research. :-)

[David Kaye]

"Thad Floryan" <th...@thadlabs.com> wrote

> I was surprised to learn that PORN is a valid class and research subject
> at CCSF -- sign me up now because CCSF sounds like a real party school!

I was also surprised. What's more I was surprised that they seem to think
porn sites are much of a malware problem. That hasn't been my experience.

My experience is that the sites loaded with malware tend to be gaming warez
sites, fix-it sites, and bogus Google entries. One of the classics I fell
for myself was when Shaun White won the Olympic snowboarding competition a
couple years ago. I wanted to see a video of his win and searched his name
on Google. The third entry had a snap of what appeared to be exactly what I
was looking for. I went to the site and it said, "You need to upgrade your
video player to play this clip" or words to that effect. Without thinking I
clicked on a button and immediately malware gets installed on my computer.

I was looking for a place to complain on Google's website, but couldn't find
anything. When I tried searching for the site again using the same criteria
a few minutes later it was gone from Google search return.

I'm amazed that bots could operate for so long at CCSF without anyone
knowing. Don't they randomly test machines with cports or anything?
Sheesh!

[Thad Floryan]

On 1/14/2012 10:30 AM, David Kaye wrote:
> "Thad Floryan" <th...@thadlabs.com> wrote
>
>> I was surprised to learn that PORN is a valid class and research subject
>> at CCSF -- sign me up now because CCSF sounds like a real party school!
>
> I was also surprised. What's more I was surprised that they seem to think
> porn sites are much of a malware problem. That hasn't been my experience.

> [...]

> I'm amazed that bots could operate for so long at CCSF without anyone
> knowing. Don't they randomly test machines with cports or anything?
> Sheesh!

Absolute incompetence at CCSF. Even the new IT director, though he
"found" the nightly 10pm virus trawls across all his networks and also
found the recipients to be in China, Russia, Iran, etc. hasn't done anything
about it (per the SFGate article) and is letting the data still be gathered
and sent outside the USA. He should be thrown in jail ASAP and the entirety
of CCSF's computer infrastructure disconnected. You know what's gonna hit
the fan now that this 12+ year security lapse has been revealed by the Chronicle
and people start thinking about suing CCSF out of existence.

I have helped so many companies with their security issues over the decades
I've actually lost count.

One of the most humorous events at a client site was, unbeknown to be, their
Board of Directors contracted with Ernst & Young to perform a security audit
of what I designed and implemented for them.

One evening around 10pm Bay Area time, my alarm setup texted my cell phone
with intrusion attempt warnings and I was able to quickly VPN in (to San Mateo
from my home) and discover all sorts of network probes and other suspicious
activity (none of which got past the firewall). I quickly traced the point of
origin, called the ISP, and had the network connection for Ernst & Young
disconnected from the Internet within just minutes, and the hacker activity
immediately ceased.

The next morning I learned that Ernst & Young were stunned, my network setup
got an A+++ rating, and I received a substantial bonus from the client. This
was in 2000 and I had NO idea who/what Ernst & Young was at the time.

Most of my client setups are/were similar and just as effective.

If you're curious who Ernst & Young are: <http://www.ey.com/>. Search using
"computer security audit" on their website.

[Marcus Allen]

On Sat, 14 Jan 2012 16:47:26 -0800, Thad Floryan <th...@thadlabs.com>
wrote:

>Absolute incompetence at CCSF. Even the new IT director, though he
>"found" the nightly 10pm virus trawls across all his networks and also
>found the recipients to be in China, Russia, Iran, etc. hasn't done anything
>about it (per the SFGate article) and is letting the data still be gathered
>and sent outside the USA.

Almost like "The Cuckoo's Egg", by Clifford Stoll, only instead of
feeding them fake info he's apparently letting them feed off the good
stuff. Not good.

[jcdill]

On 14/01/12 4:47 PM, Thad Floryan wrote:
> Absolute incompetence at CCSF. Even the new IT director,

Most of the IT staff at CCSF are students. Community College students.
They aren't experienced IT professionals. Most community college IT
departments are similar.

When I took a studio lighting photography course at CCSF ~5 years ago,
they were just *starting* to phase out their practice of using a
student's SSN as their ID number for logging in. The forms still had a
place to enter your SSN, but we were told to not enter our SSN and then
were issued a different number to use (oh joy, another long number to
MEMORIZE because it wouldn't cache in the login system).

jc

[jcdill]

On 14/01/12 4:47 PM, Thad Floryan wrote:

> and people start thinking about suing CCSF out of existence.

How would that be useful for the thousands of students taking classes at
CCSF?

jc

[Thad Floryan]

The injured parties whose data was compromised along with the
identity theft would be seeking redress in a lawsuit and really
wouldn't care what happens to CCSF and the present students
especially those "students" who are taking and researchhing the
PORN classes at CCSF.

Would you? I wouldn't if I was an injured party due to CCSF's
absolute and inexcusable negligence.

Did you not read the SFGate article in its entirety? Here is
the URL again:

<http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/13/MN4Q1MO9JK.DTL>

In your earlier article you wrote:
"
" Most of the IT staff at CCSF are students. Community College
" students. They aren't experienced IT professionals. Most
" community college IT departments are similar.

It doesn't matter what warm bodies are doing the work, there still
needs to be responsible oversight. Per the SFGate article, there
has been NO oversight for over 12 years. That is inexcusable and
actionable -- grounds for suing CCSF and the IT department heads'
asses off and putting them away in jail for a l-o-n-g time.

[jcdill]

On 14/01/12 10:33 PM, Thad Floryan wrote:

> It doesn't matter what warm bodies are doing the work, there still
> needs to be responsible oversight. Per the SFGate article, there
> has been NO oversight for over 12 years. That is inexcusable and
> actionable -- grounds for suing CCSF and the IT department heads'
> asses off and putting them away in jail for a l-o-n-g time.

Good luck with that. The head of PG&E who ran the ship when they were
diverting funds earmarked for safety to corporate profits, bonuses, and
dividends, resulting in a pipeline explosion that killed 8 people? That
is someone who should be put away in jail for a l-o-n-g time.

People using Windoze systems with poor antivirus practices (most
computer users) will have a very hard time proving any loss they may
have suffered was due to the virus on the CCSF virus problem. Nobody
(at CCSF) is going to go to jail over this.

jc

[Thad Floryan]

It really seems you did NOT read the SFGate article (or forgot what
you read). The last two sentences are:

" [...]
" "Given the outright mismanagement of our networks, if someone's
" information is stolen, are we liable for that?" Jackson asked.
"
" No one had an answer.

Such incredibly stupid negligence on the part of CCSF is actionable.

I am not a lawyer, but this situation looks like a potential gold
mine for the injured parties especially since the negligence is
being permitted to continue.

[jcdill]

On 14/01/12 11:32 PM, Thad Floryan wrote:

> I am not a lawyer, but this situation looks like a potential gold
> mine for the injured parties especially since the negligence is
> being permitted to continue.

You don't have all the facts. There may be logistical reasons they
can't just "shut it off" overnight. They may not have a brain-dead
firewall that doesn't allow them to block this traffic, or perhaps even
the firewall is infected.

jc

[Chris Jewell]

jcdill <jcdill...@gmail.com> writes:

> You don't have all the facts. There may be logistical reasons they
> can't just "shut it off" overnight. They may not have a brain-dead
> firewall that doesn't allow them to block this traffic, or perhaps
> even the firewall is infected.

If I have a logistical reason why I cannot secure my car or firearm, and
some teenagers steal it and do substantial harm as a result, I am liable
for that harm: my logistical reason is unlikely to cut much ice with a
judge.

IANAL, but IMHO not only is the college liable for the damage resulting
from its irresponsible neglect of ordinary and customary precautions,
but their upstream provider probably is too, if they fail to pull the
college's plug once they are advised of the damage being done by the
customer.

--
Chris Jewell chr...@puffin.com

[David Kaye]

"Chris Jewell" <chr...@puffin.com> wrote

> IANAL, but IMHO not only is the college liable for the damage resulting
> from its irresponsible neglect of ordinary and customary precautions,
> but their upstream provider probably is too, if they fail to pull the
> college's plug once they are advised of the damage being done by the
> customer.

I think it all comes down to what the average person's "reasonable
expectation" is. The other night some people I know went to a mud wrestling
show. The floor was slippery. At least a couple people slipped. Well,
they knew going into the situation that there was mud wrestling taking
place, so it's a reasonable expectation that things might be slippery.
However, it is not a reasonable expectation that a stage light will fall on
an audience member, thus, I'd think (though I'm not a lawyer) that the venue
would be liable for a light falling but not for a customer slipping an
falling on slippery mud.

My "reasonable expectation" of computer use is that if I'm on a computer
that is not my own I should expect the connection to be compromised somehow.
I wouldn't think of engaging in any kind of financial transaction on a
computer that wasn't my own.

What is the "average" person's reasonable expectation? Well, given that
there has been a lot of mention in the news about security problems, I'd
think that the average person doesn't believe that computer networks are
secure.

[Thad Floryan]

It's now blatantly obvious you didn't read the entire article.

A direct quote from the Trustee of CCSF, Chris Jackson, is:

" "Given the outright mismanagement of our networks, if someone's
" information is stolen, are we liable for that?" Jackson asked.
"
" No one had an answer.

CCSF has admitted its guilt and they're still permitting the virus
to trawl their networks nightly and send info to China, the Russian
Business Network, Iran, et al.

CCSF is and has for 12+ years exhibited incompetence and criminal
negligence mismanaging their networks and placing all students,
faculty and other personnel at risk.

CCSF should have its funding yanked and closed down.

What is it about their mismangement you cannot understand? Do you
work for CCSF?

[Thad Floryan]

On 1/15/2012 7:54 PM, David Kaye wrote:
> "Chris Jewell" <chr...@puffin.com> wrote
>
>> IANAL, but IMHO not only is the college liable for the damage resulting
>> from its irresponsible neglect of ordinary and customary precautions,
>> but their upstream provider probably is too, if they fail to pull the
>> college's plug once they are advised of the damage being done by the
>> customer.
>
> I think it all comes down to what the average person's "reasonable
> expectation" is.

> [...]

> My "reasonable expectation" of computer use is that if I'm on a computer
> that is not my own I should expect the connection to be compromised somehow.
> I wouldn't think of engaging in any kind of financial transaction on a
> computer that wasn't my own.

You know that, I know that, and I would venture most readers of
ba.internet know that, too.

The average computer user does not appear to know that as evidenced
by all the myriads of infected computers "out there".

CCSF apparently has courses in IT and computer security which would
reasonably lead one to believe their infrastructure and networks
have been correspondingly secured.

> [...]

> What is the "average" person's reasonable expectation? Well, given that
> there has been a lot of mention in the news about security problems, I'd
> think that the average person doesn't believe that computer networks are
> secure.

Again, if I were a paying student of CCSF, I would reasonably assume the
school's computers and networks were safe to use. Obviously, for CCSF,
this is NOT the situation.

CCSF has admitted its mismanagement of its networks and infrastructure
and I'm just waiting to read on SFGate that the FBI has raided CCSF
and hauled the IT staff away in handcuffs and thrown away the keys.

:-)

[Thad Floryan]

On 1/16/2012 12:22 AM, Thad Floryan wrote:
> [...]

> CCSF has admitted its mismanagement of its networks and infrastructure
> and I'm just waiting to read on SFGate that the FBI has raided CCSF
> and hauled the IT staff away in handcuffs and thrown away the keys.

And that doesn't even begin to cover CCSF's pandering of PORN and
requiring it in their academic curriculum as was mentioned in the
SFGate article.

There are so many things wrong about CCSF I'm astounded they haven't
been spotlighted earlier. The SFgate article is better than nothing,
and it hints of deep and embedded corruption that has yet to surface.

[Jim Kurck]

In article <4F13DB4E...@thadlabs.com>,

Thad Floryan <th...@thadlabs.com> wrote:

> CCSF should have its funding yanked and closed down.

That seems like throwing the baby out with the bathwater.

The primary function of CCSF is educating students, not running networks.

If their IT department is incompetent, fine: sack the current staff and
find replacements. (Although that may be difficult, given what the
colleges pay their employees compared to industry). But leave the
_college's_ main function unmolested.

Perhaps that's what you meant, but it wasn't clear from what you wrote.

Jim Kurck
(who put in several years temping as an instructor at several community
colleges (including CCSF) before wising up)

--
Jim Kurck The Sporadic Organization jku...@sporadic.org

[Mike Hunt]

On 2012-01-16, Thad Floryan <th...@thadlabs.com> wrote:
>
> CCSF has admitted its mismanagement of its networks and infrastructure
> and I'm just waiting to read on SFGate that the FBI has raided CCSF
> and hauled the IT staff away in handcuffs and thrown away the keys.

Well that's obviously not going to happen so you can stop waiting now.

Hope that helps...

[jcdill]

On 16/01/12 12:22 AM, Thad Floryan wrote:
> Again, if I were a paying student of CCSF,

In this thread, we have you, who, "if you were" a student of CCSF, would
blah blah blah. Then we have me, who has actually taken classes at
CCSF. I leave it to the readers to evaluate who has more at stake in
the outcome of this issue.

jc

[jcdill]

On 16/01/12 12:31 AM, Thad Floryan wrote:

> And that doesn't even begin to cover CCSF's pandering of PORN

You are such an idiot. Most "porn" filters are badly implemented, and
they typically prevent legitimate searches on legitimate topics, for
example searching for information on breast cancer. If you knew
anything about this field you would understand the issues, and why the
correct resolution was to stop blocking college student's access to the
internet with nanny filters.

jc

[jcdill]

On 16/01/12 12:09 AM, Thad Floryan wrote:
> On 1/15/2012 2:51 PM, jcdill wrote:
>> On 14/01/12 11:32 PM, Thad Floryan wrote:
>>
>>> I am not a lawyer, but this situation looks like a potential gold
>>> mine for the injured parties especially since the negligence is
>>> being permitted to continue.
>>
>> You don't have all the facts. There may be logistical reasons they
>> can't just "shut it off" overnight. They may not have a brain-dead
>> firewall that doesn't allow them to block this traffic, or perhaps even
>> the firewall is infected.
>
> It's now blatantly obvious you didn't read the entire article.

It's no blatantly obvious that you have absolutely no common sense.

> A direct quote from the Trustee of CCSF, Chris Jackson, is:
>
> " "Given the outright mismanagement of our networks, if someone's
> " information is stolen, are we liable for that?" Jackson asked.
> "
> " No one had an answer.
>
> CCSF has admitted its guilt

Not so.

For an analogy, if a woman admits she killed someone in her home, she is
admitting the ACTION, but if it was an intruder with a knife (per a
recent sfgate story), she's not guilty of ANYTHING.

> CCSF should have its funding yanked and closed down.

And what will all the students do? What do you say to someone who is 1
semester away from completing a degree, who needs to finish and get into
the workforce and pay back their student loans?

You somehow seem to think that shutting down the internet at CCSF or
shutting down the school itself will have no bad consequences. OPEN
YOUR EYES and look at the big picture.

jc

[jcdill]

On 16/01/12 12:35 AM, Jim Kurck wrote:
> In article<4F13DB4E...@thadlabs.com>,
> Thad Floryan<th...@thadlabs.com> wrote:
>
>> CCSF should have its funding yanked and closed down.
>
>
> That seems like throwing the baby out with the bathwater.
>
> The primary function of CCSF is educating students, not running networks.
>
> If their IT department is incompetent, fine: sack the current staff and
> find replacements.

The problem, as I noted at the beginning, is that most of the college's
IT staff are poorly paid students. As such, they have little experience
and little skill, they learn on the job, and they make mistakes. Given
the current budget situation at California's Community Colleges, CCSF
certainly doesn't have any budget to hire more qualified staff. They
hired ONE new guy (the new director) and he discovered the mess. He's
just one guy, managing a staff of mostly students. Give him some time
to fix the problem.

Sheesh. It's just like all the Repubs that are bashing Obama because he
couldn't magically fix the mess that Bush created in trashing the
economy mere months before Obama took office. It's a big mess. It
takes TIME to fix problems like this. You can't turn an ocean liner
around in 30 seconds. You can't fix the US economy in mere weeks or
months. You can't fix a problem like CCSF's computer and internet mess
overnight.

jc

[Thad Floryan]

On 1/16/2012 12:35 AM, Jim Kurck wrote:
> In article <4F13DB4E...@thadlabs.com>,
> Thad Floryan <th...@thadlabs.com> wrote:
>
>> CCSF should have its funding yanked and closed down.
>
>
> That seems like throwing the baby out with the bathwater.
>
> The primary function of CCSF is educating students, not running networks.

Though I have no problems with PORN viewed using one's personal resources,
when it becomes fostered and required by a taxpayer-supported so-called
institute of higher learning I am not a happy taxpayer.

> [...]

> Perhaps that's what you meant, but it wasn't clear from what you wrote.

I trust the above clarifies my feelings in this regards.

> Jim Kurck
> (who put in several years temping as an instructor at several community
> colleges (including CCSF) before wising up)

Hmmm, didn't get a $250,000/year salary like the photography instructor
at Foothill College in Los Altos Hills, huh? :-)

[Thad Floryan]

As a California taxpayer, I have a vested interest in tax monies being
spent wisely; all California taxpayers have a stake in this whether they
attend classes there or not.

[Thad Floryan]

You're the idiot who STILL does not appear to have read the article, so
your veracity in this regards is lower than whale turds.

The new IT manager was specifically instructed to let porn sites through
the firewall.

Do you have some kind of reading dysfunction or other medical malady?

[NoOp]

So as a "taxpayer" I reckon that you also would like to see your local
libraries shut down as well?

http://www.santaclaracountylib.org/services/wifi/index.html
<quote>
Adult Area
SCCL - A: Provides unfiltered Internet Access
</quote>

[Thad Floryan]

On 1/16/2012 4:21 PM, NoOp wrote:
> On 01/16/2012 03:05 PM, Thad Floryan wrote:

>> [...]

>> The new IT manager was specifically instructed to let porn sites through
>> the firewall.
>
> So as a "taxpayer" I reckon that you also would like to see your local
> libraries shut down as well?
>
> http://www.santaclaracountylib.org/services/wifi/index.html
> <quote>
> Adult Area
> SCCL - A: Provides unfiltered Internet Access
> </quote>

Wouldn't bother me in the least since I don't use the public libraries
since they're never open at *ANY* time convenient for me (including the
branch library just about 300 yards from my home at 1975 Grant Road,
Los Altos).

I have my own books and private library at home including volumes of a
specific branch of mathematics exceeding what's even at Stanford's math
library.

With that written, I have no problems with an adult section of a public
library providing unfiltered Internet access on general principles. I
never filtered porn sites for any client's firewalls except once for a
branch office in the LA area where the sales staff was viewing porn
12-14 hours a day and selling nothing -- they quickly were fired after
I handed the logs to the company's management and that sales office was
shut down.

My issue with CCSF is the way it was written in the SFGate article the
new IT manager was forced to remove the blocks. That fact hasn't been
refuted or rescinded and I'd really be interested knowing whatinell
CCSF is doing with porn (just out of curiousity).

My interest in the CCSF exposé really is focused on the 12+ year-long
trawling of their networks with data sent to world-wide nasties. This
is worthy of a grand jury investigation given that one of the trustees
acknowledged the mismanagement and hasn't a clue what to do per the
SFGate article -- in other words, total incompetence at a taxpayer-
funded institution.

[jcdill]

On 16/01/12 5:51 PM, Thad Floryan wrote:
> My issue with CCSF is the way it was written in the SFGate article the
> new IT manager was forced to remove the blocks. That fact hasn't been
> refuted or rescinded and I'd really be interested knowing whatinell
> CCSF is doing with porn (just out of curiousity).

I already told you what the issue likely was. You keep pretending that
I haven't read the article, meanwhile you clearly can't even be bothered
to read the posts you are replying to.

I had a housemate who was involved in this VERY issue with unintended
consequences of filtering at other schools and libraries, in the early
days of nanny firewalls. It was a huge problem for schools and
libraries when students couldn't conduct legitimate research because of
the nanny filters. It wouldn't surprise me if CCSF's policy was created
at that time - the early nanny firewalls blocked legitimate sites that
students needed to visit for legitimate research (e.g. research on
breast cancer) and the firewalls weren't easily tuned to allow
legitimate searches while still blocking porn. So they unblocked the
porn, and amazingly, the world didn't come to an end when students had
access to the whole internet. At this point, there was probably very
little pressure to find a method that would block porn and still allow
legitimate research, and if there was some pressure they probably backed
off at the price tag for the systems necessary to implement it.

jc

[jcdill]

As a California taxpayer (duh, aren't we all California taxpayers in
this group?) AND a student at CCSF during the time in question, I have a
much more personal vested interest - both in the security of my data and
in the ability to take additional classes, which obviously trumps your
"I pay taxes" interest in the matter.

jc

[jcdill]

On 16/01/12 3:01 PM, Thad Floryan wrote:

> Hmmm, didn't get a $250,000/year salary like the photography instructor
> at Foothill College in Los Altos Hills, huh? :-)

You overstated his pay by more than 20%, and neglected to mention the
amount of hours he worked to earn that pay.

From SF GATE:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/10/27/MNBO1FVLLM.DTL

> With a master's degree in fine arts, Ronald Herman's base salary at Foothill College was $98,116 last year - 5 percent higher than the district average of $93,117 for full-time faculty.
>
> His regular salary covered a typical 12 hours of instruction each week - three classes last fall, two in the winter and three in the spring - as well as helping students in the photo lab, arranging student shows and serving, as required, on a committee.
>
> But Herman served on four committees. He also taught seven extra classes during the year. Paid at a lower, part-time rate, this "overload" boosted his pay by $72,150.
>
> He earned another $35,709 for four summer classes and for leading a trip to Peru, bringing his total above $208,000.
>
> "He's one of our best instructors," said Mark Anderson, Foothill's dean of fine arts and communication. "I get here at 7:30, and he's usually here before I am. I see him here on Sundays. I've seen him here on Christmas!"

So he put in ~80 hour weeks to make that pay - working days, nights,
weekends, summer, winter, etc. That doesn't count the time he's grading
papers when he's not on campus.

I have a friend who teaches English classes at a 4-year college in PA.
She puts in 50-60 hours a week even though she only "teaches" 12 hours a
week.

jc