Solution For College's Bad Network Policy?
DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
A different college.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Or find another school...
Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.
Get a cellphone plan. Ensure that your phone supports "Tethering". Attach your phone to your pc with a Data cable. Access the internets with freedom.
If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.
Do all colleges have such extreme measures in place?
No, mine doesn't. Technically we just have to have antivirus software installed, and keep up with MS's security patches, and they really don't ever even check for those.
Use Virtualbox to run the security agent in a virtual machine and OpenVPN to tunnel your traffic to a host on a less bigbrotherish network. If you feel like going against administration, you could also try to get the policy changed...
Are you required to run Windows? If not, don't.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.
Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!
Looks to me like a clear-cut case of some overzealous IT goob forgetting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.
As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.
If you do call them up and ask about Macs and Linux machines, let us know what they say.
E
Have you thought of running their spyware on a virtualbox session of whatever OS they support; and accessing only non-sensitive sites through that session. Can't you wait till you get home for the other stuff? If not maybe an encrypted pipe would do the trick.
What I found to be the best solution is to run Linux. My campus required Cisco Clean Access Agent and Service Pack 2 to use Windows on the network. I wasn't required to, as Linux is allowed to connect without these. As for other concerns, I would suggest setting up an encrypted proxy server at home then connecting through it. This will also allow for torrenting and PvP file sharing as this is often blocked on campus.
Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.
--- Often in error; never in doubt!
We were required to have a "Cisco Clean Access Agent" installed on our machines. There were two options available for me, and I ended up going with the second.
1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.
2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?
Perhaps you could try installing those pieces of software within a virtual machine, and keep the virtual machine running all the time. Then it could return its results, and (hopefully) be sandboxed away from the rest of your system. In any case, make sure your concerns/complaints are heard.
When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your Windows updates among other things. I hated the school AV (McAfee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Macs and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to Linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to log in 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is set up the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.
mmm...muffins
This is similar to the Linux and virtual machine suggestions from above. Go here to download it. Once downloaded and installed, run their stupid little application in Sandboxie and it will no longer be able to scan your machine. You can even specify which files/folders it has access to and if it has internet access, etc. I believe that will solve your problem with minimal hassle.
Trying to install linux on my microwave, but keep getting a kernel panic...
The client page says exactly what the client will do when it's installed. Nothing about sniffing traffic, scanning your hard drives, etc. Perhaps you could voice your concern to the HelpDesk or network engineers?
- Sometimes you're the pigeon, sometimes you're the statue.
To get around the 'client security agent' tracking your apps/keystrokes/etc, use a VM and NAT the network connection. To get around the network tracking of what comes out of the VM you buy another PC and stick it at your parents' or friend's house somewhere else as a VPN server then use it to do all your 'sensitive' work. Then let them track it, it's encrypted. The stuff you don't care about, go through the school's network directly.
I suppose you could use one of those free/pay proxies instead of a 'home VPN', but that would be a bit more obvious what you were doing and set off some red flags ( or is blocked in the first place ).
I'm assuming in this case it's your PC and you can install whatever you please.
Oh, and consider protesting.
---- Booth was a patriot ----
Find somebody that lives off campus - they probably have normal Cable or DSL. Set up a wireless link to their location and offer to pay for part of their Internet costs. There can be some complexities involved in setting up the wireless - you probably don't want it to be noticeable otherwise the school may make you take it down, so the shot probably has to be to somewhere you can see from your window.
"There are no wireless broadband providers available in the area, I already checked."
Start one. Given what you've told us, there should be plenty of demand.
That they disable bridging is really the killer, here. The obvious answer is to turn the 'campus facing' machine into nothing more than a gateway, and you can't do that. I'd also like to point out that this stupid program makes it harder for you to run any OS except windows. Are you sure this school is okay?
That said, what about running linux and keeping this program inside of a vmware instance. Alternately, you could do the opposite: Accept that the stupid program will be running on your machine and see if a CoLinux tap would still work, at which point the machine is merely a host for another kernel.
From the first link:
"If you use our network, we own what's on your hard drives. Thanks!"
I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.
So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.
You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.
VM Windows with their stupid client and use your normal OS for the rest. For completely secure internet access use a VPN service. There are VPN services that are a few dollars a month (the Swiss are good that way). Then you can bounce your regular OS internet activity off your VM OS with the VPN client accessing the internet from outside the university. This way you have your cake and eat it too. As far as your university would be concerned you would have the most boring OS in the world in that you basically do nothing but transmit encrypted crap back and forth to your VPN.
Ask the students who go there.
To answer your question about other colleges, I'm a student at Penn State, and our policies are not nearly as extreme (at least currently). We don't have to install any sort of client on our computer (with the exception of the Cisco VPN client to use the WiFi), and, in their official policy at least, they say they don't monitor the content you send/receive, only the amount (we have a 4 gigabyte/week bandwidth limit in the dorm rooms, but it only counts off-campus traffic). They will call you into "Judicial Affairs" if they get a letter from the (RI/MP)AA, and if they detect a virus on your computer (I dunno how they do that, and it seems to go against their claim they don't scan content you send on the network), they require you to bring it in to be reformatted, or forfeit dorm room Internet access, which I believe is a privacy violation. As far as the scanner goes, I recall reading about some sort of "install this scanner to access the network" program that only worked on Windows, so if they detected you were on Mac or Linux, you wouldn't have to install it. I dunno if your school is using the same program, but if they are, using a non-Windows operating system might keep your information more secure.
Try to find the method by which you're granted access.
If it's just by MAC address, try to spoof a whitelisted one. I believe a number of Universities allow residents to have their game-systems or other electronics granted access upon request; if you have one, or can make one up, it's an option.
Alternatively you could attempt to spoof the communication that says you're clean, or rig up their client to simply say that you are.
Your host OS can be running the Client Security App and you could keep your personal files inside the VM. You could also run encrypted filesystems inside the guest VM and even if the Client Security App is smart enough to scan inside the vmdk disk files, you are still cool.
You would not be able to hide any file sharing, etc. unless you tunnel, and you might have port forwarding issues at the vmware virtual switch and some overhead in NAT mode for any surfing you do inside the VM.
In my experience, not all universities are this restrictive. Many that do have these policies do not strictly enforce them (my school required that you do a virus scan on windows machines once per semester, but live cds let you get by by having a non-windows machine at scan time). Most schools will have people at the freshman dorms helping new students get connected. See if you can get in touch with the school's IT staff through these people (they are usually students), and ask the IT staff how to connect non-windows machines to the network. With the popularity of online gaming consoles and non-windows operating systems, I'm sure there will be a procedure.
The other advantage of talking to the IT staff is that some schools hire students to do field work, answer phones, and staff NOCs (my first real job). You never know what opportunities will open up (my school let me unofficially run boxes in the main machine room, with unrestricted access to I2 and the sprint and verizon uplinks).
You could always use TrueCrypt or similar products to protect anything remotely sensitive from snooping while you're on their network. So long as you know when the Client Security Agent is running, simply keep those partitions dismounted while the Agent is running, and they won't be able to see your stash of boring porn.
However, this isn't a particularly disorganized or egregious network usage policy. What language, exactly, do you think "expose[s your] web browsing habits, emails, and . . . passwords?" Also, looking at the "Client Security Agent," it appears to be nothing more than an app to turn on automatic updates, disable internet connection sharing, and check your anti-virus.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
Does this expose the college to any sort of liability risk?
They have to have an internal policy on what information they can take and use from your computer. If they go beyond that, what happens?
How do you stop their IT from looking at your banking info or personal images?
Some colleges require you to live on campus for the first year. During that time, you'll have to "suck it up" and live with the networking restrictions. Or switch to a computer and OS they don't support, like MacOS 9 or CPM or RT-11 or whatever to ensure you have the privacy you need. Or just don't use the computer (or the phone) for anything you don't want anyone to know about. If the school requires you to run an OS that they support, then you have your answer. For more ideas along this vein, read Cory Doctorow's Little Brother:
http://www.amazon.com/Little-Brother-Cory-Doctorow/dp/0765319853
Some colleges are really worried about the infringing material on their networks and are applying some rather heavy-handed responses. Yours seems to be focusing on prevention rather than assuming the students are adults and capable of making their own choices and dealing with the consequences. There's a fine line between "policing" and "fascism". Your college crossed it, IMO. If they require the dorm resident advisors to search your room periodically for "contraband", then I think you have to find another college or a good lawyer to fight it.
Take physical notes with pen, paper, and notebook--it uses a different part of your brain than typing. I still can't actively listen to a lecture and type notes. I have to take them by hand. A client told me about Lightscribe, a pen computer which he uses for meetings and downloads what he wrote to his computer later:
http://www.amazon.com/Livescribe-2GB-Pulse-Smartpen-APA-00002/dp/B001AAN4PW
We have it here too.
The "Clean Security Agent," if I'm not wrong, is the Cisco Clean Access Agent that comes with the Cisco NAC Appliance, which runs on Windows only, and is a pain esp. for those who are running Vista. This beast has to run under Administrator privileges and pops up a login window every time you connect back to the network, and doesn't even want to accept certain types of anti-virus software (such as Avira).
Workaround: It doesn't run on Mac and Linux. If you use Windows, you can convince the NAC you're using Linux and it will believe it until the appliance gets restarted. If you have Linux - great, the NAC just lets you pass through. If you have Windows, Kevin, a program with a great icon, used to work but recently it didn't, but there is always an easy way to get over it: boot into Linux and fire up Firefox and click on a link, and then boot back to Windows.
And just FYI: Due to an insane number of complaints received from the students, the IT Staff over here is getting rid of the Cisco CCA this summer :-)
FAKE VR Machine running on same NIC for their RIAA monitoring program and a VPN to your moms house.
The FLOSS project, Tor has a set of programs that make it very easy to secure your browsing. It is a portable copy of Tor, Privoxy, and Firefox, working together to give you a private route to the internet.
If you are worried about the information stored on your machine, use a live distro of Linux... Knoppix or Fedora live, and keep your private data on an encrypted USB key.
Uh, this is sorta pathetic that we computer science literate folk cannot muster up the courage to tell him to confront the policy with a student protest. However, that is what I would expect from Slashdot where everything is resolved by lawsuit or clever hack. Well sometimes we need to go piss in someone's cheerios. That is what we should be telling him to do, go down to the lib arts colleges and rally up the professional protest set, get some cogent arguments laid out and make sure you notify all media within a few hundred miles because for whoever is having a slow news day you might make the cut.
An Education is the Font of All Liberty
Every computer that needs to access the internet directly needs to have its MAC address registered. If something goes wrong, you can trace it back to the MAC address account. It isn't foolproof (think MAC spoofing) but there is little more security on our networks (mobile computers need to log in with student accounts).
Knowledge is power. Knowledge shared is power lost.
Odds are they'll simply tell him that linux is not supported under their network.
Disallowing operating systems other than Windows might make certain parts of CMU's computer science program more difficult for students.
Grand Valley State does not implement such restrictions on its students. All that is required there is an AntiVirus client, of your choosing and a request that you install MS patches on a regular basis. They do not track web usage and have a reasonably secure network.
Well you could go with one of the cell phone based WAN providers for the internet and bypass all of them. It is $60.00 a month from AT&T or Verizon. Verizon puts a 5GB cap on your total transfer though it is fast in my area. I even made an antenna and get stupid strong signal. It gives me about 2.5Mb/sec down and about 160Kb/sec up. The advantage is that you get internet just about anywhere and you don't have to go through all the school's BS.
If you've got Firefox installed, you actually have a few options. To change your User Agent string, type the special URL "about:config" in the browser's location bar to access the browser's properties and do a right click to add a new string property with the name "general.useragent.override" and the value "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6", or really any user agent string that lacks "windows". If you experience any problems, go back to the properties list and simply remove the new property "general.useragent.override" you just added.
Don't use the university's network.
Problem solved.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Yes, it scanned the computer, but it was looking for programs, not illegal files. It was used to make sure that each computer accessing the network had all the 'necessary' security software installed. While understandable, it was somewhat annoying when it required Windows updates that didn't work very well through the restrictive firewall you were put behind until you passed the security check. It was something you downloaded and ran once per term. It didn't actually require an install and wasn't needed beyond that (might be used more depending on the exact policy of your college).
.exe obviously won't run outside of Windows, so anyone running Linux/Mac was waved through security for the duration with no real checks at all. In fact, a few of my friends would dual boot MS/Linux and use Linux to be waved through the security, then revert to MS when they were through.
As some have pointed out, Linux/Mac is the answer if you really don't want it on your computer. The
Get a cellphone plan. Ensure that your phone supports "Tethering".
From the summary: "There are no wireless broadband providers available in the area, I already checked." Therefore, we can assume that none of the available phones support tethering.
At my school they also wanted us to use CSA. I realized (after some testing) that the computer that checks to make sure your computer is CSA-compliant is actually the DNS server (at least in my case). Solution? Use OpenDNS and you never have to worry about installing CSA.
If you think this is bad, then you better freaking skip working in the IT field; where everything is scanned, deep packet inspections, and if you ever place a personal laptop on the network they install a secret application to monitor you.
The corporate world has had products like this for a while. It's not a conspiracy, it's to make sure your PC is up to date with patches, AV software and such. Many universities have had lots of problems with PCs that get infected and become zombies. They also have a lot of geeks that are curious and knowledgeable and probably have spent some time sniffing the network they're on. Many university networks give you a semi-permanent IP address (for hardwired machines) and network speeds that are insane - it's not uncommon to have 100Mbit right to your dorm room.
Network vendors have come up with "solutions" that are a client that sits on a machine and requires AV software to run daily, recent OS patches be applied and also take data from the PC and encrypt it (typically using some VPN type solution). The client, after checking everything has run, talks to a machine that then allows your packets to be routed onto the network. Without the client's magic message, the first upstream router/switch discards all the data you send. It's pretty effective at cutting down the amount of machines infected. It's not to spy.
Most Universities are pretty liberal and have strict policies about those type of shenanigans. Anyone caught doing that type of stuff would quite likely get canned at most places.
Most colleges (including mine) implement a similar solution - asking a user to download a program to give network access for Windows especially. And don't even get me started on that bloatware McAfee.
:-)
;-)
Don't simply discard your college because of the network policy - choose it/discard it based on the quality of programs it offers.
You have many excellent options to choose from above. Personally with powerful computers and oodles of RAM, I choose to run a thin layer of Linux and Virtualize Windows within it. However it may not be the most desirable situation on a laptop if Windows IS your primary OS.
However, in my opinion, whatever you decide to implement - it is important that you bring up the privacy issue with the IT department of your school. Someone needs to raise that issue emphatically. If they give you a written assurance of your privacy and later you discover that in fact it is not true, you can always sue them!
get somewhere outside (your non-college home?) a Linux box hooked up to the internet, then use putty to create a secure tunnel, proxy a browser through it and the only thing they see outside is ssh traffic.
If that is creating a fuss, just say you were trying something out to see if it works, educating yourself, learning.....
Keeping a school network secure is very, very hard.
NAP solutions, such as Cisco's Clean Access Agent, are a good way to ensure that basic security requirements on clients are met. Unfortunately, if configured incorrectly it's rather easy to circumvent Cisco's stuff if configured wrong - which it is at most schools.
And then there are the "experts" that don't want to deal with NAP, circumvent the poorly configured NAP and start spreading viruses.
Unfortunately, the only way to properly secure such a network is to use NAP in combination with 802.1x and a secure 802.1x authentication mechanism, like EAP-TLS. This can ensure security in a school network.
Of course there are privacy concerns with NAP solutions, but I don't think the complaints are valid - if you want to use your own computer in school AND the school agrees to give you access to their network, it should very clearly be on the terms of the school. Otherwise, you can also bring your own internet connection - many laptops have integrated UMTS as an option, and almost all carriers sell UMTS cards.
Do not use the campus network connections for anything other than study related tasks and save your work to a flash drive. If I were you, I would ask a local company if you could do some work experience for them and use their internet connection. I do not know if this is frowned upon in the USA, but certainly here, I run an almost bulletproof network and any student that asked me to have access based on what you have said would be fine with me! You probably can get wireless, stick an omni on your roof and you will certainly increase your range by 5 miles! Also modifying wireless cards is not that hard. Netgear and Atheros cards are pretty forgiving! There will be some students that can help you out with that and maybe feel the same way that you do! I did read terms and conditions, but it was shocking enough just reading "The policies below are intended to supplement other existing university and external policies, regulations and laws". Nowhere do they clearly define what the "other" means! I am confident enough you will find a way around this issue. Remember the best way to defeat an enemy is to be far more creative! I sincerely wish you luck!
All cows eat grass!
I am assuming that you will be living in the dorm, otherwise the CMU website gives a list of ISPs. http://www.oit.cmich.edu/it/it_isps.asp The list includes mobile broadband cards from Sprint, etc., so I'm not sure what you mean by no wireless broadband providers, though this would be a huge downgrade from the internet speed you can probably get on campus.
The Acceptable Use Policy looks to be general CYA boilerplate B.S. which lets you know that you have some expectations of privacy, but don't hold your breath if there's a subpoena or other legal action trying to get the data. As to the CSA, this appears to be an overreaction to the perceived security risks of Windows systems. On the other hand, bandwidth is expensive, and the IT department may have decided that this is a good way to prevent the spread of viruses and bots on the campus network. All of this is probably academic as it doesn't look like it's Windows only. http://www.oit.cmich.edu/faq/faq_network_dialup.asp#get Mac or Linux should probably work.
Make love, not reality television.
My school's DNS server was the point of contact with CSA. By using OpenDNS I avoided having to install CSA or even be checked for it.
Build up a decent collection before you go, and refill whenever you go get mom to do the laundry.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Get an old box (p3 will suffice, and add a couple of nics), throw windows on it, and run windows internet connection sharing. Install the client on THAT windows box, and encrypt all of your connections from that box to a similar box located somewhere with clean network.
It's basically an advanced router with VPN functionality, except you can get an old computer for free instead of shelling out big bucks for a Cisco router. Best part is, it shows up to the network as a Windows machine and completely legit.
(You can also add a wireless NIC and make an ad-hoc wireless network)
I've done this at my school and it works flawlessly.
You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.
This is the point of being at college, after all.
The day you move in, they have you download a program that as far as I can see just checks your security status in Windows to verify that everything is green. After that you're granted access and you can throw the program away. This persists through OS reloads and moving between dorms (I did both last year) so I guess you're authenticated by your MAC address.
Having a Windows-only policy on campus is an insanely shortsighted thing to do, given the number of students using Macbooks and the presence of UNIX-type environments in computer science departments. I'd wager if you just told them you run Linux you'd get a pass.
In the real world, if you want freedom to do as you please you have to pay for it yourself. In this case it might mean you have to fork out for your own 3G internet connection and pay accordingly (oh yes, and comply with the provider's rules) or go and live somewhere where you can get a normal net connection from an ISP (oh yes, and comply with their rules).
This is all good experience for when / if you graduate and get a job. Suddenly you'll find that you can't goof around on other people's networks all day - downloading whatever the hell you please and doing whatever you want, they'll expect you to DO WHAT THEY TELL YOU TO. Consider this and the restrictions your university is imposing to be one small step down this road. If you don't like it, well you can always go and buy your own ISP and then create whatever rules or freedoms you want.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Software like this invariably uses a technique called TCP stack fingerprinting to determine whether your device is of the sort that requires the software installed. Basically, invalid or strange TCP packets are sent to you upon first appearance (or at DHCP time or something), and the response to each helps the security system to decide whether you're a Windows box, a Linux box, a handheld something, or a game console, because the stack on each of these systems responds a little differently to out-of-RFC TCP junk.
There are several pieces of software out there, most notably OSfuscate (http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools) and sec_cloak (http://www.hacker-soft.net/Soft/Soft_2304.htm, but the link is quite broken), that reconfigure your Windows TCP stack via the registry to appear to these tools like something entirely different. After doing that, just tell your IT department that you need to get your other device on their network and most places will whitelist you. The most popular choice for what to emulate is a Sega Dreamcast; why that is the case is left as an exercise to the reader...
At most places, looking like something that can't run their spyware gets you online, but some places want to see the hardware (especially for game consoles), so if you're concerned, say the machine runs Linux sometimes and show it to them running Linux (off a LiveCD if you must) if they ask. Then use software to make your Windows look like Linux too, and the exception they'll have put in for "a Linux box with MAC xx:xx:xx:xx:xx" will cover both systems.
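How OS detection from TCP behaviour can work, as an added example that is not part of the original thread or of any vendor's product: a passive variant in the style of p0f, which reads an ordinary SYN instead of sending the unusual probes the comment above describes. The signature table, function names and sample packets are constructed and simplified assumptions.

```python
import struct

# TCP option kinds and the short names passive fingerprinting tools use.
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}

# Simplified, illustrative signatures: (initial TTL, option layout) -> label.
# Real databases (p0f, nmap) are far larger and also weigh window size,
# MSS, IP flags and quirks.
SIGNATURES = {
    (128, "mss,nop,ws,nop,nop,sok"): "Windows-like",
    (64, "mss,sok,ts,nop,ws"): "Linux-like",
}


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return 255


def option_layout(opts):
    """Return the option order as a string, or None if the options are malformed."""
    names, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end-of-list: the rest is padding
            names.append("eol")
            break
        if kind == 1:                      # NOP is a single byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                    # length byte missing or inconsistent
        names.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += opts[i + 1]
    return ",".join(names)


def parse_syn(pkt):
    """Extract the fingerprint fields from a raw IPv4 packet carrying a TCP SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    if tcp[13] & 0x12 != 0x02:             # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"ttl": pkt[8], "window": window,
            "layout": option_layout(tcp[20:doff])}


def classify(pkt):
    """Label the sending stack, or report it as unknown for manual review."""
    fields = parse_syn(pkt)
    if fields["layout"] is None:
        return "unknown (malformed options)"
    key = (guess_initial_ttl(fields["ttl"]), fields["layout"])
    return SIGNATURES.get(key, "unknown")


def build_syn(ttl, window, options):
    """Build a constructed sample SYN (checksums left at zero, documentation IPs)."""
    options += b"\x00" * (-len(options) % 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed option blocks in the order each stack typically emits them.
WIN_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
LINUX_OPTS = (b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 +
              b"\x01\x03\x03\x07")

WINDOWS_SYN = build_syn(128, 8192, WIN_OPTS)    # seen on the local segment
LINUX_SYN = build_syn(61, 29200, LINUX_OPTS)    # seen three hops away

if __name__ == "__main__":
    for name, pkt in (("sample 1", WINDOWS_SYN), ("sample 2", LINUX_SYN)):
        print(name, parse_syn(pkt), "->", classify(pkt))
```

A SYN whose TTL and option layout do not match any single entry comes back as "unknown", which is the case an admission system would hand to a person rather than decide automatically.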
Use one computer that passes the test as a proxy.
At my university, basically, Linux was whitelisted and had very few problems. Also, some computers in the lab were set to boot from CD first, and DSL worked just fine.
As for using Windows, I tried to make a work-around, but it didn't really work. I was *extremely* annoyed to also HAVE to have Norton. I *think* this could have been fixed by a couple phone calls, but I didn't want to go through the hassle. Though, running a VM or another partition sounds like a great workaround I didn't try.
Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block LimeWire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, it's the method of prevention available.
Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on Slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden .exe's, or simple .bat scripts would bypass the network policies.
So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it. If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules. Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.
Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.
If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults. I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.
But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.
This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.
I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.
My suggestions are:
-live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
-when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)
A lot of folks have jumped in about running the client in VMware, and that's good advice. The other half of the solution, though, is to create an off-campus proxy and run an SSL tunnel to it. That way, nobody on the campus has to see what you're doing. The trick to making this economical is to find a bunch of other students with similar concerns, one of whom lives off campus with a decent connect. Pool your resources and share the proxy.
This is also my standard advice for working in most modern, big software companies, except for the pooling part. Their IT doesn't want to know what you surf, not really, and you don't want them to either. Make everybody happy - securely tunnel to a proxy at home. For proxies, I've only ever run Squid. Set it up to only proxy from localhost, and create an SSL tunnel. PuTTY can do this, I'm sure more substantial programs exist.
I can't see justifying giving the university access to private machines. Especially with the attitude of most college admins I know. But I understand the overall goal, and was wondering - why can't an IDS/IPS do this? I mean you make people register their MACs, use 802.1x for DHCP, run snort or something, and if something wonky is detected you block 'em and make them contact you.
"Where quality is like a dead stinking rat - you just can't miss it."
You're consenting to such monitoring/searches in exchange for use of the university's computing resources. You don't have to consent, but you also don't get to use the network.
Really, that's a terrible analogy.
Screw them up - show up with your "computer" - a Sony PS3 with Linux on it, or a BeagleBoard running Ubuntu. Say "OK, here's my computer, install your stuff."
I would find it interesting to hear how they deal with That Which Is Neither Windows Nor X86.
For portable use, get something like a Nokia 810 and Bluetooth keyboard. Again, That Which Is Neither Windows Nor X86.
www.eFax.com are spammers
Bring a router. If you're lucky your school will have a system to register "Game" machines via their MAC address. In other words it white lists the address.
Then just have the router clone your "game" machine's MAC address and you're good.
That's how I got around my school's. Although it was Clean Access based.
I've actually gone to CMU for the past 4 years (just graduated) and wanted to let you know that the policies on campus are not as evil as the OIT page makes them out to be. The CSA program, which is required to gain access to the university network from the residence halls (resnet) is a run-once program that only checks to make sure that you have all critical Windows Updates and an anti-virus program installed. After the agent has run and you are successfully connected to the network, you can simply delete the file and reboot to make sure that it is no longer running. They are essentially just white-listing your MAC address.
If this is still a problem for you there are a couple of solutions. First, you can contact the OIT helpdesk and talk to them about manually registering your computer. They allow this manual registration process for game consoles and other systems that do not have a browser. I'm not sure if they would still want to inspect your computer (they don't want conficker running around the network) but if you carefully explain your concerns and situation to them I'm sure there is something that you can work out (I do recommend doing this before you move in as network registration is crazy for the first week).
The second option is to not use the resnet services. I think that all academic buildings on campus have at least 802.11b wi-fi that is on a separate registration system and does not require use of CSA. You can choose to use the CMICH_GOLD network which is WPA2 encrypted and supports up to 802.11n in some buildings (Pearce is one of them) or the cmich network which is usually 802.11b and is not encrypted. Granted, you will need to leave your dorm and seek out one of the academic buildings or the library, but that's the price you'll have to pay for not wanting to run the CSA.
Beyond the network registration policies, there are a couple of other things that you may want to watch out for when using the network. First, and most importantly, is the bandwidth limit they have on residential machines. The last time I was in the dorms (2 years ago) the weekly limit was 5GB of total traffic (up/down) which reset on Saturday night/Sunday morning (game consoles are not subject to this limit if properly registered). They claim they will not monitor what you do on the internet in terms of what sites you visit etc. but there is a blacklist of dangerous sites that will be blocked (you'll see a friendly octopus). As far as I know they do not throttle or filter bandwidth for things like BitTorrent, but they do comply with any requests from the RIAA/MPAA about pirated materials. Again, I've been out of the dorms for 2 years so I haven't kept completely current with changes to ResNet. I do know that computers in academic buildings (labs and personal computers over wifi) are not subject to this bandwidth cap (so do your downloading from your laptop between classes).
I know this may sound like I'm a shill for CMU's OIT, but this is not the case. I am currently employed by the university but do not work for the networking group or the Office of Information Technology. I just wanted to help clear up some of the concerns you had about how to get connected when you get up to CMU. I personally don't think it is too bad, but I also do not like having some program running through my computer to get on the network even though the program no longer runs after you have been registered. If you still have concerns about the policies in place I strongly suggest calling the OIT Help Desk and working with them to find a solution. I can't imagine that you were the first person to have some problems with this. I'm pretty impressed that you checked the policies out before move in as I went over my network quota the first day of freshman year without realizing what I was doing (it was only 1GB/week back then).
I've been using CMU's network for four years and have not felt that my private data is being exposed to the university. Most networking folks I've dealt with on campus are too busy trying to keep everything up and running to bother with watching your email go through the network. Just keep up your normal safe browsing habits and keep in mind the use policies and I don't think you'll have a problem with the network. Good luck.
CSA is actually probably Cisco Security Agent, although a lot of schools have been calling it Client Security Agent. It's a rather innocuous program that scans for viruses and the like. Unfortunately, the realities of networks today mean that there's a lot of uneducated users on it - spreading legitimate filth, like viruses and malware because they were never trained properly in how to use a computer. The school has taken a very legitimate stance here: "When you plug your computer into my network, we reserve the right to make sure you're not an idiot." Does it suck compared to your parents' internet? Yeah, probably, it's going to be more restrictive. However, it's less restrictive than most corporations and you should be grateful that they're not doing ridiculous things like banning Gmail or BitTorrent, like some companies do. When they do stuff like that, it's time to organize a student rally.
Disagreeing with me does not mean you get to mod me troll.
Why not use a crypt container? Alternately you could simply encrypt any files you may feel could embarrass or harm you.
You're seriously complaining about a university trying to protect itself? As with most conspiracy theories, you're overlooking the obvious to come up with your claims. Which of these is more likely:
1. the university is so interested in your personal life that they dreamed up this Client Security Agent to spy on you.
2. the university is interested in keeping the network safe and protecting themselves from legal risks of students performing illegal activities on their network, so they create this Client Security Agent to make sure none of the computers active on the network are engaged in illegal activity or are vulnerable to known attacks.
You're right. It's probably 1. Go get a mobile broadband card and surf on your own. Productivity and ease of access to actual college material on the network be damned.
The contents of all storage media associated with OIT facilities may be considered property of CMU
Are you an OIT facility? No? Then don't worry about that. If they wanted explicit access to your machine, it'd have been phrased that way. They're talking about lab machines and servers, i.e. hardware that is owned by the university, likely in order to deal with the problems associated with "Well, that jackass is running a porn site off of his university-provided FTP space. We kinda have to delete that." or clueless people who go over their e-mail quota.
This is academia, not the corporate world. Try looking up the academic freedom policies your university enforces-- odds are good anyone even trying to monitor your individual network use *even just over the campus network* without prior notice or an outside legal complaint is going to get shit-canned. If any of the policies seriously conflict with that ideal, take it up with the dean of students and they'll probably go beat people up for you.
Hell, if you want confirmation of any of that, call the helpdesk and ask them. If something is particularly annoying for you and you sound like you know what you're doing and won't cause any problems, they'll probably tell you exactly how to get around it just so they can get you off their phone.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
But if I recall correctly, Virginia Commonwealth University does the same thing. UC Berkeley doesn't require you to install anything, but their security scanning servers do scan your computer for all kinds of vulnerabilities to exploit. Really fills up your logs if you've set things up that way.
Well, firstly, I kinda agree with the person above. You don't have a right to do things your way on their network.
Although, from the anarchist deep inside me:
VPN to a home machine and out onto interwobs from there. That'll defeat any network sniffers, so long as they don't just block the tunnel. If they do, try sneaky HTTP tunnelling and things. If you have a home server, chances are you can work something out.
R.e. the network security program thingy. Either a) Make a VM inside your real machine and put the program on that. Some sneaky network adapter setup might fool it. Or, do everything (or just the sneaky things) inside a VM, run the client on the real machine, and hope they don't figure out how to look inside a VM.
Not ideal, but you could get some sort of wireless data dongle or something, and just avoid their network where possible.
Either way, my money says you should chill the heck out. I'm just waiting to get flamed to hell by bearded people, but seriously, most of you geeks care far too much about security for your own good. It's possible to not get owned without ruining your life over security (And possible to get owned if you do).
Let me see if I have this right...
You want us to tell you how to hack around the network/security/TOS of your university?
How about this observation from someone that also runs a network for students:
Comply with the policy when you use their infrastructure.
Now, how to go about that without invading your privacy? Easy - dual boot with encrypted file systems on the second partition. Keep pablum on the system you use to access their infrastructure. Keep your other stuff on a system you don't bring up using their infrastructure. Simple. If you don't want your browsing habits known (which I don't believe for a second they give a fart about), then go to a cyber cafe or something when you want to do things you don't want known.
Their network = their rules.
And for those that want to pick holes in their policies/make fun of how incompetent they are:
1. Not every time do I tell my management team better ways to do what they want to do. Sometimes I think management is full of it. Now, if they ASK me, I have to tell them. But I don't have to open my big fat yap - and I don't, when I think they are being silly.
2. Not every "bone headed move" is all that bone headed. You need to be in the room to see why some direction was chosen. Sometimes it's stupidity, sometimes it's a compromise between time, money, resources, and what you really need to do. The old web blocking software wasn't very good at blocking http proxies. We simply didn't have the money or time to cobble up something better. All the people that knew this thought we were incompetent because it was so easy to get around the blocking software. The new software is very good at blocking that and a lot of other tricks. Our network = our rules. You're free to visit sites we don't like - on your own time, on your own network infrastructure, using your own computer. (Not that I agree with the policy, but it IS their network funded with tax dollars and subject to state law which requires web blocking software. Grow up and deal with it, change state law, or use your own stuff to do what they don't like.)
3. Get used to someone looking over your shoulder vis-a-vis computing. Employers are increasingly doing it, public institutions are required to do it, and others do it simply because they can. Failing to learn how to keep your stuff private is an invitation to these jerks to invade your privacy - so learn to make it difficult for them to do so. The first step in this process is to know that when you use someone else's network, computers, or infrastructure, they have a say in how that gets used. When you're on your own network, own computer, and own internet connection, THEN you can expect some privacy... if you're smart and use care.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Use CSA bypass, or hijack someone else's wifi and use https...
Hey, here's an idea you might not have thought of: ban machines that are causing problems. If that is a problem for the person whose machine gets banned, let them bring their machine to help desk, so you can give them a slap on the wrists. Why should anyone else have to deal with your nonsense?
Palm trees and 8
try this:
* install two network cards (two wireless, one wired one wireless, whatever)
* connect one of them to the university network
* connect your personal computer(s) to the other
* bridge the two together
* install a VPN on a system out on the Internet (you can rent XEN Virtual Machines from e.g. bluelinux.co.uk for £15 per month)
* install a VPN client on your personal computer
* set up an HTTP Proxy and whatever other proxies you want in the system "out there"
* configure your personal machine(s) to use the proxies.
all that the university will see is some encrypted traffic.
if they get arsey about this, tell them that you demand extra credits on a research project involving computer privacy, for ingenuity and initiative.
if you want to wind them up, tell them that you're doing research into reactions of universities when students take initiative to enforce their right to privacy. get out a notebook whilst saying this and write down any responses made...
In your dorm room at least, a proxy server would do. Let it be scanned.
For wireless / laptop, you could proxy through a virtual machine.
Madcow
I used to have a sig, but I set it free and it never came back.
Bill them for the usage of your resources. I did that when my fiance took my laptop to his University and they installed similar software on the machine. Easiest thousand dollars I ever made.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
My college just blocks simultaneous uploading and downloading or downloading from many different IPs at the same time.
That is just insane....
Look, I'm a ResCon at ResNet, granted at a different university though. We're nice people, and we'll try to accommodate you as best as possible. Want to register Linux? Sure, you won't need to install a CSA. Same for Macs, phones, consoles, printers, routers, etc. The CSA is mostly just to reduce the number of Windows machines getting viruses.
But, if you walk into my office bitching about our "draconian network policies," I'm going to get annoyed with you, but I'll kindly explain why they're in place (and how I'm not the one that made them). If you grab a PS3 and declare that "You can't install your Nazi CSA program on this!" I'm going to ask you to leave, and contact my boss. If you work with the IT people, and are nice to them, it's easy to maintain your decent level of freedom and privacy (except for piracy, sorry) while at your university. If you make every attempt to side step it, abuse the network, and generally come across as a jerk, it's a fast way to get your internet usage permanently rescinded.
Cafes, schools, offices, and other mass-networks should try something like this if they have the budget:
Let anyone get access to "the Internet" without requiring anything except proving you are an authorized user. If I want Internet-only, I get the same access to campus resources as someone connecting from off-site without a VPN would.
If they want "on network" access to Intranet/LAN facilities, then they need to prove their machine is clean and not vulnerable to outside attack.
For universities, this should apply equally to non-university-owned computers in residence halls, professors' offices, labs, on wireless networks, or connecting to the LAN from off-campus via VPN or *gasp* dialup.
Of course, for university-owned computers, it's their computer so all bets are off.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Anybody using Windows has forfeited any right s/he had on privacy, data ownership or anything else on his or her PC anyway.
He has also signed to make sure that the machine is virus prone.
Moreover by his/her choice s/he has stated loud and clear that "convenience" trumps "human rights"...
And that they have no technical competencies...
So it makes sense that CMU adds its own virus to make sure that the machine stays clean, and keeps the network safe.
If you do care about your private data you do not use Windows...
Now if they would put non GPL code and closed source "spys" in the Andrew Linux, that would be a scandal (BTW they give you the option to use another Linux, Andrew Linux is for non technically oriented people (apparently)).
Using Windows and complaining about privacy is akin to insisting on using a Hummer and complaining about pollution...
So IMHO the only issue is that they didn't provide a policy forcing windows users to wear the cilice (hairshirt), this would certainly improve network stability :-)
You won't find a school of any size today that doesn't have this type of network policy. When you're connected to a large network, it's the admin's job to make sure that the network functions well for everyone all the time- even if it means losing some features. No one on the network will be monitoring specific emails, web pages, or passwords- they don't have the resources to do so. They monitor overall usage patterns. If your port on their switch transferred 500Gb of data in a month and the normal user transfers 100Gb, then they may ask questions.
I'm guessing the software they install is similar to Cisco Clean Access. While it's annoying and buggy, its only job is to detect antivirus definitions and Windows updates to make sure that less informed users are up to date. Once again, the school doesn't care what you have on your computer- they are simply protecting their network from being brought down by viruses.
Finally- you're going to college. Concentrate on getting laid instead of bypassing network security. It's much more fulfilling.
I know at Stanford you don't have to run the program if you use Linux. I dual boot, and just registered under Linux.
I bet it's similar software, and it's not a huge deal.
And if they have a legit CS program (which I assume CMU does), you need Linux on your computer...
If people in the position of authority are so damn trustworthy, United States Constitution would not need amendments.
ELOI, ELOI, LAMA SABACHTHANI!?
In my experience virtually every college has some AntiVirus/Security policy that they SAY is necessary to connect to the network so the people who have no clue install it but it's rarely actually required. Usually you can just download the package (or even not) and just click past all the crap about it and connect anyway.
If you liked this thought maybe you would find my blog nice too:
Just download it so they think you have it, but don't install it. Then check if you can connect to network without it. If you can, just ignore the new policy, they almost certainly won't notice. In no case install this software on a PC with important data on it.
Windows-only scanners that force you to use their antivirus are not the way to go when you have a big number of Mac users and some Linux users as well. Also, does their Windows app work with Windows 64? Windows 7?
Let me guess... the Client Security Access is probably Cisco Clean Access, or something else along the same lines.
This is nothing special, a lot of places run CCA. If you don't like it, live off campus, or don't use the campus network.
I will not give in to the terrorists. I will not become fearful.
Come down to Mountain Town Station downtown. Home-made beer, and free wireless!
I can't believe I had to read so far down to finally get the correct perspective. It's college, go there to buckle down and study and use your computer for college related activities. That means getting on board with the program, participating and following the rules to gain an education. Obtain an education, then decide what you are going to challenge in the world.
You don't want anyone messing with your 'pyooter, then take one that's just for school and hook it up to the network.
Honestly, the results of your high school work landed you at Central Michigan? Let's face it, you aren't some L337 d00d heading to MIT. Consider this a second chance to prove you aren't third rate and hit the books. Otherwise, you'll just be another loser with a college degree selling shoes at the mall.
Run and catch, run and catch, the lamb is caught in the blackberry patch.
If you attend there, you will be explicitly endorsing their institutional policies -- by giving them your money. You are their customer, and you should not tolerate such ill treatment from them. Other educational facilities value personal freedom and integrity and can provide an equal or better learning experience.
Choose a different school.
I work for a university in the UK in IT, and while we don't have this sort of policy in place, we have looked at it and will likely implement something akin in the future.
Much of what is said here is ill informed and misguided advice based on speculation and paranoia. The simple truth is that unsecured network access is as much a risk to you as you fear the uni IT department could be to you. Imagine all the other students who don't adequately secure their machines allowing their machines to brute force attack your machine 24/7 regardless of what operating system you choose? Imagine those other students' compromised machines working hard together to hack YOUR student records and personal/financial information the Uni needs to hold about you.
Would you want that? No of course not, and every other student has a reasonable expectation that your machine won't be causing mischief too.
How does a responsible IT department allow any random machine to use the network resources without some form of validation? They can't, and so it is entirely reasonable to expect some degree of compliance validation mechanism.
The system we looked at includes clients for Linux, Macs, PCs and even other platforms - it doesn't 'scan your hard disk' or record any personal info, it simply validates compliance with policies to have systems fully patched and running suitable security software (antivirus- but based on rules which don't prescribe a particular product). We licence an industry leading AV product for all staff and students to use if they don't wish to pay for one themselves (Kaspersky currently).
Beyond that, if you choose not to comply with good practice and allow validation of this, it is reasonable not to allow to risk the integrity of the system for everyone else-you are welcome to use a 3rd party (3G/satellite etc) as you see fit but keep your potentially compromised kit away from the Uni network please.
Besides-as an institution, we are bound by the SuperJANET rules to minimise the exposure of the entire country wide academic network to risk.
If you comply with these reasonable precautions, you can enjoy the fantastic network bandwidth available etc. Your call.
No, it's because (1) you can compile the source to get an .exe that you can verify is the same as the one you're running, so you know it's the real source, and (2) YOU don't have to go to the trouble of compiling and reading the source, the possibility that ANYBODY could keeps the software coder honest. Sure, open source code could still have sploits built in, but it would be much harder to hide them and much riskier than hiding them in the black box of unreadable hex that is a typical .exe.
Brackets contain world's first nanosig, highly magnified:[.]
Avoid the "Client Security Agent" (spyware) by installing a copy of the OS in a virtual machine (VM), and have that machine act as a NAT firewall for your main operating system (Linux, BSD, MacOS, Win, whatever). The spyware runs in the VM, which has none of your stuff available to it, and everything else runs on the real host (with no spyware).
They can still spy on your packets, but they could do that even without spyware, so no loss there.
Cheers
I went to CNU (Not to be confused with any of the CMUs) which made use of CSA. I would "register" the computer in windows (which I had for gaming only) and then do everything in linux. If it still works like that, you can install linux and be ok.
There is more to science than physics!
www.iomalfunction.blogspot.com
Well, more likely, save your parents money and rent an apartment and get your own internet service.
I think the best approach is to just go along with University's rules and run the software you really want to run inside a VM installed under Windows. That VM should isolate you from most of the problems you're worried about.
Guns don't kill people -- people kill people.
But the guns seem to help a bit. (apologies to Eddie Izzard)
Monthly caps are dumb and don't address the problem the colleges (and ISPs in general) are having. The problem is not the amount of bytes transferred per month, it's the total available bandwidth available at any point in time. The issue comes when there are more requests for bandwidth than is available.
Users should be able to PAY for a guaranteed minimum amount of bandwidth during times when the available bandwidth is being totally used. During times when network bandwidth is unused the spare bandwidth should be equally available to everybody.
Vint Cerf (co-author of TCP/IP) says it better than me below.....
---
"Rather than a volume cap, I suggest the introduction of transmission rate caps, which would allow users to purchase access to the Internet at a given minimum data rate and be free to transfer data at at least up to that rate in any way they wish," Dr. Cerf wrote.
Internet traffic methods that charge users fees "by the byte after a certain amount of data has been transmitted during a given period," Dr. Cerf dismisses as "volume cap" plans. "I do not find [such plans] to be a very useful practice," he added.
Instead Dr. Cerf favors plans focused on identifying those pieces of Internet data, called packets, that don't require the fastest movement between one computer server to another, so that data needing the greatest speed can be given priority, although he stressed that this selection process should be handled at the protocol level and not by broadband providers.
"Internet traffic should be managed with an eye towards applications and protocols," Dr. Cerf wrote. "A broadband provider should be able to prioritize packets that call for low latency (the period of time it takes for a packet to travel from Point A to Point B), but such prioritization should be applied across the board to all low latency traffic, not just particular application providers," he added.
If you want to run windows, but the software they want you to install bothers you, you could try running cygwin (with sshd) on your box. When I was at a school that regularly did campus-wide scans, I had a win2k box running cygwin and at least one of their scans saw it as a "unix" box, rather than a windows box.
If their scans tell them that you are running unix, and you tell them you are running unix, they will probably believe you.
Of course another option would be to just not use your own computer on their network. You could have it in your dorm and not on the network; using only their systems when you need network/internet access. Obviously that approach has costs, too, but you wouldn't have to worry about the fate of your own machine.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Get a dirt cheap obsolete laptop. This will connect you to the college network. Install their application on it.
Then just enable internet connection sharing, and connect your good laptop. Simple!
If they are into packet sniffing, just use ssh tunnel for the traffic
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
My University uses Safe*Connect to make sure we're up to date and a few other things, I guess.
The reason I say "I guess" is because as soon as I heard that they would be requiring it to get onto the network I searched the web for a workaround, which was easy: just change your browser's user agent string to say that you are running Linux. They have to let systems that they don't have a client program for on the network, because otherwise they'd piss off every X-BOX 360 and PS3 user out there.
Remove network bridging... umm that's to prevent you from running a VM from inside your comp....?
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
So that protects the drive sniffing, but how do you get around the packet sniffing now that you're proxying through the virtual NIC which is bugged by the Security Agent?
Momento Mori
Wow. I thought college was supposed to be a bastion of learning, opportunity, and freedom. Sounds like that college sucks. I hate to say it, but if their internet policy is so retarded, you can bet it's not the only shortcoming at the campus. Go to a school that treats you like an adult.
ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
I go to a Canadian university. You Americans are really having it tough. In here, you don't need to install anything, the university has no right to snoop on your data. All you need to use the wireless network is your student ID and password. Proud to be Canadian!
We do this as well and probably run the same NAC. We tell students up front that we don't require this from Mac or Linux users, so savvy students run Linux and then do Windows-only work in a VM if they simply can't allow the network admins to scan for things. By the way, we only scan for 1 thing: virus definitions. If your virus def's aren't up to date, we send you to a remediation VLAN where you can update them and get back in the game. Trust me when I say that the network admins most likely have absolutely no interest in anything you might be storing on your hard drive beyond virus def's.
Students are also free to purchase cable internet from the local cable ISP if that's what they want, and a few do.
Don't live on campus. Don't use any on-campus facilities that force you into a category of an on-campus resident. Get yourself into a position where you're using facilities that are provided to staff, faculty, and/or grad students. People who *have* a choice often have a strong opinion on these matters, and the policies tend to be more liberal for them.
All this might mean "get a job", and it might even mean "get an on-campus job in a professional staff" (as opposed to student labor roles.)
Another approach is the time-tested "work in the NOC" and then no matter how bad the network infrastructure or policies are, you're above/outside them, since YOU are the sysadmin.
I did all of the above during my various college careers.
-fb Everything not expressly forbidden is now mandatory.
I had no idea that college networks would even try to enforce such a thing. I attend Ohio University. We do not have any silly requirements to use our network, we just have to agree to a network usage policy. In such a policy we must agree to not share copyrighted material on the network. Students who have violated this policy have had stiff fines imposed on them, sometimes a court case, and even disciplinary action by the school. Personally, I think this is a great policy. I know it should not be a basis for choosing a school, but I would not go to a school with a crazy rule like that. The money the school spends on software and technical support for a program like that would be much better off spent on professors/researchers/administrators of computer networks that could pass their knowledge onto students.
Anyone know Carnegie Mellon University's IT policy?
The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware, run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration, so this probably won't surprise them.
It's not even clear whose Client Security Agent they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.
Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.
I got around this by faking the UserAgent... the client is generally for Windows laptops. Linux and Mac OS X were exempt. While a Mac guy, I had a Windows Laptop... so fake the useragent, and bypass the stupid app. It registered my MAC address, and I was good for the semester. Simple as can be. You can call tech support and ask how to get a BeOS computer on the network. See what they tell you.
Use a laptop just for your school stuff, never put anything personal on it. If you need a personal computer, get a new netbook with a 3G cell card in it.
Okay, so it's not ideal, but here's what you can do that doesn't require running a virtual machine on your primary PC, or a dual-boot-into-Windows to run the scanner/authenticator software every once in a while scenario:
Get yourself a cheap-ass PC. Throw two ethernet NICs in it. Install a new copy of Windows XP, and any software that your campus IT staff require to be installed on there. Then run Windows XP Internet Connection Sharing (ICS) on the unused ethernet adapter. (ICS is a small DHCP server + NAT engine built into Windows.) Plug that into a switch along with your main computer or computers, and use the XP box running ICS as your router.
Then from the university's perspective, you have a single Windows XP box hooked up which is clean and conforms to their standards for network access. Unless the software that you need to install prohibits ICS from functioning, and there is no way around the artificial restriction, they won't know about the PC or PCs you have running behind the ICS machine.
Just get an old P-II or P-III. Install whatever software is required to get on the network. Have two NIC's-- one faces the campus network, the other faces your local network. Run NAT. As far as the school is concerned, you've got a normal, rules complying, Windows box on the network. You're free to do whatever you want on your side.
My university requires you to log on via a Cisco VPN client as the only way to access your university account from off campus. Students are expected to install this thing on their private computers, but aren't told that when connected, *all* of your traffic is routed over that VPN.
I didn't trust the VPN initially so I've always run the thing in a Windows 2000 virtual machine, but when I noticed the way they had their routing set up I sent them an e-mail saying, "This is my personal computer; are you *sure* you want to be handling all my traffic? Including the porn? OK then..."
It's pretty different over here in Germany. We don't have a campus, but the local technical university (RWTH Aachen) provides internet access to most of the student apartment complexes (there's quite a few of 'em) and WiFi access points all over the city (basically if you're downtown, you can get a signal at least 50% of the time). Quite a few ports are blocked (pretty much everything non-standard), but you don't have to install any software and it's hella fast (IIRC the university has its own connection right into a backbone - or something like that - I just remember making a hell of a :o face when I realized my download speeds from Rapidshare were being capped by the 100mbit ethernet connection...).
Now, there's a _lot_ of students on that network. Everyone working or studying at the university has access. All you need to do is connect to the WiFi network (authentication via certificate and PEAP) via any old wireless client (hell, even my WM6.1 phone works)... I'd estimate that the whole network has 10k+ users - now how do they manage to do all this without using client scanning software? I'm sure there's a lot of malware-infected systems on the network, but the network seems to be secure enough to handle it. Maybe it's just a question of competent IT staff?
I'm not exactly up-to-date on the technical side of securing a network, but as far as I can tell, it's possible without the massive intrusion upon users' privacy that's described in the summary...
My university started requiring people to have these things installed to allow a connection too.
The servers in my local IT department could no longer connect. The robots we had for our senior engineering projects could no longer connect (we had to buy/install our own wireless routers because of it). And, since many of the students who HAD the client installed could still not connect (although they could previously), we in local IT decided to call central IT about it roughly every 5 minutes or so and tell them that, yes we had yet another student who could not connect with their stupid client.
The policy lasted about 3 days. One year later, we still get people walking up and saying they lost their connection, and we find that the now un-required client is still installed on their machines and intermittently breaking their connection.
Buy a Verizon 3G wireless USB dongle. It'll cost you $60/month, but they appear to have coverage in Mt. Pleasant.
Some here suggested using Linux, which is a good idea if the college permits it. If they don't permit it, what about installing Wine or Crossover Office and set up a few Windows programs using that, including their snooper tool? Then you could surf from within Linux. I would think that their snooper tool would get caught in the synthetic Windows system created by the Wine installation and never see beyond there. Or, as others have suggested, you can run virtual machine software to run Windows in Linux, or vice-versa. Ubuntu even installs into Windows, but I never tried doing it that way. Or run XP in Vista with a virtual machine. That should allow you to hide at least part of your system from the spy software. Another thought crossed my mind also. Why not use your connected PC as a gateway to the Internet and connect to it from another PC that doesn't permit file sharing? You could use an older Windows system to do the connecting and set up a second Ethernet card in it and connect through the gateway PC to the college network. I don't know if their software would allow for that or not. Perhaps you can use a router as long as one PC has the software on it? You do have options, and you can probably beat the system with some of the suggestions here. If you ask too many questions, though, of the IT people there, you may cause some trouble for yourself.
I used to work for a University's IT dept in SC. We had one student who valued his privacy and did not like the fact that by being on our network we would scan his machine. We didn't think he was up to anything, he just was one of those privacy nuts. So he found a simple way around it. The dorms do not get free cable. If you want cable you have to talk to the local cable company. He just subscribed to their cable internet service, and bypassed our network completely. If he needed access to any resources, he would use the student remote portal. It ended up costing him next to nothing, because the company provided internet to students at a massive discount if they subbed to the higher cable plan, which most students do anyway.
I worked at a University in the support division, not networking. The key to making anything happen is to get the professors ticked enough to make waves. Find a nice high profile professor and make him understand what that little "Security Agent" means, such as, nothing on that computer will be private, and you may have a chance of killing it. The tech support at a University could not care less about you, you are gone in 2-6 years. They will be there forever.
It sounds funny, but I had a few friends that did this on our campus. The LAN wasn't quite as draconian as what you describe, but it did have limits/blocks on certain P2P, a really weird and sometimes non-functional routing setup, and bandwidth caps (whether inter- or intra-net). We were already signed up for Cable TV with the local cable company (the campus was fully wired for cable, but it was run by one of the local cable providers. Sort of a monopoly as in the dorms you could ONLY get their cable, but it wasn't bad and split up 4 ways was fine.) In any case, we didn't like the crappy local access, so we bought a cable modem and split the 15/5 internet fee. Had to go through some odd, duct-tape and wall-scaling involved methods for running the wires, but it worked perfectly, let us do everything we wanted, was faster and less crazy than the college LAN. I highly recommend it. Sure the money you'd be 'wasting' from not using the university's LAN sucks, but whatever. And if you want, you can have a computer set up to boot from USB for when you need to access the local LAN.
-=JML=-
a) They probably aren't out to get you. They appear to be taking mostly reasonable steps to protect their network and your PC. The written policies are a CYA thing. It does not mean they are sniffing your online activity, scanning your PC's drives for pirated software, or logging keystrokes. A mandatory program to ensure PCs are patched and have up-to-date malware protection IS NOT THAT UNREASONABLE and there is no reason to suspect it's doing more than that. (get some CS majors to verify this if you are truly scared). Better yet, make friends with the IT dept.
b) Don't expect the freedom to download terabytes of porn & warez using your university's bandwidth. I'd call that unreasonable.
c) Most companies you'll end up working for after college will have similar policies, get used to it.
d) There is ALWAYS a way around these things, and plenty of ways to protect your privacy. Figure it out.
You have no business going to any school in Michigan. Git the south. One hears of the MITs and CALTECHs and even UM Rollas - all far, far better (and, warmer) schools than that lame-a** Central rust belt state school. Ye gods, man - what were you drinking when you applied?
Let them know the price of their poor networks (and save yourself the price of a poor education) by LEAVING!
You are all getting your knickers in a twist over nothing.
The client (assuming it's similar to the Cisco Clean Access Client I'm familiar with) simply checks that Windows machines are patched and running up-to-date antivirus. Remember Blaster? That thing ate college networks. Since then network policies have gotten a bit stricter. If you read them, they are trying to protect you, and cover their own ass.
The short version of the policy: Don't do anything illegal. Run this stuff so we can make sure the network stays virus free. Don't be a jerk. If you break these, we can kick you off our network.
If you are seriously concerned about it you are paranoid. Paranoid people should grab a cheap netbook and use that on the school network, and keep your precious personal data on a different machine. Any of that NAT/VM/router shenanigans others have suggested is violating their policies, and risking problems on their network that those policies are crafted to avoid.
There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? Your scanners probably won't detect any machine behind its own firewall either.
I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.
Sadly, residential networks create a perfect environment for Windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formats, like office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their Windows-using fellow students, but compelling scans using closed source software will only discourage compliance.
I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
I am sorry that you have to put up with regulations such as those. At my college, all we have to do is register our MAC with our ID (done on first login) and then you are good. And so far they have not been blocking P2P, but they have been discussing it. So far it is still possible, but who knows what the future holds.
I can only suggest that you consider to either accept the rules or go to a different University.
Best of luck.
Wireless Internet service is available in Mount Pleasant, Michigan -- at least in certain areas. CMS Internet offers wireless starting at $29.95 per month. WMS Wireless is another possible option, but their price is higher. Another company called ISP Management offers wireless Internet as well, but their rates are not published online.
If there is no difference, then the university doesn't have a better case for control over these personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.
If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.
So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.
Parity: What to do when the weekend comes.
First, if I were a student at CMU, I would complain about having a corporate trojan installed on my machine. How long before somebody reverse engineers the protocol for this 'client security agent' and turns this software into a backdoor on unsuspecting students' machines?
Second, if I were a professor, I'd ask why the IT department can't set up a faculty network separate from the student body. Do some bandwidth shaping here. Give the faculty network a separate, dedicated amount of bandwidth. (I'm imagining they do this already, but I'm answering some of the responses here.)
Third, if I were a high enough ranking member of CMU's IT department, I'd be asking why we want to touch all those student computers anyway. I really don't want the department to be saddled with the help desk issues resulting from this bastard 'client security agent' malware anyway. Quarantine the non-conforming students. If these students are willing to sign waivers, put them on a separate network, firewalled from the conforming students. It's up to them to firewall their machine. Block the obvious P2P traffic (or do some intelligent bandwidth shaping). Students who wish to conform get put on the other network. Plus, buy a good anti-virus solution for everybody (like Avira or NOD32). Once again, anyone who doesn't conform to this policy gets put on the quarantined network, plus they sign the waiver stating they understand the risks.
Fourth, hire me as CMU's CIO.... (Forget it, Michigan is in the toilet as a state anyway...)
What do you mean my sig is repetitive? What do you mean my sig is repetitive? What do you mean....
Why do you think the college has done this? To deal with arrogant students who think they own the network and do whatever they please. With RIAA and other copyright police out there, they have to control the law breakers (that's exactly what they are) just to stay open, provide an education for its students -- and it does hurt everyone in the process. Blame the irresponsible idiots, not the college. If you are going to the college, you comply with their rules. Period. Don't like it? Don't go. Worried about your "privacy" online (what is it really that you do not want them to know about???? I've heard such weak excuses from too many others to be fooled by your argument.) then don't do those activities online while on the campus network. Grow up and accept that you are not master of everything and everyone. BTW, if you do try to get around this and get discovered, what will the college do? You might be out on your ear and whoever (probably mommy and daddy) paid your tuition will be out a good deal of money. Such a disciplinary action could also follow you throughout your life and affect your ability to get a responsible job. Yeah, go ahead and try to get around it and ignore the consequences until they happen and then gripe about that... Look at this as a chance to act like a responsible adult - it might actually teach you something you can use in later life.
Jails, anyone? Any OS should give you the option to set up a secondary, limited account. But if you're using either BSD or Solaris, you can set up a jail OS and run the client from the jail. It may not be an option, but it could be a solution for you.
My school did the same thing. My solution was to use a Linksys box and then DHCP my own network. Because the Linksys box was not a Windows machine, all I had to do was log on through an IE browser.
I love all these poor "abused and mistreated comments" from the students who think they are above the common sense rules and requirements that everyone else has to play by. I'm sorry you feel you are being wronged. Those rules/scans are there for a reason - it's to protect everyone - just because you feel you are so uber and your PC is simply not capable of having some network malware/trojan - sounds like your PC is probably loaded with them - since I bet you go to sites that you shouldn't be. If you want unlimited/unrestricted access - pay for it yourself. If you can't or there are no other providers - sounds like you need to button your lip and be thankful the school allows it at all. People who keep pushing the limits like this - are reasons that the whole mess would get shut down - and you can use the library/open lab computers.
A crucial difference with the way I got around this was to set up a laptop with a streamlined XP install in a VM on top of ubuntu. Now in this case they had agent software that would forcibly disable internet connection sharing and all other network adapters other than the inbound one etc. It was quite simple to install a commercial spec firewall package that replaces windows' ICS system and takes over a number of other networking services.
It was only necessary then to route to another VM, which would handle the Wi-Fi USB dongle and there would be NO way the agent software would find this and lock itself out = Instant wireless access point for me and my colleagues.
All this just to get an orphaned server on to the net to download patches that they had asked me to fix!
Sucks to have to pay extra monthly but you could buy a mobile broadband card. It won't be terribly fast but you won't have to install their agent on your computer.
There are numerous free programs out there that allow you to encrypt your online activities by using VPN. I've been using Hotspot Shield and Tor. Give those a try, hopefully they are not blocked by your college's IT infrastructure. Also, use OpenDNS - this will bypass simple DNS filtering and protect you against worms such as Conficker.
Bow before me, for I am root.
"The Internet interprets censorship as damage and routes around it." -- John Gilmore
My personal recommendation is to build/buy a cheap server to act as an intermediate machine. This machine can be patched and posed as required to use the school networks, and you can run whatever you want on your personal machine. This intermediate doesn't have to be anything special or powerful and I'll bet your local CS student/ friendly neighborhood haxor can put something together for under $50. I would recommend a dual NIC setup.
You do still have all the traditional options of swapping out NICs every 2 weeks, reverse engineering the software (which would be helpful for the rest of us), etc
And get a private DSL line. I'm surprised no one has mentioned this. Much more convenient than enrolling in a different college.
Or if they haven't implemented VOIP service in the dorms, maybe you can get DSL inside the dorms.
In either case, ideally you should have a separate computer for your private access vs. the campus access, but that isn't a requirement. If you want to use the same computer for internet access and accessing the school network, do a dual-boot system, where the DSL is in one environment and the campus connection is in the other. Or have the DSL on both so you can access the campus remotely over the DSL, but the key is to have a separate DSL image without the "spyware". Basically, image your current HD onto a new disk then keep both disks as bootable in the system. Install all the campus stuff on one of the partitions. Depending on your environment there are different ways to hide the alternate partition from the campus partition.
We are the 198 proof..
Heya,
It's their network. You're subject to their rules by contract. So you have to play ball, and give up everything, or you can seek alternatives.
1. If you're techy and have more than one machine, including even a simple laptop or some super old piece of junk for $5 from a yardsale, you can set up your own server with encryption. Make it so that it cannot send out. This prevents any of their `eyes' from reporting. Or use it to simply set up a proxy server of your own that is also encrypted, and access it from anywhere with internet access.
2. Run Linux, as others have mentioned, on one machine with access. Do as you please or need with it. And have that machine share its network access over the network with another machine of yours.
3. Have a cellphone plan already? You can do something like what Sprint or Altel offer, or whatever is local to you or that you already use; and that is, get internet over your phone. Not land line. Through the cell. Especially good if you get that $100 a month everything kind of plan, since you already pay close to that for normal cell service with text plans anyways. This way you can connect via your phone, or any device that can be plugged into via an adapter or an insert to the computer or whatever. If you already have the phone service, for a bit more, you can grab unbridled internet. It may not be super speedy, but it's better than bending over to the school's network requirements.
Very best,
You want internet access on your terms? Then pay for it. Get a Verizon/Sprint card and access the internet using that. They are all of $50/month and compared to the tuition you are paying, that is nothing. Or, you could surf using their terms while on campus and do whatever you believe should be "private" when off campus.
Ninjas don't carry tic tacs
For example, the FCC won't *let* the University ban wireless routers.
(Although the University can have a policy that disallows you sharing your bandwidth via the router.)
Run their trojan in a Virtual Machine that also has a proxy (or just is set up to route traffic). Then use another VM to connect to the "legitimate" VM. In this scenario, you would not have your real machine use the network interface at all, and all the nosy admins would be able to do is scan a VM, but not the VM you are using to actually do anything. Best of all, you can run any OS and software you want and they have no way of telling what you really use or seeing anything except whatever you send over the wire. This is not perfect, but I think it would be good enough. Also, you might want to begin reversing that trojan and find out what it really does...
I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords.
If you think that sucks, just think of the restrictions and policies your future employer will be putting on you when you connect to THEIR network! And if you don't like it? FIRED, with no way to pay for your mortgage or your kid's clothing. Your wife runs off, and you end up working part time at Home Depot selling CAT5 cable to idiots. You eat a Big Mac every day for 15 years until you end up in the hospital without insurance coverage. The ER cardiologist happens to be your ex-wife's husband, and your kids call him "dad" and your son just got his hand-me-down Porsche for his 18th birthday.
Trust me, it ain't pretty. Been there, done that.
I used to be a SOC Op and later on a student sysadmin in the CIS department in the mid-90s. They had a good program for computer science, but if they would have tried to put or require something on one of my personal systems, especially my Linux systems, to administer my systems I would have protested loudly. I understand the need to police Windows but that still does not excuse the exposure imposed on the students. It only takes one bored admin to decide to do something 'fun' with it. Unfortunately, there are some admins in universities who get that bored.
I do know there are (or were) a lot of good admins and student admins who have more of a conscience than many of the professions in industry about privacy. I know that most of them would only support this out of a pragmatic need to contain the problems on their network caused by Windows' lack of security and the inability (and lack of interest) of most students and faculty to secure their systems. But the academic environment is also full of a lot of curious, bright minds who do not have the sense yet to know when to stop. When a student is caught running a MUD or pwcrack on a lab system just because he can, that's a bad thing. What's likely to happen when they 'can' run something on people's home computers?
Also, the slippery slope of the school policing the students' computers gets a lot steeper once the school has something running on everyone's computer. It gets a lot easier for the RIAA, MPAA or whoever else to ask the University to scan computers for illegal activity and things that 'should not be there'. If the University is already scanning for viruses, why not use the same infrastructure to scan for other things that should not be on those computers? It may not be what the computer staff are after, but once the foot is in the door it's hard to believe that others won't demand to use it.
The Board of Trustees does not get access to my personal computer until I get access to theirs. The students are paying them, not the other way around.
Considering the many posts saying the CSA is a bad idea, it raises a question. The fact that students get their Windows machines infected with every virus, trojan, and rootkit imaginable, how else should IT departments handle it? In the corporate world, it seems easier. However, a network of user-controlled machines sounds like an administrative nightmare. For those who think the CSA is a bad idea, what are your alternatives?
Three out of three universities I have attended or visited used network security that was defeated by running any linux distro. (Or Mac OS) One had to register their MAC, but could ignore any downloading or scanning nonsense.
A private university might get away with this, but a public institution is constrained by the Constitution. I'd say that scanning your hard drive is an unconstitutional search, because there are less invasive means of keeping their network safe.
I can't write your brief for you, but talk to the ACLU and the EFF.
Would it be possible to get a second network card (usb for laptop) share the internet connection and then use openvpn on the computer you are sharing the connection with to encrypt all data coming to and from that computer? Is there a way to hide the shared connection?
Every School I've been to that uses this also has an omission for Linux/Unix, so run that. There's never support or much need for scanning on Linux systems so it's an easy way around their policy, but if you must use windows and a virtual box session won't cut it, you can set up firewall settings such that your computer appears to run Linux.
It'd be nice to just run the agent in a VM and isolate your real system that way, but it wouldn't work because they'll almost certainly be filtering by MAC address.
What you _CAN_ do is run the agent on the physical host with a minimal OS install, and then put everything else in a VM. Have the VM connect through the real host using NAT, so it has the same MAC address as the real host. The network won't know the difference.
If they tried to implement something like this at my university, there would be riots. There are very few restrictions on what students can and cannot do on the school internet, so long as it doesn't damage anything.
The program takes three very reasonable measures, namely making sure a virus scanner is run, making sure Windows Update is run and disabling bridging (we can discuss about the last one). If there is no small print which I did not look for this does include "scan your hard drive". Having been an administrator in a university network which was connected with 100M (back then) to the switch where the dormitories were also connected with 100M, and running a logging firewall on the server, I can tell you that a lot of machines attacking us were from dormitories, I suppose trojan-infected.
In my opinion providing network services in dormitories should be done by a provider outside university. Who really needs it can then use a VPN.
Get your own connection. If they have cable lines in the dorm, see if you can get a cable modem. If not... you will probably have to go with a cellular option. You may want to keep a second computer around to plug into the network just in case you have to access their local network for a class or something like that. I would suggest an old outdated laptop. Small, since you don't want to take up space in a dorm with something you do not use regularly and cheap since it's old.
As for such policies, all I can say is WOW. That is ridiculous. It would be great if students would get up and protest. I don't think Americans have enough backbone left for such a thing though. If they did we would see 60s style protests for the Iraq war like there was for Vietnam. Of course, even if they had the backbone I doubt you could get the general population interested in such a "technical" issue.
To those who defend the universities for protecting their bandwidth, etc... I challenge you to explain why the rest of the world's ISPs are somehow different. Also, even if the intentions are good, prove it! The university's property ends somewhere around the network jack. Hands off! Not even in China, with their great firewall do they mandate client side spyware! If it's really about bandwidth usage then perhaps it's time for better, smarter routers which will not give 90% of the bandwidth to 1 person just because their P2P program requested a ton of connections. I don't want to hear about funding. I'm sure it could be built with off the shelf hardware and the work could be someone's thesis.
Being the manager of the systems and network for a reasonably sized private University I had to implement a system such as the one described. A couple notations:
In a private university (not saying the ones you are talking about are private) the assets including the network and the property owned by the entity are not subject to "freedom of speech". As the owner (the University) of the network I can squash whatever communications I so desire. Of course as far as personal speech (ie. gatherings, meetings etc) the University embraced the student body however for electronic communications, the outer limits such as sending spam, bigotry, hate and other things not in line with the conduct required of the students, were banned.
Many Universities use McAfee because the school must/should provide required software and it must be paid for. McAfee sells it for less than $1 per FTE and then gives breaks on the University owned computers. This software is easy to manage. There are competitors but in many cases McAfee outbid, outsold, or was first to the door in 2003 when isht hit the fan.
My particular (and unnamed) University wants these things: you to not infect or attempt to break into other computers and you not to be infected. The best way to do this (based on many factors including not increasing tuition to hire more IT) is to require (for windows) updates turned on (to download and install), firewall turned on (and allow the student to make exceptions), and to have AV (of our choice) installed and configured (updates, certain settings). To do this and guarantee things are not opened up is to use this type of agent software.
We do not care what you have on your computer (porn, illegal software, etc). However we do use multiple layers of packet shaping software (block most forms of illegal file sharing).
We do allow exceptions of course for gaming consoles and if you want, you can use your own hardware firewall (with signed agreement stating that you acknowledge you have read and understand the University computing policy and you waive your right to a warning/network reinstatement if you are found to be violating any policy including spreading a virus). You cannot have wireless enabled.
We have many Mac and Linux users and we do of course allow them. We find most Linux users to know right from wrong and how to be somewhat secure in their computing habits.
The primary issue is the brand new student with a hand-me-down laptop that he/she has been using over the summer and his/her friends have shown them how to download "free" music and software but not how to keep their machines safe. I literally removed over 14,000 infected files from 7 different viruses on a laptop where the student said there was no way she could have a virus and she didn't understand why we were being mean to her because we made her install this software which required her to follow 8 sentences of instructions. That one person is how University networks get bogged down and viruses spread.
The new stuff checks Mac and Linux but again, all we care about is viruses and getting DMCA's (but we don't check your machines) we check the wire to the Internet. If you want to share things on the Internet (of course I mean legally), encrypt it, use private communities, and don't use a lot of bandwidth.
I read over the comments from people who claim to work for the IT departments, and I can't help but think -- you just don't understand. When a student is -living- in a dorm, the internet connection in that dorm is an ISP, not a corporate network. You can set it up however you want and call it what you want, but that connection is their primary home Internet connection. That's what housing staff are telling students when they move in. That's what university staff are telling students when they pay their fees.
Beyond that, you are ethically abusing the monopoly that the school has on students, even if those students have entered that monopoly willingly. Not every applicant had information available to them that told them they'd have to install a monitoring application on their personal-use computer. It isn't fair for a university to enact such invasive policies on students who really have no choice but to stay and complete their degree.
Your contracts with students and your use policies and such may allow you to require users to blindly install your application on their personal computer to use the ISP service they were advertised and sold. There is no question in my mind that doing so is a consciously unfair policy that places no value on student satisfaction.
To students: the only time I've ever seen a reaction from a large organization doing ridiculous things like this was when I started seeking out potential customers and making them aware of the situation. Try it, respectfully with students asking what your college is like. "I've mostly enjoyed things, and I think I'll have an OK education by the time I leave, but I'm personally concerned about the requirements our IT department, and the fact that administration is OK with this." Explain what you like about the school, but point out that the official school solutions to not wanting to install the app are: 1) don't use the network you were advertised, sold, and are paying for or 2) go to a different school.
As soon as someone in admissions hears a student decline an offer based on IT's policy, there will be more attention to the ridiculous situation.
Quite true, in fact all the talk about using an OS which currently doesn't have the (proprietary? This raises security issues all its own) client software is tacitly accepting the Client Security Agent policy, not challenging the policy.
Students who switch to non-Windows OSes in order to avoid running the Client Security Agent are acknowledging that the policy is right and proper for those who run Windows. There are plenty of good reasons to reject Microsoft Windows, software freedom chief among them. But when it comes to running a proprietary program in order to gain security, I don't buy it. Instead of challenging the policy (which would require students to think about underlying principles they deem important), the students hope they will be given a pass and be able to use the network. Thus when the university distributes clients for their OSes, students will have little legitimate argument to reject running the CSA software. At least resolving something by lawsuit requires one to know the law, understand one's rights, and think up a convincing argument to present to the court.
Better policies would ditch the CSA program, make each student responsible for the use of their login credentials, and document consequences for violations of policy. But I can't say I know what freedoms these students value and are willing to fight for.
Digital Citizen
Put together a small, low-powered, skeletal machine (Atom processor or similar) to run their nonsense software on, then install 3proxy on the machine as well, and proxy your REAL computer through the low-powered machine. They can scan that one all they want and they won't find anything except an untouched installation of Windows, meanwhile you can browse all you want with no fear of your real machine being scanned. If your network traffic itself is a problem, then I'd recommend a commercial proxy or commercial VPN account.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
My university has a ban on using wireless routers in dorms. What are some plausible reasons for doing that? They already require anyone who wants internet access to run antivirus and the Bradford Persistent Agent. This might also be true for intranet access. The university provides wireless in some areas, but not in any dorms.
There are 11 types of people, those who know unary and those who don't.
Hmpf. Looks like someone got a hold of Windows2008.
OK, it's like this: Win2k8 has a nice little Network Policy and Access services that is basically Network Admission control. One of the ways it can be configured is to have an agent on the client's machine verify that the client is configured according to policy: Automatic updates, firewall, antivirus current, etc... The client is then issued a health certificate and the switch is configured to place you in the normal vlan rather than a quarantine vlan. They may be running an isolation policy further upstream so that only healthy computers can talk to their servers. There's not that many NAP agents out there, and I doubt they've written a custom one.
Overall it's not a bad thing, but some people want to keep the aluminum foil industry in business... So what can you do? Well, likely they have a process for handling non-NAP-capable computers. Or you can run a guest XP OS in VMware, Xen, KVM or what have you, and see if you can run it in NAT mode so the same MAC and IP always appears as the source...
Or you can just not go visiting those websites that make you worried about someone finding out.
Well, you could always do like me. I use autossh together with SSH key authentication to route data from a specific port at a server I always have access to, to my desktop computer at home.
ssh -R 2222:localhost:22 ssh.at.university.tld does exactly that.
From my laptop (or whatever computer I'm using), I do the opposite, route a port from the university server to my laptop:
ssh -TNf -L 2222:localhost:2222 ssh.at.university.tld
There are a lot of SSH flags, so there's plenty of things to play with. Compression is awesome when I'm taking the train and surfing using GPRS. On 9.6 KBps it feels like 1996 again, though.
After that, I use my tunnel to set up SSH with dynamic routing:
ssh -NfD 8080 ssh.at.university.tld 2>&1
ssh -NfD 8081 -p 2222 localhost 2>&1
In Firefox I use FoxyProxy to easily switch between the two proxies, and with this setup I can pretty much switch seamlessly between 3 proxies.
Of course, it helps that I'm usually connected to the internet through the university connection and that my home desktop is on a 100 Mbps connection -- part of the research network here.
Here is the relevant snippet from the SSH man page:
While I'm here:
.| ....|
+----------+
| Fix Your |
| Fuckin'
| Code
+----------+
|..|
|..|
|..|..
Come on Slashdot. Your page looks like ass. No unicode support. Lame.
A proud member of the Onion-in-Hand alliance
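To make the forwards in the comment above easier to audit, this added example (not the poster's code) parses ssh command lines as they would appear in a process listing and reports which port each -L, -R or -D option opens and on which side. The sample lines are constructed from the commands quoted in the comment plus one made-up plain session; the function names and the default-port assumption are the example's own.

```python
import shlex

# Option letters from the ssh(1) synopsis: flags without an argument, and
# options that consume one argument (attached, as in -p2222, or the next word).
NO_ARG = set("46AaCfGgKkMNnqsTtVvXxYy")
WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")

# Constructed sample: the four commands from the comment as a process listing
# would show them, plus one invented session that forwards nothing.
SAMPLE_COMMANDS = [
    "ssh -R 2222:localhost:22 ssh.at.university.tld",
    "ssh -TNf -L 2222:localhost:2222 ssh.at.university.tld",
    "ssh -NfD 8080 ssh.at.university.tld",
    "ssh -NfD 8081 -p 2222 localhost",
    "ssh -C user@host.example uptime",
]


def split_options(cmdline):
    """Return (options, destination); options is a list of (letter, value or None)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        raise ValueError("not an ssh command line")
    options, i = [], 1
    while i < len(argv):
        word = argv[i]
        if not word.startswith("-") or word == "-":
            return options, word          # first non-option word is the destination
        j = 1
        while j < len(word):              # walk clustered letters such as -NfD
            letter = word[j]
            if letter in WITH_ARG:
                value = word[j + 1:]
                if not value:             # argument is the following word
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"-{letter} needs an argument")
                    value = argv[i]
                options.append((letter, value))
                break
            if letter not in NO_ARG:
                raise ValueError(f"unknown option -{letter}")
            options.append((letter, None))
            j += 1
        i += 1
    return options, None


def parse_forward(letter, spec):
    """Describe the listener created by one -L/-R/-D argument.

    Handles [bind:]port:host:hostport and [bind:]port; bracketed IPv6
    addresses and Unix-socket forwards are out of scope for this example.
    """
    side = "server" if letter == "R" else "client"
    parts = spec.rsplit(":", 2)
    if letter == "D" or (letter == "R" and len(parts) < 3):
        bind, _, port = spec.rpartition(":")
        return {"kind": "dynamic", "listener": side, "bind": bind or "default",
                "port": int(port), "target": "SOCKS"}
    if len(parts) < 3:
        raise ValueError(f"malformed -{letter} spec: {spec}")
    listen, host, hostport = parts
    bind, _, port = listen.rpartition(":")
    return {"kind": "local" if letter == "L" else "remote", "listener": side,
            "bind": bind or "default", "port": int(port),
            "target": f"{host}:{hostport}"}


def audit(cmdline):
    """Summarise one ssh invocation: where it connects and what it forwards."""
    options, destination = split_options(cmdline)
    flags = {l for l, v in options if v is None}
    values = {l: v for l, v in options if v is not None and l not in ("L", "R", "D")}
    return {
        "destination": destination,
        # Assumes port 22 when -p is absent; ssh_config could override that.
        "ssh_port": int(values.get("p", 22)),
        "background": "f" in flags,
        "no_remote_command": "N" in flags,
        "forwards": [parse_forward(l, v) for l, v in options
                     if l in ("L", "R", "D") and v is not None],
    }


def commands_with_forwards(cmdlines):
    """Return only the command lines that open at least one forwarded port."""
    return [c for c in cmdlines if audit(c)["forwards"]]


if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        info = audit(line)
        print(line)
        for fwd in info["forwards"]:
            print(f"  {fwd['kind']:7} listens on {fwd['listener']} port "
                  f"{fwd['port']} -> {fwd['target']}")
```
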
``While what he says is factually correct''
No. A virtualization layer can and should be much simpler than a full operating system. You _can_ have one without bugs.
Please correct me if I got my facts wrong.
The University of Toronto just gives you a program to run that injects a fake virus and makes sure you have anti-virus software installed. Then they register your MAC address I think and you get to use it for the rest of the semester.
they also give out free AV software which is nice,
99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted.
Bullshit !
An automated script is too stupid to realise you aren't a worthwhile target.
If your guest OS encrypts before it gets to the host OS, it cannot be sniffed. If your guest OS encrypts itself on disk before the host OS gets to read it, it cannot be read. If it encrypts itself in memory before the host OS gets access to it, it cannot be captured.
All the above CAN be done, but they'd have to write the application to deliberately crack your protection.
And ANYTHING you write is by default copyrighted to you.
D
M
C
A
Oh, you didn't know?
Well, then don't yack about things you know nothing about.
...because if you were then I'd tell you to STFU because it's my taxes paying for you to sit on your spotty backside for three years turning up to lectures once a week for your Media Studies degree - therefore you will do as you are told.
Gentoo Linux - another day, another USE flag.
I wish Linux stopped being "just a phase" already, where all the kids pretend to use it so they may seem cool(er).
You're going some place weird, my friend. The limit of my Uni's Acceptable Use Policy is that your computer have anti-virus software installed. They don't come round checking though. The only other limitations they have are "no peer-to-peer file sharing", legal or illegal, and no connecting more than one device to a network port because most people can't set that up properly and it annoys them.
I of course regularly wirelessly share my wired internet connection, but it's set up properly. They may be able to detect that I'm doing it, but to be honest, IT Services use the "secret" DC++ file sharing we have going on campus as much as anyone else, so they're not going to care about a little secured ad-hoc wireless network.
I'm a leaf on the wind, watch how I soar...
-Lucy-
A couple of things
1) Most 'agents' only run on Windows. You of course being an enlightened Slashdot Reader will be running Linux. They might not even have a client - and if they do, you could control access.
2) If all else fails, run a cheap computer with Windows as a firewall
Fortunately, my university's IT policies aren't so asshat-ish. Yes, they offer that McAfee download, but I think the rules technically say that you have to have some AV installed, not necessarily *that* one. (I do use it because they hand it out free, and I'm not paranoid about that stuff anyway because of my largely intelligent browsing practices)
Linux machines - no problem
Considering the linux fans that must exist around here, and all the Mac-heads [I do seem to see more Apple laptops], it's no surprise that "alternate OSes" are okay.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted.
Except that you don't have to be specifically targeted. Attacking (say) VMware could be one of a suite of things that a payload runs, and if you're running unpatched virtualization software your host (and other guests) would also get nailed:
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
The next update of Conficker (or whatever) could have code that attacks not only Windows, but VMware as well on the assumption that there's hardware out there with multiple Windows instances.
This may not be a big deal in your case, but you should be aware of it for a proper risk analysis.
If you are so worried about them finding something on your computer buy a satellite internet plan, then you don't have to worry about some guy in a dark IT room breaking into your computer looking for illegal property ;P
You could also get one of those cheap mini-laptops, they will run you like $250, and only use that computer when you are at school
I really wouldn't worry about it though, unless you do have something on your computer you could potentially get busted for.
I work for Western Michigan University and we have a similar implementation here, utilizing a system to ensure that the student computers in the dormitory are audited for security patches and antiviral updates.
I can tell you that with the economical conditions that affect Michigan's public universities, CMU cannot afford the manpower to monitor the more private aspects of student computing. They won't utilize the system to check for piracy. This doesn't mean you won't have to worry about the RIAA or MPAA, but I can tell you with reasonable assurance that your fear is misplaced.
I would recommend utilizing a VPN such as hamachi for certain network communication, CMU may provide a solution available to students when you arrive (as we have at WMU).
Last but not least, Go Broncos.
I work at CMU's IT Help Desk, and I want to clarify a few things.
Thing one: The CSA does a single scan every time you register your computer (which, unless you go over quota, shakes out to be the beginning of each semester) and it checks to see if you have one of our six supported anti-virus/malware/spyware applications (McAfee, Nortonfail, Trend, Sophos, Kaspersky, AVG), any P2P applications that are in the (fairly limited) list, and latest Windows patches and AV definitions. Essentially, if the CSA sees that you don't have correct AV/definitions/security patches, it won't let you on - this is to protect the rest of the network.
Subtext: Yes, it does scan for P2P applications - however, if it sees them it won't block your computer from the network. It pretty much just says, "hey, don't pirate kthxbai" and lets you be.
Subtext 2: The result of this scan shows up in our system essentially as a list of all these things and "PASS" or "FAIL" next to it - that allows us to tell people what they need to do to get onto the network if they fail the CSA.
Thing two: After the scan, it removes itself from your computer. This is not a situation where the application stays on your computer and watches everything you do at all. It's 100% temporary. The only times it will scan are when you re-register your computer.
Thing three: It doesn't scan or even install the client if you're running *nix. For a while *nix machines didn't even have to be registered to use the network, but just needed a CMU-owned ID and password to get onto the network. I don't know if that still applies, though...
Thing four: I guarantee you that 90% of CMU's IT department is reading this post and laughing their asses off at the wild inaccuracies presented by this entire thread.
To close: No, this is not just Big Brother trying to allay your suspicions through falsehood. These are FACTS and a true explanation of how the system works. If you don't want to believe me that's fine and dandy, but that doesn't make the contents of this post any less true.
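The admission logic described in the help-desk post above (per-check PASS/FAIL, P2P as a warning only, no scan on *nix), together with the healthy-versus-quarantine VLAN placement from the earlier NAP comment, can be modelled as below. This is an added example, not CMU's, Bradford's or Microsoft's code; the field names, the VLAN labels, the remediation wording and the P2P watchlist entry are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Products named in the help-desk post ("Nortonfail" there refers to Norton).
SUPPORTED_AV = {"McAfee", "Norton", "Trend", "Sophos", "Kaspersky", "AVG"}
# The post does not give its P2P list; this entry is a made-up placeholder.
P2P_WATCHLIST = {"example-p2p-client"}
# Per the post, only Windows machines are scanned; other systems just register.
SCANNED_OS = {"windows"}


@dataclass
class Posture:
    """What the agent reports about one machine at registration time."""
    os_family: str
    av_product: Optional[str] = None
    av_definitions_current: bool = False
    os_patches_current: bool = False
    installed_apps: frozenset = frozenset()


@dataclass
class Decision:
    """Outcome of one scan: VLAN placement plus the list the help desk sees."""
    vlan: str                                   # "production" or "quarantine" (assumed labels)
    results: dict = field(default_factory=dict)  # check name -> PASS / FAIL / WARN / SKIPPED
    remediation: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def evaluate(p):
    """Apply the policy from the post to one reported posture."""
    if p.os_family.lower() not in SCANNED_OS:
        # No client is installed and no scan runs on these systems.
        return Decision(vlan="production", results={"scan": "SKIPPED"})

    av_ok = p.av_product in SUPPORTED_AV
    blocking_checks = [
        ("antivirus", av_ok, "install a supported antivirus product"),
        ("av_definitions", av_ok and p.av_definitions_current,
         "update antivirus definitions"),
        ("os_patches", p.os_patches_current, "install the latest Windows patches"),
    ]

    decision = Decision(vlan="production")
    for name, ok, fix in blocking_checks:
        decision.results[name] = "PASS" if ok else "FAIL"
        if not ok:
            decision.remediation.append(fix)

    # P2P software is reported but never blocks admission.
    hits = sorted(set(p.installed_apps) & P2P_WATCHLIST)
    decision.results["p2p"] = "WARN" if hits else "PASS"
    decision.warnings = [f"P2P application present: {h}" for h in hits]

    # Any failed blocking check keeps the machine off the normal VLAN.
    if "FAIL" in decision.results.values():
        decision.vlan = "quarantine"
    return decision


if __name__ == "__main__":
    # Constructed sample postures.
    samples = {
        "patched Windows laptop": Posture("windows", "AVG", True, True),
        "stale definitions + P2P": Posture("windows", "AVG", False, True,
                                           frozenset({"example-p2p-client"})),
        "Linux desktop": Posture("linux"),
    }
    for label, posture in samples.items():
        d = evaluate(posture)
        print(f"{label}: {d.vlan} {d.results} {d.remediation} {d.warnings}")
```
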
http://www.i2p2.de/how_networkcomparisons
There are many other applications and projects working on anonymous communication and I2P has been inspired by much of their efforts. This is not a comprehensive list of anonymity resources - both freehaven's Anonymity Bibliography and GNUnet's related projects serve that purpose well. That said, a few systems stand out for further comparison:
* Tor / Onion Routing
* Morphmix and Tarzan
* Mixminion / Mixmaster
* Freenet
* JAP
* MUTE / AntsP2P
If you want to risk having your network access revoked, or worse, getting expelled, be my guest.
You don't have to let them put crap on your machine. In turn, they don't have to let you chew up their bandwidth, which, btw, they are willing to let you burn at no charge. Generous of them isn't it?
My college blocks outbound DNS and forces you to use their nameserver, which filters out stuff they don't think students should be accessing, like IRC. I would whine, but then I remember the promise I made when I agreed to the AUP. I also remember that it's their network and they're the ones who bought all the routers, switches, cables, and are paying for internet access.
In short, quit your damn whining about it. IMO, anyone who wants to whine and mope about getting conditional access to free bandwidth is no better than a wardriver looking for hotspots to exploit and that don't give a rip that their "ISP" is the one on the hook for any of their misdeeds.
Speaking as someone who has worked in a university's IT department for 7 years (although, that was 6 years ago), I can assure you that there are people who work late and do things on their own time with university resources. (sure, it might just be the 5pm game of whatever the FPS of the week is, but we also have the person who decided to set up a porn site on the university's general use webserver (okay, this was 1996-97 or so), but there's also the folks who are just curious, and have less ethics than necessary.)
... and then there's the case where Student Judicial Services or some government agency asks for us to monitor someone -- make copies of all e-mail going in/out of their accounts, etc. If the charges get dropped, you'll never hear about it, but we had an employee (in our department) convicted of child porn, a faculty member convicted for stealing from a federal grant, etc, etc.
... so, I'd have to say that odds are, they are able to scan a whole lot more than you think, and if they have students working in the IT department, there's probably scanning going on outside of the university's policies.
Build it, and they will come^Hplain.
Looking at the link the OP provided, his school is using Bradford Campus Manager as its NAC solution. Having used the product myself, I can tell you a few things about it.
1. If your school has the latest release, the agent runs on Windows/Mac and Linux. So using Linux will not get you around it.
2. The agent scans for Antivirus, Antispyware and patch level compliance for the OS. It also has the capability to scan for a certain process or registry key. Most deployments only make use of the first 3 functions. The administrators have no ability to look at your documents using the agent. There is no feedback from the client to the admins beyond what it's scanning for.
3. The agent includes a messaging feature which is pretty useful actually. It allows the admins to send messages to any and all agents on PCs connected to their network. They could make use of that to let you know when the network is going down or for an emergency alert system, like an armed intruder on campus.
There is no reason to be paranoid though. I used to run this solution on my campus for a year (we stopped because the remediation process is via vlan switching which can be cumbersome) and it's one of the less intrusive NAC solutions that a university can deploy. A lot less intrusive than Cisco Clean Access for example.
Typically the client which the university requires you to install is a Windows application/service. If you go with some flavor of Unix, you should be able to get around that. Boston College has a similar requirement using the McAfee EPO agent. If you use Linux, then you were pretty much home free and just needed to register your NIC with the ITS department.
One of my previous jobs was director of software systems for a university.
The policy that DML describes is unwarranted and irresponsible in the extreme. If any of my people had proposed it to me, I would have forbidden it and would most likely have fired them for incompetence. The idea is shocking. To force students to install essentially unknown software provided to them by the university? Horrible.
If I were a student there and installed their "security" software and anything went wrong with my computer, I would likely talk to a lawyer about suing the university for damages; after all, if their security software caused the problem it's their fault, and if their security software failed to prevent the problem then I could allege that they fraudulently gained access to my computer by claiming their software would secure my computer, and if the problem is indeterminate I could blame it on their indeterminate software. So, by demanding I install the stuff, the college is creating a huge liability for themselves.
Moreover, Central Michigan University is a *public* university, so the idea of them forcing students to install software on their laptops to use the network raises questions of government violation of privacy.
A more realistic practice would be to have a policy stating to students that they are expected to maintain their computer free of viruses, malware, or unauthorized external access, and that in doing so they should use such security software as is normally necessary and appropriate for their operating system. Then let the student maintain their own system, and if you find it's being a problem, kick them off the network. Anyway, the student network should be isolated from the administration network in the first place, so if a student's computer is misbehaving, it shouldn't be able to cause problems for the university beyond that it would annoy other students.
I'm not sure how it is now (haven't lived at the dorms for six years) but when I was a freshman at IU they made you install some sort of "connection software" which checked that your virus scan and Windows updates were current - if you passed it registered you on the network. After that it would check every week or so to make sure you were still current - if not it would block your network access and tell you to update.
What a lot of people ended up doing was installing the software, getting registered, then formatting and reinstalling Windows. This kept your MAC address registered for the whole year and you didn't have any IU software running in the background.
The UMKC network requires you to download and install software to verify that you have an up-to-date virus scan and have installed all high-priority Windows updates. They do have one especially strange IT policy though - no PlayStation 3s on the network. They say that the PS3 internet connection requires incoming firewall exceptions while the 360 and Wii only require outbound exceptions.
Interestingly, connecting a PS3 to the network grants you network access without even giving your user information (so even less of a hassle than using Linux). I suspect they may be telling people the PS3 won't work on the network in an attempt to hide the fact that they haven't secured it... for whatever reason.
They also won't allow you to connect even a simple unmanaged Ethernet switch - only one device on the network per wall jack. This becomes a hassle for people who have a desktop, laptop, and game console.
I work at the helpdesk for a small college (1200 students) in NE Ohio. We use Cisco NAC to manage our clients. Though the program does check your computer to make sure that it has Windows updates and updated antivirus, there is no way that we can log your keys or steal your passwords, and the same goes for others on our network. We lock everything (ping, RDP, \\$computername$\c$) at the switch level, so nobody can access your computer on the dorm or wireless VLANs.
I can't speak for CMU, but I can only assume that they have this system in place to keep viruses from spreading, like mentioned before, for the first 2 weeks of the semester all we see here are kids who go home, download Xmen and 26 trojans, and can't figure out why their 8 year old IBM R40 (P4 and 256 RAM) that their dad jacked from his office (you can tell because it still has the domain login screen and a security tag), and we want to keep them from spreading to your (or my) machine.
It sucks, we realize that, but it's all really for your protection. I would actually be wary of a network that allows anyone who wants to connect to your network, because every hill-rod yokel in town will jank your bandwidth and infect everyone otherwise.
But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules.
But as a public university, there are sharp limits on what rules they may impose. See: the Bill of Rights. Just because you live in a dorm doesn't mean you give up your rights to due process or being secure in your person, papers & effects.
If their students are constantly getting DMCA notices, the university might get into trouble.
Or...not. The whole point of DMCA notices is that the ISP has immunity as long as the content is taken offline. Zero liability for the university, zero trouble.
So of course they block LimeWire, not like it has a legitimate use anyways.
Of course it has legitimate uses, just like any other P2P network.
Simply put, their network, their rules.
Garbage, see above. If you want to be an ankle grabber for authoritarians, knock yourself out. But don't be a WATB when the rest of us stand up for our rights.
Get an air-card or (unless you are in the dorms) your local cable company.
Obviously there are any number of more complex options:
- You could date/bribe/extort someone in IT into exempting you.
- If the network will accept connections without this app, you could use any number of tactics to not run it (remove it, run an incompatible OS (do they have an Amiga Workbench version?), run Black-ICE to toggle off functionality, block it at the firewall).
- If the client is required to connect, you could set up the client on a proxy server and attach through that using your real box.
It's worth noting that your usage can be monitored whether you have installed software on your PC or not (that's what a network sniffer is for). The only way around that would be to establish an encrypted connection to something outside their WAN and use it as a proxy.
Off the top of my head, perhaps either having a proxy computer running that software and bridging it to your real computer, or running that software in a virtual machine, as others have suggested.
Also, until you figure out a more sensible solution, I'd suggest keeping all sensitive data on an encrypted drive (such as TrueCrypt or freecrypt) and only decrypting that volume after killing the university spyware (after unplugging if needed). While I'd suggest having an encrypted drive regardless, you also need a working solution that isn't a pain in the neck every single day. Good luck.
I graduated from Central Michigan University in May 2008. While the current network policies may seem restrictive, I did live in the dorms during the 2003-2004 school year, and between Xbox gaming and unlimited p2p filesharing, we had to survive with bandwidth that had the throughput of a coathanger. Average download speeds would rarely top the equivalent of dialup. I know that there is a plethora of affordable off-campus housing in Mount Pleasant, most of it with broadband included in the price of rent. If you aren't trapped by the horrible if-you-get-any-scholarship policy that makes you live on campus for two years, I strongly advise you to look into it.
DRINK DUFF (responsibly) DRINK DUFF (responsibly) DRINK DUFF
> Another concern I have is the 'Client Security Agent' that students are
> required to install and leave on their systems to use the network.
I don't know for sure about the one at your particular college, so YMMV, but in a lot of cases, the enforcement mechanism for Client Security Agents is DHCP. If you don't have the CSA on your computer reporting that you're all up-to-date and virus free and so forth, the DHCP server won't lease you an IP address or tell you where the nameservers are.
Really. I'm not making this up.
This being a site for computer nerds, I'm not going to explain in detail why that approach won't actually keep anyone who knows what they're doing off the network, other than to note that DHCP is on completely the wrong layer of the OSI model for that.
I guess these security agents aren't necessarily *entirely* worthless (particularly if they're mostly intended to protect against the zombified PCs of users who aren't entirely sure whether Microsoft XP is their internet service provider or their modem and cannot resist installing the ActiveX controls needed to view the online greeting cards they got in their Hotmail from people claiming to be former classmates of theirs from schools they never attended). But I sure wouldn't want to run a network that used one of those things as its primary form of protection.
Cut that out, or I will ship you to Norilsk in a box.
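Seen from the network operator's side, the weakness of the DHCP-only enforcement described in the comment above is that nothing ties traffic on the wire to a lease the server actually granted. The following added example (not part of the original thread, and not any vendor's code) cross-checks observed MAC/IP pairs against the lease table; the sample leases, observations and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: leases the DHCP server granted after the agent reported in.
# (mac, ip, lease_start, lease_seconds)
LEASES = [
    ("00:11:22:33:44:01", "10.20.0.11", "2008-09-01T08:00:00", 3600),
    ("00:11:22:33:44:02", "10.20.0.12", "2008-09-01T08:05:00", 3600),
]

# Constructed sample: (timestamp, mac, ip) seen on the wire, e.g. from ARP logs.
OBSERVED = [
    ("2008-09-01T08:10:00", "00:11:22:33:44:01", "10.20.0.11"),
    ("2008-09-01T09:30:00", "00:11:22:33:44:02", "10.20.0.12"),
    ("2008-09-01T08:20:00", "00:11:22:33:44:03", "10.20.0.50"),
    ("2008-09-01T08:25:00", "00:11:22:33:44:04", "10.20.0.11"),
]


def build_lease_index(leases):
    """Map each IP to the (mac, start, end) windows it was leased for."""
    index = {}
    for mac, ip, start, seconds in leases:
        begin = datetime.fromisoformat(start)
        end = begin + timedelta(seconds=seconds)
        index.setdefault(ip, []).append((mac.lower(), begin, end))
    return index


def classify(observation, index):
    """Return 'ok' or the reason an observed MAC/IP pair has no valid lease."""
    ts, mac, ip = observation
    when = datetime.fromisoformat(ts)
    windows = index.get(ip)
    if not windows:
        return "no-lease"            # address was never handed out by DHCP
    active = [w for w in windows if w[1] <= when < w[2]]
    if not active:
        return "expired-lease"       # host kept the address past its lease
    if any(w[0] == mac.lower() for w in active):
        return "ok"
    return "mac-mismatch"            # address is leased, but to another MAC


def find_unleased(observed, leases):
    """List (mac, ip, reason) for traffic the DHCP gate never authorised."""
    index = build_lease_index(leases)
    verdicts = ((mac, ip, classify((ts, mac, ip), index)) for ts, mac, ip in observed)
    return [v for v in verdicts if v[2] != "ok"]


if __name__ == "__main__":
    for mac, ip, reason in find_unleased(OBSERVED, LEASES):
        print(f"{ip:<12} {mac}  {reason}")
```

Managed switches enforce the same lease-to-port binding in hardware with features such as DHCP snooping and IP source guard, which is where this check belongs in production.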
As someone who was in college not too long ago, I have experience with this. My school's network policy had two phases (this might not work if yours isn't like this). The first phase was to determine your OS and register your machine and OS by MAC address. Phase two was the additional requirements for Windows machines (must run school antivirus, must be at least win2k, etc). The solution I used was to boot to a Linux live CD (anything with a browser should work) and do the network registration phase from the Linux environment. This would cause my MAC address to get registered as having a Linux OS and therefore be exempt from the Windows rules.
My simple opinion: Follow the rules by the letter. Make the scanner swallow on a big random data file of yours and then call the helpdesk.
The CSA does a registry scan for service packs, AV definitions, and your machine's MAC addresses, nothing more, nothing less. It doesn't even install anything, it runs in memory one time without making any registry modifications. (We actually recommend that you delete the application beyond the first run, because it's generated by the server with a timestamp and won't work at all 5 minutes after it's generated.)
The CSA doesn't look at your hard drive other than the registry, and our network monitoring only looks at quantity of data, not the data itself. A review was made at one point whether to inspect headers to eliminate less than legit torrenting, but the lawyers recommended that we collect absolutely zero data on traffic type as to maintain a "safe harbor" network environment. (Essentially if the RIAA comes knocking, it's your problem, not ours, as long as we don't know what you were doing.)
We honestly don't care what you do with our network as long as you're not sending spam or viruses to other students.
For other info, call the help desk or visit us in person. We're more than willing to discuss network policy and/or bitch about what we're given to work with infrastructure-wise.
Cellular Air Card...
I am a current CMU student who just moved out of the dorms. I cannot tell you the amount of frustration I had with the IT department and registering my computers. (Get ready for some headaches) The best thing I can tell you is install the sh*%y antivirus, run the stupid test thing and do a system restore on your comp to undo the installation of McAfee. (But this still sucks because even upon uninstalling crap is still in your registry etc.) Also they did support AVG as an alternative. Unfortunately they did not support Avira AntiVir.
Ohh and another thing, get ready for a WEEKLY BANDWIDTH CAP of 5 gigs! Good luck trying to keep your Steam apps up to date. The bad part is when you do go over this limit you have to restart the whole process of running their security crap.
On the up side my p2p sharing was great. You will find the internet is blazingly fast (assuming you get through the hoops to use it) and they did not block any p2p ports/programs/traffic that I am aware of.
I had 2 comps running (1 Win XP and 1 Vista/Ubuntu). They make you have SP3 for XP and all the updated definitions for your antivirus (which by the way is stupid because you can't go and download them till you get online but you can't go online till they are updated). See the problem here...what came first the chicken or the egg. Not sure what Vista updates were needed.
As for my Ubuntu installation. You are still under the 5 gig restriction but if I remember correctly you don't have to run the CSA bulls*&t.
Here are a few tips for the MANY times I called the IT help desk.
-You get 1 free reset a semester if you go over the limit.
-Try telling them you have a problem running the CSA thing that it's trying to detect McAfee as your antivirus instead of AVG (of course this can be BS and you can have neither) Say something like I had one installed and I switched and it's still trying to detect McAfee. The guy I spoke to one time got frustrated and just said what the hell and unblocked everything that time so I didn't have to run their crap. The thing is I tried calling later in the year to say the same thing and the guy I spoke to that time said it was impossible to do that and gave me a straight-up lie. After I told him that yes he can do it because it was done before he got defensive and tried to get information on his (I'm assuming) co-worker who went against their policy.
Anyways
Good luck!