Solution For College's Bad Network Policy?
DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
A different college.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Use Virtualbox to run the security agent in a virtual machine and OpenVPN to tunnel your traffic to a host on a less bigbrotherish network. If you feel like going against administration, you could also try to get the policy changed...
Are you required to run Windows? If not, don't.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
From the first link:
"If you use our network, we own what's on your hard drives. Thanks!"
Or they will deny you access.
---- Booth was a patriot ----
That has got to be the first time I've ever heard cellphone internet described as "freedom".
Uh, this is sorta pathetic that we computer science literate folk cannot muster up the courage to tell him to confront the policy with a student protest. However, that is what I would expect from Slashdot where everything is resolved by lawsuit or clever hack. Well sometimes we need to go piss in someone's cheerios. That is what we should be telling him to do, go down to the lib arts colleges and rally up the professional protest set, get some cogent arguments laid out and make sure you notify all media within a few hundred miles because for whoever is having a slow news day you might make the cut.
An Education is the Font of All Liberty
Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.
And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.
Dealing with idiotic, forced software is a pain no matter what your OS is.
That's a good point. I recall my senior year in college the IT department installed traffic shaping hardware on the network. Basically killing the performance of P2P apps in order to make the network useful for more general use applications.
At that time, most of the file sharing was being done directly via file shares and often times there'd be virus infected files. From what you're saying, it's probably not that much different than when antivirus software would delete files on r/w enabled shares.
But to be honest, the terms kind of scare me, just because you're a professional doesn't mean the nitwits running that network are, and it's a blatant violation of copyright law to declare ownership over files in that manner.
x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.
-- Theo de Raadt
Very accurate. Should be "5 interesting". Of course /. rewards argumentative counterculture copycats and lemmings... not anyone who actually tells it like it is.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.
This is the point of being at college, after all.
Mine does not even require antivirus software, although they deliberately design the system into tricking students into installing it, and some other crap. However, if your machine is rooted, and begins disrupting the network, they reserve the right to ban your computer from the network.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it. If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules. Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.
Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.
If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults. I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.
But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.
It's freedom when compared with having the college install some monitoring app (dare I say spyware?) on your computer.
Yep. Just because you personally don't care what he has on his computer, he shouldn't worry that there might be a bad egg in the IT department who will drain his bank accounts and post child pornography on his facebook page.
Yes sir mister IT guy, we'll let you have all of our data and trust you not to do anything bad with it, whatever you say.
They say....No access for you! Network Nazis don't have to be reasonable.
Running a college network is not an easy task, and I don't envy you. Let's face it, college networks are probably some of the most vulnerable to infections and rapid spreading. However, just because you don't care and you have good intentions (I mean who _wants_ to have an infected computer?) doesn't make this policy sketchy. Basically you are saying (to paraphrase your last line) if you have nothing to hide, you have nothing to worry about. The reason why privacy advocates get worked up about these minor league, well-intentioned intrusions into privacy is because of the _potential_ for abuse. It is all the worse because it is a piece of software that is a black box as far as the typical student is involved.
To make an analogy (what good /. post doesn't have one of those?), this is along the same lines as security cameras on the street corners. Sure, most of the time no one is actually watching and anyway, after awhile they are just endless anonymous faces... until the day some watcher suddenly sits up and goes "hey - I know that guy... and that is not his wife...", or someone gets bored and starts tracking the attractive young woman around town, or some self-righteous zealot starts sending the cops out after teens necking in the park.
I'm sure making students install software that scans their computers makes the life of the network manager easier, just like warrantless searches would make police work easier. The real problem is that most students won't even ask the question posed by the original poster because they just don't know any better... If it were me, well, I swap back and forth between osx and linux, but I'd still refuse and do my best to raise awareness of why this is a problem - but maybe that's because I did my undergrad at Wesleyan way back in the day and if ever there was a place for causes...
Actually, it is an excellent analogy. In New York City, if you have a large bag and you want to ride the subways, the police department will demand to search the bag (they cannot do this for everyone, so usually they start with people who "look like" terrorists). You are within your rights to refuse the search, but then, you cannot ride the subway.
Why should anyone have to consent to allow their computer to be searched by strangers? Just ban any node that is misbehaving, and there is nothing more that needs to be done. We do not need IT staff holding our hands, and more importantly, we specifically want IT to not hold our hands.
Palm trees and 8
I second everything that you say about McAfee.
I work help desk at a McAfee campus and am also responsible for doing repairs on student and faculty computers.
You have to register your computer using a special utility that records your MAC address and whether or not you have McAfee installed. In the meantime, you'll get an IP address from the "unregistered" block and the firewall won't let any of your traffic leave the LAN.
(Yes, this can be spoofed by wireshark-ing a registered person's MAC address, or even uninstalling McAfee after registering. But, that's beyond five nines of students on campus.)
So, every computer on campus, student and faculty, has an updated version of McAfee 8.5i. Yet I spend an awful lot of time removing viruses from those computers throughout the year. Even AVG works better, for crying out loud!
We also use Faronics DeepFreeze on machines meant for student use; we're permitted to remove McAfee from those machines because in theory virus infection is impossible. Those machines work about twice as fast as their unfrozen counterparts.
It's standard practice to not even try to boot up an infected machine because the more interesting infections do a good job of preventing most of your tools from running - it's easier to pop out the hard drive, hook it up to a USB->IDE/SATA adapter, and mount it on our help desk machine and do an offline scan.
We used to use McAfee for doing these offline scans - but then we realized it would take a few hours to scan the drive and would miss most of the infection. (If it's "spyware" or "adware" and not a bona-fide "virus" it won't detect it at all. Most of our infections are "XP Antivirus".)
It does NOTHING and makes the computer it's installed on unbearably slow. Plus, a site license seems to be rather costly. Our current routine is to do a 30-minute-ish offline scan using MalwareBytes, pop the hard drive back in, and run ComboFix or SpyBot SD to repair the registry. Most viruses are gone in about an hour - no thanks to McAfee.
Sorry for the rant! At least we aren't stuck with Symantec/Norton.
DATABASE WOW WOW
In the real world, if you want freedom to do as you please you have to pay for it yourself.
In a manner of speaking, the OP is.
But it's a mite different here.
I'd say the lesson is that "nobody cares about your problem unless you can make it theirs as well". If they set up policies which you disagree with, that's your problem.
If you can get a significant proportion of the media to investigate this and publish it, suddenly it's their problem as well.
Well, in this particular case, the OP doesn't require a system that is fully secure against every conceivable threat. What they need is a system that is secure against one particular known threat - one that probably isn't updated very often and whose authors probably have never contemplated exploiting virtualization security leaks to ensure that the systems they're scanning are truly being scanned.
Yes, there's a possibility of introducing additional security holes this way, but generic security threats to a personal machine can mostly be evaded the same way everyone else does: by practicing safe surfing habits, being careful with flash drives, and using an appropriate firewall.
A good example how a guy who, despite having made a name for himself as a programmer, can still be very wrong regarding issues he has no intimate knowledge about.
Idle curiosity, has anyone ever called you a retarded, pompous, self-important shitcock?
We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted. If you are a target singled out, yes, Theo's point is valid: a determined attacker will find a way through because the second and third layers are not any better built than the first. That's not the security situation most of us face, though. For the most part we only need to make our information a degree more difficult to get at than everyone else's. A virtual machine will do that. So will running Linux. As would running OSX, though to a lesser degree. Now, if everyone were running virtual machines, he'd have a valid point because the low hanging fruit would be the virtual machine. But since VMs are a novelty to most, they're unlikely to be targeted, which makes Theo's rant just more of his usual hot gas.
If a job's not worth doing, it's not worth doing right.
Are you kidding?
These sorts of policies exist so the idiot IT people who should be working as janitors can claim they are "doing something".
Most Windows AV and AS is dead easy to get through. What is hilarious is that "extrusion attacks" are very prevalent in the type of system you maintain. Since you likely never heard the term, it means that once you trust a node inside the network and that node gets infected, your network is owned. Your draconian, brain-dead policies do not stop this.
You are all getting your knickers in a twist over nothing.
The client (assuming it's similar to the Cisco Clean Access Client I'm familiar with) simply checks that Windows machines are patched and running up-to-date antivirus. Remember Blaster? That thing ate college networks. Since then network policies have gotten a bit stricter. If you read them, they are trying to protect you, and cover their own ass.
The short version of the policy: Don't do anything illegal. Run this stuff so we can make sure the network stays virus free. Don't be a jerk. If you break these, we can kick you off our network.
If you are seriously concerned about it you are paranoid. Paranoid people should grab a cheap netbook and use that on the school network, and keep your precious personal data on a different machine. Any of that Nat/VM/router shenanigans others have suggested is violating their policies, and risking problems on their network that those policies are crafted to avoid.
There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? Your scanners probably won't detect any machine behind its own firewall either.
I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.
Sadly, residential networks create a perfect environment for Windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formats, like office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their Windows-using fellow students, but compelling scans using closed source software will only discourage compliance.
I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
A fair and creative reply. Tai chi bow.
I'll put P2P traffic aside. If the school can afford the 50% or higher bandwidth premium, and they're willing to take the legal risks, perhaps they should allow it.
So, let's assume the following:
Your network serves X0,000 staff and students. 5% malware penetration == dysfunctional network and loss of job. 20% of your customers are computer proficient regarding security and good network citizenship.
I'll lay some objectivity aside to make this argument. If the Cisco product is:
* Keeping the network up,
* Used to effectively manage PCs by forcing customers to practice good security and maintenance, and
* Doing it in a way that automates the process by teaching the customer to do it themselves instead of having an IT rep make house calls to the 80% of the customer base that would require it,
isn't it a good, cost effective solution?
I agree that a single-layer defense is never enough. And, considering where we're having this debate, I can certainly support the use of policies and processes which accommodate the other 20% of the customer base with a less intrusive solution.
We're evaluating a solution for our K-12 regional network using PacketFence, including the Snort/Nessus/RADIUS options. Check it out, if you haven't.
If there is no difference, then the university doesn't have a better case for control over these personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.
If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.
So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.
Parity: What to do when the weekend comes.
What happened to personal responsibility? As in, people are responsible for their own machines. If they get infected, then kick them off the network. You admit you already have tools for scanning vulnerabilities remotely, use those. That's a reasonable policy.
Requiring the use of a specific piece of spyware smacks of corruption to me. I'm sure someone's getting paid for that. What if a student wants to run a different scanner? They have to run two scanners? What if they want to change the configuration, or run a different OS?
Their machines are their machines. Your jurisdiction ends with the network. Punish those who misuse the network, don't pre-emptively force yourself on their machines.
Let me get this straight--you trusted some random guy to install crap on your computer over the university?
I find that pretty interesting.
While I appreciate your candor, name calling is certainly not necessary to get your point across. As I explicitly mentioned in my response, "it's mandated by the Board of Trustees." The Ohio State Board of Trustees took it upon themselves to mandate a NAC solution to the "security problem". I apologize if I somehow alluded to it being my idea. We were told that we could either implement it or lose our jobs. You may have quit; I chose to do my job since honestly, it's really not that big of a deal. Everyone can do their work and everyone can use whatever OS they want, as the OP indicated.
You seem to be indicating that this plan is for University owned Staff/Faculty/lab machines only. If this is the case, it's no different than standard business policy, and it's just good sense (why would it need to be mandated from on high?).
GP thinks the plan you're implementing at your superior's request is for student-owned computers that they're using on campus. If that's true, then you'd be a wimp for not quitting when the Trustees planned a "let's roger the students" policy. You furthermore would be a fool for thinking "it's really not that big of a deal." Of course, I'm guessing the first paragraph is more correct; otherwise, the Trustees would probably have you running the scans on all Staff and Faculty home machines since they connect in to campus occasionally.
From the URL, it looks like Bradford Campus Manager.
It's what we use for remediation at the college where I work, and that URL, particularly the Remediation part, is the same area that Bradford puts their CSA.
I can only say how we use the system, so I can't vouch for cmich or other school networks, but we pretty much use BCM for these purposes.
1) Check for patches on a system.
2) Check for the university supplied Virus scanner and how up to date it is.
3) Send messages to users. Specifically as part of our emergency alert strategy in case of severe weather or Schoolwide Crisis.
4) Locate PC's (Or anything with a MAC address for that matter) if they are lost or stolen and are still being used on our network.
5) Block Rogue DHCP servers, like someone mistakenly plugging in their home router on their LAN side (instead of WAN), or running Internet connection sharing, or a virus that is DHCP Spoofing.
As far as I know, it doesn't do any kind of traffic or system spying of any sort. It's basically designed to keep non university users (or users with a problem, such as outdated AV) from getting into the network and doing damage by subnetting anything that's not registered at the switch end. The only thing a non-registered user can do is see the remediation page and login, and if they can't login they're SOL.
As for the Net itself, although we use a QOS system to control bandwidth usage, we don't track anything other than what traffic is using how much bandwidth and throttle based on demand vs performance. I.e., if Bittorrent is sucking 80% of our bandwidth, we throttle Bittorrent so that other services (WEB, Email, XBOX, ETC) can get more traffic. My guess is that most schools follow the same principle.
In Soviet Russia, Trojan exploits YOU!
A private university might get away with this, but a public institution is constrained by the Constitution. I'd say that scanning your hard drive is an unconstitutional search, because there are less invasive means of keeping their network safe.
I can't write your brief for you, but talk to the ACLU and the EFF.