Slashdot Mirror


Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

24 of 699 comments

  1. Solution For College's Bad Network Policy? by John Hasler · · Score: 5, Insightful

    A different college.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:Solution For College's Bad Network Policy? by Anonymous Coward · · Score: 5, Insightful

      Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

      Using a virtual machine and TrueCrypt can also save you from additional headaches.

      This assumes that you at least have sufficient rights on the client PC.
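
The caveat behind "All traffic will then be encrypted", as an added example that is not part of the original comment: OpenVPN only protects the destinations that the client's routing table actually sends into the tunnel. The check below applies longest-prefix matching to `ip -4 route show` output and lists every prefix that still leaves via another interface; the route tables, device names (`tun0`, `eth0`) and addresses are constructed samples, and route metrics between equal prefixes are not modelled.

```python
import ipaddress

# Constructed `ip -4 route show` output: OpenVPN client using redirect-gateway def1,
# which adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel to override the default route.
FULL_TUNNEL = """\
default via 10.20.0.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.5.7
203.0.113.10 via 10.20.0.1 dev eth0
"""

# Constructed: the same client without redirect-gateway; only the VPN subnet is tunnelled.
SPLIT_TUNNEL = """\
default via 10.20.0.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.5.7
203.0.113.10 via 10.20.0.1 dev eth0
"""


def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # e.g. blackhole/unreachable entries
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       tok[tok.index("dev") + 1]))
    return routes


def effective_space(net, routes):
    """Parts of `net` that no more specific route overrides (longest-prefix match)."""
    pieces = [net]
    for other, _ in routes:
        if other.prefixlen <= net.prefixlen or not other.subnet_of(net):
            continue
        remaining = []
        for p in pieces:
            if other.subnet_of(p):        # carve the more specific route out of p
                remaining.extend(p.address_exclude(other))
            elif not p.subnet_of(other):  # p is untouched by this route
                remaining.append(p)
        pieces = remaining
    return pieces


def untunnelled(route_text, tun_dev, allowed=()):
    """List (prefix, device) pairs that bypass tun_dev and are not in `allowed`."""
    routes = parse_routes(route_text)
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for net, dev in routes:
        if dev == tun_dev:
            continue
        for piece in effective_space(net, routes):
            if not any(piece.subnet_of(a) for a in allowed_nets):
                leaks.append((str(piece), dev))
    return leaks


if __name__ == "__main__":
    # Expected exceptions: the local LAN and the host route to the VPN server itself.
    allowed = ["10.20.0.0/16", "203.0.113.10/32"]
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        leaks = untunnelled(table, "tun0", allowed)
        total = sum(ipaddress.ip_network(n).num_addresses for n, _ in leaks)
        print(f"{name}: {len(leaks)} leaking prefixes, {total} addresses bypass tun0")
```

DNS is a separate path: a resolver reachable on the allowed LAN prefix would still see lookups even when this check reports no leaking prefixes.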

    2. Re:Solution For College's Bad Network Policy? by Chris Mattern · · Score: 3, Insightful

      And then you don't get on their network. You're not grasping the concept here--you don't use their trojan, you don't get a connection.

    3. Re:Solution For College's Bad Network Policy? by 313373_bot · · Score: 3, Insightful

      As the GP suggests, keeping the sensitive material in an encrypted VM which accesses the net via VPN should be enough, unless the so called "Client Security Engine" includes keylogging or screen capturing functionalities, begging the question: how far can they spy on their students? Shouldn't they have privacy to do their online banking, exchange private e-mail, access medical records, or many other *perfectly legal* activities?

      --
      ^[:q!
    4. Re:Solution For College's Bad Network Policy? by ivucica · · Score: 3, Insightful

      So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

      What about development? Let's theorize that the poster is a programmer. Should he, in spare time, do all the compiling in a VM, for the convenience of being able to do svn/cvs/git commit?

      Academia in the whole world has gone nuts. I understand blocking access to content, but invading the privacy of my laptop is too much. I'd rather not use their crappy network at all. They'd have to give me a laptop to force me; I wouldn't install their spyware onto my private property.

      Worst of all is that, in US, you guys are even paying full tuition, without any (or with little) state sponsorship for the academia. It's incredible that you guys are not fed up with it. Over here in Croatia, students have been protesting and blocking normal functioning of university departments for three weeks - because our Minister of Education is trying to push paying for education even for our "best and brightest". And US students are dozing off happily and enjoying this kind of shit ... and PAYING for it. What the fuck.

    5. Re:Solution For College's Bad Network Policy? by zedeler · · Score: 3, Insightful

      Here is the bottom line. If the campus system is not to your liking, and you absolutely cannot refrain from criminal activity on your computer, and you cannot get into another school, then buy a wire cellular broadband connection.

      This is just the classical "only criminals have something to hide", and I flat out don't agree. There are plenty of other reasons to insist not to have your privacy invaded - just one is that your passwords may be abused by some undergraduate dork working in the IT department.

      Also, I find your comments regarding freedom and how it must be deserved are patronizing and completely missing the point.

    6. Re:Solution For College's Bad Network Policy? by FooAtWFU · · Score: 4, Insightful

      It works like this.

      People: "College is soo expensive!"

      Government: "Here are subsidies for schools, and for student loans!"

      College A: "Hmm, look, money! We could build some spiffy new facilities that'll look good on the tour, and attract a slightly richer set of people!"

      College B: "Hmm, look, money! Good thing, too, because otherwise we couldn't keep up with College A and C. We need nicer stuff to attract the same students. And besides, what university administration doesn't like spiffy-looking new facilities?"

      People: "College is still soo expensive!!"

      Throwing money at colleges in the US may produce a variety of desirable effects. However, "cheaper college education for all" is not necessarily among them. Universities are experts at price discrimination (the art of charging someone as much as you can get away with). They even have you fill out forms ("financial aid") so they can figure out exactly how much to charge you!

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    7. Re:Solution For College's Bad Network Policy? by Jah-Wren Ryel · · Score: 3, Insightful

      So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

      Nah, that's backwards. Use the VM as a router/firewall to the campus network and install the campus spyware inside the VM. Then use the bare-metal for all the real work. If he sets up the VM right it will act just like a NAT firewall and unless someone logs in and really starts looking at what the VM is doing (rather than just what files are installed in it) campus IT will never be the wiser.

      --
      When information is power, privacy is freedom.
    8. Re:Solution For College's Bad Network Policy? by wisty · · Score: 3, Insightful

      You do it like the Australian PBS shakes down big pharma.

      An Australian agency does a cost-benefit analysis on the "product" getting offered. If the price is right, and the "product" (i.e. course) is beneficial*** then you offer a subsidy. If the cost-benefit is not there, you don't subsidize.

      The agency is completely isolated from Parliament (to prevent corruption)

      * Or if the Fed is too wasteful, state based agencies**
      ** Actually, merge some of your states - California and Idaho should not be in the same category

      *** the benefits of education (especially higher education) are very very hard to judge, especially if there is some chance that the metric will be gamed. Targeting student-teacher ratios can reduce admin / building overheads, but it also cuts research. Targeting graduate salaries can just make schools pick privileged, well connected students. Student satisfaction (which Australia targets) is risky - as it reduces rigor. Targeting research is also a nightmare (as researchers then game the metric). Subjective judgments are open to lobbying.

      Education is just one of those wicked problems where the free market isn't ideal (as students are too poor and too inexperienced to make their own decisions, and it's a return to feudalism if rich kids are the only ones who get a good education), but the state can't just set some metrics and create a pseudo-market by dishing out subsidies. Health is another.

  2. Whoa what? by IICV · · Score: 5, Insightful

    From the first link:

    The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

    "If you use our network, we own what's on your hard drives. Thanks!"

  3. Re:Linux by nurb432 · · Score: 3, Insightful

    Or they will deny you access.

    --
    ---- Booth was a patriot ----
  4. Re:Mod Parent Up Please! :) by Anpheus · · Score: 5, Insightful

    Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

    And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

    Dealing with idiotic, forced software is a pain no matter what your OS is.

  5. Re:You're not as interesting as you think you are by hedwards · · Score: 3, Insightful

    That's a good point. I recall my senior year in college the IT department installed traffic shaping hardware on the network. Basically killing the performance of P2P apps in order to make the network useful for more general use applications.

    At that time, most of the file sharing was being done directly via file shares and often times there'd be virus infected files. From what you're saying, it's probably not that much different than when antivirus software would delete files on r/w enabled shares.

    But to be honest, the terms kind of scare me, just because you're a professional doesn't mean the nitwits running that network are, and it's a blatant violation of copyright law to declare ownership over files in that manner.

  6. Re:Mod Parent Up Please! :) by Jurily · · Score: 5, Insightful

    x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

    -- Theo de Raadt

  7. There's a get out by Kupfernigk · · Score: 3, Insightful

    Did you notice the "intellectual property owned by others"?

    1. Register your one-person software company
    2. Assign all your non-CMU material to your company
    3. Encrypt everything

    You are now protected by (a) their policy and (b) the DMCA.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  8. join the computer club by snsh · · Score: 5, Insightful

    You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

    This is the point of being at college, after all.

  9. Re:You're not as interesting as you think you are by Anonymous Coward · · Score: 4, Insightful

    Yep. Just because you personally don't care what he has on his computer, he shouldn't worry that there might be a bad egg in the IT department who will drain his bank accounts and post child pornography on his facebook page.

    Yes sir mister IT guy, we'll let you have all of our data and trust you not to do anything bad with it, whatever you say.

  10. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  11. Re:That's STILL insane. by Malenx · · Score: 5, Insightful

    You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.

    In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.

  12. Re:That's STILL insane. by Anonymous Coward · · Score: 5, Insightful

    But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.

  13. Re:That's STILL insane. by uvsc_wolverine · · Score: 5, Insightful

    I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

    So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.

    Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.

    If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.

    Ok.

    Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

    If you don't like it they can admit someone else.

    Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

    I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and set up a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).

    If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults.

    We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).

    I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

    But again, it is my machine, and it is my money that is paying for that Internet connection.

    Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.

    Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em

    --
    This space for rent...
  14. Re:Mod Parent Up Please! :) by Dun Malg · · Score: 4, Insightful

    We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted. If you are a target singled out, yes, Theo's point is valid: a determined attacker will find a way through because the second and third layers are not any better built than the first. That's not the security situation most of us face, though. For the most part we only need to make our information a degree more difficult to get at than everyone else's. A virtual machine will do that. So will running Linux. As would running OSX, though to a lesser degree. Now, if everyone were running virtual machines, he'd have a valid point because the low hanging fruit would be the virtual machine. But since VMs are a novelty to most, they're unlikely to be targeted, which makes Theo's rant just more of his usual hot gas.

    --
    If a job's not worth doing, it's not worth doing right.
  15. Bullshit by Weezul · · Score: 3, Insightful

    There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? Your scanners probably won't detect any machine behind its own firewall either.

    I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.

    Sadly, residential networks create a perfect environment for Windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formats, like Office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their Windows-using fellow students, but compelling scans using closed source software will only discourage compliance.

    I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  16. Internet Service Provider by starfishsystems · · Score: 3, Insightful

    Okay, as the person who wrote the first implementation of my university's longstanding Acceptable Use Policy, let me ask a fundamental question:

    In what manner are students' personal systems permitted to access the Central Michigan University network that is different from how a hundred million ISP customers access the Internet?

    If there is no difference, then the university doesn't have a better case for control over these personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.

    If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.

    So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.

    --
    Parity: What to do when the weekend comes.