Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

Solution For College's Bad Network Policy?

[John+Hasler]

A different college.

Re:Solution For College's Bad Network Policy?

Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

Using a virtual machine and TrueCrypt can also save you from additional headaches.

This assumes that you at least have sufficient rights on the client PC.

Re:Solution For College's Bad Network Policy?

[FooAtWFU]

It works like this.

People: "College is soo expensive!"

Government: "Here are subsidies for schools, and for student loans!"

College A: "Hmm, look, money! We could build some spiffy new facilities that'll look good on the tour, and attract a slightly richer set of people!"

College B: "Hmm, look, money! Good thing, too, because otherwise we couldn't keep up with College A and C. We need nicer stuff to attract the same students. And besides, what university administration doesn't like spiffy-looking new facilities?"

People: "College is still soo expensive!!"

Throwing money at colleges in the US may produce a variety of desirable effects. However, "cheaper college education for all" is not necessarily among them. Universities are experts at price discrimination (the art of charging someone as much as you can get away with). They even have you fill out forms ("financial aid") so they can figure out exactly how much to charge you!

Whoa what?

[IICV]

From the first link:

The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

"If you use our network, we own what's on your hard drives. Thanks!"

Re:Mod Parent Up Please! :)

[Anpheus]

Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

Dealing with idiotic, forced software is a pain no matter what your OS is.

Re:Mod Parent Up Please! :)

[Jurily]

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

-- Theo de Raadt

join the computer club

[snsh]

You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

This is the point of being at college, after all.

Re:You're not as interesting as you think you are

Yep. Just because you personally don't care what he has on his computer, he shouldn't worry that there might be a bad egg in the IT department who will drain his bank accounts and post child pornography on his facebook page.

Yes sir mister IT guy, we'll let you have all of our data and trust you not to do anything bad with it, whatever you say.

Re:That's STILL insane.

[Malenx]

You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.

In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.

Re:That's STILL insane.

But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.

Re:That's STILL insane.

[uvsc_wolverine]

I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.

Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.

If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.

Ok.

Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

If you don't like it they can admit someone else.

Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and setup a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).

If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off it's connection, show me what you've got, and we'll deal with it like adults.

We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).

I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

But again, it is my machine, and it is my money that is paying for that Internet connection.

Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.

Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em

Re:Mod Parent Up Please! :)

[Dun+Malg]

We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted. If you are a target singled out, yes, Theo's point is valid: a determined attacker will find a way through because the second and third layers are not any better built than the first. That's not the security situation most of us face, though. For the most part we only need to make our information a degree more difficult to get at than everyone else's. A virtual machine will do that. So will running Linux. As would running OSX, though to a lesser degree. Now, if everyone were running virtual machines, he'd have a valid point because the low hanging fruit would be the virtual machine. But since VMs are a novelty to most, they're unlikely to be targeted, which makes Theo's rant just more of his usual hot gas.