Slashdot Mirror

← Back to Stories (view on slashdot.org)

Solution For College's Bad Network Policy?

Posted by timothy on from the must-be-monoculture-compatible dept.

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

19 of 699 comments (clear)

  1. Linux by Timmmm · · Score: 5, Interesting

    Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

    1. Re:Linux by Fred+Ferrigno · · Score: 3, Interesting

      When they keep out the commercial ISPs so they're the only network available and when their classes require network access, I'm a little less concerned about their rights to their network. If they're going to force you to eat their dog food, they at least have to make it palatable.

      I don't know why universities bother providing network access if it's sooo hard to maintain. Comcast, AT&T, etc. handle the off-campus students just fine without any of that crap. It's not like their job is any easier or their customers are any smarter.

      If I were running the network at a university, I'd leave the dorms to the commercial providers and let them compete for business. In the labs have the students use university PCs which are locked down as needed. For wireless, you offer a "clean" network that requires CCA or whatever and a guest network that is on the other side of the firewall and throttled.

  2. Use a VM by Anonymous Coward · · Score: 5, Interesting

    If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

  3. I've faced this same issue by reeeh2000 · · Score: 3, Interesting

    What I found to be the best solution is to run Linux. My campus required Cisco clean access agent and service pack 2 to use windows on the network. I wasn't required to as Linux is allowed to connect without these. As for other concerns I would suggest setting up a encrypted proxy server at home then connecting through it. This will also allow for torrenting and PvP file sharing as this is often blocked on campus.

  4. thumb drive linux by elwinc · · Score: 3, Interesting

    Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.

    --
    --- Often in error; never in doubt!
  5. My Solution by Adam+Zweimiller · · Score: 5, Interesting

    When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

    --
    mmm...muffins
  6. entrepreneur by TheSHAD0W · · Score: 4, Interesting

    "There are no wireless broadband providers available in the area, I already checked."

    Start one. Given what you've told us, there should be plenty of demand.

  7. You're not as interesting as you think you are by Anonymous Coward · · Score: 5, Interesting

    I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

    So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

    You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

  8. Computer science major by tepples · · Score: 4, Interesting

    Odds are they'll simply tell him that linux is not supported under their network.

    Disallowing operating systems other than Windows might make certain parts of CMU's computer science program more difficult for students.

  9. Re:No. by Macman408 · · Score: 4, Interesting

    One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:

    P2P traffic was capped at 50% of total bandwidth.

    There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)

    If you picked up a virus, you were isolated from the network. The only thing you could get to was windowsupdate.com, until you removed the virus and called the helpdesk to promise you had an antivirus installed.

  10. Re:No. by finalfrog · · Score: 5, Interesting

    My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

  11. common, not good by Goldsmith · · Score: 4, Interesting

    This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.

    I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.

    My suggestions are:
    -live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
    -when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)

  12. Re:That's STILL insane. by Anonymous Coward · · Score: 4, Interesting

    That's the polite reason they give for shitlisting Limewire.

    The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.

    This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire, and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I see a track history of this on by looking at their cases.
    Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.

    On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?

  13. Re:That's insane. by izomiac · · Score: 5, Interesting

    Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. In exact, one week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.

    That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

    Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.

  14. Re:Solution For College's Bad Network Policy? by bhtooefr · · Score: 4, Interesting

    Run their trojan in WINE, in an account that can't do anything?

  15. Inadequate disclosure by Animats · · Score: 4, Interesting

    The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware, run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration, so this probably won't surprise them.

    It's not even clear whose Client Security Agent they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.

    Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.

  16. Re:Solution For College's Bad Network Policy? by Jah-Wren+Ryel · · Score: 3, Interesting

    Let's just hope that this tool only monitors files on his computer and communicates them to the base. It could also monitor some other stuff, like names of hardware equipment, such as VMWARE CD-ROM DRIVE or whatever.

    Pretty much any of that can be configured out of the VM in one way or another. Worst case he can use Xen which, being open source, can be completely modified to report anything.

    Or it may insist on talking directly to its network. Or it may actually be responsible for authenticating the detected MAC address.

    Not a problem. MAC addresses are full programable and the virtual nic maps directly to the physical nic - i.e. it hands packets directly to the physical nic, fully formed and vice versa. I'm doing something very similar at home right now - running pfsense in a vmware machine on a Windows XP host as my internet firewall. I disabled the all of XP's ip protocols on the wan nic so that the pfsense firewall runs the entire show on that physical nic.

    --
    When information is power, privacy is freedom.
  17. Re:Solution For College's Bad Network Policy? by walshy007 · · Score: 3, Interesting

    To be fair, I've been a linux user over a decade, and upon returning to uni one of the first programming courses I had was .net with microsoft everywhere. So I setup a development environment with monodevelop and mono.

    Development has been rather painless so far at least for CLI programs, and the resulting binaries run with the .net framework aswell as mono, on linux, windows and mac.

    The moment I no longer need to use c# I'll instantly go back to c++ and c coding. Even in instances where your uni 'makes' you use microsoft stuff, linux is so flexible nowadays that there is almost always some way to do it in linux without them being any the wiser.

  18. Re:Solution For College's Bad Network Policy? by MacColossus · · Score: 5, Interesting

    I work in the IT department of a college. We started implementing more network security after blaster and welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the Academic side we do require Cisco Clean Access agent to use the campus wireless to access intranet resources. It checks to see if Antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have Itunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast dns (bon jour) to broadcast "susie jo's limewire tunes" which shows up under shared in Itunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast dns browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that ip address (Cisco is tied into our directory services.) I then go to their Facebook profile which is always wide open and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.