Slashdot Mirror

← Back to Stories (view on slashdot.org)

Solution For College's Bad Network Policy?

Posted by timothy on from the must-be-monoculture-compatible dept.

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

14 of 699 comments (clear)

  1. Linux by Timmmm · · Score: 5, Interesting

    Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

  2. Use a VM by Anonymous Coward · · Score: 5, Interesting

    If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

  3. My Solution by Adam+Zweimiller · · Score: 5, Interesting

    When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

    --
    mmm...muffins
  4. entrepreneur by TheSHAD0W · · Score: 4, Interesting

    "There are no wireless broadband providers available in the area, I already checked."

    Start one. Given what you've told us, there should be plenty of demand.

  5. You're not as interesting as you think you are by Anonymous Coward · · Score: 5, Interesting

    I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

    So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

    You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

  6. Computer science major by tepples · · Score: 4, Interesting

    Odds are they'll simply tell him that linux is not supported under their network.

    Disallowing operating systems other than Windows might make certain parts of CMU's computer science program more difficult for students.

  7. Re:No. by Macman408 · · Score: 4, Interesting

    One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:

    P2P traffic was capped at 50% of total bandwidth.

    There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)

    If you picked up a virus, you were isolated from the network. The only thing you could get to was windowsupdate.com, until you removed the virus and called the helpdesk to promise you had an antivirus installed.

  8. Re:No. by finalfrog · · Score: 5, Interesting

    My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

  9. common, not good by Goldsmith · · Score: 4, Interesting

    This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.

    I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.

    My suggestions are:
    -live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
    -when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)

  10. Re:That's STILL insane. by Anonymous Coward · · Score: 4, Interesting

    That's the polite reason they give for shitlisting Limewire.

    The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.

    This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire, and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I see a track history of this on by looking at their cases.
    Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.

    On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?

  11. Re:That's insane. by izomiac · · Score: 5, Interesting

    Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. In exact, one week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.

    That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

    Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.

  12. Re:Solution For College's Bad Network Policy? by bhtooefr · · Score: 4, Interesting

    Run their trojan in WINE, in an account that can't do anything?

  13. Inadequate disclosure by Animats · · Score: 4, Interesting

    The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware, run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration, so this probably won't surprise them.

    It's not even clear whose Client Security Agent they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.

    Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.

  14. Re:Solution For College's Bad Network Policy? by MacColossus · · Score: 5, Interesting

    I work in the IT department of a college. We started implementing more network security after blaster and welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the Academic side we do require Cisco Clean Access agent to use the campus wireless to access intranet resources. It checks to see if Antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have Itunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast dns (bon jour) to broadcast "susie jo's limewire tunes" which shows up under shared in Itunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast dns browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that ip address (Cisco is tied into our directory services.) I then go to their Facebook profile which is always wide open and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.