Slashdot Mirror


Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

117 of 699 comments

  1. Solution For College's Bad Network Policy? by John Hasler · · Score: 5, Insightful

    A different college.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:Solution For College's Bad Network Policy? by Anonymous Coward · · Score: 5, Insightful

      Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

      Using a virtual machine and TrueCrypt can also save you from additional headaches.

      This assumes that you at least have sufficient rights on the client PC.

    2. Re:Solution For College's Bad Network Policy? by tech_freak'n_stuff · · Score: 2, Funny

      A different college.

      Yes, but what if: there was a zombie apocalypse and that college was the only surviving college in the United States, then BANG! there's another problem.

      --
      shotgun your computer. Cancel or Allow?
    3. Re:Solution For College's Bad Network Policy? by Chris Mattern · · Score: 3, Insightful

      And then you don't get on their network. You're not grasping the concept here--you don't use their trojan, you don't get a connection.

    4. Re:Solution For College's Bad Network Policy? by 313373_bot · · Score: 3, Insightful

      As the GP suggests, keeping the sensitive material in an encrypted VM which accesses the net via VPN should be enough, unless the so-called "Client Security Engine" includes keylogging or screen capturing functionalities, begging the question: how far can they spy on their students? Shouldn't they have privacy to do their online banking, exchange private e-mail, access medical records, or many other *perfectly legal* activities?

      --
      ^[:q!
    5. Re:Solution For College's Bad Network Policy? by bhtooefr · · Score: 4, Interesting

      Run their trojan in WINE, in an account that can't do anything?

    6. Re:Solution For College's Bad Network Policy? by ivucica · · Score: 2, Insightful

      And if that doesn't work?

    7. Re:Solution For College's Bad Network Policy? by ivucica · · Score: 3, Insightful

      So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

      What about development? Let's theorize that the poster is a programmer. Should he, in spare time, do all the compiling in a VM, for the convenience of being able to do svn/cvs/git commit?

      Academia in the whole world has gone nuts. I understand blocking access to content, but invading the privacy of my laptop is too much. I'd rather not use their crappy network at all. They'd have to give me a laptop to force me; I wouldn't install their spyware onto my private property.

      Worst of all is that, in US, you guys are even paying full tuition, without any (or with little) state sponsorship for the academia. It's incredible that you guys are not fed up with it. Over here in Croatia, students have been protesting and blocking normal functioning of university departments for three weeks - because our Minister of Education is trying to push paying for education even for our "best and brightest". And US students are dozing off happily and enjoying this kind of shit ... and PAYING for it. What the fuck.

    8. Re:Solution For College's Bad Network Policy? by zedeler · · Score: 3, Insightful

      Here is the bottom line. If the campus system is not to your liking, and you absolutely cannot refrain from criminal activity on your computer, and you cannot get into another school, then buy a wire cellular broadband connection.

      This is just the classical "only criminals have something to hide", and I flat out don't agree. There are plenty of other reasons to insist not to have your privacy invaded - just one is that your passwords may be abused by some undergraduate dork working in the IT department.

      Also, I find your comments regarding freedom and how it must be deserved are patronizing and completely missing the point.

    9. Re:Solution For College's Bad Network Policy? by FooAtWFU · · Score: 4, Insightful

      It works like this.

      People: "College is soo expensive!"

      Government: "Here are subsidies for schools, and for student loans!"

      College A: "Hmm, look, money! We could build some spiffy new facilities that'll look good on the tour, and attract a slightly richer set of people!"

      College B: "Hmm, look, money! Good thing, too, because otherwise we couldn't keep up with College A and C. We need nicer stuff to attract the same students. And besides, what university administration doesn't like spiffy-looking new facilities?"

      People: "College is still soo expensive!!"

      Throwing money at colleges in the US may produce a variety of desirable effects. However, "cheaper college education for all" is not necessarily among them. Universities are experts at price discrimination (the art of charging someone as much as you can get away with). They even have you fill out forms ("financial aid") so they can figure out exactly how much to charge you!

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    10. Re:Solution For College's Bad Network Policy? by mysidia · · Score: 2, Informative

      Maybe VMware Thinapp in Sandbox mode?

    11. Re:Solution For College's Bad Network Policy? by Jah-Wren Ryel · · Score: 4, Informative

      Maybe VMware Thinapp in Sandbox mode?

      Or just give them a full-blown VM with an installation of XP and nothing else.
      Set up the physical network interface so that only the VM uses it, and use virtual interfaces to route from the host OS to the VM and then out to the network.
      You can run a NAT firewall (XP's connection sharing might be good enough) on the VM.

      If you are feeling ultra-paranoid you could install typical applications in there too, like MS Office, etc. So if they look at everything on the VM it will look like a regular college-kid computer, but unless they are really smart they will never know that the "real" computer is just using the VM to NAT out to their network.

      --
      When information is power, privacy is freedom.
    12. Re:Solution For College's Bad Network Policy? by Jah-Wren Ryel · · Score: 3, Insightful

      So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

      Nah, that's backwards. Use the VM as a router/firewall to the campus network and install the campus spyware inside the VM. Then use the bare-metal for all the real work. If he sets up the VM right it will act just like a NAT firewall and unless someone logs in and really starts looking at what the VM is doing (rather than just what files are installed in it) campus IT will never be the wiser.

      --
      When information is power, privacy is freedom.
    13. Re:Solution For College's Bad Network Policy? by Jah-Wren Ryel · · Score: 3, Interesting

      Let's just hope that this tool only monitors files on his computer and communicates them to the base. It could also monitor some other stuff, like names of hardware equipment, such as VMWARE CD-ROM DRIVE or whatever.

      Pretty much any of that can be configured out of the VM in one way or another. Worst case he can use Xen which, being open source, can be completely modified to report anything.

      Or it may insist on talking directly to its network. Or it may actually be responsible for authenticating the detected MAC address.

      Not a problem. MAC addresses are fully programmable and the virtual NIC maps directly to the physical NIC - i.e. it hands packets directly to the physical NIC, fully formed, and vice versa. I'm doing something very similar at home right now - running pfSense in a VMware machine on a Windows XP host as my internet firewall. I disabled all of XP's IP protocols on the WAN NIC so that the pfSense firewall runs the entire show on that physical NIC.

      --
      When information is power, privacy is freedom.
    14. Re:Solution For College's Bad Network Policy? by hazem · · Score: 2, Informative

      A technical solution that "gets around" it will most likely get you suspended; it's happened before:
      http://it.slashdot.org/article.pl?sid=07/04/27/203232

      (and a good friend of mine who was a professor also was denied tenure over this incident). Sadly IT at universities tends to be a little kingdom of people who think they are more important than everything else going on - in fact, this isn't just at universities...

      The best thing you can do is go to the dean of the school you're planning to attend and say, "gee, I was really looking forward to attending your university, but I will not attend if I have to install this monitoring software to use the network."

      Deans care a whole lot about enrollment numbers and having good students, and if they are going to lose good students due to a stupid policy, there will be pressure to alter the policy or at least grant an exception.

      Good luck.

    15. Re:Solution For College's Bad Network Policy? by walshy007 · · Score: 3, Interesting

      To be fair, I've been a Linux user for over a decade, and upon returning to uni one of the first programming courses I had was .NET with Microsoft everywhere. So I set up a development environment with MonoDevelop and Mono.

      Development has been rather painless so far, at least for CLI programs, and the resulting binaries run with the .NET Framework as well as Mono, on Linux, Windows and Mac.

      The moment I no longer need to use c# I'll instantly go back to c++ and c coding. Even in instances where your uni 'makes' you use microsoft stuff, linux is so flexible nowadays that there is almost always some way to do it in linux without them being any the wiser.

    16. Re:Solution For College's Bad Network Policy? by MacColossus · · Score: 5, Interesting

      I work in the IT department of a college. We started implementing more network security after Blaster and Welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the academic side we do require Cisco Clean Access agent to use the campus wireless to access intranet resources. It checks to see if antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have iTunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast DNS (Bonjour) to broadcast "susie jo's limewire tunes" which shows up under shared in iTunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast DNS browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that IP address (Cisco is tied into our directory services). I then go to their Facebook profile, which is always wide open, and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.

    17. Re:Solution For College's Bad Network Policy? by wisty · · Score: 3, Insightful

      You do it like the Australian PBS shakes down big pharma.

      An Australian agency does a cost-benefit analysis on the "product" getting offered. If the price is right, and the "product" (i.e. course) is beneficial*** then you offer a subsidy. If the cost-benefit is not there, you don't subsidize.

      The agency is completely isolated from Parliament (to prevent corruption)

      * Or if the Fed is too wasteful, state based agencies**
      ** Actually, merge some of your states - California and Idaho should not be in the same category

      *** the benefits of education (especially higher education) are very very hard to judge, especially if there is some chance that the metric will be gamed. Targeting student-teacher ratios can reduce admin / building overheads, but it also cuts research. Targeting graduate salaries can just make schools pick privileged, well connected students. Student satisfaction (which Australia targets) is risky - as it reduces rigor. Targeting research is also a nightmare (as researchers then game the metric). Subjective judgments are open to lobbying.

      Education is just one of those wicked problems where the free market isn't ideal (as students are too poor and too inexperienced to make their own decisions, and it's a return to feudalism if rich kids are the only ones who get a good education), but the state can't just set some metrics and create a pseudo-market by dishing out subsidies. Health is another.

    18. Re:Solution For College's Bad Network Policy? by sowth · · Score: 2, Interesting

      "Everyone needs a college education" is a scam created by the baby boomers. They use higher and higher education / experience requirements so they can lock out the next generations from the workforce. The previous generation, they used an "overqualified" scam as an excuse to not hire older people. They also used any excuse to fire / lay off the older people to scam them out of pensions. After the bailout scam, there may not be any higher paying jobs anyway.

      Be practical. Don't bother going to college unless:

      • you are already set up with a specific company when you graduate, and you are sure you want this career path. Preferably you will already have a deal to be a paid intern while you are taking classes. The company may even pay your way if you do it right.
      • You are using your education to learn how to run your own business and you already have an idea what kind of business you will run and have a good idea how you will be funded.

      Otherwise you are just going to end up with huge loans to pay off while you end up flipping burgers for the rest of your life. Have fun barely surviving, while if you didn't go on to higher education, you'd at least be able to take care of yourself and maybe save some money.

      Have a real plan people. Figure out what you want to do before you go on to "higher" education. Be sure going to school will fit your goal and you will get a higher paying job, which is the real reason to go to school, not some abstract notion of being "educated" and "well rounded" or following in someone's footsteps. If you want to educate yourself, read books, try things out yourself. It is much cheaper.

    19. Re:Solution For College's Bad Network Policy? by silvakow · · Score: 2, Informative

      You probably think that's funny, but I applied to and got accepted to Central Michigan University in 2001 and decided not to attend because of a bad conversation with a sysadmin where he told me students should not have the ability to host any type of content. I went to (relatively) neighboring Grand Valley State University (gvsu.edu) instead, and I'm glad I did.

      --
      In the long run, we're all dead.
    20. Re:Solution For College's Bad Network Policy? by bootup · · Score: 2, Interesting

      this is why you should venture out into the real world sometimes and do what is demanded to the extent you can't avoid it-and all the while not avoiding it bitch and moan until they fix it. i bitched for 3 years about my computer science program's requirement that students take a course in visual basic. that was only a core requirement for one of the two 'tracks' or sets of core courses depending on which track you were in. choice was software development or information technology. both cs degrees. anyway. point is after pointing out how hypocritical it was to require a course in visual basic when professors were saying that the difference between a university and a tech school was that a tech school taught tools and a university teaches concepts. clearly vb is a tool not a concept. before i left they dropped vb as a core requirement of the IT track. i didn't win every battle but 1/10 still makes the world a better place.

    21. Re:Solution For College's Bad Network Policy? by Alien54 · · Score: 2, Informative

      The Client Security Agent appears to be another bit of Microsoft Madness

      Which appears to require MS Windows.

      Given the classically high rate of computer infection among teens, this could make sense for the school administration. Of course, it might be easier if they just required everyone to just get a Mac.

      --
      "It is a greater offense to steal men's labor, than their clothes"
    22. Re:Solution For College's Bad Network Policy? by cynyr · · Score: 2, Interesting

      Does Cisco Clean Access work on BSD/Linux/Mac OS X/an ARM device/my smart phone with wifi/etc.? If not, what is the policy about those devices? This has always been my problem with things like Cisco Clean Access. If I have a perfectly good AV system that Clean Access doesn't know about, then I get reported as not having up to date AV software and I have to jump through hoops to get it added, or told to take it off, and install the copy that the school used my money to buy for me. GL with all the ARM netbooks that are supposed to be coming out in the ~$200 range. I bet Clean Access doesn't run on ARM Ubuntu. I remember when my uni (Northern Michigan University) had all sorts of problems when the iPhone came out, took down parts of our wireless network. Also I remember the policy that the helpdesk would help get any device connected to the network. This was made fun by the Wii: it needs to get to nintendo.com as part of the setup, and registering a game machine required that it be connected to the network. IDK how many times I swapped MAC addrs to the Wii's and then had people register the Wii as a computer.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    23. Re:Solution For College's Bad Network Policy? by ottothecow · · Score: 2, Informative

      The University of Chicago's CS program is pretty heavy on open source.

      I didn't major in CS but all of the classes I took, except for the first intro sequence class (which was Dr. Scheme on OSX because the lab was larger) were run from the standpoint of Linux (the lab machines ran Debian but a lot of people went for their own installs or made OSX work for some stuff).

      The classes I took started in Scheme (Common Lisp would have worked but DrScheme was a good teaching environment). They then pushed into C with some bash stuff thrown in occasionally. The systems class was (obviously) done in C. Other sequences threw in Python at some point and my understanding was that the later classes were open to language choice for the most part (your group has to agree on something, and the professor may provide code samples in Java but as long as you could do the projects, you should be fine).

      As to art... I just finished an art class where most of my final project was conducted through an ssh terminal on one of those aforementioned Linux machines (I had need for both the dual Xeons and the gigabit academic connection vs my eeepc and cable modem). Project ended up involving a bunch of coding in Python on the data end and Processing (a Java extension for artists) on the display/rendering side.

      I haven't once seen .Net in use and I am still not entirely sure how one properly writes a program for windows since c:\gcc gets an unrecognized command

      --
      Bottles.
  2. Linux by Timmmm · · Score: 5, Interesting

    Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

    1. Re:Linux by nurb432 · · Score: 3, Insightful

      Or they will deny you access.

      --
      ---- Booth was a patriot ----
    2. Re:Linux by prestomation · · Score: 4, Informative

      My university (Ohio State) tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.

      Turns out, a couple weeks in and they completely dropped the policy.

      On a related note: Somehow, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your MAC address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.

    3. Re:Linux by wstrucke · · Score: 5, Informative

      My university (Ohio State) tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.

      As an IT employee at Ohio State, I can assure you that there is more of this in the pipeline since it's mandated by the Board of Trustees.

      I can't see comparing what is going on at OSU with what the OP reports at CMU -- Ohio State's efforts to lock down the network and restricted data are quite comprehensive and IT staff, like you, are concerned that it's done properly. Mac/Linux support is on the way -- most vendors do not support it so it's quite difficult for the University to support it. The scanners they run on your computer are not there to look at your personal files, track down copyright infringement, or anything else you might be worried about -- they simply look for OS/software patches and run an anti-virus/malware scan. If you don't run the scan with the agent, you will not have any network access. If you take some of the suggestions here and bypass the security agent, you are violating the AUP and, if caught, could face academic misconduct charges.

      I can assure you that the University's IT office is underfunded enough that even if they wanted to go out of their way to scan your computer for anything else (they do not), they would not be able to.

      On a related note: Somehow, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your MAC address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.

      This isn't magic -- they run typical network vulnerability scanners and block you if a virus or bot responds from your IP. DHCP and switch info tells them your MAC address.
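
The correlation step described in the comment above (a scanner hit on an IP, then DHCP records to find the device), as an added example that is not part of the original thread or any university's tooling. The lease-record layout, field names, signatures and all sample values are constructed for illustration.

```python
"""Attribute network-scanner findings to devices using DHCP lease history.

Added illustration. The lease line format ("start end ip mac") and every
address, timestamp and signature name below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FMT = "%Y-%m-%dT%H:%M:%S"


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime  # expiry or release time of the lease


@dataclass(frozen=True)
class Finding:
    ip: str
    seen_at: datetime
    signature: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so log sources compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text: str) -> list[Lease]:
    """Parse constructed lease lines, skipping blanks and '#' comments."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, ip, mac = line.split()
        leases.append(Lease(ip, normalize_mac(mac),
                            datetime.strptime(start, FMT),
                            datetime.strptime(end, FMT)))
    return leases


def attribute(finding: Finding, leases: list[Lease],
              skew: timedelta = timedelta(seconds=30)) -> Optional[str]:
    """Return the MAC that held finding.ip when the scanner saw the response.

    DHCP pools reuse addresses, so the timestamp matters as much as the IP.
    If no lease matches (static or unknown address) or two devices fall
    inside the clock-skew window around a handover, return None instead of
    guessing, so the wrong device is never blocked.
    """
    holders = {
        l.mac for l in leases
        if l.ip == finding.ip
        and l.start - skew <= finding.seen_at <= l.end + skew
    }
    return holders.pop() if len(holders) == 1 else None


def build_blocklist(findings: list[Finding], leases: list[Lease]):
    """Split findings into {mac: [signatures]} and a manual-review list."""
    blocked: dict[str, list[str]] = {}
    unresolved: list[Finding] = []
    for f in findings:
        mac = attribute(f, leases)
        if mac is None:
            unresolved.append(f)
        else:
            blocked.setdefault(mac, []).append(f.signature)
    return blocked, unresolved


# Constructed sample data: 10.20.0.15 changes hands at noon.
SAMPLE_LEASES = """
# start              end                 ip         mac
2009-05-11T08:00:00 2009-05-11T12:00:00 10.20.0.15 02-00-00-AA-00-01
2009-05-11T12:00:10 2009-05-11T16:00:00 10.20.0.15 02:00:00:bb:00:02
2009-05-11T08:30:00 2009-05-11T20:30:00 10.20.0.16 02:00:00:cc:00:03
"""

SAMPLE_FINDINGS = [
    Finding("10.20.0.15", datetime(2009, 5, 11, 9, 30, 0), "sample-bot-a"),
    Finding("10.20.0.15", datetime(2009, 5, 11, 12, 0, 5), "sample-bot-a"),  # handover
    Finding("10.20.0.15", datetime(2009, 5, 11, 13, 0, 0), "sample-worm-b"),
    Finding("10.20.0.99", datetime(2009, 5, 11, 14, 0, 0), "sample-bot-a"),  # no lease
    Finding("10.20.0.16", datetime(2009, 5, 11, 9, 0, 0), "sample-worm-b"),
]

if __name__ == "__main__":
    blocked, unresolved = build_blocklist(SAMPLE_FINDINGS,
                                          parse_leases(SAMPLE_LEASES))
    for mac, sigs in sorted(blocked.items()):
        print("block ", mac, sigs)
    for f in unresolved:
        print("review", f.ip, f.seen_at.strftime(FMT), f.signature)
```
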

    4. Re:Linux by BaldingByMicrosoft · · Score: 2, Interesting

      Newsflash: It's -their- network. Now, chew on this:

      Say it was -your- responsibility to keep a network running which was used by a bunch of college students who don't know the first thing about maintaining and protecting their PCs. What, in your expert opinion, would be a "well guided" and "well managed" solution?

    5. Re:Linux by Wolvenhaven · · Score: 2, Informative

      My school has that, but for windows machines only. If your machine is detected as being mac or linux they let you on the network without it, I have a dualboot machine which I booted into ubuntu on first, got registered on the network, and they kept the IP of that machine as linux even when I booted into windows. Try that unless they have mac and linux based programs too. Also, follow the guy's advice about using an encrypted pipe, I do it with ssh through a server at my house for sensitive information, and for AIM, IRC, and various other things I use SSL when available. If all else fails I'd go the route of spoofing it like the posts above me say.

      --
      Orwell was an optimist.
    6. Re:Linux by Fred Ferrigno · · Score: 3, Interesting

      When they keep out the commercial ISPs so they're the only network available and when their classes require network access, I'm a little less concerned about their rights to their network. If they're going to force you to eat their dog food, they at least have to make it palatable.

      I don't know why universities bother providing network access if it's sooo hard to maintain. Comcast, AT&T, etc. handle the off-campus students just fine without any of that crap. It's not like their job is any easier or their customers are any smarter.

      If I were running the network at a university, I'd leave the dorms to the commercial providers and let them compete for business. In the labs have the students use university PCs which are locked down as needed. For wireless, you offer a "clean" network that requires CCA or whatever and a guest network that is on the other side of the firewall and throttled.

    7. Re:Linux by ejtttje · · Score: 2, Insightful

      What happened to personal responsibility? As in, people are responsible for their own machines. If they get infected, then kick them off the network. You admit you already have tools for scanning vulnerabilities remotely, use those. That's a reasonable policy.

      Requiring the use of a specific piece of spyware smacks of corruption to me. I'm sure someone's getting paid for that. What if a student wants to run a different scanner? They have to run two scanners? What if they want to change the configuration, or run a different OS?

      Their machines are their machines. Your jurisdiction ends with the network. Punish those who misuse the network, don't pre-emptively force yourself on their machines.

    8. Re:Linux by Culture20 · · Score: 2, Insightful

      While I appreciate your candor, name calling is certainly not necessary to get your point across. As I explicitly mentioned in my response, "it's mandated by the Board of Trustees." The Ohio State Board of Trustees took it upon themselves to mandate a NAC solution to the "security problem". I apologize if I somehow alluded to it being my idea. We were told that we could either implement it or lose our jobs. You may have quit; I chose to do my job since honestly, it's really not that big of a deal. Everyone can do their work and everyone can use whatever OS they want, as the OP indicated.

      You seem to be indicating that this plan is for University owned Staff/Faculty/lab machines only. If this is the case, it's no different than standard business policy, and it's just good sense (why would it need to be mandated from on high?).

      GP thinks the plan you're implementing at your superior's request is for student-owned computers that they're using on campus. If that's true, then you'd be a wimp for not quitting when the Trustees planned a "let's roger the students" policy. You furthermore would be a fool for thinking "it's really not that big of a deal." Of course, I'm guessing the first paragraph is more correct; otherwise, the Trustees would probably have you running the scans on all Staff and Faculty home machines since they connect in to campus occasionally.

  3. Use a VM by Anonymous Coward · · Score: 5, Interesting

    If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

    1. Re:Use a VM by Nimey · · Score: 3, Informative

      That may not work if the network authenticates against your MAC address.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:Use a VM by Idiot with a gun · · Score: 2, Informative

      As a tech support at another University that requires said "Client Security Agent," I can tell you this will not work. I have tried.

    3. Re:Use a VM by lukas84 · · Score: 2, Informative

      That'd be stupid, it can be easily faked.

      I've secured school networks with 802.1x and EAP-TLS. Works fine - and VLAN assignment works automatically, depending on the computer plugged in.

    4. Re:Use a VM by ZorbaTHut · · Score: 3, Informative

      And then you set up the internal VM as a proxy, and you proxy your main computer's internet through the VM. Bam, problem solved.

      Seriously, think these things through.

      --
      Breaking Into the Industry - A development log about starting a game studio.
  4. No. by ChinggisK · · Score: 3, Informative

    Do all colleges have such extreme measures in place?

    No, mine doesn't. Technically we just have to have antivirus software installed, and keep up with MS's security patches, and they really don't ever even check for those.

    1. Re:No. by Macman408 · · Score: 4, Interesting

      One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:

      P2P traffic was capped at 50% of total bandwidth.

      There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)

      If you picked up a virus, you were isolated from the network. The only thing you could get to was windowsupdate.com, until you removed the virus and called the helpdesk to promise you had an antivirus installed.

    2. Re:No. by finalfrog · · Score: 5, Interesting

      My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

    3. Re:No. by Tacvek · · Score: 2, Insightful

      Mine does not even require antivirus software, although they deliberately design the system to trick students into installing it, and some other crap. However, if your machine is rooted, and begins disrupting the network, they reserve the right to ban your computer from the network.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    4. Re:No. by Anonymous Coward · · Score: 2, Interesting

      My sister goes to Central Michigan, and she got capped after using "too much" bandwidth talking to her boyfriend on Skype, so don't expect to use too much of the bandwidth even if you get around the program.

    5. Re:No. by moosesocks · · Score: 2, Interesting

      Every honor code I've ever heard of has been used as a tool for a college to rid itself of students that it deems undesirable. In my experience, enforcement of these codes varies enormously. Recently, the University of Virginia came under fire for using its honor code to expel students for seemingly trivial offenses.

      Honor codes are great in theory, although the ones I've seen put far too much power in the hands of far too few.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
  5. Question by Vinegar+Joe · · Score: 2, Insightful

    Are you required to run Windows? If not, don't.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
  6. That's insane. by KingSkippus · · Score: 5, Informative

    Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.

    Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!

    Looks to me like a clear-cut case of some overzealous IT goob forgetting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.

    As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.

    If you do call them up and ask about Macs and Linux machines, let us know what they say.

    1. Re:That's insane. by Idiot+with+a+gun · · Score: 5, Informative

      I'm a tech support (ResNet, CMU has it too) at a different university that has a similar "Client Security Agent." I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire). If anyone fails these, they are instructed to uninstall limewire, update anti-virus, whatever, and rescan. We don't prosecute based off of any data, but it's more of a prevention system to avoid any DMCA notices.

      That being said, this is for windows only. Mac and Linux are only single time scans (for what, I do not know), and after that your MAC is white listed with your ID. The beauty is that once registered, it's MAC specific, not OS. I should note that our provider is promising a Client Security Agent for Mac soon, but I doubt a Linux one is coming.

    2. Re:That's insane. by Idiot+with+a+gun · · Score: 4, Informative

      Poor decision. Once you register as windows, it'll check every 2 weeks for a CSA scan. If you install windows, register, then switch OS's, in two weeks it'll go "Hey! You're a windows box, where is your CSA?" and drop you off the network.

    3. Re:That's insane. by binarythoughts · · Score: 2, Informative
    4. Re:That's insane. by izomiac · · Score: 5, Interesting

      Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. At exact one-week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.

      That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

      Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.
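
Added example, not part of the thread and not Cisco's or any university's code: a portal-side version of the check izomiac describes, where the browser's User-Agent is only a claim and a network-level observation decides whether the agent is required. The initial-TTL heuristic, the function names, the MAC registry and the sample logins are assumptions constructed for illustration.

```python
"""Portal-side consistency check: claimed OS (User-Agent) vs. observed OS (TTL).

Constructed example. The TTL heuristic is coarse: it relies on the common
default initial TTLs (64 for Linux/macOS, 128 for Windows, 255 for many
network devices) and says nothing about patch level.
"""
import re
from dataclasses import dataclass, field

INITIAL_TTLS = {64: "unix-like", 128: "windows", 255: "network-device"}
MAX_HOPS = 32  # assumption: clients sit far fewer hops than this from the portal

UA_RULES = [
    (re.compile(r"Windows", re.I), "windows"),
    (re.compile(r"Linux|Macintosh|Mac OS X", re.I), "unix-like"),
]

# Constructed sample User-Agent strings in the style of browsers of that era.
LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1"
WINDOWS_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"


@dataclass
class PortalLogin:
    mac: str
    user_agent: str
    observed_ttl: int  # IP TTL of the client's packets as seen at the portal


@dataclass
class Verdict:
    claimed_os: str
    observed_os: str
    decision: str
    findings: list = field(default_factory=list)


def os_from_user_agent(user_agent):
    """OS family the browser claims; trivially changed by the user."""
    for pattern, family in UA_RULES:
        if pattern.search(user_agent):
            return family
    return "unknown"


def os_from_ttl(observed_ttl):
    """Guess the OS family from the nearest default initial TTL above the observed one."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            if initial - observed_ttl <= MAX_HOPS:
                return INITIAL_TTLS[initial]
            return "unknown"
    return "unknown"


def evaluate(login, registry):
    """Decide on the observed OS, and record disagreements for the helpdesk."""
    claimed = os_from_user_agent(login.user_agent)
    observed = os_from_ttl(login.observed_ttl)
    registered = registry.get(login.mac.lower())
    findings = []
    if "unknown" not in (claimed, observed) and claimed != observed:
        findings.append("ua-ttl-mismatch")
    # Dual-boot machines trigger this legitimately, so it is a finding, not a block.
    if registered and observed != "unknown" and registered != observed:
        findings.append("registered-os-changed")
    if observed == "windows":
        decision = "require-agent"
    elif observed == "unix-like":
        decision = "web-login-lease"
    else:
        decision = "manual-review"  # e.g. consoles whitelisted on request
    return Verdict(claimed, observed, decision, findings)


def run_samples():
    """Evaluate three constructed logins against a constructed MAC registry."""
    registry = {"02:00:00:00:00:03": "unix-like"}
    logins = [
        PortalLogin("02:00:00:00:00:01", LINUX_UA, 63),     # consistent Linux client
        PortalLogin("02:00:00:00:00:02", LINUX_UA, 127),    # Linux UA, Windows-like TTL
        PortalLogin("02:00:00:00:00:03", WINDOWS_UA, 128),  # registered as Linux, now Windows
    ]
    return [evaluate(login, registry) for login in logins]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

A single TTL value is weak evidence on its own; a deployment would combine it with other passive signals before acting on a mismatch.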

  7. Mod Parent Up Please! :) by gavron · · Score: 5, Informative

    Run Linux. That's the answer. The silly Windows agent won't run on it, and your files can even be protected through filesystem encryption, and safe from magically being shared with spyware writers, botnet managers, and spam sources.

    E

    1. Re:Mod Parent Up Please! :) by binarylarry · · Score: 5, Informative

      Yep and you could run windows in a virtual machine with NAT setup and the client installed. That way, they'd get to scan "your machine" but wouldn't be able to access anything on the Linux side.

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Mod Parent Up Please! :) by artor3 · · Score: 2, Informative

      Of course, other silly Windows programs, like SolidWorks, PSpice, Photoshop won't run either. Might make certain classes difficult depending on your major, though I'm sure it can be worked around. In the worst case, you could keep a Windows partition specifically for essential programs.

    3. Re:Mod Parent Up Please! :) by RichardJenkins · · Score: 2, Informative

      You could run the agent in a wine environment without access to your real file system.

    4. Re:Mod Parent Up Please! :) by Anpheus · · Score: 5, Insightful

      Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

      And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

      Dealing with idiotic, forced software is a pain no matter what your OS is.

    5. Re:Mod Parent Up Please! :) by Jurily · · Score: 5, Insightful

      x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

      -- Theo de Raadt

    6. Re:Mod Parent Up Please! :) by solafide · · Score: 4, Informative

      Last time I experienced this sort of stupidity, the program was a proxy/filter, and the solution to Linux was 'Windows/Macs only on campus.' Best of luck.

    7. Re:Mod Parent Up Please! :) by mysidia · · Score: 2, Informative

      Perhaps the security agent could be run in a WinJail install.

      Or virtualization solution like iCore Virtual Accounts.

      Or inside a VMware Virtual Machine configured for NAT or on another desktop machine configured for bridging (if you have two).

      Depending on if the identification of the security agent is by port or by MAC address...

      You could conceivably load up the VM once to run the security agent when you turned up the port, then shutdown the VM and temporarily change your MAC address to the VM's former MAC address if necessary.

    8. Re:Mod Parent Up Please! :) by Dun+Malg · · Score: 4, Insightful

      We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted. If you are a target singled out, yes, Theo's point is valid: a determined attacker will find a way through because the second and third layers are not any better built than the first. That's not the security situation most of us face, though. For the most part we only need to make our information a degree more difficult to get at than everyone else's. A virtual machine will do that. So will running Linux. As would running OSX, though to a lesser degree. Now, if everyone were running virtual machines, he'd have a valid point because the low hanging fruit would be the virtual machine. But since VMs are a novelty to most, they're unlikely to be targeted, which makes Theo's rant just more of his usual hot gas.

      --
      If a job's not worth doing, it's not worth doing right.
    9. Re:Mod Parent Up Please! :) by Cassini2 · · Score: 2, Informative

      At my university, they explicitly exempt Macs and Linux from having to use Cisco Clean Access. They port scan the Linux / Mac box, and use network level checks to make sure your computer is secure (or at least appears secure.)

      The big problems are with Windows. With a campus as big as ours, all Windows boxes must run an up to date virus scanner. This policy must be enforced. To do otherwise is just stupid. Every computer, even Linux machines, is continuously being probed looking for vulnerable ports. People have targeted our university with custom spam, and custom port scanning attacks. Machines from senior staff have gotten virus infected, even when running current anti-virus software, and have been used to distribute spam. Users are also stupid. One inadvertently used a restricted access mailing list to spam the entire university, ironically with a complaint saying "Stop Spamming Me!"

      With 20,000+ PCs on the network, bad things happen.

  8. I've faced this same issue by reeeh2000 · · Score: 3, Interesting

    What I found to be the best solution is to run Linux. My campus required Cisco clean access agent and service pack 2 to use windows on the network. I wasn't required to as Linux is allowed to connect without these. As for other concerns I would suggest setting up an encrypted proxy server at home then connecting through it. This will also allow for torrenting and PvP file sharing as this is often blocked on campus.

  9. thumb drive linux by elwinc · · Score: 3, Interesting

    Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.

    --
    --- Often in error; never in doubt!
  10. I had the same problem by Xocet_00 · · Score: 4, Informative

    We were required to have a "Cisco Clean Access Agent" installed on our machines. There were two options available for me, and I ended up going with the second.

    1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.

    2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?

    1. Re:I had the same problem by Urza9814 · · Score: 2, Informative

      Yea, in response to number 2:

      My university (Penn State) has free telephone to every room, and the copper goes straight to the phone company. They actually tell you at the orientation stuff that you can go ahead and get DSL to your dorm if you don't like their network setup. Some people do, though not many. Though their network policy isn't bad...just a 4GB weekly bandwidth limit.

  11. My Solution by Adam+Zweimiller · · Score: 5, Interesting

    When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Macs and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to log in 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is set up the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

    --
    mmm...muffins
    1. Re:My Solution by lorenlal · · Score: 4, Informative

      McAfee? Wow.

      I happen to do a little work for a local in a town that some of us are familiar with. She happens to be involved with the local university who also uses McAfee as their supported antivirus solution. I got called in a panic by this person because her system was crazy infected. It turned out that the infection disabled the McAfee framework service (which can't be started in safe mode) and totally owned her laptop.

      The reason? The updates stopped working. I opted to put AVG free on there and asked her to try it out, and if she wanted to we could look into purchasing the more complete suite if she wanted.

      Point of the story? I'm rather upset that CMU, or other schools would *force* a particular AV solution. I'm more upset that they force down one that has, IMHO, a critical flaw in design. Namely, you can't update, install, or uninstall the scanner in safe mode (yes, safe mode with networking). It just sets up too easily for a massive infection. Fortunately, the policy of the University I mentioned earlier did not have restrictions on AV, so this was still acceptable.

      I don't know what deal McAfee has with pretty much everyone that provides AV to "non-commercial" users... but I find it terrible, resource intensive, and just too easy to knock out.

    2. Re:My Solution by Z34107 · · Score: 2, Insightful

      I second everything that you say about McAfee.

      I work help desk at a McAfee campus and am also responsible for doing repairs on student and faculty computers.

      You have to register your computer using a special utility that records your MAC address and whether or not you have McAfee installed. In the meantime, you'll get an IP address from the "unregistered" block and the firewall won't let any of your traffic leave the LAN.

      (Yes, this can be spoofed by wireshark-ing a registered person's MAC address, or even uninstalling McAfee after registering. But, that's beyond five nines of students on campus.)

      So, every computer on campus, student and faculty, has an updated version of McAfee 8.5i. Yet I spend an awful lot of time removing viruses from those computers throughout the year. Even AVG works better, for crying out loud!

      We also use Faronics DeepFreeze on machines meant for student use; we're permitted to move McAfee from those machines because in theory virus infection is impossible. Those machines work about twice as fast as their unfrozen counterparts.

      It's standard practice to not even try to boot up an infected machine because the more interesting infections do a good job of preventing most of your tools from running - it's easier to pop out the hard drive, hook it up to a USB->IDE/SATA adapter, and mount it on our help desk machine and do an offline scan.

      We used to use McAfee for doing these offline scans - but then we realized it would take a few hours to scan the drive and would miss most of the infection. (If it's "spyware" or "adware" and not a bona-fide "virus" it won't detect it at all. Most of our infections are "XP Antivirus".)

      It does NOTHING and makes the computer it's installed on unbearably slow. Plus, a site license seems to be rather costly. Our current routine is do a 30-minute-ish offline scan using MalwareBytes, pop the hard drive back in, and run ComboFix or SpyBot SD to repair the registry. Most viruses are gone in about an hour - no thanks to McAfee.

      Sorry for the rant! At least we aren't stuck with Symantec/Norton.

      --
      DATABASE WOW WOW
  12. entrepreneur by TheSHAD0W · · Score: 4, Interesting

    "There are no wireless broadband providers available in the area, I already checked."

    Start one. Given what you've told us, there should be plenty of demand.

  13. Whoa what? by IICV · · Score: 5, Insightful

    From the first link:

    The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

    "If you use our network, we own what's on your hard drives. Thanks!"

  14. You're not as interesting as you think you are by Anonymous Coward · · Score: 5, Interesting

    I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

    So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

    You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

    1. Re:You're not as interesting as you think you are by hedwards · · Score: 3, Insightful

      That's a good point. I recall my senior year in college the IT department installed traffic shaping hardware on the network. Basically killing the performance of P2P apps in order to make the network useful for more general use applications.

      At that time, most of the file sharing was being done directly via file shares and often times there'd be virus infected files. From what you're saying, it's probably not that much different than when antivirus software would delete files on r/w enabled shares.

      But to be honest, the terms kind of scare me, just because you're a professional doesn't mean the nitwits running that network are, and it's a blatant violation of copyright law to declare ownership over files in that manner.

    2. Re:You're not as interesting as you think you are by Anonymous Coward · · Score: 4, Insightful

      Yep. Just because you personally don't care what he has on his computer, he shouldn't worry that there might be a bad egg in the IT department who will drain his bank accounts and post child pornography on his facebook page.

      Yes sir mister IT guy, we'll let you have all of our data and trust you not to do anything bad with it, whatever you say.

  15. Re:Sandbox it with Sandboxie by BountyX · · Score: 2, Informative

    Forgot to mention, sandboxie can also be set up so that anytime their program is started, it will run inside of your specified sandbox automatically. Very useful for running keygens too, btw ;)

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...
  16. Re:Tether. by fuzzyfuzzyfungus · · Score: 2, Insightful

    That has got to be the first time I've ever heard cellphone internet described as "freedom".

  17. My experiences in Truman, MO by wasabioss · · Score: 2, Informative

    We have it here too.

    The "Clean Security Agent," if I'm not wrong, is the Cisco Clean Access Agent that comes with the Cisco NAC Appliance, which runs on Windows only, and is a pain esp. for those who are running Vista. This beast has to run under Administrator privileges and pops up a login window every time you connect back to the network, and doesn't even want to accept certain types of Anti-virus software (such as Avira.)

    Workaround: It doesn't run on Mac and Linux. If you use Windows, you can convince the NAC you're using Linux and it will believe it until the appliance gets restarted. If you have Linux - great, the NAC just let you pass through. If you have Windows, Kevin, a program with a great icon, used to work but recently it didn't, but there is always an easy way to get over it: boot into Linux and fire up firefox and click on a link, and then boot back to Windows.

    And just FYI: Due to an insane number of complaints received from the students, the IT Staff over here is getting rid of the Cisco CCA this summer :-)

    1. Re:My experiences in Truman, MO by paxswill · · Score: 2, Informative

      The Cisco Clean Access Agent does run under OS X. It launches at login using launchd, and spikes CPU usage every 2 seconds for 2 seconds (2 on, 2 off) by doing a bunch of system calls. It drops about 30 minutes off of my battery, so I usually leave it off (it usually runs on the background in the menubar, but you can quit it). My school uses CCAAgent for access to the wired network, and I've heard it gives you a lease on your MAC address for 24 hours. Wireless is handled through a capture page that logs your MAC and allows you to not have to log in again while you maintain a connection to the AP. Our Wifi is unencrypted though so I route my traffic through an SSH tunnel I have back home for sensitive traffic.

  18. Rally the professional protest set by linzeal · · Score: 2, Insightful

    Uh, this is sorta pathetic that we computer science literate folk cannot muster up the courage to tell him to confront the policy with a student protest. However, that is what I would expect from Slashdot where everything is resolved by lawsuit or clever hack. Well sometimes we need to go piss in someone's cheerios. That is what we should be telling him to do, go down to the lib arts colleges and rally up the professional protest set, get some cogent arguments laid out and make sure you notify all media within a few hundred miles because for whoever is having a slow news day you might make the cut.

    1. Re:Rally the professional protest set by soren202 · · Score: 2, Insightful

      I'm sure if you tell the right people that the IT department can see pretty much anything you have on your computer, you'll be able to get some support.

      Seriously, it's College; everyone has some skeletons in their closet.... or rather, naked pictures on their hard drives.

  19. Computer science major by tepples · · Score: 4, Interesting

    Odds are they'll simply tell him that linux is not supported under their network.

    Disallowing operating systems other than Windows might make certain parts of CMU's computer science program more difficult for students.

    1. Re:Computer science major by Nigel+Stepp · · Score: 3, Informative

      This has come up before... When I was at CMU (cmu.edu), Central Michigan University sued for the rights to the acronym and won. That's why you will only find t-shirts, hats, etc. with "Carnegie Mellon" written on them now. We got to keep the domain name as part of the deal.

      So, it doesn't surprise me that they have CMU all over their site and whatnot, but whenever I say "CMU" people always know which school I mean :)

      --
      4096R/EF7BAFA6 79E1 DF98 D09D 898F 9A11 F6F0 DDDC 23FA EF7B AFA6
    2. Re:Computer science major by mysidia · · Score: 2, Informative

      Not that disingenuous.

      They were created before Carnegie Mellon, also, Carnegie Mellon University did not get that name until 1965. Central Michigan University got its name in 1959.

      And central Mich called themselves CMU pretty much from the beginning. So Carnegie Mellon has no more right to the name than they have.

      Also, Carnegie Mellon, in their identity guidelines specifically say not to use "CMU". Instead they use CarnegieMellon as in WikiText or C++ CamelCase.

      In other words, Central Michigan University calls them that, Carnegie Mellon does not say they are CMU. The only thing they need to fix is their domain name...

      However, it's a 3 letter domain name, and pretty darn cool to have one. No one wants to have to type http://carnegiemellon.edu/

  20. Can't tether there. by tepples · · Score: 2, Informative

    Get a cellphone plan. Ensure that your phone supports "Tethering".

    From the summary: "There are no wireless broadband providers available in the area, I already checked." Therefore, we can assume that none of the available phones support tethering.

    1. Re:Can't tether there. by Hognoxious · · Score: 5, Funny

      Where is this University?

      You mean Central Michigan University? It's in Southern Beijing, as the fucking name implies.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  21. Both CYA & BS by indytx · · Score: 2, Informative

    I am assuming that you will be living in the dorm, otherwise the CMU website gives a list of ISPs. http://www.oit.cmich.edu/it/it_isps.asp The list includes mobile broadband cards from Sprint, etc., so I'm not sure what you mean by no wireless broadband providers, though this would be a huge downgrade from the internet speed you can probably get on campus.

    The Acceptable Use Policy looks to be general CYA boilerplate B.S. which lets you know that you have some expectations of privacy, but don't hold your breath if there's a subpoena or other legal action trying to get the data. As to the CSA, this appears to be an overreaction to the perceived security risks of Windows systems. On the other hand, bandwidth is expensive, and the IT department may have decided that this is a good way to prevent the spread of viruses and bots on the campus network. All of this is probably academic as it doesn't look like it's Windows only. http://www.oit.cmich.edu/faq/faq_network_dialup.asp#get Mac or Linux should probably work.

    --
    Make love, not reality television.
  22. There's a get out by Kupfernigk · · Score: 3, Insightful

    Did you notice the "intellectual property owned by others"?
    • 1. Register your one-person software company
    • 2. Assign all your non-CMU material to your company
    • 3. Encrypt everything
    • You are now protected by (a) their policy and (b) the DMCA.
    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
    1. Re:There's a get out by John+Hasler · · Score: 3, Informative

      All your steps are quite unnecessary. He is an "other" and he owns his intellectual property through operation of copyright law. In any case, I don't see that they are making any claims to anything on his machine: just to what's on theirs (not that such a blanket assignment would work under US law anyway).

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  23. Re:Sandbox it with Sandboxie by Idiot+with+a+gun · · Score: 2, Informative

    Sandboxie is usually designed to protect your computer against malicious writes. Besides, at my university, if you sandbox the CSA to prevent certain reads or internet access, we'll just drop you off the network. If the CSA can't scan properly, or if the server doesn't hear back from it, it assumes you don't have it installed, and puts you into a small private VLAN, where every webpage except for university stuff, and anti-virus stuff is redirected to the "re-mediation" page.

  24. join the computer club by snsh · · Score: 5, Insightful

    You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

    This is the point of being at college, after all.

  25. Re:Your question is bad, and you should feel bad. by characterZer0 · · Score: 2, Interesting

    How do you know what the app does? Do they provide source code? Can you compile it yourself and run it? If not, you do not know.

    His concern that this application may read local files, sniff network traffic, or log keystrokes is completely valid.

    What is wrong with Internet Connection Sharing? Maybe he has two computers and wants one to act as a firewall for the other. Or maybe he is developing clustered applications and wants to use his own high-speed switch behind one computer acting as a router.

    I would go to a different college.

    --
    Go green: turn off your refrigerator.
  26. Waaah. by Idiot+with+a+gun · · Score: 5, Informative

    Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block limewire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, it's the method of prevention available.

    Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden .exe's, or simple .bat scripts would bypass the network policies.

  27. common, not good by Goldsmith · · Score: 4, Interesting

    This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.

    I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.

    My suggestions are:
    -live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
    -when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)

  28. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  29. Re:That's STILL insane. by Anonymous Coward · · Score: 4, Interesting

    That's the polite reason they give for shitlisting Limewire.

    The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.

    This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire, and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I see a track history of this by looking at their cases.
    Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.

    On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?

  30. Re:That's STILL insane. by Malenx · · Score: 5, Insightful

    You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.

    In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.

  31. It's so simple by buss_error · · Score: 2, Informative

    Let me see if I have this right...

    You want us to tell you how to hack around the network/security/TOS of your university?
    How about this observation from someone that also runs a network for students:

    Comply with the policy when you use their infrastructure.

    Now, how to go about that without invading your privacy? Easy - dual boot with encrypted file systems on the second partition. Keep pablum on the system you use to access their infrastructure. Keep your other stuff on a system you don't bring up using their infrastructure. Simple. If you don't want your browsing habits known (which I don't believe for a second they give a fart about), then go to a cyber cafe or something when you want to do things you don't want known.

    Their network = their rules.

    And for those that want to pick holes in their policies/make fun of how incompetent they are:

    1. Not every time do I tell my management team better ways to do what they want to do. Sometimes I think management is full of it. Now, if they ASK me, I have to tell them. But I don't have to open my big fat yap - and I don't, when I think they are being silly.

    2. Not every "bone headed move" is all that bone headed. You need to be in the room to see why some direction was chosen. Sometimes it's stupidity, sometimes it's a compromise between time, money, resources, and what you really need to do. The old web blocking software wasn't very good at blocking http proxies. We simply didn't have the money or time to cobble up something better. All the people that knew this thought we were incompetent because it was so easy to get around the blocking software. The new software is very good at blocking that and a lot of other tricks. Our network = our rules. You're free to visit sites we don't like - on your own time, on your own network infrastructure, using your own computer. (Not that I agree with the policy, but it IS their network funded with tax dollars and subject to state law which requires web blocking software. Grow up and deal with it, change state law, or use your own stuff to do what they don't like.)

    3. Get used to someone looking over your shoulder vis-à-vis computing. Employers are increasingly doing it, public institutions are required to do it, and others do it simply because they can. Failing to learn how to keep your stuff private is an invitation to these jerks to invade your privacy - so learn to make it difficult for them to do so. The first step in this process is to know that when you use someone else's network, computers, or infrastructure, they have a say in how that gets used. When you're on your own network, own computer, and own internet connection, THEN you can expect some privacy... if you're smart and use care.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  32. Re:That's STILL insane. by Anonymous Coward · · Score: 5, Insightful

    But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.

  33. Re:yeah, but by betterunixthanunix · · Score: 2, Insightful

    Actually, it is an excellent analogy. In New York City, if you have a large bag and you want to ride the subways, the police department will demand to search the bag (they cannot do this for everyone, so usually they start with people who "look like" terrorists). You are within your rights to refuse the search, but then, you cannot ride the subway.

    Why should anyone have to consent to allow their computer to be searched by strangers? Just ban any node that is misbehaving, and there is nothing more that needs to be done. We do not need IT staff holding our hands, and more importantly, we specifically want IT to not hold our hands.

    --
    Palm trees and 8
  34. Re:That's STILL insane. by uvsc_wolverine · · Score: 5, Insightful

    I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

    So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.

    Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.

    If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.

    Ok.

    Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

    If you don't like it they can admit someone else.

    Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

    I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and set up a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).

    If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults.

    We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).

    I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

    But again, it is my machine, and it is my money that is paying for that Internet connection.

    Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.

    Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em

    --
    This space for rent...
  35. Gotta love Slashdot by Idiot+with+a+gun · · Score: 2, Interesting

    Look, I'm a ResCon at ResNet, granted at a different university though. We're nice people, and we'll try to accommodate you as best as possible. Want to register Linux? Sure, you won't need to install a CSA. Same for Macs, phones, consoles, printers, routers, etc. The CSA is mostly just to reduce the number of Windows machines getting viruses.

    But, if you walk into my office bitching about our "draconian network policies," I'm going to get annoyed with you, but I'll kindly explain why they're in place (and how I'm not the one that made them). If you grab a PS3 and declare that "You can't install your Nazi CSA program on this!" I'm going to ask you to leave, and contact my boss. If you work with the IT people, and are nice to them, it's easy to maintain your decent level of freedom and privacy (except for piracy, sorry) while at your university. If you make every attempt to side step it, abuse the network, and generally come across as a jerk, it's a fast way to get your internet usage permanently rescinded.

    1. Re:Gotta love Slashdot by Anonymous Coward · · Score: 2, Insightful

      Are you kidding?

      These sorts of policies exist so the idiot IT people who should be working as janitors can claim they are "doing something".

      Most Windows AV and AS is dead easy to get through. What is hilarious is that "extrusion attacks" are very prevalent in the type of system you maintain. Since you likely never heard the term, it means that once you trust a node inside the network and that node gets infected, your network is owned. Your draconian, brain-dead policies do not stop this.

  36. Re:That's STILL insane. by Anubis+IV · · Score: 4, Informative

    At least at my university (about 45K students), they get around the privilege vs. requirement thing by providing ample labs that anyone can use with all of the software that is necessary for your classes. As a result, access to a network connection from your dorm room IS considered a privilege and it CAN be revoked at any time since the university is still providing you with all of the resources you need in order to complete your classes. Granted, they may not be nearly as convenient, but they're what you need.

    So, I would argue that they do, in fact, have every right to require it of you. You're using their network in a way that they don't have explicit control over, when they are providing you otherwise with the necessary resources for your classes. Sounds like a privilege to me, and if you want to use it, you need to play by their rules. Not that I personally like that idea, of course, but it's what I see as being the reality of the situation.

    Also, at least at my school, the CSA came into place very shortly after one of those major worm outbreaks in 2002 or 2003. I remember hearing that around 95% of the network traffic was being generated by the worm, and that the entire university was basically suffering the effects of a DoS attack for the better part of a month since very few of the students' PCs were protected by proper AV and anti-malware software at that time. From then on, practicality alone dictated that they forced the students to install AV software and that they routinely ensure that it's still there.

  37. Re:It's no worse than being at work by jimicus · · Score: 2, Insightful

    In the real world, if you want freedom to do as you please you have to pay for it yourself.

    In a manner of speaking, the OP is.

    But it's a mite different here.

    I'd say the lesson is that "nobody cares about your problem unless you can make it theirs as well". If they set up policies which you disagree with, that's your problem.

    If you can get a significant proportion of the media to investigate this and publish it, suddenly it's their problem as well.

  38. Re:Don't use their network? by Anonymous Coward · · Score: 5, Informative

    Most schools have similar software in place, typically Cisco Clean Access: http://www.google.com/search?q=clean+access+inurl%3Aedu

    When I was in the dorms at my school, a guy maintained an InstallVise installer, which contained the proper registry keys to change Windows' MTU, and a Greasemonkey script which spoofed Firefox's user agent and platform, so Windows machines looked to be running Linux.

    After seeing someone with a similar solution get kicked out of another school, being published on slashdot, and knowledge that my school's IT dept was searching for the maintainer, he stopped.

    Clean Access now uses a java jar, for the Linux platform. If your school's client has something similar in place for Linux users, I suggest that you find a Computer Science student, and ask them to decompile the jar, using the DJ Java Decompiler, and create a Greasemonkey script that uses a similar method of generating a session key. You'd also probably need the special registry keys, which can be found in the source code for sec_cloak.c, which you should be able to find on google.

    Hope I could help.

  39. 2 computer solution... the better one by tanveer1979 · · Score: 4, Informative

    Get a dirt cheap obsolete laptop. This will connect you to the college network. Install their application on it.
    Then just enable internet connection sharing, and connect your good laptop. Simple!

    If they are into packet sniffing, just use ssh tunnel for the traffic

    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
  40. Inadequate disclosure by Animats · · Score: 4, Interesting

    The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware, run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration, so this probably won't surprise them.

    It's not even clear whose Client Security Agent they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.

    Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.

    1. Re:Inadequate disclosure by Deathlizard · · Score: 2, Insightful

      From the URL, it looks like Bradford Campus Manager.

      It's what we use for remediation at the college where I work, and that URL, particularly the Remediation part, is the same area that Bradford puts their CSA.

      I can only say how we use the system, so I can't vouch for cmich or other school networks, but we pretty much use BCM for these purposes.

      1) Check for patches on a system.
      2) Check for the university supplied Virus scanner and how up to date it is.
      3) Send messages to users. Specifically as part of our emergency alert strategy in case of severe weather or Schoolwide Crisis.
      4) Locate PC's (Or anything with a MAC address for that matter) if they are lost or stolen and are still being used on our network.
      5) Block Rogue DHCP servers, like someone mistakenly plugging in their home router on their LAN side (instead of WAN), or running Internet connection sharing, or a virus that is DHCP Spoofing.

      As far as I know, it doesn't do any kind of traffic or system spying of any sort. It's basically designed to keep non university users (or users with a problem, such as outdated AV) from getting into the network and doing damage by subnetting anything that's not registered at the switch end. The only thing a non-registered user can do is see the remediation page and login, and if they can't login they're SOL.

      As for the Net itself, although we use a QOS system to control bandwidth usage, we don't track anything other than what traffic is using how much bandwidth and throttle based on demand vs performance. IE if Bittorrent is sucking 80% of our bandwidth, we throttle Bittorrent so that other services, (WEB, Email, XBOX, ETC) can get more traffic. My guess is that most schools follow the same principle.

  41. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  42. Another solution that hasn't been suggested yet by nathana · · Score: 3, Informative

    Okay, so it's not ideal, but here's what you can do that doesn't require running a virtual machine on your primary PC, or a dual-boot-into-Windows to run the scanner/authenticator software every once in a while scenario:

    Get yourself a cheap-ass PC. Throw two ethernet NICs in it. Install a new copy of Windows XP, and any software that your campus IT staff require to be installed on there. Then run Windows XP Internet Connection Sharing (ICS) on the unused ethernet adapter. (ICS is a small DHCP server + NAT engine built into Windows.) Plug that into a switch along with your main computer or computers, and use the XP box running ICS as your router.

    Then from the university's perspective, you have a single Windows XP box hooked up which is clean and conforms to their standards for network access. Unless the software that you need to install prohibits ICS from functioning, and there is no way around the artificial restriction, they won't know about the PC or PCs you have running behind the ICS machine.

    1. Re:Another solution that hasn't been suggested yet by jonwil · · Score: 2, Informative

      Except that the link in TFA for the CSA clearly says "Remove Network Bridging" which would include Internet Connection Sharing.

  43. That sucks... by bemymonkey · · Score: 2, Informative

    It's pretty different over here in Germany. We don't have a campus, but the local technical university (RWTH Aachen) provides internet access to most of the student apartment complexes (there's quite a few of 'em) and WiFi access points all over the city (basically if you're downtown, you can get a signal at least 50% of the time). Quite a few ports are blocked (pretty much everything non-standard), but you don't have to install any software and it's hella fast (IIRC the university has its own connection right into a backbone - or something like that - I just remember making a hell of a :o face when I realized my download speeds from Rapidshare were being capped by the 100mbit ethernet connection...).

    Now, there's a _lot_ of students on that network. Everyone working or studying at the university has access. All you need to do is connect to the WiFi network (authentication via certificate and PEAP) via any old wireless client (hell, even my WM6.1 phone works)... I'd estimate that the whole network has 10k+ users - now how do they manage to do all this without using client scanning software? I'm sure there's a lot of malware-infected systems on the network, but the network seems to be secure enough to handle it. Maybe it's just a question of competent IT staff?

    I'm not exactly up-to-date on the technical side of securing a network, but as far as I can tell, it's possible without the massive intrusion upon users' privacy that's described in the summary...

  44. So what? by Zaphod-AVA · · Score: 2, Insightful

    You are all getting your knickers in a twist over nothing.

    The client (assuming it's similar to the Cisco Clean Access Client I'm familiar with) simply checks that Windows machines are patched and running up-to-date antivirus. Remember Blaster? That thing ate college networks. Since then network policies have gotten a bit stricter. If you read them, they are trying to protect you, and cover their own ass.

    The short version of the policy: Don't do anything illegal. Run this stuff so we can make sure the network stays virus free. Don't be a jerk. If you break these, we can kick you off our network.

    If you are seriously concerned about it you are paranoid. Paranoid people should grab a cheap netbook and use that on the school network, and keep your precious personal data on a different machine. Any of that Nat/VM/router shenanigans others have suggested is violating their policies, and risking problems on their network that those policies are crafted to avoid.

  45. Bullshit by Weezul · · Score: 3, Insightful

    There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? Your scanners probably won't detect any machine behind its own firewall either.

    I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.

    Sadly, residential networks create a perfect environment for windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formats, like office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their windows using fellow students, but compelling scans using closed source software will only discourage compliance.

    I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  46. Internet Service Provider by starfishsystems · · Score: 3, Insightful
    Okay, as the person who wrote the first implementation of my university's longstanding Acceptable Use Policy, let me ask a fundamental question:

    In what manner are students' personal systems permitted to access the Central Michigan University network that is different from how a hundred million ISP customers access the Internet?

    If there is no difference, then the university doesn't have a better case for control over these personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.

    If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.

    So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.

    --
    Parity: What to do when the weekend comes.
  47. Re:Don't use their network? by Sancho · · Score: 2, Insightful

    Let me get this straight--you trusted some random guy to install crap on your computer over the university?

    I find that pretty interesting.

  48. Other solutions? by mu51c10rd · · Score: 2, Interesting

    Considering the many posts saying the CSA is a bad idea, it raises a question. The fact that students get their Windows machines infected with every virus, trojan, and rootkit imaginable, how else should IT departments handle it? In the corporate world, it seems easier. However, a network of user-controlled machines sounds like an administrative nightmare. For those who think the CSA is a bad idea, what are your alternatives?

  49. Sue the bastards; it's unconstitutional by PizzaFace · · Score: 2, Insightful

    A private university might get away with this, but a public institution is constrained by the Constitution. I'd say that scanning your hard drive is an unconstitutional search, because there are less invasive means of keeping their network safe.

    I can't write your brief for you, but talk to the ACLU and the EFF.

  50. Run your real system in a NATed VM by Craig+Ringer · · Score: 2, Interesting

    It'd be nice to just run the agent in a VM and isolate your real system that way, but it wouldn't work because they'll almost certainly be filtering by MAC address.

    What you _CAN_ do is run the agent on the physical host with a minimal OS install, and then put everything else in a VM. Have the VM connect through the real host using NAT, so it has the same MAC address as the real host. The network won't know the difference.