Slashdot Mirror
Solution For College's Bad Network Policy?
DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
A different college.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.
If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.
Do all colleges have such extreme measures in place?
No, mine doesn't. Technically we just have to have antivirus software installed, and keep up with MS's security patches, and they really don't ever even check for those.
Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.
Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!
Looks to me like a clear-cut case of some overzealous IT goob forgotting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.
As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.
If you do call them up and ask about Macs and Linux machines, let us know what they say.
E
What I found to be the best solution is to run Linux. My campus required Cisco clean access agent and service pack 2 to use windows on the network. I wasn't required to as Linux is allowed to connect without these. As for other concerns I would suggest setting up a encrypted proxy server at home then connecting through it. This will also allow for torrenting and PvP file sharing as this is often blocked on campus.
Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.
--- Often in error; never in doubt!
We were required to have a "Cisco Clean Access Agent" installed on our machines. There were two options available for me, and I ended up going with the second.
1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.
2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?
When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.
mmm...muffins
"There are no wireless broadband providers available in the area, I already checked."
Start one. Given what you've told us, there should be plenty of demand.
From the first link:
"If you use our network, we own what's on your hard drives. Thanks!"
I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.
So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.
You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.
Odds are they'll simply tell him that linux is not supported under their network.
Disallowing operating systems other than Windows might make certain parts of CMU's computer science program more difficult for students.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.
This is the point of being at college, after all.
Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block limewire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, its the method of prevention available.
.exe's, or simple .bat scripts would bypass the network policies.
Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless if you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden
This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.
I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.
My suggestions are:
-live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
-when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)
Comment removed based on user account deletion
That's the polite reason they give for shitlisting Limewire.
The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.
This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire, and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I see a track history of this on by looking at their cases.
Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.
On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?
You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.
In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.
But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.
Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.
So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.
Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.
If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.
Ok.
Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.
If you don't like it they can admit someone else.
Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.
I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and setup a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).
If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off it's connection, show me what you've got, and we'll deal with it like adults.
We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).
I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.
But again, it is my machine, and it is my money that is paying for that Internet connection.
Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.
Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.
Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em
This space for rent...
At least at my university (about 45K students), they get around the privilege vs. requirement thing by providing ample labs that anyone can use with all of the software that is necessary for your classes. As a result, access to a network connection from your dorm room IS considered a privilege and it CAN be revoked at any time since the university is still providing you with all of the resources you need in order to complete your classes. Granted, they may not be nearly as convenient, but they're what you need.
So, I would argue that they do, in fact, have every right to require it of you. You're using their network in a way that they don't have explicit control over, when they are providing you otherwise with the necessary resources for your classes. Sounds like a privilege to me, and if you want to use it, you need to play by their rules. Not that I personally like that idea, of course, but it's what I see as being the reality of the situation.
Also, at least at my school, the CSA came into place very shortly after one of those major worm outbreaks in 2002 or 2003. I remember hearing that around 95% of the network traffic was being generated by the worm, and that the entire university was basically suffering the effects of a DoS attack for the better part of a month since very few of the students' PCs were protected by proper AV and anti-malware software at that time. From then on, practicality alone dictated that they forced the students to install AV software and that they routinely ensure that it's still there.
Most schools have similar software in place, Tipically, Cisco Clean Access: http://www.google.com/search?q=clean+access+inurl%3Aedu
When I was in the dorms at my school, a guy maintained an InstallVise installer, which contained the proper registry keys to change window's MTU, and
a greasemoney script which spoofed firefox's user agent and platform, so windows machines looked to be running linux.
After seeing someone with a similar solution get kicked out of another school, being published on slashdot, and knowledge that my school's IT dept was searching
for the maintainer, he stopped.
Clean Access now uses a java jar, for the linux platform. If your school's client has something similar in place for linux users, I suggest that you find a Computer Science student,
and ask them to decompile the jar, using the DJ Java Decompiler, and create a greasemoney script that uses a similar method of generating a session key. You'd also probably need
the special registry keys, which can be found in the source code for sec_cloak.c, which you should be able to find on google.
Hope I could help.
You mean Central Michigan University? It's in Southern Beijing, as the fucking name implies.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Get a dirt cheap obsolete laptop. This will connect you to the college network. Install their application on it.
Then just enable internet connection sharing, and connect your good laptop. Simple!
If they are into packet sniffing, just use ssh tunnel for the traffic
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware, run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration, so this probably won't surprise them.
It's not even clear whose Client Security Agent they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.
Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.
Comment removed based on user account deletion
Okay, so it's not ideal, but here's what you can do that doesn't require running a virtual machine on your primary PC, or a dual-boot-into-Windows to run the scanner/authenticator software every once in a while scenario:
Get yourself a cheap-ass PC. Throw two ethernet NICs in it. Install a new copy of Windows XP, and any software that your campus IT staff require to be installed on there. Then run Windows XP Internet Connection Sharing (ICS) on the unused ethernet adapter. (ICS is a small DHCP server + NAT engine built into Windows.) Plug that into a switch along with your main computer or computers, and use the XP box running ICS as your router.
Then from the university's perspective, you have a single Windows XP box hooked up which is clean and conforms to their standards for network access. Unless the software that you need to install prohibits ICS from functioning, and there is no way around the artificial restriction, they won't know about the PC or PCs you have running behind the ICS machine.
There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? You scanners probably won't detect any machine behind its own firewall either.
I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.
Sadly, residential networks create a perfect environment for windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formates, like office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their windows using fellow students, but compelling scans using closed source software will only discourage compliance.
I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
If there is no difference, then the university doesn't have a better case for control over theses personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.
If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.
So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.
Parity: What to do when the weekend comes.