Yep, WPI's AUP is pretty silly. The only thing that keeps it going is a general respect between the students and administrators, and the fact that both sides generally behave. I recently finished a 4+ year stint at WPI, 4 of which years I was a workstudy in the CCC, so I got to see both sides of the situation. I got to hear about some of the things students have done, ranging from minor annoyances to the sort of offenses that warrant federal prison time, and I got to see how the CCC responded to all of them.
At no time did I hear about something the CCC had done to punish somebody and think that it was too extreme. I'll admit that this is only my viewpoint, and other people might disagree, but I was watching the functioning of the AUP from the point of view of someone who had to help enforce it and was also subject to its rules.
As an aside, I've never seen them use it, but the Network Operations (NetOps) group has received permission to directly punish students found trying to crack into the campus routers. The punishment, in this case, is immediate expulsion from WPI, with all of your transcripts withheld. Yes, NetOps can do this directly... I've never heard of them using this power even once, but they have been granted permission to do so by the WPI administration.
The CCC has taken very extreme measures in certain other instances, though. The ones I know of were related to offenses like online bank fraud, distributing child pornography, or things on that level.
For just about every other "mundane" problem, the students generally had their computer access turned off, and would have it reactivated after they went to the CCC to discuss it with the admins face to face. If you ignored their advice, you would generally lose your access for the rest of the year, but they wouldn't confiscate the machine or turn off your other accounts and access.
For day-to-day problems, the punishment was generally just an email warning the first few times, and then it was treated as a serious "mundane" problem as above if it kept happening.
Of course, the continued functioning of this system depends on how responsibly the CCC staff behaves. From my experience, they have always been willing to talk about why they're punishing you, and what you can do to remedy the situation without penalty. But what's to keep the staff from becoming BOFHs and laying the student population to waste?
The AUP doesn't mention it, but WPI's campus administration has a general appeals process. If a student feels unfairly punished by the sysadmins and can't solve it by talking to the CCC, they can go through that route. As much free run as the campus admins give the CCC, they have reined them in on a few occasions.
So, to put it simply, the AUP sucks. It puts way too much power in the hands of the CCC admins, but they are (thankfully) all intelligent and well behaved people. But since the CCC has to report back to the campus administration, there is at least one (unstated) route for appealing the CCC's decisions.
Of course, you're not a "real" computer geek at WPI until you've received some kind of warning email from AEJ... :) (Hi, AEJ, if you're reading this!)
Just supporting IPSec doesn't necessarily mean your job as an administrator will be easy. IPSec is only a definition of the encrypted tunnel protocols, and does not define the process of exchanging public keys, validating the computer on the other end with a certificate authority, negotiating what type of encryption algorithm to use, or many other menial configuration tasks. It is possible to set up an IPSec tunnel by hand, but I hope you enjoy typing in lengthy configuration files and copying around encryption keys by hand. If you want the keys to roll over, you'll have to redo portions of this process every time you want that to happen too.
To automate all this, you need a key exchange protocol like IKE which can handle all of these tasks for you. I personally work for a VPN company that implemented and released IPsec software/hardware before IKE had become a standard, and so we have our own protocols for establishing the Security Association for the IPSec tunnel. Our setup protocol is pretty darn good (IMHO), but it's not an open standard, so it only works between our own products. IKE is a feature likely to be added to a future release of our products.
In general regards to the big question, I think an IPSec client that supports IKE is the way to go, since both are now open standards (mostly in the range RFC2401 through RFC2409). There are already open source projects on the BSDs and Linux to support IPSec/IKE, and most VPN vendors are also moving towards it. (Check FreeS/WAN for Linux and isakmpd for BSD)
From my highly biased standpoint, I think my company's product is pretty good and we have a nice client for WinXX if you're willing to work with your key server being on an NT machine. The server can work from behind a firewall with only a few UDP ports forwarded, which is also nice.
The opinions expressed in this email don't imply or assert anything about those of my employer in any way shape or form, either for or against anything I said. Everything in this post is entirely my own opinion and beliefs.
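To make the "by hand" setup described in the post above concrete, here is an added example (not part of the original post, and not any vendor's or project's own code) that renders the manually keyed commands both gateways of a single tunnel would need. It assumes Linux with iproute2's `ip xfrm`, AES-CBC with HMAC-SHA256, and constructed addresses, subnets and SPIs; it only prints the commands and does not apply them.

```shell
#!/bin/sh
# Added example: manual IPsec keying for ONE tunnel, as text for both peers.
# Addresses, subnets and SPIs below are constructed sample values.

# new_key BYTES -> random hex key, the value an operator would copy around
new_key() { head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# sa_cmd SRC DST SPI ENC_KEY AUTH_KEY -> one ESP tunnel-mode SA (one direction)
sa_cmd() {
  printf "ip xfrm state add src %s dst %s proto esp spi %s mode tunnel " "$1" "$2" "$3"
  printf "enc 'cbc(aes)' 0x%s auth-trunc 'hmac(sha256)' 0x%s 128\n" "$4" "$5"
}

# policy_cmd DIR SRC_NET DST_NET TUN_SRC TUN_DST -> one traffic selector
policy_cmd() {
  printf "ip xfrm policy add src %s dst %s dir %s " "$2" "$3" "$1"
  printf "tmpl src %s dst %s proto esp mode tunnel\n" "$4" "$5"
}

# peer_config LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET SPI_OUT SPI_IN \
#             ENC_OUT AUTH_OUT ENC_IN AUTH_IN
peer_config() {
  sa_cmd "$1" "$2" "$5" "$7" "$8"       # outbound SA
  sa_cmd "$2" "$1" "$6" "$9" "${10}"    # inbound SA (peer's outbound)
  policy_cmd out "$3" "$4" "$1" "$2"
  policy_cmd in  "$4" "$3" "$2" "$1"
  policy_cmd fwd "$4" "$3" "$2" "$1"    # gateway forwards decrypted traffic
}

# tunnel_config -> both peers' command sets with freshly generated keys.
# Every key rollover means regenerating and re-installing all of this.
tunnel_config() {
  gw_a=192.0.2.1; gw_b=198.51.100.1
  net_a=10.0.1.0/24; net_b=10.0.2.0/24
  ke_ab=$(new_key 16); ka_ab=$(new_key 32)   # A -> B direction
  ke_ba=$(new_key 16); ka_ba=$(new_key 32)   # B -> A direction
  echo "# --- run on gateway A ($gw_a) ---"
  peer_config "$gw_a" "$gw_b" "$net_a" "$net_b" 0x1001 0x1002 \
              "$ke_ab" "$ka_ab" "$ke_ba" "$ka_ba"
  echo "# --- run on gateway B ($gw_b) ---"
  peer_config "$gw_b" "$gw_a" "$net_b" "$net_a" 0x1002 0x1001 \
              "$ke_ba" "$ka_ba" "$ke_ab" "$ka_ab"
}

tunnel_config
```

One tunnel already needs ten commands and four secret keys that must match byte for byte on both machines; this is the bookkeeping a key exchange protocol such as IKE negotiates and refreshes automatically.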