
Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
This discussion has been archived. No new comments can be posted.

  • by John Hasler ( 414242 ) on Saturday June 06, 2009 @02:34PM (#28234869) Homepage

    A different college.

  • by Anonymous Coward on Saturday June 06, 2009 @02:37PM (#28234907)

    Use Virtualbox to run the security agent in a virtual machine and OpenVPN to tunnel your traffic to a host on a less bigbrotherish network. If you feel like going against administration, you could also try to get the policy changed...

  • Question (Score:3, Insightful)

    by Vinegar Joe ( 998110 ) on Saturday June 06, 2009 @02:37PM (#28234911)

    Are you required to run Windows? If not, don't.

  • Whoa what? (Score:5, Insightful)

    by IICV ( 652597 ) on Saturday June 06, 2009 @02:45PM (#28235005)

    From the first link:

    The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

    "If you use our network, we own what's on your hard drives. Thanks!"

  • Re:Linux (Score:4, Insightful)

    by nurb432 ( 527695 ) on Saturday June 06, 2009 @02:45PM (#28235019) Homepage Journal

    Or they will deny you access.

  • Re:Tether. (Score:3, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Saturday June 06, 2009 @02:49PM (#28235067) Journal
    That has got to be the first time I've ever heard cellphone internet described as "freedom".
  • by linzeal ( 197905 ) on Saturday June 06, 2009 @02:54PM (#28235115) Journal
    Uh, this is sorta pathetic that we computer science literate folk cannot muster up the courage to tell him to confront the policy with a student protest. However, that is what I would expect from Slashdot where everything is resolved by lawsuit or clever hack. Well sometimes we need to go piss in someone's cheerios. That is what we should be telling him to do, go down to the lib arts colleges and rally up the professional protest set, get some cogent arguments laid out and make sure you notify all media within a few hundred miles because for whoever is having a slow news day you might make the cut.
  • by Anpheus ( 908711 ) on Saturday June 06, 2009 @02:59PM (#28235169)

    Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

    And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

    Dealing with idiotic, forced software is a pain no matter what your OS is.

  • by hedwards ( 940851 ) on Saturday June 06, 2009 @03:04PM (#28235229)
    That's a good point. I recall my senior year in college the IT department installed traffic shaping hardware on the network. Basically killing the performance of P2P apps in order to make the network useful for more general use applications.

    At that time, most of the file sharing was being done directly via file shares and often times there'd be virus infected files. From what you're saying, it's probably not that much different than when antivirus software would delete files on r/w enabled shares.

    But to be honest, the terms kind of scare me, just because you're a professional doesn't mean the nitwits running that network are, and it's a blatant violation of copyright law to declare ownership over files in that manner.
  • by Jurily ( 900488 ) <jurily&gmail,com> on Saturday June 06, 2009 @03:04PM (#28235239)

    x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

    -- Theo de Raadt

  • by gavron ( 1300111 ) on Saturday June 06, 2009 @03:07PM (#28235273)
    Very accurate. Should be "5 interesting". Of course /. rewards argumentative counterculture copycats and lemmings... not anyone who actually tells it like it is.
  • There's a get out (Score:4, Insightful)

    by Kupfernigk ( 1190345 ) on Saturday June 06, 2009 @03:10PM (#28235303)
    Did you notice the "intellectual property owned by others"?
    • 1. Register your one-person software company
    • 2. Assign all your non-CMU material to your company
    • 3. Encrypt everything
    • You are now protected by (a) their policy and (b) the DMCA.
  • by snsh ( 968808 ) on Saturday June 06, 2009 @03:12PM (#28235313)

    You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

    This is the point of being at college, after all.

  • by Anonymous Coward on Saturday June 06, 2009 @03:15PM (#28235349)

    Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

    Using a virtual machine and TrueCrypt can also save you from additional headaches.

    This assumes that you at least have sufficient rights on the client PC.

  • Re:No. (Score:3, Insightful)

    by Tacvek ( 948259 ) on Saturday June 06, 2009 @03:19PM (#28235409) Journal

    Mine does not even require antivirus software, although they deliberately design the system into tricking students into installing it, and some other crap. However, if your machine is rooted, and begins disrupting the network, they reserve the right to ban your computer from the network.

  • by KingSkippus ( 799657 ) * on Saturday June 06, 2009 @03:20PM (#28235417) Homepage Journal

    I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

    So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it. If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules. Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

    Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

    If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults. I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

    But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

  • Re:Tether. (Score:1, Insightful)

    by sound+vision ( 884283 ) on Saturday June 06, 2009 @03:21PM (#28235437) Journal
    It's freedom when compared with having the college install some monitoring app (dare I say spyware?) on your computer.
  • by Anonymous Coward on Saturday June 06, 2009 @03:22PM (#28235449)

    Yep. Just because you personally don't care what he has on his computer, he shouldn't worry that there might be a bad egg in the IT department who will drain his bank accounts and post child pornography on his facebook page.

    Yes sir mister IT guy, we'll let you have all of our data and trust you not to do anything bad with it, whatever you say.

  • by Anonymous Coward on Saturday June 06, 2009 @03:32PM (#28235551)

    They say....No access for you! Network Nazis don't have to be reasonable.

  • by Malenx ( 1453851 ) on Saturday June 06, 2009 @03:35PM (#28235579)

    You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.

    In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.

  • by Anonymous Coward on Saturday June 06, 2009 @03:44PM (#28235663)

    Running a college network is not an easy task, and I don't envy you. Let's face it, college networks are probably some of the most vulnerable to infections and rapid spreading. However, just because you don't care and you have good intentions (I mean who _wants_ to have an infected computer?) doesn't make this policy sketchy. Basically you are saying (to paraphrase your last line) if you have nothing to hide, you have nothing to worry about. The reason why privacy advocates get worked up about these minor league, well-intentioned intrusions into privacy is because of the _potential_ for abuse. It is all the worse because it is a piece of software that is a black box as far as the typical student is involved.

    To make an analogy (what good /. post doesn't have one of those?), this is along the same lines as security cameras on the street corners. Sure, most of the time no one is actually watching and anyway, after awhile they are just endless anonymous faces... until the day some watcher suddenly sits up and goes "hey - I know that guy... and that is not his wife...", or someone gets bored and starts tracking the attractive young woman around town, or some self-righteous zealot starts sending the cops out after teens necking in the park.

    I'm sure making students install software that scans their computers makes the life of the network manager easier, just like warrantless searches would make police work easier. The real problem is that most students won't even ask the question posed by the original poster because they just don't know any better... If it were me, well, I swap back and forth between osx and linux, but I'd still refuse and do my best to raise awareness of why this is a problem - but maybe that's because I did my undergrad at Wesleyan way back in the day and if ever there was a place for causes...

  • by Anonymous Coward on Saturday June 06, 2009 @03:52PM (#28235745)

    But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.

  • Re:yeah, but (Score:3, Insightful)

    by betterunixthanunix ( 980855 ) on Saturday June 06, 2009 @03:53PM (#28235755)
    Actually, it is an excellent analogy. In New York City, if you have a large bag and you want to ride the subways, the police department will demand to search the bag (they cannot do this for everyone, so usually they start with people who "look like" terrorists). You are within your rights to refuse the search, but then, you cannot ride the subway.

    Why should anyone have to consent to allow their computer to be searched by strangers? Just ban any node that is misbehaving, and there is nothing more that needs to be done. We do not need IT staff holding our hands, and more importantly, we specifically want IT to not hold our hands.
  • by uvsc_wolverine ( 692513 ) on Saturday June 06, 2009 @03:54PM (#28235761)

    I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

    So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.

    Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.

    If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.

    Ok.

    Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

    If you don't like it they can admit someone else.

    Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

    I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and set up a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).

    If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off its connection, show me what you've got, and we'll deal with it like adults.

    We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).

    I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

    But again, it is my machine, and it is my money that is paying for that Internet connection.

    Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.

    Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

    Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em

  • Re:My Solution (Score:3, Insightful)

    by Z34107 ( 925136 ) on Saturday June 06, 2009 @03:56PM (#28235775)

    I second everything that you say about McAfee.

    I work help desk at a McAfee campus and am also responsible for doing repairs on student and faculty computers.

    You have to register your computer using a special utility that records your MAC address and whether or not you have McAfee installed. In the mean time, you'll get an IP address from the "unregistered" block and the firewall won't let any of your traffic leave the LAN.

    (Yes, this can be spoofed by wireshark-ing a registered person's MAC address, or even uninstalling McAfee after registering. But, that's beyond five nines of students on campus.)

    So, every computer on campus, student and faculty, has an updated version of McAfee 8.5i. Yet I spend an awful lot of time removing viruses from those computers throughout the year. Even AVG works better, for crying out loud!

    We also use Faronics DeepFreeze on machines meant for student use; we're permitted to move McAfee from those machines because in theory virus infection is impossible. Those machines work about twice as fast as their unfrozen counterparts.

    It's standard practice to not even try to boot up an infected machine because the more interesting infections do a good job of preventing most of your tools from running - it's easier to pop out the hard drive, hook it up to a USB->IDE/SATA adapter, and mount it on our help desk machine and do an offline scan.

    We used to use McAfee for doing these offline scans - but then we realized it would take a few hours to scan the drive and would miss most of the infection. (If it's "spyware" or "adware" and not a bona-fide "virus" it won't detect it at all. Most of our infections are "XP Antivirus".)

    It does NOTHING and makes the computer it's installed on unbearably slow. Plus, a site license seems to be rather costly. Our current routine is do a 30-minute-ish offline scan using MalwareBytes, pop the hard drive back in, and run ComboFix or SpyBot SD to repair the registry. Most viruses are gone in about an hour - no thanks to McAfee.

    Sorry for the rant! At least we aren't stuck with Symantec/Norton.
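
The registration scheme described in the post above keys network access on a MAC address, which is why a copied MAC passes it. The following added example (not from the post or from any NAC product) models that pool assignment and shows one defender-side check: flagging a registered MAC that appears on two switch ports within minutes or announces a different DHCP hostname. The address blocks, the rule that antivirus must be present to register, the record fields and all log entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed address plan: the post only says unregistered hosts get an address
# from an "unregistered" block whose traffic the firewall keeps on the LAN.
REGISTERED_NET = ip_network("10.20.0.0/16")
UNREGISTERED_NET = ip_network("10.99.0.0/16")


@dataclass(frozen=True)
class Registration:
    owner: str
    hostname: str       # hostname captured by the registration utility (assumed field)
    av_installed: bool  # checked once, at registration time


@dataclass(frozen=True)
class Sighting:
    when: datetime
    mac: str
    switch_port: str
    dhcp_hostname: str


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def pool_for(mac, registry):
    """DHCP pool choice: the MAC is the only identity the scheme checks."""
    reg = registry.get(normalize_mac(mac))
    if reg is not None and reg.av_installed:
        return REGISTERED_NET
    return UNREGISTERED_NET


def may_leave_lan(src_ip):
    """Firewall rule: only the registered block is allowed off the LAN."""
    return ip_address(src_ip) in REGISTERED_NET


def find_spoof_suspects(sightings, registry, window=timedelta(minutes=5)):
    """Return {mac: [reasons]} for registered MACs with conflicting sightings.

    Heuristic only: a laptop carried between buildings inside the window
    would also trip 'concurrent-ports', so treat hits as leads to review.
    """
    suspects = {}
    last_seen = {}
    for s in sorted(sightings, key=lambda x: x.when):
        mac = normalize_mac(s.mac)
        reg = registry.get(mac)
        if reg is None:
            continue  # unregistered hosts are already confined to the LAN
        if s.dhcp_hostname.lower() != reg.hostname.lower():
            suspects.setdefault(mac, set()).add("hostname-mismatch")
        prev = last_seen.get(mac)
        if prev and prev.switch_port != s.switch_port and s.when - prev.when <= window:
            suspects.setdefault(mac, set()).add("concurrent-ports")
        last_seen[mac] = s
    return {mac: sorted(reasons) for mac, reasons in suspects.items()}


# Constructed sample data (locally administered MAC addresses).
REGISTRY = {
    "02:00:00:00:00:0a": Registration("student-a", "alice-laptop", True),
    "02:00:00:00:00:0b": Registration("student-b", "bob-pc", True),
}
DAY = datetime(2009, 6, 6)
SIGHTINGS = [
    Sighting(DAY.replace(hour=9, minute=0), "02:00:00:00:00:0a", "dorm1/12", "alice-laptop"),
    Sighting(DAY.replace(hour=9, minute=2), "02-00-00-00-00-0A", "dorm3/07", "unknown-host"),
    Sighting(DAY.replace(hour=9, minute=0), "02:00:00:00:00:0b", "dorm2/03", "bob-pc"),
    Sighting(DAY.replace(hour=13, minute=0), "02:00:00:00:00:0b", "lib/01", "bob-pc"),
    Sighting(DAY.replace(hour=9, minute=5), "02:00:00:00:00:0c", "dorm4/01", "new-host"),
]

if __name__ == "__main__":
    for mac, reasons in find_spoof_suspects(SIGHTINGS, REGISTRY).items():
        print(mac, ", ".join(reasons))
```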

  • by soren202 ( 1477905 ) on Saturday June 06, 2009 @04:03PM (#28235859)

    I'm sure if you tell the right people that the IT department can see pretty much anything you have on your computer, you'll be able to get some support.

    Seriously, it's College; everyone has some skeletons in their closet.... or rather, naked pictures on their hard drives.

  • by jimicus ( 737525 ) on Saturday June 06, 2009 @04:05PM (#28235887)

    In the real world, if you want freedom to do as you please you have to pay for it yourself.

    In a manner of speaking, the OP is.

    But it's a mite different here.

    I'd say the lesson is that "nobody cares about your problem unless you can make it theirs as well". If they set up policies which you disagree with, that's your problem.

    If you can get a significant proportion of the media to investigate this and publish it, suddenly it's their problem as well.

  • by Anonymous Coward on Saturday June 06, 2009 @04:25PM (#28236065)

    Well, in this particular case, the OP doesn't require a system that is fully secure against every conceivable threat. What they need is a system that is secure against one particular known threat - one that probably isn't updated very often and whose authors probably have never contemplated exploiting virtualization security leaks to ensure that the systems they're scanning are truly being scanned.

    Yes, there's a possibility of introducing additional security holes this way, but generic security threats to a personal machine can mostly be evaded the same way everyone else does: by practicing safe surfing habits, being careful with flash drives, and using an appropriate firewall.

  • by Anonymous Coward on Saturday June 06, 2009 @04:36PM (#28236185)

    A good example how a guy who, despite having made a name for himself as a programmer, can still be very wrong regarding issues he has no intimate knowledge about.

  • by Anonymous Coward on Saturday June 06, 2009 @04:37PM (#28236187)

    This is shitty advice and you know it. The asker is already enrolled. At least you could have given advice that was untenable AND pithy, but it appears that your sense of vanity has misled you.

  • Re:My Solution (Score:1, Insightful)

    by Anonymous Coward on Saturday June 06, 2009 @04:57PM (#28236355)
    Idle curiosity, has anyone ever called you a retarded, pompous, self-important shitcock?
  • by Chris Mattern ( 191822 ) on Saturday June 06, 2009 @05:01PM (#28236383)

    And then you don't get on their network. You're not grasping the concept here--you don't use their trojan, you don't get a connection.

  • by 313373_bot ( 766001 ) on Saturday June 06, 2009 @05:02PM (#28236387)

    As the GP suggests, keeping the sensitive material in an encrypted VM which accesses the net via VPN should be enough, unless the so called "Client Security Engine" includes keylogging or screen capturing functionalities, begging the question: how far can they spy on their students? Shouldn't they have privacy to do their online banking, exchange private e-mail, access medical records, or many other *perfectly legal* activities?

  • by ivucica ( 1001089 ) on Saturday June 06, 2009 @05:16PM (#28236517) Homepage

    And if that doesn't work?

  • by Dun Malg ( 230075 ) on Saturday June 06, 2009 @05:17PM (#28236521) Homepage
    We all know Theo de Raadt is an ass. While what he says is factually correct, it also completely misses the nature of most security situations. 99% of the security out there is of a casual nature. Most of us are not working for the NSA or DoD, so we are not likely to be specifically targeted. If you are a target singled out, yes, Theo's point is valid: a determined attacker will find a way through because the second and third layers are not any better built than the first. That's not the security situation most of us face, though. For the most part we only need to make our information a degree more difficult to get at than everyone else's. A virtual machine will do that. So will running Linux. As would running OSX, though to a lesser degree. Now, if everyone were running virtual machines, he'd have a valid point because the low hanging fruit would be the virtual machine. But since VMs are a novelty to most, they're unlikely to be targeted, which makes Theo's rant just more of his usual hot gas.
  • by ivucica ( 1001089 ) on Saturday June 06, 2009 @05:23PM (#28236571) Homepage

    So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

    What about development? Let's theorize that the poster is a programmer. Should he, in spare time, do all the compiling in a VM, for the convenience of being able to do svn/cvs/git commit?

    Academia in the whole world has gone nuts. I understand blocking access to content, but invading the privacy of my laptop is too much. I'd rather not use their crappy network at all. They'd have to give me a laptop to force me; I wouldn't install their spyware onto my private property.

    Worst of all is that, in US, you guys are even paying full tuition, without any (or with little) state sponsorship for the academia. It's incredible that you guys are not fed up with it. Over here in Croatia, students have been protesting and blocking normal functioning of university departments for three weeks - because our Minister of Education is trying to push paying for education even for our "best and brightest". And US students are dozing off happily and enjoying this kind of shit ... and PAYING for it. What the fuck.

  • by zedeler ( 671724 ) on Saturday June 06, 2009 @05:48PM (#28236741)

    Here is the bottom line. If the campus system is not to your liking, and you absolutely cannot refrain from criminal activity on your computer, and you cannot get into another school, then buy a wire cellular broadband connection.

    This is just the classical "only criminals have something to hide", and I flat out don't agree. There are plenty of other reasons to insist not to have your privacy invaded - just one is that your passwords may be abused by some undergraduate dork working in the IT department.

    Also, I find your comments regarding freedom and how it must be deserved are patronizing and completely missing the point.

  • by Anonymous Coward on Saturday June 06, 2009 @05:57PM (#28236815)

    Are you kidding?

    These sorts of policies exist so the idiot IT people who should be working as janitors can claim they are "doing something".

    Most Windows AV and AS is dead easy to get through. What is hilarious is that "extrusion attacks" are very prevalent in the type of system you maintain. Since you likely never heard the term, it means that once you trust a node inside the network and that node gets infected, your network is owned. Your draconian, brain-dead policies do not stop this.

  • So what? (Score:3, Insightful)

    by Zaphod-AVA ( 471116 ) on Saturday June 06, 2009 @07:08PM (#28237235)

    You are all getting your knickers in a twist over nothing.

    The client (assuming it's similar to the Cisco Clean Access Client I'm familiar with) simply checks that Windows machines are patched and running up-to-date antivirus. Remember Blaster? That thing ate college networks. Since then network policies have gotten a bit stricter. If you read them, they are trying to protect you, and cover their own ass.

    The short version of the policy: Don't do anything illegal. Run this stuff so we can make sure the network stays virus free. Don't be a jerk. If you break these, we can kick you off our network.

    If you are seriously concerned about it you are paranoid. Paranoid people should grab a cheap netbook and use that on the school network, and keep your precious personal data on a different machine. Any of that Nat/VM/router shenanigans others have suggested is violating their policies, and risking problems on their network that those policies are crafted to avoid.

  • by FooAtWFU ( 699187 ) on Saturday June 06, 2009 @07:13PM (#28237273) Homepage

    It works like this.

    People: "College is soo expensive!"

    Government: "Here are subsidies for schools, and for student loans!"

    College A: "Hmm, look, money! We could build some spiffy new facilities that'll look good on the tour, and attract a slightly richer set of people!"

    College B: "Hmm, look, money! Good thing, too, because otherwise we couldn't keep up with College A and C. We need nicer stuff to attract the same students. And besides, what university administration doesn't like spiffy-looking new facilities?"

    People: "College is still soo expensive!!"

    Throwing money at colleges in the US may produce a variety of desirable effects. However, "cheaper college education for all" is not necessarily among them. Universities are experts at price discrimination (the art of charging someone as much as you can get away with). They even have you fill out forms ("financial aid") so they can figure out exactly how much to charge you!

  • Bullshit (Score:4, Insightful)

    by Weezul ( 52464 ) on Saturday June 06, 2009 @07:14PM (#28237281)

    There are always operating systems that don't support your trojans. Do you have an iPhone version? Symbian? BSD? What about simply plugging two machines into the same NATed router? Your scanners probably won't detect any machine behind its own firewall either.

    I'm guessing you don't know much about academic institutions beyond your little world. Academic misconduct rarely if ever extends to resource misuse cases, especially such minor ones. Imagine a student ran bittorrent seeds for pirated pornography on school servers, well they'd get a warning. If they repeated the infraction, they'd have all access terminated. If they circumvented that, they'd surely be expelled, and maybe face intrusion charges. But even then it's not clear their transcript would read "academic misconduct". In particular, there would be no "F (academic misconduct)" on their transcript because they haven't cheated in any classes.

    Sadly, residential networks create a perfect environment for windows worms. But viruses that support Mac & Linux usually do so passively by wrapping their executable within non-executable formats, like office or PDF. So IT should ask Mac & Linux users to scan for viruses as a courtesy to their windows using fellow students, but compelling scans using closed source software will only discourage compliance.

    I concur with the other posts that say running Linux will grant you an exception most anyplace. If that doesn't work, then share your roommate's connection using a NATed router.

  • Re:Linux (Score:1, Insightful)

    by Anonymous Coward on Saturday June 06, 2009 @07:16PM (#28237293)
    A fair and creative reply. Tai chi bow.
    I'll put P2P traffic aside. If the school can afford the 50% or higher bandwidth premium, and they're willing to take the legal risks, perhaps they should allow it.
    So, let's assume the following:
    Your network serves X0,000 staff and students. 5% malware penetration == dysfunctional network and loss of job. 20% of your customers are computer proficient regarding security and good network citizenship.
    I'll lay some objectivity aside to make this argument. If the Cisco product is:
    * Keeping the network up,
    * Used to effectively manage PCs by forcing customers to practice good security and maintenance, and
    * Doing it in a way that automates the process by teaching the customer to do it themselves instead of having an IT rep make house calls to the 80% of the customer base that would require it,
    isn't it a good, cost effective solution?

    I agree that a single-layer defense is never enough. And, considering where we're having this debate, I can certainly support the use of policies and processes which accommodate the other 20% of the customer base with a less intrusive solution.

    We're evaluating a solution for our K-12 regional network using PacketFence, including the Snort/Nessus/RADIUS options. Check it out, if you haven't. [packetfence.org]
  • by starfishsystems ( 834319 ) on Saturday June 06, 2009 @07:49PM (#28237475) Homepage
    Okay, as the person who wrote the first implementation of my university's longstanding Acceptable Use Policy, let me ask a fundamental question:

    In what manner are students' personal systems permitted to access the Central Michigan University network that is different from how a hundred million ISP customers access the Internet?

    If there is no difference, then the university doesn't have a better case for control over these personal systems than any ISP does. Yes, in order to fairly deliver the network service to its customers, the ISP or the university may control bandwidth or cap usage or perform other kinds of traffic shaping. Yes, it may monitor traffic for this purpose. There is no reasonable expectation of privacy when exposing such traffic on the network. There is also no reasonable expectation for these personal systems to be trusted. An appropriate policy would grant access to the network under these terms. Many universities do this, and treat this part of the network in every respect as an extension of the Internet. This is an effective policy.

    If on the other hand these personal systems are being granted some degree of trust or privilege merely by virtue of their presence on the university network, then we clearly see a misdesigned network and a corresponding misapplication of policy. There are parts of any organizational network that people don't get to just plug random equipment into. So don't sell access to these networks to the student population. Duh. If a research group wants to attach its supercomputer cluster to the Teragrid infrastructure, for example, it should be subject to a restrictive usage policy. That's the kind of scenario that most universities, including mine, envisioned when we drafted our usage policy. The same for an outside consultant who needs connectivity to the administrative servers in order to perform software integration. But this sort of policy would be completely inappropriate for a student who is simply getting an Internet connection through university facilities.

    So how about the following proposal for the university to consider? How about you don't give every student a bomb and you don't then require them to submit to random strip searches because of the increased security risk that you brought upon yourself? It's easy to avoid the whole problem in the first place.

  • by Jah-Wren Ryel ( 80510 ) on Saturday June 06, 2009 @08:03PM (#28237585)

    So the only solution is to destroy that little convenience he shall have by getting access onto their network, by having to do all his work in a VM?

    Nah, that's backwards. Use the VM as a router/firewall to the campus network and install the campus spyware inside the VM. Then use the bare-metal for all the real work. If he sets up the VM right it will act just like a NAT firewall and unless someone logs in and really starts looking at what the VM is doing (rather than just what files are installed in it) campus IT will never be the wiser.

  • Re:Linux (Score:3, Insightful)

    by ejtttje ( 673126 ) on Saturday June 06, 2009 @08:33PM (#28237775) Homepage
    What happened to personal responsibility? As in, people are responsible for their own machines. If they get infected, then kick them off the network. You admit you already have tools for scanning vulnerabilities remotely, use those. That's a reasonable policy.

    Requiring the use of a specific piece of spyware smacks of corruption to me. I'm sure someone's getting paid for that. What if a student wants to run a different scanner? They have to run two scanners? What if they want to change the configuration, or run a different OS?

    Their machines are their machines. Your jurisdiction ends with the network. Punish those who misuse the network, don't pre-emptively force yourself on their machines.
  • by Sancho ( 17056 ) * on Saturday June 06, 2009 @08:43PM (#28237833) Homepage

    Let me get this straight--you trusted some random guy to install crap on your computer over the university?

    I find that pretty interesting.

  • Re:Linux (Score:3, Insightful)

    by Culture20 ( 968837 ) on Saturday June 06, 2009 @08:51PM (#28237905)

    While I appreciate your candor, name calling is certainly not necessary to get your point across. As I explicitly mentioned in my response, "it's mandated by the Board of Trustees." The Ohio State Board of Trustees took it upon themselves to mandate a NAC solution to the "security problem". I apologize if I somehow alluded to it being my idea. We were told that we could either implement it or lose our jobs. You may have quit; I chose to do my job since honestly, it's really not that big of a deal. Everyone can do their work and everyone can use whatever OS they want, as the OP indicated.

    You seem to be indicating that this plan is for University owned Staff/Faculty/lab machines only. If this is the case, it's no different than standard business policy, and it's just good sense (why would it need to be mandated from on high?).

    GP thinks the plan you're implementing at your superior's request is for student-owned computers that they're using on campus. If that's true, then you'd be a wimp for not quitting when the Trustees planned a "let's roger the students" policy. You furthermore would be a fool for thinking "it's really not that big of a deal." Of course, I'm guessing the first paragraph is more correct; otherwise, the Trustees would probably have you running the scans on all Staff and Faculty home machines since they connect in to campus occasionally.

  • by Deathlizard ( 115856 ) on Saturday June 06, 2009 @11:27PM (#28238787) Homepage Journal

    From the URL, it looks like Bradford Campus Manager. [bradfordnetworks.com]

    It's what we use for remediation at the college where I work, and that URL, particularly the Remediation part, is the same area that Bradford puts their CSA.

    I can only say how we use the system, so I can't vouch for cmich or other school networks, but we pretty much use BCM for these purposes.

    1) Check for patches on a system.
    2) Check for the university supplied Virus scanner and how up to date it is.
    3) Send messages to users. Specifically as part of our emergency alert strategy in case of severe weather or Schoolwide Crisis.
    4) Locate PCs (Or anything with a MAC address for that matter) if they are lost or stolen and are still being used on our network.
    5) Block Rogue DHCP servers, like someone mistakenly plugging in their home router on their LAN side (instead of WAN), or running Internet connection sharing, or a virus that is DHCP Spoofing.

    As far as I know, it doesn't do any kind of traffic or system spying of any sort. It's basically designed to keep non university users (or users with a problem, such as outdated AV) from getting into the network and doing damage by subnetting anything that's not registered at the switch end. The only thing a non-registered user can do is see the remediation page and log in, and if they can't log in they're SOL.

    As for the Net itself, although we use a QOS system to control bandwidth usage, we don't track anything other than what traffic is using how much bandwidth and throttle based on demand vs performance. I.e., if BitTorrent is sucking 80% of our bandwidth, we throttle BitTorrent so that other services, (WEB, Email, XBOX, ETC) can get more traffic. My guess is that most schools follow the same principle.
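
    Added example, not part of the comment above and not Bradford's code: one way the rogue DHCP check in item 5 can work is to parse DHCP server replies seen on access ports and flag any server identifier (option 54) that is not on an allow-list. The authorized server address, the switch port names and the sample packets are assumptions constructed for this sketch.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_REPLIES = {2, 5}             # DHCPOFFER, DHCPACK
AUTHORIZED_SERVERS = {"10.0.0.2"}   # assumption: the only sanctioned DHCP server

def parse_dhcp(payload):
    """Return (message_type, server_id, offered_ip), or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    offered_ip = socket.inet_ntoa(payload[16:20])    # yiaddr field
    i, msg_type, server_id = 240, None, None
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        tlv = payload[i:]
        if len(tlv) < 2 or len(tlv) < 2 + tlv[1]:
            return None                              # option runs past the packet
        code, value = tlv[0], tlv[2:2 + tlv[1]]
        if code == 53 and len(value) == 1:           # DHCP message type
            msg_type = value[0]
        elif code == 54 and len(value) == 4:         # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + len(value)
    return msg_type, server_id, offered_ip

def find_rogue_servers(observations):
    """Map each unauthorized server identifier to the switch ports it was seen on."""
    rogues = {}
    for port, payload in observations:
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[0] not in SERVER_REPLIES:
            continue                                 # malformed, or a client message
        server = parsed[1] or "unknown"
        if server not in AUTHORIZED_SERVERS:
            rogues.setdefault(server, set()).add(port)
    return rogues

def build_reply(msg_type, server_ip, offered_ip):    # builds constructed sample data
    header = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(offered_ip) + bytes(216)
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + options

SAMPLE = [  # constructed observations: (switch port, DHCP payload)
    ("Gi1/0/1", build_reply(2, "10.0.0.2", "10.0.5.20")),          # campus server
    ("Gi1/0/17", build_reply(2, "192.168.1.1", "192.168.1.50")),   # home router, LAN side
    ("Gi1/0/9", build_reply(2, "10.0.0.2", "10.0.5.21")[:245]),    # truncated packet
]
```

    Calling `find_rogue_servers(SAMPLE)` reports the home router's address and the port it answered on; the truncated packet is rejected by the parser and never counted as a server reply.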

  • by PizzaFace ( 593587 ) on Saturday June 06, 2009 @11:42PM (#28238861)

    A private university might get away with this, but a public institution is constrained by the Constitution. I'd say that scanning your hard drive is an unconstitutional search, because there are less invasive means of keeping their network safe.

    I can't write your brief for you, but talk to the ACLU and the EFF.

  • by wisty ( 1335733 ) on Sunday June 07, 2009 @12:45AM (#28239133)

    You do it like the Australian PBS shakes down big pharma.

    An Australian agency does a cost-benefit analysis on the "product" getting offered. If the price is right, and the "product" (i.e. course) is beneficial*** then you offer a subsidy. If the cost-benefit is not there, you don't subsidize.

    The agency is completely isolated from Parliament (to prevent corruption)

    * Or if the Fed is too wasteful, state based agencies**
    ** Actually, merge some of your states - California and Idaho should not be in the same category

    *** the benefits of education (especially higher education) are very very hard to judge, especially if there is some chance that the metric will be gamed. Targeting student-teacher ratios can reduce admin / building overheads, but it also cuts research. Targeting graduate salaries can just make schools pick privileged, well connected students. Student satisfaction (which Australia targets) is risky - as it reduces rigor. Targeting research is also a nightmare (as researchers then game the metric). Subjective judgments are open to lobbying.

    Education is just one of those wicked problems where the free market isn't ideal (as students are too poor and too inexperienced to make their own decisions, and it's a return to feudalism if rich kids are the only ones who get a good education), but the state can't just set some metrics and create a pseudo-market by dishing out subsidies. Health is another.
