Solution For College's Bad Network Policy? 699
DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
Linux (Score:5, Interesting)
Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.
Use a VM (Score:5, Interesting)
If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.
I've faced this same issue (Score:3, Interesting)
thumb drive linux (Score:4, Interesting)
My Solution (Score:5, Interesting)
entrepreneur (Score:5, Interesting)
"There are no wireless broadband providers available in the area, I already checked."
Start one. Given what you've told us, there should be plenty of demand.
You're not as interesting as you think you are (Score:5, Interesting)
I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.
So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.
You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.
Computer science major (Score:5, Interesting)
Odds are they'll simply tell him that linux is not supported under their network.
Disallowing operating systems other than Windows might make certain parts of CMU's computer science program [cmich.edu] more difficult for students.
Re:Your question is bad, and you should feel bad. (Score:3, Interesting)
How do you know what the app does? Do they provide source code? Can you compile it yourself and run it? If not, you do not know.
His concern that this application may read local files, sniff network traffic, or log keystrokes is completely valid.
What is wrong with Internet Connection Sharing? Maybe he has two computers and wants one to act as a firewall for the other. Or maybe he is developing clustered applications and wants to use his own high-speed switch behind one computer acting as a router.
I would go to a different college.
Re:No. (Score:5, Interesting)
One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:
P2P traffic was capped at 50% of total bandwidth.
There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)
If you picked up a virus, you were isolated from the network. The only thing you could get to was windowsupdate.com, until you removed the virus and called the helpdesk to promise you had an antivirus installed.
Re:No. (Score:5, Interesting)
common, not good (Score:5, Interesting)
This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.
I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.
My suggestions are:
-live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
-when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)
Re:That's STILL insane. (Score:4, Interesting)
That's the polite reason they give for shitlisting Limewire.
The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.
This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire, and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I see a track history of this on by looking at their cases.
Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.
On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?
Re:No. (Score:2, Interesting)
My sister goes to Central Michigan, and she got capped after using "too much" bandwidth talking to her boyfriend on Skype, so don't expect to use too much of the bandwidth even if you get around the program.
Re:That's insane. (Score:5, Interesting)
Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. In exact, one week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.
That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.
Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.
Gotta love Slashdot (Score:3, Interesting)
But, if you walk into my office bitching about our "draconian network policices," I'm going to get annoyed with you, but I'll kindly explain why they're in place (and how I'm not the one that made them). If you grab a PS3 and declare that "You can't install your Nazi CSA program on this!" I'm going to ask you to leave, and contact my boss. If you work with the IT people, and are nice to them, it's easy to maintain your decent level of freedom and privacy (except for piracy, sorry) while at your university. If you make every attempt to side step it, abuse the network, and generally come across as a jerk, it's a fast way to get your internet usage permanently rescinded.
Re:Solution For College's Bad Network Policy? (Score:5, Interesting)
Run their trojan in WINE, in an account that can't do anything?
Inadequate disclosure (Score:5, Interesting)
The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware [stopbadware.org], run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" [cmich.edu] is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration [aclu.org], so this probably won't surprise them.
It's not even clear whose Client Security Agent [cmich.edu] they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.
Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.
Re:Linux (Score:3, Interesting)
Newsflash: It's -their- network. Now, chew on this:
Say it was -your- responsibility to keep a network running which was used by a bunch of college students who don't know the first thing about maintaining and protecting their PCs. What, in your expert opinion, would be a "well guided" and "well managed" solution?
Re:Linux (Score:4, Interesting)
When they keep out the commercial ISPs so they're the only network available and when their classes require network access, I'm a little less concerned about their rights to their network. If they're going to force you to eat their dog food, they at least have to make it palatable.
I don't know why universities bother providing network access if it's sooo hard to maintain. Comcast, AT&T, etc. handle the off-campus students just fine without any of that crap. It's not like their job is any easier or their customers are any smarter.
If I were running the network at a university, I'd leave the dorms to the commercial providers and let them compete for business. In the labs have the students use university PCs which are locked down as needed. For wireless, you offer a "clean" network that requires CCA or whatever and a guest network that is on the other side of the firewall and throttled.
Re:Solution For College's Bad Network Policy? (Score:4, Interesting)
Let's just hope that this tool only monitors files on his computer and communicates them to the base. It could also monitor some other stuff, like names of hardware equipment, such as VMWARE CD-ROM DRIVE or whatever.
Pretty much any of that can be configured out of the VM in one way or another. Worst case he can use Xen which, being open source, can be completely modified to report anything.
Or it may insist on talking directly to its network. Or it may actually be responsible for authenticating the detected MAC address.
Not a problem. MAC addresses are full programable and the virtual nic maps directly to the physical nic - i.e. it hands packets directly to the physical nic, fully formed and vice versa. I'm doing something very similar at home right now - running pfsense in a vmware machine on a Windows XP host as my internet firewall. I disabled the all of XP's ip protocols on the wan nic so that the pfsense firewall runs the entire show on that physical nic.
Re:No. (Score:3, Interesting)
Every honor code I've ever heard of has been used as a tool for a college to rid itself of students that it deems undesirable. In my experience, enforcement of these codes varies enormously. Recently, the University of Virginia came under fire for using its honor code to expel students for seemingly trivial offenses.
Honor codes are great in theory, although the ones I've seen put far too much power in the hands of far too few.
Re:Solution For College's Bad Network Policy? (Score:4, Interesting)
To be fair, I've been a linux user over a decade, and upon returning to uni one of the first programming courses I had was .net with microsoft everywhere. So I setup a development environment with monodevelop and mono.
Development has been rather painless so far at least for CLI programs, and the resulting binaries run with the .net framework aswell as mono, on linux, windows and mac.
The moment I no longer need to use c# I'll instantly go back to c++ and c coding. Even in instances where your uni 'makes' you use microsoft stuff, linux is so flexible nowadays that there is almost always some way to do it in linux without them being any the wiser.
Other solutions? (Score:3, Interesting)
Considering the many posts saying the CSA is a bad idea, it raises a question. The fact that students get their Windows machines infected with every virus, trojan, and rootkit imaginable, how else shouls IT departments handle it? In the corporate world, it seems easier. However, a network of user-controller machines sounds like an administrative nightmare. For those who think the CSA is a bad idea, what are your alternatives?
Re:Solution For College's Bad Network Policy? (Score:5, Interesting)
Run your real system in a NATed VM (Score:3, Interesting)
It'd be nice to just run the agent in a VM and isolate your real system that way, but it wouldn't work because they'll almost certainly be filtering by MAC address.
What you _CAN_ do is run the agent on the physical host with a minimal OS install, and then put everything else in a VM. Have the VM connect through the real host using NAT, so it has the same MAC address as the real host. The network won't know the difference.
Re:Solution For College's Bad Network Policy? (Score:3, Interesting)
"Everyone needs a college education" is a scam created by the baby boomers. They use higher and higher education / experience requirements so they can lock out the next generations from the workforce. The previous generation, they used a "overqualified" scam as an excuse to not hire older people. They also used any excuse to fire / lay off the older people to scam them out of pensions. After the bailout scam, there may not be any higher paying jobs anyway.
Be practical. Don't bother going to college unless:
Otherwise you are just going to end up with huge loans to pay off while you end up flipping burgers for the rest of your life. Have fun barely surviving, while if you didn't go on to higher education, you'd at least be able to take care of yourself and maybe save some money.
Have a real plan people. Figure out what you want to do before you go on to "higher" education. Be sure going to school will fit your goal and you will get a higher paying job, which is the real reason to go to school, not some abstract notion of being "educated" and "well rounded" or following in someone's footsteps. If you want to educate yourself, read books, try things out yourself. It is much cheaper.
Re:Solution For College's Bad Network Policy? (Score:2, Interesting)
Re:Solution For College's Bad Network Policy? (Score:2, Interesting)