Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Solution For College's Bad Network Policy?

timothy posted more than 5 years ago | from the must-be-monoculture-compatible dept.

Education 699

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

Sorry! There are no comments related to the filter you selected.

Solution For College's Bad Network Policy? (5, Insightful)

John Hasler (414242) | more than 5 years ago | (#28234869)

A different college.

Re:Solution For College's Bad Network Policy? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28235063)

Kill yourself while you watch me fuck your dead great grandmother.

Re:Solution For College's Bad Network Policy? (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28235349)

Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

Using a virtual machine and TrueCrypt can also save you from additional headaches.

This assumes that you at least have sufficient rights on the client PC.

Re:Solution For College's Bad Network Policy? (0)

Anonymous Coward | more than 5 years ago | (#28235411)

Just keep your nose clean for a few years.

Oh.. right, it's college. Sorry.

Don't use their network? (1)

arb (452787) | more than 5 years ago | (#28234871)

Or find another school...

Re:Don't use their network? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28235249)

Alternately, the submitter could run Windoze in WINE or some other VM and set up a partition for its storage.

Then submitter could use Truecrypt to encrypt his bestiality, child pornography, guro, shitting dick nipples, or what ever horrors get his rocks off.

Linux (5, Interesting)

Timmmm (636430) | more than 5 years ago | (#28234883)

Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

Mod Parent Up Please! :) (5, Informative)

gavron (1300111) | more than 5 years ago | (#28234917)

Run Linux. That's the answer. The silly Windows agent won't run on it, and your files can even be protected through filesystem encryption, and safe from magically being shared with spyware writers, botnet managers, and spam sources.


Re:Mod Parent Up Please! :) (5, Informative)

binarylarry (1338699) | more than 5 years ago | (#28234999)

Yep and you could run windows in a virtual machine with NAT setup and the client installed. That way, they'd get to scan "your machine" but wouldn't be able to access anything on the Linux side.

Re:Mod Parent Up Please! :) (5, Insightful)

Jurily (900488) | more than 5 years ago | (#28235239)

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

-- Theo de Raadt

Re:Mod Parent Up Please! :) (0)

Anonymous Coward | more than 5 years ago | (#28235375)

You should be fine simply _saying_ you run linux. I've done this before in similar situations, and they just say "OK" and let you proceed when you claim that. Of course, you're "signing" some (probably unenforceable) maybe you don't want to do that at your own school. Parent probably suggested the safest answer. :-)

Re:Mod Parent Up Please! :) (2, Informative)

artor3 (1344997) | more than 5 years ago | (#28235125)

Of course, other silly Windows programs, like SolidWorks, PSpice, Photoshop won't run either. Might make certain classes difficult depending on your major, though I'm sure it can be worked around. In the worst case, you could keep a Windows partition specifically for essential programs.

Re:Mod Parent Up Please! :) (2, Informative)

RichardJenkins (1362463) | more than 5 years ago | (#28235165)

You could run the agent in a wine environment without access to your real file system.

Re:Mod Parent Up Please! :) (5, Insightful)

Anpheus (908711) | more than 5 years ago | (#28235169)

Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

Dealing with idiotic, forced software is a pain no matter what your OS is.

Re:Linux (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28234981)

Tell them they are noobs, and you pwn noobs like them for breakfast.
Tell them their policy is bad and they should feel bad. Then Player-kill them in war craft.

They will change the policy.

Re:Linux (3, Insightful)

nurb432 (527695) | more than 5 years ago | (#28235019)

Or they will deny you access.

Re:Linux (1)

Majikk (60247) | more than 5 years ago | (#28235077)

If only. Odds are they'll simply tell him that linux is not supported under their network.

Computer science major (4, Interesting)

tepples (727027) | more than 5 years ago | (#28235141)

Odds are they'll simply tell him that linux is not supported under their network.

Disallowing operating systems other than Windows might make certain parts of CMU's computer science program [] more difficult for students.

Tether. (0)

Anonymous Coward | more than 5 years ago | (#28234885)

Get a cellphone plan. Ensure that your phone supports "Tethering". Attach your phone to your pc with a Data cable. Access the internets with freedom.

Re:Tether. (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28235067)

That has got to be the first time I've ever heard cellphone internet described as "freedom".

Can't tether there. (2, Informative)

tepples (727027) | more than 5 years ago | (#28235171)

Get a cellphone plan. Ensure that your phone supports "Tethering".

From the summary: "There are no wireless broadband providers available in the area, I already checked." Therefore, we can assume that none of the available phones support tethering.

Use a VM (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28234887)

If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

Re:Use a VM (3, Informative)

Nimey (114278) | more than 5 years ago | (#28235069)

That may not work if the network authenticates against your MAC address.

Re:Use a VM (0)

Anonymous Coward | more than 5 years ago | (#28235119)

Use VMWare's NAT service. Traffic appears to come from your machine.

Or use tcpdump/ethereal and rewrite it...

Re:Use a VM (2, Informative)

lukas84 (912874) | more than 5 years ago | (#28235127)

That'd be stupid, it can be easily faked.

I've secured school networks with 802.1x and EAP-TLS. Works fine - and VLAN assignment works automatically, depending on the computer plugged in.

Re:Use a VM (1)

MikeBabcock (65886) | more than 5 years ago | (#28235231)

MAC addresses are indeed easily faked.

802.1x is a real option and not difficult to configure.

Re:Use a VM (2, Informative)

Idiot with a gun (1081749) | more than 5 years ago | (#28235113)

As a tech support at another University that requires said "Client Security Agent," I can tell you this will not work. I have tried.

Or Use Two Computers (1)

scruffy (29773) | more than 5 years ago | (#28235367)

Use one computer that passes the test as a proxy.

No. (3, Informative)

ChinggisK (1133009) | more than 5 years ago | (#28234891)

Do all colleges have such extreme measures in place?

No, mine doesn't. Technically we just have to have antivirus software installed, and keep up with MS's security patches, and they really don't ever even check for those.

Re:No. (4, Interesting)

Macman408 (1308925) | more than 5 years ago | (#28235353)

One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:

P2P traffic was capped at 50% of total bandwidth.

There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)

If you picked up a virus, you were isolated from the network. The only thing you could get to was, until you removed the virus and called the helpdesk to promise you had an antivirus installed.

Re:No. (5, Interesting)

finalfrog (1379051) | more than 5 years ago | (#28235371)

My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

Re:No. (2, Insightful)

Tacvek (948259) | more than 5 years ago | (#28235409)

Mine does not even require antivirus software, although they deliberately design the system into tricking students into installing it, and some other crap. However, if you machine is rooted, and begins disrupting the network, they reserve the right to ban your computer from the network.

Virtualbox + OpenVPN (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28234907)

Use Virtualbox to run the security agent in a virtual machine and OpenVPN to tunnel your traffic to a host on a less bigbrotherish network. If you feel like going against administration, you could also try to get the policy changed...

Question (2, Insightful)

Vinegar Joe (998110) | more than 5 years ago | (#28234911)

Are you required to run Windows? If not, don't.

That's insane. (5, Informative)

KingSkippus (799657) | more than 5 years ago | (#28234915)

Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.

Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!

Looks to me like a clear-cut case of some overzealous IT goob forgotting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.

As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.

If you do call them up and ask about Macs and Linux machines, let us know what they say.

Rally the professional protest set (2, Insightful)

linzeal (197905) | more than 5 years ago | (#28235115)

Uh, this is sorta pathetic that we computer science literate folk cannot muster up the courage to tell him to confront the policy with a student protest. However, that is what I would expect from Slashdot where everything is resolved by lawsuit or clever hack. Well sometimes we need to go piss in someone's cheerios. That is what we should be telling him to do, go down to the lib arts colleges and rally up the professional protest set, get some cogent arguments laid out and make sure you notify all media within a few hundred miles because for whoever is having a slow news day you might make the cut.

Re:Rally the professional protest set (-1, Flamebait)

The Mighty Buzzard (878441) | more than 5 years ago | (#28235361)

Maybe we just don't like hippies.

Re:That's insane. (5, Informative)

Idiot with a gun (1081749) | more than 5 years ago | (#28235175)

I'm a tech support (ResNet, CMU has it too) at a different university that has a similar "Client Security Agent." I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire). If anyone fails these, they are instructed to uninstall limewire, update anti-virus, whatever, and rescan. We don't prosecute based off of any data, but it's more of a prevention system to avoid any DMCA notices.

That being said, this is for windows only. Mac and Linux are only single time scans (for what, I do not know), and after that your MAC is white listed with your ID. The beauty is that once registered, it's MAC specific, not OS. I should note that our provider is promising a Client Security Agent for Mac soon, but I doubt a Linux one is coming.

Re:That's insane. (1)

MikeBabcock (65886) | more than 5 years ago | (#28235253)

So grab a laptop with a fresh copy of Windows, assign it your PC's MAC address, install the software and get it white-listed and voila, you can use your own PC on the network now.

Re:That's insane. (1)

Registered Coward v2 (447531) | more than 5 years ago | (#28235331)

Looks to me like a clear-cut case of some overzealous IT goob forgotting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.

You seem to be confused about who really matters at a university. Clue: The faculty.

Virtual Box? (0)

Anonymous Coward | more than 5 years ago | (#28234919)

Have you thought of running their spyware on a virtualbox session of whatever OS they support; and accessing only non-sensitive sites through that session. Can't you wait till you get home for the other stuff? If not maybe an encrypted pipe would do the trick.

I've faced this same issue (3, Interesting)

reeeh2000 (1328037) | more than 5 years ago | (#28234923)

What I found to be the best solution is to run Linux. My campus required Cisco clean access agent and service pack 2 to use windows on the network. I wasn't required to as Linux is allowed to connect without these. As for other concerns I would suggest setting up a encrypted proxy server at home then connecting through it. This will also allow for torrenting and PvP file sharing as this is often blocked on campus.

thumb drive linux (3, Interesting)

elwinc (663074) | more than 5 years ago | (#28234929)

Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.

maybe you should have thought... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28234931)

about that before you were a fuckup in high school and couldn't get into anywhere better than Central Michigan

I had the same problem (4, Informative)

Xocet_00 (635069) | more than 5 years ago | (#28234937)

We were required to have a "Cisco Clean Access Agent" installed on our machines. There were two options available for me, and I ended up going with the second.

1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.

2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?

Virtual Machine (0)

Anonymous Coward | more than 5 years ago | (#28234961)

Perhaps you could try installing those pieces of software within a virtual machine, and keep the virtual machine running all the time. Then it could return its results, and (hopefully) be sandboxed away from the rest of your system. In any case, make sure your concerns/complaints are heard.

My Solution (5, Interesting)

Adam Zweimiller (710977) | more than 5 years ago | (#28234973)

When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

Re:My Solution (4, Informative)

lorenlal (164133) | more than 5 years ago | (#28235369)

McAfee? Wow.

I happen to do a little work for a local in a town that some of us are familiar with [] . She happens to be involved with the local university [] who also uses McAfee as their supported antivirus solution. I got called in a panic by this person because her system was crazy infected. It turned out that the infection disabled the McAfee framework service (which can't be started in safe mode) and totally owned her laptop.

The reason? The updates stopped working [] . I opted to put AVG free on there asked her to try it out, and if she wanted to we could look into purchasing the more complete suite if she wanted.

Point of the story? I'm rather upset that CMU, or other schools would *force* a particular AV solution. I'm more upset that they force down one that has, IMHO, a critical flaw in design. Namely, you can't update, install, or uninstall the scanner in safe mode (yes, safe mode with networking). It just sets up too easily for a massive infection. Fortunately, the policy of the University I mentioned earlier did not have restrictions on AV, so this was still acceptable.

I don't know what deal McAfee has with pretty much everyone that provides AV to "non-commercial" users... but I find it terrible, resource intensive, and just too easy to knock out.

Sandbox it with Sandboxie (1)

BountyX (1227176) | more than 5 years ago | (#28234975)

This is similar to the linux and virtual machine suggestions from above. Go here [] to download it. Once downloaded and installed, run their stupid little application in sandboxie and it will no longer be able to scan you machine. You can even specify which files/folders it has access to and if it has interenet access, etc. I believe that will solve your problem with minimal hassle.

Re:Sandbox it with Sandboxie (2, Informative)

BountyX (1227176) | more than 5 years ago | (#28235045)

Forgot to mention, sandboxie can also be setup so that anytime their program is started, it will run inside of your specified sandbox automaitcally. Very useful for running keygens too, btw ;)

Re:Sandbox it with Sandboxie (2, Informative)

Idiot with a gun (1081749) | more than 5 years ago | (#28235305)

Sandboxie is usually designed to protect your computer against malicious writes. Besides, at my university, if you sandbox the CSA to prevent certain reads or internet access, we'll just drop you off the network. If the CSA can't scan properly, or if the server doesn't hear back from it, it assumes you don't have it installed, and puts you into a small private VLAN, where every webpage except for university stuff, and anti-virus stuff is redirected to the "re-mediation" page.

Client Page. (1)

themassiah (80330) | more than 5 years ago | (#28234983)

The client page says exactly what the client will do when it's installed. Nothing about sniffing traffic, scanning your hard drives, etc. Perhaps you could voice your concern to the HelpDesk or network engineers?

VPN (1)

nurb432 (527695) | more than 5 years ago | (#28234985)

To get around the 'client security agent' tracking your apps/keystrokes/etc, use a VM and NAT the network connection. To get around the network tracking of what comes out of the VM you buy another PC and stick it at your parents or friends house somewhere else as a VPN server then use it to do all your 'sensitive' work. Then let them track it, its encrypted. The stuff you don't care about, go thru the school's network directly.

I suppose you could use one of those free/pay proxies instead of a 'home VPN', but that would be a bit more obvious what you were doing and set off some red flags ( or is blocked in the first place ).

Im assuming in this case its your PC and you can install whatever you please.

Oh, and consider protesting.

Wireless (1)

cgitz (1098047) | more than 5 years ago | (#28234987)

Find somebody that lives off campus - they probably have normal Cable or DSL. Setup a wireless link to their location and offer to pay for part of their Internet costs. There can be some complexities involved in setting up the wireless - you probably don't want it to be noticeable otherwise the school may make you take it down, so the shot probably has to be to somewhere you can see from your window.

entrepreneur (4, Interesting)

TheSHAD0W (258774) | more than 5 years ago | (#28234995)

"There are no wireless broadband providers available in the area, I already checked."

Start one. Given what you've told us, there should be plenty of demand.

Re:entrepreneur (1)

Firethorn (177587) | more than 5 years ago | (#28235355)

My thought was 'Is Verizon completely absent there?'. I know it's not the fastest and it's capped; but it should work as long as you're not extensively filesharing. Set up a machine at home if you need to fileshare.

Heck, consider getting a box at a hosting site. ;)

Virtualization? CoLinux? (1)

Majikk (60247) | more than 5 years ago | (#28235001)

That they disable bridging is really the killer, here. The obvious answer is to turn the 'campus facing' machine into nothing more than a gateway, and you can't do that. I'd also like to point out that this stupid program makes it harder for you to run any OS except windows. Are you sure this school is okay?

That said, what about running linux and keeping this program inside of a vmware instance. Alternately, you could do the opposite: Accept that the stupid program will be running on your machine and see if a CoLinux tap would still work, at which point the machine is merely a host for another kernel.

Re:Virtualization? CoLinux? (0)

Anonymous Coward | more than 5 years ago | (#28235389)

Even if bridging is forced off, there are always other solutions. A ssh server redirecting to a VPN. A SOCKS server. Heck, even the old wingate proxies which were the bane of IRC admins in the past for a while might be an answer. All it takes is one program that can take data from one interface and write it to another, and you are home free.

Whoa what? (5, Insightful)

IICV (652597) | more than 5 years ago | (#28235005)

From the first link:

The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

"If you use our network, we own what's on your hard drives. Thanks!"

There's a get out (3, Insightful)

Kupfernigk (1190345) | more than 5 years ago | (#28235303)

Did you notice the "intellectual property owned by others"?
  • 1. Register your one-person software company
  • 2. Assign all your non-CMU material to your company
  • 3. Encrypt everything
  • You are now protected by (a) their policy and (b) the DMCA.

You're not as interesting as you think you are (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28235011)

I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

Re:You're not as interesting as you think you are (3, Insightful)

hedwards (940851) | more than 5 years ago | (#28235229)

That's a good point. I recall my senior year in college the IT department installed traffic shaping hardware on the network. Basically killing the performance of P2P apps. in order to make the network useful for more general use applications

At that time, most of the file sharing was being done directly via file shares and often times there'd be virus infected files. From what you're saying, it's probably not that much different than when antivirus software would delete files on r/w enabled shares.

But to be honest, the terms kind of scare me, just because you're a professional doesn't mean the nitwits running that network are, and it's a blatant violation of copyright law to declare ownership over files in that manner.

Re:You're not as interesting as you think you are (1, Insightful)

gavron (1300111) | more than 5 years ago | (#28235273)

Very accurate. Should be "5 interesting". Of course /. rewards argumentative counterculture copycats and lemmings... not anyone who actually tells it like it is.

VPN plus VM equals privacy! (1)

EmperorOfCanada (1332175) | more than 5 years ago | (#28235013)

VM Windows with their stupid client and use your normal OS for the rest. For completely secure internet access use a VPN service. There are VPN services that are a few dollars in a month(The Swiss are good that way). Then you can bounce your regular OS internet activity off your VM OS with the VPN client accessing the internet from outside the university. This way you have your cake and eat it too. As far as your university would be concerned you would have the most boring OS in the world in that you basically do nothing but transmit encrypted crap back and fourth to your VPN.

There are others who share your concern. (0)

Anonymous Coward | more than 5 years ago | (#28235025)

Ask the students who go there.

Penn State - not as bad (1)

Phantom784 (973144) | more than 5 years ago | (#28235027)

To answer your question about other colleges, I'm a student at Penn State, and our policies are not nearly as extreme (at least currently). We don't have to install any sort of client on our computer (with the exception of the Cisco VPN client to use the WiFi), and, in their official policy at least, they say don't monitor the content you send/recieve, only the amount (we have a 4 gigabyte/week bandwidth limit in the dorm rooms, but it only counts off-campus traffic). They will call you into "Judicial Affairs" if they get a letter from the (RI/MP)AA, and if they detect a virus on your computer (I dunno how they do that, and it seems to go against their claim they don't scan content you send on the network), they require you to bring it in to be reformated, or forfeit dorm room Internet access, which I believe is a privacy violation. As far as the scanner goes, I recall reading about some sort of "install this scanner to access the network" program that only worked on Windows, so if they detected you were on Mac or Linux, you wouldn't have to install it. I dunno if your school is using the same program, but if they are, using a non-Windows operating system might keep your information more secure.

You could always try... (0)

Anonymous Coward | more than 5 years ago | (#28235031)

Try to find the method by which you're granted access.

If it's just by MAC address, try to spoof a whitelisted one. I believe a number of Universities allow residents to have their game-systems or other electronics granted access upon request; if you have one, or can make one up, it's an option.

Alternatively you could attempt to spoof the communication that says you're clean, or rig up their client to simply say that you are.

VMWare in NAT mode might help (0)

Anonymous Coward | more than 5 years ago | (#28235033)

Your host OS can be running the Client Security App and you could keep your personal files inside the VM. You could also run encrypted filesystems inside the guest VM and even if the Client Security App is smart enough to scan inside the vmdk disk files, you are still cool.

You would not be able to hide any file sharing, etc. unless you tunnel, and you might have port forwarding issues at the vmware virtual switch and some overhead in NAT mode for any surfing you do inside the VM.

Ask the higher ups (0)

Anonymous Coward | more than 5 years ago | (#28235039)

In my experience, not all universities are this restrictive. Many that do have these policies do not strictly enforce them (my school required that you do a virus scan on windows machines once per semester, but live cds let you get by by having a non-windows machine at scan time). Most schools will have people at the freshman dorms helping new students get connected. See if you can get in touch with the school's IT staff through these people (they are usually students), and ask the IT staff how to connect non-windows machines to the network. With the popularity of online gaming consoles and non-windows operating systems, I'm sure there will be a procedure.
The other advantage of talking to the IT staff is that some schools hire students to do field work, answer phones, and staff NOCs (my first real job). You never know what opportunities will open up (my school let me unofficially run boxes in the main machine room, with unrestricted access to I2 and the sprint and verizon uplinks).

Your question is bad, and you should feel bad. (1)

KiahZero (610862) | more than 5 years ago | (#28235047)

You could always use TrueCrypt or similar products to protect anything remotely sensitive from snooping while you're on their network. So long as you know when the Client Security Agent is running, simply keep those partitions dismounted while the Agent is running, and they won't be able to see your stash of boring porn.

However, this isn't a particularly disorganized or egregious network usage policy. What language, exactly, do you think "expose[s your] web browsing habits, emails, and . . . passwords?" Also, looking at the "Client Security Agent," it appears to be nothing more than an app to turn on automatic updates, disable internet connection sharing, and check your anti-virus.

Re:Your question is bad, and you should feel bad. (2, Interesting)

characterZer0 (138196) | more than 5 years ago | (#28235327)

How do you know what the app does? Do they provide source code? Can you compile it yourself and run it? If not, you do not know.

His concern that this application may read local files, sniff network traffic, or log keystrokes is completely valid.

What is wrong with Internet Connection Sharing? Maybe he has two computers and wants one to act as a firewall for the other. Or maybe he is developing clustered applications and wants to use his own high-speed switch behind one computer acting as a router.

I would go to a different college.

College's Liability (0)

Anonymous Coward | more than 5 years ago | (#28235073)

Does this expose the college to any sort of liability risk?

They have to have an internal policy on what information they can take and use from your computer. If they go beyond that, what happens?

How do you stop their IT from looking at your banking info or personal images?

Other than the obvious (1)

vilain (127070) | more than 5 years ago | (#28235085)

Some colleges require you to live on campus for the first year. During that time, you'll have to "suck it up" and live with the networking restrictions. Or switch to a computer and OS they don't support, like MacOS 9 or CPM or RT-11 or whatever to ensure you have the privacy you need. Or just don't use the computer (or the phone) for anything you don't want anyone to know about. If the school requires you to run an OS that they support, then you have your answer. For more ideas along this vein, read Cory Doctorow's Little Brother: []

Some colleges are really worried about the infringing material on their networks and applying some rather heavy handed response. Yours seems to focusing on prevention rather than assuming the students are adults and capable of making their own choices and dealing with the consequences. There's a fine line between "policing" and "fascism". Your college crossed it, IMO. If they require the dorm resident advisors to search your room periodically for "contraband", then I think you have to find another college or a good lawyer to fight it.

Take physical notes with pen, paper, and notebook--it uses a different part of your brain than typing. I still can't actively listen to a lecture and type note. I have to take them by hand. A client told me about Lightscribe, a pen computer which he uses for meetings and downloads what he wrote to his computer later: []

My experiences in Truman, MO (2, Informative)

wasabioss (1196799) | more than 5 years ago | (#28235093)

We have it here too.

The "Clean Security Agent," if I'm not wrong, is the Cisco Clean Access Agent [] that comes with the Cisco NAC Appilance, which runs on Windows only, and is a pain esp. for those who are running Vista. This beast have to run under Administrator privilesges and pops up a login window everytime you connect back to the network, and doesn't even want to accept certain types of Anti-virus software (such as Avira.)

Workaround: It doesn't run on Mac and Linux. If you use WIndows, you can convince the NAC you're using Linux and it will believe it until the appliance gets restarted. If you have Linux - great, the NAC just let you pass through. If you have Windows, Kevin [] , a program with a great icon, used to work but recently it didn't, but there is always an easy way to get over it: boot into Linux and fire up firefox and click on a link, and then boot back to Windows.

And just FYI: Due to an insane number of complaints received from the students, the IT Staff over here is getting rid of the Cisco CCA this summer :-)

We are Bot.NET, Punch our Monkey! (1)

ae1294 (1547521) | more than 5 years ago | (#28235105)

FAKE VR Machine running on same NIC for their RIAA monitoring program and a VPN to your moms house.

Tor Browser Bundle (0)

Anonymous Coward | more than 5 years ago | (#28235107)

The FLOSS project, Tor has a set of programs that make it very easy to secure your browsing. It is a portable copy of Tor, Privoxy, and Firefox, working together to give you a private route to the internet.

If you are worried about the information stored on your machine, use a live distro of Linux... Knoppix or Fedora live, and keep your private data on an encrypted USB key.

Our policy is probably a good one (1)

Daimanta (1140543) | more than 5 years ago | (#28235131)

Every computer that needs to access the internet directly needs to have its MAC-adress registered. If something goes wrong, you can trace it back to the MAC-address account. It isn't foolproof(think MAC-spoofing) but there is little more security on our networks(mobile computers need to log in with student accounts).

Think about a different college. GVSU or others. (0)

Anonymous Coward | more than 5 years ago | (#28235149)

Grand Valley State does not implement such restrictions on its students. All that is required there is an AntiVirus client, of your choosing and a request that you install MS patches on a regular basis. They do not track web usage and have a reasonably secure network.

Mikeiver (0)

Anonymous Coward | more than 5 years ago | (#28235153)

Well you could go with one of the cell phone based WAN providers for the internet and bypass all of them. It is $60.00 a month from AT&T or Verizon. Verizon puts a 5GB cap on your total transfer though it is fast in my area. I even made an antenna and get stupid strong signal. It gives me about 2.5Mb/sec down and about 160Kb/sec up. The advantage is that you get internet just about anywhere and you don't have to go through all the schools BS.

Firefox with different User-Agent String (1)

americamatrix (658742) | more than 5 years ago | (#28235159)

If you've got Firefox installed, you actually have a few options. To change your User Agent string, type the special URL "about:config" in the browser's location bar to access the browser's properties and do a right click to add a new string property with the name "general.useragent.override" and the value "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6", or really any user agent string that lacks "windows". If you experience any problems, go back to the properties list and simply remove the new property "general.useragent.override" you just added.

Solution! (1)

DaveV1.0 (203135) | more than 5 years ago | (#28235161)

Don't use the university's network.

Problem solved.

Re:Solution! (1)

ClosedSource (238333) | more than 5 years ago | (#28235271)

Yes, that was my answer as well. If he's addicted to the Internet and has no other alternatives, he could always move his private stuff to flash drive or encrypt it. As one college IT guy posted, the school isn't really interested in him specifically anyway.

we had that CSA thing at uni (1)

wjh31 (1372867) | more than 5 years ago | (#28235163)

yes it scanned the computer, but it was looking for programs not illegal files. It was used to make sure that each computer accessing the network had all the 'neccecery' security software installed. While understandable it was somewhat annoying when it required windows updates that didnt work very well through the restictie firewall you were put behind until you passed the security check. It was something you downloaded and ran once per term. It didnt actually require and install and wasnt needed beyond that (might be used more depending on the exact policy of your college).

As some have pointed out, linux/mac is the answer if you really dont want it on your computer. The .exe obviously wont run outside of windows, so anyone running linux/mac was waved through security for the duration with no real checks atall. Infact a few of my friends would dual boot MS/linux and use linux to be waved through the security then revert to MS when they were through

CSA Work=around (0)

Anonymous Coward | more than 5 years ago | (#28235173)

At my school they also wanted us to use CSA. I realized (after some testing) that the computer that checks to make sure your computer is CSA-compliant is actually the DNS server (at least in my case). Solution? Use OpenDNS and you never have to worry about installing CSA.

Have you ever read a ULA? (1)

mediis (952323) | more than 5 years ago | (#28235201)

If you think this is bad, then you better freaking skip working in the IT field; where everything is scanned, deep packet inspections, and if you ever place a personal laptop on the network they install a secret application to monitor you.

Welcome to the real world (0)

Anonymous Coward | more than 5 years ago | (#28235215)

The corporate world has had products like this for a while. It's not a conspiracy, it's to make sure your pc is up to date with patches, AV software and such. Many University have had lots of problems with pcs that get infected and become zombies. They also have a lot of geeks that are curious and knowledgeable and problably have spent some time sniffing the network they're on. Many University networks give you a semi-permanent IP address (for hardwired machines) and network speeds that are insane - it's not uncommon to have 100Mbit right to your dorm room.

Network vendors have come up with "solutions" that are a client that sits on a machine and requires AV software to run daily, recent OS patches be applied and also take take data from the PC and encrypt is (typically using some VPN type solution). The client after checking everything has run talks to a machine that then allows your packets to be routed onto the the network. Without the clients magic message, the first upstream router/switch discards all the data you send. It's pretty effective at cutting down the amount of machines infected. It's not to spy.

Most Universities are pretty liberal and have strict policies about those type of shenanigans. Anyone caught doing that type of stuff would quite likely get canned at most places.

Most Colleges Have This Problem... (1)

pankajmay (1559865) | more than 5 years ago | (#28235221)

Most colleges (including mine) implement a similar solution - asking a user to download a program to give network access for Windows especially. And don't even get me started on that bloatware McAfee.

Don't simply discard your college because of the network policy - choose it/discard it based on the quality of programs it offers. :-)

You have many excellent options to choose from above. Personally with powerful computers and oodles of RAM, I choose to run a thin layer of Linux and Virtualize Windows within it. However it may not be the most desirable situation on a laptop if Windows IS your primary OS.

However, in my opinion, whatever you decide to implement - it is important that you bring up the privacy issue with the IT department of your school. Someone needs to raise that issue emphatically. If they give you a written assurance of your privacy and later you discover that in fact it is not true, you can always sue them! ;-)

Solution? (1)

no-body (127863) | more than 5 years ago | (#28235233)

get somewhere outside (your non-college home?) a Linux box hooked up to the internet, then use putty to create a secure tunnel, proxy a browser through it and the only thing they see outside is ssh traffic.

If that is creating a fuss, just say you were trying something out to see if it works, educating yourself, learning.....

Perfectly reasonable (1)

lukas84 (912874) | more than 5 years ago | (#28235247)

Keeping a school network secure is very, very hard.

NAP solutions, such as Ciscos Clean Access Agent are a good way to ensure that basic security requirements on clients are met. Unfortuantely, if configured incorrectly it's rather easy to circumvent Cisco's stuff if configured wrong - which it is at most schools.

And then there are the "experts" that don't want to deal with NAP, circumvent it the poorly configured NAP and start spreading viruses.

Unfortunately, the only way to properly secure such a network is to use NAP in combination with 802.1x and a secure 802.1x authentication mechanism, like EAP-TLS. This can ensure security in a school network.

Of course there are privacy concerns with NAP solutions, but i don't think the complaints are valid - if you want to use your own computer in school AND the school agrees you to give you access to their network, it should very clearly be on the terms of the school. Otherwise, you can also bring your own internet connection - many laptops have integrated UMTS as an option, and almost all carriers sell UMTS cards.

Solution! (1)

NSN A392-99-964-5927 (1559367) | more than 5 years ago | (#28235251)

Do not use the campus network connections for anything other than study related tasks and save your work to a flash drive. If I were you, I would ask a local company, if you could do some work experience for them and use their internet connection. I do not know if this is frowned upon in the USA, but certainly here, I run an almost bulletproof network and any student that asked me to have access based on what you have said would be fine with me! You probably can get wireless, stick an omni on your roof and you will certainly increase your range by 5 miles! Also modifying wireless cards is not that hard. Netgear and Atheros cards are pretty forgiving! There will be some students that can help you out with that and maybe feel the same why that you do! I did read terms and conditions, but it was shocking enough just reading "The policies below are intended to supplement other existing university and external policies, regulations and laws" None of which they cleary define what the "other" means! I am confident enough you will find a way around this issue. Remember the best way to defeat an enemy is to be for more creative! I sincerely wish you luck!

Both CYA & BS (2, Informative)

indytx (825419) | more than 5 years ago | (#28235281)

I am assuming that you will be living in the dorm, otherwise the CMU website gives a list of ISPs. [] The list includes mobile broadband cards from Sprint, etc., so I'm not sure what you mean by no wireless broadband providers, though this would be a huge downgrade from the internet speed you can probably get on campus.

The Acceptable Use Policy looks to be general CYA boilerplate B.S. which lets you know that you have some expectations of privacy, but don't hold your breath if there's a subpoena or other legal action trying to get the data. As to the CSA, this appears to be an overreaction to the perceived security risks of Windows systems. On the other hand, bandwidth is expensive, and the IT department may have decided that this is a good way to prevent the spread of viruses and bots on the campus network. All of this is probably academic as it doesn't look like it's Windows only. [] Mac or Linux should probably work.

Use OpenDNS (1)

daimou (605041) | more than 5 years ago | (#28235283)

My school's DNS server was the point of contact with CSA. By using OpenDNS I avoided having to install CSA or even be checked for it.

fill up before you go (0)

Anonymous Coward | more than 5 years ago | (#28235287)

Build up a decent collection before you go, and refill whenever you go get mom to do the laundry.

Simple Fix (0)

Anonymous Coward | more than 5 years ago | (#28235311)

Get an old box (p3 will suffice, and add a couple of nics), throw windows on it, and run windows internet connection sharing. Install the client on THAT windows box, and encrypt all of your connections from that box to a similar box located somewhere with clean network.

Its basically an advanced router with vpn functionality, except you can get an old computer for free instead of shelling out big bucks for a cisco router. Best part is, it shows up to the network as a windows machine and completely legit.

(You can also add a wireless NIC and make an ad-hoc wireless network)

I've done this at my school and it works flawlessly.

join the computer club (5, Insightful)

snsh (968808) | more than 5 years ago | (#28235313)

You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

This is the point of being at college, after all.

University of Nebraska-Lincoln (1)

rob1980 (941751) | more than 5 years ago | (#28235321)

The day you move in, they have you download a program that as far as I can see just checks your security status in Windows to verify that everything is green. After that you're granted access and you can throw the program away. This persists through OS reloads and moving between dorms (I did both last year) so I guess you're authenticated by your MAC address.

Having a Windows-only policy on campus is an insanely shortsighted thing to do, given the number of students using Macbooks and the presence of UNIX-type environments in computer science departments. I'd wager if you just told them you run Linux you'd get a pass.

It's no worse than being at work (1, Flamebait)

petes_PoV (912422) | more than 5 years ago | (#28235359)

Congratulations - you're about to get a life-lesson.

In the real world, if you want freedom to do as you please you have to pay for it yourself. In this case it might mean you have to fork out for your own 3G internet connection and pay accordingly (oh yes, and comply with the providers rules) or go and live somewhere where you can get a normal net connection from an ISP (oh yes, and comply with their rules).

This is all good experience for when / if you graduate and get a job. Suddenly you'll find that you can't goof around on other people's networks all day - downloading whatever the hell you please and doing whatever you want, they'll expect you to DO WHAT THEY TELL YOU TO. Consider this and the restrictions your university is imposing to be one, small step down this road. if you don't like it, well you can always go and buy your own ISP and then create whatever rules or freedoms you want.

OSfuscate yourself into a Dreamcast (1)

Suertreus (946768) | more than 5 years ago | (#28235365)

Software like this invariably uses a technique called TCP stack fingerprinting to determine whether your device is of the sort that requires the software installed. Basically, invalid or strange TCP packets are sent to you upon first appearance (or at DHCP time or something), and the response to each helps the security system to decide whether you're a Windows box, a Linux box, a handheld something, or a game console, because the stack on each of these systems responds a little differently to out-of-RFC TCP junk.

There are several pieces of software out there, most notably OSfuscate ( and sec_cloak (, but the link is quite broken), that reconfigure your Windows TCP stack via the registry to appear to these tools like something entirely different. After doing that, just tell your IT department that you need to get your other device on their network and most places will whitelist you. The most popular choice for what to emulate is a Sega Dreamcast; why that is the case is left as an excercise to the reader...

At most places, looking like something that can't run their spyware gets you online, but some places want to see the hardware (especially for game consoles), so if you're concerned, say the machine runs Linux sometimes and show it to them running Linux (off a LiveCD if you must) if they ask. Then use software to make your Windows look like Linux too, and the exception they'll have put in for "a Linux box with MAC xx:xx:xx:xx:xx" will cover both systems.

Linux works best from experince (1)

Suisho (1423259) | more than 5 years ago | (#28235391)

At my university- basically Linux was whitelisted, and had very little problems. Also, some computers in the lab were set to boot from CD first, and DSL worked just fine.

As for using windows, I tried to make a work-around, but it didn't really work. I was *extremely* annoyed to also HAVE to have Norton. I *think* this could have been fixed by a couple phone calls, but I didn't want to go through the hassle. Though, running a VM or another partition sounds like a great workaround I didn't try.

Waaah. (5, Informative)

Idiot with a gun (1081749) | more than 5 years ago | (#28235393)

Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block limewire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, its the method of prevention available.

Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless if you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden .exe's, or simple .bat scripts would bypass the network policies.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?