p2pnet news | Freedom:- If you’re a regular p2pnet reader, you’ll have noticed comment posts from Liam Jewell, every now and then.

Jewell, 21, is currently a full-time senior at Plymouth State University, reading for his Bachelor of Science Degree in Business Administration with a minor in Information Technology.

He’s also full-time national director of marketing for a national mortgage company and has a serious interest in computer security and privacy.

But this extends beyond the educational arena into the much larger issues of peoples’ right to privacy and, “freedom speech in all of its expressions”.

As of Monday, August 27, PSU began insisting students download a Network Access Control (NAC for short) application called Bradford Client Security Agent if they wanted to go online.

The ’security agent’ also seems to have been foisted on Kansas State University, the Benedictine University network and Chapman University, if Google is correct.

And there may be more.

If your school is among those to have imposed the system, you’ll definitely be interested what Jewell has to say.

In his case, “This is in addition to the other school-mandated software that is already required for access to the internet (McAfee Anti-Virus Enterprise, and McAfee EPO),” he blogs, continuing >>>

The school has provided no documentation about what this program does on your computer, stating that you need to, ‘Download a Health Check Application‘ as the reasoning for PSU installing this software.

Oh, did I mention that even though it says it’ll uninstall automatically, it doesn’t for the Windows version, and is not supposed to?

Privacy has always been a top concern for me and as such, installing software that admits to monitoring some aspects of my daily computing activities is a red flag that I felt needed to be investigated. After talking with an individual working for the school who has knowledge on the new system, it’s abilities, it’s current functions, and it’s future possible uses, I made some very interesting discoveries. A complete list of what the program does, can do, and cannot do is located at the end of this post. I provide this small service so you’ll at least know what’s being installed on your computer and after you review the ‘features’ of this program, you’ll probably agree that both its download and installation are unnecessary for a variety of reasons.

First, let’s examine why any company would consider using a Network Access Control solution like the program the school has decided to use.

Controlling access to any network, business or education, is important to protect the security of it’s users and the institution itself. Previously, students were forced to submit their PSU-provided user name and password every 24-48 hours when they went online. If the school’s anti-virus were running and up to date, you’d be allowed online. The EPO software that students downloaded at one point also set Windows Updates into Automatic Mode and prevented the user from changing this. More recently, Windows itself has been pushing this and the school stopped forcing it on their own. This means that with the school’s previous measures, your computer was up to date against Spyware, viruses, and known operating system vulnerabilities. In addition, each section of campus is on it’s own subnet (which is like a little mini network), so in a worst-case scenario (let us say a massive virus outbreak), you could turn off internet to that network and the virus would only affect the users on your particular subnet and would not harm users elsewhere on the network. I believe Plymouth is split up into 30 or 40 subnets, but feel free to enlighten me if the number is different.

The purpose of the client students are now forced to download is to make sure your Anti-Virus and your Operating System (I.E. Windows) is up-to-date with all the latest patches. Also to prevent massive virus outbreaks. Wait a minute… Oh yeah, the school was already doing that as I just outlined above… So my question is this: What is the CSA’s real purpose? It does nothing that is not already being performed!

This is the exact question I asked my contact at PSU’s IT Department. According to them, the previous authentication system was fast becoming out of date. This means the school needed to evaluate another solution to authenticate students or else be technologically restrained. This still does not however explain why they chose such a strict and invasive program to take its place, and why they needed a program that is run on each students computer and not just on their own server, like they were doing before.

I’m sure that many of Plymouth State University’s Tech Geeks and Computer Science/IT majors out there are sure to be looking for a way to circumvent this software in order to gain access to the school’s network without installing their the CSA. Let me at least give you a head start on techniques that are proven not to work with the version that the school is currently using (1.6.1).

(I’m sorry that this next section is a bit technical, but it needs to be for the audience it’s aimed at to have a clear understanding of what’s already been tried). I also remind all users that any attempts to do so may violate the school’s AUP (maybe?). I don’t endorse it, you shouldn’t even think about it, blah, blah, blah.

Essentially: don’t blame me if the school decides to make an example out of your ass, I warned you and take no responsibility for your actions. [Jewell's emphasis]

- Using an alternate Operating System is not an option. The software has versions for Apple, Linux, and Windows. This means that using a program like Firefox’s user agent switcher to pretend you are another Operating System will fail as well.

- Using Virtual PC as a dummy client fails

- Most NAC’s fail when you assign yourself a Static IP address, this one does not. Sorry not an option this time people.

- Changing your MAC address to match another already authenticated user’s address with a program such as Mac Makeup does not work.

- Using a switch as either a router or a gateway to other computers on your network is a no-go.

- Use a router that copies the MAC address of a dummy computer that has the software installed, so that other computers connected to the router have access, will not work either.

- I’m unaware of any current security flaws in the software they are using which might allow a workaround.

- Using a Linux boot disk doesn’t work because the Linux version of the software is not working correctly. Sorry no Knoppix workarounds this time.

As I hear more/am told of more, I’ll post them here.

POSSIBLE WORKAROUND:(Hopefully the first of many)

This won’t apply to a lot of people, but does apply to some: Discovery credit goes to Efeion. If you have a mac book pro which dual boots XP and OSX, you can authenticate with CSA software on the Mac OS, then boot into windows and have access to the internet. This may only be a temporary solution however because when the school checks back in with the computer that is online, it’ll see it without the software and you’ll be asked to download it again.

If this article does get around and distributed for whatever reason I imagine the IT department will have something to say about it. If this were so, I imagine Dwight Fischer would post something to his blog. Let me take the time and effort of bringing up what he may bring up, and then responding to it right now and saving everyone the trouble.

S = School’s Statement

R = Liam’s viewpoint and response

S: ‘We are forced to update the system to stay up with the times and not fall behind technologically’

R: Why not implement another Server-only solution, as you had previously? Why take the additional step of making it yet another program that a student has to download and keep running on their computer?

S: ‘If there is a school disaster similar to Virginia Tech, we now have a way to let all students know what is going on immediately.’

R: You have already implemented a solution to this via the e2campus subscription service that is new this year. That system will send students text messages on their cell phones and emails as soon as there is an emergency. The likelihood that there is a student without a cell phone that would be using the computer at the time of an emergency is very small. Small enough to not constitute such an invasion of privacy anyway.

S: ‘If students are going to use our network, they need to accept and comply by our rules to use it. We are only protecting them after all.’

R: I’m calling Bullshit. I do not see Time Warner or Comcast ‘protecting’ their users by installing software on their computers as a ’service.’ Additionally, the school does not care about protecting their students from unauthorized lawsuits. Why would they care about anything else relating to student privacy and rights? They wouldn’t be limiting bandwidth, or monitoring all of our traffic if that were the case.

S: Students agree to the Acceptable Use Policy (AUP) in order to get access to the school’s resources, under that policy, you waive your rights to not have us ‘Protect You’ by any means we see as necessary.

R: According to your most recent version of the Acceptable Use Policy, which was last updated in March of 2006:

‘All devices that connect to the PSU network need to be approved and authorized by ITS. Once approved, users who connect personal computers and/or network devices – wired or wireless – assume responsibility for maintaining specified operating system and network security and protection software.’

Interesting. That means, by your own rules anyway, that after we have installed your anti-virus, and your anti-spyware, and everything else you make us download, we are approved. Then after that, it is our own responsibility for maintaining our, ‘Personal computers and/or network devices.’ Why then do we have to have your software installed after its initial installation to access the internet? You state that after the initial check, it is up to us. Ooops, looks like you have been violating your own policies for a couple of years now. Good job.

S: Students do not have to use the school’s internet, it is a service which they can ignore. They can get their own provider.

R: You have me there. I could go somewhere else for my internet, I should not have to, but I could.

Anyone interested in chapter and verse on PSU Client Security Agent ‘features’ should head on over to Jewell’s blog.

Slashdot it!

---

Use free p2pnet newsfeeds for your site. It’s really easy!
Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php

---

Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details. Download here.

This entry was posted on Thursday, August 30th, 2007 at 7:34 am and is filed under Freedom. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

HOME

Viewed 4743 times