
University Professor Chastised For Using Tor

Irongeek_ADC writes with a first-person account from The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom.
  • Bravo (Score:5, Insightful)

    by QuantumG ( 50515 ) * <qg@biodome.org> on Thursday February 08, 2007 @05:14PM (#17940142) Homepage Journal
    Good to see some university professors still have integrity.
    • Re:Bravo (Score:5, Insightful)

      by Maxo-Texas ( 864189 ) on Thursday February 08, 2007 @05:16PM (#17940166)
      I wish I had "tenure" at my day to day job.
      • Re:Bravo (Score:5, Informative)

        by Anonymous Coward on Thursday February 08, 2007 @05:23PM (#17940276)
        He is an assistant professor. He is unlikely to have tenure.
        • Re:Bravo (Score:5, Insightful)

          by Maxo-Texas ( 864189 ) on Thursday February 08, 2007 @05:27PM (#17940344)
          Even executing my "academic freedom" would result in instant unemployment in the private sector. That severely constrains my interest in executing it since my health care bills would be $300 a month easily for blood pressure and cholesterol medicine alone.

          I applaud his efforts. And I chose not to work in academia so it's my responsibility that he has privileges that I do not.
          • Re:Bravo (Score:4, Insightful)

            by Anonymous Coward on Thursday February 08, 2007 @05:32PM (#17940426)
            Even executing my "academic freedom" would result in instant unemployment in the private sector. That severely constrains my interest in executing it since my health care bills would be $300 a month easily for blood pressure and cholesterol medicine alone.

            That's why the Government should be providing health insurance, and limiting the price of medication, like in every other first-world country.
            • Re: (Score:3, Insightful)

              by MightyYar ( 622222 )
              Yes, because two things that government is known for are low costs and high quality.
              • Re:Bravo (Score:5, Insightful)

                by san ( 6716 ) on Thursday February 08, 2007 @06:12PM (#17941030)
                In the case of health care, governments are known for low costs and high quality. Total medical expenditure per capita in western countries with universal healthcare tends to be around a quarter of what it is in the US, and people live longer and healthier lives.

                These are fairly well established facts (I'm not going to dig up references now, but for example, there was a Nature article last year on how Brits live longer than Americans -- even if you account for any conceivable cultural/economical/whatever difference, and Brits have a lower life expectancy than other European countries. That should get you started). You can also easily look up medical expenditure per capita.

                Whether you want universal healthcare should mainly be a political question: it does, undeniably, take away freedom (you're going to be taxed and you don't have a very direct say on how that money gets spent --- you're still free to go to any doctor you want if you're willing to pay more for it).

                In many countries, people think it's worth the trade-off.
                • Re: (Score:3, Insightful)

                  by MightyYar ( 622222 )
                  I don't want to talk past each other with statistics, because that's been done to death, and frankly neither side ever seems to trounce the other. All I know is that I keep seeing wealthy Canadians and even Europeans coming to the States for their elective procedures. You can live a long time and still be miserable because you can't get the knee surgery that you need.

                  The other problem is that the US market is currently subsidizing drug and equipment development (even in other countries). If you make the US
                  • Re:Bravo (Score:4, Insightful)

                    by san ( 6716 ) on Thursday February 08, 2007 @09:25PM (#17943368)

                    I don't want to talk past each other with statistics, because that's been done to death, and frankly neither side ever seems to trounce the other. All I know is that I keep seeing wealthy Canadians and even Europeans coming to the States for their elective procedures. You can live a long time and still be miserable because you can't get the knee surgery that you need.

                    You're right, that's indeed one of the trade-offs. Although on average people do get more and easier access to decent healthcare, that doesn't mean that specific cases are better off -- quite the opposite for some people. If you have a rare disease, you might be out of luck.

                    The other problem is that the US market is currently subsidizing drug and equipment development (even in other countries). If you make the US market like France or Germany, either everyone's costs will rise or the rate of drug/device/procedure development will slow. It's not rocket science - if money flow goes down, the research dollars will flow elsewhere.

                    I don't see how this is an argument against universal healthcare in the US. If anything, it would force more equitable prices. There's still a lot of money to be made on sick and unhealthy people, no matter who pays.

                    There is the other issue, too. The model countries for socialized health care are Germany and France. These countries have horrible economic problems as a result of their social spending. I don't like the thought of 50% unemployment for those under 25. The last thing we need is more government spending.

                    That argument keeps coming up, but people fail to realize that Germany had jumped in population but not in GDP when it unified; East Germany (1/3 of current Germany) really was bankrupt. Other countries are doing just fine with their socialized care (the Netherlands, Sweden, etc.). The UK (with its uber-socialized NHS) is doing fine, but it's true that France has been a basket-case for quite a while.

                    I do support reform, however. The current system is not great. Specifically, our "universal health care" is the emergency room. We need to offer free or cheap clinics that will keep people out of the very expensive emergency rooms. I have no problem with government spending or social programs, but I believe that they should have as small a scope as is possible while still attacking the problem. Government is inefficient (by design) and usually inept (not by design, but in practice).

                    I was in for quite a shock when I had an accident and ended up in an emergency room for the first time in the US. Those places really epitomize the failure of a system where free markets collide with basic ethics (like not turning away people without insurance).

                    Another shock upon coming here was the inefficiency of government: bureaucracy and slowness are more like what I'd seen in communist countries than like what I've experienced in Northwestern Europe. I think it has to do with the fact that working for government in the US has such low status and that many government agencies are chronically underfunded.

                    You get what you pay for, also in government :-)

                  • Re:Bravo (Score:4, Insightful)

                    by Anonymous Brave Guy ( 457657 ) on Friday February 09, 2007 @07:47AM (#17946752)

                    The other problem is that the US market is currently subsidizing drug and equipment development (even in other countries). If you make the US market like France or Germany, either everyone's costs will rise or the rate of drug/device/procedure development will slow.

                    Or the drug companies will simply make less money.

                    It's not rocket science - if money flow goes down, the research dollars will flow elsewhere.

                    Except that there's nowhere else for the drug companies to spend their money. Big Pharma is probably the most lucrative commercial R&D area since forever. Even with significantly lower prices, the companies would still be very profitable. They're not stupid, and not likely to back out of a good deal just because an obscenely good deal is no longer an option.

                • Re:Bravo (Score:4, Insightful)

                  by rearden ( 304396 ) on Friday February 09, 2007 @09:23AM (#17947436) Homepage
                  There are three major and important facts that proponents of Universal Healthcare ignore when pointing to Germany, Sweden, etc...

                  1. The US is both population wise and land wise considerably larger- at last estimate over 300 million people. This means the logistical and administrative demands of any such system would be orders of magnitude larger than anything Germany (82m ppl), England (60m ppl), or Sweden (9m ppl) have thus making the program harder to manage and much more expensive.

                  2. Germany, England and Sweden are central government countries. They have a strong national government with multiple parties working in coalitions and the Prime Minister is selected from this. This allows for things to work "all in one direction". However, the US is fragmented with a weakened federal government (though stronger over the last 50 years) and many fragmented states with no single direction or goal- and often opposite goals. This would make it both politically and socially difficult to implement a single Universal Healthcare without it being very regional, complex, and beholden to local politics thus negating many of the advantages of "national healthcare".

                  3. The US has no National will. It is far easier to get a majority of 80, 60 or especially 9 million people to have a single set of goals or objectives. Especially when that social structure has been in existence for over a thousand years, they all speak the same language and they share common cultural and social norms. The US is, to use a cliche, a melting pot only 200 years old- getting five random people in a room that have anything in common is nearly impossible in a big city. Trying to find commonality beyond Nation & Citizenship for 300 million in this country is a pipe dream.

                  Another issue is Universal Healthcare does not solve the litigation issue in this country, but that is a whole nother topic.

                  So, that said what do I think the solution is? Universal Healthcare laws. Too many of our basic healthcare laws are done state by state thus making it an administrative and paperwork nightmare. Meeting the laws in each state, region and area drive the cost of Healthcare and Insurance up. We need to allow people to pool their insurance- without requiring the involvement of their employer, and we need to standardize the laws across the nation thus lowering the administrative and legal cost for both insurers and providers. Once this is done the free market competition in insurance will help drive down cost as each insurer demands lower prices for drugs, medical equipment, and even procedures.

                  My 2 cents
          • Re:Bravo (Score:5, Insightful)

            by ceoyoyo ( 59147 ) on Thursday February 08, 2007 @05:57PM (#17940810)
            Your job is to go to work and perform some task for the company that hired you. HIS job is to know about things like Tor, think about what they mean, and educate his students. See the difference? Knowing about Tor is part of his job.

          • Re:Bravo (Score:5, Insightful)

            by flithm ( 756019 ) on Thursday February 08, 2007 @06:06PM (#17940936) Homepage
            Even executing my "academic freedom" would result in instant unemployment in the private sector.

            This is not necessarily true. I've actually put myself into a position where I was SURE I'd be fired for refusing to go along with a company policy that I felt to be morally (and ethically) wrong. When you have righteousness on your side you'd be amazed at what can actually happen. (I wasn't fired, and I didn't follow policy).

            I'm not saying you're lying or anything, because I don't know your situation. But I do know how scary it is to put yourself out there like that, and I know that it's a lot easier to say "Ohh pfft, he's in academia so he can get away with that... I could never do that." But really that's nothing more than an excuse.

            There's plenty of situations where someone in the private sector could get away with a lot more than someone in academia, and vice versa. Making an insinuation that somehow life is easier in academia is not only wrong, but it's also a little insulting to what he decided to put himself through.

            I'm not suggesting that you start using Tor even if it's against company policy (that would be something entirely different than what he did), but executing your basic rights as an individual will not result in instant unemployment.

            Stand up for what you believe in! If it gets you fired, you're working in the wrong place. If you worked somewhere that wasn't going to immediately fire you for doing something you feel to be just, then maybe your blood pressure wouldn't be so high!
          • And yet... (Score:3, Insightful)

            by spun ( 1352 )
            Everyone says the free market leads to freedom. It seems to lead to people having to shut the hell up or not eat, to me. Wage slavery is still slavery. No matter that you are free to pick your master, if you can't speak your mind or do what you want with your time and resources, you are a slave.
      • Re: (Score:3, Insightful)

        by Synic ( 14430 )
        You aren't preparing the youth of the country for their future lives either, though, are you? ;)
      • Re:Bravo (Score:5, Insightful)

        by KerberosKing ( 801657 ) on Thursday February 08, 2007 @05:29PM (#17940384)
        The thing is, tenure is earned by outstanding scholarship over years of teaching and research. It is a long-standing tradition of university life. Further, it is crucial that we as a society have high-profile people that can question and critique the status-quo of governments, companies and other powerful groups without great fear of reprisals. Such protections are needed, else the relatively low pay and long hours of professors would hardly seem worth it when contrasted with executives and their exorbitant pay.
      • Re:Bravo (Score:4, Insightful)

        by nomadic ( 141991 ) <nomadicworld.gmail@com> on Thursday February 08, 2007 @05:37PM (#17940494) Homepage
        I wish I had "tenure" at my day to day job.

        This incident illustrates the precise reason tenure exists.
  • ill prepared? (Score:5, Insightful)

    by mhokie ( 988228 ) on Thursday February 08, 2007 @05:21PM (#17940250) Homepage
    "The visitors said it was likely against university policy"

    Could they not be bothered with actually checking the policy since they were there to enforce it?

    • Re: (Score:3, Insightful)

      by Anonymous Coward
      big brother gets pissed off when they can't see everything you're doing
    • Re:ill prepared? (Score:5, Insightful)

      by Selanit ( 192811 ) on Thursday February 08, 2007 @05:32PM (#17940432)

      "The visitors said it was likely against university policy" Could they not be bothered with actually checking the policy since they were there to enforce it?

      In fact, they brought a printout of the policy to the meeting with the professor. The reason they weren't sure is that when the policy was written, Tor didn't exist yet. It might violate the policy, but they hadn't faced this kind of thing before, so they weren't certain.

    • Re:ill prepared? (Score:5, Insightful)

      by Kadin2048 ( 468275 ) <slashdot@kadin.xoxy@net> on Thursday February 08, 2007 @05:49PM (#17940692) Homepage Journal
      Well, we can't say for sure now, because it's not like TFA included a copy of the relevant policy (although, if someone wanted to, they could probably figure out where the guy in the article works, and find the policy from there), but he admits that it's vaguely written, and was written back before Tor existed. So there are two immediate issues:

      1) The policy may be so vague, as written, so as to make it unclear whether Tor is legitimate or not. For instance, it could simply have a blanket prohibition of doing things that are detrimental to the network, but not specify exactly what's prohibited and allowed. This is fairly common in most AUPs that I've read, particularly academic ones; rather than attempting to specifically outline what you can't do, they basically say "anything that's bad, don't do it." (Usually in a more verbose fashion, but that's the general idea.) Sometimes they're clear about who decides what is 'bad,' other times less so. It all depends on how bright a person wrote the policy.

      2) The policy, as written, may actually prohibit Tor, but the faculty member, who said he was part of the committee that wrote the policy, believes that owing to the age of the policy and his knowledge of the writers' intentions, that it was never intended to prohibit something like Tor. Thus, his usage, while technically in violation, he believes is OK because -- to put it bluntly -- he knows what behaviors the policy was supposed to prohibit better than the sysadmin does. (This seems like it could be a dangerous position for him to take, but I guess if you've got tenure, you might as well use it.)

  • by gd23ka ( 324741 ) on Thursday February 08, 2007 @05:24PM (#17940310) Homepage
    --"The other men were not familiar, but a quick glance at their cards told me they were detectives on our campus police force."

    _Detectives_ of the campus police force. What's next? Agents of the Campus Intelligence Agency?
    the Department of Campus Security?

    This is really ridiculous.
    • by IthnkImParanoid ( 410494 ) on Thursday February 08, 2007 @05:43PM (#17940606)
      I know it was a joke, but...
      Many campuses have their own PD and FD. Why?
      10,000 staff.
      25,000 students.
      A couple square miles
      It's basically a small, densely populated town...only with higher rates of rape, assault, drug use, theft, and copyright infringement.
      You know, the big 5 :)
    • Re: (Score:3, Insightful)

      by Surt ( 22457 )
      Large universities commonly have their own police force. Try to find a city in this country with a population over 25,000 without one. We have a number of universities with populations higher than that, even twice that.
    • Why not? (Score:3, Insightful)

      by TWX ( 665546 )
      It's not really surprising to have Detectives on a campus police force. There are rapes, burglaries, drug deals, prostitutes, assaults, and even the occasional murder on large college campuses, and the cities that the colleges are located in usually don't have the resources to direct that much attention to that area. Also since much of the in-residence populace is temporary the city's funding wouldn't be as stable for covering that segment of the population. The campus police force is paid for ultimately
    • Re: (Score:3, Insightful)

      by ChaosDiscord ( 4913 ) *

      _Detectives_ of the campus police force.

      Yes, detectives. Note that he's talking about "police," not "security guards." Large enough campuses can benefit from having a focused police force. These aren't thugs in the employ of the university, these are just real police just like the city-wide force, they just have a more specialized focus. They have the same powers and restrictions. As such it's only logical that they would have detectives, just like the city-wide force. By being specialized they c

  • question (Score:5, Interesting)

    by Peter La Casse ( 3992 ) on Thursday February 08, 2007 @05:26PM (#17940328)

    Widespread use of Tor could be a huge headache for network-security administrators, particularly in higher education. My university alone has more than 21,000 students. Imagine what would happen if even a tenth of them and a similar percentage of faculty and staff members started using Tor regularly. With all the spam scams, phishing scams, identity theft, and related criminal enterprises going on around the world, many of which involve remotely hijacking university-owned computers, we could approach technological anarchy on the campus.

    How does Tor enable those things, and how would more people using Tor make those things worse than they already are?

  • by imaginaryelf ( 862886 ) on Thursday February 08, 2007 @05:26PM (#17940336)
    According to the article, he's in Bowling Green State University [bgsu.edu], which is in Ohio. So DHS will be on this case in no time.
  • But... (Score:3, Funny)

    by Stanistani ( 808333 ) on Thursday February 08, 2007 @05:27PM (#17940342) Homepage Journal
    Nothing really happened to him... no sanctions, penalties, threats of actions... they didn't even say "Halt thy nefarious actions, or I shall chastise thee anon!"

    Overblown.
    • Re:But... (Score:5, Insightful)

      by baptiste ( 256004 ) <mike&baptiste,us> on Thursday February 08, 2007 @05:45PM (#17940626) Homepage Journal
      It's not overblown at all. Just like the earlier article about the RIAA sending cease and desist just because you were in a swarm, not actually up or downloading. This professor was doing something completely legal and was asked by law enforcement to stop - it is inferred because they could not monitor his activities. This has a chilling effect. Notice that it wasn't just an IT person requesting he stop - he showed up with two detectives - who probably instigated the entire thing.

      Common sense would dictate that the detectives, doing their jobs and trying to investigate an online scam, ask the professor some questions to determine if he was involved. But instead they asked him to stop doing something legal, tried to get him to NOT share something with his students, and used some vague provisions of an IT policy to back it up. This is a direct attack on academic freedom - 'Thou shalt not tell your students about this' and even worse, telling him not to use Tor himself - obviously because they couldn't track what he was doing.

      Overblown? Hardly - we are losing our rights bit by bit by bit and people who think something like this is 'overblown' are part of the reason. By the time you all realize you've lost most of your rights it'll be too late.

  • by Anonymous Coward on Thursday February 08, 2007 @05:27PM (#17940356)
    Asking the professor not to use Tor on the university-owned network is reasonable.
    Attempting to censure what he can say to his students is clearly not reasonable.
  • by mark-t ( 151149 ) <markt.nerdflat@com> on Thursday February 08, 2007 @05:31PM (#17940412) Journal
    After all, they were able to identify him as one of the users of the application.
  • by BronsCon ( 927697 ) <social@bronstrup.com> on Thursday February 08, 2007 @05:35PM (#17940472) Journal
    If using the service was against university policy, they very well could have Tor him a new one.
  • University IT (Score:4, Insightful)

    by Schraegstrichpunkt ( 931443 ) on Thursday February 08, 2007 @05:37PM (#17940492) Homepage

    What is it about university IT departments that attracts such incompetent people?

    Hint: If you're pouncing on people as often as a small frisky dog does, you're the problem.

    • by TheMCP ( 121589 ) on Thursday February 08, 2007 @06:27PM (#17941216) Homepage
      I was a university IT director a few years ago. The university told me outright when they hired me that they expected to pay me 25% less than an identical job would pay in industry, because they're a not-for-profit organization, and that I should desire to accept this because of the benefits of working in an academic environment (which they listed as long term job security and minimum of four weeks of vacation per year). Okay, fine. They weren't happy when I came back with documentation showing that my industry value was about twice what they thought, but they coughed up the 75% of my industry value that they said they would.

      Then when I wanted to hire anyone, however, they dictated to me what I could offer, and refused to accept any input regarding what industry norms were. So, when I needed a DBA (and frankly needed a really good one), they told me I should get someone Oracle certified, and that I should pay no more than $50k. Skilled, experienced, product certified DBAs, as you may know, tended to go for over twice that (usually more like three times that) a few years back in Boston, and our database wasn't Oracle anyway. I ended up hiring a junior-level person (when I really needed a senior level person) because that was the best I could get for the money they were offering (in fact the only applicant we had received who had any experience with the database products we actually used), and told HR they could forget about certification. Their response was to complain a lot that I hadn't hired a good enough person, despite that they hadn't actually asked me (his manager) about his performance, and he was actually doing unusually well for someone of his level. They also nagged me extensively to replace him with a woman who had applied who was Oracle certified (which was still useless because we still didn't have Oracle), but didn't actually speak English. (Presumably that's why she was willing to take the lousy pay rate.)

      10 months after I was hired the university outsourced my job, proving that their claim of long term job security was a lie in the first place. (I hear they had to hire three consultants to replace me, each one at a cost of two to three times my salary.)

      I've seen this pattern repeatedly in university IT groups; they won't pay what it really costs to get someone who can really do the job, but they insist on unreasonable qualifications given the pay level they're offering, so instead of either shelling out what it costs to get what they want or accepting the best qualified person who would normally be in the pay range they're offering, they instead hire the loser who is willing to both take the low pay rate AND inflate their qualifications (either by exaggeration or outright lies) to meet the university's unreasonable demands. So, when they most need a skilled, experienced person, they're most likely to get a lying fraud who can't get the job done and will give everyone else a hard time to try to make it look like nothing is their fault.
  • by nuintari ( 47926 ) on Thursday February 08, 2007 @05:38PM (#17940512) Homepage
    I attended said university, I know Paul very well. I still run into him in town occasionally, and I will be sure to shake his hand for this.

    I could say a lot of BAD things about *university* ITS, but it'd probably get me in far more trouble than it is worth to say them out loud. I am not there anymore, they don't affect me. I will just be happy that Paul is still the fine individual I have always looked up to.
  • by brouski ( 827510 ) on Thursday February 08, 2007 @05:47PM (#17940664)
    If he had only used Log Deleter 5.0, there would have been no record of his router hopping.
  • by Anonymous Coward on Thursday February 08, 2007 @05:57PM (#17940820)
    From TFA: "Someone looking up potentially sensitive information might prefer to use [Tor] -- like a person who is worried about potential exposure to a sexually transmitted disease and shares a computer with roommates."

    So, sharing a computer with roommates might give you an STD and Tor will protect you from it? Hmmm...
  • by ThePepe ( 775625 ) on Thursday February 08, 2007 @06:02PM (#17940894)
    It's possible that I'm simply missing the point, but if Tor is so effective then how exactly did a university IT guy and two campus cops find out it was in use and trace it so easily to the professor in question? Isn't anonymity the whole point?
    • by vga_init ( 589198 ) on Thursday February 08, 2007 @09:31PM (#17943416) Journal

      It's possible that I'm simply missing the point, but if Tor is so effective then how exactly did a university IT guy and two campus cops find out it was in use and trace it so easily to the professor in question? Isn't anonymity the whole point?

      Every technology has its limits, and the anonymity is actually pretty good. When you browse with TOR, you do these things:

      • Prevent anyone between your computer and TOR from discovering what data is being transferred. In this case it's the university.
      • Prevent anyone between your computer and TOR from discovering the destination of the data.
      • Prevent the recipient of the data (whoever you are connecting to) from discovering its source (who/where you are).

      The university can see that something went between TOR and one of their computers, but they have no idea what that something is or where it's going. Since anyone who can get access to a computer can use it, the university actually doesn't know who was using the computer. They can only guess because it belongs to that professor and is in his office.

      If the professor had taken an extra precaution and used a computer that was not linked to his identity, there really would have been no way to catch him unless they ran over to the machine while he was on it. If he were truly a sneaky bastard, he would have installed TOR along with a program to activate it and do some communications and left before it went on. At some later time he could come back to that machine briefly just to retrieve the data.

      If you are in a repressive country, you could start by using TOR discreetly at an internet cafe. As long as the managers of the cafe are not actively policing their clients, you won't get caught. Better still, your government has no clue and will mistake TOR for traffic they're not interested in.

  • Poor excuse (Score:3, Insightful)

    by adambha ( 1048538 ) on Thursday February 08, 2007 @06:03PM (#17940904) Homepage
    From the article:

    Of course, anonymous Web surfing can be used to conceal fraud and other forms of electronic malfeasance. That was why the police had come to see me.
    Sure, that logic is like saying, "Of course, steak knives can be used to commit murderous crimes. That was why the police had begun questioning all of the patrons at a local Outback Steakhouse..."
  • by Vellmont ( 569020 ) on Thursday February 08, 2007 @06:12PM (#17941024) Homepage
    I'm curious about the problems that Tor creates. I was talking with someone who runs a Tor node, and he was dismayed that he was banned from most EFNet IRC servers. My guess was that people had abused Tor and used it to escape bans on IRC. It seemed perfectly reasonable to ban all Tor nodes if it created those problems.

    So my question is, what problems does Tor create for us all? I'm all for people being able to escape governments that want to control what they do.. but I can't imagine that this doesn't create other problems, some of which might not be immediately apparent.
  • VPN, Proxies, etc... (Score:3, Interesting)

    by Ohio Calvinist ( 895750 ) on Thursday February 08, 2007 @06:44PM (#17941512)
    I used to work for a large Midwestern University, and we blocked outgoing connections to some services, such as VPNs and some proxies. The reason we did this was during the outbreak of the virus (can't remember the name), that hammered Windows on Port 135, we blocked incoming Port 135 connections at the University border. It was hypothesized that if users VPNed to other networks, they would circumvent the port block and become a vector.

    I know everyone worth their weight in IT realizes that a secure border isn't enough. We had virus protection available for free for every seat on campus, however, in a huge distributed environment (where departments and colleges were "islands" in a network ocean, with their own IT staff) we couldn't guarantee the integrity of these machines. But we were sure going to be the ones to take the hit when their "nice kid that they liked too much to see them move on after graduation system admin" didn't bother to CHECK to see if the definitions his AD-out-the-box for dummies was pushing those defs.

    We also disallowed some of these services because it became harder to effectively monitor our network. When some s5r1pt k1dd13 in CIS 201 decides that he is now a UNIX god and is going to put "Bush Sucks - $college_name is #1, fark $rival" on whitehouse.gov to impress his pink haired, pot smoking, PETA member across the hall in the dorms who only talks to him when he removes the spyware she got trying to download off KaZaa, we look like complete dickheads when the Feds show up (or the **AA) and the best we can do is say "I don't know... what goes on in them there tubes" the suits tend to get pretty aggravated.

    On the other hand, even if they are SSHing into an intermediary (which we strongly encouraged over telnet), we can at least say "Well, we had an outgoing SSH connection from 4 machines on campus at that time going to these 4 addresses, do any of those ring a bell? We happened to have authenticated WPA, so we can tell you who these folks are even if the machine name is PoPPySeeD420 and done from the student union."

    Privacy is wonderful, but when the shit hits the proverbial fan, IT would like to know who is pulling shenanigans on the network. The rest of the time, 99.9999% of the time, we'd rather NOT know what you're up to, and every one of us in the office (except for that one windows fanboi MS office specialist who we used to throw beanbags at) had our open source/linux/free as in beer and freedom/crypto-privacy street cred.
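The attribution step described in the comment above (outbound SSH flows matched against authenticated WPA sessions) can be sketched as follows. This is an added example, not part of the original thread; the record layouts, user names and addresses are constructed, and it assumes each authenticated session is logged with its leased IP plus start and end times.

```python
from datetime import datetime

# Constructed firewall flow records: (time, inside source IP, destination IP, dest port)
FLOWS = [
    ("2007-02-08 14:02:10", "10.20.1.15", "198.51.100.7", 22),
    ("2007-02-08 14:03:41", "10.20.1.99", "203.0.113.9", 22),
    ("2007-02-08 14:05:00", "10.20.1.15", "192.0.2.44", 443),
    ("2007-02-08 16:30:00", "10.20.1.15", "198.51.100.7", 22),
]
# Constructed authenticated wireless sessions: (user, leased IP, start, end)
SESSIONS = [
    ("jdoe", "10.20.1.15", "2007-02-08 13:50:00", "2007-02-08 14:30:00"),
    ("asmith", "10.20.1.15", "2007-02-08 16:00:00", "2007-02-08 17:00:00"),
    ("bnguyen", "10.20.1.99", "2007-02-08 09:00:00", "2007-02-08 12:00:00"),
]

def ts(text):
    """Parse the timestamp format used in both constructed logs."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def attribute(flows, sessions, port, start, end):
    """Return (time, user, src, dst) for flows to `port` inside [start, end].

    The user is the one whose authenticated session held the source IP at the
    moment of the flow. It is None when no session, or more than one, covers
    that moment, so a log gap never turns into a guessed name.
    """
    lo, hi = ts(start), ts(end)
    results = []
    for when, src, dst, dport in flows:
        t = ts(when)
        if dport != port or not (lo <= t <= hi):
            continue
        users = [u for u, ip, s, e in sessions
                 if ip == src and ts(s) <= t <= ts(e)]
        results.append((when, users[0] if len(users) == 1 else None, src, dst))
    return results

if __name__ == "__main__":
    for row in attribute(FLOWS, SESSIONS, 22,
                         "2007-02-08 14:00:00", "2007-02-08 15:00:00"):
        print(row)
```

The same inside address maps to different users at different times, which is why the join is on IP and time together; the result says who connected where and when, nothing about what was sent.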
  • Bigger breach (Score:4, Interesting)

    by lord_sarpedon ( 917201 ) on Thursday February 08, 2007 @06:59PM (#17941760)
    Admins should be more concerned about Tor's Hidden Service feature. It's handy to avoid censorship and all, but it allows you to connect to hosts behind a NAT or firewall (the node keeps a circuit open). Not only that, the person using the service remotely is unrelated to the host that shows up in the logs... It's a drop-in backdoor tool. Instant access to the internal network.
  • Bat#*($# Insane (Score:4, Interesting)

    by The Second Horseman ( 121958 ) on Thursday February 08, 2007 @09:26PM (#17943386)
    I'm a systems and network administrator at a University. Frankly, we'd never dream of doing this to anyone on campus (faculty, staff or student). Unless there was compelling evidence of illegal activity, or activity that had a serious impact on the network, we leave them alone. Even staff - supervising staff is their manager's job, not the responsibility of the IT group. If he was sharing his password and outside folks were crowding up the terminal server, or he was running a warez site, sure. But this?


    Here's a legit situation I can see coming up - if a faculty person was somehow using 90% of our internet bandwidth, we'd have to have a chat. Sure, it might be for their research, but that doesn't matter in that case. It's a shared resource, there's a limited (by the University) budget, and it's not an academic freedom issue. It might be convenient for one of the physics faculty to have a supercollider as well, but it's not in the University's budget. You have to partner with someone outside, or get grants, etc. Every institution has limits and priorities.


    But this? This is bizarre. The only awkward situation I can think of in some states is that state schools can fall under open records laws that require that the public can check on certain information (in some states, browser histories have come up in the past). In that case, as a state employee, they might be violating the open records law by going out of their way to hide their activity. Hell, even under a Patriot Act search, we'd have to give them whatever information we had about a user, but we're not obligated to keep information to track back every outbound internet connection - even under CALEA. We probably can't link a PAT assignment on the outside of our firewall to an inside machine for more than a couple of days, at best. We just don't have the space to keep the logs.

  • by harpune ( 557684 ) on Thursday February 08, 2007 @11:35PM (#17944444) Homepage
    A little digging on BGSU's website comes up with what is likely the actual policies:

    http://www.bgsu.edu/downloads/cio/file9602.pdf [bgsu.edu]

    12. Attempting to circumvent computer system or computer network security systems. Attempting to circumvent University computer system or computer network security systems, or using University computer systems or computer networks in attempting to circumvent security systems elsewhere.

    and

    22. Anonymous use, or use of pseudonyms on a computer system or computer network to escape responsibility. No person shall use a computer system or computer network anonymously or use pseudonyms to attempt to escape from prosecution of laws or regulations, or otherwise to escape responsibility for their actions.


    Now, the first one seems like it is worded vaguely and may or may not apply in this situation, but the second one is pretty clear: as long as you are using anonymity services "to escape responsibility". Clearly, the professor was not trying to skirt the law or detection for any shady behaviour. Of course, in the eyes of admins, allowing any use of such anonymizers could be dangerous to their network, and make their jobs harder.

    I take most issue with the detectives' request that the professor refrain from discussing Tor in his classes. It would be academically unethical for the prof to bend to this pressure because a little pressure was put on him by the rent-a-cops. The detectives can ask the professor to do whatever they want, but dictating what he can and cannot teach in his classroom is inappropriate.
