
Schools to Avoid: University of Florida 829

Iphtashu Fitz writes "The University of Florida has apparently come up with a technological approach to deal with P2P file sharing on their campus networks. According to this article on wired.com they have developed a program that scans the PCs of students in the UF dorm rooms. The program, dubbed 'Icarus' not only detects P2P applications but viruses, worms, and other trojans. If a P2P application is found then an e-mail is sent to the user, a message is popped up on their screen, and their internet connection is disconnected. First time offenders lose their connection for 30 minutes. The second offense results in a 5 day loss. The third strike results in an indefinite loss of connectivity. An editorial in The Independent Florida Alligator, the student newspaper, called the use of Icarus 'an invasive and annoying system that further deters students from living in dorms (see also another story).'"
  • iptables (Score:3, Informative)

    by Feyr ( 449684 ) * on Friday October 03, 2003 @03:07PM (#7126612) Journal
    i'm not sure what they expect to do with this thing, but it wouldn't be that hard to fire up tcpdump and get a range of "management" ips. you then block those ips from connecting to your computer with iptables/ipchains/ipfwadm/windows firewall/your favorite bagel. that and it surely won't stop hardcore downloaders from logging on IRC and downloading from there (surely everyone knows only newbies use kazaa, the rest are still on irc)

    they can try to block losers, but they won't get the truly geek. and i sure wouldn't accept any violation of MY privacy and limiting legitimate uses (private servers,game servers, research projects, name it)

    and before i get blasted into oblivion, no i don't use kazaa et al, my music is all legitimately got from www.emusic.com, go check it out
  • by Billy_D_Goat ( 589293 ) on Friday October 03, 2003 @03:11PM (#7126650)
    It is news like this which causes me to drink more Dew. More and more ISPs (whether they are colleges or corporations) are acting as Big Brother to their subscribers. There was a story a while ago which talked about ISPs acting as a firewall for the stupid. Well, now we have them looking out for our interests by tracking down virii, trojans, P2P. I guess one could see it as vaguely similar to how cable companies control what is fed to their viewers. Great. Can't wait till Roadrunner picks up this feature.
  • by Anonymous Coward on Friday October 03, 2003 @03:11PM (#7126656)
    I am currently a sophomore at the University of FL who works part time as part of the campus network ops group. This provides me an intimate knowledge of how Icarus works.

    Icarus is a VB application which attempts to connect to the standard ports used by the various P2P apps. If it is able to connect to one of these ports, the IP is marked as suspect in the central DB.

    Addresses marked as suspect are then sniffed, and all packets going to and from that IP are logged to a central server. The RIAA has already subpoenaed most of this data for further analysis (and more lawsuits, I would expect).

    Hope this helps
    -sk
  • by GearheadX ( 414240 ) on Friday October 03, 2003 @03:12PM (#7126680)
    As a former resident of the UF dorms, I can answer this question. The last time someone hooked a router into a dorm room connection, they blew out the entire building's network connection for several days.

    The Division of Housing does NOT look kindly upon someone who so much as mentions the word 'router' in their hearing.
  • by LostCluster ( 625375 ) on Friday October 03, 2003 @03:15PM (#7126715)
    You're still screwed. The lockdown can be placed at the switch port(s) that leads to your room. Can't spoof those without breaking into the locked closet... which hopefully the RA should be able to stop.
  • by edwdig ( 47888 ) on Friday October 03, 2003 @03:16PM (#7126727)
    Common practice at colleges is you have to have your MAC address registered to get an IP address through DHCP.

    You could try taking someone else's MAC address, but you'd probably get noticed fairly quickly, and be in a lot of trouble.
  • Amen (Score:2, Informative)

    by alex_ant ( 535895 ) on Friday October 03, 2003 @03:19PM (#7126780) Homepage Journal
    Speaking as someone living in a university apartment, whatever the IT guys can do to restrict P2P or even block it altogether is fine by me. There was a lot of moaning from a small subset of users after Packeteer (bandwidth limiter) was installed on the network a couple years ago, but the effect for 90% of the users has been a dramatic increase in general responsiveness. You can still use Kazaa and so on here, but they're throttled down to 20K/sec.
  • Re:doesn't matter (Score:1, Informative)

    by Anonymous Coward on Friday October 03, 2003 @03:25PM (#7126854)
    yes, but firewalls don't matter... it's the traffic packets that can screw up your system code. i had a guy on mIRC do it to me when i was in his channel. He was an @. He threatened to take me offline. I have a firewall. He took me offline with specially created packets not destined for any port. I wish firewalls were better at blocking such things.
  • by redcup ( 441955 ) on Friday October 03, 2003 @03:26PM (#7126872)
    I used to work at the helpdesk at my school, so I can tell you this would most likely have no effect.

    To give a real example from my university: By default, all the network jacks are on, and if you use it and don't pay for the dorm internet connection, it gets cut off after a week. If it is never used, it is left on (this helped reduce the mess of getting everyone set up the first week in the fall).

    One day in the middle of the spring semester, we detected port scanning from a student townhouse dorm, coming from an unregistered jack (the townhouse had 4 of them, 2 of which were being paid for). The jack was still on because it was previously unused. Solution? We simply had the NOC kill the jack.

    The student had switched the jack his computer was connected to, thinking it would prevent us from tracking him down. He was half right - perhaps we couldn't say which student in the townhouse was doing it. If he had a router behind it, we didn't need to know - the jack was all we cared about.

    Lo and behold, within a few minutes one of the students at that room called up to say his network connection had died. It was hilarious... it was practically a confession. Of course he denied it, but refused my offer to come over and check his computer since it was port scanning without his knowledge. We let him off with a warning, and to the best of my knowledge, he didn't do it again.
  • Re:What the fuck? (Score:4, Informative)

    by Tack ( 4642 ) on Friday October 03, 2003 @03:42PM (#7127042) Homepage
    Well, correct me if I'm wrong, but Ethernet has a standard for how many segments you can tack together (5 is it?)

    Adding a router does not extend the segment. It creates a new segment and a new subnet. The 5-4-3 rule does not apply to routers. Just imagine how broken the Internet would be if we could have at most 4 routers between end points. :)

    Jason.

  • Re:E-mail? (Score:3, Informative)

    by phoenix_rizzen ( 256998 ) on Friday October 03, 2003 @03:42PM (#7127046)
    Internet connection, not network connection. They'd still be connected to all the internal servers so they could receive e-mail. Just their access to the outside world via the Internet gateway would be blocked.
  • by RockClimbingFool ( 692426 ) on Friday October 03, 2003 @03:44PM (#7127066)
    "It's the university's network, they can do anything they want. You have to agree to their policies or don't use the network." If there are alternative ways to get on the Internet, then I agree. However, a lot of universities require incoming freshmen to stay in dorms. The university is the only provider of cable television, phone and Internet access for those particular students. So dictating what programs they can and cannot use is definitely infringing on some freedoms.
  • Re:Firewall them! (Score:3, Informative)

    by httptech ( 5553 ) on Friday October 03, 2003 @03:44PM (#7127069) Homepage
    Firewall denies their check, they consider that a failure, the switch in the closet is told to forget about the port to which your wire is connected, you're off the network, buh-bye.

    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

    Icarus sees port as being closed instead of filtered. Problem solved.

  • by Anonymous Coward on Friday October 03, 2003 @03:49PM (#7127107)
    Like its name says, the florida alligator is NOT run by students, or affiliated with the university in any way. It's an independent company that makes a living by selling its paper to students. That is the only respect in which it is a "student" paper, and the views found in the Alligator bear little or no resemblance to reality. They want people to read their paper, so they can sell your eyeballs to their advertisers, and that's it.
  • by numatrix ( 242325 ) on Friday October 03, 2003 @03:54PM (#7127167)
    That's nice, but you didn't tell them the whole story. I work at the as one of only three full-time security people for the whole university, so you probably know me. Let me fill in the gap.

    The system is more than just a port scanner. If you think you can evade it simply by blocking probes, you're dead wrong. The system is more than that, it also incorporates passive monitoring. Here's a hint. There ain't no way to disguise high bandwidth. No encryption, no port changes, nothing that will hide that. If you're downloading massive amounts of data, you will be found. Period.

    Also, for those people who are arguing about morality, ethics, service, responsibility, privileges, whatever, it's a moot point.

    When you move into the campus housing, you sign a legal document to the effect that you will not run P2P. No, it's not illegal to run it, but it ~is~ a violation of your living agreement, and housing is well within their rights to shut you off or take other action for P2P or abuse of services (as many other posters have noted, the few that abuse the service often make it unusable for those who legitimately need it).
  • by Stackis ( 308395 ) on Friday October 03, 2003 @03:55PM (#7127178) Homepage
    I work for the UC system as a Sys Admin, and couldn't agree w/you more. Too many students seem to plug their machines into the Resnet, and not bother about AV software, or the bandwidth wasted when they share large files over the network. I think what U of F is doing is nothing but protecting their network from the inevitable...
  • by alienw ( 585907 ) <alienw.slashdot@ ... inus threevowels> on Friday October 03, 2003 @03:55PM (#7127185)
    Most require? I haven't been to college in a good number of years, but that seems like a big load of crap to me.

    I haven't done an extensive survey, but all of the universities I applied to (such as UIUC) had such a policy. Sure, they sometimes make exceptions (if you live with your parents, are married, have children, have disabilities that the university cannot accommodate and have a doctor's letter saying so, are over 21, and so on). As for widespreadness, a quick google search [google.com] shows that such policies are rather common, especially at public institutions.
  • by James Lewis ( 641198 ) on Friday October 03, 2003 @04:00PM (#7127240)
    The issue here is the invasion of privacy. There are plenty of ways to control bandwidth usage without doing this. My college (Ga Tech) had huge problems with p2p software taking up all available bandwidth. For about two semesters the pings were 1000 even to across the street, and the network was almost unusable because of this. Finally Ga Tech did something smart: they updated the hubs so that they could limit everyone to 60 kb/sec upload on a port by port basis. The vast majority of traffic created by P2P is from uploading. Now everything runs smooth.
  • Bzzz. (Score:4, Informative)

    by mikedaisey ( 413058 ) on Friday October 03, 2003 @04:25PM (#7127510) Homepage

    Actually, they are looking inside the computers themselves, identifying files, viruses and apps.
  • by Nucleon500 ( 628631 ) <tcfelker@example.com> on Friday October 03, 2003 @04:26PM (#7127514) Homepage
    P2P causes a lot of traffic and is expensive, and often results in C&D letters. Obviously colleges have an incentive to get it off their network, or at least throttle it. But there are much better ways.

    Florida's current solution is much too invasive, and not very effective. Does the app run in Linux? Wine? Mac? Limiting operating system choices is a very bad thing for a university, especially for the computer science students who are trying to widen their experience.

    It's also not effective. What's to stop someone from running the spyware in an emulator? Renaming their P2P programs?

    The problem is that a university network has untrusted (in the security usage) clients. But it's not a problem: It's easy to tell who's running P2P programs, and who's infected, centrally. This is more effective and less limiting.

  • by Worminater ( 600129 ) <worminater.gmail@com> on Friday October 03, 2003 @04:38PM (#7127640)
    Actually, you are required to use the school's internet if you're on campus.

    bastards don't allow outside lines to come in, or else i would have dsl right now :-p (school network sucks for just about everything including web browsing)
  • by Alioth ( 221270 ) <no@spam> on Friday October 03, 2003 @04:48PM (#7127730) Journal
    I disagree with scanning people's PCs.

    However, P2P sharing is the *worst* thing your network can be beset with. The leeches hog incredible amounts of bandwidth. Kazaa et al. are also very network hostile with measures to get around a sysadmin's attempt to shape traffic.

    It takes more and more admin time just blocking malware and P2P music sharing. The university network is there primarily for academic purposes, not wholesale music piracy.

    It's a frigging nightmare. If I were a University admin, my goal would be to not block ports or traffic because I want proper end-to-end connectivity. But then you get the cancer that is Kazaa which actively tries to evade your attempts at sharing traffic. The only route left for the admin is a strict anti-music sharing policy. If only the leeches could control themselves instead of getting not only their mouths in the trough, but their front trotters too, it wouldn't be such a big deal. But of course, they show no restraint.

    If I were a university admin, I'd make it very plain what the policy is when students get their connection. The policy would be no music sharing, no spam, no malware (if you want to share legitimate music, then you either put it on the music department's website or rent your own server). Anyone caught sharing music otherwise would have their account locked and would have to come to me for a bollocking. Three offences and it'd be disciplinary action.
  • by Anonymous Coward on Friday October 03, 2003 @04:53PM (#7127771)
    Nice trolling, assfuck.

    The kids are forced to pay for university network access, and no other options are available. I also love how lots of people are for UF telling you what programs your computer can run, but they get all pissy when MS tries it.
  • by Knightfall ( 558914 ) on Friday October 03, 2003 @05:17PM (#7127961)
    I had to bite on this one. I am a sysadmin at a medium sized private college. The LAST thing I want is anything related to me or my job directly on a student's computer. I don't want them as members of my domain, and I don't want any access to their computer. Do you have any idea the lawsuits that would open up? I control from the network jack on back. If your computer is soaking up all the bandwidth, for whatever reason, it is the school's (and being the designated agent of the school, my) right to shut your connection off. At least colleges like mine and the UoF are checking to make sure there is not a legitimate reason for you to be bringing down the bandwidth house!

    My 2/100 of a $.
  • by mliesenf ( 713172 ) <mliesenf@[ ]il.com ['gma' in gap]> on Friday October 03, 2003 @05:34PM (#7128123)
    "Yeah, it's all true. As part of the ICARUS package we are going to provide our VB application development suite for Unix. Open source!

    Or not." -wills, DHnet Administrator

    http://www.dhnet.ufl.edu/forums/viewtopic.php?t=175
    (ps. they all use bsd)
  • Re:Bzzz. (Score:4, Informative)

    by omega_cubed ( 219519 ) <wongwwy@@@member...ams...org> on Friday October 03, 2003 @05:54PM (#7128321) Journal
    Is it really possible to "scan inside the computer"? I know that with many of my peers, the computer is so poorly locked down that anyone on the subnet can get read/write priv. to their Windows boxes. But there are also a great number who pay attention to such things. And wouldn't bypassing security/privacy for PC's constitute cyber-crime?

    Since the article didn't really elaborate, my best guess is that for Icarus to be legit, all they can really do is to do a port scan on the machines. The "worms and viruses" they refer to often open up otherwise unused ports, and the classic 6*** ports used by P2P apps can be easily determined.

    The article mentions that
    Icarus then scans their computer, detects any worms, viruses or programs that act as a server, such as Kazaa.
    One way to read it is that the program scans the computer's contents and looks for files, viruses and apps. Another way to look at it is that the program scans the computer's ports and sees if there's anything listening on ports that are "not allowed" to be open, i.e. worms that act as servers, viruses that act as servers AND apps that act as servers.

    My school implemented a similar policy last year, when they monitor the traffic going to and from common p2p ports, and only allow us to have one upload going on at a given time. (The school acknowledges the legit uses of p2p, and so long as you don't violate copyright, you are welcome to use it, if you do not overburden the university network. It was a purely bandwidth issue.) Other servers, such as the ones for games, or http or ftp (and as far as I can tell, SMTP too) are left to the owner's discretion.

    My reading of the article is that the school created nothing more than an automated Portscan->Winpopup->Email->Access-Shutdown system.

    On a different note, I found it quite peculiar that no student has spoken up against UF's guilty until proven innocent stance. And blocking LAN games? That hardly consumes any bandwidth (going in and out of the university infrastructure), and I certainly hope that the Dorms are not so crowded that half a dozen guys playing Unreal Tournament drags down the network for the entire building! If that's the case, you wouldn't want to live there to start with.

    Then again, I loved the quote
    The no file-servers policy has actually been in place for several years because several enterprising students had used the university network covertly to run their own commercial websites, some of which were illegal, according to Bird.


    "One of the more popular websites for creating fake IDs was run off one of the student computers in the residence halls," he said. "It was up for about a month and a half. That example highlights exactly what you don't want to happen.

    "The peer-to-peer file-sharing policy is a direct extension of that," he said.
    Yep. University life should be just like real life. We banned the making of bicycles because some hoodlum terrorized pedestrians and committed robbery on one.

    W
  • by MaestroRC ( 190789 ) on Friday October 03, 2003 @06:54PM (#7128813) Homepage
    Absolutely wrong. I am a student at the University of Tennessee in Knoxville, and they here take P2P and such quite seriously. If you are found to be sharing files that are against copyright (which, by the way, you are PUBLICLY sharing, so they are quite legally allowed to look at it), you get disconnected. All they do is see who the users of P2P are by looking at the network traffic, then take a little app and have it see what you have shared, if anything. Then it's nothing major for them to link your MAC address to your IP address, which here is also linked to your NetID, which identifies you as you. When one plugs into the network, there is a TOS agreement that you have to click through to register your computer and get on the internet. Part of that is that they can do what as far as the network goes with your computer to ensure copyright law and security.

    I for one have no qualms about them scanning the hell out of my system, or blocking P2P traffic (we have a port shaper that allows only 1% of available bandwidth to recognized P2P ports on the network), since BEFORE these policies were implemented, the campus connection was painfully slow. I'm not talking ISDN slow, rather, 14.4Kbps slow. And this is only 3-4000 students being served by an OC-48. After it was implemented, web browsing was increased dramatically (downloads to other universities and large corps went back up to 3-5Mbit, like it should be), and overall everyone was happier. People are stupid, get over it. When stupid people get together in large masses (the ResNet is one huge LAN), everything is multiplied exponentially... virus problems, worms, and bandwidth usage. It may be "evil", but it's a necessary one.
  • Actual information (Score:1, Informative)

    by Anonymous Coward on Friday October 03, 2003 @07:30PM (#7129111)
    I am the architect of ICARUS, and I felt a need to address some of the overall comments in this thread as I have watched them develop.

    0. Downloading large files, etc. will never trigger ICARUS. This is not a simple matching system, by any means.
    1. ICARUS is not some magic bullet super scanner. We use, and promote all open source tools, open source operating systems and free speech. We do not install a client package, we do not "hack" systems and we do not look at files, process tables, etc. on the client systems.
    2. ICARUS is a system for integrating a vast array of tools together, making complex policy decisions based on data collection, and then taking complex actions. Yes, it can stop P2P apps in a wide variety of ways. It can do a lot of things regarding management. In that regard, it's not focused at all, it's something you use to manage everything around you. For example, you say you want to determine who has patched themselves against some certain vulnerability? Then select the appropriate methods for collecting the data you need, and decide what actions you want to take. Actions are limited by...perl.
    3. "You are responsible for considering the moral implications of what you create, and how it is used"
    I simply can't believe this statement. We DID consider the implications of it. Extensively. In fact, my co developer and I wrestle with it all the time. Vastly more good comes from what we are creating than bad. ICARUS is a policy enforcement tool...that can encompass a number of things. It is the policy of the University to prohibit illegal activity on their network. We are simply able to enforce it.
    4. Florida Sunshine Law: Actually, this is explicitly covered as a mechanism of security policy enforcement. There is no legal access under this law to source code or anything else.
    5. We will likely be making this a public open-source project in the spring. We intend to offer it free of charge, although the licensing itself has not been determined (likely GPL).
    6. The individual claiming to know how it was written (re: VB, subpoenaed database, etc.), fabricated every part of that post. Only a tiny handful of people have seen the source code or been involved in a discussion about its internals.
    7. We don't terminate user access, we restrict them to campus-only access. Termination is a temporary action in last resort cases with multiple violations.

    Calm down, folks. Some day, you'll probably want to use it for something, I promise ;).
    Take care,
    Rob
  • by Cardoe ( 563677 ) <cardoe@g[ ]oo.org ['ent' in gap]> on Saturday October 04, 2003 @03:36AM (#7131160) Homepage
    So here's the low down on this program. As a RA (Resident Assistant) on UF's campus and also being somewhat of a knowledgeable Linux user (read: former Gentoo dev).

    Basically they port scan you. If you've accidentally left WinXP's default Shared Doc's folder shared or anything shared then they say in the Housing Agreement you sign that they can log in and look at anything you have openly shared.

    Now just cause they know people will run their own firewalls to block them out and then still run whatever apps they want.. they require you to leave certain ports and accept certain packets (i.e. ping, netbios stuff, etc).

    The message that they pop up on your screen is actually a net send message.

    In actual application, it has slowed down the max speeds of the network and latency is about the same. It does kick you offline for very short periods (long enough for IRC to reset sometimes and GAIM to definitely have to reconnect)
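
An added illustration, not ICARUS code (the thread says its internals are not public) and not from any commenter: a Python sketch of the central, passive detection several posts argue for, flagging dorm hosts that act as servers to off-campus peers regardless of port, then applying the 30-minute / 5-day / indefinite escalation from the story summary. The address range, thresholds, flow-record format and all names are assumptions made for the example.

```python
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

DORM_NET = ip_network("10.20.0.0/16")   # assumed dorm address range (constructed)
MIN_PEERS = 3                            # assumed thresholds, not from the thread
MIN_BYTES_SERVED = 50_000_000

# Escalation from the story summary: 30 minutes, 5 days, then indefinite.
PENALTIES = [30 * 60, 5 * 24 * 3600, math.inf]

# Constructed flow records, one per line:
# epoch_seconds initiator responder responder_port bytes_sent_by_responder
SAMPLE_FLOWS = """\
1000 198.51.100.7 10.20.1.15 1214 30000000
1010 203.0.113.9 10.20.1.15 1214 25000000
1020 192.0.2.44 10.20.1.15 41000 20000000
1030 10.20.2.8 203.0.113.80 80 700000000
1040 198.51.100.7 10.20.3.3 22 40000
1050 10.20.2.8 10.20.4.4 27015 900000
"""


def parse_flows(text):
    """Yield (ts, initiator, responder, port, bytes_served) per valid line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, init, resp, port, served = parts
        yield int(ts), ip_address(init), ip_address(resp), int(port), int(served)


def find_servers(flows, min_peers=MIN_PEERS, min_bytes=MIN_BYTES_SERVED):
    """Return dorm hosts that served data to several off-campus initiators.

    The port is ignored, so moving a service to another port changes nothing.
    Downloads and dorm-to-dorm traffic are never counted.
    """
    peers = defaultdict(set)
    served = defaultdict(int)
    for _ts, init, resp, _port, nbytes in flows:
        if resp in DORM_NET and init not in DORM_NET:
            peers[resp].add(init)
            served[resp] += nbytes
    return sorted(
        str(host) for host in peers
        if len(peers[host]) >= min_peers and served[host] >= min_bytes
    )


class Enforcer:
    """Tracks strikes per host and when its off-campus access returns."""

    def __init__(self):
        self.strikes = defaultdict(int)
        self.restricted_until = {}

    def is_restricted(self, host, now):
        return now < self.restricted_until.get(host, 0)

    def report(self, host, now):
        """Record a violation; return the penalty in seconds (inf = indefinite).

        Returns 0 without adding a strike if the host is already restricted.
        """
        if self.is_restricted(host, now):
            return 0
        self.strikes[host] += 1
        penalty = PENALTIES[min(self.strikes[host], len(PENALTIES)) - 1]
        self.restricted_until[host] = now + penalty
        return penalty


if __name__ == "__main__":
    enforcer = Enforcer()
    for host in find_servers(parse_flows(SAMPLE_FLOWS)):
        print(host, "restricted for", enforcer.report(host, now=1100), "seconds")
```

In the constructed sample, the 700 MB download and the dorm-to-dorm game session are ignored, while the host answering three off-campus peers is flagged even though one of those connections used a non-default port.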
