A University of Portland student was suspended for writing a program to bypass the Cisco Clean Access NAC system on campus. Apparently this incredibly dangerous activity is a Patriot Act violation. Or, at least, it is if you believe the letters being sent out by the administration at UP who seem to be confusing "skipping security checks" and "hack into a licensed product"

First, let me mention that I work as a Senior Security Engineer at the University of Florida. I spend 40hrs a week (at least!) dealing with exactly the same type of threats that the folks at the University of Portland deal with and strongly understand the value of NAC in protecting such a difficult network to defend. I should mention that what I write here is obviously not in any way official UFL policy or opinion. I've never been concerned by methods to evade NAC. People who are capable of evading NAC are not the users you're trying to protect from compromise by ensuring they're secure anyway. Deal with the vast majority of users who need NAC for their own protection and the protection of the network and don't worry about the few smart enough to actually evade it.

UP's reaction was not proportionate to the issue. From what's been posted online of the policies and reactions the administrative staff has had to the incident ([1] [2] [3] [4] ), somebody seriously over-reacted. Let's put it this way -- what the program that Mr. Maass wrote did was essentially make his computer look like a PDA. Or a game-system, or any other network device besides those supported by the version of CCA at UP. He didn't hack in without using a username and password, or steal anyone else's account. He didn't attack the CCA system itself with any exploit at all.

That's not to say he didn't handle it poorly. And his actions probably should be a violation of campus policy even if it wasn't when he did it (UP: add some language about "attempting to evade security measures meant to protect the network" and you're done). But suspension? The letter to the local newspaper mentions that there were no less than 19 other lesser sanctions that could have been taken in this instance (see [3] above). A suspension is ridiculous.

It's also odd the way that other students at UP who possessed the program are having action taken against them. One uses a Mac and couldn't even use the program if he wanted to and yet is still having sanctions taken against him. If all it takes is a program that can be used to evade security, they'd better take action against every student, faculty, and staff on that campus running a web browser (most of them, I would imagine). A browser and a little knowledge is all the weapon you need to hack most websites. Better crack down on butter knives and forks in the cafeteria too while you're at it.

Of course, maybe I'm only taking this position because not too many years ago I showed my own little brother how to evade an early version of CCA on his campus merely by changing his User-Agent string to resemble a Mac (that technique has long since stopped being an effective way to bypass CCA, but there are still many others and always will be in a system where you're trying to get trusted responses from an untrusted system).

Thanks Alan for mentioning the article from Tim Greene that brought this to my attention.