Preventing internet traffic from being snooped - legitmit reason

southwind

Junior Member
Dec 15, 2011
I get my internet through a university and I connect with an ethernet cable. I know they sniff packets and know what is downloaded. Is there a way to encrypt all traffic so they can't?

I'm not planning on any illegal activity, I just want privacy. I don't want people to read my emails, what I do on facebook, chat, even typing this message. Can they even get my banking information when I log into my bank's website?
 

imagoon

Diamond Member
Feb 19, 2003
Easiest is to buy your own.

Alternatively, some VPN-style service. However they (the school) will see the encrypted packets and some actively block the common protocols.
 

spidey07

No Lifer
Aug 4, 2000
> Easiest is to buy your own.
>
> Alternatively, some VPN-style service. However they (the school) will see the encrypted packets and some actively block the common protocols.

Or use a transparent SSL proxy and read all their stuff. Students tend to think they are smarter than the admins.
 

Railgun

Golden Member
Mar 27, 2010
> I just want privacy.

Then tear up your credit cards, close your bank accounts, lose your cell phone, don't drive through toll booths, and stay off the Internet.

Unless you have a camera in the bedroom that you're streaming to the world, the stuff that you and 99.999% of the population does on a day to day basis is really unimportant enough to not need to worry about what you think someone else is looking at.

Now that you have created this post, the google spiders will now allow anyone to find it and know that you're looking to hide and quite possibly you've now drawn more attention to yourself.

/super sarcasm

:D
 

drebo

Diamond Member
Feb 24, 2006
If you send data over someone else's network, they can see it, and there is nothing you can do about it. Period.

Get used to that fact, and you will be a lot less bothered by the Internet.
 

NXIL

Senior member
Apr 14, 2005
Hey Southwind--not to be a grammar nazi, but, if you attend university, endeavor to spell "legitimate" correctly.

As for your privacy: yes, there are many things you can do to protect your privacy. It's a big issue right now--the majority of people are throwing their privacy away using facebook, and other social media.

Your cellphone, web search habits, friend lists--all are out there.

Check this out from today's news:

As Banks Start Nosing Around Facebook and Twitter, the Wrong Friends Might Just Sink Your Credit


http://www.betabeat.com/2011/12/13/...friends-might-just-sink-your-credit/?show=all

With a credit report someone can summarize your life pretty darn well.

So, it's not just your university sniffing your packets. That did not sound right. It's not the university observing your data stream per se--they can and will to make sure you are not downloading music and movies.

There are a lot more places you should be looking into this rather than here.

To start: proxies.

http://www.google.com/#sclient=psy-...w.,cf.osb&fp=868032395a21deba&biw=853&bih=587

84 million hits.....

Learn openssl.

Look into PGP: Phil Zimmerman wrote this a few decades ago and almost went to jail for coming up with very difficult (not impossible) to break encryption. Why was this a crime? It wasn't, but, the Federal Government did not want good encryption out there for you to use. They shouldn't have worried: most people don't bother.

(Blackberry messages used to be well encrypted and protected from prying eyes...they sold out.)

Ha. PGP now owned by Symantec.

http://www.symantec.com/business/theme.jsp?themeid=pgp

Well, good enough to protect your privacy on university network. Has a back door now though.....

Read what these guys have to say:

https://www.eff.org/

Subscribe to Schneier's cryptogram

http://www.schneier.com/crypto-gram.html

Been following SOPA?

http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act

No? Then you probably don't know the military can arrest and hold without trial or counsel "terrorists" found on American soil. That happened this week. NoBama did not veto it like he said he would.

What's a terrorist? You if they say so.
 

MtnMan

Diamond Member
Jul 27, 2004
You can't disguise IP addresses, URL, and port numbers, so what site you connect to and the services you are accessing is easily captured and logged, if they want to.

Specific addresses may even trigger logging of traffic.

Their network, their rules, that's the way it works.

Content of packets can be encrypted, but it also requires that the other end supports SSL for whatever you are doing.
 

alkemyst

No Lifer
Feb 13, 2001
if they have physical access you are f***d.
 

kornphlake

Golden Member
Dec 30, 2003
> I get my internet through a university and I connect with an ethernet cable. I know they sniff packets and know what is downloaded. Is there a way to encrypt all traffic so they can't?
>
> I'm not planning on any illegal activity, I just want privacy. I don't want people to read my emails, what I do on facebook, chat, even typing this message. Can they even get my banking information when I log into my bank's website?

You're concerned about your university snooping on what you do on facebook or what you post on a forum? Duh, the whole world can see that, if the university wants to snoop on you they can snoop without your computer on their network. I know, that was irony right, cause anything a college student does or says that seems foolish is done ironically.

I believe a https connection is encrypted from your PC, your school might be able to see that you often visit a bank's website but they shouldn't be able to intercept any account information, your bank's website does use a https address right?
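To make MtnMan's and kornphlake's points concrete, here is an added example (not from anyone in the thread) of what an observer on the university network can recover from the first bytes of a connection. A constructed TLS ClientHello for an HTTPS connection exposes the destination address, port and the SNI hostname but none of the request; a constructed plaintext HTTP request exposes the full URL as well. The hostnames and addresses (`bank.example`, `192.0.2.10`) are made-up sample values.

```python
import struct
from typing import Optional

# Added example: what an on-path observer can log from the first client bytes.
# All sample input below is constructed for the demo.


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.

    Only the fields a passive observer cares about are filled in; the 32-byte
    random is zeroed because this is test input, not a real handshake.
    """
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_data = struct.pack("!H", len(entry)) + entry              # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + bytes(32)                                   # version, random
        + b"\x00"                                                 # empty session id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"              # two cipher suites
        + b"\x01\x00"                                             # null compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:               # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # skip version and random
        pos += 1 + body[pos]                                   # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                      # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        if pos + 2 > len(body):                                # no extensions block
            return None
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                                # not server_name
                continue
            p = 2                                              # skip server_name_list length
            while p + 3 <= len(edata):
                ntype = edata[p]
                (nlen,) = struct.unpack("!H", edata[p + 1:p + 3])
                p += 3
                if ntype == 0x00:
                    return edata[p:p + nlen].decode("ascii")
                p += nlen
    except (IndexError, struct.error):
        return None                                            # truncated or malformed
    return None


def observer_view(dst_ip: str, dst_port: int, first_bytes: bytes) -> dict:
    """Summarise what the network owner can log from a flow's first client bytes."""
    view = {"dst_ip": dst_ip, "dst_port": dst_port, "hostname": None, "url_path": None}
    sni = extract_sni(first_bytes)
    if sni is not None:
        view["hostname"] = sni                 # visible; the HTTP request inside is not
        return view
    head = first_bytes.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):      # plaintext HTTP
        view["url_path"] = parts[1].decode("ascii", "replace")  # whole URL is visible
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                view["hostname"] = line[5:].strip().decode("ascii", "replace")
    return view


# Constructed plaintext request for comparison with the TLS case.
SAMPLE_HTTP_REQUEST = b"GET /login?user=alice HTTP/1.1\r\nHost: bank.example\r\n\r\n"

if __name__ == "__main__":
    print(observer_view("192.0.2.10", 443, build_client_hello("bank.example")))
    print(observer_view("192.0.2.10", 80, SAMPLE_HTTP_REQUEST))
```

The HTTPS case yields the hostname and port only; the HTTP case yields the path and query string too. Neither hides which site was visited, which is exactly the gap an SSH tunnel or VPN closes from the campus network's point of view (the far end of the tunnel sees it instead).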
 

pitz

Senior member
Feb 11, 2010
If you're extra-paranoid, an encrypted virtual machine on a remote machine accessed through an encrypted tunnel may be the way to go. If it's set up correctly, they'll basically have to waterboard you to get the passwords to retrieve any data from it.

Networking is fast enough these days that, video playback excepted, such VMs offer excellent performance. The VM itself can often be accessed 'out of band', which means that it, in turn, can be hooked up to some sort of encrypted transport.
 

VinylxScratches

Golden Member
Feb 2, 2009
Get a VPN router and put it in your parent's place and connect to it. Make sure to use DynDNS on one of their computers to dynamically update the IP address to the host name you choose.
 

nitrous9200

Senior member
Mar 1, 2007
I would recommend an SSH server/Squid setup and then just connect to that.
There are plenty of guides on installing/configuring OpenSSH and Squid; install those on a Linux box (or a virtual machine), open the port on your router, and then connect to that from your dorm. That's an oversimplified explanation but it will be an encrypted tunnel that they can't get into.
That or go with a paid VPN service but I wouldn't bother.
 

freegeeks

Diamond Member
May 7, 2001
> Or use a transparent SSL proxy and read all their stuff. Students tend to think they are smarter than the admins.

I'm no expert, but in my understanding this only works transparently to the user if you have control of the client; otherwise there will be a security alert popup (certificate warning) triggered on the client.
Transparent SSL proxies are nothing more than a man-in-the-middle attack; if you don't control the host, he/she will know that something is going on from the browser security warnings.

Am I right?
 

freegeeks

Diamond Member
May 7, 2001
> I get my internet through a university and I connect with an ethernet cable. I know they sniff packets and know what is downloaded. Is there a way to encrypt all traffic so they can't?
>
> I'm not planning on any illegal activity, I just want privacy. I don't want people to read my emails, what I do on facebook, chat, even typing this message. Can they even get my banking information when I log into my bank's website?


ssh + port forwarding to an outside host under your control
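The "ssh + port forwarding" suggestion above and nitrous9200's SSH server setup both come down to `ssh -D <port> user@host`, which opens a local SOCKS5 listener that the browser is pointed at. Below is an added example (not code from anyone in the thread) of the SOCKS5 exchange the browser then performs, with both sides' messages and a small stand-in for the ssh side so it runs offline over a socketpair. It demonstrates a caveat worth knowing: the tunnel only hides DNS lookups from the campus network if the browser passes the hostname through the SOCKS request (ATYP 0x03) instead of resolving it locally first; in Firefox that is the "Proxy DNS when using SOCKS v5" option. The names and addresses (`bank.example`, `192.0.2.10`) are constructed sample values.

```python
import socket
import struct
import threading

# Added example: the SOCKS5 exchange between a browser and a local "ssh -D"
# listener, with a stand-in for the ssh side so it runs offline.

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (SOCKS messages are length-delimited, not line-based)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def build_connect_request(host: str, port: int) -> bytes:
    """Client CONNECT request. A literal IPv4 address means the client already
    resolved the name itself, so that DNS query went to the campus resolver; a
    hostname (ATYP 0x03) is resolved at the far end of the tunnel instead."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def read_connect_request(sock: socket.socket) -> dict:
    """Tunnel side: read one CONNECT request and report what it revealed."""
    ver, cmd, _rsv, atyp = recv_exact(sock, 4)
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    return {"host": host, "port": port, "resolved_locally": atyp == ATYP_IPV4}


def fake_ssh_side(server: socket.socket, seen: dict) -> None:
    """Stand-in for the ssh -D listener: accept no-auth, record the CONNECT,
    answer REP 0x00 (succeeded) with a zero bind address and port."""
    ver, nmethods = recv_exact(server, 2)              # VER, NMETHODS
    methods = recv_exact(server, nmethods)
    if ver != VER or NO_AUTH not in methods:
        server.sendall(bytes([VER, 0xFF]))             # no acceptable methods
        return
    server.sendall(bytes([VER, NO_AUTH]))
    seen.update(read_connect_request(server))
    server.sendall(bytes([VER, 0x00, 0x00, ATYP_IPV4]) + bytes(6))


def socks5_connect(client: socket.socket, host: str, port: int) -> bool:
    """Client side, as a browser pointed at the -D port does it."""
    client.sendall(bytes([VER, 1, NO_AUTH]))          # offer only "no authentication"
    ver, method = recv_exact(client, 2)
    if ver != VER or method != NO_AUTH:
        return False
    client.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(client, 4)
    if atyp == ATYP_DOMAIN:                           # drain BND.ADDR + BND.PORT
        recv_exact(client, recv_exact(client, 1)[0] + 2)
    else:
        recv_exact(client, 6 if atyp == ATYP_IPV4 else 18)
    return ver == VER and rep == 0x00


def run_handshake(host: str, port: int) -> dict:
    """Drive both sides over a socketpair; return what the tunnel end saw."""
    client, server = socket.socketpair()
    seen: dict = {}
    t = threading.Thread(target=fake_ssh_side, args=(server, seen))
    t.start()
    try:
        seen["connected"] = socks5_connect(client, host, port)
    finally:
        t.join()
        client.close()
        server.close()
    return seen


if __name__ == "__main__":
    print(run_handshake("bank.example", 443))   # hostname travels inside the tunnel
    print(run_handshake("192.0.2.10", 443))     # name was resolved on the LAN first
```

With the hostname form, the only thing the campus network sees is an encrypted SSH session to one outside host; with the pre-resolved form, the DNS query for the site still went out in the clear before the tunnel was used.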
 

spidey07

No Lifer
Aug 4, 2000
> I'm no expert, but in my understanding this only works transparently to the user if you have control of the client; otherwise there will be a security alert popup (certificate warning) triggered on the client.
> Transparent SSL proxies are nothing more than a man-in-the-middle attack; if you don't control the host, he/she will know that something is going on from the browser security warnings.
>
> Am I right?

Yes, which is why you make students install your "security software", part of which is it puts its SSL proxy in your browser cert trust list.
 

thecoolnessrune

Diamond Member
Jun 8, 2005
> Yes, which is why you make students install your "security software", part of which is it puts its SSL proxy in your browser cert trust list.

I know very few universities that would require this. If they did, I know I most certainly wouldn't attend.

I understand where you're coming from, with the idea of total security and the ability to completely see and view what's going on in a network that you own, however in business as I'm sure you'd understand, there needs to be costs vs. performance. These could be monetary or some other form. For instance, people make the payment every day to facebook saying that the information they give facebook is worth the services facebook provides to them.

Basically you would have to provide services to the students that justifies needing the ability to read all their traffic. I personally cannot think of anything that a university could offer me that would justify this compared to any other university.

I tunneled at my university and they didn't even snoop traffic (I worked with the network admin extensively while there). I had no particular reason to do it being as I didn't do anything illegal on their networks. But I made it my business to not make it their business. Just because someone needs my credit card to do a transaction does not mean I'd go advertising my secure code to all who wanted it. I tunneled, and made no effort to hide the fact that I tunneled from the network admin.

Again, while I understand where you're coming from, there's way too many schools out there who do not use security to the silly extent you're calling for, to make it so that any university that did ask for it would then be considered sub-par. Everyone will have their own limits on what they find acceptable. For me they can do anything on the network they want up to the point they begin asking me to put software on my computer. I'll evaluate and decide whether it's needed or not but I would not put software on my personal computer simply because the school wants to monitor my traffic.
 

imagoon

Diamond Member
Feb 19, 2003
> I know very few universities that would require this. If they did, I know I most certainly wouldn't attend.
>
> I understand where you're coming from, with the idea of total security and the ability to completely see and view what's going on in a network that you own, however in business as I'm sure you'd understand, there needs to be costs vs. performance. These could be monetary or some other form. For instance, people make the payment every day to facebook saying that the information they give facebook is worth the services facebook provides to them.
>
> Basically you would have to provide services to the students that justifies needing the ability to read all their traffic. I personally cannot think of anything that a university could offer me that would justify this compared to any other university.
>
> I tunneled at my university and they didn't even snoop traffic (I worked with the network admin extensively while there). I had no particular reason to do it being as I didn't do anything illegal on their networks. But I made it my business to not make it their business. Just because someone needs my credit card to do a transaction does not mean I'd go advertising my secure code to all who wanted it. I tunneled, and made no effort to hide the fact that I tunneled from the network admin.
>
> Again, while I understand where you're coming from, there's way too many schools out there who do not use security to the silly extent you're calling for, to make it so that any university that did ask for it would then be considered sub-par. Everyone will have their own limits on what they find acceptable. For me they can do anything on the network they want up to the point they begin asking me to put software on my computer. I'll evaluate and decide whether it's needed or not but I would not put software on my personal computer simply because the school wants to monitor my traffic.

The part you are missing is really simple: It isn't your network. You can choose to not install the package, but then you are choosing not to use the school network. It is extremely common to require a "security pack" for many schools now because they became tired of the people that never did updates and never bothered with antivirus spamming crap across the LANs and bittorrenting the bandwidth away. Many use NAC tools now, force a copy of some AV on to the machine, register the MAC address and force you to use a NAC tool on the machine otherwise you get sent to the "/dev/null" vlan.

PS these "sub par" universities you mention include places like MIT, Harvard, nearly all private schools I have done work with and coming close to 75%ish of the state schools.
 

heymrdj

Diamond Member
May 28, 2007
> The part you are missing is really simple: It isn't your network. You can choose to not install the package, but then you are choosing not to use the school network. It is extremely common to require a "security pack" for many schools now because they became tired of the people that never did updates and never bothered with antivirus spamming crap across the LANs and bittorrenting the bandwidth away. Many use NAC tools now, force a copy of some AV on to the machine, register the MAC address and force you to use a NAC tool on the machine otherwise you get sent to the "/dev/null" vlan.
>
> PS these "sub par" universities you mention include places like MIT, Harvard, nearly all private schools I have done work with and coming close to 75%ish of the state schools.

Sounds pretty "sub par" to me goony. I'm dealing with an emergency rescue group right now that enforced the new SEP 12 on all systems, including guest systems. Well SEP 12 screwed up (generating hundreds of GB of .tmp files every week on each system) on ALL their systems, bringing both business and personal systems in this living building to an unusable state. People no longer have access to any of their computer systems, personal or otherwise because they were "required" to install their "superior" AV system.

BTW, lots of schools have reached major fail on your other points as well. Block bittorrenting? That's nice. Now WoW won't update anymore. Class assignments? (we had to develop a BT client that did away with a lot of the current routing issues) Well you're not doing that either unless you manage to squeeze in lab time before it closes at 9PM. Xbox won't sign on. Windows Update runs into port issues.

What about rental systems? My class assignment robot running on wifi can't use NAC tools, obviously it can't install an AV and it can't run updates or even identify itself in some form that the wireless manager understands. Can't run your own wireless AP because those are attacked by the wireless watchdogs.

What we have here by these "sub-par" schools, and many other places I've worked at, is the failure of network admins to be network admins. The old whiny coots that are "too busy to watch this" or "don't want to fix that". Have a BT problem? Go to the kid's room and yank his plug, you have that authority. Virus issue? Ban his MAC. Be a damn admin. All these places just want software to take care of it for them, so they can drink their pepsi and watch their porn in the office on their specially opened network. I'm glad to say at least in my role of 2,700 systems, I watch every one of them without keeping humanity in a macbox with a browser that only goes to the school's website.
 

imagoon

Diamond Member
Feb 19, 2003
> Sounds pretty "sub par" to me goony. I'm dealing with an emergency rescue group right now that enforced the new SEP 12 on all systems, including guest systems. Well SEP 12 screwed up (generating hundreds of GB of .tmp files every week on each system) on ALL their systems, bringing both business and personal systems in this living building to an unusable state. People no longer have access to any of their computer systems, personal or otherwise because they were "required" to install their "superior" AV system.
>
> BTW, lots of schools have reached major fail on your other points as well. Block bittorrenting? That's nice. Now WoW won't update anymore. Class assignments? (we had to develop a BT client that did away with a lot of the current routing issues) Well you're not doing that either unless you manage to squeeze in lab time before it closes at 9PM. Xbox won't sign on. Windows Update runs into port issues.
>
> What about rental systems? My class assignment robot running on wifi can't use NAC tools, obviously it can't install an AV and it can't run updates or even identify itself in some form that the wireless manager understands. Can't run your own wireless AP because those are attacked by the wireless watchdogs.
>
> What we have here by these "sub-par" schools, and many other places I've worked at, is the failure of network admins to be network admins. The old whiny coots that are "too busy to watch this" or "don't want to fix that". Have a BT problem? Go to the kid's room and yank his plug, you have that authority. Virus issue? Ban his MAC. Be a damn admin. All these places just want software to take care of it for them, so they can drink their pepsi and watch their porn in the office on their specially opened network. I'm glad to say at least in my role of 2,700 systems, I watch every one of them without keeping humanity in a macbox with a browser that only goes to the school's website.

Key point, no matter how you spin it: It is not your network. The school honestly doesn't have to give 2 craps about your xbox or WoW. When you sign in to these schools, you likely signed something that says you agree to all this.

However more to the point:
WoW does have http downloads of the patches. #2 they advertise their trackers so they are often unlocked but throttled. (when the school admins play it, it happens)

Sorry to hear someone set up SEP12 incorrectly, you might want a pro to take a look at that. I personally as a business am not worried about personal systems (unless there is some other reason why I should be, like they live there. In this case they would have a "personal" vlan that is throttled to the net.)

Obviously class assignments could be exempted. Most schools have separate class room vs dorm networks access anyway. Also does your robot actually need web access? If not use your own AP that is only attached to the local robot and you control system. If the AP doesn't have web access I doubt the sys admins would care.

They already ban ports on the networks for the violations you mentioned. However your comment about them laying around in their open network is not what I normally see; what we normally see is a bunch of overworked, understaffed groups required to manage a system in a business that's full of people that only think about themselves. Read up on Ars about the user "Danger Mouse" over there. He works in academics. It gives you a real clue about the mess that goes on over in the schools.

All so you can complain that you didn't get your WoW update at the full speed from the multigig connection the school has.
 

drebo

Diamond Member
Feb 24, 2006
LOL, this forum is indeed better than ATOT now. So many armchair network admins...it's great. Trollolol.

Lots and lots of schools use NAC to force things like this. Perfigo (now Cisco Clean Access) is extremely popular in the dorms of these institutions. The key here is that if you don't like it, you don't have to use the network.

Network administration on this scale must be proactive, not reactive. If you wait until there's a problem with a host (whether that be a virus or excess BT traffic, or whatever) and then address that host individually, your network will never work. Remember, we're talking about thousands of unmanaged nodes on this network. You don't have the fortune to join them all to an AD domain, so you can't use GP to restrict potentially dangerous activities. The most efficient way to police this type of network is to block restricted services outright. That means tools like Clean Access to force antivirus and update policies and aggressive firewalling.

You think the network administrator should wait for a problem and then go to the student's dorm and unplug them manually. You'll need 50 techs under you to police that type of network. I can run the same network with 2 techs, and provide the same level of security and the same level of quality. These tools exist for a reason and they're used for a reason.

Additionally, you do know that the school is liable for anything and everything downloaded from within its network. Whether that is music, movies, CP, whatever. Doesn't matter. Easier for the school to block access to BT or TOR or usenet or other types of services than to deal with individual DMCA cease and desist notices. It's an accounting nightmare.

You'd know all this if you'd ever actually managed a large unmanageable network.