First, let me mention that I work as a Senior Security Engineer at the University of Florida. I spend 40hrs a week (at least!) dealing with exactly the same type of threats that the folks at the University of Portland deal with and strongly understand the value of NAC in protecting such a difficult network to defend. I should mention that what I write here is obviously not in any way official UFL policy or opinion. I've never been concerned by methods to evade NAC. People who are capable of evading NAC are not the users you're trying to protect from compromise by ensuring they're secure anyway. Deal with the vast majority of users who need NAC for their own protection and the protection of the network and don't worry about the few smart enough to actually evade it.

UP's reaction was not proportionate to the issue. From what's been posted online of the policies and reactions the administrative staff has had to the incident, somebody seriously over-reacted. Let's put it this way -- what the program that Mr. Maass wrote did was essentially make his computer look like a PDA. Or a game-system, or any other network device besides those supported by the version of CCA at UP. He didn't hack in without using a username and password, or steal anyone else's account. He didn't attack the CCA system itself with any exploit at all.

That's not to say he didn't handle it poorly. And his actions probably should be a violation of campus policy even if it wasn't when he did it (UP: add some language about "attempting to evade security measures meant to protect the network" and you're done). But suspension? The letter to the local newspaper mentions that there were no less than 19 other lesser sanctions that could have been taken in this instance (see [3] above). A suspension is ridiculous.

Click Here to Continue Reading This Article