Semi OT: Academic Firewall Rules

Mauro Souza thoriumbr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu May 22 21:52:33 UTC 2014


At my university (Brazil, back in '02-05), we had a single 1Mbps link for
everybody, something close to 1.000 students. The sysadmins blocked almost
everything: proxies, news channels, download repos, chat, ICQ, IRC,
emule/kazaa, webmail, and almost everything non-http(s) related. Telnet,
SSH, FTP, all blocked. But WinMX seemed to work. And you could print only
10 pages per month. No extensions, no exceptions.

The vast majority of the computers ran a heavily locked-down Windows 2000,
with a special driver that hid all .exe files on the system, except for the
previously approved ones, and files created by the compilers in a specific
folder. And the system had barely 200MB of disk available. At that time, USB
drives were a rarity, and 64MB ones were the largest around. No CD burners
on the computers either. There was only one computer with a CD burner and 1GB
of disk available, and everybody flocked to it. Downloading anything bigger
than a couple MB was almost impossible. A few systems ran Windows 98,
without that "hide-everything driver", but they had 16MB of RAM, and a tiny
disk, so they were almost useless. But we could run anything that could fit
on a 1.44MB floppy disk.

They password-protected the BIOS, and the system would only boot from the
hard drive, and nothing else, so booting a live CD was impossible.
Installing anything was impossible.

I know that you must preserve order, keep the consumption of resources at
sane levels, and restrict the amount of damage the students could do, but
that was draconian. I felt discouraged from doing anything, and everybody hated
the sysadmins.

Until one happy day. We discovered by accident that powering on the system
with a notebook (a paper notebook, not those modern ones made of plastic and
electronics) over the keyboard (pressing some 20 keys at the same time)
would trigger some bug and boot from floppy. We could start Windows 98 on
secure mode, remove the hider driver, uninstall all the locks, and install
our emulator for the Orwellian control program. Our version would open a
screen with exactly the same look, but execute a BlockInput API call and
"lock up" the computer every time the sysadmins tried to do any
admin-related task on the computer. So they thought the system was defective and
re-imaged it, erasing our programs and all evidence.

Before graduating, I used the exploit to install OpenBSD on one of the
computers. I don't know what the admins felt when they saw OpenBSD in the
lab, and I never asked about it. But I would like to have been in the room
when that happened.

The network locks persisted, but we could at least manage to run some games
on the system, download large files piece by piece (20MB each piece), and
so on. The admins never knew it, and I found my programs running on the
ancient systems a couple years after graduating.

Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.


2014-05-22 10:03 GMT-03:00 William Witteman <wwitteman-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>:

> On 22 May 2014 08:04, "Neil Watson" <tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
>
> > Universities used to be bastions of free thinking. Now they seem to be
> > run by despotic lawyers and accountants </rant>
>
> Litigation didn't use to be a business model of IP licencing companies, a
> student couldn't independently sabotage infrastructure half a world away or
> steal a million credit cards from their dorm.
>
> Lazy, busy people without a technical clue promote those who offer
> solutions, not ideals.
>
> "Trust but verify" makes no more sense for 18-year-olds than it does for
> toddlers. If you have a defensible reason for an open net at university you
> can get it sanctioned, but you have to ask now.
>
> Sorry for brevity, typos (phone)
>