1. 29

  2. 13

    I have to admit I have no context here, and was misled by the headline into clicking through, because I read “you” as “any arbitrary person,” and not “specific people who got a letter from Brown University about accessing Brown buildings and networks,” so I was curious, and then a little annoyed…

    But with that out of the way, were there really people surprised by these letters, and needing it spelled out?

    People are so naive they don’t think the University is tracking access to their buildings and networks? What do they think the access cards are for?

    1. 13

      There are college students so naive they don’t think the University is tracking access to their buildings and networks?

      Yeah. 🙁 This situation has surprised a lot of students on campus.

      1. 4

        Disappointing, but fair enough.

        1. 4

          The silver lining is that now there will be an increased awareness of this behavior, so that’s something (even if it is fleeting for the most part…)

        2. 8

          It’s interesting how many people do not realize this and more. A few years ago some students broke into campus in Maryland and sprayed some swastikas and racial messages. They were caught because their phones connected to school wifi with their logins…

          1. 6

            They think the access cards are to get into buildings - it doesn’t occur to them that it’s an entire, campus-wide networked system because it doesn’t look like it is. It’s easy for us in a technology forum to realize that this kind of tracking is possible and probably occurring, but imagine you didn’t have the technical background to understand that there must be some sort of centralized network/database/etc. Do you really think you would make the connection? Both that this kind of logging is possible in the first place, but also that the university might actually be doing this (extremely invasive) logging? IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

            1. 6

              I doubt even many computer science students have this in their threat models…

              1. 9

                Exactly. I mean frankly I spend a lot of time/effort protecting my privacy and security and am pretty much the most paranoid person I know on my campus (at least when it comes to technology). I assume my university WiFi is hostile (especially because on the guest network, which admittedly seems to be run by a different organization than the regular network, I have used OONI Probe to catch them censoring traffic), and generally speaking I do not fully trust the IT department. And even I didn’t seriously consider that the university might be going to this extreme level to surveil students, although I did wonder if they were monitoring building swipes to enforce no-guest policies*.

                It isn’t news that Brown (or my university, or presumably tons of other universities) has these capabilities. It’s just a reminder that they do, and that those surveillance systems are ripe for abuse. But more importantly, what’s really noteworthy here is that Brown actually decided that it was a good idea to deploy this kind of invasive surveillance and tracking against students. Whether the public health benefit of enforcing the Student Code of Conduct’s COVID-19 policies outweighed the cost of the invasive way they did so is a separate, highly complex issue that honestly I don’t want to comment on without having more information. But I don’t think it’s controversial to say that said cost was quite high.

                *: it was later confirmed to me by a university official that they considered this - implemented this? I can’t remember - but that it wasn’t/wouldn’t be effective because swipe access is deactivated for residential buildings you don’t have authorization to be in. So most students wouldn’t even try the swipe because they knew it wouldn’t work; instead they’d just call their friend they were going to see to let them into the building.

                1. 6

                  I TAed my university’s security class. For one of the assignments (which really was a CTF I put together), I gave our students access to a rpi3 that they could comb for flags.

                  I don’t know how much nmapping of the school network was done from the pi, but I do know that it was a nonzero amount, mostly by accident by scanning too many subnets in the process of learning how nmap worked. And no one seemed to care ultimately…

                  The extra credit on the assignment was to break into my Linux account via a privilege escalation. Only one team succeeded, but I had a pair of students determine which building I lived in from examining reverse DNS. I wish I could have given them extra credit for that.

                  Anyway, it was the coolest group of students ever.

                  1. 3

                    Man, that sounds fantastic. I wish I could take that class!

                    1. 2

                      They had fun. The group that basically was able to track me down with metadata in our pentest assignment made lots of that grading worth it.

                      There was another group that said that I had been social engineered by giving them an account on the raspberry pi. Technically correct, since it was given to them so they could do the assignment :-)

                      On our binary exploitation project, another group accidentally got a shell on one of the targets with ROP. That’s a discussion for another day…

              2. 1

                IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

                Doesn’t helping to enforce quarantine during a pandemic count as keeping students safe?

                1. 1

                  The rule being enforced relates more so to where you quarantine, not whether you’re quarantining. It does not apply to the significant number of Brown students in Providence who elected to take an academic leave this semester (but are oftentimes still employed as TAs).

            2. 5

              Nice writeup. COVID is giving people the excuse to use the treasure trove of individual behavioral data they already have access to.

              1. 1

                Yes, almost like a dry-run for the arguably-inevitable “cyberpunk/Orwellian” future we’ll find ourselves in

              2. 4

                I work at a university, and at least here they explicitly told us they were going to be looking at keycard swipes for contact-tracing. That was one of the justifications for all buildings being card-access only this semester, so they have a list of who was inside each building on each day (the other justification is increased risk of theft/vandalism due to many buildings being largely empty).

                1. 2

                  During my studies we had a custom chat app that we were required to use to exchange with other students and teachers. It was obvious nothing was encrypted whatsoever between messengers, but also clear that it was logging the time your computer was active and present on campus.

                  You could argue that other big companies are doing the same with even more details, but coming from an educational entity felt different.