Part one of a two-part examination of information security at The New School. Click here for part two.
Crile recalled that during the course of the class discussion, someone raised the topic of SafeConnect — the software that New School students must download in order to access the university’s wireless internet network.
“Just through people talking about it,” Crile said, “it became clear that it was a little bit [messed] up.”
SafeConnect is a network access control product implemented by The New School in 2010 through the Lakeland, Florida company Impulse Point. Crile graduated without ever having downloaded the software, which made it impossible for her to access The New School’s wireless Internet network from her laptop.
“If I was doing a lot of work, I normally didn’t want to be doing it at school anyway,” Crile said. “I’d go to [NYU’s] Bobst [Library], and if I needed to print or just do random things I would go the computer lab,” she said.
For Crile, her privacy was worth the inconvenience. She described her initial reaction upon hearing of the program’s capabilities.
“It felt really Big Brother-y,” she said. “I understood that there must be reasons for why the school would use the software, but it turns me off from wanting to trust The New School.”
SafeConnect acts as a gatekeeper to the university’s Internet network. Any user who tries to access the New School network must first pass a security check — a log-in page asking for the user’s New School ID. Network access controls allow large networks that serve many users and devices to set rules about who can and cannot log on. Before SafeConnect green-lights a user onto the information super-highway, the program runs a check to see if his or her device has installed current anti-virus software or up-to-date security patches.
Under the Communications Assistance for Law Enforcement Act of 2004, all universities in the United States are required to maintain a private Internet network. In addition to these guidelines, the Higher Education Opportunity Act of 2008 made it necessary for all schools to “combat the unauthorized distribution of copyrighted materials through illegal downloading or peer-to-peer distribution of intellectual property,” as a condition of obtaining Federal Pell Grants for students and participating in other federal financial aid programs. In 2004, in order to satisfy these requirements, The New School employed Cisco Systems’ network admission control, Cisco Clean Access, to perform the necessary authorization checks.
By 2009, with the proliferation of wireless devices requesting network access, The New School’s information technology department performed a significant overhaul of the university’s wireless networking capabilities. In addition to providing greater bandwidth campus-wide, the revamp was intended to allow students to change locations within the network without the need to re-authenticate.
During this process, according a September 2010 memorandum by the university’s IT department, Cisco Networks had modified their licensing model in a change that would have forced TNS to pay more in order to continue using the product. After reviewing a number of alternatives to Cisco, the university settled on Impulse Point’s SafeConnect product.
“The implementation of SafeConnect cost significantly less than it would have cost to continue use of our Cisco Clean Access implementation,” wrote David Curry, director of information security at The New School, in an email to the Free Press. “We carefully evaluated several network access control products before making the switch and, in the end, we concluded that SafeConnect offered The New School the best combination of security, flexibility, scalability and price.”
Not everybody shared the IT Department’s confidence. Ted Byfield, assistant professor in the communication design and technology department at Parsons, compiled a report in 2009 detailing the technical dimensions of SafeConnect, and outlined numerous aspects of its implementation, design, and potential capabilities that he felt were “incompatible with [TNS]’s history, values, and mission.”
It was Byfield’s assertion that “given [TNS]’s progressive mission, it is entirely reasonable to assume that this policy may directly conflict with the beliefs of many of the affected people, may contravene policies and practices of organizations they are affiliated with, and/or may violate other laws to which they are subject.”
At the same time, students and faculty at other institutions that had adopted SafeConnect were voicing their own suspicions of the software. At Presbyterian College in South Carolina, student Kristen Hallman started a petition warning her peers to “Protect Your Rights and Protest SafeConnect spyware.”
Her concerns echoed those of St. John Johnson, currently a senior PHP software developer for Yahoo! Inc. Johnson was pursuing his MS in computer science with network security certification in 2008 when Sacred Heart University in Fairfield, Connecticut first adopted Impulse Point’s software.
“I’ve always been a computer geek,” Johnson told the *Free Press.* “After being presented with this new prompt, I was curious about this new software and proceeded to download it.”
Johnson created a “virtual machine” on his computer to run the software while “tricking” it into believing it was operating on a real device. While observing SafeConnect’s functions in this safe environment, Johnson realized that the program was attempting to communicate with an unknown third-party.
“It was sending network packets to ‘approve’ me,” Johnson said. “I wasn’t quite sure the purpose of it, [but] I felt it was a huge breach of my privacy.”
So Johnson’s solution was to program a “bypass” around SafeConnect, which he posted online to be freely downloaded from his own personal website. His trick was to simply tell SafeConnect that his computer was not his computer; after some research, Johnson determined that the system only worked on three operating systems: Windows, Mac, and Linux.
“This means they didn’t have support for other devices,” he said. “So I thought about it: What device exists in a college environment, required internet access, couldn’t download software, and had no way to enter login information?” He was amused to find that, on a college campus with residence halls full of 18-24 year olds, the device he was looking for was “the Xbox.”
Ultimately, Sacred Heart University’s lead network engineer pressed Johnson to remove the download, stating a conflict of interest in consideration stemming from Johnson’s time as a student employee with the university’s IT department. Johnson agreed and promptly complied; however, he remained untrusting of a program with potentially far-reaching capabilities.
“I understand [the school's] concern about protecting their network, but this isn’t the right way to do it,” he said. “What if it started reporting back my browser usage, file contents, chat conversations, etc.? I can easily come up with justification for each: protecting against malware sites, looking for common viruses, and identifying chat worms, respectively.”
By the summer of 2011, The New School’s implementation of SafeConnect had resulted in controversy and backlash within the university community. In response to growing faculty concern, the faculty senate formed an “Infrastructure Committee” to work with the school’s IT department, attempting to strike a balance between maintaining the privacy of students and faculty and the requisite compliance with federal guidelines.
Across the country, however, a doctoral student in New Mexico was also concerned with the prowess of the SafeConnect software. Jeffery Knockel, a Ph.D. student in computer science at the University of New Mexico, working under the guidance of his Ph.D. advisor, Jedidiah Crandall, developed a “working exploit” of the SafeConnect policy key, which, while purposefully benign, demonstrated a vulnerability within the program’s architecture.
Crandall requested that the *Free Press* not reveal the details of the exploit, in order to protect anybody who may still have a vulnerable older version of the SafeConnect software installed on their computers. While more recent versions have received updates addressing the issue, Crandall wrote via email that he and Knockel are “still opposed in principle to users being required to run software with administrative privileges on their machines just to connect to a university network.”
Last fall, Cindy Cohn and Seth Schoen of the Electronic Frontier Foundation, a non-profit digital rights advocacy group, discovered the same SafeConnect vulnerability. Cohn and Schoen reported their findings to Impulse Point, who responded that the company was aware of the vulnerability issue and that their clients had already received updated versions of the software.
“We have no concerns at all about older versions because the problem had been corrected,” Anne Torgler, director of marketing at SafeConnect, told the *Free Press*.
Impulse Point has asserted that students who have graduated from universities that implement SafeConnect, and were therefore unable download the fix as it was necessary for them to log in to the school network, would be notified of the vulnerability. The company, however, has made no mention of how they would reach former students.
“The SafeConnect software automatically updates itself,” said David Curry, director of information security at The New School. “All users received the fixed version the next time they connected to the network, and no notification was necessary,” Curry added.
Byfield, however, wrote in an email to the Free Press that he “knows of no effort to contact those people.” He added that he doubts there exists a way to contact every user who ever downloaded the vulnerable software. “In my view,” Byfield wrote, “that’s unbelievably negligent.”
Reporting by Simone Egipciaco and Joey Mulkerin
Additional reporting by Katie Bamberger and Kayla Monetta.