[ISN] Caught in the Network

From: InfoSec News (alerts@private)
Date: Sun Feb 11 2007 - 22:38:05 PST


The Chronicle Review
February 9, 2007
Volume 53, Issue 23, Page B5

At 9:15 one Thursday morning, there came a polite knock on my mostly 
closed office door. I was expecting the knock. A student was coming to 
talk to me about getting into one of my courses, which he needed to 

So when I heard the knock, I said, "C'mon in, Kyle." Someone said, 
"Hello?" and came in, along with two smartly dressed men extending 
business cards to me.

I recognized the speaker as a network-security technician in my 
university's office of information-technology services. The other men 
were not familiar, but a quick glance at their cards told me they were 
detectives on our campus police force. They closed my office door behind 
them, sat down, took out notepads and pens, and asked if I had a few 
minutes to speak with them about Tor.

Tor an acronym for The Onion Router is a freely available, open-source 
program developed by the U.S. Navy about a decade ago. A browser 
plug-in, it thwarts online traffic analysis and related forms of 
Internet surveillance by sending your data packets through different 
routers around the world. As each packet moves from one router to the 
next, it is encoded with encrypted routing information, and the previous 
layer of such information is peeled away hence the "onion" in the name.

Basically, Tor is a way to surf the Internet anonymously. Someone 
looking up potentially sensitive information might prefer to use it like 
a person who is worried about potential exposure to a sexually 
transmitted disease and shares a computer with roommates. Abuse 
survivors might not want anyone else knowing they have visited Web sites 
for support groups related to rape or incest. Journalists in repressive 
regimes with state-controlled media use Tor to reach foreign online news 
sites, chat rooms, blogs, and related venues for information.

Tor can also be useful in e-commerce. For example, Amazon.com knows more 
about my shopping habits and tastes than my wife does. I appreciate 
Amazon's ability to make recommendations based on my previous purchases. 
But in 2000, Amazon admitted experimenting with so-called dynamic 
pricing, charging different people different prices for the same MP3 
player; the prices were presumably based on estimates of what each user 
would be willing to pay, considering prior purchases. Online merchants 
could all do that, thanks to traffic analysis. They know who I am when I 
log on unless I delete their cookies or use Tor.

Of course, anonymous Web surfing can be used to conceal fraud and other 
forms of electronic malfeasance. That was why the police had come to see 
me. They told me that only two people on our campus were using Tor: me 
and someone they suspected of engaging in an online scam. The detectives 
wanted to know whether the other user was a former student of mine, and 
why I was using Tor.

Widespread use of Tor could be a huge headache for network-security 
administrators, particularly in higher education. My university alone 
has more than 21,000 students. Imagine what would happen if even a tenth 
of them and a similar percentage of faculty and staff members started 
using Tor regularly. With all the spam scams, phishing scams, identity 
theft, and related criminal enterprises going on around the world many 
of which involve remotely hijacking university-owned computers we could 
approach technological anarchy on the campus.

My reason for downloading and installing the Tor plug-in was actually 
simple: I'd read about it for some time, was planning to discuss it in 
two courses I teach, and figured I should have some experience using it 
before I described it to my students. The courses in question both deal 
with controlling technology, diffusing it throughout society, and 
freedom and censorship online.

When I cover online censorship in countries with no free press, I focus 
on how those countries rely on hardware, software, and phalanxes of 
people to make sure citizens can reach only government-approved media. 
Crackdowns on independent journalists, bloggers, and related dissidents 
all too often result in their being beaten, incarcerated, or worse. 
Technologies like Tor represent a beacon of freedom to people in those 
countries, and I would be doing my students a disservice if I didn't 
mention it.

The detectives and network-security technician listened patiently to me, 
wearing their best poker faces. They then gave me a copy of the 
university's responsible-use policy, which employees must agree to abide 
by when we first sign up for our e-mail accounts. They pointed out that 
my actions violated at least three provisions of that policy.

I wasn't particularly impressed. I had helped edit and revise that 
policy when I worked for the information-technology office before I 
earned my Ph.D., and I knew that neither Tor nor any similar program had 
existed when the policy was first written. I also knew that the 
provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent 
use of Tor. While I couldn't dispute most of the details in the logs, 
they seemed inaccurate. For example, the technician said I had been 
using Tor earlier that morning. In fact, I had been at Wal-Mart that 
morning looking for a good deal on an HDTV; I had reached my office only 
about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All 
they demonstrated was that I, like thousands of others around the world, 
had installed and infrequently used Tor. In my case, of course, there 
was no wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and 
that I avoid covering it in class.

Having been on the administrative end of academic technology, I 
appreciate the difficulties facing the information-technology staff. No 
one pats you on the back if nothing goes wrong, but if something does if 
a virus or worm sweeps through the campus's network infrastructure, or 
someone hijacks some computers to churn out spam you are off everyone's 
Christmas-card list. The last thing my former colleagues needed was some 
smarmy faculty member spouting off about academic freedom and 
threatening to demonstrate Tor to 100-plus students each semester.

Their job is to protect the network that allows me to do my job: to 
teach classes that are mostly or entirely online, and to conduct 
research. If they weren't here as the first or even only line of defense 
against the unscrupulous elements of our technological society, my 
university would cease to function. It's as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it 
outside the context of my courses. I find all that routing makes it slow 
to use, even with the superfast connection I have at work.

But it is being used all around the world, by people in countries that 
restrict their access to information, by corporate whistle-blowers, and 
by digital-rights activists. It's even being used by average people like 
me, as a way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff 
members play on my campus and my understanding of the role I have to 
play for my students, my need for academic freedom won. I found myself 
lecturing my three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded 
me that I was probably violating the responsible-use policy, and left. 
They had bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives 
had come back to ask if I would reconsider my position. I told him that 
while I would think about giving up Tor, I honestly felt that this was a 
clear case of academic freedom, and I could not bow to external 
pressure. I reminded him that Tor is a perfectly legal, open-source 
program that serves a wide variety of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation, 
patriotism, and dread, I closed the door.

Almost immediately, I heard still another knock. In perhaps an overly 
dramatic fashion, I raised my voice and bravely said, as I opened the 
door, "I'm sorry, but it's about academic freedom!"

There was Kyle, add/drop slip in one hand, pen in the other, grooving to 
his iPod, looking at me blankly.


Paul Cesarini is an assistant professor of visual communication and 
technology education at Bowling Green State University.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Sun Feb 11 2007 - 22:41:52 PST