by stx 2008 days ago
I was at a school that was just starting to do some similar things. They had students register the MAC of their devices (wired and wireless). So they identified students by MAC. With this it was actually pretty easy for a bad actor to frame someone else by just changing their MAC to another device on the network.

Same school would also lock your university account after 3 bad password attempts and you could only unlock in person at the library help desk. Again you can see the problem.

We required MAC registration but you also had to auth with 802.1X to get an IP so we knew who was doing what and when. MAC registration came in handy several times for locating stolen laptops and phones. I think there may have been an exception for devices that couldn't auth but it could have been a different VLAN and probably port.

We also had adaptive password expiration and complexity policies based on length. If you used a passphrase (~15+ characters) you could use dictionary words but if it was under that you couldn’t and had to include a number and symbol too.

Passphrases had like a 90 or 180 day expiration. Passwords were I think 30? You set them in the same text box and the rules were based on your entry.

I think the lockouts had a timer with an exponential increase. You'd get like five or ten tries before you'd have to start waiting minutes for the next attempt. Not sure if there was a hard lockout option. Phone support was daytime hours in the main office, all times when labs were open (some labs were 24 hour) and email support was 24/7. 24/7 lab monitors worked the ticket queues as well.

It was a great department actually. Lots of great work being done to make things easier for students. Relied heavily on students to operate the department and gave a lot of people careers.

Back in the 90s a student wrote a ticket management app in Perl. The university hired him and he was still in the department writing code 20 years later when I was there. One of the techs I worked with was hired by the law school to handle their IT. I got several jobs including my first out of school through people I met and worked with there.

Some Universities in the UK for a number of years have been making students download certificates that allow SSL decryption as part of counter-radicalisation efforts.

Oh god, Universities with CS divisions allow this sort of thing? Where are the sane people who go wtf?

These "IT" people who push to implement this probably end up working for the DoD or Whitehall and push anti-encryption measures.

I find `mulmen`'s efforts very distasteful (trying to stop piracy on networks is like trying to stop kids from doing drugs) but not crossing the line as much as forcing certs on kids' personal machines.

> I find `mulmen`'s efforts very distasteful (trying to stop piracy on networks is like trying to stop kids from doing drugs) but not crossing the line as much as forcing certs on kids' personal machines.

You have badly misinterpreted my comments here. Everything we did was to protect the students' interests. We were the gateway between them and whoever was trying to sue them. The University took whatever action it needed to in order to maintain that position and keep students safe from abuse. We were often riding the line of legal action taken against us by those rights holders, frivolous or not.

I'm not aware of any student ever losing network access because of piracy. We just sent a lot of emails saying "please stop" and in general students did.

I'm not sure what you find distasteful about that but I stand by my words here and my actions at the time.

That seems like a very different requirement. The University I worked for just had hundreds of wired and wireless access points and limited staff to manage them so devices had to be registered to protect everyone. It was self-service IIRC. If you connected with an unrecognized device it just took you to a login page and then the device was registered to you. I don't think there was any tracking of what students were actually doing once they were connected. Certainly not at the kind of detail that could suggest anything about radicalization.

Wow, both of those describe the system at my alma mater Washington University. The 3 strikes logout was the biggest pain ever. I knew someone who got DoSed because his PaperCut printer driver kept trying to use old credentials, which somehow kept locking him out of his account until they diagnosed it.
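
The two lockout designs discussed in this thread (three bad attempts then an in-person unlock, versus a delay that grows exponentially after a handful of free tries), compared on the stale-credential case described above. This is an added example, not code from any commenter or university system; the class names, the thresholds (5 free attempts, 60 s base delay, 1 hour cap) and the retry schedule are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class HardLockout:
    """Three strikes, then locked until staff reset it (the help-desk model)."""
    max_failures: int = 3
    failures: int = 0
    locked: bool = False

    def attempt(self, now: float, password_ok: bool) -> str:
        if self.locked:
            return "locked"
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return "bad"

@dataclass
class BackoffThrottle:
    """Free attempts first, then a delay that doubles with each further failure."""
    free_attempts: int = 5      # assumed value
    base_delay: float = 60.0    # seconds, assumed value
    max_delay: float = 3600.0   # cap in seconds, assumed value
    failures: int = 0
    next_allowed: float = 0.0

    def attempt(self, now: float, password_ok: bool) -> str:
        if now < self.next_allowed:
            return "wait"       # refused without checking the password
        if password_ok:
            self.failures, self.next_allowed = 0, 0.0
            return "ok"
        self.failures += 1
        over = self.failures - self.free_attempts
        if over >= 0:
            self.next_allowed = now + min(self.base_delay * 2 ** over, self.max_delay)
        return "bad"

def simulate(policy, stale_retry_times, user_login_time):
    """Replay wrong-password retries, then one correct login by the real user.
    Returns (result of the user's login, number of passwords actually checked)."""
    results = [policy.attempt(t, password_ok=False) for t in stale_retry_times]
    return policy.attempt(user_login_time, password_ok=True), results.count("bad")

# Constructed input: a client with stale credentials retrying every 30 s for 10 min.
RETRIES = [30.0 * i for i in range(20)]

if __name__ == "__main__":
    print("hard lockout:", simulate(HardLockout(), RETRIES, 7200.0))
    print("backoff     :", simulate(BackoffThrottle(), RETRIES, 7200.0))
```

With the backoff policy the account recovers by itself once the delay expires, but a login attempted while the delay is still running is refused too, so per-account throttling narrows the denial-of-service window rather than removing it.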