11/20/06

  23:38:00 by Joe, Categories: Resnet

I now have proof (as if that was really necessary, people in the know have known that for a long time...) that CCA doesn't do its job in preventing hijacked computers on the network.

The situation: I tried sending an email from this computer within UCI's on-campus residential housing network to one of my off-campus email accounts. The registrar that provides the email service for that off-campus account is very good with respect to spam prevention (one of the reasons I use them.)
The email got rejected by their email server, with this line:

Remote host said: 553 Dynamic pool 128.195.105.207. <http://unblock.secureserver.net/?ip=128.195.105.*>

The only conclusion is that at IP address 128.195.105.207, there is or was a zombied machine sending out spam that resulted in the whole subnet being entered into the registrar's blacklist (which, btw, is standard operating procedure in the spam-fighter community, with escalation if the netblock owner doesn't stop the spam.)
One of the oh-so-highly touted "features" of CCA is that such hijacked machines would automatically be put into quarantine. From the listing above, it is obvious that that didn't happen.
Conclusion: Yet more proof that CCA is faulty and needs to be abolished.

Update: While the block was gone shortly after I put this post up, it is back again, with the same IP address. Indeed, CCA isn't worth a buck, much less its $50K+ price tag, if it can't prevent such issues. It really needs to be scrapped.

10/20/06

  13:08:00 by Joe, Categories: Resnet

I came across this site today: http://daa1000.tripod.com/
It has another program to prevent installation of the CCA client agent. It apparently uses the same kind of TCP parameter changes that our little tool does (described here.)
I have no contact with the operator(s) of that site, I don't know anything about them. The site shows, however, that it is not just a couple of people here who don't like the intrusiveness of CCA.

09/20/06

  00:43:00 by Joe, Categories: Miscellaneous

A little diversion from the usual Resnet/Cable TV stuff...

I just got one of the new iPod nanos, the 8GB model. Pretty cool player.
I wish I could say the same about iTunes 7 for Windows. But unfortunately, iTunes 7 is a complete piece of crap.
It doesn't find the iPod when I unplug it and plug it back in. Only with a repair of the iTunes installation does it recognize it again. It has a "nice" feature to download album artwork from Apple. But for some reason, the artwork didn't show up on the iPod (and yes, the "show artwork on iPod" checkmark is checked.)

But thankfully, the Open Source community to the rescue. I have used gtkpod on my Linux box for some time. The latest CVS snapshot works fine with the new nano, and, unlike the POS iTunes 7, transfers the album artwork correctly to the iPod.

Update: there is an upgrade of iTunes 7, and it is supposed to be better. I haven't tried it yet, though.

08/28/06

  15:03:00 by Joe, Categories: Resnet

After pounding on Resnet for ages regarding brain-dead installation instructions that caused lots and lots of problems, they removed their instructions last September.
It took them nearly another full year to come up with correct instructions. Wow. Talk about speed...
The main stuff:

* Connect your computer (PC or MAC) to any one of the LAN ports, only
* Connect the wall port to a WAN port on your Router

It still is beyond me how they could ever post anything else.

But anyway, now that they clearly have acknowledged that I and others who have pointed out the old false instructions were correct all along, I hope they have started to see the light.
Their next step should be to abolish Cisco's Clean Access product, since it has fundamental design flaws that have been exposed here.
Anybody can easily bypass the CCA client installation using this program, and I am sure a lot of students will do so.

08/25/06

  20:55:00 by Joe, Categories: Resnet

Over the last week and a half, I have been busy coming up with ways to bypass the CCA client installation on Windows.
In my last post on this topic I had already hinted at the idea.
Basically, the current CCA version (now called Cisco NAC Appliance) uses a variety of methods to determine the operating system the connection is made from. Cisco has come quite a way from the simple and trivially defeatable browser user-agent string... With the use of the user-agent string, they violated one of the basic laws of Web development: never trust data sent by the client...
They are now using multiple avenues to detect the OS. They still use client data: the browser user-agent, and in addition get the OS string through JavaScript. These are still trivially circumvented.
In addition, though, they use more sophisticated methods. Namely, they use the TCP fingerprint and possibly the SSL negotiation phase to determine the OS.
Every network implementation has different settings and idiosyncrasies. Lists of such idiosyncrasies are readily available for all popular operating systems. So, by comparing the idiosyncrasies of the connection to such a list, it is possible to determine the OS.
That leaves us with finding ways to change the idiosyncrasies reported, so that the comparison with a list doesn't work anymore.
And that is exactly what a colleague and I have done.
We have identified a way to get around the CCA OS detection:
Modifying the TCP parameters. A description of this method has been posted to Bugtraq and the Full Disclosure mailing list. We made a program available that makes the process really painless.

So, to make a long story short, the program to bypass the CCA installation on Windows is here. Instructions are here.

And to make it even easier to use, we have created a setup program that installs the tool on any Windows machine. Get it here.
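
As an added illustration (not code from this post, the tool it links to, or Cisco), the sketch below shows the list-comparison idea described above from the enforcement side: a passive classifier matches TCP SYN parameters against a signature list and cross-checks the result against the user-agent. The signature values, names and the fail-closed policy are simplified assumptions; the point is that every input is client-controlled, so an unknown or inconsistent result should restrict access rather than exempt the host.

```python
# Added example: passive OS classification with a fail-closed policy.
# Signatures are simplified, constructed values, not a product's database.
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    ttl: int        # IP TTL as observed at the sensor
    window: int     # TCP window size advertised in the SYN
    options: tuple  # TCP option kinds, in the order sent

# (name, initial TTL, typical window sizes, option order)
SIGNATURES = [
    ("windows", 128, {65535, 64240, 16384}, ("mss", "nop", "nop", "sackOK")),
    ("linux", 64, {5840}, ("mss", "sackOK", "ts", "nop", "ws")),
]

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255

def os_from_tcp(syn):
    """Return the first signature matching TTL, window and option order."""
    for name, ttl, windows, opts in SIGNATURES:
        if (initial_ttl(syn.ttl) == ttl and syn.window in windows
                and syn.options == opts):
            return name
    return "unknown"

def os_from_user_agent(ua):
    """Weakest signal: a string the client chooses freely."""
    ua = ua.lower()
    for name in ("windows", "linux"):
        if name in ua:
            return name
    return "unknown"

def decide(syn, ua):
    """Fail closed: unknown or disagreeing signals never earn an exemption."""
    tcp_os, ua_os = os_from_tcp(syn), os_from_user_agent(ua)
    if "unknown" in (tcp_os, ua_os) or tcp_os != ua_os:
        return "quarantine"
    return "posture-check:" + tcp_os
```
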


UCI Housing Network and Cable TV Issues

This blog tries to capture all the gripes about UCI Resident Networking (Resnet) and the switch to UCI-managed Cable TV in on-campus housing.
This site is not affiliated with UCI or UCI Housing.