On May 16, 2006, at 4:32 PM, Michael Holstein wrote:
Specifically, we're arguing to various administrative and technical
committees that the whole damn network shouldn't be trusted by
services that we subscribe to... and instead, the proxy service that
berkeleyites use to connect to library services off campus should be
used on campus too (so that a much smaller segment of our network is
"trusted").
We actually already have this as well .. a proxy that allows
internal users to breeze through, and external ones to
authenticate. Why the journals think it fit to trust a /16 or
greater is beyond me.
Are the on-campus proxies really necessary in that case?
Problem is .. I don't think they'll buy the argument "you need to
change your way of doing things so I can offer an anonymous proxy
and not cause you problems". They'll just say "why run the proxy at
all?".
For the short-term, I wrote a script that wgets the library's list
of subscriptions, and munges that to get the unique domain links,
and puts those into /etc/hosts with bogus addresses that are denied
by the exit policy (e.g.: 127.0.0.2 some.domain). Yes, I realize this
doesn't prevent access by IP, but if I can keep out 95% of the
miscreants, that's fine by me.
I hate to break things on purpose, but I do have to dance around a
bit to keep this going.
My biggest mistake perhaps was actually giving the library folks an
honest answer when they asked .. had I just said "oh .. I'll look
into that" and fixed it, they'd have happily gone away. Instead, I
sent them the boiler-plate response about TOR and they started
asking questions.
Lesson learned: don't call TOR an "anonymous proxy". It's a
"privacy router designed to help the Chinese".
Try making up some other excuse, like being able to track who is
accessing journal articles and with what frequency. I think that
will work.
/mike.
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
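
The short-term workaround described in the message (fetch the subscription list, reduce it to unique hostnames, map each to a bogus address in /etc/hosts) could look like the sketch below. It is an added example, not the script from the thread: the sample page, the block markers and `LIST_URL` are assumptions, and it goes one step further than the message by replacing its own earlier block on each run. As the message notes, links that use a bare IP address are not covered.

```shell
#!/bin/sh
# Added example (not the original script): build /etc/hosts entries that
# point every hostname linked from a subscription page at a bogus address.
SINK_ADDR="127.0.0.2"                     # bogus address used in the message
BEGIN_MARK="# BEGIN journal-sinkhole"     # hypothetical block markers
END_MARK="# END journal-sinkhole"

# Constructed sample page standing in for the library's subscription list.
sample_page() {
cat <<'EOF'
<a href="http://journals.example.org/toc/abc">ABC</a>
<a href="HTTP://Journals.Example.ORG:8080/other">same host, other case, port</a>
<a href="https://www.publisher.example/j?id=1">Publisher</a>
<a href="http://192.0.2.10/direct">linked by IP, nothing to map</a>
<a href="/local/help.html">relative link</a>
EOF
}

# stdin: HTML. stdout: unique lowercase hostnames, one per line.
extract_hosts() {
    grep -oiE "href=[\"']?https?://[^/\"'?# >]+" \
        | sed -E 's|^[^/]*//||; s|^.*@||; s|:[0-9]*$||' \
        | tr 'A-Z' 'a-z' \
        | grep -E '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' \
        | grep -vE '^[0-9.]+$' \
        | sort -u
}

# stdin: HTML. stdout: a marked hosts block.
make_hosts_block() {
    echo "$BEGIN_MARK"
    extract_hosts | sed "s|^|$SINK_ADDR |"
    echo "$END_MARK"
}

# Replace any earlier block in the given hosts file, so reruns do not pile up.
update_hosts() {
    hosts_file=$1
    tmp=$(mktemp) || return 1
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$hosts_file" > "$tmp"
    make_hosts_block >> "$tmp"
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Dry run on the sample; real use would be e.g.
#   wget -qO- "$LIST_URL" | update_hosts /etc/hosts   (LIST_URL is a placeholder)
sample_page | make_hosts_block
```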