At least with carriers you will know for sure that you have no expectation of privacy. ....

> http://clark.com/technology/how-opt-out-verizons-super-cookie-tracking/
> On Apr 28, 2017, at 8:12 PM, Jeffrey D. Sessler <[email protected]> wrote:
>
> Philippe,
>
> This statement, “each user that uses eduroam has a verified affiliation with a University/College somewhere in the world”, while sort of true, is also meaningless. There are numerous universities out there that grant identities to anyone in their local community for the sake of services like the library and wireless. There is certainly a loose affiliation, but that in no way means the university has vetted that person or would attest to anything more than that they filled out a form, i.e. the fact that they have credentials doesn’t in any way add to the “eduroam is vastly superior” claim.
>
> Trust – Sure, we need to trust each other, and that’s why we have mechanisms to do so such as federation. That’s only one part of the trust, and in the case of eduroam, what requirements are there concerning how client data will be handled as it terminates and traverses a participating college’s network? A campus is free to record all activity, from DNS records, URLs, flows, etc. And that’s the rub with eduroam. A member of my community has knowledge of our AUP and what we collect as part of normal network operation. When they auto-roam to another campus’ eduroam, there is no disclosure as to how it operates. The user falsely assumes it’s the same as the home campus.
>
> As for Passpoint/HS2.0, with its wider adoption, it will be interesting to see if universities accomplish this via eduroam or/and via affiliations with existing cellular or network providers, especially if there is a way to monetize the university’s wifi network. I’d rather get paid by Verizon for allowing a student’s Verizon cell phone access to our network than to provide that service for free via eduroam.
>
> Jeff
>
> From: "[email protected]" <[email protected]> on behalf of Philippe Hanset <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Friday, April 28, 2017 at 2:51 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler <[email protected]> wrote:
>
> Philippe,
>
> I’m not arguing the “convenience factor” or OTA encryption, which eduroam certainly provides, just that users (and universities advocating for it) shouldn’t blindly trust it any more, or less, than any other guest network.
>
> Jeff,
>
> eduroam is authenticated and each user that uses eduroam has a verified affiliation with a University/College somewhere in the world. Each NRO signs an agreement, and each NRO makes each school agree to RADIUS log holding and other privacy features. How is this “little behind it”?
>
> eduroam is vastly superior to other guest networks, unless you require direct identification with an ID at the help desk to join Wi-Fi (and even IDs can be very fake).
>
> The same way that schools trust other directory services with Shibboleth or even transcripts, at one point we have to rely on the fact that other members of our community are on an acceptable standard that we can relate to, to make our lives easier and save time for all of us.
>
> We do not ask schools to make it the primary SSID; most decide that it makes more sense. It is simpler to make users be ready to travel and reduces SSID confusion.
> As I mentioned earlier, users still need to be reminded that eduroam allows them to connect around the world. Having eduroam as the main SSID is not sufficient.
>
> Having a local secure SSID is still very useful, especially when there are potential eduroam conflicts due to schools’ proximity.
> But this will soon be a moot point when Passpoint/HS2.0 becomes predominant.
> You will be able to welcome many roaming communities on your network and even set your own preference for your clients to avoid "SSID conflicts" when the same SSIDs advertised by different locations conflict with each other (the client will always prefer the network from its own school).
>
> Philippe
>
> You touch on my concern with this statement, “Most Schools tend to give more privileges/bandwidth to eduroam because it is a community of trust.”
>
> eduroam should in no way be considered “…a community of trust” as there is little behind it to guarantee as such. In promoting it across EDUs, and making it the primary SSID, universities are certainly making it appear as if it is to those using it, but it’s an illusion. No matter how it’s painted, at the end of the day it’s still an unregulated, multi-ISP, guest network.
>
> I’m not arguing against broadcasting eduroam (which my campus does), or its convenience for guests, just don’t hold it up as something it’s not.
>
> Jeff
>
> From: "[email protected]" <[email protected]> on behalf of Philippe Hanset <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Friday, April 28, 2017 at 11:14 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> Jeff,
>
> Why do I say this?
> · Organization - A university can’t assume and/or guarantee that “eduroam” is administered at another campus in the same way that it is at home. There is no guarantee of privacy, be it the data collected during authentication/authorization, or information being sent/received by the client while traversing the other organization’s network. There is no guarantee user data won’t be sold, studied, or otherwise used as the organization terminating the client’s connection sees fit. eduroam is a name only.
> · User – Assumption that “eduroam” away from their home campus is the same as “eduroam” at another organization. Assumption that there is the same level of data security, privacy, or other safeguards/guarantees as provided at home. Assumption that the same resources are available. Assumption “eduroam” out in the world is superior to connecting to an open network.
>
> Connecting to eduroam is superior to connecting to an open network for at least 4 reasons:
> (others may add to the pile)
>
> 1 - No wasted time “hunting” for an SSID that who knows what it is, in a list that is larger every day (especially for Urban Campuses)
> 2 - If the network is accepting your RADIUS infrastructure certificate, you know that you are on a trusted network, part of a community
> (I will send another email to respond to the MiTM attack on PEAP and EAP-TTLS…use the CAT tool to mitigate that, or EAP-TLS if you can afford it)
> 3 - Encryption over the air as part of WPA2-enterprise for guests as a great side effect
> 4 - The local school knows that if needed, the user can be found (infected machine, abuse, DMCA, etc…)
>
> I agree that all eduroam networks are not equal, but neither are Open Networks. It is in the end a guest experience.
> I actually have the same with my cellular network… sometimes it is LTE or 4G, sometimes 3G with very little capacity, even though it always references the same carrier and I pay the same!
> It is our job as Network Operators to inform our users that there is no guarantee of service.
>
> Most Schools tend to give more privileges/bandwidth to eduroam because it is a community of trust.
> So, in most cases you will experience a better experience than classic Open Guest Networks.
>
> Certainly, some of the data privacy pieces could be mitigated by using a home-campus VPN while traveling, but now you are creating rules that the end-user must remember.
> These rules become confusing when you are in an area with multiple organizations all broadcasting “eduroam”, where to simplify the user experience, i.e. they can get to the same resources, the default becomes using VPN all the time. Once you force the use of a VPN, then is “eduroam” any different than using an open/guest network?
> I would prefer to see “eduroam” in the same light as, say, using Facebook to login to other applications, i.e. the university advertises that the guest wireless SSID supports the “eduroam” authentication service. The visiting person connects to your branded guest SSID using their home college credentials – understanding that they are bound to your AUP or other local decisions on the use of their data. There is no confusion about who owns, administers, or otherwise controls the network the client is connected to and no assumptions about resource availability.
>
> So for every campus that you visit you have to suffer:
> Hunting for the SSID
> Trust that SSID
> Read the AUP
> Share your Social Identity (talk about big data here)
> And as a network Operator you have to hope that the Social Identity is somewhat real!
>
> Schools don’t have time to look at big data for their traveling users or their guests, and the only info is username@domain or, if you want, anonymous@domain.
> You actually have the choice to anonymize yourself, it is not against any rule.
>
> The same goes for NROs (National Roaming Operators for eduroam), we have all signed an agreement that we cannot use user data other than for troubleshooting and monitoring unless required by law enforcement.
> I doubt that Facebook or any other Social Provider can guarantee that…they make money out of your data!
>
> Again, if you fear being tracked on eduroam, definitely anonymize your outer-identity. It is accepted, and many do it (it can even be done automatically in the CAT tool).
> In case of abuse or infection, a user can be found by contacting the campus of origin (so you let the IdP decide how to deal with Privacy for their users!).
>
> Finally, there is a reason why the big carriers did a push for Hotspot2.0/Passpoint. Protocols like 802.1X/WPA2-enterprise are great for security and authentication (both of the infrastructure and users), and the guest Wi-Fi industry is moving toward those standards. We all have done it with eduroam way ahead of the carriers.
> The privacy issue with large carriers might be an issue, but we suffer the same with our Cellphones already.
> Privacy and Net Neutrality are at stake every day.
>
> Hope this helps,
>
> Philippe
>
> Philippe Hanset, CEO
> www.anyroam.net
> www.eduroam.us
> +1 (865) 236-0770
>
> GPG key id: 0xF2636F9C
>
> Jeff
>
> From: "[email protected]" <[email protected]> on behalf of Marcelo Maraboli <[email protected]>
> Organization: UC
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, April 20, 2017 at 2:16 PM
> To: "[email protected]" <[email protected]>
> Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> Hello everyone.
>
> We are finally adopting EduROAM in our University and we currently have one SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x upgrade for us as well.
>
> Would you be so kind to respond to a couple of questions?:
>
> If you adopted EduROAM as your primary SSID:
> - Did you leave an SSID for legacy devices? (What AUTH mechanism for this SSID?)
> - How did you "force-move" your users to EduROAM from your old SSID?
>
> If you added EduROAM as just another SSID:
> - Why not adopt EduROAM as your primary SSID? (Branding or no interest?)
> - Is your primary SSID also 802.1x or MAC-based?
> - If 802.1x, why have 2 SSIDs with 802.1x?
>
> thank you all,
>
> --
> Marcelo Maraboli Rosselott
> Deputy Director of Networks and Security
> IT Directorate (Dirección de Informática)
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
> Santiago, Chile
> Phone: (56) 22354 1341
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
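Hanset's two practical points in the thread, anonymize the outer identity and let the CAT tool pin the home RADIUS server's certificate against the PEAP/EAP-TTLS man-in-the-middle (or move to EAP-TLS), come down to a handful of supplicant settings. The wpa_supplicant.conf below is an added example, not part of the thread and not a CAT-generated profile: the realm example.edu, the user alice, the CA file path, the client certificate paths and the server name radius.example.edu are assumptions. The first network block is the weak profile and is left disabled so it can never connect; the second is the hardened PEAP equivalent; the third is the EAP-TLS variant.

```conf
# wpa_supplicant.conf for an eduroam client (added example; the realm,
# hostnames and file paths are assumptions, not taken from the thread)
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=0

# 1) WEAK profile, kept only for comparison (disabled=1, never used):
#    - the outer identity carries the real username, so every visited
#      campus and every RADIUS proxy on the path logs who roamed
#    - no ca_cert and no domain_match, so a rogue "eduroam" AP presenting
#      any certificate terminates the TLS tunnel and collects the
#      MSCHAPv2 exchange (the PEAP/EAP-TTLS MitM the thread refers to)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# 2) HARDENED PEAP profile (the settings a CAT installer puts in place):
#    - anonymous_identity is all the visited site and the NRO proxies see;
#      only the realm after the @ is needed to route the request home,
#      and the real identity travels inside the TLS tunnel
#    - ca_cert pins the CA that issued the home RADIUS server certificate
#    - domain_match requires the server certificate's SAN/CN to equal this
#      name, so a certificate from the same CA for some other host is
#      rejected (domain_suffix_match="example.edu" is the looser form)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/wpa_supplicant/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
    priority=10
}

# 3) EAP-TLS variant: no password to phish, mutual certificate
#    authentication; needs a client certificate issued by the home campus.
#    Note that with TLS 1.2 the client certificate itself is sent in the
#    clear, so the anonymous outer identity hides less here than with PEAP.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    ca_cert="/etc/wpa_supplicant/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="key-passphrase"
    priority=5
    disabled=1
}
```

Drop the CA file in place and start with `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf`. Two things to check on the server side before rolling this out: the anonymous outer identity must still carry the realm, because the visited campus and the NRO proxies route on nothing else, and the name in domain_match must be the one actually present in the home RADIUS server's certificate, or every authentication fails at the first roaming site.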
