Student suspended for bypassing network security

By The Beacon | April 4, 2007 9:00pm

By Cole Vonder Haar

The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA).

Maass noticed flaws in CCA's "antivirus and operating system check" that would allow it to be bypassed. Essentially, a program could be written that fooled CCA into thinking it was receiving correct information identifying a computer's operating system and antivirus as current and up to date.

According to Information Services Director Bryon Fessler, a fundamental purpose of CCA is that it "evaluates whether computers are compliant with security policies (i.e., specific antivirus software, operating system updates, patches, etc.)."

In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues.

He says that the method he chose is "one of six that I came up with."

Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed.

"I was planning on going to Cisco with the vulnerability this summer," Maass says.

Maass' program was in use for approximately seven months before the University froze his UP account.

Additionally, he gave the program to several friends and one professor. As a result, they suffered judicial consequences including having their accounts frozen, residence hall probation, writing a 3-4 page reflection paper and having their computers inspected by IS to get network access back, according to Maass.

Many of these students declined an interview with The Beacon for fear of more sanctions from the University.

"They (University judicial officials) said they would most likely get in contact with the people (who have Maass's program) and ask them to delete the software," Maass said. "They weren't definitive, but I can tell you I was surprised (when the University punished them), and I thought it was hurtful."

Residence Hall probation is "a serious warning. Any further misconduct for any reason may result in removal from the residential system," according to this year's student handbook.

Maass believes his computer program finally came to the attention of the Judicial Board because of a facebook.com group he created in order to publicize the security research he was doing.

"There was nothing in [the policies] that stood out to me that I would be in violation of," Maass said of his thinking at the time he authored the program.

Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board.

Originally Maass was suspended for the rest of this academic year and the fall 2007 semester. He would be eligible to reapply for the fall 2009 semester after going through counseling for "internal integrity, ethics and identity issues."

But following an appeal process in which he was supported by many friends and faculty, the University ruled that Maass will be allowed to finish out the rest of this semester, but will be suspended through next semester.

Natalie Shank, University Judicial Coordinator, was unavailable to make any comment concerning the case, and John Goldrick, vice president of student services, declined to be interviewed due to legal confidentiality.

Some students think the University was too harsh.

"In this case, nobody was hurt; there is no concrete evidence of any kind that University policy was broken, and there was no state or federal regulation that was broken," said one of a handful of students sanctioned by the University for having and running the program on their computers. The student asked that his name not be revealed.

Some members of the School of Engineering faculty also wrote letters on behalf of Maass to persuade UP not to act too harshly in sentencing.

Other UP groups have spoken out about Maass's case as well.

One facebook.com group - I'm Never Giving UP One Cent - has added a situation with details similar to the Maass case to their list of grievances, making it number two on their list.

Junior Robert Vandermeulen believes Maass's actions did not warrant his punishment.

"No one was damaged, really. Nothing bad happened," Vandermeulen said.

The judicial actions taken against Maass could impact his college career in multiple ways.

"This (suspension) puts my (ROTC) scholarship in jeopardy ... I'll owe anything the Air Force has ever given me," Maass said.

Vandermeulen, an electrical engineering major, said Maass's actions shouldn't be that big of a deal because he was merely testing out something he had learned in class.

"We have classes where they teach you how to do that kind of stuff," Vandermeulen said.

Moreover, Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said.

"I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

Although this case raises questions about the effectiveness of CCA, Bryon Fessler assures, "The network security appliances and applications utilized by Information Services are updated and audited on a regular basis."

Maass hopes that some good will come out of his case.

He does not know if the incident will change UP's security, but he would at least like to warn students that there are many policies at UP and "people need to find these and read them."

"A lot of these policies are written to be very vague and flexible so that they can be ... [used] in whatever situation they (the University) need to use them in," he says.

Goldrick declined to comment on issues concerning policies.

Student policies can be found in handbooks available in the Office of Residence Life, the Office of Student Activities, and Information Services.

Caitlin Moran contributed to this report.

