Colleges Urged To Ban Telnet And FTP
M100 writes: "The Chronicle of Higher Education reports in this story that a computer-privacy 'expert' has told colleges that they should ban Telnet and FTP because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.'"
The story is based on Simson Garfinkle's writings ... it's mostly about other stuff, too. (Besides, who doesn't at least use ssh?)
yeah maybe mark it down for being stupid, but not for being off-topic! moderators marking stuff wrong?! no!
We really need to cut all these cables, remove the wireless systems, and ban networking altogether. I think 40 years have demonstrated that networking gives unauthorized personnel access to Secrets Man Was Not Meant To Know.
The real solution is to ban nothing, and try to educate the users about security.
This is totally dead on. Frankly, I use telnet mainly out of ingrained and ignorant habit. But any network service has security holes. The solution isn't to remove the service, it is to secure it. SSH, as everyone and their brother pointed out, is one answer.
But we shouldn't be thinking about what services we should be cutting off, we need to think about how they can be made secure.
ssh and scp can completely replace them
Umm... read the whole article. The person writing the article doesn't quote him as actually giving any reason for the no telnet/ftp suggestion other than 'the users can use them to get to private information'. Read it again. The entire article says 'Web servers record private information in log files. users can get to these log files with telnet and ftp. therefore, don't use telnet or ftp.' Now, of course, this is completely nonsensical, as you can put the log files somewhere nobody can see them, and thus the problem no longer exists.
Also, the article never mentions any alternatives to telnet and ftp. Why? Because *any* method of accessing the machine configured in such a way allows you to get to the improperly configured log files. The problem isn't with the insecurity of the connection method, it's a problem with the insecurity of the data on the machine itself!
FTP doesn't grant unauthorized access, people get unauthorized access.
Maybe we need to hire the NRA lobbyists to protect older software?
NFS is a huge security hole that lets evil college students share their files seamlessly. It must be stopped, by any means necessary.
Additionally, rumors have been flying that some male students have been writing little bits of drivel on paper, then passing these notes to women they find attractive. It must stop now. All pencils, pens, crayons and tablets must be seized and burned. Our young women must be protected.
The best and final solution is to simply stop educating the young. The "teacher-student" interface is a massive security hole that fosters the communication of ideas between people without the tacit approval of the state. These evil young people may then use the technology in ways the tribe of elders have not approved. This must be stopped.
Thank You,
The Controller
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Funny thing is, the wonderful UNT network people were only blocking connections that were coming in on 2 ports - 21 and 23 (ftp and telnet, fyi). That's all. Nothing else. Um, guys, maybe that's not too bright. Solution? Just run the services on another port...not too tough, just add a few lines to
Of course, the System Admin is the one person who is least likely to be thwarted by your use of PGP. Face it, the only thing that protects your privacy from your system administrator is the admin's professionalism. That & the fact that the admin doesn't have time to waste reading your email.
Of course, that assumes people are stupid enough to not run a portscanner before an attack. Frankly, I would imagine only the most neophyte crackers would neglect a portscan, especially since there are often easier and more tempting ports to target (especially in the first few days after an exploit is published).
no, you're redundant cause you're asking why you were marked as Redundant.
I think educating people as to what really happens when they telnet or ftp isn't stressed enough. The IMAP mail server at our school doesn't support ssh, but uses kerberos instead (I hope I have that right ;) Students are thus encouraged not to use Netscape to check their e-mail but to use Pine or another kerberos enabled program instead. Of course how do they run Pine? Unsecured telnet to the unix servers! And how many people just don't realize you can't hide something in your web folder? AFS/IFS surfing is a favorite lunch time activity for those in the know :)
It's enlightening to see what your superior education does for your social skills.
I don't; I _can't_.
My summer job (here at unisys, whose stock makes interesting watching these days) has me sitting behind a firewall. This I can live with and in fact find quite reasonable.
The firewall is set to only allow outgoing connections to specific machines/ports. This I find highly annoying, but if it let out the right ports I wouldn't mind.
The ports I know of that I'm allowed to connect to are 21, 23, 80, 81, 443, 8000, 8080, and any port on AOL's IM servers. Nothing else. You'll notice that 22 isn't in that list. That's right - the corporate firewall is so secure that you can't use ssh. Telnet access, however, apparently meets some business need.
I'd actually like it if every school started dropping telnet access and only allowing ssh. Maybe the cry of "let me read my school email" from all the interns would get the corporate firewall policy changed.
I used to work as the network manager for a college, which had a couple of hundred ethernet sockets in student accommodation. Here's my take on this and on why I think it's likely to be less of a problem in the future.
Why are unencrypted protocols so much of a problem?
The main reason why telnet (particularly) is singled out as a security culprit is that it's so trivial to harvest passwords, if you have the potential to eavesdrop on a network connection. The username and password are transmitted in the clear, right at the start of the connection: all you need to do is grab the first hundred bytes of any connection to port 23, and you'll get 9 out of 10 passwords.
Why is eavesdropping more of a problem in the residential network environment?
The residential network environment is chaotic, and there is usually very little capacity for control of what is physically connected to the network. I've heard of administrators who are getting serious problems with their ethernets, who eventually track the problem down to a student with a hub in their room, or whatever.
Ethernet is (in its basic form) a shared-media broadcast protocol; everyone gets everyone else's packets as well as theirs. Zap your adapter into promiscuous mode and there it all is. There are two basic ways around this from the hardware perspective. You either go for switched ethernet (which has traditionally been prohibitively expensive for the relatively low priority residential networks), or need-to-know hubs, which track the MAC addresses attached to each port, and scramble the data that goes to the others (for example, the 3Com SuperStack II portswitch hubs); both of these technologies have been significantly more expensive than the sort of baseline kit that has traditionally been specified in campus LANs.
Aggravating risk factors
We're seeing a lot more students running multiuser systems; Linux, *BSD, whatever. These are quite often not the best maintained machines. They are relatively frequently subjected to root exploit, and are less likely to be quickly detected as such than well run systems.
Also, the prevalence and reliance on network services is on the increase. As the density of usage increases, so increases the potential for catastrophic breaches of security. It is not unheard of for thousands of accounts to be compromised by a sniffer attack from a rooted Linux box.
Why the future is rosier...
For a start, networking kit that isn't susceptible to sniffing attacks is becoming cheaper. I personally got budgetary approval to replace all our hubs with need-to-know hubs, and my successor is installing switches to service student ethernet ports.
IPv6 is on its way; hopefully bringing network layer encryption and authentication. This is the ideal solution; SSH is great, but this sort of stuff should not be going on at application layer.
There is a significantly greater awareness of the issues on the part of university technical staff. I reckon some of the security people here know more about 'r00t-kits' and 'skripts' than most of the 'kyddies'. This also trickles down into the administration: they realise it's bad press to be hacked, and it's also tremendously expensive to recover from it. Coupled with the decreasing costs of doing it right, as mentioned above, it means that 'network security' is becoming a higher budgetary priority.
In summary...
The campus networks that are being installed today are probably highly resilient to being snooped, but there are a lot of legacy installations, based on equipment that's possibly 3-5 years old, that is horrifyingly insecure. Ideally, in the future, we won't have to worry about layer-2 insecurity, because we'll be protected by the IP network itself; however, in the meantime, SSH Is Your Friend!
Cheers, Nick.
-- O improbe amor, quid non mortalia pectora cogis!
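The post above explains that on shared-media ethernet a sniffer only needs to put its adapter into promiscuous mode. The defender's counterpart, on the hosts you administer, is to check whether any interface has been switched into that mode. The following is an added example, not part of Nick's post or of any tool he mentions: it decodes the interface flags that Linux exposes under /sys/class/net/<iface>/flags and reports interfaces with the IFF_PROMISC bit set. The sample flag values are constructed for illustration.

```python
import os

# Bit for promiscuous mode in the interface flags word (Linux <linux/if.h>).
IFF_PROMISC = 0x100


def is_promiscuous(flags_text):
    """Decode the text of /sys/class/net/<iface>/flags (e.g. '0x1103\\n')
    and return True if the promiscuous bit is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Return the sorted names of interfaces on this host that are currently
    in promiscuous mode. Linux only; returns [] elsewhere or on error."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for iface in os.listdir(sys_net):
        flags_path = os.path.join(sys_net, iface, "flags")
        try:
            with open(flags_path) as f:
                if is_promiscuous(f.read()):
                    found.append(iface)
        except OSError:
            # Interface vanished or flags not readable; skip it.
            continue
    return sorted(found)


# Constructed sample of the kind of values the flags file holds:
# eth0 up and running normally, eth1 up with promiscuous mode enabled,
# lo (loopback) with neither.
SAMPLE_FLAGS = {
    "eth0": "0x1003\n",
    "eth1": "0x1103\n",
    "lo": "0x9\n",
}


def scan_samples(samples=SAMPLE_FLAGS):
    """Apply the same decoding to the constructed sample values."""
    return sorted(name for name, text in samples.items() if is_promiscuous(text))


if __name__ == "__main__":
    print("constructed sample, promiscuous:", scan_samples())
    print("this host, promiscuous:", promiscuous_interfaces())
```

A positive result is only a signal: tcpdump and legitimate monitoring tools set the same bit, so the finding needs to be matched against what is supposed to run on that machine. A negative result says nothing about other hosts on the same hub, which is why the post's hardware remedies (need-to-know hubs, switches) and encrypted protocols remain the real fix.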
Regarding the article on Tuesday, June 27, 2000 by Florence Olson, I must disagree with Simson L. Garfinkel's conclusion. Telnet and File Transfer Protocol have been pivotal in the advancement of the internet, and these programs or variations thereof will continue to be essential. The article states:
> Log files, for example, are created on Web servers whenever users click on the "search" button. Mr. Garfinkel asked, Who has access to those log files? What computers are capturing those log files? What policies do institutions have for automatically deleting those files on a regular basis?
This quote says nothing about Telnet or FTP, and in fact implies that web servers are a problem. It also doesn't properly state what the log files record. The standard log file is configured to record every download of every document on the server, and from which ip the download was initiated, as well as every attempted download that triggered an internal error. Typically, these files are stored in a directory which normal users don't have access to.
The article also quotes Mr. Garfinkel as saying, "We're moving into a regime in which far, far more information is going to be collected -- and frequently, that's going to be done over some sort of campus network." As quoted, he implies that the campus network will be actively involved in the collection of this information. The problem here is that the vast majority of information collection will happen when a user connects to a remote site not affiliated with the campus. The campus' role here is limited to providing a wire connecting the user's computer to the outside world. The campus has no control over what information is collected and how it is used.
Telnet is a program used to connect the local client machine to the destination server via a text-based window. Such a connection is, for many operating systems, essential for remotely executing commands on the server or performing other tasks. FTP servers allow for the transfer of files, such as assignments or sample code, to and from the local client machine. While it may be true that the World Wide Web has significantly reduced reliance on this type of file transfer, FTP is still the most common choice of methods for password protected transfers.
The danger which Mr. Garfinkel seems to address is the fact that the log files of an improperly configured web server may be accessed via Telnet or FTP, and therefore these services should be halted. The real solution to the web server issue is to be certain that the web server is properly configured and that the log files it generates are only visible to accounts assigned to work with them.
The only indication of problems that might be related to Telnet or FTP is in the last paragraph, where he is quoted as urging "the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts." I'm not quite sure just what passwords he's implying are stored in an unencrypted format, since most telnet servers run on Unix, which stores its passwords in an encrypted format, and most ftp servers either use the Unix password file or an encrypted file of their own format. This argument may refer to CGI scripts which, being written by the user who wrote the webpage, can use whatever form of data storage the user desires.
In summary, Telnet and FTP are not the culprits here. Poorly configured web servers are the problem. The possible remedies are as follows:
1) Shut down the web server.
A drastic and undesirable action, as you might expect.
2) Protect the log files.
This isn't difficult. In fact, on most of the systems web servers run on, log files are protected by default from unauthorized viewing.
3) Turn off CGI.
Web servers can be configured to not run CGI scripts that aren't in a specified location. Thus, the possibility that an uninspected user-written CGI script can be executed is completely eliminated.
4) Train system administrators in security.
A commonly overlooked area of system administration which needs to be addressed.
5) Run the web server on a separate machine.
The user's web directory can be accessed over the internal network by the web server, but its log files will be written to the machine it's running on. With this solution, the directories the log files are stored in aren't even visible by the machine accessed by Telnet or FTP.
Do not look to Telnet and FTP as a solution to these problems, as they are merely a means to access the data which should be protected from them to begin with. The real culprit is the web server.
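Remedy 2 in the letter above ("Protect the log files") is cheap to verify. The following is an added example, not code from the letter's author: it walks a log directory, reports any log file whose mode bits let "other" users read it, and tightens the offenders to owner-plus-group access. The sample tree, file names and log line are constructed; the script needs a POSIX filesystem where chmod mode bits are honoured.

```python
import os
import stat
import tempfile


def world_readable(path):
    """True if the 'other' class has read permission on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_logs(log_dir, suffixes=(".log",)):
    """Walk log_dir and return the sorted paths of log files readable by everyone."""
    exposed = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(root, name)
                if world_readable(path):
                    exposed.append(path)
    return sorted(exposed)


def harden(paths, mode=0o640):
    """Restrict each path to owner read/write and group read (the usual setting
    for a web server's log directory); returns the paths changed."""
    for p in paths:
        os.chmod(p, mode)
    return list(paths)


def build_sample_tree():
    """Constructed sample: one correctly protected log and one world-readable log,
    each holding one constructed access-log line of the kind the letter describes."""
    base = tempfile.mkdtemp(prefix="weblogs_")
    safe = os.path.join(base, "access.log")
    leaky = os.path.join(base, "error.log")
    line = '192.0.2.7 - - [27/Jun/2000:10:00:00 +0000] "GET /search?q=grades HTTP/1.0" 200 512\n'
    for p in (safe, leaky):
        with open(p, "w") as f:
            f.write(line)
    os.chmod(safe, 0o640)   # owner rw, group r: fine
    os.chmod(leaky, 0o644)  # owner rw, group r, other r: exposed
    return base, safe, leaky


if __name__ == "__main__":
    base, safe, leaky = build_sample_tree()
    print("exposed before:", find_exposed_logs(base))
    harden(find_exposed_logs(base))
    print("exposed after: ", find_exposed_logs(base))
```

The check looks only at the file's own mode bits; remedy 5 in the letter (a separate log host) removes the directory from the shell machine entirely, which no permission bit can match. Note also that the directory itself must not be world-readable or world-traversable, otherwise file names still leak even when contents do not.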
Close, but no banana. You can talk smtp, pop3, http et al with a telnet client, but they're based on the *TCP/IP* stack, not the telnet stack (whatever a 'telnet stack' is).
smtp doesn't send usernames or passwords at all, let alone in clear text. http *can*, but if you're using this for anything other than trivial access controls or in a tightly secured network, you're very silly. Websites that ask for logins should be using https, especially if those logins are the same as logins used for other protocols.
pop3 *does* send usernames and passwords in plain text, and these will often be the same user names and passwords that can be used to gain shell access on other machines (or on the mail server in a poorly-designed setup).
The issue is not that there's something wrong with the telnet protocol as such. The issue is that there's *lots* wrong with sending clear-text passwords on broadcast media (campus or even company ethernet) or networks you don't control (the Internet). telnet, ftp and pop3 show this problem - they can be replaced with ssh, scp and pop3 over ssh tunnels.
As to '90 percent of the traffic on the internet' being insecure - most of that traffic (I take it you mean http traffic) doesn't contain user names and passwords!
Regards,
Tim.
Speaking as a system administrator for a college network with 18000 users I would say the main threat is from inside the network. We have banned all forms of unsecure communications on our network (telnet, ftp, pop) and the amounts of "hackers" and malicious behavior has decreased tremendously.
Kerberos pretty much solves all our problems (almost)
NOTE: all users can still telnet and ftp of course, but they have to use Ktelnet, ssh or such
/das Ix
This is my sig, show me yours
Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.
[1] Ssh tunnelling is cool because it can make most protocols much more secure. You connect to a computer via ssh, with the correct options to forward a port to or from it, and any traffic to a local port that you pick is sent over the secure connection, then sent to the remote host. When the remote host and the ssh host are the same, this is pretty secure (no chance for sniffing), and when they aren't the same, the sniffing risk goes down significantly if the server network is separate from the student nets, since that one is much less likely to be sniffed.
Seems that your sys-admin needs to hop on the clue-train.
Oh, believe me when I say that there's a whole lot of b0rken computer systems on campus. We see a lot of "user-obsequious" here.
Some of it has gotten better, mind -- the network maintainers do a good job implementing things that they think need to be done. It used to be nothing for the Banyan LAN to crash and be down for three days at a time. I rarely suggest things any more (like implementing SSL, or uncrippling the libraries on our servers, or...) because the people responsible ignore any and all feedback.
There is a spellbook here; eat it? [ynq]
I attend (at least, will be attending) the University of Illinois down here in CornTown, and students register via Telnet on computers. Telnet is obviously a vital protocol that many universities still rely on - I could see this place banning it - "Whoops... well, no one's registered. Thanks for the money though!" For those universities still using old Telnet systems, it's crucial that it be a protocol that is used widely but still needs to be secure.
How many times are we going to hear and listen to this "web logs are evil" crap before someone points out that it's all total BS? If you're that paranoid, you should stay off the entire 'net. Logging is a fact of life; how else do you expect server admins to know if their nav is working right, or what parts of their sites are most popular to sell ads? It just doesn't add up. For most, who cares if their IP is seen and logged? It's dynamically assigned every time they log on anyway. Even if it's not... what difference does this possibly make? The claims of traceability here are total nonsense, and I can't see any reason anyone would believe this crap.
---
Tim Wilde
Gimme 42 daemons!
I think a lot of people are missing here that the danger isn't for someone to break into some guy's account and read their email (which only affects the user who was connecting insecurely), the danger is that when someone breaks into an insecure box they often use it as a launching point for attacks on other systems, which affects everyone. If it was just the single user who was harmed I might agree that banning protocols MIGHT not be the best solution, but usually when a user's account is compromised they don't even notice. Someone just gets in and launches attacks, or uses other vulnerabilities to get root on the local machine, etc.
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
I wrote:
Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality
kawaii wrote:
Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.
You need some PuTTY - it makes Windows usable. It's a free SSH client for Windows, that also (if I remember correctly) supports port-forwarding etc. It is released under the MIT licence (kinda similar to the BSD licence) which is 'Open Source certified'.
Just as an aside; how recently is it that SSH has become a standard part of Linux distributions?
Cheers, Nick.
-- O improbe amor, quid non mortalia pectora cogis!
Take SecureCRT, for example. We currently have a site license for plain old non-encrypted CRT, which means we can distribute it freely to everyone affiliated with the university. However, it is impossible for us to get a site license for SecureCRT, because Van Dyke has to pay a royalty for each copy sold, and therefore can't distribute an unspecified number of copies. This (a) makes the price of SecureCRT prohibitive and (b) limits our methods of distribution.
Yes, there are free implementations, and many people use them. But these aren't legal in the US so we can't distribute them, or even really endorse them (a public university encouraging people to break the law is usually frowned upon).
I'll be extremely happy when the patent expires in September.
Hold, hold, hold on here a second. Banning the protocol doesn't make sense. On some computers, one can telnet in and play a game of rogue as the games user, for example. Don't ban anonymous FTP as well - it's been one of the backbones (not literally) of the Internet for years.
Do encourage system administrators and users to never, ever log in and send their password from remotely over telnet. Inside the college network is a different idea. (And some vendors, *cough* *cough* most of them *cough* *cough* don't have the good sense to pre-install ssh on their systems! Telnet can be a good thing.)
FTP, Telnet, and all the other protocols are useful in one way or another.
Yes, these are both useful services. But why run them when secure versions (ssh, scp, etc.) exist. These secure alternatives can do everything ftp and telnet can do, but more securely. You would be a fool to keep the plaintext services.
As far as HTTP goes, the number of machines running a web server should be FAR less than those requiring telnet/ftp type access. These few web servers are much easier to keep track of.
And another thing:
Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files
See that: partially. I would amend that by saying: Telnet and FTP are security risks mostly because they transmit passwords in plaintext. It is this problem that lets crackers get into your system and get access to your precious logs.
I think that computer networks, in general, provide an easy mechanism for accessing personal data. How can this be tolerated?
If there is a file on one computer and I want to use it on another, what choice do I have except for a computer network? This is incredibly insecure!
And don't EVEN get me started about floppy drives!
-- IANAEG - I am not an elder god.
"TELNET IS INSECURE!!!" - Well, duh, you fucking dumbass.
"WATCH YOUR EMPLOYEES FOR PERSONALITY CHANGES. THAT COULD MEAN THEY ARE TAKING DRUGS OR EMBEZZLING MONEY!!" - Well, duh, you fucking dumbass.
"HACKERS COME FROM THE INTERNET" - Well, duh, you fucking dumbass.
I would like to propose a new Internet Acronym (IA) of WDYFD (I think you can figure out what it stands for) to be used in reply to pompous, overzealous announcements to impress those who haven't quite figured out what that shiny square thing is sitting in front of them...
"The sky is blue!" :)
"WDYFD..."
Douglas Adams first documented this phenomenon in the Hitchhiker's Guide to the Galaxy. "It sure is a nice day, isn't it?" - However, it seems like the security dorks are really trying to cash in on this to keep their paychecks coming in. But, I hope they all remember the story about the little boy who cried Woof! (er, um, Wolf!) The more they keep desensitizing us to their "profound" announcements, the less we are going to pay attention when they actually have something important to say.
Is it just me, or do others notice the same thing amongst the security mailing lists (M Kabay comes to mind) and security trade rags?
I'm not saying that security is a bad thing. But I just want them to tell me something that I don't know. Not a bunch of obvious crap. Ways to work with technology, not a Luddite view of "oh, no, lets not use it at all!"
I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves; but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins;
Maybe I'm wrong about this, but it seems that free SSH clients are rare and far in between for the Mac OS? My school _does_ only allow access to some machines by ssh, but they also have a few alphas standing by with telnet as a proxy into those ssh machines for the Mac users who don't want to shell out the $$ to buy a commercial ssh package.
Because it allows for dissemination of illegal and inappropriate media, let's ban writing of any type aside from the pre-approved literature!
I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.
Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?
"I'm not even supposed to BE here today!"
This sounds awfully like a very bad article, written on the basis of a half-heard and barely understood talk. Given who Simson Garfinkel is, I think he does know what he's talking about, but that article reads as if it was written by an intern from the paper's "religion and dog shows" desk.
As an example: "Log files, for example, are created on Web servers whenever users click on the "search" button."
Telnet and FTP can be replaced with secure variants, telnet by SSH, ftp by pulling stuff over the SSH link. Surely any campus which does this should be applauded.
Obviously holding mirrors of things for the local community on a public access server is different but these should not be directly linked into the campus network anyway if they're taking a hit traffic wise.
Matt Thompson - Actuality - Insert product here.
Yes, OpenSSL+OpenSSH is real easy to install on Solaris. ./config ; make ; make install ; cd .. ; ./configure ; make ; make install. There won't be any RSA patent problems as you are in Canada. Seems that your sys-admin needs to hop on the clue-train.
Bitchslapped? Give Rob a bitchslap from bitchslapped.com.
>also, all .edu's are Internet2, so they are faster than most mirrors,
.edu has a wimpy T1 connection for 1800 students. My average throughput is about 2-3kB/s and it isn't even a healthy steady 2-3kB/s like you'd get thru a 28.8 modem, it jerks and stalls and is generally horrible. In fact, I have seriously considered putting in a modem and paying for a local ISP so I can get smooth access (maybe with load balancing so I can still use the college network too, but I'd have to figure that out). Please don't go spreading blatant misinformation like that. (Oh, and it's not like my college is some cheapo backwoods place either, they just haven't caught on to what's important yet.)
Hello? My
And indeed, how are they supposed to do without FTP when there are no SCP clients for all common platforms? There was even a period of two or three months between the school's switch to SSH and the release of a reliable SSH client for Mac OS, when I had no way of getting a shell from off campus.
I'm not very happy using FTP with my password, but it's the only way I know of to save a source file on my UNIX account for compiling over SSH.
And don't tell me I should be using a UNIX text editor, because I won't listen. vi and emacs may be great, but I have better things to learn. Not to mention editing with a noticeable network latency is just too annoying.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
MindTerm is a java SSH client that is quite usable, and is what I use on my G3 Powerbook over Niftytelnet.
-OT
OK, it's true. The article doesn't call for banning of telnet or ftp. Just unsecure telnet and ftp.
But will college administrators (not technical administrators, organizational administrators) understand this? These are the same people who decided the best thing was to convert everything over to NT, at my school....
Tweet, tweet.
"It would be great to go ssh only, but the client side issues are a pain in the neck because of the stupid RSA patent."
Just as a reminder, the patent on RSA runs out in a few months. I don't remember the exact date...
Learn to spell: nickel, missile, lose, solely, amendment, speech, kernel, probably, ridiculous, deity, hierarchy, versus
Hehe...one time I managed to confuse the hell out of a friend of mine by printing stuff on his printer through Network Neighborhood, including a document that said something like "Doesn't it suck having people print random stuff in your room? Take your printer off the network and you won't have this problem." He had to get me to do it, but at least he was more security conscious from then on.
Of course, this is the same guy whose dorm room I rewired so he couldn't turn off his lights...
---
Zardoz has spoken!
Oper on the Nightstar
That's what I'm asking! I don't understand how in the world this is offtopic from the story!
What are the new W2K SMP ports? I haven't heard of those yet.
Are they a well-known port number that can easily be blocked, like 137-139, or are they dynamic? I hope they are the former...
Dr. Demento On The 'Net!
If you interpret what the author's saying in the article as "firewall in your on-campus network and deny all ftp- and telnet-like access from the outside" then the analogy makes perfect sense.
GoAT.
There is a spellbook here; eat it? [ynq]
At West Virginia University, the only computers you can connect to in any way other than using http on port 80 are the ones on the same router as you. You can not ftp or telnet to any computer (other than one on your router) that isn't a University specified server.
Imagine if Walnut Creek shut down their server and said "Sorry folks! No more unencrypted ftp. We only allow secure logins." For truly anonymous ftp, you have to cater to the lowest common denominator.
OTOH, telnet, rlogin, et.al. are evil and should have been wiped out long ago. Go ssh! :)
I may be biased, but I work on housing network stuff at the University of Illinois (UC) and I don't think this is an issue. Our campus-wide network is comprised mostly of switches, making packet sniffing tough. And the dorm networks, which are likely the most dangerous place to have people sniffing, were set up with hubs that scramble data for anyone besides the recipient of that packet (that was the beginning of switching technology, 8 years ago). They're being replaced with full-fledged switches as I type this.
That being said, I would hope that most other campuses have taken similar precautions against packet sniffing when they designed their networks. There's nothing really radical here, mostly using switches instead of hubs.
On a well designed network, choice of protocol should matter a lot less.
chris
well... openssh is good, but it has some dependencies that need to be installed as well. I generally don't mess with it and just get it from ftp.ssh.fi and get the tarball
I agree that something should be done about unsecured Telnet and FTP -- when I was in the dorms, my box was hacked, and used as a stepping stone for other attacks.
I had closed all security holes I knew about at the time. (Linux 0.99pl14, log in as username "-pfroot", you're in like Flynn!) But, the network was unswitched so I was still vulnerable to a sniffed password.
Telnet and FTP and POP3 probably won't go away anytime soon because they're everywhere, and this really helps when using someone else's computer (at an Internet cafe, for instance).
Tunneling is a good way to add some security to these protocols. SSH is good for tunneling, but it's hard to tunnel FTP because it opens new connections for each file.
Offtopic: I would *love* an extension to the FTP protocol that would allow files to be transferred inline, so that control and data would share the same connection. Something like "INLI length ", in place of PORT or PASV, that would cause the next STOR or RETR to take place over the control connection, for the next length bytes. Has something like this already been done? If not, it seems easy enough to add...
Dr. Demento On The 'Net!
When I'm not protected by some other means like peer-to-peer VPN, and can't use scp or ftp tunneled over SSL, I've used SSH's port forwarding to forward localhost port 8021 to port 21 and then used FTP in passive mode. This at least protects your authentication channel, I think.
Someone please correct me if this is wrong.
-OT
This article is published in a higher education journal, but is filled with grammatical mistakes and doesn't have a consistent flow of ideas. There are enough technical mistakes to make me grit my teeth.
/. where we can all get off the subject and onto better discussions like the goodness of SSH.
I have a feeling Simson was talking about creating privacy friendly policies about log files, and during that discussion he related that protocols like FTP leave traces in log files. The author of this article then misunderstood what he was talking about and came up with a standard troll leader.
And any article with a good troll headline gets posted to
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I was suggesting the VT100 terminal was on another system, hence the need for telnet and the network. As far as the RS-232 bob, keyboard logger, spy satellite, mind control beams, and hacker demonic possessions, ummmmm yeah, right.
Speeding never killed anyone. Stopping did.
Think protocol layers and evolution. Ethernet, which is hardware based, needs (generally) a software stack, such as TCP/IP. TCP/IP then has other protocols which ride on top of it such as HTTP, pop3, ftp, etc. (just go look in /etc/services). Most of these protocols were coded with the same concept that telnet had: they are based upon the same telnet protocol. In the early days a telnet "send ayt" used to reply with "Yes" under many of these. A lot of this functionality has been stripped from most software by now.
As per smtp, uh yes it can send usernames in clear text. Look at the new RFCs. Thank God most people who implement smtp auth at least use some form of encryption.
To think that HTTP doesn't send passwords is just silly. Look at all the portal sites in the world. Most "common users" use the same password - and wow usually they are plain text. Most people don't even think about the option to "sign in securely" that most portal / chat / etc. sites use these days.
....Or maybe it was so simple as a student using pine over a telnet connection? :)
Chris
-- Humans, because the hardware IS the software.
At my school they were going to do this during the fall semester of last year. They even went so far as to buy a 10,000 user site license for the Windows users so they could use SecureCRT.
Anyway, despite the fact I'm a unix sysadmin at work, I still was against this move. First of all, my school has a HUGE proportion of international students (somewhere around 35%). Some of these students are from countries where their legal status to use such encryption in the US is questionable at best. Secondly my school apparently hadn't compiled in the RSARef library and the sysadmin couldn't figure out how to do it. (When you pay $30K for a sysadmin you get a $30K sysadmin).
But the bigger issues were these. First of all, there was no suitable legal Macintosh SSH client at the time as NiftySSH apparently suffered from the same nasty patent problems. Secondly, most school systems have HUGE amounts of accounts (this system has 14000+ accounts on it), many of these have never been used and getting access via a default password (usually last.first or social security numbers at most places) is trivial.
Turning off telnet then only really makes it a headache for people who can't get SSH, or who go home for the weekend and don't have an SSH client. It doesn't address the poorly configured log files which are the real problem in the first place.
As a postscript, my school has now implemented some crappy java/html insecure mail system which makes it easier to read other people's email because now it's sent all at once and you don't have to filter out the cursor keys in sniffit logs.
It's true, if SSH were available for every platform, freely (FAIB and FAIS) then this would be good, but it's not, telnet and FTP are.
My Slashdot account is old enough to drink...
*shrug*
the official ssh packages at ssh.com are free for non-commercial use. we have a site license here at u of i, and i don't think we paid anything for it.
Neither are we (JHU). But I meant one of the Windows GUI clients (DataFellows or something similar). Or, better, pay a bunch of crypto-minded CS students to do a reimplementation. Free servers and Unix clients don't mean much if the majority of people can't (or won't) use them.
To respond to the people who say "not everyone has SSH," do what I do -- if the machine is also running a web server (likely) put up a page containing a Java applet SSH client implementation. MindTerm Lite is nice and can be used by Netscape 4.6+ or IE 4+, and you'll probably have one of those available anywhere you go.
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
That is, unless you use a proxy.
Gah... *attempting to remove foot from mouth* Most people don't bother to use an anonymous proxy just to d/l stuff over ftp. Most ppl don't care, and most anon ftp sites are not the kind of places that would sell marketing data or otherwise do Bad Things.
You're absolutely right. Only those fortunate enough to go to some of the bigger, wealthier schools have that, and it's still location based. My school is close enough to MIT that we can use I2, and even UNH (Univ. of New Hampshire) is on I2. You certainly can't judge a school by its bandwidth.
There are four boxes used in defense of liberty: soap, ballot, jury, ammo. Use in that order.
It's not like these are the only plain text protocols out there, and they are not even the biggies. What about POP access which in most cases is going to be plain text or HTTP connections doing authentication? If the goal is security, all unnecessary daemons should be disabled of course but it seems illogical to target these services when far more prevalent ones are in general use. If it's just the file sharing business, enact quotas for all users and use a mailer daemon that can filter out non-text attachments (which will at least stop the non-technical users from sending files this way).
if you're willing to use ssh.com's software, scp works rather well between their windows client and a unix ssh2 server.
that's the only one i know of, but it works well enough for me to replace ftp with it whenever i'm going over an unsecured network.
chris
telnet clients use plain old TCP/IP, without any layers of abstraction on top (which is why you can telnet into a web server and make HTTP requests, even though HTTP is built on top of TCP/IP and not on top of your hypothetical "telnet" protocol--try it). As far as not reading the article goes... touché (although I don't think that allowing unencrypted telnet and ftp threatens the security of an entire network unless you're allowed to su to root via an unencrypted connection [thus transmitting the root password unencrypted], otherwise it'd just be a security hazard for individuals who chose not to use something like ssh or ktelnet). I'm sorry if you got the impression that I was passing myself off as an expert; this was not my intention. If you would like to do some research of your own on this subject, I suggest you start here, and take a look at the accompanying example code found here.
From the article:
Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files, which can then be used by crackers. But then, he goes on to say that web search forms have the same problem (see quoted paragraph above). So why isn't he urging the colleges to consider shutting down HTTP as well? Heck, log files must be on every server, so block TCP/IP while you're at it!
I think it's been posted before, but the answer isn't removing access to various protocols. Colleges ought to give out a pamphlet of basic security measures to every incoming student, a sort of primer on protecting your computer from crackers. Maybe even provide firewall software for their students? Let's face it: most of them aren't going to know anything about computer security, and it's probably the first time they have had a high-bandwidth always-on connection.
FTP, Telnet, and all the other protocols are useful in one way or another. The potential for misuse shouldn't lead to banning them or blocking them.
--
The real Captain Derivative has a Slashdot ID.
Unfortunately, not every place has SSH. And sometimes SSH is simply overkill. If I just want to check my email, I don't care too much if someone along the pipe sees me deleting 10 messages on how to "make money fast!", but I don't want them sniffing my password. Sure, but there is value in just adding to the encrypted traffic : if you only encrypt the valuable data, then encrypted traffic is an obvious target for attack, but if you encrypt everything, you burden the potential attacker with plenty of decoys.
>but a dedicated cracker will find a way in anyway if they really want to
:)
We're talking about university residence networks. On most such networks there would be very few people who would consider making a good, well-planned attack. There are a _lot_ of people with some free time, curiosity, and knowledge who can easily sniff networks for passwords (unless the networks are fully switched.) These are the people that make telnet and ftp a Bad idea in a university network.
Think about how many people just memorize how to upload files using what to them might as well be voodoo. Teaching them scp voodoo instead of ftp voodoo makes little difference to them, since they don't understand what's going on either way, but then they will be doing their uploads in the best way possible
#define X(x,y) x##y
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
A replacement for telnet, it encrypts all your transmissions making sniffing of passwords, connection hijacking and all those other tricks impossible (or at least extremely difficult). If you want to get it (and you SHOULD) go to www.openssh.com for those guys from OpenBSD's implementation. It's free, and has lots of kickass features for us Open Source folks (like all those nasty algorithms that are patented so we can't use 'em removed).
You are more than the sum of what you consume.
Desire is not an occupation.
My friend was just at USENIX, and one of the stories that he had (aside from some /very/ interesting anecdotes about some of our community elders) was this: Some dude (I think from CMU) wrote some software that captures packets out of the air, for everybody using the wireless network USENIX provided for them. Using these he was able to sniff out passwords and the like. At the end of the conference he presented one of those working papers (something he hacked up while at the conference) on all the stuff he had found. He had a list of usernames and passwords a mile long. This is USENIX--and he was still able to get more passwords than most /etc/password files contain.
What he says is, paraphrased:
*You're a bunch of incompetent idiots who refused to properly secure your systems/networks - so disable the tools that reveal your stupidity*
That's a pretty bold and irresponsible statement to make. If he has examples of specific institutions doing specific things in a vulnerable manner, then he should be assisting those institutions/individuals to correct the vulnerability - NOT advocating the banning of useful, and (FTP at least) often critical, components of the systems.
I AM, therefore I THINK!
That is a very nice program, thank you for telling me about it. It makes windows much more bearable. Though there could be patent issues for it in the US (an issue for colleges who want their students to use it), it looks like they will clear up soon (in September 2000). I'll definitely suggest it when I get back on campus in September (though it could be more well documented...).
Also, I didn't see anything about port-forwarding when I wandered through the webpage or in the program itself. But that could probably be added fairly painlessly, if it isn't in there now.
Just as an aside: how recently has SSH become a standard part of Linux distributions?
It has been a standard part of at least the non-free parts of linux for around 2 or 3 years AFAIK. Now that OpenSSH is out, it is essentially standard on all systems where it isn't specifically unwanted.
-nh
The department had continued problems, though, with students too lazy to install ssh clients on their own desktops who would telnet into one of the other campus Unix machines and then ssh into the CS servers. Of course, this completely defeats the security. Warnings and reprimands didn't work; the staff eventually had to implement automatic filtering to stop people from doing this.
Poorly-behaved users will make any security scheme worthless. The most important thing IT departments can do to improve their security is help users understand why it's important, and what they can do to help. Many students don't realize that when they leave their own box insecure or broadcast their own password over the network, they are not only endangering themselves. A single weak point on a LAN endangers everyone, and makes it easier for an attacker to breach every other box on the network. Keeping your own accounts and connections secure is part of being a good neighbor to those whose systems you share.
Try going to openssh.com, they have a free (and legal) version of ssh that does not use the RSA patents.
-- no
I want to stress the point that it isn't a matter of university sysadmins not taking proper care of security (although that's probably true far too often). Some protocols are fundamentally insecure. Telnet and ftp are prime examples. Anonymous FTP can be acceptable, but as http provides exactly the same functionality without the truly ugly multiple port mess of ftp (which can be a pain if you're running a firewall), it's time to put ftp to sleep as well. The problem IS with the protocols, which were designed when the internet was a much, much smaller and safer place.
Another Anonymous, but sysadmin@.edu, Coward
actually, part of the reason that ssh wasn't required to connect to students.uiuc.edu to register was that at the peak of registration, when a few hundred students would be using each machine in the cluster, the encryption overhead would become pretty nasty. the suns they use do a lot, and the extra work for hundreds of ssh connections isn't something they need.
i believe this scenario actually happened a while back when housing installed ssh as the default telnet client in the dorm labs.
chris
I think there's a major flaw with this, and it comes down to:
Sure, we dig finding new, better, more secure ways to do our computing. That's because it's our hobby and our thrill.
The average Joe or Jane User? They just want their email. They already spent an obscene amount of effort and grief learning how to use it already, so cut them some slack (I'm being sarcastic, but it IS how they regard it). If you let them continue with the old insecure methods, they're not going to change one iota.
I don't let people use telnet at my office, and I don't let them use anything lower than symmetric encryption on PCAnywhere (twitch, twitch, shudder), and screw 'em if they don't like it. They bitched during the changeover, but now it's just rote repetition, just like before, and the systems are (more) secure.
I completely disagree with encouraging the ban on telnet and ftp. Here are the reasons:
1. As the issue pertained to ResNets on college campuses, one of which I work at, one authentication method for internet access registration is via plain text telnet in a perl script. Basically, when the user registers for their room connection, a script telnets to the mail server to check if a valid email account exists (to authenticate the student, that s/he goes to that school).
2. The issue isn't really about breaking or rooting systems, but about access to logs. Unencrypted telnet/ftp is a very big security issue on a public server, but most traffic on a campus network is segmented usually with multiple routers. Unless you were physically on campus, and on the same supernet (which a stranger would have to hack a router to deduce the complex topology) it would be hard to intercept plaintext transmissions from off-campus. Again, the threat would be from within the university that someone would deliberately try to access logs.
3. This is all from my own limited personal experience at the University of Connecticut, so I might be wrong.
MIT uses kerberized telnet (and increasingly SSH). It's secure and allows remote access.
Arun
For MacOS, there's NiftyTelnetSSH, which includes SCP support. (and decent, fast terminal emulation, unlike NCSA telnet.)
All these programs are gratis, but NiftyTelnet might not be libre. (PuTTY and pscp are.)
For Unix, of course, there's OpenSSH.
For VMS, there's an FAQ, which recommends a server and a client.
#define X(x,y) x##y
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
Pushing people to use SSH isn't going to help too much when the majority of students will still have to send passwords in plaintext format over FTP.
scp works fine. And actually sftp is part of the ssh2 distro, and IIRC there are (commercial) windows clients for it as well. If the unis really want security, buy a site license for a Windows ssh2 client, give it to everybody who wants a copy, then turn off telnet and non-anonymous-ftp on all college-owned machines (installing ssh1, ssh2, sftp, etc as replacements), and encourage (but do not require) everyone else on the network to do the same.
I can offer my personal experiences as a network administrator on a college campus. Several years ago, I was the network admin for the Admissions Office for a local University. For years, all of the administrative computing had taken place on an IBM SNA network, with the academic computing on a separate TCP/IP network. When the administration switched from terminals to PCs, they decided to phase out SNA and replace it with TCP/IP, using Telnet and TN3270 for mainframe terminal sessions. I tried (and tried, and tried) to convince the campus admins of the dangers of using unsecured protocols. I even gave them a demo with a shareware DOS based packet sniffer, showing them how I could catch anyone's username and password as they were typed across the network. Cost issues won out. At this campus, at this very moment, any student with knowledge of the field could get the username and password for anyone in the Administration. Changing grades, modifying records, reaping general havoc, all within easy grasp.
The problem is not just that this is a security issue, but that providing what amounts to unrestricted access to academic records is a violation of the Buckley Amendment. This school, and countless others are putting the academic records of their students at risk. Students should really be the most vocal critics of these schools, demanding that their academic records be afforded the protection that they deserve, and that the law requires.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
The Chronicle of Not-So-High Education reports in this story that a computer-privacy 'expert sensationalist' has told colleges that they should ban computers because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.' "Computer crime has increased at an alarming rate, and data suggests that the key event that triggered it all was the introduction of computers into society. As computer usage has gone up, there has always been a corresponding increase in computer crime. The link is undeniable." said 'expert sensationalist' Joe Fudd. With such incontrovertible evidence, colleges across the nation are expected to set policies in place that would heavily penalize the use of computers.
http://secureftp.glub.com or http://secureftp.sdsc.edu
the official ssh packages at ssh.com are free for non-commercial use. we have a site license here at u of i, and i don't think we paid anything for it.
chris
The nice thing about Windows Networking is that it has already essentially been banned from the Internet -- most larger ISPs make a point of blocking ports 137-139 (probably missing the new W2K SMP ports), and I would imagine that Universities block it at their border. So, unlike telnet/ftp which has traditionally been open to the entire Internet on campus networks, Windows filesharing is an internal problem.
My question is: Did Microsoft or OEMs ship a version of Windows 9x so that it shares drives by default? (I know NT has its admin shares.) Would they really be that stupid?
(I've seen users that can't figure out how to print, but yet somehow have filesharing turned on, but every time I've installed Windows, it seems like you need to take 3 extra steps to get it working.)
When I hear the word 'innovation', I reach for my pistol.
>Which is all well and good, but then I get to
>access my e-mail using said password via either
>pine on an SSH terminal (safe) or... POP3.
Why not tunnel your POP session through ssh?
S.
My school doesn't run sshd on all of their servers for reasons I don't understand, but they do offer Kerberos-aware versions of telnet and FTP. This makes a great deal of sense in a distributed Unix environment, and since most modern mail readers (i.e. Eudora, Outlook) don't choke on KPOP, it's reasonably convenient even for those without Unix boxes.
But before you start thinking too highly of computing at Iowa State, note that there's an Ultrix box in my office...
Pushing people to use SSH isn't going to help too much when the majority of students will still have to send passwords in plaintext format over FTP. There is no real cross-platform replacement for FTP, AFAIK. I've heard mention of SFTP, but when I went looking for it, it seems it's someone's pet project for Unix machines only. I've become real bothered by this lately now that I'm getting in the habit of using SSH.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
http://secureftp.glub.com or http://secureftp.sdsc.edu Go to the websites to get all the info.
IMHE ssh is far from the silver bullet as it is quite unreliable. I have had numerous sshd'z hang on me ... I just had a friend working from a major company call me and asking what could be done to access his box as the sshd was locked (2 months uptime ) ... they had disabled all other access (telnet and ftpd r*) so they couldn't even ftp something like a crontab to bounce the box ...
anyone have similar experiences with sshd?
How about letting your "boys" decide where they want to go to college? They will be adults, won't they?
What he's saying is that telnet and ftp are insecure and that sysadmins are not doing anything to address that issue, which is fair enough. Telnet should not be used over the internet, ssh should be instead, and any anonymous ftp server should not give a black hat access to the rest of the network.
This is not a 'ban ftp' thing but merely a take care and always read the security announcements.
The Telnet protocol provides options for strong authentication and encryption. Telnet authentication can be performed with Kerberos, Secure Remote Password, X.509 certificates, ... Privacy and integrity protection is provided by TLS. The same is true for FTP. The problem is not the protocol but the lack of secure implementations in the distributions of most operating systems. In the same way that you must install SSH and other secure clients and daemons, you must install secure versions of Telnet and FTP.
There are not many web hosting services that allow you shell access at all, let alone secure shell. One that does is the one I use, Seagull Networks.
The funny thing is I use SCP to upload my web pages. Anyone on the net who wants to can look at my web pages after they're uploaded, but they won't have my password.
Do you use a different password for important sites like your web host from the many websites out there that require passwords for you to register for some service? Good.
Even better is if you use a different password for every website you register one, because some of the websites offering some useful service may be doing double duty as password stealers.
Since most people use the same password everywhere, a site can give you, say, a free trial of some porn in return for your password and email and then hack your account.
I would suggest that any university or company do what Apple did when I worked there and require the combination of a password and a cryptographically generated key that's made by some device.
At Apple I had a little credit-card device that showed a different password each minute. I think they basically calculate a new secure hash every minute from the old one, combined with a password that's programmed into the unit but not visible to the user.
See my page on why everyone should use encryption.
-- Could you use my software consulting serv
What I did was set up sshd to listen on port 80 on a server I set up for a friend's house with cable internet. So from inside my company's workplace, I connect to that server's port 80 via ssh.
From there, i can then ssh elsewhere unrestricted.
Banning incoming Telnet does seem reasonable anyway, as that blocks simple system-access attempts. Sure, pinholes will be needed for systems which need the service -- such as the Telnet library info which some facilities use.
There's a program called sftp in the ssh package that lets you do file transfers over ssh.
scp (secure copy), also part of the standard ssh package, also works well for moving files around securely.
Eric
"Seven Deadly Sins? I thought it was a to-do list!"
So telnet, ftp and unencrypted passwords lead to vulnerability of data on college networks.....well duh
Never underestimate the dark side of the Source
Seriously Rob, what gives with that comment?
SSH is not really all THAT secure. Sure, it means a kiddie running a script probably can't find out your password or your nethack secrets or steal the code you are crafting, but SSH isn't so fearsome that someone who has decent skill in cryptography can't work it and milk out some info. Further, SSH has had some nasty security bugs in the past, and you never know when the next one might pop up.
The solution? Well, first of all, SSH is fine and good, but #1 don't use real passwords. Use one-time passwords if you are really serious about security. Second, don't use telnet, SSH or ftp (or sftp) to do critical stuff. You can't snoop a zip disk in your pocket.
If you think it's not worth the effort to cart around that way, it's probably not worth the effort to protect. One time passwords give a lot of protection in this case, but no one uses them because they don't like having to keep a card in their wallet with the latest passwords.
- Paradox
Man of the C!!!
Slashdot. It's Not For Common Sense
Besides, who doesn't at least use ssh?
The answer: Yeshiva University which stopped allowing SSH access to the main e-mail server. I heard the reason they gave was they wanted to be able to monitor who was logging on to the system or something like that.
Don't ask.
By the same logic, we should remove all windows from houses (I'm referring to the pane-glass variety; I'll say nothing of the other kind.) Don't you know that they can be used to violate your privacy and access your personal possessions?
The author seems to think that taking all the windows out is a better idea then the compromise of using locks and curtains.
There is a spellbook here; eat it? [ynq]
I'm paraphrasing here, but Gene Spafford (co-author of Firewalls and Internet Security, and generally considered to be a security expert) has said many times "The only way to make a computer be totally secure is to power it off, lock it in a vault, post armed guards outside, and even then I'm still not entirely convinced."
---
At least mafia-owned pizzerias make excellent pizza. Compare to Bill Gates.
The problem is not with the two protocols in themselves, but more with network administrators that don't have the time or concern to implement the full range of security measures that are required to make them safe.
Not allowing FTP or Telnet to be used will increase the security for wide-open systems to an extent, but a dedicated cracker will find a way in anyway if they really want to. The trick is to make it hard enough so as not to be worth the effort, and there are a lot more things which should be done before banning FTP and Telnet will help secure a network.
And on an offtopic note, what the Hell has been happening with /. today? It comes on for ten minutes, dies for an hour and then repeats... is it anything to do with the 1.05 slash code update?
---
Jon E. Erikson
Jon Erikson, IT guru
Well, I'd say it should be banned and then allowed to be used only in certain circumstances. ;-)
For example allow for people to connect to ftp only from localhost, so that they can use their favorite ftp client to logon to machine, port forward the FTP and do file transfers that way - not everyone can use scp in windows
I've done it for one of the companies I've worked for and they still use it =)
That's why I was surprised to see that he was involved in trying to "ban" FTP and Telnet. However, the blurb is misleading. SG was saying that there are inadequate protections for student privacy within the University context. I've got to agree. The number of University machines that get cracked (either due to negligence, laziness, or ignorance) is astounding. Then, start shooting unencrypted traffic around, and the cracker has every username/password pair they might want.
The problem is just what SG says-- there ARE ways to encrypt traffic and make personal data more secure, but there is no infrastructure (in terms of human support and resources for teaching the end-user about these things).
One of the reasons why secure FTP hasn't taken off is that it's a HUGE CPU hog. I've had difficulty transferring large files without one side of the connection dropping off with scp.
What I would like to see is a "less secure" secure FTP protocol that would scramble user/password transactions ONLY, and let the files transfer in "plaintext". Or just amend the FTP protocol so that regular FTP servers can be configured to demand this.
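Two ideas from this thread can be checked side by side: the SSH port forward of the FTP control channel with passive-mode transfers (the localhost:8021 trick a few posts up), and the "scramble only user/password" protocol asked for here, which is what FTP over TLS (RFC 4217) gives with PROT C as opposed to PROT P. The script below is an added example, not code from the thread or from any FTP implementation; the hostnames, ports, password and session transcripts are constructed.

```python
import re

# Added example: replay an FTP control-channel transcript and report which of
# USER, PASS and the file transfers a sniffer on the LAN would see in the clear.
# Constructed data throughout; no real hosts are contacted.

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).
    RFC 959 encodes the data port as p1*256 + p2."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def audit_session(control_target, transcript, forwards=None):
    """Walk a transcript of 'C: <client line>' / 'S: <server line>' entries.

    control_target: (host, port) the client dialled for the control connection.
    forwards: {(local_host, local_port): (remote_host, remote_port)} for each
              'ssh -L' listener; traffic is encrypted only if the client
              dialled one of those local listeners.
    Returns [(channel, command, endpoint, protected), ...] for USER, PASS and
    every RETR/STOR.  The data connection goes wherever the PASV reply says,
    so a forward of the control port alone never covers it.
    """
    forwards = forwards or {}
    tls_control = False      # set once AUTH TLS is accepted (234)
    prot_private = False     # set once PROT P is accepted (200)
    pending = None           # last client command awaiting its reply
    data_target = None       # (host, port) from the most recent PASV reply
    findings = []
    for line in transcript:
        who, _, text = line.partition(" ")
        if who == "C:":
            pending = text
            verb = text.split()[0]
            if verb in ("USER", "PASS"):
                protected = tls_control or control_target in forwards
                findings.append(("control", verb, control_target, protected))
            elif verb in ("RETR", "STOR"):
                if data_target is None:
                    raise ValueError("%s issued before PASV" % verb)
                protected = prot_private or data_target in forwards
                findings.append(("data", text, data_target, protected))
        elif who == "S:":
            code = text[:3]
            if pending == "AUTH TLS" and code == "234":
                tls_control = True
            elif pending == "PROT P" and code == "200":
                prot_private = True
            elif pending == "PROT C" and code == "200":
                prot_private = False
            elif code == "227":
                data_target = parse_pasv_reply(text)
            pending = None
    return findings


def summarize(findings):
    """{command: protected} view of audit_session() output."""
    return {cmd: prot for _, cmd, _, prot in findings}


# Scheme 1: 'ssh -L 8021:192.0.2.10:21', client talks to 127.0.0.1:8021 in PASV mode.
SSH_FORWARD = {("127.0.0.1", 8021): ("192.0.2.10", 21)}
PLAIN_SESSION = [
    "S: 220 ftp.example.edu FTP server ready.",
    "C: USER alice",
    "S: 331 Password required for alice.",
    "C: PASS correct-horse (constructed)",
    "S: 230 User alice logged in.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,19,136).",
    "C: RETR grades.txt",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
]


# Scheme 2: FTP over TLS; PROT C protects the login only, PROT P the data too.
def tls_session(prot):
    return [
        "S: 220 ftp.example.edu FTP server ready.",
        "C: AUTH TLS",
        "S: 234 Proceed with negotiation.",
        "C: USER alice",
        "S: 331 Password required for alice.",
        "C: PASS correct-horse (constructed)",
        "S: 230 User alice logged in.",
        "C: PBSZ 0",
        "S: 200 PBSZ=0",
        "C: PROT " + prot,
        "S: 200 Protection level set to " + prot,
        "C: PASV",
        "S: 227 Entering Passive Mode (192,0,2,10,19,136).",
        "C: STOR index.html",
        "S: 150 Ok to send data.",
        "S: 226 Transfer complete.",
    ]


if __name__ == "__main__":
    print("ssh -L forward:", summarize(audit_session(("127.0.0.1", 8021), PLAIN_SESSION, SSH_FORWARD)))
    print("TLS + PROT C:  ", summarize(audit_session(("192.0.2.10", 21), tls_session("C"))))
    print("TLS + PROT P:  ", summarize(audit_session(("192.0.2.10", 21), tls_session("P"))))
```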
Come on now. Every single time there is anything in this world that can cause any sort of harm, we have these people that try their hardest to just get rid of it. In this specific case, why not invest the time and energy in ways that will be more productive such as better security measures at the campus level to help prevent such attacks.
Besides...what kind of generation would we produce if our college students could not MUD! I know many students who would probably not have made it through college had they not been able to MUD (releasing that built in stress out to the rest of the MUD).
-= Xafloc =-
alinuxbox.com
I would ban windows networking first. If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions. Telnet and FTP take some effort to set up, at least on win9x.
The real solution is to ban nothing, and try to educate the users about security. Little things like, "turn off inetd," "disable sharing," "if you do share, give it a good password," etc. Colleges throw persistent megabit connections at their students without so much as a flyer for common security issues.
Most educational organizations and I think almost all commercial organizations have already rejected use of any protocol that sends passwords unencrypted... so very often the usual protocols are available only via an ssl-wrapper, and telnet+ftp is replaced with ssh+scp. This doesn't apply to anonymous ftp of course, as there are no passwords. Not a bad thing.
I swear to god, let's just ban it all. And better yet, let's ban windows and doors on houses because after all, if someone breaks in they're probably going to use one of those methods. And get rid of doorknobs too... just to be safe.
--
|-_-| . o O ( bEef!)
ssh is kinda an encrypted telnet, with extra features see http://www.ssh.org and http://www.openssh.org
I work at a University (I won't say which one for fear of job safety) that has repeatedly made ignorant security decisions like the one above. The first was to disallow outside access to all ports less than or equal to 1024 (except for those machines in the server farm). While this can arguably make sense, it's painfully annoying when trying to get on irc.
Yes, I stopped caring about trying to get directly on irc and just used a shell. Not having ident is extremely painful at times, though, I must tell you.
The second ignorant decision? Firewalling off ICQ. Yes, ICQ. Apparently ICQ presents such an amazing security risk that they cannot allow students to use it on their own computers. Naturally, I used a previously mentioned shell to run a socks5 proxy, but that's not the issue. Most people wouldn't do such things. They think that all security is the responsibility of the network administrator, and not the end user.
I should mention that they advocate the use of AIM, and use nothing but Netscape on the network right now....
Are IT professionals at colleges as ignorant as they appear to be? I find it hard to believe that people who set up a heterogeneous network of Solaris, Linux, AIX, Windows NT, and Mac OS X servers using an OC3 uplink and fiber optic backbone connections between buildings could think that ICQ was enough of a security risk to justify firewalling it off.
Then again, they blocked port 4000 altogether.
Maybe it is possible.
--
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
telnet just uses plain old TCP/IP. I'm sure they don't want to ban *that*, or else nothing would work.
telnet slashdot.org 80
GET /index.html
I was wondering about the funny score as well. But since I'm a serious karma whore, I'll take what I can get.
:-)
Yup, this article didn't deserve a precious post on slashdot. By posting this worthless troll, a jon katz article may have been rejected. What a shame
the funny AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Here's what the author actually said in the article for those who cannot read:
Garfinkel said the main lesson of his new book, published by O'Reilly & Associates, is that students and faculty members cannot rely on themselves or on technology to protect their privacy when they use computer networks.
It's a nothing quote from an author I've grown to respect over the years with regards to UNIX security in particular. All the quote means is: networks are inherently insecure.
We knew that.
They're not going to ban Telnet and FTP, and the article doesn't call for that. What the article is calling for is to ban the practice of unsecured Telnet and FTP, something highly advised at schools such as mine.
According to the article, many colleges don't set proper access restrictions on log files containing vital information, so those files may even be indexed when a user does a search on the school's web site. That's just stupid, as any admin can see. Furthermore, most students, even at privacy-minded schools like mine, don't bother with using encrypted Telnet or FTP sessions. They figure nobody's out to get them, and so they don't need to authenticate. My next-door neighbor, before getting effectively kicked out of the school, wound up sniffing all of the passwords of everyone on our subnet who even once logged in unencrypted. While he didn't use that data for malicious purposes, a more unscrupulous character could easily publish them.
For more information, click here.
Step 1: encrypt the files you want to upload to a remote host using your favorite method.
Step 2: login anonymously, upload to /pub/incoming or something similar.
Step 3: ssh in, mv the files, chown/chgrp/chmod them, and decrypt them.
Colleges better not heed this warning or the students they produce will be more ignorant than they already are. Run two separate networks if security is a must; don't close down the ability for students to use telnet and ftp. For college students it is much easier just downloading your work than carrying around a 3 1/2 inch floppy. Plus not all students are running a unix box at home, and hello, they need something to log into when they are taking the Unix course. So come on, give me a break: two networks, not banning ftp and telnet.
Get your own Red Swingline Stapler
They also give students an easy way to access their data...
They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.
So how do you prevent people from sniffing web-mail passwords?
The shareholder is always right.
A skilled administrator will use SSH.
An unskilled administrator will use Telnet.
An unskilled administrator is a risk. (They're also called 'students', but who's counting?)
People actually shouldn't be telnetting in from the outside world, and I'm starting to flat out distrust wu-ftpd. Banning servers at all on campus would violate the purpose of the university, and the rather nice job market facing college interns and graduates who cut their teeth on their home networks is nothing to sneeze at.
Not particularly sure about my position on this. Comments appreciated.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
And we all know how useful that network would be...
In the eyes of, oh, say, Mattel, or AOL/Time Warner, or the RIAA/MPAA - the PERFECT NETWORK. Or at the least, a step towards the perfect network. The perfect network being a one-way path for the delivery of useless content surrounded by propaganda and advertising, all of which can be relentlessly pushed down the pipe, and where control of content/criticism and speech is absolute. What better place to start than in the schools? Today's users will never accept it, but the next generation...?
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
Ok, I can understand dumping telnet for ssh. I've personally witnessed someone using a sniffer to watch e-mail being written. As for FTP... it is very useful for shuffling data around. Many websites also have FTP, so that you can upload your homepages.
I know to use SSH as a replacement for telnet, but what about ftp? And don't tell me to use scp either, as that is essentially a wrapper for ssh that just grabs files that you tell it to, not interactive like ftp. Anyone writing sftp out there?
You are more than the sum of what you consume.
Desire is not an occupation.
How will I ever upload my Pr0n to my school's web server so I can have their servers serve my Pr0n??? Give me FTP or give me death!!!
LDAP would be a great tool if well implemented in universities (for both between departments and between students).
http://www.openldap.org/ has lots of information on this, since I'm not informed well enough on the subject to explain it myself. i.e. it's just an idea I'm throwing on the table.
FTP servers have a long history of security issues, but they are still ubiquitous. For example, our university network consists of over 10,000 hosts, and approximately 2,000 of them are providing FTP services, of which a huge number even permit anonymous access. For several reasons, it wasn't possible to block incoming FTP connections at the main router in the past, but AFAIK there's a strong commitment to reduce the number of FTP hosts considerably (read: to 20 or so), which are well-maintained and cut off from the rest of the university network.
Telnet servers are even more widespread in our network. Unfortunately, telnet is completely insecure. Passwords and entire sessions can be eavesdropped quite easily, and it's even possible to hijack telnet sessions.
I think other universities have similar problems, and therefore a cry for banning FTP and telnet seems reasonable.
I'm glad the above article was moderated up, but why did it get moderated "funny"?
Jeez, the author of the IT article was painfully confused -- if anyone took the time to read it, you'd discover that "C.G.I. programs are easily exploited by network attackers", and are "invasive of users privacy". Criminy -- since it's impossible for the client to know if the server just served up a CGI or a static page, the only solution would be to ban HTTP entirely too. Oh my god! It's The Death of The Internet as We Know It!!! (tm). Think of the Children!!!!! (tm).
The original author demonstrated painful cluelessness in the article, and it's impossible for me to guess what Simson L. Garfinkel had in mind from the misunderstood snippets the article's author has presented us. Why are any of us spending any time on this?
BTW -- do any of us remember Simson Garfinkel, the guy from salon who told us about Mattel Spyware just two weeks ago? Does anyone read or think about these articles?
Slashdot is jumping the shark. I'm just driving the boat.
That's a good solution for Unix, but the real problem is the lack of free/legal clients for Mac and Windows.
The apparent goals of this movement are to maintain user-privacy within a University environment and to minimize the vulnerability of the systems.
What I think they are talking about is the tightening down of services on Campuses, since they're very prone to attacks and abuses. They are encouraging campuses to instead require students to make use of POP / IMAP for mail, Instant Messengers for communication (instead of the online talk / write), of remote GUI's or client applications for access to other types of services such as databases / statistical packages.
The advantage is both the additional security of the main information servers and the alleviation of load, especially since desktops are a hell of a lot more powerful today than ever before. So much so, that the lag from a telnet window on a heavily loaded machine can be almost unbearable.
The only way this could work is if there were separate CIS / scientific networks that could still take full advantage of UNIX services like telnet. Just try taking telnet away from a CIS department and see how far you get. So long as the information contained in these extraneous networks were segmented, and contain a minimal number of accounts and services, the intention of this movement would be upheld.
From my point of view, however, removing telnet and FTP cripples the power of UNIX. First and foremost, you lose seamless remote administration, which is the main advantage over NT as far as I'm concerned. Next it'll remove familiarity of UNIX from future generations of college graduates, which in the work place would make it harder to find those with such experience; a good number of people stay in Windows as it is. I believe the main reason that a lot of people opt for Linux is because they want to have the sort of power that they're use to on campus on their own desktop. Being shielded from this technology might diminish potential future Linux devotees. It just smells too much like a windows promotion to me.
-Michael
security by obscurity is never the answer. You could change the port, but a cracker would simply need to portscan you.
Lowmag.net
This Garfinkle guy has had no career since he split up with Paul Simon. Personally I think him trying to ban FTP and Telnet is just his way to trying to get back in the limelight.
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
Try IMAP with a reasonable AUTH mechanism (yes, part of the protocol includes the ability to encrypt whole sessions), or APOP. I'm less familiar with APOP, but in general, IMAP was designed to be a good protocol -- optional encryption, all information over one channel, etc.
--Matthew
Why can't Publius' enemies defeat the system merely by anonymously spamming all the servers with large files of random text? Unless the authors are limited to a defined group of people (in which case they are not anonymous), wouldn't this strategy eventually suck up all Publius server resources, thereby censoring the text by drowning?
Perhaps the marketplace of ideas requires antitrust laws, too?
Inspired by this, I'm going to pull the engine out of my car because it might contribute to my crashing the car!
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
I think a big part of the problem is that it's so easy to pass yourself off as a "security expert" without any real credentials (or in this case, any clue what you're talking about).
Heck, why not ban networks entirely, since they are the #1 entry point for those evil hackers.
My mom is not a Karma whore!
PuTTY is wonderful. I have it in my user directory on the campus network for when I'm at a Windows machine. It actually does VT100 reasonably well (still trying to get page down to work correctly), certainly better than Windows Telnet. The distro also comes with pscp, a Windows command line implementation of Secure Copy, that lets you avoid ftp as well.
Might be a good thing if they mean to migrate people to use ssh instead. Getting people weaned off telnet is hard unless:
a) A machine gets cracked and their data get hosed.
b) You disable telnet and force them to use ssh.
Of course, if they mean 'We should not allow people to access remote computers at any time' then they need hitting with the cluestick.
RSA's patent expires September 20th, 2000.
This is exactly what we did at my uni when they banned ftp traffic. Just switch the port... they did start complaining when over 2 gigs a day were being accessed on my warez site, but it was fun while it lasted...
Fortunately, most of the people that are too clueless to protect their own privacy are also too clueless to configure their machines to reveal too much about themselves. And none of those people are able to type telnet, let alone actually use it.
<sinister-conspiracy> Perhaps banning the protocols is part of a deeper plot by the RIAA to prevent thieves from obtaining Napster and other burglary tools... :-) </sinister-conspiracy>
John
Telnet...what's that? Just about one of two ways for most .edu's to get their e-mail. Either use a mail client, or just telnet in. And what if you wanted to check your mail remotely. What are you going to tell them? NO, you can't! Sure you will.
I am at NYU, and they will shortly be migrating to this HUGE Sun computer that is going to handle the web-site, mail, etc, etc. They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.
Anyway, in short, I think this story is the same as "patenting the <a href=*> idea."
Also, all .edu's are Internet2, so they are faster than most mirrors, which is great for me when I want to install something new. So let's get rid of all that. We don't like fast FTP access, because they are hacker prone. Hey... EVERYTHING is hacker prone, so people should stop crying!
"Time is long and life is short, so begin to live while you still can." -EV
At UC Berkeley EECS, we're planning to turn off telnet on all our systems (except for kerberos authentication), and we've already turned off FTP on a lot of our systems. As a system administrator, I think this proactive move has resulted in a sharp decrease in the number of passwords getting sniffed. People who want to log in remotely or copy files over the net now have to use strong crypto to do so. ... We didn't turn off anonFTP, obviously. And there are always problems getting good free encrypted login/file-transfer clients out to people who need them, especially for esoteric platforms like Windows. :-) But on the whole it has been a plus for everyone, and as a bonus we don't have to teach people to set their DISPLAY variable anymore when they use X clients.
As long as you are doing it for the right reasons. If you are providing people with more secure alternatives that provide the same functions (ssh, scp, etc) then fine!
Telnet and ftp are inherently insecure protocols designed for an age where everyone knew everyone else on a single network. Those days are gone now...
A year spent in artificial intelligence is enough to make one believe in God.
You're the first person to post who has obviously read the article.
It's a trend I only noticed recently on slashdot. You only read the paragraph posted on the front page, draw your conclusion immediately and then proceed to back up your point with no information about the rest of the actual article whatsoever.
It's just life I guess.
---
Let me tell you what happens when a campus disables incoming telnet and ftp.
Disabling incoming telnet and ftp might sound like an easy road to security. But it is a big pain in the butt for your users. And it vitiates many reasons for getting networked in the first place. Furthermore, it does nothing to address bigger security holes like easily-guessed passwords, Windows "network neighborhoods", ports that are wide open to script kiddies, buffer overflow bugs in forms, etc.
Apparently Mr. Garfinkel thinks that the best way to ensure user privacy is for the system to not have users.
At the very least, all colleges should PROVIDE encrypted access to college servers and email. There's no need at this point to ban all telnet and ftp, but when someone has their personal data compromised, then the administration has room to say, "Well, you would have been fine if you had been using a secure protocol like this ssh here that we told you to use." As it is, a lot of colleges don't even support encrypted connections on the server side, making it a wide open playing field for anyone who wants to compromise even the security conscious people.
Also, from the opinion I get from sysadmins, Win2000 is still considered a largely untested product. I've been told that in the UK, in order for larger educational institutions to adopt it, they will have to evaluate and come to a collective decision which will take 18-24 months! That may be good news for us linux-ers but the current waste in resources due to NT is staggering and honestly beyond belief.
Having been the Network Administrator for a satellite campus of a large University, I am all too aware of the problems with security on university computers. We have to balance between keeping intruders out, and providing enough access for students and faculty to use the systems. The university environment presents a unique challenge.
To disable telnet and FTP access and believe it will curtail most or all unauthorized access to these computers is as short-sighted as companies purchasing firewalls and believing that they are complete security. A firewall only prevents some kinds of attacks.
The real answer, as in most anything, is better education. Network and system administrators need to be more aware of security issues, and deal with them at the host/server/PC level. Don't need filesharing on a PC? Turn it off! Don't need rexec access? Turn it off! Watch the system like your job depends on it; eternal vigilance.
Just because IT professionals are paid well doesn't give us an excuse to neglect our duties.
What's that smell? Ah, that's my karma burning...
Mr. Garfinkel also urged the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts. "But you won't," he chided. "And so you're going to keep having accounts broken into."
With switched environments becoming the norm, I think the problem is more with users choosing bad passwords... People need to be better informed of what kind of responsibility comes with getting an account on a system... I'd say at least twenty-five percent of our users have their passwords taped to their monitors or tabletop even after we give them the spiel about keeping their passwords secure...
- [grunby]
*sarcasm* Oh, just ban the whole internet. After all, it's only used by pedophiles and 14 year old kids who play video games. */sarcasm*
I go to UofI, and we just had to switch to an encrypted program to do our online registering - all well and good. Yet at the same time no provisions had been made to use ssh - everyone used telnet and ftp and sent their passwords in cleartext. I could run packet sniffers and capture passwords with no problem at all - it was pretty pathetic how bad our security was. The problem isn't the university, though - it's the people who use the internet with no idea what's happening. People I knew were still struggling with telnet at the end of the year, and had no idea how to use FTP. Pretty sad state of affairs. Universities need to educate everyone when they come in on the proper usage of the internet, which almost no one knows if they haven't been around computers a lot.
Colin Winters
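Several posts above describe passwords being sniffed off a dorm subnet because people still log in over telnet and FTP. As an added example (not from any poster), here is a small Python audit that walks a stream of packet records and reports which client hosts still authenticate in the clear, deliberately keeping only the account name to notify and never the password; anonymous FTP is skipped since its PASS is just an e-mail address. The packet records are constructed for the example, not a real capture.

```python
"""
Added example: audit a packet stream for cleartext FTP and telnet logins so an
admin can see which hosts still need to move to ssh/scp. Credentials are never
stored, only the fact that a cleartext login happened and, for FTP, the account
name to notify. The packet records at the bottom are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Packet:
    """One TCP segment reduced to the fields the audit needs."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class HostReport:
    """What was observed for one client host."""
    ftp_logins: int = 0
    telnet_logins: int = 0
    users: set = field(default_factory=set)


# FTP control-channel commands (RFC 959) travel in the clear on port 21.
FTP_USER = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE)
FTP_PASS = re.compile(rb"^PASS\b", re.IGNORECASE)
# Anonymous FTP sends an e-mail address as PASS; that is not a secret.
ANON_USERS = {b"anonymous", b"ftp"}
# A telnet server (port 23) asking for a password means the reply is typed in the clear.
TELNET_PASS_PROMPT = re.compile(rb"password:\s*$", re.IGNORECASE)


def audit(packets):
    """Return {client_host: HostReport} for every host seen logging in over cleartext."""
    reports = defaultdict(HostReport)
    # USER seen but no PASS yet, keyed by (client, client port) so PASS is matched to its USER.
    pending_user = {}
    for p in packets:
        line = p.payload.strip()
        if p.dport == 21:
            m = FTP_USER.match(line)
            if m:
                pending_user[(p.src, p.sport)] = m.group(1)
                continue
            if FTP_PASS.match(line):
                user = pending_user.pop((p.src, p.sport), None)
                if user is not None and user.lower() not in ANON_USERS:
                    report = reports[p.src]
                    report.ftp_logins += 1
                    report.users.add(user.decode(errors="replace"))
                # the password text itself is dropped here on purpose
        elif p.sport == 23 and TELNET_PASS_PROMPT.search(line):
            # the prompt goes server -> client, so the client being audited is the destination
            reports[p.dst].telnet_logins += 1
    return dict(reports)


def summary_lines(reports):
    """Render the report as one line per host, sorted by address."""
    lines = []
    for host in sorted(reports):
        r = reports[host]
        lines.append(f"{host}: ftp={r.ftp_logins} telnet={r.telnet_logins} "
                     f"accounts={sorted(r.users)}")
    return lines


# Constructed sample traffic from a dorm subnet: one real FTP login, one anonymous
# FTP login, one telnet login, and one ssh session that must not be flagged.
SAMPLE = [
    Packet("10.1.2.30", "10.1.0.5", 40001, 21, b"USER alice\r\n"),
    Packet("10.1.2.30", "10.1.0.5", 40001, 21, b"PASS s3cret\r\n"),
    Packet("10.1.2.31", "10.1.0.5", 40002, 21, b"USER anonymous\r\n"),
    Packet("10.1.2.31", "10.1.0.5", 40002, 21, b"PASS bob@example.edu\r\n"),
    Packet("10.1.0.7", "10.1.2.32", 23, 40003, b"login: "),
    Packet("10.1.2.32", "10.1.0.7", 40003, 23, b"carol\r\n"),
    Packet("10.1.0.7", "10.1.2.32", 23, 40003, b"Password: "),
    Packet("10.1.2.33", "10.1.0.5", 40004, 22, b"SSH-2.0-OpenSSH_2.1\r\n"),
]

if __name__ == "__main__":
    for line in summary_lines(audit(SAMPLE)):
        print(line)
```

Running it on the sample flags 10.1.2.30 (FTP, account alice) and 10.1.2.32 (telnet), while the anonymous FTP client and the ssh client are left alone.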
It's not really necessary to ban insecure login protocols; what is needed is for schools not to provide them. Since schools generally provide at least email if not shell accounts, and usually provide the software to the students to give them access to these services (at least they did in '95 when I got my machine set up for the school network), they could just switch to requiring secure clients to access the provided services. Then, since the students are using secure clients for at least some applications, they are likely to only set up secure services if they set up servers (since that's what they are used to using clients for).
This entirely avoids the problem of enforcement and detection, and permits anonymous ftp and plaintext password logins to unimportant accounts.
Of course, the problem with Windows networking (and other unrestricted sharing protocols) remains, since people do that without prompting from the official school services. Probably the administration should scan for these and tell the owners that their computers have security problems.
They don't want people running a linux box that's insecure. Scan a resnet subnet and see how many linux boxes you find; how many are running the default install with every service loaded? How many are vulnerable to remote root exploits? Once you get in you can feel free to use their bandwidth for DoS attacks or 0wning something else.
Besides most people just use windows file sharing instead of ftp.
Only the State obtains its revenue by coercion. - Murray Rothbard
Good idea. Now all you have to do is find a good encryption protocol that's unencumbered w/ patents and bogus copyrights, convince lots of people to start using it, and make sure it's compatible w/ SSH so you don't ostracize the people already using "secure" connections. All these components are out there btw - it's getting them put together, standardized, and fighting off the large corporations (and not-so-large corps) who want everybody to "standardize" on their proprietary protocol that makes it difficult. :>
ObTagLine: The more you run over the 'possum, the flatter it gets.
True. True. But, the big thing is: ENCRYPTION IS *NOT* FOR NEWBIES. The current methods of encryption are too hard to deal with for newbies (just like most of the other Open Source stuff, which some of you can't seem to understand-- that's why Linux is not any time soon going to take on Windows! NT, maybe. But not Consumer Windows or even Consumer MacOS. If Microsoft dies completely, Apple takes over.). We're getting there, but it is going to take some work.
WorldMaker
So there are great alternatives for using Telnet, FTP and HTTP. One of the most important parts of the internet is still e-mail for many people and companies... and lots of those people use their e-mail clients to check their mail on remote POP3 servers...
:-)
I guess we should just ban e-mail as well
If you go along this guy's method of thinking, we might as well turn off all of the ports, unplug the keyboard and monitor and turn off the power. Then we will be nice and secure. How the hell does this guy expect a computer to be of any use if you cannot login? This proposal defeats the purpose of having a computer in the first place.
It's about time these self-proclaimed privacy/security experts crawl out from under their rock and learn that there is more to computers than the world wide web. People ACTUALLY get work done on the text interface part of the server! My recommendation to this guy is to put down his copy of Window$ 9X and pick up a book on unix. Maybe he can just look over the shoulder of a CS student in any college or uni. New Headline: Mr. Garfunkel officially certified idiot.
System security and system usability go hand in hand. One must sacrifice a little security to make the system usable. CGI scripts make a page dynamic and easy to use (usually) but they are a big security risk. Telnet is a security risk, but a system is useless without it. Hell, any login script is a security hole, but what are you gonna do, not let ANYONE in?
Speeding never killed anyone. Stopping did.
How can the Center for Higher Education... be making a statement so idiotic? 90% of the work I do at my University is via telnet / SSH. Why is a center for Higher Education trying to put a handicap on our learning?
--------========+++Dont Feed The Lab Techs+++========--------
There are far more uses for Telnet, and FTP than simply high wiring it in to a college campus, so you can run TRW reports on students 6 months behind on college loans.
Network Security is a rapidly expanding business in this world, regardless of what planet that "expert" is from. Numerous resources are out there for free, let alone at a fair cost, that, when properly implemented, make such information damn near impossible to get to.
The idea that every network connected to the outside is 100% secure IS a fallacy. But then, the idea that people who know what the hell they are doing are actually interested in getting a bit o info on a student.
One of the main concepts of target hardening (AKA Network Security) is not to totally prevent. Make the perp look for an easier target.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
OK, so I've been reading these responses and what I've noticed most is that these services (ftp and telnet) are very beneficial and much needed. When I was at school last year and I decided I wanted to learn how to FTP serve, and how to do it well, there was only one logical choice: set up my computer to FTP serve. So I did, and now I understand the process much better. And as far as telnet goes -- damn, if there's anything I ever wanted more.
In my infinite wisdom I set up my school email account on Netscape Communicator and then proceeded to give people my school email. Well, needless to say I had a load of email I had to check on that account. When I'm kicking it in a friend's room across campus or I'm off-campus and I want to go through and toss the mail, what other way is there to take care of it quickly? Just telnet in and check it without the need to trek across campus or just wait a couple of days until I'm back at school. And what a remote log-in for us Linux users. If my friend just got a cool program there's no reason for me to go back to my room to download it. Just log in through telnet and, thanks to the bandwidth, transfer the file.
I can see where FTP would become a problem. I've seen some FTP-crazy kids, but telnet!! Give me a break. And for all those non-tech-savvy students, well, they should take a minute to ask someone more knowledgeable a question or two. You have more to worry about from some script kiddie across the nation than a mad hacker next door. What they don't know doesn't hurt them, and not many people are malicious to the point of no repair to someone's computer. It's all fun and games, nothing that can't be fixed.
Can schools please stop being so paranoid? It's just becoming an annoyance at this point.
RESPECT MY AUTHOR - A - TAH!!!!!
~j0sh
This is a professional who has good reasoning capabilities forgetting that many people out there are still functioning in the "computers = magic" mode and treat experts like wizards.
So while he may recommend replacing Telnet and FTP internally with secure protocols, the "Followers of the all knowing and all powerful expert" will go ripping FTP and Telnet clients out of boxes screaming of "Security hazards".
Give it a week and you'll hear about FTP and Telnet click viruses (think 'I-Lov-U'... or better yet think 'Good Times') infecting everyone. (No actual virus, just rumors.)
Napster aside... we are talking about a group who think banning Unix as a security risk is a good idea and then install Windows in its place.
"We are protecting you from all those nasty Unix exploits... someone could hack into your box from remote and... oh damn... anyone know what Back Orifice is?"
I say teach students security issues and let them fend for themselves. I mean, geez. Trial by fire... no better way to learn... Oh yeah, and take your box off the network when you need to study... just in case...
I don't actually exist.
If they're after the overclocked sysadmins, why not just let them go *free-hunting* for a while, killing a port here, conning the neighbouring campus? Duh, better? :-) And so they all find out what it is to get burned big time.
Killing two birds with one stone:
everybody gets experience (which is good) and ALMOST everybody gets hurt (which is
It's all too simple: you wanna get something done, DIY or make them understand the consequences. Campuses ARE test fields, but cutting off their wings (not to mention MUDs) is worse.
Now, make your WISE move...
Working at a college myself, there is no way that you could do this feasibly. Standard college users (both faculty and students) would have no clue whatsoever how to change the port on their client. To some of those users (read: "important" faculty), this would mean that the servers are broken.
I hope that he isn't implying that remote access should be banned altogether. Nowadays you tend to notice the wasted computing resources in universities, especially during the night and when students are away on holidays, primarily because machines run WinNT which have very limited remote access capability. Imagine the power that researchers can harness from these machines, and the amount that can be saved if only proper remote access facilities were made available on NT. Many people fail to realize that the need for remote access is more than for checking mail and browsing the web.
I should have expanded on my initial post further (I just got excited that it would be in the first 10 posts :-)
My solution was meant for students who were affected by, say, blocking all port 21 and 23 access. If students wished to continue to use telnet and FTP, they could merely switch the port.
This is not a security approach universities should take.
Telnet, rlogin and FTP are the biggest problem with security on university campuses. I worked at a university for many years. We had Linux and NT boxes; none of the NT boxes had Telnet, all of the Linux boxes did. All of the NT boxes did only one thing: only mail (POP), only FTP. The Linux boxes were set up to do everything. When a cracker would hit us, which happened at least 4 times a year, I would point out that we could turn off telnet and rlogin until things could be fixed. NO WAY, it was like a religion. The same people who set up NT without Telnet somehow felt Linux could not work without it. If you want to use telnet that is OK, but not on every system with important information on it unless it is really necessary. The NT boxes did not do much better on security; they went down a lot via DDS. People at universities are often very green, very understaffed and very much underpaid. They normally don't have a clue what security is or how to obtain it or why. University techs often have very little say on implementing security. Telling them to just put up a stone wall (no telnet, rlogin, FTP) is a good first step. The other solution would be to get more good people and more understanding and respect for what security is and why it is needed.
There will always be people who can hack into computer systems, regardless of the protocols used.
My 2 cents.
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
More than likely most colleges will just close off ports 21 and 23. When they closed off the ports Napster uses, students just changed the port # and it worked fine. I don't claim to know if this can be done with telnet and ftp, but changing the port # seems like a workaround to me.
Where am I going and why am I in this handbasket?
At my university, the CS dept. switched to ssh/scp instead of telnet/ftp when we had a cracker on our networks sniffing out passwords. At a university, there are always going to be some machines which are poorly administered. So you have to protect yourself from external and internal sources.
--
"How many six year olds does it take to design software?"
dinner: it's what's for beer
>>is published in a higher education journal, but is filled with grammatical mistakes and doesn't have a consistent flow of ideas.
Kinda funny, when you think about it.
While all of us here will all agree that removing Telnet/FTP traffic from campus networks is a very silly thing indeed, the worrying thing is that it's not going to be the IT literate people who will make the decision.
Imagine, if you will, the head honcho at the college. For years s/he's been bombarded with tales of insecurity, hacking (sic) and other computer misuse. They see an article in a 'trusted' publication which seems to solve all their problems. What are they going to do? Out of sheer ignorance, they'll make the order that Telnet and FTP should be banned.
Ah well. At least I left university 8 years ago.
Nick.
... 'cause those chat programs are the tool of the devil. >:)
I don't know where you come off saying that telnet and ftp are insecure, let's look at some other internet protocols, such as smtp, pop3, http, oddly all of them are based upon the telnet stack. This makes almost 90 percent of the traffic on the internet insecure. As per gaining entry to a box, I would have to say that most of the 'hacking' in the world is due to lax security policies. Letting every student have access to /bin/csh or the shell of their choice is a bad idea for a server house.
Looking at his argument about log files I can all but wonder how long he has been in the business. A log file is there to aid the administration of a box - if the log file itself is a security hole then put some policies around it. Christ, here it comes again - someone complaining that CGI is a bad idea.
My overall opinion of this "expert" is that he is no more a security expert than I am an auto mechanic. I would wonder what his fix to all this is? Run NT?
Hey, didn't this Simson Garfinkle guy have a band in the 60's?
Perhaps the underlying question is what is the future of the old Telnet and FTP protocols in a modern network.
It seems that with modern options, Telnet provides a middle-ground, false sense of security that may do more harm than good. If you are communicating between machines within a truly secure network, then opening the machines with .rhosts or similar tools improves efficiency. Conversely, if the communication is not within a secure network, anything but SSH or the like is asking for trouble.
Obviously, it would take a very long time before these legacy protocols are truly left behind, but in an ideal world, are they needed?
Hold on a second. In only the first paragraph does it say "colleges should ban telnet and FTP." If you read the rest of the article its only discussing how web servers can track personal information, and we shouldn't rely on technology to protect our privacy. It seems to me, someone is using a "ban something" approach to just get heard.
I was expecting the article to discuss reasons telnet and FTP are bad, instead I read about how a web server can log what you type in a search box.
---
Mr. Garfinkel also was known at the conference for harassing the poor presenters at the sessions. The presenters were talking about a web program their students had just written for them, showing how good and valuable student help was. Simson, however, kept interrupting and asking about how secure the program was and how much access the students had to the data, saying that a verbal consent not to release the info was not enough. All in all, he did not leave a very good impression.
The conference overall was great though. You can see the many ResNet admins and how much they care about and want to improve the situation for students in their dorms. All the presentations and more info on the conference can be seen online at: http://www.rescomp.upenn.edu/resnet2000/
-jay
sort of garbage. The article has precious little information on why we should do this, or rather, little information that's compelling if you know anything at all about what the writer is talking about.
In its brief duration the article convinced me that 1) he understands very little about what he's talking about and therefore 2) he assumes I know even less.
As a student, I find such poor writing shocking. Such a narrow-minded viewpoint is inappropriate in an educational journal; such poor writing and thought is unacceptable.
And they are supposed to do what? HTTP all of the data? WVU just has their hosts.conf file set up properly, doesn't that make a bit more sense?
Eh...
I can understand banning telnet, because there is already a widespread substitute in place--ssh--that is secure and generally considered superior to telnet. Many places, schools included, have already turned off telnet (it's as simple as editing /etc/inetd.conf) and have started enforcing an ssh-only policy. Since ssh is available for just about every platform, there's really no reason to argue (unless you can't handle ./configure; make; make install).
My question is, what alternative does Mr. Garfinkel offer to FTP? HTTP is too slow and inflexible to replace FTP. Are there more secure solutions out there that do the same thing as FTP? And if so, why are they not more popular? All the major OS vendors have endorsed both telnet and FTP (see Red Hat, Sun, SGI, etc) by enabling them by default on their OS's. If there are such superior alternatives, why haven't they caught on yet?
I've read Practical UNIX and Internet Security. I didn't get the impression I now see. The man is a nazi. He talks of P3P, a protocol for collecting information on people who visit web sites (more detailed than DoobieClick), and banning Telnet. This guy is crazy. What college would ban telnet? Many of them use telnet for student services. The internet was built on free use of protocols like and including Telnet. If we begin to ban them (especially where most of the internet was created, colleges), technological growth would undoubtedly be stunted.
-------
Oh shit! I forgot to click "Post Anonymously"...
The report talks about privacy and the fact that connections are logged with connection times, IP addresses etc etc.
Only an administrator who was out of his mind would not log everything possible. It's specifically designed to allow the admin to check that there is nothing amiss. Yes and the logs are backed up and stored for years as well.
I could see his bloody point if he was complaining about plaintext passwords and unencrypted sessions but not about logging.
And WHY do I have to keep turning off this bloody No score thing? Why isn't it turned off by default?
Government of the people, by corporate executives, for corporate profits.
I have been trying to do that for years.. people keep calling me BOFH
You see the problem is that the use of "password in the clear" protocols allows one person's poor maintenance to undermine many other hosts that are just accessed via the original host's network.
Keep in mind, anonymous ftp and telnet for use of anonymous services isn't really the issue. I wouldn't even block the ports on a router. Instead, I'd simply institute the policy of scanning the network and coming down hard on anyone running the daemon. Not perfect, but doable.
I remember back in the days I could log into the University of Minnesota's Gopher server, and practically get any student's(or faculty member's) real name, home address, and phone number rather easily. You can get your real info out of the public eye, but it's out there by default. Why not take the initiative to lock THAT out? As for SSH/SSL/whatever on everything, I'm all for that.
Unfortunately, not every place has SSH. And sometimes SSH is simply overkill. If I just want to check my email, I don't care too much if someone along the pipe sees me deleting 10 messages on how to "make money fast!", but I don't want them sniffing my password. So, a one time password system is an ideal solution - if someone intercepts it, it's useless anyway. And it only requires installation on the server side. And if I want to do admin-type work, sudo also takes a one time password which again keeps my password secure.
In a perfect world, SSH would be everywhere. But in the meantime, one time password systems aren't a bad compromise for when your password is vital, but the data you're dealing with isn't.
Ita erat quando hic adveni.
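The one-time password scheme the post above argues for (S/Key and OPIE are the classic server-side-only systems) works as a hash chain: the server stores h^n of the secret, the client answers each challenge with h^(n-1), and a captured answer cannot be replayed because the server has already moved down the chain. The following is an added example written for this page, not code from the original post or from the S/Key or OPIE distributions. It assumes SHA-256 truncated to 8 bytes in place of the folded MD4/MD5 of real S/Key, sends the response as raw bytes rather than the six-word encoding, and uses a constructed passphrase and seed.

```python
"""Hash-chain one-time passwords in the style of S/Key (RFC 1760) and OPIE.

Added example, not code from the original post or from the S/Key or OPIE
distributions. Assumptions: SHA-256 truncated to 8 bytes replaces the
folded MD4/MD5 of real S/Key, and the response is sent as raw bytes rather
than the six-word encoding. The passphrase and seed below are constructed.
"""
import hashlib
import hmac


def _step(x: bytes) -> bytes:
    """One link of the chain: h(x), folded to 64 bits like S/Key."""
    return hashlib.sha256(x).digest()[:8]


def chain_value(passphrase: str, seed: str, k: int) -> bytes:
    """h^k(seed || passphrase). The client computes this from the secret."""
    x = (seed + passphrase).encode()
    for _ in range(k):
        x = _step(x)
    return x


class OtpServer:
    """Holds only h^n and n; the passphrase never reaches the server."""

    def __init__(self, seed: str, n: int, top: bytes):
        self.seed = seed
        self.counter = n       # exponent of the stored value
        self.stored = top      # h^n(seed || passphrase)

    def challenge(self):
        """What the login prompt shows, e.g. 'otp-sha 99 ex01'."""
        return self.counter - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept h^(n-1) iff h(response) == stored h^n, then move down.

        A captured response is useless afterwards: hashing it gives h^n,
        but the server now expects something that hashes to h^(n-1).
        """
        if self.counter <= 1:
            return False   # chain exhausted: h^0 would be the secret itself; re-enrol
        if not hmac.compare_digest(_step(response), self.stored):
            return False
        self.stored = response
        self.counter -= 1
        return True


def enrol(passphrase: str, seed: str, n: int = 100) -> OtpServer:
    """Run once on a trusted channel: compute h^n locally, store only that."""
    return OtpServer(seed, n, chain_value(passphrase, seed, n))


if __name__ == "__main__":
    server = enrol("correct horse battery", "ex01")
    k, seed = server.challenge()
    response = chain_value("correct horse battery", seed, k)
    print("challenge", k, seed, "->", server.verify(response))   # True
    print("replay of same response ->", server.verify(response))  # False
```

The server never holds anything from which the passphrase can be recovered, which is why only the server side needs installing: a sniffer on the wire gets one response that is already spent. The chain must be re-enrolled before it reaches zero, and the seed must change on re-enrolment so old captures cannot be reused against the new chain.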
...and it consists of ftp and telnet. Please don't kill this easy-to-access information and remote processes just yet. The right solution isn't to ban the telnet and ftp protocol, then having to figure out what program to use to get stuff done each time you need to. Instead, wrap telnet, ftp and every other information protocol inside a _standard_ security protocol. I don't want to know if I have to use freessh, ssh2, openssh or whatever is out there. I don't want to have to compile these on machines I don't own. You could even make it transparent to the user (so we can continue using telnet and ftp on that machine). Leave the choice to the user whether he wants security or not. And notify him/her if the connection is not secure.
Just my 2 cents.
- Steeltoe
http://www.debunkingskeptics.com/
Just ban HTTP too, that pesky protocol allows files to be sent to a remote user!!! Funny thing is, they're trying to ban FTP to stop file transfers, but what do they think happens when they go to a webpage? It transfers the files to your computer. If FTP gets banned I'm sure we'll see tons of HTTP-based file servers. Ugh, who are these people suggesting this? Luddites?? Wyverns
It would make sense for the colleges to disable telnet and ftp access TO their machines. Disable telnetd and ftpd in the inetd.conf and you lose quite a few obvious routes of attack. Password sniffing is something that can be easily avoided if you just take precautions. You can always run a separate server for anonftp. But really, all this outcry about big brother and the freedom of speech is just a wee bit over the top. You simply should not take risks when it comes to system security.
--
Full Time Idiot and Miserable Sod
Nothing is real but the pain
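Two posts above make the same practical point: disabling telnetd and ftpd is a matter of editing /etc/inetd.conf and HUPing inetd. The following is an added example written for this page, not code from either post or from any inetd distribution: it parses an inetd.conf, reports which enabled entries belong to services that send the password in the clear (telnet, ftp, pop3, imap and the rlogin/rsh/rexec family), and writes back a copy with those entries commented out. The sample inetd.conf, including the daemon paths and options, is constructed for the example.

```python
"""Audit an inetd.conf for enabled cleartext-password services.

Added example, not code from the original thread or from any inetd
distribution. The inetd.conf below is constructed; the daemon paths
and options are illustrative and not taken from a real host.
"""

# Services whose standard form carries the password (or an .rhosts
# trust decision) in the clear. 'login', 'shell' and 'exec' are the
# inetd names for rlogind, rshd and rexecd.
CLEARTEXT_SERVICES = {
    "telnet": "password sent in the clear; replace with sshd",
    "ftp": "USER/PASS sent in the clear; replace with sftp/scp, or anonymous-only ftpd",
    "pop3": "USER/PASS sent in the clear; use POP over TLS or a one-time password scheme",
    "pop-3": "USER/PASS sent in the clear; use POP over TLS or a one-time password scheme",
    "imap": "LOGIN sent in the clear; use IMAP over TLS",
    "login": "rlogin: .rhosts trust plus cleartext password fallback",
    "shell": "rsh: .rhosts trust, no encryption",
    "exec": "rexec: password sent in the clear",
}

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf  (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp     nowait  root    internal
"""


def parse_inetd(text):
    """Return one dict per service entry: lineno, service, proto, enabled, raw.

    Entry format: service socktype proto wait/nowait user server [args].
    A leading '#' disables the entry; comment lines that do not look
    like an entry are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        # A real entry has at least six fields and a socket type inetd knows.
        if len(fields) < 6 or fields[1] not in ("stream", "dgram", "raw", "rdm", "seqpacket"):
            continue
        entries.append({
            "lineno": lineno,
            "service": fields[0],
            "proto": fields[2].split("/")[0],  # e.g. 'tcp' or 'tcp6'
            "enabled": enabled,
            "raw": raw,
        })
    return entries


def find_cleartext(text):
    """Enabled entries for services that send credentials unencrypted."""
    return [e for e in parse_inetd(text)
            if e["enabled"] and e["service"] in CLEARTEXT_SERVICES]


def harden(text):
    """Return the file with every flagged entry commented out.

    The reason is appended on the same (now commented) line so the next
    admin knows why it was disabled. Send inetd a HUP afterwards so it
    rereads the file.
    """
    flagged = {e["lineno"]: e["service"] for e in find_cleartext(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            out.append(f"#{raw}    # disabled: {CLEARTEXT_SERVICES[flagged[lineno]]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in find_cleartext(SAMPLE_INETD_CONF):
        print(f"line {e['lineno']}: {e['service']}/{e['proto']} enabled -> "
              f"{CLEARTEXT_SERVICES[e['service']]}")
    print(harden(SAMPLE_INETD_CONF))
```

Running it on the sample flags ftp, telnet, login and pop-3 and leaves finger and daytime untouched; the already-commented rshd line is not reported. Disabling the inetd entry is necessary but not sufficient: a daemon started from rc scripts rather than inetd (sshd usually is; some ftpd and pop daemons are) needs its own check, and a packet filter on 21/23/513 catches what the file audit misses.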
I think that it isn't sound to argue that we should continue to use telnet and ftp simply because they were useful in the past. Furthermore, having a system with both telnet and ssh is like having a system with just telnet; it is equivalent to building a private room (your login sessions) with a steel door (ssh) and glass walls through which everything inside can be seen (telnet).
We don't have end-user FTP because our average end-user won't want to jump through the hoops necessary to make it work securely. Instead, we use an SSL-enabled website that gives a web view to people's network spaces and where they can upload and download files. Soon we'll be doing the same thing with SSL-enabled WebDAV.
I think a blanket statement banning all FTP and Telnet, however, is stupid. The idea is to minimize unencrypted password transfer, and the rest of the time make sure people are consciously aware of the risks involved, and encourage them to change their passwords if they've traveled unencrypted over an untrusted network.
-- Of course I'm paranoid. I'm a sysadmin.
There's a program called sftp in the ssh package that lets you do file transfers over ssh.
--
I was at this keynote session. The interesting part is that after Mr. Garfinkel made all these remarks, someone asked if he practiced what he preaches at his own ISP (he apparently operates an ISP at Martha's Vineyard), and his response was something along the lines of 'well, as an ISP my cost structure is a lot different, and I have to keep my customers happy, and they aren't very technical... so I don't ban ftp or telnet.'
He also chastised all of us at universities for not having good privacy policies in place, and again when asked about his privacy policy, his remark was along the lines of 'well, we're in the process of being bought out, so we're working on getting a good policy together with the new owners, so for now we don't really have a policy available, but we don't do anything with the information we log anyway.'
Basically, the most interesting and insightful thing Mr. Garfinkel had at this presentation was a lot of pictures and info about Sealand.
In latest developments, security experts are urging colleges and universities not to send *ANY* information over computer networks at all! Studies have shown that 96% of colleges, universities and ISPs do not have adequate protection, and are urged to cease use of the following protocols: ftp, tftp, http, telnet, gopher, talk, sendmail, smtp and C3PO. Files are not to be stored in digital, analog or any other electronic, electric or magnetic format. The use of digital or analog data or telephone lines is strongly discouraged. If you have windows, remove them. If you have doors, remove them too. And for Pete's sake, DO NOT talk to anyone! This is the only way to ensure your data is protected.
----------
Something clever
Standard telnet, FTP, and POP are insecure because they require the user to pass their password in plaintext. Because man-in-the-middle attacks are trivial and undetectable. Because playback attacks are trivial and undetectable. Because...
I emphasize *standard* because I'm a "security moron" who uses telnet and FTP. Of course, both of these programs use Kerberos authentication so the password is not sent in plaintext. Man-in-the-middle attacks are believed to be impossible, due to the mutual authentication. Playback attacks are impossible outside of the narrow window defined by the clock skew parameter - less than a minute.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
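The post above states the core problem with standard telnet, FTP and POP: the password crosses the wire in the clear. The following is an added example written for this page, not code from the original post nor from sniffit or dsniff, showing what a sniffer on the path recovers from nothing more than the client-to-server byte stream. For FTP and POP3 the USER and PASS commands carry the secret verbatim; for telnet the option negotiation (IAC sequences) has to be stripped and backspaces replayed, and the first two lines the client sends are assumed to be the answers to the login: and Password: prompts, which is a heuristic. All three captures are constructed.

```python
"""What a sniffer on the path sees of a telnet, FTP or POP3 login.

Added example; not code from the original post, nor from sniffit or
dsniff. It takes only the client-to-server byte stream (what a capture
on a shared segment would reassemble) and pulls the credentials out.
The three captures below are constructed for the example.
"""

# Telnet command bytes (RFC 854) that must be stripped before the
# keystrokes are readable.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

TELNET_CLIENT = (
    b"\xff\xfd\x03"                               # DO suppress-go-ahead
    b"\xff\xfb\x18\xff\xfa\x18\x00VT100\xff\xf0"  # WILL terminal-type + subnegotiation
    b"alice\r\n"                                  # reply to "login:"
    b"s3cr\x08ret!\r\n"                           # reply to "Password:", one backspace
    b"ls -la\r\n"
)
FTP_CLIENT = b"USER alice\r\nPASS hunter2\r\nSYST\r\nPASV\r\n"
POP3_CLIENT = b"USER bob\r\nPASS letmein\r\nSTAT\r\nQUIT\r\n"


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove option negotiation, leaving the bytes the user typed."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # truncated command at end of capture
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                     # IAC cmd option
        elif cmd == SB:                # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                     # IAC NOP/AYT/etc.
    return bytes(out)


def apply_backspaces(line: bytes) -> bytes:
    """Replay BS/DEL so the recovered password is what the user meant."""
    out = bytearray()
    for b in line:
        if b in (0x08, 0x7F):
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def telnet_lines(data: bytes) -> list:
    """Lines the client sent, after negotiation and line-ending cleanup."""
    text = strip_telnet_iac(data)
    text = text.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return [apply_backspaces(l).decode("ascii", "replace") for l in text.split(b"\n") if l]


def extract_credentials(proto: str, client_stream: bytes):
    """Return (user, password) or None.

    telnet: no protocol marker exists, so the first two lines the client
    sends are assumed to answer 'login:' and 'Password:' (a heuristic;
    wrong if the client typed something else first).
    ftp/pop3: the USER and PASS commands carry the secret verbatim.
    """
    if proto == "telnet":
        lines = telnet_lines(client_stream)
        return (lines[0], lines[1]) if len(lines) >= 2 else None
    user = password = None
    for line in client_stream.decode("ascii", "replace").splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        verb, arg = parts[0].upper(), parts[1]
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            password = arg
        if user is not None and password is not None:
            return (user, password)
    return None


if __name__ == "__main__":
    for proto, stream in (("telnet", TELNET_CLIENT), ("ftp", FTP_CLIENT), ("pop3", POP3_CLIENT)):
        print(proto, extract_credentials(proto, stream))
```

Nothing here requires breaking anything: a host on the same hub, a compromised machine in the dorm segment, or a router on the path sees exactly these bytes. That is what makes one poorly administered box a problem for every host whose users log in through it, and it is the case for moving the password out of the stream entirely (ssh, Kerberos) or making it worthless once seen (one-time passwords).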
USERNAME: XXX
and then
PASSWORD: XXXXXX
I thought eek, so much so that I'm pestering my school (which is normally sealed tight as a drum in respects of security) to get on the ball. Maybe they have a solution, but it ain't obvious to me. In regards to the whole SSH/telnet argument.
Well, our school supports both, and even though they don't go out of their way to get people to use SSH most do [probably because it's WPI] and those who don't run the risk/could care less. In terms of things that _don't_ matter, ICMP is completely firewalled outside of the intranet and overall I'm impressed.
Now its time for my point:
I go to a tech school and many of us know Tux by his first name, BUT when I visit _other_ schools [liberal arts type stuff that I don't know dick about] it's surprising how much people just don't care about their security, and education will not wash there, because the users just don't care as long as they get their pr0n and mp3s...
sigh what to do
Lemure, wtf! Don't you mean Lemur?
The only time (that I know of) where my server was cracked was caused by a legitimate user logging in from an Ivy League university via telnet.
The person's password was sniffed on the university side, and the cracker was able to log into my machine using the user's account. About 18 hours later (too long, I know) I noticed the intrusion because the time of the cracker's logins didn't match up with the user's usual pattern, which I luckily happened to know.
After calling the real user up and confirming that there was a problem, we found some kind of nohup daemon running called "bash" in the .elm directory. Running strings on it revealed a bunch of German words. It appeared to be a netcat-like port redirector to avoid the packet filter and service logs. There was also, luckily, a bunch of evidence in .bash_history because the person typo'd the command to shut history off. The .bash_history file revealed the work of someone who was highly efficient and didn't waste time. They tried a bunch of stack-smashing attacks and common-vulnerability exploits to gain root, but luckily I was all patched up.
After cleaning up the system, changing passwords, and mandating the use of SSH (especially with RSA authentication) I didn't have any more problems. A few weeks later the affected user received an email advertisement for sniffit from an anonymous source at her university email box.
Much later, I received an email from a German university saying that someone had broken into their servers from a variety of sites, one of them was mine. The date they claimed matched up with the date of the intrusion. They said that the cracker had installed a modified IRC eggdrop bot with root privileges at a certain port, and that these bots were also apparently still running on most of the systems that the cracker had logged in from. Sure enough, the Ivy League university was on the list.
I tried sending them mail on a few different occasions, but never got a response. I guess the point of this rant is that universities have terrible security and that banning inherently insecure protocols when secure alternatives exist is a good idea for EVERYONE, not just the people at the university. Sure, it was a pain converting my userbase from ftp and telnet to ssh and ftp-over-ssh / scp / full VPN but it was well worth it and was a one-shot issue.
-OT
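The poster above caught the intrusion because the login times did not fit the real user's habits, a check done by eye and only because he happened to know the user. The following is an added example written for this page, not code from the post: it reads 'last'-style login records and scores each login against that user's earlier ones, flagging a source host never seen before for that user and a login hour far from every hour the user has logged in at. The records, host names and thresholds are constructed; real 'last' output varies by platform and prints newest first, so it would need reversing before use.

```python
"""Flag logins that break a user's established pattern of time and source.

Added example, not code from the original post. It reads 'last'-style
lines (constructed below; real 'last' output varies by platform and
prints newest first) and scores each login against the same user's
earlier logins. The thresholds are assumptions, not measured values.
"""
import re
from collections import defaultdict

# user  tty  host  weekday month day hh:mm - hh:mm (duration)
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d{2}):(?P<mm>\d{2})"
)

LAST_OUTPUT = """\
alice    pts/2    dorm12.ivy.example.edu   Mon May  1 09:14 - 17:02  (07:48)
alice    pts/1    dorm12.ivy.example.edu   Tue May  2 10:03 - 16:40  (06:37)
alice    pts/3    dorm12.ivy.example.edu   Wed May  3 09:30 - 18:11  (08:41)
alice    pts/0    dorm12.ivy.example.edu   Thu May  4 08:55 - 17:20  (08:25)
alice    pts/4    cs.uni-beispiel.example  Fri May  5 03:17 - 04:02  (00:45)
bob      pts/0    lab7.example.edu         Fri May  5 22:40 - 23:50  (01:10)
alice    pts/2    dorm12.ivy.example.edu   Fri May  5 09:05 - 12:30  (03:25)
"""


def parse_last(text: str) -> list:
    """Login records in the order given (oldest first for the detector)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "user": m["user"],
                "host": m["host"],
                "hour": int(m["hh"]),
                "when": f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}",
            })
    return entries


def hour_distance(a: int, b: int) -> int:
    """Distance on a 24-hour clock (23 and 01 are 2 apart, not 22)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_anomalies(entries, min_history=3, max_hour_gap=3):
    """Score each login against the same user's earlier logins.

    Flags a source host the user has never logged in from, and a login
    hour further than max_hour_gap from every previous login hour.
    The first min_history logins per user only build the baseline.
    Flagged logins still enter the baseline; once one is confirmed as
    the intruder's, drop it from the history before re-running.
    """
    history = defaultdict(list)
    alerts = []
    for e in entries:
        past = history[e["user"]]
        if len(past) >= min_history:
            reasons = []
            if e["host"] not in {p["host"] for p in past}:
                reasons.append(f"first login from {e['host']}")
            nearest = min(hour_distance(e["hour"], p["hour"]) for p in past)
            if nearest > max_hour_gap:
                reasons.append(f"login at {e['hour']:02d}h is {nearest}h from any usual hour")
            if reasons:
                alerts.append({"user": e["user"], "when": e["when"],
                               "host": e["host"], "reasons": reasons})
        past.append(e)
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(parse_last(LAST_OUTPUT)):
        print(f"{a['user']} {a['when']} from {a['host']}: " + "; ".join(a["reasons"]))
```

On the sample the 03:17 login from the unfamiliar host is the only alert; bob has too little history to score, and alice's later daytime login from the dorm is normal. The same check belongs on the sshd side after the migration: a stolen key or password used from an odd place at an odd hour looks exactly like this in the logs.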
Introducing the meta-wetware virus: Write an article that scares PHBs into demanding that their IT staffs turn off critical system services.
It's as deadly as the love bug, and you don't even have to know anything about computers to write one.
--
Sheesh, evil *and* a jerk. -- Jade
To the powerless college student it really doesn't matter what the article actually says, which seems to be a high matter of debate here. What matters is what the idiot luser adninnies will interpret it to mean, which will, in fact, be ban everything except port 80. Some might go so far as to yank the firewall cable right out of the friggin wall. Remember, these are the same guys that decided that linux was a 'hacking tool'.
Telnet is for hackers! FTP can be used to pirate Windows! Good obedient students concerned about getting a good corporate drone job only use the industry standard, Windows, because everyone else does! IT'S ALL PINE'S FAULT!
[rant mode off]
--ze
I don't dress this way to be scary. I dress like this because it's easier to sort my laundry. "...black...black...blac
Most of my education in security came not from the college's network center, but the local LUG. I suppose that's OK though, since that means that I'd be less of a target, since I'm not telnetting to everything...
Now if only the people from the RIAA would stop looking for shared MP3s... (Ok, I'm not sure if they were ACTUALLY from the RIAA but I do know one person who had his account suspended until he unshared some MP3s - or maybe just moved them into a password-protected shared folder with a name like PAPERS. But he was a w4r3z d00d so I didn't really care...)
You are in a maze of twisty little relative jumps, all alike.