Colleges Urged To Ban Telnet And FTP
M100 writes: "The Chronicle of Higher Education reports in this story that a computer-privacy 'expert' has told colleges that they should ban Telnet and FTP because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.'"
The story is based on Simson Garfinkle's writings ... it's mostly about other stuff, too. (Besides, who doesn't at least use ssh?)
Hold, hold, hold on here a second. Banning the protocol doesn't make sense. On some computers, one can telnet in and play a game of rogue as the games user, for example. Don't ban anonymous FTP as well - it's been one of the backbones (not literally) of the Internet for years.
Do encourage system administrators and users to never, ever log in and send their password remotely over telnet. Inside the college network is a different idea. (And some vendors, *cough* *cough* most of them *cough* *cough* don't have the good sense to pre-install ssh on their systems! Telnet can be a good thing.)
You try explaining Windows security to Stacey the sorority girl on the 4th floor who just wants to check email, surf the web, and play cd's and mp3s. Good luck.
You'd be better off just throwing the "official university software" cd at her for $10 and telling her to run only programs off of that disk. (including SSH and whatever crap ya want.)
Hehe...one time I managed to confuse the hell out of a friend of mine by printing stuff on his printer through Network Neighborhood, including a document that said something like "Doesn't it suck having people print random stuff in your room? Take your printer off the network and you won't have this problem." He had to get me to do it, but at least he was more security conscious from then on.
Of course, this is the same guy whose dorm room I rewired so he couldn't turn off his lights...
---
Zardoz has spoken!
Oper on the Nightstar
This article is published in a higher education journal, but is filled with grammatical mistakes and doesn't have a consistent flow of ideas. There are enough technical mistakes to make me grit my teeth.
I have a feeling Simson was talking about creating privacy friendly policies about log files, and during that discussion he related that protocols like FTP leave traces in log files. The author of this article then misunderstood what he was talking about and came up with a standard troll leader.
And any article with a good troll headline gets posted to /. where we can all get off the subject and onto better discussions like the goodness of SSH.
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Pushing people to use SSH isn't going to help too much when the majority of students will still have to send passwords in plaintext format over FTP. There is no real cross-platform replacement for FTP, AFAIK. I've heard mention of SFTP, but when I went looking for it, it seems it's someone's pet project for Unix machines only. I've become real bothered by this lately now that I'm getting in the habit of using SSH.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The problem is not with the two protocols in themselves, but more with network administrators that don't have the time or concern to implement the full range of security measures that are required to make them safe.
Not allowing FTP or Telnet to be used will increase the security for wide-open systems to an extent, but a dedicated cracker will find a way in anyway if they really want to. The trick is to make it hard enough so as not to be worth the effort, and there are a lot more things which should be done before banning FTP and Telnet will help secure a network.
And on an offtopic note, what the Hell has been happening with /. today? It comes on for ten minutes, dies for an hour and then repeats... is it anything to do with the 1.05 slash code update?
---
Jon E. Erikson
Jon Erikson, IT guru
I would ban windows networking first. If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions. Telnet and FTP take some effort to set up, at least on win9x.
The real solution is to ban nothing, and try to educate the users about security. Little things like, "turn off inetd," "disable sharing," "if you do share, give it a good password," etc. Colleges throw persistent megabit connections at their students without so much as a flyer for common security issues.
They're not going to ban Telnet and FTP, and the article doesn't call for that. What the article is calling for is to ban the practice of unsecured Telnet and FTP, something highly advised at schools such as mine.
According to the article, many colleges don't set proper access restrictions on log files containing vital information, so those files may even be indexed when a user does a search on the school's web site. That's just stupid, as any admin can see. Furthermore, most students, even at privacy-minded schools like mine, don't bother with using encrypted Telnet or FTP sessions. They figure nobody's out to get them, and so they don't need to authenticate. My next-door neighbor, before getting effectively kicked out of the school, wound up sniffing all of the passwords of everyone on our subnet who even once logged in unencrypted. While he didn't use that data for malicious purposes, a more unscrupulous character could easily publish them.
For more information, click here.
Try puTTY. A nice, one-binary-only windows client that is Free!
PuTTY is wonderful. I have it in my user directory on the campus network for when I'm at a Windows machine. It actually does VT100 reasonably well (still trying to get page down to work correctly), certainly better than Windows Telnet. The distro also comes with pscp, a windows command line implementation of Secure Copy, that lets you avoid ftp as well.
Telnet...what's that? Just about one of two ways for most .edu's to get their e-mail. Either use a mail client, or just telnet in. And what if you wanted to check your mail remotely. What are you going to tell them? NO, you can't! Sure you will.
I am at NYU, and they will shortly be migrating to this HUGE Sun computer that is going to handle the web-site, mail, etc, etc. They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.
Anyway, in short, I think this story is the same as "patenting the <a href=*> idea."
Also, all .edu's are Internet2, so they are faster than most mirrors, which is great for me when I want to install something new. So let's get rid of all that. We don't like fast FTP access, because they are hacker prone. Hey... EVERYTHING is hacker prone, so people should stop crying!
"Time is long and life is short, so begin to live while you still can." -EV
As long as you are doing it for the right reasons. If you are providing people with more secure alternatives that provide the same functions (ssh, scp, etc) then fine!
Telnet and ftp are inherently insecure protocols designed for an age where everyone knew everyone else on a single network. Those days are gone now...
A year spent in artificial intelligence is enough to make one believe in God.
Having been the Network Administrator for a satellite campus of a large University, I am all too aware of the problems with security on university computers. We have to balance between keeping intruders out, and providing enough access for students and faculty to use the systems. The university environment presents a unique challenge.
To disable telnet and FTP access and believe it will curtail most or all unauthorized access to these computers is as short-sighted as companies purchasing firewalls and believing that they are complete security. A firewall only prevents some kinds of attacks.
The real answer, as in most anything, is better education. Network and system administrators need to be more aware of security issues, and deal with them at the host/server/PC level. Don't need filesharing on a PC, turn it off! Don't need rexec access, turn it off! Watch the system like your job depends on it; eternal vigilance.
Just because IT professionals are paid well doesn't give us an excuse to neglect our duties.
What's that smell? Ah, that's my karma burning...
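Two comments above ("turn off inetd" and "Don't need rexec access, turn it off!") amount to the same host-level check: find the inetd-launched services that accept passwords in the clear and switch them off. The script below is an added example, not code from any poster or from the article; it parses the classic `inetd.conf` line format (service, socket type, protocol, wait flag, user, server, arguments), reports enabled services whose protocols send credentials unencrypted, and writes out a hardened copy with those lines commented out. The sample configuration, the service-to-advice table and the host paths in it are constructed for the demo.

```python
"""Audit an inetd.conf for services that carry passwords in cleartext.

Added example (not from the thread). Parses the classic inetd.conf format
(service socktype proto wait/nowait user server args), reports enabled
services whose protocols send credentials unencrypted, and produces a
hardened copy with those lines commented out. The sample config and the
advice strings are constructed for the demo.
"""

# inetd service names (as listed in /etc/services) whose protocols send the
# password in the clear, with the replacement the thread recommends.
CLEARTEXT_AUTH_SERVICES = {
    "telnet": "use ssh instead",
    "ftp": "use scp/sftp (ftp over ssh); keep only if anonymous-only",
    "pop3": "use pop3 over TLS or read mail over ssh",
    "pop-3": "use pop3 over TLS or read mail over ssh",
    "imap": "use imap over TLS",
    "shell": "rsh: use ssh",
    "login": "rlogin: use ssh",
    "exec": "rexec: use ssh",
}

SOCKET_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")


def parse_inetd(text):
    """Return (lineno, service, enabled, raw_line) for each service entry.

    A commented-out line that still looks like a service entry is kept and
    marked disabled, so the audit can tell 'switched off' from 'absent'.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A real entry has at least service, socktype, proto, wait, user, server.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append((lineno, fields[0], enabled, raw))
    return entries


def audit(text):
    """Return (lineno, service, advice) for every enabled cleartext-auth service."""
    findings = []
    for lineno, service, enabled, _raw in parse_inetd(text):
        if enabled and service in CLEARTEXT_AUTH_SERVICES:
            findings.append((lineno, service, CLEARTEXT_AUTH_SERVICES[service]))
    return findings


def harden(text):
    """Return a copy of the config with the flagged services commented out."""
    flagged = {lineno for lineno, _service, _advice in audit(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            out.append("# disabled by audit (cleartext authentication): " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: a late-1990s style inetd.conf with rsh already off.
SAMPLE_INETD_CONF = """\
# Constructed sample inetd.conf
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
exec    stream  tcp  nowait  root   /usr/sbin/tcpd  in.rexecd
pop-3   stream  tcp  nowait  root   /usr/sbin/tcpd  ipop3d
daytime stream  tcp  nowait  root   internal
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
"""

if __name__ == "__main__":
    for lineno, service, advice in audit(SAMPLE_INETD_CONF):
        print(f"line {lineno}: {service} is enabled -> {advice}")
    print(harden(SAMPLE_INETD_CONF))
```

On the sample, the audit flags `ftp`, `telnet`, `exec` and `pop-3`; `shell` is already commented out and is reported only by `parse_inetd` as disabled, while `daytime` and `finger` carry no credentials and are left alone. Real deployments also need the services' TCP ports filtered at the border and, for anonymous FTP, a chrooted server that accepts no real account logins; this script only covers the inetd side.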
There are far more uses for Telnet, and FTP than simply high wiring it in to a college campus, so you can run TRW reports on students 6 months behind on college loans.
Network Security is a rapidly expanding business in this world, regardless of what planet that "expert" is from. Numerous resources are out there for free, let alone at a fair cost, that, when properly implemented, make such information damn near impossible to get to.
The idea that every network connected to the outside is 100% secure IS a fallacy. But then, the idea that people who know what the hell they are doing are actually interested in getting a bit o info on a student.
One of the main concepts of target hardening (AKA Network Security) is not to totally prevent. Make the perp look for an easier target.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.
Sorry, but did you even read the article? The presentation that is alluded to in the story places a strong emphasis on the rights of individuals; especially on the privacy perspective.
The point seemed, to me at least, that telnet and ftp were (for campus networks) very insecure protocols. Anyone who's ever run a packet sniffer on a shared media ethernet can testify to this. Yes, ideally all the college residential networks would be switched, or protected by Need-To-Know scrambling hubs (cf. 3Com SuperStack II PS). However, this equipment tends to be more expensive than 'dumb' hubs, and wiring of accommodation does tend to be a lower priority from the funding perspective.
We're now seeing students running Linux boxes from their dorm rooms, connected to such shared networks. We'll assume that their honesty isn't in question (however spurious such an assumption may be!); the fact still remains that such boxes are frequently ill-maintained and the subject of frequent root exploits. Once you've rooted a machine on a shared media network that runs a lot of telnet/pop/ftp, it's trivial to harvest large numbers of passwords: and don't say it doesn't happen, because I know for a fact that it does.
Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality.
Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?
I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves; but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins; spewing off about shutting down such services effectively being the thin end of a wedge that ends with 'SHUTTING DOWN' the internet; well, that just looks silly.
I agree wholeheartedly with the presenter's point: I'd go one step further - it's not just telnet and ftp that present the problem; IMAP and POP are also generally insecure, not to speak of the numerous HTTP-based webmail services. The solution here is less clear-cut: nice alternatives like SSH are not widely available. Roll on IPv6 and network-level encryption, eh?
Cheers, Nick.
-- O improbe amor, quid non mortalia pectora cogis!
PuTTY is a very usable, free Win32 ssh/telnet client.
When I worked in tech support, we got a lot of calls from folks who tried to run "telenet" on their Windoze machine and couldn't get it to work.
"Did you type telnet?"
"Yes, I typed telenet."
"No, telnet: t-e-l-n-e-t."
"OK... t-e-l-e-n-e-t, telenet. No, it still doesn't work..."
Exactly.
I'd be a lot more concerned about POP3 than telnet. Last year at my school it was discovered that someone managed to get the passwords of nearly half the students simply by sniffing the POP3 packets. (One could of course argue that this could have been achieved via simply sniffing all packets--people generally have the same password for POP email as they do for telnet and FTP--but my point is that it was found that a LOT of people on campus use POP clients to read their email. Far more people use POP to read email rather than simply ssh'ing in and using pine (my preferred method, which is significantly more secure).)
I'm aware that most POP clients provide support for client-server encryption so the passwords are not sent plaintext, but my school never quite seemed to think that was worth the trouble, even though the vast majority of people are comp. sci. students who could probably handle such additional complexities with ease.
The fix to "all this" is *not* to ban protocols or limit the availability of services to students. Students subsidize the campus information infrastructure through their fees and tuition. The solution is to educate everyone on campus--faculty, staff and students--to use encryption whenever reasonably possible (ssh is not non user-friendly or invasive), and to use strong passwords. A lot of script kiddies and not-so-good hackers are born as a result of a campus trying to limit students' capabilities.
At the very least, I know a lot of people (myself included) who would have a few words to say to those in charge if it were decided that banning things, rather than employing workarounds or educating the people, was the correct solution.
The only time (that I know of) where my server was cracked was caused by a legitimate user logging in from an ivy league university via telnet.
The person's password was sniffed on the university side, and the cracker was able to log into my machine using the user's account. About 18 hours later (too long, I know) I noticed the intrusion because the time of the cracker's logins didn't match up with the user's usual pattern which I luckily happened to know.
After calling the real user up and confirming that there was a problem, we found some kind of nohup daemon running called "bash" in the .elm directory. Running strings on it revealed a bunch of german words. It appeared to be a netcat-like port redirector to avoid the packet filter and service logs. There was also, luckily, a bunch of evidence in .bash_history because the person typo'd the command to shut history off. The .bash_history file revealed the work of someone who was highly efficient and didn't waste time. They tried a bunch of stack-smashing attacks and common-vulnerability exploits to gain root, but luckily I was all patched up.
After cleaning up the system, changing passwords, and mandating the use of SSH (especially with RSA authentication) I didn't have any more problems. A few weeks later the affected user received an email-advertisement for sniffit from an anonymous source at her university email box.
Much later, I received an email from a german university saying that someone had broken into their servers from a variety of sites, one of them was mine. The date they claimed matched up with the date of the intrusion. They said that the cracker had installed a modified IRC eggdrop bot with root privileges at a certain port, and that these bots were also apparently still running on most of the systems that the cracker had logged in from. Sure enough, the ivy league university was on the list.
I tried sending them mail on a few different occasions, but never got a response. I guess the point of this rant is that universities have terrible security and that banning inherently insecure protocols when secure alternatives exist is a good idea for EVERYONE, not just the people at the university. Sure it was a pain converting my userbase from ftp and telnet to ssh and ftp-over-ssh / scp / full VPN but it was well worth it and was a one-shot issue.
-OT
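The intrusion in the story above was caught only because the admin happened to know the user's habits and saw logins at the wrong hours. The script below is an added example, not code from the poster, that automates that observation: it builds a per-user profile (usual login-hour window and known source hosts) from a history of `last`-style records and flags new logins that fall outside it. The users, hosts and timestamps are constructed for the demo; a real deployment would read them from wtmp or the login syslog.

```python
"""Flag logins that fall outside a user's established pattern.

Added example (not from the thread). Builds a per-user profile from
constructed `last`-style records (user, source host, login time) and flags
new logins at unusual hours or from unseen hosts, which is the check the
admin in the story did by hand. All names and hosts below are made up.
"""
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed login history: (user, source host, login time).
HISTORY = [
    ("alice", "dorm12.example.edu", "2000-03-01 19:10"),
    ("alice", "dorm12.example.edu", "2000-03-02 20:45"),
    ("alice", "dorm12.example.edu", "2000-03-03 18:30"),
    ("alice", "lib-ws4.example.edu", "2000-03-04 21:05"),
    ("alice", "dorm12.example.edu", "2000-03-05 19:55"),
    ("bob", "home.isp.example", "2000-03-01 08:15"),
    ("bob", "home.isp.example", "2000-03-02 08:40"),
    ("bob", "home.isp.example", "2000-03-03 09:05"),
]


def build_profiles(history, hour_margin=1):
    """Per user: usual login-hour window (widened by hour_margin) and known hosts."""
    hours = defaultdict(list)
    hosts = defaultdict(set)
    for user, host, ts in history:
        hours[user].append(datetime.strptime(ts, TIME_FMT).hour)
        hosts[user].add(host)
    profiles = {}
    for user, seen_hours in hours.items():
        lo = max(0, min(seen_hours) - hour_margin)
        hi = min(23, max(seen_hours) + hour_margin)
        profiles[user] = {"hours": (lo, hi), "hosts": hosts[user]}
    return profiles


def check_login(profiles, user, host, ts):
    """Return the reasons a login looks unusual (empty list = looks normal)."""
    profile = profiles.get(user)
    if profile is None:
        return ["no history for user"]
    reasons = []
    hour = datetime.strptime(ts, TIME_FMT).hour
    lo, hi = profile["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    if host not in profile["hosts"]:
        reasons.append(f"unseen source host {host}")
    return reasons


def scan(history, new_logins):
    """Return {(user, host, ts): reasons} for every new login that looks unusual."""
    profiles = build_profiles(history)
    flagged = {}
    for user, host, ts in new_logins:
        reasons = check_login(profiles, user, host, ts)
        if reasons:
            flagged[(user, host, ts)] = reasons
    return flagged


# Constructed new logins: alice's normal evening session, a 4 AM login on
# her account from a host never seen before (the pattern in the story), and
# bob's usual morning session.
NEW_LOGINS = [
    ("alice", "dorm12.example.edu", "2000-03-06 19:20"),
    ("alice", "shell.remote-univ.example.edu", "2000-03-07 04:12"),
    ("bob", "home.isp.example", "2000-03-06 08:30"),
]

if __name__ == "__main__":
    for login, reasons in scan(HISTORY, NEW_LOGINS).items():
        print(login, "->", "; ".join(reasons))
```

The window here is a simple min/max of observed hours plus a margin, so a user whose sessions straddle midnight would get a window that wraps badly; for those users a circular hour distance or a day-of-week bucket is the right refinement. The host check is the stronger signal in the story's case, since a sniffed password is typically replayed from wherever the sniffer sits rather than from the victim's own machine.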