Slashdot Mirror


Colleges Urged To Ban Telnet And FTP

M100 writes: "The Chronicle of Higher Education reports in this story that a computer-privacy 'expert' has told colleges that they should ban Telnet and FTP because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.'" The story is based on Simson Garfinkel's writings ... it's mostly about other stuff, too. (Besides, who doesn't at least use ssh?)

9 of 304 comments

  1. Half-good, half-bad by gavinhall · · Score: 5
    Posted by 11223:

    Hold, hold, hold on here a second. Banning the protocol doesn't make sense. On some computers, one can telnet in and play a game of rogue as the games user, for example. Don't ban anonymous FTP as well - it's been one of the backbones (not literally) of the Internet for years.

    Do encourage system administrators and users to never, ever log in and send their password remotely over telnet. Inside the college network is a different idea. (And some vendors, *cough* *cough* most of them *cough* *cough* don't have the good sense to pre-install ssh on their systems! Telnet can be a good thing.)

    1. Re:Half-good, half-bad by MartinG · · Score: 5

      > they would have to use some secure method such as ssh.

      This is a very good thing IMO. For too long the general attitude has been "Don't use encryption unless you have to" when it should be "always use encryption unless you have a reason not to".
      This has led to several bad things:
      - Those sensible enough to use encryption by default (such as PGP for mail) for their communications are treated like they have "something to hide" by some.
      - Because only a minority use encryption technologies instead of their more widespread unencrypted counterparts, governments find themselves able to legally force this to continue with draconian anti-encryption bills. (RIP bill in the UK soon to be passed? - see http://stand.org.uk)

      The sooner the masses are educated about the advantages of using encryption more, in ssh, for file transfer, for mail, and everything else, the better. Where better to start the ball rolling than in universities?

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  2. Re:A bigger problem... by gwalla · · Score: 5
    If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions.

    Hehe...one time I managed to confuse the hell out of a friend of mine by printing stuff on his printer through Network Neighborhood, including a document that said something like "Doesn't it suck having people print random stuff in your room? Take your printer off the network and you won't have this problem." He had to get me to do it, but at least he was more security conscious from then on.

    Of course, this is the same guy whose dorm room I rewired so he couldn't turn off his lights...


    ---
    Zardoz has spoken!
    --
    Oper on the Nightstar
  3. Banning them is only a half solution by Jon+Erikson · · Score: 5

    The problem is not with the two protocols in themselves, but more with network administrators that don't have the time or concern to implement the full range of security measures that are required to make them safe.

    Not allowing FTP or Telnet to be used will increase the security for wide-open systems to an extent, but a dedicated cracker will find a way in anyway if they really want to. The trick is to make it hard enough so as not to be worth the effort, and there are a lot more things which should be done before banning FTP and Telnet will help secure a network.

    And on an off-topic note, what the Hell has been happening with /. today? It comes on for ten minutes, dies for an hour and then repeats... is it anything to do with the 1.05 slash code update?



    ---
    Jon E. Erikson
    --

    Jon Erikson, IT guru

  4. A bigger problem... by ywwg · · Score: 5

    I would ban windows networking first. If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions. Telnet and FTP take some effort to set up, at least on win9x.

    The real solution is to ban nothing, and try to educate the users about security. Little things like, "turn off inetd," "disable sharing," "if you do share, give it a good password," etc. Colleges throw persistent megabit connections at their students without so much as a flyer about common security issues.
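    The "turn off inetd" advice above, done for just the cleartext-login services rather than the whole daemon. This is an added example and not code from the poster or from Slashdot; the inetd.conf below is constructed for the demonstration, and the `keep` parameter is an assumption added so a site can deliberately leave an anonymous-only ftpd running (as the first comment argues for) instead of silently losing it.

```python
"""Added example: comment out the cleartext-authentication services in an
inetd.conf while leaving everything else (ssh, finger, ...) untouched.

The inetd.conf text below is constructed for the demonstration; a real run
would read /etc/inetd.conf, write the result back and HUP inetd.
"""

# Services whose username/password cross the wire in the clear.
CLEARTEXT_AUTH_SERVICES = {
    "telnet", "ftp", "pop-3", "pop3", "imap", "imap2", "rlogin", "shell", "exec",
}

# Constructed sample in the classic inetd.conf column layout.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

MARKER = "# disabled (cleartext authentication): "


def disable_cleartext_services(conf_text, keep=()):
    """Return (rewritten text, list of service names disabled).

    `keep` (hypothetical parameter) names services to retain on purpose,
    e.g. keep={"ftp"} for an anonymous-only ftpd; those lines are left as-is
    so the decision is explicit rather than an accident of the rewrite.
    """
    out, disabled = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)  # comments and blank lines pass through, so the rewrite is idempotent
            continue
        service = stripped.split()[0].lower()
        if service in CLEARTEXT_AUTH_SERVICES and service not in keep:
            out.append(MARKER + line)
            disabled.append(service)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def still_enabled(conf_text):
    """Service names inetd would still start from this configuration."""
    names = []
    for line in conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            names.append(s.split()[0].lower())
    return names


if __name__ == "__main__":
    new_conf, gone = disable_cleartext_services(SAMPLE_INETD_CONF)
    print("disabled:", gone)
    print("still started by inetd:", still_enabled(new_conf))
    print(new_conf)
```

    Running it on the sample disables ftp, telnet and pop-3 and reports that only ssh and finger remain; running it again over its own output changes nothing, which is the property you want before putting something like this in a cron job.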

  5. Not bloody likely by generic-man · · Score: 5

    They're not going to ban Telnet and FTP, and the article doesn't call for that. What the article is calling for is to ban the practice of unsecured Telnet and FTP, something highly advised at schools such as mine.

    According to the article, many colleges don't set proper access restrictions on log files containing vital information, so those files may even be indexed when a user does a search on the school's web site. That's just stupid, as any admin can see. Furthermore, most students, even at privacy-minded schools like mine, don't bother with using encrypted Telnet or FTP sessions. They figure nobody's out to get them, and so they don't need to authenticate. My next-door neighbor, before getting effectively kicked out of the school, wound up sniffing all of the passwords of everyone on our subnet who even once logged in unencrypted. While he didn't use that data for malicious purposes, a more unscrupulous character could easily publish them.

    --
    For more information, click here.
  6. Re:For that matter... by nhw · · Score: 5

    I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.

    Sorry, but did you even read the article? The presentation that is alluded to in the story places a strong emphasis on the rights of individuals; especially on the privacy perspective.

    The point seemed, to me at least, that telnet and ftp were (for campus networks) very insecure protocols. Anyone who's ever run a packet sniffer on a shared media ethernet can testify to this. Yes, ideally all the college residential networks would be switched, or protected by Need-To-Know scrambling hubs (cf. 3Com SuperStack II PS). However, this equipment tends to be more expensive than 'dumb' hubs, and wiring of accommodation does tend to be a lower priority from the funding perspective.

    We're now seeing students running Linux boxes from their dorm rooms, connected to such shared networks. We'll assume that their honesty isn't in question (however spurious such an assumption may be!); the fact still remains that such boxes are frequently ill-maintained and the subject of frequent root exploits. Once you've rooted a machine on a shared media network that runs a lot of telnet/pop/ftp, it's trivial to harvest large numbers of passwords: and don't say it doesn't happen, because I know for a fact that it does.

    Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality.

    Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?

    I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves, but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins; spewing off about shutting down such services effectively being the thin end of a wedge that ends with 'SHUTTING DOWN' the internet, well, that just looks silly.

    I agree wholeheartedly with the presenter's point: I'd go one step further - it's not just telnet and ftp that present the problem; IMAP and POP are also generally insecure, not to speak of the numerous HTTP-based webmail services. The solution here is less clear-cut: nice alternatives like SSH are not widely available. Roll on IPv6 and network-level encryption, eh?

    Cheers, Nick.

    --
    -- O improbe amor, quid non mortalia pectora cogis!
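    What "trivial to harvest large numbers of passwords" looks like in practice, for the telnet, FTP and POP sessions nhw lists and the subnet sniffing generic-man describes two comments up. This is an added example, not code from any poster; the three flows are constructed in-line to stand in for the TCP streams a sniffer on a hub-attached box would reassemble, and the host names in them are made up.

```python
"""Added example: pulling credentials out of cleartext telnet, FTP and POP3
sessions as seen from a box on a shared-media segment.

The flows below are constructed for the demonstration; nothing is captured
from a real network. A sniffer would feed reassembled TCP streams into the
same functions.
"""
import re

# (protocol, server, [(direction, payload), ...]); 'C' = client->server, 'S' = server->client
CONSTRUCTED_FLOWS = [
    ("ftp", "ftp.example.edu", [
        ("S", b"220 ftp.example.edu FTP server ready.\r\n"),
        ("C", b"USER alice\r\n"),
        ("S", b"331 Password required for alice.\r\n"),
        ("C", b"PASS hunter2\r\n"),
        ("S", b"230 User alice logged in.\r\n"),
    ]),
    ("pop3", "mail.example.edu", [
        ("S", b"+OK POP3 server ready\r\n"),
        ("C", b"USER bob\r\n"),
        ("S", b"+OK\r\n"),
        ("C", b"PASS s3cret\r\n"),
        ("S", b"+OK Logged in.\r\n"),
    ]),
    ("telnet", "shell.example.edu", [
        # IAC DO TERMINAL-TYPE, IAC WILL ECHO, then the prompt; clients send one keystroke per segment
        ("S", b"\xff\xfd\x18\xff\xfb\x01login: "),
        ("C", b"c"), ("C", b"a"), ("C", b"r"), ("C", b"o"), ("C", b"l"), ("C", b"\r\n"),
        ("S", b"Password: "),
        ("C", b"p"), ("C", b"4"), ("C", b"s"), ("C", b"s"), ("C", b"w"), ("C", b"d"), ("C", b"\r\n"),
        ("S", b"Welcome to shell.example.edu\r\n$ "),
    ]),
]

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(data):
    """Remove telnet option negotiation so the login/password prompts are plain text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            out.append(data[i]); i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                        # escaped literal 0xff
            out.append(IAC); i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte negotiation
            i += 3
        elif cmd == SB:                       # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                 # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


USER_PASS = re.compile(rb"^(USER|PASS)\s+(\S+)", re.I)


def harvest_user_pass(proto, server, flow):
    """FTP and POP3 both send 'USER x' then 'PASS y' from the client in the clear."""
    creds = {}
    for direction, payload in flow:
        if direction != "C":
            continue
        m = USER_PASS.match(payload)
        if m:
            creds[m.group(1).upper().decode()] = m.group(2).decode(errors="replace")
    if creds.keys() >= {"USER", "PASS"}:
        return {"proto": proto, "server": server, "user": creds["USER"], "password": creds["PASS"]}
    return None


def harvest_telnet(server, flow):
    """Reassemble the keystrokes the client sends after the login: and Password: prompts."""
    found, expecting, buf = {}, None, bytearray()
    for direction, payload in flow:
        if direction == "S":
            text = strip_telnet_options(payload).lower()
            if b"login:" in text:
                expecting, buf = "user", bytearray()
            elif b"password:" in text:
                expecting, buf = "password", bytearray()
        elif expecting:
            buf += payload
            if b"\r" in buf or b"\n" in buf:  # line complete
                found[expecting] = re.split(rb"[\r\n]", bytes(buf))[0].decode(errors="replace")
                expecting, buf = None, bytearray()
    if found.keys() >= {"user", "password"}:
        return {"proto": "telnet", "server": server, **found}
    return None


def harvest(flows):
    """Run each flow through the extractor for its protocol; return every credential recovered."""
    results = []
    for proto, server, flow in flows:
        hit = harvest_telnet(server, flow) if proto == "telnet" else harvest_user_pass(proto, server, flow)
        if hit:
            results.append(hit)
    return results


if __name__ == "__main__":
    for c in harvest(CONSTRUCTED_FLOWS):
        print(f"{c['proto']:6} {c['server']:18} {c['user']}:{c['password']}")
```

    Note that nothing here is clever: the only "parsing" telnet needs is stripping option negotiation and waiting for the prompt, and FTP and POP3 hand the credentials over labelled. That is why a single rooted dorm box on a hub can end up with everyone's password, and why the alternative is not a better telnet but ssh.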
  7. Re:For that matter... by Spock+the+Vulcan · · Score: 5

    PuTTY is a very usable, free Win32 ssh/telnet client.

  8. True Story (or, a personal way of being redundant) by Outland+Traveller · · Score: 5

    The only time (that I know of) where my server was cracked was caused by a legitimate user logging in from an ivy league university via telnet.

    The person's password was sniffed on the university side, and the cracker was able to log into my machine using the user's account. About 18 hours later (too long, I know) I noticed the intrusion because the time of the cracker's logins didn't match up with the user's usual pattern, which I luckily happened to know.

    After calling the real user up and confirming that there was a problem, we found some kind of nohup daemon running called "bash" in the .elm directory. Running strings on it revealed a bunch of german words. It appeared to be a netcat-like port redirector to avoid the packet filter and service logs. There was also, luckily, a bunch of evidence in .bash_history because the person typo'd the command to shut history off. The .bash_history file revealed the work of someone who was highly efficient and didn't waste time. They tried a bunch of stack-smashing attacks and common-vulnerability exploits to gain root, but luckily I was all patched up.

    After cleaning up the system, changing passwords, and mandating the use of SSH (especially with RSA authentication) I didn't have any more problems. A few weeks later the affected user received an email-advertisement for sniffit from an anonymous source at her university email box.

    Much later, I received an email from a german university saying that someone had broken into their servers from a variety of sites, one of which was mine. The date they claimed matched up with the date of the intrusion. They said that the cracker had installed a modified IRC eggdrop bot with root privileges at a certain port, and that these bots were also apparently still running on most of the systems that the cracker had logged in from. Sure enough, the ivy league university was on the list.

    I tried sending them mail on a few different occasions, but never got a response. I guess the point of this rant is that universities have terrible security and that banning inherently insecure protocols when secure alternatives exist is a good idea for EVERYONE, not just the people at the university. Sure it was a pain converting my userbase from ftp and telnet to ssh and ftp-over-ssh / scp / full VPN but it was well worth it and was a one-shot issue.

    -OT
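    The check that caught the intrusion in the story above, noticing that a login did not fit the user's usual pattern, done mechanically instead of relying on happening to know the user. This is an added example and not the poster's code; the `last`-style lines are constructed, the host names are made up, and the one-hour `slack` window is an assumption chosen for the demonstration.

```python
"""Added example: flag logins that break a user's baseline, i.e. come from a
host never seen before or fall outside the hours they normally log in.

Both `last`-style inputs below are constructed for the demonstration;
nothing is read from /var/log/wtmp.
"""
import re
from collections import defaultdict

# user  tty  host  Dow Mon dd HH:MM ...  (the leading columns of `last` output)
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hh>\d\d):(?P<mm>\d\d)"
)

# Constructed: the user's normal week, all from her dorm machine, evenings.
BASELINE = """\
alice    pts/0        dorm-12.example.edu  Mon Jun  5 20:41 - 21:30  (00:49)
alice    pts/0        dorm-12.example.edu  Tue Jun  6 21:14 - 22:03  (00:49)
alice    pts/1        dorm-12.example.edu  Wed Jun  7 19:58 - 20:40  (00:42)
alice    pts/0        dorm-12.example.edu  Thu Jun  8 22:05 - 22:50  (00:45)
"""

# Constructed: one ordinary login, then a 04:17 login from an unknown host.
RECENT = """\
alice    pts/0        dorm-12.example.edu  Fri Jun  9 21:02 - 21:44  (00:42)
alice    pts/2        relay.example.de     Sat Jun 10 04:17 - 05:55  (01:38)
reboot   system boot  2.2.14               Sat Jun 10 06:00
"""


def parse_last(text):
    """Yield (user, host, hour, raw_line) for each login line; skip pseudo-users."""
    for line in text.splitlines():
        m = LAST_LINE.match(line)
        if m and m.group("user") not in ("reboot", "shutdown"):
            yield m.group("user"), m.group("host"), int(m.group("hh")), line


def build_profiles(text):
    """Per-user set of source hosts and login hours seen in the baseline."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour, _ in parse_last(text):
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(hour)
    return profiles


def flag_anomalies(profiles, text, slack=1):
    """Return [(raw_line, [reasons])] for logins that break the user's pattern.

    `slack` (assumed value: one hour) widens the usual-hours window on each
    side so someone who normally logs in at 22:xx is not flagged at 23:05.
    """
    flagged = []
    for user, host, hour, line in parse_last(text):
        reasons = []
        prof = profiles.get(user)
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if host not in prof["hosts"]:
                reasons.append(f"new source host {host}")
            usual = {(h + d) % 24 for h in prof["hours"] for d in range(-slack, slack + 1)}
            if hour not in usual:
                reasons.append(f"login at {hour:02d}:xx outside usual hours {sorted(prof['hours'])}")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, why in flag_anomalies(build_profiles(BASELINE), RECENT):
        print(line.strip(), "<-", "; ".join(why))
```

    On the constructed data the Friday evening login passes and the 04:17 session from relay.example.de is flagged twice over, for the unknown host and for the hour. The host check alone would have caught the intrusion in the story, since the stolen password was used from somewhere other than the university the user normally came from; the hour check is what catches an attacker who bothers to route through the victim's usual site.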