Openness and Security on Campus
djeaux writes "The April issue of Syllabus includes an interview with Jeff Schiller, Network Manager at MIT, about openness and security in academic computing. Schiller has some interesting things to say about product liability for software, including an out for open source software and boils security down to a simple maxim: You must install patches. He also says that what makes security hard is that it's a 'negative deliverable.'"
It would be perfect to have an operating system that was secure out of the box (due to features built-in) like the world's greatest personal firewall. However I just don't see this as being a likely solution. I think an operating system should have a basic firewall like XP or any linux distro. But to ask a software developer to focus a ton of time on making me a bulletproof firewall instead of making the OS more stable just doesn't make sense. As stated in the article there's only so much development time and then you have to get your product out the door or you're going to have some pissed off users. I would want (in the case of OSes) the company to spend the majority of their time making the OS stable and a little bit of firewall is nice. But I would much rather use another means of securing my network instead of using 2,000 personal firewalls.
See Sig! See Sig Zig! Zig Sig Zig!!!!!
Openness and security can co-exist ONLY when everyone is trustworthy.
I'm not entirely certain what you mean by that, but I don't think any "open" security details short of handing out keys and passwords should automatically destroy the security. It might make it a lot harder to keep everything going safely, but there are plenty of benefits too. I don't think security requires a "fence" if the thing behind the fence is safe. In the physical world, an invasion involves someone physically entering an area. In the electronic world, someone has to find some way to get the thing behind the fence to do something it wasn't intended to do.
1) If the thing behind the fence is extremely well-designed, it won't allow something like this.
2) If security is "closed", it's only secure because nobody understands it or because nobody has a chance to touch it.
That sounds a lot like locking yourself in a secret underground bomb shelter and calling yourself "secure".
I attend the University of Alabama in Huntsville, an engineering/research institution with enrollment around 15k. The Network Services people around here aren't really concerned about the value of openness to academia; in fact, most of their security is directed inward, against the students who have to use the machines.
For instance, the "start" button on every lab computer has been disabled--people only have access to the icons on the desktop. Furthermore, right-click context menus have been disabled.
On some public computers, even access to the address bar in IE is disabled--all you can do is follow the links from the homepage in IE.
When I took a Mathematica class in the physics lab, we used a heavily neutered version of Windows NT, with file permissions set unusably tight. Browsers would crash on startup because they didn't have write access to their cache files, virtual memory was disabled (!), and the like.
Network Services also has banned the use of BitTorrent on campus, causing consternation among people wanting to download contraband like, uh, Mandrake images.
This is the same campus where average packet loss on ResNet is 20-30%. Students play games over dialup because it's faster and more stable than ResNet.
:)
[but who's to say offhand that Triple-DES or AES are better than Blowfish or plain DES]
No-one does. There is no proof, for any algorithm we've thought up yet, that there isn't a way to recover the encrypted text faster than brute force.
It is possible DES is more secure than AES or Blowfish.. we just don't know..
So like most things business, it's a risk management issue. The chances are that encryption is your strongest link. You need to ensure you've got your weaker links covered: namely, the two primary points being the users and the OS.
Computer security sucks.. yes.. but that's a risk of doing business.. and most of us have our jobs because that risk pays off
Simon.
I'd just suggest that the user's computer serves the white-hat worm for a day or two (kind of like BitTorrent), and then automatically deletes it.
Is that a bad idea?
The Philosophy of Liberty | lewrockwell.com
You understood openness correctly, but mis-understood security. A safe is secure, even if 500 people know the combo... as long as those people are trustworthy.
Interesting point.
But using the same example, what if an outsider pretended to be someone that one of those 50 people knew, found out details from that person, and used it to trick one of the other 50 people, etc...
One thing that struck me about American culture in general is that people seem to be a lot more trusting, and despite what a lot of Americans think, it IS a lot more of an open society than (probably most) other parts of the world.
Coming from South Africa to study in the US (between 1999 and 2001) was an eye-opening experience. I don't know how much things have changed since the 9-11 incident and so on, but back then I was amazed at how open and helpful people were, for example, getting student visas, a social security number, a driver's license at the DMV...all very smooth, despite the fact that I was a complete foreigner. In South Africa, it is often more difficult to get basic things like licenses and so forth processed as a citizen than it was to get them done as a foreign student in the USA! I don't know if it's just a different outlook people in the USA have, but dealing with South African bureaucracy has become even more painful since I returned to South Africa, remembering how comparatively smooth everything was in the US.
The same with campus security. I'm fairly sure that if someone wanted to be underhanded, they could fairly easily socially engineer situations to break security systems.
Speaking of stolen items: there's a reason people call them "fenced".
Anyway, there's a way to have openness and security.
You put a table in a field and put a lot of nice candy on it. (the goodies, no fence)
Then you put an East German martial arts instructor in a Soviet-era uniform with an AK-74 and a German shepherd on a short leash next to the table. (security)
Anyone can come and browse, but I guarantee you they won't take any candy without leaving a few dimes in the jar.
Security should be obvious, and punishment should be swift and brutal.
Then you can have openness and security.
"Piter, too, is dead."
It has been done and it was done so poorly that it caused a bigger problem because the damn thing was spreading so quickly that it was taking up all the bandwidth and causing the machines it patched to essentially not be able to get online because of all the damn packets it was sending out.
At my university we require students to run antivirus software (we provide it if they don't have any) and to keep their machine patched and secured, and if they don't, well, they will quickly be taken off the network once their machine gets infected with a worm or is hacked and we receive an outside complaint. They then get all mad that we took them offline and we have to go through explaining to them that they agreed when signing up for our resnet service they would do the following and they violated the agreement. We charge them a 25 dollar reconnect fee which includes us taking their machine in, or going out there, and cleaning it up and securing it, as well as educating them on how to keep their machine secure.
The other day at work I had a kid yelling at me that we can't just take him off the network without warning. The reason we had taken him off was because his machine was sending spam to AOL addresses and recently AOL has been blocking all email from our domain because of it. I said to him because of you everyone on this campus can now no longer send emails to their friends at AOL and we have to contact AOL once we are done with your machine and get off their blacklist. That shut him up.
You know, I've read this argument a couple of times here on Slashdot, and I've never in my life heard of this happening to anybody I know. Can somebody provide an example?
And why do you say the patches "particularly [break] competitor's applications"? All this means to me is that Microsoft tests the patches thoroughly with their own software. I certainly wouldn't expect them to release patches that break their own software (that they know and can test) more than their competitors' software.
Maybe I'm visiting the wrong web sites, but it's great to hear these things from someone who's been on the cusp of network administration from the beginning.
S: So education is a part of this?
JS: Education is a part of this, both for the people who own personal computers and work with the data and for the people running these systems.
I can vouch for the end part of the article for sure, as I'm sure many Slashdot readers can. Right now I'm doing an Information Security Risk Assessment as part of a graduate level class that I'm taking. Fortunately, for the K-12 schools on which we perform these assessments we cover user education as part of an overall Information Security program. Also, it gives us the chance to see user education and awareness from their point of view, which helps us make the case for having user awareness training. A lot of end users don't realize that having a weak password is like giving away the key to your organization (or school in this case). I'll give you two guesses as to the biggest topic that we've discussed with the school corp. and the first one doesn't count ;)
You would not believe how woefully inadequate schools are when it comes to an Information Security Program. If you have the opportunity to help a school out, do it. It will help you learn something, help the school better themselves, and better the community by protecting the little ones' information.
It is just a bad practice to upgrade to each and every patch released by a vendor.
For server side and data center machines, patches usually result in more problems since they break things that already work.
It's common practice in the mainframe world to skip every other patch/upgrade as well as let patches age for a while before applying (to avoid getting an untested-in-the-field patch).
Desktop users are more able to get and apply patches since their reliability requirements are much lower.
My little company tries to make money selling software, but I'll tell you what, I sure can't afford to shoulder liability for our mistakes. If you make me liable, I'm out of business. You use my software at your own risk, and if for some reason it becomes impossible for me to say that to you, I'm through.
The other thing that makes me laugh is "indemnification." I'm running around "indemnifying" multi-billion dollar corporations against lawsuits from people who might claim that our code violates their patents or their intellectual property. If I refuse to sign the indemnification clause, I don't get their business, it's as simple as that.
Obviously, one nuisance lawsuit from some asshole somewhere means that I'm finished. Probably they'll come after my personal property, too, and I'll die penniless in some gutter. What can I do? I'm screwed.
It's time to reform the whole goddamn tort system, because I can tell you, it's really no fun at all out here, trying to sell software, when who knows what jackass is going to emerge from some closet somewhere and claim to have patented the "if" statement.
Welcome to the insanity. Move your money to the Cook Islands while you still can. Me, I don't have enough to bother at this point.
In general, the MIT "firewalls are false security" mantra is a good thing, particularly at MIT where there is a high concentration of bright and inquisitive people. You can never count on the black- and grey-hats being on the other side of your firewall. You have to assume that the networks on both sides of your firewall are hostile. Each host must be a castle unto itself. This is simply a much more robust security model than "keep the bad guys over there".
On the other hand, shortly before MS started covering IIS on WindowsUpdate, the house had a rash of IIS exploits and RPC exploits. I asked for advice about setting up an OpenBSD firewall to only allow outgoing connections from most machines (and knocking holes in the firewall for MIT Network Security's vulnerability scanners). The response I got was basically "If you have to ask, we won't help you. Just patch everything and it will be fine." They didn't seem to realize that a sophomore can't just run around the house pestering everyone to keep their machines up to date. Basically, my powers were limited to waiting for problems and then finding the offender and saying "MIT is threatening to cut the entire house off from the Internet in two hours unless you do what I say now!". Sure, I sent out reminders and heads-up emails, but when they didn't listen and got compromised I would invariably be the one to do their OS reinstall because if I didn't, half of them would just put the compromised machine back online without fixing anything.
This last year, MIT actually stepped out of the ivory tower and did some port-based filtering (firewalling) when tons of students came back from Summer to take their computers out of storage. Many of the students would get compromised while updating, even if they patched as soon as connecting the machine to the Internet.
I think they also permanently firewall off their MS Windows-Athena computer cluster. (side note: the internal code name for the project to modify Windows to work with the rest of the Athena network was Pismere -- Latin for horse piss)
I also pestered MIT for about a month after RedHat released the ptrace bug kernel fix and they hadn't pushed the fix out to the official RedHat-Athena packages. Their position was that local root exploits weren't a problem since MIT gives the root password to most of the machines to students who ask. I pointed out that many departments and individual students set up machines so that absolutely anyone with an Athena account could SSH in as a normal user. There had been no warning emailed out that RedHat-Athena machines were still vulnerable to the ptrace local root exploit. Most of these machines' owners assumed that the problem had been taken care of by RedHat-Athena's daily automatic updates. It was by sheer luck that I looked at the file modification date on my friend's kernel and realized the modification date was long before the ptrace vulnerability had been discovered. After all, I had already checked that it was up to date on all of the patches MIT put out for RedHat-Athena.
In short, MIT network security policy is a strange patchwork of opinions.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
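The OpenBSD firewall the poster above describes (outgoing connections only for the house, with holes for the campus vulnerability scanners) can be expressed as a short pf.conf. This is an added example, not the poster's or MIT's configuration; the interface names, the house subnet and the scanner addresses are placeholders.

```pf
# Assumed interface names and addresses (placeholders, not from the post).
ext_if    = "fxp0"                     # uplink toward the campus network
int_if    = "fxp1"                     # the house's own LAN
house_net = "192.0.2.0/24"             # placeholder house subnet
scanners  = "{ 198.51.100.10, 198.51.100.11 }"   # placeholder scanner hosts

set skip on lo

# Default deny: nothing crosses the firewall unless a rule below allows it.
block all

# House machines may originate connections outward; the reply traffic is
# matched by state, so no inbound rule is needed for it.
pass in  on $int_if from $house_net to any keep state
pass out on $ext_if from $house_net to any keep state

# The "holes": only the campus vulnerability scanners may initiate
# connections into the house, so unpatched IIS/RPC services stay reachable
# to the people whose job it is to find them, and to nobody else.
pass in  on $ext_if from $scanners to $house_net keep state
pass out on $int_if from $scanners to $house_net keep state
```

This filters inbound exposure only; as the poster notes, hosts on both sides still have to be patched, since the rules do nothing about a compromised machine already inside the house.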