Openness and Security on Campus

djeaux writes "The April issue of Syllabus includes an interview with Jeff Schiller, Network Manager at MIT, about openness and security in academic computing. Schiller has some interesting things to say about product liability for software, including an out for open source software and boils security down to a simple maxim: You must install patches. He also says that what makes security hard is that it's a 'negative deliverable.'"

Campuses need more openness

[SnappingTurtle]

For beginners, streaking has totally gotta come back in style.

Simpler than that

[stanmann]

Security is simpler than that. Security requires fences, in the electronic world just as in the physical world.

those fences can be visible or invisible, incorporated or separated, But they will NEVER stop dis-honest people. No fence will categorically keep out all burglars. No computer security(short of pulling all the plugs) will keep everyone off your computer. Openness and security can co-exist ONLY when everyone is trustworthy.

Re:Simpler than that

[lukewarmfusion]

Openness and security are mutually exclusive (if I'm understanding your use of 'openness' correctly).

You don't need security if everyone is trustworthy, and you can't have openness is everyone is not.

Just quibbling.

Re:Simpler than that

[Rikus]

Openness and security can co-exist ONLY when everyone is trustworthy.
I'm not entirely certain what you mean by that, but I don't think any "open" security details short of handing out keys and passwords should automatically destroy the security. It might make it a lot harder to keep everything going safely, but there are plenty of benefits too. I don't think security requires a "fence" if the thing behind the fence is safe. In the physical world, an invasion involves someone physically entering an area. In the electronic world, someone has to find some way to get the thing behind the fence to do something it wasn't intended to do.
1) If the thing behind the fence is extremely well-designed, it won't allow something like this.
2) If security is "closed", it's only secure because nobody understands it or because nobody has a chance to touch it.
That sounds a lot like locking yourself in a secret underground bomb shelter and calling yourself "secure".

Re:Simpler than that

[ColonelPanic]

You don't need security if everyone is trustworthy, and you can't have openness is everyone is not.

The sad truth is that you can't have openness if anyone is untrustworthy.

Re:Simpler than that

[no+longer+myself]

Security requires fences

You forgot the razor wire, the minefield, the 18 foot tall concrete wall, and the ant-aircraft guns. Oh, and don't forget about the B-1 Bomber fleet with a heaping pile of MOAB's... While we're at it, let's throw in some propaganda and tactical nukes and some chemical and biological--

Oh wait... This is just getting plain silly.

Firewalls, patches, and frequent monitoring for suspicious activities... yep... Along with a prayer, that's about the best you can do.

Re:Simpler than that

[Rikus]

...you can always go over or through the fence

I emphasize: if the thing behind the [nonexistent] fence is very safe, no "fence" should be necessary. I define the fence as the thing that prevents people from having a chance to interact with the fenced item. In the real world, someone can use their strength to break through a fence or break through a wall within the fence. In the electronic world, there needs to be an actual mistake or problem before a similar thing can happen.

...not being able to(YET?) categorically determine that joe is joe.

That's done with signatures/public-key cryptography and symmetric cryptography. If that's not sufficient to determine that Joe is Joe, then Joe might need to be a bit more careful Someone installed a keystroke-logger and stole his secret key? Someone is holding a gun to Joe's head? Those are the dangers of the physical world.

Defeating security by munging URLs

[tcopeland]

From the interview:

S:Are there any other weaknesses to keep in mind, particularly when accessing data on the Web?
JS: This gets into engineering implementations. The devil is in the details. Let me give you an example. There's a Web site out there--I won't identify them--that offers survey services. You can set up surveys and revisit them to see the data collected or to edit them. But if you look closely at the actual URL in the little bar at the top of your browser, you will see some long number.

A few of us wanted to know, "Well, wonder what happens if we go into that title bar there where the URL is and just add one to that number?" And we did so, and all of a sudden we were looking
at somebody else's survey, and seeing their answers. The devil is in the details.

Yup. Each HTTP request needs to be checked separately for privilege violations. Not doing so is like opening your internal API to anyone who wants to call it... next thing you know, someone is injecting SQL and your database is executing a "DROP TABLE users". Yikes.

Patches?

[Swamii]

I read in a magazine recently that a Microsoft exec said Windows users would be "much safer" if we all would just download software patches from Windows Update. According to the article, no one took him seriously.

Re:Patches?

[sphealey]

I read in a magazine recently that a Microsoft exec said Windows users would be "much safer" if we all would just download software patches from Windows Update. According to the article, no one took him seriously.

Well, there's that little problem where Microsoft patches tend to break other applications, particularly competitor's applications. Which makes automatic patching a bit of a concern when mission-critical apps get broken.

sPh

Re:Patches?

[kfg]

Wanna have some fun? Just walk up quitely behind your sysadmin and say, in a mild voice, "Windows patch."

Don't expect any work from him for the rest of the day though. Just let him gibber quietly in the corner. It'll go away.

KFG

Re:Patches?

[sphealey]

The canonical example is Windows NT Service Pack 6, which broke Lotus Notes (both server and client). Note (ha ha) that Notes had at that time both the largest market share and by far the largest installed base of any corporate e-mail system. Microsoft denied the problem for about 6 weeks, then suddenly released SP6a with no explanation.

That's the worst I know of (since it was marked a security release, and since it affected so many sites), but I have certainly run across others.

And while I agree Microsoft can't test _every_ 3rd party app out there, I do think that given their 96% desktop market share (at that time; closer to 99% today) that they have a responsibility to test the leading apps of the leading functions, whether or not they are Microsoft's. Novell certainly used to do that.

sPh

Negative Deliverable

[re-Verse]

People have to accept security as a regular part of life. There are LOTS of negative deliverables we subscribe to in our lives, and pay quite handsomly for. Off of the top of my head, I think of auto insurance. I mean - yeah we see nothing making it better.... but we know very well the hell that may arise if we don't have it.

One thing that gives me pause...

[Sheetrock]

Anybody that can give an answer about the cryptographic algorithms one should use that quickly without reflecting on the different strengths and weaknesses inherent worries me a bit. Sure, most of the focus should be on making access simpler and easier in practical situations, but who's to say offhand that Triple-DES or AES are better than Blowfish or plain DES?

Nor would I applaud Automatic Update as a triumph for the end-user -- it delivers more than security fixes and can affect the stability of a machine. But the point about firewalls only being as good as the policy on employee laptops is a good one.

Re:One thing that gives me pause...

[Ckwop+Johnson]

quote
[
but who's to say offhand that Triple-DES or
AES are better than Blowfish or plain DES
]

No-one does. There is no proof that for any algorithms we've thought up yet that there isn't a way to recover the encrypted text faster than brute force.

It is possible DES is more secure than AES or Blowfish.. we just don't know..

So like most things business, it's a risk management issue. The chances are that encryption is your strongest link. You need to insure you've got your weaker links covered: namely, the two primary points being the users and the OS.

Computer security sucks.. yes.. but that's a risk of doing business.. and most of us have our jobs because that risk pays off :)

Simon.

Software liability

[GillBates0]

JS:Now, the problem is that if you decide to put liability upon software authors, you destroy open source--because those people can't tolerate any liability. So, if I were king, I would rule that if you're selling software then you bear a certain liability; but if you're giving it away in open source, then you don't.

But, I fear that the commercial interests in this game, if they felt that Congress was backing them into a situation where they would have to accept liability, my guess is they would strenuously lobby that liability applies to everything, including open source, in an attempt to kill off open source. So that's the conundrum.

That was a very insightful quotes regarding the worry I've been having off late. Given their way, lawyers, lobbyists, anti-opensource corporations and their political puppets will all rally to impose liability for software on the end-developer.

If such a development happens, we could very well see software developers forced to buy "malpractice insurance" like doctors/medical professionals - that alone will be enough to kill opensource software, not to mention the plethora of lawsuits and ugly frivoulous lawsuits which've plagued the US medical system and escalated medical costs.

And ust to play devil's advocate to his suggestion that free software developers not be held liable - since they're "giving away" their stuff: somebody could turn my anology around and make outrageous claims like "exempting voluntary software developers from liability is like encouraging quacks to pursue their medical endeavours".

Re:Software liability

[jadavis]

One interesting point about the liability issue is that proprietary software developers would benefit greatly from liability laws, and consumers would probably suffer.

It's natural to assume that placing barriers or restrictions would hurt the vendors. Intuitively, anti-drug laws would hurt drug dealers, but in reality they drive the price up, and therefore the dealers' profits.

It's the same with software vendors. It would take more time to develop a quality product, and so it would eliminate most of the smaller developers. In effect, it would drive the price of software up across the board. Most consumers don't care about security or stability, they really don't. And developers would shy away from some of the most useful features for fear it could be considered a security problem. So the consumers are getting no real benefit, but paying a huge cost.

In the case of doctors, a patient's body would qualify, in computer terms, as "mission critical", meaning one problem is too many. So the patient loses if they see a quack. But, if a consumer gets bad software they reboot a few times a week, and maybe re-download some mp3s.

A better solution is if the vendors who actually do provide mission-critical software would provide guarantees. You can get a lot better guarantee from IBM or Oracle than MS, and enterprises recognize that.

well, duh!

[evenprime]

Of *course* you have to install patches. There is a bored 11 year old out there somewhere who thinks can prove he's "133t" by downloading a sploit off of packetstorm and owning your box.

It doesn't matter that he has no knowledge of how to code a similar sploit himself, or that he could not admin your university WAN. It doesn't matter that university cut-backs mean you don't have enough money for a test LAN to make sure the latest buggy patches won't break business critical software/services or bring your servers to their knees. All that matters is that he can go on IRC and tell everyone how "k-rad 133t" he is.

Stupidity wants to be free! :(

All in One Box

[Wedge1212]

It would be perfect to have an operating system that was secure out of the box (due to features built-in) like the worlds greatest personal firewall. However I just dont see this as being a likely solution. I think an operating system should have a basic firewall like XP or any linux distro. But to ask a software developer to focus a ton of time on making me a bullet proof firewall instead of making the OS more stable just doesnt make sense. As stated in the article there's only so much development time and then you have to get your product out the door or you're going to have some pissed off users. I would want (in the case of OSes) the comapny to spend the majority of their time making the OS stable and a little bit of firewall is nice. But i would much rather use another means of securing my network instead of using 2,000 personal firewalls.

Give them a reason to patch

[sdjunky]

He also says that what makes security hard is that it's a 'negative deliverable.'"

I'm certain there are countless flaws in this idea. But hey, you don't post to slashdot without some risk of being shown what a moron you are right?

How about having DSL/Cable companies give an incentive to customers whose computers do not become infected during the blitz of mass email worms and trojans. Something like a few bucks off of your ISP bill to free software. Some kind of incentive for NOT getting infected besides the fact that you don't have anything on your computer.

It would benefit them in that it lowers their costs and increases their reliability if hundreds to thousands of their customers aren't sending DOS, etc.

Of course, there are issues such as privacy implications (how would they know you're infected or not) to hardware costs for the ISP.

most patches aren't trustworthy

[foosballhound]

>> You must install patches.

in the "real world", when there is a security
threat, such as a gas leak, you call the repair
person, who fixes it.

This is the equivalent of "install patches"

Note that there is a level of confidence in
calling the repair person, that they won't
paste adds all over your living room, or install
a wire-tap on your phone line, or a spycam
in your bedroom.

unfortunately, in the computer world, all too
often the "patches" are used as trojans.

they change user settings, put in spyware,
brake working code, etc

so, ppl are hesitant to apply patches, with
good reason.

Re:most patches aren't trustworthy

[Entropius]

I don't think anyone objects to installing patches. What I, and others, object to is being railroaded into other things while I install them. If I own a house with a natural gas system, I don't want to sign a contract that says "you must call our technicians to fix any problems with your gas"--especially if I happen to know how to fix such things myself, or know someone else who does.

This is why the OSS model works better for security. I *can* run urpmi --update and trust that the results will be what I want. I can also look under the hood at exactly what gets updated and how. Or, I can download individual packages... or download things and compile them from source... or, if I want and have the skill and time, I can fix things myself.

Now, simply because there are alternatives, there is competitive pressure on the people who make autoupdaters to make them efficient, effective, and transparent--because, otherwise, people will stop using them.

From the Article

[RAMMS+EIN]

``JS: The reason it doesn't crash all that often is because system software developers took some time and effort to make that the case. If they would take the time and effort to make it be secure, it would be secure.''

No. More secure, but not secure. For one thing, things will be overlooked. For another, there will always be things that were not known to be security holes at the time, but that will later turn out to be such.

``JS: I think Linux is much more secure than a lot of the other stuff that's out there, because so many people look at the source code--not everyone looks at it, but enough people do, so that problems get fixed earlier, rather than later.''

Many people look at the sources, but do they find the vulnerabilities? See also above.

In short, nothing is going to give you guaranteed security. Having said that, crackers will only go so far to break a system, so absolute security isn't even required. This makes any security measure useful, including firewalls (which JS argues against).

As a closing remark, despite these minor points, I found the article a very good read; JS seems to have his heart in the right place. Heh, it makes me frown every time people say "security" and mean "restrictions" (see also MicroSoft and Trusted Computing).

I just HOPE

[Prince+Vegeta+SSJ4]

they make the Girls Dorm open source

My campus is all security, no openness.

[Entropius]

I attend the University of Alabama in Huntsville, an engineering/research institution with enrollment around 15k. The Network Services people around here aren't really concerned about the value of openness to academia; in fact, most of their security is directed inward, against the students who have to use the machines.

For instance, the "start" button on every lab computer has been disabled--people only have access to the icons on the desktop. Furthermore, right-click context menus have been disabled.

On some public computers, even access to the address bar in IE is disabled--all you can do is follow the links from the homepage in IE.

When I took a Mathematica class in the physics lab, we used a heavily neutered version of Windows NT, with file permissions set unusably tight. Browsers would crash on startup because they didn't have write access to their cache files, virtual memory was disabled (!), and the like.

Network Services also has banned the use of BitTorrent on campus, causing consternation among people wanting to download contraband like, uh, Mandrake images.

This is the same campus where average packet loss on ResNet is 20-30%. Students play games over dialup because it's faster and more stable than ResNet.

Re:My campus is all security, no openness.

[SpaFF]

I attend the University of Alabama in Tuscaloosa. It's funny that two campuses in the same University system would take different approaches to security.

Here at UA, everyone gets a real IP address: there is no NAT. There is a "traffic shaper" on resnet which limits upload speeds and blocks incoming connections on some of the lower service ports (80, 25, etc). Central computing blocks incoming connections to port 25 except for mailservers, but that is just to prevent open-relay spam. Other than that, there is no firewall.

Each college has it's own labs. The arts and sciences labs are locked down one way, the engineering another way, c&ba another way, etc. In most cases students can't copy files to the hard drive or fiddle with the control panel, but other than that there is no real "lock down".

I work for one of the colleges on campus and we have been trying to get a firewall for our labs and faculty for years, but central computing won't allow it. They won't the network to be open, not for academics sake, but so that they can keep tabs on what everyone is doing. They think that if we put up a firewall it will keep THEM out too.

Re:I only agree somewhat with this article.

[psycho_tinman]

In my experience, there are basically two things that are *MOST* commonly seen in academic networks; one is either internal or external parties trying to take advantage (and misuse) the massive bandwidth that campuses have available, or someone trying to discover and manipulate potentially sensitive documents (such as grades).

I think firewalls have their place, you're right. But being at the receiving end of a rather draconian installation/firewalling policy for no apparent reason other than just reducing work for the systems operators (and increasing work for students, supervisors in general); I'm thinking that there should at least be a set of carefully monitored, but open machines for people to just mess around with. It's a campus, a seat of learning. Sometimes, when you're trying to learn something, things break. Do you want to be too worried about breaking a piece of "mandated" software and having a risk of getting your ass chewed, instead of experimenting ?

Campuses have different security requirements and needs from commercial outfits, IMHO. Sometimes, administrators just don't understand that and try to implement the same policies willy nilly. Security isn't just about procedures and blanket firewalling.

Re:I only agree somewhat with this article.

[BlueQuark]

Well I probably should of been more specific in what I wrote. In a hurry to eat lunch, free Chinese food from the Windows server admins.

I believe in an open academic network for the students, faculty and researchers.

But for the administrative computing, where I work, which does all the data processing, there is no reason for an open network.

The funny thing is is that the major research projects we have on campus, have erected firewalls to protect themselves. And basicaly have told academic computing to go screw themselves and their patch only policy. And these firewalls are being mandated by the 'personalities' and Nobel laureates that we have here. Actually we have more Nobel laureates than MIT has ;-)

It's the same old saw

[ChiralSoftware]

"Security is about patches." That statement implies the belief that security flaws are inevitable, an inherent part of having software. This simply isn't true. We should not accept such thinking. If a product doesn't have security holes the day it is released, it still won't have security holes a thousand years from now, patches or not. The question is, how do we ship products without holes? The reasons we have security holes in products are not because developers are stupid or careless, or because the business side of the company wants to ship the product now. No, the reason we have holes is because we're still using horrible software development tools which make security problems almost inevitable. Humans just can't think like C compilers and if we write a long enough program in plain old C, we end up with buffer overflows and lack of bounds checking on things. If we used safer tools like Java, which don't have buffers and which store data in structures which know their own size (collections), the vast majority of vulnerabilities would never even be created. If a user sends malicious input to a Java process, we know that no matter how broken the Java is, that malicious input can't stomp on memory and be executed, no matter what, because the JVM and the bytecode verifier don't allow it to. That is the kind of assurance that software should have.

It is always possible to make security problems at the design level, like forgetting to check an account balance before allowing a withdrawal in bank software, but humans are very good at thinking in those ways, and those kinds of problems are rare.

---------
Create a WAP server

Too Much Reliance On Patches...

[pandrijeczko]

Security is just about "effort vs reward".

You put as many "locked doors" as possible in the way of a potential intruder so that each time the intruder is faced with a new "door", he or she may simply decide your system is no longer worth the effort and give up trying to get in.

Patches are the "last locked door" - in other words, once you've definitely decided that you need to run a specific application on the Internet, you make sure that it's updated to the latest version.

However, prior to that, you've already ensured the application is configured correctly, that the box it's running on has security permissions locked down, that the box is behind a firewall and probably a NAT box also for good measure.

Not to mention some good system logging and alarming going on so you have the best chance of shutting the box down when someone does get in.

In security, only the paranoid survive...

American culture.

[PlatinumInitiate]

You understood openness correctly, but mis-understood security. A safe is secure, even if 500 people know the combo... as long as those people are trustworthy.

Interesting point.

But using the same example, what if an outsider pretended to be someone that one of those 50 people knew, found out details from that person, and used it to trick one of the other 50 people, etc...

One thing that struck me about American culture in general is that people seem to be a lot more trusting, and despite what a lot of Americans think, it IS a lot more of an open society than (probably most) other parts of the world.

Coming from South Africa to study in the US (between 1999 and 2001) was an eye-opening experience. I don't know how much things have changed since the 9-11 incident and so on, but back then I was amazed at how open and helpful people were, for example, getting student visas, a social security number, a driver's license at the DMV...all very smooth, despite the fact that I was a complete forgeiner. In South Africa, it is often more difficult to get basic things like licenses and so forth processed as a citizen than it was to get them done as a forgein student in the USA! I don't know if it's just a different outlook people in the USA have, but dealing with South African bureaucracy has become even more painful since I returned to South Africa, remembering how comparitively smooth everything was in the US.

The same with campus security. I'm fairly sure that if someone wanted to be underhanded, they could fairly easily socially engineer situations to break security systems.

Welchia worm

[bdigit]

It has been done and it was done so poorly that it caused a bigger problem because the damn thing was spreading so quickly that it was taking up all the bandwidth and causing the machines it patched to essentially not be able to get online because of all the damn packets it was sending out.

At my university we require students to run an antivirus software (we provide if they dont have) and to keep their machine patched and secured and if they dont well they will quickly be taken off the network once their machine gets infected with a worm or is hacked and we recieve an outside complaint. They then get all mad that we took them offline and we have to go through expplaining to them that they agreed when signing up for our resnet service they would do the following and they violated the agreement. We charge them a 25 dollar reconnect fee which includes us taking their machine in, or going out there, and cleaning it up and securing it , as well as educating them on how to keep their machine secure.

The other day at work I had a kid yelling at me that we cant just take him off the network without warning. The reason we had taken him off was because his machine was sending spam to aol address and recently aol has been blocking all email from our domain because of it. I said to him because of you everyone on this campus can now no longer send emails to their friends at aol and we have to contact aol once we are done with your machine and get off their blacklist. That shut him up.

What a great article

[jkitchel]

Maybe I'm visiting the wrong web sites, but it's great to hear these things from someone who's been on the cusp of network administration from the beginning.

S: So education is a part of this?
JS: Education is a part of this, both for the people who own personal computers and work with the data and for the people running these systems.

I can vouch for the end part of the article for sure, as I'm sure many Slashdot readers can. Right now I'm doing an Information Security Risk Assessment as part of a graduate level class that I'm taking. Fortunately, for the K-12 schools on which we perform these assessments we cover user education as part of an overall Information Security program. Also, it gives us the chance to see user education and awareness from their point of view, which helps us make the case for having user awareness training. A lot of end users don't realize that having a weak password is like giving away the key to your organization (or school in this case). I'll give you two guesses as to the biggest topic that we've discussed with the school corp. and the first one doesn't count ;)

You would not believe how woefully inadequate schools are when it comes to an Information Security Program. If you have the opportunity to help a school out, do it. It will help you learn something, help the school better themselves, and better the community by protecting the little ones' information.

Which side of the fence is which?

[billstewart]

One of the canonical Internet security threats was always "some college student with lots of resources and technical skill and too much time on their hands" attacking your system. If you're running the Internet security for a university, a firewall is not going to keep that kind of threat _out_, because the students are already _inside_. (Ok, it'll discourage students from other colleges from hacking your college, but the most motivated threats are already inside your firewall.) Protecting administration computers is a different problem from protecting student computers, faculty computers, and shared workspace computers. Some of this can be helped by appropriate partitioning, and Schiller's point about keeping all the machines patched and as secure as possible is critical.

Some university administrations are concerned with protecting the rest of the Net from their students; others think that interferes too much with legitimate research. Some other poster commented that their university's policies are to be "open", but they block incoming Port 80 and Port 25 to student residence networks - meaning that students can't run their own web servers or mail servers, which is distinctly *not* openness.