Openness and Security on Campus
djeaux writes "The April issue of Syllabus includes an interview with Jeff Schiller, Network Manager at MIT, about openness and security in academic computing. Schiller has some interesting things to say about product liability for software, including an out for open source software, and boils security down to a simple maxim: You must install patches. He also says that what makes security hard is that it's a 'negative deliverable.'"
For beginners, streaking has totally gotta come back in style.
I've found that my posts don't format quite right w/o a sig.
Security is simpler than that. Security requires fences, in the electronic world just as in the physical world.
Those fences can be visible or invisible, incorporated or separated, but they will NEVER stop dishonest people. No fence will categorically keep out all burglars. No computer security (short of pulling all the plugs) will keep everyone off your computer. Openness and security can co-exist ONLY when everyone is trustworthy.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
The Army reading list
I read in a magazine recently that a Microsoft exec said Windows users would be "much safer" if we all would just download software patches from Windows Update. According to the article, no one took him seriously.
Tech, life, family, faith: Give me a visit
People have to accept security as a regular part of life. There are LOTS of negative deliverables we subscribe to in our lives, and pay quite handsomely for. Off the top of my head, I think of auto insurance. I mean - yeah we see nothing making it better.... but we know very well the hell that may arise if we don't have it.
He also says that what makes security hard is that it's a 'negative deliverable.'"
I'm certain there are countless flaws in this idea. But hey, you don't post to slashdot without some risk of being shown what a moron you are, right?
How about having DSL/Cable companies give an incentive to customers whose computers do not become infected during the blitz of mass email worms and trojans. Something like a few bucks off of your ISP bill to free software. Some kind of incentive for NOT getting infected besides the fact that you don't have anything on your computer.
It would benefit them in that it lowers their costs and increases their reliability if hundreds to thousands of their customers aren't sending DOS, etc.
Of course, there are issues such as privacy implications (how would they know you're infected or not) to hardware costs for the ISP.
In my experience, there are basically two things that are *MOST* commonly seen in academic networks; one is either internal or external parties trying to take advantage of (and misuse) the massive bandwidth that campuses have available, or someone trying to discover and manipulate potentially sensitive documents (such as grades).
I think firewalls have their place, you're right. But being at the receiving end of a rather draconian installation/firewalling policy for no apparent reason other than just reducing work for the systems operators (and increasing work for students, supervisors in general), I'm thinking that there should at least be a set of carefully monitored, but open machines for people to just mess around with. It's a campus, a seat of learning. Sometimes, when you're trying to learn something, things break. Do you want to be too worried about breaking a piece of "mandated" software and having a risk of getting your ass chewed, instead of experimenting?
Campuses have different security requirements and needs from commercial outfits, IMHO. Sometimes, administrators just don't understand that and try to implement the same policies willy-nilly. Security isn't just about procedures and blanket firewalling.