Slashdot Mirror
UC Berkeley Cleaning up its Security Act
Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."
From TFA:
Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95].
Right idea, wrong scope.
May the Maths Be with you!
Security... NEXT PAGE
has lapsed... NEXT PAGE
but we are... NEXT PAGE
doing our best... NEXT PAGE
trying to... NEXT PAGE
improve. END ARTICLE
"Sure there's porn and piracy on the Web but there's probably a downside too."
Obviously they haven't been rotating their passwords frequently enough, just force everyone to change theirs every three weeks and all security problems will be solved!
Infomative how?? Anyone cliked on the link?
The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive information].
So I guess its back to pens and paper? Surely a disk is even easier to steal than a laptop! But at least its network secure (unless its inside the laptop!)
, , , , , karma elon
Kind of reminds me of the Harvard story where someone pointed out the lack of firewalls.
;-)
I wonder what kind of information is readily available?
$30 Off All Plans: Use code TRIPLESAWBUCK
Here's the article text, moderators, please mod the parent into the ground!
Securing UC Berkeley's network
School looks to shore up security in wake of breaches.
Linda Leung,Network World,04/24/06
The University of California at Berkeley has made a name for itself in networking, with innovations such as Unix, Berkeley Internet Domain Name, Smart Dust and SETI@home. But the school has made headlines over the past few years for some things of which it is less proud, namely a couple of security breaches (a stolen laptop containing personal information on graduates and a compromised database of California residents).
At the start of this year, the university published a scathing self-study of its Information Systems and Technology department. It acknowledged the school's advanced IT network and talented professionals but recommended radical changes to the IT department's governance and structure (read the report).
Clifford Frost, director of Berkeley's Communications and Network Services (CNS), recently spoke with Network World Senior Online News Editor Linda Leung about what the university is doing to ensure that when people think of the school, they think "innovation," not "infiltration."
How has IT evolved at the university?
It's been haphazard. In the case of the network, it's been pretty organized. Back in the '80s, there were campuswide committees that said networking is going to be important so let's start building it up now. The campus financial and administrative systems are pretty advanced. But campus student systems [such as online registration and course catalogs] are less well-funded and organized because there has not been a single high-level sponsor. This is one of key things the campus is open to addressing in the reorganization.
Also: What makes Harvard's net tick
What is your security plan?
Every networked device has to have its operating system kept up to date with security patches - Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95]. There are microscopes controlled by old operating systems - [the owners] have to put a firewall in front of them. We have software that people can use for free - they don't have to buy their own firewall or anti-virus software.
Having a policy only goes so far. McAfee's Foundstone scanner allows us to scan the network continuously for vulnerabilities. [If something is found] we tell [the device owners] to fix it or we turn off their access. Departments can log in and scan their own nets.
How else do you secure the network?
We do intrusion detection at the border of the campus network and more and more inside the network. We monitor to detect when systems have been broken into or are being broken into or about to launch an attack, and we can turn them off. We use McAfee IntruShield Snort, Nessus and Bro Intrusion Detection System. [Intrusion detection] is a big issue because we've had some pretty big security breaches on campus [see stories hereand here]. There is a big thrust in getting people to encrypt data on their desktop or laptop.
How do you get ahead of the security challenges?
The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive i
There are shills on slashdot. Apparently, I'm one of them.
Berkeley UNIX (the original BSD) was full of security holes. It shipped with such beauties like being able to get a shell by typing the right command at the SMTP server and multiple buffer overflow bugs in just about every server and command line program. And many people knew about it, both at Berkeley and elsewhere, but nobody cared much until the Morris worm. Apparently, while the world has moved forward, Berkeley still isn't taking security all that seriously.
...with no password. I know someone who did a term paper using that account.
It takes educating users. So far I haven't experienced resistance to education, but the amount we have to do is pretty staggering.
The issue is not about educating the professors and staff. Most everyone will happily participate. The issue is getting them to actually change their practices once they've been through the education. You need education, then support for the education, then regular audits about the education, then some more education.
FTA: ...the department has Smart Dust - tiny sensors that run TinyOS and TinyDB. They scatter this stuff out there - put it in trees, on animals - they're all networked together and people monitor them. That's different than [managing] a connection in every office.
I dunno, I'm pretty sure some of my past employers spend their days hanging from trees, or on animals... even in the office.
$nice = $webHosting + $domainNames + $sslCerts
Yeah, I always suspected I can't trust the security of *BSD...
There's quite a bit seperating openBSD & the Berkeley Software Distribution. netBSD was based on the last Berkely distribution & openBSD split from netBSD because some developers wanted security to be a stronger focus.
The openBSD project has completely rewritten most userland tools & also done a complete code audit looking for security bugs. The relationship between the current codebase & what came out of Berkeley ten years ago is pretty minimal.
There are shills on slashdot. Apparently, I'm one of them.
The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information.
Why did they need it? "Oh, I'll just download an Excel file of every students personal details so I can make that Powerpoint presentation I want!" Why weren't they using some method of protecting the student's data at all? If I had access to data like that, I would only expect to get it on-demand from a server across a secure VPN with a tough password (SecurID perhaps).
I don't understand why you would want such information downloaded unless you were going to do something malicious. Could someone explain to me why these people were just walking out the doors with entire databases in their rucksacks?
This must be a giant right-wing conspiracy to keep those UCB Hippies from doing what they do best, whining about worthless causes and smoking pot...
I know The Joke was a little on the subtle side, but c'mon, didn't -anyone- get it?
If Berkeley isn't secure what makes us think any Berkeley derivative is secure!?!?! (OpenBSD, NetBSD, FreeBSD) Obviously this is a joke, but I'm sure someone will take offense... {poke}
Berkley wouldn't stoop to using any of these mere derivative works. They only use the original all-Berkley code!
"The first thing I intend to do as IT Chief to fix this security issue is to give a widely-disseminated public interview telegraphing the specific steps I intend to take to the public at large. I'm sure that will have the desired effect of reducing my network's overall risk level. Absolutely."
Er, thats not really the case. OpenBSD has concentrated on security for most of its life but thats not the reason that it was forked from NetBSD. The reason for that is that Theos CVS access was revoked and he had lots to contribute, so he decided to bypass NetBSD and contribute directly. You can probably find a bunch of history at wikipedia if you are really interested.
traditional math, physics, astrology
I really want to know what goes on in the astrology cluster. Can you really parallelize reading the tarot? I wonder what kind of hardware they use; a giant Magic 8-Ball array? And what kind of qualifications does a sysadmin have to have there?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Funny....I work in corporate america, and we are pretty farqing in-secure as well...Pitty I can't tell you all who I work for, you would run screaming away from the thing most people charish most when getting a new job. :o) Politics/Policies are how they try to secure the IT Infrastructure, forget technical controls, and what about best practices? forget about it!!!! Not to mention risk mitigation, we accept most risk without any kind of mitigation. This is the norm for _most_ companies, and will be the death of lots of them. They just have not been tested yet, but when they are, they will fail miserably!
----- I have bad karma for a reason! -----
Search for site:berkeley.edu inurl:asp inurl:id, and have some fun. Unfortunately, rosinstrument is down right now, or I would have had a go at it myself...
No, blocking IP's from MIT will only solve the forged spam problems...
BBS Scene.... Back in the early 90's we used to share password files in the back rooms of bbs's. It was notoriously easy to guess
a password on a UCB machine, then cat the unshadowed password file. Well, then you know what to do next, right: Leave crack running on the file on the old Sun 3 in the corner and some day or days later we would have a stack of accounts. Most of them were cracked with dictionary words. Too easy.
Berkeley sucks donkey ass. It's a bunch of dumb-ass, smelly hippies that don't shave. And they are ugly scants.
You'd think that since BSD comes from Berkeley, it should be a popular OS on campus... Think again. Everyone's #1 choice is: Windows XP.
You go to a (non-CS) computer lab. You login with your SID and password. A new Administrator account is created for you. Go ahead, do whatever you want - when you logout, all your files will be deleted, and everything will be restored to the original state. Completely secure, until you realize... "Duh. I have an administrator account. Why can't I just prevent the computer from restoring everything on logout?".
I reported this to one of the lab workers, and even demonstrated: she logged into her own account, but the desktop background picture said in big red letters, "Caution: This system has been haxx0red". She was pretty shocked, and said she would inform the system administrators.
This was half a year ago... Nothing has changed.
The CS labs are different, though. They run Solaris 9. Security shouldn't be a problem here. Usability is, though. How many of you guys remember what Gnome 2.0 looks like? How about Acrobat Reader 4? I do, unfortunately. And the Slashdot jokes about "^H" suddenly made so much sense...
This is Berkeley we're talking about. The IT department probably turns half of their new hardware into bongs.
when I interviewed at UC Berkeley for an IT job, none of the people seemed to understand the technology and of the handful of 'workers' there none were doing any work. One was sitting motionless staring zombie-like at the screen the entire time I was there. The others avoided any questions I asked about technologies and started to sweat... when I asked who was responsible for working on what.
A professor friend of mine got his PhD at Berkeley and did several years of postdoc work there. I constantly had to help him with network and IT issues in his lab, because the state of IT at the university was utterly appalling. The network was a complete clusterfuck, because there was no security to speak of anywhere and machines were getting hacked left and right. I wanted to help my friend at least get a local hardware firewall in his lab, but the IT department wouldn't allow it for some reason. So he had to individually secure each machine on his network, since as a result they each had routable IP addresses. And that wasn't easy.
There was also the problem of stupid people needing IP addresses for new machines and just using whatever IP address from their subnet that they felt like using. Invariably the IP address was one that was already in use by someone else (often one of my friend's machines), so connectivity could go away at a moment's notice. And tracking down the perpetrator was usually a futile task, given the large expanse of campus covered by a subnet.
The IT staff was also pretty much incapable of running the mail servers correctly as well. Authenticated SMTP? Ha! Mailbox quota size too small? Tough! Completely useless people. The sad thing was that the head of IT at the time openly admitted that he and his group were essentially not competent to solve the problems facing the campus network. Oy.
This was all about 8 years ago, so perhaps things are better, I can't say. But it is appalling that a campus like Berkeley, where much of the Internet itself began, was ever in such a sorry state.
Most of the comments about this article are FUD, UCB is bound by the same Senate Bill 1386 as all the rest of the UC campuses.
Which means that if a security breach exposes personal or confidential information it must be reported to the state and any individual it affects, creating a whole legal mess. All UC system administrators (myself one of them) take security very seriously and do everything we can to avoid a 1386 incident. Working at a large educational institution and being a constant target of spam and cracking groups is trying, but I can tell you that UC has a very tough stance on securing our systems.
Even more fun would be to get one of the SS-90's online (these were haunting the basement of Corey Hall in the early 70's).
A Shadeless room is a brighter room.
I've seen worse. At least the EECS department's Hardware is only 3-5 years old. Some places still have Mac II/Se's.
This is true of many "corporate" type environments. When any group gets large enough, you'll have this type of problem. I've seen it at various places where the total employee count is above 1000. It's basically the 80/20 split. About 20% do 80% of the work and the remaining 80% do 20% of the work. It's hard to keep under control since the interviewers in HR don't know the requirements well enough.
You do well, and your manager gives you more work. You do poorly and your manager gives you less critical stuff. If you feel lazy, you can easily do very little in large corporations and always be stuck as a lowly wage earner. Those who do well will generally have easier times getting jobs elsewhere when layoffs occur. Those that don't generally end up flipping burgers.