Slashdot Mirror


UC Berkeley Cleaning up its Security Act

Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high-profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."

6 of 79 comments

  1. Hmmmm by Sqwubbsy · · Score: 2, Interesting

    Kind of reminds me of the Harvard story where someone pointed out the lack of firewalls.

    I wonder what kind of information is readily available? ;-)

  2. 20 years later and still the same by penguin-collective · · Score: 3, Interesting

    Berkeley UNIX (the original BSD) was full of security holes. It shipped with such beauties as being able to get a shell by typing the right command at the SMTP server and multiple buffer overflow bugs in just about every server and command-line program. And many people knew about it, both at Berkeley and elsewhere, but nobody cared much until the Morris worm. Apparently, while the world has moved forward, Berkeley still isn't taking security all that seriously.

  3. I wonder if they still have the "rms" account... by Anonymous Coward · · Score: 1, Interesting

    ...with no password. I know someone who did a term paper using that account.

  4. Education vs. Change by Dekortage · · Score: 2, Interesting

    It takes educating users. So far I haven't experienced resistance to education, but the amount we have to do is pretty staggering.

    The issue is not about educating the professors and staff. Most everyone will happily participate. The issue is getting them to actually change their practices once they've been through the education. You need education, then support for the education, then regular audits about the education, then some more education.

    FTA: ...the department has Smart Dust - tiny sensors that run TinyOS and TinyDB. They scatter this stuff out there - put it in trees, on animals - they're all networked together and people monitor them. That's different than [managing] a connection in every office.

    I dunno, I'm pretty sure some of my past employers spend their days hanging from trees, or on animals... even in the office.

    --
    $nice = $webHosting + $domainNames + $sslCerts

  5. Re:Faulty Password Protection by joe+155 · · Score: 3, Interesting

    It sounds like you might be making a joke about this one, but at my university (University of Warwick, UK) they had the world's most lax attitude to security; it was insane. There were several huge security leaks and no one seemed to question why they weren't using and changing secure passwords... some script kiddie broke into the main server (taking all of our private info stored on it) using nothing more than a simple brute force crack... it gave in so easily because they'd used a word from a standard dictionary... I figure it would have taken no more than 60 seconds to get in. The moral of this and the UC Berkeley story is this: don't trust a university IT dept with any of your private information, store nothing on their computers, use a different password for the log on there and for everything else (if you insist on using the same one everywhere).

    --
    *''I can't believe it's not a hyperlink.''

  6. Re:Faulty Password Protection by Lewisham · · Score: 2, Interesting

    That's ridiculous.

    I had heard bad stories about the IT provision at Warwick (particularly their Resnet service), but didn't realise it was that bad.

    Here at Bristol, I've worked for our Resnet over the summer, which is housed along with the IT guys. Security is absolutely paramount, and even for little Resnet projects, we would sit down for a couple of hours for a threat assessment (SQL injection, what happens if a dictionary attack succeeds, could we place exponential back-off on the login page).

    That said, the physical security wasn't paid proper attention and some guys just broke in and stole thousands of pounds' worth of rackmount computers from the machine room. Obviously they knew that the good stuff was down there, so they must have had some intelligence, but it should not have been so easy to get it. That's all changed now. You'd be lucky to get out with anything now.