Slashdot Mirror

← Back to Stories (view on slashdot.org)

UC Berkeley Cleaning up its Security Act

Posted by ryuzaki0 on from the case-studies-in-self-evaluation dept.

Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."

79 comments

  1. Link to print version by Whiney+Mac+Fanboy · · Score: -1

    Link to version of tfa where you don't have to navigate through 5 pages here

    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:Link to print version by Anonymous Coward · · Score: -1, Troll

      second post!!

    2. Re:Link to print version by Anonymous Coward · · Score: 0

      Infomative how?? Anyone cliked on the link?

    3. Re:Link to print version by Anonymous Coward · · Score: -1, Offtopic

      Whoever modded it Overrated (before you replied) either clicked on that link or probably has personal issues with Whiney Mac Fanboy. Let's assume that person clicked on that link. :)

    4. Re:Link to print version by Whiney+Mac+Fanboy · · Score: 4, Informative
      God, that was silly of me! (didn't check the URL before posting)

      Here's the article text, moderators, please mod the parent into the ground!

      Securing UC Berkeley's network

      School looks to shore up security in wake of breaches.

      Linda Leung,Network World,04/24/06

      The University of California at Berkeley has made a name for itself in networking, with innovations such as Unix, Berkeley Internet Domain Name, Smart Dust and SETI@home. But the school has made headlines over the past few years for some things of which it is less proud, namely a couple of security breaches (a stolen laptop containing personal information on graduates and a compromised database of California residents).

      At the start of this year, the university published a scathing self-study of its Information Systems and Technology department. It acknowledged the school's advanced IT network and talented professionals but recommended radical changes to the IT department's governance and structure (read the report).

      Clifford Frost, director of Berkeley's Communications and Network Services (CNS), recently spoke with Network World Senior Online News Editor Linda Leung about what the university is doing to ensure that when people think of the school, they think "innovation," not "infiltration."

      How has IT evolved at the university?

      It's been haphazard. In the case of the network, it's been pretty organized. Back in the '80s, there were campuswide committees that said networking is going to be important so let's start building it up now. The campus financial and administrative systems are pretty advanced. But campus student systems [such as online registration and course catalogs] are less well-funded and organized because there has not been a single high-level sponsor. This is one of key things the campus is open to addressing in the reorganization.

      Also: What makes Harvard's net tick

      What is your security plan?

      Every networked device has to have its operating system kept up to date with security patches - Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95]. There are microscopes controlled by old operating systems - [the owners] have to put a firewall in front of them. We have software that people can use for free - they don't have to buy their own firewall or anti-virus software.

      Having a policy only goes so far. McAfee's Foundstone scanner allows us to scan the network continuously for vulnerabilities. [If something is found] we tell [the device owners] to fix it or we turn off their access. Departments can log in and scan their own nets.

      How else do you secure the network?

      We do intrusion detection at the border of the campus network and more and more inside the network. We monitor to detect when systems have been broken into or are being broken into or about to launch an attack, and we can turn them off. We use McAfee IntruShield Snort, Nessus and Bro Intrusion Detection System. [Intrusion detection] is a big issue because we've had some pretty big security breaches on campus [see stories hereand here]. There is a big thrust in getting people to encrypt data on their desktop or laptop.

      How do you get ahead of the security challenges?

      The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive i

      --
      There are shills on slashdot. Apparently, I'm one of them.
    5. Re:Link to print version by Whiney+Mac+Fanboy · · Score: -1, Offtopic

      Why would anyone have personal issues with me?

      What an odd thought!

      --
      There are shills on slashdot. Apparently, I'm one of them.
  2. Not Nearly Frightened Enough by ObsessiveMathsFreak · · Score: 1

    From TFA:
    Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95].

    Right idea, wrong scope.

    --
    May the Maths Be with you!
    1. Re:Not Nearly Frightened Enough by Anonymous Coward · · Score: 0

      That's a misquote on the part of the article author. Windows 95 is not allowed. Period. No operating system that is not *currently* supported by its vendor/open source project is allowed. Exceptions will only be made for certain types of lab equipment and other devices that are both necessary and cannot be upgraded and there must be other mitigation plans (e.g. extra firewalls). Read:

      http://security.berkeley.edu/MinStds/

      (which is the actual policy) and then decide.

  3. To Solve by zaguar · · Score: -1, Troll

    If they want to stop the problem of hackings, just block all IP's coming from MIT and Caltech!

    --
    "Sure there's porn and piracy on the Web but there's probably a downside too."
    1. Re:To Solve by ArsenneLupin · · Score: 1

      No, blocking IP's from MIT will only solve the forged spam problems...

    2. Re:To Solve by DurendalMac · · Score: 1

      This is Berkeley we're talking about. The IT department probably turns half of their new hardware into bongs.

    3. Re:To Solve by Anonymous Coward · · Score: 0

      I've seen worse. At least the EECS department's Hardware is only 3-5 years old. Some places still have Mac II/Se's.

  4. The Article by zaguar · · Score: 4, Funny

    Security... NEXT PAGE
    has lapsed... NEXT PAGE
    but we are... NEXT PAGE
    doing our best... NEXT PAGE
    trying to... NEXT PAGE
    improve. END ARTICLE

    --
    "Sure there's porn and piracy on the Web but there's probably a downside too."
    1. Re:The Article by just_another_sean · · Score: 1

      I find using the printable link helps mitigate this. Of course I can't provide the link here though because they use javascript instead of html to provide the link.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:The Article by nutsy · · Score: 1

      You just need to practise interpreting (mumble)script in your head. Here, one-page printable article.

  5. Faulty Password Protection by Xaositecte · · Score: 2, Funny

    Obviously they haven't been rotating their passwords frequently enough, just force everyone to change theirs every three weeks and all security problems will be solved!

    1. Re:Faulty Password Protection by linj · · Score: 2, Funny

      You'll end up with cycling passwords of "hello" and "password" every three weeks.

    2. Re:Faulty Password Protection by Anonymous Coward · · Score: 0

      In our physics lab (@UC Berkeley), we're required to change our password once every two weeks, with each password restricted from being any of the previous 15 iterations. On top of that, it's a minimum of 8 characters, including one number, a mix of capital and non-capital letters, and a non-alphanumeric character. On top of that, any part of the password cannot be a word (minimum three letters) that can be recognized by a dictionary.

      While the incidences of forgotten passwords have increased, there's zilch in terms of security infractions.

    3. Re:Faulty Password Protection by linvir · · Score: 1

      As good as it sounds, I bet I could find a lot of passwords written on the backs of notepads.

    4. Re:Faulty Password Protection by joe+155 · · Score: 3, Interesting

      It sounds like you might be making a joke about this one but at my university (University of Warwick, uk) they had the worlds most lax attitude to security it was insane. There were several huge security leaks and no one seemed to question why they weren't using and changing secure passwords... someone script kiddie broke into the main server (taking all of our private info stored on it) using nothing more than a simple brute force crack... it gave in so easily because they'd used a word from a standard dictionary... I figure it would have taken no more than 60 seconds to get in. The moral of this and the UC Berkeley story is this; don't trust a university IT dept with any of your private information, store nothing on their computers, use a different password for the log on there and for everything else (if you insist on using the same one everywhere)

      --
      *''I can't believe it's not a hyperlink.''
    5. Re:Faulty Password Protection by LilGuy · · Score: 4, Insightful

      You know, having so many rules might narrow down the crack time as well, if you know what they are. Obviously if you can get a huge dictionary, you won't need to try any combination of characters with a word in it. You won't need anything less than 8 characters, and you'll have to try at least one capital letter and a number, but most people will probably use two. People tend to like symmetry even in their passwords because it makes it easier to remember one half of something and then just spit it out again backwards. The non-alphanumeric character is kinda the stickler though. My best guess is that it will either be in the middle of the password or at the very end... probably by someone getting frustrated on their 10th attempt to set the password and finally figuring out what a non-alphanumeric key is.

      But I'm not saying it's not a good idea. I just wanted to point out that the more rules you have to make your passwords secure, the less secure they may become.

      --

      You're nothing; like me.
    6. Re:Faulty Password Protection by Lewisham · · Score: 2, Interesting

      That's ridiculous.

      I had heard bad stories about the IT provision at Warwick (particuarly their Resnet service), but didn't realise it was that bad.

      Here at Bristol, I've worked for our Resnet over the summer, which is housed along with the IT guys. Security is absolutely paramount, and even for little Resnet projects, we would sit down for a couple of hours for a threat assessment (SQL injection, what happens if a dictionary attack succeeds, could we place exponential back-off on the login page).

      That said, the physical security wasn't paid proper attention and some guys just broke in and stole thousands of pounds worth of rackmount computers from the machine room. Obviously they knew that the good stuff was down there, so they must have had some intelligence, but it should not have been so easy to get it. That's all changed now. You'd be lucky to get out with anything now.

    7. Re:Faulty Password Protection by bensafrickingenius · · Score: 2

      "You'll end up with cycling passwords of "hello" and "password" every three weeks."

      There needs to be a "whoosh" mod category. Can you guys at slashdot get working on that?

      Grandparent knows that the password rotation scheme is common practice in *many* environments, and was pointing out the uselessness of such a strategy. It's called "illustrating absurdity with absurdity"

      --
      I am not left-handed, either!
    8. Re:Faulty Password Protection by Anonymous Coward · · Score: 0
      As good as it sounds, I bet I could find a lot of passwords written on the backs of notepads.

      You know, you'd probably find dozens of passwords written on yellow sticky notes around my desk, but you'd have a difficult time finding the username and system it belonged to. ;-)

    9. Re:Faulty Password Protection by Kadin2048 · · Score: 1

      Oh we'll make it so that you can't use old passwords again, either.

      Instead, you'll have to do: password, hello, password1, hello1, password2, hello2 ...

      You laugh, but I've been there.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    10. Re:Faulty Password Protection by voice_of_all_reason · · Score: 1

      The moral of this and the UC Berkeley story is this; don't trust a university IT dept with any of your private information

       Doesn't that mean I can't go to college? I'm not worried about some warez monkey stealing my physics paper off the shared drive, I'm worried about them breaking into the bursar server and getting my SSN, bank account details, credit card number, etc. Colleges have no reason to clean up their act in that respect because it doesn't hurt them in the least if *your* security is compromised.

    11. Re:Faulty Password Protection by The+Snowman · · Score: 1

      Where I work currently, the network saves my last 27 passwords. New passwords cannot be in that list, and are checked for similarity to those passwords. A certain number of characters must be different, and not just switched around ("password" v. "apssowdr"). Users cannot just cycle through passwords, there is a minimum and a maxmimum age.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    12. Re:Faulty Password Protection by geoffspear · · Score: 1

      If they're saving your password in a format where they can easily tell if your new password is some permutation of the characters in the original password (i.e., they're either storing the original password as plaintext or in a format that they can easily decrypt to check for permutations, rather than using a one-way hash function), then they're sacrificing actual security for the illusion of security. Nice.

      --
      Don't blame me; I'm never given mod points.
    13. Re:Faulty Password Protection by shish · · Score: 1

      *whoosh*, indeed -- I'm almost certain great grandparent was actually referring to this specific story, rather than illustrating absurdity with absurdity.

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    14. Re:Faulty Password Protection by buysse · · Score: 1
      Alternately (and far more likely), they're comparing permutations of your *new* password against the old hash. They're not recovering plaintext for the old password, but using the plaintext of the new password to create the permutations. See pam_passwdqc for an example of this technique, or npasswd. Most password checking systems will do this.

      --
      -30-
    15. Re:Faulty Password Protection by el_gordo101 · · Score: 1

      They could be saving the hashes of the old passwords.

      Step 1. Once the new password is entered, you hash it, check against the list of saved hashes to see if that exact phrase had been used already. If so, deny new password, if not, move to step 2.

      Step 2. Take the plain text of the new password that was entered, re-arrange and/or substitue some characters (E.G. "password" becomes "asswordp"), generate a hash of this value and check against the old saved hashes. If the new hash matches one in the list, deny password, if not repeat Step 2 until you are satisfied that the password is unique enough. Once the system is satisfied, add the hash of the new password to the list of saved hashes and mark it as the current one.

      --
      TODO: Insert witty sig
    16. Re:Faulty Password Protection by The+Snowman · · Score: 1

      As other posters mentioned there are ways around this, but still, it is focusing on the wrong area. There are much more productive ways to spend time increasing security than pissing and moaning about reusing a password several years old. 27 passwords at 3 months per password is almost 7 years. Who cares? Try dual authentication, better passwords to begin with, and better security over the network itself (e.g. encrypting traffic).

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    17. Re:Faulty Password Protection by geoffspear · · Score: 1

      I stand corrected. On the other hand, I think I was right in saying that you can't do it "easily", as the system you descibe is going to require checking a lot of permutations one by one instead of coming up with some quick fuzzy check of similarity. I guess if you've got the processing power to do it, that's a good solution to the problem.

      --
      Don't blame me; I'm never given mod points.
    18. Re:Faulty Password Protection by el_gordo101 · · Score: 1

      You're right, it wouldn't be easy or straight forward. The logic as to what combinations and permutations of the password to test and how many iterations to do so would be a PITA. It would also probably be overkill for most systems.

      --
      TODO: Insert witty sig
    19. Re:Faulty Password Protection by Anonymous Coward · · Score: 0

      Actually, those tests are quite fast on today's systems. If you've ever run L0phtCrack or John the Ripper, you'd know that going through a standard dictionary and all its permutations, with number substitutions and a few standard "733t" character substitutions can take less than a day now. I've seen some passwords come up now that would have been secure enough a decade ago.

      The number of permutations to go through for a single one word password would take mere seconds. It's not too much of a delay to generate several thousand hashes to compare to several hundreds of previous password hashes.

  6. OpenBSD too by KiloByte · · Score: -1, Offtopic

    Yeah, I always suspected I can't trust the security of *BSD...

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:OpenBSD too by Whiney+Mac+Fanboy · · Score: 2, Informative

      Yeah, I always suspected I can't trust the security of *BSD...

      There's quite a bit seperating openBSD & the Berkeley Software Distribution. netBSD was based on the last Berkely distribution & openBSD split from netBSD because some developers wanted security to be a stronger focus.

      The openBSD project has completely rewritten most userland tools & also done a complete code audit looking for security bugs. The relationship between the current codebase & what came out of Berkeley ten years ago is pretty minimal.

      --
      There are shills on slashdot. Apparently, I'm one of them.
    2. Re:OpenBSD too by Plunky · · Score: 1
      There's quite a bit seperating openBSD & the Berkeley Software Distribution. netBSD was based on the last Berkely distribution & openBSD split from netBSD because some developers wanted security to be a stronger focus.

      Er, thats not really the case. OpenBSD has concentrated on security for most of its life but thats not the reason that it was forked from NetBSD. The reason for that is that Theos CVS access was revoked and he had lots to contribute, so he decided to bypass NetBSD and contribute directly. You can probably find a bunch of history at wikipedia if you are really interested.

  7. The return of the pen and paper by simonjp · · Score: 0

    The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive information].

    So I guess its back to pens and paper? Surely a disk is even easier to steal than a laptop! But at least its network secure (unless its inside the laptop!)

    --
    , , , , , karma elon
  8. From TFA by graemecoates · · Score: 3, Funny
    Both have incredible amounts of data. As for clustering, there are a few computational clusters already around campus for traditional math, physics, astrology
    Good to see they know what the networks are *really* being used for...
  9. Hmmmm by Sqwubbsy · · Score: 2, Interesting

    Kind of reminds me of the Harvard story where someone pointed out the lack of firewalls.

    I wonder what kind of information is readily available? ;-)

    --
    $30 Off All Plans: Use code TRIPLESAWBUCK
  10. 20 years later and still the same by penguin-collective · · Score: 3, Interesting

    Berkeley UNIX (the original BSD) was full of security holes. It shipped with such beauties like being able to get a shell by typing the right command at the SMTP server and multiple buffer overflow bugs in just about every server and command line program. And many people knew about it, both at Berkeley and elsewhere, but nobody cared much until the Morris worm. Apparently, while the world has moved forward, Berkeley still isn't taking security all that seriously.

    1. Re:20 years later and still the same by nacturation · · Score: 1

      And in the old days, some people left their servers online with no root password so that those who needed to make a change would be able to. Surely you're not suggesting that that atmosphere of respect and trust is no longer around??

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  11. I wonder if they still have the "rms" account... by Anonymous Coward · · Score: 1, Interesting

    ...with no password. I know someone who did a term paper using that account.

  12. Education vs. Change by Dekortage · · Score: 2, Interesting

    It takes educating users. So far I haven't experienced resistance to education, but the amount we have to do is pretty staggering.

    The issue is not about educating the professors and staff. Most everyone will happily participate. The issue is getting them to actually change their practices once they've been through the education. You need education, then support for the education, then regular audits about the education, then some more education.

    FTA: ...the department has Smart Dust - tiny sensors that run TinyOS and TinyDB. They scatter this stuff out there - put it in trees, on animals - they're all networked together and people monitor them. That's different than [managing] a connection in every office.

    I dunno, I'm pretty sure some of my past employers spend their days hanging from trees, or on animals... even in the office.

    --
    $nice = $webHosting + $domainNames + $sslCerts
    1. Re:Education vs. Change by Anonymous Coward · · Score: 0

      The issue is not about educating the professors and staff. Most everyone will happily participate.

      You don't work with professors. They can't be educated - they're already genius, smarter than you.

    2. Re:Education vs. Change by Anonymous Coward · · Score: 0

      Faculty and user resistence isn't the only issue. It has been my experience that the people in University IT departments often become pretty entrenched, and seniority rather than competence too frequently dicates who is calling the shots. Keep in mind that need for more than perfunctory security is still, in relative terms, fairly new. Sadly the older IT people are not always living in the present -- human nature I guess.

  13. Slashdot bug test comment by Anonymous Coward · · Score: -1, Offtopic

    please ignore.

    [ 1470529 ] Improper Parsing of Archive.org URL's.
    http://sourceforge.net/tracker/index.php?func=deta il&aid=1470529&group_id=4421&atid=104421

    posted as AC using "Plain old text"

    Attempting to use an Archive.org URL in slashdot.

    testing begins:

    Pasted as actual raw text: http://web.archive.org/web/19981206055207/http://w ww.replaytv.com/faq.html#q9

    Direct url syntax: http://web.archive.org/web/19981206055207/http://w ww.replaytv.com/faq.html#q9>

    'A' link: http://www.replaytv.com/faq.html#q9'>replaytv test

    See pudge, it messes up....

  14. Sensitive stuff on laptops by Lewisham · · Score: 2, Insightful

    The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information.

    Why did they need it? "Oh, I'll just download an Excel file of every students personal details so I can make that Powerpoint presentation I want!" Why weren't they using some method of protecting the student's data at all? If I had access to data like that, I would only expect to get it on-demand from a server across a secure VPN with a tough password (SecurID perhaps).

    I don't understand why you would want such information downloaded unless you were going to do something malicious. Could someone explain to me why these people were just walking out the doors with entire databases in their rucksacks?

    1. Re:Sensitive stuff on laptops by rjune · · Score: 2, Informative

      A list of all of the students is commonly used to prepare reports required by the Department of Education (google IPEDS), providing data for college guides (we do about 50 per year), and surveys from professional organizations (e.g. Engineering Workforce Commission) However, the first thing you do with a file like that is to delete the following columns: Social Security Number, Names, Phone Numbers, Next of Kin data, and Addresses (except perhaps Country or State of Origin). The EMPLID (or college ID number) can be retained if additional data needs to be joined in. It is very easy to retain the necessary demographic data and delete the personal data that can uniquely identify a person. There is no excuse for such carelessness with sensitive personal data.

    2. Re:Sensitive stuff on laptops by Lewisham · · Score: 1

      Wonderful, thanks for that rjune :) I couldn't think of a legit reason to have SSNs, and it seems there isn't!

    3. Re:Sensitive stuff on laptops by bfields · · Score: 1
      The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information. Why did they need it? "Oh, I'll just download an Excel file of every students personal details so I can make that Powerpoint presentation I want!"

      Maybe they're talking about research data. Enforcing standard procedures for everyone in the registration office could be easier than, say, policing every PhD candidate that's collecting data from human subjects....

    4. Re:Sensitive stuff on laptops by buysse · · Score: 2, Informative
      Under FERPA, even a name and a grade for a paper is federally-protected private data. So, if you have a spreadsheet with the scores from the last quiz, that's sensitive, personal data about students that triggers those laws. It isn't necessarily SSNs and CC#s. Hell, under FERPA, even the names of students in a class can be protected if one student has preferred to have their directory info suppressed. There's a report available from my current employer that has names and ID pictures for all the students in a class -- again, protected data.

      The threshold is so low for private data that basically any academic staff is using it every day, and carrying it on their laptops, on USB sticks, on their home computers, etc.

      --
      -30-
    5. Re:Sensitive stuff on laptops by Anonymous Coward · · Score: 0

      The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information.

      As someone who works in IT at UC Berkeley and someone who was one of the 98,000 people that had their SSN on that laptop, I have been asked, and had to ask the same question. Basically, the owner of the laptop (who was NOT in the central IT organization) just plain screwed up.

  15. Hippies hate Security... Hippies hate "The Man" by Anonymous Coward · · Score: 0

    This must be a giant right-wing conspiracy to keep those UCB Hippies from doing what they do best, whining about worthless causes and smoking pot...

  16. WTF mods? by Xaositecte · · Score: 0

    I know The Joke was a little on the subtle side, but c'mon, didn't -anyone- get it?

  17. If the BSD root isn't secure why... by C_Kode · · Score: 0, Troll

    If Berkeley isn't secure what makes us think any Berkeley derivative is secure!?!?! (OpenBSD, NetBSD, FreeBSD) Obviously this is a joke, but I'm sure someone will take offense... {poke}

  18. Re:If the BSD root isn't secure why... by Anonymous Coward · · Score: 0

    Berkley wouldn't stoop to using any of these mere derivative works. They only use the original all-Berkley code!

  19. The first thing... by irregular_hero · · Score: 1

    "The first thing I intend to do as IT Chief to fix this security issue is to give a widely-disseminated public interview telegraphing the specific steps I intend to take to the public at large. I'm sure that will have the desired effect of reducing my network's overall risk level. Absolutely."

    1. Re:The first thing... by Kadin2048 · · Score: 1

      I know your joking, but in all seriousness, your security should never depend on not disclosing your strategy. If it does, something's wrong.

      Pretty much anybody in IT can tell you what the "best practices" are, there's nothing secret about them, and a good implementation doesn't depend on the attacker not knowing what they are.

      So if the guy's ONLY strategy is to give a public interview, and then not do anything, of course he's got problems. But just giving the interview about what he's doing isn't problematic, because we'd like to hope that he's not doing anything that depends on being secret in order to be secure. An administrator who was really confident in his security practices wouldn't have any problem with frequent audits and public scrutiny of their practices, and I think this can only be a good thing since it would neither give the users an unwarranted lack of confidence or false sense of security in their IT resources.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:The first thing... by irregular_hero · · Score: 1

      Oh, absolutely true. Your security shouldn't depend on your silence, but silence should be a component of it (I believe the expression is "loose lips sink ships"). I'm not saying to keep completely tightlipped about the strategies you employ currently, but telegraphing your future steps in a public forum just adds to the overall risk of your current architecture and your future deployments.

      That's not the reason for my post, though. It's been my experience that someone in a position like this who does interviews that are almost totally comprised of "we're going to do this" statements almost always DON'T. They never get that far.

      I wish guys like him would save their interviews until after they DO something. Then they'd give us Infosec people less of a bad name. :>

  20. Re:If the BSD root isn't secure why... by Anonymous Coward · · Score: -1, Offtopic

    You know, it's a lot easier to troll if you don't come out and announce you're trolling.

  21. Astrology cluster? by Kadin2048 · · Score: 2, Funny

    traditional math, physics, astrology

    I really want to know what goes on in the astrology cluster. Can you really parallelize reading the tarot? I wonder what kind of hardware they use; a giant Magic 8-Ball array? And what kind of qualifications does a sysadmin have to have there?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Astrology cluster? by dodobh · · Score: 1

      And what kind of qualifications does a sysadmin have to have there?

      User: Help, my computer is broken.
      Sysadmin: By looking at the entrails of your computer, I know what is wrong.

      --
      I can throw myself at the ground, and miss.
  22. Job Security by infosec_spaz · · Score: 1

    Funny....I work in corporate america, and we are pretty farqing in-secure as well...Pitty I can't tell you all who I work for, you would run screaming away from the thing most people charish most when getting a new job. :o) Politics/Policies are how they try to secure the IT Infrastructure, forget technical controls, and what about best practices? forget about it!!!! Not to mention risk mitigation, we accept most risk without any kind of mitigation. This is the norm for _most_ companies, and will be the death of lots of them. They just have not been tested yet, but when they are, they will fail miserably!

    --
    ----- I have bad karma for a reason! -----
  23. berkeley.edu still vulnerable! by ArsenneLupin · · Score: 1

    Search for site:berkeley.edu inurl:asp inurl:id, and have some fun. Unfortunately, rosinstrument is down right now, or I would have had a go at it myself...

    1. Re:berkeley.edu still vulnerable! by ArsenneLupin · · Score: 1

      Oh, and before somebody will point out that this search points to Microsoft problems, not BSD problems, let me ask you one thing:
      Where did Microsoft copy their networking code from? ;-)

  24. Re:I wonder if they still have the "rms" account.. by Anonymous Coward · · Score: 1, Informative

    BBS Scene.... Back in the early 90's we used to share password files in the back rooms of bbs's. It was notoriously easy to guess
    a password on a UCB machine, then cat the unshadowed password file. Well, then you know what to do next, right: Leave crack running on the file on the old Sun 3 in the corner and some day or days later we would have a stack of accounts. Most of them were cracked with dictionary words. Too easy.

  25. Berkeley sucks donkey ass by Anonymous Coward · · Score: 0

    Berkeley sucks donkey ass. It's a bunch of dumb-ass, smelly hippies that don't shave. And they are ugly scants.

    1. Re:Berkeley sucks donkey ass by Anonymous Coward · · Score: 0

      I'm sorry. You couldn't get in, right?

  26. Security in Berkeley? Riiiight by BerkeleyDude · · Score: 3, Informative

    You'd think that since BSD comes from Berkeley, it should be a popular OS on campus... Think again. Everyone's #1 choice is: Windows XP.

    You go to a (non-CS) computer lab. You login with your SID and password. A new Administrator account is created for you. Go ahead, do whatever you want - when you logout, all your files will be deleted, and everything will be restored to the original state. Completely secure, until you realize... "Duh. I have an administrator account. Why can't I just prevent the computer from restoring everything on logout?".

    I reported this to one of the lab workers, and even demonstrated: she logged into her own account, but the desktop background picture said in big red letters, "Caution: This system has been haxx0red". She was pretty shocked, and said she would inform the system administrators.

    This was half a year ago... Nothing has changed.

    The CS labs are different, though. They run Solaris 9. Security shouldn't be a problem here. Usability is, though. How many of you guys remember what Gnome 2.0 looks like? How about Acrobat Reader 4? I do, unfortunately. And the Slashdot jokes about "^H" suddenly made so much sense...

    1. Re:Security in Berkeley? Riiiight by mako1138 · · Score: 1

      Yeah, the Sun stuff is amusingly out of date. Should note that most of the EE computer labs are Windows machines, though they're locked up in terms of account permissions. Also, the inst.eecs webspace gets ddos-ed every so often.

      I've never bothered to try a non-EECS domain computer... maybe I should.

    2. Re:Security in Berkeley? Riiiight by BerkeleyDude · · Score: 1

      Should note that most of the EE computer labs are Windows machines, though they're locked up in terms of account permissions.

      Yeah. But now that Knoppix has a pretty decent NTFS write support... Well, I'm still trying to do something cool with it :)

  27. Jobs at UC Berkeley are for insiders, friends, fam by Anonymous Coward · · Score: 0

    when I interviewed at UC Berkeley for an IT job, none of the people seemed to understand the technology and of the handful of 'workers' there none were doing any work. One was sitting motionless staring zombie-like at the screen the entire time I was there. The others avoided any questions I asked about technologies and started to sweat... when I asked who was responsible for working on what.

  28. Clusterfuck by tuxlove · · Score: 1

    A professor friend of mine got his PhD at Berkeley and did several years of postdoc work there. I constantly had to help him with network and IT issues in his lab, because the state of IT at the university was utterly appalling. The network was a complete clusterfuck, because there was no security to speak of anywhere and machines were getting hacked left and right. I wanted to help my friend at least get a local hardware firewall in his lab, but the IT department wouldn't allow it for some reason. So he had to individually secure each machine on his network, since as a result they each had routable IP addresses. And that wasn't easy.

    There was also the problem of stupid people needing IP addresses for new machines and just using whatever IP address from their subnet that they felt like using. Invariably the IP address was one that was already in use by someone else (often one of my friend's machines), so connectivity could go away at a moment's notice. And tracking down the perpetrator was usually a futile task, given the large expanse of campus covered by a subnet.

    The IT staff was also pretty much incapable of running the mail servers correctly as well. Authenticated SMTP? Ha! Mailbox quota size too small? Tough! Completely useless people. The sad thing was that the head of IT at the time openly admitted that he and his group were essentially not competent to solve the problems facing the campus network. Oy.

    This was all about 8 years ago, so perhaps things are better, I can't say. But it is appalling that a campus like Berkeley, where much of the Internet itself began, was ever in such a sorry state.

    1. Re:Clusterfuck by Anonymous Coward · · Score: 0

      This is why the EECS department at UCB has a completely separate group. It takes a day or two to activate a net tap at with DHCP(you have to wait for the servers to reload the tables and propagate the DNS entries) in the EECS department versus 1-3 months from the main campus group, CNS.

      CNS is also about a year or more behind EECS in implementing projects, but, in all fairness, they have a much larger area and many more users to cover. CNS covers all of campus(except for EECS) vs. EECS's 3 buildings - growing to 4 buildings in a few years when that slow ass Citris Project finally gets going. The EECS department already has Gigabit if you're willing to spend your research funds for the higher speed. It would speak volumes indeed if somehow CNS was better than EECS when it comes to computers and networks.

  29. 1386 Violation by ecliptik · · Score: 1

    Most of the comments about this article are FUD, UCB is bound by the same Senate Bill 1386 as all the rest of the UC campuses.

    Which means that if a security breach exposes personal or confidential information it must be reported to the state and any individual it affects, creating a whole legal mess. All UC system administrators (myself one of them) take security very seriously and do everything we can to avoid a 1386 incident. Working at a large educational institution and being a constant target of spam and cracking groups is trying, but I can tell you that UC has a very tough stance on securing our systems.

  30. Can we get the CDC-6400 back on-line? by calidoscope · · Score: 1
    I have fond memories of using that beast during my stay at Cal. Would be fun to be able to run some of the stuff that was on there, e.g. the original versions of SPICE, OJM Smith's POWERSYS and CAPSYS and dabble in COPMASS again.

    Even more fun would be to get one of the SS-90's online (these were haunting the basement of Corey Hall in the early 70's).

    --
    A Shadeless room is a brighter room.
  31. Re:Jobs at UC Berkeley are for insiders, friends, by Anonymous Coward · · Score: 0

    This is true of many "corporate" type environments. When any group gets large enough, you'll have this type of problem. I've seen it at various places where the total employee count is above 1000. It's basically the 80/20 split. About 20% do 80% of the work and the remaining 80% do 20% of the work. It's hard to keep under control since the interviewers in HR don't know the requirements well enough.

    You do well, and your manager gives you more work. You do poorly and your manager gives you less critical stuff. If you feel lazy, you can easily do very little in large corporations and always be stuck as a lowly wage earner. Those who do well will generally have easier times getting jobs elsewhere when layoffs occur. Those that don't generally end up flipping burgers.