spaf@gatech.UUCP (01/19/87)
We're about to get hooked up to SURAnet, and thence to the Internet.
There are some concerns here about suddenly making Internet ftp and
rlogin a reality for many hundreds of students.
Our first thought is to draft some kind of document stressing that it
is impolite and possibly illegal to snoop around the net or try to
break into other systems. This document would be distributed along
with accounts.
How do other campuses handle this issue? Is it handled? Has there
been much incidence of problems? We tend to have very aggressive and
adept students here, so our concern is more than just the usual
paranoia :-)
--
Gene Spafford
Software Engineering Research Center (SERC), Georgia Tech, Atlanta GA 30332
CSNet: Spaf @ GATech ARPA: Spaf@gatech.EDU
uucp: ...!{akgua,decvax,hplabs,ihnp4,linus,seismo,ulysses}!gatech!spafneves@ai.WISC.EDU (David M. Neves) (01/19/87)
Unless DARPA has changed its policy (which I doubt) its network is for
use by DARPA work only. If you have gateways into Internet then it is
your job to see that non authorized persons do not have access. DARPA
has pulled the plug on sites in the past (I can think of one) that
violate its policies.
Now being realistic only a fraction of network traffic could be
considered valid. There are many researchers who use utilities like
mail and FTP and this greatly aids the research community as a whole.
There is also a good deal of traffic in human interest mailing lists
and there are some sites that serve as file servers for micro related
files. For now DARPA looks the other way on these uses of its network.
If you are worried about your undergraduates then you should restrict
read assess to FTP, telnet, rlogin, etc. I believe this is done at
our site. I am sure Unix wizards could come up with more imaginitive
ways. At our site we have all students sign a sheet that gives our
definition of malicious hacking and describes penalties that are
levied (such as loss of account) if our rules are not followed. If
the student does not sign the sheet he does not get an account.
You have to be careful if you decide to restrict some things and not
others. I do remember getting an account on a site for the first time
and finding that I didn't have access to telnet. I used FTP to get a
telnet from a "public access" site and used it until root gave me the
right privs.
--
David Neves, Computer Sciences Department, University of Wisconsin-Madison
Usenet: {allegra,heurikon,ihnp4,seismo}!uwvax!neves
Arpanet: neves@rsch.wisc.eduyerazuws@rpics.RPI.EDU (Crah) (01/19/87)
In article <9994@gatech.EDU>, spaf@gatech.EDU (Gene Spafford) writes: > We're about to get hooked up to SURAnet, and thence to the Internet. > There are some concerns here about suddenly making Internet ftp and > rlogin a reality for many hundreds of students. > > Our first thought is to draft some kind of document stressing that it > is impolite and possibly illegal to snoop around the net or try to > break into other systems. This document would be distributed along > with accounts. > > How do other campuses handle this issue? Is it handled? Every account comes on a piece of paper that has "Computer Ethics" printed on it- and a notation that screwing with what thou art not supposed to screw with is a punishable offense. I don't think the boilerplate contains a reference to the ECPA of 1986, but it should. Problems? Sure, occasional problems. But if you treat electronic burglary the same as physical burglary the situation improves very quickly after a couple of years. Maybe someday "hacker" will come to mean what it used to mean. -Bill Yerazunis
lear@aramis.UUCP (01/19/87)
I am a student at Rutgers University and I do systems support work
here on the side. At Rutgers, 99% of the time, in order to get onto
the ARPAnet, one needs to present a grant number or one has to be
involved in support. The DEC-20s provide a mechanism for control,
and Dr. Hedrick has added code into the UNIX kernels so network
access can be controlled. Furthermore, our gateways contain access
mechanisms to restrict packets out onto the ARPAnet.
Rutgers is particularly tight about access because at one point, we
had our plug pulled. From what I understand, Berkeley and MIT are
considerably looser about access.
...eliot
--
[lear@rutgers.rutgers.edu]
[{harvard|pyrnj|seismo|ihnp4}!rutgers!lear]trent@cit-vax.Caltech.Edu (Ray Trent) (01/19/87)
In article <490@ai.WISC.EDU> neves@ai.WISC.EDU (David M. Neves) writes: >If you are worried about your undergraduates then you should restrict >read assess to FTP, telnet, rlogin, etc. I believe this is done at >our site. I am sure Unix wizards could come up with more imaginitive Unfortunately, (fortunately?) there is almost no secure way of doing this except ripping out the ARPA connection by its roots. (short of kernal and device hacking) Just as an example, even if you make all of these files unreadable, telnet/ftp et al, are really not all that hard to write from scratch. Possibly better, is to hack up an addition to these programs that logs the people who use them, then---either by hand or automatically--- restrict their access until they go talk to the sysman who will slap them on the wrist and restore access. (unless they have priors) Of course, this isn't secure either, but... On the other hand, you could just trust them not to f*ck around out there, as is done here. (I would be willing to bet our students are as, if not more, devious as/than GA Tech's) -- "A journey of a thousand miles..." ../ray\.. (trent@csvax.caltech.edu, rat@caltech.bitnet, ...seismo!cit-vax!trent)
glgreely@athena.mit.edu (Greg Greeley) (01/20/87)
In article <9994@gatech.EDU> spaf@gatech.EDU (Gene Spafford) writes: ... >There are some concerns here about suddenly making Internet ftp and >rlogin a reality for many hundreds of students. > >How do other campuses handle this issue? Is it handled? Has there >been much incidence of problems? We tend to have very aggressive and >adept students here, so our concern is more than just the usual >paranoia :-) I've worked as a Student Consultant for MIT's Project Athena for several years now. We have several thousand students (most of them new to the timesharing world) on our system, and each of them has access to the internet. To the best of my knowledge, we've had few, if any, problems with this situation. I think there are two reasons for this: 1) we don't announce the fact that ftp, telnet, etc. connect to the rest of the world (i.e. off campus), and 2) those people who can figure out that we connect to the rest of the world are usually hired to help run or develop software for some system. -- Greg Greeley glgreely@athena.mit.edu
tihor@acf4.UUCP (Stephen Tihor) (01/20/87)
There are a set of kernel hacks around to add Internet validation down at the low level netowrk code. I will ask our networks guru about their origin.
jtr485@umich.UUCP (Johnathan Tainter) (01/21/87)
In article <1535@cit-vax.Caltech.Edu>, trent@cit-vax.UUCP writes: > In article <490@ai.WISC.EDU> neves@ai.WISC.EDU (David M. Neves) writes: > >If you are worried about your undergraduates then you should restrict > >read assess to FTP, telnet, rlogin, etc. I believe this is done at > >our site. I am sure Unix wizards could come up with more imaginitive > > Unfortunately, (fortunately?) there is almost no secure way of doing > this except ripping out the ARPA connection by its roots. (short of > kernal and device hacking) When I was at uofwisc-madison (where neves is), until a little over a year ago they had multiple machine. These were devided into educational and research and only the research machines actually had access to the outside world. The educational machines used a more restrictive local network to talk to the other machines. Of course, things were getting pretty muddy as I was leaving with the introduction of many sub microscopic vaxen and other new equipment. The 'I promise I will do only what my professor says to on this account' paper was a recent creation. It was actually a thrown together response to a security breach. The breach scared some of the administrators who were afraid the boondoggles they have been living under would get exposed and they were going to heavily overreact. This was curbed fortunatedly by more moderate and realistic viewpoints. --j.a.tainter > ../ray\..
gds@sri-spam.UUCP (01/24/87)
In article <490@ai.WISC.EDU>, neves@ai.WISC.EDU (David M. Neves) writes: > Unless DARPA has changed its policy (which I doubt) its network is for > use by DARPA work only. If you have gateways into Internet then it is > your job to see that non authorized persons do not have access. DARPA > has pulled the plug on sites in the past (I can think of one) that > violate its policies. Well, not everyone uses the ARPA Internet for "strictly" DARPA funded or associated research. The military uses it for operational purposes (that's what the MILNET (net 26) basically exists for). The ARPANET (which nowadays just consists of net 10 of the ARPA Internet) is primarily used for DARPA funded research. In general, I believe that access to the ARPA Internet is negotiated through the DCA (Defense Communications Agency) and their DDN PMO (Defense Data Network Program Management Office). My personal views on net access policies are somewhat biased from my undergraduate experiences at MIT. Some areas of MIT have in the past and to my knowledge continue to grant "guest accounts" to individuals (they need not be MIT students) which provide explicit or implicit access to the ARPA Internet. For example, mail from MIT's campus Chaosnet can be sent and received from the ARPA Internet, even via student course accounts with no other net access privileges. MIT's policy is more or less "don't cause trouble". People who cause trouble have been dealt with in various ways too numerous to mention here. People who have obeyed the rules have gone on to become network hackers at MIT and elsewhere. It's my feeling that some network access needs to be restricted, but not all. I don't believe receiving or sending Internet mail ought to be restricted if a good case can be made for the exchange (for example, the student may have an interest in an Internet mailing list which is not yet a usenet newsgroup). Access to junk mail lists ... well ... if it does not tie up the machine or use too much disk, I would be willing to look the other way. Probably access to other things (telnet, ftp, ping) should be restricted as they could be used maliciously. As others have said, people who become knowledgeable in the use of such programs typically go on to support these systems which are attached to the Internet, and they become authorized users. Disclaimer: This should not be construed as the official position of MIT on student access, but as a former MIT student's position on observed student access. --gregbo