gt6004a@prism.gatech.EDU (Michael Goldsman) (03/08/91)
This was recently posted to a Georgia Tech newsgroup:

February 13, 1991

MEMORANDUM

To:   Vice Presidents
      Deans
      Directors
      Department Heads
      Lab Directors
      Academic Services Computing Subcommittee

From: F. L. Suddath
      Vice President for Information Technology

[misc stuff deleted]

In order to comply with NSFNET, SURAnet, and Internet "Acceptable Use" policies and security guidelines, Network Technologies will implement a Network Access Control Policy utilizing a Trusted Host model for managing network security. The intent of the model is to ensure the integrity and security of GTnet and the Internet, while having the minimum impact on the connectivity of the network's users who depend upon the network.

The Trusted Host model would provide support for Internet access for remote login and file transfer via a secure machine. Support for the exchange of electronic mail would be provided by a secure mail gateway system. Any member of the faculty or staff, with authority to access remote resources across the Internet, would be granted an account on the Trusted Host. Postdocs, Graduate Research Assistants, and Undergraduate students with a valid requirement to access remote resources would receive sponsorship from the appropriate faculty/staff member and be granted an account on the trusted host. Additional automated request services would be available to support Anonymous FTP with locally cached directories from a trusted FTP server.

Tech would not be the first site to implement such a network security model. Numerous sites on the Internet currently support Trusted Host network access including: MIT, Digital Equipment Corporation, Sun Microsystems, and numerous government sites.

[stuff to the end deleted]

Questions for you guys:

1. Have any other universities restricted access as Tech is about to do?
2. What exactly are NSFNet and SURAnet's policies?

We are going to try to fight this, and as of yet it seems to have lots of support among students here.

Please comment on this evil memo from hell...

-Mike
kessler@hacketorium.Eng.Sun.COM (Tom Kessler) (03/08/91)
I find it interesting to note that this is very similar to the policy used by many large corporations (Sun included). A lot of the quality of network access and how restrictive it becomes for users depends on how you implement such a policy.
hes@ccvr1.ncsu.edu (Henry E. Schaffer) (03/08/91)
In article <23808@hydra.gatech.EDU> gt6004a@prism.gatech.EDU (Michael Goldsman) writes:
| ... Any member of the faculty or staff, with authority to
|access remote resources across the Internet, would be granted an account
|on the Trusted Host. Postdocs, Graduate Research Assistants, and
|Undergraduate students with a valid requirement to access remote
|resources would receive sponsorship from the appropriate faculty/staff
|member and be granted an account on the trusted host. Additional
|automated request services would be available to support Anonymous FTP
|with locally cached directories from a trusted FTP server. ...
|
|Please comment on this evil memo from hell...

Exactly what is evil about this? I can see several aspects which various people might not like - but what specifically are the problems (both real and potential) with this policy?

--henry schaffer  n c state univ
lear@turbo.bio.net (Eliot) (03/08/91)
NSFNET requires that connected networks be able to identify those using the Internet at any given time. This seems to me an extreme interpretation of that policy.

--
Eliot Lear
[lear@turbo.bio.net]
wayner@thrall.cs.cornell.edu (Peter Wayner) (03/08/91)
Many companies have trusted host systems where one host acts as a gateway to the network. All but a few computers have no connection to the Internet. Mail and news are routed through these gateways in a way that is essentially transparent to the user. (Unless this one machine goes down or grows overloaded.) Rlogin, telnet and ftp privileges, though, must be exercised by logging into the gateway machine.

I've used the system at Xerox and the only problem I had was having to rlogin an extra time. The added security was, in some ways, a good compromise. People with internal machines could set them up to do all sorts of things and not have to worry about keeping them up to corporate security standards. On the other hand, they could easily get out to the net if they had an account, which everyone at PARC did. The gateway machine was very stripped down and didn't run fun, but insecure, toys like fingerd.

So, if Georgia Tech wants to do this, it also allows them to have much freer standards internally and not worry about the one bad dude wreaking havoc. They can make their root passwords known globally (as MIT often does) so that any joe can fix their machine. Meanwhile they wouldn't need to worry about random hackers finding out about the root because these machines would only be on the internal network.

Silicon Graphics has a company-wide root password that is a great thing. If an employee needs to fix something on a random, internal machine, he can just step right up. No nasty security that hampers productivity. One friend at another company (unnamed) needed to change something on his workstation in a way that required root privileges. He wasn't cleared for this and the overworked support staff needed to help him. The friend couldn't get any help for a week so he just booted the Sun station in single user mode and slipped in. Security was a major hassle and cost productivity.

As I see it, the situation at Georgia Tech is not necessarily any big deal. It depends on the attitude of the administrators handing out passwords to the gateway. If they'll only give it to you with signatures from 15 faculty members then this is a drag. If they are reasonable, it's no problem.

It should be noted that pornographic GIF files are the main attraction for undergraduates. These consume megabytes and megabytes of bandwidth for a cause that is wasteful (Penthouse has better bandwidth/dollar) and also a potential political timebomb. The next great usage for net access is faking mail and postings. It is much better if people do this locally, learn the insights and not clutter the net.

The one thing that is lost is universality. I've enjoyed remotely logging into a host of systems around the country like Cleveland's Freenet. These are potentially great resources that are lost if the net doesn't include everyone.

Peter Wayner   Department of Computer Science   Cornell Univ.   Ithaca, NY 14850
EMail: wayner@cs.cornell.edu   Office: 607-255-9202 or 255-1008
Home: 116 Oak Ave, Ithaca, NY 14850   Phone: 607-277-6678
Copyright 1991 Peter Wayner, All Rights Reserved.
gt1111a@prism.gatech.EDU (Vincent Fox) (03/09/91)
wayner@thrall.cs.cornell.edu (Peter Wayner) writes:
[stuff deleted]
>It should be noted that pornographic GIF files are the main attraction
>for undergraduates. These consume megabytes and megabytes of bandwidth
>for a cause that is wasteful (Penthouse has better bandwidth/dollar) and
>also a potential political timebomb. The next great usage for net access
>is faking mail and postings. It is much better if people do this locally,
>learn the insights and not clutter the net.
[more stuff deleted]

Exactly where do you get your sweeping statistics? I know lots of undergrads in both engineering and computer science. Out of about 40, I can only think of 2 who professed any interest in this sort of thing. What do we use ftp for? Mainly jumping to uunet and similar places to get source code. I wish you would refrain from such statements without SOME sort of statistics.

I am one of the many here at Tech opposed to this sort of restriction. We have a security guard in our library to glance at people's ids as they come in. But we don't X-ray and strip-search them, or lock off reference books for only "approved use". The kind of stringent security measures that are such a terrific idea for IBM, etc. are nothing but a massive annoyance in an academic environment.

>Peter Wayner   Department of Computer Science   Cornell Univ.   Ithaca, NY 14850
>EMail: wayner@cs.cornell.edu   Office: 607-255-9202 or 255-1008
>Home: 116 Oak Ave, Ithaca, NY 14850   Phone: 607-277-6678
>Copyright 1991 Peter Wayner, All Rights Reserved.

--
Vincent Fox (That's Mr. Bucko to you)|"Fleshy-headed mutant, are you friendly?"
Georgia Tech, Atlanta GA             |"No way, eh! Radiation has made me an
SR-71: gt1111a@prism.gatech.edu      | enemy of civilization."
Pony Express:...!gatech!prism!gt1111a| - Bob & Doug in Strange Brew
wayner@kama.cs.cornell.edu (Peter Wayner) (03/09/91)
gt1111a@prism.gatech.EDU (Vincent Fox) writes:
>wayner@thrall.cs.cornell.edu (Peter Wayner) writes:
>[stuff deleted]
>>It should be noted that pornographic GIF files are the main attraction
>>for undergraduates. These consume megabytes and megabytes of bandwidth
>>for a cause that is wasteful (Penthouse has better bandwidth/dollar) and
>>also a potential political timebomb. The next great usage for net access
>>is faking mail and postings. It is much better if people do this locally,
>>learn the insights and not clutter the net.
>[more stuff deleted]
>Exactly where do you get your sweeping statistics? I know lots of undergrads
>in both engineering and computer science. Out of about 40, I can only think
>of 2 who professed any interest in this sort of thing. What do we use ftp
>for? Mainly jumping to uunet and similar places to get source code. I wish
>you would refrain from such statements without SOME sort of statistics.

Well, okay, so it was a sweeping statement, and it was based on my experiences with a few undergraduates. In retrospect (note the time of the posting) it is almost certainly not true for any sort of majority. Graduate students are probably just as culpable. It could be evenly distributed over all users, but I get the impression that it is something people tend to grow out of. I've just known a few who filled disk packs with stuff they found over the net. A real pain when you need the space. Sorry about lumping all undergraduates into the same lumpen mass.

Peter Wayner   Department of Computer Science   Cornell Univ.   Ithaca, NY 14850
EMail: wayner@cs.cornell.edu   Office: 607-255-9202 or 255-1008
Home: 116 Oak Ave, Ithaca, NY 14850   Phone: 607-277-6678
Copyright 1991 Peter Wayner, All Rights Reserved.
richd@prism.gatech.EDU (Richard Dellaripa) (03/10/91)
gt6004a@prism.gatech.EDU (Michael Goldsman) writes:
[quoting from a memo from the Office of Information Technology]
>... Any member of the faculty or staff, with authority to
>access remote resources across the Internet, would be granted an account
>on the Trusted Host. Postdocs, Graduate Research Assistants, and
>Undergraduate students with a valid requirement to access remote
>resources would receive sponsorship from the appropriate faculty/staff
>member and be granted an account on the trusted host.

I would like to point out that this set of conditions is almost identical to those Georgia Tech used to issue computer accounts before they started issuing accounts to all students, faculty and staff. (I'll also point out that all students got accounts a couple years before all faculty/staff received accounts). As I recall, in general, the restrictions were considered only a bother, as all it usually took was a friendly professor and/or some interesting project to gain an account. I have seen no indication that gaining an account on the trusted host would be much more difficult than that. If one is doing something reasonable that requires Internet access, then the implication is that Internet access will be given.

Most complaints about this policy announcement seem to merely complain that people can't use up precious bandwidth on whatever strikes their fancy at the moment, or a fear that people who truly need Internet access will be denied it. The first SHOULD be stopped, and the second will not, IMHO, be a problem.

Richard C. Dellaripa -- GTRI/EOL   "The opinions contained within are solely those of the author"
Georgia Institute of Technology, Atlanta, Georgia, 30332
Internet: richd@prism.gatech.edu   Phone: (404) 894-3357
louisg@vpnet.chi.il.us (Louis Giliberto) (03/10/91)
In article <23808@hydra.gatech.EDU> gt6004a@prism.gatech.EDU (Michael Goldsman) writes:
>
>
>1. Have any other universities restricted access as Tech is about to do?

Ha! I go to Loyola University in Chicago, and they NEVER let students on Internet or even Bitnet. They have a mainframe that's used by the libraries and the Medical Center, but they also have tons of machines running Unix. To my knowledge, they have 1 AT&T 3b15 and 3!!!! AT&T 3b2's. That's a lot of computing power for a University this small, not including the 386's they have running Unix, plus the mailer programs they have on the mainframes and the VAX's, but the policy is all staff gets access and accounts whether they use them or not. Grad students get it on request, and undergrads only with special permission (in other words, you don't get it). On top of that, we only get a Unix account for 1 year unless we take classes that need it and the classes extend past one year. The only reason I'm here is that the system I'm on is one of the few public access Unix systems in the country, and I pay out of my own pocket to use it.

Now, my sister goes to U of I in Champaign, and they INVITE!!!! students to come and use their Internet links. I guess the more logon id's, the more funding they get.

At any rate, it's a crock. Most of the teachers don't even use their accounts, and comp sci majors such as myself have to beg to get access (and then they wonder why people hack into systems to use them). It's a load of crap, and I've asked around who made the policy, but everyone points a finger at someone else. What they teach in the classroom is NOT enough to let you survive in the real world of computing (though theory *is* very important), and those who would like to learn and talk to others on their own time are not allowed to.

On top of all that, the security on ALL the systems is VERY VERY bad. They don't even use a shadow file for the passwords on the 3b15. There are ways to access the mailer and elite operations on the mainframe using a one word command that the system administrators aren't even aware about. The LAN they have that students use for word processing and Turbo Pascal and stuff is a joke. I could blow (anyone could) that whole thing apart with a 100 byte or so virus in the programs. You can even write to the master hard drive!!! I've seen some of the "administrators," and what they mostly do is drink coffee and gab. If I had the guts, and didn't want a career in computer science, I'd pull a Morris on them and show everyone how they are failing to do anything for the academic community.

If you expect to get any results, don't. When you start making waves you can expect them to find a reason to ban you from the system (as has happened to people I know at other colleges). One guy just went up to the root directory, and they said he was "a security risk." Yeah, right. The only security risk is the system administrators' laziness.

Good luck, though. If it works, I'll be surprised.

Louis
--
---------------------------------------------------------------------------
! "As above, so below; as below, so above" -- The Kybalion                !
! "I don't trust him; he has dark hair" -- My girlfriend's mother         !
! "So I'm stupid; what's your point?" -- Me                               !
cat@tygra.UUCP (John Palmer) (03/10/91)
In article <Mar.7.17.02.23.1991.5169@turbo.bio.net> lear@turbo.bio.net (Eliot) writes:
>NSFNET requires connected networks must be able to identify those using
>the Internet at any given time. This seems to me an extreme
>interpretation of that policy.
>--
>Eliot Lear
>[lear@turbo.bio.net]

MichNet (also known as Merit) has similar rules, although not that fascist. You can theoretically access the greater net by simply dialing into a modem pool. They had to put restrictions on TELNETing out of net 35 (MichNET territory). Now they have an authorization server which will allow anyone to TELNET out as long as they have an authorization server account ($35/month). CAT-TALK will be allowing its users to TELNET from our site in a few months.

The purpose of the "trusted host" site is that each TELNET/FTP/etc... session be tied to a user who can be identified. That seems reasonable to me. Why can't undergrad accounts at GA TECH access TELNET/etc?? They are identifiable users. Sounds like another policy to exclude the ones who pay the most tuition.... Sigh.

--
CAT-TALK Conferencing System  | "Buster Bunny is an abused  | E-MAIL:
+1 313 343 0800 (USR HST)     | child. Trust me - I'm a     | cat@tygra.UUCP
+1 313 343 2926 (TELEBIT PEP) | professional..."            | ..sharkey!tygra!
********EIGHT NODES***********| -- Roger Rabbit             | ..cat
qseclrb@prism.gatech.EDU (BOB BAGGERMAN) (03/11/91)
In article <23963@hydra.gatech.EDU>, richd@prism.gatech.EDU (Richard Dellaripa) writes:
> As I recall, in general, the
> restrictions were considered only a bother, as all it usually took was
> a friendly professor and/or some interesting project to gain an
> account. I have seen no indication that gaining an account on the
> trusted host would be much more difficult than that. If one is doing
> something reasonable that requires Internet access, then implications
> are that Internet access will be given. Most complaints about this
> policy announcement seem to merely complain that people can't use up
> precious bandwidth on whatever strikes their fancy at the moment, or a
> fear that people who truly need Internet access will be denied it.

When I was an undergrad in the late 70's computer accounts were very restricted. In order for me to log on to the new, wonderful, and fast CYBER system to learn what it was all about I had to go kiss some guy's butt in the EE department and convince him that I already was a CYBER jock so I could pursue some worthwhile project. In reality I just wanted enough resources so I could get on, plunder around, and learn what it was all about. The experience after I finally got the account was invaluable.

As an ACADEMIC institution, students (and researchers) need to be able to have and use these resources with as much freedom and openness as possible. Only in that way will we learn and be creative with this wonderful technology. The issue of academic freedom is one that I couldn't feel stronger about. I think we as a major technical institute should be fostering free and creative thinking and not saddle us with artificial restrictions. What if only the blessed few could have access to all the library books?

Another major point (in my mind, anyway) is the level of service and access that IT can provide the campus. Way back when, if you wanted to do serious computing you had to sign up for one of the major campus computers. Now most of the computing power is distributed around and is sitting on people's desktops. I've got 150 MB of disk space on my VAX, 40 MB on my PC, but IT only gives me 256 kB on my hydra account. That's less than a floppy disk! The nature of computing nowadays is distributed and interconnected. There is no way IT can support by themselves all the users that require, much less want, internet access. And these days IT seems to be interested in providing less services and putting more of the responsibility for support on the end users. Just look at the concept for the new mail system.

I could support a more restrictive atmosphere if I felt it addressed a real problem and it was the only means to address that problem. But so far no one has demonstrated that a real problem exists, just a lot of what ifs. I strongly feel that a great disservice will be done to the overwhelming number of creative, inquisitive minds because someone on the hill perceives that one or a small number of trouble makers may do something regrettable and IT will be powerless to do anything about it when it happens. Seems to me there are too many starched shirt and tie types running the show and not enough pasty skinned pencil necked geeks. I'd hate to see us go back to the days when only a few could use all the resources we have all helped to pay for.

--
Bob Baggerman                    ! rwb@csdvax.gatech.edu
Communications Systems Division  ! qseclrb@hydra.gatech.edu
Georgia Tech Research Institute  ! bbaggerm@gtri01.gatech.edu
Atlanta, GA 30332                ! 404-894-3525
pwh@bradley.bradley.edu (Pete Hartman) (03/11/91)
In <23988@hydra.gatech.EDU> qseclrb@prism.gatech.EDU (BOB BAGGERMAN) writes:
>As an ACADEMIC institution, students (and researchers) need to be able to
>have and use these resources with as much freedom and openness as possible.
>Only in that way will we learn and be creative with this wonderful technology.
>The issue of academic freedom is one that I couldn't feel stronger about. I
>think we as a major technical institute should be fostering free and creative
>thinking and not saddle us with artificial restrictions. What if only the
>blessed few could have access to all the library books?

There's a point of difference. The potential cost to the net at large is much greater (at least it seems to be to me) if someone gets out of hand than it is if someone succeeds in stealing/damaging library books. Just look at the projected costs from the Internet Worm (of course a fair amount of the blame rests on the holes in the system, but my point is the cost, not the means). Not only that, but being new technology, it's a more interesting place to vandalize than the local library.

>I could support a more restrictive atmosphere if I felt it addressed a real
>problem and it was the only means to address that problem. But so far no one
>has demonstrated that a real problem exists, just a lot of what ifs.

At our site, we have a long history of concrete examples of how some students (all of whom are given an account for the asking on one of our Unix systems or on our Cyber 932, depending on what they ask for) will abuse every break you give them. It becomes a serious drain on the time of the system administrators (there are two of us for the whole campus--it's a smallish campus, but there are quite a number of machines that we are responsible for) to have to find, verify, and shut down every single one of these people.

> I
>strongly feel that I great disservice will be done to the overwhelming number
>of creative, inquisitive minds become someone on the hill perceives that one
>or a small number of trouble makers may do something regrettable and IT will
>powerless to do anything about it when it happens. Seems to me there are too
>many starched shirt and tie types running the show and not enough pasty skinned
>pencil necked geeks. I'd hate to see us go back to the days when only a few
>could use all the resources we have all helped to pay for.

There's a balance to be struck, I think. Free access, damn the consequences, seems pretty irresponsible to me, because it fails to protect the users who AREN'T a problem. And while there are a fair number of those capable of protecting themselves by way of their technical sophistication, at our site at least, the vast majority of users are very technically naive and appear to have no desire to change. As a sysadmin, I don't see it as my mission to force them to change.

--
-----
Pete Hartman   Bradley University   pwh@bradley.bradley.edu
One final word to the young people who listen to this record. Be cool. The retina of the eye quivers to the dance of soundwaves. Turn on. Tune in.
Cherry@Frodo.MGH.Harvard.EDU (J. Michael Cherry) (03/11/91)
gt6004a@prism.gatech.EDU (Michael Goldsman) writes:
[quoting from a memo from the Office of Information Technology]
>... Any member of the faculty or staff, with authority to
>access remote resources across the Internet, would be granted an account
>on the Trusted Host. Postdocs, Graduate Research Assistants, and
...

Correct me if I'm wrong but it seems that the position that Georgia Tech is taking will slow the use of network services. In the science of molecular biology we are at the dawn of information sharing via network client/servers. Molecular biologists need access to very large databases of information that are growing at an ever increasing rate. Several university and government groups are developing network client/servers that will allow the scientists to query remote database servers and retrieve information. These servers are not simply a one-way exchange like a mail server; rather, because of the amount of information and the type of questions molecular biologists ask about this information, the server and client interact in a dialogue traversing levels of organization and types of information. Ideally this exchange will occur using a familiar GUI to the user on microcomputers in laboratories where the data is used and generated.

Requiring that all outside network exchange go through a trusted host may be just a bother to mail or telnet users, but it eliminates the ability of the lab computer to access the remote server. All these clients will need to be placed on the trusted host and sufficient file space offered. The user also completely loses the GUI interface as they are being developed if one must log in on a trusted host. This will ultimately make use of the Internet more difficult for the non-computer-savvy users and require more network programming or redundant services within the restricted campuses.

Mike Cherry   cherry@frodo.mgh.harvard.edu
Department of Molecular Biology
Massachusetts General Hospital, Boston
gt1020a@prism.gatech.EDU (Ken Yousten) (03/11/91)
In article <1991Mar10.175557.4595@bradley.bradley.edu> pwh@bradley.bradley.edu (Pete Hartman) writes:
>There's a point of difference. The potential cost to the net at large is
>much greater (at least it seems to be to me) if someone gets out of hand
>than it is if someone succeeds in stealing/damaging library books. Just
>look at the projected costs from the Internet Worm (of course a fair amount
>of the blame rests on the holes in the system, but my point is the cost,
>not the means). Not only that, but being new technology, it's a more
>interesting place to vandalize than the local library.

But we have not been given any reason to think that the "trusted host" scheme will actually address the problems we are being told that it is a reaction to. Your example of the Internet worm is particularly meaningless. A trusted host there would not have stopped it; the only purpose served by bringing it up here is to explain the hysteria. Instituting more security measures in a knee-jerk fashion, without thinking about how they will accomplish desired ends, is foolish.

I am not objecting so much to the trusted host idea itself, just the way it is being "explained" to us. It's hard to object to the idea, when you are not given any straight information on it.

--
o Ken Yousten    "Oh my god...you're from the 60's! Back!"              o
o arpa: gt1020a@prism.gatech.edu                                        o
o uucp: ...!{allegra,amd,hplabs,seismo,ut-ngp}!gatech!prism!gt1020a
theo.bbs@shark.cs.fau.edu (Theo Heavey) (03/11/91)
gt6004a@prism.gatech.EDU (Michael Goldsman) writes:
> Questions for you guys:
>
>
> 1. Have any other universities restricted access as Tech is about to do?

We have the same policy from our Academic Computing Organization. However we are very lucky that our Dept of Comp. Sci. is much more enlightened and permits our student chapter of the ACM to run a BBS that has USENET capability as well as internet access. Yes, I am a student and a researcher. However, under those restrictions I would be hard pressed to continue the free flow of information needed for timely results and progress.

>
>
> Please comment on this evil memo from hell...
                         ^^^^^^^^^^^^^^^^^^^^^^

I think that what may have prompted this is the amount of bandwidth being generated at the location. OR the other "normal" complaint is that they have no control on what their users actually do via e-mail or ftp. It definitely SUCKS but we must enlighten these people. The easiest way may be through their own system -- I submit that a quick note to the responsible agency may clearly identify the reasoning behind the "memo from hell".

>
> -Mike
jon@athena.mit.edu (Jon A. Rochlis) (03/12/91)
Two comments:

First, MIT's name is being used in vain. MIT does not use and is not contemplating such a system to restrict access to the Internet. We would view such a system as a giant step backwards. As well as one which would not achieve the results desired.

Eliot Lear stated that:

    NSFNET requires connected networks must be able to identify those using
    the Internet at any given time. This seems to me an extreme
    interpretation of that policy.

I don't believe this is accurate. The NSFnet Interim Acceptable Use Policy mentions nothing about identification of network users. It basically says that traffic over NSFnet must be either research or education related or in support of such research/education activities. You don't need to be able to identify network users in order to comply with that! (Think about it. It helps sometimes but it is not required and may well be counter-productive.)

My own personal belief is that even if you try to restrict network access to only the good guys you can't possibly win. Face it: the genie is out of the bottle. If you don't design and run systems that assume *everybody* in the world has access to the network you are asking to lose. Efforts to snuff out anonymous terminal servers might buy six months of safety for some sites, but I think that is arguable.

If you think mail and packet filters are the way to go you should have heard Dave Clark's talk on the subject at Interop '90. He basically said that they break the internet model because they weren't considered when the architecture was developed. You lose a lot of what the network is for (new interactive applications that run *now* for everybody without 50 site admins updating tables) and you don't even get security because mail systems are one of the biggest security vulnerabilities (witness the Morris virus ... your corporate mailhub being infected by sendmail would easily get your whole "protected" corporate net).

--
Jon Rochlis (jon@mit.edu)
MIT Network Services
lee@wang.com (lee) (03/13/91)
As someone who hasn't been an undergrad for 25 years, I'd like to comment on this business of "faculty and staff" access to the Internet.

(1) It's primarily a RESEARCH network, yet "postdocs" at Georgia Tech are apparently not to be routinely granted full access without "staff" authorization. The administration, "of course", gets unquestioned access.

(2) It's secondarily an EDUCATIONAL network, yet it's considered important for political reasons (I remember something about congressional approval) to prevent those being "educated" (largely undergraduates) from having full access.

(3) Porno GIF files are popular at commercial Internet and Usenet sites, too. Some of our best programmers collect them. They do take too much disk space. The solution is to determine how much public disk space will be allowed to an individual, and discipline those who can't give a very good reason for using an outrageous amount more.

I can still remember being an undergrad at Harvard in the early '60s, where despite the many-thousand-dollar "surety bond" of tuition, we were not permitted to check out books from Widener, the math library, the music library, etc., for even a single day (and even books that hadn't been read for generations) without specific faculty authorization each time. I shelved books in Widener for spending money, and still remember how the administration's lackeys would make sure that we were out of the stacks when our jobs were done (presumably to prevent our reading unauthorized material). At 46 years old, and 20 years beyond any contact with the procedures of universities, I still boil at the thought, and still refuse to contribute to the college fund.

--
------------------------------------------------------------------------
Lee Story (lee@wang.com)   Wang Laboratories, Inc.
(Boston and New Hampshire AMC, and Merrimack Valley Paddlers)
------------------------------------------------------------------------
wrs@Apple.COM (Walter Smith) (03/13/91)
Apple uses the "trusted host" scheme. We have a big VAX (apple.com) that speaks to the Internet and transfers mail, and an internal network that is completely separate. To use the Internet you must get an account on apple.com, which usually requires very little effort (at least for R&D employees).

Providing a "trusted host" was fine in the ancient (more than five years ago) Internet environment, where mail and remote login were pretty much the entire functionality one could want from a network. However, in the modern Internet, we have progressed beyond such childish 7-bit ASCII games. The most common example I can think of is the X Window System. To connect the window server on my local workstation with a client on the Internet requires the client to initiate a connection with my workstation. In the trusted host scheme, this is impossible, since the client doesn't even know my workstation exists. As Internet technology progresses, I imagine that more services based on such client/server protocols will appear. An institution that follows the remote-login-and-mail-only trusted host model will be preventing its members from using such services.

Certainly, there are valid concerns related to loosing thousands of young explorers with Ethernet-equipped PC's onto the Internet. I think, however, that eliminating these concerns by restricting an entire institution to whatever Internet resources can be accessed through one-way Telnet connections may be too extreme a solution.

- W

P.S. I hope no one takes offense at the phrase "young explorers". I myself am a young explorer with an Ethernet-equipped Macintosh... and a few years ago (at CMU), it was even on the Internet.

--
Walter Smith wrs@apple.com, apple!wrs
Apple Computer, Inc. (408) 974-5892
My corporation disavows any knowledge of my activities on the network.
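The connection-direction problem Walter describes, as an added example that is not code from the original post or from Apple's setup: a toy Python model of the one-way gateway, with constructed host names and addresses, showing that an outbound telnet session and mail to the gateway pass while an X client on the Internet can never reach the display server on an internal workstation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    syn: bool     # True only for the packet that opens a TCP connection


class TrustedHostGateway:
    """Models the one-way gateway: internal hosts may open sessions outward,
    and replies to those sessions are let back in, but the outside world can
    only address the gateway itself, never an internal workstation."""

    def __init__(self, gateway_addr, internal_prefix):
        self.addr = gateway_addr
        self.internal_prefix = internal_prefix
        self.sessions = set()  # (internal host, port, external host, port)

    def _internal(self, addr):
        return addr.startswith(self.internal_prefix)

    def forward(self, pkt):
        """Return 'allow', or a short reason the packet is dropped."""
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            # telnet/ftp from inside: record the session so replies can return
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.dst == self.addr:
            return "allow"  # mail exchange or a login on the trusted host itself
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.sessions and not pkt.syn:
            return "allow"  # reply to a session an internal host opened
        return "drop: internal hosts are not reachable from the Internet"


def demo():
    """Constructed scenario: a workstation telnets out (works), then an X
    client on the Internet tries to open the workstation's display (fails)."""
    gw = TrustedHostGateway("gateway.example", "10.")  # constructed names
    ws, remote = "10.0.0.7", "192.0.2.44"              # constructed addresses
    return {
        "telnet_out": gw.forward(Packet(ws, 40001, remote, 23, syn=True)),
        "telnet_reply": gw.forward(Packet(remote, 23, ws, 40001, syn=False)),
        "mail_to_gateway": gw.forward(Packet(remote, 40002, "gateway.example", 25, syn=True)),
        # X11: the client on the remote host must connect to the server
        # (display :0, TCP port 6000) on the workstation, so it initiates.
        "x11_client_to_display": gw.forward(Packet(remote, 40003, ws, 6000, syn=True)),
    }
```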
lear@turbo.bio.net (Eliot) (03/14/91)
Jon, I'm sorry, you're right. It indeed may not be an NSF requirement, but I believe that FARNET members are requiring that subscribers be able to identify who is/was? using the Internet at a given time. Certainly BARRNET requires it; and I think JvNC does as well (I seem to recall the people at Rutgers going through some hoops over this one), the point being that when someone does break in to some site, there will be means to trace the culprit. Again, it's not that they want to keep people out, per se, but they want to be able to identify who is on.

--
Eliot Lear [lear@turbo.bio.net]
emv@ox.com (Ed Vielmetti) (03/14/91)
In article <Mar.13.18.37.23.1991.14919@turbo.bio.net> lear@turbo.bio.net (Eliot) writes:
>I'm sorry, you're right. It indeed may not be an NSF requirement, but
>I believe that FARNET members are requiring that subscribers be able
>to identify who is/was? using the Internet at a given time.
Michnet seems to be jumping through some hoops right now to be able
to support these kinds of restrictions.
nic.near.net:/docs/farnet-acceptable-use.txt has the most recent
farnet suggested guidelines that I can find. The closest thing in it
that I can see which would justify this kind of a policy is
Access to the internet should be protected through the use of
prudent security measures. Unauthorized connections to the
internet should not be permitted.
There may be further exegesis hiding somewhere describing what exactly
they mean, but I haven't seen it.
Eliot (or whoever), could you describe who and what FARNET is? All
the opinion that I have of them so far is quite negative, with them
more or less saying "you can't do that on the internet". Their press
release promised more position papers on interesting things (network
design and engineering, value-added services, commercialization) but
so far I have not seen one bit of it.
--
Msen Edward Vielmetti
/|--- moderator, comp.archives
emv@msen.com
zane@ddsw1.MCS.COM (Sameer Parekh) (03/16/91)
In article <52892@cornell.UUCP> wayner@thrall.cs.cornell.edu (Peter Wayner) writes:
>need to worry about random hackers finding out about the root because
>these machines were only on the internal network.

If a random hacker found out the root password, there wouldn't be a problem. If a random normal person (who knew how to use the system) found out the root password, there would be a problem.

--
zane@ddsw1.MCS.COM
zane@ddsw1.MCS.COM (Sameer Parekh) (03/16/91)
In article <23887@hydra.gatech.EDU> gt1111a@prism.gatech.EDU (Vincent Fox) writes:
>We have a security guard in our library to glance at people's ids as they
>come in. But we don't X-ray and strip-search them, or lock off reference books
>for only "approved use". The kind of stringent security measures that
>are such a terrific idea for IBM, etc. are nothing but a massive annoyance
>in an academic environment.

No. They are not an annoyance. They are a hindrance. There is a difference. (If there was a high-pitched soft squeal while I was trying to relax, that would be an annoyance. If I had to study for a final and the middle 400 pages of my book were missing, that would be a hindrance.)

--
zane@ddsw1.MCS.COM
brian@ucsd.Edu (Brian Kantor) (03/17/91)
Either 1) Georgia Tech has decided to abandon inter-university network research or 2) that "secure host" is going to have a lot of tunnels through it or 3) there will be a bunch of hosts at GAT that are on the network side of the "secure host". Hiding all your machines behind a secure gateway is incompatible with an awful lot of the things that university networking people like to do, it seems to me. I rather expect the end result to be a lot less draconian than the initial announcement would seem to be.

But consider: It is very clear to me that the 18 to 25 year old span of the typical undergrad represents a WIDELY varying range of responsibility; the problem ALL we university people are faced with is how to provide the maximum facilities to those capable of handling them, and preventing damage by and to those who are not yet ready. And the hardest part is figuring out who is who, and when the previously immature have become mature. I don't know how to do it, and I'll wager no one else does either.

So what do you do? Letting everyone have unrestricted access to the network has caused problems in the past, but it could be that that is the price we have to pay for the advantages gained thereby. Letting no one on to the network makes the network useless. Exams? Hostages? Monetary Bonds? Academic penalties? Someday someone may come up with the right answer. So far as I know, they haven't. Personally, I think GAT has come up with the wrong answer, but we'll have to see.

- Brian
louisg@vpnet.chi.il.us (Louis Giliberto) (03/19/91)
In article <1991Mar16.042742.19416@ddsw1.MCS.COM> zane@ddsw1.MCS.COM (Sameer Parekh) writes:
>
> If a random hacker found out the root password, there wouldn't be
>a problem.
> If a random normal person (who knew how to use the system) found
>out the root password, there would be a problem.

I'm confused. Knowing or not knowing how to use the system has nothing to do with the danger involved (I wonder what rm *.* does? Let's see....). The danger comes from the intent of the intruder, and only the intruder knows his intent. There is a problem if anyone knows it since he may tell others. Of course, the bigger problem is that all the security is bypassed with one simple password. Not very secure if you ask me. I remember reading an article in CuD about partitioning accounts or something like that. Maybe that would be a better way.

At any rate, if there was an acceptable amount of access given, the only people who would be after the root would be those who wanted to cause harm rather than those who just want to upgrade their accounts so they can access USENET. The more access given, the less interesting the root account becomes. If, for example, they limited undergrads to viewing say 10 USENET groups and sending 20 letters per month (more with special permission), I, as an undergrad, would find that reasonable and serving both the student and the university in the best way. All this stuff is software dependent, not hardware dependent, so it can be changed to suit the policy. Shutting people out is not the right approach.

Louis Giliberto

--
---------------------------------------------------------------------------
! "As above, so below; as below, so above" -- The Kybalion !
! "I don't trust him; he has dark hair" -- My girlfriend's mother !
! "So I'm stupid; what's your point?" -- Me !
studly@blake.u.washington.edu (Brian Boru) (03/19/91)
In article <1991Mar18.214218.29444@vpnet.chi.il.us> louisg@vpnet.chi.il.us (Louis Giliberto) writes:
>The more access given, the less interesting the root account becomes. If, for
>example, they limited undergrads to viewing say 10 USENET groups and sending
>20 letters per month (more with special permission), I, as an undergrad, would
>find that reasonable and serving both the student and the university in the
>best way.

Lesse - shared accts, limited # of mail messages, gee, doesn't that sound familiar? All we need is censored newsgroups, and we've got Prodigy! Neat! Prodigy finally comes to the Net! :-/

Brian

--
Free Ireland!!
louisg@vpnet.chi.il.us (Louis Giliberto) (03/20/91)
In article <18668@milton.u.washington.edu> studly@blake.u.washington.edu (Brian Boru) writes:
> Lesse - shared accts, limited # of mail messages, gee, doesn't that
>sound familiar? All we need is censored newsgroups, and we've got Prodigy!
>Neat! Prodigy finally comes to the Net! :-/
>
> Brian
>
>-- Free Ireland!!

I don't see the parallel. I was talking about a site, not the Net in general. Also, a limited acct. due to disk space restrictions and networking costs is not unreasonable especially since universities have budgets within which they must work. Most people would be willing to compromise since they would admit that the resources should be allocated to research projects and classwork before it is allocated to "recess" on the net. The restrictions I talked about were meant to be implemented for extra-curricular use (learning on your own).

Louis (louisg@vpnet.chi.il.us)

--
---------------------------------------------------------------------------
! "As above, so below; as below, so above" -- The Kybalion !
! "I don't trust him; he has dark hair" -- My girlfriend's mother !
! "So I'm stupid; what's your point?" -- Me !
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (03/20/91)
In article <1991Mar19.211732.14152@vpnet.chi.il.us> louisg@vpnet.chi.il.us (Louis Giliberto) writes:
>> Lesse - shared accts, limited # of mail messages, gee, doesn't that
>>sound familiar? All we need is censored newsgroups, and we've got Prodigy!
>>Neat! Prodigy finally comes to the Net! :-/
[...]
>I don't see the parallel. I was talking about a site, not the Net in general.
>Also, a limited acct. due to disk space restrictions and networking
>costs is not unreasonable especially since universities have budgets
>within which they must work.

Well, the limitations mentioned above are pretty trivial to work around. And they probably won't address the things that cost money. Most universities have plenty of bandwidth on their internet connection; they may lack disk space or terminals, but a limit on the # of mail messages won't address that problem.

Stupid solutions rarely work, but at least they inspire creative work-arounds.
zane@ddsw1.MCS.COM (Sameer Parekh) (03/24/91)
In article <1991Mar18.214218.29444@vpnet.chi.il.us> louisg@vpnet.chi.il.us (Louis Giliberto) writes:
>In article <1991Mar16.042742.19416@ddsw1.MCS.COM> zane@ddsw1.MCS.COM (Sameer Parekh) writes:
>>
>> If a random hacker found out the root password, there wouldn't be
>>a problem.
>> If a random normal person (who knew how to use the system) found
>>out the root password, there would be a problem.
>
>I'm confused. Knowing or not knowing how to use the system has nothing to
>do with the danger involved (I wonder what rm *.* does? Let's see....).
>The danger comes from the intent of the intruder, and only the intruder
>knows his intent.

Sorry if I confused you. I was trying to say that the use of the word 'hacker' implied intent.

--
The Ravings of the Insane Maniac
Sameer Parekh -- zane@ddsw1.MCS.COM