UC Berkeley Cleaning up its Security Act 79

Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."


  • From TFA:
    Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95].

    Right idea, wrong scope.
  • The Article (Score:5, Funny)

    by zaguar ( 881743 ) on Tuesday April 25, 2006 @04:52AM (#15195333)
    Security... NEXT PAGE
    has lapsed... NEXT PAGE
    but we are... NEXT PAGE
    doing our best... NEXT PAGE
    trying to... NEXT PAGE
    improve. END ARTICLE
  • Obviously they haven't been rotating their passwords frequently enough, just force everyone to change theirs every three weeks and all security problems will be solved!
    • You'll end up with cycling passwords of "hello" and "password" every three weeks.
      • by joe 155 ( 937621 ) on Tuesday April 25, 2006 @06:07AM (#15195503) Journal
        It sounds like you might be making a joke about this one, but at my university (University of Warwick, UK) they had the world's most lax attitude to security; it was insane. There were several huge security leaks and no one seemed to question why they weren't using and changing secure passwords... some script kiddie broke into the main server (taking all of our private info stored on it) using nothing more than a simple brute force crack... it gave in so easily because they'd used a word from a standard dictionary... I figure it would have taken no more than 60 seconds to get in. The moral of this and the UC Berkeley story is this: don't trust a university IT dept with any of your private information, store nothing on their computers, use a different password for the log on there and for everything else (if you insist on using the same one everywhere)
        • That's ridiculous.

          I had heard bad stories about the IT provision at Warwick (particularly their Resnet service), but didn't realise it was that bad.

          Here at Bristol, I've worked for our Resnet over the summer, which is housed along with the IT guys. Security is absolutely paramount, and even for little Resnet projects, we would sit down for a couple of hours for a threat assessment (SQL injection, what happens if a dictionary attack succeeds, could we place exponential back-off on the login page).

          That said, t
        • The moral of this and the UC Berkeley story is this; don't trust a university IT dept with any of your private information

          Doesn't that mean I can't go to college? I'm not worried about some warez monkey stealing my physics paper off the shared drive, I'm worried about them breaking into the bursar server and getting my SSN, bank account details, credit card number, etc. Colleges have no reason to clean up their act in that respect because it doesn't hurt them in the least if *your* security is compromis
      • "You'll end up with cycling passwords of "hello" and "password" every three weeks."

        There needs to be a "whoosh" mod category. Can you guys at slashdot get working on that?

        Grandparent knows that the password rotation scheme is common practice in *many* environments, and was pointing out the uselessness of such a strategy. It's called "illustrating absurdity with absurdity"
        • Where I work currently, the network saves my last 27 passwords. New passwords cannot be in that list, and are checked for similarity to those passwords. A certain number of characters must be different, and not just switched around ("password" v. "apssowdr"). Users cannot just cycle through passwords; there is a minimum and a maximum age.

          • If they're saving your password in a format where they can easily tell if your new password is some permutation of the characters in the original password (i.e., they're either storing the original password as plaintext or in a format that they can easily decrypt to check for permutations, rather than using a one-way hash function), then they're sacrificing actual security for the illusion of security. Nice.
            • Alternately (and far more likely), they're comparing permutations of your *new* password against the old hash. They're not recovering plaintext for the old password, but using the plaintext of the new password to create the permutations. See pam_passwdqc for an example of this technique, or npasswd. Most password checking systems will do this.

            • They could be saving the hashes of the old passwords.

              Step 1. Once the new password is entered, you hash it, check against the list of saved hashes to see if that exact phrase had been used already. If so, deny new password, if not, move to step 2.

              Step 2. Take the plain text of the new password that was entered, re-arrange and/or substitute some characters (e.g. "password" becomes "asswordp"), generate a hash of this value and check against the old saved hashes. If the new hash matches one in the lis
              • I stand corrected. On the other hand, I think I was right in saying that you can't do it "easily", as the system you describe is going to require checking a lot of permutations one by one instead of coming up with some quick fuzzy check of similarity. I guess if you've got the processing power to do it, that's a good solution to the problem.
                • You're right, it wouldn't be easy or straightforward. The logic as to what combinations and permutations of the password to test and how many iterations to do so would be a PITA. It would also probably be overkill for most systems.
            • As other posters mentioned there are ways around this, but still, it is focusing on the wrong area. There are much more productive ways to spend time increasing security than pissing and moaning about reusing a password several years old. 27 passwords at 3 months per password is almost 7 years. Who cares? Try dual authentication, better passwords to begin with, and better security over the network itself (e.g. encrypting traffic).

        • *whoosh*, indeed -- I'm almost certain great grandparent was actually referring to this specific story [slashdot.org], rather than illustrating absurdity with absurdity.
      • Oh we'll make it so that you can't use old passwords again, either.

        Instead, you'll have to do: password, hello, password1, hello1, password2, hello2 ...

        You laugh, but I've been there.
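The history check debated in the subthread above (hash the new password against the stored old hashes, then hash simple transformations of the new plaintext against them too, which is the approach the pam_passwdqc reference points at) as an added Python example. This is not code from the article or from any of the commenters; the candidate-form set, the PBKDF2 work factor and the sample history are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed work factor for the example; production systems use a memory-hard
# or far higher-iteration password hash, which makes each candidate check costlier.
PBKDF2_ROUNDS = 5_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is drawn if none is given.
    Re-using a stored entry's salt is what lets a new plaintext be compared to an old hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def candidate_forms(password: str) -> List[str]:
    """Forms of the NEW plaintext to test against the old hashes.

    Index 0 is the unchanged password (step 1 in the thread); the rest are the
    step-2 transformations: rotations ("password" -> "asswordp"), case changes,
    reversal, adjacent-character swaps, and the last 1..3 characters dropped
    (catches "hello1" -> "hello" style cycling). The set is deliberately small
    because every form costs one password-hash evaluation per history entry.
    """
    forms = [password]
    n = len(password)
    forms += [password[i:] + password[:i] for i in range(1, n)]
    forms += [password.lower(), password.upper(), password.capitalize(),
              password.swapcase(), password[::-1]]
    forms += [password[:i] + password[i + 1] + password[i] + password[i + 2:]
              for i in range(n - 1)]
    forms += [password[:-k] for k in range(1, 4)]
    unique: List[str] = []
    for form in forms:
        if form and form not in unique:
            unique.append(form)
    return unique


def conflicts_with_history(new_password: str,
                           history: List[Tuple[bytes, bytes]]) -> Optional[Tuple[int, str]]:
    """Return (history_index, matching_form) if some form of the new password hashes
    to a stored old hash, else None. Old plaintexts are never needed or recovered."""
    forms = candidate_forms(new_password)
    for idx, (salt, old_digest) in enumerate(history):
        for form in forms:
            _, digest = hash_password(form, salt)
            if hmac.compare_digest(digest, old_digest):
                return idx, form
    return None


def hash_evaluations(new_password: str, history_len: int) -> int:
    """Worst-case number of password-hash evaluations one check costs:
    one per candidate form per stored history entry."""
    return len(candidate_forms(new_password)) * history_len


if __name__ == "__main__":
    # Constructed history of three previously used passwords (only salted hashes are kept).
    history = [hash_password(p) for p in ("password", "Hello7", "correct horse")]
    for attempt in ("password", "asswordp", "hello7", "Hello78", "zebra-stapler"):
        print(attempt, "->", conflicts_with_history(attempt, history))
    print("worst-case hash evaluations per check:", hash_evaluations("password", 27))
```

The cost objection raised later in the thread shows up directly in `hash_evaluations`: the check is forms times history entries, each a full password-hash evaluation, so the candidate set has to stay small and a slow production hash only widens the gap between this and a "quick fuzzy check". Nothing here weakens storage: the history holds salted one-way hashes only, and similarity is judged purely by transforming the plaintext the user just typed.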
  • From TFA (Score:3, Funny)

    by graemecoates ( 592009 ) on Tuesday April 25, 2006 @05:29AM (#15195403) Homepage
    Both have incredible amounts of data. As for clustering, there are a few computational clusters already around campus for traditional math, physics, astrology
    Good to see they know what the networks are *really* being used for...
    • traditional math, physics, astrology

      I really want to know what goes on in the astrology cluster. Can you really parallelize reading the tarot? I wonder what kind of hardware they use; a giant Magic 8-Ball array? And what kind of qualifications does a sysadmin have to have there?
      • And what kind of qualifications does a sysadmin have to have there?

        User: Help, my computer is broken.
        Sysadmin: By looking at the entrails of your computer, I know what is wrong.
  • Hmmmm (Score:2, Interesting)

    by Sqwubbsy ( 723014 )
    Kind of reminds me of the Harvard story [slashdot.org] where someone pointed out the lack of firewalls [slashdot.org].

    I wonder what kind of information is readily available? ;-)
  • by penguin-collective ( 932038 ) on Tuesday April 25, 2006 @05:43AM (#15195432)
    Berkeley UNIX (the original BSD) was full of security holes. It shipped with such beauties like being able to get a shell by typing the right command at the SMTP server and multiple buffer overflow bugs in just about every server and command line program. And many people knew about it, both at Berkeley and elsewhere, but nobody cared much until the Morris worm. Apparently, while the world has moved forward, Berkeley still isn't taking security all that seriously.
  • by Anonymous Coward
    ...with no password. I know someone who did a term paper using that account.
    • by Anonymous Coward
      BBS Scene.... Back in the early 90's we used to share password files in the back rooms of BBSes. It was notoriously easy to guess a password on a UCB machine, then cat the unshadowed password file. Well, then you know what to do next, right: leave crack running on the file on the old Sun 3 in the corner and some day or days later we would have a stack of accounts. Most of them were cracked with dictionary words. Too easy.
  • Education vs. Change (Score:3, Interesting)

    by Dekortage ( 697532 ) on Tuesday April 25, 2006 @06:01AM (#15195482) Homepage

    It takes educating users. So far I haven't experienced resistance to education, but the amount we have to do is pretty staggering.

    The issue is not about educating the professors and staff. Most everyone will happily participate. The issue is getting them to actually change their practices once they've been through the education. You need education, then support for the education, then regular audits about the education, then some more education.

    FTA: ...the department has Smart Dust - tiny sensors that run TinyOS and TinyDB. They scatter this stuff out there - put it in trees, on animals - they're all networked together and people monitor them. That's different than [managing] a connection in every office.

    I dunno, I'm pretty sure some of my past employers spend their days hanging from trees, or on animals... even in the office.

  • by Lewisham ( 239493 ) on Tuesday April 25, 2006 @06:37AM (#15195569)
    The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information.

    Why did they need it? "Oh, I'll just download an Excel file of every student's personal details so I can make that PowerPoint presentation I want!" Why weren't they using some method of protecting the students' data at all? If I had access to data like that, I would only expect to get it on-demand from a server across a secure VPN with a tough password (SecurID perhaps).

    I don't understand why you would want such information downloaded unless you were going to do something malicious. Could someone explain to me why these people were just walking out the doors with entire databases in their rucksacks?
    • A list of all of the students is commonly used to prepare reports required by the Department of Education (google IPEDS), providing data for college guides (we do about 50 per year), and surveys from professional organizations (e.g. Engineering Workforce Commission) However, the first thing you do with a file like that is to delete the following columns: Social Security Number, Names, Phone Numbers, Next of Kin data, and Addresses (except perhaps Country or State of Origin). The EMPLID (or college ID num
    • The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information. Why did they need it? "Oh, I'll just download an Excel file of every students personal details so I can make that Powerpoint presentation I want!"

      Maybe they're talking about research data. Enforcing standard procedures for everyone in the registration office could be easier than, say, policing every PhD candidate that's collecting data from human subjects....

    • Under FERPA, even a name and a grade for a paper is federally-protected private data. So, if you have a spreadsheet with the scores from the last quiz, that's sensitive, personal data about students that triggers those laws. It isn't necessarily SSNs and CC#s. Hell, under FERPA, even the names of students in a class can be protected if one student has preferred to have their directory info suppressed. There's a report available from my current employer that has names and ID pictures for all the stude
  • If Berkeley isn't secure what makes us think any Berkeley derivative is secure!?!?! (OpenBSD, NetBSD, FreeBSD) Obviously this is a joke, but I'm sure someone will take offense... {poke}
  • "The first thing I intend to do as IT Chief to fix this security issue is to give a widely-disseminated public interview telegraphing the specific steps I intend to take to the public at large. I'm sure that will have the desired effect of reducing my network's overall risk level. Absolutely."
    • I know you're joking, but in all seriousness, your security should never depend on not disclosing your strategy. If it does, something's wrong.

      Pretty much anybody in IT can tell you what the "best practices" are, there's nothing secret about them, and a good implementation doesn't depend on the attacker not knowing what they are.

      So if the guy's ONLY strategy is to give a public interview, and then not do anything, of course he's got problems. But just giving the interview about what he's doing isn't problemat
      • Oh, absolutely true. Your security shouldn't depend on your silence, but silence should be a component of it (I believe the expression is "loose lips sink ships"). I'm not saying to keep completely tight-lipped about the strategies you employ currently, but telegraphing your future steps in a public forum just adds to the overall risk of your current architecture and your future deployments.

        That's not the reason for my post, though. It's been my experience that someone in a position like this who does interv
  • Funny.... I work in corporate America, and we are pretty farqing insecure as well... Pity I can't tell you all who I work for; you would run screaming away from the thing most people cherish most when getting a new job. :o) Politics/Policies are how they try to secure the IT infrastructure, forget technical controls, and what about best practices? Forget about it!!!! Not to mention risk mitigation: we accept most risk without any kind of mitigation. This is the norm for _most_ companies, and will be the
  • by BerkeleyDude ( 827776 ) on Tuesday April 25, 2006 @12:38PM (#15198322)
    You'd think that since BSD comes from Berkeley, it should be a popular OS on campus... Think again. Everyone's #1 choice is: Windows XP.

    You go to a (non-CS) computer lab. You log in with your SID and password. A new Administrator account is created for you. Go ahead, do whatever you want - when you log out, all your files will be deleted, and everything will be restored to the original state. Completely secure, until you realize... "Duh. I have an administrator account. Why can't I just prevent the computer from restoring everything on logout?".

    I reported this to one of the lab workers, and even demonstrated: she logged into her own account, but the desktop background picture said in big red letters, "Caution: This system has been haxx0red". She was pretty shocked, and said she would inform the system administrators.

    This was half a year ago... Nothing has changed.

    The CS labs are different, though. They run Solaris 9. Security shouldn't be a problem here. Usability is, though. How many of you guys remember what Gnome 2.0 looks like? How about Acrobat Reader 4? I do, unfortunately. And the Slashdot jokes about "^H" suddenly made so much sense...
    • Yeah, the Sun stuff is amusingly out of date. Should note that most of the EE computer labs are Windows machines, though they're locked up in terms of account permissions. Also, the inst.eecs webspace gets DDoS-ed every so often.

      I've never bothered to try a non-EECS domain computer... maybe I should.
      • Should note that most of the EE computer labs are Windows machines, though they're locked up in terms of account permissions.

        Yeah. But now that Knoppix has a pretty decent NTFS write support... Well, I'm still trying to do something cool with it :)
  • A professor friend of mine got his PhD at Berkeley and did several years of postdoc work there. I constantly had to help him with network and IT issues in his lab, because the state of IT at the university was utterly appalling. The network was a complete clusterfuck, because there was no security to speak of anywhere and machines were getting hacked left and right. I wanted to help my friend at least get a local hardware firewall in his lab, but the IT department wouldn't allow it for some reason. So he ha
  • Most of the comments about this article are FUD, UCB is bound by the same Senate Bill 1386 [techtarget.com] as all the rest of the UC campuses.

    Which means that if a security breach exposes personal or confidential information it must be reported to the state and any individual it affects, creating a whole legal mess. All UC system administrators (myself one of them) take security very seriously and do everything we can to avoid a 1386 incident. Working at a large educational institution and being a constant target of spa

  • I have fond memories of using that beast during my stay at Cal. Would be fun to be able to run some of the stuff that was on there, e.g. the original versions of SPICE, OJM Smith's POWERSYS and CAPSYS and dabble in COPMASS again.

    Even more fun would be to get one of the SS-90's online (these were haunting the basement of Corey Hall in the early 70's).
