Colleges Urged To Ban Telnet And FTP

M100 writes: "The Chronicle of Higher Education reports in this story that a computer-privacy 'expert' has told colleges that they should ban Telnet and FTP because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.'" The story is based on Simson Garfinkel's writings ... it's mostly about other stuff, too. (Besides, who doesn't at least use ssh?)
  • yeah maybe mark it down for being stupid, but not for being off-topic! moderators marking stuff wrong?! no!
  • We really need to cut all these cables, remove the wireless systems, and ban networking altogether. I think 40 years have demonstrated that networking gives unauthorized personnel access to Secrets Man Was Not Meant To Know.

    The real solution is to ban nothing, and try to educate the users about security.

    This is totally dead on. Frankly, I use telnet mainly out of ingrained and ignorant habit. But any network service has security holes. The solution isn't to remove the service, it is to secure it. SSH, as everyone and their brother pointed out, is one answer.

    But we shouldn't be thinking about what services we should be cutting off, we need to think about how they can be made secure.

  • He's not saying that providing remote login and file transfer services is bad; he's saying that telnet and non-anonymous FTP are bad.
    ssh and scp can completely replace them

    Umm... read the whole article. The person writing the article doesn't quote him as actually giving any reason for the no telnet/ftp suggestion other than 'the users can use them to get to private information'. Read it again. The entire article says 'Web servers record private information in log files. users can get to these log files with telnet and ftp. therefore, don't use telnet or ftp.' Now, of course, this is completely nonsensical, as you can put the log files somewhere nobody can see them, and thus the problem no longer exists.

    Also, the article never mentions any alternatives to telnet and ftp. Why? Because *any* method of accessing the machine configured in such a way allows you to get to the improperly configured log files. The problem isn't with the insecurity of the connection method, it's a problem with the insecurity of the data on the machine itself!

  • FTP doesn't grant unauthorized access, people get unauthorized access.

    Maybe we need to hire the NRA lobbyists to protect older software?
  • NFS is a huge security hole that lets evil college students share their files seamlessly. It must be stopped, by any means necessary.

    Additionally, rumors have been flying that some male students have been writing little bits of drivel on paper, then passing these notes to women they find attractive. It must stop now. All pencils, pens, crayons and tablets must be seized and burned. Our young women must be protected.

    The best and final solution is to simply stop educating the young. The "teacher-student" interface is a massive security hole that fosters the communication of ideas between people without the tacit approval of the state. These evil young people may then use the technology in ways the tribe of elders have not approved. This must be stopped.

    Thank You,
    The Controller
  • I live in a dorm at UNT (University of North Texas) and for a good while we had incoming telnet and FTP blocked (anything off of the campus network couldn't get in). It made it rather annoying when I went home for a weekend but wanted to telnet into my running box. And, I couldn't use ssh because I don't have time to download and install a client on every Windows box that I use. (who knows of a nice Windows ssh client? I haven't looked.)


    Funny thing is, the wonderful UNT network people were only blocking connections that were coming in on 2 ports - 21 and 23 (ftp and telnet, fyi). That's all. Nothing else. Um, guys, maybe that's not too bright. Solution? Just run the services on another port...not too tough, just add a few lines to /etc/services and /etc/inetd.conf and restart inetd. Then you can telnet and ftp to your heart's content, just use the new ports.

  • Of course, the System Admin is the one person who is least likely to be thwarted by your use of PGP. Face it, the only thing that protects your privacy from your system administrator is the admin's professionalism. That & the fact that the admin doesn't have time to waste reading your email.
  • Of course, that assumes people are stupid enough to not run a portscanner before an attack. Frankly, I would imagine only the most neophyte crackers would neglect a portscan, especially since there are often easier and more tempting ports to target (especially in the first few days after an exploit is published).

  • no, you're redundant cause you're asking why you were marked as Redundant.
  • I think educating people as to what really happens when they telnet or ftp isn't stressed enough. The IMAP mail server at our school doesn't support ssh, but uses kerberos instead (I hope I have that right ;) Students are thus encouraged not to use Netscape to check their e-mail but to use Pine or another kerberos enabled program instead. Of course how do they run Pine? Unsecured telnet to the unix servers! And how many people just don't realize you can't hide something in your web folder? AFS/IFS surfing is a favorite lunch time activity for those in the know :)
  • cmu is for fags. real students go to MIT

    It's enlightening to see what your superior education does for your social skills.

  • I don't; I _can't_.

    My summer job (here at unisys, whose stock makes interesting watching these days) has me sitting behind a firewall. This I can live with and in fact find quite reasonable.

    The firewall is set to only allow outgoing connections to specific machines/ports. This I find highly annoying, but if it let out the right ports I wouldn't mind.

    The ports I know of that I'm allowed to connect to are 21, 23, 80, 81, 443, 8000, 8080, and any port on AOL's IM servers. Nothing else. You'll notice that 22 isn't in that list. That's right - the corporate firewall is so secure that you can't use ssh. Telnet access, however, apparently meets some business need.

    I'd actually like it if every school started dropping telnet access and only allowing ssh. Maybe the cry of "let me read my school email" from all the interns would get the corporate firewall policy changed.
  • I used to work as the network manager for a college, which had a couple of hundred ethernet sockets in student accommodation. Here's my take on this and on why I think it's likely to be less of a problem in the future.

    Why are unencrypted protocols so much of a problem?

    The main reason why telnet (particularly) is singled out as a security culprit is that it's so trivial to harvest passwords, if you have the potential to eavesdrop on a network connection. The username and password are transmitted in the clear, right at the start of the connection: all you need to do is grab the first hundred bytes of any connection to port 23, and you'll get 9 out of 10 passwords.

    Why is eavesdropping more of a problem in the residential network environment?

    The residential network environment is chaotic, and there is usually very little capacity for control of what is physically connected to the network. I've heard of administrators who are getting serious problems with their ethernets, who eventually track the problem down to a student with a hub in their room, or whatever.

    Ethernet is (in its basic form) a shared-media broadcast protocol; everyone gets everyone else's packets as well as theirs. Zap your adapter into promiscuous mode and there it all is. There are two basic ways around this from the hardware perspective. You either go for switched ethernet (which has traditionally been prohibitively expensive for the relatively low priority residential networks), or need-to-know hubs, which track the MAC addresses attached to each port, and scramble the data that goes to the others (for example, the 3Com SuperStack II portswitch hubs); both of these technologies have been significantly more expensive than the sort of baseline kit that has traditionally been specified in campus LANs.

    Aggravating risk factors

    We're seeing a lot more students running multiuser systems; Linux, *BSD, whatever. These are quite often not the best maintained machines. They are relatively frequently subjected to root exploit, and are less likely to be quickly detected as such than well run systems.

    Also, the prevalence of and reliance on network services is on the increase. As the density of usage increases, so increases the potential for catastrophic breaches of security. It is not unheard of for thousands of accounts to be compromised by a sniffer attack from a rooted Linux box.

    Why the future is rosier...

    For a start, networking kit that isn't susceptible to sniffing attacks is becoming cheaper. I personally got budgetary approval to replace all our hubs with need-to-know hubs, and my successor is installing switches to service student ethernet ports.

    IPv6 is on its way; hopefully bringing network layer encryption and authentication. This is the ideal solution; SSH is great, but this sort of stuff should not be going on at application layer.

    There is a significantly greater awareness of the issues on the part of university technical staff. I reckon some of the security people here know more about 'r00t-kits' and 'skripts' than most of the 'kyddies'. This also trickles down into the administration: they realise it's bad press to be hacked, and it's also tremendously expensive to recover from it. Coupled with the decreasing costs of doing it right, as mentioned above, it means that 'network security' is becoming a higher budgetary priority.

    In summary...

    The campus networks that are being installed today are probably highly resilient to being snooped, but there are a lot of legacy installations, based on equipment that's possibly 3-5 years old, that are horrifyingly insecure. Ideally, in the future, we won't have to worry about layer-2 insecurity, because we'll be protected by the IP network itself; however, in the meantime, SSH Is Your Friend!

    Cheers, Nick.

  • Regarding the article on Tuesday, June 27, 2000 by Florence Olson, I must
    disagree with Simson L. Garfinkel's conclusion. Telnet and File Transfer
    Protocol have been pivotal in the advancement of the internet, and these
    programs or variations thereof will continue to be essential. The article
    states:

    Log files, for example, are created on Web
    servers whenever users click on the "search"
    button. Mr. Garfinkel asked, Who has access
    to those log files? What computers are
    capturing those log files? What policies do
    institutions have for automatically deleting
    those files on a regular basis?

    This quote says nothing about Telnet or FTP, and in fact implies that web
    servers are a problem. It also doesn't properly state what the log files
    record. The standard log file is configured to record every download of
    every document on the server, and from which ip the download was initiated,
    as well as every attempted download that triggered an internal error.
    Typically, these files are stored in a directory which normal users don't
    have access to.

    The article also quotes Mr. Garfinkel as saying, "We're moving into a regime
    in which far, far more information is going to be collected -- and
    frequently, that's going to be done over some sort of campus network." As
    quoted, he implies that the campus network will be actively involved in the
    collection of this information. The problem here is that the vast majority
    of information collection will happen when a user connects to a remote site
    not affiliated with the campus. The campus' role here is limited to
    providing a wire connecting the user's computer to the outside world. The
    campus has no control over what information is collected and how it is used.

    Telnet is a program used to connect the local client machine to the
    destination server via a text-based window. Such a connection is, for many
    operating systems, essential for remotely executing commands on the server
    or performing other tasks. FTP servers allow for the transfer of files,
    such as assignments or sample code, to and from the local client machine.
    While it may be true that the World Wide Web has significantly reduced
    reliance on this type of file transfer, FTP is still the most common choice
    of methods for password protected transfers.

    The danger which Mr. Garfinkel seems to address is the fact that the log
    files of an improperly configured web server may be accessed via Telnet or
    FTP, and therefore these services should be halted. The real solution to
    the web server issue is to be certain that the web server is properly
    configured and that the log files it generates are only visible to accounts
    assigned to work with them.

    The only indication of problems that might be related to Telnet or FTP is in
    the last paragraph, where he is quoted as urging "the more than 300
    residential-network managers and student-coordinators attending the
    conference to stop the common practice of using unencrypted passwords to
    secure network-user accounts." I'm not quite sure just what passwords he's
    implying are stored in an unencrypted format, since most telnet servers run
    on Unix, which stores its passwords in an encrypted format, and most ftp
    servers either use the Unix password file or an encrypted file of their own
    format. This argument may refer to CGI scripts which, being written by the
    user who wrote the webpage, can use whatever form of data storage the user
    desires.

    In summary, Telnet and FTP are not the culprits here. Poorly configured web
    servers are the problem. The possible remedies are as follows:

    1) Shut down the web server.
    A drastic and undesirable action, as you might expect.

    2) Protect the log files.
    This isn't difficult. In fact, on most of the systems web servers run on,
    log files are protected by default from unauthorized viewing.

    3) Turn off CGI.
    Web servers can be configured to not run CGI scripts that aren't in a
    specified location. Thus, the possibility that an uninspected user-written
    CGI script can be executed is completely eliminated.

    4) Train system administrators in security.
    A commonly overlooked area of system administration which needs to be
    addressed.

    5) Run the web server on a separate machine.
    The user's web directory can be accessed over the internal network by the web
    server, but its log files will be written to the machine it's running on.
    With this solution, the directories the log files are stored in aren't even
    visible by the machine accessed by Telnet or FTP.

    Do not look to Telnet and FTP as a solution to these problems, as they are
    merely a means to access the data which should be protected from them to begin
    with. The real culprit is the web server.
  • Close, but no banana. You can talk smtp, pop3, http et al with a telnet client, but they're based on the *TCP/IP* stack, not the telnet stack (whatever a 'telnet stack' is).

    smtp doesn't send usernames or passwords at all, let alone in clear text. http *can*, but if you're using this for anything other than trivial access controls or in a tightly secured network, you're very silly. Websites that ask for logins should be using https, especially if those logins are the same as logins used for other protocols.

    pop3 *does* send usernames and passwords in plain text, and these will often be the same user names and passwords that can be used to gain shell access on other machines (or on the mail server in a poorly-designed setup).

    The issue is not that there's something wrong with the telnet protocol as such. The issue is that there's *lots* wrong with sending clear-text passwords on broadcast media (campus or even company ethernet) or networks you don't control (the Internet). telnet, ftp and pop3 show this problem - they can be replaced with ssh, scp and pop3 over ssh tunnels.

    As to '90 percent of the traffic on the internet' being insecure - most of that traffic (I take it you mean http traffic) doesn't contain user names and passwords!

    Regards,
    Tim.
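Nick's post above ("grab the first hundred bytes of any connection to port 23") and Tim's post above (telnet, ftp and pop3 all send the password in the clear) describe the same attack. The following is an added example, not code from the original thread or from any of the posters: given the two directions of a captured plaintext TCP stream, it identifies the protocol from its content rather than from the port (so the "just run telnet on another port" trick from the UNT post earlier in the thread does not help), strips telnet option negotiation, and pulls the username and password out of the first few hundred bytes. The sample captures, hostnames, usernames and passwords are constructed for the example.

```python
"""Added example: harvest clear-text logins from captured telnet, FTP and
POP3 streams, classifying by content rather than by port number.

Input is the client->server and server->client byte streams of one TCP
connection (as a sniffer on a shared hub segment would reassemble them).
All sample captures below are constructed; nothing here is real traffic.
"""
import re

# Telnet protocol bytes (RFC 854).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the characters typed remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # command byte plus one option byte
        else:
            i += 2                      # two-byte command (NOP, AYT, ...)
    return bytes(out)


def classify(client: bytes, server: bytes) -> str:
    """Identify the protocol from the first bytes; the port is ignored."""
    if IAC in client[:16] or IAC in server[:16]:
        return "telnet"                 # option negotiation opens the session
    if server.startswith(b"220") and re.match(rb"(?i)USER ", client):
        return "ftp"                    # 220 greeting, USER/PASS commands
    if server.startswith(b"+OK") and re.match(rb"(?i)USER ", client):
        return "pop3"                   # +OK greeting, USER/PASS commands
    return "unknown"


def harvest(client: bytes, server: bytes, limit: int = 256) -> dict:
    """Return {'protocol', 'user', 'password'} from the first `limit` bytes."""
    proto = classify(client, server)
    client = client[:limit]
    result = {"protocol": proto, "user": None, "password": None}
    if proto == "telnet":
        # Once negotiation is removed, the client stream is what was typed:
        # the first line answers "login:", the second answers "Password:".
        typed = strip_telnet_negotiation(client).replace(b"\r\n", b"\n")
        lines = [line for line in typed.split(b"\n") if line]
        if b"login:" in server.lower() and len(lines) >= 2:
            result["user"] = lines[0].decode("ascii", "replace")
            result["password"] = lines[1].decode("ascii", "replace")
    elif proto in ("ftp", "pop3"):
        # Both protocols send USER <name> and then PASS <secret> in the clear.
        m_user = re.search(rb"(?im)^USER (\S+)", client)
        m_pass = re.search(rb"(?im)^PASS (\S+)", client)
        if m_user:
            result["user"] = m_user.group(1).decode("ascii", "replace")
        if m_pass:
            result["password"] = m_pass.group(1).decode("ascii", "replace")
    return result


# Constructed captures (not real traffic). The telnet one is imagined as
# running on port 2323 to make the point that the port does not matter.
TELNET_CLIENT = (bytes([IAC, DO, 0x03, IAC, WILL, 0x18, IAC, WILL, 0x1F])
                 + b"alice\r\nhunter2\r\nls\r\n")
TELNET_SERVER = (bytes([IAC, DO, 0x18, IAC, DO, 0x20, IAC, WILL, 0x03])
                 + b"login: Password: \r\n$ ")
FTP_CLIENT = b"USER bob\r\nPASS s3cret\r\nPWD\r\n"
FTP_SERVER = (b"220 ftp.example.edu FTP server ready.\r\n"
              b"331 Password required for bob.\r\n230 User bob logged in.\r\n")
POP3_CLIENT = b"USER carol\r\nPASS letmein\r\nSTAT\r\n"
POP3_SERVER = b"+OK POP3 server ready\r\n+OK\r\n+OK Logged in.\r\n"

if __name__ == "__main__":
    for name, c, s in [("telnet/2323", TELNET_CLIENT, TELNET_SERVER),
                       ("ftp/21", FTP_CLIENT, FTP_SERVER),
                       ("pop3/110", POP3_CLIENT, POP3_SERVER)]:
        print(name, harvest(c, s))
```

The telnet branch is a heuristic (it assumes the usual login/Password prompt order and that the capture starts at session setup); a real sniffer would pair client input with server prompts by timing. The point it makes stands regardless: none of the three protocols needs more than the first couple of hundred bytes of a session to give up the password, and an ssh or Kerberos login gives a sniffer nothing usable in that position.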
  • Speaking as a system administrator for a college network with 18000 users I would say the main threat is from inside the network. We have banned all forms of insecure communications on our network (telnet, ftp, pop) and the amount of "hackers" and malicious behavior has decreased tremendously.

    Kerberos pretty much solves all our problems (almost)

    NOTE: all users can still telnet and ftp of course, but they have to use Ktelnet [stacken.kth.se], ssh or such

    /das Ix

  • Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality

    Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.

    [1] Ssh tunnelling is cool because it can make most protocols much more secure. You connect to a computer via ssh, with the correct options to forward a port to or from it, and any traffic to a local port that you pick is sent over the secure connection, then sent to the remote host. When the remote host and the ssh host are the same, this is pretty secure (no chance for sniffing), and when they aren't the same, the sniffing risk goes down significantly if the server network is separate from the student nets, since that one is much less likely to be sniffed.

  • Seems that your sys-admin needs to hop on the clue-train.

    Oh, believe me when I say that there's a whole lot of b0rken computer systems on campus. We see a lot of "user-obsequious" here.

    Some of it has gotten better, mind -- the network maintainers do a good job implementing things that they think need to be done. It used to be nothing for the Banyan LAN to crash and be down for three days at a time. I rarely suggest things any more (like implementing SSL, or uncrippling the libraries on our servers, or...) because the people responsible ignore any and all feedback.

  • I attend (at least, will be attending) the University of Illinois down here in CornTown, and students register via Telnet on computers. Telnet is obviously a vital protocol that many universities still rely on - I could see this place banning it - "Whoops... well, no one's registered. Thanks for the money though!" For those universities still using old Telnet systems, it's crucial that it be a protocol that is used widely but still needs to be secure.
  • How many times are we going to hear and listen to this "web logs are evil" crap before someone points out that it's all total BS? If you're that paranoid, you should stay off the entire 'net. Logging is a fact of life; how else do you expect server admins to know if their nav is working right, or what parts of their sites are most popular to sell ads? It just doesn't add up. For most, who cares if their IP is seen and logged? It's dynamically assigned every time they log on anyway. Even if it's not... what difference does this possibly make? The claims of traceability here are total nonsense, and I can't see any reason anyone would believe this crap.

    ---
    Tim Wilde
    Gimme 42 daemons!
  • Really though, why leave ftp and telnet open? Users should be educated about some things like good passwords, but why educate some english literature major on the shortcomings of the telnet protocol if they're never going to need it again? It's sort of analogous to teaching them why they should use the web rather than gopher sites sort of, there's no real reason for them to have to LEARN that. Cause let's face it, 100% of people won't learn it.

    I think a lot of people are missing here that the danger isn't for someone to break into some guy's account and read their email (which only affects the user who was connecting insecurely), the danger is that when someone breaks into an insecure box they often use it as a launching point for attacks on other systems, which affects everyone. If it was just the single user who was harmed I might agree that banning protocols MIGHT not be the best solution, but usually when a user's account is compromised they don't even notice. Someone just gets in and launches attacks, or uses other vulnerabilities to get root on the local machine, etc.

  • I wrote:

    Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality

    kawaii wrote:

    Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.

    You need some PuTTY [greenend.org.uk] - it makes Windows usable. It's a free SSH client for Windows, that also (if I remember correctly) supports port-forwarding etc. It is released under the MIT licence (kinda similar to the BSD licence) which is 'Open Source certified'.

    Just as an aside; how recently is it that SSH has become a standard part of Linux distributions?

    Cheers, Nick.

  • This is exactly the problem at my university. All the main servers accessible by university affiliates are accessible via both ssh and telnet. It would be great to go ssh only, but the client side issues are a pain in the neck because of the stupid RSA patent.

    Take SecureCRT, for example. We currently have a site license for plain old non-encrypted CRT, which means we can distribute it freely to everyone affiliated with the university. However, it is impossible for us to get a site license for SecureCRT, because Van Dyke has to pay a royalty for each copy sold, and therefore can't distribute an unspecified number of copies. This a. Makes the price of SecureCRT prohibitive and b. Limits our methods of distribution.

    Yes, there are free implementations, and many people use them. But these aren't legal in the US so we can't distribute them, or even really endorse them (a public university encouraging people to break the law is usually frowned upon).

    I'll be extremely happy when the patent expires in September.

  • by gavinhall ( 33 ) on Friday June 30, 2000 @03:19AM (#966070)
    Posted by 11223:

    Hold, hold, hold on here a second. Banning the protocol doesn't make sense. On some computers, one can telnet in and play a game of rogue as the games user, for example. Don't ban anonymous FTP as well - it's been one of the backbones (not literally) of the Internet for years.

    Do encourage system administrators and users to never, ever log in and send their password remotely over telnet. Inside the college network is a different idea. (And some vendors, *cough* *cough* most of them *cough* *cough* don't have the good sense to pre-install ssh on their systems! Telnet can be a good thing.)

  • FTP, Telnet, and all the other protocols are useful in one way or another.

    Yes, these are both useful services. But why run them when secure versions (ssh, scp, etc.) exist. These secure alternatives can do everything ftp and telnet can do, but more securely. You would be a fool to keep the plaintext services.

    As far as HTTP goes, the number of machines running a web server should be FAR less than those requiring telnet/ftp type access. These few web servers are much easier to keep track of.

    And another thing:

    Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files

    See that: partially. I would amend that by saying: Telnet and FTP are security risks mostly because they transmit passwords in plaintext. It is this problem that lets crackers get into your system and get access to your precious logs.

  • I think that computer networks, in general, provide an easy mechanism for accessing personal data. How can this be tolerated?

    If there is a file on one computer and I want to use it on another, what choice do I have except for a computer network? This is incredibly insecure!

    And don't EVEN get me started about floppy drives!
  • I am getting really sick of these lame security alarmists lately. They have apparently run out of intelligent things to say and now have taken to restating the obvious as if it is a profound new discovery.

    "TELNET IS INSECURE!!!" - Well, duh, you fucking dumbass.

    "WATCH YOUR EMPLOYEES FOR PERSONALITY CHANGES. THAT COULD MEAN THEY ARE TAKING DRUGS OR EMBEZZLING MONEY!!" - Well, duh, you fucking dumbass.

    "HACKERS COME FROM THE INTERNET" - Well, duh, you fucking dumbass.

    I would like to propose a new Internet Acronym (IA) of WDYFD (I think you can figure out what it stands for) to be used in reply to pompous, overzealous announcements to impress those who haven't quite figured out what that shiny square thing is sitting in front of them...

    "The sky is blue!"
    "WDYFD..." :)

    Douglas Adams first documented this phenomenon in the Hitchhiker's Guide to the Galaxy. "It sure is a nice day, isn't it?" - However, it seems like the security dorks are really trying to cash in on this to keep their paychecks coming in. But, I hope they all remember the story about the little boy who cried Woof! (er, um, Wolf!) The more they keep desensitizing us to their "profound" announcements, the less we are going to pay attention when they actually have something important to say.

    Is it just me, or do other notice the same thing amongst the security mailing lists (M Kabay comes to mind) and security trade rags?

    I'm not saying that security is a bad thing. But I just want them to tell me something that I don't know. Not a bunch of obvious crap. Ways to work with technology, not a Luddite view of "oh, no, lets not use it at all!"

  • I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves; but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins;

    Maybe I'm wrong about this, but it seems that free SSH clients are rare and far in between for the Mac OS? My school _does_ only allow access to some machines by ssh, but they also have a few alphas standing by with telnet as a proxy into those ssh machines for the Mac users who don't want to shell out the $$ to buy a commercial ssh package.

  • Because it allows for dissemination of illegal and inappropriate media, let's ban writing of any type aside from the pre-approved literature!

    I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.

    Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?
  • by Mojojojo Monkey Inc. ( 174471 ) on Friday June 30, 2000 @05:53AM (#966076)
    You try explaining Windows security to Stacey the sorority girl on the 4th floor who just wants to check email, surf the web, and play cd's and mp3s. Good luck.

    You'd be better off just throwing the "official university software" cd at her for $10 and telling her to run only programs off of that disk. (including SSH and whatever crap ya want.)
  • This sounds awfully like a very bad article, written on the basis of a half-heard and barely understood talk. Given who Simson Garfinkel is, I think he does know what he's talking about, but that article reads as if it was written by an intern from the paper's "religion and dog shows" desk.

    As an example, Log files, for example, are created on Web servers whenever users click on the "search" button.

  • by sesca ( 149978 ) on Friday June 30, 2000 @03:22AM (#966080)
    My understanding of this is that the article is only encouraging universities not to provide telnet and ftp services to their students. So rather than allow students to login to their accounts via telnet they would have to use some secure method such as ssh.
  • TeraTerm Pro [vector.co.jp] is free and the SSH extensions for it are also free. It is the client that I always download when I am on the road and need SSH access to my home machine.

    A quick look through WinFiles terminals section should turn up others. SecureCRT and ZOC are not the only SSH enabled terminals out there.
  • OK, it's true. The article doesn't call for banning of telnet or ftp. Just insecure telnet and ftp.

    But will college administrators (not technical administrators, organizational administrators) understand this? These are the same people who decided the best thing was to convert everything over to NT, at my school....
  • "It would be great to go ssh only, but the client side issues are a pain in the neck because of the stupid RSA patent."

    Just as a reminder, the patent on RSA runs out in a few months. I don't remember the exact date...
  • by gwalla ( 130286 ) on Friday June 30, 2000 @08:13AM (#966088) Homepage
    If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions.

    Hehe...one time I managed to confuse the hell out of a friend of mine by printing stuff on his printer through Network Neighborhood, including a document that said something like "Doesn't it suck having people print random stuff in your room? Take your printer off the network and you won't have this problem." He had to get me to do it, but at least he was more security conscious from then on.

    Of course, this is the same guy whose dorm room I rewired so he couldn't turn off his lights...


    ---
    Zardoz has spoken!
  • I don't think anonymous ftp ought to be phased out. Since there's no password required, and since most ftp servers reserve the right to log all transactions, users of anonymous ftp should have no illusions of privacy.

    Imagine if Walnut Creek shut down their server and said "Sorry folks! No more unencrypted ftp. We only allow secure logins." For truly anonymous ftp, you have to cater to the lowest common denominator.

    OTOH, telnet, rlogin, et.al. are evil and should have been wiped out long ago. Go ssh! :)

  • I may be biased, but I work on housing network stuff at the University of Illinois (UC) and I don't think this is an issue. Our campus-wide network is comprised mostly of switches, making packet sniffing tough. And the dorm networks, which are likely the most dangerous place to have people sniffing, were set up with hubs that scramble data for anyone besides the recipient of that packet (that was the beginning of switching technology, 8 years ago). They're being replaced with full-fledged switches as i type this.

    That being said, I would hope that most other campuses have taken similar precautions against packet sniffing when they designed their networks. There's nothing really radical here, mostly using switches instead of hubs.

    On a well designed network, choice of protocol should matter a lot less.

    chris
  • This article is published in a higher education journal, but is filled with grammatical mistakes and doesn't have a consistent flow of ideas. There are enough technical mistakes to make me grit my teeth.

    I have a feeling Simson was talking about creating privacy friendly policies about log files, and during that discussion he related that protocols like FTP leave traces in log files. The author of this article then misunderstood what he was talking about and came up with a standard troll leader.

    And any article with a good troll headline gets posted to /. where we can all get off the subject and onto better discussions like the goodness of SSH.

    the AC

    Think protocol layers and evolution. Ethernet, which is hardware based, needs (generally) a software stack, such as TCP/IP. TCP/IP then has other protocols which ride on top of it such as HTTP, pop3, ftp, etc. (just go look in /etc/services). Most of these protocols were coded with the same concept that telnet had; they are based upon the same telnet protocol. In the early days a telnet "send ayt" used to reply with "Yes" under many of these. A lot of this functionality has been stripped from most software by now.

    As for smtp, uh yes it can send usernames in clear text. Look at the new RFCs. Thank God most people who implement smtp auth use at least some form of encryption.

    To think that HTTP doesn't send passwords is just silly. Look at all the portal sites in the world. Most "common users" use the same password - and wow usually they are plain text. Most people don't even think about the option to "sign in securely" that most portal / chat / etc. sites use these days.

    At my school [iit.edu] they were going to do this during the fall semester of last year. They even went so far as to buy a 10,000 user site license for the Windows users so they could use SecureCRT.

    Anyway, despite the fact I'm a unix sysadmin at work, I still was against this move. First of all, my school has a HUGE proportion of international students (somewhere around 35%). Some of these students are from countries where their legal status to use such encryption in the US is questionable at best. Secondly my school apparently hadn't compiled in the RSARef library and the sysadmin couldn't figure out how to do it. (When you pay $30K for a sysadmin you get a $30K sysadmin).

    But the bigger issues were these. First of all, there was no suitable legal Macintosh SSH client at the time as NiftySSH apparently suffered from the same nasty patent problems. Secondly, most school systems have HUGE numbers of accounts (this system has 14000+ accounts on it), many of these have never been used and getting access via a default password (usually last.first or social security numbers at most places) is trivial.

    Turning off telnet then only really makes it a headache for people who can't get SSH, or who go home for the weekend and don't have an SSH client. It doesn't address the poorly configured log files which are the real problem in the first place.

    As a postscript, my school has now implemented some crappy java/html insecure mail system which makes it easier to read other people's email because now it's sent all at once and you don't have to filter out the cursor keys in sniffit logs.

    It's true, if SSH were available for every platform, freely (FAIB and FAIS) then this would be good, but it's not, telnet and FTP are.

    If you're willing to use ssh.com's software, scp works rather well between their windows client and a unix ssh2 server.

    That's the only one I know of, but it works well enough for me to replace ftp with it whenever I'm going over an unsecured network.

    chris
  • From the article:

    Log files, for example, are created on Web servers whenever users click on the "search" button. Mr. Garfinkel asked, Who has access to those log files? What computers are capturing those log files? What policies do institutions have for automatically deleting those files on a regular basis?

    Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files, which can then be used by crackers. But then, he goes on to say that web search forms have the same problem (see quoted paragraph above). So why isn't he urging the colleges to consider shutting down HTTP as well? Heck, log files must be on every server, so block TCP/IP while you're at it!

    I think it's been posted before, but the answer isn't removing access to various protocols. Colleges ought to give out a pamphlet of basic security measures to every incoming student, a sort of primer on protecting your computer from crackers. Maybe even provide firewall software for their students? Let's face it: most of them aren't going to know anything about computer security, and it's probably the first time they've had a high-bandwidth always-on connection.

    FTP, Telnet, and all the other protocols are useful in one way or another. The potential for misuse shouldn't lead to banning them or blocking them.

  • My school's computer science department [hmc.edu] and the staff of their student-run servers barred all plaintext logins (telnet, FTP, rlogin, rsh) to their systems over a year ago. We wish that admins of the other servers on campus would do the same.

    The department had continued problems, though, with students too lazy to install ssh clients on their own desktops who would telnet into one of the other campus Unix machines and then ssh into the CS servers. Of course, this completely defeats the security. Warnings and reprimands didn't work; the staff eventually had to implement automatic filtering to stop people from doing this.

    Poorly-behaved users will make any security scheme worthless. The most important thing IT departments can do to improve their security is help users understand why it's important, and what they can do to help. Many students don't realize that when they leave their own box insecure or broadcast their own password over the network, they are not only endangering themselves. A single weak point on a LAN endangers everyone, and makes it easier for an attacker to breach every other box on the network. Keeping your own accounts and connections secure is part of being a good neighbor to those whose systems you share.

    I completely disagree with encouraging the ban on telnet and ftp. Here are the reasons:

    1. As the issue pertained to ResNets on college campuses, one of which I work at, one authentication method for internet access registration is via plain text telnet in a perl script. Basically, when the user registers for their room connection, a script telnets to the mail server to check if a valid email account exists (to authenticate the student, that s/he goes to that school).

    2. The issue isn't really about breaking or rooting systems, but about access to logs. Unencrypted telnet/ftp is a very big security issue on a public server, but most traffic on a campus network is usually segmented with multiple routers. Unless you were physically on campus, and on the same supernet (a stranger would have to hack a router to deduce the complex topology), it would be hard to intercept plaintext transmissions from off-campus. Again, the threat would be from within the university, that someone would deliberately try to access logs.

    3. This is all from my own limited personal experience at the University of Connecticut, so I might be wrong.
  • Simon Tatham who wrote PuTTY also wrote pscp, an SCP client for Win32 [greenend.org.uk]. It's command line, but works great. BTW, PuTTY has great terminal emulation and speed, unlike MS Telnet and QVT/net (which Dal installs in their PC computer labs.) (BTW, I think MS fixed their telnet client in win2k, so it doesn't suck nearly so much now.)

    For MacOS, there's NiftyTelnetSSH [lysator.liu.se], which includes SCP support. (and decent, fast terminal emulation, unlike NCSA telnet.)

    All these programs are gratis, but NiftyTelnet might not be libre. (PuTTY and pscp are.)

    For Unix, of course, there's OpenSSH [openssh.com].

    For VMS, there's an FAQ [stacken.kth.se], which recommends a server [ohio-state.edu] and a client [free.lp.se].
    #define X(x,y) x##y

    I can offer my personal experiences as a network administrator on a college campus. Several years ago, I was the network admin for the Admissions Office for a local University. For years, all of the administrative computing had taken place on an IBM SNA network, with the academic computing on a separate TCP/IP network. When the administration switched from terminals to PCs, they decided to phase out SNA and replace it with TCP/IP, using Telnet and TN3270 for mainframe terminal sessions. I tried (and tried, and tried) to convince the campus admins of the dangers of using unsecured protocols. I even gave them a demo with a shareware DOS based packet sniffer, showing them how I could catch anyone's username and password as they were typed across the network. Cost issues won out. At this campus, at this very moment, any student with knowledge of the field could get the username and password for anyone in the Administration. Changing grades, modifying records, wreaking general havoc, all within easy grasp.

    The problem is not just that this is a security issue, but that providing what amounts to unrestricted access to academic records is a violation of the Buckley Amendment. This school, and countless others, are putting the academic records of their students at risk. Students should really be the most vocal critics of these schools, demanding that their academic records be afforded the protection that they deserve, and that the law requires.
    Yes, let's all use algorithms that we don't know if they have been proven or not that will solve the problem, not. Of course no cryptosystem is completely secure, but that's not the question that should be asked. The real question is, is this cryptosystem secure enough for the task at hand. PGP in general is secure enough for most tasks (like all those X rated emails you send to your girlfriend that you don't want the System Admin reading). Sure it's very well possible that PGP can be cracked by the right person under the right conditions, but what are your odds of running across that person? As for an unpublished algorithm, you can not be sure of the risks involved because, for all you know, that algorithm could have a backdoor in it.

  • by Valdrax ( 32670 ) on Friday June 30, 2000 @05:24AM (#966142)
    Pushing people to use SSH isn't going to help too much when the majority of students will still have to send passwords in plaintext format over FTP. There is no real cross-platform replacement for FTP, AFAIK. I've heard mention of SFTP, but when I went looking for it, it seems it's someone's pet project for Unix machines only. I've become really bothered by this lately now that I'm getting in the habit of using SSH.
  • What he's saying is that telnet and ftp are insecure and that sysadmins are not doing anything to address that issue, which is fair enough. Telnet should not be used over the internet, ssh should be instead, and any anonymous ftp server should not give a black hat access to the rest of the network.
    This is not a 'ban ftp' thing but merely a take care and always read the security announcements.
  • I only use SSH (secure shell) and SCP (secure copy) to access my web hosting service.

    There are not many web hosting services that allow you shell access at all, let alone secure shell. One that does is the one I use, Seagull Networks [seagull.net].

    The funny thing is I use SCP to upload my web pages. Anyone on the net who wants to can look at my web pages after they're uploaded, but they won't have my password.

    Do you use a different password for important sites like your web host from the many websites out there that require passwords for you to register for some service? Good.

    Even better is if you use a different password for every website you register on, because some of the websites offering some useful service may be doing double duty as password stealers.

    Since most people use the same password everywhere, a site can give you, say, a free trial of some porn in return for your password and email and then hack your account.

    I would suggest that any university or company do what Apple did when I worked there and require the combination of a password and a cryptographically generated key that's made by some device.

    At Apple I had a little credit-card device that showed a different password each minute. I think they basically calculate a new secure hash every minute from the old one, combined with a password that's programmed into the unit but not visible to the user.

    See my page on why everyone should use encryption [goingware.com].

    Tilting at Windmills for a Better Tomorrow.
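    A worked example of the kind of minute-stepped token the post above describes, added here and not Apple's device or any product's code: it derives a six-digit code from a shared secret and the current minute with HMAC-SHA256 (an assumed construction, rather than the hash chaining the commenter guesses at), and shows the server-side check that requires both the password and a fresh code and refuses a code that has already been used. The user, password, salt and token secret are constructed values.

```python
"""Two-factor login check modelled on a minute-stepped hardware token.

Added example (not Apple's device or any product's code). The token code is
HMAC-SHA256(secret, minute counter) truncated to six digits, an assumed
construction; the user, salt, password and secret below are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the card in the post showed a new code every minute
DIGITS = 6
WINDOW = 1          # also accept the previous/next minute to tolerate clock drift


def token_code(secret: bytes, counter: int) -> str:
    """Code the device would display for one time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # dynamic truncation: take 4 bytes at an offset chosen by the last nibble
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def current_code(secret: bytes, now=None) -> str:
    """What the user reads off the card at time `now` (seconds since epoch)."""
    if now is None:
        now = time.time()
    return token_code(secret, int(now // STEP_SECONDS))


class Verifier:
    """Server side: password plus a token code that has not been used before."""

    def __init__(self, users: dict):
        # users maps name -> (salt, sha256(salt + password), token secret)
        self.users = users
        self.last_counter = {}  # highest time step already accepted, per user

    @staticmethod
    def hash_password(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode()).digest()

    def login(self, user: str, password: str, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        if user not in self.users:
            return False
        salt, pw_hash, secret = self.users[user]
        # factor 1: the password (constant-time comparison of the hashes)
        if not hmac.compare_digest(pw_hash, self.hash_password(salt, password)):
            return False
        # factor 2: a code valid for some step inside the drift window ...
        counter = int(now // STEP_SECONDS)
        for delta in range(-WINDOW, WINDOW + 1):
            candidate = counter + delta
            if hmac.compare_digest(code, token_code(secret, candidate)):
                # ... that has not been consumed yet: a code seen on the wire
                # is worthless once it has been used once
                if candidate <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = candidate
                return True
        return False


# constructed demo user
DEMO_SECRET = b"constructed-demo-token-secret"
DEMO_SALT = b"constructed-salt"
DEMO_USERS = {
    "alice": (DEMO_SALT, Verifier.hash_password(DEMO_SALT, "correct horse"), DEMO_SECRET),
}


def demo() -> tuple:
    """Four login attempts: fresh code, replayed code, wrong password, later code."""
    v = Verifier(DEMO_USERS)
    t0 = 1_000_000.0
    code = current_code(DEMO_SECRET, t0)
    first = v.login("alice", "correct horse", code, t0)            # accepted
    replay = v.login("alice", "correct horse", code, t0 + 5)       # same code again: refused
    wrong_pw = v.login("alice", "wrong", current_code(DEMO_SECRET, t0 + 120), t0 + 120)
    later = v.login("alice", "correct horse", current_code(DEMO_SECRET, t0 + 120), t0 + 120)
    return first, replay, wrong_pw, later


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```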

  • Besides, who doesn't at least use ssh?

    The answer: Yeshiva University which stopped allowing SSH access to the main e-mail server. I heard the reason they gave was they wanted to be able to monitor who was logging on to the system or something like that.

    Don't ask.
  • by Jon Erikson ( 198204 ) on Friday June 30, 2000 @03:23AM (#966162)

    The problem is not with the two protocols in themselves, but more with network administrators that don't have the time or concern to implement the full range of security measures that are required to make them safe.

    Not allowing FTP or Telnet to be used will increase the security for wide-open systems to an extent, but a dedicated cracker will find a way in anyway if they really want to. The trick is to make it hard enough so as not to be worth the effort, and there are a lot more things which should be done before banning FTP and Telnet will help secure a network.

    And on an off-topic note, what the Hell has been happening with /. today? It comes on for ten minutes, dies for an hour and then repeats... is it anything to do with the 1.05 slash code update?



    ---
    Jon E. Erikson
    That's why I was surprised to see that he was involved in trying to "ban" FTP and Telnet. However, the blurb is misleading. SG was saying that there are inadequate protections for student privacy within the University context. I've got to agree. The number of University machines that get cracked (either due to negligence, laziness, or ignorance) is astounding. Then, start shooting unencrypted traffic around, and the cracker has every username/password pair they might want.

    The problem is just what SG says-- there ARE ways to encrypt traffic and make personal data more secure, but there is no infrastructure (in terms of human support and resources for teaching the end-user about these things).

    One of the reasons why secure FTP hasn't taken off is that it's a HUGE CPU hog. I've had difficulty transferring large files without one side of the connection dropping off with scp.

    What I would like to see is a "less secure" secure FTP protocol that would scramble user/password transactions ONLY, and let the files transfer in "plaintext". Or just amend the FTP protocol so that regular FTP servers can be configured to demand this.
  • by ywwg ( 20925 ) on Friday June 30, 2000 @03:24AM (#966168) Homepage
    I would ban windows networking first. If you go online in any dorm, you'll see a whole host of people happily sharing their hard drives and printers with full permissions. Telnet and FTP take some effort to set up, at least on win9x.

    The real solution is to ban nothing, and try to educate the users about security. Little things like, "turn off inetd," "disable sharing," "if you do share, give it a good password," etc. Colleges throw persistent megabit connections at their students without so much as a flyer for common security issues.
    I work at a University (I won't say which one for fear of job safety) that has repeatedly made ignorant security decisions like the one above. The first was to disallow outside access to all ports less than or equal to 1024 (except for those machines in the server farm). While this can arguably make sense, it's painfully annoying when trying to get on irc.

    Yes, I stopped caring about trying to get directly on irc and just used a shell. Not having ident is extremely painful at times, though, I must tell you.

    The second ignorant decision? Firewalling off ICQ. Yes, ICQ. Apparently ICQ presents such an amazing security risk that they cannot allow students to use it on their own computers. Naturally, I used a previously mentioned shell to run a socks5 proxy, but that's not the issue. Most people wouldn't do such things. They think that all security is the responsibility of the network administrator, and not the end user.

    I should mention that they advocate the use of AIM, and use nothing but Netscape on the network right now....

    Are IT professionals at colleges as ignorant as they appear to be? I find it hard to believe that people who set up a heterogeneous network of solaris, linux, aix, windows nt, and macos x servers using an oc3 uplink and fiber optic backbone connections between buildings could think that ICQ was enough of a security risk to justify firewalling it off.

    Then again, they blocked port 4000 altogether.

    Maybe it is possible.
    --
    If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.

  • I was wondering about the funny score as well. But since I'm a serious karma whore, I'll take what I can get.

    Yup, this article didn't deserve a precious post on slashdot. By posting this worthless troll, a jon katz article may have been rejected. What a shame :-)

    the funny AC
  • by generic-man ( 33649 ) on Friday June 30, 2000 @03:24AM (#966180) Homepage Journal

    They're not going to ban Telnet and FTP, and the article doesn't call for that. What the article is calling for is to ban the practice of unsecured Telnet and FTP, something highly advised at schools such as mine [cmu.edu].

    According to the article, many colleges don't set proper access restrictions on log files containing vital information, so those files may even be indexed when a user does a search on the school's web site. That's just stupid, as any admin can see. Furthermore, most students, even at privacy-minded schools like mine, don't bother with using encrypted Telnet or FTP sessions. They figure nobody's out to get them, and so they don't need to authenticate. My next-door neighbor, before getting effectively kicked out of the school, wound up sniffing all of the passwords of everyone on our subnet who even once logged in unencrypted. While he didn't use that data for malicious purposes, a more unscrupulous character could easily publish them.

  • Step 1: encrypt the files you want to upload to a remote host using your favorite method.
    Step 2: login anonymously, upload to /pub/incoming or something similar.
    Step 3: ssh in, mv the files, chown/chgrp/chmod them, and decrypt them.
    Yes, that reminds me of a case that happened at my university (De Montfort in Leicester, England) where the Unix network (an HP-UX network) also had a 386 or something PC connected to it to facilitate FTP. This was vital when you wanted to download stuff very fast from the university network and sneaker-net it home on floppies :) .. Such as I did before I had internet access from home the following year.

    Anyway, this PC got cracked very easily (the obvious fact that it had a floppy drive on it to do the ftp also meant it was bootable via that) and a password sniffer was installed, thereby getting everyone's password when they used the FTP program to get their files via FTP from the HP network.

    They caught the guy very quickly though, I can't remember how now but it was easy because he was local .. I don't know if the external security was much tighter, I believe it was though. I remember the network admin coming around telling people to change their passwords as they had reason to believe they'd been compromised, of whom I was one ... Hi AJC, if you're reading :)

    I'm blathering anyway.. but I agree with the above two posts that yes, universities are 'almost' as bad as the real world .. I think that's because people (students) tend to view the campus network as more of a 'playground' and would try things they'd never try against a company that might sue them into oblivion.
    --
  • They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.

    So how do you prevent people from sniffing web-mail passwords?
  • A skilled administrator will use SSH.
    An unskilled administrator will use Telnet.

    An unskilled administrator is a risk. (They're also called 'students', but who's counting?)

    People actually shouldn't be telnetting in from the outside world, and I'm starting to flat out distrust wu-ftpd. Banning servers at all on campus would violate the purpose of the university, and the rather nice job market facing college interns and graduates who cut their teeth on their home networks is nothing to sneeze at.

    Not particularly sure about my position on this. Comments appreciated.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • And we all know how useful that network would be...

    In their eyes of, oh, say, Mattel, or AOL/Time Warner, or the RIAA/MPAA - the PERFECT NETWORK. Or at the least, a step towards the perfect network. The perfect network being a one-way path for the delivery of useless content surrounded by propaganda and advertising, all of which can be relentlessly pushed down the pipe, and where control of content/criticism and speech is absolute. What better place to start than in the schools? Today's users will never accept it, but the next generation...?

    "I will gladly pay you today, sir, and eat up

  • by (void*) ( 113680 ) on Friday June 30, 2000 @07:01AM (#966190)
    Try PuTTY [greenend.org.uk]. A nice, one-binary-only windows client that is Free!
  • Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), ...
    There is a Java implementation of SSH called MindTerm [mindbright.se] that I'm using with great success (CA to IL). It does X forwarding, which is what I mainly crave. And no, it isn't hideously slow.

    The best thing about a Java implementation is that you can run it off anybody's computer without a lot of grumpy installation. I've always missed SSH when I've come to some random, locked-down machine.

    -Lars

  • The apparent goals of this movement are to maintain user-privacy within a University environment and to minimize the vulnerability of the systems.

    What I think they are talking about is the tightening down of services on Campuses, since they're very prone to attacks and abuses. They are encouraging campuses to instead require students to make use of POP / IMAP for mail, Instant Messengers for communication (instead of the online talk / write), of remote GUIs or client applications for access to other types of services such as databases / statistical packages.

    The advantage is both the additional security of the main information servers and the alleviation of load, especially since desktops are a hell of a lot more powerful today than ever before. So much so, that the lag from a telnet window on a heavily loaded machine can be almost unbearable.

    The only way this could work is if there were separate CIS / scientific networks that could still take full advantage of UNIX services like telnet. Just try taking telnet away from a CIS department and see how far you get. So long as the information contained in these extraneous networks were segmented, and contain a minimal number of accounts and services, the intention of this movement would be upheld.

    From my point of view, however, removing telnet and FTP cripples the power of UNIX. First and foremost, you lose seamless remote administration, which is the main advantage over NT as far as I'm concerned. Next it'll remove familiarity of UNIX from future generations of college graduates, which in the work place would make it harder to find those with such experience; a good number of people stay in Windows as it is. I believe the main reason that a lot of people opt for Linux is because they want to have the sort of power that they're used to on campus on their own desktop. Being shielded from this technology might diminish potential future Linux devotees. It just smells too much like a windows promotion to me.
  • Why can't Publius' enemies defeat the system merely by anonymously spamming all the servers with large files of random text? Unless the authors are limited to a defined group of people (in which case they are not anonymous), wouldn't this strategy eventually suck up all Publius server resources, thereby censoring the text by drowning?

    Perhaps the marketplace of ideas requires antitrust laws, too?
  • by volsung ( 378 ) <stan@mtrr.org> on Friday June 30, 2000 @07:17AM (#966210)
    PuTTY is wonderful. I have it in my user directory on the campus network for when I'm at a Windows machine. It actually does VT100 reasonably well (still trying to get page down to work correctly), certainly better than Windows Telnet. The distro also comes with pscp, a windows command line implementation of Secure Copy, that lets you avoid ftp as well.
  • The article's author raises a few interesting points, but I don't think he's got enough evidence to support his claims. Have you looked at an anonymous FTP log lately? Oh, here's one: user=anonymous, password=valued-customer@aol.com

    Fortunately, most of the people that are too clueless to protect their own privacy are also too clueless to configure their machines to reveal too much about themselves. And none of those people are able to type telnet, let alone actually use it.

    <sinister-conspiracy> Perhaps banning the protocols is part of a deeper plot by the RIAA to prevent thieves from obtaining Napster and other burglary tools... :-) </sinister-conspiracy>

  • by akiaki007 ( 148804 ) <(ude.uyn) (ta) (613aa)> on Friday June 30, 2000 @03:31AM (#966217)
    OK...how many people in college know what telnet really is? FTP? To them, FTP is the program on the computers in the Computer Labs all around campus that lets them put and take files from their .edu account. Sometimes they can use this to e-mail their Prof. their late assignment. Tell them it's File Transfer Protocol, and they'll look at you like they actually care (sarcasm....)

    Telnet...what's that? Just about one of two ways for most .edu's to get their e-mail. Either use a mail client, or just telnet in. And what if you wanted to check your mail remotely. What are you going to tell them? NO, you can't! Sure you will.

    I am at NYU, and they will shortly be migrating to this HUGE Sun computer that is going to handle the web-site, mail, etc, etc. They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.

    Anyway, in short, I think this story is the same as "patenting the <a href=*> idea."

    Also, all .edu's are Internet2, so they are faster than most mirrors, which is great for me when I want to install something new. So let's get rid of all that. We don't like fast FTP access, because they are hacker prone. Hey...EVERYTHING is hacker prone, so people should stop crying!

  • by brg ( 37117 )
    At UC Berkeley EECS, we're planning to turn off telnet on all our systems (except for kerberos authentication), and we've already turned off FTP on a lot of our systems. As a system administrator, I think this proactive move has resulted in a sharp decrease in the number of passwords getting sniffed. People who want to log in remotely or copy files over the net now have to use strong crypto to do so. ... We didn't turn off anonFTP, obviously. And there are always problems getting good free encrypted login/file-transfer clients out to people who need them, especially for esoteric platforms like Windows. :-) But on the whole it has been a plus for everyone, and as a bonus we don't have to teach people to set their DISPLAY variable anymore when they use X clients.
  • by CrudPuppy ( 33870 ) on Friday June 30, 2000 @03:31AM (#966220) Homepage
    As long as you are doing it for the right reasons. If you are providing people with more secure alternatives that provide the same functions (ssh, scp, etc) then fine!

    Telnet and ftp are inherently insecure protocols designed for an age where everyone knew everyone else on a single network. Those days are gone now...
  • AFAIK what I use (TeraTerm + SSH) are freely available without restrictions. The TeraTerm SSH component is written by Robert O'Callaghan in Australia (home page here [zip.com.au]) and does not come with any RSA encumbered algorithms by default like PuTTY does.

    Together with OpenSSH for Linux (where I SSH to), I'm a happy camper :)

    --
  • At the very least, all colleges should PROVIDE encrypted access to college servers and email. There's no need at this point to ban all telnet and ftp, but when someone has their personal data compromised, then the administration has room to say, "Well, you would have been fine if you had been using a secure protocol like this ssh here that we told you to use." As it is, a lot of colleges don't even support encrypted connections on the server side, making it a wide open playing field for anyone who wants to compromise even the security conscious people.
  • Having been the Network Administrator for a satellite campus of a large University, I am all too aware of the problems with security on university computers. We have to balance between keeping intruders out, and providing enough access for students and faculty to use the systems. The university environment presents a unique challenge.

    To disable telnet and FTP access and believe it will curtail most or all unauthorized access to these computers is as short-sighted as companies purchasing firewalls and believing that they are complete security. A firewall only prevents some kinds of attacks.

    The real answer, as in most anything, is better education. Network and system administrators need to be more aware of security issues, and deal with them at the host/server/PC level. Don't need filesharing on a PC? Turn it off! Don't need rexec access? Turn it off! Watch the system like your job depends on it; eternal vigilance.

    Just because IT professionals are paid well doesn't give us an excuse to neglect our duties.

  • My school [www.wlu.ca] refuses to implement SSH as well.

    I'm no BOFH (and so don't know for sure), but is adding SSL to your system a big deal? Once I found the packages, I had openssl and secure replacements for telnet, telnetd, lynx, and w3m installed in (literally) 15 minutes on my linux box. (School runs Solaris(tm) though...)

  • by krystal_blade ( 188089 ) on Friday June 30, 2000 @03:34AM (#966255)
    The idea that a protocol, or port cannot be secured, or controlled is utter rubbish. Privacy information IS obtainable on UNSECURE networks. People who know their stuff don't seem to have any problems keeping such info out of the hands of no-goodniks...

    There are far more uses for Telnet, and FTP than simply high wiring it in to a college campus, so you can run TRW reports on students 6 months behind on college loans.

    Network Security is a rapidly expanding business in this world, regardless of what planet that "expert" is from. Numerous resources are out there for free, let alone at a fair cost, that, when properly implemented, make such information damn near impossible to get to.

    The idea that every network connected to the outside is 100% secure IS a fallacy. But then, the idea that people who know what the hell they are doing are actually interested in getting a bit o info on a student.

    One of the main concepts of target hardening (AKA Network Security) is not to totally prevent. Make the perp look for an easier target.

    krystal_blade

  • Actually.... there *is* an sftp program...

    http://www.xbill.org/sftp/
    http://rpmfind.net/linux/RPM/sftp.html
  • This is a professional who has good reasoning capabilities forgetting that many people out there are still functioning in the "computers = magic" mode and treat experts like wizards.

    So while he may recommend replacing Telnet and FTP internally with secure protocols, the "Followers of the all-knowing and all-powerful expert" will go ripping FTP and Telnet clients out of boxes screaming of "Security hazards".
    Give it a week and you'll hear about FTP and Telnet click viruses (think 'I-Lov-U'... or better yet think 'Good Times') infecting everyone. (No actual virus, just rumors.)

    Napster aside... we are talking about a group who think banning Unix as a security risk is a good idea and then install Windows in its place.
    "We are protecting you from all those nasty Unix exploits... someone could hack into your box from remote and... oh damn... anyone know what Back Orifice is?"

    I say teach students security issues and let them fend for themselves. I mean, geez. Trial by fire... no better way to learn... Oh yeah, and take your box off the network when you need to study... just in case...
  • by nhw ( 30623 ) on Friday June 30, 2000 @03:53AM (#966285) Homepage

    I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.

    Sorry, but did you even read the article? The presentation that is alluded to in the story places a strong emphasis on the rights of individuals; especially on the privacy perspective.

    The point seemed, to me at least, that telnet and ftp were (for campus networks) very insecure protocols. Anyone who's ever run a packet sniffer on a shared media ethernet can testify to this. Yes, ideally all the college residential networks would be switched, or protected by Need-To-Know scrambling hubs (cf. 3Com SuperStack II PS). However, this equipment tends to be more expensive than 'dumb' hubs, and wiring of accommodation does tend to be a lower priority from the funding perspective.

    We're now seeing students running Linux boxes from their dorm rooms, connected to such shared networks. We'll assume that their honesty isn't in question (however spurious such an assumption may be!); the fact still remains that such boxes are frequently ill-maintained and the subject of frequent root exploits. Once you've rooted a machine on a shared media network that runs a lot of telnet/pop/ftp, it's trivial to harvest large numbers of passwords: and don't say it doesn't happen, because I know for a fact that it does.

    Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality.

    Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?

    I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves, but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins; spewing off about shutting down such services effectively being the thin end of a wedge that ends with 'SHUTTING DOWN' the internet; well, that just looks silly.

    I agree wholeheartedly with the presenter's point: I'd go one step further - it's not just telnet and ftp that present the problem; IMAP and POP are also generally insecure, not to speak of the numerous HTTP-based webmail services. The solution here is less clear-cut: nice alternatives like SSH are not widely available. Roll on IPv6 and network-level encryption, eh?

    Cheers, Nick.

  • For MacOS, there's NiftyTelnetSSH, which includes SCP support.

    Now that's exactly what I've been looking for and have been unable to find. Thanks for the tip. Now I've got to try it out on our local servers. Hopefully this should work just fine.

  • Well, unfortunately there aren't a lot of free ssh implementations out there for Windows (which most kids use). Telnet comes with the system, so it's easier for them to get people to use it. I would love to just use ssh, but the only Windows ssh client I know of costs $100; not many college students want to shell that out.
  • by Spock the Vulcan ( 196989 ) on Friday June 30, 2000 @04:06AM (#966303)
    PuTTY [greenend.org.uk] is a very usable, free Win32 ssh/telnet client.
  • Have a look at Tera Term [vector.co.jp], a freeware terminal emulator for Windows for which ssl and ssh plugins are available.
    --
    Change is inevitable.
  • And they are supposed to do what? HTTP all of the data? WVU just has their hosts.conf file set up properly, doesn't that make a bit more sense?
  • (for non-anonymous uses anyway) I do incident response on a University campus regularly. I use ssh exclusively and my center, CERIAS [purdue.edu], does as well. The problem with the widespread use of telnet and ftp and pop on some university networks is that once a machine is broken into, hundreds if not thousands of others are taken as well. This is because the first thing the 3l33t k1dd13 does is install a sniffer. I've seen sniffer logs that were many megs of just username/password pairs.

    You see the problem is that the use of "password in the clear" protocols allows one person's poor maintenance to undermine many other hosts that are just accessed via the original host's network.

    Keep in mind, anonymous ftp and telnet for use of anonymous services isn't really the issue. I wouldn't even block the ports on a router. Instead, I'd simply institute the policy of scanning the network and coming down hard on anyone running the daemon. Not perfect, but doable.
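What those sniffer logs look like in practice, as an added example (not the poster's code, and the session payloads below are constructed, not captured): a sniffer on a shared segment only has to reassemble the client-to-server stream and pull the USER/PASS pair out of FTP and POP3, or the first two typed lines out of a telnet login once the option-negotiation bytes are stripped. The protocol details (IAC sequences, USER/PASS) are from RFC 854 and the FTP/POP3 specs; the treatment of anonymous FTP as carrying no secret is my assumption.

```python
"""Pull credentials out of cleartext protocol streams, the way a sniffer on a
shared-media segment does. Added example; the session payloads are constructed."""
from __future__ import annotations
from dataclasses import dataclass

IAC, SB, SE = 0xFF, 0xFA, 0xF0


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (RFC 854 IAC sequences), keep the typed text."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                   # truncated IAC at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)                         # escaped 0xFF data byte
            i += 2
        elif data[i + 1] == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= data[i + 1] <= 0xFE:           # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                                       # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_user_pass(text: str) -> list[tuple[str, str]]:
    """FTP and POP3 both authenticate with a USER line followed by a PASS line."""
    pairs, user = [], None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            pairs.append((user, arg))
            user = None
    return pairs


def extract_telnet_login(text: str) -> list[tuple[str, str]]:
    """Telnet has no command structure: assume the first two typed lines are login and password."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [(lines[0], lines[1])] if len(lines) >= 2 else []


@dataclass
class Credential:
    proto: str
    user: str
    password: str


def harvest(sessions: list[tuple[str, bytes]]) -> list[Credential]:
    """Run the per-protocol extractors over reassembled client-to-server streams."""
    found = []
    for proto, payload in sessions:
        if proto == "telnet":
            pairs = extract_telnet_login(strip_telnet_iac(payload).decode("latin-1"))
        elif proto in ("ftp", "pop3"):
            pairs = extract_user_pass(payload.decode("latin-1"))
        else:
            pairs = []
        for user, password in pairs:
            if proto == "ftp" and user.lower() in ("anonymous", "ftp"):
                continue                            # assumption: anonymous FTP carries no secret
            found.append(Credential(proto, user, password))
    return found


# Constructed client->server streams; a real capture needs TCP reassembly first.
SAMPLE_SESSIONS = [
    ("ftp", b"USER alice\r\nPASS s3cret\r\nCWD pub\r\nQUIT\r\n"),
    ("pop3", b"USER bob\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"),
    ("telnet", b"\xff\xfd\x18\xff\xfb\x18carol\r\nletmein\r\nls -la\r\n"),
    ("ftp", b"USER anonymous\r\nPASS guest@example.edu\r\nQUIT\r\n"),
]

if __name__ == "__main__":
    for c in harvest(SAMPLE_SESSIONS):
        print(f"{c.proto:7} {c.user}:{c.password}")
```

The telnet heuristic is the weak part, and deliberately so: because the server echoes and the client sends one character per packet, a real sniffer sees the same text this code sees after reassembly, which is why there is no meaningful difference between sniffing a telnet login and reading it off the screen.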

  • The problem is just what SG says-- there ARE ways to encrypt traffic and make personal data more secure, but there is no infrastructure (in terms of human support and resources for teaching the end-user about these things).

    I know that at my school, they do offer SSH (but if you go to the CCC (College Computer Center) web area, off the main site, they suggest using telnet for everything, including changing one's password). Great. Well, I've got a new password set up now that I use only through SSH, once I learned why telnet was a bad idea...

    Which is all well and good, but then I get to access my e-mail using said password via either pine on an SSH terminal (safe) or... POP3. Great, I just love sending my password over the network in plain text. Now I think I understand why most of the Linux geeks on campus use their own mail servers. (We get DNS entries at my college, along with semi-static IPs - the IPs change every year. And yes, we are allowed to host webservers et al. Even better, there's no firewall. After most breaks, we get the horror stories of the few people whose boxes got cracked.)

  • by MartinG ( 52587 ) on Friday June 30, 2000 @04:10AM (#966318) Homepage Journal
    > they would have to use some secure method such as ssh.

    This is a very good thing IMO. For too long the general attitude has been "Don't use encryption unless you have to" when it should be "always use encryption unless you have a reason not to"
    This has led to several bad things:
    - Those sensible enough to use encryption by default (such as PGP for mail) for their communications are treated like they have "something to hide" by some.
    - Because only a minority use encryption technologies instead of their more widespread unencrypted counterparts, governments find themselves able to legally force this to continue with draconian anti-encryption bills. (RIP bill in the UK soon to be passed? - see http://stand.org.uk)

    The sooner the masses are educated about the advantages of using encryption more in ssh, for file xfer, for mail, and everything else the better. Where better to start the ball rolling than in universities.
  • You are completely misunderstanding what's being asked of them, and thus overreacting to something you don't understand.

    He's not saying that providing remote login and file transfer services is bad; he's saying that telnet and non-anonymous FTP are bad.

    ssh and scp can completely replace them.

    Anonymous FTP can be left for transfer of publicly-accessible files, although HTTP might be better.

    --
  • A skilled administrator will use SSH.
    An unskilled administrator will use Telnet.

    An unskilled administrator is a risk. (They're also called 'students', but who's counting?)

    Unfortunately, not every place has SSH. And sometimes SSH is simply overkill. If I just want to check my email, I don't care too much if someone along the pipe sees me deleting 10 messages on how to "make money fast!", but I don't want them sniffing my password. So, a one time password system is an ideal solution - if someone intercepts it, it's useless anyway. And it only requires installation on the server side. And if I want to do admin-type work, sudo also takes a one time password which again keeps my password secure.

    In a perfect world, SSH would be everywhere. But in the meantime, one time password systems aren't a bad compromise for when your password is vital, but the data you're dealing with isn't.
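What the one-time password scheme above buys you, as an added example (my code, not the poster's): the server keeps only the current top of a hash chain, the user proves knowledge of the passphrase by sending the value one step below it, and a sniffed response is useless because the server moves down the chain after each accepted login. This follows the S/Key design of RFC 1760 but uses SHA-256 folded to 64 bits instead of MD4 and skips the six-word encoding, so it is not wire-compatible with real S/Key or OPIE; the seed and passphrase below are made up.

```python
"""A Lamport/S/Key-style one-time password chain. Added example, not from the post;
uses SHA-256 folded to 64 bits, so it is not wire-compatible with RFC 1760 (MD4)
or its six-word encoding."""
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """XOR the digest down to 8 bytes, as RFC 1760 does with MD4 output."""
    out = bytearray(8)
    for i, b in enumerate(digest):
        out[i % 8] ^= b
    return bytes(out)


def step(value: bytes) -> bytes:
    """One application of the one-way function."""
    return fold64(hashlib.sha256(value).digest())


def compute_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Apply the one-way function `count` times to H(seed || passphrase)."""
    value = step((seed + passphrase).encode())
    for _ in range(count):
        value = step(value)
    return value


class OtpServer:
    """Stores only the current top of the chain; never the passphrase."""

    def __init__(self, seed: str, sequence: int, stored: bytes):
        self.seed, self.sequence, self.stored = seed, sequence, stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "OtpServer":
        # Enrollment is the one time the passphrase is needed on the server side;
        # S/Key does this on the console or lets the client compute the value.
        return cls(seed, n, compute_otp(passphrase, seed, n))

    def challenge(self) -> str:
        """Sent in the clear, like the S/Key 'otp-md4 NN seed' prompt."""
        return f"otp-sha256 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 0:
            return False                      # chain exhausted: re-enroll
        if not hmac.compare_digest(step(response), self.stored):
            return False
        self.stored = response                # accepted value becomes the new top
        self.sequence -= 1
        return True


def client_answer(passphrase: str, challenge: str) -> bytes:
    """What the user's calculator computes from the printed challenge."""
    _, seq, seed = challenge.split()
    return compute_otp(passphrase, seed, int(seq))


def login_round(server: OtpServer, passphrase: str) -> bool:
    """One challenge/response exchange, both sides in one process for illustration."""
    return server.verify(client_answer(passphrase, server.challenge()))


if __name__ == "__main__":
    srv = OtpServer.enroll("correct horse battery", "ca70112", 5)
    print(login_round(srv, "correct horse battery"))   # True
    print(login_round(srv, "wrong passphrase"))        # False
```

Note what this does not protect: everything after the login still crosses the wire in the clear, and an attacker who can hijack the TCP session rather than merely sniff it gets the shell anyway, which is the "password is vital, data isn't" trade-off the post describes.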

  • Uh, yeah, if someone is telnetted in and editing their email message in pine/pico, etc, you can watch them writing their messages.
  • It would make sense for the colleges to disable telnet and ftp access TO their machines. Disable telnetd and ftpd in the inetd.conf and you lose quite a few obvious routes of attack. Password sniffing is something that can be easily avoided if you just take precautions. You can always run a separate server for anonftp. But really, all this outcry about big brother and the freedom of speech is just a wee bit over the top. You simply should not take risks when it comes to system security.
    --
    Full Time Idiot and Miserable Sod
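The inetd.conf edit the post describes, as an added example (my code, not the poster's), which also covers the "don't need rexec, turn it off" advice near the top of the thread: it comments out the entries for services that authenticate in the clear and reports what is still active, so the same check can be run over configs gathered from other hosts. The config text is constructed, and the service list is an assumption to tune for your site.

```python
"""Comment out cleartext-login services in an inetd.conf. Added example; the
config text is constructed and the service list is an assumption to tune."""
from __future__ import annotations

# Services whose authentication crosses the wire in the clear (assumed list).
CLEARTEXT_LOGIN_SERVICES = frozenset(
    {"telnet", "ftp", "login", "shell", "exec", "pop-3", "pop3", "imap", "imap2"}
)


def service_name(line: str) -> str | None:
    """First field of an active inetd.conf entry, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:                     # name socktype proto wait user server [args]
        return None
    return fields[0].split("/")[0]          # RPC entries look like "name/version"


def disable_cleartext_services(conf: str, services=CLEARTEXT_LOGIN_SERVICES):
    """Return (new_conf, disabled_names). Lines are commented, not deleted, so the
    change is reviewable and reversible."""
    out, disabled = [], []
    for line in conf.splitlines():
        name = service_name(line)
        if name in services:
            out.append("#" + line)
            disabled.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def active_cleartext_services(conf: str, services=CLEARTEXT_LOGIN_SERVICES):
    """What a re-check after the edit (or a scan of other hosts' configs) should report."""
    return sorted({n for n in map(service_name, conf.splitlines()) if n in services})


SAMPLE_INETD_CONF = """\
# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

if __name__ == "__main__":
    new_conf, gone = disable_cleartext_services(SAMPLE_INETD_CONF)
    print("disabled:", gone)
    print(new_conf)
```

After writing the result back, inetd has to re-read its config (a SIGHUP to the inetd process) and the change should be confirmed from the outside by checking that nothing listens on 21 and 23 any more; on a host that runs a stand-alone ftpd or telnetd rather than one spawned by inetd, this edit does nothing, which is exactly why the post-edit port check matters.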
  • by lyonsj ( 51249 ) on Friday June 30, 2000 @04:11AM (#966333)
    When I worked in tech support, we got a lot of calls from folks who tried to run "telenet" on their Windoze machine and couldn't get it to work.

    "Did you type telnet?"
    "Yes, I typed telenet."
    "No, telnet: t-e-l-n-e-t."
    "OK... t-e-l-e-n-e-t, telenet. No, it still doesn't work..."
  • There's a program called sftp in the ssh package that lets you do file transfers over ssh.
    --
  • by Myrrh ( 53301 ) on Friday June 30, 2000 @04:13AM (#966336)

    Exactly.

    I'd be a lot more concerned about POP3 than telnet. Last year at my school it was discovered that someone managed to get the passwords of nearly half the students simply by sniffing the POP3 packets. (One could of course argue that this could have been achieved via simply sniffing all packets--people generally have the same password for POP email as they do for telnet and FTP--but my point is that it was found that a LOT of people on campus use POP clients to read their email.) Far more people use POP to read email rather than simply ssh'ing in and using pine (my preferred method, which is significantly more secure).

    I'm aware that most POP clients provide support for client-server encryption so the passwords are not sent plaintext, but my school never quite seemed to think that was worth the trouble, even though the vast majority of people are comp. sci. students who could probably handle such additional complexities with ease.

    The fix to "all this" is *not* to ban protocols or limit the availability of services to students. Students subsidize the campus information infrastructure through their fees and tuition. The solution is to educate everyone on campus--faculty, staff and students--to use encryption whenever reasonably possible (ssh is not non user-friendly or invasive), and to use strong passwords. A lot of script kiddies and not-so-good hackers are born as a result of a campus trying to limit students' capabilities.

    At the very least, I know a lot of people (myself included) who would have a few words to say to those in charge if it were decided that banning things, rather than employing workarounds or educating the people, was the correct solution.

  • Standard telnet, FTP, and POP are insecure because they require the user to pass their password in plaintext. Because man-in-the-middle attacks are trivial and undetectable. Because playback attacks are trivial and undetectable. Because...

    I emphasize *standard* because I'm a "security moron" who uses telnet and FTP. Of course, both of these programs use Kerberos authentication so the password is not sent in plaintext. Man-in-the-middle attacks are believed to be impossible, due to the mutual authentication. Playback attacks are impossible outside of the narrow window defined by the clock skew parameter - less than a minute.
  • There is an IETF draft for doing FTP over SSL [ietf.org]. Widespread use of SSL (except through browsers) is still not possible because of the RSA patent (which lapses soon).
  • The only time (that I know of) where my server was cracked was caused by a legitimate user logging in from an ivy league university via telnet.

    The person's password was sniffed on the university side, and the cracker was able to log into my machine using the user's account. About 18 hours later (too long, I know) I noticed the intrusion because the time of the cracker's logins didn't match up with the user's usual pattern, which I luckily happened to know.

    After calling the real user up and confirming that there was a problem, we found some kind of nohup daemon running called "bash" in the .elm directory. Running strings on it revealed a bunch of german words. It appeared to be a netcat-like port redirector to avoid the packet filter and service logs. There was also, luckily, a bunch of evidence in .bash_history because the person typo'd the command to shut history off. The .bash_history file revealed the work of someone who was highly efficient and didn't waste time. They tried a bunch of stack-smashing attacks and common-vulnerability exploits to gain root, but luckily I was all patched up.

    After cleaning up the system, changing passwords, and mandating the use of SSH (especially with RSA authentication) I didn't have any more problems. A few weeks later the affected user received an email-advertisement for sniffit from an anonymous source at her university email box.

    Much later, I received an email from a German university saying that someone had broken into their servers from a variety of sites, one of them mine. The date they claimed matched up with the date of the intrusion. They said that the cracker had installed a modified IRC eggdrop bot with root privileges at a certain port, and that these bots were also apparently still running on most of the systems that the cracker had logged in from. Sure enough, the ivy league university was on the list.

    I tried sending them mail on a few different occasions, but never got a response. I guess the point of this rant is that universities have terrible security and that banning inherently insecure protocols when secure alternatives exist is a good idea for EVERYONE, not just the people at the university. Sure it was a pain converting my userbase from ftp and telnet to ssh and ftp-over-ssh / scp / full VPN but it was well worth it and was a one-shot issue.

    -OT
  • running sshd in user mode is trivial -- all you need is some sort of shell on the remote host.

    The only difference from an official sshd install is that it will run on a 1024+ port and only work for you.

    Johan
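The per-user sshd setup the post describes, as an added example (my code, not Johan's): the configuration points every path at a directory in the user's home, refuses privileged ports, and disables the authentication methods an unprivileged daemon cannot perform anyway (it has no way to check system passwords), leaving public keys. The `~/.usshd` directory name and the `/usr/sbin/sshd` path are assumptions; the absolute path matters because sshd re-executes itself and refuses to start otherwise.

```python
"""Config and commands for an sshd run as an ordinary user on a high port.
Added example, not from the post; ~/.usshd and /usr/sbin/sshd are assumptions."""
from __future__ import annotations
from pathlib import Path, PurePosixPath

SSHD = "/usr/sbin/sshd"     # assumed location; must be absolute, sshd re-execs itself


def is_unprivileged_port(port: int) -> bool:
    """Without root the listener can only bind 1024..65535."""
    return 1024 <= port <= 65535


def build_user_sshd(home: str, port: int) -> tuple[str, list[list[str]]]:
    """Return (sshd_config text, setup commands) for a per-user sshd.
    Everything lives under the user's home, so no system file is touched."""
    if not is_unprivileged_port(port):
        raise ValueError(f"port {port} needs root; pick one >= 1024")
    d = PurePosixPath(home) / ".usshd"
    hostkey = d / "ssh_host_ed25519_key"
    config = "\n".join([
        f"Port {port}",
        f"HostKey {hostkey}",                       # per-user host key, not /etc/ssh's
        f"PidFile {d / 'sshd.pid'}",
        f"AuthorizedKeysFile {d / 'authorized_keys'}",
        "PubkeyAuthentication yes",
        "PasswordAuthentication no",                # cannot read the system password file anyway
        "UsePAM no",
        "PermitRootLogin no",
        "X11Forwarding no",
    ]) + "\n"
    commands = [
        ["mkdir", "-m", "700", "-p", str(d)],       # StrictModes rejects group/world-writable dirs
        ["ssh-keygen", "-q", "-N", "", "-t", "ed25519", "-f", str(hostkey)],
        [SSHD, "-f", str(d / "sshd_config"), "-D", "-e"],   # foreground, log to stderr
    ]
    return config, commands


def write_user_sshd(home: str, port: int) -> list[list[str]]:
    """Write the config file and return the commands still to be run."""
    config, commands = build_user_sshd(home, port)
    d = Path(home) / ".usshd"
    d.mkdir(mode=0o700, exist_ok=True)
    (d / "sshd_config").write_text(config)
    return commands[1:]                             # the mkdir has already been done


if __name__ == "__main__":
    cfg, cmds = build_user_sshd("/home/jdoe", 2222)
    print(cfg)
    for cmd in cmds:
        print(" ".join(cmd))
```

Clients then connect with `ssh -p 2222 user@host`, and the host key fingerprint has to be distributed out of band like any other; the daemon only ever grants the one account it runs as, which is the "only work for you" property the post mentions.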
