Colleges Urged To Ban Telnet And FTP
M100 writes: "The Chronicle of Higher Education reports in this story that a computer-privacy 'expert' has told colleges that they should ban Telnet and FTP because 'they offer easy routes for unauthorized people to gain access to personal data on campus networks.'"
The story is based on Simson Garfinkle's writings ... it's mostly about other stuff, too. (Besides, who doesn't at least use ssh?)
(Score:1)
What we really need to do. (Score:2)
We really need to cut all these cables, remove the wireless systems, and ban networking altogether. I think 40 years have demonstrated that networking gives unauthorized personnel access to Secrets Man Was Not Meant To Know.
The real solution is to ban nothing, and try to educate the users about security.
This is totally dead on. Frankly, I use telnet mainly out of ingrained and ignorant habit. But any network service has security holes. The solution isn't to remove the service, it is to secure it. SSH, as everyone and their brother pointed out, is one answer.
But we shouldn't be thinking about what services we should be cutting off, we need to think about how they can be made secure.
Re:For that matter... (Score:1)
ssh and scp can completely replace them
Umm... read the whole article. The person writing the article doesn't quote him as actually giving any reason for the no telnet/ftp suggestion other than 'the users can use them to get to private information'. Read it again. The entire article says 'Web servers record private information in log files. users can get to these log files with telnet and ftp. therefore, don't use telnet or ftp.' Now, of course, this is completely nonsensical, as you can put the log files somewhere nobody can see them, and thus the problem no longer exists.
Also, the article never mentions any alternatives to telnet and ftp. Why? Because *any* method of accessing the machine configured in such a way allows you to get to the improperly configured log files. The problem isn't with the insecurity of the connection method, it's a problem with the insecurity of the data on the machine itself!
Information is like a gun. (Score:1)
Maybe we need to hire the NRA lobbyists to protect older software?
don't forget NFS (Score:2)
Additionally, rumors have been flying that some male students have been writing little bits of drivel on paper, then passing these notes to women they find attractive. It must stop now. All pencils, pens, crayons and tablets must be seized and burned. Our young women must be protected.
The best and final solution is to simply stop educating the young. The "teacher-student" interface is a massive security hole that fosters the communication of ideas between people without the tacit approval of the state. These evil young people may then use the technology in ways the tribe of elders have not approved. This must be stopped.
Thank You,
The Controller
If you block it, at least do it right. (Score:1)
Funny thing is, the wonderful UNT network people were only blocking connections that were coming in on 2 ports - 21 and 23 (ftp and telnet, fyi). That's all. Nothing else. Um, guys, maybe that's not too bright. Solution? Just run the services on another port...not too tough, just add a few lines to
Re:Half-good, half-bad (Score:1)
Re:Gee... (Score:1)
Re:And the news is? (Score:1)
Educate (Score:1)
Re:Not bloody likely (Score:1)
It's enlightening to see what your superior education does for your social skills.
Re: who doesn't use ssh? (Score:1)
My summer job (here at unisys, whose stock makes interesting watching these days) has me sitting behind a firewall. This I can live with and in fact find quite reasonable.
The firewall is set to only allow outgoing connections to specific machines/ports. This I find highly annoying, but if it let out the right ports I wouldn't mind.
The ports I know of that I'm allowed to connect to are 21, 23, 80, 81, 443, 8000, 8080, and any port on AOL's IM servers. Nothing else. You'll notice that 22 isn't in that list. That's right - the corporate firewall is so secure that you can't use ssh. Telnet access, however, apparently meets some business need.
I'd actually like it if every school started dropping telnet access and only allowing ssh. Maybe the cry of "let me read my school email" from all the interns would get the corporate firewall policy changed.
Insider's perspective (Score:2)
I used to work as the network manager for a college, which had a couple of hundred ethernet sockets in student accommodation. Here's my take on this and on why I think it's likely to be less of a problem in the future.
Why are unencrypted protocols so much of a problem?
The main reason why telnet (particularly) is singled out as a security culprit is that it's so trivial to harvest passwords, if you have the potential to eavesdrop on a network connection. The username and password are transmitted in the clear, right at the start of the connection: all you need to do is grab the first hundred bytes of any connection to port 23, and you'll get 9 out of 10 passwords.
Why is eavesdropping more of a problem in the residential network environment?
The residential network environment is chaotic, and there is usually very little capacity for control of what is physically connected to the network. I've heard of administrators who are getting serious problems with their ethernets, who eventually track the problem down to a student with a hub in their room, or whatever.
Ethernet is (in its basic form) a shared-media broadcast protocol; everyone gets everyone else's packets as well as theirs. Zap your adapter into promiscuous mode and there it all is. There are two basic ways around this from the hardware perspective. You either go for switched ethernet (which has traditionally been prohibitively expensive for the relatively low priority residential networks), or need-to-know hubs, which track the MAC addresses attached to each port, and scramble the data that goes to the others (for example, the 3Com SuperStack II portswitch hubs); both of these technologies have been significantly more expensive than the sort of baseline kit that has traditionally been specified in campus LANs.
Aggravating risk factors
We're seeing a lot more students running multiuser systems; Linux, *BSD, whatever. These are quite often not the best maintained machines. They are relatively frequently subjected to root exploit, and are less likely to be quickly detected as such than well run systems.
Also, the prevalence and reliance on network services is on the increase. As the density of usage increases, so increases the potential for catastrophic breaches of security. It is not unheard of for thousands of accounts to be compromised by a sniffer attack from a rooted Linux box.
Why the future is rosier...
For a start, networking kit that isn't susceptible to sniffing attacks is becoming cheaper. I personally got budgetary approval to replace all our hubs with need-to-know hubs, and my successor is installing switches to service student ethernet ports.
IPv6 is on its way; hopefully bringing network layer encryption and authentication. This is the ideal solution; SSH is great, but this sort of stuff should not be going on at application layer.
There is a significantly greater awareness of the issues on the part of university technical staff. I reckon some of the security people here know more about 'r00t-kits' and 'skripts' than most of the 'kyddies'. This also trickles down into the administration: they realise it's bad press to be hacked, and it's also tremendously expensive to recover from it. Coupled with the decreasing costs of doing it right, as mentioned above, it means that 'network security' is becoming a higher budgetary priority.
In summary...
The campus networks that are being installed today are probably highly resilient to being snooped, but there are a lot of legacy installations, based on equipment that's possibly 3-5 years old, that is horrifyingly insecure. Ideally, in the future, we won't have to worry about layer-2 insecurity, because we'll be protected by the IP network itself; however, in the meantime, SSH Is Your Friend!
Cheers, Nick.
Letter to the Chronicle editors. (Score:1)
I disagree with Simson L. Garfinkel's conclusion. Telnet and File Transfer
Protocol have been pivotal in the advancement of the internet, and these
programs or variations thereof will continue to be essential. The article
states:
Log files, for example, are created on Web
servers whenever users click on the "search"
button. Mr. Garfinkel asked, Who has access
to those log files? What computers are
capturing those log files? What policies do
institutions have for automatically deleting
those files on a regular basis?
This quote says nothing about Telnet or FTP, and in fact implies that web
servers are a problem. It also doesn't properly state what the log files
record. The standard log file is configured to record every download of
every document on the server, and from which ip the download was initiated,
as well as every attempted download that triggered an internal error.
Typically, these files are stored in a directory which normal users don't
have access to.
The article also quotes Mr. Garfinkel as saying, "We're moving into a regime
in which far, far more information is going to be collected -- and
frequently, that's going to be done over some sort of campus network." As
quoted, he implies that the campus network will be actively involved in the
collection of this information. The problem here is that the vast majority
of information collection will happen when a user connects to a remote site
not affiliated with the campus. The campus' role here is limited to
providing a wire connecting the user's computer to the outside world. The
campus has no control over what information is collected and how it is used.
Telnet is a program used to connect the local client machine to the
destination server via a text-based window. Such a connection is, for many
operating systems, essential for remotely executing commands on the server
or performing other tasks. FTP servers allow for the transfer of files,
such as assignments or sample code, to and from the local client machine.
While it may be true that the World Wide Web has significantly reduced
reliance on this type of file transfer, FTP is still the most common choice
of methods for password protected transfers.
The danger which Mr. Garfinkel seems to address is the fact that the log
files of an improperly configured web server may be accessed via Telnet or
FTP, and therefore these services should be halted. The real solution to
the web server issue is to be certain that the web server is properly
configured and that the log files it generates are only visible to accounts
assigned to work with them.
The only indication of problems that might be related to Telnet or FTP is in
the last paragraph, where he is quoted as urging "the more than 300
residential-network managers and student-coordinators attending the
conference to stop the common practice of using unencrypted passwords to
secure network-user accounts." I'm not quite sure just what passwords he's
implying are stored in an unencrypted format, since most telnet servers run
on Unix, which stores its passwords in an encrypted format, and most ftp
servers either use the Unix password file or an encrypted file of their own
format. This argument may refer to CGI scripts which, being written by the
user who wrote the webpage, can use whatever form of data storage the user
desires.
In summary, Telnet and FTP are not the culprits here. Poorly configured web
servers are the problem. The possible remedies are as follows:
1) Shut down the web server.
A drastic and undesirable action, as you might expect.
2) Protect the log files.
This isn't difficult. In fact, on most of the systems web servers run on,
log files are protected by default from unauthorized viewing.
3) Turn off CGI.
Web servers can be configured to not run CGI scripts that aren't in a
specified location. Thus, the possibility that an uninspected user-written
CGI script can be executed is completely eliminated.
4) Train system administrators in security.
A commonly overlooked area of system administration which needs to be
addressed.
5) Run the web server on a separate machine.
The user's web directory can be accessed over the internal network by the web
server, but its log files will be written to the machine it's running on.
With this solution, the directories the log files are stored in aren't even
visible by the machine accessed by Telnet or FTP.
Do not look to Telnet and FTP as a solution to these problems, as they are
merely a means to access the data which should be protected from them to begin
with. The real culprit is the web server.
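Remedy 2 above ("protect the log files") is the one that is cheapest to check and to apply. As an added example (not part of the letter, and not any particular web server's own tooling), the script below builds a constructed log directory, audits it for files that are readable by users outside the designated owner/group, and then tightens the modes the way an administrator would with chmod. The directory and log lines are constructed for the example; the only assumption is a Unix-style permission model.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_log_files(log_dir):
    """Return (path, problem) pairs for log files exposed beyond their owner
    and designated group, plus a finding if the directory itself can be
    traversed by arbitrary local users (the "other" execute bit)."""
    findings = []
    d = Path(log_dir)
    if d.stat().st_mode & stat.S_IXOTH:
        findings.append((str(d), "directory is traversable by other users"))
    for p in sorted(d.iterdir()):
        if not p.is_file():
            continue
        if p.stat().st_mode & stat.S_IROTH:
            findings.append((str(p), "world-readable"))
    return findings


def harden_log_dir(log_dir):
    """Directory 0750, files 0640: the owner and one designated group (the
    accounts assigned to work with the logs) can read them, nobody else."""
    d = Path(log_dir)
    os.chmod(d, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP)
    for p in d.iterdir():
        if p.is_file():
            os.chmod(p, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)


def demo():
    """Constructed scenario: a log directory left at the common defaults
    (0755 directory, 0644 access log). Returns the audit before and after
    hardening so the effect can be checked."""
    tmp = Path(tempfile.mkdtemp())
    os.chmod(tmp, 0o755)
    access = tmp / "access_log"
    error = tmp / "error_log"
    # Constructed sample log lines, not real traffic.
    access.write_text('10.0.0.5 - - [01/Jan/2000:00:00:00 +0000] '
                      '"GET /cgi-bin/search?q=test HTTP/1.0" 200 512\n')
    error.write_text("[error] constructed sample error line\n")
    os.chmod(access, 0o644)   # world-readable: the problem the letter describes
    os.chmod(error, 0o640)    # already restricted to owner and group
    before = audit_log_files(tmp)
    harden_log_dir(tmp)
    after = audit_log_files(tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print(f"before: {path}: {problem}")
    print("after hardening:", after or "no findings")
```

The audit deliberately tolerates group-read, because the letter's remedy is that logs be "only visible to accounts assigned to work with them", which on Unix means a dedicated group rather than owner-only access.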
Re:Listen security morons (Score:1)
smtp doesn't send usernames or passwords at all, let alone in clear text. http *can*, but if you're using this for anything other than trivial access controls or in a tightly secured network, you're very silly. Websites that ask for logins should be using https, especially if those logins are the same as logins used for other protocols.
pop3 *does* send usernames and passwords in plain text, and these will often be the same user names and passwords that can be used to gain shell access on other machines (or on the mail server in a poorly-designed setup).
The issue is not that there's something wrong with the telnet protocol as such. The issue is that there's *lots* wrong with sending clear-text passwords on broadcast media (campus or even company ethernet) or networks you don't control (the Internet). telnet, ftp and pop3 show this problem - they can be replaced with ssh, scp and pop3 over ssh tunnels.
As to '90 percent of the traffic on the internet' being insecure - most of that traffic (I take it you mean http traffic) doesn't contain user names and passwords!
Regards,
Tim.
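Both Nick's point about credentials sitting in the first bytes of a telnet connection and Tim's list of which protocols actually carry cleartext logins come down to one monitoring question: which flows on this network expose a password in the clear? The following is an added example, not code from either poster, of the kind of rule a campus IDS would apply to client-to-server payloads. The flows are constructed for the example (no real captures), and the detector reports the protocol and user name while redacting the password, since the point of the alert is to find the exposed account, not to record its secret.

```python
import base64
import re

# Constructed sample flows: (destination port, client->server payload).
SAMPLE_FLOWS = [
    (21, b"USER alice\r\nPASS hunter2\r\nSYST\r\n"),
    (110, b"USER bob\r\nPASS s3cret\r\nSTAT\r\n"),
    (80, b"GET /private/ HTTP/1.0\r\nHost: www.example.edu\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    (23, b"\xff\xfd\x18\xff\xfd\x20alice\r\n"),   # telnet option negotiation, then typed text
    (22, b"SSH-2.0-OpenSSH_2.1.1\r\n"),           # encrypted after the banner: nothing to see
]

USER_PASS = re.compile(rb"^(USER|PASS) +(\S+)", re.M)
BASIC_AUTH = re.compile(rb"^Authorization: +Basic +([A-Za-z0-9+/=]+)", re.M | re.I)


def redact(password):
    """Keep only the length so the alert never stores the secret itself."""
    return "*" * len(password)


def inspect_flow(dst_port, payload):
    """Return a finding dict if the flow carries a cleartext login, else None."""
    if dst_port in (21, 110):
        proto = "ftp" if dst_port == 21 else "pop3"
        user = password = None
        for cmd, arg in USER_PASS.findall(payload):
            if cmd == b"USER":
                user = arg.decode("ascii", "replace")
            else:
                password = arg
        if user and password is not None:
            return {"proto": proto, "user": user, "password": redact(password)}
    elif dst_port == 80:
        m = BASIC_AUTH.search(payload)
        if m:
            try:
                user, _, password = base64.b64decode(m.group(1)).partition(b":")
            except ValueError:
                return {"proto": "http-basic", "user": None, "password": None}
            return {"proto": "http-basic",
                    "user": user.decode("ascii", "replace"),
                    "password": redact(password)}
    elif dst_port == 23:
        # Telnet sends keystrokes one at a time through option negotiation, so the
        # login is not parsed here; the session itself is the finding.
        return {"proto": "telnet", "user": None, "password": None,
                "note": "interactive login in the clear"}
    return None


def scan(flows):
    """Run inspect_flow over every (port, payload) pair and collect findings."""
    return [f for port, payload in flows if (f := inspect_flow(port, payload))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding)
```

In practice the same rule set is the basis for the migration Tim describes: each alert names an account whose owner should be moved to ssh, scp, or a tunnelled mail connection, and a campus that sees the alert count fall to zero has evidence the policy worked.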
Re:Half-good, half-bad (Score:2)
Kerberos pretty much solves all our problems (almost)
NOTE: all users can still telnet and ftp of course, but they have to use Ktelnet [stacken.kth.se], ssh or such
/das Ix
Re:For that matter... (Score:2)
Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.
[1] Ssh tunnelling is cool because it can make most protocols much more secure. You connect to a computer via ssh, with the correct options to forward a port to or from it, and any traffic to a local port that you pick is sent over the secure connection, then sent to the remote host. When the remote host and the ssh host are the same, this is pretty secure (no chance for sniffing), and when they aren't the same, the sniffing risk goes down significantly if the server network is separate from the student nets, since that one is much less likely to be sniffed.
Re:SSH Banned (Score:1)
Seems that your sys-admin needs to hop on the clue-train.
Oh, believe me when I say that there's a whole lot of b0rken computer systems on campus. We see a lot of "user-obsequious" here.
Some of it has gotten better, mind -- the network maintainers do a good job implementing things that they think need to be done. It used to be nothing for the Banyan LAN to crash and be down for three days at a time. I rarely suggest things any more (like implementing SSL, or uncrippling the libraries on our servers, or...) because the people responsible ignore any and all feedback.
Registering using Telnet. (Score:1)
How many times... (Score:2)
---
Tim Wilde
Gimme 42 daemons!
Re:A bigger problem... (Score:2)
I think a lot of people are missing here that the danger isn't for someone to break into some guy's account and read their email (which only affects the user who was connecting insecurely), th danger is that when someone breaks into an insecure box they often use it as a launching point for attacks on other systems, which affects everyone. If it was just the single user who was harmed I might agree that banning protocols MIGHT not be the best solution, but usually when a user's account is compromised they don't even notice. Someone just gets in and launches attacks, or uses other vulnerabilities to get root on the local machine, etc.
Re:For that matter... (Score:1)
I wrote:
Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality
kawaii wrote:
Except that on Windows, ssh is not a stock part of the OS (there are /no/ free versions that I'm aware of, and even the pay versions don't seem to support tunnelling[1], etc), and there is no secure way to access email, ftp, etc. IMHO this is one of the worst aspects of Windows (low emphasis on security), but it means that there is no way to force security without more work than most people are interested in.
You need some PuTTY [greenend.org.uk] - it makes Windows usable. It's a free SSH client for Windows, that also (if I remember correctly) supports port-forwarding etc. It is released under the MIT licence (kinda similar to the BSD licence) which is 'Open Source certified'.
Just as an aside; how recently is it that SSH has become a standard part of Linux distributions?
Cheers, Nick.
Re:banning telnet and ftp makes sense (Score:2)
Take SecureCRT, for example. We currently have a site license for plain old non-encrypted CRT, which means we can distribute it freely to everyone affiliated with the university. However, it is impossible for us to get a site license for SecureCRT, because Van Dyke has to pay a royalty for each copy sold, and therefore can't distribute an unspecified number of copies. This a) makes the price of SecureCRT prohibitive and b) limits our methods of distribution.
Yes, there are free implementations, and many people use them. But these aren't legal in the US so we can't distribute them, or even really endorse them (a public university encouraging people to break the law is usually frowned upon).
I'll be extremely happy when the patent expires in September.
Half-good, half-bad (Score:5)
Hold, hold, hold on here a second. Banning the protocol doesn't make sense. On some computers, one can telnet in and play a game of rogue as the games user, for example. Don't ban anonymous FTP as well - it's been one of the backbones (not literally) of the Internet for years.
Do encourage system administrators and users to never, ever log in and send their password from remotely over telnet. Inside the college network is a different idea. (And some vendors, *cough* *cough* most of them *cough* *cough* don't have the good sense to pre-install ssh on their systems! Telnet can be a good thing.)
Re:Going far enough? (Score:1)
FTP, Telnet, and all the other protocols are useful in one way or another.
Yes, these are both useful services. But why run them when secure versions (ssh, scp, etc.) exist. These secure alternatives can do everything ftp and telnet can do, but more securely. You would be a fool to keep the plaintext services.
As far as HTTP goes, the number of machines running a web server should be FAR less than those requiring telnet/ftp type access. These few web servers are much easier to keep track of.
And another thing:
Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files
See that: partially. I would amend that by saying: Telnet and FTP are security risks mostly because they transmit passwords in plaintext. It is this problem that lets crackers get into your system and get access to your precious logs.
Is this going far enough? (Score:1)
If there is a file on one computer and I want to use it on another, what choice do I have except for a computer network? This is incredibly insecure!
And don't EVEN get me started about floppy drives!
Bah Humbug (Score:1)
"TELNET IS INSECURE!!!" - Well, duh, you fucking dumbass.
"WATCH YOUR EMPLOYEES FOR PERSONALITY CHANGES. THAT COULD MEAN THEY ARE TAKING DRUGS OR EMBEZZLING MONEY!!" - Well, duh, you fucking dumbass.
"HACKERS COME FROM THE INTERNET" - Well, duh, you fucking dumbass.
I would like to propose a new Internet Acronym (IA) of WDYFD (I think you can figure out what it stands for) to be used in reply to pompous, overzealous announcements to impress those who haven't quite figured out what that shiny square thing is sitting in front of them...
"The sky is blue!" :)
"WDYFD..."
Douglas Adams first documented this phenomenon in the Hitchhiker's Guide to the Galaxy. "It sure is a nice day, isn't it?" - However, it seems like the security dorks are really trying to cash in on this to keep their paychecks coming in. But, I hope they all remember the story about the little boy who cried Woof! (er, um, Wolf!) The more they keep desensitizing us to their "profound" announcements, the less we are going to pay attention when they actually have something important to say.
Is it just me, or do other notice the same thing amongst the security mailing lists (M Kabay comes to mind) and security trade rags?
I'm not saying that security is a bad thing. But I just want them to tell me something that I don't know. Not a bunch of obvious crap. Ways to work with technology, not a Luddite view of "oh, no, lets not use it at all!"
Re:For that matter... (Score:1)
Maybe I'm wrong about this, but it seems that free SSH clients are rare and far in between for the Mac OS? My school _does_ only allow access to some machines by ssh, but they also have a few alphas standing by with telnet as a proxy into those ssh machines for the Mac users who don't want to shell out the $$ to buy a commercial ssh package.
For that matter... (Score:1)
I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.
Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?
Re:What we really need to do. (Score:3)
You'd be better off just throwing the "official university software" cd at her for $10 and telling her to run only programs off of that disk. (including SSH and whatever crap ya want.)
Why read it ? It's terrible (Score:1)
This sounds awfully like a very bad article, written on the basis of a half-heard and barely understood talk. Given who Simson Garfinkel is, I think he does know what he's talking about, but that article reads as if it was written by an intern from the paper's "religion and dog shows" desk.
As an example, Log files, for example, are created on Web servers whenever users click on the "search" button.
Re:Half-good, half-bad (Score:3)
Re:For that matter... (Score:2)
A quick look through WinFiles terminals section should turn up others. SecureCRT and ZOC are not the only SSH enabled terminals out there.
Will College Administrators Understand this? (Score:2)
But will college administrators (not technical administrators, organizational administrators) understand this? These are the same people who decided the best thing was to convert everything over to NT, at my school....
Re:banning telnet and ftp makes sense (Score:2)
Just as a reminder, the patent on RSA runs out in a few months. I don't remember the exact date...
Re:A bigger problem... (Score:5)
Hehe...one time I managed to confuse the hell out of a friend of mine by printing stuff on his printer through Network Neighborhood, including a document that said something like "Doesn't it suck having people print random stuff in your room? Take your printer off the network and you won't have this problem." He had to get me to do it, but at least he was more security conscious from then on.
Of course, this is the same guy whose dorm room I rewired so he couldn't turn off his lights...
---
Zardoz has spoken!
anonymous ftp (Score:2)
Imagine if Walnut Creek shut down their server and said "Sorry folks! No more unencrypted ftp. We only allow secure logins." For truly anonymous ftp, you have to cater to the lowest common denominator.
OTOH, telnet, rlogin, et.al. are evil and should have been wiped out long ago. Go ssh! :)
it's not the protocols (Score:2)
That being said, I would hope that most other campuses have taken similar precautions against packet sniffing when they designed their networks. There's nothing really radical here, mostly using switches instead of hubs.
On a well designed network, choice of protocol should matter a lot less.
chris
poorly written article, misses the point, trolls (Score:3)
I have a feeling Simson was talking about creating privacy friendly policies about log files, and during that discussion he related that protocols like FTP leave traces in log files. The author of this article then misunderstood what he was talking about and came up with a standard troll leader.
And any article with a good troll headline gets posted to
the AC
Re:Listen security morons (Score:2)
As per smtp, uh yes it can send usernames in clear text. Look at the new RFCs. Thank God most people who implement smtp auth at least use some form of encryption.
To think that HTTP doesn't send passwords is just silly. Look at all the portal sites in the world. Most "common users" use the same password - and wow usually they are plain text. Most people don't even think about the option to "sign in securely" that most portal / chat / etc. sites use these days.
My Experience With This (Score:2)
At my school [iit.edu] they were going to do this during the fall semester of last year. They even went so far as to buy a 10,000 user site license for the Windows users so they could use SecureCRT.
Anyway, despite the fact I'm a unix sysadmin at work, I still was against this move. First of all, my school has a HUGE proportion of international students (somewhere around 35%). Some of these students are from countries where their legal status to use such encryption in the US is questionable at best. Secondly my school apparently hadn't compiled in the RSARef library and the sysadmin couldn't figure out how to do it. (When you pay $30K for a sysadmin you get a $30K sysadmin).
But the bigger issues were these. First of all, there was no suitable legal Macintosh SSH client at the time as NiftySSH apparently suffered from the same nasty patent problems. Secondly, most school systems have HUGE amounts of accounts (this system has 14000+ accounts on it), many of these have never been used and getting access via a default password (usually last.first or social security numbers at most places) is trivial.
Turning off telnet then only really makes it a headache for people who can't get SSH, or who go home for the weekend and don't have an SSH client. It doesn't address the poorly configured log files which are the real problem in the first place.
As a postscript, my school has now implemented some crappy java/html insecure mail system which makes it easier to read other people's email because now it's sent all at once and you don't have to filter out the cursor keys in sniffit logs.
It's true, if SSH were available for every platform, freely (FAIB and FAIS) then this would be good, but it's not, telnet and FTP are.
Re:Doesn't answer FTP problem (Score:2)
that's the only one i know of, but it works well enough for me to replace ftp with it whenever i'm going over an unsecured network.
chris
Going far enough? (Score:2)
From the article:
Garfinkel was arguing that FTP and Telnet are insecure partially because the servers can run log files, which can then be used by crackers. But then, he goes on to say that web search forms have the same problem (see quoted paragraph above). So why isn't he urging the colleges to consider shutting down HTTP as well? Heck, log files must be on every server, so block TCP/IP while you're at it!
I think it's been posted before, but the answer isn't removing access to various protocols. Colleges ought to give out a pamphlet of basic security measures to every incoming student, a sort of primer on protecting your computer from crackers. Maybe even provide firewall software for their students? Let's face it: most of them aren't going to know anything about computer security, and it's probably their first time they have a high-bandwidth always-on connection.
FTP, Telnet, and all the other protocols are useful in one way or another. The potential for misuse shouldn't lead to banning them or blocking them.
User education is key. (Score:2)
The department had continued problems, though, with students too lazy to install ssh clients on their own desktops who would telnet into one of the other campus Unix machines and then ssh into the CS servers. Of course, this completely defeats the security. Warnings and reprimands didn't work; the staff eventually had to implement automatic filtering to stop people from doing this.
Poorly-behaved users will make any security scheme worthless. The most important thing IT departments can do to improve their security is help users understand why it's important, and what they can do to help. Many students don't realize that when they leave their own box insecure or broadcast their own password over the network, they are not only endangering themselves. A single weak point on a LAN endangers everyone, and makes it easier for an attacker to breach every other box on the network. Keeping your own accounts and connections secure is part of being a good neighbor to those whose systems you share.
This is less rational than banning Napster (Score:2)
Re:Doesn't answer FTP problem (Score:2)
For MacOS, there's NiftyTelnetSSH [lysator.liu.se], which includes SCP support. (and decent, fast terminal emulation, unlike NCSA telnet.)
All these programs are gratis, but NiftyTelnet might not be libre. (PuTTY and pscp are.)
For Unix, of course, there's OpenSSH [openssh.com].
For VMS, there's an FAQ [stacken.kth.se], which recommends a server [ohio-state.edu] and a client [free.lp.se].
#define X(x,y) x##y
Unsecured Telnet on College Campuses (Score:2)
The problem is not just that this is a security issue, but that providing what amounts to unrestricted access to academic records is a violation of the Buckley Amendment. This school, and countless others are putting the academic records of their students at risk. Students should really be the most vocal critics of these schools, demanding that their academic records be afforded the protection that they deserve, and that the law requires.
Re:Half-good, half-bad (Score:2)
Doesn't answer FTP problem (Score:4)
Read the article (Score:2)
This is not a 'ban ftp' thing but merely a take care and always read the security announcements.
I only use SSH and SCP to access hosting service (Score:2)
There are not many web hosting services that allow you shell access at all, let alone secure shell. One that does is the one I use, Seagull Networks [seagull.net].
The funny thing is I use SCP to upload my web pages. Anyone on the net who wants to can look at my web pages after they're uploaded, but they won't have my password.
Do you use a different password for important sites like your web host from the many websites out there that require passwords for you to register for some service? Good.
Even better is if you use a different password for every website you register on, because some of the websites offering some useful service may be doing double duty as password stealers.
Since most people use the same password everywhere a site can give you, say, a free trial of some porn in return for your password and email and then hack your account.
I would suggest that any university or company do what Apple did when I worked there and require the combination of a password and a cryptographically generated key that's made by some device.
At Apple I had a little credit-card device that showed a different password each minute. I think they basically calculate a new secure hash every minute from the old one, combined with a password that's programmed into the unit but not visible to the user.
See my page on why everyone should use encryption [goingware.com].
SSH Banned (Score:2)
The answer: Yeshiva University which stopped allowing SSH access to the main e-mail server. I heard the reason they gave was they wanted to be able to monitor who was logging on to the system or something like that.
Don't ask.
Banning them is only a half solution (Score:5)
The problem is not with the two protocols in themselves, but more with network administrators that don't have the time or concern to implement the full range of security measures that are required to make them safe.
Not allowing FTP or Telnet to be used will increase the security for wide-open systems to an extent, but a dedicated cracker will find a way in anyway if they really want to. The trick is to make it hard enough so as not to be worth the effort, and there are a lot more things which should be done before banning FTP and Telnet will help secure a network.
And on an offtopic note, what the Hell has been happening with /. today? It comes on for ten minutes, dies for an hour and then repeats... is it anything to do with the 1.05 slash code update?
---
Jon E. Erikson
Simpson G. usually seems so reasonable (Score:2)
The problem is just what SG says-- there ARE ways to encrypt traffic and make personal data more secure, but there is no infrastructure (in terms of human support and resources for teaching the end-user about these things).
FTP Password encryption only??? (Score:2)
What I would like to see is a "less secure" secure FTP protocol that would scramble user/password transactions ONLY, and let the files transfer in "plaintext". Or just amend the FTP protocol so that regular FTP servers can be configured to demand this.
A bigger problem... (Score:5)
The real solution is to ban nothing, and try to educate the users about security. Little things like, "turn off inetd," "disable sharing," "if you do share, give it a good password," etc. Colleges throw persistent megabit connections at their students without so much as a flyer for common security issues.
College-level system ignorance. (Score:2)
I work at a University (I won't say which one for fear of job safety) that has repeatedly made ignorant security decisions like the one above. The first was to disallow outside access to all ports less than or equal to 1024 (except for those machines in the server farm). While this can arguably make sense, it's painfully annoying when trying to get on irc.
Yes, I stopped caring about trying to get directly on irc and just used a shell. Not having ident is extremely painful at times, though, I must tell you.
The second ignorant decision? Firewalling off ICQ. Yes, ICQ. Apparently ICQ presents such an amazing security risk that they cannot allow students to use it on their own computers. Naturally, I used a previously mentioned shell to run a socks5 proxy, but that's not the issue. Most people wouldn't do such things. They think that all security is the responsibility of the network administrator, and not the end user.
I should mention that they advocate the use of AIM, and use nothing but Netscape on the network right now....
Are IT professionals at colleges as ignorant as they appear to be? I find it hard to believe that people who set up a heterogeneous network of solaris, linux, aix, windows nt, and macos x servers using an oc3 uplink and fiber optic backbone connections between buildings could think that ICQ was enough of a security risk to justify firewalling it off.
Then again, they blocked port 4000 altogether.
Maybe it is possible.
--
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
Re:funny? (Score:2)
Yup, this article didn't deserve a precious post on slashdot. By posting this worthless troll, a jon katz article may have been rejected. What a shame
the funny AC
Not bloody likely (Score:5)
They're not going to ban Telnet and FTP, and the article doesn't call for that. What the article is calling for is to ban the practice of unsecured Telnet and FTP, something highly advised at schools such as mine [cmu.edu].
According to the article, many colleges don't set proper access restrictions on log files containing vital information, so those files may even be indexed when a user does a search on the school's web site. That's just stupid, as any admin can see. Furthermore, most students, even at privacy-minded schools like mine, don't bother with using encrypted Telnet or FTP sessions. They figure nobody's out to get them, and so they don't need to authenticate. My next-door neighbor, before getting effectively kicked out of the school, wound up sniffing all of the passwords of everyone on our subnet who even once logged in unencrypted. While he didn't use that data for malicious purposes, a more unscrupulous character could easily publish them.
Here's a kludgy workaround: (Score:2)
Step 2: login anonymously, upload to
Step 3: ssh in, mv the files, chown/chgrp/chmod them, and decrypt them.
Re:Half-good, half-bad (Score:2)
Anyway, this PC got cracked very easily (the obvious fact that it had a floppy drive on it to do the ftp also meant it was bootable via that) and a password sniffer was installed, thereby getting everyone's password when they used the FTP program to get their files via FTP from the HP network.
They caught the guy very quickly though. I can't remember how now, but it was easy because he was local.
I'm blathering anyway.. but I agree with the above two posts that yes, universities are 'almost' as bad as the real world.
--
Re:yeah...everyone is a techie! (Score:2)
So how do you prevent people from sniffing web-mail passwords?
Interesting Argument (Score:2)
An unskilled administrator will use Telnet.
An unskilled administrator is a risk. (They're also called 'students', but who's counting?)
People actually shouldn't be telnetting in from the outside world, and I'm starting to flat out distrust wu-ftpd. Banning servers at all on campus would violate the purpose of the university, and the rather nice job market facing college interns and graduates who cut their teeth on their home networks is nothing to sneeze at.
Not particularly sure about my position on this. Comments appreciated.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:banning telnet and ftp makes sense (Score:2)
And we all know how useful that network would be...
In their eyes of, oh, say, Mattel, or AOL/Time Warner, or the RIAA/MPAA - the PERFECT NETWORK. Or at the least, a step towards the perfect network. The perfect network being a one-way path for the delivery of useless content surrounded by propaganda and advertising, all of which can be relentlessly pushed down the pipe, and where control of content/criticism and speech is absolute. What better place to start than in the schools? Today's users will never accept it, but the next generation...?
"I will gladly pay you today, sir, and eat up
Re:If you block it, at least do it right. (Score:3)
Re:For that matter... (Score:2)
The best thing about a Java implementation is that you can run it off anybody's computer without a lot of grumpy installation. I've always missed SSH when I've come to some random, locked-down machine.
-Lars
interesting idea, but I don't like it (Score:2)
What I think they are talking about is the tightening down of services on Campuses, since they're very prone to attacks and abuses. They are encouraging campuses to instead require students to make use of POP / IMAP for mail, Instant Messengers for communication (instead of the online talk / write), of remote GUI's or client applications for access to other types of services such as databases / statistical packages.
The advantage is both the additional security of the main information servers and the alleviation of load, especially since desktops are a hell of a lot more powerful today than ever before. So much so, that the lag from a telnet window on a heavily loaded machine can be almost unbearable.
The only way this could work is if there were separate CIS / scientific networks that could still take full advantage of UNIX services like telnet. Just try taking telnet away from a CIS department and see how far you get. So long as the information contained in these extraneous networks were segmented, and contain a minimal number of accounts and services, the intention of this movement would be upheld.
From my point of view, however, removing telnet and FTP cripples the power of UNIX. First and foremost, you lose seamless remote administration, which is the main advantage over NT as far as I'm concerned. Next it'll remove familiarity of UNIX from future generations of college graduates, which in the work place would make it harder to find those with such experience; a good number of people stay in Windows as it is. I believe the main reason that a lot of people opt for Linux is because they want to have the sort of power that they're used to on campus on their own desktop. Being shielded from this technology might diminish potential future Linux devotees. It just smells too much like a windows promotion to me.
Why can't this be defeated by Spamming? (Score:2)
Perhaps the marketplace of ideas requires antitrust laws, too?
Second that! (Score:4)
No evidence (Score:2)
Fortunately, most of the people that are too clueless to protect their own privacy are also too clueless to configure their machines to reveal too much about themselves. And none of those people are able to type telnet, let alone actually use it.
<sinister-conspiracy> Perhaps banning the protocols is part of a deeper plot by the RIAA to prevent thieves from obtaining Napster and other burglary tools... :-) </sinister-conspiracy>
yeah...everyone is a techie! (Score:3)
Telnet...what's that? Just about one of two ways for most .edu's to get their e-mail. Either use a mail client, or just telnet in. And what if you wanted to check your mail remotely. What are you going to tell them? NO, you can't! Sure you will.
I am at NYU, and they will shortly be migrating to this HUGE Sun computer that is going to handle the web-site, mail, etc, etc. They will be removing Telnet access, but they are enabling web-mail, so there is still a way to get mail remotely.
Anyway, in short, I think this story is the same as "patenting the <a href=*> idea."
Also, all .edu's are Internet2, so they are faster than most mirrors, which is great for me when I want to install something new. So let's get rid of all that. We don't like fast FTP access, because they are hacker prone. Hey...EVERYTHING is hacker prone, so people should stop crying!
BTDT (Score:2)
banning telnet and ftp makes sense (Score:3)
reasons. if you are providing people with more secure alternatives that provide the same functions (ssh, scp, etc) then fine!
Telnet and ftp are inherently insecure protocols designed for an age where everyone knew everyone else on a single network. those days are gone now...
Re:PuTTY (was Re:For that matter...) (Score:2)
Together with OpenSSH for Linux (where I SSH to), I'm a happy camper
--
Add, don't subtract. (Score:2)
SSH, not just for breakfast anymore (Score:3)
Having been the Network Administrator for a satellite campus of a large University, I am all too aware of the problems with security on university computers. We have to balance between keeping intruders out, and providing enough access for students and faculty to use the systems. The university environment presents a unique challenge.
To disable telnet and FTP access and believe it will curtail most or all unauthorized access to these computers is as short-sighted as companies purchasing firewalls and believing that they are complete security. A firewall only prevents some kinds of attacks.
The real answer, as in most anything, is better education. Network and system administrators need to be more aware of security issues, and deal with them at the host/server/PC level. Don't need filesharing on a PC, turn it off! Don't need rexec access, turn it off! Watch the system like your job depends on it; eternal vigilance.
Just because IT professionals are paid well doesn't give us an excuse to neglect our duties.
Re:SSH Banned (Score:2)
My school [www.wlu.ca] refuses to implement SSH as well.
I'm no BOFH (and so don't know for sure), but is adding SSL to your system a big deal? Once I found the packages, I had openssl and secure replacements for telnet, telnetd, lynx, and w3m installed in (literally) 15 minutes on my linux box. (School runs Solaris(tm) though...)
Maybe colleges should ban idiots? (Score:3)
There are far more uses for Telnet, and FTP than simply high wiring it in to a college campus, so you can run TRW reports on students 6 months behind on college loans.
Network Security is a rapidly expanding business in this world, regardless of what planet that "expert" is from. Numerous resources are out there for free, let alone at a fair cost, that, when properly implemented, make such information damn near impossible to get to.
The idea that every network connected to the outside is 100% secure IS a fallacy. But then, the idea that people who know what the hell they are doing are actually interested in getting a bit o info on a student.
One of the main concepts of target hardening (AKA Network Security) is not to totally prevent. Make the perp look for an easier target.
krystal_blade
Re:FTP Replacement (Score:2)
http://www.xbill.org/sftp/
http://rpmfind.net/linux/RPM/sftp.html
The professional has good reasons but... (Score:2)
So while he may recommend replacing Telnet and FTP internally with secure protocols, the "Followers of the all knowing and all powerful expert" will go ripping FTP and Telnet clients out of boxes screaming of "Security hazards".
Give it a week and you'll hear about FTP and Telnet click viruses (Think 'I-Lov-U'.. or better yet think 'Good times') infecting everyone. (No actual virus, just rumors).
Napster aside... we are talking about a group who think banning Unix as a security risk is a good idea and then install Windows in its place.
"We are protecting you from all those nasty Unix emplots... someone could hack into your box from remote and... oh dam.. anyone know what back oraface is?"
I say teach students security issues and let them fend for themselves. I mean geez. Trial by fire.... no better way to learn... Oh yeah and take your box off the network when you need to study.. just in case...
Re:For that matter... (Score:5)
I don't mean to get alarmist, but the biggest thing that scares me about this is the fact that it wasn't a workplace, or a repressed nation, or a government agency that was approached with these "solutions" - it was schools. Campuses. Institutes of higher learning, where people go to get an education. You know, where the frontline of defense of our rights has always been held, by protest or otherwise.
Sorry, but did you even read the article? The presentation that is alluded to in the story places a strong emphasis on the rights of individuals; especially on the privacy perspective.
The point seemed, to me at least, that telnet and ftp were (for campus networks) very insecure protocols. Anyone who's ever run a packet sniffer on a shared media ethernet can testify to this. Yes, ideally all the college residential networks would be switched, or protected by Need-To-Know scrambling hubs (cf. 3Com SuperStack II PS). However, this equipment tends to be more expensive than 'dumb' hubs, and wiring of accommodation does tend to be a lower priority from the funding perspective.
We're now seeing students running Linux boxes from their dorm rooms, connected to such shared networks. We'll assume that their honesty isn't in question (however spurious such an assumption may be!); the fact still remains that such boxes are frequently ill-maintained and the subject of frequent root exploits. Once you've rooted a machine on a shared media network that runs a lot of telnet/pop/ftp, it's trivial to harvest large numbers of passwords: and don't say it doesn't happen, because I know for a fact that it does.
Given that SSH implementations are now available on most any platform you care to mention, telnet should rightly be regarded as a legacy protocol. Anonymous ftp obviously has its place, but the 'nonymous' version could easily be supplanted by SCP style functionality.
Besides, aside from physically SHUTTING DOWN the entire internet (an impossible feat if there ever was one by now) how can they protect us from ourselves, as they seem to feel they need to?
I don't get the impression that what's being talked about is 'protecting' the tech-savvy user from themselves; but rather protecting the typical user from their ignorance. There isn't a good reason to retain telnet for passworded account logins; spewing off about shutting down such services effectively being the thin end of a wedge that ends with 'SHUTTING DOWN' the internet; well, that just looks silly.
I agree wholeheartedly with the presenter's point: I'd go one step further - it's not just telnet and ftp that present the problem; IMAP and POP are also generally insecure, not to speak of the numerous HTTP-based webmail services. The solution here is less clear-cut: nice alternatives like SSH are not widely available. Roll on IPv6 and network-level encryption, eh?
Cheers, Nick.
Re:Doesn't answer FTP problem (Score:2)
Now that's exactly what I've been looking for and have been unable to find. Thanks for the tip. Now I've got to try it out on our local servers. Hopefully this should work just fine.
Re:For that matter... (Score:2)
Re:For that matter... (Score:5)
Re:For that matter... (Score:2)
--
Change is inevitable.
And they are supposed to do what? (Score:2)
Banning these would be a great idea (Score:2)
You see the problem is that the use of "password in the clear" protocols allows one person's poor maintenance to undermine many other hosts that are just accessed via the original host's network.
Keep in mind, anonymous ftp and telnet for use of anonymous services isn't really the issue. I wouldn't even block the ports on a router. Instead, I'd simply institute the policy of scanning the network and coming down hard on anyone running the daemon. Not perfect, but doable.
Re:Simpson G. usually seems so reasonable (Score:2)
I know that at my school, they do offer SSH (but if you go to the CCC (College Computer Center) web area (off the main site) they suggest using telnet for everything, including changing one's password). Great. Well, I've got a new password set up now that I use only through SSH once I learned why telnet was a bad idea...
Which is all well and good, but then I get to access my e-mail using said password via either pine on an SSH terminal (safe) or... POP3. Great, I just love sending my password over the network in plain text. Now I think I understand why most of the Linux geeks on campus use their own mail servers. (We get DNS entries at my college, along with semi-static IPs - the IPs change every year. And yes, we are allowed to host webservers et al. Even better, there's no firewall. After most breaks, we get the horror stories of the few people whose boxes got cracked.)
Re:Half-good, half-bad (Score:5)
This is a very good thing IMO. For too long the general attitude has been "Don't use encryption unless you have to" when it should be "always use encryption unless you have a reason not to"
This has led to several bad things:
- Those sensible enough to use encryption by default (such as PGP for mail) for their communications are treated like they have "something to hide" by some.
- Because only a minority use encryption technologies instead of their more widespread unencrypted counterparts, governments find themselves able to legally force this to continue with draconian anti-encryption bills. (RIP bill in the UK soon to be passed? - see http://stand.org.uk)
The sooner the masses are educated about the advantages of using encryption more in ssh, for file xfer, for mail, and everything else the better. Where better to start the ball rolling than in universities.
Re:For that matter... (Score:2)
He's not saying that providing remote login and file transfer services is bad; he's saying that telnet and non-anonymous FTP are bad.
ssh and scp can completely replace them.
Anonymous FTP can be left for transfer of publicly-accessible files, although HTTP might be better.
--
One Time Passwords + sudo (Score:2)
Unfortunately, not every place has SSH. And sometimes SSH is simply overkill. If I just want to check my email, I don't care too much if someone along the pipe sees me deleting 10 messages on how to "make money fast!", but I don't want them sniffing my password. So, a one time password system is an ideal solution - if someone intercepts it, it's useless anyway. And it only requires installation on the server side. And if I want to do admin-type work, sudo also takes a one time password which again keeps my password secure.
In a perfect world, SSH would be everywhere. But in the meantime, one time password systems aren't a bad compromise for when your password is vital, but the data you're dealing with isn't.
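The server-side one-time password scheme described in this post, and the "new hash computed from the old one" idea in the earlier token-device post, can both be illustrated with a Lamport/S/Key-style hash chain (the credit-card token is the time-synchronised variant; this is the counter-based one that needs only a server-side install). This is an added example, not code from either poster: the user name, seed handling and chain length are constructed, and SHA-256 stands in for the hash of classic S/Key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def _h(data: bytes) -> bytes:
    # One step of the chain (constructed choice: SHA-256 instead of S/Key's hash).
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [seed, h(seed), h(h(seed)), ..., h^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OTPServer:
    """Server side: stores only the top of each user's chain, never the seed."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[int, bytes]] = {}  # user -> (uses left, last accepted)

    def enroll(self, user: str, seed: bytes, n: int) -> None:
        self.users[user] = (n, make_chain(seed, n)[-1])

    def verify(self, user: str, candidate: bytes) -> bool:
        entry = self.users.get(user)
        if entry is None:
            return False
        remaining, last = entry
        if remaining <= 0:
            return False  # chain used up; the user must re-enroll with a fresh seed
        # Valid iff hashing the offered value once yields the value we stored last.
        if not hmac.compare_digest(_h(candidate), last):
            return False  # wrong password, or a replay of one already consumed
        self.users[user] = (remaining - 1, candidate)
        return True


class OTPClient:
    """Client side (or a printed list): walks the chain downward, one use each."""

    def __init__(self, seed: bytes, n: int) -> None:
        self._chain = make_chain(seed, n)
        self._next = n - 1

    def next_password(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
        pw = self._chain[self._next]
        self._next -= 1
        return pw


def demo() -> Tuple[bool, bool, bool]:
    """Login, replay of the sniffed password, then the next login."""
    seed = secrets.token_bytes(16)  # constructed; S/Key derives it from passphrase + salt
    server = OTPServer()
    server.enroll("alice", seed, 5)
    client = OTPClient(seed, 5)
    p1 = client.next_password()
    first = server.verify("alice", p1)
    replayed = server.verify("alice", p1)  # what a sniffer on the wire would try
    second = server.verify("alice", client.next_password())
    return first, replayed, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The replay fails because the server now holds h^4(seed) and hashing the captured h^4(seed) once gives h^5(seed), not h^4(seed); nothing on the wire lets an eavesdropper invert the hash to get h^3(seed).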
Re:Goodbye quick and easy access (Score:2)
It makes sense (Score:2)
--
Full Time Idiot and Miserable Sod
Re:No evidence (Score:3)
"Did you type telnet?"
"Yes, I typed telenet."
"No, telnet: t-e-l-n-e-t."
"OK... t-e-l-e-n-e-t, telenet. No, it still doesn't work..."
SFTP Re:What alternative to FTP? (Score:2)
--
Re:Listen security morons (Score:3)
Exactly.
I'd be a lot more concerned about POP3 than telnet. Last year at my school it was discovered that someone managed to get the passwords of nearly half the students simply by sniffing the POP3 packets. (One could of course argue that this could have been achieved via simply sniffing all packets--people generally have the same password for POP email as they do for telnet and FTP--but my point is that it was found that a LOT of people on campus use POP clients to read their email. Far more people use POP to read email rather than simply ssh'ing in and using pine (my preferred method, which is significantly more secure).)
I'm aware that most POP clients provide support for client-server encryption so the passwords are not sent plaintext, but my school never quite seemed to think that was worth the trouble, even though the vast majority of people are comp. sci. students who could probably handle such additional complexities with ease.
The fix to "all this" is *not* to ban protocols or limit the availability of services to students. Students subsidize the campus information infrastructure through their fees and tuition. The solution is to educate everyone on campus--faculty, staff and students--to use encryption whenever reasonably possible (ssh is not non user-friendly or invasive), and to use strong passwords. A lot of script kiddies and not-so-good hackers are born as a result of a campus trying to limit students' capabilities.
At the very least, I know a lot of people (myself included) who would have a few words to say to those in charge if it were decided that banning things, rather than employing workarounds or educating the people, was the correct solution.
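A defensive counterpart to the observation above, added here as an example that is not code from the poster: an audit over flow records that counts, per client host, sessions to protocols that send the password in the clear (telnet, FTP, POP3, IMAP) against their encrypted replacements, so an administrator knows whom to educate rather than what to ban. The log format, hosts and the replacement suggestions are constructed; flow data cannot tell anonymous FTP from passworded FTP, so port 21 is only flagged for review.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Destination ports whose standard protocols carry the password in plaintext,
# paired with the encrypted alternative to point the user at (constructed advice).
CLEARTEXT_AUTH_PORTS = {
    23: ("telnet", "ssh"),
    21: ("ftp", "scp/sftp (review: may be anonymous ftp)"),
    110: ("pop3", "pop3s or ssh+pine"),
    143: ("imap", "imaps"),
}
PROTO_ADVICE = {name: alt for name, alt in CLEARTEXT_AUTH_PORTS.values()}
ENCRYPTED_PORTS = {22: "ssh", 995: "pop3s", 993: "imaps"}

# Constructed flow records, one TCP session per line (not real data).
SAMPLE_FLOWS = """\
2001-03-05T08:01:12 src=10.20.1.15 dst=10.20.0.5 dport=110 proto=tcp
2001-03-05T08:01:40 src=10.20.1.15 dst=10.20.0.5 dport=110 proto=tcp
2001-03-05T08:02:03 src=10.20.1.22 dst=10.20.0.5 dport=22 proto=tcp
2001-03-05T08:03:10 src=10.20.1.15 dst=10.20.0.9 dport=23 proto=tcp
2001-03-05T08:04:55 src=10.20.1.31 dst=10.20.0.5 dport=995 proto=tcp
2001-03-05T08:05:01 src=10.20.1.31 dst=10.20.0.9 dport=21 proto=tcp
2001-03-05T08:05:30 src=10.20.1.22 dst=10.20.0.9 dport=80 proto=tcp
this line is malformed and must be skipped, not crash the audit
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")


def audit(flow_text: str) -> Dict[str, dict]:
    """Per source host: counts of cleartext-auth sessions by protocol, and encrypted ones."""
    report: Dict[str, dict] = defaultdict(
        lambda: {"cleartext": defaultdict(int), "encrypted": 0}
    )
    for line in flow_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparseable record: skip rather than fail the whole run
        src, dport = m.group(1), int(m.group(3))
        if dport in CLEARTEXT_AUTH_PORTS:
            proto, _ = CLEARTEXT_AUTH_PORTS[dport]
            report[src]["cleartext"][proto] += 1
        elif dport in ENCRYPTED_PORTS:
            report[src]["encrypted"] += 1
        # any other port (http, etc.) is outside this audit's scope
    return report


def hosts_needing_attention(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Hosts that used any cleartext-auth protocol, with the replacements to suggest."""
    out: Dict[str, List[str]] = {}
    for src, info in report.items():
        if info["cleartext"]:
            out[src] = sorted({PROTO_ADVICE[p] for p in info["cleartext"]})
    return out


if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for host, advice in hosts_needing_attention(result).items():
        clear = dict(result[host]["cleartext"])
        print(f"{host}: cleartext sessions {clear}, suggest {advice}")
```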
insecure because of plaintext, not stack (Score:2)
I emphasize *standard* because I'm a "security moron" who uses telnet and FTP. Of course, both of these programs use Kerberos authentication so the password is not sent in plaintext. Man-in-the-middle attacks are believed to be impossible, due to the mutual authentication. Playback attacks are impossible outside of the narrow window defined by the clock skew parameter - less than a minute.
Re:Doesn't answer FTP problem (Score:2)
True Story (or, a personal way of being redundant) (Score:5)
The person's password was sniffed on the university side, and the cracker was able to log into my machine using the user's account. About 18 hours later (too long, I know) I noticed the intrusion because the time of the cracker's logins didn't match up with the user's usual pattern which I luckily happened to know.
After calling the real user up and confirming that there was a problem, we found some kind of nohup daemon running called "bash" in the
After cleaning up the system, changing passwords, and mandating the use of SSH (especially with RSA authentication) I didn't have any more problems. A few weeks later the affected user received an email-advertisement for sniffit from an anonymous source at her university email box.
Much later, I received an email from a German university saying that someone had broken into their servers from a variety of sites, one of them was mine. The date they claimed matched up with the date of the intrusion. They said that the cracker had installed a modified IRC eggdrop bot with root privileges at a certain port, and that these bots were also apparently still running on most of the systems that the cracker had logged in from. Sure enough, the ivy league university was on the list.
I tried sending them mail on a few different occasions, but never got a response. I guess the point of this rant is that universities have terrible security and that banning inherently insecure protocols when secure alternatives exist is a good idea for EVERYONE, not just the people at the university. Sure it was a pain converting my userbase from ftp and telnet to ssh and ftp-over-ssh / scp / full VPN but it was well worth it and was a one-shot issue.
-OT
Re:SSH Banned (Score:2)
The only difference from an official sshd install is that it will run on a 1024+ port and only work for you.
Johan