[1856] in SIPB_Linux_Development
Network Defense Forum minutes
daemon@ATHENA.MIT.EDU (Elliot Schwartz)
Thu Oct 9 22:02:33 1997
To: net-defense@MIT.EDU, linux-dev@MIT.EDU, net-security@MIT.EDU,
network@MIT.EDU
Cc: rjbarbal@MIT.EDU, michael@MIT.EDU, efoo@MIT.EDU, fubob@MIT.EDU,
mycroft@MIT.EDU, jhawk@MIT.EDU, khsiao@MIT.EDU, kwi@MIT.EDU,
kylee@MIT.EDU, bobmah@MIT.EDU, minoru@MIT.EDU, kmccorm@MIT.EDU,
pmccormi@MIT.EDU, nygren@MIT.EDU, adparker@MIT.EDU, mhpower@MIT.EDU,
kcr@MIT.EDU, jsrobert@MIT.EDU, bdrosen@MIT.EDU, rovnyak@ccnmr.mit.edu,
doval@MIT.EDU, elliot@MIT.EDU, ashah@MIT.EDU, sit@MIT.EDU, amu@MIT.EDU,
danw@MIT.EDU, aidan@MIT.EDU, jrb@MIT.EDU, ndf@MIT.EDU,
katyking@MIT.EDU, arma@MIT.EDU, deberg@MIT.EDU, rgmisra@MIT.EDU,
rhs@MIT.EDU, lin@MIT.EDU, markman@MIT.EDU, jsrobert@MIT.EDU,
dalie@MIT.EDU
Date: Thu, 09 Oct 1997 22:02:00 EDT
From: Elliot Schwartz <elliot@MIT.EDU>
These minutes are also available on Athena in:
/mit/elliot/Public/net-defense.97.10.09
Or on the web at:
http://web.mit.edu/elliot/Public/net-defense.97.10.09
Regards,
elliot
===
Minutes of the Network Defense Forum
5:00 pm, October 9, 1997
Attendees (name, e-mail, affiliation)
-------------------------------------
Richard J. Barbalace, rjbarbal
Michael L. Barrow, michael, IS (netops)
Edwin Foo, efoo, IS (RCC)
Kevin Fu, fubob, IS/SIPB/RCC
Charles Hannum, mycroft, SIPB (netbsd-dev)
John Hawkinson, jhawk, SIPB
Kai-yuh Hsiao, khsiao
Kyle Inhols, kwi, owner of hacked linux box
Kenneth Lee, kylee, RCC
Bob Mahoney, bobmah, IS (netops)
David Matsumoto, minoru
Kevin McCormick, kmccorm, TEP
Pat McCormick, pmccormi, IS
Erik Nygren, nygren, SIPB (linux-dev)
Andrew Parker, adparker
Matt Power, mhpower, SIPB
Karl Ramm, kcr, IS (ASO)
James Robertson, jsrobert
Brett Rosen, bdrosen, IS (athena/RCC)
David Rovnyak, rovnyak@ccnmr.mit.edu, Chemistry
Abel Sanchez, doval, IESL
Elliot Schwartz, elliot, SIPB
Archit Shah, ashah
Emil Sit, sit, IS/SIPB
Aaron Ucko, amu, SIPB (linux-dev)
Dan Winship, danw, IS (dev/ops)
Aidan, aidan
Jonathan, jrb
Introduction - Erik Nygren <nygren@mit.edu>
-------------------------------------------
The problem:
MIT runs an open network and lots of people are running linux now.
Non-expert hackers outside of MIT are breaking into machines using standard
techniques and installing sniffers to collect passwords. Since these people
don't necessarily have much expertise, it's not really worthwhile catching
them; we're better off just protecting ourselves against them. Unfortunately
most machines aren't maintained by people who care about security, and it
only takes one insecure machine on a subnet to cause problems.
There are a few technical solutions that we can take:
1. Use "safe" applications, e.g. ssh, kerberized telnet
2. Fix bugs that allow people to get root access
However, we need to overcome social problems to get these to work.
In particular, we need to make it easy for people to "do the right thing",
as well as find out about the right thing.
This meeting is to let us coordinate and discuss our solution to this problem.
MIT Network Operations - Bob Mahoney, Michael Barrow, Dan Winship
-----------------------------------------------------------------
- The net-security list (net-security@mit.edu) is staffed with technical & support people.
Incidents should be reported here so we can keep track of them,
but don't necessarily expect we'll solve all your problems.
Feel free to ask to meet in person or send PGP-encrypted e-mail if
you need to pass on private information.
We'll take things seriously, but we're concerned with preventative
medicine, not catching people. Don't assume we don't know what the
problem is or that we don't care.
- We've been working on getting missing secure applications written.
We've been working on talking to lawyers re: software licenses.
If there are things you need from us, or contributions you'd like to make
to solving the problem, come talk to us.
- We turn off drops of people whose machines become real problems, and don't
turn them back on until they've been read the riot act.
- KERBEROS: We've started building distributions of kerberos for non-Athena
platforms; these are available in the net-security locker. We've been
working on kerberized ftp for the dialups, however we don't know of any
free clients for Macs or PCs.
- SSH: There will also be ssh in the net-security locker. We've been working
on an sshd that does all the athena login stuff to run on the dialups;
hopefully this will go into testing on the dialups next week. This will work
with stock ssh clients, however we don't know of any free clients for
Macs or PCs. Let us know if you do.
- We're working on getting the path from the modem pool to the dialups
encrypted.
- ktelnet for Win95 is broken (it only works sometimes). A new version of
the installer which fixes this is being prepared. For now, you can connect
to a specific dialup by name and it will work.
- We're thinking about taking out an ad in the Tech to advertise these
problems. Also working on new awareness posters.
- We're looking for a Mac or Windows programmer with a lot of free time.
Linux Development - Aaron Ucko
------------------------------
SIPB maintains a Redhat Linux Distribution.
We're trying to get a release based on Redhat 4.2 out the door, RSN.
4.2 will be access-off by default.
Athena telnetd will probably run through tcpd for added logging.
People can install 4.2 beta now.
When Redhat posts new packages with bug fixes, we copy them to a locker on
Athena. Users should run the update script frequently. We may try to make this
more automatic with 4.2.
General Discussion
------------------
Problem: People not knowing their systems were broken into.
Problem: Many people at LCS and the AI lab telnet to dialups and send their
         password in the clear (and vice versa).
Problem: Lack of secure file transfer capabilities.
         Enable anonymous ftp on a machine, drop off/pick up files
         there, and then turn off anonymous ftp. Or set a password
         and just use it once. However, this still fails the ease of
         use test.
Problem: Some old platforms aren't capable of running secure software.
Problem: Hackers were using dialup machines w/compromised accounts as a base
         for ping flooding systems on the Internet.
         Switch off unencrypted access to the dialups? Unfortunately,
         very few people do use encrypted access, so we'd be
         preventing many people from getting work done. However, this
         may be the only way to continue supporting dialups. (The
         temporary fix was to disable ping.)
Problem: Overseas researchers needing to use MIT computers.
         Install encryption software before you go, or pick up things
         available abroad. (Both kerberos and ssh are available
         abroad, even though MIT can't give it to people there.)
Problem: Security holes in random servers.
         Don't install and run every server (e.g. samba), only run
         those you need.
Problem: Users don't know what to do to make their machines secure.
         Give users simple step-by-step instructions. Have people
         attend the IAP security class. (Michael Barrow is interested
         in putting on the class several times.)
Problem: RCCs could help, but they're too busy (understaffed), the tools
         and documentation they need aren't available, and they haven't
         been trained to deal with security or linux.
Problem: Even people who could fix things (linux-dev, RCCs, etc.) don't have
         all the facts.
         The net-security list should keep the community up-to-date with
         what they learn so that people can help each other.
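Two of the points above (running telnetd through tcpd for logging, and only running the servers you actually need) can be checked mechanically. The following audit script is an added example, not something from the minutes or from Linux-Athena; it parses a constructed /etc/inetd.conf in the classic seven-field format and reports services that are enabled but not on a "needed" list, as well as services whose server path is not the tcpd wrapper (and so get no tcp_wrappers logging or access control).

```python
"""Audit an inetd.conf: list enabled services that are not needed and
services not wrapped by tcpd.  Example script, not part of Linux-Athena."""

# Constructed sample inetd.conf (not a real file from any host).
# Format: service socktype proto wait/nowait user server_path [args]
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd
netbios-ssn stream tcp nowait root   /usr/sbin/smbd  smbd
"""


def parse_inetd_conf(text):
    """Return (service, server_path, args) for every enabled (uncommented) line."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a service that is commented out (disabled)
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd would reject it, so ignore it here
        service, server_path = fields[0], fields[5]
        services.append((service, server_path, fields[6:]))
    return services


def audit_inetd(text, needed=("ftp", "telnet")):
    """Flag enabled services that are not needed, and those not run via tcpd.

    `needed` is the site's own list of services it wants exposed; the default
    here is an assumption for the example."""
    report = {"unneeded": [], "unwrapped": []}
    for service, server_path, _args in parse_inetd_conf(text):
        if service not in needed:
            report["unneeded"].append(service)
        if not server_path.endswith("/tcpd"):
            report["unwrapped"].append(service)  # no tcp_wrappers logging
    return report


if __name__ == "__main__":
    result = audit_inetd(SAMPLE_INETD_CONF)
    print("Enabled but not needed:", result["unneeded"])
    print("Not logged via tcpd:   ", result["unwrapped"])
```

A commented-out line such as the `shell` entry is treated as disabled, which is the state the minutes recommend for servers nobody needs.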
Other Resources
---------------
net-users@mit.edu
Contains announcements of updates and fixes to
Linux-Athena. All Linux-Athena users should subscribe. Add
yourself with "blanche linux-announce -a $USER".
linux-alert@redhat.com
Contains announcements of security holes in Linux. To
subscribe, send mail with "subscribe" as the subject to
linux-alert-request@redhat.com.
net-defense@mit.edu
Forum for the coordination, discussion, and improvement of
campus-wide network security. You can add yourself with
"blanche net-defense -a $USER". Archived in the net-defense
discuss meeting on bloom-picayune.mit.edu.
linux-security@redhat.com
Discusses security holes in Linux. To subscribe, send mail
with "subscribe" as the subject to
linux-security-request@redhat.com. Archived in the
net-defense discuss meeting on bloom-picayune.mit.edu.
netusers@mit.edu
Receives CERT advisories, announcements of downtime for
MITnet, etc. You can add yourself with "blanche netusers
-a $USER".
http://web.mit.edu/linux/www/
Linux-Athena website.
http://web.mit.edu/is/help/ktelnet/
Distribution site for kerberized telnet clients.
http://web.mit.edu/network/unix_security.html
Pointers for how to make a UN*X machine secure and how to
deal with break-ins.
http://www.ssh.org/
Pointers to ssh-related resources.
linux-help@mit.edu
Forum for asking questions specific to Linux-Athena. You can
add yourself with "blanche linux-help -a $USER". Archived in
the linux-help discuss meeting on charon.mit.edu.
/mit/internet-drafts/draft-ietf-ssh-users-03.txt
Site Security Handbook written expressly for "users". (The "ssh"
in this draft name is the IETF Site Security Handbook working
group, not the Secure Shell program.)
http://www.rootshell.com/
Simple ways hackers can break in.
The meeting was adjourned at 6:23 pm.