The Tech - Online EditionMIT's oldest and largest
newspaper & the first
newspaper published
on the web
Boston Weather: 71.0°F | Mostly Cloudy

Loopholes Loom Large in MITnet

By Ifung Lu and Eric Richard
Staff Reporters

First in a series dealing with security and privacy issues of MITnet.

The expansion of MITnet to include undergraduate dormitories and independent living groups has raised several security issues which many users feel have not been properly addressed.

"The key here is being an educated user and making intelligent choices about what a given medium should and should not be used for," said Steven R. Lerman, chair of the Academic Computing Council and former director of Project Athena.

"Students need to be aware of what the level of security is for data communications when they use Resnet or any other part of the MIT network," Lerman said.

In particular, the privacy of a user's password, electronic mail, zephyrgrams, and files can easily be compromised through the use of programs called network or packet "sniffers." These security risks are greater for Resnet users, although they also pertain to Athena users.

Many Resnet users said they are not sufficiently informed of the security risks associated with their network connection. They also said that they have not received information on responsible, secure usage.

"I think that [Information Systems] should have made this more of an issue. They told us a little about it, but not enough," said Levent M. Talgar '97. "It would be best if they told us initially about the problems."

Packet "sniffing" prevalent

While packet sniffing programs are legitimately used for network diagnostics, they can be used to read data to or from other users, said Michael Barrow '93, consultant for Distributed Computing and Network Services. In addition, they are commonly available and can be found on local AppleShare servers and on public Athena workstations.

"Packet sniffing is a potential problem on any of MIT's existing networks as well as virtually all networks other than those explicitly designed for secure communications," Lerman said.

These programs allow a user to read others' files, e-mail, and zephyrgrams as they travel over the network. "By default, all data to and from any Athena service other than passwords is sent clear text,' " Lerman said. "Any computer on the MIT network can examine any information that passes by' on the local subnet."

Additionally, passwords are not encrypted when a user uses Telnet or File Transfer Protocol to connect to a remote site, as they are when a user logs into an Athena workstation.

"If you Telnet, then you are toast. Anyone who can monitor the [network] can see your password," said Jeffery I. Schiller '79, network manager for DCNS, in a meeting with the Residential Computing Consultants.

It is not possible to detect snoops who use such utilities. "You can't [find out] if people are sniffing [your data]," Schiller said. "You don't know."

Resnet applications limited.

"Resnet is a necessary part of a computing infrastructure that makes it possible for students to do much of their computing in their residence rather than public clusters," said Lerman said.

However, "to the extent that people find they need to Telnet to get to a service, rather than using a service directly on their personal computer, they are forced to expose their password to the network," Jerome H. Saltzer, former technical director for Project Athena.

"Coincident with the introduction of Resnet, the entire Athena system could have been made available on the Macintosh and the PC. That availablilty would have reduced the problem substantially because passwords would then never leave the owner's workstation," Saltzer said.

"It is one of the biggest loopholes that they should have worked out before they put the system up," said Rodgerick Newhouse '96, a student connected to Resnet.

Lack of awareness also a problem

Many users connected to Resnet said they were unaware of the security issues involved and that IS never made them aware of the problems.

While security issues were discussed at introductory Resnet meetings held in Janurary and Februrary at each of the dormitories, very few students attended these meetings, Barrow said.

Of 16 Resnet users interviewed, only two said that IS had informed them of the issues. The others were either unaware of the problem or were exposed to these issues from other sources.

"When I hooked up to Resnet, they didn't mention anything to me," said Yi-Hsiu E. Chen '96, "I didn't know about those things. I think [IS] should make people aware."

Many students believe that IS should actively publicize security issues in order for students to better protect themselves.

"Somebody will find out about [packet sniffing]. People are not stupid around here," said Anand R. Radhakrishnan '96. "If I don't know about it, then I won't take the proper measures into account."

"People only hear [about these issues] after the problem has been found and solved," said an RCC who wished to remain anonymous. "There should be some kind of information, because completely hiding it increases paranoia. There needs to be a freer flow of information."

Education, technical fixes necessary

Many people agree that the best way to deal with the security issues is to educate users about the possible risks so that they can properly protect their data.

"Education is always the key to whatever solutions you have," Barrow said. "If people are sloppy, then the crackers will always get in. You can't have a purely technical solution. It has to be a complete solution or there will be a weak link in the system."

"As a general rule, I am in favor of the widest possible disclosure of security holes that are discovered," Saltzer said. "That is the best way to alert users of their vulnerability and also because it is the best way to bring pressure on the system designer to fix the vulnerability."

"People should know what data is available to the casual observer, and learn to protect anything which they feel no one should be able to see," Atkins said. "If users protect their information, then that limits the ability of attackers to use that information to their advantage."

In addition to educating users, IS is working on solutions to the problems, Barrow said. However, Barrow emphasized the development of a permanent, long term solution over a less secure, short term one.

"We don't want to just throw together some mish-mash thing and call it security," he said. "We don't bother with neat hacks.'People will figure them out."

Approximately two weeks ago, a version of the telnet program was installed on each of the dialup machines, which allows users to encrypt all of their data sent across the network. According to Erik L. Nygren '96, this telnet program is still being tested.

(Daniel C. Stevenson contributed to the reporting of this story.)