The Tech - Snowy Online Edition
MIT's oldest and largest newspaper & the first newspaper published on the web

How to Be Secure on MITnet

By Daniel C. Stevenson
Associate News Editor

The addition of dormitories and independent living groups to the MIT computer network greatly increases security threats to students' Athena accounts [see article, page 1]. To protect against these threats, there are several ways users can secure their accounts and files.

The main security threat results from the fact that users' data, including passwords, travel in unencrypted, or "clear," text packets across networks between computers. These data packets, which could contain electronic mail, zephyr messages, or passwords, can be read by users on other machines.

"My advice to computer users is not to use the network communications (be they on Athena or on other machines) for personal matters," said Stephen R. Lerman, former director of Project Athena. "If people want to communicate privately, they can encrypt their mail using standard utilities available on all Athena workstations."

Choose a good password

"The security of an Athena user's data is based on that user's password," Lerman said. "If a user selects a simple password or gives his password to someone else, there is no real security."

"Change your password often, and choose good passwords," said Gregory B. Hudson '96, vice-chairman of the Student Information Processing Board. Users should also avoid typing their passwords when logged on to Athena over a network, Hudson said, because the password travels as clear text.

If a user needs to telnet to a dialup server, Hudson recommends using ktelnet - a kerberized version of telnet - which is available for Macintosh computers on the SIPB Appleshare server.

This program allows for all the information sent across the network to be encrypted and allows users to log into the dialups without transmitting their password over the network in clear text. However, this option is only available for Resnet users running on Macintosh or Linux platforms.

A good password is easy to remember yet also obscure, according to the Athena "Guidelines for Choosing a Password." To make a password obscure, a user "might deliberately misspell a term or use an odd character in an otherwise familiar term," the guide says.

Safe passwords consist of a combination of letters and numbers of at least six characters in length, and should not be any kind of common name or word in a dictionary, according to the guide.
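The three rules quoted from the Athena guide (at least six characters, a mix of letters and numbers, and not a common name or dictionary word) can be turned into a checker. The following Go program is an added example, not code from the article or from Athena; the word list is a constructed stand-in for the dictionary a real checker would load, and the function names are this example's own. The dictionary test also strips digits and lowercases the candidate, so a dictionary word with a number bolted on is still rejected, which is one step beyond what the guide spells out.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// smallDictionary is a constructed stand-in for the word list a real checker
// would load; the guide rejects any common name or dictionary word.
var smallDictionary = map[string]bool{
	"password": true, "athena": true, "secret": true,
	"daniel": true, "boston": true, "mitnet": true,
}

// CheckPassword applies the guide's three rules and returns every rule the
// candidate fails; an empty slice means the password passes.
func CheckPassword(pw string) []string {
	var problems []string
	if len([]rune(pw)) < 6 {
		problems = append(problems, "shorter than six characters")
	}
	hasLetter, hasDigit := false, false
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		problems = append(problems, "needs both letters and numbers")
	}
	if isDictionaryWord(pw) {
		problems = append(problems, "is a common name or dictionary word")
	}
	return problems
}

// isDictionaryWord lowercases the candidate and also strips non-letters, so
// "Athena1" still counts as the dictionary word "athena" with a digit appended.
func isDictionaryWord(pw string) bool {
	lower := strings.ToLower(pw)
	if smallDictionary[lower] {
		return true
	}
	var letters strings.Builder
	for _, r := range lower {
		if unicode.IsLetter(r) {
			letters.WriteRune(r)
		}
	}
	return smallDictionary[letters.String()]
}

func main() {
	// Constructed candidates: a bare dictionary word, the same word with a
	// digit, a misspelled term with an odd character, and a too-short string.
	for _, pw := range []string{"athena", "Athena1", "kAt7fsh", "ab1"} {
		fmt.Printf("%-8s -> %v\n", pw, CheckPassword(pw))
	}
}
```

Only "kAt7fsh" passes: it is long enough, mixes letters and a digit, and is not a recognisable word, which matches the guide's advice to misspell a familiar term and add an odd character.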

"Never give your password to anyone under any circumstances, especially to people claiming to be system administrators," said Erik L. Nygren '96, a Course VI-3 major who often advises computer users. Systems administrators should never need to know a user's password, Nygren said.

Another security concern both in the Athena clusters and on MITnet is "packet sniffing." Using publicly available "snooping" programs, malicious users can read any data coming from or going to a particular computer on their local network, Hudson said.

"Avoid sending your password over the net in the clear" to prevent other users from snooping them, Nygren said.

Resnet users should try to use applications on a local machine whenever possible, said Michael L. Barrow '93, consultant for Distributed Computing and Network Services. "If they are using native applications, they won't be typing their passwords across the network."

Electronic mail vulnerable

"Probably the easiest and most malicious thing a disruptive user can do to another user's account is to forge e-mail from that user," Hudson said. Because electronic mail is not an authenticated service, a user does not need to know another user's password to send mail that appears to be from that user, Hudson said.

To protect electronic mail, users can encrypt their messages and sign them with digital signatures. "There are a number of programs available to students to help protect their data, and each program has its particular features that would make it desirable in certain applications," said Derek A. Atkins G, former chairman of SIPB.

"For e-mail there are a number of programs, like RIPEM and PGP which people can use to encrypt and sign e-mail to prevent snooping and spoofing [forging]," Atkins said. "These [programs] allow users to send messages so that only the intended recipients can read them and also allow users to digitally sign the messages so that everyone knows that that message came from the user."
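The two properties Atkins describes, that only the intended recipient can read a message and that everyone can check who sent it, are what a digital signature plus public-key encryption provide. The Go program below is an added example, not code from the article, from PGP or from RIPEM: it uses the Go standard library's Ed25519 for signing and RSA-OAEP for encrypting to a recipient, and the `Mailbox` type, the `Demo` function and the message text are constructed for this illustration. It shows that a message altered after signing, or signed with someone else's key, fails verification, which is exactly how a recipient detects the forgery Hudson warns about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Mailbox is a hypothetical holder of one user's key pairs (an assumption of
// this example): an Ed25519 pair for signing and an RSA pair for receiving
// encrypted mail.
type Mailbox struct {
	signPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

func NewMailbox() (*Mailbox, error) {
	sp, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{signPub: sp, signPriv: sk, encPriv: ek}, nil
}

// Sign returns a detached signature over the message body.
func (m *Mailbox) Sign(body []byte) []byte { return ed25519.Sign(m.signPriv, body) }

// Verify checks a body against a signature using only the sender's public key.
func Verify(senderPub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(senderPub, body, sig)
}

// EncryptTo seals a short body so that only the holder of the recipient's RSA
// private key can read it.
func EncryptTo(recipient *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
}

// Decrypt opens a body that was encrypted to this mailbox.
func (m *Mailbox) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.encPriv, ct, nil)
}

// DemoResult records what a recipient would observe in each case.
type DemoResult struct {
	GenuineVerifies  bool // untouched body, Alice's signature
	AlteredVerifies  bool // body changed after signing
	ImpostorVerifies bool // same body signed by someone who is not Alice
	Decrypted        string
}

// Demo runs the exchange: Alice signs and encrypts a note to Bob; Bob decrypts
// it and verifies the signature; then two forgery attempts are checked.
func Demo() (DemoResult, error) {
	alice, err := NewMailbox()
	if err != nil {
		return DemoResult{}, err
	}
	bob, err := NewMailbox()
	if err != nil {
		return DemoResult{}, err
	}
	impostor, err := NewMailbox()
	if err != nil {
		return DemoResult{}, err
	}
	body := []byte("From: alice\nTo: bob\n\nMeet at the Infinite Corridor at 5pm.") // constructed
	sig := alice.Sign(body)
	ct, err := EncryptTo(&bob.encPriv.PublicKey, body)
	if err != nil {
		return DemoResult{}, err
	}
	plain, err := bob.Decrypt(ct)
	if err != nil {
		return DemoResult{}, err
	}
	altered := []byte("From: alice\nTo: bob\n\nMeet at the Infinite Corridor at 6pm.")
	return DemoResult{
		GenuineVerifies:  Verify(alice.signPub, plain, sig),
		AlteredVerifies:  Verify(alice.signPub, altered, sig),
		ImpostorVerifies: Verify(alice.signPub, body, impostor.Sign(body)),
		Decrypted:        string(plain),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v impostor=%v\n", r.GenuineVerifies, r.AlteredVerifies, r.ImpostorVerifies)
}
```

The point of the two failing cases is that verification depends on both the exact bytes and the signer's private key: knowing that a message claims to be from Alice, as a forged mail header does, gives the impostor nothing that lets Bob's check pass.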

Users should "be aware that using PGP within the United States is legally problematic due to the patents" on the encryption algorithm, Hudson said.