MITnet extends to dorms, ILGs; poses security riskBy Ifung Lu
Last year heralded in a great expansion in MIT's growing electronic network with the introduction of MITnet into undergraduate dormitories, independent living groups, and graduate dormitories.
The dormitory network has provided students with greater convenience - bringing the Internet directly into their rooms and onto their personal computers - but it has also raised security and privacy issues that Information Systems has been working to address.
With a connection to the Resnet extension of MITnet, personal computer users can access news, mail, and general information archives anywhere on the global Internet. Applications such as Techmail, Gopher, Mosaic, and Zephyr allow students to use many of the features available from the Athena Computing Environment.
"Resnet is intended to extend the network to the residences," Resnet Support Coordinator Michael L. Barrow '93 said last year. "Students will get access to files, and will be able to communicate with other students around the world."
Started in the summer of 1993 by Information Systems, the Resnet project initially connected only the off-campus independent living groups and Huntington Hall to MITnet. However, with the completion of the second phase of the project last year, Resnet provided access to the entire undergraduate population.
Graduate students received network connections after a request by the Graduate Student Council for the timely installation of network services in graduate dormitories.
Currently, Ashdown House, Edgerton House, Green Hall, and Tang Hall have been connected, and Eastgate and Westgate will be coming on-line during the next academic year.
Convenience brings problems
Security problems on a large, public network, such as the MITnet, had always been present. However, the expansion of the network into the largely uncontrolled dormitories and independent living group environment raised security concerns.
In particular, in this type of environment, users can eavesdrop on the communications of other users by "packet sniffing."
Because of the method in which information is relayed within a computer network, packet sniffing programs, which are legitimately used for network diagnostics, can be used to read data sent to and from other users, Barrow said. The security of any information that travels over the network, including files, electronic mail, and zephyrgrams, can be compromised.
"Packet sniffing is a potential problem on any of MIT's existing networks as well as virtually all networks other than those explicitly designed for secure communications," said Professor of Civil and Environmental Engineering Steven R. Lerman '72, chair of the Academic Computing Council and former director of Project Athena.
The most recent attack on the MIT network involved the unauthorized interception of over 600 usernames and passwords during a two-day period in November.
The attackers had used a custom program to capture names and passwords of users accessing remote computers, including Athena dialup machines, from any computer on a part of MITnet covering Buildings 1, 3, 5, and 7.
Users who logged into Athena workstations may not have been affected because of the security features on the Kerberos authentication system. But programs like telnet, ftp, and rlogin were susceptible to the attacks, according to Thomas J. Coppeto '89, systems programmer for the Distributed Computing and Network Services division of IS
Information Systems has taken steps to address the security issues of MITnet, said Joanne Costello, manager of network support services for DCNS.
A secure telnet program, known as Kerberized telnet, is available for Macintosh computers and Athena workstations, Costello said. This new program encrypts the user's password when it is initially sent over the network. Any data sent over such a connection is also encrypted.
In addition, MIT released a new, free version of the popular encryption program PGP (for "pretty good privacy") last May. The release cleared up confusion over use of the program, which is protected by patents held by MIT and Stanford University.
PGP allows users to produce a digital signature to authenticate e-mail and other information exchanged on the Internet. In addition, users can encrypt the information itself so that only the intended recipient can have access.
"PGP is a high-security cryptographic software application which allows people to exchange files or messages with both privacy and authentication," Costello said.