A Balancing Act? Openess and Security on Campus

• 04/01/04

MIT’s network manager and security strategist Jeff Schiller comments
about security on today’s campus networks.

Syllabus: How do you balance the demand for today’s higher levels of security with the traditional openness of the higher education computing environment?
Jeff Schiller: You’re making an assumption that openness and security are on opposite ends of the spectrum and that you have to choose between them. If you look at the security problems we have today, they’re in fact not due to the openness of the network. They’re due to the software that people run.

S: Do you mean the end-user software?
JS: Yes. I mean basically every computer connected to the Internet. Put another way, you should not depend on the network to provide protection for your computer.

S: What about the firewalls and network security software?
JS: The firewall was never an integral part of the Internet architecture. Firewalls developed because end-host software wasn’t secure. A lot of software, particularly on PCs, was designed in the days before networks. It was designed to run on personal computer hardware that was not very sophisticated when the PC first appeared. So, putting protections into end user software is difficult. Then add to that various marketing pressures…for years security was simply not a priority. When you went to vendors, Microsoft and others, and said, “You should be putting some time and effort into making sure the software is not buggy as all-get-out,” the answer was, “Well, we promised we’d ship by Friday, and you know, this is Internet time. We’ve got to get this stuff out there—nobody cares about security anyway.”

And so, with that kind of history, firewalls got developed because quite frankly, the network managers were told to “do something,” and that’s the kind of thing you can do. But don’t mistake that to mean that the only way to have a secure network is to have a network that is restricted or closed.

S: Do you really think it’s possible to design a personal computer operating system to handle the security issues that now require firewalls and other complex network security measures?
JS: Yes. You own a Macintosh. How often d'es your computer crash?

S: Very rarely.
JS: The reason it d'esn’t crash all that often is because system software developers took some time and effort to make that the case. If they would take the time and effort to make it be secure, it would be secure.

S: So what is keeping that from happening?
JS: Some people have said that the problem is we don’t have normal product liability laws with software. Now, if you buy an automobile and pieces fall off as you’re driving out of the parking lot, the onus is on the dealer to make good. If you buy a toaster and it breaks, it’s the manufacturer’s problem to fix it. But you buy software, and the license says, “We’re granting you a right to use this software, but if it d'esn’t work, or if it destroys all of your property or your career, we owe you nothing.”

S: So there are no strong warranties with software…
JS: Well, they may say, “We warrant that the CDs the software comes on are made of plastic and they won’t physically crack in the first 30 days.”

S: Right!
JS:Now, the problem is that if you decide to put liability upon software authors, you destroy open source—because those people can’t tolerate any liability. So, if I were king, I would rule that if you’re selling software then you bear a certain liability; but if you’re giving it away in open source, then you don’t.

But, I fear that the commercial interests in this game, if they felt that Congress was backing them into a situation where they would have to accept liability, my guess is they would strenuously lobby that liability applies to everything, including open source, in an attempt to kill off open source. So that’s the conundrum.

S: How would it work then, if the commercial software authors were liable and the creators of open source were not?
JS:Open source is a fundamentally different thing. With open source, if there’s a problem I can fix it as the consumer. Obviously I have to have the skills to do that, but I do have the ability—the access—to do it. With closed source I don’t. I’m literally at the mercy of the vendor to fix it.

S: But realistically, is that happening? Do all the people who are running Linux boxes have better security, or add in better security?
JS: I think Linux is much more secure than a lot of the other stuff that’s out there, because so many people look at the source code—not everyone looks at it, but enough people do, so that problems get fixed earlier, rather than later.

S: What are the major security risks in the higher education environment that network users face from viruses and worms, and, given all that you’ve just mentioned about end-user systems being weak, what are the most reasonable protections?
JS: One of the things universities have is legions of students with poorly managed computers that don’t have patches installed, and those machines are likely to be compromised by any of the worms that are running around the network right now. That’s one view of it.

Another view is the risk to administrative data. Situations vary a little bit from institution to institution, but one problem is that administrators use the same type of poorly managed PCs that the students use. If they put sensitive information on those desktops, it can be compromised. But exactly how at-risk each institution is depends a lot on how it manages data and what its various policies are.

I would also go somewhat out on a limb and say that the more sophisticated research-oriented universities are probably in deeper trouble.

S: Why would that be?
JS: Speaking as a network manager at an institution with Nobel laureates, it’s harder for me to set policy and make it stick. The more famous your faculty, the more they’re in charge. And the more the faculty can do whatever they want, the more chaotic your network’s going to be.

S:So how do you manage that—do you have a firewall?
JS: People have often asked me, “Could you firewall MIT?” And, you know, I don’t want to and I think it’s the wrong thing. Even if I wanted to, my faculty would not permit me. Or more to the point, the faculty would say, “Yes, sure,” but as soon as they couldn’t do something on the network, they’d say, “Take out the firewall” or “Put in an exception so I can do what I want to.” Firewalls that are filled with holes because somebody wants to do something quickly become useless.

S: If not a firewall, then what is your strategy?
JS: There is one good technique, and it’s the only one that’s effective. No firewall, no port blocking—none of that will work. The solution is that you must install patches.

S:Patches for each and every PC, then...
JS: If you own a PC, you must install patches. You must pay attention. And, and if you’re running a more modern version of Windows, things like automatic update can help. I’m going to give Microsoft some credit there. They’ve tried to make the installation of patches as painless as possible. But it’s still something that you have to sign up for.

I might add, by the way, firewalls don’t protect you against these worms. Because once a worm gets on the other side of the firewall, then the firewall’s useless. For example, at one point the State Department’s visa processing system got one of the worms. And you can guess there’s a big firewall between that and the Internet. In fact, I’d be willing to bet that thing is not even connected to the Internet. And yet one of the worms got through to it. Probably by somebody taking a laptop, connecting it to the public Internet, catching the worm, unplugging the laptop, coming to their office, plugging it into the secure network and boom, now the secure network has the worm.
That’s why I say firewalls are not useful.

S: What about attacks specifically directed at the network itself?
JS: Well, the only worms we’ve seen that have “hurt the network” do so by creating so much traffic that the network gets overloaded.

There have been occasional distributed denial of service attacks against network infrastructure. About a year or two ago there was an attack against several of the root servers. Since then the root, DNS servers have been hardened. They’re actually a lot harder to attack now than they were then. It’s amazing we have to learn these lessons one at a time. Now, there is a lot of attention to protecting the infrastructure of the Internet itself against attack. I’m less concerned about this than I was a year ago.

S:I wanted to ask about the state of encryption technology—the safety of data going over the network.
JS: Encryption technology, and sometimes ciphers are out there—the cipher du jour. People should either be using what’s called triple DES, the data encryption standard applied three times over in a subtle way, or AES, the Advanced Encryption Standard that NIST sponsored that has been out a few years. Encryption is not the problem. Getting it deployed into actual products is where the challenge remains, and how to do that in a way that mere mortals can handle. There are places where encryption has been so successful you don’t even know it’s there. The classic example is HTTPS on the Web.

Go to any major eCommerce site—where you enter your credit card number, that transaction is encrypted. And you don’t even have to put a lot of effort into worrying about how that’s happening. You see the little lock icon, and you’re good. So there’s an example of where encryption has been very, very successful.

S: Where could it be used more effectively?
JS: A place where it’s not been very successful, and where we could really use it in certain applications has been e-mail. There have been several attempts to try to do encrypted e-mail. The protocols are designed. There are many systems out there, but they’re just a little too hard to use for the average person, so they don’t tend to get used very much. We could really use some innovation to get encrypted e-mail up and running.

S:What would be the most needed or most useful applications of encryption on campus?
JS:Any time you’re going to send sensitive information over the network you want to encrypt it. For example, at MIT our students and their advisors can look at grades online. We made sure that they use a Web-based application with HTTPS so that we are covered with the encryption.

And in fact, a real benefit in the education space is that the more things you can offer as Web services, the easier it is to provide security.

S: So it seems like institutions that have Web-based portals could certainly take advantage of HTTPS.
JS: If the portal software supports secure connections, yes, they can. Now, there’s a subtlety here. Just because you encrypt the information going over the network d'es not mean that you can run insecure software on the servers.

Because of the widespread use of encryption on the Web, we don’t have people stealing credit card numbers by intercepting Web traffic and decrypting it, because that’s too hard. Instead, they break into the actual servers and steal thousands of credit card numbers—or lots of other data—at once.

So the important thing to remember about putting sensitive information on the Web is that you have to make sure the Web server software you’re using is secure and up to the task. I don’t want to say, “Oh, use the portal; you’re fine,” because I suspect that there’s probably a lot of portal software out there that’s not particularly secure.

S:Are there any other weaknesses to keep in mind, particularly when accessing data on the Web?
JS: This gets into engineering implementations. The devil is in the details. Let me give you an example. There’s a Web site out there—I won’t identify them—that offers survey services. You can set up surveys and revisit them to see the data collected or to edit them. But if you look closely at the actual URL in the little bar at the top of your browser, you will see some long number.

A few of us wanted to know, “Well, wonder what happens if we go into that title bar there where the URL is and just add one to that number?” And we did so, and all of a sudden we were looking
at somebody else’s survey, and seeing their answers. The devil is in the details.

S: What’s being done on campuses to protect student privacy and to comply with FERPA?
JS: Well, FERPA covers what we’re supposed to do, but it d'es not specify the level of protection you have to provide. It basically just says you’re supposed to protect student records and not willingly give them away to the wrong people. But it d'esn’t really go into what the standard is and how much protection should be offered. I’m sure the protection is different at different schools.

The biggest threat to student records is how your administration is set up. Universities are at risk if they let administrators with insecure machines download sensitive data and leave it on their hard drive. Some worm could come along and actually mail it out.

I mean, a lot of people, when you talk about security for administrative data, they’ll immediately say, “Well, you know, our registrar’s database is protected this way, that way, and the other way.” And you say, “Well, that’s all well and good, but where d'es that data go?” In fact, there’s an interesting conundrum here though it’s not as bad as the one I talked about before. This one’s about human nature.

You will have a situation where the administration will protect the data, and they’ll say, “Well, we’re going to only allow authorized representatives of the registrar’s office to get to the registrar’s data.” Kind of makes sense, right? And then a researcher comes along and says, “Well, in order to do my research, I need this much information about these students.”

And what would happen is, rather than giving the researcher access to the actual database where the data resides, someone will extract the data for the researcher and e-mail it to them on a spreadsheet. Chances are, it sits on the hard drive of the researcher and probably sits on the hard drive of the person who did the work for the researcher. So, in an attempt to restrict who can get at the data we wind up with the data getting splattered everywhere.

S: So education is a part of this?
JS: Education is a part of this, both for the people who own personal computers and work with the data and for the people running these systems. If somebody is eventually going to get the data [legitimately], maybe you would like to grant them access in the place where the data resides and simply say to them, “Don’t keep copies of this on your hard drive.”

But if they can’t get to the data themselves they’re much, much more likely to keep a copy on their hard drives, once you e-mail them a copy. Because they think it will be very hard to get another copy.

S: So who’s going to educate the users?
JS: Well, it’s a slow process. I think when a school gets burned they tend to have a lot of running around in-house and they try to figure out how it happened, and then everybody gets security-conscious for a year or so… before they go back to their old habits. One of the fundamental problems is that security is very hard. And what makes it hard is that it’s a negative deliverable. You really don’t know when you have it. You only find out belatedly when you’ve lost it.

S: So getting back to the original question about openness versus the need for high security…
JS: I don’t think it’s either-or. There’s a need for security but that d'esn’t mean we sacrifice openness to get it.

S: So would you say that you need a balance of both?
JS: Yes, you need a balance of both.

[Editor’s note: Jeff Schiller will give a keynote at the Syllabus2004 summer conference, to be held in San Francisco, July 18-22.]