networking
...st weakly guarded user account or service. [2] The third issue, which is especially important in large organizations such as HUT, is who owns and controls the equipment you use. Do you know those people and how much do you trust them? Computer administrators are required by Finnish law as well as the legislation of the EU and other areas of the world, to work ethically - but so are politicians, bank clerks and judges, too. Yet we have seen that every once in a while one of them can slip. So blind trust in unknown people is seldom likely to be a wise policy. [3] The fourth issue is akin to the third. Who else uses the computer or the network you are using? Do you know those people and how much do you trust them? Could some other user be curious about, say, your email and try to get to read those files? What about files containing next weeks exam questions? Or could someone try to copy your link list for an essay or your program code to get easier points on a home assignment? If they succeeded, could they get you in trouble? Your personal answers to these questions will naturally vary depending on what your role is at a given time and what kind of data you are handling. In my opinion, though, it would be short-sighted if you did not to consider them at all. Detailed examples of risks related to data, computer and network security are well covered in, for example, the Stoll and Garfinkel books, the Langley guide and RFC 1244. They are warmly recommendable for further study. Basic security tools, measures and mechanisms Together with "static" passwords, the file protection mechanisms in UNIX are your two most basic and best standardized security tools. That is why they are presented more in depth in this guide than the other tools. Passwords Passwords are one of the oldest security measures on multi-user computers. They can be compared with a key or a passport: an active user id (login) together with the correct password for it is enough to convince your generic UNIX computer. It will allow the person or program presenting this electronic ID to log on and use the full privileges of the user in question. [4]. When using the computers on HUTnet, you might have several "static" passwords, i.e. passwords you change yourself. These "static" passwords might include (but are by no means limted to): Your UNIX password for the CC general use computers An optional network password, if you log onto the HUTnet from home using the PPP protocol modems (numbers 6180911 and 451 4380) Your home computer password, if it has one These "static" passwords are usually relatively long-lived. For example, the HUT CC expects you to change your general purpose computers' password every six months. You should therefor choose your passwords with care. In six months time it is quite possible to crack a poor quality password, either by guessing (based on information about you personally) or by systematically going through word lists . A good password fills all the following criteria [4, 5, 6]: Is at least 8 characters long (only the first 8 are significant, but some additional ones may make the password more logical for you and hence easier to remeber) Can not be found in any dictionary or other word, name or acronym list in any language. Avoid misspelled words as well - there are several "bad spellers dictionaries". Can not be guessed on the basis of your everyday life (not your lisence number or student number, not a family member's, pet's nor a favourite actor's name or equivalent) Can not be derived from your user information (e.g. not your home directory path, not your user id number) Can not be found in any historical timeline concerning any culture (names of important places, wars, peace treaties, warlords, diplomats, ships, geniuses, artists, works of art etc.) Does not consist of numbers only Does not consist of lower case letters only Does not consist of UPPER CASE letters only Is never written down anywhere Is never the same on different systems (say, on the CC computers and on the CS department computers, e.g. Niksula) Is easy and fast for you to type, preferably without your looking at the keyboard Note that a bad password does not become noticeably better by any of the following letter or syllable replacements: 1 = i or L, 2 = Z, 3 = E, 4 = A, 5 = S, 6 = G, 0 = O, 4 = "for", 2 = "to" or "too", 8 = "ate" or "eigh" In short: use password with lower case and UPPER CASE letters and numbers mixed. You may also throw in some punctuation character(s) - but do chose them from the ones that can easily be found on most keyboard layouts, for example: , . ! # % [5]. Here are a few examples of methods which, combined with the above described letter or syllable replacements and/or some inserted numbers or punctuation marks, produce good quality passwords [4, 5, 6]: Choose a line or two from a song or poem, and use the first letter of each word Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words which are usually pronounceable, and thus easily remembered. Choose two short words from two different languages and concatenate them together with one or more punctuation characters and/or numbers between them. File and directory protection in UNIX In UNIX, unlike many personal computer operating systems, you have a home directory, a place of your own in the computers directory tree (often called "file system"). This is the place where you end up when you log on to the computer and where all your files and subdirectories are stored, unless you explicitly tell the computer to do otherwise. To see what you have under your home directory, type the command "ls -la" in one of the CC UNIX computers (alpha, beta, gamma, delta, vipu, oboe, kantele, setri, kastanja, safiiri or other). The output should resemble this: gamma ~ 14 % ls -la total ... drwx------ 23 yourid users 8192 Nov 4 21:58 . drwxr-xr-x 141 root users 8192 Oct 13 11:05 .. -rwx------ 1 yourid users 1814 Sep 18 17:44 .cshrc -rw------- 1 yourid users 3043 Nov 4 21:44 .history -rwx------ 1 yourid users 351 Mar 23 1993 .login drwx------ 2 yourid users 8192 Oct 31 15:56 .netscape -rw-r--r-- 1 yourid users 10351 Oct 20 15:18 .pinerc -rw-r--r-- 1 yourid users 1073 Sep 18 18:01 .plan drwx------ 38 yourid users 8192 Nov 3 16:08 mail drwx------ 2 yourid users 8192 Sep 10 16:03 News drwxr-xr-x 11 yourid users 8192 Oct 23 20:09 public_html -rw------- 1 yourid users 21167 Sep 12 1996 topi.log gamma ~ 15 % where "yourid" is your user name (your login). The name of the file or directory is always the last "word" on a line. The first 10 characters on each line of output (for example: "drwxr-xr-x") tell you each file's or subdirectory's mode. The first of these 10 characters tells you whether the object is a directory "d" or a file "-". The next 9 characters are actually three groups of three characters each (rwx) which tell the rights different users of the computer have to that file or directory. The characters from second to fourth report what rights you have yourself. The next three are related to the group (in the example above "users") and the last three describe what "others" (not you nor your group) may do with that file or directory. Within these groups of three: r means the right to Read the file or list the contents of a directory w means the right to Write the file or change the contents of a directory by e.g. adding or deleting files in it x means the right to execute the file (necessary for files that contain programs you want to use) or move into a directory with the "cd dir" command, where "dir" is the directory name So, in the example above, as the rights on the first line are "drwx------", only the user in question may look into her/his home directory. Nobody else may do anything within this user's home directory. (The current directory is called "." ). In this case, however, this seems rather counterproductive, because the user in this example appears to have intended some material to be world-readable. Yet they cannot be seen if the home directory is "closed". The file ".plan" has the mode "-rw-r--r--", meaning that the user may read and write it and both the group members and others may read it (but not write). The subdirectory "public_html" has the mode "drwxr-xr-x" meaning that everybody (user, group and others) may read the contents and even the contents of the sub-subdirectories under "public_html", if there are any, but the user is the only one who may write (change) the directory. To change the mode of a file or directory, one uses the command "chmod". The "chmod" command takes as its first argument a three-part character combination, where the first character is one of four letters: u, g, o or a (for "user", "group", "other" or "all", respectively), the next is either + (to add rights) or - (to limit rights) and the last is one of the mode characters, r, w or x. As its second argument "chmod" needs the name of the file(s) or directory/ies to change the mode of. For example, if this user wants her/his .plan file to show, when other's use the "finger" command on her/him or wishes to have a home page on WWW, (s)he should alter her/his home directory mode. The command would be "chmod a+x ~", adding the right to execute (access) the home directory ("~" for shorters) for all. On the other hand, after making that change, (s)he may feel that it is unn...