Dick Admins
Throughout my graduate studies, I built my PhD work on the backbone of a thoughtfully designed computer infrastructure. I synchronized files across multiple machines using rsync, utilized proprietary software (MATLAB) from home via X forwarding, and also made use of CMU’s subnet to access protected resources, like online journals, on the web via a SOCKS proxy (that’s what it’s called- honest).
All of these were made possible by ssh (which stands for Secure SHell), one of the classic and certainly one of the most secure network communication programs in existence. SSH gives me access to a machine that is nearly equivalent to actually sitting at the keyboard, uses strong point-to-point encryption and allows me to transfer files and send data from other programs through secure “tunnels”. Fortunately for me (at the time), I was at CMU, which has a remarkably enlightened network administration policy that advances productivity and creativity on the users’ terms, while using sophisticated monitoring to detect and block irregular or inappropriate access.
At the time, I found CMU’s network admins to be a nuisance, but they were blessedly reasonable in comparison to the folks at UCSB. Computing here is hamhanded and kludgey, and services are bare-minimum (not to mention entirely Microsoft-oriented). The standard answer to questions is “No.” And they make the colossal mistake that is so familiar in the IT-infrastructure world: they forget that the point of network security is not only to secure the network, but to secure the activities of the network’s users. It would be a bonus for them to consider facilitating productivity over simple enforcement.
As a consequence, they make positively bizarre policies. For example: They don’t let you choose or change your password. They assign you an 8-character “cryptographically secure” password that you can write on a sticky note and place on your monitor. THEN, they don’t provide secure email access– so every person who checks email over the free wireless network at a conference sends his cryptographically secure password in plaintext over IMAP. They don’t seem to support AT ALL sending mail from remote– their SMTP server doesn’t listen to me when I’m outside the network, anyway.
The only reason I’m writing about them is because they just shut off the one secure service they once provided, which was SSH, even if it was to an 11-year-old box running Solaris. Now I have no access to work content (“Use Dropbox,” said the admin when I asked– I guess outsourcing to a private company is preferable to running a daemon).
Of course, before I asked, I had to give my own demonstration of hamhandedness, so I tried to find computers running sshd on port 22 on the Bren School network (128.111.110/23) using nmap. I am not a hax0r so my use of nmap, say, lacks finesse. Now it seems I’ve angered the Intrusion Detection System and ALL traffic from my home IP address (which is static) is filtered completely. I can’t even see the Bren webpage from home (nor my home webpage from work), much less check my email. And, since I can’t access the Bren SMTP server I can’t send email TO anyone at work from home, which means I have to work from the office all the time and go “off grid” when I come home at night. It’s now been 36 hours since my nmap attempt and still nothing. For all I know, their automated IDS firewall permanently blocks IP addresses, which seems unduly punitive for a false positive but- that’s the breaks.
So now I have to wander in, tail between my legs, and ask them to remove the IP address from the filter, sit through a lecture about how much of an asshole I am to try to use network infrastructure in a sophisticated way, and probably wait 7 to 10 days for them to “get to it.”