Reading Rudenstine's Email

Right now, I'm reading your electronic mail. I have no idea who you are, but you made a mistake. All it takes is one mistake for those thoughts and secrets you held most dear to be distributed to anyone I choose. Your mistake? You left your terminal for only a second in the Science Center basement. Or you were accidentally disconnected over a dialup connection. Or I ripped your password off.

The first rule of computer security is that there isn't any. The only way to keep a computer safe is to unplug the phone line, unplug the network connection, never use diskettes and to prohibit anyone from using it. A windowless room and a handful of deadbolt locks comes in handy, too.

Anything less is an invitation to disaster. The scenario I described happens all too often with the Harvard Arts and Sciences Computer Services (HASCS) computers, the only ones most of us will see during our residence. I have seen more than one practical joke played on the unwary--ranging from replacing the greeting "husc8%" with "Hi [expletive]!" to fake email.

All of which were harmless. I have yet to encounter a truly malicious abuse. But just because I haven't heard of it doesn't mean it isn't happening.

We are very lucky. The relative indifference shown by the University towards computing (as evidenced by the resources they provide) makes targets scarce here at Harvard. We have neither the tradition of hacking nor the proper demographics to have the problems of the technical school down the river.

It seems hackers have been with us since the dawn of computing. "Hacker" used to be a term of respect. Now it is portrayed by the media as the title of a nefarious criminal.

Hacking was popularized in the movie "War Games." It took a young high school student nothing more tan a 300-baud modem and a computer less powerful than some calculators to bring the would to the brink of nuclear war. Prior to this he had changed his grades form borderline passing to honor roll. This was an exploit everyone could relate to.

The motivation behind backing varies. The most malicious is that done by disgruntled employees. They have nothing to lose and knows and system intimately. The most common is the young make (female backers are few and car between). With a few hundred dollars of equipment, the world is at his fingertips.

Most of these young hackers are explorers. They believe strongly in freedom of information. Everything should be known by everyone--or at least by those few both skillful and determined enough to root it out.

Their illegal activities begin small. Stealing free phone service is a favorite so they can call "bulletin boards" across the country and converse with other hackers without their parents' illegal copies of software priced far beyond the means of an adolescent on these board either.

The phone company doesn't play around. The annual cost of pirated long distance is measured in the billions. Getting caught means jail time and a nasty fine. "Philes" on bulletin boards describe everything from breaking into phone switches to hooking up electronic video games to the phone line in order to destroy phone company computers trying to trace the hacker.

The holes here at Harvard are gaping. The five-digit access codes used by the Harvard University Student Telephone Office ensure a working one will be found in ten to 20 tries. While abuse is heavily prosecuted and the extensions are recorded, a quick survey of the wiring beneath my dorm showed that switching my phone line with my proctor's would be cake.

The computer system is even worse. A backdoor into the mail system allows even the most inept hacker to masquerade as President Rudenstine when sending electronic Mail. This means that any email receiyed could be real or it could be a blatant forgery-and the recipient has absolutely no way of knowing.

Other tidbits acquired in less than a year are how to acquire unlimited storage space, an easy method of stealing passwords and how to noxious thing to anyone using a graphics terminal.

Complete power over every file and every user is held by anyone with the root password. My friends at MIT deem Harvard's security too pathetic to be worth a challenge.

I would think they were bluffing if it weren't for the fact that one had "become root" (for just long enough to flaunt it to the director of computing) on MIT's Athena. Unlike our own wimpy system, Athena is one of the most powerful university networks in the world--and one of the best defended.

Our problems will increase exponentially with the network that will be in place when the first-year students arrive next fall. One of the basic tenets of networking is physical security.

It's impossible to monitor data traffic if you can't reach the cable or if the network will crash you break the cable. As it is, any enterprising reporter for The Crimson with a $3000 protocol-analyzer could read everything going in or out of anyone's networked computer.

Companies advertising the TEMPEST shielding used by the Defense Department used to do demonstrations in which they would pull sensitive information without difficulty from the cabling of conventional networks.

While there was a certain degree of chicanery in the demo, improvements in technology have turned that magic into fact for collegiate hackers, too.

With the new data network, the administration will want to move a large part of university business onto electronic mail.

This is misguided. It is blatantly illegal and difficult to break into normal mail. It is child's play to break into electronic mail.

In addition, the network will be the perfect target for hackers. An attack on South Podunk U. is shrugged off by the media--a successful peek at Harvard's internecine feuding would make The New York Times.

The network will give us tremendous power and flexibility but at the price of privacy and reliability, My advice is not to put anything on it that you wouldn't mind seeing on the front page of tomorrow's Crimson.

John E. Stafford, a contributing editor, would like you to know that neither he nor The Crimson would ever do such a thing.