Security FAQ (Frequently Asked Questions)
Why did you post this document?
We hope that through this page both students and faculty of the CS department can learn about how to protect themselves on the CS department network.
Why should I be interested in security?
Your information and privacy can be protected by following a few simple steps. We hope that everyone can become aware of how to do this, so keep reading.
How secure is the CS department network?
Right now we have many security measures implemented. We have firewalls installed to block traffic from the outside, logging, and many other security systems. Nevertheless, the system is only as secure as the users make it. We have installed many programs that can help us, so on these pages we will show how you can use these to help secure your privacy and information.
What is Remote Access, and Why Make It Encrypted?
There are two types of operations that you would perform on your CS Department account from a remote machine (like your PC at home): executing commands on the remote machine (telnet does this), and copying files from the remote machine to your local machine (ftp does this). Not all programs perform both of these functions, so you should be aware of the difference. You should also understand that programs like telnet, rlogin, and ftp do not encrypt your password or the data transferred. This means that anyone sniffing the network can see everything you type, download, or upload, and can take that information and use it. It is especially dangerous if they take your password, use it to log onto the CS network, and then use our machines to perform other illegal activities. You then get blamed for their crimes. This is why you need to use an encrypted login. All the machines in the CS Department support secure logins (SSH), so it should always be used. Telnet is supported only for connecting to an outside computer that does not use SSH, and that is risky business. Here is a general overview of some popular programs for secure remote logins.
What are RSA Keys, and Why Does my SSH Program Ask Me About Them?
RSA keys are used to encrypt and decrypt a communication. When you SSH, SCP, or SFTP into a computer, the remote computer gives you a copy of its public RSA key so that you can encrypt the data you are sending to that machine. Using its private key, only that machine can decrypt the information you send. RSA keys can also be used to identify a machine and make sure that the machine you are logging into really is the one you expect. The first time you log into a machine you will store a copy of the public key, and each successive time you log in, the key you receive will be compared with your stored key for that machine. If the key changes, that means one of two things: the machine changed its key while it was being upgraded, or someone is pretending to be that machine to get you to send them your information. Your SSH program will alert you to this situation.
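The stored-key comparison described above, as an added Python example (not the department's or OpenSSH's own code). The host name, key blobs and function names are constructed for illustration, and only plain `host type key` lines are handled, not hashed entries.

```python
import base64
import hashlib

# Constructed sample data: placeholder blobs, not real RSA keys.
HOST = "labhost.cs.byu.edu"  # hypothetical machine name
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
KNOWN_HOSTS = f"# constructed known_hosts file\n{HOST} ssh-rsa {KEY_A}\n"


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map each host name to its stored (key type, key blob) pair."""
    store = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, and marker/hashed entries not handled here.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            store[host] = (fields[1], fields[2])
    return store


def check_host_key(store, host, key_type, blob_b64):
    """Compare the key a server presents with the stored copy."""
    if host not in store:
        store[host] = (key_type, blob_b64)  # first login: remember the key
        return "new"
    if store[host] == (key_type, blob_b64):
        return "match"
    return "changed"  # upgrade or impersonation: stored key is left untouched


if __name__ == "__main__":
    store = parse_known_hosts(KNOWN_HOSTS)
    for presented in (KEY_A, KEY_B):
        status = check_host_key(store, HOST, "ssh-rsa", presented)
        print(HOST, status, fingerprint(presented))
```

When the result is "changed", compare the printed fingerprint with one obtained from the machine's administrator before accepting the new key.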
What Computer Do I Log Into for Access to My Student Account?
To access your CS Department Student Account you can log into any Linux machine in the open access labs. To do this remotely, simply list the machine's name (you get it from the white sticker attached to the computer in the labs) and its address as the hostname in your SSH client. The address of a department computer is its name followed by .cs.byu.edu. Please note that it does not matter which machine you log in to when getting access to your files; every machine that is remotely accessible will allow you access to your home directory.
Are the programs ''telnet'', ''ftp'', and ''rlogin'' safe to use?
Answer: '''No'''. These programs send passwords as cleartext (no encryption used), so anyone with a sniffing program can see them as you type. We will be disabling the use of these insecure clients within the coming semester (Winter '04), so please make changes now. It is better to use programs such as ''ssh'' (secure shell) to do remote logins, and programs such as ''scp'' (secure copy) and ''sftp'' (secure ftp) for file transfers. All of these use encryption so third parties can't read the information that is being sent.
What happens if I am caught breaking into computer systems, viewing pornography, or using CS computers for some other illegal activity?
The least that will happen is that you will not be able to register for CS classes for one year and your account will be disabled during that time. You will be reported to the proper authorities at BYU and, if necessary, to civil authorities as well. As a warning, there are currently systems in place that check for users visiting and viewing sites that contain pornographic material.
Password Tips
Poorly chosen passwords are a big vulnerability for any system. To encourage our users to select good passwords, the CS Department has implemented a password checker that will compare passwords against a dictionary and disallow obviously insecure passwords. Some of the following techniques can help you come up with a good password.
First of all, a password is yours. '''Don't give your password to anyone.'''
Change your password frequently.
Use different passwords for different systems.
Choose passwords that are hard to guess and are not found in dictionaries. Remember you can have any combination of upper and lowercase letters, numbers, and characters (ex: $#!-+). Use them. Here are a few examples:
- If your dog's name is Snoopy, don't use "snoopy" as a password. Try something like "$n00pY" (those are zeros). Passwords like this are harder to guess and much harder for password cracking programs to figure out.
- Use acronyms such as "Tiahptg" (This Is A Hard Password To Guess).
- Longer passwords are better. It's better to have "L0ngPa$$" than "Pa$$". Right now, depending on the system, password lengths can vary, but an 8-character limit is normal. In the near future longer password lengths will be possible.
Avoid obvious passwords like your name, your username, a family member's name, your age, your Social Security Number, anything related to BYU or Utah, or any other word that can be quickly and easily linked to you.
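One way to implement the dictionary comparison described above, together with the rule against words linked to you, as an added example in Python. This is not the department's checker; the word list, the user jdoe and the function name are constructed for illustration.

```python
# Constructed sample data; a real checker would load a full word list.
DICTIONARY = {"snoopy", "password", "dragon", "welcome"}
LINKED_TERMS = {"jdoe", "jane", "byu", "utah"}  # hypothetical user jdoe


def check_password(password, dictionary=DICTIONARY, linked=LINKED_TERMS):
    """Return the reasons to reject a password; an empty list means accept."""
    lowered = password.lower()  # "Snoopy" and "SNOOPY" are the same guess
    reasons = []
    for word in sorted(dictionary):
        # Catch the word on its own, embedded in a longer string, or reversed.
        if word in lowered:
            reasons.append(f"contains dictionary word '{word}'")
        elif word[::-1] in lowered:
            reasons.append(f"contains reversed dictionary word '{word}'")
    for term in sorted(linked):
        # Name, username, school and state are the first things tried.
        if term in lowered:
            reasons.append(f"contains term linked to you '{term}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("snoopy", "ypoonS", "Jane2004", "GoBYU!", "$n00pY"):
        print(candidate, check_password(candidate) or "accepted")
```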
Remote Network Operations
What to use
To use and access the network remotely you will need to use ssh, sftp, or scp.
Remote Mounting Your Home Directory
If you are familiar with Linux, you can mount your CS Department home directory on your remote machine. These commands should work, but we advise you not to use them without reading the man pages to see how they work. We take no responsibility for any negative effects caused by these commands:
ssh -N -f -L <port-number>:ranger.cs.byu.edu:139 <open-lab-linux>
smbmount //samba/<username> <mount-point> -o port=<port-number>,ip=127.0.0.1
Where:
- <port-number> is a random port number above 1024
- <open-lab-linux> is the name of an open lab Linux machine
- <username> is your username
- <mount-point> is the directory you want to mount it as
Be aware that many systems do not have smbmount or smbumount installed setuid root. You may want to make them setuid root (chmod u+s /usr/sbin/{smbmount,smbumount}) or run these commands as root. If you run them as root, you will need to add a user=<username> option, where <username> is your CS username.
You should now be able to access your CS account files in that directory. Over the network, this may be slow.
To unmount the directory when done:
smbumount <mount-point>
List of Accessible Computers
You can get a current list of the accessible CS Department computers in the Accessing Lab Machines Remotely document.