LUGOD: Linux Users' Group of Davis
 
Page last updated:
2002 Oct 03 10:44

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] ucsb outlaws win2k and NT 4.0 from its resnet



On Thu, Oct 03, 2002 at 12:34:46AM -0700, Rick Moen wrote:
> Quoting Peter Jay Salzman (p@dirac.org):
> 
> [Explanation from harried UCSB admin quoted.]
> 
> That's still dumb.  Here's the properly BOFHish solution:
> 
> 1.  Whenever you detect that a student's machine has gone zombified or
> is otherwise behaving in an aggressively antisocial manner, shut off 
> its port.  Wait for the owner to call or drop by.

This is policy at many universities. It is a good idea. I voted for it
in a security meeting, and it passed for policy at my uni too. It is
heavy handed - yes, but makes for a less congested network, and offers
better security - especially when you have firewall rules to stop
certain kinds of traffic from the outside, but nothing from the inside.

> 2.  Inform the owner that he (not the university) has a problem, and 
> show him the log excerpts that prove it.  Tell him he's welcome to come
> back when he feels he no longer has that problem, to get his port
> re-enabled.  At that time, he'll have to put up a $100 deposit,
> refundable at the end of the school year if there are no recurrences,
> and only then will the port be re-enabled.

AFAIK, we don't charge money. Though this would be very effective, you
would be amazed at how many different departments have to be "on-board"
before money can exchange hands at a state university, *and* it is very
likely that you (personally, or your department) won't even be able to
keep the money, as it will go to build new housing, or parking lots, or
help pay for a new building. If you are lucky, it could pay for
networking/telecommunications infrastructure, but collected money often 
does not stay to help the place it was collected.

> 3.  When the student professes lack of accountability because he's 
> hapless (or any equivalent excuse), tell him you're confident he'll
> find some effective way to compensate for his inability to run a secure
> system, because otherwise he's going to be $100 poorer and get the port
> disabled again.  Which of course he can re-enable a second time upon 
> posting a replacement $100 deposit.  Lather, rinse, repeat.

Here, I would go one step further in the line of the BOFH, and have a
function that is linear at least, or exponential at best.
Say, "Deposit=$100(incident)" or "Deposit=$10^(incident)"
Do you know how much bandwidth many of the DDoS use? How about the
latest SSL worm? This impacts everyone. The cost of the used bandwidth
is often far greater than $100. If you include the cost of HR to
diagnose, troubleshoot and actually make the change, it is even higher.
Passing on the cost to "fix" the problem would be easily above $100 for
each incident. Depending upon the work, it could easily exceed $1000.

> 4.  At the end of the school year, the sysadmins may well have beaucoup 
> beer money.  And being a security problem will have become an expensive
> mistake.  You win, and Papa Darwin wins.

Working at a university, I can say that too many people would disagree
with this. However, this procedure listed above could be *very*
effective at a university - the very place where people would strongly
disagree with using it. If the network were permitted to be less stable,
then the call for a fix would be better received. (Along the lines of
allowing terrorists to blow stuff up pushes Americans to be quite happy
to go to war and go blow the enemy's stuff up - not saying this is what 
really happened, but that it would be very effective if it were done.)

(Certainly, my prowess at *getting jokes* is often not up to par, so
your #4 comment could entirely be a joke, in which case this part of my
response would seem rather silly. :-)

At universities, there is often a duality of contradiction:

1) An image is put forward to "embrace new ideas and not be
judgemental."

2) New ideas and thoughts on doing things differently are almost always
disliked by over 50% of the people who are judgemental and have
pre-fabricated opinions and prejudice on the suggested change. The
people complaining the most are often the ones who have to do the work
or receive the blunt end of the change.

-ME

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox


