Configuring your own Computer
A few notes for those connecting computers to TCM's network (or other Cambridge networks) and not employing a CO to do the difficult bits for them. These notes do not stand on their own, and should be read with other documents such as the relevant connection rules (e.g. TCM's connection rules).
Computers are nowadays much cheaper than a few years ago, network connections much easier to obtain, and Windows / Linux much easier to install and configure. And that is the Bad News. Yes, the Bad News.
The Problem
Although debates about how warped one's mind must be before one becomes a virus writer or hacker are interesting, in the Real World hackers and virus writers exist. One must therefore limit the damage such people can readily do, in the hope that they will find softer targets elsewhere.
Currently malicious people scan TCM looking for potential weaknesses about once every two hours. Several times a week an attempt to exploit a potential weakness is made. A gratuitously insecure machine is unlikely to survive a whole day connected to the CUDN before it is hacked, and very unlikely to survive a week.
Viruses come in at least as frequently, and it is important to avoid sending them out again...
The Potential Impact
Dealing with a hacked machine is (relatively) easy. After any analysis that the UCS and others may want, one simply wipes the disks of all data, reinstalls the operating system and applications, restores one's files from the last backup which provably predates the hack, and, of course, removes whatever vulnerability was used to hack the machine in the first place. A mere couple of days' work for a single machine, and several weeks' work for a more extended network. Mind-numbingly boring too.
As machines in Cambridge tend to be more trusted by other machines in Cambridge than external machines, once one machine falls, others may fall rapidly due to attacks from it. Thus an insecure laptop may be the route into a chain causing many tens of thousands of pounds worth of downtime and inconvenience. This may upset your colleagues.
Viruses need similar treatment, and can be similarly expensive.
If one is spectacularly unlucky, one's hacked laptop is used to launch attacks on US military computers. This can be hard to explain.
The Advice: UNIX
According to some slightly old pages on the UCS WWW server, `So you want to run a secure Unix system, do you?', which starts `This document is just to get you started; it is not exhaustive', the time investment involved is: "Spend at least a fortnight getting familiar with your system. Understand what the files and commands really do. This will take a huge chunk out of your research time, but that's too bad; it's the price you have to pay for the convenience of a system on the Internet."
and
"Expect to spend two to three hours every week looking after your machine."
One could argue that this over-estimates the time involved in securing a single-user UNIX machine (though not a multi-user one!). However, to argue thus one must ensure the machine is fairly securely configured:
- Does it need to offer any services to the world?
- Does it need to offer any services to anyone else?
Of course, do check your machine occasionally: I have often found services running I had intended to turn off, and failed (or a patch kit had helpfully turned back on).
The Advice: Windows
With Windows, viruses are a much greater issue than under UNIX, and IIS (the default WWW server) is a complete disaster: don't use it. One should remember that viruses can be caught from infected WWW sites as well as from emails.
Do run a virus scanner. The Computing Service allows downloads of a scanner which is free for personal use within this University and at home. Do keep the virus scanner up-to-date, either manually, or, better, automatically. (This scanner is also available for MacOS).
The Advice: General
You must read the relevant fora for security information for the system you are running, and you will need to patch the thing (un)fairly frequently. Windows has an automatic update system, as do most Linux distributions, and there are various other resources such as the ucam.comp.security.announce newsgroup (all OSes), the BugTraq email list (all OSes), and the list of recent Windows patches which the UCS maintains; many other resources exist. Beware of automatic update services which fail to cover all your installed software (many Windows update services fail to cover MS Office, and third-party software is most unlikely to be covered by your OS's main update service). Be aware too that some updates require a reboot in order to take effect. You may wish to think about how to schedule these.
You should check these sources more than once a week: a serious new hack or virus can spread a long way in a couple of days. If you don't know how to read newsgroups, are you sure you should be running your own computer attached to the network? Indeed, you should be familiar with the differences between server-side and client-side authentication, plain-text and encrypted protocols, and, for UNIX people, privileged and unprivileged ports. But that is all learnt in about two hours, a small fraction of the two weeks that the CS believes you will need to spend.
Once the OS's manufacturer no longer releases security patches for an OS, running it safely becomes (much) harder. Ancient versions of Windows, Linux (especially RedHat, but including SuSE), Irix and the rest do need upgrading.
Common Sense
If a man in a dirty raincoat and a thick accent accosted you in Market Square, pulled a disk from an inside pocket, and said "Pssst. Put a load of this on your computer at work" most people would refuse. If an email full of forged headers turns up reading "Click here to download and install this excellent piece of high-quality free software" many happily do so. I have never understood why.
(If the email claims to be from someone whom you trust, you do check the headers for obvious forgery, or ask yourself whether you were expecting the software, don't you? Microsoft does not send out unsolicited patches, though a recent virus did in its name.)
Private Addresses / Firewalls
You may well be given a 'private' IP address (one which permits connection only to other machines within the institution), or your computer may be firewalled by your institution. Indeed, at present, the University does do some basic port blocking automatically. Although such measures do improve security, they are no substitute for keeping the machine intrinsically secure, and they do not imply that the person running the firewall has taken over all (or any!) responsibility for your machine's security.
Passwordless Accounts
These are a very bad idea. Just because you never try to log into your computer remotely does not mean that you have disabled all the mechanisms for doing so. If you haven't, someone will try and succeed easily. Even if you have, you need to remember never to do anything which causes them to be re-enabled. (I am told that running Windows safely with passwordless accounts is almost impossible. Certainly a good number of machines get hacked via this trivial route.)
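A way to audit a UNIX machine for such accounts, as an added example (not part of the original notes): it assumes the standard passwd(5) and shadow(5) file formats, which the notes above do not specify, and runs on constructed sample data. An empty password field means the account accepts a login with no password; a field of `*` or one starting with `!` means password login is locked.

```python
# Constructed samples in passwd(5) and shadow(5) format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
legacy::1002:1002:Old account:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def password_fields(passwd_text, shadow_text):
    """Map each account name to its effective password field."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    result = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue                      # malformed or blank line
        name, field = parts[0], parts[1]
        # "x" in passwd means the real field lives in the shadow file; an
        # account with no shadow entry is treated here as locked ("*").
        result[name] = shadow.get(name, "*") if field == "x" else field
    return result


def passwordless_accounts(passwd_text, shadow_text):
    """Return sorted account names whose effective password field is empty."""
    fields = password_fields(passwd_text, shadow_text)
    return sorted(name for name, field in fields.items() if field == "")


if __name__ == "__main__":
    for name in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"account with empty password: {name}")
```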
The Bottom Line
Your computer was not designed to be connected to a hostile network. By doing so you are using it in a manner for which it was not designed. There is nothing wrong in this, except that it is your responsibility to understand in some detail what you are doing. For researchers in TCM, you are all numerate scientists, and the excuse 'I can't get my head around computers' is likely to raise questions about whether you can cope with intellectually similar areas, such as Mathematics and Physics...
If your computer causes trouble, it will be disconnected. Possibly permanently. If its owner is the greater source of trouble, he too can be suspended, possibly permanently.
The purpose of this document was to remind you that a computer on a public network needs proper servicing, just as a car driven on a public road does. There is no absolute requirement to involve oneself in the hassle and expense of car ownership, or of dealing with computers on public networks. However, some enjoy the experience, and it would seem unfair to stop them, whilst they act safely.
MJR, as you will have guessed from the style.