Paranoid or...justified?
I'm gonna let you in on a little secret.
This is a story that almost didn't happen. This is a story that was supposed to scare the hell out of you--a story that was supposed to bring down The Man, The Machine and every cog in The System. A story that was gonna send you scrambling to call the Office of Information Technology if your hand could stop shaking long enough to hold the phone.
There was just one problem: Duke security--for email, the DukeCard, filesharing--is good. Real good. The tech administration is not Big Brother; rather, privacy has emerged as the watchword, the alpha and the omega of computing at Duke. But that's what makes the rest of it all so scary.
Read what's here. Then call me paranoid. Or slighted. Call me bitter. Or justified. It's your pick. But just read.
Everything in this piece is public knowledge--except that the public doesn't know it. Like that your NetID, along with everyone else's at the University, is listed in a 162-page database on an MIT website straight out of The X-Files. Or that a lone hacker brought BlackBoard Inc.--maker of the DukeCard--to its knees after taking down the Georgia Tech equivalent with a makeshift screwdriver. And what about how 14 recording industry groups have already scanned the shared folders on your hard drive?
There's no smoking gun here. No scathing manifestoes, no underground labs. (Don't mind those servers in the East Campus tunnels.) No wire-tapping, no bullet-dodging. All there is to offer is the truth.
MIT has you
It's freaky what you can do in eight characters.
Eight characters drawn from the 94 printable ASCII characters means 6,095,689,385,410,816 different combinations, says OIT. Eight characters means 193.16 years for a program trying one million combinations a second to work through every one of them. That figure is a brute-force worst case, though: it assumes the attacker has to guess online, one try at a time, with no better idea than to start at the beginning. Anyone who gets hold of the password hashes can test guesses offline far faster, and cracking tools try dictionary words and common patterns first, so most real passwords fall long before the keyspace runs out.
Eight characters is all it takes to define every single assistant professor of economics, fifth-year English graduate student, Chick-fil-A clerk, GG1 housekeeper, first-year neurobiology research associate, secretary to the provost, West-Central-East bus driver, Wallace Wade security guard and awkward freshman.
And those eight characters mean that MIT has you, in NetID form. Just take a look at the website:
http://lost-contact.mit.edu/afs/net.mit.edu/project/afs32/acpub/backup/mailshare/userdb.111302
It's all part of a little piece of handiwork called the Andrew File System. OIT doublespeak provides one explanation: "AFS, or the Andrew File System, is a secure, cross-platform, network-based, distributed file system that enables computers running the AFS client to share access to files and data stored on AFS server machines across a local-area or wide-area network," reads the site. "Your acpub account includes storage space on Duke servers for your personal files. AFS gives you access to these files from the computer labs or any other computer connected to DukeNet." The MIT listing is legal, of course--even encouraged. "One of the interesting features of AFS is that it's possible to access public information at another site," says Chris Cramer, information technology security officer. "So, for example, if there's public information on an MIT AFS server, it'd be possible to get access through Duke. A couple of years ago, MIT made a web interface to AFS.... The only reason I can imagine [the NetIDs] would be there is if it's considered not [confidential]."
Maybe. But you've got to wonder who exactly is profiting from the MIT site--someone who wants a full directory to send out spam? Meanwhile, the only other ways to find a NetID--the Duke database search and the print version of the phonebook--are not available to anyone outside the Duke community.
NetID, anyone?
"Duke Directory Server Gateway" reads the website's title, but this probably wasn't the sort of portal they had in mind.
https://directory.duke.edu/dsgw/bin/search?context=dsgw
Type in a NetID--or a name--and up pops a screen of data. Some of it's run-of-the-mill online phonebook data--first and last name, mailing address, phone number. Some of it isn't.
For students, there's a box called "directory key," listing a unique 32-digit code, divided into five hyphenated sections--an alphanumeric combination that maps out an identity's position in Duke's Lightweight Directory Access Protocol, says OIT. For medical center personnel, there's a DEMPOID, or Duke Electronic Mail Post Office Identification.
The real kicker, though, is the UniqueID. For everyone except students (the Family Education Rights and Privacy Act prohibits matriculated individuals' listings), it's public information and appears, listed as DukeID, right next to the directory key. Skeptical? Go look up Coach K--it's 0113655 (his NetID, appropriately, is "allkays"). Dean Sue's is 0027858; L-Mo's is 0281423.
A number printed in a public directory is an identifier, not a secret, and on its own access to another person's UniqueID shouldn't let you do anything--but The System treats it as both: Faculty and staff need nothing more than name and UniqueID to change their directory listing. Take a look at http://www.oit.duke.edu/phonebook/opdfacstaff.html.
That's a blank check for meddlers: A malicious user might put Nan's (0115198) office in Cambridge, Mass., change Tallman Trask's (0116830) mailing address to the Bryan Center walkway, or link Bruce Jentleson (0230556) to the Psychic Friends Network hotline.
Lost your DukeCard? You guessed it--the UniqueID is the very piece of identification the DukeCard office is most likely to ask for, says Matthew Drummond, senior manager of information technology. That means it's gonna be only too easy for some troublemaker to call the DukeCard office and, putting on his best James Bonk (0114075), get his professor's card deactivated in time for that Chem 83 final.
They're watching you
The administration can look at any email it wants, any time, for any reason.
It just hasn't ever happened--yet. "God, no!" Cramer shouts at the suggestion that it's a common occurrence. "I would quit before I said that seemed reasonable.... What it amounts to is, as a private institution, we have the legal right to look at any information on the network. But no one wants to live in that environment--it would be unpleasant if we wanted to look at staff email."
Every email you send and receive goes onto a 4-inch-by-1-inch cassette cartridge as part of OIT's server backups. The tapes get overwritten after graduation; there's no specified retention period, but the time until deletion is a matter of months, Cramer says. But OIT doesn't look--honest. Even when all the tapes were subpoenaed as part of a lawsuit tangentially involving Duke, OIT reps said restoring them would take so many hours and so many thousands of dollars that it wasn't feasible.
That doesn't mean others aren't trying. About once every four months, Cramer says, someone demands OIT provide a user's clickstream--the logged path of websites he or she has accessed. It's usually an employer trying to spy on an employee suspected of not doing work, and, fortunately, OIT hasn't once complied. Only an order from "one or more senior officers" can force data disclosure. "It just seems so evil to me," Cramer says.
A rogue FBI agent, Cramer recalls, once came even closer to getting in. The agent demanded over the phone that Duke provide the name of an individual based on the user's email address. The reason? Never ascertained. When OIT responded that it would not comply without a subpoena and search warrant, the agent hung up and never called again.
But while the University pledges to keep its nose out of your hard drive, the recording industry and other copyright watchdogs haven't been quite so trusting: A number of groups constantly scan shared folders at Duke and other schools in relentless pursuit of illicit .mp3s and movies. If they find anything, they don't tell you--just OIT.
Over 14 organizations--Universal, the Motion Picture Association of America, the Recording Industry Association of America, Paramount, and the like--have sent 408 e-mails as of early November to Cramer, notifying him of student copyright infringements. Two or three per day pop up in his mailbox. OIT doesn't explicitly forbid peer-to-peer file sharing--Cramer points out there are plenty of legitimate uses--but has opted instead for an Acceptable Use policy that requests universal compliance with national and state law.
"There's a distinct possibility we'll get a subpoena from the RIAA," Cramer warns. Until then, Cramer continues to simply forward the group's email to the student violator. After a few days, Cramer tells the group whether or not a user has responded.
But OIT isn't all smiles: When overwhelmingly excessive use of bandwidth crippled the Duke network, the group elected to monitor your bandwidth usage. After a global bandwidth restriction for residence halls launched last November failed to speed up connections, Cramer says OIT started looking at traffic data user by user. "Ten percent of the people on the network were using 90 percent of the bandwidth," he says. "The cap, at five gigabytes a day, is still really high. The network is a lot faster for everyone." Cramer says OIT flushes the data every day at midnight to assure privacy. "It's not discoverable in the case of a lawsuit," he promises.
Infecting the system
We know your computer isn't safe.
You say you hate typing a password every time. You say you'll download the patch next week. You say those little McAfee pop-ups will go away if you ignore them. We know the story.
We know that even the best security won't necessarily protect you. It's a lesson almost 400 students found out a few years ago when malicious users broke into their dorm computers. Although AFS--which Duke's infrastructure relies on--sets files to "private" status by default, Cramer says, Windows 2000 requires users to opt out of the default open file sharing. And even worse, Windows 2000 doesn't include an administrative password unless users go out of their way to set one. Windows XP isn't much better.
"The biggest problem with computers in the dorms is that the vast majority of students are students, not system administrators," says Tracy Futhey, vice president for information technology and chief information officer. "The fact that the operating systems make it necessary to be sysadmins is a concern.... You've got to change the passwords. You've got to keep up with the patches [vendor updates that close the holes new worms and viruses break in through]. They've got to be installed weekly, if not daily."

You probably don't even know the difference between a worm and a virus--and that's half the problem. A virus is malicious code that rides inside a file and can't spread without your help: you run that infected attachment, you run the virus. A worm needs no help from anyone. It scans the network for computers with an unpatched hole or an open share, breaks in on its own, then uses each new victim to hunt for the next. Individual copies of McAfee VirusScan, which OIT provides for free, can root out a known virus sitting on your disk. But the worms? Not so much--a scanner can catch a worm it recognizes, but it can't close the hole the worm came in through. Only the patch does that.
On the morning of August 18, sobig.f--a nasty worm-virus combo that took down email systems across the country at the expense of thousands of businesses--found its way into the Duke system. OIT's response, fortunately, was swift. By 11 a.m., Futhey recalls, sysadmins had installed filtering software. By Aug. 24, OIT had caught 2.5 million copies of sobig.f.
But Duke hasn't always been so successful. Back in January 1999, a malicious user working from a computer in Denmark hijacked Duke's godzilla6 server and used it to launch a denial of service attack: from the Duke machine, the hacker flooded computers at NASA and the Tennessee state government with bogus requests. Over six days, the attack compromised 2,600 acpub accounts, and OIT personnel spent a month compiling the afflicted accounts and sending emails. And who knows when it could happen again?
The DukeCard Story
Every drunken return to the dorm, every Corona on points, every xeroxed page of physics notes, every Blue Zone bust-in--your DukeCard record has it all.
A swipelog, if you will, is available 24 hours a day on some computer. Of course, all DukeCard employees sign a non-disclosure agreement and follow FERPA guidelines, Drummond says, but that doesn't mean it can't be held against you. Residential Life and Housing, Dining Services and the Duke Police have all used the data in years past for consumer records and judicial action.
Back in 1994, for instance, Public Safety used DukeCard data to track down Clayton Summer Peterson, then a freshman, for allegedly planting a firebomb in the Allen Building. And the same day police discovered the bomb, officers also found that an ID camera, blank ID cards, a card laminator and a checkbook--presumed ingredients for making fake DukeCards--were missing.
We know you don't give much thought to swiping that DukeCard for the laundry machines. Let's say you want to buy a soda. You swipe your card, and the reader takes your account number off the card and sends it along with your personal identification information--at Duke, that's the UniqueID. The network processor, or NP, receives the signal over RS-485--a differential serial signaling standard, chosen because it shrugs off electrical noise on long cable runs--and then, deducting the price of the soda from your account, sends a second signal back to the AP, or applications processor. The AP then talks to the soda machine and sends "coin pulses" to the board in the machine equivalent to the price; a dollar's worth of laundry means four quarter-sized pulses.
But the system--which, in frighteningly appropriate fashion, came into being in 1984--hasn't always been fail-safe. In April 2001, a kid at Georgia Tech brought the whole thing down--with little else than a homemade screwdriver. Using a "long, thin knife," one Billy Hoffman, nom de guerre Acidus, undid the four flathead screws on the back of an MW/MHWMENC wall-mount enclosure, which instantly exposed the four critical wires that led from the box to the central database server.
What happened next is the secret BlackBoard, maker of Tech's BuzzCard as well as the DukeCard, has fought so hard to keep under wraps. Hoffman managed to intercept the NP signal and reproduce it from his laptop. Actually, he found three ways in--intercepting the NP signal en route to the AP, talking directly to the AP and cloning other BuzzCards. Data encryption? Beside the point--the AP never checks who is on the other end of the wire, so anything that speaks the protocol looks like the NP. At Tech, those same flimsy flathead screws guarded readers for laundry machines, door readers and photocopiers. The soda machines, meanwhile, had an RS-485 line completely exposed. Access to buildings, billing information and everything in between was wide open.
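As an added illustration of the weakness in that last paragraph--an AP that will act on any frame that speaks its protocol--here is a toy model in Python. It is not Blackboard's protocol and not Hoffman's code: the frame format, the field names, the device classes and the sample account number are all invented for the demonstration. It pits an attacker wired into the line against two designs: an AP that vends on any VEND frame it sees, and one that shares a key with the NP, issues a fresh nonce per transaction and checks an HMAC on the reply, so a replayed or forged authorization is rejected.

```python
import hashlib
import hmac
import secrets

# Hypothetical wire format, invented for this demo; it is NOT Blackboard's
# RS-485 protocol. Frames are '|'-separated ASCII fields on a shared line
# that every device, the attacker's laptop included, can read and write:
#   AP -> NP : REQ|<account>|<amount_cents>|<nonce_hex>[|<tag>]
#   NP -> AP : VEND|<amount_cents>|<nonce_hex>[|<tag>]
# <tag> exists only in the hardened design.

# --- 1. Weak design: the AP trusts whatever arrives on the wire ------------

class UnauthenticatedAP:
    def __init__(self):
        self.dispensed_cents = 0

    def request(self, account, amount):
        nonce = secrets.token_hex(8).encode()
        return b"REQ|%s|%d|%s" % (account.encode(), amount, nonce)

    def on_frame(self, frame):
        fields = frame.split(b"|")
        if len(fields) != 3 or fields[0] != b"VEND":
            return False
        self.dispensed_cents += int(fields[1])  # coin pulses go out here
        return True

def unauthenticated_np(req):
    _, account, amount, nonce = req.split(b"|")
    # (a real NP would debit `account` here)
    return b"VEND|" + amount + b"|" + nonce

# --- 2. Hardened design: shared key, per-transaction nonce, HMAC ----------

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()

class AuthenticatedAP:
    def __init__(self, key):
        self.key = key
        self.dispensed_cents = 0
        self.pending = None  # (amount, nonce) of the in-flight transaction

    def request(self, account, amount):
        nonce = secrets.token_hex(16).encode()
        self.pending = (amount, nonce)
        body = b"REQ|%s|%d|%s" % (account.encode(), amount, nonce)
        return body + b"|" + tag(self.key, body)

    def on_frame(self, frame):
        fields = frame.split(b"|")
        if len(fields) != 4 or fields[0] != b"VEND" or self.pending is None:
            return False
        body = b"|".join(fields[:3])
        if not hmac.compare_digest(tag(self.key, body), fields[3]):
            return False  # forged or altered: without the key, no valid tag
        amount, nonce = self.pending
        if fields[2] != nonce or int(fields[1]) != amount:
            return False  # replay: genuine tag, but for another transaction
        self.pending = None  # each nonce is good exactly once
        self.dispensed_cents += amount
        return True

def authenticated_np(key, req):
    fields = req.split(b"|")
    if len(fields) != 5 or fields[0] != b"REQ":
        return None
    body = b"|".join(fields[:4])
    if not hmac.compare_digest(tag(key, body), fields[4]):
        return None  # not from a real AP: debit nothing, answer nothing
    reply = b"VEND|" + fields[2] + b"|" + fields[3]
    return reply + b"|" + tag(key, reply)

def run_scenarios():
    """Legit purchase, replay and laptop-as-NP forgery against both designs.
    True means the machine vended. The account number is a made-up sample."""
    r = {}

    ap = UnauthenticatedAP()
    reply = unauthenticated_np(ap.request("0000000", 100))   # seen on the bus
    r["unauth_legit"] = ap.on_frame(reply)
    r["unauth_replay"] = ap.on_frame(reply)                  # same frame again
    r["unauth_forged"] = ap.on_frame(b"VEND|100|deadbeef")   # attacker's own

    key = secrets.token_bytes(32)  # provisioned into AP and NP out of band
    ap2 = AuthenticatedAP(key)
    reply = authenticated_np(key, ap2.request("0000000", 100))
    r["auth_legit"] = ap2.on_frame(reply)
    r["auth_replay"] = ap2.on_frame(reply)
    ap2.request("0000000", 100)  # new transaction; the attacker answers it
    fake = b"VEND|100|" + ap2.pending[1] + b"|" + b"0" * 64
    r["auth_forged"] = ap2.on_frame(fake)
    r["auth_replay_old"] = ap2.on_frame(reply)  # old authorization, new nonce
    r["np_rejects_fake_ap"] = authenticated_np(key, b"REQ|0000000|100|00|00") is None
    return r
```

Call `run_scenarios()` and the weak design vends on all three frames, while the hardened one vends once and refuses the replay, the forgery and the stale authorization. The tags restore authenticity, not confidentiality: anyone on the line still watches every account number go by, and a cloned card is still a valid card, so this closes the first two of Hoffman's three routes but not the third. Both directions carry a tag so a laptop can't debit accounts by posing as an AP either.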
BlackBoard--and the Tech campus police--didn't take the news so well. When Hoffman wrote up his findings in the Spring 2002 issue of the hacker magazine 2600 with Virgil Griffith, a computer science student at the University of Alabama's New College, BlackBoard found out. The BuzzCard office launched an inquiry, refusing in the meantime to confirm or deny his findings. Hoffman presented his research at two hacker roundtables--in late August at Atlanta's Interz0ne conference, and in November at the Phreaknic 6 conference in Nashville. But when he tried to speak again at the 2003 Interz0ne conference in April, a judge slapped him with a temporary restraining order. Since then, he's been hired as a consultant for Nuvision Networks and remains compelled to silence on the BlackBoard front.
So is it safe at Duke? It should be, though the administration isn't talking much.
"OIT has evaluated our security practices after the Georgia Tech incident and determined that the DukeCard system complies with University standards and is safe to use," writes Matthew Drummond.
Safe...for now
Everything you've read is public knowledge.
It's hot. It's scary. It's the promise and the peril of the Internet--complete, instant access to more than you ever wanted to know about anything and anyone. If this is what they consider okay for the public, just think about the stuff that's private. And all I know is, my email account's been acting real funny these past few days.