[Dshield] "Academic Freedom" vs Computer Security

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Fri Feb 13 03:06:16 GMT 2004


On Thu, 12 Feb 2004 16:50:03 -0500 "Jon R. Kibler" wrote:

> Background: Probably 80% (give or take a few %) of the spam attempts
> we see that originate from academic institutions, originate from
> less than a half-dozen sources (unrelated to our IPs, geographic
> region, etc.).

That's not very clear. What, in your experience, is the ratio of
academic versus non-academic spam sources? (I see mostly DSL users).

> Several of these institutions do not even have working abuse email
> addresses.

They deserve blacklisting or other punishment (publication?). There is
no excuse for not having an abuse address. However, contrary to
commercial email addresses, academic email addresses are usually "all
over the place". With MyDoom, many people will be sending complaints
to abuse "I received a virus from xyz at university.tld" - which obviously
is wrong, and causes abuse mailboxes to overflow.

Which BTW is what Microsoft advises people to do (like in most spams,
mydoom also spoofs sender addresses):
> November 24, 2003
| Report junk e-mail and its senders
| Get active. Put spammers on the defensive and report junk e-mail:
| - Forward spam to the originating ISP. Most ISPs and e-mail services
|   have a complaint address to help eliminate junk e-mail from their
|   systems. If you get unwanted mail, the sender's address will show
|   the ISP name after the at (@) sign. If it came from MSN.com,
|   forward the entire e-mail, with headers, to abuse at msn.com. If the
|   spam originated from another ISP, forward it directly to the
|   postmaster or abuse alias at that ISP.

Tip: learn to analyse mail headers, find out the originating IP, and
complain to their ISP. If that's too hard: send ALL your complaints
to abuse at msn.com, regardless of the originating ISP.

Note: yesterday I complained to a US company. They accepted mail
from a blacklisted IP (not me), then bounced to the (spoofed) sender at
my site, but with return-path: spam at spam.com (MX= Because
the spoofed sender at my site does not exist, the DSN got stuck in the
queue. I complained to them, and received the following response:

Return-Path: <postmaster at company.tld>
From: postmaster at company.tld
Mail could not be delivered to:
  postmaster at company.tld
  abuse at company.tld
(Afterwards I sent to sales, info etc., which made them fix the issue).
I can tell you similar stories about the totally clueless quik.com (they
don't respond to abuse mails, and don't fix) etc. Don't just blame
academic institutions.

> the response is almost universal: "We can't tell our students and
> staff that they cannot run open proxy servers (etc.) because it would
> be an infringement of their academic freedom."

The same applies to all those DSL users that seem to be getting faster
connections every day. However, IMO academic institutions do have a
responsibility, and we do have problems on our campus, and we're doing
our best trying to resolve them.

> One school (who knowingly runs an open relay mailer) also stated that
> even suggesting that students and staff use AV software was an
> infringement of "academic freedom."

Not the case on our campus (inbound 25/tcp has been blocked for many
years to prevent on-campus open relays or multi-stages). We do suggest
running AV (we have licenses), and inbound mail is filtered (I think
there was a few-hour window where MyDoom slipped through; personally
I haven't received a single one - but quite a few virus-removed bounces).

> So here is my question: How does practicing basic computer security
> infringe on academic freedom? Also, I am looking for suggestions on
> the proper (civil) way to discuss this issue.

What does "basic computer security" look like? Do not use operating
system X? Do not use browser Y? Use AV and update hourly? I tend to
walk outside not wearing a bullet-proof vest. Am I stupid?

All these moron attackers are making us believe that they are RIGHT,
and those who have missed one single patch, failed to install all
anti-whatever products (wasting money and slowing PCs down enormously,
often introducing incompatibilities and sometimes new security issues),
pressed a wrong button once, or opened an attachment with an invisible
".pif" because of 70 spaces preceding it, are WRONG. This just doesn't
make sense.

> Two other comments:
>   1) We are just about to the point of blocking these institutions
>      at our border router as a way of solving this problem. However,
>      I can envision this creating a whole other set of problems.

Don't. Use blacklists like XBL (spamhaus.org) or cbl.abuseat.org,
or spamcop.net, and the common blacklists for open relays. It saves you
a lot of work maintaining your own lists. However, you may want to add
a whitelist for those that tend to end up on blacklists but should not
(think mailing lists, including this one). A student's home PC on our
campus was spamming last week; it was on CBL within a few hours. BTW,
contrary to SORBS, it is very easy to get removed from CBL.

>   2) Yes, when looking at the big picture, academic institutions are
>      but a relatively small source of insecure, spammer infected
>      systems. That is not the real issue here. With the exception of
>      2 or 3 ISPs, everyone else takes immediate action when you notify
>      them of an infected system.

In my experience there are a LOT MORE than 2 or 3 ISPs. Their helpdesks
are generally understaffed, and it is not in their interest to upset
their customers by disconnecting them, then wasting time trying to
explain to them what a "backdoor" or a "spamproxy" is, and how to fix it.

>      The problem I am having is the use of "academic freedom" as and
>      excuse for lax computer security.

Academic institutions tend to be hit by viruses and worms sooner than
companies that are "better" protected by perimeter firewalls. However,
quite a lot of (huge) companies have suffered delayed hits from worms
like Blaster and Nachi - they were even more lax on security (they had
more time to patch but didn't bother either).

> Bottom line request: Would someone from the academic world please
> explain the "Academic Freedom" issue and why it can be viewed as
> superseding common sense computer security?

Most, if not all, computer users do not like to be limited in any way.
Academic users are no exception. It has everything to do with education,
or better, the lack of it. In my experience, if you provide users with
a good setup, and explain that it is in their own interest that the
PC still works when they start writing their thesis, they will accept
a lot of things. Including not having admin rights (no write access on
most of the C: drive etc.) and thus not being able to install software.

However, there are exceptions. Some guys (and girls) are smarter and
develop software. You don't want to bother a C++ programmer with AV he
or she can't disable. Making them understand the risks is all it's
about really. AV helps but also has flaws (think of on-access scanners not
checking compressed files, for example).

> I hope this posting did not step on too many toes...

Not mine :)

Erik van Straten
Not speaking on behalf of my employer
Just a local sysadmin/technician
Delft University of Technology
The Netherlands

> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
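The two practical points in the message above (find the originating IP from the Received headers before complaining, and let a DNSBL such as XBL/CBL do the blocking instead of a hand-maintained border ACL) as an added example. This is not code from Erik's or Jon's posts and not a DShield tool; the message, the trusted-relay address 203.0.113.7 and the other IPs are constructed for the example (documentation ranges used as stand-ins for public addresses). It walks the Received headers from the newest (our own MX) downward and stops at the first hop we did not write ourselves, because anything below that line was written by hosts we do not control and may be forged; then it builds the DNSBL query name (reversed octets under the list's zone) and interprets the reply.

```python
import email
import ipaddress
import re
import socket

# Constructed sample message (not from the original post). MTAs prepend
# Received lines, so the top one is our MX, the bottom one the oldest.
RAW_MESSAGE = b"""Received: from fwd.example.org (fwd.example.org [203.0.113.7])
\tby mx.university.tld (Postfix) with ESMTP id 1A2B3C
\tfor <victim@university.tld>; Fri, 13 Feb 2004 03:00:00 +0100
Received: from dsl-pool-4711.isp.example (unknown [198.51.100.23])
\tby fwd.example.org (Postfix) with SMTP id 9Z8Y7X;
\tFri, 13 Feb 2004 02:59:00 +0100
Received: from [10.1.2.3] (helo=mail.msn.com)
\tby dsl-pool-4711.isp.example with smtp; Fri, 13 Feb 2004 02:58:00 +0100
From: someone@msn.com
To: victim@university.tld
Subject: test

body
"""

# Relays whose Received lines we believe besides our own MX, e.g. a
# forwarder that delivers to us. Hypothetical address for the example.
TRUSTED_RELAYS = {"203.0.113.7"}

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Only RFC1918/loopback/link-local are treated as non-routable here, so the
# documentation ranges in the sample still count as "public" sending hosts.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _NON_ROUTABLE)


def sending_ip(received_header: str):
    """IP that the MTA writing this Received line got the message from.
    Only the 'from' clause is searched, so an IP in 'by ...' is ignored."""
    from_part = re.split(r"\s+by\s+", received_header, maxsplit=1)[0]
    m = _BRACKET_IP.search(from_part)
    return m.group(1) if m else None


def originating_ip(raw: bytes, trusted=TRUSTED_RELAYS):
    """Walk Received headers newest-first and return the first sender that
    is neither one of our trusted relays nor an internal (non-routable) hop.
    Lines below that hop were written by strangers and may be forged."""
    msg = email.message_from_bytes(raw)
    for hdr in msg.get_all("Received", []):
        ip = sending_ip(hdr)
        if ip is None or ip in trusted:
            continue          # our own hop: look at who handed it to us
        if not is_routable(ip):
            continue          # LAN hop on our side; keep walking
        return ip
    return None


def dnsbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """DNSBL lookup name: octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(answer) -> bool:
    """Any A record in 127.0.0.0/8 means 'listed'; NXDOMAIN (None) means not."""
    return answer is not None and \
        ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def dnsbl_lookup(ip: str, zone: str = "xbl.spamhaus.org") -> bool:
    """Live query (needs DNS); not called by the offline checks above."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        answer = None
    return dnsbl_listed(answer)


if __name__ == "__main__":
    origin = originating_ip(RAW_MESSAGE)
    print("complain about:", origin)                  # 198.51.100.23
    print("query name:", dnsbl_query_name(origin))    # 23.100.51.198.xbl.spamhaus.org
```

With an empty trusted set the walk stops at the forwarder (203.0.113.7), which is exactly the mistake the message warns about: complaining to whoever last touched the mail rather than to the ISP of the box that sent it. The bottom Received line with the private 10.1.2.3 address and the forged MSN HELO is never reached, because nothing below the first untrusted hop is taken at face value.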
