The Commentator
Volume 62 Issue 5


Student Grades Vulnerable

Serious Flaws Found in University Computer Network

By: Commentator Staff

For the past several weeks, students familiar with computers have had the ability to change their grades or eliminate their YU bills from the comfort of the library computer bank. Due to a University oversight in the organization of its computer network, any student could have connected to the YU administrative network and manipulated its contents with little difficulty.

Explaining the feasibility of penetrating the YU network, a number of technically inclined students stated that by buying a $15 cable from Radio Shack and adjusting the connections on one of the computer kiosks in the lobby of Furst Hall, a student can easily build a "bridge" (a technical term referring to a device that joins computer networks, making them act as a single network). Using a readily available monitoring program called a sniffer, the student would then have access to passwords whenever someone checks financial records or changes anyone's registration on the internal network.

In an effort to alert YU officials to this significant system flaw, the Commentator sent three YC students on a special assignment to apply their networking knowledge and demonstrate how one could take advantage of this deficiency. The experiment highlighted the lack of security in the YU network, as the students were able to make an easy connection to BANNER, the grades computer, by using the same telnet program that many students use to check their email. At this point, the students had the opportunity to easily change their grades.

In response to this demonstration, a number of computer aficionados went to the Department of Management Information Systems (MIS), the university department responsible for the campus computer infrastructure, to find out how such an error could have gone undetected for so long. Arthur Myers, the director of MIS, tried to allay the students' fears by explaining to them that "you're asking a question that... everyone's dealing with." He explained that the job of tightening up security never ends, since experts are always finding new security flaws. To combat the problem, MIS has engaged a consulting firm, Trusted Information Systems, to review the University's security measures and to give seminars to University personnel about computer security.

However, some students have expressed their disappointment over the perceived lack of initiative taken by the MIS department in analyzing the weaknesses of the YU computer system. Many students feel that it should not be their obligation to compensate for the inactivity of MIS officials. Commenting on this experiment, Josh Spoerri (YC '98) remarked, "It's tragic that students have to fight to give MIS much needed help."

The following are observations made by Computer Science major Aryeh Sanders (YC '98) after an in-depth study of the YU computer system. Sanders submitted a record of his experience to the Commentator.

Computer Lab Follies

To research the extent of the problems with computers in the labs, I decided to try to print a web page from 20 computers. I started by repairing one of the printers in the library in order to give the computers a fair chance. The results: 4 out of 10 library computers managed to print without playing with the settings, and 8 of the 10 in the labs on the 11th floor of Belfer. However, even among those that managed to print, 3 printed sideways, one had a broken mouse, and one shrank the printout to one quarter of the paper size. Of those that did not get that far, some had mysterious errors; three computers stopped responding, one didn't have a functioning copy of Netscape, and one didn't have a printer driver installed. When I first arrived in the Belfer labs, neither printer was functioning. An MIS employee partially repaired one while I waited.

When told of the results of this experiment, Myers told me, "I don't doubt the statistics you gave me." He, as well as other MIS personnel, blamed students who change the computers' setup for the sorry state of the computer labs.

Myers explained that MIS is working on finding a way to refresh the computers automatically. As it stands, an MIS employee must repair every broken computer by hand, with problems appearing faster than they can be fixed. Recently, the school invested in removable hard drives that could be refreshed easily, but several drives were stolen as the locks were easy to open.

At the beginning of the school year, I offered to set up a demonstration of a program that would refresh the computers over the network. Two weeks after sending a detailed proposal to MIS, I received a request to come and explain this proposal in person. When I completed my presentation, I was thanked for my efforts and told that someone would try to follow up on my suggestions. This took place last September, and since then I have not been contacted at all by the MIS department as to whether any changes have been made.

Can I have an operator please?

This year there has been no student operator program, whereby students would be available in the computer labs to fix problems and provide assistance. Myers stated that the program will still proceed with some revisions despite the late start. When students are finally selected for the program, they may have to commit to working more hours than in previous years.

Tangled Up In Webs

The status of web pages has been a sore point in Yeshiva University's transition to the Computer Age. The web pages on www.yu.edu have stagnated over the past few years. In an effort to remedy this, the University has brought in Tom Deering, a consultant, to update the web site as well as the computer kiosks located in the lobby of Furst Hall. He has redesigned the web site, but the changes cannot be posted until they are approved by the Department of Public Relations.

Myers vowed as well that teachers could post course materials on the YU web site if they could get approval from Public Relations.

Looking for Guidance

The back end of the "Guide to the Perplexed" correction forms resides on a separate web server because MIS wanted to review the code for security reasons. Unfortunately, as their UNIX guru is now studying at the Gruss Institute in Israel and only working part time, the review process was far too slow to be practical.

Installation Problems

In addition to the technical problems of the computer connections, MIS officials have also failed to protect the integrity of the hard drives of the school's computers. Some students have installed software on most of the computer lab machines that allows them to run any program on the machine from anywhere. Moreover, some computers have two or three such programs installed, probably by competing groups of computer hackers. While conducting my research of the YU computer system, I discovered that one program found on some of the machines allows people to connect with the standard telnet program, complete with a login name and password. Another program, installed on most of the lab machines, allows anyone to run programs by typing "rsh machine_name command_name" from any UNIX account in the world. Unfortunately, under the standard operating procedure used by MIS officials, keeping the machines clear of such programs would require MIS employees to service each computer for fifty minutes each day.

Then, there are also programs that record keystrokes, convenient for collecting passwords as people log in to their email accounts.