Topics

1) General News: Personnel changes
2) General Reminder: Email to everyone@chemistry
3) General News: Free SSH clients for Macs; free SSH Java applet
4) General News: Windows SSH client upgrade
5) Security News: Don't run any unnecessary services
6) General News: FTP block at the firewall
7) Windows News: Windows file sharing; firewall block
8) General News: TWIG problems
9) Lab News: PCs in 2105 NW need not authenticate anymore
10) General Reminder: email addresses; NAME@chemistry vs. NAME@osu.edu
11) Network Reminder: Don't rip out coax cables in EL and JL
12) Network News: Our network topology
13) Security News: denial-of-service attacks

Newsletter Archive:

        http://www.chemistry.ohio-state.edu/compsupp/Newsletter/

Due to the many hyperlinks, COMPNEWS is best viewed on the web
at the above URL, or by going to the main Chemistry page and
clicking on Internal --> Computer Support --> The Newsletter Archive



1) General News: Personnel changes:


Andy Fenner, our webmaster, left us in July to work for a company. We wish
him the best of luck in his new position. We are in the process of hiring a
new webmaster.

Our student worker Travis Julian left in June. His replacement is Waqas
Quraishi; if you haven't met him yet, he is tall, dark and handsome, and he
has a lot of hair (probably more than the remaining male members of Computer
Support combined).


2) General Reminder: Email to everyone@chemistry:


We created the mailing list

        misc@chemistry.ohio-state.edu

in February and tried to make it very clear that everyone@chemistry is only
for Chemistry Department related and/or sponsored material, not for football
tickets, girl scout cookies, pets, etc.

The policies are clearly laid out on our web pages under

  Internal --> Computer Support --> Policy Statements --> Email to everyone@chemistry

Did you know about misc@chemistry and that you can unsubscribe from
misc@chemistry? If you didn't know, please read the policy.

Computer Support does not wish to moderate or censor any material, but we
also do not wish to get complaints from faculty.


3) General News: Free SSH clients for Macs; free SSH Java applet:


Free SSH clients for Macs have been illegal in the US until now. From now on,
they are legal!

The reason why there have been no free legal SSH clients for Macs until now
is that the existing ones have all been based on a version of the SSH
protocol that relies on encryption libraries that were patented and thus
illegal to run in the US. The patent would have expired on September 20, 2000
(after 17 years). RSA Data Security Inc., the holder of the patent, put the
RSA public-key encryption algorithm into the public domain on September 6,
2000, two weeks before the natural expiration of the patent. This means that
United States users can now download and use these free SSH clients legally.
Yippee. The SSH Primer has been updated accordingly.

Another SSH client affected by the RSA patent (or now the lack thereof) is
the Java-based Mindterm SSH client. It can be set up on a web page as a
downloadable Java applet, which can be executed by any client that supports
Java (PCs, Macs, or Unix workstations running reasonably modern versions of
Netscape or Internet Explorer with Java enabled). This client is also
mentioned in the SSH Primer. If you want to SSH to the chemistry Unix server
and you don't have another SSH client installed on your Mac, PC or Laptop,
you can run the Java applet from our web pages:

  Internal --> Computer Support --> SSH to chemistry Unix server


4) General News: Windows SSH client upgrade:


If you have downloaded the free "SSH Secure Shell, V2.1" client from the UTS
Software To Go Site onto your PC at home, you should upgrade to the latest
version, V2.3. There are some security issues with version V2.1 that are
troublesome if you have a broadband "always on" connection such as DSL or
cable modem (Roadrunner). If you enable port forwarding (which is something
you need to do if you want to use Eudora at home), your forwarded ports are
not protected, and everybody on the Internet can telnet to your ports. These
telnet attempts will go through your SSH-tunnel (presumably) to our Unix
server, they draw unwanted attention to your PC and even more hackers to our
server, and they can use up your bandwidth.

You are protected against this "feature" of the SSH client if you have
installed a Personal Firewall on your home PC.


5) Security News: Don't run any unnecessary services:


Whether you run your own Linux computer, or a Windows 95/98/NT/2000
computer, one of the most important guidelines to keep your machine
secure is the following:

  Don't run any unnecessary services!

In particular,

 o don't run a web server (use the chemistry server instead)
 o don't run anonymous FTP (use the chemistry server instead)
 o don't run any FTP server on a Windows computer
 o don't share entire disks on a Windows computer
 o absolutely don't share any files or directories without passwords


6) General News: FTP block at the firewall:


Many users operate FTP servers that allow anonymous uploads and subsequent
anonymous downloads. This is very dangerous. Several computers in the
Department were exploited a few months ago, turning them into repositories
for illegal software that was downloaded from users all over the world. This
activity filled up all available disk space and kept the computers so busy
that they became useless (which caused attention).

We are planning to block FTP for all general-purpose machines at the firewall
some time this fall. FTP, including anonymous FTP, will always be available
to the chemistry Unix server. If you want to make files available for
anonymous download, we can create a directory for you within FTP on the
chemistry Unix sever. Also, FTP can be partially tunneled through SSH; see
the Great SSH Primer for more information. This would allow you to FTP to
your research computers (non-anonymously) through chemistry, thus bypassing
the firewall block.

If you think that an FTP block would affect you, please send us email.


7) Windows News: Windows file sharing; firewall block:


You should never share your Windows filesystems read/write without passwords!
You shouldn't even share them read/write with a password unless absolutely
necessary. Windows file sharing is not currently blocked by the departmental
firewall, but we're planning to block it at some point in the future. Please
send us email if you think this will have an impact on you.

If you leave your shares unprotected, your computer is vulnerable, and all
your data on it can potentially be deleted or modified (which is even more
insiduous). Even worse, your system can be used to spread viruses and to
attack the rest of the Department behind the firewall, thus rendering the
firewall useless. Also, it can be used as a "zombie" computer to take part in
a distributed denial-of-service attack against high-profile web sites such as
Yahoo or Amazon.com, resulting in possible legal action against the
University and/or the Department.


8) General News: TWIG problems:


We have recently fixed a problem with TWIG that caused some users to get an
error message after they successfully logged into TWIG and clicked on an
email message to read. This problem only affected users with the following
characters in their passwords: an unpaired single quote ', an unpaired double
quote ", or a back-slash \.

We believe we have fixed this problem. Please let us know if you notice
similar issues.


9) Lab News: PCs in 2105 NW need not authenticate anymore:


The PCs in the Graduate Computer Lab 2105 NW are no longer behind a "public
lab firewall". At this point, everybody has their own NT account, there are
no generic accounts anymore (such as the "student" account that was in use
until the beginning of this year), and anonymous access to the PCs is no
longer possible.

The public lab firewall required PC users to first "enable access"
(authenticate) by signing on with their osu.edu username/password before full
network access was granted. This restriction is required by the University
for all computers that allow "public" access.

Since there are no logins on the Macs, user of the Macs still need to "enable
access" before gaining full access to the Internet.


10) General Reminder: email addresses; NAME@chemistry vs. NAME@osu.edu:


Please use USERNAME@chemistry.ohio-state.edu in preference to NAME.N@osu.edu!

This has been a recurring topic in COMPNEWS since November 98 when "The Great
Email Primer" was released in issue 16. Also see issues 26 and 28.

Recently we have been seeing very erratic behavior in the delivery of email
when sent through osu.edu. Mail routing through osu.edu is a service of OIT
(formerly known as UTS). Chemistry Computer Support is entirely separate from
OIT and has not control of this service, which is frequently slow. In fact,
We see 2-4 times a year that service through osu.edu degrades as huge swarms
of incoming students arrive in fall and all read/send email at once. In late
summer or during other breaks in the school year OIT adjusts/upgrades the
computers associated with mail delivery or address translation. This has in
the past had brief (several hours or days) disastrous effects on email
delivery.

Some users have complained in the last few weeks of mail disappearing without
response when sent to osu.edu. Others have complained of 4-18 hour delays in
delivery. This becomes inconvenient when the message is something like "the
meeting has been moved to McPherson". Still others have had problems sending
large attachments via osu.edu.

Many people complain that chemistry.ohio-state.edu is to long to type.
We would like to point out that:

* the length has no effect when the address is an alias or nickname.

* when sending mail through chemistry (when chemistry is set to be your SMTP
  or "Simple Mail Transfer Protocol" server), one only need to use the
  username, e.g. parker, and not parker@chemistry.ohio-state.edu or even
  parker@chemistry.

  In fact if you are in the Department and Support has set up your computer,
  you are using the chemistry Unix server as your SMTP server, and if you
  send email to parker.12@osu.edu, your mail goes through chemistry to
  osu.edu and back to chemistry. This is like driving to the Columbus Airport
  via Cleveland.

* We have made the naming scheme very simple. In our opinion, it is easier to
  guess that Dr. Anderson's email address is
  anderson@chemistry.ohio-state.edu than it is to guess that it is
  Anderson.45@osu.edu, and not anderson.997 who is the other Larry Anderson
  presently employed at OSU.

* We can help with mail sent or received via chemistry. We also have backups
  in case you accidentally delete mail. We cannot help with mail stuck at
  osu.edu. Delivery problems with addresses that use osu.edu should be
  directed to OIT's help line at 8-HELP (8-4357) or 8help@osu.edu (if this
  ever reaches them :).


11) Network Reminder: Don't rip out coax cables in EL and JL:


Based on "popular demand", we repeat this reminder of what NOT to do with
coax network cables in EL and JL.

Time and again we get complaints that portions of the network in Evans Lab
and/or Johnston Lab go down. This is almost always caused by users
interrupting coax loops or simply unplugging entire strands of coax from the
wall outlets.

All our other buildings have 10/100BaseT ("twisted pair") cabling with
individual jacks in offices and labs for each piece of computer equipment to
be networked. If you unplug such a twisted pair cable, you only interrupt
networking for your own equipment. If you open up a coax segment, however,
you interrupt networking for everybody on that segment, typically several
dozen users. You may remove a T-connector from an Ethernet card, but you must
not open up the two coax cables going to the T-connector.

Evans and Johnston Labs will be converted to 10/100BaseT cabling over the
next few years as funding becomes available.


12) Network News: Our network topology:


This is an update on our network topology and on recent changes in our
network. Also see the article about Network Topology in COMPNEWS issue 24
(September 17, 1999).

To read about our present network topology, go to this link under

  Internal --> Computer Support --> The Support Bulletin Board


13) Security News: denial-of-service attacks:


On 25 July, starting at approximately 3:18 pm and lasting until 4:40 pm, our
main network connection to Baker Systems was lost. This repeated on 26 July
at 2:22 pm and again at 4:27 pm.

All of these were caused by a denial-of-service (DOS) attack from a hacked
machine in another Department. The machine was finally identified and taken
off the network.

This should again illustrate the need to keep current on all system patches
and virus data files. Many users have stated that they are not concerned with
security on their machines saying "I don't have anything worth stealing on my
computer. Why should I worry?" When outsiders compromise the security on your
machine they can then use this hack to launch an attack against other
computers. In this case they brought down most of the network on this part of
campus. The security (or lack thereof) on your computer can and does effect
others. If you need help in evaluating your security needs please contact
Computer Support.