BARATUNDE R. THURSTON'S TechTalk

Just when you thought you were comfortable with your new FAS account password, I'm writing to scare you into caution. In today's episode of TechTalk, we will be discussing network security and encryption.

The issue of privacy of on-line data has become increasingly prevalent as the industrial world becomes more dependent upon electronic data exchanges like e-mail messages, groupware and e-commerce.

Much of the talk about such privacy and security issues centers around mega-unethical-corporation X and its trade secrets. However, big companies aren't the only ones vulnerable to having their information viewed or manipulated.

Anyone on a computer network should be aware of how private (or not) one's data is.

The natures of most computer networks as they stand today are that they are inherently insecure, for their purpose is to share, not hide, data.

The problem is that with many networks based on TCP/IP, (the sort that comprise the Internet) a lot of the information flowing over them is accessible to parties other than the intended ones. Let's take the Harvard network as an example.

From the point of view of student housing, the network is divided into three large sections: Yard, River and Quad. Within each of these sections there are subnets, usually corresponding to a House (though some Houses contain many subnets).

The termination points for a subnet are the ethernet datajacks in student rooms. Within the subnet, the traffic on the network actually travels to all points, so that when you enter your password, the information is broadcast across the subnet to every datajack.

What prevents others from simply grabbing your information is that most of the time, your computer only views what is intended for it. However, there are tools that allow access to all network traffic on a subnet. Such a technique is referred to as IP-sniffing, and if put to malicious use someone can, for example, collect all the login information flying across the subnet.

So how can this be prevented? Enter encryption.

In order to combat the ease with which skilled electronic Peeping Toms can access others' information, encryption exists to secure your connection and the data that flows over it.

Encryption converts data into a locked or 'ciphertext' version. In order to decipher the data, a key is needed. The quality of an encryption key is measured in bits. The more bits, the merrier. The strongest commercially available encryption is currently 128 bits, (although there is some insane company that just announced 4,096 bit encryption).

An issue among the government and technical communities is just how good encryption should be and where. Even with the key system of securing network data, a persistent set of fast computers can "crack" the key by trying different permutations of bits. With the increasing speed of computers, keys get more complicated.

The U.S. government, however, treats encryption as a munition, thus subjecting it to export restrictions. The current export restriction is 40 bits.

For its own part, Harvard University is taking steps to make its network less vulnerable to the sort of IP sniffing mentioned. On subnets, traffic will soon be directed solely to the intended recipient rather than broadcast.

Until then, you can do a few simple things to minimize the chances of someone sniffing your data. There are telnet programs available that encrypt your session (one example is SecureCRT, whose demo is available at www.tucows.com).

Also, be sure if you are running a Unix operating system like Linux, that you know what you are doing. Helpful system security information is available at www.cert.org.

The last thing is simply to remember that any network traffic can potentially be viewed by anyone on the network, so don't pass those secret world takeover documents around via e-mail.

Baratunde R. Thurston '99 is the Crimson's on-line-technology chair and a member of HASCS's Advanced Support Team. He passes around world takeover plans via e-mail...really.