SECURITY POLICY FOR THE THEORY NETWORK
Serious problems with the security of computer networks around the
world have forced us to introduce a formal policy regarding
the use of computers on our network.
Accounts on the UBC Theory systems are a privilege, not a right, and are
provided under the following conditions:
Those who do not abide by these rules are subject to having
their computer priviledges revoked. In other words we are
really serious about this! We have been fortunate so far
in our group but there have been many other systems on
the international network which have been very seriously
affected by security violations.
- ) All your accounts will be terminated a few days after you leave UBC.
You may request an extension of the life of
your account for the purpose of transferring files to your
- ) Your account and your password are supplied for your use only. Do not
give your password to anyone else. If you believe that anyone
might know it, change it immediately. If you have a guest or a friend
who needs brief access to a computer, either sign him on to your
account yourself, or ask us to give him/her a temporary account.
Use anonymous ftp to transfer files to users elsewhere; do not
give them your password to sign onto your account.
Evidence that others are using your account will result in loss
of the account.
- Do not type in your password to ANY program or file.
The only legitimate time any computer program will ask you for your
password is when you log into your account. Do not type in your
password in any other situation. If you do so accidentally (for
example when anonymous ftp asks you for your password, at which
point you are supposed to type in your email address, not your password),
immediately change your password on all machines on which you use that
Gaining access to someone's account is almost always the first step
crackers take. Once they have gained such initial access,
they can almost always gain unlimited access to the system, and could
destroy your and other people's work.
- The password which you choose MUST NOT be a word in
any language nor a proper name nor anything which can
be easily guessed. (The digits of pi are a bad password, for example.)
The best thing to do is to use a long password made of several words or
a phrase. This is easier for you to remember and hard for an attacker
to guess. A common suggestion is to include
some numbers, punctuation, or capital letters in some
arbitrary manner within a password. The problem is that this makes it
hard for you to remember, but still is not that hard for computer
attackers to figure out. Length beats complexity.
Programs now exist which can test all of the words in a
dictionary, backwards and forwards, together with any and
all permutations of any parts of your name in a few hours.
These cracking programs are a
key way in which strangers from anywhere in the world can
get at your password and our machines.
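As an added example (not part of this policy and not software from the UBC Theory group), the password rules above as a small checker in Python. It goes slightly beyond the text: it undoes the digit-for-letter substitutions a cracking program tries first, so "P@ssw0rd" is still caught as the word "password", and it rates a phrase by its word count against the attacker's word list while rating a single token by its characters, which is what makes "length beats complexity" visible in numbers. The word list, the sample names, the assumed attacker list size of 7776 (the size of a Diceware list) and the 75-bit acceptance threshold are all assumptions; the policy itself gives no figures.

```python
import math
import re

# Constructed stand-ins for the lists a cracking program works through: a
# real checker would load /usr/share/dict/words and the account holder's own
# name parts. The numbers are assumptions as well; the policy says "long"
# but gives no figure.
DICTIONARY = {"password", "physics", "theory", "quantum", "gravity", "summer",
              "correct", "horse", "battery", "staple", "vancouver", "secret"}
NAME_PARTS = {"alice", "bob", "smith", "jones"}   # constructed sample names
PI_DIGITS = "31415926535897932384626433832795028841971"
ASSUMED_LIST_SIZE = 7776   # attacker's word list (Diceware size), assumed
MIN_BITS = 75.0            # assumed minimum search space to accept

# Undo the substitutions crackers try first, so "P@ssw0rd" is still "password".
LEET = str.maketrans("@$0134!", "asoleai")


def estimate_bits(pw: str) -> float:
    """Search space of a single token as a brute forcer sees it:
    log2(pool) per character, so length multiplies while extra classes only add."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33                      # printable ASCII punctuation plus space
    return len(pw) * math.log2(pool) if pool else 0.0


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Rating of an n-word phrase when the attacker knows the word list;
    this, not the character count, is the honest measure of a phrase."""
    return n_words * math.log2(list_size)


def check_password(pw: str, name_parts=NAME_PARTS):
    """Apply the policy's password rules to a candidate. Returns (accepted, reason)."""
    tokens = re.findall(r"[a-z]+", pw.lower().translate(LEET))
    digits = re.sub(r"\D", "", pw)

    # Any part of the account holder's name, forwards or backwards, is out.
    for tok in tokens:
        if tok in name_parts or tok[::-1] in name_parts:
            return False, "contains part of a name"
    # Well-known digit strings are as guessable as words.
    if len(digits) >= 4 and digits in PI_DIGITS:
        return False, "digits of pi"

    words = [t for t in tokens if len(t) >= 3]
    if len(words) >= 2:
        # A phrase is rated by its word count against the attacker's list.
        bits = passphrase_bits(len(words), ASSUMED_LIST_SIZE)
        label = f"{len(words)}-word phrase"
    else:
        # A lone dictionary word, forwards or backwards, falls to a wordlist
        # run in minutes, whatever symbols were sprinkled on it.
        for tok in tokens:
            if tok in DICTIONARY or tok[::-1] in DICTIONARY:
                return False, "dictionary word (forwards or backwards)"
        bits = estimate_bits(pw)
        label = "single token"
    if bits < MIN_BITS:
        return False, f"too short: {label} is about {bits:.0f} bits, need {MIN_BITS:.0f}"
    return True, f"{label}, about {bits:.0f} bits"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "drowssaP", "31415926", "Tr0ub4d0r&3",
                      "correct horse battery staple gravity summer"):
        print(f"{candidate!r:48} -> {check_password(candidate)}")
```

The numbers make the policy's point: an 11-character token drawn from the full printable set is about 72 bits, while a six-word phrase from a 7776-word list is about 78 bits and is far easier to remember; each added character multiplies the search space, whereas switching a letter to a symbol only enlarges the pool a little.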
- In addition, if you suddenly notice something strange about your
account (new files which you don't remember creating, lost
files, etc.), please let us know. It may be an indication of
- ) Although we will attempt to maintain a reasonable level of
confidentiality, your account, your files, your email, etc.
should be regarded as potentially public. If it is really important,
encrypt it, and decrypt it only when you need to use it. There are
programs (e.g. cryptmount) which can make a file into an encrypted
container which you can mount when needed.
We reserve the right to access your accounts and files to fix
problems, or if we suspect wrongdoing on your or others' part,
but we cannot read encrypted files. There is no known way of reading
an encrypted file without knowing the password.
Backups are made nightly using rsync onto another machine;
however, you assume the burden of keeping backups
of crucial information.
We will not be responsible for any
direct or consequential damages which result from loss, damage
or destruction of your data, however caused, or from
access to your data by anyone else, however caused.
- ) Never use telnet or .rhosts to access other machines. Always use ssh to
connect to other machines.
- ) Use the machines responsibly. UBC regulations do not allow the
machines to be used for outside for-profit activities without the
express permission of a designated UBC authority. Furthermore, the
use of the theory machines for personal, non-UBC related
affairs is condoned only in so far as such use does not hamper
the use of the machines for University-related business. In
particular the theory machines are for the use of the members of the
theory group in the Physics department.
Any use of the machines to harass, distribute pornography, or
to "spam" (mail to a large number of newsgroups or people who
you have no reason to believe want to receive your mail)
will result in immediate loss of your privilege to use the
theory computers. Any complaints that we receive from others that such
activity has taken place will be taken very seriously.
- ) Theory group account holders must further agree to abide
by the general policy guidelines set out by the Physics and Astronomy
Department for computer use. These can be obtained from
Ron Parachoniak or read here:
The machines are for the use of the theory group. The above rules are to
ensure that they remain useful. At times the rules may get in the way.
Let us know if this happens so that we can find ways around the problems.
Please do not try to get around the security measures on your own, as the
problems created could affect everyone.
If you have any questions or if you disagree with any of these
rules please feel free to speak with Bill Unruh.
BUT YOU STILL MUST ABIDE BY THESE RULES.
Appeals for loss of your account should be directed in the first instance
to one of us, then to the head of the department of Physics and