February 28, 1995
A new computer security policy approved Feb. 8 by the SF State President's Council arms computing services with a needed tool to deal with cyberspace outlaws, more commonly known as hackers, who break into the university's computer system.
The hacking problem at SF State has grown because of the increase in the number of people now using the computer network known as the Internet, according to John True, executive director of computing services.
"Every time we plug a loophole, someone discovers another one -- it's daily, it's hourly, it's incredible," True said of the growing problem.
About 9,000 SF State accounts now access the Internet and World Wide Web from the university's computer system, True said, and this number is growing rapidly. Last fall academic computing received funding to allow any student, staff or faculty member to get a permanent account.
About 20 million people use the Internet worldwide and that number is expected to grow this year from use by giant on-line services like America On-Line, Prodigy and CompuServe, who have been increasing access for their Internet subscribers.
The new computer security policy at SF State says that users who engage in security violations including theft, vandalism or unauthorized access to computing services will be subject to restriction or loss of access to computing resources, and could be subject to civil and criminal penalties, as well as expulsion or disciplinary action taken by the university itself. Computer fraud and illegal use of a telephone access device like a modem is a federal crime, punishable by up to 35 years in prison.
According to True, the main goal of most hackers is "file disruption and file corruption." There are two types of hackers: the vicious professional and the nonmalicious creative show-off who breaks into databases for fun and not to steal files, money or valuables. Fortunately, most hackers who violate the computing services system at SF State fall into the latter category, he said.
Last summer, for example, a hacker got hold of some passwords in the School of Science, said Tom O'Toole, one of the two computer system managers at SF State -- whose primary responsibilities are security, according to True.
"They did it for fun, not for course materials or grades," O'Toole said.
"Most hackers get their thrill just from doing it," said his partner in cyberspace police work, Patrick Lathrop, the system manager in charge of student course work and login server accounts. Laughing, Lathrop leaned back in his office chair, the gargoyle screen saver visible on the face of his computer beside him as he told the standard joke that he said goes around the computer offices.
"If we could find them dates on Friday nights -- we wouldn't have to deal with the problems," said Lathrop of the campus hackers.
Lathrop, who said he used to feel angry with hackers, now feels only pity, after having talked to two hackers about why they did it. "All they have is their computer screens," said Lathrop. "It's really quite sad."
One of the most wanted computer hackers, Kevin Mitnick, who was hunted down and arrested Feb. 15 in North Carolina after spending two years on the run stealing thousands of data files and more than 20,000 credit card numbers from computers, was reported to have been a loner addicted to computers.
Less than one-tenth of one percent of the legitimate users at SF State are hackers, according to Lathrop. But Lathrop said they cause a lot of trouble, which O'Toole said requires active monitoring by a great many people.
Asked how much time was spent on security each day, O'Toole said it varies, but that he has spent as much as four hours a day on it. Lathrop said he devotes two hours a day to cyberspace patrol work. In addition, there is lost time and computer down time spent cleaning out the viruses hackers like to infect computer systems with.
Hackers sometimes use a "personal virus to leave their mark," True said.
"Students can help by paying attention to their own accounts and passwords," True said. The new computing security policy also requires users to protect their passwords and account names from all others to prevent unauthorized access to the computer system.
But the only real way to protect an account is by encrypting it with a secret code, according to O'Toole.
The new Andrew File System installed by computing services has encryption capability. This adds another measure of security for the user, because the data that's passed back and forth across the network will now be encrypted, Lathrop said. The new system was installed for two reasons -- security and performance, he said.
The new login servers for SF State Internet accounts, Orion and Taurus, have no direct access to files, which are stored elsewhere, adding another level of security for Internet users, Lathrop said. One thing everyone in computing services agrees about is that security will be an ongoing concern for them.
"Why do people climb mountains? Because they're there," said True, referring to computer hackers. "It's a constant chess game where there will never be a checkmate."