As Fermilab Today evolves, I will no longer have a regularly featured monthly column. The security team will continue to post news and helpful information about new threats and methods to protect our computing systems. But I wanted to use my last column to remind you of the kinds of actions that can and will lead to harm. Yes, you have probably heard all these before, but a short refresher won’t hurt.
Intellectual property. Failing to respect intellectual property rights can get both you and the entire laboratory in trouble. Don’t use unlicensed versions of commercial software. Vendors audit customers for compliance, and misuse can result in heavy penalties. Don’t download copyrighted material (films, books, music). Copyright owners police download sites and can institute legal action when they detect a violation. Especially avoid BitTorrent, where any files you download are simultaneously made available to other clients. Fermilab’s large network bandwidth will make your system hosting copyrighted material shine like a beacon. Violations in this area are sufficiently important that they can result in disciplinary action for employees or loss of site access for visitors.
Email. You can never trust the sender: It is trivial to forge a “from” address. Don’t open email attachments unless you are certain they are meant for you. (And don’t send attachments, tempting others into unsafe practices. Post documents you want reviewed on a FermiPoint site, for example.) Also, avoid clicking on links unless you are more than certain they’re meant from you, especially when you’re at home. The security team will block access to dangerous sites to prevent you from getting to those sites while on the lab network, but we can’t protect you when you are away from the laboratory!
Web browsing. Don’t try to get around the Web proxy server. It is there to protect you by preventing you from visiting known dangerous sites. Circumventing the proxy server leaves you open to malicious code. It is also a direct violation of lab policy that can lead to disciplinary action. Make sure your desktop support configures your browser to block pop-ups and other dangerous active Web content. As always, use caution in exploring new and unusual sites on the Web.
Offering services and opening ports. Every service your local machine offers to the Internet and every port you open is another opportunity for your system to be exploited. Normally only system administrators need worry about this, but easy-to-download software can often open up ports and services, so use extreme caution if you need downloads that are not part of standard installations.
Password management. By now everyone knows not to share passwords or to use simple-to-guess names or words for their personal accounts. But a distressing number of installed software applications are left with well-known manufacturer default values for passwords. This is like leaving your front door wide open with a sign reading “valuables inside.” Many of the problems described above have happened to otherwise sensible individuals at the laboratory who briefly relaxed their guard. You might even recognize yourself. We all need to learn from their experiences and avoid the actions that are almost guaranteed to lead to trouble.