The Chronicle: Daily news: 01/21/2003 -- 01

Search The Site

More options | Back issues

Day pass

Home

Opinion & Forums
The Chronicle Review Commentary Forums Live Discussions

Careers
News & Advice My Career homepage Search jobs by position type by discipline/field by state/region by institution Tools & Resources Employer Profiles

Multimedia

Resource Center

Services
Help Contact us About The Chronicle Subscribe Day pass Manage your account Advertise with us Rights & permissions Employment opportunities /r

Tuesday, January 21, 2003

U. of Colorado at Boulder Adopts Encrypting Links for E-Mail Software
By VINCENT KIERNAN

When students returned to the University of Colorado at Boulder campus this month, some discovered that their e-mail software no longer worked properly. But that should not have come as a surprise because university officials had been reminding them for months that Boulder would make a major change in its e-mail systems to tighten security.
Over the holiday break, the university changed its e-mail systems to require encrypted communications for transmitting messages between campus e-mail servers and client software used by individuals, such as Netscape Communicator and Outlook Express.
All users had to reconfigure their e-mail programs so that they could communicate with the servers. Most e-mail programs are not set to automatically use encrypted links, called Secure Sockets Layer.
Despite ample warning, some students and faculty and staff members did not reconfigure their software until the unencrypted links stopped working, on January 2.
Boulder is among a growing number of institutions that are switching to higher-security links for transmitting e-mail and other files across campus networks. The University of Washington recently made the same change, and Stanford University has already changed its practice.
Protecting Passwords
The problem with unencrypted links is that hackers can eavesdrop on them and extract e-mail passwords and other personal information sent by users to a college's server. Using such a password, a hacker could then gain access to a user's account. By contrast, encrypted links encode passwords and thus protect them from becoming known.
On January 2, Boulder also started requiring the use of encrypted links for two other popular online functions: FTP, which is used to transfer files from one computer to another; and telnet, which is used to gain remote access to one computer from another. As in the case of e-mail software, many popular programs used for FTP and telnet transmit unencrypted passwords, leaving them vulnerable to hackers.
Many of those programs also are unable to use encrypted links, so people on the Boulder campus who wanted to transfer files or to operate a computer remotely had to switch to other software that could, such as ssh, which is available free. Software for publishing Web pages also had to be reconfigured.
Reconfiguring most e-mail software is easy, requiring little more than checking the proper box on a program's configuration screen, said Daniel R. Jones, the Boulder campus's information-technology-security coordinator. "In most cases, it's a five-minute change," he said.
The hard part was getting people to make the change at all, he said. Boulder officials originally announced that the campus would switch to encrypted links on October 15. But as that date drew near, about 6,000 of the university's 29,000 computer users had not made the change, so officials postponed the shift to January.
Dennis M. Maloney, executive director of information-technology services at Boulder, said one key to getting people to switch to the encrypted links before the transition date was a computer program that automatically sent e-mail warnings to anyone who used an unencrypted link to an e-mail server or other system. The message reminded users about the forthcoming change and urged them to adjust or change their software.
"Once they made the change, they wouldn't receive any more e-mails," said Mr. Jones, who acknowledged that some people on the campus were upset at the nagging.
Since few users had to buy new software, Mr. Jones said, the principal cost for the changeover was in the 200 hours of staff time that was devoted to developing and executing a plan for communicating word of the change, including the technical information needed for people to reconfigure their software on their own.
He estimated that 89 percent of users were able to reconfigure the software by themselves, without any help from the information-technology staff. About 9 percent received help over the telephone, and about 2 percent required in-person help, he said.
Still, by the transition date, about 500 users were not using encrypted links, said Mr. Jones.
"Some people just weren't going to make the change until they had to," said Robert B. Schnabel, the university's chief information officer. "We just had to accept that that was the psychology."
"It's a pretty drastic thing to tell people that all of a sudden your e-mail isn't going to work," Mr. Schnabel said. Nevertheless, switching to encrypted links repaired a crucial security weakness, he said. "One person's insecurity is a risk to the whole organization."

Easy-to-print version

E-mail this article

Bush will seek more money for historically black and Hispanic-serving colleges

U. of Southern Mississippi eliminates 4 deans' positions in streamlining of colleges

Low-income families need more information about student aid, report says

7 new chief executives are announced

U. of Colorado at Boulder adopts encrypting links for e-mail software