At least two California institutions--Stanford University and the University of California at Santa Barbara--have said their computers were taken over and used in last week's attacks on sites including Yahoo, eBay and CNN. While federal investigators and private companies scramble to prevent a repeat of last week's incidents, universities say they can't guarantee their systems won't be used as launching points again.
"You can't just put a whole campus behind a firewall," said Robert Sugar, a UC Santa Barbara physics professor and chair of that college's Information Technology Board. "Universities have particular problems because of the huge numbers of computers on campuses that have to be very open."
Last week's so-called denial of service attacks, which temporarily shut down Yahoo, eBay, Amazon.com and other large Web sites, brought the Internet security issue to the forefront of national debate. It was the first time that high-profile and well-protected sites had been successfully targeted by Net vandals on this scale and has prompted a nationwide effort to prevent such incidents.
The attacks used a method known as "distributed denial of service," which involves sending a flood of innocent-looking Web traffic that forces a target's servers or infrastructure buckles under the load.
Launching an attack of this size requires the unwitting help of hundreds or even thousands of computers. Attackers do this by breaking into other computers connected to the Web and planting software that can be activated remotely at a later date, turning control of what is called a "zombie" computer over to the intruder.
That's where the universities come in. Because college computers often are more open to the public Internet than corporate systems and have high-speed connections to the Web, researchers say they have been--and will continue to be--prime targets.
Even before last week, campuses had proved to be the unwilling launching points for attacks on other institutions, including the University of Minnesota, and systems in France, Norway and Australia. Some computers connected to the high-speed Internet 2 were implicated in those attacks.
Universities have also been the focus of other digital controversies, such as students' widespread use of pirated MP3 music files.
At least part of the problem is a simple matter of resources. College campuses typically have thousands of computers--UC Santa Barbara has close to 12,000--with relatively few staff people dedicated to maintenance and security issues. That makes it extremely difficult to monitor what's happening on every single server and desktop connected to a university system, administrators say.
But universities say it's also an issue of academic and personal freedom--and of maintaining the openness that fostered the development of the Internet as it was originally used.
"Whenever you talk about restricting access, colleges are the first ones to stick their hands in the air and say, 'I don't think so," said Drew Williams, a security team leader for Net consultants BindView.
University officials say they need to allow students and researchers to use their systems while off campus and without tight restrictions. Openness and security need to be balanced, they say--but openness weighs more heavily in the equation.
"In trying to do one's best with security, we can't go to extremes that would prevent a university or company from carrying out what is its fundamental mission," Sugar said. "We try our best, but with that many computers and a small staff, to say that we are going to be 100 percent secure is unrealistic."
"It's like the gun companies being sued for not having trigger locks on guns that are used to kill someone," said Michael Wittig, CTO of network security company CyberGuard. "Basically those people who leave their systems open are not putting on trigger locks."
Campuses can install the latest security tools available online, searching for the known traces of hacker software like Tribal Flood Network or Trinoo, security consultants say. But the security environment changes too quickly to hold anyone--universities, companies or government--to any official minimum standard, many experts add.
"It's difficult to know what 'best security' practices would be," said Elias Levy, chief technical officer SecurityFocus.com, a security-focused Web site. "Would you make companies check the latest (security reports) and update their systems once a month? Once a week? It's a moving target."