about projects people publications resources resources visit us visit us search search

Resource for Biocomputing, Visualization and Informatics Security Policy

Computer security at UCSF is a serious and difficult issue. On one hand, a basic premise of the university environment is the free flow and interchange of information and ideas among students and scientists. On the other hand, our user base is large and diverse, with networks providing access to and from other computer systems located throughout the world. Today's high speed computer networks provide users convenient, and often untraceable, access to our machines. The 1988 infestation of a computer ``worm'' into several UCSF computers, as well as hundreds of other computers throughout the U.S., made us acutely aware of the need for better security. For this reason the policy has been adopted that ABSOLUTELY NO USER ACCOUNTS BE SHARED WITH ANOTHER INDIVIDUAL.

Your account is your personal responsibility and you will be held liable for its misuse by another individual. When you log into Unix you are told the last date and time you previously accessed the system. If this date does not correspond to what you remember, please call this fact to the attention of the system administrator in charge of the system you are using; someone else may be using your account without your knowledge. For example, at the Graphics Lab you should contact any of the laboratory staff. (Call on the telephone or come by the lab in person. Do NOT use electronic mail to notify the staff of a potential security breach.) Regardless of circumstances, passwords must never be shared or revealed to anyone else besides the authorized user; to do so exposes the authorized user to responsibility for actions that the other party takes with the password. USERS FOUND SHARING THEIR ACCOUNT WITH ANOTHER INDIVIDUAL WILL HAVE THEIR ACCOUNT DEACTIVATED IMMEDIATELY. Users found maliciously damaging or destroying another user's data or system programs, or using their account to illegally access another computer system will be referred to the authorities for possible prosecution under section 502 of the California penal code. The University of California has a Policy on Information Security that we adhere to.

Computer accounts at the Resource for Biocomputing, Visualization and Informatics (RBVI) are to be used only with authorization. Individuals using RBVI computer systems without authority, or in excess of their authority, are subject to having all of their activities monitored and recorded by system personnel. In the course of monitoring individuals improperly using RBVI computer systems, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using RBVI computer systems expressly consents to such monitoring, and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Unix system security is actually quite good, but your account is no more secure than your password is. An initial password will be assigned to your account, but this should be changed as soon as possible to something only you know. Use the Unix ``passwd'' command to do this. Passwords should NOT be common English words, should not be words found in the dictionary, should not be someone's name, should not be the same as your account name or car license number, etc. Try to choose a word you can easily remember (so you don't have to write it down), but use an unusual combination of lower/upper case characters or include punctuation or numbers in the word. It doesn't make any difference which character position is used for insertion of a special character or numeric. Their presence will insure that a ``match'' cannot be found by looking, for example, in a dictionary or a list of other commonly used words.

You should also get in the habit of periodically changing your password, say once every six months or so. That way if someone discovers what your password is and is using your account without your knowledge, they will be cut off automatically when you change your password.

Users accessing RBVI resources remotely are advised to use a secure remote login program such as SSH (this will be required in the future -- see Enhanced Security Measures). SSH provides an encrypted communications path between two untrusted hosts over a potentially insecure network and thus prevents user's passwords and other sensitive data from being transmitted across the network in clear-text form. SSH is available on virtually all computer platforms: Macintosh, Windows, and Unix. For more information see the SSH tutorial or query one of the many world wide web search engines.

Lastly, please note there is no guarantee of privacy on any of the RBVI computers (for e-mail, files, or even network activity). While we make a reasonable attempt at keeping data private, we lack the necessary resources, both in terms of software and manpower, to insure your data is never seen by someone else. If you have data you feel it absolutely essential never be compromised then you should not keep it on-line (on any computer system). Note that the University of California has an Electronic Communications Policy that addresses many issues, including privacy protection limits, that are relevant to e-mail and web pages.

Thanks for your cooperation and for taking computer security seriously.

Thomas Ferrin
Director, Resource for Biocomputing, Visualization and Informatics

All potential users of the Computer Graphics Laboratory must sign a printed version of this security policy indicating that they have read and agreed to the policy before their computer account will be considered for approval. This form last updated on 28 August 2000.

I have read, concur with, and agree to follow the above policy on computer security:

(Signature and date)