Since the sun-valley system was compromised, we are trying to be much more careful about passwords, especially those that get sent through the network in clear text.
We found a file on the system that had many of the active passwords in it. Some of your passwords were quite fun to read - but as far as we know, they are now in the public domain. We have removed all of your passwords and you will have to get a new one from us. IF NOTHING ELSE, USE A DIFFERENT PASSWORD. If even one of you uses an old password that happens to be compromised, we may have to go through this again.
If you are like most people, you use similar passwords on various systems. To prevent other systems from being compromised, change your password there, too. Don't change it to the same one as on sun-valley - that becomes a hacker's dream. The Stanford Security group has the compromised passwords and will likely shut down any leland accounts that could be a security problem. You will need to go to Sweet Hall to get those re-activated.
How did this guy get in? We don't know for sure, but it really doesn't matter much. A system like ours has many security holes that an expert can find. We try to patch them as we can, but we will never find them all. But what really helps a hacker is access to a system as a regular user. Once they have that, it is just a matter of time before they can get root access and be super users. An easy way to get access into our system is to use another compromised system to collect password information about users there. Most likely, these passwords will also work here. If you send your sun-valley password, ever, as clear text to anywhere, within or outside the system, you are opening a hole into sun-valley.
Clear text passwords are those used by telnet, POP (e.g. Eudora), rlogin, Windows, etc. At this point, the only safe way to log into another host is with ssh, because it encrypts your password. We have a full suite of ssh tools for the lab. This will allow you to log into our own clients securely and into other clients which also support ssh. However, NOTHING will PREVENT you from sending your password in clear text - we can only encourage you to do otherwise.
For more information on secure computing, please read the specific pages.