[comp.misc] Ten Commandments of Personal Computing

gail@well.UUCP (Gail Gurman) (07/15/89)

From San Jose Mercury News, Sunday morning, July 2, 1989
 
THE TEN COMMANDMENTS OF PERSONAL COMPUTING
by Paul Andrews
 
     From congressional hallways to corporate board rooms
nationwide, ethics are under scrutiny as never before.  The choice
between right and wrong today has become increasingly complex and
agonizing where large sums of cash are involved--especially for
politicians and brokers.
 
     How about personal  computer users?   Is our  honor code  as
bug-free as our  program code?  When  we talk about the  need for
standards, should we  be addressing the  ethical kind as well  as
buses and operating systems?
 
     The issue is worth raising because the personal computer
world, still misunderstood by many, has generated its set of
ethical issues without formulating a clear set of rules to live
by.  More quandaries seem to be emerging all the time, from
computer viruses to non-disclosure violations to "look and feel"
disputes.
 
     The camaraderie and idea-swapping that marked much of the
personal computer's early evolution seems, in the wake of secrecy,
lawsuits and patent claims, relegated to rosy nostalgia.  Because
there's so much money involved, and humans have a tendency to be
greedy, the ethical stakes keep getting nudged higher even as
courtrooms overflow with high-tech cases.
 
     But not all human endeavor can be legislated.  So perhaps it
is  time to  adopt a computer  code of honor  blending ethics and
etiquette.
 
     In that spirit, here are 10 Commandments of Personal
Computing "Ethiquette" Version 1.0, issued from a word processor rather
than a mountaintop and inscribed on a magnetic disk rather than
tablets of stone.
 
     And be warned:  Moses wasn't around for this.
 
I.   THOU SHALT NOT USE A PROGRAM THOU HAST NOT PAID FOR.
 
     Most of us use our computers for some sort of personal gain,
e.g., saving time or making money.  We ought to be willing to pay
for that  benefit in the same  way we would a lawn  mower, VCR or
even shiatsu massage.   The difference is that we know we can get
away with  "borrowed" software.   Ultimately,  though, it's  like
skimming from your  child's trust fund--perhaps  no one else  may
know, but eventually the bad karma will get you.
 
II.  THOU  SHALT NOT FEEL GUILTY  ABOUT BORROWING SOFTWARE TO TRY
     IT OUT.
 
     Software still  costs plenty  and doesn't  always match  its
glowing promises.  If you pay  $495 for Softhead Plus Version 5.0
and it  doesn't  automatically recalculate  your  fantasy  league
batting averages while listing every known sighting of Elvis, you
feel cheated.  But try asking for your money back.
 
     I  may get  in trouble  with software  purveyors  for saying
this,  and perhaps I'm naive, but I  feel it's OK to test drive a
program borrowed from a friend, under  the assumption that if you
like  it and wind  up using it, you'll  buy it.   The key here is
_using_ it.  Few people mind paying for a really good program.
 
 
III. THOU SHALT NOT BEAR FALSE WITNESS ON BULLETIN BOARDS.
 
     This includes using phony  names.  In years of  logging onto
electronic bulletin boards  nationwide, I've  never used a  false
"handle" or  someone else's  identity.   Often while  researching
articles, I've left my phone number or address.  And as  a result
I haven't had to suffer any system crashes, junk mail or midnight
visits from the  IRS.  If you've got something to hide, you don't
belong on public-address boards in the first place.
 
IV.  THOU SHALT NOT  BE STINGY  OR ARROGANT WITH  THY ADVICE  AND
     ASSISTANCE.
 
     The more people who compute, the better off the world will
be.  But many novice users are soured on computers by the
unresponsiveness and outright rudeness of many an experienced user.
If someone asks "What does 'Abort, Retry or Ignore' mean?" don't
tell them to do a system reboot.  Find out what the problem is,
and walk them through the steps required to fix it.
 
     We've all gotten  calls in  the middle of  dinner with  some
unimaginable problem.  My  favorite (or worst) was the one from a
co-worker who had  inserted a floppy  disk in the slot  _between_
two half-height drives (not a pleasant thing to undo).  Be a good
Samaritan--ask  them  for a  convenient  time to  call  back, and
you'll save two souls from computer  hell, your friend's and your
own.
 
V.   THOU SHALT NOT INJECT VIRUSES INTO THY NEIGHBOR'S EQUIPMENT.
 
     Thou knowest who thou  art.  We all pray thou  shalt grow up
someday  to be  an  honest, contributing,  happy  citizen of  the
world.
 
VI.  THOU SHALT NOT TREAT WOMEN AS COMPUTER INFERIORS.
 
     Women feel excluded from computerdom today--partly because
boys hog computers in schools and partly because computer
terminology is macho and intimidating ("fatal error," "illegal device
name," "invalid device parameters," for example).  But women are
shortchanged of the benefits of computers mostly because males
tend to treat computers as their private domain.  I'm as guilty
as the next guy--even when helping my wife I find my voice
gaining a testy edge.
 
     Guys, we need to lighten up.  Think of it this way:  If your
boss wanted a hand setting up  dBASE IV (and your boss is  male),
would you ask _him_ if it was to keep recipes on?
 
[Note:   I have  a problem  with this  one.   For one  thing, the
author is apparently writing  to a male audience.  Also,  while I
agree  that  he is  essentially right  about  why many  women are
excluded from "computerdom", I think  he disregards the number of
women who ARE full card-carrying citizens of computerdom.  End of
speech. -- G.G.]
 
VII. THOU SHALT SUPPORT THY FAVORITE BULLETIN BOARD SYSTEM.
 
     Bulletin boards are among the most altruistic things
personal computing has given to society.  Uploading software,
participating in message forums and even sending in a little cash now
and then seem small things to ask in return.
 
VIII. THOU SHALT MIND THY P'S AND Q'S AND TLA'S.
 
     Computer culture is suffering from a severe case of
initialitis.  At first the shorthand was manageable:  CP/M, ROM and RAM,
CPU and CRT had easily identifiable (albeit not readily
explainable) concepts attached to them.
 
     Today, it's alphabet  soup gone wild:   DTP, TSR, EMS,  DVI,
CAD and CAM, FAX and VAX, CGA, EGA, VGA, OS/2, PS/2, MCA--are you
still with  me?  OK,  then how about:   EGD, GUI, QBE,  SQL, DSP,
AIX, LAN, RSI ... YGU? (You give up?)
 
     We're starting  to sound  like small-town  bureaucrats.   Do
your part to  fight TLA proliferation.   (TLA, of course,  stands
for Three-Letter Abbreviations.)
 
IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
 
     With the growing use of electronic mail and computers
connected in office networks, the issue of personal file
integrity is gaining attention.  The policy here is good citizenship.
Would you open a letter addressed to someone else?  Why should it
be any different with a personal computer file?
 
X.   THOU SHALT LOVE THY COMPUTER AS THYSELF.
 
     The way we use our computers speaks volumes about the way we
view ourselves.  If you feel good about yourself, you will use
the computer to further your ideals and enhance humankind.  If,
on the other hand, you are using your computer toward deceitful
ends, your conscience will eventually resemble a toxic-waste dump
site.  Information is neutral--only people can decide its
morality.
 
     Follow these commandments, and even  though you walk through
the Valley of the Shadow of Silicon,  you will fear no evil.  For
thy PC will be with thee,  thy fax board and modem shall  comfort
thee, and thou shalt dwell in the land of I/O forever.

dsill@ark1.nswc.navy.mil (Dave Sill) (07/15/89)

In article <12702@well.UUCP> gail@well.UUCP (Gail Gurman) writes:
>From San Jose Mercury News, Sunday morning, July 2, 1989
> 
>THE TEN COMMANDMENTS OF PERSONAL COMPUTING
>by Paul Andrews

Reprinted without permission.  Well, I guess that's OK as long as you
buy the paper if you decide to *use* the posting.

 >  :
 >VI.  THOU SHALT NOT TREAT WOMEN AS COMPUTER INFERIORS.
 > 
 >  :
 > 
 >     Guys, we need to lighten up.  Think of it this way:  If your
 >boss wanted a hand setting up  dBASE IV (and your boss is  male),
 >would you ask _him_ if it was to keep recipes on?
 > 
 >[Note:   I have  a problem  with this  one.   For one  thing, the
 >author is apparently writing  to a male audience.  Also,  while I
 >agree  that  he is  essentially right  about  why many  women are
 >excluded from "computerdom", I think  he disregards the number of
 >women who ARE full card-carrying citizens of computerdom.  End of
 >speech. -- G.G.]

Of course he's writing to a male audience.  That's what the "Guys..."
is intended to indicate.  He's not trying to convince *women* not to
discriminate against women...

 >  :
 >VIII. THOU SHALT MIND THY P'S AND Q'S AND TLA'S.
 > 
 >  :
 >     We're starting  to sound  like small-town  bureaucrats.   Do
 >your part to  fight TLA proliferation.   (TLA, of course,  stands
 >for Three-Letter Abbreviations.)

TLA, of course, stands for Three-Letter *Acronym*.
-- 
Dave Sill (dsill@relay.nswc.navy.mil)

tale@pawl.rpi.edu (David C Lawrence) (07/16/89)

In <12702@well.UUCP> gail@well.UUCP (Gail Gurman) writes:

 > From San Jose Mercury News, Sunday morning, July 2, 1989
 >  
 > THE TEN COMMANDMENTS OF PERSONAL COMPUTING
 > by Paul Andrews
 >  
 > III. THOU SHALT NOT BEAR FALSE WITNESS ON BULLETIN BOARDS.
 >  
 >      This includes using phony  names.  In years of  logging onto
 > electronic bulletin boards  nationwide, I've  never used a  false
 > "handle" or  someone else's  identity.   [...]

Gads, I wish some people wouldn't get so uptight about other people's
nicknames.  My name is David Charles Lawrence, (518)273-5385, living
at 76 1/2 13th St in Troy NY 12180.  I've never ever tried to hide
such information about myself, though I frequent some interactive
conferencing systems as "Tale" and many people know me that way.  Many
people know me as "Dave".  That isn't my given name either, just some
socially-accepted contraction of it.  Is it "false"?  I don't much
care if you think it is because the other information that is
apparently desired is right at hand.  When I get on a system and see a
"Paul Andrews" how is that really any different from seeing "Sue D
Nymme" or "Anon Y Mouse"?  From where I sit, I've just got a name with
which to associate some ideas.

 > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
 >  
 >      With  the  growing  use  of  electronic mail  and  computers
 > connected in office networks, the issue of personal file integri-
 > ty is gaining  attention.  The  policy here is good  citizenship.
 > Would you open a letter addressed to someone else?  Why should it
 > be any different with a personal computer file?

Would I open a letter addressed to someone else?  Overlooking odd
circumstances (ie, mail to my dead grandfather), no.  Why should it be
any different with computer files?  Because they aren't bloody mail!
Ok, some of it is and I fully recognize that some people want to keep
it private.  Fine.  The fact that I keep my Mail directory and the
files it contains as world readable is merely a statement to the few
members of society that happen to trip through it.  I've only had to
restrict access to one message recently because someone in his
generosity to help me with a problem mailed me his password.

This further illustrates the point though.  Someone recently wanted
me to help him with a problem he was having.  I went to look at the
file which was probably the source of the problem and found out I
didn't have read access to it.  It was just his bloody .rninit!  No
state secrets.  No lurid stories.  Just switches to configure rn the
way he likes to use it.  Too many times I come up against this. Someone
wants help with a problem he is having at login but I can't look at
his login script without su'ing to do it.  Someone else wanted help
with her emacs initialization file and that was not easily accessed.
I stumbled across some neat icons in a user's directory and couldn't
look at them until I asked the person to permit them accordingly.  She
was much obliged and thought it was great that someone else wanted to
see her artwork. 

If you've got something to hide, go ahead and hide it.  Save yourself
from the consequences.  I am really opposed to this fellow telling me
that I am practising immoral computer activity, though.

Dave
--
 (setq mail '("tale@pawl.rpi.edu" "tale@itsgw.rpi.edu" "tale@rpitsmts.bitnet"))

cosell@bbn.com (Bernie Cosell) (07/17/89)

In article <TALE.89Jul15133947@imagine.pawl.rpi.edu> tale@pawl.rpi.edu writes:
} > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
} >  
} >      With  the  growing  use  of  electronic mail  and  computers
} > connected in office networks, the issue of personal file integri-
} > ty is gaining  attention.  The  policy here is good  citizenship.
} > Would you open a letter addressed to someone else?  Why should it
} > be any different with a personal computer file?
}
}Would I open a letter addressed to someone else?  Overlooking odd
}circumstances (ie, mail to my dead grandfather), no.  Why should it be
}any different with computer files?  Because they aren't bloody mail!

OK, do you feel free to roam through your colleagues'
offices/desks/briefcases/cars/floppy files just because they're not under lock
and key?  

}If you've got something to hide, go ahead and hide it.  Save yourself
}from the consequences.  I am really opposed to this fellow telling me
}that I am practising immoral computer activity, though.

Sorry, by my book that kind of behavior is frowned upon in almost EVERY
other venue:  if it ain't yours, the default is you need
permission/invitation; why should your treatment of my computer files
be any different?  I don't see why you think there ought to be a
distinction between listing of files in my attache case, backup copies
of files in a floppyfile on my desk, and the real files on-line.  Or do
you think it is OK to 'poke around' in all three places for whatever
you feel like finding?

  /bernie\

root@yale.UUCP (Root Of All Evil) (07/18/89)

In article <42793@bbn.COM> you write:
> In article <TALE.89Jul15133947@imagine.pawl.rpi.edu> tale@pawl.rpi.edu writes:
> } > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
> } >  
> } >      With  the  growing  use  of  electronic mail  and  computers
> } > connected in office networks, the issue of personal file integri-
> } > ty is gaining  attention.  The  policy here is good  citizenship.
> } > Would you open a letter addressed to someone else?  Why should it
> } > be any different with a personal computer file?
> }
> }Would I open a letter addressed to someone else?  Overlooking odd
> }circumstances (ie, mail to my dead grandfather), no.  Why should it be
> }any different with computer files?  Because they aren't bloody mail!
> 
> OK, do you feel free to roam through your colleagues
> offices/desks/briefcases/cars/floppy files just because they're not under lock
> and key?  

Most people who discuss this overlook one fact in their analogies:  When you
look through someone's directory, the owner probably doesn't know that you
are doing so and can't really find out.  (I'm not talking about contrived
cases of world-readable log files and such things here.)

When your office (car, briefcase, desk) is left open or your floppies lying
around, someone looking for things in them stands a chance (perhaps high,
perhaps low) of being caught.  There are people walking past my office all
the time; a snoop will probably be caught either by a co-worker or by me.
Of course, anyone pondering snooping through my stuff must first consider
his chances of being caught and the consequences that he could face.

Someone browsing through my files for whatever purposes, nefarious or not,
will probably not be caught.  Even if he is, I have little legal or political
recourse.

Someone suggested that it's unethical to look through a naïve user's files
because he may not know about permissions, encryption, and such things.  This
is correct.  However, it clouds the issue.  I look only at the files of
UNIXackers whom I know to be aware of security issues.

I don't mind when others look through my files.  Files that I don't want read
I hide.  (And highly confidential files I don't even keep around on a computer
accessible to others.)  Read permission from me is implicit permission from me
to everyone else to read, copy, &c, the file bearing the permission.
(Naturally, any copyright or other messages apply.)

At times, I probably forget to deny permissions on files hastily created.
Again, I'm prepared to take on any damages that I suffer because of this.
But this is where the ethics issue comes in.  Everyone knows that no one
intends for a directory of love letters or tax information to be spread all
over the net--or even seen by some malicious local user.  Although I would
lock such things, I wouldn't rummage through them in someone else's unlocked
directory.

					--Scott

Scott Horne                              Hacker-in-Chief, Yale CS Dept Facility
horne@cs.Yale.edu                         ...!{harvard,cmcl2,decvax}!yale!horne
Home: 203 789-0877     SnailMail:  Box 7196 Yale Station, New Haven, CT   06520
Work: 203 432-1260              Summer residence:  175 Dwight St, New Haven, CT
Dare I speak for the amorphous gallimaufry of intellectual thought called Yale?

gordon@sneaky.UUCP (Gordon Burditt) (07/18/89)

In article <12702@well.UUCP> gail@well.UUCP (Gail Gurman) writes:
>From San Jose Mercury News, Sunday morning, July 2, 1989
>THE TEN COMMANDMENTS OF PERSONAL COMPUTING
>by Paul Andrews
> 
>I.   THOU SHALT NOT USE A PROGRAM THOU HAST NOT PAID FOR.

This guy has apparently never heard of non-commercial software.
How come it's immoral for me to run MY OWN software (something I WROTE)?  
And how about software for which no payment is asked?  There is lots 
of it around, and it's often better than the commercial stuff.  
The author has no objection, why should anyone else?

					Gordon L. Burditt
					...!texbell!sneaky!gordon

epsilon@wet.UUCP (Eric P. Scott) (07/19/89)

I like to think things like my .profile/.login files are useful
and instructive, hence I always leave them readable.  I would not
appreciate someone mindlessly copying something they didn't
understand.  But there's a lot of "so THAT's how you do that" in
most timesharing systems.

Yes, you can run a large user base with "no file protection."  I
was a Nonconsortium Macsyma User until MIT-MC "went out of
business."  It requires a different attitude: cooperation.  I
consider it one of the most significant influences on my system
management style: the machine's #1 priority is its own uptime.
What you do to each other ... is your responsibility.

Will the machine rat on you?  You bet.  Will it stand in the way
of legitimate activity?  Not if I can help it.  "No security" is
infinitely preferable to bungled security.  The vast majority of
systems I've seen have bungled security.  There were a lot of
times when I was hacking on something at 6:30 p.m. on a Friday ...
only to be screwed until Monday because someone else "forgot" to
make something essential available.

You've got to have trust.
					-=EPS=-

ckd@bucsb.UUCP (Christopher Davis) (07/19/89)

In article <66667@yale-celray.yale.UUCP> root@yale.UUCP (Root Of All Evil) writes:
- In article <42793@bbn.COM> you write:
- > In article <TALE.89Jul15133947@imagine.pawl.rpi.edu> tale@pawl.rpi.edu writes:
- > } > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
- [ . . . ]
- Most people who discuss this overlook one fact in their analogies:  When you
- look through someone's directory, the owner probably doesn't know that you
- are doing so and can't really find out.  (I'm not talking about contrived
- cases of world-readable log files and such things here.)
- [ . . . ]
- I don't mind when others look through my files.  Files that I don't want read
- I hide. (And highly confidential files I don't even keep around on a computer
- accessible to others.) Read permission from me is implicit permission from me
- to everyone else to read, copy, &c, the file bearing the permission.
- (Naturally, any copyright or other messages apply.)

I have a READ-ME! file in my directory spelling things out.
Basically, I either lock things I don't want people reading (RMAIL &
RMAIL~ are the top two) or toss 'em in a "lock" directory if I don't
even want them knowing the filenames, and in READ-ME! give them
blanket permission to poke around.  It simplifies things nicely.

- At times, I probably forget to deny permissions on files hastily created.

Have I ever done this?  Sure--as someone here at BU knows quite well. :-)

- Again, I'm prepared to take on any damages that I suffer because of this.
- But this is where the ethics issue comes in.  Everyone knows that no one
- intends for a directory of love letters or tax information to be spread all
- over the net--or even seen by some malicious local user.  Although I would
- lock such things, I wouldn't rummage through them in someone else's unlocked
- directory.

And in the instance I alluded to, I was notified (in a private
message) that the person involved had found an "interesting" file.  It
wasn't anything particularly sensitive, but was something that could
have been mis-interpreted; the information in it was all from various
public places.  I think the other person acted fully appropriately in
this case--and I hope most people would.

- 					--Scott
-- 
  /\  | /  |\  @bu-pub.bu.edu <preferred>  | Christopher K. Davis, BU SMG '90
 /    |/   | \ %bu-pub.bu.edu@bu-it.bu.edu |      uses standardDisclaimer;
 \    |\   | /  <for stupid sendmails>     |       BITNET: smghy6c@buacca 
  \/  | \  |/  @bucsb.UUCP <last resort>  or ...!bu-cs!bucsb!ckd if you gotta.
 --"Ignore the man behind the curtain and the address in the header." --ckd--

mwm@eris.berkeley.edu (Mike (I'll think of something yet) Meyer) (07/19/89)

In article <66667@yale-celray.yale.UUCP> root@yale.UUCP (Root Of All Evil) writes:
<In article <42793@bbn.COM> you write:
<> In article <TALE.89Jul15133947@imagine.pawl.rpi.edu> tale@pawl.rpi.edu writes:
<> } > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
<>
<> OK, do you feel free to roam through your colleagues
<> offices/desks/briefcases/cars/floppy files just because they're not under lock
<> and key?  
<
<Most people who discuss this overlook one fact in their analogies:  When you
<look through someone's directory, the owner probably doesn't know that you
<are doing so and can't really find out.  (I'm not talking about contrived
<cases of world-readable log files and such things here.)
<
<When your office (car, briefcase, desk) is left open or your floppies lying
<around, someone looking for things in them stands a chance (perhaps high,
<perhaps low) of being caught.  There are people walking past my office all
<the time; a snoop will probably be caught either by a co-worker or by me.
<Of course, anyone pondering snooping through my stuff must first consider
<his chances of being caught and the consequences that he could face.

Right! Since you can't get caught snooping on a computer, it must be
OK.

Why do I feel sick...

	<mike
--
Es brillig war. Die schlichte Toven			Mike Meyer
Wirrten und wimmelten in Waben;				mwm@berkeley.edu
Und aller-mumsige Burggoven				ucbvax!mwm
Die mohmem Rath' ausgraben.				mwm@ucbjade.BITNET

mwm@eris.berkeley.edu (Mike (I'll think of something yet) Meyer) (07/19/89)

In article <294@wet.UUCP> epsilon@wet.UUCP (Eric P. Scott) writes:
<There were a lot of
<times when I was hacking on something at 6:30 p.m. on a Friday ...
<only to be screwed until Monday because someone else "forgot" to
<make something essential available.
<
<You've got to have trust.

This is the best reason in the world for _not_ making a habit of
snooping through people's files at random. If you know that people will
only go through your files for things they need, you're a lot more
likely to leave things unprotected by default.

On the other hand, there's the dimwit who did "ls -R / | lpr" on one
of my systems today, thus grabbing a laser printer for hours. Didn't
even have the courtesy to do "find '' | lpr".

	<mike
--
Must have walked those streets for hours,		Mike Meyer
In the dark and in the cold,				mwm@berkeley.edu
Before I really could accept,				ucbvax!mwm
There's no place called hope road.			mwm@ucbjade.BITNET

andys@ulysses.homer.nj.att.com (Andy Sherman) (07/22/89)

In article <TALE.89Jul15133947@imagine.pawl.rpi.edu>, tale@pawl (David C Lawrence) writes:
> > IX.  THOU SHALT NOT SNOOP IN THY NEIGHBOR'S FILES
> >  
> >      With  the  growing  use  of  electronic mail  and  computers
> > connected in office networks, the issue of personal file integri-
> > ty is gaining  attention.  The  policy here is good  citizenship.
> > Would you open a letter addressed to someone else?  Why should it
> > be any different with a personal computer file?
>
>Would I open a letter addressed to someone else?  Overlooking odd
>circumstances (ie, mail to my dead grandfather), no.  Why should it be
>any different with computer files?  Because they aren't bloody mail!
>Ok, some of it is and I fully recognize that some people want to keep
>it private.  Fine.  The fact that I keep my Mail directory and the
>files it contains as world readable is merely a statement to the few
>members of society that happen to trip through it.  I've only had to
>restrict access to one message recently because someone in his
>generosity to help me with a problem mailed me his password.

I administer systems in an R&D lab.  I consider a user's home
directory to be an extension of his/her filing cabinet.  One does not
rifle through it uninvited without a Real Good Reason, even if it is
unlocked for convenience.  I take a dim view of people tromping
through other people's directories without permission, and I
especially take a dim view of other super-users looking in my few
unreadable directories uninvited.  We have suspended accounts here for
the sin of copying sources out of another user's home directory and
uucp'ing it to another system.  Yes, we could have said, "this
stuff is moderately sensitive, so we will put paranoid permissions on
it" but that would have made life inconvenient for our users.  Much
better to get rid of the anti-social elements than create an
anti-social environment in response.

>If you've got something to hide, go ahead and hide it.  Save yourself
>from the consequences.  I am really opposed to this fellow telling me
>that I am practising immoral computer activity, though.

I think common sense applies.  I used vague terms like uninvited and
Real Good Reason.  Local practice will dictate what these terms mean.
If your colleague is on vacation and the sources for something you're
doing together are in his/her directory, that is a Real Good Reason.
On the other hand, uninvited browsing for curiosity's sake is not.
I'd call that immoral.
-- 
Andy Sherman/AT&T Bell Laboratories/Murray Hill, NJ           *NEW ADDRESS*
AUDIBLE:  (201) 582-5928                                      *NEW PHONE*
READABLE: andys@ulysses.ATT.COM  or att!ulysses!andys         *NEW EMAIL*
The views and opinions are my own.  Who else would want them? *OLD DISCLAIMER*

dsill@relay.nswc.navy.mil (Dave Sill) (07/25/89)

In article <11917@ulysses.homer.nj.att.com>, andys@ulysses (Andy Sherman) writes:
 >...  We have suspended accounts here for
 >the sin of copying sources out of another user's home directory and
 >uucp'ing it to another system.  

Whatever policy your administrators decide on is fine, but I'd hope
you have a requirement that new users be made aware of this rule.  

eben@mmsac.UUCP (Eben R.S. Visher) (08/01/89)

Scott Horne hit it on the head: read permission to my files is
implicit permission to browse.  I occasionally remind my professional
colleagues that if they think there is something useful to them among
my letters, logs, programs, indexes, and trivia, then they should by
all means make use of it.

I work with professional software people, and Scott's approach is our
rule of thumb among ourselves:  if you don't want it seen, then RSA or
DES it (of course, if you simply crypt(1) it, you're inviting someone
to spend 7 minutes with Crypt Breaker's Workbench).

--Eben

+================================+================================+
|  Eben R. S. Visher             |  sun.com!sacto!mmsac!eben      |
|  Project Manager               |  {uunet,sun!sacto}!mmsac!eben  |
|  Martin Marietta Data Systems  |  day:   (916) 929-8864         |
|  1770 Tribute Road, 2nd floor  |  vmail: (916) 441-8137         |
|  Sacramento, CA 95815          |  fax:   (916) 395-2135         |
+================================+================================+
 
-- 

--Eben

jde@unify.UUCP (Jeff Evarts) (08/01/89)

In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
>Scott Horne hit it on the head: read permission to my files is
>implicit permission to browse. 

I disagree, but what follows is what I really contest...

>[...] if you don't want it seen, then RSA or
>DES it (of course, if you simply crypt(1) it, you're inviting someone
>to spend 7 minutes with Crypt Breaker's Workbench).

Okay, there are no smileys here, so I'm assuming you meant what you said.
ABSOLUTELY NOT!  This is frankly ridiculous. This kind of "If I CAN do it,
it must be OK with you" attitude is a real problem in today's computer
industry. Gee, with an attitude like that, worms & viruses are completely
all right, because you were stupid enough to have an insecure system.  The
idea that I would have to encrypt a file to keep a coworker out of it
really scares me. This is not the way things should be run. Just because
you didn't lock your door, it's okay for me to come inside and watch TV
in your house? BULL! (My excuse: Well, you didn't stop me, and I wasn't
hurting anything...)

>
>--Eben
>
>+================================+================================+
>|  Eben R. S. Visher             |  sun.com!sacto!mmsac!eben      |
>|  Project Manager               |  {uunet,sun!sacto}!mmsac!eben  |
>|  Martin Marietta Data Systems  |  day:   (916) 929-8864         |
>|  1770 Tribute Road, 2nd floor  |  vmail: (916) 441-8137         |
>|  Sacramento, CA 95815          |  fax:   (916) 395-2135         |
>+================================+================================+

Sorry if this was more flame than opinion,

-amarth
(jde@unify)

mwm@eris.berkeley.edu (Mike (I'll think of something yet) Meyer) (08/01/89)

In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
<I work with professional software people, and Scott's approach is our
<rule of thumb among ourselves:  if you don't want it seen, then RSA or
<DES it (of course, if you simply crypt(1) it, you're inviting someone
<to spend 7 minutes with Crypt Breaker's Workbench).

This is a perfectly reasonable rule for a group to adopt. However,
that doesn't mean that it's universal, or that it should be. There are
places where that attitude will get you into trouble.

And that's the whole point: unless you know what the house rules are,
and _know_ that everyone else understands those rules, then randomly
browsing someone's files is wrong.

	<mike

--
[Our regularly scheduled .signature preempted.]		Mike Meyer
The Amiga 1000: Let's build _the_ hackers machine.	mwm@berkeley.edu
The Amiga 500: Let's build one as cheaply as possible!	ucbvax!mwm
The Amiga 2000: Let's build one inside an IBM PC!	mwm@ucbjade.BITNET

Horne-Scott@cs.yale.edu (Scott Horne) (08/01/89)

In article <1005@unify.UUCP>, jde@unify (Jeff Evarts) writes:
> In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
> >Scott Horne hit it on the head: read permission to my files is
> >implicit permission to browse. 
> 
> I disagree, but what follows is what I really contest...

I don't.  :-)

> >[...] if you don't want it seen, then RSA or
> >DES it (of course, if you simply crypt(1) it, you're inviting someone
> >to spend 7 minutes with Crypt Breaker's Workbench).
> 
> Okay, there are no smileys here, so I'm assuming you meant what you said.
> ABSOLUTELY NOT!  This is frankly ridiculous. This kind of "If I CAN do it,
> it must be OK with you" attitude is a real problem in today's computer
> industry.

I see what you mean, but I don't think that Eben Visher meant that.  It seems
that that remark about `crypt' was made as a warning about security, not as a
suggestion that people should be allowed to browse ~/personal/top_secret.crypt
just because the decryption method is well-known.

> The
> idea that I would have to encrypt a file to keep a coworker out of it
> really scares me. This is not the way things should be run.

Does the idea that you should have to use a password scare you?  How about the
idea that you should have to lock your door?  Take your keys out of the car?
Seal your envelopes?  Hide your valuables?

					--Scott

Scott Horne                     Undergraduate programmer, Yale CS Dept Facility
horne@cs.Yale.edu                         ...!{harvard,cmcl2,decvax}!yale!horne
Home: 203 789-0877     SnailMail:  Box 7196 Yale Station, New Haven, CT   06520
Work: 203 432-1260              Summer residence:  175 Dwight St, New Haven, CT
Dare I speak for the amorphous gallimaufry of intellectual thought called Yale?

cosell@bbn.com (Bernie Cosell) (08/02/89)

In article <68274@yale-celray.yale.UUCP> Horne-Scott@cs.yale.edu (Scott Horne) writes:
}In article <1005@unify.UUCP>, jde@unify (Jeff Evarts) writes:
}> In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
}> >[...] if you don't want it seen, then RSA or
}> >DES it (of course, if you simply crypt(1) it, you're inviting someone
}> >to spend 7 minutes with Crypt Breaker's Workbench).
}> 
}> Okay, there are no smileys here, so I'm assuming you meant what you said.
}> ABSOLUTELY NOT!  This is frankly ridiculous. This kind of "If I CAN do it,
}> it must be OK with you" attitude is a real problem in today's computer
}> industry.
}
}I see what you mean, but I don't think that Eben Visher meant that.  It seems
}that that remark about `crypt' was made as a warning about security, not as a
}suggestion that people should be allowed to browse ~/personal/top_secret.crypt
}just because the decryption method is well-known.

That's not what he said: what he *said* was that if it has read access
you can *expect* people to feel free to browse.  That if you encrypt it
you can *expect* people to try to crack the encryption.... sounds like
a nice professional place to work.  And the implication about
encryption was even more ominous: it says that in HIS shop *so* many
people have root/operator/whateverforhisopsys privileges that you can't
even trust PERMISSIONS!  [if you think there is some other way to
interpret that, you or he can let me know].

}> The
}> idea that I would have to encrypt a file to keep a coworker out of it
}> really scares me. This is not the way things should be run.
}
}Does the idea that you should have to use a password scare you?  How about the
}idea that you should have to lock your door?  Take your keys out of the car?
}Seal your envelopes?  Hide your valuables?

Yeah, it does... I don't think I could work at a place that requires
the kind of aggressive paranoia that Eben apparently engenders and
encourages in his shop.  I don't lock my office door much, I don't
tamper-proof-seal interoffice memos, I don't have the hifi in my office
bolted down to its table.  That EVERY time I take my eyes off of my
attache case I can be assured taht some will be seeing if they can pick
the lock; that every time I step out of my office I can expect that
unless I lock my desk someone will rifle through it to see if there is
anything interesting (and heaven forfend I should leave my attache
case, or desk, or office door unlocked -- that means 'open season',
right?).  What is so special about a person's computer files that
doesn't entitle them to the same respect and privacy that you would
give to anything else of theirs?

   __
  /  )                              Bernie Cosell
 /--<  _  __  __   o _              BBN Sys & Tech, Cambridge, MA 02238
/___/_(<_/ (_/) )_(_(<_             cosell@bbn.com

Horne-Scott@cs.yale.edu (Scott Horne) (08/02/89)

In article <43611@bbn.COM>, cosell@bbn (Bernie Cosell) writes:
> In article <68274@yale-celray.yale.UUCP> Horne-Scott@cs.yale.edu (Scott Horne) writes:
> }In article <1005@unify.UUCP>, jde@unify (Jeff Evarts) writes:
> }> In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
> }> >[...] if you don't want it seen, then RSA or
> }> >DES it (of course, if you simply crypt(1) it, you're inviting someone
> }> >to spend 7 minutes with Crypt Breaker's Workbench).
> }> 
> }> Okay, there are no smileys here, so I'm assuming you meant what you said.
> }> ABSOLUTELY NOT!  This is frankly ridiculous. This kind of "If I CAN do it,
> }> it must be OK with you" attitude is a real problem in today's computer
> }> industry.
> }
> }I see what you mean, but I don't think that Eben Visher meant that.  It seems
> }that that remark about `crypt' was made as a warning about security, not as a
> }suggestion that people should be allowed to browse ~/personal/top_secret.crypt
> }just because the decryption method is well-known.
> 
> That's not what he said: what he *said* was that....

See above:  ``I don't think that Eben Visher meant that.''  He may have, in
which case I misconstrued his intent and agree with you (Bernie).

> }> The
> }> idea that I would have to encrypt a file to keep a coworker out of it
> }> really scares me. This is not the way things should be run.
> }
> }Does the idea that you should have to use a password scare you?  How about the
> }idea that you should have to lock your door?  Take your keys out of the car?
> }Seal your envelopes?  Hide your valuables?
> 
> Yeah, it does... I don't think I could work at a place that requires
> the kind of aggressive paranoia that Eben apparently engenders and
> encourages in his shop.  I don't lock my office door much, I don't
> tamper-proof-seal interoffice memos, I don't have the hifi in my office
> bolted down to its table.

Neither do I.

Do you lock the front door of your house, or do you leave it open?  Do you
take your car keys with you, or do you leave them in the ignition with the
door unlocked?  Do you seal envelopes or leave them open?  Do you use a
password, or can I `telnet' to `bbn.com' and log in as cosell with no
password?

> That EVERY time I take my eyes off of my
> attache case I can be assured taht some will be seeing if they can pick
> the lock; that every time I step out of my office I can expect that
> unless I lock my desk someone will rifle through it to see if there is
> anything interesting (and heaven forfend I should leave my attache
> case, or desk, or office door unlocked -- that means 'open season',
> right?).

No, it doesn't mean open season.  You're just confusing the issue.  No one
has said anything about ``EVERY [capitalisation yours] time I take my eyes
off of my attache case I can be assured taht [_sic_] some will be seeing if
they can pick the lock''.  Anyway, why is your attache' case locked?  I
thought you were Mr Anti-security.

> What is so special about a person's computer files that
> doesn't entitle them to the same respect and privacy that you would
> give to anything else of theirs?

The assumption that everyone can browse everyone else's files (if they're not
protected; I certainly oppose the idea that one may try to decrypt files or
`su' to root to override denied permissions) makes for a more pleasant and
useful working environment.  I tell people ``Just take file xxx out of my
yyy directory'' all the time, as do others here.  I don't leave everything
readable, of course; no one does around here.

I'd certainly respect a policy of staying out of others' files, even though
I oppose such a policy.

					--Scott

Scott Horne                     Undergraduate programmer, Yale CS Dept Facility
horne@cs.Yale.edu                         ...!{harvard,cmcl2,decvax}!yale!horne
Home: 203 789-0877     SnailMail:  Box 7196 Yale Station, New Haven, CT   06520
Work: 203 432-1260              Summer residence:  175 Dwight St, New Haven, CT
Dare I speak for the amorphous gallimaufry of intellectual thought called Yale?

bob@mmsac.UUCP (Bob Brown) (08/03/89)

>>Scott Horne hit it on the head: read permission to my files is
>>implicit permission to browse. 

>I disagree, but what follows is what I really contest...

>>[...] if you don't want it seen, then RSA or
>>DES it (of course, if you simply crypt(1) it, you're inviting someone
>>to spend 7 minutes with Crypt Breaker's Workbench).

>Okay, there are no smileys here, so I'm assuming you meant what you said.
>ABSOLUTELY NOT!  This is frankly ridiculous. This kind of "If I CAN do it,
>it must be OK with you" attitude is a real problem in today's computer
>industry. Gee, With an attitude like that, worms & viruses are completely
>all right, because you were stupid enough to have an insecure system. The
>idea that I would have to encrypt a file to keep a coworker out of it
>really scares me. This is not the way things should be run. Just because
>you didn't lock your door, it's okay for me to come inside and watch TV
>in your house? BULL! (My excuse: Well, you didn't stop me, and I wasn't
>hurting anything...)

The analogy sounds good but I'm afraid it doesn't hold up. The house
is the computer, your files are simply desks and rooms in the house.
To get into the house, someone must have the key (password). The point
is that the door is locked and the person coming in has a key.
Anything you leave laying around will probably be read. No one would
be so impolite as to touch your stuff, but your roommates (other
users) will probably read your mail if you leave it on top of your
desk for all to see.

The phrase "stupid enough to have an insecure system" is a bit much.
In order for computers to be useful, people need to have access to
them. We know the design of the system well enough to know that if a
file (directory) has read access -- Joe Guest can browse. When
something really needs to be secure, you give out less keys, you make
special rules for this house (in advance) and you lock your desks and
rooms. 

Worms and viruses would be more like having your roommates take an ax
to your desk or burn your papers or break into your locked rooms and
desks. It's clear that this is vandalism -- which mom (sys admin)
would not and should not tolerate.

'nuff said

bb

hollombe@ttidca.TTI.COM (The Polymath) (08/03/89)

In article <68274@yale-celray.yale.UUCP> Horne-Scott@cs.yale.edu (Scott Horne) writes:
}Does the idea that you should have to use a password scare you?  How about the
}idea that you should have to lock your door?  Take your keys out of the car?
}Seal your envelopes?  Hide your valuables?

Damn right it does.  These are things I'm forced to do to protect my
property from _criminals_.  Whether I do them or not, the acts they are
meant to prevent are still _criminal acts_. (The fact that I foolishly
left my keys in my car does not give anyone the right to get in and drive
off, or even sleep in the back seat).

Likewise for computer files.

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe

reesd@gtephx.UUCP (David Rees) (08/03/89)

In article <26833@agate.BERKELEY.EDU>, mwm@eris.berkeley.edu (Mike (I'll think of something yet) Meyer) writes:
> In article <1393@helios.mmsac.UUCP> eben@mmsac.UUCP (Eben R.S. Visher) writes:
> <I work with professional software people, and Scott's approach is our
> <rule of thumb among ourselves:  if you don't want it seen, then RSA or
> <DES it (of course, if you simply crypt(1) it, you're inviting someone
> <to spend 7 minutes with Crypt Breaker's Workbench).
> 
> This is a perfectly reasonable rule for a group to adopt. However,
> that doesn't mean that it's universal, or that it should be. There are
> places where that attitude will get you into trouble.
> 
> And that's the whole point: unless you know what the house rules are,
> and _know_ that everyone else understands those rules, then randomly
> browsing someone's files is wrong.

The first thing I do when using a new system is to browse other users' files. It is
simply the fastest, and easiest way to get information about how the system is set
up. I agree with Eben's point of view... if the file has read access to the world,
or to your group, or just to you then you can browse it. If the user does not
want you to view it he can simply change the protections (or mark it personal).
If the system standard is for people not to be able to view each other's files,
then files should be set with the read priority off automatically when created.
(I know of very few systems where this is not possible).

Of course, if the file (or directory) is named 'personal' that is something
different...

                                     -David
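
The mechanism the posts above argue about (a file is browsable exactly when its read bits allow it, and the creation default decides which way new files fall) can be checked on a Unix system with umask and find. This is an added example, not part of any poster's message; the function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: all files are constructed samples under a temp directory.

# Print the permission string of a file created under umask $1 in directory $2.
mode_under_umask() {
    (
        umask "$1"              # subshell, so the caller's umask is untouched
        f="$2/sample.$1"
        : > "$f"                # create an empty file; the kernel applies the umask
        ls -l "$f" | cut -c1-10
    )
}

# List regular files under $1 that group or others may read, i.e. the files
# that a "read permission means you may browse" house rule would expose.
browsable_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# Remove all group/other access below $1 (the "change the protections" step).
make_private() {
    chmod -R go-rwx "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    echo "umask 022 creates: $(mode_under_umask 022 "$d")"
    echo "umask 077 creates: $(mode_under_umask 077 "$d")"
    echo "readable by others before lock-down:"
    browsable_files "$d"
    make_private "$d"
    echo "readable by others after lock-down: $(browsable_files "$d" | wc -l)"
    rm -rf "$d"
}

demo
```

Putting `umask 077` in a login profile makes private the default for new files; `browsable_files "$HOME"` then shows what was already left open before the default changed.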