rjd@tiger.UUCP (07/14/87)
> > ... phreak is the term that should be used to describe people that
> > attempt malicious damage or theft. I use the term hacker to describe
> > someone like myself who writes a 90% full implementation of rogue on
> > a Z80, .. NOTHING I have done while wearing my hacker hat has ever
> > constituted theft or malicious damage.
>
> OK, as long as you're hacking away on your own machine, I have nothing
> but respect for your ingenuity. As soon as you intentionally break into
> someone else's machine YOU ARE A CRIMINAL! I don't care whether you damage
> anything or not! Just like you wouldn't care whether or not I found
> something to take; if I broke into your house, you'd want me prosecuted.
>
> BTW this may sound like a flame, but it's not intended as such.

This still sounds suspiciously like burying your head in the sand to a problem that does not go away just because you decide to ignore it. If no one breaks into the system with the express purpose to perform an audit (with or without the administrator's permission), the first person to find the security hole may very likely be a person that destroys something. I say this because I have gained access to machines that are administered by friends, and then informed them of a hole in their system and the steps that must be taken to correct the holes that I see. I see your blanket statement as including me as a criminal. So be it.

When I have performed audits on our company's machines, it is for the good of the company, but yet I defy anybody to determine my methods of access unless they were forewarned of them, or already have a secure machine. This makes your classifications of criminality pretty much a moot point, because you normally have to prove the act has taken place to prove me a criminal.

In summary: I would like to modify your statement to say that a criminal act would be not informing the administrator of the security hole, once it is detected.
Of course, any malicious damage or gaining of information without authorization is criminal, but that seems obvious to me.

Randy
dlm@codas.ATT.COM (Don_L_Million) (07/16/87)
> This makes your classifications of criminality pretty much a moot
> point, because you normally have to prove the act has taken place
> to prove me a criminal.
>
> Randy

I hope you're not saying that if you don't get caught you didn't do anything wrong. I may not be able to PROVE you committed a crime, but breaking into a computer and rifling through someone's disk is the same as breaking into their office and rifling through their file cabinet. If you do it to help I'll admire your motives, but if you get caught you COULD find yourself in BIG trouble.

Don
rjd@tiger.UUCP (07/20/87)
>> This makes your classifications of criminality pretty much a moot
>> point, because you normally have to prove the act has taken place
>> to prove me a criminal.
>>
>> Randy
>
>I hope you're not saying that if you don't get caught you didn't do
>anything wrong. I may not be able to PROVE you committed a crime, but
>breaking into a computer and rifling through someone's disk is the
>same as breaking into their office and rifling through their file
>cabinet. If you do it to help I'll admire your motives, but if you
>get caught you COULD find yourself in BIG trouble.
>
>Don

I was afraid someone was going to take this out of context and only reprint part of the article and sure enough..... The part of my article that you left out answers your questions, but let me reiterate: I DO NOT condone "rifling through someone's disk"; on the contrary, that is how I got involved with system security: someone pointed out how easy it was to "rifle" through mine, so I took steps to prevent it, then realized how many holes there were.

I did not say that not proving a crime made it not a crime, rather that it makes this debate rather pointless; the debate about people such as I performing audits being criminals. Those who are saying that this activity IN GENERAL is criminal have no idea what they are talking about. I am saying that, performed responsibly, it can be a great service. This is all in response to the "Hacker Scholarship", if you recall...

As to being in Big trouble, I do not bother with someone else's computer, especially any outside the company (AT&T), as that is their business, thus it is impossible for me to be in Big Trouble, just minor trouble if I should piss off an upper management type, which is very unlikely as I have been encouraged in the work of improving the security of the AT&T Unix systems.
I have been asked for help by customers, and have provided it when possible, as I believe that AT&T wants us to be as helpful as possible, and they have said it many times. AT&T can have no qualms with my work in this regard, as it takes negligible time and does not take me away from my work - in my job, I do not normally have direct customer contact.

Basic security is easy and is often botched by lazy or uninformed administrators:

Your first line of defense (against totally unauthorized users):
1) no unpassworded logins,
2) verification of users,
3) and very careful networking using only secure software.
This is usually very basic and simple to do.

I usually deal with:

Your second line of defense, against authorized users gaining unauthorized privileges:
1) no user-writable root (or any other system login) setuid programs
2) a biggie: no system directories of mode less secure than 755 (include /. and /..) and while we are at it, make sure that no user owns a system directory.
3) no user-writable programs executed by root or ANY system login (such as programs run from cron)
3a) root path NEVER set to search current directory (user makes an ls command in his directory to trap a nosy root). It's easy enough to type ./command if you need to.
etc....

Randy Davis UUCP: ...(ihnp4!)3b2fst!randy
All opinions and/or advice stated above are MY OWN, not those of AT&T, though the company may or may not agree with them.
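The "second line of defense" checklist in the post above (user-writable setuid programs, system directories looser than 755 or not owned by the system account, user-writable cron commands, and a root PATH that searches the current directory) can be turned into a small audit script. The following is an added example, not code from the thread; it builds a constructed sample tree with make_sample and runs the checks against that, so the function names, the crontab layout and the sample paths are assumptions.

```shell
#!/bin/sh
# Audit helpers for the "second line of defense" items in the post above.
# Added example, not code from the thread; the sample tree is constructed.

# Setuid/setgid files under $1 that group or other can write: a user could
# replace the program and have root run it.
writable_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -002 -o -perm -020 \) -print 2>/dev/null
}

# Directories under $1 looser than 755 (group- or other-writable).
loose_sysdirs() {
    find "$1" -type d \( -perm -002 -o -perm -020 \) -print 2>/dev/null
}

# Directories under $1 not owned by the expected system account $2.
dirs_not_owned_by() {
    find "$1" -type d ! -user "$2" -print 2>/dev/null
}

# True if PATH value $1 searches the current directory: a "." entry or an
# empty entry (leading, trailing or doubled colon).
path_has_dot() {
    case ":$1:" in *::*|*:.:*) return 0 ;; esac
    return 1
}

# Commands in system crontab $1 (min hr dom mon dow cmd ...) whose
# executable is group- or other-writable.
writable_cron_cmds() {
    while read -r m h dom mon dow cmd rest; do
        case "$m" in ''|'#'*) continue ;; esac
        find "$cmd" -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null
    done < "$1"
}

# Build a constructed sample tree (two findings planted) and print its path.
make_sample() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/bin" "$sample_root/etc" "$sample_root/tmp"
    chmod 755 "$sample_root/bin" "$sample_root/etc"
    chmod 777 "$sample_root/tmp"                                    # finding
    : > "$sample_root/bin/good"; chmod 4755 "$sample_root/bin/good"
    : > "$sample_root/bin/bad";  chmod 4777 "$sample_root/bin/bad"  # finding
    printf '# constructed crontab\n0 3 * * * %s/bin/good -q\n30 3 * * * %s/bin/bad\n' \
        "$sample_root" "$sample_root" > "$sample_root/etc/crontab"
    echo "$sample_root"
}
```

Each check takes a directory or file as its argument, so the same functions can be pointed at the real /bin, /etc or /usr trees of a system you administer.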