ccastmg@prism.gatech.EDU (Michael G. Goldsman) (06/12/91)
I just read this on ga.general... ---------------------------------------------------------------- ---From: mcovingt@athena.cs.uga.edu (Michael A. Covington) ---Newsgroups: ga.general ---Subject: Student suspended for helping hackers ---Summary: Student deliberately compromised security of athena.cs.uga.edu ---Date: 11 Jun 91 04:21:01 GMT ---Organization: University of Georgia, Athens The University will soon be issuing a news release about this incident. In the meantime, here is a summary: (1) A number of unauthorized users have been using various University of Georgia computers. Most of them have left much more of a trail than they realized and will be hearing from us. (2) The first person actually caught as part of this incident has now been sentenced to 2 quarters' suspension, plus a probated expulsion, by the Student Judiciary. This was a U.Ga. student whose name cannot be released due to confidentiality of educational records. What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu to a "hacker" who had already penetrated another system, and who wanted to use a password-guessing program to break into athena. The student was fully aware that he was assisting in a break-in. Two points that everyone may need to be reminded of: (1) Unauthorized computer use is a felony under Georgia law (which is about to become even stricter, on this point, than it is already). (2) We cannot presume that any intruder is harmless. To keep the machine safe for everyone, we have to presume that every unauthorized user intends something destructive. It's very common for an intruder to say "I meant no harm" when in fact a transcript of his session shows that he was trying to crash the machine or delete people's files. The University of Georgia has no public-access UNIX machines. If anyone gives you a password on one of our machines, please contact me. ---------------------------------------------------------------- I didn't know that doing things with an /etc/passwd would be considered unauthoprized use. the file is readable by the world after all. The uga student was not the one who broke in. I have some serious problems with UGA supending him. I am a little too "exam-week-weary" to articulate my feelings well, but I thought that you guys should know about this. What if a student runs cops on /etc/passwd... would this be considered intent to break into a system and could he thus be suspended? Well, you guys can mull it over today, I need some sleep. -Mike Goldsman -- ------------------------------------------------------------------------ Mike Goldsman 36004 Georgia Tech Station Atlanta Georgia, 30332, 404-872-5146
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/12/91)
In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > >I didn't know that doing things with an /etc/passwd >would be considered unauthoprized use. > >the file is readable by the world after all. >The uga student was not the one who broke in. > >I have some serious problems with UGA supending him. >I am a little too "exam-week-weary" to articulate my feelings well, >but I thought that you guys should know about this. > I can tell you that this student knew full well that the /etc/passwd would be used to attempt a break-in. He belonged to an "elite group of hackers" whose hobby was breaking into computers and attempting to wreak havoc. It's like giving the plans of a building to a burglar. The plans may not be secret, but if you directly supply something essential for the burglary, knowing that's what it's going to be used for, you're a participant in the burglary yourself. >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? > Yes. Obtaining other users' passwords without proper authorization is forbidden. Even if you do it by using a standard software tool rather than by breaking into their desks. >------------------------------------------------------------------------ >Mike Goldsman >36004 Georgia Tech Station >Atlanta Georgia, 30332, 404-872-5146 -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (06/12/91)
In article <1991Jun11.221521.14402@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: >>What if a student runs cops on /etc/passwd... would this >>be considered intent to break into a system and could he thus >>be suspended? > >Yes. Obtaining other users' passwords without proper authorization >is forbidden. Even if you do it by using a standard software tool >rather than by breaking into their desks. One would hope this was sarcasm, or a complete mis-reading of the question, but I'm afraid it probably isn't. Most laws consider such things as "intent" -- if the student intends to use the information as part of a research paper on security issues (e.g. "30% of the passwords were found in the dictionary"), and discards the broken passwords, then one could hardly claim that he had evil intent. Many of the laws relating to computer crime don't consider intent, but they certainly should.
bernie@metapro.DIALix.oz.au (Bernd Felsche) (06/12/91)
In <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: [ quoting from a ga newsgroup ] >Two points that everyone may need to be reminded of: >(1) Unauthorized computer use is a felony under Georgia law (which is >about to become even stricter, on this point, than it is already). >(2) We cannot presume that any intruder is harmless. To keep the machine >safe for everyone, we have to presume that every unauthorized user intends >something destructive. It's very common for an intruder to say "I meant no >harm" when in fact a transcript of his session shows that he was trying to >crash the machine or delete people's files. >---------------------------------------------------------------- [ end partially quoted quote ] >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? Is there reasonable proof that it was the particular _natural_ person who mailed the file? It is possible for a cracker to login as the accused and mail the passwd file. IMHO this leaves the situation wide open, in terms of "reasonable doubt". There is usually no _evidence_ which points the finger at the natural person, only his account. Is a student therefore guilty of the felony, simply because of a bad choice of password? The big-brother tactics of watching everything that everybody does would no doubt restrict creative experimentation. I'd say it's counter to the aims of an institution that calls itself a University. Also, how can one be sure that the logs used as "evidence" have not been fabricated or forged? How did they find out that /etc/passwd was being mailed? Do they routinely peek at e-mail? Are all the users aware that e-mail is not private? What springs to mind, regarding this is the issue of appropriate security. If you keep sensitive data on a machine/network which is accessible by students, then you're asking for trouble. There are students out there who are far more intelligent, experienced and creative than many system administrators. If students, using a machine, are made aware of the level of security which you expect of the machine and why this level has been chosen, then they will be more supportive in maintaining security. The primary objective is after all to protect _their_ work, not to create yet another ivory tower. I administer a public-access UNIX system with almost 200 registered users. Everybody is aware that it is _not_ secure, although every reasonable effort is taken to protect data. I have set the policy that I will only read the headers of mail messages, and only do so to determine appropriate actions. As far as I'm concerned, e-mail is private. Only under exceptional circumstances, and with the approval of the originator or designated recipient, do I ever look at the body of a message. -- Bernd Felsche, _--_|\ #include <std/disclaimer.h> Metapro Systems, / sold \ Fax: +61 9 472 3337 328 Albany Highway, \_.--._/ Phone: +61 9 362 9355 Victoria Park, Western Australia v Email: bernie@metapro.DIALix.oz.au
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/12/91)
In article <1991Jun12.011740.20751@murdoch.acc.Virginia.EDU> gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes: >In article <1991Jun11.221521.14402@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >>>What if a student runs cops on /etc/passwd... would this >>>be considered intent to break into a system and could he thus >>>be suspended? >> >>Yes. Obtaining other users' passwords without proper authorization >>is forbidden. Even if you do it by using a standard software tool >>rather than by breaking into their desks. > >One would hope this was sarcasm, or a complete mis-reading of the >question, but I'm afraid it probably isn't. Most laws consider such >things as "intent" -- if the student intends to use the information as >part of a research paper on security issues (e.g. "30% of the >passwords were found in the dictionary"), and discards the broken >passwords, then one could hardly claim that he had evil intent. Many >of the laws relating to computer crime don't consider intent, but they >certainly should. I wasn't being sarcastic, but I certainly _would_ consider intent. But a student who wants to run Cops for a legitimate reason should seek permission _first_, preferably. We're quite willing to grant permission for people to do any reasonable and non-destructive thing they want to. However, I see no reason why obtaining other people's passwords via Cops should be, prima facie, any different than obtaining them through other forms of snooping. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (06/12/91)
In article <1991Jun12.042513.20870@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: >I wasn't being sarcastic, but I certainly _would_ consider intent. >But a student who wants to run Cops for a legitimate reason should >seek permission _first_, preferably. Why should he seek permission from you? Do you only allow students to run programs which are pre-approved? Is this your announced policy? Or, do you feel yourself qualified to decide legal matters, on par with a state or federal judge? I'm not trying to be rude, well, actually, I am being a little rude, but I am trying to illustrate a point. Normal environments generally believe in "innocent until proven guilty." Academic environments are allegedly supposed to encourage learning. I don't think this sort of policy is helping either. As a student I never felt the need to ask before committing actions that were legal and ethical. If you have many passwords that can be trivially broken using COPS, then the system administration down there isn't what I would consider good. It's my job as system administrator to make sure I don't leave obvious holes in my systems, and you may be leaving yourself open to negligence charges and/or lawsuits if someone breaks in and reads mail, for example. I'm not a lawyer, but I do know how my job should be done. Finally, if you're in such a lather about you leaving your own /etc/passwd world-readable, use shadow passwords and avoid the entire issue. Peace and quiet beats the opposite any day of the week.
sean@ms.uky.edu (Sean Casey) (06/12/91)
mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: |>What if a student runs cops on /etc/passwd... would this |>be considered intent to break into a system and could he thus |>be suspended? |> |Yes. Obtaining other users' passwords without proper authorization |is forbidden. Even if you do it by using a standard software tool |rather than by breaking into their desks. Ah so COPS is now burglary tools. Interesting... Sean -- ** Sean Casey <sean@s.ms.uky.edu>
porphano@lehi3b15.csee.Lehigh.EDU (Paul Orphanos) (06/12/91)
In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > >---Subject: Student suspended for helping hackers >---Summary: Student deliberately compromised security of athena.cs.uga.edu >---Date: 11 Jun 91 04:21:01 GMT >---Organization: University of Georgia, Athens > >I didn't know that doing things with an /etc/passwd >would be considered unauthoprized use. > >the file is readable by the world after all. >The uga student was not the one who broke in. > >-Mike Goldsman > The fact of the matter is that the student in question mailed the passwd file off to someone. That's like telling bank robbers where the safe is, and how to disable the alarms. Sure, you did'nt give them the combination, and you might not have been near the scene of the crime. But are you guilty of being an accomplis? Most definitely. With a passwd file, you don't have to guess ANY user id's, only passwords. And we all know how careful users are in choosing passwords. Paul
seward@CCVAX1.NCSU.EDU (Bill Seward) (06/12/91)
In article <31124@hydra.gatech.EDU>, ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: >---------------------------------------------------------------- >---From: mcovingt@athena.cs.uga.edu (Michael A. Covington) >---Newsgroups: ga.general >---Subject: Student suspended for helping hackers >---Summary: Student deliberately compromised security of athena.cs.uga.edu >---Date: 11 Jun 91 04:21:01 GMT >---Organization: University of Georgia, Athens > >I didn't know that doing things with an /etc/passwd >would be considered unauthoprized use. > >the file is readable by the world after all. >The uga student was not the one who broke in. > >I have some serious problems with UGA supending him. > >-Mike Goldsman I don't see a problem with looking at it on that particular machine, but if you snarf a copy to send to someone who you know is going to use it to try to break into the system, then _I_ have a major problem with it. If I'm not mistaken (and I may be, I'm not a legal person), they call that "aiding and abbetting" and/or "accessory before the fact". I also think that he was lucky to just get suspended. If he had done something similar on one of "my" systems (we run VMS, so that particular act isn't possible) I would push to have him expelled and hopefully have charges brought against him. (I know I sound a bit extreme on this, but if we, as computer people, don't start more effectively with this sort of thing, others, who aren't as computer knowledgable, will try to do it for us and muck it all up.) ****************************************************************************** Bill Seward -- Analyst, Programmer, System Manager, User Training, Operations and whatever else needs doing. Cutaneous Pharmacology & Toxicology Center, NC State University SEWARD@NCSUVAX.BITNET SEWARD@CCVAX1.CC.NCSU.EDU
nerd@percival.rain.com (Michael Galassi) (06/12/91)
ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: >the file is readable by the world after all. >The uga student was not the one who broke in. I beg your pardon? It is readable by anyone who has a login on the machine, this is NOT the same as the whole world (though it may seem so to an "exam-week-weary" person). The twirp apparently mailed the file off-campus, a different (and better) world you will find when you recover from finals :-). >I have some serious problems with UGA supending him. >I am a little too "exam-week-weary" to articulate my feelings well, >but I thought that you guys should know about this. Being the asshole I am I would have expelled him, we need some examples on a cross to help discourage others. >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? Intent... hmmm... I think that has to be a judgement call, s/he could be interested in security for legitimate reasons. Have to take this on a case by case basis. >Well, you guys can mull it over today, I need some sleep. Good luck with finals Mike. cheers, -m -- Michael Galassi | nerd@percival.rain.com MS-DOS: The ultimate PC virus. | ...!tektronix!percy!nerd
df@sei.cmu.edu (Dan Farmer) (06/12/91)
Lots of stuff by different people, so I'm just mashing three articles together instead of posting three times (hope I got all the names with their posting straight...): > In article <bar.foo> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > I didn't know that doing things with an /etc/passwd > would be considered unauthoprized use. > > the file is readable by the world after all. > The uga student was not the one who broke in. The file is world readable to anyone *who has an account on the system*. As I understand it, the person shipped it offsite -- and people off the system *do not* normally have access to the file. This was the problem. If there was some guest account, or something, that the system crackers could use, and then the student gave them the password, that's another question. But the password file is the traditional "first wall" of defence on a Unix system. >> In article <foo> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: >>>What if a student runs cops on /etc/passwd... would this >>be considered intent to break into a system and could he thus >>>be suspended? >> >>Yes. Obtaining other users' passwords without proper authorization >>is forbidden. Even if you do it by using a standard software tool >>rather than by breaking into their desks. Hmm. Perhaps this is a local policy. It appears that you are talking about cracking passwords -- what about the rest of the information cops gives? What if you have accounts without passwords? Can people even *look* at the file? Why not go to shadow passwords -- wouldn't this solve all of this? Seems it's a lot easier to remove the temptation and risk, then to hammer some student who does this. In article <foo.bar>, sean@ms.uky.edu (Sean Casey) writes: > |Yes. Obtaining other users' passwords without proper authorization > |is forbidden. Even if you do it by using a standard software tool > |rather than by breaking into their desks. > Ah so COPS is now burglary tools. Interesting... Hurm. Hope not. I'm not really thrilled with the idea of being a supplier. Comes with the territory, I guess, though. Unfortunately, it seems that with most breakins that I deal with, when I ask them if they've run cops, then they say "oh, no, but we're running it now..." A little late, folks. Just my not-so-humble opinion, of course. -- dan
morris@samson.bnr.ca (Morris Bernstein) (06/12/91)
In article <1991Jun12.122421.15562@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes: >mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >|>What if a student runs cops on /etc/passwd... would this (deleted) > >|Yes. Obtaining other users' passwords without proper authorization >|is forbidden. Even if you do it by using a standard software tool >|rather than by breaking into their desks. > >Ah so COPS is now burglary tools. Interesting... > COPS is a burglary tool in the same way a crowbar is a burglary tool. If you want to use a crowbar for a valid purpose, it is perfectly legitimate. But is can also be used for unauthorized purposes. You have to distinguish the context. Morris -- Morris Bernstein phone: (514) 765-8275 Bell Northern Research Ltd. fax: (514) 765-0500 worldnet: bnrmtl!morris@larry.mcrcim.mcgill.edu "I just want to be the Norm Abrams of Computer Programming"
tighe@convex.com (Mike Tighe) (06/12/91)
In article <1991Jun12.122421.15562@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes: >mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >|>What if a student runs cops on /etc/passwd... would this >|>be considered intent to break into a system and could he thus >|>be suspended? >|> > >|Yes. Obtaining other users' passwords without proper authorization >|is forbidden. Even if you do it by using a standard software tool >|rather than by breaking into their desks. Perhaps this is a bad analogy, but by the above logic it would seem to me that you would consider it intent to break-in if a student puts his hand on the computer room door, and tries to enter. You are immediately assuming he has evil intent. -- ------------------------------------------------------------- Mike Tighe, Internet: tighe@convex.com, Voice: (214) 497-4206 -------------------------------------------------------------
vince@bcsaic.UUCP (Vince Skahan) (06/12/91)
ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: >I didn't know that doing things with an /etc/passwd >would be considered unauthoprized use. I totally agree with UGa. There is nothing I can come up with that would justify such actions. >the file is readable by the world after all. The door on your car is open and the keys are visible. This doesn't mean that I can take those keys and open the trunk and start looking around, photograph stuff in there, take what I want, etc. >The uga student was not the one who broke in. He aided a break-in or attempted break-in. >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? If I was running the system, it absolutely does just that and I'd prosecute in addition to suspension if possible. -- ------------------------------------------------------------------------------- Vince Skahan ARPA: vince@atc.boeing.com UUCP: uw-beaver!bcsaic!vince ( As the five little pigs filled themselves up with beer, four of them ran to the bathroom, leaving the fifth little pig to go wee-wee-wee all the way home. )
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/13/91)
We are absolutely sure that the student whom we caught did indeed mail the /etc/passwd file and that he knew the recipient was interested in breaking in illegally. He admits both of these things. He pleaded guilty at his Student Judiciary hearing. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/13/91)
The way we originally found out /etc/passwd had been mailed is that an unauthorized user of another system left a copy of it behind, complete with email header. We would not look at the mail or files of an authorized user. In this case we were dealing with files that were stored on the machine without authorization, by a person we could not identify, and we looked at them to see what they were. On finding it, my first thought was of course that the email header was bogus, or that the "sender"'s account had been broken into. We deactivated the account, figuring that our hapless student was a victim of a break-in and would want a new password. To our astonishment the hapless student came around immediately and admitted the whole thing, bragging about an "elite" group of hackers and phreaks that he belonged to. There. We're not the fascists you thought, are we? -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
rita@eff.org (Rita Marie Rouvalis) (06/13/91)
In article <1991Jun12.055211.24457@murdoch.acc.Virginia.EDU> gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes: >In article <1991Jun12.042513.20870@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >>I wasn't being sarcastic, but I certainly _would_ consider intent. >>But a student who wants to run Cops for a legitimate reason should >>seek permission _first_, preferably. > >Why should he seek permission from you? Do you only allow students to >run programs which are pre-approved? Is this your announced policy? >Or, do you feel yourself qualified to decide legal matters, on par >with a state or federal judge? Don't you think it might be wise to cover one's tracks by *notifying* a sysadmin of this kind of activity instead of waiting to get *caught*. The lab I used to work for is writing a piece of security software. In order to discover what kinds of holes are around the University's system, the programmers had to go and exploit them. This is an example of a *legitimate* reason for cracking UN*X boxes. And yes, the other sysadmins knew what we were working on. Of course, it is sad to not the passing of an era when people did not worry about this kind of thing. -- Rita Marie Rouvalis (NB new address!!) rita@eff.org The Electronic Frontier Foundation | when this yellow rose leaned, 155 Second Street | cupping yesterday's rain, Cambridge, MA 02141 | glassy drops extravagant and poised.
ccastmg@prism.gatech.EDU (Michael G. Goldsman) (06/13/91)
In article <1991Jun12.145613.3329@percy.rain.com> nerd@percival.rain.com (Michael Galassi) writes: >ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > >>the file is readable by the world after all. >I beg your pardon? It is readable by anyone who has a login on the >machine, this is NOT the same as the whole world (though it may seem >so to an "exam-week-weary" person). The twirp apparently mailed the >file off-campus, a different (and better) world you will find when >you recover from finals :-). > I meant "World" in UNIX speak.. (three level of permission, user, group world) The guy is definitely a twerp, I will not argue that point, but therre are other things which bug me mainly the vague desciptions as to what constitutes appropriate use etc... -Mike -- ------------------------------------------------------------------------ Mike Goldsman 36004 Georgia Tech Station Atlanta Georgia, 30332, 404-872-5146
gt0812b@prism.gatech.EDU (John Adair) (06/13/91)
Why shouldn't a student run COPS? If my system has holes in it
that COPS reports, then I would fix them. Then the students
can run COPS all day. If sysadm's would _USE_ COPS, then
the question would be moot.
As to invading the "privacy" of e-mail (which didn't happen here),
if a sysadm or two grep'ing mail or even occasionally looking
through it by hand is offensive, what about 30 hackers rooting
through it? I'll always prefer a little lost privacy and "rights"
to ineffective "law enforcement". If I have a mail message sitting
around that says "the root password for athena.cs.uga.edu is frobiz",
I really deserve to get busted.
Recently, nearly two labs worth of machines (4 NeXT's, a PS/2,
about 5 macs) were stolen from Georgia Tech. There were
a limited number of people that could have know the combinations
to the labs. I would gladly allow a search of my property,
if all of the other "suspects" would be searched as well.
The breach of trust will probably cost us the "last bastion of
free computing" available 24 hours a day to undergrad peons.
If there was any e-mail or news traffic related to the theft,
I would want the people hauled in and questioned, and I wouldn't
give a shit about their "right" to private e-mail. Luckily,
they were as stupid as I hoped, and they were caught.
One last thing, what "elite group of hackers?" They don't sound
too elite to me, and they don't sound like LoD/LoH.
--
John Adair gt0812b%prism@gatech.edu BITNET: GT0812B%PRISM.GATECH.EDU@GITVM1
/\ uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt0812b
/<>\ SnailMail: 30812 Georgia Tech Station Atlanta, GA 30332
/____\ "I didn't do it. Nobody saw me do it. You can't prove anything."ben@wri.com (Ben Cox) (06/13/91)
nerd@percival.rain.com (Michael Galassi) writes: >Being the asshole I am I would have expelled him, we need some examples >on a cross to help discourage others. YOW! This is the most heinous thing I have read in ages! -- Ben Cox ben@wri.com Opinion[ben] != Opinion[wri.com]
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/13/91)
In article <ben.676781877@dragonfly.wri.com> ben@wri.com (Ben Cox) writes: >nerd@percival.rain.com (Michael Galassi) writes: > >>Being the asshole I am I would have expelled him, we need some examples >>on a cross to help discourage others. > >YOW! This is the most heinous thing I have read in ages! I agree. The guilty should receive only the punishment that they deserve, _not_ a more severe punishment designed to deter others. That's the main reason we chose to go through the student judiciary (with its limited powers) rather than bring criminal charges. We felt that this student was not a hardened criminal, merely a misguided person who had gotten severely out of touch with reality and needed to learn a lesson. Sure, a jail term would have deterred others, but it would not have been appropriate for this person. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
cosell@bbn.com (Bernie Cosell) (06/14/91)
ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: }I just read this on ga.general... }---------------------------------------------------------------- }---From: mcovingt@athena.cs.uga.edu (Michael A. Covington) }---Newsgroups: ga.general }---Subject: Student suspended for helping hackers }---Summary: Student deliberately compromised security of athena.cs.uga.edu }---Date: 11 Jun 91 04:21:01 GMT }---Organization: University of Georgia, Athens ... }What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu }to a "hacker" who had already penetrated another system, and who wanted }to use a password-guessing program to break into athena. The student was }fully aware that he was assisting in a break-in. .... }---------------------------------------------------------------- }---------------------------------------------------------------- }I didn't know that doing things with an /etc/passwd }would be considered unauthoprized use. I think that the statement said "assisting in a break-in" -- that is, accessory before-the-fact to a felony. }the file is readable by the world after all. }The uga student was not the one who broke in. First, it is not readable "by the world" --- by using that choice of words you seem to be intentionally misleading. In fact, at the best the file was readable *by*all*users*of*that*system*. That is hardly "the world", and surely did not include the hacker who actually penetrated the system. Second, far more reasonable than your "readable by the world after all" is the position that everything within the uga security perimeter should at least be presumed potentially sensitive. Third, the allegation is that the student KNEW that the information was sensitive and _knowingly_ gave it to the hacker for the purpose of attempting to crack passwords. Now, the student might not have known that this was actually as serious a matter as being a felony under Georgia law, but still can hardly be defended as a harmless/blameless action. /Bernie\
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/15/91)
In article <64655@bbn.BBN.COM> cosell@bbn.com (Bernie Cosell) writes: >ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > >Third, the allegation is that the student KNEW that the information was >sensitive and _knowingly_ gave it to the hacker for the purpose of >attempting to crack passwords. Now, the student might not have known >that this was actually as serious a matter as being a felony under >Georgia law, but still can hardly be defended as a harmless/blameless >action. > Not merely an allegation; the student admitted it. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
rogue@cellar.UUCP (Rache McGregor) (06/15/91)
cosell@bbn.com (Bernie Cosell) writes: > ... > > }What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu > }to a "hacker" who had already penetrated another system, and who wanted > }to use a password-guessing program to break into athena. The student was > }fully aware that he was assisting in a break-in. > -------------------------------------------------------------------------- > > }the file is readable by the world after all. > }The uga student was not the one who broke in. > > First, it is not readable "by the world" --- by using that choice of > words you seem to be intentionally misleading. In fact, at the best > the file was readable *by*all*users*of*that*system*. That is hardly > "the world", and surely did not include the hacker who actually > penetrated the system. I can't help but notice your contradiction of the original article. The *ahem* hacker (please use cracker in the future, even if Georgians would get offended) clearly did not break into the system at uga. Only intent to break into athena was noted, not an actual break-in. Rachel K. McGregor : Let the fire be your friend : Call the a/k/a Rogue Winter : And the sea rock you gently : Cellar at rogue@cellar.uucp : Let the moon light your way : 215/336-9503 {tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free : BBS & Usenet
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/15/91)
In article <770J43w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: >cosell@bbn.com (Bernie Cosell) writes: > >> }What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu >> }to a "hacker" who had already penetrated another system, and who wanted >> }to use a password-guessing program to break into athena. The student was >> }fully aware that he was assisting in a break-in. >> >> }the file is readable by the world after all. >> }The uga student was not the one who broke in. >> >> First, it is not readable "by the world" --- by using that choice of >> words you seem to be intentionally misleading. In fact, at the best >> the file was readable *by*all*users*of*that*system*. That is hardly >> "the world", and surely did not include the hacker who actually >> penetrated the system. > >I can't help but notice your contradiction of the original article. The >*ahem* hacker (please use cracker in the future, even if Georgians would get >offended) clearly did not break into the system at uga. Only intent to break >into athena was noted, not an actual break-in. > The cracker had already broken into another of the University's computers. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
bei@dogface (Bob Izenberg) (06/16/91)
cosell@bbn.com (Bernie Cosell) writes: > Now, the student might not have known > that this was actually as serious a matter as being a felony under > Georgia law, but still can hardly be defended as a harmless/blameless > action. I don't know any of the people involved in this situation, and I don't attend the school in question, so I have to view it through fairly general but possibly Rose-colored (heh heh heh) glasses. We have, in all fairness, only heard one side of this issue speak with any authority. The student in question, whose name isn't mentioned here out of (what may be) respect for their privacy, hasn't had their say in this medium of expression. The pointy-eared among us may admit that there are two possibilities: "They are unable to respond. They are unwilling to respond." It's unknown whether the school account was his (the generic, "I don't know this person's gender but I need a pronoun here," his) sole method of electronic communication, and a little anonymity might look pretty good right now. But here's the problem that I have: It's always the "authorities" that talk about their view of what may or may not be found to be criminal activities. They talk and talk in as many forums as possible, in as sensational a form as possible (and I don't have Michael Covington in mind when I say that,) in some cases when they're not even "authorities" (except to The Media) anymore. The little guy, the accused, the one who we so blithely talk about denying higher education to, doesn't have a voice here. What we might hear would be an apology (perhaps heartfelt, perhaps mandated by courts or lawyers) or an explanation of the circumstances from their point of view. The school probably won't provide the student with an avenue for expression, and if it did, this might make a statement condemning the student's own actions seem like part of a compromise of some kind. Whatever we did hear (or read, rather) would be their own statement, filtered through lawyers, perhaps, but not (until I know otherwise) penned by a representative of the aggrieved University. I have a question or three for Michael Covington: Does the student in question still have computing privileges? Do they have access to Usenet, and can they post freely? If anything other than the student themselves would keep them from telling their own story, please say so. Is the computer that the passwd file came from funded in any way by student activities fees (or whatever the surcharge that supports the school paper, radio station, film club, et cetera is called) charged by the school? I remember more than a few instances of schools that assessed the activities fee and then unequally gave access to those media. Someone with a better memory may be able to give specific examples. The long and short of it seems to be that up to now, the school has had the floor. Remember the old saw about equal access to express your opinion not being so equal when your (conceptual) opponent has a clear channel radio station and you've got a soapbox on the corner. Side note: I understand that there are reasons why The Student's name doesn't appear here. In writing this, I felt the same sense of awkwardness that I get when reading the symbolic references to "The Central Park Jogger." There is more than one student, and more than one jogger, but the names of both people haven't been made public. In somebody's mind, there is an awareness that some people have been through enough, and ad hominem publicity won't make their lot any easier. While there is no similarity in their situations, there may be in our reaction. People who've had trouble, be it self-inflicted or not, shouldn't have to be hearing about it the rest of their lives, nor should their families and friends. -- Bob Opinions expressed in this message are those of its author, except where messages by others are included with attribution. No endorsement of these opinions by Ralph Kirkley Associates or IBM should be inferred. Bob Izenberg [ ] Ralph Kirkley Associates work: 512 838 6311 [ ] bei@presto.austin.ibm.com home: 512 346 7019 [ ] bei@dogface.UUCP CIS: 76615.1413@compuserve.com
learn@ddsw1.MCS.COM (William Vajk) (06/16/91)
In article <1637@lehi3b15.csee.Lehigh.EDU> Paul Orphanos writes: >passwd file off to someone. That's like telling bank robbers where the >safe is, and how to disable the alarms. Sure, you did'nt give them >the combination, and you might not have been near the scene of the >crime. But are you guilty of being an accomplis? Most definitely. Question #1: Is anyone going to learn anything because this particular student is being punished ? Question #2: What is the likelihood that this interruption to the student's education will become permanent. If we understand that the student's behavior, while not serious (in my opinion) was sociopathic, what has the university done other than to divest themselves of this troublesome individual ? I have never been convinced that suspensions or expulsions should be considered as discipline for non-academic failures in a university setting. It seems to me the entire raison d'etre is overlooked in these cases. >With a passwd file, you don't have to guess ANY user id's, only >passwords. And we all know how careful users are in choosing >passwords. Most of the unixoid systems I've used require combinations of numbers and letters in the password, this being bypassed by the root login authority. Bill Vajk
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/16/91)
I appreciate your concern that the student who was suspended cannot speak here to defend himself. However, let me point out that: (1) The suspension was imposed on him by a court of three of his fellow students; (2) At his hearing, he pleaded guilty and admitted knowing that he was sending /etc/passwd to someone who habitually tried to break into computers, and thereby facilitating a probable break-in. Computers at Georgia are not funded by student activity fees or lab fees. The main UNIX system was donated to the University by Sun Microsystems and is operated by the Department of Computer Science as a service to the University community. So this student is not being denied anything that he paid for. Finally, I reject the idea that the world divides sharply into "authorities" and "little guys." We're all computer users. Some of us are also sysadmins. Believe me, it was not just the sysadmins who were upset to find that /etc/passwd had been mailed out -- it was all the users who were knowledgeable enough to understand what this action meant. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
rogue@cellar.UUCP (Rache McGregor) (06/16/91)
mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > I appreciate your concern that the student who was suspended cannot > speak here to defend himself. > > However, let me point out that: > (1) The suspension was imposed on him by a court of three of his > fellow students; Since we've had discussions here before about the possible differences between a jury of fellow citizens and a jury of one's peers, what was the computer expertise of the three student judges? > (2) At his hearing, he pleaded guilty and admitted knowing that he > was sending /etc/passwd to someone who habitually tried to break into > computers, and thereby facilitating a probable break-in. Pardon me if this has been asked before, but I believe we've all been assuming that the cracker has no relationship to the University. What was the relationship, if any, between the University and the cracker? Was [he] a student? A former student or employee? What had [he] done while breaking into the other system, and what measures are being taken against [him]? > Computers at Georgia are not funded by student activity fees or lab fees. > The main UNIX system was donated to the University by Sun Microsystems > and is operated by the Department of Computer Science as a service to > the University community. So this student is not being denied anything > that he paid for. This is not to defend the student, but I'm of the "school" that if a student is paying tuition, they're paying for the entire university, and that anything (not underwitten by the defense department and requiring a security clearnce) set up for student use should be open to all students. > Finally, I reject the idea that the world divides sharply into "authorities" > and "little guys." We're all computer users. Some of us are also sysadmins. > Believe me, it was not just the sysadmins who were upset to find that > /etc/passwd had been mailed out -- it was all the users who were knowledgeabl > enough to understand what this action meant. Just out of curiosity, what's the facutly/student ratio of the sysadmins? Rachel K. McGregor : Let the fire be your friend : Call the a/k/a Rogue Winter : And the sea rock you gently : Cellar at rogue@cellar.uucp : Let the moon light your way : 215/336-9503 {tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free : BBS & Usenet
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/17/91)
Concerning the choice of punishment and the ultimate fate of this student, here are some details. The University had two concerns: (1) To get this student to grow up and understand his ethical obligations; (2) To deter others from attempting computer break-ins. On point (1), we chose to use the Student Judiciary rather than bring criminal charges, precisely so this fellow would not have a criminal record and so his name would be kept confidential. We felt that he was not a hardened criminal, but rather a basically immature person who failed to understand his responsibilities and was too easily influenced by others. The only penalties the Student Judiciary can impose are expulsion, suspension, or community service. As witness for the prosecution, I asked for a light sentence because I thought it would best serve both (1) and (2). Many crackers believe they will never suffer _any_ punishment for computer break-ins, so even a relatively light punishment will have a substantial deterrent effect. My own feeling is that 2 quarters' suspension is exactly right. It's desirable to get this person away from the University's computers for a while, and away from the small circle of crackers that he was apparently associating with. I don't think this will make him a college dropout. We especially ruled out computer-related community service (e.g., making him work, unpaid, at a help desk) because of the widespread myth that if you get caught cracking passwords, some employers will view this as proof that you are a computer genius. We wanted to make it clear that unethical behavior is never a qualification for a technical job, paid or unpaid. I would like to hear from others who have more specific ideas of how crackers should be punished. During this particular case I found that almost everybody wanted to be harsher than I did. Widespread sentiment was that he should have been expelled. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
jet@karazm.math.uh.edu (J Eric Townsend) (06/17/91)
Just a note on all of this. Recently, our department's master key (opens all our offices) was stolen. It wasn't hidden, it was kept in the receptionist's desk in the main office. We figure that a student took advantage of one of the many times the front office was left unattended for a few seconds to snatch the key. It's a regular occurence for a student to bring in some sort of paperwork to drop off with an advisor -- the receptionist(s) will usually go make a photocopy and give the student back the original. At any rate, people were exploding left and right, but it was never suggested that receptionists be fired or that it was their fault. The biggest problem was getting everybody new keys, since the semester was ending and many people were leaving for the summer. If the student(s) are caught, they'll probably be expelled. Period. How is this any different than stealing /etc/passwd from a unix system? -- J. Eric Townsend - jet@uh.edu - bitnet: jet@UHOU - vox: (713) 749-2126 Skate UNIX! (curb fault: skater dumped) -- If you're hacking PowerGloves and Amigas, drop me a line. --
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/17/91)
In article <cN8m44w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: >mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >> (1) The suspension was imposed on him by a court of three of his >> fellow students; > >Since we've had discussions here before about the possible differences >between a jury of fellow citizens and a jury of one's peers, what was the >computer expertise of the three student judges? > Minimal, as far as I know. Both the prosecution and the defense had the opportunity to present the judges with written briefs on the relevant technical aspects. >> (2) At his hearing, he pleaded guilty and admitted knowing that he >> was sending /etc/passwd to someone who habitually tried to break into >> computers, and thereby facilitating a probable break-in. >Pardon me if this has been asked before, but I believe we've all been >assuming that the cracker has no relationship to the University. What was >the relationship, if any, between the University and the cracker? Was [he] a >student? A former student or employee? What had [he] done while breaking >into the other system, and what measures are being taken against [him]? > I can't comment at this time; there is an ongoing investigation. >> Computers at Georgia are not funded by student activity fees or lab fees. >> The main UNIX system was donated to the University by Sun Microsystems >> and is operated by the Department of Computer Science as a service to >> the University community. So this student is not being denied anything >> that he paid for. > >This is not to defend the student, but I'm of the "school" that if a student >is paying tuition, they're paying for the entire university, and that >anything (not underwitten by the defense department and requiring a security >clearnce) set up for student use should be open to all students. Tuition pays about 20% of the cost of running a state university. The rest is paid by the taxpayers. Anyhow, the student isn't paying for the whole computer, he's paying for HIS SHARE of it, and if he endangers data not belonging to himself, he has obviously overstepped the limits. Are all our student computers open to all students? Of course not. The chemistry department does not provide computers for the art department. All our computers are open to all students who fall into the category for which they were set up. > >Just out of curiosity, what's the facutly/student ratio of the sysadmins? > None of the sysadmins of athena.cs.uga.edu are faculty. One is a full- time staff member, and the rest, as best I understand it, are students. In the AI lab (aisun1.ai.uga.edu and its kin), there is one faculty sysadmin and four or five student sysadmins. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
muffy@remarque.berkeley.edu (Muffy Barkocy) (06/17/91)
In article <1991Jun16.175816.7079@menudo.uh.edu> jet@karazm.math.uh.edu (J Eric Townsend) writes:
Just a note on all of this. Recently, our department's master key
(opens all our offices) was stolen.
[...]
How is this any different than stealing /etc/passwd from a unix system?
It's guaranteed that the key will open all of the offices; there is no
guarantee that the password file will give access to *any* of the
accounts, much less all of them. In addition, the only use for the key
is to open the offices; the password file can be used for several things
other than actually "opening" the accounts. One such use that I have
seen is discovering the percentage of passwords that *are* crackable.
Please don't start flaming about my trying to excuse or justify any
behavior; I'm just answering the question - there *are* differences.
Muffylearn@ddsw1.MCS.COM (William Vajk) (06/18/91)
In article <15434@athena.cs.uga.edu> Michael A. Covington writes: >Computers at Georgia are not funded by student activity fees or lab fees. >The main UNIX system was donated to the University by Sun Microsystems >and is operated by the Department of Computer Science as a service to >the University community. So this student is not being denied anything >that he paid for. You earlier stated that there are no public access systems at Ga. Now you further support the contention by stating that the Unix system is a service to the University community. Since the student was a student and has/had no other means or reason to access the Unix system in question, his access to the computer was tied up in the parcel of his matriculation, and as I generally understand matters, other students paying no greater fees than the student under discussion access the machine. In short, machine access is inseparable from paying tuition and fees to the Ga Tech. Thus, although there hasn't been till now a separate fee for computer access, he has actually paid computer access fees as part of the monies he paid to Ga Tech. The fact that Ga Tech has buried this cost within other fees and tuition isn't the student's problem, but might well come back to haunt the administration one of these days. Before anyone runs and thoughtlessly initiates a new fee structure for students using a university computer, it best be understood that if a separate fee structure is imposed, a much greater degree of professional system management will be required by those who are paying access fees than seems to be the standard fare on many of the internet systems. I am not being critical of any system. But there is a general awareness that with heavy student participation in the management and decision making the cost/benefit factors favor educating new sysadmins at the expense of reliability. This is, after all, one of the purposes of having such equipment available at universities. But what remains is that one cannot separate out some students, for any reason whatsoever, and stipulate they have no computer access and provide justification by saying that they didn't pay for access. Furthermore, if fees are charged, no part of the usage may be subsidized except from access fees. This means th real world costs associated with the computer must be paid for by the academic population actually using the computer. In the long run, it is easier to permit all students to access the machines, not kick anyone off, and not talk out of both sides of one's mouth at the same time. If you don't want students accessing some information or another, then safeguard it as well as you're supposed to. In my opinion, the student we're discussing behaved stupidly. But look at the wonderful example set by Ga Tech in their infinite wisdom. The system has behaved as stupidly as the student. Perhaps moreso. I lived in suburban Atlanta some 25 years ago. I had heard some progress was made down there. What I see and read here indicates to me that absolutely nothing has changed since I left in 1966. Bill Vajk
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/18/91)
In article <1991Jun18.011127.1782@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William Vajk) writes: > >But what remains is that one cannot separate out some students, for any >reason whatsoever, and stipulate they have no computer access and provide >justification by saying that they didn't pay for access. Huh? We didn't do any such thing. Several of our computers are open to all students. Our student was suspended for aiding a series of break-ins in progress. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
rogue@cellar.UUCP (Rache McGregor) (06/18/91)
mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > In article <1991Jun18.011127.1782@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William > > > >But what remains is that one cannot separate out some students, for any > >reason whatsoever, and stipulate they have no computer access and provide > >justification by saying that they didn't pay for access. > > Huh? We didn't do any such thing. Several of our computers are open > to all students. > > Our student was suspended for aiding a series of break-ins in progress. This is the second time you have made the statement "suspended for aiding a series of break-ins in progress." Yet when we ask you about the alleged cracker making the break-ins, you say that you can reveal nothing because an investigation is in progress. I'm sorry that it took me a day to notice the discrepancy. You have already tried, convicted, and sentenced a student in a court of academic justice for aiding someone who apparently has not been charged by any academic or state judicial system. Rachel K. McGregor : Let the fire be your friend : Call the a/k/a Rogue Winter : And the sea rock you gently : Cellar at rogue@cellar.uucp : Let the moon light your way : 215/336-9503 {tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free : BBS & Usenet
rita@eff.org (Rita Marie Rouvalis) (06/18/91)
In article <cN8m44w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: >mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > > >> Computers at Georgia are not funded by student activity fees or lab fees. >> The main UNIX system was donated to the University by Sun Microsystems >> and is operated by the Department of Computer Science as a service to >> the University community. So this student is not being denied anything >> that he paid for. > >This is not to defend the student, but I'm of the "school" that if a student >is paying tuition, they're paying for the entire university, and that >anything (not underwitten by the defense department and requiring a security >clearnce) set up for student use should be open to all students. Just a small point here. But if the accused student is paying for those computers, so is everyone else. And if that student acts to deny the rest of the students the proper access of the system, or compromises the system in some way, then he should not be allowed to. I used to work in the student union of my university overseeing the pool tables etc. Occasionally we would get some bonehead who would break a triangle or stick or something on purpose. The defense was always "Well, I paid for it with my student activity fee." My reply was always "So did I." -- Rita Marie Rouvalis (NB new address!!) rita@eff.org The Electronic Frontier Foundation | when this yellow rose leaned, 155 Second Street | cupping yesterday's rain, Cambridge, MA 02141 | glassy drops extravagant and poised.
gwangung@milton.u.washington.edu (Just another theatre geek.....) (06/18/91)
In article <0aNq42w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: !mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: !> In article <1991Jun18.011127.1782@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William !> >But what remains is that one cannot separate out some students, for any !> >reason whatsoever, and stipulate they have no computer access and provide !> >justification by saying that they didn't pay for access. !> Huh? We didn't do any such thing. Several of our computers are open !> to all students. !> !> Our student was suspended for aiding a series of break-ins in progress. ! !This is the second time you have made the statement "suspended for aiding a !series of break-ins in progress." Yet when we ask you about the alleged !cracker making the break-ins, you say that you can reveal nothing because an !investigation is in progress. ! !I'm sorry that it took me a day to notice the discrepancy. ! !You have already tried, convicted, and sentenced a student in a court of !academic justice for aiding someone who apparently has not been charged by !any academic or state judicial system. Big deal. Think about it. Do the words "separate investigation", "plea bargain" or "separate jurisdiction" mean anything to you? Jesus, folks....use some common sense..... -- ----- Roger Tang, gwangung@milton.u.washington.edu Middle-class weenie, art nerd and all-around evil nasty spermchucker
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/18/91)
In article <0aNq42w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: >mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: >> Our student was suspended for aiding a series of break-ins in progress. > >This is the second time you have made the statement "suspended for aiding a >series of break-ins in progress." Yet when we ask you about the alleged >cracker making the break-ins, you say that you can reveal nothing because an >investigation is in progress. > >You have already tried, convicted, and sentenced a student in a court of >academic justice for aiding someone who apparently has not been charged by >any academic or state judicial system. > Of course. Never heard of separate jurisdictions? Must we catch all the crackers in the world before taking action against any one of them? What _this_ fellow did was perfectly clear. Related incidents are still being investigated. You folks are going to have to live with the fact that I can't post a full description of the case. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
abrams@cs.columbia.edu (Steven Abrams) (06/19/91)
I really hate to do this, but I'm fed up with this thread. There are only a few facts of relevance in this entire affair. 1) Student knew a cracker. 2) Student knew cracker was going to attempt to crack the UGa computers. 3) Student gave cracker /etc/passwd to help him or her crack the UGa computers. If the student offered /etc/passwd or responded to a request for /etc/passwd is a subtle point, but for the purposes of this discussion, all that is relevant is that the student knew that /etc/passwd would help the cracker and that the student gave it. We now have a simple case of aiding and abetting. In fact, it does not even matter if the crack was ever attempted; the student played an active role in assisting what was believed to be an attempted crack of UGa's computers. This was not a case of a student running COPS to check the security of the system. This was not a case of a student attempting to learn more about Unix or computers in general by hacking or cracking. This was a case of a student actively forwarding a crackers efforts at cracking the UGa system. Punishment is certainly in order. Arguments of the form ``Here's my /etc/passwd entry: Crack me!'' have no place here. Persons who post this information are obviously confident of the security of their password. That's their choice. The student in question did not say, ``Please notify me if you wish your /etc/passwd entry included in the list I am mailing to a cracker.'' The student just gave them out. There are net.people who are on their high moral horses about "Institutes of Higher Education" and how everything that takes place within those hallowed halls should be a learning experience. Maybe so, but there are cases where punitive measures are in order, as well as cases where the learning experience may need to be intimately connected with the punishment. The student may truly not realize how wrong this action was. If the punishment were help desk duty, community service, or some other primarily educational task, the student would not learn the severity of the offense; instead the student might learn how easy it is to manipulate the system to avoid punishment, or (worse) that a breach of computer security is less of an offense than a breach of any other type of security. Regardless, let me ignore the discussion on the severity of the punishment for now, as this is (I understand) being appealed by the student. All those who believe that this incident should go unpunished, or that the powers that be are flexing their neanderthal muscles by finding a poor helpless student guilty of an offense that is not really an offense, or all those that are ranting and raving over limiting access to campus computers (when such access is, as I understand it, being provided to the campus as a service of the CS department), need to get a grip on reality. If you're busy arguing about the fairness of a student judiciary committee, or of the administrative's totalitarian attitude, or convicting people without evidence, then guess what. You're convicting the administration based solely on your conjecture and your generalization of all such administrations. No due process, no innocent until proven guilty. In other words, you are guilty of the offense you accuse others of. I have noticed a long time ago that the ranters and ravers of this world (well, at least this net) are correct with a probability inversely proportional to their rant:reason ratio. I have seen very little in the way of reason directed against Michael Covington. And he has maintained diplomacy and poise in the face of inanitiy and flames. I congratulate him for this. Most of his net adversaries on this issue can not compete with him on this matter. Please note that I have no connection whatsoever with UGa, Michael Covington, the student in question, or the cracker. ~~~Steven /************************************************* * *Steven Abrams abrams@cs.columbia.edu * **************************************************/ #include <std/dumquote.h> #include <std/disclaimer.h> -- /************************************************* * *Steven Abrams abrams@cs.columbia.edu * **************************************************/ #include <std/dumquote.h> #include <std/disclaimer.h>
gl8f@astsun.astro.Virginia.EDU (Greg Lindahl) (06/19/91)
In article <ABRAMS.91Jun18172843@division.cs.columbia.edu> abrams@cs.columbia.edu (Steven Abrams) writes: >This was not a case of a student running COPS to check the >security of the system. Not only have I never said it was, I was attempting to make it clear all along that I was talking about UGa's COPS policy and NOT the current break-in. Looks like it's fairly useless to attempt to discuss more than one thing at a time. >All those who believe that this incident should go unpunished, I've seen only a couple of people here who thought this. Most of the discussion was on other topics, such as: o Why should students without evil intent be restricted? o Why are some sysadmins slow to close obvious security holes? Too bad no one has made much of an effort to present the "other side" on these topics.
rogue@cellar.UUCP (Rache McGregor) (06/19/91)
gwangung@milton.u.washington.edu (Just another theatre geek.....) writes: > Big deal. > > Think about it. Do the words "separate investigation", "plea > bargain" or "separate jurisdiction" mean anything to you? > > Jesus, folks....use some common sense..... > > > -- > ----- > Roger Tang, gwangung@milton.u.washington.edu > Middle-class weenie, art nerd and all-around evil nasty spermchucker Yes, and so do the words "Riggs" and "Neidorf." My argument is that I expect a University, with a smaller reach and perhaps more idealism, to use its judiciary system better than the government uses its. Rachel K. McGregor : Let the fire be your friend : Call the a/k/a Rogue Winter : And the sea rock you gently : Cellar at rogue@cellar.uucp : Let the moon light your way : 215/336-9503 {tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free : BBS & Usenet
ear@wpi.WPI.EDU (Eric A Rasmussen) (06/19/91)
In article <ABRAMS.91Jun18172843@division.cs.columbia.edu> abrams@cs.columbia.edu (Steven Abrams) writes: >I really hate to do this, but I'm fed up with this thread. > >There are only a few facts of relevance in this entire affair. [rest of article deleted for brevity] Congratulations on writing a very clear headed and to the point message, sir. I couldn't agree more, and you have saved me the trouble of having to write it myself. +---------< Eric A. Rasmussen - Mr. Neat-O (tm) >---------+ +< Email Address >+ | A real engineer never reads the instructions first. | | ear@wpi.wpi.edu | | (They figure out how it works by playing with it.) | | ear%wpi@wpi.edu | +---------------------------------------------------------+ +-----------------+ ((( In Stereo Where Available )))
mbrown@testsys.austin.ibm.com (Mark Brown) (06/19/91)
gl8f@astsun.astro.Virginia.EDU (Greg Lindahl) writes: > o Why should students without evil intent be restricted? Why should a sysadmin have to go around determining "intent" in the first place? Why shouldn't the student be forced to get permission *first*, before trying to compromise a system others use? > o Why are some sysadmins slow to close obvious security holes? What is *obvious*? To whom? Why are some users eager to abuse security holes? What else do sysadmins do for a living? DISCLAIMER: My views may be, and often are, independent of IBM official policy. Mark Brown IBM PSP Austin, TX. | Crazed Philosophy Student (512) 823-3741 VNET: MBROWN@AUSVMQ | Kills 15 In Existential Rage! MAIL: mbrown@testsys.austin.ibm.com | --tabloid headline
gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) (06/21/91)
In article <8589@awdprime.UUCP> mbrown@testsys.austin.ibm.com (Mark Brown) writes: >Why shouldn't the student be forced to get permission *first*, before >trying to compromise a system others use? The question was about running COPS. You can run COPS without compromising anything -- it tests for security holes, it doesn't break in and delete files. I see no reason why I, Joe Average User with no interest in breaking in, but a big interest in protecting my confidential files, should have to plead with the admin to run COPS. I just run it. >> o Why are some sysadmins slow to close obvious security holes? > >What is *obvious*? To whom? Well, we've heard examples of admins who apparently leave holes open that can be detected by COPS. To *me*, that's pretty obvious. >Why are some users eager to abuse security holes? Beats me. I'm not one of them. And not letting me run COPS is not a way to stop abuse.
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/21/91)
For the nth time, we did not suspend a student for running COPS. We suspended a student for sending an /etc/passwd file to a cracker who had requested it in order to commit a break-in. Two message threads have become cross-linked somehow. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (06/21/91)
In article <1991Jun21.021942.8150@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >For the nth time, we did not suspend a student for running COPS. I haven't seen anyone suggest that you did. You did say, however, that it's against policy for students to run COPS without "asking permission". >Two message threads have become cross-linked somehow. Yup, it helps if you read carefully.
mbrown@testsys.austin.ibm.com (Mark Brown) (06/21/91)
gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) writes: | mbrown@testsys.austin.ibm.com (Mark Brown) writes: | | >Why shouldn't the student be forced to get permission *first*, before | >trying to compromise a system others use? | | The question was about running COPS. You can run COPS without | compromising anything -- it tests for security holes, it doesn't break | in and delete files. The *question* is "why should students be criticized for probing security?". COPS is just one method used. | I see no reason why I, Joe Average User with no interest in breaking | in, but a big interest in protecting my confidential files, should | have to plead with the admin to run COPS. I just run it. I see no reason why I, Sam Harried-Administrator with 2000 users on 25 systems, should have to investigate the intent of every user who trips one of my security alarms. I'm not against the testing of system security. I just think it's common courtesy to ask permission first, since I'm responsible for the system you are "testing" (perhaps with a program more destructive - witness the Morris case). And, since [here comes the flame-bait] student users in general tend to be more inquisitive and less respectful of the system [flame bait over] [CAVEAT- I use my own student experience as an example] I would *require* permission in a University environment. [Dons asbestos underwear] DISCLAIMER: My views may be, and often are, independent of IBM official policy. Mark Brown IBM PSP Austin, TX. | Crazed Philosophy Student (512) 823-3741 VNET: MBROWN@AUSVMQ | Kills 15 In Existential Rage! MAIL: mbrown@testsys.austin.ibm.com | --tabloid headline
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (06/22/91)
In article <8670@awdprime.UUCP> mbrown@testsys.austin.ibm.com (Mark Brown) writes: >I see no reason why I, Sam Harried-Administrator with 2000 users on 25 >systems, should have to investigate the intent of every user who >trips one of my security alarms. Sorry, I guess I wasn't clear. I was saying that users should only be prohibited from doing security checks with evil intent. I don't bother to investigate anyone's intent; my system is secure against the holes that COPS checks for. >I just think it's common courtesy to ask permission first, since I'm >responsible for the system you are "testing" (perhaps with a program >more destructive - witness the Morris case). Which means you think it's OK to say "no" ? >And, since [here comes the flame-bait] student users in general tend to be >more inquisitive and less respectful of the system [flame bait over] >[CAVEAT- I use my own student experience as an example] I would >*require* permission in a University environment. Uhuh. Right. I'm glad you don't work for a university. Btw, I'm a student as well as a system administrator.
mbrown@testsys.austin.ibm.com (Mark Brown) (06/23/91)
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes: | mbrown@testsys.austin.ibm.com (Mark Brown) writes: | | >I see no reason why I, Sam Harried-Administrator with 2000 users on 25 | >systems, should have to investigate the intent of every user who | >trips one of my security alarms. | | Sorry, I guess I wasn't clear. | | I was saying that users should only be prohibited from doing security | checks with evil intent. I don't bother to investigate anyone's | intent; my system is secure against the holes that COPS checks for. I guess *I* wasn't clear. _Who_decides_evil_intent_? _Do_I_have_to_determine_intent_every_time_an_alarm_goes_off_? I posit that it is labor-intensive and potentially harmful to users to be forced to question their "intent" all the time. I posit that notification in advance, while not only GOOD MANNERS, also frees me to check on *real* attempts without wasting time (on my part, or on the students' when she is investigated for "attempting to crack the system"). What do you have against this? I see it as a simple courtesy to the admins of the system you are prodding. One More Thing: _I_don't_care_if_it_is_COPS_or_any_other_device_. _That_is _not_relevant_. | >I just think it's common courtesy to ask permission first, since I'm | >responsible for the system you are "testing" (perhaps with a program | >more destructive - witness the Morris case). | | Which means you think it's OK to say "no" ? Yes, if I, as system admin, determine o your device is potentially destructive o your device is wasteful and you want to use it during peak time And to be clear: _Since_I_,_as_admin_,_am_*responsible*_to_ALL_users_of_ the_system_(as well as the owners of said system)_I_will_be_conservative_in _my_judgement_. If you wanted to run a "Morris worm" on an isolated system at 2am, then that's a different story. If you wanted to run COPS most any time, that's not a problem, but only because I know COPS. Your administrator may not know COPS from anything else -- what's the use in scaring her when you can be polite and ask in advance? Doesn't hurt anything. | >And, since [here comes the flame-bait] student users in general tend to be | >more inquisitive and less respectful of the system [flame bait over] | >[CAVEAT- I use my own student experience as an example] I would | >*require* permission in a University environment. | | Uhuh. Right. I'm glad you don't work for a university. | | Btw, I'm a student as well as a system administrator. [I *knew* I'd get a response!] I'm glad you have the time to deal with every "system tester" that comes along. DISCLAIMER: My views may be, and often are, independent of IBM official policy. Mark Brown IBM PSP Austin, TX. | Crazed Philosophy Student (512) 823-3741 VNET: MBROWN@AUSVMQ | Kills 15 In Existential Rage! MAIL: mbrown@testsys.austin.ibm.com | --tabloid headline
learn@ddsw1.MCS.COM (William Vajk) (06/23/91)
gwangung@milton.u.washington.edu (Just another theatre geek.....) writes: >In article <0aNq42w164w@cellar.UUCP> rogue@cellar.UUCP (Rache McGregor) writes: !!This is the second time you have made the statement "suspended for aiding a !!series of break-ins in progress." Yet when we ask you about the alleged !!cracker making the break-ins, you say that you can reveal nothing because an !!investigation is in progress. !!You have already tried, convicted, and sentenced a student in a court of !!academic justice for aiding someone who apparently has not been charged by !!any academic or state judicial system. > Big deal. > Think about it. Do the words "separate investigation", "plea >bargain" or "separate jurisdiction" mean anything to you? > Jesus, folks....use some common sense..... Don't be so quick, Roger Tang. You've apparently missed the obvious. There must be a trail of evidence. The student in question stands convicted of a "crime" which has not been proven. 1) there must be a crime. 2) now you procede to case #2 which is aiding and abetting by sending the file. McGregor has just demonstrated that according to the information available to us, step #1 hasn't happened. The validity of step 2 is seriously in doubt till the first step is established. Brings back into focus the problems associated with Darden, Riggs, and Grant, who made a very serious tactical error of pleading guilty before the Neidirf trial. >Roger Tang, gwangung@milton.u.washington.edu >Middle-class weenie, art nerd and all-around evil nasty spermchucker I am not amused. Bill Vajk
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/23/91)
Good point... a sysadmin cannot investigate "intent" every time an alarm goes off. The other thing about "intent" is that every cracker I've ever heard of has convinced _himself_ that his intentions were above reproach. Having good intentions is not enough; in a civilized society, people actually obey the rules. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/23/91)
In article <1991Jun22.232427.4643@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William Vajk) writes: > >Don't be so quick, Roger Tang. You've apparently missed the obvious. > >There must be a trail of evidence. The student in question stands convicted >of a "crime" which has not been proven. > > 1) there must be a crime. > > 2) now you procede to case #2 which is aiding and abetting > by sending the file. > At this point I cannot give you the precise evidence. However, it is _not_ necessary to convict the principal in a crime before convicting an accessory. It is only necessary to prove that the crime occurred and that the accessory knew he was assisting in the crime. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
gl8f@astsun8.astro.Virginia.EDU (Greg Lindahl) (06/24/91)
In article <1991Jun22.234109.25051@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes: > >Good point... a sysadmin cannot investigate "intent" every time an >alarm goes off. Especially when your idea of an alarm is: OH MY GOD! THEY'RE RUNNING COPS! I have yet to have an alarm go off, because I've tested the security of my system and I'm not paranoid.
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) (06/24/91)
In article <8711@awdprime.UUCP> mbrown@testsys.austin.ibm.com (Mark Brown) writes: >I guess *I* wasn't clear. > >_Who_decides_evil_intent_? >_Do_I_have_to_determine_intent_every_time_an_alarm_goes_off_? I guess we're batting 0 for 2 here. I don't need to decide intent very often. Because I have, I think, fairly carefully checked security on my system, I don't care if the COPS runner has evil intent or not, because odds are they aren't going to find anything. >I posit that it is labor-intensive and potentially harmful to users to be >forced to question their "intent" all the time. An ounce of prevention is worth 10 pounds of harrassment of the poor users. >I posit that notification in advance, while not only GOOD MANNERS, also >frees me to check on *real* attempts without wasting time (on my part, or >on the students' when she is investigated for "attempting to crack the >system"). But why should I have to inform you about doing what I consider to be routine things? "Oh, I'm testing a program that uses fork(), I just wanted to warn you because there's a slight chance that I might have reversed some tests and could accidentally crash the system. Want to read my code just in case". Or, how about: "I'm about to type in a line to the shell, and you know that no matter what I set out to type, I could accidentally fill up the disk or something so you better review each line before I type it, OK?" The point I am attempting to illustrate is that on what I consider to be a reasonably secure system, the admin does not need to worry about users running COPS. >| Which means you think it's OK to say "no" ? > >Yes, if I, as system admin, determine > o your device is potentially destructive > o your device is wasteful and you want to use it during peak time That's fine. These are the same criteria every admin uses to evaluate anything, at least I do. But the original thread was about a sysadmin who says "no one can run COPS without my permission", and it was pretty clear that he would deny permission on other grounds, like "well, I don't know you and I don't trust you, so no, you can't." >If you wanted to run COPS most any time, that's not a problem, but >only because I know COPS. Indeed, so one might wonder why you jumped into a thread about COPS. I only brought up intent at all to show that it's silly to deny ALL users the right to run COPS. That's all it was mentioned for. >Your administrator may not know COPS from anything else -- what's the use >in scaring her when you can be polite and ask in advance? If I run into an administrator who has big holes that can be spotted by COPS, I don't want to use his machine. Period. I'm out of there. I don't understand why I should spend any of my time telling any sysadmin that I am about to do something that's totally ethical and legal. >I'm glad you have the time to deal with every "system tester" that comes >along. I've ignored them totally, and have had no problems. My system passes the non-password portion of COPS, and I pass around memos giving people hints on how to pick good passwords. That's the ounce of prevention. The pay-off is that I don't have to be paranoid about people reading world-readable files.
mbrown@testsys.austin.ibm.com (Mark Brown) (06/25/91)
gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes: | mbrown@testsys.austin.ibm.com (Mark Brown) writes: | >I guess *I* wasn't clear. | > | >_Who_decides_evil_intent_? | >_Do_I_have_to_determine_intent_every_time_an_alarm_goes_off_? | | I guess we're batting 0 for 2 here. And *I'm* glad Greg and I have taken this to e-mail. Greg want to runs COPS unmolested. I wanted to expand this discussion to include "security probing" in general. We keep orbiting each other in our posts. | I don't need to decide intent very often. Because I have, I think, | fairly carefully checked security on my system, I don't care if the | COPS runner has evil intent or not, because odds are they aren't going | to find anything. I think I meet your criteria here. I believe in properly checking access lists, getting rid of setuid shell scripts, etc. | >I posit that it is labor-intensive and potentially harmful to users to be | >forced to question their "intent" all the time. | An ounce of prevention is worth 10 pounds of harrassment of the poor | users. I *still* maintain the if a "potential security tester" pounds on root's password 20 times (we log login attempts), I'm going to follow up. Call that harrassment, if you will. | >I posit that notification in advance, while not only GOOD MANNERS, also | >frees me to check on *real* attempts without wasting time (on my part, or | >on the students' when she is investigated for "attempting to crack the | >system"). | But why should I have to inform you about doing what I consider to be | routine things? "Oh, I'm testing a program that uses fork(), I just | wanted to warn you because there's a slight chance that I might have | reversed some tests and could accidentally crash the system. Want to | read my code just in case". | | The point I am attempting to illustrate is that on what I consider to | be a reasonably secure system, the admin does not need to worry about | users running COPS. COPS is one thing. I'm *still* trying to talk about the *GENERAL* case. I refer you to the Morris incident. Good intentions with bad results. | >| Which means you think it's OK to say "no" ? | > | >Yes, if I, as system admin, determine | > o your device is potentially destructive | > o your device is wasteful and you want to use it during peak time | | That's fine. These are the same criteria every admin uses to evaluate | anything, at least I do. Yow! We agree on something! | But the original thread was about a sysadmin who says "no one can run | COPS without my permission", and it was pretty clear that he would | deny permission on other grounds, like "well, I don't know you and I | don't trust you, so no, you can't." I tried to expand things to the *GENERAL* case, because COPS ISN"T THE ONLY THING USED to "probe" security. I agree, I agree, I agree, COPS IS SAFE. | Indeed, so one might wonder why you jumped into a thread about COPS. I | only brought up intent at all to show that it's silly to deny ALL | users the right to run COPS. That's all it was mentioned for. I wanted to explore restrictions of this type, in general. You want to stay mired in COPS. | If I run into an administrator who has big holes that can be spotted | by COPS, I don't want to use his machine. Period. I'm out of there. I | don't understand why I should spend any of my time telling any | sysadmin that I am about to do something that's totally ethical and | legal. Common courtesy, perhaps. Something that's still pretty rare out there in the Electronic Frontier. DISCLAIMER: My views may be, and often are, independent of IBM official policy. Mark Brown IBM PSP Austin, TX. | Crazed Philosophy Student (512) 823-3741 VNET: MBROWN@AUSVMQ | Kills 15 In Existential Rage! MAIL: mbrown@testsys.austin.ibm.com | --tabloid headline
gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) (06/25/91)
In article <8723@awdprime.UUCP> mbrown@testsys.austin.ibm.com (Mark Brown) writes: >| If I run into an administrator who has big holes that can be spotted >| by COPS, I don't want to use his machine. Period. I'm out of there. I >| don't understand why I should spend any of my time telling any >| sysadmin that I am about to do something that's totally ethical and >| legal. > >Common courtesy, perhaps. Er, to me "common courtesy" says that I don't bother an admin with meaningless tripe. It also says that if I spot a security problem, I tell them. That's what I do. I don't ask permission before I do legal and ethical things, like checking if half the users have trivial passwords. If you'd like to discuss what the limits of legal and ethical are, perhaps you could start with some examples of what you think isn't so that we have some idea what you think. It's hard to have a discussion without a starting point. It's also a good idea to carefully pick the group and the person you plan on discussing things with.
purdon@athena.mit.edu (James R. Purdon III) (06/25/91)
In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: > >I just read this on ga.general... >---------------------------------------------------------------- >---From: mcovingt@athena.cs.uga.edu (Michael A. Covington) >---Newsgroups: ga.general >---Subject: Student suspended for helping hackers >---Summary: Student deliberately compromised security of athena.cs.uga.edu >---Date: 11 Jun 91 04:21:01 GMT >---Organization: University of Georgia, Athens > >The University will soon be issuing a news release about this incident. >In the meantime, here is a summary: > >(1) A number of unauthorized users have been using various University >of Georgia computers. Most of them have left much more of a trail than >they realized and will be hearing from us. Here are the results of a "finger @athena.cs.uga.edu" command: [athena.cs.uga.edu] Login Name TTY Idle When Where dardis Anthony Dardis p0 Mon 16:11 uscn-gw.cc.uga.e fantz Todd Fantz p1 Mon 16:41 uscn-gw.cc.uga.e quelch Geoffrey E. Quelch p3 Mon 10:41 sheridan.ccqc.ug steele Frank Steele p4 Mon 16:46 128.192.24.30 greg Greg Whitlock *co Mon 16:54 ben Benjamin Jeyaretnam p0 Mon 16:57 uscn-gw.cc.uga.e lapena Chito Lapena p4 Mon 16:49 128.192.24.124 jalluri Ravi K. Jalluri p5 Mon 16:50 uscn-gw.cc.uga.e Does this constitute unathorized usage? Will I be hearing from UGA? If you claim that this is authorized usage on my part, please show me some policy statement indicating this. >(2) The first person actually caught as part of this incident has now >been sentenced to 2 quarters' suspension, plus a probated expulsion, >by the Student Judiciary. This was a U.Ga. student whose name cannot >be released due to confidentiality of educational records. > >What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu >to a "hacker" who had already penetrated another system, and who wanted >to use a password-guessing program to break into athena. The student was >fully aware that he was assisting in a break-in. Is UGA in the practice of monitoring its users' email? If so, does this include both outgoing and incoming messages? If it includes incoming messages, then is the reasonable expectation of privacy assumed by external senders of email being violated, as you have neglected to inform the net (at least within the United States, where such regulations hold) of your monitoring? In any case, should we assume that messages sent to our colleges at UGA are being read by other than their intended recipients? >Two points that everyone may need to be reminded of: > >(1) Unauthorized computer use is a felony under Georgia law (which is >about to become even stricter, on this point, than it is already). The Georgia law is so broad as to allow any sort of accusation to be made. Under Georgia law, my finger command can be labelled as unauthorized access, and I may be prosecuted. Under Georgia law, a bad login attempt due to a mistyped login name could be construed as unauthorized access. In any case, Georgia law makes for bad university policy. At the time I attended UGA there was not even a clearly formulated policy as to what constituted appropriate use - such use was decided in an entirely arbitrary fashion by the system administrators of OCIS. One would hope things have changed, but I doubt it. >(2) We cannot presume that any intruder is harmless. To keep the machine >safe for everyone, we have to presume that every unauthorized user intends >something destructive. It's very common for an intruder to say "I meant no >harm" when in fact a transcript of his session shows that he was trying to >crash the machine or delete people's files. Evidence, please. And from your statement you seem to be admitting that as a matter of course, UGA records the sessions of its authorized users. Have you informed your users of this fact? >The University of Georgia has no public-access UNIX machines. If anyone >gives you a password on one of our machines, please contact me. > >---------------------------------------------------------------- > >I didn't know that doing things with an /etc/passwd >would be considered unauthoprized use. Its your tough luck to live in Georgia, where horribly broad laws determine what constitutes unauthorized use. What's even worse, you don't actually have to use, just attempt to use. Ever try to list a file only to find it wasn't readable? If you have, you're a potential felon. >the file is readable by the world after all. It hardly matters what the access permissions were. All that matters is authorization, which is not well-defined (actually, not defined at all). >The uga student was not the one who broke in. As a matter of fact, there is no indication (from the article) that there was a break-in at all. >I have some serious problems with UGA supending him. At the very least, one wonders if there was a publicly-known policy stating that the export of /etc/passwd constituted unauthorized use. One wonders at the methods used to gain evidence. One wonders if UGA is persuing a felony conviction. Should we mention due process? >I am a little too "exam-week-weary" to articulate my feelings well, >but I thought that you guys should know about this. Given my experience at UGA, it does not surprise me in the least. Of course, You should be careful. Your use of Usenet, if not specifically authorized could be construed as unauthorized use. >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? Under Georgia statute, a felony charge could be brought for "attempting to access a computer without authorization." Suspension certainly would be a possibility. >Well, you guys can mull it over today, I need some sleep. Its hard to sleep when you have badly written laws. > >-Mike Goldsman > > > >-- >------------------------------------------------------------------------ >Mike Goldsman >36004 Georgia Tech Station >Atlanta Georgia, 30332, 404-872-5146 -- Jim Once I was a fetus. Now I am a person, and a married person as well.
lear@turbo.bio.net (Eliot) (06/25/91)
purdon@athena.mit.edu (James R. Purdon III) writes: >If it includes incoming messages, then is the reasonable expectation >of privacy assumed by external senders of email being violated, as >you have neglected to inform the net (at least within the United >States, where such regulations hold) of your monitoring? I presume you are talking about ECPA. Those regulations were written so that service providers could snoop all they want. Service providers and their employees are specifically allowed to snoop, so long as [1] they do not disclose the information they learn, and [2] they found the information in the course of their duties. As I recall ECPA goes on to further allow that same group of people to disclose to law enforcement officials any evidence that might be involved in a criminal proceeding. Don't rely on ECPA. -- Eliot Lear [lear@turbo.bio.net]
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/25/91)
Where were you all month? People have been giving me grief about this for a long time. In answer to some of your questions and accusations: (1) By unauthorized use we mean knowing use of stolen or guessed passwords. Of course finger, anonftp, etc., are not "unauthorized"; don't be silly. (2) No email was intercepted. An intruder stored some files on disk without authorization. Since they did not belong to any known user, we looked at them to see what they were. One was a saved copy of the infamous email message. (By the way, we didn't blithely assume that the header on it was genuine; we checked it out.) (3) The suspension was imposed by the Student Judiciary after a hearing before a court of the student's peers. The whole process was monitored by professional counselors. It was _not_ a matter of some computer science prof saying "Suspend this student!" and them just doing it. (4) The student was suspended, not because of technical details, but because the court determined that his _intent_ was to endanger the whole computer system. He was given ample opportunity to explain and defend himself, and given trained help in doing so. (5) There is further evidence which I cannot reveal because of ongoing investigations of related incidents, and because of confidentiality. (6) Please do not post IMAGINARY SCENARIOS about how unreasonable the University MIGHT have been. We're talking about a _real_ incident here. -- ------------------------------------------------------- Michael A. Covington | Artificial Intelligence Programs The University of Georgia | Athens, GA 30602 U.S.A. -------------------------------------------------------
lear@turbo.bio.net (Eliot) (06/26/91)
Greg Lindahl writes: >An ounce of prevention is worth 10 pounds of harrassment of the poor >users. And UNIX source is worth how much these days? Some bugs require source to figure out a fix. >Or, how about: "I'm about to type in a line to the shell, and you know >that no matter what I set out to type, I could accidentally fill up >the disk or something so you better review each line before I type it, >OK?" Are we talking logical conclusions or absolutism here? How about not going off the deep end? Just because I like a good sun tan doesn't mean I want a trip to the sun. The point is that you would be derelict in your duties if the hair on the back of your neck did not rise when someone ran COPS on your system. It means either they have your ethics or they're a cracker. If they stop with COPS, and if you've tightened your system up, then you have nothing to worry about. But what if they play more games? -- Eliot Lear [lear@turbo.bio.net]
learn@ddsw1.MCS.COM (William Vajk) (06/27/91)
In article <1991Jun22.234109.25051@athena.cs.uga.edu> Michael Covington writes: >Having good intentions is not enough; in a civilized society, >people actually obey the rules. Yep. Blindly following all the rules quickly, and rightly, garners the label 'good little German.' Try again, Michael ? Bill Vajk
learn@ddsw1.MCS.COM (William Vajk) (06/27/91)
In article <1991Jun23.010428.1440@athena.cs.uga.edu> Michael Covington writes: >In article <1991Jun22.232427.4643@ddsw1.MCS.COM> William Vajk writes: >>There must be a trail of evidence. The student in question stands convicted >>of a "crime" which has not been proven. >> 1) there must be a crime. >> 2) now you procede to case #2 which is aiding and abetting > by sending the file. > At this point I cannot give you the precise evidence. > However, it is _not_ necessary to convict the principal in a crime > before convicting an accessory. It is only necessary to prove that > the crime occurred and that the accessory knew he was assisting in > the crime. Excuse me for pointing this out. Are we experiencing an attention deficit her or what ? I just said there must be a crime. The crime must be proved. Have you indicated the crime was proved? Is there a trail of evidence that the individual who cracked athena (if indeed they did) was catually the same individual to whom your student sent the passwor file? If not, then the accessory wasn't an accessory to a "crime." Regarding that "crime" it appears that some number of states have laws on the books which are already sorely in need of revision as they were modeled on some ill advised precepts. I need only remind you of the 'back of the bus' laws of the past. No, laws aren't always right, they're just laws. A little civil disobedience, anyone? Bill Vajk