[comp.org.eff.talk] Allow students to run password guessers? Was: Re: Student suspen...

mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/24/91)

In article <1991Jun23.231749.25498@murdoch.acc.Virginia.EDU> gl8f@astsun8.astro.Virginia.EDU (Greg Lindahl) writes:
>In article <1991Jun22.234109.25051@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>>Good point... a sysadmin cannot investigate "intent" every time an
>>alarm goes off.
>Especially when your idea of an alarm is:
>OH MY GOD! THEY'RE RUNNING COPS!
>
>I have yet to have an alarm go off, because I've tested the security
>of my system and I'm not paranoid.

This is getting ridiculous. Our policy is that students are *not* allowed
to obtain passwords without the consent of the password owner, by any means
whatever.

I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,
nor that it is legitimate to run a password guesser "to see if the system
is secure." Other tests, possibly, but not something that will give you
direct access to someone else's password.

Even the Free Software Foundation notices if you call "crypt" more than a
few times (as when running a password guesser).

-- 
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia  |  Athens, GA 30602   U.S.A.
-------------------------------------------------------

gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) (06/24/91)

In article <1991Jun24.041435.5423@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:

>This is getting ridiculous. Our policy is that students are *not* allowed
>to obtain passwords without the consent of the password owner, by any means
>whatever.

But that's not what you said earlier: you said you didn't allow
students to run COPS. Some password checkers don't tell you what
passwords are when they crack them: they come back and say: "Well, I
found 16 passwords in the dictionary, I would suggest that you avoid
this system like the plague."

Second, it seems to me (and I'm hardly a lawyer) that it's entirely
legal for anyone to obtain another's password, as long as they don't
intend to do anything nasty with it. It would be much more effective
for you to run shadow password files than to restrict your users in
arbitrary and silly ways.

>I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,

Neither do I.

>nor that it is legitimate to run a password guesser "to see if the system
>is secure." Other tests, possibly, but not something that will give you
>direct access to someone else's password.

Running a password guesser doesn't necessarily give you direct access
to a password. Even if it did, it is not illegal.

>Even the Free Software Foundation notices if you call "crypt" more than a
>few times (as when running a password guesser).

Yup, because they're having security problems at the moment. But a
"professional" cracker doesn't use the system crypt() anyway, so this
policy isn't going to solve all your problems.

The only way for you to ensure a minimum level of password security is
through user education, shadow password files, and administrator
testing --- not by burying your head in the sand.

wcs) (06/25/91)

In article <1991Jun24.151726.16361@murdoch.acc.Virginia.EDU> gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) writes:
GL> Second, it seems to me (and I'm hardly a lawyer) that it's entirely
GL> legal for anyone to obtain another's password, as long as they don't
GL> intend to do anything nasty with it. It would be much more effective

	The law that Bill Cook and gang have been playing with
	lately defines an "access device" as a list of things
	including passwords, and makes unauthorizedly possessing
	more than some number like 15 of them a Federal Crime.
	(I'm not a lawyer, but I play a politician on TV;
	I'm not sure if I've still got my notes of Bill Cook's talk.)

	I'm not sure if the law covers intent, but if they can
	raid you for explaining Kermit (à la SJG), *I* wouldn't want
	to risk the MAJOR expense of having to defend myself
	against bogus charges.  Intent is in the eye of the beholder,
	and Big Brother's been getting this evil gleam in his ...

MC> I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,
	No, but it's certainly worth upgrading your passwd program
	to insist on minimally hard-to-guess passwords.
	System V has had this for years, and it shouldn't be hard to
	write a public-domain version if you can't get your
	operating system vendor to do it for you.
	The only mildly ugly parts are the password-aging code
	(RTFM carefully), making sure you don't expose the new
	password in your argv's if you're doing a spell check,
	using the correct flavor of shadow password file for your system,
	and doing a better locking mechanism than the current one.

	A nice benefit would be to make the triviality-checking
	table-driven, if you can express the requirements cleanly,
	but publishing source will do.  That way, when COPS v3 or
	ROBBERS v2 comes out, you can update your standards.

]>Even the Free Software Foundation notices if you call "crypt" more than a
]"professional" cracker doesn't use the system crypt() anyway, so
	And the cracker version would be named "gnuemacs" or "chem321",
	or "irc_client" if it's trying to break systems across the net.
-- 
				Pray for peace;		  Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# No, that's covered by the Drug Exception to the Fourth Amendment.
# You can read it here in the fine print.
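Bill's suggestion above of a table-driven triviality check in the passwd program can be sketched as follows. This is an added example, not code from any poster in the thread nor from System V's passwd or COPS: the rule table, the `check_password` function and the small `TRIVIAL_WORDS` list are all constructed here, and the word list merely stands in for the dictionary file a real installation would load. The point of the layout is that each rule is a self-contained function returning (passed, requirement), so the policy can be tightened later by adding a row to `POLICY` rather than rewriting the program.

```python
import string

# Constructed stand-in for a system dictionary / bad-password list.
TRIVIAL_WORDS = frozenset({"password", "secret", "welcome", "letmein", "qwerty", "abc123"})

# Every rule has the same shape: (password, context) -> (passed, requirement_text).
# The context dict carries the login name, the dictionary and tunable limits,
# so the rules themselves hold no state and can be reordered freely.


def rule_min_length(pw, ctx):
    n = ctx.get("min_length", 8)
    return len(pw) >= n, "at least %d characters" % n


def rule_not_username(pw, ctx):
    msg = "must not contain the login name"
    user = ctx.get("username", "").lower()
    if not user:
        return True, msg
    p = pw.lower()
    # Reject the login name forwards and reversed; both are early guesses.
    return user not in p and user[::-1] not in p, msg


def rule_not_dictionary(pw, ctx):
    msg = "must not be a dictionary word (with or without trailing digits)"
    words = ctx.get("dictionary", TRIVIAL_WORDS)
    # Normalise the way guessers do: lower-case and drop trailing digits,
    # so "Password1" is still caught by the entry "password".
    base = pw.lower().rstrip(string.digits)
    return pw.lower() not in words and base not in words, msg


def rule_char_classes(pw, ctx):
    need = ctx.get("min_classes", 3)
    msg = "characters from at least %d of: lower, upper, digit, punctuation" % need
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = sum(1 for cls in classes if any(c in cls for c in pw))
    return present >= need, msg


def rule_not_monotonous(pw, ctx):
    msg = "must not be a single repeated or sequential character run"
    if len(pw) < 2:
        return True, msg
    # "aaaaaaaa" has every step 0, "12345678" every step +1, "zyxw" every step -1.
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) > 1, msg


# The policy table: order is the order requirements are reported in.
POLICY = (
    rule_min_length,
    rule_not_username,
    rule_not_dictionary,
    rule_char_classes,
    rule_not_monotonous,
)


def check_password(pw, username, policy=POLICY, dictionary=TRIVIAL_WORDS, **limits):
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    ctx = {"username": username, "dictionary": dictionary}
    ctx.update(limits)          # e.g. min_length=10, min_classes=2
    failures = []
    for rule in policy:
        ok, requirement = rule(pw, ctx)
        if not ok:
            failures.append(requirement)
    return failures


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real credentials.
    for user, candidate in (("alice", "password1"), ("alice", "alice1234!"),
                            ("bob", "12345678"), ("alice", "Tr0ub4dor&3")):
        problems = check_password(candidate, user)
        verdict = "OK" if not problems else "rejected: " + "; ".join(problems)
        print("%-8s %-12s %s" % (user, candidate, verdict))
```

Because the program only ever sees the candidate the user is typing, it exposes nothing about other accounts, which is the property the thread is arguing over. Feeding the candidate to an external spell checker would mean passing it on a command line, the argv exposure Bill warns about; keeping the dictionary lookup in-process, as above, avoids that.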