[comp.org.eff.talk] Privacy of password

jba@gorm.ruc.dk (Jan B. Andersen) (06/18/91)

mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>>(2) I stick to my guns. Running a password guesser is inappropriate
>>behavior because it involves access to other people's confidential
>>information. The encrypted password is world readable; the password
>>itself is not; that's why it's encrypted!

then bernie@metapro.DIALix.oz.au (Bernd Felsche) replies:
>Running a guesser is not breaking confidentiality. If I guessed that
>you had red hair, never having seen you, and found out that you did
>indeed have red hair, then I would not be breaking confidentiality,
>even if you do wear a hat all the time.
>All I gain, upon verification, is that you have red hair, or don't.

But the difference here is that _I_ have every right to assume that my
password is private and confidential. And if I was wearing a hat night and
day because I was embarrassed by my green hair, I would be very disturbed
if I knew that you also knew it.

>You can go and change the colour, that very day.
Sure, but at my _expense_ and _inconvenience_.

>You are assuming an intent to break confidentiality, by somebody
>guessing passwords, yet they may be seeking to protect theirs, by
>ensuring that nobody else has guessable passwords. You are punishing
>them, for checking the level of security in their environment.

>You allow students to run COPS. Do you _encourage_ them to do so?
>Security only works if it is enforced at all levels. 

At this point I would like to make a suggestion. Several users have said
that they run COPS on a system before keeping any confidential information
on it. This, as someone mentioned, caught the attention of the sysadmins,
who naturally (?) were worried about this. Now, if the purpose of running
COPS is to get an idea of how secure the system is, why not ask the sysadmins
for an edited copy of the report, which could include a note saying "We found
3 accounts which need the password changed and have notified the owners".
A copy of this report could even be posted to a local newsgroup every week.

-- 
      /|  / Jan B. Andersen                        /^^^\     .----------------.
     / | /  RUC, Hus 19,1     jba@dat.ruc.dk      { o_o }    | SIMULA does it |
    /--|/   Postbox 260       DG-passer@ruc.dk     \ o / --> | with CLASS     |
`--'   '    DK-4000 Roskilde  Postmaster@ruc.dk --mm---mm--  `----------------'