vapspcx@prism.gatech.EDU (S. Keith Graham) (06/13/91)
Last I checked, having the ability to gain access to another user's account is not a crime. Having the ability *with intent to defraud* is a crime.

At one point, I had the ability to gain root access on our primary system here at gatech. Just because I know the 50 keystrokes doesn't make me a felon (I do hope. :) (And I did report this to the system administrators here.) (Incidentally, this almost certainly would have given me the ability to break into other systems, as a number of people have gatech's machines in their ".rhosts", probably including the system at UGA. Because I had the ability to violate their security, does this mean they should have had me suspended?)

In the same vein, possession of access codes (passwords) is not a crime. (Nor is the ability to obtain these codes from existing information, i.e. COPS, nor is the knowledge of how to break security to gain access to accounts.) If it were, all of the best unix wizards would be in jail now. :) However, a friend of mine (who just got out of jail) will be happy to tell you all about the felony count "Possession of 10 or more access codes *WITH INTENT TO DEFRAUD*".

In the case at UGA, it seems obvious that the student that was suspended was assisting someone with intent to defraud, and was aware of their motives. He should therefore be treated as harshly as the administrator would like (within the bounds of the law and university regulations.)

The sticky question arises when someone is running COPS, and you have no idea how they intend to use the results. (Or otherwise "attempting to break security".) Then the question becomes "Are users/students innocent until proven guilty?" I hope everyone (at least in this country) can answer "yes" to that question.

Keith Graham
vapspcx@prism.gatech.edu
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/13/91)
I didn't say it was a CRIME for a non-sysadmin to run Cops and obtain passwords, I said that we do not PERMIT it, i.e., it's against system policy.

There has been a whole series of messages here in which people talk about a fellow named "Michael Covington" whose opinions have little resemblance to mine.

--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------
tighe@convex.com (Mike Tighe) (06/13/91)
In article <1991Jun13.152618.28383@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>I didn't say it was a CRIME for a non-sysadmin to run Cops and obtain
>passwords, I said that we do not PERMIT it, i.e., it's against system
>policy.

I'd be interested to know what the policy is for the use of CPU time. Surely if every user fired up a copy of COPS every morning when they logged in, that would be a waste of resources. However, if users are billed for their usage, sysadms would be less inclined to worry about how users waste their time.

I would also like to know how many sysadms have had security problems reported to them by users that have taken it upon themselves to find security holes.

When I was in the systems group at a previous employer, I knew one person who took it upon himself to be the guardian of the system. He wouldn't hesitate to point things out to the sysadms (and hence 'prove' how smart he was). However, he often wouldn't tell them why it was a problem (after all the sysadms couldn't be trusted). He just told them how to fix it.

--
-------------------------------------------------------------
Mike Tighe, Internet: tighe@convex.com, Voice: (214) 497-4206
-------------------------------------------------------------
gl8f@astsun.astro.Virginia.EDU (Greg Lindahl) (06/14/91)
In article <1991Jun13.152618.28383@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>I didn't say it was a CRIME for a non-sysadmin to run Cops and obtain
>passwords, I said that we do not PERMIT it, i.e., it's against system
>policy.

Why? Why is it against policy to do something that's entirely legal? Why is it against policy to do something that's entirely ethical? Aren't you just demonstrating total lack of trust in your users?

Such an attitude is never good. Such policies can never be enforced. Such policies are just plain bad. Concentrate on the real problem, which is people doing things with malicious intent.