brendan@cs.widener.edu (Brendan Kehoe) (06/14/91)
tighe@convex.com wrote:

>I would also like to know how many sysadms have had security problems
>reported to them by users that have taken it upon themselves to find
>security holes.

We have one industrious user who, last fall, took it upon himself to find every old account on one of our systems, then gave the manager of that system the list of each account he was able to get into. Rare, yes. Unheard of, no.

>When I was in the systems group at a previous employer, I knew one person
>who took it upon himself to be the guardian of the system. He wouldn't
>hesitate to point things out to the sysadms (and hence 'prove' how smart he
>was). However, he often wouldn't tell them why it was a problem (after all
>the sysadms couldn't be trusted). He just told them how to fix.

That's kinda the way I am at work. (Widener's my "other" job. It has no hope of paying the rent.) We have some 3b2's networked, with pretty atrocious security (/usr/lib/uucp/Systems world-WRITABLE at one point). It's common to have people say, "Oh, yeah, we made our whole tree world-writable so everybody can work on each other's stuff." Over the past six months I've found a whole horde of things that could've been exploited (over 14 accounts w/o passwords, another 42 accounts all with the same obvious password, just for starters). I just gave the sysadmins a report of my "independent" findings; I didn't lay out exactly how each and every piece could be exploited. (Tho I did explain enough so they realized why it qualified as a hole in their security.) Now our systems are relatively secure (I finally convinced them to use shadow passwd files last month), and everyone's happy. The sysadmins at work tend more often to be trainers and less systems administrators (as is usually the case anyway); independent auditing, so to speak, helped make the jobs easier.
The only problem with such a seemingly beneficial arrangement is that if I were in any way dissatisfied with my work or the environment, I could easily withhold any choice tidbits I deemed valuable. It's a case of trust vs security. Which wins out?

--
Brendan Kehoe - Widener Sun Network Manager - brendan@cs.widener.edu
Widener University in Chester, PA   A Bloody Sun-Dec War Zone
Vanilla Ice == Richard VanWinkle .. hehe .. hohoho .. Hahahahahahahaha.