mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/13/91)
We would not penalize a student simply for running COPS even if it gave him other people's passwords. We would look at what he did with the passwords. But, technically, running a password guesser should be obviously against policy.

--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------
ccastmg@prism.gatech.EDU (Michael G. Goldsman) (06/13/91)
In article <1991Jun12.170520.4152@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>We would not penalize a student simply for running COPS even if it gave
>him other people's passwords. We would look at what he did with the
>passwords. But, technically, running a password guesser should be obviously
>against policy.

And where have you written that policy down in simple terms? Most every policy I have seen comes off as being vague and ambiguous. The interpretation of those policies can be an inexact science.

About your "rape" comparison... I feel that picking bad passwords is not the user's fault at all but the sys admin's fault. If I hear a sys admin complaining about how badly the users' actions are compromising security, he had better have an intelligent password changing program in use for the users, else he loses all credibility to me. Shadow passwords are not really enough to do the job; users must be constrained as to how they can change the password. By simply using the heuristics from COPS (check for uid, last name, and common words etc...) the feasibility of randomly guessing passwords, even with access to /etc/passwd, degrades by a large factor.

Back to the rape comparison, it's more like the sys admin is a member of a fraternity which gets one of its female guests passed-out drunk at a frat party. Then he advertises this fact to his brothers. (This was a joke, guys.. no flames please)

What the student did was definitely a stupid move, but it's a move which should give you guys a message: implement intelligent security measures. Georgia Tech's main computer system has 23,000 accounts, of which perhaps 5,000 are used. (this is just an estimate...). /etc/passwd is readable by a large enough sample size, such that many members of the cracker community will have direct access to /etc/passwd. No, they do not have an intelligent passwd program here either.. they are just asking for trouble to occur.

The situation is irresponsible and dangerous... So when Tech complains about security and the need to restrict users' access to ftp and telnet, (there were some postings here about that about a month ago.. there's no further word on it yet.. the wheels of "progress" turn slowly) I quickly tune out.

Yes, all of this is off of the subject a bit, but you guys at UGA are going to keep having problems like this until you start doing your jobs better... the student was a symptom and not the disease.

-Mike
--
------------------------------------------------------------------------
Mike Goldsman
36004 Georgia Tech Station
Atlanta Georgia, 30332, 404-872-5146
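The kind of password-change filter Mike argues for, as an added example (not code from COPS or from anyone in this thread): it applies COPS-style heuristics, rejecting candidates derived from the login name, the GECOS name parts, or a common word, including simple variants a guesser would try. The login, GECOS string and word list are constructed for the example.

```python
"""COPS-style password quality check (added example, not COPS code)."""
import re
from typing import Optional, Set

# Constructed stand-in for a real dictionary file.
COMMON_WORDS = {"password", "secret", "welcome", "georgia", "athens", "tiger"}
MIN_LENGTH = 8


def _variants(word: str) -> Set[str]:
    """Forms a guesser would try for one base word."""
    w = word.lower()
    return {w, w[::-1], w.capitalize(), w.upper()}


def _user_words(login: str, gecos: str) -> Set[str]:
    """Words derived from the account: login name plus each GECOS name part."""
    words = {login}
    words.update(p for p in re.split(r"[\s,]+", gecos) if len(p) > 2)
    return {w.lower() for w in words}


def check_password(login: str, gecos: str, candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    # Strip trailing digits/punctuation so "secret99!" still matches "secret".
    core = re.sub(r"[\d\W_]+$", "", candidate)
    forms = {candidate, candidate.lower(), core, core.lower()}
    for base in _user_words(login, gecos):
        if forms & _variants(base):
            return "derived from account name"
    for word in COMMON_WORDS:
        if forms & _variants(word):
            return "common dictionary word"
    if candidate.isalpha() and candidate in (candidate.lower(), candidate.upper()):
        return "single-case letters only"
    return None


if __name__ == "__main__":
    # Constructed account: login "ccastmg", GECOS "Michael G. Goldsman".
    for pw in ("Goldsman1", "namsdlog", "Secret99!", "abcdefgh", "Tr0ub4dor&3"):
        print(pw, "->", check_password("ccastmg", "Michael G. Goldsman", pw))
```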
learn@piroska.uchicago.edu (William Vajk (igloo)) (06/13/91)
In article Michael A. Covington) writes:
>We would not penalize a student simply for running COPS even if it gave
>him other people's passwords. We would look at what he did with the
>passwords. But, technically, running a password guesser should be obviously
>against policy.

I don't think there's quite so much a problem with running a password guesser as there is with permitting passwords to exist which are guessable by commonly available software. Responsibility for safeguarding is, after all, a two way street. Do you really expect that hundred dollar bill you left on the sidewalk in front of the Biltmore to be there when you need it tomorrow?

Bill Vajk