purdon@athena.mit.edu (James R. Purdon III) (06/28/91)
As you may all recall, recently there was a posting describing a student who was suspended for mailing the /etc/passwd file of athena.cs.uga.edu to another individual who was going to run a password guesser against it. In the posting, mention was made of the Georgia law against computer fraud and abuse, which was claimed to be strict and in the process of being made more strict.

To me, the article seemed to indicate two things:

a. Either email or terminal sessions were logged and read as a matter of course, without prior suspicion of wrongdoing.
b. The mention of Georgia law, rather than UGA policy, meant that UGA did not have a clearly stated policy regarding computer use.

In response, I wrote a posting of a critical nature. In my opinion, the Georgia law is too broad to be good policy. In my posting, I printed the output of a "finger @athena.cs.uga.edu" and pointed out that because I had not been explicitly authorized by UGA to use their machine in this fashion, I could be charged with a felony under Georgia law.

After my posting, I received a private communication from a person at UGA asking that I reconsider my posting, because of certain statements that were made by the student at his hearing, which indicated the student's intent was not innocent.

Well, I still think it's wrong to routinely log and review the contents of terminal sessions and email without prior suspicion and without informing users that a policy of routine logging and review is in effect.

Today I noticed that athena.cs.uga.edu is no longer responding to finger requests. While I know there are security issues regarding fingerd, I wonder if my posting had anything to do with it... Or maybe it's just a temporary aberration.

--
Jim

Once I was a fetus. Now I am a person, and a married person as well.
marchany@vtserf.cc.vt.edu (Randy Marchany) (06/28/91)
In article <1991Jun27.183621.14667@athena.mit.edu> purdon@athena.mit.edu (James R. Purdon III) writes:
>As you may all recall, recently there was a posting describing a student
>who was suspended for mailing the /etc/passwd file of athena.cs.uga.edu
>to another individual who was going to run a password guesser against it.
>In the posting, mention was made of the Georgia law against computer
>fraud and abuse, which was claimed to be strict and in the process of
>being made more strict.
>a. Either email or terminal sessions were logged and read as a matter of
>   course, without prior suspicion of wrongdoing.
>b. The mention of Georgia law, rather than UGA policy, meant that UGA
>   did not have a clearly stated policy regarding computer use.
>In response, I wrote a posting of a critical nature. In my opinion, the
>Georgia law is too broad to be good policy. In my posting, I printed
>Well, I still think it's wrong to routinely log and review the contents of
>terminal sessions and email without prior suspicion and without informing
>users that a policy of routine logging and review is in effect.

Excerpt from the Georgia Computer Systems Protection Act, Title 16, Ch. 9, section 90.

16-9-93. Accessing of computers, etc. for fraudulent purposes; unauthorized access, alteration, destruction, etc., of computers, etc.

a) Any person who knowingly and willfully, directly or indirectly, w/o authorization, accesses, causes to be accessed or attempts to access any computer, computer system or network ....is owned by state, county, or local govn't for the purpose of:
   1) devising any scheme or artifice to defraud or;
   2) obtaining money, property or services for themselves or another by means of false or fraudulent pretenses, representations or promises,
upon conviction thereof, shall be fined a sum of not more than 2.5 times the amount of the fraud or theft or imprisoned not more than 15 years or both.

b) Any person who intentionally and w/o authorization, directly or indirectly accesses, alters, damages, destroys or attempts to damage or destroy any computer, computer system or network or any computer software, program or data, upon conviction thereof, shall be fined not more than $50,000.00 or imprisoned not more than 15 years or both.

16-9-95. Duty to report violations of this article; immunity from liability for making such report.

It is the duty of every business; partnership; college, university; person; state, county or local governmental agency or dept. or branch thereof; corporation or other business entity which has reasonable grounds to believe that a violation of this article has been committed to report promptly the suspected violation to law enforcement authorities. (the rest of the article states that when done in good faith, the various entities are immune from any civil liability).

As an old Doonesbury cartoon said, "it may or may not be wrong but it sure is against the law....".

Machine readable text of computer crime statutes of at least 25 states are available via anonymous FTP from ftp.cs.widener.edu under the /pub/cud/law directory.

-Randy Marchany
bagchi@eecs.umich.edu (Ranjan Bagchi) (06/28/91)
Michael Covington has at least once gone through the ways that
that /etc/passwd mailer was identified. They had an account which
they knew/suspected was pirated, for lack of a better word. They
searched the account, and found a copy of the message with /etc/passwd
in it. They verified the header, and had the person who mailed it.
It's not that I agree with the punishment, I've stated
repeatedly that I think suspension is much too harsh. But blind
speculation as to what happened just discredits you.
-rj
--
Ranjan Bagchi | cd /tmp; while (1)
bagchi@eecs.umich.edu | mkdir spam; cd spam
| end
birchall@pilot.njin.net (Official Random) (06/28/91)
Randy (at VT) :
I fail to see how mailing /etc/passwd falls under any of the items you quoted in your post. Please explain which of those paragraphs would apply to it, and by what interpretation.

-shag
--
------ If you want to know who I am, finger me. I enjoy it anyway. My opinions are no one's. ------
marchany@vtserf.cc.vt.edu (Randy Marchany) (06/28/91)
In article <Jun.27.17.26.15.1991.28699@pilot.njin.net> birchall@pilot.njin.net (Official Random) writes:
>Randy (at VT) :
> I fail to see how mailing /etc/passwd falls under any of the items
>you quoted in your post. Please explain which of those paragraphs would
>apply to it, and by what interpretation.
> -shag

I wasn't trying to interpret anything. The poster had mentioned the Georgia law and I thought an excerpt of that law might help clarify the issue.

As another posting mentioned, I believe the sysadmins suspected an account of being misused and looked at the mail for that account and that's how they traced the /etc/passwd mail note back to the student. I don't think the actual mailing of /etc/passwd was the reason for the brouhaha, rather, it appears it was the misuse of an account that didn't belong to that student. I also presume that the valid owner of the account complained to the sysadmins although your guess is as good as mine. :-)

I think a lot of this flame war could have been avoided if all of the facts of this particular case were known to the group.

-Randy
mathew@mantis.co.uk (Industrial Poet) (06/28/91)
purdon@athena.mit.edu (James R. Purdon III) writes:
> Well, I still think it's wrong to routinely log and review the contents of
> terminal sessions and email without prior suspicion and without informing
> users that a policy of routine logging and review is in effect.

I still think it's wrong even if you do inform the users that you do it, if there is no reason for prior suspicion.

As to the question of whether denying someone access to his files by suspending his ID is a breach of copyright: it isn't.

Copyright is the right to copy something. No more and no less. The user does indeed own the copyright on his files; but that does not mean that the system owner is in any way obliged to give the user access to copies of the file which he (the user) left on the system and which he (the user) no longer has access to.

For example, copyright does not grant an author the right to enter my house in order to gain access to copies of his books which I may have been given; not even if the author himself gave them to me.

At most, the suspended user could probably insist that all copies of his files be deleted from the system.

For this reason, at college I always kept my own backups of everything I kept on the University's computer system. I heard rumours of a clause stating that stuff I put on the system became the property (and copyright) of the University, but I hadn't signed any contract to that effect so I was confident it wouldn't stand up in court.

mathew
[ Disclaimer: I'm not a lawyer. ]
purdon@athena.mit.edu (James R. Purdon III) (06/28/91)
In article <BAGCHI.91Jun27160817@hastings.eecs.umich.edu> bagchi@eecs.umich.edu (Ranjan Bagchi) writes:
>
> Michael Covington has at least once gone through the ways that
>that /etc/passwd mailer was identified. They had an account which
>they knew/suspected was pirated, for lack of a better word. They
>searched the account, and found a copy of the message with /etc/passwd
>in it. They verified the header, and had the person who mailed it.
>
> It's not that I agree with the punishment, I've stated
>repeatedly that I think suspension is much too harsh. But blind
>speculation as to what happened just discredits you.

Perhaps I'm not making myself clear. I think it's wrong to search accounts, read email, or log sessions without prior warning. If users are informed at the time they obtain their logins, or at login time that a policy of logging sessions / search on suspicion is in effect, then I have no problems with those sorts of actions. All it takes is the statement "All transactions are logged and may be reviewed at any time by system administration" in the motd or issue files and system administrators can search to their heart's content (though it might be nice to have such disclaimers on outgoing email as well). Otherwise, they are on shaky ethical ground.

As for the Georgia law, my opinion is that it's terribly broad and leaves too much for the authorities to define at their whim. For example, is fingerd a service? It certainly consumes cycles and impacts network bandwidth. Is authorization required for someone to connect to it? It seems to me that this is at the whim of the administrators. I can believe one could be charged with violating the law by running a finger against athena.cs.uga.edu. I don't think such laws should be used in place of policy.

>
> -rj
>--
>Ranjan Bagchi | cd /tmp; while (1)
>bagchi@eecs.umich.edu | mkdir spam; cd spam
> | end

--
Jim

Once I was a fetus. Now I am a person, and a married person as well.
bagchi@eecs.umich.edu (Ranjan Bagchi) (06/30/91)
In article <1991Jun28.143520.11399@athena.mit.edu> purdon@athena.mit.edu (James R. Purdon III) writes:
>In article <BAGCHI.91Jun27160817@hastings.eecs.umich.edu> bagchi@eecs.umich.edu (Ranjan Bagchi) writes:
>>
>> Michael Covington has at least once gone through the ways that
>>that /etc/passwd mailer was identified. They had an account which
>>they knew/suspected was pirated, for lack of a better word. They
       ^^^^
       |--> not suspected, known. Don't know why I said the former.
>>searched the account, and found a copy of the message with /etc/passwd
>>in it. They verified the header, and had the person who mailed it.
>>
>> It's not that I agree with the punishment, I've stated
>>repeatedly that I think suspension is much too harsh. But blind
>>speculation as to what happened just discredits you.
>
>Perhaps I'm not making myself clear. I think it's wrong to search accounts,
>read email, or log sessions without prior warning. If users are informed
>at the time they obtain their logins, or at login time that a policy of
>logging sessions / search on suspicion is in effect, then I have no problems
>with those sorts of actions. All it takes is the statement "All transactions
>are logged and may be reviewed at any time by system administration" in the
>motd or issue files and system administrators can search to their heart's
>content (though it might be nice to have such disclaimers on outgoing email
>as well). Otherwise, they are on shaky ethical ground.

I agree with what you think. Searching accounts/reading email/logging sessions is a nasty bad thing. Everybody agrees.

But that's not what happened. In a past article, M. Covington responded to this speculation that it was known that an account was not being used by the person to whom it was issued. So it was searched. And a copy of the mailed /etc/passwd was found (why it was there is a strange point...the infiltrator could get all the copies she needed).

I don't think that the searching (find . -print | xargs cat?) of a known broken account is necessarily a bad thing. Sysadmins' jobs are, after all, to try and prevent breakins and track down perpetrators if possible.

>
>As for the Georgia law, my opinion is that it's terribly broad and leaves
>too much for the authorities to define at their whim. For example, is
>fingerd a service? It certainly consumes cycles and impacts network
>bandwidth. Is authorization required for someone to connect to it?
>It seems to me that this is at the whim of the administrators. I can
>believe one could be charged with violating the law by running a finger
>against athena.cs.uga.edu. I don't think such laws should be used in
>place of policy.

Agreed. Probably someone explained modern computing to a lawyer in about 15 minutes. A lawyer who believes "Wargames".

>
>--
>
>Jim
>
>Once I was a fetus. Now I am a person, and a married person as well.

--
Ranjan Bagchi | cd /tmp; while (1)
bagchi@eecs.umich.edu | mkdir spam; cd spam
| end