brendan@cs.widener.edu (Brendan Kehoe) (06/06/91)
Here's a question: how do other people deal with users that they *think*
are doing no-nos around the net? One of our users had the habit of
occasionally going net-surfing and doing the hit-and-run type of
attempts (trying 'guest' usually), but I didn't have any real proof--only
through other people. (He tended to come on about 2 hours before I'd
get up to go to work.)

After a lil chat with him, he calmed down. (He's since dropped out. <cough>)

What do other places do?

Brendan
--
Brendan Kehoe - Widener Sun Network Manager - brendan@cs.widener.edu
Widener University in Chester, PA                A Bloody Sun-Dec War Zone
Vanilla Ice == Richard VanWinkle .. hehe .. hohoho .. Hahahahahahahaha.
ehrlich@cs.psu.edu (Dan Ehrlich) (06/06/91)
In article <2D.-_.N@cs.widener.edu> brendan@cs.widener.edu (Brendan Kehoe) writes:
BK> Here's a question: how do other people deal with users that they *think*
BK> are doing no-nos around the net? One of our users had the habit of
BK> occasionally going net-surfing and doing the hit-and-run type of
BK> attempts (trying 'guest' usually), but I didn't have any real proof--only
BK> through other people. (He tended to come on about 2 hours before I'd
BK> get up to go to work.)
BK> After a lil chat with him, he calmed down. (He's since dropped out. <cough>)
BK> What do other places do?
As Penn State is still in the process of formulating an official policy, this
is what we currently do in the Computer Science department. This is not
necessarily the best approach, but it seems to work most of the time.

If we *think* that someone is engaging in abuses, either locally or
net-wide, as much information as possible is gathered and presented to the
department head. The department head will usually ask the individual to
drop by for a chat. If said individual does not heed the advice being
offered, the department head will usually ask that we more closely monitor
unusual events of all kinds and gather more concrete evidence of abuses.
With this information in hand a second meeting will usually get things under
control. If this does not work the department head always has the option of
referring the incident(s) to the Office of Student Conduct Standards.

Once Penn State's policy is formalized I will be posting a copy to this news
group.
--
Dan Ehrlich - Sr. Systems Programmer - Penn State Computer Science
<ehrlich@cs.psu.edu>/Voice: +1 814 863 1142/FAX: +1 814 865 3176
jwp@chem.ucsd.edu (John Pierce) (06/07/91)
brendan@cs.widener.edu (Brendan Kehoe) writes:
>
> Here's a question: how do other people deal with users that they *think*
> are doing no-nos around the net? One of our users .... After a lil chat
> with him, he calmed down....

Well, if talking to them about what you *think* they're doing is sufficient,
then there's no problem... If it turns out not to be....

One of the things one could do is hack things a little so one could turn
session recording on/off for uids/gids of one's choosing. If one were to turn
recording on, one would probably also quit throwing away accounting records...
just save them someplace convenient. If one got assurance that one's
suspicions had been correct, one might then go back through the official
accounting records. One probably couldn't get *proof* from those, but one
could generally find enough stuff to strongly implicate that the suspect was
in fact being a bad guy. That could possibly be used to convince them to
listen a little more closely to the word "stop".

Of course, if one did that, it would probably be a violation of the offender's
right to Privacy and right to Due Process; and I personally would find such
action morally repugnant; and the leadership of the Chemistry Department would
certainly never condone such actions; and I strongly suspect that it would
violate University Policy; and it would clearly violate the God-Given right of
schmuck undergrads to break into and trash other people's accounts without
punishment; and it would seriously damage the well-known article of the
Constitution that allows jerk grad students to with impunity use a computer to
sexually harass new workers in their labs.
rnewman@bbn.com (Ron Newman) (06/07/91)
In article <2D.-_.N@cs.widener.edu> brendan@cs.widener.edu (Brendan Kehoe) writes:
>
> Here's a question: how do other people deal with users that they *think*
>are doing no-nos around the net? One of our users had the habit of
>occasionally going net-surfing and doing the hit-and-run type of
>attempts (trying 'guest' usually), but I didn't have any real proof--only

This is a no-no? This is how many people I know first became acquainted
with the Arpanet (as it was called back then). If someone has a 'guest'
account it seems like this is an invitation for the outside world to look
around; not much different from 'anonymous' ftp.

(I like that term, 'net-surfing'. I'll have to pass it on to a friend of
mine who first discovered the network while attending the University of
California at Santa Barbara!)

/Ron Newman
rnewman@bbn.com
matth@progress.COM (Matthew J. Harper) (06/07/91)
Ron Newman <rnewman@bbn.com> writes:
>In article <2D.-_.N@cs.widener.edu> brendan@cs.widener.edu (Brendan Kehoe) writes:
>>
>> Here's a question: how do other people deal with users that they *think*
>>are doing no-nos around the net? One of our users had the habit of
>>occasionally going net-surfing and doing the hit-and-run type of
>>attempts (trying 'guest' usually), but I didn't have any real proof--only
>This is a no-no? This is how many people I know first became
>acquainted with the Arpanet (as it was called back then). If someone
>has a 'guest' account it seems like this is an invitation for the
>outside world to look around; not much different from 'anonymous' ftp.

This is indeed a no-no. Not a whole lot is being done about it legally at the
moment, but a few cases have come to trial and the accused have been found
guilty of actions such as this. (Randomly banging on machines to try and
gain access.)

Just because a guest account exists does not mean that it is there for all in
the world to log in and look around! Perhaps if we looked at a different
situation from the same outlook:

 If you leave your car unlocked with the keys in the ignition, does this give
anyone who walks by the right to take it for a spin? Even if they return it
where they found it, nobody saw them do it, and there is really no proof that
they were there?

 I think anyone would be pretty pissed if this happened.

 Is there really a difference?

Matth
--
Matthew J. Harper          UUCP:     mit-eddie!progress!matth
Progress Software Corp.    Internet: matth@progress.com
5 Oak Park                 Disclaimer: My words & ideas, That's all.
Bedford, MA 01730
russotto@eng.umd.edu (Matthew T. Russotto) (06/08/91)
In article <1991Jun7.164102.672@progress.com> matth@progress.COM (Matthew J. Harper) writes:
>
>Just because a guest account exists does not mean that it is there for all in
>the world to log in and look around! Perhaps if we looked at a different
>situation from the same outlook:
>
> If you leave your car unlocked with the keys in the ignition, does this give
>anyone who walks by the right to take it for a spin? Even if they return it
>where they found it, nobody saw them do it, and there is really no proof that
>they were there?
>
> I think anyone would be pretty pissed if this happened.
>
> Is there really a difference?

Is there really a similarity? I see a guest account as an invitation.

Oh, and if you made a habit of leaving your car unlocked with the keys in the
ignition, and people came by and took it for a spin now and then, I suspect
the cops would just laugh at you for being such an idiot if you tried to
prosecute them.
--
Matthew T. Russotto     russotto@eng.umd.edu     russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
gln@cs.arizona.edu (GaRY NEweLl) (06/08/91)
In article <1991Jun7.164102.672@progress.com>, matth@progress.COM (Matthew J. Harper) writes:
> This is indeed a no-no. Not a whole lot is being done about it legally at the
> moment, but a few cases have come to trial and the accused have been found
> guilty of actions such as this. (Randomly banging on machines to try and
> gain access.)

Could you point me towards some of these cases - I find it hard to believe
that the only thing the accused did was try to log into a machine - I assume
that there was some form of damage no?
brian@ucsd.Edu (Brian Kantor) (06/08/91)
I don't consider a single attempt to log on as "guest" to be a cracking
attempt - but then, you see, I've been arpanauting since about 1971, when
just about every system on the net HAD a guest account. Most don't nowadays,
but it's no harm to ask. Think of it as ringing the doorbell.

Trying anything else might be cause for concern. But "guest"? Naw, that's ok.

BTW, UCSD hasn't got any guest accounts. But if you try to log on as guest,
you'll politely be told that, then disconnected. According to our logs, two
or three people a day do precisely that, and most of them don't try anything
further. They're happy and so am I.
	- Brian
alden@shape.mps.ohio-state.edu (Dave Alden) (06/08/91)
In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>ignition, and people came by and took it for a spin now and then, I suspect
>the cops would just laugh at you for being such an idiot if you tried to
>prosecute them.

At first I thought you were kidding, but then I read your other posts and I
realized that you just don't have a clue. Rather than waste bandwidth I'll
just point those with a similar opinion to the Internet worm case with Robert
Morris(sp?) - he tried a similar line of reasoning and lost in court.

...dave
adrianho@barkley.berkeley.edu (Adrian J Ho) (06/08/91)
In article <1991Jun7.164102.672@progress.com> matth@progress.COM (Matthew J. Harper) writes:

[ "net-surfing" stuff deleted ]

>This is indeed a no-no. Not a whole lot is being done about it legally at the
>moment, but a few cases have come to trial and the accused have been found
>guilty of actions such as this. (Randomly banging on machines to try and
>gain access.)

How did they go about doing it? By trying for "guest" accounts, or sneakier
means (password cracking, system bugs, etc.)? I'd say there's a _big_
difference -- in the latter case, you're trying to gain access *where no such
access was ever provided for you in the first place.* If the perpetrators you
refer to gained access via "guest" accounts, I'd bet that they're on trial
for _misuse_ of the account (eg. password cracking), *not* unauthorized
access.

IMHO, unless a "guest" account user is notified somehow (eg. /etc/motd) that
"this account is _only_ for use by faculty in Uni. of X", you don't have a
case against anyone outside the U. using the same account, since the scope
of "legal use" was not made known to him/her.

>Just because a guest account exists does not mean that it is there for all in
>the world to log in and look around!

Perhaps, but _why_ do you have a guest account on your machine to begin with,
knowing full well that the world _can_ log in and look around? Aren't you
concerned with system security?

> Perhaps if we looked at a different
>situation from the same outlook:

[ car-with-key-in-ignition analogy deleted]

> I think anyone would be pretty pissed if this happened.

Sure they would, but why did they leave their cars unlocked with the keys in
the ignition to begin with?

> Is there really a difference?

Yeah, leaving your key in the ignition might be an honest mistake. I don't
see creating a "guest" account as an honest mistake (if it was, you're not
much of a sysadmin, are you?) Also, the car has an owner, and anyone . Who
owns a guest account?

[Now you know why I hate analogies. They almost never completely describe
the situation at hand.]

>Matth

To answer the original posting: Brendan, if I suspected one of the users on
our cluster of doing "no-no"s on the net, I'd ask him/her if s/he has been
doing such a thing. Even if the person is guilty and denies it, my question
may give him/her the impression that you're on to the, er, "proceedings",
which may very well be enough to halt the casual net-surfer. I'd also watch
out for any abnormal activity on the system (the nature of such activity
would of course depend on what you suspect the perpetrator to be up to).
otto@fsu1.cc.fsu.edu (John Otto) (06/08/91)
In article <1991Jun7.164102.672@progress.com>, matth@progress.COM (Matthew J. Harper) writes...
>Ron Newman <rnewman@bbn.com> writes:
>>In article <2D.-_.N@cs.widener.edu> brendan@cs.widener.edu (Brendan Kehoe) writes:
>>> Here's a question: how do other people deal with users that they *think*
>>>are doing no-nos around the net? One of our users had the habit of
>>>occasionally going net-surfing and doing the hit-and-run type of
>>>attempts (trying 'guest' usually), but I didn't have any real proof--only
>>This is a no-no? This is how many people I know first became
>This is indeed a no-no. Not a whole lot is being done about it legally at the
>moment, but a few cases have come to trial and the accused have been found
>guilty of actions such as this. (Randomly banging on machines to try and
>gain access.)
>Just because a guest account exists does not mean that it is there for all in
>the world to log in and look around! Perhaps if we looked at a different
>situation from the same outlook:
> If you leave your car unlocked with the keys in the ignition, does this give
>anyone who walks by the right to take it for a spin? Even if they return it
>where they found it, nobody saw them do it, and there is really no proof that
>they were there?

Mostly I'd be thinking how stupid I was to leave it that way. If you leave
your systems unlocked; you deserve to have people access them.
dean@coplex.uucp (Dean Brooks) (06/08/91)
russotto@eng.umd.edu (Matthew T. Russotto) writes:
>In article <1991Jun7.164102.672@progress.com> matth@progress.COM (Matthew J. Harper) writes:
>>
>>Just because a guest account exists does not mean that it is there for all in
>>the world to log in and look around! Perhaps if we looked at a different
>>situation from the same outlook:
>>
>> If you leave your car unlocked with the keys in the ignition, does this give
>>anyone who walks by the right to take it for a spin? Even if they return it
>>where they found it, nobody saw them do it, and there is really no proof that
>>they were there?
>>
>> I think anyone would be pretty pissed if this happened.
>>
>> Is there really a difference?
>Is there really a similarity? I see a guest account as an invitation.

Of course there is. That is the current problem; many people see a guest
account as an invitation. Simply because there is an account named with the
letters "g", "u", "e", "s", "t" or "d", "e", "m", "o" that doesn't
necessarily have a password, does *NOT* mean that it is legal for you to
access the account. However, as you point out, a guest/demo account w/out a
password is a very stupid idea.

>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>ignition, and people came by and took it for a spin now and then, I suspect
>the cops would just laugh at you for being such an idiot if you tried to
>prosecute them.

That doesn't change the fact that it would be illegal.
--
dean@coplex.uucp (Dean Brooks)
Copper Electronics, Inc.
Louisville, Kentucky
abraham@iesd.auc.dk (Per Abrahamsen) (06/10/91)
>>>>> On 8 Jun 91 15:52:49 GMT, dean@coplex.uucp (Dean Brooks) said:
Dean> Of course there is. That is the current problem; many people see a
Dean> guest account as an invitation. Simply because there is an account
Dean> named with the letters "g", "u", "e", "s", "t" or "d", "e", "m", "o"
Dean> that doesnt necessarily have a password, does *NOT* mean that it is
Dean> legal for you to access the account.
How about a ftp account named "anonymous"? Is that an invitation?
What would you name a login account anyone could use?
FSF used to have a guest account which everybody was allowed to use.
It was named "guest". Was that a bad name choice?
(predictably, someone chose to misuse the account, it has been closed now)
jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/10/91)
matth@progress.COM (Matthew J. Harper) writes:
> This is indeed a no-no. Not a whole lot is being done about it legally at the
> moment, but a few cases have come to trial and the accused have been found
> guilty of actions such as this. (Randomly banging on machines to try and
> gain access.)

These cases, I would assume, are mainly people who were trying to access
machines without guest accounts and a password of guest. (isn't that the
standard?) In the case of user: guest passwd: guest, I'd say that the access
was pretty much up to whomever wanted to use it. Now if they had a user:
guest and password setup to specifically limit access, then that would be
more in line with the trials I imagine you describing.

> Just because a guest account exists does not mean that it is there for all in
> the world to log in and look around! Perhaps if we looked at a different
> situation from the same outlook:

Depends - see above.

> If you leave your car unlocked with the keys in the ignition, does this give
> anyone who walks by the right to take it for a spin? Even if they return it
> where they found it, nobody saw them do it, and there is really no proof that
> they were there?
>
> I think anyone would be pretty pissed if this happened.
>
> Is there really a difference?

Yes. By using your car, they are preventing you from doing the same. By
using your guest account, however, they, in most situations, will not be
depriving you of resources. Also, they may well damage your car by driving
(a well-built, quality car still has the possibility of the user breaking
it); your guest account, if correctly installed, would not have the ability
to damage the system. These seem like two important distinctions to me.

----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries; | "Words are drugs."         |
| he knows how to turn serious accidents |     -Antero Alli           |
| to his own advantage; whatever does not|                            |
| kill him makes him stronger."          | "Culture is for bacteria." |
|     - Friedrich Nietzsche              |     - Christopher Hyatt    |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
leonard@qiclab.scn.rain.com (Leonard Erickson) (06/10/91)
adrianho@barkley.berkeley.edu (Adrian J Ho) writes:
>IMHO, unless a "guest" account user is notified somehow (eg.
>/etc/motd) that "this account is _only_ for use by faculty in Uni. of
>X", you don't have a case against anyone outside the U. using the same
>account, since the scope of "legal use" was not made known to him/her.

No. The law is exactly the opposite. Unless *you* know that the account
is for general access, you do not have the right to use it. There are
legitimate reasons for having a "guest" account (with no password) on a
system. But just as with an unlocked door, *you* are not the person
it was left unlocked for.
--
Leonard Erickson              leonard@qiclab.uucp
personal:  CIS: [70465,203]   70465.203@compuserve.com
business:  CIS: [76376,1107]  76376.1107@compuserve.com
leonard@qiclab.scn.rain.com (Leonard Erickson) (06/10/91)
jb3o+@andrew.cmu.edu (Jon Allen Boone) writes:
> Yes. By using your car, they are preventing you from doing the
>same. By using your guest account, however, they, in most situations,
>will not be depriving you of resources. Also, they may well damage
>your car by driving (a well-built, quality car still has the
>possiblity of the user breaking it); your guest account, if correctly
>installed, would not have the ability to damage the system. These
>seem like two important distinctions to me.

Sorry, but it is *impossible* to use even a guest account and not be
using *some* system resources. A socket, if nothing else. More likely
one of a *limited* number of ports.

Finally, the *correct* moral standard is "it's not yours!", not "But I'm
not hurting anything." Property rights *do* exist in c-space.
--
Leonard Erickson              leonard@qiclab.uucp
personal:  CIS: [70465,203]   70465.203@compuserve.com
business:  CIS: [76376,1107]  76376.1107@compuserve.com
jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/10/91)
leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
> No. The law is exactly the opposite. Unless *you* know that the account
> is for general access, you do not have the right to use it. There are
> legitmate reasons for having a "guest" account (with no password) on a
> system. But just as with an unlocked door, *you* are not the person
> it was left unlocked for.

As I understand it, this isn't a discussion of what the law says.
Therefore, it should be regulated to where it belongs - in the law books.
Certainly that's the way it is currently - that doesn't mean that it's the
way it OUGHT to be, which, I understand, is what we're discussing (as
usual).

leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
> Sorry, but it is *impossible* to use even a guest account and not be
> using *some* system resources. A socket, if nothing else. More likely
> one of a *limited* number of ports.

Perhaps on the systems you use - our systems never have that sort of a
problem - we always have enough resources (such as sockets, etc.) to allow
someone to access them, if they want to. However, our department has decided
that it's too much of a security risk to allow access via guest accounts or
anonymous ftp. Now, if you eat up our disk space, then people might get
upset - more likely, the problem would get forwarded to me and I'd kill your
files. End of story.

> Finally, the *correct* moral standard is "it's not yours!", not "But I'm
> not hurting anything." Property rights *do* exist in c-space.

Actually, the *correct* moral standard isn't "it's not yours!" - that's
silly. Property rights *SHOULDN'T* exist in c-space. It's incredibly dumb
to take up sectors and sectors of disk space just because you can - if we
had a more open system, my files could exist on any machine - they could be
so well distributed that the resulting drain on *ANY ONE PARTICULAR SYSTEM*
would be negligible.

Clearly, the extension of property rights to cyber-space will result in a
less-than-optimal use of resources merely to satisfy stupid primate
instincts in those who have the $$$ to buy disks, ethernet controllers, etc.
BLECH!

----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries; | "Words are drugs."         |
| he knows how to turn serious accidents |     -Antero Alli           |
| to his own advantage; whatever does not|                            |
| kill him makes him stronger."          | "Culture is for bacteria." |
|     - Friedrich Nietzsche              |     - Christopher Hyatt    |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
jstewart@rodan.acs.syr.edu (Ace Stewart) (06/10/91)
In article <1991Jun7.164102.672@progress.com> matth@progress.COM (Matthew J. Harper) writes:
>This is indeed a no-no. Not a whole lot is being done about it legally at the
>moment, but a few cases have come to trial and the accused have been found
>guilty of actions such as this. (Randomly banging on machines to try and
>gain access.)

Wait a minute. If you have a userid GUEST on your system, _expect_ people
all over the internet to try to use it. If you want a limited group of
people to use it, I suggest creating a userid of another color (i.e.
different than guest) Why? Because guest is a _standard_ on the Internet.

Now, if the user is banging on the machine in other accounts, or has found
out there is a guest account and beats on it using the normal passwords and
still refuses to stop after some time...well heck, let the sysadmin know
(please, let's not get back into sysadmin authority) on the other end of
the connection and leave it to them. Or, stop allowing access from that
site.

>Just because a guest account exists does not mean that it is there for all in
>the world to log in and look around! Perhaps if we looked at a different
>situation from the same outlook:

Well...why is it there then? Do you take-out users which try to use
anonymous FTP on your system, and if it doesn't have it, want to make sure
that they lose their account? The userid anonymous is a standard, just like
guest is. Whether or not the "Internet" started off with the idea of this
doesn't matter now. It's too late :)

> If you leave your car unlocked with the keys in the ignition, does this give
>anyone who walks by the right to take it for a spin? Even if they return it
>where they found it, nobody saw them do it, and there is really no proof that
>they were there?

What the heck is it with car analogies?

If you leave your car unlocked and with the keys in it, and it gets
stolen...I bet you dimes to donuts if you tell your insurance company that
and try to get insurance for your stolen car, they'll tell you you're out of
your mind and suggest buying a few Yugos if you want to do it again.

Were they there? Well, if no one saw them do it, how the hell do I even know
that anything was done that I should or should not be pissed about? We're
discussing things and making issues of things we're not even sure
happened!!!

--Ace
--
Ace Stewart | Affiliation: Eastman Kodak Company, Rochester, New York
jstewart@rodan.acs.syr.edu   jstewart@sunrise.bitnet   jstewart@mothra.cns.syr.edu
jstewart@sunspot.cns.syr.edu ace@suvm.bitnet           rsjns@suvm.bitnet
dave@jato.jpl.nasa.gov (Dave Hayes) (06/11/91)
leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
>>IMHO, unless a "guest" account user is notified somehow (eg.
>>/etc/motd) that "this account is _only_ for use by faculty in Uni. of
>>X", you don't have a case against anyone outside the U. using the same
>>account, since the scope of "legal use" was not made known to him/her.
>No. The law is exactly the opposite. Unless *you* know that the account
>is for general access, you do not have the right to use it. There are
>legitimate reasons for having a "guest" account (with no password) on a
>system. But just as with an unlocked door, *you* are not the person
>it was left unlocked for.

Can you guys explain, then, the case where charges were dropped in an
unauthorized entry prosecution because the system said: "Welcome to..."?
--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov       dave@jato.jpl.nasa.gov       ames!elroy!dxh
If your own vice happens to be the search for virtue, recognize that it is so.
ken@Control.COM (Ken Crater) (06/11/91)
jstewart@rodan.acs.syr.edu (Ace Stewart) writes:
>In article <1991Jun7.164102.672@progress.com> matth@progress.COM (Matthew J. Harper) writes:
>>(Randomly banging on machines to try and gain access.)
>Wait a minute. If you have a userid GUEST on your system, _expect_
>people all over the internet to try to use it. If you want a limited
>group of people to use it, I suggest creating a userid of another
>color (i.e. different than guest) Why? Because guest is a _standard_
>on the Internet.

I'm with Ace on this one. The login "guest" has evolved into a standard on
the Internet signalling the intent to allow (non-destructive) use by
otherwise uninvited individuals, much the same as anonymous ftp. Attempting
once to log into a system as "guest" hardly rates as "random banging",
hanging around to try every other login name you can think of *does* and
crosses the threshold of acceptable behavior rather dramatically. The first
implies acceding to the use of the system as intended by the sysadmin, the
latter implies an attempt to circumvent that intention.

To otherwise have a (non-passworded) userid "guest" on your system is really
dumb, something akin to leaving your car unlocked, with the keys in it and a
sign saying "please use me" (sorry, couldn't resist continuing the car bit
:-).

Seems to me that intent rules here. If a reasonable person would judge that
the intent of the sysadmin was to allow public access, and acts in a
responsible manner (with benign intent) in using that access, I think you'd
have a hard time making a *legal* case, let alone a moral one, against such
use.
--
** Ken Crater__________________________________________ken@control.com **
** Chair, Bylaws Committee         | President                        **
** Industrial Computing Society    | Control Technology Corporation   **
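Brian Kantor's logs of "two or three people a day" knocking on the door as guest, and Ken Crater's line between one guest attempt and trying every other login name, together describe a triage rule a sysadmin can run over login failure logs. The following is an added example illustrating that rule; it is not code from anyone in this thread or from any of their systems. The log line layout, the sample lines, the host names and the threshold of three distinct names are all assumptions made for the example.

```python
"""Triage failed remote-login attempts the way the thread distinguishes them:
one try at 'guest' from a source is a 'doorbell', a run of different login
names from the same source is 'probing'.

Added example, not code from any poster's system.  The log line layout is an
assumption, loosely modelled on syslog-style login failures; the sample lines
and host names below are constructed placeholders.
"""
from collections import defaultdict
import re

# Constructed sample data (not from a real system).
SAMPLE_LOG = """\
Jun  7 04:12:33 host login[4021]: FAILED LOGIN user=guest from=alpha.example
Jun  7 04:40:10 host login[4050]: FAILED LOGIN user=guest from=beta.example
Jun  7 04:40:31 host login[4051]: FAILED LOGIN user=root from=beta.example
Jun  7 04:40:52 host login[4052]: FAILED LOGIN user=sync from=beta.example
Jun  7 04:41:15 host login[4053]: FAILED LOGIN user=uucp from=beta.example
Jun  7 09:02:01 host login[4100]: FAILED LOGIN user=guest from=gamma.example
Jun  7 09:02:02 host syslogd: restart
Jun  8 02:15:44 host login[4301]: FAILED LOGIN user=guest from=alpha.example
Jun  8 02:16:05 host login[4302]: FAILED LOGIN user=demo from=alpha.example
"""

# Assumed layout: "<Mon> <day> <hh:mm:ss> <host> login[<pid>]: FAILED LOGIN user=<name> from=<source>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"login\[\d+\]: FAILED LOGIN user=(?P<user>\S+) from=(?P<src>\S+)$"
)

PROBE_THRESHOLD = 3  # distinct login names from one source before we call it probing


def parse_failures(text):
    """Yield (date, user, source) for every failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        yield f"{m['mon']} {int(m['day']):02d}", m["user"], m["src"]


def classify_sources(text, threshold=PROBE_THRESHOLD):
    """Map each source to (sorted distinct names tried, label).

    'doorbell': only 'guest' was tried, the benign case Kantor and Crater describe
    'probing' : at least `threshold` distinct names were tried
    'review'  : anything in between, left for a human to look at
    """
    names_by_src = defaultdict(set)
    for _date, user, src in parse_failures(text):
        names_by_src[src].add(user)
    verdict = {}
    for src, names in names_by_src.items():
        if names == {"guest"}:
            label = "doorbell"
        elif len(names) >= threshold:
            label = "probing"
        else:
            label = "review"
        verdict[src] = (sorted(names), label)
    return verdict


def doorbells_per_day(text):
    """Count, per day, the sources whose only attempt that day was 'guest'."""
    names_by_day_src = defaultdict(lambda: defaultdict(set))
    for date, user, src in parse_failures(text):
        names_by_day_src[date][src].add(user)
    return {
        date: sum(1 for names in by_src.values() if names == {"guest"})
        for date, by_src in names_by_day_src.items()
    }


if __name__ == "__main__":
    for src, (names, label) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {label:9} tried: {', '.join(names)}")
    for date, count in doorbells_per_day(SAMPLE_LOG).items():
        print(f"{date}: {count} guest-only visitor(s)")
```

On the constructed sample, alpha.example tries guest and later demo and lands in "review", beta.example runs through four names and is flagged as probing, and gamma.example is a plain doorbell; the per-day count for Jun 07 is two guest-only visitors, matching the sort of figure Kantor reads off his logs. The threshold is deliberately a parameter, since what counts as "hanging around" is a local judgement.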
john@mintaka.mlb.semi.harris.com (John M. Blasik) (06/12/91)
leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
>
>No. The law is exactly the opposite. Unless *you* know that the account
>is for general access, you do not have the right to use it. There are

What law?

and then dave@jato.jpl.nasa.gov writes:
>
>Can you guys explain, then, the case where charges were dropped in an
>unauthorized entry prosecution because the system said: "Welcome to..."?

Urban Legend.
--
john
bagchi@eecs.umich.edu (Ranjan Bagchi) (06/13/91)
In article <1991Jun7.215349.11643@zaphod.mps.ohio-state.edu> alden@shape.mps.ohio-state.edu (Dave Alden) writes:
>In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>>ignition, and people came by and took it for a spin now and then, I suspect
>>the cops would just laugh at you for being such an idiot if you tried to
>>prosecute them.
>
>At first I thought you were kidding, but then I read your other posts and I
>realized that you just don't have a clue. Rather than waste bandwidth I'll
>just point those with a similar opinion to the Internet worm case with Robert
>Morris(sp?) - he tried a similar line of reasoning and lost in court.
>
>...dave

If we're agreeing that Morris' Worm was a Bad Thing, I'm still going to
resist going with saying that the holes in the OpSys were just like leaving
the door open in your car with keys in the ignition. It wasn't. It was more
like picking locks, which everyone knows can work, but most people aren't
going to devote the resources to go about it. Granted, that Everybody knew
about the holes which Morris took advantage about it, but he did have to use
at least a bit of sophistication to use them, and that's where the
difference is.

I really don't think there should be a whole lot of protection for people
who insist on being stupid and having publicly accessible accounts called
"guest".
--
--------------------------------------------------------------------------------
Ranjan Bagchi - asleep......   | v,i,j,k,l,s,a[99];
bagchi@eecs.umich.edu          | main() {
-------------------------------  for(scanf("%d",&s);*a-s;v=a[j*=v]-a[i],k=i<s,j+=(v=j<s&&(!k&&!!printf(2+"\n\n%c"-(!l<<!j)," #Q"[l^v?(l^j)&1:2])&&++l||a[i]<s&&v&&v-i+j&&v+i-j))&&!(l%=s),v||(i==j?a[i+=k]=0:++a[i])>=s*k&&++a[--i]) ; }
                                 /* Osovlanski and Nissenbaum */
--------------------------------------------------------------------------------
russotto@eng.umd.edu (Matthew T. Russotto) (06/13/91)
In article <1991Jun7.215349.11643@zaphod.mps.ohio-state.edu> alden@shape.mps.ohio-state.edu (Dave Alden) writes:
>In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>>ignition, and people came by and took it for a spin now and then, I suspect
>>the cops would just laugh at you for being such an idiot if you tried to
>>prosecute them.
>
>At first I thought you were kidding, but then I read your other posts and I
>realized that you just don't have a clue. Rather than waste bandwidth I'll
>just point those with a similar opinion to the Internet worm case with Robert
>Morris(sp?) - he tried a similar line of reasoning and lost in court.

Robert Morris Jr. (the Jr. IS significant) did a hell of a lot more than
access a dialup whose status (for restricted use or not) was unknown. What
he did was write a program which would exploit known BUGS in systems and
access them-- and tie them up, though I'm told that was a bug in his
program. The proper analogy in this case is joyriding in all the Fiats I
could find if I knew that a well placed blow on a Fiat would open the door,
and sticking a screwdriver behind the dash would defeat the ignition lock.
--
Matthew T. Russotto     russotto@eng.umd.edu     russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
russotto@eng.umd.edu (Matthew T. Russotto) (06/13/91)
In article <1991Jun10.052806.4214@qiclab.scn.rain.com> 70465.203@compuserve.com writes:
>adrianho@barkley.berkeley.edu (Adrian J Ho) writes:
>
>>IMHO, unless a "guest" account user is notified somehow (eg.
>>/etc/motd) that "this account is _only_ for use by faculty in Uni. of
>>X", you don't have a case against anyone outside the U. using the same
>>account, since the scope of "legal use" was not made known to him/her.
>
>No. The law is exactly the opposite. Unless *you* know that the account
>is for general access, you do not have the right to use it. There are
>legitimate reasons for having a "guest" account (with no password) on a
>system. But just as with an unlocked door, *you* are not the person
>it was left unlocked for.

I don't suppose you can quote the law? (For computers, not for illegal entry of a residence. BTW, it isn't illegal to enter an unlocked commercial office building....) Is it the Computer Fraud and Abuse Act of 198x (the one Morris was convicted on?)

--
Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
jstewart@rodan.acs.syr.edu (Ace Stewart) (06/13/91)
In article <1991Jun12.201850.2980@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>Robert Morris Jr. (the Jr. IS significant) did a hell of a lot more
>than access a dialup whose status (for restricted use or not) was
>unknown. What he did was write a program which would exploit known
>BUGS in systems and access them--and tie them up, though I'm told that
>was a bug in his program.

I offer the following information and opinion tentatively, but feel it worthwhile considering.

Folx, _someone_ was bound to do this, be thankful a bug in the program allowed thousands of systems admins to fix their machines to correct the leaks. R. Morris, Jr. is being viewed as a bad guy, and depending on your view of things, he is _all_ bad. Please remember that were he a different person, a whole other load of things could've happened to systems that didn't and quite frankly, I can imagine sites that would still be recovering from the disaster even up to and including today.

And, for all of that, he'll probably get a very good job. :}

--Ace

--
Ace Stewart | Affiliation: Eastman Kodak Company, Rochester, New York
jstewart@rodan.acs.syr.edu jstewart@sunrise.bitnet jstewart@mothra.cns.syr.edu
jstewart@sunspot.cns.syr.edu ace@suvm.bitnet rsjns@suvm.bitnet
thornley@cs.umn.edu (David H. Thornley) (06/14/91)
In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>ignition, and people came by and took it for a spin now and then, I suspect
>the cops would just laugh at you for being such an idiot if you tried to
>prosecute them.

Actually, they probably would laugh at you for an idiot, but they'd also be of some assistance. They would accept the report and let you know if your car turned up. Your insurance company will be equally sympathetic and a lot less helpful.

DHT
kludge@grissom.larc.nasa.gov ( Scott Dorsey) (06/14/91)
In article <BAGCHI.91Jun12132001@snarf.eecs.umich.edu> bagchi@eecs.umich.edu (Ranjan Bagchi) writes:
> I really don't think there should be a whole lot of protection
>for people who insist on being stupid and having publicly accessible
>accounts called "guest".

Nothing stupid at all about having publicly accessible guest accounts. If you have a guest account, you expect guests to use it. That's why it's called a "guest" account. Much like having an anonymous FTP set up, you have it there for people to use it. And if you have it there, you should have it protected somewhat.

True, the net is a much less open and safe place than it was fifteen years ago. But if you make the point that you don't want people hacking on this account and that there isn't much on the machine that's worthwhile, you shouldn't have a problem. That's not to say that you don't keep a good eye on what's going on there to make sure that there aren't any problems, but that's what system administration is all about, folks.

--scott
russotto@eng.umd.edu (Matthew T. Russotto) (06/14/91)
In article <1991Jun14.005425.25048@cs.umn.edu> thornley@cs.umn.edu (David H. Thornley) writes:
>In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>>Oh, and if you made a habit of leaving your car unlocked with the keys in the
>>ignition, and people came by and took it for a spin now and then, I suspect
>>the cops would just laugh at you for being such an idiot if you tried to
>>prosecute them.
>
>Actually, they probably would laugh at you for an idiot, but they'd also
>be of some assistance. They would accept the report and let you know if
>your car turned up. Your insurance company will be equally sympathetic
>and a lot less helpful.

The analogy was with joyriding, with the car always returned, not with theft.

--
Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu
.sig under construction, like the rest of this campus.
adrianho@barkley.berkeley.edu (Adrian J Ho) (06/15/91)
In article <1991Jun14.132933.4466@news.larc.nasa.gov> kludge@grissom.larc.nasa.gov ( Scott Dorsey) writes:
> Nothing stupid at all about having publicly accessible guest accounts.

Read on.

>If you have a guest account, you expect guests to use it. That's why it's
>called a "guest" account. Much like having an anonymous FTP set up, you
>have it there for people to use it.

Shouldn't you know who your "guests" are? If so, why not create (temporary) accounts for them outright, instead of mucking around with a single account named "guest" that's just _asking_ to be messed with?

The analogy with anonymous FTP breaks down when you consider that in the latter, your capabilities are strictly circumscribed by the FTP protocol, whereas with a "guest" account, the sky's the limit, once the user has circumvented any roadblocks you've thrown in his/her way.

>But if you make the point that you don't want people hacking on this account
>and that there isn't much on the machine that's worthwhile, you shouldn't
>have a problem.

Not true. Ever heard of "distributed password-cracking"? Access to your machine itself is a valuable resource to a sufficiently enlightened user, especially since distributed processing is all the rage now, in more ways than one.....

> That's not to say that you don't keep a good eye on what's
>going on there to make sure that there aren't any problems, but that's what
>system administration is all about, folks.

Well, there's enough problems to worry about without leaving my back door wide open, so I'll pass on "guest" accounts, thank you.
plutchak@pilsner.geo.brown.edu (Joel Plutchak) (06/18/91)
In article <1991Jun14.160002.295@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
|In article <1991Jun14.005425.25048@cs.umn.edu> thornley@cs.umn.edu (David H. Thornley) writes:
||In article <1991Jun7.184025.25010@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
|||Oh, and if you made a habit of leaving your car unlocked with the keys in the
|||ignition, and people came by and took it for a spin now and then, I suspect
|||the cops would just laugh at you for being such an idiot if you tried to
|||prosecute them.
||Actually, they probably would laugh at you for an idiot, but they'd also
||be of some assistance. They would accept the report and let you know if
||your car turned up. Your insurance company will be equally sympathetic
||and a lot less helpful.
|The analogy was with joyriding, with the car always returned, not with theft.

Joyriding uses non-recoverable resources (gasoline, to name the most obvious), and thus has theft as a component. Even were the perpetrators to fill up my tank for me before returning the auto, it would still be illegal and still be their crime, not mine (and still piss me off).

--
Joel Plutchak, Research Programmer/Analyst
Brown University Planetary Geology
Unix: plutchak@porter.geo.brown.edu
VMS: plutchak@pggipl.geo.brown.edu -or- PGGIPL::PLUTCHAK (VMS: Just say NO!)
leonard@qiclab.scn.rain.com (Leonard Erickson) (06/25/91)
jb3o+@andrew.cmu.edu (Jon Allen Boone) writes:
>leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
>> Sorry, but it is *impossible* to use even a guest account and not be
>> using *some* system resources. A socket, if nothing else. More likely
>> one of a *limited* number of ports.
> Perhaps on the systems you use - our the systems never have that
>sort of a problem - we always have enough resources (such as sockets,
>etc.) to allow someone to access them, if they want to. However, our
>department has decided that it's too much of a security risk to allow
>access via guest accounts or anonymous ftp. Now, if you eat up our
>disk space, then people might get upset - more likely, the problem
>would get forwarded to me and I'd kill your files. End of story.

Really? I'm amazed. We *only* have 250 ports on our main server. And we have had to take measures to be sure that they weren't being wasted. (things like users being logged in but just sitting at the system prompt for *hours*)

I'd be rather surprised if *any* system has so many outdial ports that the use of one isn't at least a *potential* problem.

We get complaints when folks call us and say "Why can't I login?". And when we discovered that a user had been logging in from several machines at once to "multi-task" we had a talk with him.

Usage increases to match available resources. And the folks that those resources were obtained for *should* have first crack at them. (yes, I know that you disagree with this, I'll get to that)

>> Finally, the *correct* moral standard is "it's not yours!", not "But I'm
>> not hurting anything." Property rights *do* exist in c-space.
> Actually, the *correct* moral standard isn't "it's not yours!" -
>that's silly. Property rights *SHOULDN'T* exist in c-space. It's
>incredibly dumb to take up sectors and sectors of disk space just
>because you can - if we had a more open system, my files could exist
>on any machine - they could be so well distributed that the resulting
>drain on *ANY ONE PARTICULAR SYSTEM* would be negligible. Clearly,
>the extension of property rights to cyber-space will result in a
>less-than-optimal use of resources merely to satisfy stupid primate
>instincts in those who have the $$$ to buy disks, ethernet
>controllers, etc. BLECH!

Sorry, but as long as resources are *limited* this *will* be the case. Because the impact is *never* going to be "negligible". If your files are scattered that widely it'll take *extra* resources just for the "system" to find them. Extra traffic on the net looking for free space, etc.

You are suffering from innumeracy. Your argument assumes that adding up lots of little bites doesn't make one big mess. Even if *you* only take a sector on each of a large number of machines, that doesn't mean that the impact is negligible. What you forget is that everyone else would be doing the same thing! And that adds up fast.

One person's "vital files" are another person's "junk". Under *your* system, it'd be "first come, first served". This is not practical. When someone has purchased a system for "X" they are going to *justifiably* get pissed off if they can't use it for that when they want to.

Your complaint is that the resource allocation is "less than optimal" *for you*! Fine, obtain your *own* resources. If the costs are as negligible as you make out, then this should not be a problem. Otherwise, you've just proven my point. It's not a practical way to allocate things.

For an analogy, We think that you are making less than optimal use of your living space, so we are (all) going to borrow a little of it. We do *not* care that you had that empty space set aside for something you are going to do next week. After all, you aren't using it *now*...

--
Leonard Erickson leonard@qiclab.rain.com
personal: CIS: [70524,2603] 70524.2603@compuserve.com
business: CIS: [70376,1107] 76376.1107@compuserve.com
leonard@qiclab.scn.rain.com (Leonard Erickson) (06/25/91)
dave@jato.jpl.nasa.gov (Dave Hayes) writes:
<leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
<>>IMHO, unless a "guest" account user is notified somehow (eg.
<>>/etc/motd) that "this account is _only_ for use by faculty in Uni. of
<>>X", you don't have a case against anyone outside the U. using the same
<>>account, since the scope of "legal use" was not made known to him/her.
<>No. The law is exactly the opposite. Unless *you* know that the account
<>is for general access, you do not have the right to use it. There are
<>legitimate reasons for having a "guest" account (with no password) on a
<>system. But just as with an unlocked door, *you* are not the person
<>it was left unlocked for.
<Can you guys explain, then, the case where charges were dropped in an
<unauthorized entry prosecution because the system said: "Welcome to..."?

Sure. In *that* case they'd done the exact opposite. Rather than saying "keep out" or not saying anything, they said "Come on in!". BTW, I don't think a lot of that decision. But that *was* the logic.

This is why our "remote" login gives a "Only authorized users..." message if an unauthorized ID tries to use it. If someone is using an authorized ID without actually being that user, it's illegal access anyway...

--
Leonard Erickson leonard@qiclab.rain.com
personal: CIS: [70524,2603] 70524.2603@compuserve.com
business: CIS: [70376,1107] 76376.1107@compuserve.com
jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/26/91)
leonard@qiclab.scn.rain.com (Leonard Erickson) writes:
> jb3o+@andrew.cmu.edu (Jon Allen Boone) writes:
>
> Really? I'm amazed. We *only* have 250 ports on our main server. And we
> have had to take measures to be sure that they weren't being wasted.
> (things like users being logged in but just sitting at the system
> prompt for *hours*)

I'm not sure of the number of ports (I don't work for the data communications department) but I can call up the system any time of the day or night - and if the number I traditionally use is busy (which is extremely rare - MAYBE once a month, if that) there are three or four other numbers I can use. End result: it's not a problem. (Note: these aren't outdial ports - these are incoming ports for logging in.)

> I'd be rather surprised if *any* system has so many outdial ports that
> the use of one isn't at least a *potential* problem.

What do you use outdial ports for? Our system may well have NO outdial ports that are accessible to public users (I've never used them). We do have hundreds of workstations on the internet - providing you access to almost any place that you want to go on the internet. If you want to call up a local-area bulletin board system, then you should get your own modem!

> We get complaints when folks call us and say "Why can't I login?". And
> when we discovered that a user had been logging in from several
> machines at once to "multi-task" we had a talk with him.

Never happened here, as far as I know. I can log onto as many machines as I want - there are special exceptions (some administrative machines won't let you on at all, without special permission) - if you're telnetted in, and I log in on console - you lose. But, there's not a problem with me multi-tasking on multiple machines - in fact, we used to have a system setup to let you do exactly that!

> Sorry, but as long as resources are *limited* this *will* be the case.
> Because the impact is *never* going to be "negligible". If your files
> are scattered that widely it'll take *extra* resources just for the
> "system" to find them. Extra traffic on the net looking for free space,
> etc.

How the hell do you get "limited"? If your site has so many users that any one of them using a socket is a problem, then there should be a serious re-evaluation of your computing systems. Also, note that this attitude is the same one that keeps universities with a surplus of computing facilities (like mine) from sharing them more openly and regularly with systems like yours. Too bad for you. :(

> You are suffering from innumeracy. Your argument assumes that adding
> up lots of little bites doesn't make one big mess. Even if *you* only
> take a sector on each of a large number of machines, that doesn't mean
> that the impact is negligible. What you forget is that everyone else
> would be doing the same thing! And that adds up fast.

Not at all. I am perfectly capable of keeping my usage down. In terms of long-term storage, I think MORE people should have smaller quotas - there should be MUCH MORE temp space which is, after all, first come - first serve. With the advent of multiple-write/multiple-read cd's, and more and more cd devices in workstations, I think that this will be acceptable. After all, when you can carry 300meg with you, what the hell do you need a large quota for? (Note: this argument looks forward -> to the day when MOST systems have these cd's - it flagrantly ignores the way things are NOW -> but if you don't look forward and just sit here in the now, things pass you by. The fact that it MIGHT not be a good idea NOW doesn't mean it will be a bad idea in 4 years or 10 years or 25 years or 100 years.)

> One person's "vital files" are another person's "junk". Under *your*
> system, it'd be "first come, first served". This is not practical.
> When someone has purchased a system for "X" they are going to
> *justifiably* get pissed off if they can't use it for that when they
> want to.

As prices fall, this will become less and less common. Quite right that there is a lot of work to be done - networking bandwidth expanded, more disks, more memory, etc. But, I never said that any of that was justification for being pissed. On the contrary - if I'm using temp space, I expect you to NOT get pissed and just blow my files away - regardless of your opinion of them.

> Your complaint is that the resource allocation is "less than optimal"
> *for you*! Fine, obtain your *own* resources. If the costs are as
> negligible as you make out, then this should not be a problem.
> Otherwise, you've just proven my point. It's not a practical way to
> allocate things.

I have my own resources - I have unlimited disk quota - at times I've used as much as 150megs, now I bob along at about 40megs. It's not a problem. Soon, I may well have 700megs of disk space in my house - yow! But, allocating quotas of disk space, for example, is a NON-optimal way of doing things (assuming the existence of high-capacity, portable media) - for now, you can get away with it - but if they ever work the kinks out of the floptical drives, forget it. Buy a machine - buy a gig of disk space - use 250megs for systems programs and make the rest TEMP space.

> For an analogy, We think that you are making less than optimal use
> of your living space, so we are (all) going to borrow a little of it.
> We do *not* care that you had that empty space set aside for something
> you are going to do next week. After all, you aren't using it *now*...

Fine. But as soon as I AM going to use it - I'm going to throw your junk away - unless I can find you and get you to remove it first.

--
"He divines remedies against injuries; he knows how to turn serious accidents to his own advantage; whatever does not kill him makes him stronger." - Friedrich Nietzsche
"Words are drugs." - Antero Alli
"Culture is for bacteria." - Christopher Hyatt