[comp.admin.policy] SUSPEND SYSOPS, NOT STUDENTS

ropg@ooc.uva.nl (Rop Gonggrijp) (06/13/91)

crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:

>> I didn't know that doing things with an /etc/passwd
>> would be considered unauthorized use.

>> the file is readable by the world after all.
>> The uga student was not the one who broke in.

>Then you're the most naive person I've ever encountered.
>Read the following carefully:

>in /etc/passwd there are passwords.  Encrypted, I admit, but to a
>hacker with the general encryption mechanism on his box (any Unix)
>and a database of words (any Unix: see spell(1)), and some loose computer
>time on his hands, this is no great problem.  This means, that the hacker
>can find passwords for some or (heaven forbid) all userid's including root,
>just by matching encrypted words against the encrypted passwords,
>unless ALL the passwords are thoroughly difficult.  In practice there's
>always a simple password: the hacker can enter the system as someone
>he is not, namely a legitimate user.

If a password-guesser without a stadium full of supercomputers finds the root
password, something is very wrong with system security, and any user on the
system could become root. If however the system-operator runs something like
COPS every once in a while there is no problem, even if the password-file is
put on misc.misc, distribution world.

>In the mean time users have to be able to read /etc/passwd in order to
>get a home directory, a login shell, etcetera.

>/etc/passwd is a security risk, that has not been plugged, yet.


>I could have sympathised with them hanging him from the highest
>tree ;-) or something like that.  Giving /etc/passwd to anyone,
>including yourself, is in Unix terms the most heinous crime anyone
>can commit, because you (can) compromise the whole system.


Yeah, hang the hackers and even the students that just play around, hang all
those ugly 12 year olds that just walk through our 'heavy' security. Why not
hang kids that ring your bell and then run away (after all, they were trying
to get access, and if you had a door buzzer, you would maybe have opened the
door for them). 

>> What if a student runs cops on /etc/passwd... would this
>> be considered intent to break into a system and could he thus
>> be suspended?

>It could be, yes, because cops could be used to find passwords.
>However, you could write your own program that would do this.  If
>anyone would do this and uses or distributes the passwords, and it
>would come out (as it usually does) all bets are off: the person in
>question will be suspended and/or denied all access to computers.  YOU
>CAN GO TO JAIL even, nowadays, for such a stunt.

Not in democracies.

>Hope this has explained some of the finer points concerning the
>password file.  Do not access it directly: use finger(1), chsh(1) and
>the like if you want to know or change things.  Users have no business
>accessing /etc/passwd directly.

And kids, if you want to get a modem, get a license for it first, or the
on-line police will come and raid your house for conspiracy to overthrow
the government. Do NOT (I repeat NOT) try to learn something from the
structure of UNIX, in fact, give up C and program in COBOL only!

---
Rop Gonggrijp (ropg@ooc.uva.nl) is also editor of  Hack-Tic (hack/phreak mag.)
quote: "We don't care about freedom of the mind, | Postbus 22953    (in DUTCH)
        freedom of signature will do just fine"  | 1100 DL  AMSTERDAM
Any opinions in this posting are wasted on you   | tel: +31 20 6001480

birchall@pilot.njin.net (Official Random) (06/13/91)

I'm with the Dutchman on this... it's not nice to go around taking other folks'
accounts, but if I do a grep :: /etc/passwd, and get ANYTHING back (other than
maybe a root or uucp), there are people using the machine that just plain should
not be allowed near anything more powerful than a Z-80 based CP/M machine.  The
fault is not to be solely laid on the "hackers."  As administrators, you (we?)
should have the intelligence to explain THOROUGHLY to users exactly how to set
a password that can't be easily compromised.  We should also have the common 
sense to occasionally DO a grep :: /etc/passwd and either notify those users
who don't have the sentience to set passwords, or set their shells and ~dirs
to /dev/null or some such :)

[Note: I am not a true "Administrator."  I am, by most meanings, a "Hacker."
I tend to use resources that no one else needs or wants.  If I find a security
hole, I notify the appropriate authorities.]

		-sh

birchall@pilot.njin.net  birchall@njin.bitnet  shag@mercury.njit.edu
shag@mercury.bitnet  shag@gnu.ai.mit.edu  shag@glia.biostr.washington.edu
shag@nyx.cs.du.edu  shag@shadowfax.cs.utk.edu
-- 
-------------------
Shag is. Nuff said.
-------------------
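The `grep :: /etc/passwd` check from the post above, written out as an added example (my code, not anything posted in this thread). It goes a step further than grep: each record is split into its seven passwd(5) fields, so an empty GECOS field (which also yields "::") is not mistaken for an empty password field, and the password field is classified instead of merely matched. `PasswdEntry`, `parse_passwd`, `naive_grep_hits`, `classify`, `audit` and `accounts_without_password` are this example's own names, and `SAMPLE_PASSWD` is a constructed file, not a real one.

```python
"""Audit a passwd(5)-format file for accounts that have no password set.

Added example, not code from any poster in this thread. It generalises the
`grep :: /etc/passwd` check: records are split into their seven fields, so
an empty GECOS field (which also produces "::") is not mistaken for an
empty password field, and the password field is classified rather than
just pattern-matched. All names here are this example's own; SAMPLE_PASSWD
is constructed for the demo.
"""
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    pw_field: str  # "" = no password, "x" = shadowed, "*"/"!" = locked, else a hash
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample in the classic 7-field passwd(5) layout. The "hashes"
# are filler text, not real crypt(3) output. Note that daemon's empty GECOS
# field makes its line match "::" even though its password is locked.
SAMPLE_PASSWD = """\
root:9iPdkLx2wQ3Sc:0:0:Operator:/:/bin/sh
daemon:*:1:1::/:/bin/false
uucp::4:4:UUCP:/usr/spool/uucp:/usr/lib/uucp/uucico
jrl::201:20:J. Random Luser:/home/jrl:/bin/csh
foo:x:202:20:Edward Foo:/home/foo:/bin/sh
ckd:aB3.xyzQw1234:203:20:C. Davis:/home/ckd:/bin/sh
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) text. A record with the wrong field count is an
    error: a malformed line is itself something the admin should look at."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def naive_grep_hits(text: str) -> List[str]:
    """What `grep :: /etc/passwd` reports: every record containing '::'."""
    return [line.split(":")[0] for line in text.splitlines() if "::" in line]


def classify(entry: PasswdEntry) -> str:
    """Bucket an entry by what its password field actually says."""
    pw = entry.pw_field
    if pw == "":
        return "no-password"
    if pw == "x":
        return "shadowed"
    if pw.startswith(("*", "!")):
        return "locked"
    return "hash-visible"  # readable, hence crackable offline, by every user


def audit(text: str) -> Dict[str, List[str]]:
    """Group account names by password-field category."""
    report: Dict[str, List[str]] = {}
    for entry in parse_passwd(text):
        report.setdefault(classify(entry), []).append(entry.name)
    return report


def accounts_without_password(text: str) -> List[str]:
    """The accurate form of the grep check; root is deliberately not exempt."""
    return audit(text).get("no-password", [])


if __name__ == "__main__":
    print("grep :: would flag:  ", naive_grep_hits(SAMPLE_PASSWD))
    print("really no password:  ", accounts_without_password(SAMPLE_PASSWD))
    print("hash readable by all:", audit(SAMPLE_PASSWD).get("hash-visible", []))
```

Run against the sample, the grep approach flags daemon, uucp and jrl, while the parser reports only uucp and jrl as passwordless and separately lists root and ckd as accounts whose hash every user on the machine can read, which is the exposure Linnemann describes for BSD-style password files.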

crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) (06/13/91)

In article <20740@slice.ooc.uva.nl> ropg@ooc.uva.nl (Rop Gonggrijp) writes:

>crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:
>>time on his hands, this is no great problem.  This means, that the hacker
>>can find passwords for some or (heaven forbid) all userid's including root,
>>just by matching encrypted words against the encrypted passwords,
>>unless ALL the passwords are thoroughly difficult.  In practice there's
>>always a simple password: the hacker can enter the system as someone
>>he is not, namely a legitimate user.

>If a password-guesser without a stadium full of supercomputers finds the root
>password, something is very wrong with system security, and any user on the
>system could become root. If however the system-operator runs something like
>COPS every once in a while there is no problem, even if the password-file is
>put on misc.misc, distribution world.

I fully agree with you here and I run COPS regularly.  Nevertheless,
putting a password file on the net compromises your system security,
because user accounts become open to attack.  1: all valid user names
are known to the readers of misc.misc and 2: on BSD their encrypted
passwords are known, too.  This makes it relatively easy to find a user
and password.  Remember: several strings can encrypt to the same result!

>>In the mean time users have to be able to read /etc/passwd in order to
>>get a home directory, a login shell, etcetera.

>>/etc/passwd is a security risk, that has not been plugged, yet.

I should have added "on BSD systems", as someone in another article
observed.

>>I could have sympathised with them hanging him from the highest
>>tree ;-) or something like that.  Giving /etc/passwd to anyone,
>>including yourself, is in Unix terms the most heinous crime anyone
>>can commit, because you (can) compromise the whole system.

>Yeah, hang the hackers and even the students that just play around, hang all
>those ugly 12 year olds that just walk through our 'heavy' security. Why not
>hang kids that ring your bell and then run away (after all, they were trying
>to get access, and if you had a door buzzer, you would maybe have opened the
>door for them). 

Has nobody explained the use of smileys to you?

>>> What if a student runs cops on /etc/passwd... would this
>>> be considered intent to break into a system and could he thus
>>> be suspended?

>>It could be, yes, because cops could be used to find passwords.
>>However, you could write your own program that would do this.  If
>>anyone would do this and uses or distributes the passwords, and it
>>would come out (as it usually does) all bets are off: the person in
>>question will be suspended and/or denied all access to computers.  YOU
>>CAN GO TO JAIL even, nowadays, for such a stunt.

>Not in democracies.

I'm no lawyer, so this is the last I'm going to say about this: using
or distributing passwords you've cracked can be prosecuted in a court
of law, nowadays, and you can be punished for it (if the case holds,
of course).  Whether actual jail term can be the result, I don't know,
so I guess I shouldn't have specified that.

>>Hope this has explained some of the finer points concerning the
>>password file.  Do not access it directly: use finger(1), chsh(1) and
>>the like if you want to know or change things.  Users have no business
>>accessing /etc/passwd directly.

>And kids, if you want to get a modem, get a license for it first, or the
>on-line police will come and raid your house for conspiracy to overthrow
>the government. Do NOT (I repeat NOT) try to learn something from the
>structure of UNIX, in fact, give up C and program in COBOL only!

Come off it!  We're talking about the password file here.  If a user
executes a 'privileged' program and mucks up the system, THEN I
can believe 'no harm intended', because it's not so clear what is
privileged and what not.  But that was not what we were
talking about.  So get off of your high horse and dance to the tune
I was singing here, or sing your own without reference to me.

I will repeat: users have no business accessing /etc/passwd directly.
However, they can, and they have to have read access.  So long as they
don't abuse it, fine.  As soon as they start cracking passwords: warn
them about the consequences.  As soon as they start using the passwords
they found: warn them severely that the next time their account will be pulled.
As soon as they distribute any password: pull their account and THEN talk,
if applicable.

At least that's how I see it.  Users are smart enough to know that
passwords are not to be played with.

>---
>Rop Gonggrijp (ropg@ooc.uva.nl) is also editor of  Hack-Tic (hack/phreak mag.)
>quote: "We don't care about freedom of the mind, | Postbus 22953    (in DUTCH)
>        freedom of signature will do just fine"  | 1100 DL  AMSTERDAM
>Any opinions in this posting are wasted on you   | tel: +31 20 6001480

Till we meet again,
Stefan.

Stefan M. Linnemann                    | The cutest .sig
System programmer                      | is not so big.
Leiden University, the Netherlands.    |
Email: crissl@rulcvx.LeidenUniv.nl     | SMiLe 1991

brendan@cs.widener.edu (Brendan Kehoe) (06/13/91)

ropg@ooc.uva.nl wrote:
>Yeah, hang the hackers and even the students that just play around,
>hang all those ugly 12 year olds that just walk through our 'heavy'
>security. Why not hang kids that ring your bell and then run away
>(after all, they were trying to get access, and if you had a door
>buzzer, you would maybe have opened the door for them).

 You just blew your credibility, Rop.  Had you not taken this
"screaming activist" stance, I'd probably read the rest of what you
have to say with a lot less bias and till.
 And just as a note, a user mailing a password file out so someone
else can hack on it is about as FAR from "playing around" as you can get.

>> If anyone would do this and uses or distributes the passwords, and
>>it would come out (as it usually does) all bets are off: the person
>>in question will be suspended and/or denied all access to computers.
>>YOU CAN GO TO JAIL even, nowadays, for such a stunt.
>
>Not in democracies.

 Do you think for a second that a large corporation wouldn't
completely demolish anyone that gave away company trade secrets or the
like, on the scale that giving away a system's passwd file is on?
(which could surrender the entire network to attack)

>And kids, if you want to get a modem, get a license for it first, or the
>on-line police will come and raid your house for conspiracy to overthrow
>the government. Do NOT (I repeat NOT) try to learn something from the
>structure of UNIX, in fact, give up C and program in COBOL only!

 My, anything can be taken to an absurd extreme, can't it?

 While I don't agree with the result of GA's actions (although I'm
glad to see the guy was only suspended, and not full-fledged expelled),
I have to back them up on their original premise---if one of my users
mailed my passwd file out to anyone, I wouldn't just pat him/her on
the hand and say that they'd been bad.  I wouldn't drive them onto a
cross either, though.

Brendan
-- 
     Brendan Kehoe - Widener Sun Network Manager - brendan@cs.widener.edu
  Widener University in Chester, PA                A Bloody Sun-Dec War Zone
    Vanilla Ice == Richard VanWinkle .. hehe .. hohoho .. Hahahahahahahaha.

birchall@pilot.njin.net (Official Random) (06/13/91)

While we're all ranting about how illegal it is to use or distribute cracked
passwords..... 

Did this student distribute a cracked password?  I thought s/he merely gave out
the site's /etc/passwd file.  There _is_ a difference.  From first glance at an
/etc/passwd file, anyone who's used Unix for more than a week can tell if other
users don't HAVE passwords... but that's not cracking.  That's just saying,
"Gee, those fools don't have the intelligence to set passwords."  There's no 
law against making your /etc/passwd file available to half the world, or we'd
have to lock up all the admins who haven't got the sense to make it non-readable
to anonymous FTP users.  (yes, kids, you can FTP /etc/passwd files from a lot of
places.)

So, if the guy broke the passwords and gave them out, lynch him.
But if all he did was a grep :: /etc/passwd, he's only demonstrating that he has
a few more points of IQ than the other users <and probably the admin>, and, as
insulting as it might be to you or me as an admin, we can't really do anything
to him, since, after all, he did find security holes, which is good.
And, if all he did was send out the /etc/passwd file to someone, unbroken, that
isn't by any means criminal, and, unless you've got it non-readable by FTP, you
are as much at fault as he is.....
 
		-shag
-- 
-------------------
Shag is. Nuff said.
-------------------

mstgil@sol.acs.unt.edu (Marc Ph. A. J. St.-Gil) (06/14/91)

ropg@ooc.uva.nl (Rop Gonggrijp) writes:

>crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:

>>It could be, yes, because cops could be used to find passwords.
>>However, you could write your own program that would do this.  If
>>anyone would do this and uses or distributes the passwords, and it
>>would come out (as it usually does) all bets are off: the person in
>>question will be suspended and/or denied all access to computers.  YOU
>>CAN GO TO JAIL even, nowadays, for such a stunt.

>Not in democracies.

I assume you are not familiar with the fact that some states in this
democratic nation of ours have trespassing type laws against computer
intrusions of the type being discussed here.
--
Marc St.-Gil, UNIX Systems Administrator   mstgil@{sol,vaxa,vaxb}.acs.unt.edu
 University of North Texas  817/565-2324   mstgil@{ponder,solo}.csci.unt.edu
 Academic Computing Services   DISCLAIMER: My employers had no idea I was
 PO Box 13495, Denton TX, 76203            going to say that.
-- 

randy@m2xenix.psg.com (Randy Bush) (06/14/91)

> And just as a note, a user mailing a password file out so someone
> else can hack on it is about as FAR from "playing around" as you can get.

Sadly, it is nowhere near as far from playing around as today's net crackers
are willing to go.

But, I think the points of this story are simple.

    Knives are used for good and bad things, as are other readily available
    tools. 

    /etc/passwd, or copies thereof, can be used for good and bad things.

    We are told, in this case, that the student gave a knife to someone else
    knowing they intended to use it for bad things.

So, as you went on to say, the question is the punishment, not whether a crime
was committed.

-- 
randy@psg.com  ..!uunet!m2xenix!randy

jstewart@rodan.acs.syr.edu (Ace Stewart) (06/14/91)

>I'm no lawyer, so this is the last I'm going to say about this: using
>or distributing passwords you've cracked can be prosecuted in a court
>of law, nowadays, and you can be punished for it (if the case holds,
>of course).

Y'know, we seem to have a rash of "quoting the law without citing the
case" incidents. I have not seen, thus far, anything in the law that
says you may be prosecuted in court. I will happily admit ignorance,
if someone could just _show_ me where the court cases and precedents
were set here.

Simply put, if you vocalize the "law" then cite the case and where you
got your information. 


It would help me :)

--Ace
-- 
    Ace Stewart | Affiliation: Eastman Kodak Company, Rochester, New York
jstewart@rodan.acs.syr.edu jstewart@sunrise.bitnet jstewart@mothra.cns.syr.edu
   jstewart@sunspot.cns.syr.edu     ace@suvm.bitnet     rsjns@suvm.bitnet

ropg@ooc.uva.nl (Rop Gonggrijp) (06/17/91)

brendan@cs.widener.edu (Brendan Kehoe) writes:

>ropg@ooc.uva.nl wrote:
>>Yeah, hang the hackers and even the students that just play around,
>>hang all those ugly 12 year olds that just walk through our 'heavy'
>>security. Why not hang kids that ring your bell and then run away
>>(after all, they were trying to get access, and if you had a door
>>buzzer, you would maybe have opened the door for them).

> You just blew your credibility, Rop.  Had you not taken this
>"screaming activist" stance, I'd probably read the rest of what you
>have to say with a lot less bias and till.
> And just as a note, a user mailing a password file out so someone
>else can hack on it is about as FAR from "playing around" as you can get.

I regularly try to hack systems (sometimes with the permission of the sysop)
to see if the security is within reasonable limits. If my files are on a
system, I feel I have a right to see if it is safe. If a friend of mine happens
to have a very nice 486 at home that he can use to help me with this (by taking
a few guesses at the /etc/passwd) I will mail him (or her) the password file.
If I then find passwords, I will login as the found user and send him (or her)
some email originating from their own account informing them of their bad
password (you should see some of the passwords I found).

I see nothing wrong, immoral, or even criminal in my behaviour. Sure, if I was
being well paid somewhere I would expect some criticism for spending so much
time "playing around" while I could be making the boss a lot of money. I truly
see no other harm.

>>> If anyone would do this and uses or distributes the passwords, and
>>>it would come out (as it usually does) all bets are off: the person
>>>in question will be suspended and/or denied all access to computers.
>>>YOU CAN GO TO JAIL even, nowadays, for such a stunt.
>>
>>Not in democracies.

> Do you think for a second that a large corporation wouldn't
>completely demolish anyone that gave away company trade secrets or the
>like, on the scale that giving away a system's passwd file is on?
>(which could surrender the entire network to attack)

Oh I bet. But that was not the point. We are (after all) still talking about
a student that mailed the /etc/passwd of a Univ. system to somebody else. If
the security of your system (or even the whole network) depends on hundreds
(thousands?) of people keeping their mouth shut, it SUCKS.

>>And kids, if you want to get a modem, get a license for it first, or the
>>on-line police will come and raid your house for conspiracy to overthrow
>>the government. Do NOT (I repeat NOT) try to learn something from the
>>structure of UNIX, in fact, give up C and program in COBOL only!

> My, anything can be taken to an absurd extreme, can't it?

Go look at what happened last summer in the States. What we're experiencing
here is system administrators telling horror stories to government agents that
are too thickheaded to know a joke from a terrorist action. Anyway, UNIX was
never built to be a secure system   ;-)

> While I don't agree with the result of GA's actions (although I'm
>glad to see the guy was only suspended, and not full-fledged expelled),
>I have to back them up on their original premise---if one of my users
>mailed my passwd file out to anyone, I wouldn't just pat him/her on
>the hand and say that they'd been bad.  I wouldn't drive them onto a
>cross either, though.

Well, that's very nice of you, but there are too many people out there with NO
sense of humor and/or reality, and it's (sometimes) not funny.

jona@iscp.Bellcore.COM (Jon Alperin) (06/17/91)

Now let me see if I follow....

  1. You keep files on another system, therefore you have the right to insure
that there is proper security on your files on that system

Therefore:

  You break into someone else's account.....


hmm.... If you want to have privacy and security on your own files, you should 
respect the privacy and security of others. It may sound childish, but 
unless you own the system, everyone else is entitled to the same rights
of security and privacy as you. Unless, of course, you really aren't
interested in maintaining the privacy of your own files.... :-}


-- 
Jon Alperin
Bell Communications Research

---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona

* All opinions and stupid questions are my own *

ckd@eff.org (Christopher Davis) (06/17/91)

 Jon> == Jon Alperin <jona@iscp.Bellcore.COM> 

 Jon> Now let me see if I follow....

 Jon>   1. You keep files on another system, therefore you have the
 Jon> right to insure that there is proper security on your files on
 Jon> that system

 Jon> Therefore:

 Jon>   You break into someone else's account.....

Who said anything about breaking in?  Let's take a hypothetical case
(NOT the Georgia case).

Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some things
there, that (while not horrendous top secret information) he'd rather
keep out of the way of J. Random Luser.

He runs COPS on the system (say, without the PW guesser, because that
takes too damned long).  He finds that /var/spool is world-writable.  He
reports this to the sysadmins, who fix it (hopefully ;-).

Has he done anything wrong?  If he did it here, I'd be glad to hear it
so I could fix it (though I run COPS, too...).

I know some sysadmins who would take a "shoot the messenger" stance on
this (and have).  There have been accounts suspended for running COPS
when the only way the sysadmin knew COPS was run was from the report
being mailed to him...

 Jon> hmm.... If you want to have privacy and security on your own
 Jon> files, you should respect the privacy and security of others. It
 Jon> may sound childish, but unless you own the system, everyone else
 Jon> is entitled to the same rights of security and privacy as you.
 Jon> Unless, of course, you really aren't interested in maintaining the
 Jon> privacy of your own files.... :-}

Perhaps the best way to respect the privacy and security of others is to
make sure that privacy and security is better maintained.
-- 
Christopher Davis - System Manager & Postmaster, Electronic Frontier Foundation
<ckd@eff.org> <{uunet,bu.edu,...}!world!eff!ckd> NeXT: <ckd@black-cube.eff.org>
155 Second Street, Cambridge, MA 02141 - +1 617 864 0665 - FAX: +1 617 864 0866
"Internet mail headers are not unlike giblets." - Paul Vixie <vixie@pa.dec.com>
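The hypothetical above (a user's scan finds /var/spool world-writable and the finding is reported, not used) as an added example; this is my code, not Davis's and not COPS. It walks a tree and lists anything with the other-write bit set, putting sticky-bit directories such as /tmp in their own bucket because world-writable is expected there, and it changes nothing. `find_world_writable`, `build_demo_tree` and `scan_demo` are this example's own names; the miniature filesystem is constructed under a temporary directory and removed afterwards.

```python
"""Report world-writable directories and files under a tree, touching nothing.

Added example, not code from Christopher Davis's post or from COPS. It
implements the kind of check his hypothetical attributes to COPS (finding a
world-writable /var/spool) as a report-only scan: the result is a list for
the sysadmin and nothing is modified. Directories with the sticky bit (such
as /tmp) are listed separately, since world-writable is expected there.
build_demo_tree() creates a constructed layout under a temporary directory;
all names here are this example's own.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def find_world_writable(top: str) -> Dict[str, List[str]]:
    """Walk `top` and classify every entry whose mode has the o+w bit set.

    lstat is used so symlinks are judged by their own mode and never
    followed; paths are reported relative to `top`, sorted."""
    report: Dict[str, List[str]] = {"dirs": [], "sticky_dirs": [], "files": []}
    for dirpath, _dirnames, filenames in os.walk(top):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            key = "sticky_dirs" if mode & stat.S_ISVTX else "dirs"
            report[key].append(os.path.relpath(dirpath, top))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if stat.S_ISREG(fmode) and fmode & stat.S_IWOTH:
                report["files"].append(os.path.relpath(path, top))
    for key in report:
        report[key].sort()
    return report


def build_demo_tree() -> str:
    """Create a constructed miniature filesystem and return its root.

    Modes are set with chmod after creation so the process umask does not
    interfere. The caller removes the tree when done."""
    top = tempfile.mkdtemp(prefix="wwdemo-")
    dirs = {                 # relative dir -> mode
        "var/spool": 0o777,  # the hole in the hypothetical
        "tmp": 0o1777,       # world-writable but sticky: expected
        "etc": 0o755,
        "home/foo": 0o700,
    }
    for rel, mode in dirs.items():
        path = os.path.join(top, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    files = {"etc/passwd": 0o644, "etc/motd": 0o666, "home/foo/notes": 0o600}
    for rel, mode in files.items():
        path = os.path.join(top, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return top


def scan_demo() -> Dict[str, List[str]]:
    """Build the constructed tree, scan it, clean up, and return the report."""
    top = build_demo_tree()
    try:
        return find_world_writable(top)
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for key, paths in scan_demo().items():
        print(f"{key:12s} {paths}")
```

Pointed at a real root instead of the demo tree (`find_world_writable("/")` run as the user who wants to report a problem), the output is exactly what option (4) in the later post calls for: a list to hand to the administrator, with nothing exploited or changed along the way.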

chris@visionware.co.uk (Chris Davies) (06/17/91)

In article <20740@slice.ooc.uva.nl> ropg@ooc.uva.nl (Rop Gonggrijp) writes:
>If a password-guesser without a stadium full of supercomputers finds the root
>password, something is very wrong with system security, and any user on the
>system could become root. If however the system-operator runs something like
>COPS every once in a while there is no problem, even if the password-file is
>put on misc.misc, distribution world.

So I shouldn't let people even compile C programs (or use perl?) on
certain UNIX boxes, because of the bug(s) which allow Jane Public to
become root with a one-line program?

Chris
-- 
         VISIONWARE LTD, 57 Cardigan Lane, LEEDS LS4 2LE, England
    Tel +44 532 788858.  Fax +44 532 304676.  Email chris@visionware.co.uk
-------------- "VisionWare:   The home of DOS/UNIX/X integration" -------------

jona@iscp.Bellcore.COM (Jon Alperin) (06/17/91)

In article <CKD.91Jun17111320@eff.org>, ckd@eff.org (Christopher Davis) writes:
	<I said some stuff> 
|> 
|> Who said anything about breaking in?  Let's take a hypothetical case
|> (NOT the Georgia case).
|> 
|> Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some things
|> there, that (while not horrendous top secret information) he'd rather
|> keep out of the way of J. Random Luser.
|> 
|> He runs COPS on the system (say, without the PW guesser, because that
|> takes too damned long).  He finds that /var/spool is world-writable.  He
|> reports this to the sysadmins, who fix it (hopefully ;-).

	Um, why not just ask the system admins to insure that there
are no world-writable file systems...that's their job, and not his to go
snooping around. Besides, the original poster referenced copying /etc/passwd to
another system, cracking the password, logging in as that user, and
then sending the user mail from their own account. This example is not even
close...



|> Perhaps the best way to respect the privacy and security of others is to
|> make sure that privacy and security is better maintained.

  Yes, but breaking security is not the right way to insure that _privacy_
is maintained. If you want to break into your own account, be my guest. 
Just don't ever screw with someone else's for the simple reason of
_looking_ for security holes unless that is what you were specifically
hired to do.

|> -- 
|> Christopher Davis - System Manager & Postmaster, Electronic Frontier Foundation

-- 
Jon Alperin
Bell Communications Research

---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona

* All opinions and stupid questions are my own *

ckd@eff.org (Christopher Davis) (06/18/91)

 Jon> == Jon Alperin <jona@iscp.Bellcore.COM> 
 ckd> == me

 ckd> Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some
 ckd> things there, that (while not horrendous top secret information)
 ckd> he'd rather keep out of the way of J. Random Luser.

 ckd> He runs COPS on the system (say, without the PW guesser, because
 ckd> that takes too damned long).  He finds that /var/spool is
 ckd> world-writable.  He reports this to the sysadmins, who fix it
 ckd> (hopefully ;-).

 Jon> 	Um, why not just ask the system admins to insure that there are
 Jon> no world-writable file systems...that's their job, and not his to
 Jon> go snooping around.

Well, if that's their job, then there shouldn't be any world-writable
critical directories, no?  And the best way to "ask the system admins to
insure there are no world-writable file systems [sic]" is probably to
point out any that ARE, so they can get fixed.

 Jon> Besides, the original poster referenced copying /etc/passwd to
 Jon> another system, cracking the password, logging in as that user,
 Jon> and then sending the user mail from their own account. This
 Jon> example is not even close...

No, it's not.  But it's being treated as the same level of incident, in
some places.

 Jon> [...] [B]reaking security is not the right way to insure that
 Jon> _privacy_ is maintained. If you want to break into your own
 Jon> account, be my guest.  Just don't ever screw with someone else's
 Jon> for the simple reason of _looking_ for security holes unless that
 Jon> is what you were specifically hired to do.

We seem to have a divergence of theory here.

I feel that it is possible to know about, detect, and fix security holes
without necessarily exploiting them in any way, or damaging anything in
any way.  Example: if I detected the /var/spool world-writable problem
on a machine I had an account (but not sysadm) on, I would have several
choices, including:

  (1) keep quiet and hope nobody uses it before it gets fixed;

  (2) exploit it, become root, and fix the problem myself;

  (3) exploit it, become root, and just go my merry cracker way;

  (4) report it to the appropriate people and let THEM fix it.

My view is that number 4 is the only appropriate response.  EVEN THOUGH
that hole would give me the power to become root, and EVEN THOUGH I
would "only" use root to fix the problem, THAT IS NOT MY JOB ON THAT
SYSTEM.  However, *reporting* any holes I find (or can find, as a
"normal user") is my job, as part of the cooperating "membership" of the
system.

Security is everyone's responsibility; users are often told "keep your
password safe" and "use a good password."  Why should their involvement
stop there?  I would rather have one technically-competent and involved
user who feels she has a stake in keeping the system running and secure
than 100 people who feel "in the dark" and treat me as "that evil
security ogre who keeps harping on password choices."
-- 
Christopher Davis - System Manager & Postmaster, Electronic Frontier Foundation
<ckd@eff.org> <{uunet,bu.edu,...}!world!eff!ckd> NeXT: <ckd@black-cube.eff.org>
155 Second Street, Cambridge, MA 02141 - +1 617 864 0665 - FAX: +1 617 864 0866
"Internet mail headers are not unlike giblets." - Paul Vixie <vixie@pa.dec.com>

dave@jato.jpl.nasa.gov (Dave Hayes) (06/18/91)

jstewart@rodan.acs.syr.edu (Ace Stewart) writes:
>Y'know, we seem to have a rash of "quoting the law without citing the
>case" incidents. I have not seen, thus far, anything in the law that
>says you may be prosecuted in court. I will happily admit ignorance,
>if someone could just _show_ me where the court cases and precedents
>were set here.

Sometimes that's pretty difficult...given that most of us citing aren't
lawyers and don't have access to all the court precedents. 

This also rings of those who must have everything proved before they
can even CONSIDER something to be true or not (note that I didn't 
say "regard"...just "consider"). If you are of that mind, then could
you prove to me that one can prove something?

>Simply put, if you vocalize the "law" then cite the case and where you
>got your information. 

If I can't, does that completely disprove the possibility of the existence
of the law?

-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov       dave@jato.jpl.nasa.gov           ames!elroy!dxh

   When you have been your own teacher for a time, you may be ready
                                   to find someone else who can teach you.

fwp1@CC.MsState.Edu (Frank Peters) (06/18/91)

: On 17 Jun 91 18:13:20 GMT, ckd@eff.org (Christopher Davis) said:

> Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some things
> there, that (while not horrendous top secret information) he'd rather
> keep out of the way of J. Random Luser.

> He runs COPS on the system (say, without the PW guesser, because that
> takes too damned long).  He finds that /var/spool is world-writable.  He
> reports this to the sysadmins, who fix it (hopefully ;-).

> Has he done anything wrong?  If he did it here, I'd be glad to hear it
> so I could fix it (though I run COPS, too...).

I'd suggest that Mr. Foo ask his system administrator to run cops.  Or, if
the administrator refuses/claims not to have time, he should ask permission
to run cops before he does it.  

Often, if the user asks, he/she will find that the administrator already
runs cops periodically.  I do but I doubt many of my users know that.

If both efforts fail then he should take the issue of security up with the
administrator's superior.  If all of these efforts fail then your post might
have relevance.

In my experience, most administrators don't mind security conscious users.
What they generally do mind is finding users who are 'evaluating' the system's
security without prior consultation.

This simple step (notifying the administrator of probing in advance) seems to
be one that is skipped by most hackers.  And IMHO it is the major source of
ill feeling.

Fwp
--
Frank Peters   Internet:  fwp1@CC.MsState.Edu         Bitnet:  FWP1@MsState
               Phone:     (601)325-2942               FAX:     (601)325-8921

jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) (06/18/91)

ropg@ooc.uva.nl (Rop Gonggrijp) writes:

>brendan@cs.widener.edu (Brendan Kehoe) writes:

>> And just as a note, a user mailing a password file out so someone
>>else can hack on it is about as FAR from "playing around" as you can get.

>I regularly try to hack systems (sometimes with the permission of the sysop)
>to see if the security is within reasonable limits. If my files are on a
>system, I feel I have a right to see if it is safe. If a friend of mine happens
>to have a very nice 486 at home that he can use to help me with this (by taking
>a few guesses at the /etc/passwd) I will mail him (or her) the password file.
>If I then find passwords, I will login as the found user and send him (or her)
>some email originating from their own account informing them of their bad
>password (you should see of the passwords I found).

>I see nothing wrong, immoral, or even criminal in my behaviour. Sure, if I was
>being well paid somewhere I would expect some criticism for spending so much
>time "playing around" while I could be making the boss a lot of money. I truly
>see no other harm.

Ok. How about if I drive around and test out the security systems of houses ?
I check doors, see if I can open windows from the outside. I have a friend
who has a set of lockpicks help me out. If I succeed in breaking in, I leave 
a note letting you know that your security is poor. 
	What you advocate with computers is exactly analogous to the above. I
seriously doubt that you would condone such behaviour in my scenario. And if
you do, you are plain foolish. 

>Oh I bet. But that was not the point, We are (after all) still talking about
>a student that mailed the /etc/passwd of a Univ. system to somebody else. If
>the security of your system (or even the whole network) depends on hundreds
>(thousands?) of people keeping their mouth shut, it SUCKS.

So just because the security is bad, you (or anyone else) have the right to
exploit it ? If I find out that you have an open window on the second floor of 
your house, can I just break in? Breaking and entering is morally wrong whether it
involves homes, public buildings or computers. Just because you know how 
doesn't give you the right. Or are you saying that any professional car thief 
can now lift any car since the security system SUCKS ?

>Well, that's very nice of you, but there is too many people out there with NO
>sense of humor and/or reality, and it's (sometimes) not funny.

Develop a sense of right and wrong.

jarober@aplcen.apl.jhu.edu

scs@iti.org (Steve Simmons) (06/18/91)

ckd@eff.org (Christopher Davis) writes:

>Who said anything about breaking in?  Let's take a hypothetical case
>(NOT the Georgia case).

>Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some things
>there, that (while not horrendous top secret information) he'd rather
>keep out of the way of J. Random Luser.

>He runs COPS on the system (say, without the PW guesser, because that
>takes too damned long).  He finds that /var/spool is world-writable.  He
>reports this to the sysadmins, who fix it (hopefully ;-).

>Has he done anything wrong?  If he did it here, I'd be glad to hear it
>so I could fix it (though I run COPS, too...).

Yes, he has done something wrong.  Analogy is always suspect, but this
situation is awfully like wondering about your apartment house security --
and checking it out by trying to open all the doors and windows in the
building.  "I was just trying to see if they were locked" might well
be true, and you might have been careful not to actually enter the
apartments, but nonetheless you've done something wrong.  You've caused
the manager (sysop) to worry and expend effort unnecessarily.  You may
have also done similar to the other residents (users).

A far better method is to approach the sysop, tell him your concerns,
and state what you'd like to do.  He might surprise you in a number of
ways, by telling you:

  o  it's already done on a regular basis
  o  he'd be pleased for the help if you did it
  o  it's site policy *not* to do it

Deciding on your own to "test" the security of anything without the
co-operation of those responsible is an inherently suspicious act and
will forever make you a suspect should someone actually break in.  It's
just a bad idea.
-- 
  "If we don't provide support to our users someone is bound to
   confuse us with Microsoft."
	-- Charles "Chip" Yamasaki

rjones@baby.dsd.es.com (Ray Jones - Perp) (06/19/91)

In article <1991Jun18.033333.27450@aplcen.apl.jhu.edu>, jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) writes:
>Ok. How about if I drive around and test out the security systems of houses ?
>I check doors, see if I can open windows from the outside. I have a friend
>who has a set of lockpicks help me out. If I succeed in breaking in, I leave 
>a note letting you know that your security is poor. 
>	What you advocate with computers is exactly analogous to the above. I
>seriously doubt that you would condone such behaviour in my scenario. And if
>you do, you are plain foolish. 

	I'm afraid that they are not "exactly analogous"... A house
provides different things to the owner than a computer... Houses give
shelter and protection, both from the elements and from other
people, privacy and such... The problem when someone enters your house
sans permission is that if you had been at home you probably would
have suffered some physical harm, etc... (Assuming that the intruder
was doing it with malicious intent)...  A computer is a different
thing... It still provides privacy, etc... But someone breaking into
your system is not going to do you any physical harm...  The most you
lose is some data, and possibly cputime... It's what happens with that
data...

	If I wander around inside the building here, into a few
offices, etc.. Then I don't think I'm doing anything wrong (If I go
through someone's desk, then I am screwing up, since it is against
company policy...) If I give my badge (no keys here... Mag-strip
readers) to someone else on the outside... Who knows...

	If someone saw that we used badges here, and knew how to copy
them or forge them, did, and then went into the building and walked up
to security, and told them that they didn't really work there, and
explained what they had done, with an offer to show them how to fix it
so that it wouldn't happen again, I doubt the people at security would
pass up the help that person would be offering them... 

	Whether or not ANY analogy can even be applied to deciding
right or wrong in the case of password files, I think not... There
aren't enough things that match up... The effects, ideas are all
different than RL...
	
>Develop a sense of right and wrong.
>
>jarober@aplcen.apl.jhu.edu

	I have... I like mine, please don't give me yours... In my
opinion, yours is as useless to me as mine is to you... Please confine
your morals to yourself...

-- 
  "Don't do anything I wouldn't do.  And if you do, take pictures." -Al on QL
     "Zootlewurdle." -Marvin       "Sir, they're changing color." -Lt. Worf
			 "Not a problem." -Parker Lewis
     Ray Jones (Official Maintainer of Everything) rjones@dsd.es.com
	   Disclaimer : My employer doesn't know I post...

jona@iscp.Bellcore.COM (Jon Alperin) (06/19/91)

Well... how about the attitude....


If I run a system, then it is my responsibility to maintain security.
if you don't like the way I maintain it, then don't use my system,
or report your concerns to my boss (NOTE: THIS IS ONLY AN EXAMPLE,
NOT MY OPINION....).

I still believe that "logging in to a users account and sending them
mail from their own account" is not the proper way to inform someone of a
security hole. This is akin to removing all files on a system to show someone
that all files can be removed. Furthermore, if you are not the sysadmin
on that system, it is not your responsibility to insure that another
user has a good password. All you are responsible for is maintaining
your own password as being safe. How do you think the sysadmin is
going to react when a user tells him/her that "someone broke into my
account"? 

-- 
Jon Alperin
Bell Communications Research

---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona

* All opinions and stupid questions are my own *

sarima@tdatirv.UUCP (Stanley Friesen) (06/19/91)

In article <1991Jun17.200932.15889@jato.jpl.nasa.gov> dave@jato.jpl.nasa.gov writes:
>Sometimes that's pretty difficult...given that most of us citing aren't
>lawyers and don't have access to all the court precedents. 

Yes you do.  All court records are available on request to any US citizen.
This is what is meant by *public* records.

It just takes a little effort to go and get the appropriate records.

-- 
---------------
uunet!tdatirv!sarima				(Stanley Friesen)

gardner@ux1.cso.uiuc.edu (Mike Gardner) (06/19/91)

Try a different analogy.  You live in an apartment building with common
areas that are secured from the general public.  You have a right to be
in those common areas and to know that security is being enforced on
all entrances to those areas from the outside.   Your apartment and others
in the complex however are private.  In a multi-user computer system you
have much the same type of arrangement.  There are common areas that you
can both look into and make use of.  Each person also has private spaces.
Certainly you have valid concerns as to the security of the common areas
and of the complex as a whole.  The question is that while you are checking
the security of the commons, do you tread on the private areas of the
tenants and or of the people responsible for the system(apartment complex)?

If in the normal course of using the system, I am allowed to access
certain directories/files, then to say I should not be able to look at
the same directories/files for the purpose of evaluating the security of
the system is ludicrous.  I suspect that much of the reaction against
this sort of thing comes from sysadmins who are confusing the system commons
with their private space on the system.  If I don't belong looking at things,
then they don't belong where I can look at them.  

There is a difference here however when your looking adversely affects
the security of the system.  If you take information outside of the
system where others can get at it you are compromising system security.
You can't tell someone details about system security, pass around the
password file etc.  Checking to see if the outside doors are really locked
is pretty innocuous (unless you set off the alarm in the process).  
Looking at file permissions causes no harm to the system.  Attempting to 
hack another's password does.  Looking for stupid passwords falls somewhere
in between because cracking the password in itself does no harm, but
there you sit with the key to someone's space.  You then are a security
risk.  If your program could just say "I found another stupid password"
it would be safer.  This is the analogy of trying other peoples doors to
see if they are locked.  It's a pretty dangerous thing to do.

Just ask your sysadmin you say?  They are human too.  Some might rather lie
than tell you that they don't know their job.  
mgg
  CCC   SS   OO  University of Illinois, Computing Services Office
 C     S    O  O Michael G. Gardner, Assistant Director, 1122 DCL
 C       S  O  O 1304 W Springfield, Urbana, Il 61801
  CCC  SS    OO (217)244-0914   FAX (217)244-7089  gardner@ux1.cso.uiuc.edu 

ckd@eff.org (Christopher Davis) (06/19/91)

 Jon> == Jon Alperin <jona@iscp.Bellcore.COM> 

 Jon> If I run a system, then it is my responsibility to maintain security.

The users have no responsibility?  They don't need to keep their
passwords secret?  They don't need to keep their .login from being
world-writable?

 Jon> I still believe that "logging in to a users account and sending
 Jon> them mail from their own account" is not the proper way to inform
 Jon> someone of a security hole.

Agreed.  Unless it's a 'they left their terminal logged in for six hours
in the public cluster' case, where 'send themselves mail reminding them
to log out, then log them out' is probably a good response.  (That isn't
*logging in* as them, though.)

 Jon> This is akin to removing all files on a system to show someone
 Jon> that all files can be removed. Furthermore, if you are not the
 Jon> sysadmin on that system, it is not your responsibility to insure
 Jon> that another user has a good password.

Agreed.  Password crunching without prior arrangement (for things like
research on 'how many dictionary passwords there are on an undergrad
machine') should get smashed down hard.  Of course, if you can run
shadowing, you should.  [Even the sysadmin shouldn't ever have to run a
cruncher on any passwords; replace the 'passwd' program with the one
from _Programming Perl_, and let it check them while they're still
in plaintext.]

 Jon> All you are responsible for is maintaining your own password as
 Jon> being safe. How do you think the sysadmin is going to react when a
 Jon> user tells him/her that "someone broke into my account"?

Probably pretty badly.  How do you think the sysadmin is going to react
when someone says "Hey, Jim just broke root and nuked your account
because he doesn't like you.  Maybe you shouldn't have left /var/spool
world-writable."?

Again, we're not quite communicating here.  Someone else had the analogy
of an apartment building (or dorm) with common areas for "residents
only" and individual apartments as well.  (I used to live in one of
these; we each had a front door key *and* a room key.)

Should a resident report a broken front door lock to someone?  Yes.
Should a resident report it when there's a set of keys sitting in the
lounge, clearly marked "Master Keys"?  Yes.

Should the resident TRY or USE those keys?  HELL NO.

If the building had computer door locks, and the master computer lock
box was unlocked, should they report that?  Yes.
Should they play with it to see if they could unlock their friend's
room?  HELL NO.

System administrators should run COPS.  They should encourage the users
to run COPS (without permission; do you folks REALLY think the cracker
is going to ask permission?  The first you'll know about it is when the
crontab for 'rm -rf /' goes off...).  If the sysadmins are running it,
especially often, it won't matter if the users do.

The users should then GIVE THE RESULTS TO THE SYSADMINS.  Very simple.
This doesn't require exploiting any holes, or doing anything like that.
Simple REPORTING will suffice.  I think most sysadmins will realize that
mail saying "Hey, here's a COPS run, you might want to fix that
/var/spool problem" is something they should deal with...

There is a middle ground between "Let the sysadmin take care of it" and
"They're not doing anything, so I should become root and fix it."  It's
the "I'll watch for stuff, and I'll let them fix it" point.

--Chris
-- 
Christopher Davis <ckd@eff.org>   | ELECTRONIC MAIL WORDS OF WISDOM #5:
System Manager & Postmaster       |      "Internet mail headers are
Electronic Frontier Foundation    |       not unlike giblets."
+1 617 864 0665                   |        -- Paul Vixie <vixie@pa.dec.com>

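The check Chris Davis describes above (replace the passwd program with one that
inspects the candidate while it is still plaintext) and Mike Gardner's wish for
a program that can "just say I found another stupid password" amount to the same
design: judge password quality at the moment it is set, so nobody ever has to run
a cracker over the encrypted field. The Python below is an added illustration of
that idea and is not code from this thread, from COPS or from _Programming Perl_;
the user name, the sample passwords and the tiny word list are all constructed
here (a real deployment would load the system dictionary that spell(1) reads).

```python
"""Added example: a proactive password check run at passwd time, while the
candidate is still plaintext.  Not code from the thread, from COPS or from
_Programming Perl_; the word list is a constructed stand-in for the system
dictionary spell(1) reads."""
from typing import List, Set

# Constructed miniature of /usr/dict/words; a real deployment loads the full list.
WORDLIST: Set[str] = {
    "password", "secret", "welcome", "dragon", "letmein", "unix", "spring", "wizard",
}


def character_classes(candidate: str) -> int:
    """Count how many of lower, upper, digit, other appear in the candidate."""
    return sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])


def password_problems(username: str, candidate: str,
                      wordlist: Set[str] = WORDLIST) -> List[str]:
    """Return the reasons a candidate password should be refused (empty if none).

    Because the check sees the plaintext, it can refuse dictionary words,
    trivial variants (digits or punctuation bolted on, reversed spelling) and
    passwords built from the user name, without anyone running a cracker.
    """
    problems: List[str] = []
    low = candidate.lower()
    letters = "".join(c for c in low if c.isalpha())   # "Secret1!" -> "secret"
    uname = username.lower()

    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(candidate) < 3:
        problems.append("uses fewer than three character classes")
    if letters in wordlist or letters[::-1] in wordlist:
        problems.append("based on a dictionary word")
    if uname and (uname in low or uname[::-1] in low):
        problems.append("contains the user name")
    return problems


def check_and_report(username: str, candidate: str) -> str:
    """What the passwd program would print back: accepted, or the reasons."""
    problems = password_problems(username, candidate)
    if not problems:
        return "accepted"
    return "refused: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed user name and candidates; "edfoo" stands in for Mr. Edward Foo.
    samples = [("edfoo", "Secret1!"), ("edfoo", "oofde42"), ("edfoo", "Giblet-Header-7")]
    for user, pw in samples:
        print(f"{user} / {pw!r}: {check_and_report(user, pw)}")
```

The program only ever reports reasons, never a password it found, which is the
point Gardner makes: the checker holds no key to anyone's space. Shadowed
password files, which Davis also mentions, close the other half of the problem
by keeping the encrypted field away from the dictionary-matching described at
the top of the thread.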
jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) (06/19/91)

rjones@baby.dsd.es.com (Ray Jones - Perp) writes:

>	I'm afraid that they are not "exactly analogous"... A house
>provides different things to the owner than a computer... Houses give
>shelter and protection, both from the elements and from other
>people, privacy and such... The problem when someone enters your house
>sans permission is that if you had been at home you probably would
>have suffered some physical harm, etc... (Assuming that the intruder
>was doing it with malicious intent)...  A computer is a different
>thing... It still provides privacy, etc... But someone breaking into
>your system is not going to do you any physical harm...  The most you
>lose is some data, and possibly cputime... It's what happens with that
>data...

	What if it's a hospital computer that monitors vital life signs ? 
Even if it's only a BBS system, you are still wasting someone else's CPU
time for no good reason. Time and system resources are MONEY. Your actions
are costing someone dollars.


>	If I wander around inside the building here, into a few
>offices, etc.. Then I don't think I'm doing anything wrong (If I go
>through someone's desk, then I am screwing up, since it is against
>company policy...) If I give my badge (no keys here... Mag-strip
>readers) to someone else on the outside... Who knows...

No company I know of would view such behaviour as ok - most would view it as
improper at best. I consider it an invasion of privacy.

>	If someone saw that we used badges here, and knew how to copy
>them or forge them, did, and then went into the building and walked up
>to security, and told them that they didn't really work there, and
>explained what they had done, with an offer to show them how to fix it
>so that it wouldn't happen again, I doubt the people at security would
>pass up the help that person would be offering them... 

You obviously haven't dealt with security people before, or you would not
be making this statement. The above course of action might well get you
arrested. Without valid permission to be on site, you are trespassing. Where
I work, you would be charged and prosecuted for it. 


>	
>>Develop a sense of right and wrong.
>>
>>jarober@aplcen.apl.jhu.edu

>	I have... I like mine, please don't give me yours... In my
>opinion, yours is as useless to me as mine is to you... Please confine
>your morals to yourself...

From what I have read, you are AMORAL. Trespassing and violating my right to
privacy is not an alternate morality, it is the absence of one. Just because
you know HOW to take an action does not make it ok.

jarober@aplcen.apl.jhu.edu

otto@fsu1.cc.fsu.edu (John Otto) (06/20/91)

In article <W2B-QAN@cs.widener.edu>, brendan@cs.widener.edu (Brendan Kehoe) writes...
>ropg@ooc.uva.nl wrote:
>>Yeah, hang the hackers and even the students that just play around,
>>hang all those ugly 12 year olds that just walk through our 'heavy'
>>security. Why not hang kids that ring your bell and then run away

>>the government. Do NOT (I repeat NOT) try to learn something from the
>>structure of UNIX, in fact, give up C and program in COBOL only!

> While I don't agree with the result of GA's actions (although I'm
>glad to see the guy was only suspended, and not full-fledged expelled),
>I have to back them up on their original premise---if one of my users
>mailed my passwd file out to anyone, I wouldn't just pat him/her on
>the hand and say that they'd been bad.  I wouldn't drive them onto a
>cross either, though.

I'd like to see equal penalties for administrators who release information 
amongst their "colleagues" within the U.  I.e. if a student is suspended 
for releasing confidential information to people who should not have access 
to it, the registrar (e.g.) should be suspended for a like period for releasing 
confidential information to members of the U staff who have no need for 
that exact information in order to do their work, nor should the fact that 
said registrar (e.g.) organized his records in such a way that un-needed 
information was integral with needed information be reason for acquittal.

If university "policies" (and corporate "policies") provided symmetry in 
application and enforcement, I think a lot of people would be a lot happier 
and cooperative in efforts to develop and enforce such policies.

otto@fsu1.cc.fsu.edu (John Otto) (06/20/91)

In article <1991Jun13.114433.22530@rulway.LeidenUniv.nl>, crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes...
>In article <20740@slice.ooc.uva.nl> ropg@ooc.uva.nl (Rop Gonggrijp) writes:

>>crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:

>>>> What if a student runs cops on /etc/passwd... would this
>>>> be considered intent to break into a system and could he thus
>>>> be suspended?

>>>It could be, yes, because cops could be used to find passwords.
>>>However, you could write your own program that would do this.  If
>>>anyone would do this and uses or distributes the passwords, and it
>>>would come out (as it usually does) all bets are off: the person in
>>>question will be suspended and/or denied all access to computers.  YOU
>>>CAN GO TO JAIL even, nowadays, for such a stunt.

>I'm no lawyer, so this is the last I'm going to say about this: using
>or distributing passwords you've cracked can be prosecuted in a court
>of law, nowadays, and you can be punished for it (if the case holds,
>of course).  Whether actual jail term can be the result, I don't know,
>so I guess I shouldn't have specified that.

It's interesting that, in the Privacy Act of 1974 (not the Family Educ...)
the penalties for violation of a citizen's privacy by a govt agency 
(member) are merely very minor civil payments, and they can only be attained 
after all administrative remedies have been exhausted.  When the violating 
agency is the one setting its own administrative hearing processes (guided 
by the GSA), it's pretty plain to see that no one is going to have much of 
a chance to have his privacy respected by anyone in any government agency.

In my own experience, when I tried to go up the ladder within the U, I was 
greeted with more and more abusive examples of the same sorts of 
violations of my privacy which I had originally sought to bring to an end.
The attitude was that I was just a trouble-making cretin to bring up the 
matter and I should go back to good old (next person down in the 
hierarchy), lick his boots and ask for forgiveness.

jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/20/91)

jona@iscp.Bellcore.COM (Jon Alperin) writes:
> I still believe that "logging in to a users account and sending them
> mail from their own account" is not the proper way to inform someone of a
> security hole. This is akin to removing all files on a system to show someone
> that all files can be removed. 

  While no one here (that I know of) has "broken in" to an account to
show that it can be done (well, actually, I can think of ONE
exception!), generally, when people go away and leave themselves
logged in, the person who uses the workstation next will send them
mail, as well as copying to local bboard or two - so everyone knows!
The worst cases (things bordering on libel or slander, I would
imagine) are tracked down fairly easily.


----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries;   | "Words are drugs."           |
|  he knows how to turn serious accidents  |     -Antero Alli             |
|  to his own advantage; whatever does not |                              |
|  kill him makes him stronger."           | "Culture is for bacteria."   |
|                   - Friedrich Nietzsche  |     - Christopher Hyatt      |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/20/91)

jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) writes:
> From what I have read, you are AMORAL. Trespassing and violating my right to
> privacy is not an alternate morality, it is the absence of one. Just because
> you know HOW to take an action does not make it ok.

  While I agree that the poster was really naive, you, jarober, are
anything but a philosopher.  Certainly, AMORALITY is a sense of right
and wrong - in the sense that you have some ability (whether innate or
beaten into you by others) to verbally and physically state and act
upon a pattern of right and wrong with consistency.  Now, in your case,
there are certain things which are right (you feel ok doing them) and
certain things which are wrong (you don't feel ok doing them).  If I
am AMORAL, then I too have a pattern (everything is ok).  Now, this man
is not AMORAL, from what I have seen.  He just is a lot less uptight
than you.  It's like saying that it's ok to know how to rip off the
phone company (this means it's right) but it's not ok to rip off the
phone company (this means it's wrong).  See, obviously he has a sense
of right and wrong (assuming he subscribes to that belief).  

   Now, when I say "I have the right to check your doors and windows
to see if they will allow me to get in and not only that but I have a
right to get in and take things if I want and kill you if I want and
perhaps, if I feel like it, even drink all your Kool-Aid or
Coke-A-Cola or somesuch" THAT IS AMORALITY (a belief that there isn't
a valid line to draw in order to form the dialectic of right and
wrong).


----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries;   | "Words are drugs."           |
|  he knows how to turn serious accidents  |     -Antero Alli             |
|  to his own advantage; whatever does not |                              |
|  kill him makes him stronger."           | "Culture is for bacteria."   |
|                   - Friedrich Nietzsche  |     - Christopher Hyatt      |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) (06/20/91)

In article <wcLyktu00j5uI1oolE@andrew.cmu.edu> jb3o+@andrew.cmu.edu (Jon Allen Boone) writes:
>
>jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) writes:
>> From what I have read, you are AMORAL. Trespassing and violating my right to
>> privacy is not an alternate morality, it is the absence of one. Just because
>> you know HOW to take an action does not make it ok.
>
>  While I agree that the poster was really naive, you, jarober, are
>anything but a philosopher.  Certainly, AMORALITY is a sense of right
>and wrong - in the sense that you have some ability (whether innate or
>beaten into you by others) to verbally and physically state and act
>upon a pattern of right and wrong with consistency.  Now, in your case,
>there are certain things which are right (you feel ok doing them) and
>certain things which are wrong (you don't feel ok doing them).  If I
>am AMORAL, then I too have a pattern (everything is ok).  Now, this man
>is not AMORAL, from what I have seen.  He just is a lot less uptight
>than you.  It's like saying that it's ok to know how to rip off the

to say the least. I said amoral since he felt it was ok to go sniffing
around in other peoples property. Perhaps I flamed a bit too high, but I
do wonder where the original poster draws lines. 

jarober@aplcen.apl.jhu.edu

rjones@itchy.dsd.es.com (Ray Jones - Perp) (06/21/91)

In article <1991Jun20.050524.17458@aplcen.apl.jhu.edu>, jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) writes:
>In article <wcLyktu00j5uI1oolE@andrew.cmu.edu> jb3o+@andrew.cmu.edu (Jon Allen Boone) writes:
>>
>>jarober@aplcen.apl.jhu.edu (DE Robertson james an 740-9172) writes:
>>> From what I have read, you are AMORAL. Trespassing and violating my right to
>>> privacy is not an alternate morality, it is the absence of one.
>>>Just because 
>>> you know HOW to take an action does not make it ok.

	Like I said, this is your set of morals... In my set, if you
are not harming other people, then there is nothing wrong... Yes, it
does involve fairly complicated thinking sometimes, in order to decide
whether or not it is actually harming someone, but in many cases it is
easy to see that there is very little harm being done with a possibly
very large amount of harm being averted...  I don't believe in
trespassing as a general rule... But I would rush to a house if it
was on fire... Computers involve some slightly different thinking...

	As to the two examples I gave (walking around the office and
the badge/door locks)... I probably should have given some better ones...
For one thing, here there aren't always machines available in your
own office, so you just wander until you find one that has an
unoccupied one... The offices are all open (the cubicle type) and
there are no doors...

	And I have dealt with the security here before... That example
still holds, though for security types in general I have no idea... 

>>
>>  While I agree that the poster was really naive, [...]
	
	I think I just gave a bad example, but there is a possibility
that I am naive... What does that mean, anyway? :-)	


>I said amoral since he felt it was ok to go sniffing
>around in other peoples property. Perhaps I flamed a bit too high, but I
>do wonder where the original poster draws lines. 
	
	I never stated that at all...  I don't know where you got
that...  I stated it was ok to walk into the office... But here they
aren't exactly closed off from prying eyes... I can see over the
walls... So being in the office only changes my POV a little... But I
said I wouldn't go through the desks... Against company policy, and
what good am I going to be doing?  If I needed some serial number and
I knew the paper was on a co-worker's desk, I would have no qualms
about going and getting it... And when I need access to a program that
someone else has written, but they left locked, I will su to root and
get it... I don't go browsing through their News directory or anything


	I draw the lines in a very simple method... Greater Good,
Pleasure principle...  Read Mill for a more in depth explanation...

-- 
  "Don't do anything I wouldn't do.  And if you do, take pictures." -Al on QL
     "Zootlewurdle." -Marvin       "Sir, they're changing color." -Lt. Worf
			 "Not a problem." -Parker Lewis
     Ray Jones (Official Maintainer of Everything) tjones@peruvian.utah.edu
	   Disclaimer : My employer doesn't know I post...

jbw@maverick.uswest.com (Joe Wells) (06/21/91)

In article <1991Jun17.164943.8153@bellcore.bellcore.com> jona@iscp.Bellcore.COM (Jon Alperin) writes:

   In article <CKD.91Jun17111320@eff.org>, ckd@eff.org (Christopher Davis) writes:

   |> He runs COPS on the system (say, without the PW guesser, because
   |> that takes too damned long).  He finds that /var/spool is
   |> world-writable.  He reports this to the sysadmins, who fix it
   |> (hopefully ;-).

	   Um, why not just ask the system admins to insure that there are
   no world-writable file systems...that's their job, and not his to go
   snooping around.

Because the sysadmins in question are incompetent and/or lazy, and Mr. Foo
would like to encourage the sysadmins to enhance the security of the files
he is keeping on the system.

   Besides, the original poster referenced copying /etc/passwd to another
   system, cracking the password, logging in as that user, and then
   sending the user mail from their own account. This example is not even
   close...

This paragraph is missing the point; Chris is explaining why it is not a
bad idea to inspect the system for security holes.  He is not attempting
to justify mailing /etc/passwd (with encrypted passwords) to an outside
party.

   |> Perhaps the best way to respect the privacy and security of others
   |> is to make sure that privacy and security is better maintained.

     Yes, but breaking security is not the right way to insure that
   _privacy_ is maintained. If you want to break into your own account, be
   my guest.  Just don't ever screw with someone else's for the simple
   reason of _looking_ for security holes unless that is what you were
   specifically hired to do.

Mr. Foo was not breaking security.  Knowing about security holes is not
the same as using them.  Knowing someone has left the payroll (in cash)
lying on their desk is not the same as taking it.

It is especially important to understand that COPS does not do anything
unauthorized (except when checking passwords against a dictionary) in
finding the security holes.  It is mostly just using the Unix stat system
call.  If the user were unauthorized to use this system call, then it
would fail returning no information.  (On Unix you do this by putting the
file to be kept completely private inside a closed directory.)

(BTW, I am speaking from personal experience.  I know the incident to
which Chris Davis is referring.  We were there together, we watched it
happen.  I was (still am) authorized as root on the machine in question,
although my responsibilities were not (in theory, if not in practice)
system administration.)

-- 
Joe Wells <jbw@uswest.com>

jbw@maverick.uswest.com (Joe Wells) (06/21/91)

In article <1991Jun18.182241.21895@bellcore.bellcore.com> jona@iscp.Bellcore.COM (Jon Alperin) writes:

   If I run a system, then it is my responsibility to maintain security.
   if you don't like the way I maintain it, then don't use my system,
   or report your concerns to my boss (NOTE: THIS IS ONLY AN EXAMPLE,
   NOT MY OPINION....).

Well, obviously, you would maintain a high level of security.  But what if
the sysadmin is incompetent and/or lazy.  What if the sysadmin's boss
isn't accountable?  What if the boss of the sysadmin's boss is not a
person but a position that has been vacant for about a year.  What if the
person in the next level up the hierarchy is widely regarded as uncaring,
but is a *very good friend* of his/her boss?  Is the user supposed to shut
up and hope no one else uses the security holes to nuke the system?  Or to
plant trojan horses or backdoors?

-- 
Joe Wells <jbw@uswest.com>

jbw@maverick.uswest.com (Joe Wells) (06/21/91)

In article <FWP1.91Jun17194213@Jester.CC.MsState.Edu> fwp1@CC.MsState.Edu (Frank Peters) writes:

   : On 17 Jun 91 18:13:20 GMT, ckd@eff.org (Christopher Davis) said:

   > He runs COPS on the system (say, without the PW guesser, because that
   > takes too damned long).  He finds that /var/spool is world-writable.  He
   > reports this to the sysadmins, who fix it (hopefully ;-).

   I'd suggest that Mr. Foo ask his system administrator to run cops.  Or, if
   the administrator refuses/claims not to have time, he should ask permission
   to run cops before he does it.  

   Often, if the user asks he/she will find that the administrator already
   runs cops periodically.  I do but I doubt many of my users know that.

COPS was being run on the system in question.  Its output was routinely
ignored.  I know because I received the report every day in the mail and
it didn't get any shorter, until I decided to do much more work than I was
being paid for and one by one closed the reported holes or verified that
they were harmless.

   If both efforts fail then he should take the issue of security up with the
   administrator's superior.  If all of these efforts fail then your post might
   have relevance.

Two possibilities here:

1) Mr. Foo goes to the sysadmin's superior without a COPS report in hand.
   The sysadmin's superior laughs at Mr. Foo because he/she has full
   confidence that the sysadmin has taken security well in hand.

2) Mr. Foo goes to the sysadmin's superior and demonstrates that there are
   serious security problems by displaying the COPS report.  Mr. Foo is
   then immediately kicked off the system as a "security threat".

Unfortunately, your suggestion doesn't work.

   In my experience, most administrators don't mind security conscious users.
   What they generally do mind is finding users who are 'evaluating' the system's
   security without prior consultation.

You mean they mind users embarrassing them by showing that they aren't
doing their job?

-- 
Joe Wells <jbw@uswest.com>

jbw@maverick.uswest.com (Joe Wells) (06/21/91)

In article <scs.677255384@wotan.iti.org> scs@iti.org (Steve Simmons) writes:

   ckd@eff.org (Christopher Davis) writes:

   >Mr. Edward Foo has an account on vax99.big-u.edu.  He keeps some things
   >there, that (while not horrendous top secret information) he'd rather
   >keep out of the way of J. Random Luser.

   >He runs COPS on the system (say, without the PW guesser, because that
   >takes too damned long).  He finds that /var/spool is world-writable.  He
   >reports this to the sysadmins, who fix it (hopefully ;-).

   >Has he done anything wrong?  If he did it here, I'd be glad to hear it
   >so I could fix it (though I run COPS, too...).

   Yes, he has done something wrong.  Analogy is always suspect, but this
   situation is awfully like wondering about your apartment house security --
   and checking it out by trying to open all the doors and windows in the
   building.

A much better analogy is using a telescope to do the inspection.

   "I was just trying to see if they were locked" might well
   be true, and you might have been careful not to actually enter the
   apartments, but nonetheless you've done something wrong.

In the Unix world, there is the equivalent of a big sign on each file that
either says "You have permission to access me" or "You do not have
permission to access me".  The sign is posted in full view for all to
read.  Mr. Foo has done the equivalent of reading this sign.

   You've caused the manager (sysop) to worry and expend effort
   unnecessarily.

Indeed, the sysadmin unnecessarily expended effort in disabling Mr. Foo's
account.  Unfortunately, the sysadmin did not expend the *necessary*
effort to close the holes revealed by the COPS report.

   A far better method is to approach the sysop, tell him your concerns,
   and state what you'd like to do.  He might surprise you in a number of
   ways, by telling you:

     o  it's already done on a regular basis

It was; the output was routinely ignored.

     o  he'd be pleased for the help if you did it

He/she wouldn't.  He/she doesn't like users showing him/her up.

     o  it's site policy *not* to do it

It was not a violation of site policy.  Here's the most relevant excerpt:

    You are also encouraged to report any information relating to a flaw
    in, or bypass of, computer facilities security.

   Deciding on your own to "test" the security of anything without the
   co-operation of those responsible is an inherently suspicious act and
                         ^^^^^^^^^^^

Or unresponsible?

   will forever make you a suspect should someone actually break in.

Which wouldn't be a problem if there were any real due process involved.

-- 
Joe Wells <jbw@uswest.com>
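The "sign on each file" above, and Joe Wells's earlier point that COPS gathers most of its report with the stat system call and that a file inside a closed directory yields no information at all, can be shown with a short script. This is an added example, not COPS and not code from any poster in this thread. It builds a constructed sample tree in a temporary directory (the names spool, tmp, pub, home, private and secret are invented), reports world-writable objects the way a COPS-style check would, and records what it could not even stat. Treating a world-writable directory that carries the sticky bit (such as /tmp) as acceptable is this example's own choice, not a statement about what COPS did.

```python
"""
COPS-style permission audit using nothing but lstat(2).

Added example, not COPS and not code from the thread.  It walks a
constructed sample tree, reports world-writable files and world-writable
directories that lack the sticky bit (sticky dirs such as /tmp are taken
as acceptable here; that is this example's assumption), and records paths
whose metadata could not be read because a parent directory is "closed"
(no search permission).
"""
import os
import stat
import tempfile


def can_stat(path):
    """True if lstat(2) on path succeeds for the calling user.

    EACCES means a directory on the way denies search permission, so not
    even the existence of the file is disclosed.
    """
    try:
        os.lstat(path)
        return True
    except PermissionError:
        return False


def audit(root):
    """Return (findings, hidden): sorted (path, reason) pairs for
    world-writable objects, and sorted paths the walk could not read."""
    findings = []
    hidden = []

    def note_error(err):            # os.walk could not list this directory
        hidden.append(err.filename)

    for dirpath, dirnames, filenames in os.walk(root, onerror=note_error):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except PermissionError:
                hidden.append(path)
                continue
            if stat.S_ISLNK(mode):  # a symlink's own mode bits mean nothing
                continue
            if not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode):
                if not mode & stat.S_ISVTX:
                    findings.append((path, "world-writable directory without sticky bit"))
            else:
                findings.append((path, "world-writable file"))
    return sorted(findings), sorted(hidden)


def build_sample_tree(base):
    """Create the constructed sample tree (invented names, not a real system)
    and return the path of the closed directory."""
    def mkdir(rel, mode):
        path = os.path.join(base, rel)
        os.makedirs(path)
        os.chmod(path, mode)        # explicit modes so the umask does not matter
        return path

    def touch(rel, mode):
        path = os.path.join(base, rel)
        open(path, "w").close()
        os.chmod(path, mode)
        return path

    mkdir("spool", 0o777)           # the /var/spool case from the thread
    mkdir("tmp", 0o1777)            # world-writable but sticky: not reported
    mkdir("pub", 0o755)
    touch("pub/notes.txt", 0o666)   # world-writable file
    mkdir("home", 0o755)
    mkdir("home/me", 0o755)
    touch("home/me/.plan", 0o644)
    private = mkdir("private", 0o700)
    touch("private/secret", 0o600)
    os.chmod(private, 0o000)        # close the directory after populating it
    return private


def demo():
    """Build, audit and tear down the sample tree.  Returns
    (findings, hidden, secret_visible) with paths relative to the root."""
    with tempfile.TemporaryDirectory() as base:
        private = build_sample_tree(base)
        try:
            findings, hidden = audit(base)
            secret_visible = can_stat(os.path.join(private, "secret"))
        finally:
            os.chmod(private, 0o700)  # reopen so the cleanup can delete it
        rel = lambda p: os.path.relpath(p, base)
        return ([(rel(p), why) for p, why in findings],
                [rel(p) for p in hidden], secret_visible)


def is_root():
    """Root bypasses mode bits, so the closed directory hides nothing from it."""
    return os.geteuid() == 0


if __name__ == "__main__":
    found, unreadable, visible = demo()
    for path, why in found:
        print(f"{why}: {path}")
    for path in unreadable:
        print(f"could not read: {path}")
    print("private/secret visible to this user:", visible)
```

Run as an ordinary user, the report names spool and pub/notes.txt, lists private as unreadable, and cannot stat private/secret at all: the mode bits are the "sign", and a closed directory is the one way Unix withholds even the sign. Nothing in the walk writes, opens or executes anything.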

fwp1@CC.MsState.Edu (Frank Peters) (06/21/91)

: On 21 Jun 91 03:21:01 GMT, jbw@maverick.uswest.com (Joe Wells) said:

>    If both efforts fail then he should take the issue of security up with the
>    administrator's superior.  If all of these efforts fail then your post might
>    have relevance.

> Two possibilities here:

> 1) Mr. Foo goes to the sysadmin's superior without a COPS report in hand.
>    The sysadmin's superior laughs at Mr. Foo because he/she has full
>    confidence that the sysadmin has taken security well in hand.

> 2) Mr. Foo goes to the sysadmin's superior and demonstrates that there are
>    serious security problems by displaying the COPS report.  Mr. Foo is
>    then immediately kicked off the system as a "security threat".

> Unfortunately, your suggestion doesn't work.

Well, if nobody in the chain of responsibility is willing to discuss the 
issue rationally with you then you really don't have any choice but to 
accept the situation or find another system.  Anything you do in this
direction becomes pointless in the face of an administration that won't 
be reasonable.

Any useful security effort requires the cooperation and tolerance of the
administrator (or his boss...or her boss...or SOMEBODY in the chain).  And
my comments were intended to encourage that cooperation where it can reasonably
be achieved.  If the cooperation of administration cannot be achieved then
ANY ideas are useless.

>    In my experience, most administrators don't mind security conscious users.
>    What they generally do mind is finding users who are 'evaluating' the system's
>    security without prior consultation.

> You mean they mind users embarrassing them by showing that they aren't
> doing their job?

How on earth did you reach that interpretation??

What they mind (the reasonable ones...the only ones worth discussing) is
finding people poking at their security without any way of knowing whether
they are innocently testing or cracking.  

No sane system administrator is convinced of the security of his or her
system no matter how much time s/he spends on it.  There is always the
possibility of that one missed hole.  So any sane administrator MUST
be concerned about all unauthorized prodding of the systems security.

So the only really rational choices are:

1.  Accept that the administrator knows how to manage security.

2.  Get permission to poke at security.  Go through as many levels
    as necessary to do so.

3.  Poke at security and accept the consequences if caught.

4.  Use the system but don't trust its security (don't put critical files
    on the system and so on).

5.  Abandon the system and find computing resources elsewhere.


I really cannot see any meaningful alternatives outside of these.  And
insulting administrators or users isn't going to create any.

Frank

jona@iscp.Bellcore.COM (Jon Alperin) (06/21/91)

Joe,

I just noticed your internet address (USWEST) so look at this security issue
in two other lights...


If you were joe average user, and provided computing resources to do your
job (which was in no way related to sysadmin), then there is no reason
for you to look for holes in the system. Since you are responsible for 
producing some amount of work, your security concerns should go to your boss
and the boss of the sysadmin. Friendship issues aside, I can think of no one
these days at a management level who does not take security seriously.

Second, from a telco point of view, you do not want other users tapping
into phone lines just to show that the telephone company has security
holes. One would hope (:-{) that a private network user would present their
concerns to the telco (who is being paid by this customer) rather than 
attempt to "break their system" (The ppsn, ss7 net, etc.) just to show the
telco that security holes exist. THIS "BREAK & SHOW" IS NOT A GOOD POLICY
IN ANY CASE. 
-- 
Jon Alperin
Bell Communications Research

---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona

* All opinions and stupid questions are my own *

marchany@vtserf.cc.vt.edu (Randy Marchany) (06/21/91)

In article <JBW.91Jun20202101@maverick.uswest.com> jbw@maverick.uswest.com (Joe Wells) writes:
>
>   In my experience, most administrators don't mind security conscious users.
>   What they generally do mind is finding users who are 'evaluating' the system's
>   security without prior consultation.
>
>You mean they mind users embarrassing them by showing that they aren't
>doing their job?
>

Really now. This whole issue has gone far enough. There is NO problem
with users "checking" system security IF they advise the sysadmin BEFORE
they do it AND, I repeat, AND it is permissible under the site's
existing policy. In fact, most sites' policies will/should deal with
this scenario.  Sending a note IN ADVANCE to the sysadmin is 1) COMMON
COURTESY 2) CYA with the sysadmin 3) PREVENTS misunderstandings.
To use an oft-quoted analogy, if someone comes up to me and says, "hey,
I'm going to check the security of this building" BEFORE they do it, I
would feel more comfortable. A good working environment requires GOOD
communication between sysadmin and users. 
The tone of a lot of the notes on this topic has been quite adversarial
(users vs. them (sysadmin, administrators, etc.)). Come on, most sysadmins
are not ogres, incompetent boobs or paranoid bozos. Most sysadmins
were "users" before they became sysadmins and were probably "hackers"
themselves.

The IETF working group on Site Security Policies specifically mentions
that individual sites need to make a decision on how to handle "tiger
teams" (after all, this is really what this particular discussion has
been about... a tiger team of 1). SO, if it's permitted under a site's
policy, then this discussion has reached its logical conclusion and
if it's not permitted under a site's policy then this discussion has
reached its logical conclusion.

	-Randy Marchany	

"my opinions are my own"

jbw@maverick.uswest.com (Joe Wells) (06/25/91)

In article <1991Jun21.124808.19830@bellcore.bellcore.com> jona@iscp.Bellcore.COM (Jon Alperin) writes:

   I just noticed your internet address (USWEST) so look at this security
   issue in two other lights...

Sorry, the incident I describe took place elsewhere.  To make things more
clear, I had root privilege on the machine in question, although who was
"in charge" of the machine can be seen several ways (not me in any case,
it is a matter of departmental struggle).

   If you were joe average user, and provided computing resources to do your
   job (which was in no way related to sysadmin), then there is no reason
   for you to look for holes in the system.

So you're saying the average user has no interest in improving the
security of the system?

   Since you are responsible for producing some amount of work, your
   security concerns should go to your boss and the boss of the sysadmin.
   Friendship issues aside, I can think of no one these days at a
   management level who does not take security seriously.

I agree with you in the case of a large company that takes security
seriously (as all do).  However, there seems to be an attempt (not just by
you but by others in this newsgroup) to categorically deny the possibility
that a user should do his own security investigations.  What if the
company is a start-up and things are chaotic because of intense pressure?
What if the system administrator(s) are too busy, or have many other
responsibilities in addition to system administration?  I do not make any
claim about whether these are likely scenarios, merely that they occur and
in such situations it is everyone's duty to worry about security (although
many will not have the time).

   Second, from a telco point of view, you do not want other users tapping
   into phone lines just to show that the telephone company has security
   holes.  One would hope (:-{) that a private network user would present
   their concerns to the telco (who is being paid by this customer) rather
   than attempt to "break their system" (The ppsn, ss7 net, etc.) just to
   show the telco that security holes exist.  THIS "BREAK & SHOW" IS NOT A
   GOOD POLICY IN ANY CASE.  -- Jon Alperin Bell Communications Research

This might be a good response to another post, but it bears little
relevance to mine.  The incident cited was not a "break & show" incident,
but instead solely a "show" incident.  The user in question did not do
anything unauthorized or in any way forbidden while running the program
which developed the list of problems, which was quickly sent to the system
administrators so they could correct the problems (which, incidentally,
they did not ...).

-- 
Joe Wells <jbw@uswest.com>