[comp.admin.policy] System admins looking for scapegoats

jack@cwi.nl (Jack Jansen) (06/13/91)

The thing that really bothers me in the discussion about suspending
students that give away password files and the like is the shoot-the-
messenger mentality that a lot of sys admins seem to have. This surfaced
before in the Morris case, by the way, and is again very obvious in
numerous articles on this case.

True, students who mail out password files or write internet worms
should receive some punishment, but the main part of the blame lies
with the administrators. If I leave my bike unlocked and you nick it
you are guilty, but so am I.

Incidents like this are going to continue forever if the only answer
the sysadmins can come up with is punishing the perpetrator. The
*real* problem, imho, lies in the fact that a lot of people refuse
to see that the internet is a potentially hostile place, and that you
should take some measures to protect yourself. Failing to do so and
punishing students only buys you a false sense of security. After
all, don't expect the KGB (oops, outdated enemy.... uhm... well, whoever)
to make the same dumb mistakes as your undergrads do.
-- 
A people that yields to tyrants       | Oral:     Jack Jansen
will lose more than life and goods    | Internet: jack@cwi.nl
then the light goes out               | Uucp:     hp4nl!cwi.nl!jack

russell@ccu1.aukuni.ac.nz (Russell J Fulton;ccc032u) (06/14/91)

jack@cwi.nl (Jack Jansen) writes:

>The thing that really bothers me in the discussion about suspending
>students that give away password files and the like is the shoot-the-
>messenger mentality that a lot of sys admins seem to have. This surfaced
>before in the Morris case, by the way, and is again very obvious in
>numerous articles on this case.

>True, students who mail out password files or write internet worms
>should receive some punishment, but the main part of the blame lies
>with the administrators. If I leave my bike unlocked and you nick it
>you are guilty, but so am I.

It is not the sysadmin who is at fault here but the vendor who supplied
the UNIX system. Many (maybe most?) UNIX systems still store the encrypted
passwords in the /etc/passwd file regardless of the fact that, with today's
powerful processors and fast crypt functions, this is a well known
problem, with an equally well known solution (shadow password file).

From the sysadmin's point of view, s/he is stuck with trying to maintain
an inherently insecure system. So you have to formulate a set of guidelines
for your users to observe. These *should* be widely circulated. What we do
is print them on the back of the user registration form. (By signing the
form the user explicitly agrees to abide by the guidelines.) And you have
to be prepared to enforce it.

I also take issue with your analogy of the bicycle. The student is part
of the University community. A better analogy is a child who steals from
his/her parents (or in this case deliberately leaves a window open for
a burglar).

One thing that sysadmins can and should do is put pressure on vendors
of UNIX systems to implement known fixes to known problems. 

Russell.
-- 
Russell Fulton, Computer Center, University of Auckland, New Zealand.
<rj_fulton@aukuni.ac.nz>

dave@jato.jpl.nasa.gov (Dave Hayes) (06/14/91)

jack@cwi.nl (Jack Jansen) writes:

>Incidents like this are going to continue forever if the only answer
>the sysadmins can come up with is punishing the perpetrator.

I'd like to add to this that "punishment" should serve some sort of purpose
other than to make the victims feel happy. 

-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov       dave@jato.jpl.nasa.gov           ames!elroy!dxh

A person was frighteningly ugly. Once he was asked how could he go on
living with such a terrible face. "Why should I be unhappy?", answered
the man. "I never see my own face; let others worry."

jet@karazm.math.uh.edu (J Eric Townsend) (06/15/91)

In article <3689@charon.cwi.nl> jack@cwi.nl (Jack Jansen) writes:
>True, students who mail out password files or write internet worms
>should receive some punishment, but the main part of the blame lies
>with the administrators. If I leave my bike unlocked and you nick it
>you are guilty, but so am I.

Oh, bullshit.  Guilty of what?  What crime?  You might not get much
sympathy, but it's certainly not against the law.  If a person
sees your unlocked bike and tells their friend the bicycle thief,
then both of them have committed a crime. You have not.

>should take some measures to protect yourself. Failing to do so and

I do.  But I'm not omnipotent.  I can only plug holes that I know about.

--
J. Eric Townsend - jet@uh.edu - bitnet: jet@UHOU - vox: (713) 749-2126
Skate UNIX! (curb fault: skater dumped)

   --  If you're hacking PowerGloves and Amigas, drop me a line. --

spel@hippo.ru.ac.za (Dr. Eberhard W. Lisse) (06/15/91)

In <3689@charon.cwi.nl> jack@cwi.nl (Jack Jansen) writes:

>The thing that really bothers me in the discussion about suspending
>students that give away password files and the like is the shoot-the-
>messenger mentality that a lot of sys admins seem to have. This surfaced
>before in the Morris case, by the way, and is again very obvious in
>numerous articles on this case.

>True, students who mail out password files or write internet worms
>should receive some punishment, but the main part of the blame lies
>with the administrators. If I leave my bike unlocked and you nick it
>you are guilty, but so am I.

Wrong!

He is guilty, you are plain stupid! :-)-O They won't send you to jail
for it, just give the other guy extenuating circumstances.


>Incidents like this are going to continue forever if the only answer
>the sysadmins can come up with is punishing the perpetrator. The
>*real* problem, imho, lies in the fact that a lot of people refuse
>to see that the internet is a potentially hostile place, and that you
>should take some measures to protect yourself. Failing to do so and
>punishing students only buys you a false sense of security. After
>all, don't expect the KGB (oops, outdated enemy.... uhm... well, whoever)
>to make the same dumb mistakes as your undergrads do.

Having followed this thread now for quite a while, I keep wondering, why
are so many people whining? Even dumb medical students in a backwater
(computer science wise [if they read that in Aachen, they will kill me
:-)-O]) German university five years ago knew exactly that you can play
around as much as you like; if you damage anything, they will explain; if
they catch you attacking the system, they will read the riot act.

If computer science majors or even post graduates in the USA tell me,
sorry, we didn't know /etc/passwd can be cracked, nobody in his right
mind should believe them. Similar things go for applying for accounts
under false names and other things.

They all whined AFTER they got caught doing something illegal or
obnoxious. The idea is not to do anything the law, policy or the
overworked system admins allow one to do and then claim due process.

I have dealt with pretty stupid system administrators, one or two being
downright obnoxious. But whatever happened, if you went there in person
and bothered them long enough in their office they would stop giving you
the runaround and fix it. Phoning isn't good enough. Running a big box
with something like 5000 active users would drive me crazy just from
fixing honest mistakes ('Oops, here goes rm -rf!', 'mail to root: where
are my files?', or 'what did this computer do to my files?').


I run COPS occasionally and recently found /etc/passwd being world
WRITEABLE. So of course I immediately reported this to our system
administrators. (They are incredibly helpful. Being 3000 km from this
system, I have not even needed to use the phone when I had a problem.)

regards, el

ps: comments on my use of English, vi, knowledge or experience to
/dev/null (saves bandwidth), flames (please, and be aggressive :-)-O) by
email to this address.
--
Dr. Eberhard W. Lisse       (spel@hippo.ru.ac.ZA)
Katatura State Hospital     (formerly extel@quagga.ru.ac.za)
Private Bag 13215           (Real Soon Now ...  el@lisse.NA)
Windhoek, Namibia           (no FTP yet. [This is Africa :-)-O])
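Picking up Russell's point that many systems keep the encrypted passwords in a world-readable /etc/passwd, and el's COPS run that turned up a world-writable one, here is an added example that is no poster's code and not part of COPS: a small POSIX shell audit that reports a group/other-writable passwd file and any account whose hash still sits in the passwd file instead of a shadow file. The placeholder conventions it assumes for the hash field (`x`, `*`, `!...`) are typical of later UNIX systems and are not something the thread states.

```shell
#!/bin/sh
# Added example (not from any poster): audit a passwd-format file for the
# two conditions discussed in the thread.
#   - WRITABLE: the file is writable by group or others, so any local user
#     could edit accounts (the COPS finding above).
#   - HASH:     the second field still holds a real hash, i.e. it has not
#     been moved to a shadow file and is readable by every local user.
#   - NOPASS:   the second field is empty (no password at all).
# Assumed placeholders (not stated in the thread): "x" = hash lives in the
# shadow file; "*" or "!..." = login disabled.
# Prints one line per finding; returns 1 if anything was found, else 0.

check_passwd_file() {
    pw="$1"
    rc=0

    # Mode string from ls -l, e.g. "-rw-r--r--": group write is column 6,
    # other write is column 9.
    mode=$(ls -ld "$pw" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] || \
       [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
        printf 'WRITABLE: %s is writable by group/other (%s)\n' "$pw" "$mode"
        rc=1
    fi

    # Walk the seven-field passwd records and classify the hash field.
    findings=$(awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        $2 == "" { print "NOPASS: " $1 " has an empty password field"; next }
        $2 == "x" || $2 == "*" || $2 ~ /^!/ { next }      # placeholder, fine
        { print "HASH: " $1 " keeps its password hash in the passwd file" }
    ' "$pw")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./audit.sh /etc/passwd   (read-only, it only reports)
if [ "${1:-}" != "" ]; then
    check_passwd_file "$1"
fi
```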

jack@cwi.nl (Jack Jansen) (06/20/91)

Well, I should really have let this go by, but I can't:

jet@karazm.math.uh.edu (J Eric Townsend) writes:

>In article <3689@charon.cwi.nl> jack@cwi.nl (Jack Jansen) writes:
>>True, students who mail out password files or write internet worms
>>should receive some punishment, but the main part of the blame lies
>>with the administrators. If I leave my bike unlocked and you nick it
>>you are guilty, but so am I.

>Oh, bullshit.  Guilty of what?  What crime?  You might not get much
>sympathy, but it's certainly not against the law.

Actually, here in Holland it is. I can't remember the exact reasoning,
but it is something like 'failing to take the necessary precautions
to protect your property'.
-- 
A people that yields to tyrants       | Oral:     Jack Jansen
will lose more than life and goods    | Internet: jack@cwi.nl
then the light goes out               | Uucp:     hp4nl!cwi.nl!jack