db@argon.Eng.Sun.COM (David Brownell) (06/13/91)
In article <1991Jun12.141657.29238@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
> A few people here have been advocating the strange idea that UNIX users
> have a moral right to obtain each other's passwords using COPS.

Actually, I didn't read their comments that way. I read them as criticisms of a prior restraint policy, which prejudged those users as "guilty" of some unspecified (but dire) crime.

The subject line is curious ... it addresses "students" as if they are different from the "users" discussed in the rest of the note. A University official might be able to claim that she was acting in loco parentis for SOME students; not for all, and at many sites not even enough to support this as general rationale.

If your site wants to make password guessing attacks difficult, it should use shadow (adjunct) password files, and require users to change their passwords relatively frequently.

> (3) Do users of our computer have a basic civil right to run any software
> they want to?

Depends. If they entered a contract with your organization in which they explicitly gave up such a right, they may not have one. The only laws I know about pertain to actually causing damage. Your example is prior restraint of behaviour that in itself is not damaging.

In educational environments I'm familiar with, there are multiple kinds of accounts on timesharing systems ... some have restrictions like "class work only", some have no restrictions, and some are for "educational" use. Only that "class work only" restriction precludes students running cryptanalysis programs; and if they were taking a cryptography course, not even then.

I think it's quite appropriate that students explore social issues like "how do the social values and social costs of providing various kinds of security differ in this computer system?". They learn a lot when they notice that "security" means different things to different people, what the hot buttons are for different personality types, and that there's often an asymmetric cost/benefit matrix. If not in school, when are they allowed to start finding these things out?

Also, it strikes me as counterproductive to claim (one side of the mouth) that your computer is secure, and also (other side of mouth) that your user community should not be able to evaluate those claims for itself.

"Trust me, I'm from the government." No thanks.

- Dave
#include <std/disclaimer.h>