Xref: utzoo alt.security:1520 alt.bbs:2910 comp.unix.sysv386:311
Path: utzoo!utgpu!cs.utexas.edu!samsung!emory!rsiatl!jgd
From: jgd@rsiatl.UUCP (John G. DeArmond)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <3979@rsiatl.UUCP>
Date: 13 Sep 90 04:10:05 GMT
References: <22@tdw205.ed.ray.com>
Followup-To: alt.security
Organization: Radiation Systems, Inc. (a thinktank, motorcycle, car and gun works facility)
Lines: 55

heiser@sud509.ed.ray.com (Bill Heiser - Unix Sys Admin) writes:

>A *ix sysop I communicate with recently told me that he'd caught one of
>his "shell-access" users downloading *ix binaries.

>As far as I can see, we either have to trust the users that we give
                                        ^^^^^^^^^^^^^^^
>shell access to, or make kermit/sz, etc unavailable to them.

The answer is in your post. We have none of that problem here. Of
course, we choose our users fairly carefully and have in place a
first-offense-termination rule.

Even if you removed all file transfer programs and the development
tools, it would only take an experienced Unix programmer a little while
to hack together an elementary transfer program using awk, sed, ed or
any of a number of other tools. Technology will never solve problems of
inferior ethics.

A method of self-policing in regards to the quality of articles posted
from this site might work for you. We have a pretty liberal posting
policy and rely primarily on peer pressure for quality control. One
mechanism is that we have a local newsgroup, rsi.postings, that receives
a copy of all locally posted articles. The knowledge that everybody on
the system sees all posts regardless of the original newsgroup is
sufficient peer pressure that we've never had a problem. You could
probably do something similar by hacking the source to sz and kermit to
post the name of the user and the name of the file transferred to a
local newsgroup.

One other thing we have is a custom-written getty that logs all
keystrokes received during the login process to an external device via a
physically one-way path. This is designed to alert us to users who would
play around with password guessing and/or crackers who try the system.
We make the existence of this system very public which serves as a
deterrent.

I firmly believe that if one removes the barriers to a system that
represent challenges, the incentive to misbehave is removed for most
people. And you simply eliminate the small subset that do misbehave.

If you really wanted to try a technology solution, one would be to
carefully restrict the permissions on binaries to execute-only. I say
"carefully" because you may break a number of scripts that rely on being
able to test the readability of files to verify their existence.

John

--
John De Armond, WD4OQC  | We can no more blame our loss of freedom on congress
Radiation Systems, Inc. | than we can prostitution on pimps.  Both simply
Atlanta, Ga             | provide broker services for their customers.
{emory,uunet}!rsiatl!jgd| - Dr. W Williams |                **I am the NRA**
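
The execute-only suggestion in the post above, as an added example that is not part of the original post: a dry-run audit that prints which world-readable executables could lose read permission and which scripts need review first because they use `-r` tests. It assumes ELF binaries (a 1990 System V system would have a different magic number); `magic4` and `plan_exec_only` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run: prints a plan and
# changes nothing.
# Assumption: compiled binaries are ELF ("\177ELF" magic).

# Print the first four bytes of FILE as text, e.g. "177ELF" or "#!/b".
magic4() {
    head -c 4 "$1" 2>/dev/null | od -An -c | tr -d ' \n'
}

# For every file under DIR that "other" can both read and execute:
#   compiled binary -> suggest removing world read (execute-only)
#   script          -> never strip read (the interpreter has to open the
#                      file); flag it if it uses [ -r ... ] / test -r,
#                      which may fail once its targets are execute-only
plan_exec_only() {
    find "$1" -type f -perm -0005 | sort | while IFS= read -r f; do
        case "$(magic4 "$f")" in
            177ELF)
                echo "chmod o-r $f"
                ;;
            '#!'*)
                # grep -c exits 1 on zero matches, so guard it with || true.
                n=$(grep -c -E '(\[|test)[[:space:]]+-r[[:space:]]' "$f" || true)
                if [ "$n" -gt 0 ]; then
                    echo "review $f: $n readability test(s) may break"
                else
                    echo "skip $f (script: interpreter must read it)"
                fi
                ;;
            *)
                echo "skip $f (unrecognised format)"
                ;;
        esac
    done
}
```

Group read bits are left alone; whether shell-access users share a group with the file owner is a site decision.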