Xref: utzoo comp.org.eff.talk:2599 comp.admin.policy:414 Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!munnari.oz.au!uniwa!DIALix!metapro!bernie From: bernie@metapro.DIALix.oz.au (Bernd Felsche) Newsgroups: comp.org.eff.talk,comp.admin.policy Subject: Re: Student suspended for distributing /etc/passwd Message-ID: <1991Jun12.020800.25985@metapro.DIALix.oz.au> Date: 12 Jun 91 02:08:00 GMT References: <31124@hydra.gatech.EDU> Followup-To: comp.org.eff.talk Organization: MetaPro Systems, Perth, Western Australia Lines: 69 In <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes: [ quoting from a ga newsgroup ] >Two points that everyone may need to be reminded of: >(1) Unauthorized computer use is a felony under Georgia law (which is >about to become even stricter, on this point, than it is already). >(2) We cannot presume that any intruder is harmless. To keep the machine >safe for everyone, we have to presume that every unauthorized user intends >something destructive. It's very common for an intruder to say "I meant no >harm" when in fact a transcript of his session shows that he was trying to >crash the machine or delete people's files. >---------------------------------------------------------------- [ end partially quoted quote ] >What if a student runs cops on /etc/passwd... would this >be considered intent to break into a system and could he thus >be suspended? Is there reasonable proof that it was the particular _natural_ person who mailed the file? It is possible for a cracker to login as the accused and mail the passwd file. IMHO this leaves the situation wide open, in terms of "reasonable doubt". There is usually no _evidence_ which points the finger at the natural person, only his account. Is a student therefore guilty of the felony, simply because of a bad choice of password? The big-brother tactics of watching everything that everybody does would no doubt restrict creative experimentation. I'd say it's counter to the aims of an institution that calls itself a University. Also, how can one be sure that the logs used as "evidence" have not been fabricated or forged? How did they find out that /etc/passwd was being mailed? Do they routinely peek at e-mail? Are all the users aware that e-mail is not private? What springs to mind, regarding this is the issue of appropriate security. If you keep sensitive data on a machine/network which is accessible by students, then you're asking for trouble. There are students out there who are far more intelligent, experienced and creative than many system administrators. If students, using a machine, are made aware of the level of security which you expect of the machine and why this level has been chosen, then they will be more supportive in maintaining security. The primary objective is after all to protect _their_ work, not to create yet another ivory tower. I administer a public-access UNIX system with almost 200 registered users. Everybody is aware that it is _not_ secure, although every reasonable effort is taken to protect data. I have set the policy that I will only read the headers of mail messages, and only do so to determine appropriate actions. As far as I'm concerned, e-mail is private. Only under exceptional circumstances, and with the approval of the originator or designated recipient, do I ever look at the body of a message. -- Bernd Felsche, _--_|\ #include Metapro Systems, / sold \ Fax: +61 9 472 3337 328 Albany Highway, \_.--._/ Phone: +61 9 362 9355 Victoria Park, Western Australia v Email: bernie@metapro.DIALix.oz.au