Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!seismo!dimacs.rutgers.edu!aramis.rutgers.edu!paul.rutgers.edu!njin!birchall From: birchall@pilot.njin.net (Official Random) Newsgroups: comp.admin.policy Subject: Re: SUSPEND SYSOPS, NOT STUDENTS Summary: A question... Message-ID: Date: 13 Jun 91 16:24:58 GMT References: <20740@slice.ooc.uva.nl> <1991Jun13.114433.22530@rulway.LeidenUniv.nl> Organization: New Jersey Intercampus Network Lines: 28 While we're all ranting about how illegal it is to use or distribute cracked passwords..... Did this student distribute a cracked password? I thought s/he merely gave out the site's /etc/passwd file. There _is_ a difference. From first glance at an /etc/passwd file, anyone who's used Unix for more than a week can tell if other users don't HAVE passwords... but that's not cracking. That's just saying, "Gee, those fools don't have the intelligence to set passwords." There's no law against making your /etc/passwd file available to half the world, or we'd have to lock up all the admins who haven't got the sense to make it non-readable to anonymous FTP users. (yes, kids, you can FTP /etc/passwd files from a lot of places.) So, if the guy broke the passwords and gave them out, lynch him. But if all he did was a grep :: /etc/passwd, he's only demonstrating that he has a few more points of IQ than the other users , and, as insulting as it might be to you or me as an admin, we can't really do anything to him, since, after all, he did find security holes, which is good. And, if all he did was send out the /etc/passwd file to someone, unbroken, that isn't by any means criminal, and, unless you've got it non-readable by FTP, you are as much at fault as he is..... -shag -- ------------------- Shag is. Nuff said. -------------------