Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!comp.vuw.ac.nz!waikato.ac.nz!aukuni.ac.nz!russell
From: russell@ccu1.aukuni.ac.nz (Russell J Fulton;ccc032u)
Newsgroups: comp.admin.policy
Subject: Re: System admins looking for scapegoats
Message-ID: <1991Jun13.211951.4325@ccu1.aukuni.ac.nz>
Date: 13 Jun 91 21:19:51 GMT
References: <20740@slice.ooc.uva.nl> <3689@charon.cwi.nl>
Organization: University of Auckland, New Zealand.
Lines: 38

jack@cwi.nl (Jack Jansen) writes:
>The thing that really bothers me in the discussion about suspending
>students that give away password files and the like is the
>shoot-the-messenger mentality that a lot of sys admins seem to have.
>This surfaced before in the Morris case, by the way, and is again very
>obvious in numerous articles on this case.
>True, students who mail out password files or write internet worms
>should receive some punishment, but the main part of the blame lies
>with the administrators. If I leave my bike unlocked and you nick it
>you are guilty, but so am I.

It is not the sysadmin who is at fault here but the vendor who supplied
the UNIX system. Many (maybe most?) UNIX systems still store the
encrypted passwords in the /etc/passwd file, regardless of the fact that
with today's powerful processors and fast crypt functions this is a
well-known problem, with an equally well-known solution (shadow password
file). From the sysadmin's point of view, s/he is stuck with trying to
maintain an inherently insecure system.

So you have to formulate a set of guidelines for your users to observe.
These *should* be widely circulated. What we do is print them on the back
of the user registration form. (By signing the form the user explicitly
agrees to abide by the guidelines.) And you have to be prepared to
enforce it.

I also take issue with your analogy of the bicycle. The student is part
of the University community. A better analogy is a child who steals from
his/her parents (or in this case deliberately leaves a window open for a
burglar).

One thing that sysadmins can and should do is put pressure on vendors of
UNIX systems to implement known fixes to known problems.

Russell.
--
Russell Fulton, Computer Center, University of Auckland, New Zealand.
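An audit for the condition the post describes, as an added example that is not part of the original article: it parses passwd-format records and flags any account whose second field carries a real hash (exposed in a world-readable file) or is empty, the two cases a shadow password file is meant to close. The sample records and the hash values in them are constructed for illustration.

```python
"""Audit passwd-format records for hashes that belong in a shadow file."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records: not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:aB3dEfGhIjKlM:1002:1002:Bob:/home/bob:/bin/csh
carol::1003:1003:Carol:/home/carol:/bin/sh
dave:!:1004:1004:Dave:/home/dave:/bin/sh
erin:$6$saltsalt$somehashvalue:1005:1005:Erin:/home/erin:/bin/sh
"""

# Password-field values that mean "no hash stored here": the hash lives in
# the shadow file ("x") or the account is locked/has no password set.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "*LK*", "*NP*"}

# Traditional DES crypt(3): 2-char salt + 11 chars, all from this alphabet.
DES_CRYPT = re.compile(r"^[A-Za-z0-9./]{13}$")

@dataclass
class Finding:
    user: str
    kind: str      # "hash_exposed" or "empty_password"

def hash_format(pw: str) -> str:
    """Classify a hash found in the password field."""
    if pw.startswith("$"):
        return "modular-crypt"      # $id$salt$hash, e.g. $1$, $5$, $6$
    if DES_CRYPT.match(pw):
        return "des-crypt"          # the fast crypt() the post refers to
    return "unknown"

def audit_passwd(text: str) -> List[Finding]:
    """Return one finding per account whose password field is unsafe."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(user, "empty_password"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append(Finding(user, "hash_exposed"))
    return findings
```

Run against a live system as `audit_passwd(open("/etc/passwd").read())`; any `hash_exposed` finding means the hash is readable by every local user and can be attacked offline, which is exactly the problem a shadow file removes.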