Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!Firewall!uunet!mcsun!ukc!dcl-cs!aber-cs!athene!pcg
From: pcg@aber.ac.uk (Piercarlo Grandi)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID:
Date: 14 Jun 91 17:24:40 GMT
Sender: pcg@aber-cs.UUCP
Organization: Coleg Prifysgol Cymru
Lines: 96
In-reply-to: crissl@rulcvx.LeidenUniv.nl's message of 12 Jun 91 11:26:33 GMT

On 12 Jun 91 11:26:33 GMT, crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) said:

crissl> In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU
crissl> (Michael G. Goldsman) writes:

ccastmg> What this student did was mail a copy of /etc/passwd from
ccastmg> athena.cs.uga.edu to a "hacker" who had already penetrated
ccastmg> another system, and who wanted to use a password-guessing
ccastmg> program to break into athena. The student was fully aware that
ccastmg> he was assisting in a break-in.

The latter point is essential, I guess, if proven.

ccastmg> I didn't know that doing things with an /etc/passwd would be
ccastmg> considered unauthorized use.
ccastmg> the file is readable by the world after all.

ccastmg> The uga student was not the one who broke in.

This is immaterial. Waiting for somebody with your engine running is not
in itself a crime, unless they are bank robbers on a getaway and you
know it.

crissl> Then you're the most naive person I've ever encountered.

No. The point is: what the student did was not improper. There was a
file readable to all. He took a copy of it, and gave it to somebody
else. Had he done so with /etc/motd, would that have been a breach of
security? Clearly not.

So this guy was suspended for having done something that was thoroughly
harmless. Actually I think that he could get into trouble for aiding and
abetting a penetrator, not for the mere act of giving somebody else a
copy of a publicly readable file.
Unless it is proven beyond reasonable doubt that the purpose of giving
away this file was to aid and abet the perpetrator. The giving away of
the contents of /etc/passwd is not *in itself* anything objectionable,
and everything else has to be *proven*.

crissl> Read the following carefully:
crissl> [ ... /etc/passwd can be searched for obvious password ... ]
crissl> /etc/passwd is a security risk, that has not been plugged, yet.

This is only true for system administrators that are not that careful
about security. There are at least two freely available /etc/shadow
implementations. Kerberos is freely available too. If your /etc/passwd
does contain the encryptions of actual passwords, you have *chosen* to
do so, or you are very much behind the times, and you should not be a
sysadmin.

ccastmg> I have some serious problems with UGA suspending him. I am a
ccastmg> little too "exam-week-weary" to articulate my feelings well,
ccastmg> but I thought that you guys should know about this.

crissl> I could have sympathised with them hanging him from the highest
crissl> tree ;-) or something like that. Giving /etc/passwd to anyone,
crissl> including yourself, is in Unix terms the most heinous crime anyone
crissl> can commit, because you (can) compromise the whole system.

No, the most heinous security crime one can commit is employing a
sysadmin that instead of knowing his system and how to fix obvious
problems, yells and screams and creates ex-post rules to cover his
inadequacy.

ccastmg> What if a student runs cops on /etc/passwd... would this
ccastmg> be considered intent to break into a system and could he thus
ccastmg> be suspended?

Only if there are a-priori fascistic rules that say *explicitly* that
this is presumed to be, without need of proof, intent to commit a crime.

crissl> It could be, yes, because cops could be used to find passwords.

NO. You have to *prove* that intent. It cannot be *presumed* in the
absence of suitably fascistic legislation.
And the "crime" would be intent to break, not running cops.

crissl> However, you could write your own program that would do this.
crissl> If anyone would do this and uses or distributes the passwords,
crissl> and it would come out (as it usually does) all bets are off: the
crissl> person in question will be suspended and/or denied all access to
crissl> computers. YOU CAN GO TO JAIL even, nowadays, for such a stunt.

I would send to jail inadequate, opportunistic sysadmins. These cause a
lot more damage than a few hackers. I have seen in some other country
sysadmins that were unable to run a large mainframe with more than a
dozen users, when it could support hundreds. These people were wasting
millions of dollars of University money, and the damage was much greater
than that which could have been done by a determined hacker.

It's not always true, but the shrillest screams about "hackers" often
come from the sysadmins that know they are inadequate.

--
Piercarlo Grandi                   | ARPA: pcg%uk.ac.aber@nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcsun!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg@aber.ac.uk
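
Added example, not part of the original post: the post's remark that an /etc/passwd holding actual password encryptions is the administrator's choice can be checked mechanically. This Python audit classifies the second field of each passwd-format line; the sample entries and hash strings are constructed placeholders, and the category names are this example's own.

```python
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")    # traditional crypt(3): 2 salt + 11 hash chars
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z-]+\$.+")  # modular crypt format: $id$...


def classify_field(pw):
    """Return a category for the second (password) field of a passwd entry."""
    if pw == "":
        return "empty"         # account needs no password at all
    if pw == "x":
        return "shadowed"      # hash is kept in /etc/shadow, not world-readable
    if pw.strip("*!") == "":
        return "locked"        # only lock markers, no hash present
    candidate = pw.lstrip("!")  # a "!" prefix locks the login but still exposes the hash
    if DES_CRYPT.match(candidate) or MODULAR_CRYPT.match(candidate):
        return "inline-hash"   # world-readable hash, open to offline guessing
    return "unknown"


def audit_passwd(text):
    """Return (lineno, user, category) for entries that are neither shadowed nor locked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed"))
            continue
        category = classify_field(fields[1])
        if category not in ("shadowed", "locked"):
            findings.append((lineno, fields[0], category))
    return findings


# Constructed sample; the hash strings are made-up placeholders, not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:XXplaceholder:1001:100:Alice:/home/alice:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/sh
carol:$6$constructed$placeholderhash:1003:100:Carol:/home/carol:/bin/sh
broken:x:1004
"""

if __name__ == "__main__":
    for lineno, user, category in audit_passwd(SAMPLE):
        print(f"line {lineno}: {user}: {category}")
```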