Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!sei.cmu.edu!df
From: df@sei.cmu.edu (Dan Farmer)
Newsgroups: comp.org.eff.talk
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID: <26882@as0c.sei.cmu.edu>
Date: 12 Jun 91 14:59:24 GMT
References: <31124@hydra.gatech.EDU> <1991Jun11.221521.14402@athena.cs.uga.edu> <1991Jun12.122421.15562@ms.uky.edu>
Sender: netnews@sei.cmu.edu
Lines: 50

Lots of stuff by different people, so I'm just mashing three articles
together instead of posting three times (hope I got all the names with
their posting straight...):

> In article ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes:
> I didn't know that doing things with an /etc/passwd
> would be considered unauthorized use.
>
> the file is readable by the world after all.
> The uga student was not the one who broke in.

The file is world readable to anyone *who has an account on the
system*. As I understand it, the person shipped it offsite -- and
people off the system *do not* normally have access to the file. This
was the problem. If there was some guest account, or something, that
the system crackers could use, and then the student gave them the
password, that's another question. But the password file is the
traditional "first wall" of defence on a Unix system.

>> In article mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>>>What if a student runs cops on /etc/passwd... would this
>>>be considered intent to break into a system and could he thus
>>>be suspended?
>>
>>Yes. Obtaining other users' passwords without proper authorization
>>is forbidden. Even if you do it by using a standard software tool
>>rather than by breaking into their desks.

Hmm. Perhaps this is a local policy. It appears that you are talking
about cracking passwords -- what about the rest of the information cops
gives? What if you have accounts without passwords? Can people even
*look* at the file?

Why not go to shadow passwords -- wouldn't this solve all of this?
Seems it's a lot easier to remove the temptation and risk, than to
hammer some student who does this.

In article , sean@ms.uky.edu (Sean Casey) writes:
> |Yes. Obtaining other users' passwords without proper authorization
> |is forbidden. Even if you do it by using a standard software tool
> |rather than by breaking into their desks.
> Ah so COPS is now burglary tools. Interesting...

Hurm. Hope not. I'm not really thrilled with the idea of being a
supplier. Comes with the territory, I guess, though. Unfortunately, it
seems that with most breakins that I deal with, when I ask them if
they've run cops, then they say "oh, no, but we're running it now..."
A little late, folks.

Just my not-so-humble opinion, of course.

-- dan