Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!sei.cmu.edu!df
From: df@sei.cmu.edu (Dan Farmer)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <26888@as0c.sei.cmu.edu>
Date: 12 Jun 91 15:48:37 GMT
References: <1991Jun12.042513.20870@athena.cs.uga.edu> <1991Jun12.141657.29238@athena.cs.uga.edu>
Sender: netnews@sei.cmu.edu
Lines: 61

In article , mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:

> A few people here have been advocating the strange idea that UNIX users
> have a moral right to obtain each other's passwords using COPS. I have a few
> responses...

Out of curiosity, do you mind users running COPS at all, or do you think
it's too dangerous?

> (1) Why is this any different from obtaining passwords by other forms of
> snooping?

(then later, you say:)

> Come back to earth, folks. Obtaining other users' passwords is an obvious
> breach of security, regardless of how you do it.

There is a simple way of stopping a password cracker from working -- don't
let it see the password file (shadow passwords, for instance.) Plus, running
COPS on a system doesn't mean that you want to break into it; I run it on
every new system I get on -- it gives me at least some idea of what I'm up
against, and if I can feel at least a little safe with storing any
"interesting" information on the system. If a student decides to run it,
just to have some idea if their senior project is easily stolen or whatever,
then I'm all for it, personally. Of course it's up to the individual's site
policy, which might preclude this....

Snooping? Well, other forms of snooping. Like writing a trojan horse to grab
passwords? Like looking over someone's shoulder while they type a password?
Like packet snarfing to grab a password? These are all "active" attacks that
usually entail some kind of mischief or malice behind them, although even
with these it's not clear, depending on the situation. I wouldn't equate
these with running a password cracker, although depending on motive, the
distinction can be non-existent.

Finally, someone having a password does not mean that your system will be
broken into. Use proactive password checking, education, and other methods
to ensure that the passwords on your system are secure.

> (2) Are you saying "People with easy-to-guess passwords deserve to have their
> accounts broken into"? Blame the victim, of course, folks! Do you say
> the same thing about rape victims?

Getting the password is not the same as breaking into the account. In
addition, as was said in another post (muffy@remarque.berkeley.edu), there
is no defense against rape (short of killing yourself.) There certainly is a
defense against having your account broken into because you had a poor
password. Like changing it.

> (3) Do users of our computer have a basic civil right to run any software
> they want to? Like maybe a program that writes to the disk until the disk
> is full, deliberately crashing the machine? Or does the administration have
> some right to control what the computer is used for?

How do you propose to stop people from running such software? Are you saying
that running COPS should be against policy? It does nothing very special,
just looks at the system involved; it certainly doesn't break anything, it
doesn't write to anyone else's files, or misuse the information. It's a tool
that attempts to show you what's going on on your system -- security through
obscurity does not work; and COPS merely tries to part the veil.

-- dan
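The two defenses Farmer names in the post, keeping password hashes out of the world-readable password file (shadow passwords) and proactive password checking, as an added example. This is not code from the original post and not COPS itself; the function names (`classify_passwd`, `exposed_accounts`, `password_problems`), the sample `/etc/passwd` lines and the tiny wordlist are all constructed here for illustration, and a real deployment would use a full dictionary and the site's own policy thresholds.

```python
"""
Added example (not COPS, not from the original post).

Two defender-side checks:
  1. classify_passwd / exposed_accounts: report which accounts in a
     passwd-format file still carry a hash (or no password at all) in the
     world-readable file instead of being shadowed, i.e. what a cracker
     reading that file would get.
  2. password_problems: a proactive check that refuses weak passwords
     before they are set, so a leaked hash is less useful.
All data below is constructed sample input.
"""

# Constructed sample passwd lines: root/alice shadowed ("x"), bob's hash
# exposed in the file, guest with an empty password, daemon locked ("*").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Bob:/home/bob:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
"""

# Stand-in for a real dictionary (constructed, deliberately tiny).
SAMPLE_WORDLIST = {"password", "secret", "welcome", "letmein", "summer"}


def classify_passwd(passwd_text):
    """Map each username to 'shadowed', 'locked', 'empty', 'hash_exposed'
    or 'malformed' (malformed lines are keyed by line number)."""
    result = {}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd(5) lines have exactly 7 fields
            result[f"line{lineno}"] = "malformed"
            continue
        user, pw = fields[0], fields[1]
        if pw == "x":
            status = "shadowed"       # hash lives in /etc/shadow, not here
        elif pw == "":
            status = "empty"          # no password at all
        elif pw.startswith(("*", "!")):
            status = "locked"         # cannot be logged into with a password
        else:
            status = "hash_exposed"   # anyone who can read the file has the hash
        result[user] = status
    return result


def exposed_accounts(passwd_text):
    """Accounts a cracker could attack from the passwd file alone."""
    return sorted(u for u, s in classify_passwd(passwd_text).items()
                  if s in ("hash_exposed", "empty"))


def password_problems(username, password, wordlist, min_len=8):
    """Proactive check: return the reasons a candidate password is refused
    (empty list means acceptable)."""
    problems = []
    low = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low == username.lower() or low == username.lower()[::-1]:
        problems.append("derived from the username")
    # Catch "summer2024"-style choices: dictionary word plus trailing digits.
    stripped = low.rstrip("0123456789")
    if low in wordlist or stripped in wordlist:
        problems.append("dictionary word (possibly with digits appended)")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def is_acceptable_password(username, password, wordlist=SAMPLE_WORDLIST):
    return not password_problems(username, password, wordlist)


if __name__ == "__main__":
    for user, status in classify_passwd(SAMPLE_PASSWD).items():
        print(f"{user:10s} {status}")
    print("exposed:", exposed_accounts(SAMPLE_PASSWD))
    for u, p in [("bob", "bob"), ("alice", "Summer2024"), ("alice", "Tr0ub4dor&3")]:
        print(u, p, password_problems(u, p, SAMPLE_WORDLIST) or "ok")
```

The first check is the kind of thing a tool like COPS reports: on the constructed input it flags `bob` (hash readable by every local user) and `guest` (no password), while `root`, `alice` and `daemon` pass. The second check enforces policy at password-setting time, which is what makes a leaked hash much less valuable than the post's critics assume.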