Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!caen!news.cs.indiana.edu!news.nd.edu!mentor.cc.purdue.edu!woodcock
From: woodcock@mentor.cc.purdue.edu (Bruce Sterling Woodcock)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <13483@mentor.cc.purdue.edu>
Date: 12 Jun 91 23:30:42 GMT
References: <1991Jun12.140419.28896@athena.cs.uga.edu> <1991Jun12.141657.29238@athena.cs.uga.edu> <15013@exodus.Eng.Sun.COM>
Organization: Purdue University Computing Center
Lines: 55

In article <15013@exodus.Eng.Sun.COM> db@argon.Eng.Sun.COM (David Brownell) writes:
>In article <1991Jun12.141657.29238@athena.cs.uga.edu>
>  mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>
>> A few people here have been advocating the strange idea that UNIX users
>> have a moral right to obtain each other's passwords using COPS.
>
>[various deleted]
>
>Also, it strikes me as counterproductive to claim (one side of the
>mouth) that your computer is secure, and also (other side of mouth)
>that your user community should not be able to evaluate those claims
>for itself.  "Trust me, I'm from the government."  No thanks.
>
>- Dave

I just thought I'd throw in my thoughts on this.  Being very security
conscious lately, especially after the incidents from the FSF machines,
I've begun running cops almost immediately after I get a new account
someplace.  I want to know just *how* much I can trust the machine, and
whether or not there are any really major holes that I think the staff
there should be warned about.

Recently, I got my FSF account reinstated, and so what was one of the
first things I did?  I ran cops.  About halfway through the process I
received a talk request from one official, asking why I was running it.
I assured them I was not a cracker and simply wanted to ensure how
secure the systems were now... he told me (politely) that security was
something that was their concern, not mine, and that they were also
wary of users who felt they had some sort of obligation to enforce
security on other users, do the staff members a favor (as well as their
job).

At this point, I had a choice.  And while I still feel I had every
right to determine the security of that system for myself (without
exploiting any breaches, mind you, simply just looking for them), I also
realized that they were understandably very paranoid and cautious about
the whole thing and that I was simply a guest on their system.  So I
killed the process, and deleted the long report (without even reading
it) and even removed all the programs.

I also received email about a half-hour later from another admin there,
noting that I had called crypt a suspiciously high number of times and
that he hoped I wasn't a cracker.  I referred him to the talk I had
before and he replied understandingly, noting that security was
something they still couldn't guarantee very well.

So naturally I don't trust their own evaluation, especially when it is
by their own admission not good.  So I simply don't trust what I keep
there to any great extent.

Bruce

--
| woodcock@mentor.cc.purdue.edu       | "If I can sell explosives to IH, then  |
| sirbruce@gnu.ai.mit.edu             |  there's no reason you can't sell me a |
| sterling@maxwell.physics.purdue.edu |  box of condoms." - Jasper, in RL      |
| Bruce@Asylum/CaveMUCK/FurryMUCK     | "I can't believe I'm doing this." - me |