Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!spool.mu.edu!munnari.oz.au!uniwa!DIALix!metapro!bernie
From: bernie@metapro.DIALix.oz.au (Bernd Felsche)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <1991Jun14.053131.753@metapro.DIALix.oz.au>
Date: 14 Jun 91 05:31:31 GMT
Article-I.D.: metapro.1991Jun14.053131.753
References: <1991Jun12.140419.28896@athena.cs.uga.edu> <1991Jun12.141657.29238@athena.cs.uga.edu> <15013@exodus.Eng.Sun.COM> <1991Jun13.042115.16845@athena.cs.uga.edu>
Organization: MetaPro Systems, Perth, Western Australia
Lines: 30

In <1991Jun13.042115.16845@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:

>Whoa there, everybody.
>(2) I stick to my guns. Running a password guesser is inappropriate
>behavior because it involves access to other people's confidential
>information. The encrypted password is world readable; the password
>itself is not; that's why it's encrypted!

Running a guesser is not breaking confidentiality. If I guessed that you had red hair, never having seen you, and found out that you did indeed have red hair, then I would not be breaking confidentiality, even if you do wear a hat all the time.

All I gain, upon verification, is that you have red hair, or don't. You can go and change the colour, that very day.

You are assuming an intent to break confidentiality, by somebody guessing passwords, yet they may be seeking to protect theirs, by ensuring that nobody else has guessable passwords. You are punishing them, for checking the level of security in their environment.

You allow students to run COPS. Do you _encourage_ them to do so?

Security only works if it is enforced at all levels.

--
Bernd Felsche,                 _--_|\   #include
Metapro Systems,              / sold \  Fax:   +61 9 472 3337
328 Albany Highway,           \_.--._/  Phone: +61 9 362 9355
Victoria Park, Western Australia   v    Email: bernie@metapro.DIALix.oz.au