Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!mips!apple!netcomsv!mrs
From: mrs@netcom.COM (Morgan Schweers)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <1991Jun15.085530.12420@netcom.COM>
Date: 15 Jun 91 08:55:30 GMT
References: <1991Jun12.141657.29238@athena.cs.uga.edu> <1991Jun12.211143.18803@murdoch.acc.Virginia.EDU> <1991Jun13.042534.16952@athena.cs.uga.edu>
Organization: McAfee Associates
Lines: 97

Some time ago mcovingt@athena.cs.uga.edu (Michael A. Covington) happily mumbled:
>In article <1991Jun12.211143.18803@murdoch.acc.Virginia.EDU> gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes:
>>In article <1991Jun12.141657.29238@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>>
>>>A few people here have been advocating the strange idea that UNIX users
>>>have a moral right to obtain each other's passwords using COPS. I have a few
>>>responses...
>>
>>I'd like to point out that this isn't my point at all; rather, I've
>>been trying to say that the illegal act here is breaking into a
>>system. Mr. Covington seems to have lost sight of this.
>
>  -- Or facilitating a break-in by others.
>

    True, however COPS is a TOOL, and does not signify a break-in. It
signifies a user concerned (whether for good or for evil is unknown)
about security on the system in question.

>>
>>I've also been saying that a responsible sysadmin should close obvious
>>holes.
>
>  -- I agree.
>
>  -- What YOU have lost sight of is that no computer will ever
>     be perfectly free of security holes.
>

    Very good, sir. However, if the system manager uses COPS and removes
the holes listed, then the cracker *AND* the user will not find anything.

>>Mister Covington seems to think this is a blame-the-victim
>>mentality.
>
>  -- Only when people take it to the extreme of saying that if
>     a system has holes, people shouldn't be punished for
>     exploiting those holes.
>     And this is a very common attitude.

    No one (as far as I can tell) is saying that. They are saying that
people should not be punished for DETERMINING that there are holes.

>
>  -- My point is extremely simple: honest people don't even TRY to
>     break into other people's accounts or obtain passwords without
>     authorization. Security holes or not!

    This is bull$#!t, excuse my language. I was a student at an East Coast
college, and I developed a small package to test the security of the
local VMS system. I did it because I wanted to learn how to use the
library functions, as well as to evaluate how strong the security under
VMS was.

    I handed the data I learned over to the system operators, and *THEY*
didn't know what to do with the information. I proceeded to go up the
chain of managers, until I managed to convince a Very Highly Placed
Personage that with one command I could crash VMS V4.0. I also convinced
them that the algorithm they were using to generate passwords was a
VERY VERY VERY bad idea, and proceeded to demonstrate IN FRONT OF THEM
that one could enter any one of 3000 accounts knowing *NOTHING* about
the student in question. I had confirmed my knowledge with a fellow
student, and *NOT* with anyone else's accounts before this.

    They quickly revamped security, and regened the entire set of
passwords with random passwords. Sadly, this didn't work out too well
either, but that's another story. In any case, they were grateful. I
learned a great deal from this, and the knowledge gained STILL has
application after I've long since migrated from VMS systems.

    Am I an honest person? Obviously I'll say yes. If you think that I'm
lying, then you would say no. I dispute your claim that no user who is
'honest' is interested in obtaining passwords without authorization, in
any case.

    I enjoy knowledge for knowledge's sake. If I can help someone out
through it, I do so. (I was called by a user once who had forgotten his
password.
I wasn't the official person to call, but I was a friend of his and the
campus was closed. (Yes, there *WERE* no system operators there at
night.) I cracked his password, and told him it. Was this honest?
Probably. Was this the 'right' thing to do? That's an ethical decision
that *I* made, and that *YOU* would have to make too.)

>-------------------------------------------------------
>Michael A. Covington | Artificial Intelligence Programs
>The University of Georgia | Athens, GA 30602 U.S.A.
>-------------------------------------------------------

                                                 --  Morgan Schweers
--
mrs@netcom.com   | Morgan Schweers   | Good code, good food, good sex.  Is
ms@gnu.ai.mit.edu| These messages    | anything else important? -- Freela
Kilroy Balore    | are not the       +--------------------------------------
Freela           | opinion of anyone.| I *AM* an AI.  I'm not real...