Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!romp!auschs!awdprime!testsys.austin.ibm.com!mbrown
From: mbrown@testsys.austin.ibm.com (Mark Brown)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <8509@awdprime.UUCP>
Date: 15 Jun 91 16:23:01 GMT
References: <1991Jun15.085530.12420@netcom.COM> <1991Jun12.141657.29238@athena.cs.uga.edu> <1991Jun12.211143.18803@murdoch.acc.Virginia.EDU> <1991Jun13.042534.16952@athena.cs.uga.edu>
Sender: news@awdprime.UUCP
Reply-To: mbrown@testsys.austin.ibm.com (Mark Brown)
Organization: IBM Austin, TX
Lines: 47

Several Different people write Many Things:
| >>I'd like to point out that this isn't my point at all; rather, I've
| >>been trying to say that the illegal act here is breaking into a
| >>system. Mr. Covington seems to have lost sight of this.
| >
| >  -- Or facilitating a break-in by others.
| >
|     True, however COPS is a TOOL, and does not signify a break-in.  It
| signifies a user concerned (whether for good or for evil is unknown)
| about security on the system in question.

Yup. Thus, if I find out someone's using COPS on my system, I'm sure as hell
going to be concerned. 'cause I don't knwo the intent.

|     Very good, sir.  However, if the system manager uses COPS and removes
| the holes listed, then the cracker *AND* the user will not find anything.

If there are holes, though, exploiting them still isn't something I'm going
to condone or allow. If the intent is to harm or even to *explore*, I'm 
going to shut them down *hard*. "explore?" you say? 

Yes. Information is valuable.

|      No one (as far as I can tell) is saying that.  They are saying
| that people should not be punished for DETERMINING that there are
| holes.

Ah. Here's where intent (and determining intent) come in.
If *I* were the admin for a large system with 100s of users I didn't know
very well (any major university) *I'd* be viewing "probing for security
holes" with hostility, too.

I'm not about to waste my time trying to determine "truth of intent" for all
these students. I'm going to prohibit that behavior unles permission is 
granted in *advance*.

You are free to "test" my system all you want, provided I know what/why you
are doing it. If I don't know, I *have* to assume hostile intent to protect
my other users.

If you view this as "persecution", get your own system, or find out what
it's like to be responsible for one.

DISCLAIMER: My views may be, and often are, independent of IBM official policy.
Mark Brown       IBM PSP Austin, TX. |     Crazed Philosophy Student
(512) 823-3741   VNET: MBROWN@AUSVMQ |   Kills 15 In Existential Rage!
MAIL: mbrown@testsys.austin.ibm.com  |                      --tabloid headline