Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!sdd.hp.com!think.com!mintaka!bloom-beacon!eru!kth.se!sunic!mcsun!hp4nl!ooc.uva.nl!ropg
From: ropg@ooc.uva.nl (Rop Gonggrijp)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID: <20790@slice.ooc.uva.nl>
Date: 16 Jun 91 18:07:25 GMT
References: <20740@slice.ooc.uva.nl>
Organization: Hack-Tic
Lines: 67

brendan@cs.widener.edu (Brendan Kehoe) writes:

>ropg@ooc.uva.nl wrote:
>>Yeah, hang the hackers and even the students that just play around,
>>hang all those ugly 12 year olds that just walk through our 'heavy'
>>security. Why not hang kids that ring your bell and then run away
>>(after all, they were trying to get access, and if you had a door
>>buzzer, you would maybe have opened the door for them).

> You just blew your credibility, Rop. Had you not taken this
>"screaming activist" stance, I'd probably read the rest of what you
>have to say with a lot less bias and till.

> And just as a note, a user mailing a password file out so someone
>else can hack on it is about as FAR from "playing around" as you can get.

I regularly try to hack systems (sometimes with the permission of the sysop) to see if the security is within reasonable limits. If my files are on a system, I feel I have a right to see if it is safe. If a friend of mine happens to have a very nice 486 at home that he can use to help me with this (by taking a few guesses at the /etc/passwd) I will mail him (or her) the password file. If I then find passwords, I will login as the found user and send him (or her) some email originating from their own account informing them of their bad password (you should see some of the passwords I found).

I see nothing wrong, immoral, or even criminal in my behaviour. Sure, if I was being well paid somewhere I would expect some criticism for spending so much time "playing around" while I could be making the boss a lot of money. I truly see no other harm.

>>> If anyone would do this and uses or distributes the passwords, and
>>>it would come out (as it usually does) all bets are off: the person
>>>in question will be suspended and/or denied all access to computers.
>>>YOU CAN GO TO JAIL even, nowadays, for such a stunt.
>>
>>Not in democracies.

> Do you think for a second that a large corporation wouldn't
>completely demolish anyone that gave away company trade secrets or the
>like, on the scale that giving away a system's passwd file is on?
>(which could surrender the entire network to attack)

Oh I bet. But that was not the point. We are (after all) still talking about a student that mailed the /etc/passwd of a Univ. system to somebody else. If the security of your system (or even the whole network) depends on hundreds (thousands?) of people keeping their mouth shut, it SUCKS.

>>And kids, if you want to get a modem, get a license for it first, or the
>>on-line police will come and raid your house for conspiracy to overthrow
>>the government. Do NOT (I repeat NOT) try to learn something from the
>>structure of UNIX, in fact, give up C and program in COBOL only!

> My, anything can be taken to an absurd extreme, can't it?

Go look at what happened last summer in the States. What we're experiencing here is system administrators telling horror stories to government agents that are too thickheaded to know a joke from a terrorist action. Anyway, UNIX was never built to be a secure system ;-)

> While I don't agree with the result of GA's actions (although I'm
>glad to see the guy was only suspended, and not full-fledged expelled),
>I have to back them up on their original premise---if one of my users
>mailed my passwd file out to anyone, I wouldn't just pat him/her on
>the hand and say that they'd been bad. I wouldn't drive them onto a
>cross either, though.

Well, that's very nice of you, but there are too many people out there with NO sense of humor and/or reality, and it's (sometimes) not funny.