Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!ox.com!hela!wotan.iti.org!scs
From: scs@iti.org (Steve Simmons)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID:
Date: 18 Jun 91 14:29:44 GMT
References: <20740@slice.ooc.uva.nl> <20790@slice.ooc.uva.nl> <1991Jun17.110742.25947@bellcore.bellcore.com>
Sender: usenet@iti.org (Hela News Manager)
Organization: Industrial Technology Institute
Lines: 41
Nntp-Posting-Host: wotan.iti.org

ckd@eff.org (Christopher Davis) writes:

>Who said anything about breaking in? Let's take a hypothetical case
>(NOT the Georgia case).

>Mr. Edward Foo has an account on vax99.big-u.edu. He keeps some things
>there, that (while not horrendous top secret information) he'd rather
>keep out of the way of J. Random Luser.

>He runs COPS on the system (say, without the PW guesser, because that
>takes too damned long). He finds that /var/spool is world-writable. He
>reports this to the sysadmins, who fix it (hopefully ;-).

>Has he done anything wrong? If he did it here, I'd be glad to hear it
>so I could fix it (though I run COPS, too...).

Yes, he has done something wrong. Analogy is always suspect, but this
situation is awfully like wondering about your apartment house security
-- and checking it out by trying to open all the doors and windows in
the building. "I was just trying to see if they were locked" might well
be true, and you might have been careful not to actually enter the
apartments, but nonetheless you've done something wrong. You've caused
the manager (sysop) to worry and expend effort unnecessarily. You may
have also done similar to the other residents (users).

A far better method is to approach the sysop, tell him your concerns,
and state what you'd like to do. He might surprise you in a number of
ways, by telling you:

 o it's already done on a regular basis
 o he'd be pleased for the help if you did it
 o it's site policy *not* to do it

Deciding on your own to "test" the security of anything without the
co-operation of those responsible is an inherently suspicious act and
will forever make you a suspect should someone actually break in. It's
just a bad idea.
-- 
"If we don't provide support to our users someone is bound to confuse
us with Microsoft." -- Charles "Chip" Yamasaki