Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!bellcore!iscp.Bellcore.COM!jona
From: jona@iscp.Bellcore.COM (Jon Alperin)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID: <1991Jun18.182241.21895@bellcore.bellcore.com>
Date: 18 Jun 91 18:22:41 GMT
References: <20740@slice.ooc.uva.nl> <W2B-QAN@cs.widener.edu> <CKD.91Jun17152311@eff.org>
Sender: usenet@bellcore.bellcore.com (Poster of News)
Reply-To: jona@iscp.Bellcore.COM (Jon Alperin)
Organization: Bell Communications Research (Bellcore)
Lines: 27

Well...'how about the attitude....


If I run a system, then it is my responsibility to maintain security.
if you don't like the way I maintain it, then don't use my system,
or report your concerns to my boss (NOTE: THIS IS ONLY AN EXAMPLE,
NOT MY OPINION....).

I still believe that "logging in to a users account and sending them
mail from their own account" is not the proper way to inform someone of a
security hole. This is akin to removing all files on a system to show someone
that all files can be removed. Furtermore, if you are not the sysadmin
on that system, it is not your responsibility to insure that another
user has a good password. All you are responsible for is maintaining
your own password as being safe. How do you think the sysadmin is
going to react when a user tells him/her that "someone broke into my
account"? 

-- 
Jon Alperin
Bell Communications Research

---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona

* All opinions and stupid questions are my own *