Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!mips!news.cs.indiana.edu!ux1.cso.uiuc.edu!gardner
From: gardner@ux1.cso.uiuc.edu (Mike Gardner)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID: <1991Jun18.202732.10974@ux1.cso.uiuc.edu>
Date: 18 Jun 91 20:27:32 GMT
References: <20740@slice.ooc.uva.nl> <20790@slice.ooc.uva.nl> <1991Jun18.033333.27450@aplcen.apl.jhu.edu> <1991Jun18.174430.12050@dsd.es.com>
Organization: University of Illinois at Urbana
Lines: 41

Try a different analogy. You live in an apartment building with common areas that are secured from the general public. You have a right to be in those common areas and to know that security is being enforced on all entrances to those areas from the outside. Your apartment and others in the complex, however, are private.

In a multi-user computer system you have much the same type of arrangement. There are common areas that you can both look into and make use of. Each person also has private spaces. Certainly you have valid concerns as to the security of the common areas and of the complex as a whole. The question is that while you are checking the security of the commons, do you tread on the private areas of the tenants and/or of the people responsible for the system (apartment complex)?

If in the normal course of using the system I am allowed to access certain directories/files, then to say I should not be able to look at the same directories/files for the purpose of evaluating the security of the system is ludicrous. I suspect that much of the reaction against this sort of thing comes from sysadmins who are confusing the system commons with their private space on the system. If I don't belong looking at things, then they don't belong where I can look at them.

There is a difference here, however, when your looking adversely affects the security of the system.
If you take information outside of the system where others can get at it, you are compromising system security. You can't tell someone details about system security, pass around the password file, etc.

Checking to see if the outside doors are really locked is pretty innocuous (unless you set off the alarm in the process). Looking at file permissions causes no harm to the system. Attempting to hack another's password does. Looking for stupid passwords falls somewhere in between, because cracking the password in itself does no harm, but there you sit with the key to someone's space. You then are a security risk. If your program could just say "I found another stupid password" it would be safer. This is the analogy of trying other people's doors to see if they are locked. It's a pretty dangerous thing to do.

Just ask your sysadmin, you say? They are human too. Some might rather lie than tell you that they don't know their job.

mgg

University of Illinois, Computing Services Office
Michael G. Gardner, Assistant Director, 1122 DCL
1304 W Springfield, Urbana, IL 61801
(217)244-0914 FAX (217)244-7089
gardner@ux1.cso.uiuc.edu