Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!ncar!csn!cherokee!newsat!jbw
From: jbw@maverick.uswest.com (Joe Wells)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID:
Date: 21 Jun 91 03:32:16 GMT
References: <20740@slice.ooc.uva.nl> <20790@slice.ooc.uva.nl> <1991Jun17.110742.25947@bellcore.bellcore.com>
Sender: news@cherokee.uswest.com (Telegraph Row)
Organization: /home/zeb1/jbw/.organization
Lines: 69
In-Reply-To: scs@iti.org's message of 18 Jun 91 14:29:44 GMT
Nntp-Posting-Host: maverick.uswest.com

In article scs@iti.org (Steve Simmons) writes:

> ckd@eff.org (Christopher Davis) writes:
>
> >Mr. Edward Foo has an account on vax99.big-u.edu. He keeps some things
> >there, that (while not horrendous top secret information) he'd rather
> >keep out of the way of J. Random Luser.
> >
> >He runs COPS on the system (say, without the PW guesser, because that
> >takes too damned long). He finds that /var/spool is world-writable. He
> >reports this to the sysadmins, who fix it (hopefully ;-).
> >
> >Has he done anything wrong? If he did it here, I'd be glad to hear it
> >so I could fix it (though I run COPS, too...).
>
> Yes, he has done something wrong. Analogy is always suspect, but this
> situation is awfully like wondering about your apartment house
> security -- and checking it out by trying to open all the doors and
> windows in the building.

A much better analogy is using a telescope to do the inspection.

> "I was just trying to see if they were locked" might well be true, and
> you might have been careful not to actually enter the apartments, but
> nonetheless you've done something wrong.

In the Unix world, there is the equivalent of a big sign on each file
that either says "You have permission to access me" or "You do not have
permission to access me". The sign is posted in full view for all to
read. Mr. Foo has done the equivalent of reading this sign.

> You've caused the manager (sysop) to worry and expend effort
> unnecessarily.
Indeed, the sysadmin unnecessarily expended effort in disabling Mr.
Foo's account. Unfortunately, the sysadmin did not expend the
*necessary* effort to close the holes revealed by the COPS report.

> A far better method is to approach the sysop, tell him your concerns,
> and state what you'd like to do. He might surprise you in a number of
> ways, by telling you:
>
> o it's already done on a regular basis

It was; the output was routinely ignored.

> o he'd be pleased for the help if you did it

He/she wouldn't. He/she doesn't like users showing him/her up.

> o it's site policy *not* to do it

It was not a violation of site policy. Here's the most relevant
excerpt:

    You are also encouraged to report any information relating to a
    flaw in, or bypass of, computer facilities security.

> Deciding on your own to "test" the security of anything without the
> co-operation of those responsible is an inherently suspicious act and
                        ^^^^^^^^^^^
Or unresponsible?

> will forever make you a suspect should someone actually break in.

Which wouldn't be a problem if there was any real due process involved.

--
Joe Wells
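The point of the "sign on each file" argument is that a COPS-style world-writable check only reads inode metadata, never the contents. The following is an added illustration, not code from the thread or from COPS itself; it builds a constructed directory tree under a temp dir (standing in for /var/spool) and reports directories writable by "other" that lack the sticky bit, the same class of finding the thread discusses.

```python
import os
import stat
import tempfile


def is_world_writable(mode):
    """True when the mode bits grant write to 'other' and the sticky bit is
    absent. A sticky world-writable directory (like /tmp) is the usual
    exception a COPS-style check tolerates."""
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)


def world_writable_dirs(root):
    """Walk root and return the relative paths of offending directories.
    Only os.lstat() is called, i.e. the permission 'sign' is read; nothing
    inside any directory is opened or modified."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        if is_world_writable(os.lstat(dirpath).st_mode):
            findings.append(os.path.relpath(dirpath, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout (hypothetical, not a real spool area)."""
    root = tempfile.mkdtemp(prefix="cops-demo-")
    layout = {
        "spool": 0o777,       # world-writable, no sticky bit: the thread's finding
        "spool/mail": 0o755,  # sane
        "tmp": 0o1777,        # world-writable but sticky: tolerated
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in world_writable_dirs(sample):
        print("Warning! %s is _World_ writable!" % hit)
```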