Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!ra!Ra.MsState.Edu!fwp1
From: fwp1@CC.MsState.Edu (Frank Peters)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID:
Date: 21 Jun 91 03:49:45 GMT
References: <20740@slice.ooc.uva.nl> <20790@slice.ooc.uva.nl> <1991Jun17.110742.25947@bellcore.bellcore.com>
Sender: usenet@ra.MsState.Edu
Organization: Computing Center, Mississippi State University
Lines: 67
Nntp-Posting-Host: jester.cc.msstate.edu
In-reply-to: jbw@maverick.uswest.com's message of 21 Jun 91 03:21:01 GMT

On 21 Jun 91 03:21:01 GMT, jbw@maverick.uswest.com (Joe Wells) said:

> If both efforts fail then he should take the issue of security up with the
> administrator's superior. If all of these efforts fail then your post might
> have relevance.

> Two possibilities here:

> 1) Mr. Foo goes to the sysadmin's superior without a COPS report in hand.
>    The sysadmin's superior laughs at Mr. Foo because he/she has full
>    confidence that the sysadmin has taken security well in hand.

> 2) Mr. Foo goes to the sysadmin's superior and demonstrates that there are
>    serious security problems by displaying the COPS report. Mr. Foo is
>    then immediately kicked off the system as a "security threat".

> Unfortunately, your suggestion doesn't work.

Well, if nobody in the chain of responsibility is willing to discuss the
issue rationally with you then you really don't have any choice but to
accept the situation or find another system. Anything you do in this
direction becomes pointless in the face of an administration that won't be
reasonable.

Any useful security effort requires the cooperation and tolerance of the
administrator (or his boss...or her boss...or SOMEBODY in the chain). And
my comments were intended to encourage that cooperation where it can
reasonably be achieved. If the cooperation of administration cannot be
achieved then ANY ideas are useless.

> In my experience, most administrators don't mind security conscious users.
> What they generally do mind is finding users who are 'evaluating' the system's
> security without prior consultation.

> You mean they mind users embarrassing them by showing that they aren't
> doing their job?

How on earth did you reach that interpretation?? What they mind (the
reasonable ones...the only ones worth discussing) is finding people poking
at their security without any way of knowing whether they are innocently
testing or cracking.

No sane system administrator is convinced of the security of his or her
system no matter how much time s/he spends on it. There is always the
possibility of that one missed hole. So any sane administrator MUST be
concerned about all unauthorized prodding of the system's security.

So the only really rational choices are:

1. Accept that the administrator knows how to manage security.

2. Get permission to poke at security. Go through as many levels as
   necessary to do so.

3. Poke at security and accept the consequences if caught.

4. Use the system but don't trust its security (don't put critical
   files on the system and so on).

5. Abandon the system and find computing resources elsewhere.

I really cannot see any meaningful alternatives outside of these. And
insulting administrators or users isn't going to create any.

Frank