Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!elroy.jpl.nasa.gov!usc!isi.edu!woolf
From: woolf@isi.edu (Suzanne Woolf)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <18278@venera.isi.edu>
Date: 18 Jun 91 02:57:08 GMT
References: <1991Jun12.055211.24457@murdoch.acc.Virginia.EDU> <1991Jun12.140419.28896@athena.cs.uga.edu> <1991Jun12.141657.29238@athena.cs.uga.edu> <1991Jun12.211143.18803@murdoch.acc.Virginia.EDU>
Reply-To: woolf@venera.isi.edu (Suzanne Woolf)
Organization: Information Sciences Institute, Univ. of So. California
Lines: 52

In article <1991Jun12.211143.18803@murdoch.acc.Virginia.EDU> gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes:
>In article <1991Jun12.141657.29238@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>
>>A few people here have been advocating the strange idea that UNIX users
>>have a moral right to obtain each other's passwords using COPS. I have a few
>>responses...
>
>I'd like to point out that this isn't my point at all; rather, I've
>been trying to say that the illegal act here is breaking into a
>system. Mr. Covington seems to have lost sight of this.
>
>I've also been saying that a responsible sysadmin should close obvious
>holes. Mister Covington seems to think this is a blame-the-victim
>mentality. I think it's good professional practice. Sysadmins should
>expect that users need to be educated about proper security
>procedures; any sysadmin that doesn't should be fired no matter
>whether a break-in is detected or not.
This discussion of the responsibility of sysadmins for system security does bring up something I was wondering about:

An acquaintance who recently served on a jury in a personal injury case tells me that the jury was instructed that, as a matter of law (this was in California, for any serious legal scholars out there), you cannot hold someone negligent for not foreseeing that someone else would commit an illegal act. In the particular case, the jury agreed that a motorcyclist hadn't done everything possible to avoid an accident (although he *had* done everything reasonable and prudent) but that he had no contributory negligence because the motorist who'd hit him had made an illegal U-turn to do it.

Does this principle extend to system administrators and/or users? Should it?? Since breaking into other people's computers is already an illegal act, should the users of a system be able to hold administrators legally responsible for damage due to not preventing a break-in? Or maybe system administrators, as professionals with specific responsibilities, can commit malpractice?!

Obviously we all have a certain degree of professional responsibility; if our employers think we screwed up, we can (and arguably should) lose our jobs. But legal responsibility? Are we negligent if we don't prevent users from using dictionary-based passwords, or for leaving well-known security holes unpatched?

Hmmmm....

--Suzanne
woolf@isi.edu