Newsgroups: comp.admin.policy
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!csn!cherokee!newsat!jbw
From: jbw@maverick.uswest.com (Joe Wells)
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
In-Reply-To: jona@iscp.Bellcore.COM's message of 21 Jun 91 12:48:08 GMT
Message-ID:
Sender: news@cherokee.uswest.com (Telegraph Row)
Nntp-Posting-Host: maverick.uswest.com
Organization: U S West Advanced Technologies
References: <20740@slice.ooc.uva.nl> <1991Jun21.124808.19830@bellcore.bellcore.com>
Date: Tue, 25 Jun 1991 04:27:37 GMT

In article <1991Jun21.124808.19830@bellcore.bellcore.com> jona@iscp.Bellcore.COM (Jon Alperin) writes:

> I just noticed your internet address (USWEST) so look at this security
> issue in two other lights...

Sorry, the incident I describe took place elsewhere. To make things more clear, I had root privilege on the machine in question, although who was "in charge" of the machine can be seen several ways (not me in any case, it is a matter of departmental struggle).

> If you were joe average user, and provided computing resources to do
> your job (which was in no way related to sysadmin), then there is no
> reason for you to look for holes in the system.

So you're saying the average user has no interest in improving the security of the system?

> Since you are responsible for producing some amount of work, your
> security concerns should go to your boss and the boss of the sysadmin.
> Friendship issues aside, I can think of no one these days at a
> management level who does not take security seriously.

I agree with you in the case of a large company that takes security seriously (as all do). However, there seems to be an attempt (not just by you but by others in this newsgroup) to categorically deny the possibility that a user should do his own security investigations. What if the company is a start-up and things are chaotic because of intense pressure? What if the system administrator(s) are too busy, or have many other responsibilities in addition to system administration? I do not make any claim about whether these are likely scenarios, merely that they occur and in such situations it is everyone's duty to worry about security (although many will not have the time).

> Second, from a telco point of view, you do not want other users tapping
> into phone lines just to show that the telephone company has security
> holes. One would hope (:-{) that a private network user would present
> their concerns to the telco (who is being paid by this customer) rather
> than attempt to "break their system" (The ppsn, ss7 net, etc.) just to
> show the telco that security holes exist.
>
> THIS "BREAK & SHOW" IS NOT A GOOD POLICY IN ANY CASE.
>
> --
> Jon Alperin
> Bell Communications Research

This might be a good response to another post, but it bears little relevance to mine. The incident cited was not a "break & show" incident, but instead solely a "show" incident. The user in question did not do anything unauthorized or in any way forbidden while running the program which developed the list of problems, which was quickly sent to the system administrators so they could correct the problems (which, incidentally, they did not ...).

--
Joe Wells