Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!romp!auschs!awdprime!testsys.austin.ibm.com!mbrown From: mbrown@testsys.austin.ibm.com (Mark Brown) Newsgroups: comp.org.eff.talk Subject: Re: Student suspended for distributing /etc/passwd Message-ID: <8723@awdprime.UUCP> Date: 24 Jun 91 17:07:46 GMT References: <1991Jun24.015950.27226@murdoch.acc.Virginia.EDU> <8589@awdprime.UUCP> <8670@awdprime.UUCP> <8711@awdprime.UUCP> Sender: news@awdprime.UUCP Reply-To: mbrown@testsys.austin.ibm.com (Mark Brown) Lines: 92 gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl) writes: | mbrown@testsys.austin.ibm.com (Mark Brown) writes: | >I guess *I* wasn't clear. | > | >_Who_decides_evil_intent_? | >_Do_I_have_to_determine_intent_every_time_an_alarm_goes_off_? | | I guess we're batting 0 for 2 here. And *I'm* glad Greg and I have taken this to e-mail. Greg want to runs COPS unmolested. I wanted to expand this discussion to include "security probing" in general. We keep orbiting each other in our posts. | I don't need to decide intent very often. Because I have, I think, | fairly carefully checked security on my system, I don't care if the | COPS runner has evil intent or not, because odds are they aren't going | to find anything. I think I meet your criteria here. I believe in properly checking access lists, getting rid of setuid shell scripts, etc. | >I posit that it is labor-intensive and potentially harmful to users to be | >forced to question their "intent" all the time. | An ounce of prevention is worth 10 pounds of harrassment of the poor | users. I *still* maintain the if a "potential security tester" pounds on root's password 20 times (we log login attempts), I'm going to follow up. Call that harrassment, if you will. | >I posit that notification in advance, while not only GOOD MANNERS, also | >frees me to check on *real* attempts without wasting time (on my part, or | >on the students' when she is investigated for "attempting to crack the | >system"). | But why should I have to inform you about doing what I consider to be | routine things? "Oh, I'm testing a program that uses fork(), I just | wanted to warn you because there's a slight chance that I might have | reversed some tests and could accidentally crash the system. Want to | read my code just in case". | | The point I am attempting to illustrate is that on what I consider to | be a reasonably secure system, the admin does not need to worry about | users running COPS. COPS is one thing. I'm *still* trying to talk about the *GENERAL* case. I refer you to the Morris incident. Good intentions with bad results. | >| Which means you think it's OK to say "no" ? | > | >Yes, if I, as system admin, determine | > o your device is potentially destructive | > o your device is wasteful and you want to use it during peak time | | That's fine. These are the same criteria every admin uses to evaluate | anything, at least I do. Yow! We agree on something! | But the original thread was about a sysadmin who says "no one can run | COPS without my permission", and it was pretty clear that he would | deny permission on other grounds, like "well, I don't know you and I | don't trust you, so no, you can't." I tried to expand things to the *GENERAL* case, because COPS ISN"T THE ONLY THING USED to "probe" security. I agree, I agree, I agree, COPS IS SAFE. | Indeed, so one might wonder why you jumped into a thread about COPS. I | only brought up intent at all to show that it's silly to deny ALL | users the right to run COPS. That's all it was mentioned for. I wanted to explore restrictions of this type, in general. You want to stay mired in COPS. | If I run into an administrator who has big holes that can be spotted | by COPS, I don't want to use his machine. Period. I'm out of there. I | don't understand why I should spend any of my time telling any | sysadmin that I am about to do something that's totally ethical and | legal. Common courtesy, perhaps. Something that's still pretty rare out there in the Electronic Frontier. DISCLAIMER: My views may be, and often are, independent of IBM official policy. Mark Brown IBM PSP Austin, TX. | Crazed Philosophy Student (512) 823-3741 VNET: MBROWN@AUSVMQ | Kills 15 In Existential Rage! MAIL: mbrown@testsys.austin.ibm.com | --tabloid headline