Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!spool.mu.edu!snorkelwacker.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!purdon
From: purdon@athena.mit.edu (James R. Purdon III)
Newsgroups: comp.org.eff.talk
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID: <1991Jun24.214045.14965@athena.mit.edu>
Date: 24 Jun 91 21:40:45 GMT
Article-I.D.: athena.1991Jun24.214045.14965
References: <31124@hydra.gatech.EDU>
Sender: news@athena.mit.edu (News system)
Organization: Massachusetts Institute of Technology
Lines: 145

In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes:
>
>I just read this on ga.general...
>----------------------------------------------------------------
>---From: mcovingt@athena.cs.uga.edu (Michael A. Covington)
>---Newsgroups: ga.general
>---Subject: Student suspended for helping hackers
>---Summary: Student deliberately compromised security of athena.cs.uga.edu
>---Date: 11 Jun 91 04:21:01 GMT
>---Organization: University of Georgia, Athens
>
>The University will soon be issuing a news release about this incident.
>In the meantime, here is a summary:
>
>(1) A number of unauthorized users have been using various University
>of Georgia computers. Most of them have left much more of a trail than
>they realized and will be hearing from us.

Here are the results of a "finger @athena.cs.uga.edu" command:

[athena.cs.uga.edu]
Login     Name                  TTY  Idle  When       Where
dardis    Anthony Dardis        p0         Mon 16:11  uscn-gw.cc.uga.e
fantz     Todd Fantz            p1         Mon 16:41  uscn-gw.cc.uga.e
quelch    Geoffrey E. Quelch    p3         Mon 10:41  sheridan.ccqc.ug
steele    Frank Steele          p4         Mon 16:46  128.192.24.30
greg      Greg Whitlock         *co        Mon 16:54
ben       Benjamin Jeyaretnam   p0         Mon 16:57  uscn-gw.cc.uga.e
lapena    Chito Lapena          p4         Mon 16:49  128.192.24.124
jalluri   Ravi K. Jalluri       p5         Mon 16:50  uscn-gw.cc.uga.e

Does this constitute unauthorized usage? Will I be hearing from UGA?
If you claim that this is authorized usage on my part, please show me
some policy statement indicating this.

>(2) The first person actually caught as part of this incident has now
>been sentenced to 2 quarters' suspension, plus a probated expulsion,
>by the Student Judiciary. This was a U.Ga. student whose name cannot
>be released due to confidentiality of educational records.
>
>What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu
>to a "hacker" who had already penetrated another system, and who wanted
>to use a password-guessing program to break into athena. The student was
>fully aware that he was assisting in a break-in.

Is UGA in the practice of monitoring its users' email? If so, does this
include both outgoing and incoming messages? If it includes incoming
messages, then is the reasonable expectation of privacy assumed by
external senders of email being violated, as you have neglected to
inform the net (at least within the United States, where such
regulations hold) of your monitoring? In any case, should we assume
that messages sent to our colleges at UGA are being read by other than
their intended recipients?

>Two points that everyone may need to be reminded of:
>
>(1) Unauthorized computer use is a felony under Georgia law (which is
>about to become even stricter, on this point, than it is already).

The Georgia law is so broad as to allow any sort of accusation to be
made. Under Georgia law, my finger command can be labelled as
unauthorized access, and I may be prosecuted. Under Georgia law, a bad
login attempt due to a mistyped login name could be construed as
unauthorized access.

In any case, Georgia law makes for bad university policy. At the time I
attended UGA there was not even a clearly formulated policy as to what
constituted appropriate use - such use was decided in an entirely
arbitrary fashion by the system administrators of OCIS. One would hope
things have changed, but I doubt it.

>(2) We cannot presume that any intruder is harmless. To keep the machine
>safe for everyone, we have to presume that every unauthorized user intends
>something destructive. It's very common for an intruder to say "I meant no
>harm" when in fact a transcript of his session shows that he was trying to
>crash the machine or delete people's files.

Evidence, please. And from your statement you seem to be admitting that
as a matter of course, UGA records the sessions of its authorized users.
Have you informed your users of this fact?

>The University of Georgia has no public-access UNIX machines. If anyone
>gives you a password on one of our machines, please contact me.
>
>----------------------------------------------------------------
>
>I didn't know that doing things with an /etc/passwd
>would be considered unauthorized use.

It's your tough luck to live in Georgia, where horribly broad laws
determine what constitutes unauthorized use. What's even worse, you
don't actually have to use, just attempt to use. Ever try to list a
file only to find it wasn't readable? If you have, you're a potential
felon.

>the file is readable by the world after all.

It hardly matters what the access permissions were. All that matters is
authorization, which is not well-defined (actually, not defined at all).

>The uga student was not the one who broke in.

As a matter of fact, there is no indication (from the article) that
there was a break-in at all.

>I have some serious problems with UGA suspending him.

At the very least, one wonders if there was a publicly-known policy
stating that the export of /etc/passwd constituted unauthorized use.
One wonders at the methods used to gain evidence. One wonders if UGA is
pursuing a felony conviction. Should we mention due process?

>I am a little too "exam-week-weary" to articulate my feelings well,
>but I thought that you guys should know about this.

Given my experience at UGA, it does not surprise me in the least. Of
course, you should be careful.
Your use of Usenet, if not specifically authorized, could be construed
as unauthorized use.

>What if a student runs cops on /etc/passwd... would this
>be considered intent to break into a system and could he thus
>be suspended?

Under Georgia statute, a felony charge could be brought for "attempting
to access a computer without authorization." Suspension certainly would
be a possibility.

>Well, you guys can mull it over today, I need some sleep.

It's hard to sleep when you have badly written laws.

>
>-Mike Goldsman
>
>
>
>--
>------------------------------------------------------------------------
>Mike Goldsman
>36004 Georgia Tech Station
>Atlanta Georgia, 30332, 404-872-5146

--
Jim
Once I was a fetus. Now I am a person, and a married person as well.