Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!sri-spam!mordor!styx!ptsfa!ihnp4!cuae2!ltuxa!we53!sw013b!dj3b1!killer!root
From: root@killer.UUCP
Newsgroups: news.misc,news.sysadmin
Subject: Re: Foothead, Foothead, on the net/Who's the biggest liar yet?
Message-ID: <784@killer.UUCP>
Date: Tue, 21-Apr-87 08:35:41 EST
Article-I.D.: killer.784
Posted: Tue Apr 21 08:35:41 1987
Date-Received: Sat, 25-Apr-87 08:21:26 EST
References: <1128@cartan.Berkeley.EDU> <1065@epimass.UUCP> <5553@eddie.MIT.EDU> <5558@eddie.MIT.EDU>
Organization: The Unix(tm) Connection, Dallas, Texas
Lines: 88
Xref: utgpu news.misc:299 news.sysadmin:138
Summary: Protected ??

In article <5558@eddie.MIT.EDU>, ooblick@eddie.MIT.EDU (Mikki Barry) writes:
> In article <5553@eddie.MIT.EDU> ambar@eddie.UUCP (Jean Marie Diaz) writes:
> >In article <1065@epimass.UUCP> jbuck@epimass.UUCP (Joe Buck) writes:
> >
> >>However, forging articles, breaking into
> >>machines, altering others' articles, and changing .forward files
> >>to redirect mail are grounds not only for being thrown off the net,
> >>but possibly a criminal case can be made (for the prometheus
> >>breakins).
>
> Yes, I heartily agree.  But only if someone is actually doing these things,
> and it can be proven.
>
> >Faking mail and/or news is not tolerated here.  The shell scripts in
> >Foothead's home directory for doing both are ample reason to pull his
> >account.  Whether or not he is the perpetrator of the fake
> >arndt@prometheus articles is not relevant, although I would add that
> >files in /usr/rlr on borax seem to bear this out, as they contain the
> >tell-tale line:
>
> An important factor that everyone seems to have missed here is that
> Foothead's home directory was PROTECTED.
> I have spoken to foothead on
> this issue, and he told me that not only are his directories protected,
>
> Charging somebody with faking mail and news before you have proof, and while
> the only evidence you have is obtained by using your root privs to read
> others' protected directories is quite the case of the pot calling the kettle
> black.  This is a certain case of "jumping the gun" at best, and blatant
> censorship at worst.
>
> And I do not like the fact that you appear to be using your root privs
> to look through protected directories.  I also don't like faked news and/or
> mail articles.  If it is proven that fh did it, great.  Kick him off the
> net forever.  But trashing someone before you have proof is reprehensible.
>
> Mikki Barry

Mikki,

In all reasonableness, the "tracing" of the origin of the fake articles
was being traced to mit-eddie as the most common point of apparent origin.

Next, if, as you state, his directory was PROTECTED and contained the
utilities to fake articles, alter .forward files, and whatever else they
would do, then this is reasonable proof that either the owner of that
directory or someone who had access to it were the perpetrator(s).  If it
is fact that two other people also had access to this directory, it is
possible that one of those *could* have disclosed this information to a
third party who *could* have been the person actually causing the problems.

However, the fact remains that the scripts for creating these fakes and
altering the files did exist (I have to assume they were, in fact, found
there) in a "protected" login directory is ample reason to state that the
articles originated from that login id.  Perhaps the statement that the
individual was the one who actually typed the articles could be inaccurate
but that, also, would be virtually impossible to PROVE unless there was a
witness.
Even software to monitor the exchange between a terminal device and the
system could not conclusively prove that a particular person was the one
with the "fingers on the keys".  The POSSESSION of the necessary scripts IS
ample proof to remove the login and the directory.  I would not hesitate to
do exactly the same.

I do not use root privs to "snoop" or for any other purpose than to keep up
with the maintenance of my system and the software.  I do monitor the
system performance but that is necessary to maintain the system and keep it
available for use.  However, if there is a question of where what you may
call "snooping" may end and the security of the system and the net are
concerned, I will not hesitate to use whatever means at my disposal to
protect them.  I also would not hesitate to remove a login that contained
such scripts as to fake articles, alter them as the ones in question were,
or to access another user's files without authorization from that user.

One other note.  I would also not hesitate to give pooh, you, or the other
person access to my system if access to the net was needed.  I would,
however, require only that nothing such as the faked articles be done and
would guarantee that your files were secure from me as well as from the
other users.  I also must guarantee that if those types of actions were
traced to my system, I would certainly be looking for the origin with
whatever means at my disposal.

Hopefully, you will not view this as a flame - it certainly is not meant
to be.

Charles Boykin
{cuae2,ihnp4}!killer!root