Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!REAGAN.AI.MIT.EDU!CStacy
From: CStacy@REAGAN.AI.MIT.EDU (Christopher C. Stacy)
Newsgroups: comp.risks
Subject: Reach Out and Spy on Someone
Message-ID: <19890228083832.5.CSTACY@GAYE.AI.MIT.EDU>
Date: 28 Feb 89 08:38:00 GMT
References:
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 49
Approved: risks@csl.sri.com

Date: Thu, 23 Feb 89 10:41:46 PST
From: Peter Scott
Subject: Reach Out and Spy on Someone
To: RISKS-LIST@KL.SRI.COM

An article in _Digital Review_, February 20, under the title "Reach Out And Help Someone" reviews a package for VAX/VMS called Video, from Performance Software. The subtitle says, "...system managers and training coordinators can keep an eye on user activity". Among other things, this package allows anyone with appropriate privileges to see what anyone else is typing and receiving on their terminal (passwords excepted, I suspect), or to "take over" another terminal and broadcast their own commands to it. You can also record terminal sessions and play them back at leisure. "With the Video Seer utility, system managers can monitor terminal sessions to detect system abuse or simply to identify performance drains on their systems." Oh joy.

The ITS operating system (created about 15 years ago on PDP-10s, still in use today) allows users to spy on each other's screens anonymously, and also to type on each other's consoles. I believe that some other old systems (such as PLATO) may have had similar capabilities.

On ITS, I found these features invaluable for assisting users who were having trouble, for observing students, and also for monitoring system intruders. ITS did not implement any system security, and anyone could Spy, read anyone's files, etc.

Spying is similar to the capability on most systems of some privileged user(s) being able to access anyone's files and mailboxes without their knowledge.
The information privacy issues and potential abuses are probably exactly the same. If access to someone's files is like access to their desk drawers or their locker, spying on them is like looking over their shoulder.

There are clearly legitimate ways in which these capabilities can be used, notably in educational settings; it's all a matter of the involved parties understanding and agreeing to the situation.

As a security tool, spying is only useful for monitoring the session of an intruder in action; having a security officer to sit around spying on users at random would be ridiculously inefficient, and would violate security principles.

Monitoring the sessions of users on a keystroke basis is fairly obviously a pretty stupid way to conduct either a machine performance or operator productivity analysis.

There may be some legislation somewhere about using these sorts of capabilities, and I imagine that the unions have an opinion on the matter.