Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!uunet!seismo!rutgers!sri-spam!ames!ptsfa!ihnp4!occrsh!occrsh.ATT.COM!tiger.UUCP!authorplaceholder From: rjd@tiger.UUCP Newsgroups: comp.misc Subject: Re: Hacker Scholarship, Who really Message-ID: <140200005@tiger.UUCP> Date: Mon, 20-Jul-87 12:11:00 EDT Article-I.D.: tiger.140200005 Posted: Mon Jul 20 12:11:00 1987 Date-Received: Fri, 24-Jul-87 01:05:21 EDT References: <387@esunix.UUCP> Lines: 66 Nf-ID: #R:esunix.UUCP:-38700:tiger.UUCP:140200005:000:3344 Nf-From: tiger.UUCP!rjd Jul 20 11:11:00 1987 >> This makes your classifications of criminality pretty much a moot >> point, because you normally have to prove the act has taken place >> to prove me a criminal. >> >> Randy > >I hope you're not saying that if you don't get caught you didn't do >anything wrong. I may not be able to PROVE you committed a crime, but >breaking into a computer and rifling through someone's disk is the >same as breaking into their office and rifling through their file >cabinet. If you do it to help I'll admire your motives, but if you >get caught you COULD find yourself in BIG trouble. > >Don I was afraid someone was going to take this out of context and only reprint part of the article and sure enough..... The part of my article that you left out answers your questions, but let me reitereate: I DO NOT condone "rifling through someone's disk", on the contrary, that is how I got involved with system security, someone pointed out how easy it was to "rifle" through mine, so I took steps to prevent it, then realized how many holes there were. I did not say that not proving a crime made it not a crime, rather that it makes this debate rather pointless; the debate about people such as I performing audits being criminals. Those who are saying that this activity IN GENERAL is criminal have no idea what they are talking about. I am saying that, performed responsibly, it can be a great service. This is all in response to the "Hacker Scholarship", if you recall... As to being in Big trouble, I do not bother with someone else's computer, especially any outside the company (AT&T), as that is their business, thus it is impossible for me to be in Big Trouble, just minor trouble if I should piss off an upper management type, which is very unlikely as I have been encouraged in the work of improving the security of the AT&T Unix systems. I have been asked for help by customers, and have provided it when possible, as I believe that AT&T wants us to be as helpful as possible, and they have said it many times. AT&T can have no qualms with my work in this regard, as it takes negligable time and does not take me away from my work - in my job, I do not normally have direct- customer contact. Basic security is easy and is often botched by lazy or uninformed administrators: Your first line of defense: (against totally unauthorized users) 1) no unpasworded logins, 2) verification of users, 3) and very careful networking using only secure software. This is usually very basic and simple to do. I usually deal with: Your second line of defense, against authorized users gaining unauthorized priviledges: 1) no user-writeable root (or any other system login)-setuid-programs 2) a biggie: no system directories of mode less secure than 755 (include /. and /..) and while we are at it, make sure that no user owns a system directory. 3) no user-writable programs executed by root or ANY system login (such as programs run from cron) 3a) root path NEVER set to search current directory (user makes an ls command in his directory to trap a nosy root). Its easy enough to type ./command if you need to. etc.... Randy Davis UUCP: ...(ihnp4!)3b2fst!randy All opinions and/or advice stated above are MY OWN, not those of AT&T, though the company may or may not agree with them.