Newsgroups: comp.admin.policy
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!csn!cherokee!newsat!jbw
From: jbw@maverick.uswest.com (Joe Wells)
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
In-Reply-To: jona@iscp.Bellcore.COM's message of 21 Jun 91 12:48:08 GMT
Message-ID: <JBW.91Jun24212737@maverick.uswest.com>
Sender: news@cherokee.uswest.com (Telegraph Row)
Nntp-Posting-Host: maverick.uswest.com
Organization: U S West Advanced Technologies
References: <20740@slice.ooc.uva.nl> <W2B-QAN@cs.widener.edu>
	<JBW.91Jun20200950@maverick.uswest.com>
	<1991Jun21.124808.19830@bellcore.bellcore.com>
Date: Tue, 25 Jun 1991 04:27:37 GMT

In article <1991Jun21.124808.19830@bellcore.bellcore.com> jona@iscp.Bellcore.COM (Jon Alperin) writes:

   I just noticed your internet address (USWEST) so look at this security
   issue in two other lights...

Sorry, the incident I describe took place elsewhere.  To make things more
clear, I had root privilege on the machine in question, although who was
"in charge" of the machine can be seen several ways (not me in any case;
it is a matter of departmental struggle).

   If you were joe average user, and provided computing resources to do your
   job (which was in no way related to sysadmin), then there is no reason
   for you to look for holes in the system.

So you're saying the average user has no interest in improving the
security of the system?

   Since you are responsible for producing some amount of work, your
   security concerns should go to your boss and the boss of the sysadmin.
   Friendship issues aside, I can think of no one these days at a
   management level who does not take security seriously.

I agree with you in the case of a large company that takes security
seriously (as all do).  However, there seems to be an attempt (not just by
you but by others in this newsgroup) to categorically deny the possibility
that a user should do his own security investigations.  What if the
company is a start-up and things are chaotic because of intense pressure?
What if the system administrator(s) are too busy, or have many other
responsibilities in addition to system administration?  I do not make any
claim about whether these are likely scenarios, merely that they occur and
in such situations it is everyone's duty to worry about security (although
many will not have the time).

   Second, from a telco point of view, you do not want other users tapping
   into phone lines just to show that the telephone company has security
   holes.  One would hope (:-{) that a private network user would present
   their concerns to the telco (who is being paid by this customer) rather
   than attempt to "break their system" (The ppsn, ss7 net, etc.) just to
   show the telco that security holes exist.  THIS "BREAK & SHOW" IS NOT A
   GOOD POLICY IN ANY CASE.  -- Jon Alperin Bell Communications Research

This might be a good response to another post, but it bears little
relevance to mine.  The incident cited was not a "break & show" incident,
but instead solely a "show" incident.  The user in question did not do
anything unauthorized or in any way forbidden while running the program
which developed the list of problems, which was quickly sent to the system
administrators so they could correct the problems (which, incidentally,
they did not ...).

-- 
Joe Wells <jbw@uswest.com>
