Re: tlug: telnet: different question + others
- To: tlug@example.com
- Subject: Re: tlug: telnet: different question + others
- From: "Thomas O'Dowd" <tom@example.com>
- Date: Tue, 30 May 2000 00:17:17 +0900
- Content-Type: text/plain; charset=us-ascii
- In-Reply-To: <14642.27395.611137.83150@example.com>; from turnbull@example.com on Mon, May 29, 2000 at 10:05:07PM +0900
- References: <20000529101400.B7207@example.com> <Pine.LNX.4.10.10005290525160.31060-100000@example.com> <20000529132313.B277@example.com> <14642.4422.675111.887914@example.com> <20000529171430.A8484@example.com> <14642.19581.689154.716136@example.com> <20000529211108.B6592@example.com> <14642.27395.611137.83150@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug
Interesting drinking material methinks...

On Mon, May 29, 2000 at 10:05:07PM +0900, Stephen J. Turnbull wrote:
> >>>>> "Thomas" == Thomas O'Dowd <tom@example.com> writes:
>
> Thomas> All in the spirit of education... I think the post got so
> Thomas> many responses because it was an interesting technical
> Thomas> question about how to do something on a Linux box. There
> Thomas> was nothing malicious in any of the responses apart from
>
> No, not malicious. Just unthinking. If you don't understand and
> describe the security implications, then you may very well be doing
> someone, possibly even the perpetrator, a severe disservice.

I agree with you here, but I still think it was an interesting problem and would answer it the same way again and still make the same point that I made at the end of my mail that he really should be attending class...

> Thomas> the side effect that if they were successful it might lead
> Thomas> to the attendance records going out of sync with reality.
>
> False. Some of the suggestions involved clear security breaches
> (.rhosts, ssh access without passphrase on a semi-public terminal)
> that could possibly be more broadly exploited. (At the very least, an
> intruder with the intent to break the real security on the University
> net could almost surely exploit that script to mask their identity.
> Remember, on a public access box everyone is root, there's no good way
> to be sure that any file on it is secure.)

Letting any user log in at all always opens up the possibility of this. The best you can do is educate your users as well as shut down your system's security and maintain a watchful eye on what's running on your system. If a site chooses to run .rhosts then at least they should be scanned for the existence of the dreaded + and such lines removed, with an educational email to the offending user. It is up to the site to try and provide the security they need and the education to go with it.

For example, they had a policy at my old college whereby the system imposed a limit on how long a process could run after which time it was terminated. It didn't take long to figure out that your program could just set an alarm just before this timeout, fork and let the parent process die to get around this. Another one was where they didn't allow print jobs above a certain size to get spooled. Another smart guy figured this one out and pretty soon everyone was running an lpr script to split big files into multiple print jobs. The point is that creative people love to solve these problems and the SAs had better be smart to stay ahead. As long as it's friendly fire, then I don't see a problem as both sides get to learn a lot from each other.

All said, if the lecturer is "smart" enough to take the lazy option of taking attendance with the "w" command, then a student can be smart enough to fake attendance with the "w" command.

Cheers,

Tom.

--
Thomas O'Dowd
tom@example.com

--------------------------------------------------------------------
Next Nomikai Meeting: June 16 (Fri), 19:00 Tengu TokyoEkiMae
Next Technical Meeting: July 8 (Sat) 13:30 Topic: TBA
--------------------------------------------------------------------
more info: http://www.tlug.gr.jp Sponsor: Global Online Japan
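The .rhosts scan suggested in the message above, as an added example that is not part of the original post or of any tool the thread mentions: it flags entries with a bare `+` in the host or user field and can rewrite the file without them. The `<home_root>/<user>/.rhosts` layout, the function names and the sample entries are constructed assumptions.

```python
import os
import tempfile

def classify(line):
    """Return why a .rhosts entry is a wildcard trust (None if it is not)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment
    if fields[0] == "+":
        return "'+' in host field: any host is trusted"
    if fields[1:2] == ["+"]:
        return "'+' in user field: any remote user is trusted"

def scan(text):
    """Split file content into (lines to keep, [(lineno, line, reason)])."""
    rows = [(n, ln, classify(ln)) for n, ln in enumerate(text.splitlines(), 1)]
    kept = [ln for _, ln, why in rows if not why]
    return kept, [(n, ln.strip(), why) for n, ln, why in rows if why]

def audit(home_root, fix=False):
    """Check <home_root>/<user>/.rhosts; return {user: findings}."""
    report = {}
    for user in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, user, ".rhosts")
        # A privileged scanner must not follow a user-controlled symlink.
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path) as fh:
            kept, findings = scan(fh.read())
        if findings:
            report[user] = findings  # basis for the notice mailed to the user
            if fix:
                with open(path, "w") as fh:
                    fh.write("".join(ln + "\n" for ln in kept))
    return report

def demo():
    """Build a constructed home tree, audit it with fix=True, return results."""
    root = tempfile.mkdtemp()
    samples = {"alice": "lab1.example.com alice\n+ +\n",
               "bob": "# trusted hosts\nlab2.example.com +\nlab3.example.com bob\n",
               "carol": "lab1.example.com carol\n"}
    for user, text in samples.items():
        os.mkdir(os.path.join(root, user))
        with open(os.path.join(root, user, ".rhosts"), "w") as fh:
            fh.write(text)
    report = audit(root, fix=True)
    with open(os.path.join(root, "bob", ".rhosts")) as fh:
        return report, fh.read()
```

Netgroup entries such as `+@group` are left alone by this check; only the bare `+` wildcard is flagged.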