HELP! Legal UNIX security question...
Matt Thomas
A good friend of mine has recently aquired an internet provider. After
setting up, he decided to take a look around. He ran across /etc/passwd and
typed it. Like any decent UNIX system it was encrypted. He thought nothing
of it and went on with his business. Along the way he gathered a few source
files from IRC. Two of them being "shadow.c" and "passwdrace.c". The system
admins at my friend's providor saw that he had typed the /etc/passwd file and
viewed his directory and saw these two infamous files. Their next course of
action was to call my friend and tell him he wad violated system integrity and
is possibly going to jail. They insist that the act of viewing /etc/passwd is
an ILLEGAL act. His account (prepaid subscription for 6 months) has been
suspended and he can no longer access his files.
My question is: Did my friend commit an illegal act?
It's my understanding that possession of information is not illegal, it's the
use of that info that constitutes an illegal act. (Apart from classified
government info and various pornography)
Please e-mail me your replies, I need some help on my side.
Thanks
Matt Thomas
mcth...@netcom.com
--
===============================================================================
| Matt Thomas | ...endowed by their Creator with certain unalienable |
| mcth...@netcom.com | rights: Life, Liberty and the pursuit of happiness. |
| Atlanta, GA | _\|/_ L E G A L I Z E M A R I J U A N A _\|/_ |
===============================================================================
Matt Thomas
MA
>From: mcth...@netcom.com (Matt Thomas)
>Subject: HELP! Legal UNIX security question...
>Date: Mon, 21 Nov 1994 00:38:30 GMT
oxen...@chaos.cs.umn.edu
>In article <mcthomasC...@netcom.com> mcth...@netcom.com (Matt Thomas) writes:
>>From: mcth...@netcom.com (Matt Thomas)
>>Subject: HELP! Legal UNIX security question...
>>Date: Mon, 21 Nov 1994 00:38:30 GMT
I am posting this as I can not tell who to respond to.
>>I have a legal question, I hope you can help...
Perhaps you should contact the EFF at in...@eff.org
>>A good friend of mine has recently aquired an internet provider. After
Did purchase the company or just an account?
>>setting up, he decided to take a look around. He ran across /etc/passwd and
>>typed it. Like any decent UNIX system it was encrypted. He thought nothing
Er, cat the tile.
>>of it and went on with his business. Along the way he gathered a few source
>>files from IRC. Two of them being "shadow.c" and "passwdrace.c". The system
>>admins at my friend's providor saw that he had typed the /etc/passwd file and
>>viewed his directory and saw these two infamous files. Their next course of
>>action was to call my friend and tell him he wad violated system integrity and
>>is possibly going to jail. They insist that the act of viewing /etc/passwd isI don't know of any state in the US that has such a law, and it would be
very interesting to know of any state or federal law making body that would
understand UNIX and make laws aginst such an act as looking at /etc/passwd.
Perhaps the provider needs to upgrade his UNIX to use /etc/shadow or
/etc/security/passwd to keep the encripted password files in.
>>an ILLEGAL act. His account (prepaid subscription for 6 months) has been
>>suspended and he can no longer access his files.
Again, contact the EFF, (Electronic Frontier Foundation) they will have
some better answers to this question. (also try e...@eff.org)
>>My question is: Did my friend commit an illegal act?
He may not have done any illegal act, (most likely) but he could have
violated system policy, which would allow the provider to suspend his
account and not refund the money.
>>It's my understanding that possession of information is not illegal, it's the
>>use of that info that constitutes an illegal act. (Apart from classified
Posetion of information is not a crime, but on a private system, they
may state that holding information which could comprimize system security
invaladates your privledges on that system. Keyword(s): Private system.
>>government info and various pornography)
>>Please e-mail me your replies, I need some help on my side.
>>Thanks
>>Matt Thomas
>>mcth...@netcom.com
Chris Oxenreider oxen...@skypoint.com oxen...@chaos.cs.umn.edu
Walter Roberson
>>In article <mcthomasC...@netcom.com> mcth...@netcom.com (Matt Thomas) writes:
>>>I have a legal question, I hope you can help...
>>>typed it. Like any decent UNIX system it was encrypted. He thought nothing
>>>is possibly going to jail. They insist that the act of viewing /etc/passwd is
>I don't know of any state in the US that has such a law, and it would be
>very interesting to know of any state or federal law making body that would
>understand UNIX and make laws aginst such an act as looking at /etc/passwd.
>Perhaps the provider needs to upgrade his UNIX to use /etc/shadow or
>/etc/security/passwd to keep the encripted password files in.
I do not know the exact laws in the United States, but I understand that
they are not altogether different than the law here in Canada. In Canada,
there is definitely a law against exceeding (or attempting to exceed) one's
authorized limits in using a computer system, even if no 'harm' was done.
It is enough for the purposes of the act that the action or attempted
action was not explicitly authorized. It is definitely not necessary for
a provider in Canada to use shadow passwords etc to be legally protected,
or even any passwords at all, any more than it is legally necessary to have
locked and deadbolted one's house doors to be legally protected in cases of
illegal entry to one's house.
>>>My question is: Did my friend commit an illegal act?
>He may not have done any illegal act, (most likely) but he could have
>violated system policy, which would allow the provider to suspend his
>account and not refund the money.
In Canada, a *proveable* claim of unauthorized access to /etc/passwd can
result in successful prosecution. Proving it can be very difficult, of
course.
>>>It's my understanding that possession of information is not illegal, it's
>>>the use of that info that constitutes an illegal act.
>Posetion of information is not a crime, but on a private system, they
>may state that holding information which could comprimize system security
>invaladates your privledges on that system. Keyword(s): Private system.
What has been missed here is that the act of -obtaining- the
information may have been illegal. Think Industrial Spying. If you
accidently leave your system wide open to tftp, and I go in and by some
detective work and good guessing manage to find some valuable
confidential information, are you going to laugh about the situation
and say, "Oh, you got me that time, it is my fault for not having
protected myself against tftp!", or are you going to shrug and say,
"Well, it isn't illegal for him to -possess- [non-military] information,
so there is nothing we can do!", -- or are you going to try to get me
charged with obtaining the information through illegal methods?
We do not know in this case what the exact terms of the contract were
between the provider and Matt's friend. The terms of that contract may
have implicitly authorized examining /etc/passwd ... but if they didn't,
and the incident had taken place in Canada, Matt's friend would definitely
be in trouble. I can think of some defence approaches in a case
like this, but they would be a matter of creating reasonable doubt about
the access having been unauthorized, and not a matter of saying that
the provider has no claim under law.
Walter Roberson robe...@ibd.nrc.ca
Charles Hedrick
>In Canada, a *proveable* claim of unauthorized access to /etc/passwd can
>result in successful prosecution. Proving it can be very difficult, of
>course.
/etc/passwd is where all user information is stored, such as names,
addresses, etc. It is used by "finger" and many other programs. It
is intended to be read by users. What the user is not allowed to do
is decrypt the encrypted password and login as someone else. Someone
running crack over /etc/passwd (which can be used to find out other
users' passwords) might be regarded as an unauthorized use of
/etc/passwd, but simply looking at it is a normal act. In the course
of normal Unix use, one looks at /etc/passwd (via library routines
such as getpwnam) many times. Looking at it manually is perfectly
reasonable as well.
I'm more interested in why the sysadmin thinks this guy has been
reading /etc/passwd. It can't be because they're just monitoring his
file accesses (even if such a thing were possible), because everybody
would show up as accessing /etc/passwd. They'd have to be watching
the commands he types. I think that's an invasion of privacy. It
also sounds to me like they are engaging in harrassment.
Nico Garcia
I'm more interested in why the sysadmin thinks this guy has been
reading /etc/passwd. It can't be because they're just monitoring his
file accesses (even if such a thing were possible), because everybody
would show up as accessing /etc/passwd. They'd have to be watching
the commands he types. I think that's an invasion of privacy. It
also sounds to me like they are engaging in harrassment.
Well, "ps -aux" could easily show "less /etc/passwd", or "find passwd"
on a UNIX system would show a copy of the file with that name in their
user account. But something seems missing: was he merely "looking" at
it, or was he also perhaps running Crack and mailing copies of it
offsiite? We don't really know that. Now *those* would be clear
grounds for censuring the user.
Nico Garcia
ra...@athena.mit.edu
Mike Zorn
aspects are. If it comes to trial, you could always hire an expert
witness to show that 1) /etc/passwd is meant to be read by anybody
on a UNIX system, 2) the passwords are encrypted. Therefore, no
harm was intended.
Also get a copy of the contract to see whether certain things are
considered unallowable (such as reading certain files).
On the minus side, the possession of /etc/passwd along with
password-cracking programs could easily be seen as an intent to do
something illegal. Also on the minus side, /passwd contains the
names (and sometimes address & phone numbers) of ALL the users on
the system, so this could (and probably should) be considered by the
owners as confidential company data.
It's far-fetched to imagine that the System Admin running 'ps'
could catch someone else running 'type /etc/passwd', on the other
hand, I've heard of some systems that try to log EVERY command
issued by either EVERY user or selected users.
There may be some appeal process.
Mike (Absolutely not a Lawyer) Zorn USA
Mike Zorn
these two passwordcracking.c files came to be in a publicly-readable
directory.
Is there any connection with the attractive nuisance doctrine (if
I leave my swimming pool unlocked, and you wander in and get hurt in
it, you can sue me)?
Martin Pittinger PTN x8588
Trying to help out someone else is great, but
your friend was "Doing a Bad Thing". Poking
around in Pasword files is a no-no! Take your
friend aside and give him the right advice,
Keep your nose out of places you're not
suppose to be. The punishment fits the crime !
Ask for forgiveness from the Sys rep and try
again.
Patrick '3l33t' Oonk
PI> First, Your Friend needs more friends like you.
PI> Trying to help out someone else is great, but
PI> your friend was "Doing a Bad Thing". Poking
PI> around in Pasword files is a no-no! Take your
If this is the case, the rights on the /etc/passwd
file should be -rw-rw----.
If a file is readable, you are allowed to read it.
PI> friend aside and give him the right advice,
PI> Keep your nose out of places you're not
PI> suppose to be. The punishment fits the crime !
!*(#%&@#!*&*&(!#!@# NO CARRIER
_______________________________________________________________________________
ka...@desert.xs4all.nl Cryptoanarchy, MDMA, Tekkkkno, SL-1200
<blink> <A HREF="http://xs4all.nl/~kafka">Kafka's home page</A>
_______________________________________________________________________________
Steven B. Thompson
: pi...@netnews.jhuapl.edu (Martin Pittinger PTN x8588) once said:
: PI> First, Your Friend needs more friends like you.
: PI> Trying to help out someone else is great, but
: PI> your friend was "Doing a Bad Thing". Poking
: PI> around in Pasword files is a no-no! Take your
: If this is the case, the rights on the /etc/passwd
: file should be -rw-rw----.
The permissions on /etc/password can not be set to -rw-rw----
for a number of reasons, which I won't go into since it's not
the topic of discussion. However, if I'm not mistaken, the
original article said something about the shadow file being
involved as well. This is an entirely different matter.
: If a file is readable, you are allowed to read it.
Read it, fine, but copy it to your working directory ??? Again,
a different matter.
-------------------------------------------------------------------------
Steve Thompson | The person who says it cannot be done
SysAdmin@Work:(@Play:) | should not interrupt the person who
sbth...@wrdis01.robins.af.mil | is doing it ;) -- Chinese Proverb
Richard L. Miller
Patrick '3l33t' Oonk <ka...@desert.xs4all.nl> wrote concerning the /etc/passwd
file:
>
>If a file is readable, you are allowed to read it.
>
If you can shoplift undetected, you are allowed to do so.
If you can rape someone and not wake them up, you are allowed to do no.
Not.
-- Rich Miller
Jeffrey C. Ollie
>>"R" == Richard L Miller <rmi...@pnw.net> writes:
R>
R> In article <121094153...@desert.xs4all.nl>,
R> Patrick '3l33t' Oonk <ka...@desert.xs4all.nl> wrote concerning the /etc/passwd
R> file:
R>>
R>> If a file is readable, you are allowed to read it.
R>
R> If you can shoplift undetected, you are allowed to do so.
R> If you can rape someone and not wake them up, you are allowed to do no.
I don't think that your analogies apply. IMHO, making a file on a multi-user
computer system readable to someone else is like putting up a sign on a
bulletin board.
In any case, how is reading /etc/passwd to expand home directories
(e.g. ~joeuser) any different than using more?
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBLu0qH5wkOQz8sbZFAQFLOwP+PqpW8qGqubXj8vWeFoGATcQqCqlvPg2/
rq5Q+qsPAQ1jrY7Dnv85XB0Yfg5HyCqriBK75hK5GXKdIn1ETu9yg9HV9THlhgHL
zVLRmuW4nySHVinuEZmIGJMHNmIqFEn9LXPMadWakMGFYmSG6jOB7TctQzkhp8Y/
47r36z4hhVg=
=tkFM
-----END PGP SIGNATURE-----
--
Jeffrey C. Ollie
E-Mail: jeffre...@uiowa.edu <URL:http://odie.weeg.uiowa.edu/~jollie/>
GCS d-- H s:+>s g+ !p au+ a- w+ v+ C++$ UA++ P++(+++) L+ 3 E+ N++ K- W--- M+
V- po- Y+ t++(+) 5+(+++) j R G? tv+ b+++(++) D+ B-- e++ u---(-) h f+ r++ n- y+
TIS/PEM Key: on request (preferred) PGP Key: finger jol...@odie.weeg.uiowa.edu
--
Jeffrey C. Ollie
E-Mail: jeffre...@uiowa.edu <URL:http://odie.weeg.uiowa.edu/~jollie/>
GCS d-- H s:+>s g+ !p au+ a- w+ v+ C++$ UA++ P++(+++) L+ 3 E+ N++ K- W--- M+
V- po- Y+ t++(+) 5+(+++) j R G? tv+ b+++(++) D+ B-- e++ u---(-) h f+ r++ n- y+
TIS/PEM Key: on request (preferred) PGP Key: finger jol...@odie.weeg.uiowa.edu
Walter Roberson
:pi...@netnews.jhuapl.edu (Martin Pittinger PTN x8588) once said:
:PI> Poking around in Pasword files is a no-no!
:
:If this is the case, the rights on the /etc/passwd
:file should be -rw-rw----.
:
:If a file is readable, you are allowed to read it.
That might be the case in The Netherlands [I don't know], but it is not
the case in Canada or the United States. A relevant section of the
United States Criminal Code is: [from ecpa.law from ftp.eff.org]
TITLE 18. CRIMES AND CRIMINAL PROCEDURE
CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL
RECORDS ACCESS
Sec. 2701. Unlawful access to stored communications
(a) Offense. Except as provided in subsection (c) of this section
whoever--
(1) intentionally accesses without authorization a facility through
which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and
thereby obtains, alters, or prevents authorized access to a wire or
electronic communication while it is in electronic storage in such system
shall be punished as provided in subsection (b) of this section.
At this point we get into the question of what it means to
"exceed an authorization to access that facility". This is not defined in
this chapter. We can get a clue from
gopher://thumper.acc.nccu.edu/00/Policies/computer.fraud.law
which excerpts from the "COMPUTER FRAUD AND ABUSE STATUTE"
1030. Fraud and related activity in connection with computers
(e) As used in this section:
(6) the term "exceeds authorized access" means to access a computer with
authorization and to use such access to obtain or alter information in the
computer that the accesser is not entitled so to obtain or alter; and
If we apply this section, we resolve down to the question of what
the accesser is "entitled" to obtain. I would claim, and I think the courts
would agree, that a user is not *entitled* to obtain any file which the
user's contract with the provider does not clearly make available to the
user.
Walter Roberson robe...@ibd.nrc.ca
Roy M. Silvernail
sbth...@robins.af.mil (Steven B. Thompson ) writes:
> Patrick '3l33t' Oonk (ka...@desert.xs4all.nl) wrote:
> : If a file is readable, you are allowed to read it.
>
> Read it, fine, but copy it to your working directory ??? Again,
> a different matter.
Heh.
'cat /etc/passwd > ~/my.copy.of.passwd'
Any further questions?
- --
Roy M. Silvernail -- r...@cybrspc.mn.org
"I'm a family man, model citizen."
-- Warren Zevon
-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
iQCVAwUBLu2gcRvikii9febJAQE4DgQAnkTqh1+ulsK+STUAyRCMv4N0bUY4grq3
Vhvuw93k8la8F5nEI94pwAto2r2yD02Se4NCCFguPtRNEfIiKMpDVi0mpeznAF2G
Xv1fpc9fWV+rmIa8ypcREie8FMLdfANfqujqWt82MbRfXW2bvfODFXkvidTgrIK/
7OBWsCkKMjA=
=+waf
-----END PGP SIGNATURE-----
DFRussell
This is what is politely referred to as a strawman argument.
|>
|> Not.
|>
|> -- Rich Miller
--
Disclaimer: I don't speak for Martin Marietta or the EPA.
----------------------------------------------------------
dfru...@unixmail.rtpnc.epa.gov, Martin Marietta TSI,
P.O. Box 14365, MD-4501-1B, Research Triangle Park, NC 27709
J. R. Valverde (4423)
Sorry, but that is a non-sense. What you are saying is one thing,
and the reality is quite another. And I don't think it applies to the
reality:
If you access any good, almost any judicial system in the
workd will understand that you are doing under assumptions of confidence
and fair relationship among human beings.
Of course, many legal systems say that not knowing a law does
not excuse you of not respecting it. But fair use tells you that if
someone is forbidden it should be stated somewhere. That's why you have
traffic signals, moral education, programs on TV, radio etc... telling you
what you are expected to do and what not.
Now if you come to a system and you know that the access
permissions to any object are stated somehow and that you can read them
so as to appropriately respect them, you can't be reasonably prosecuted
for following the rules you see. Of course it does not mean that if
some rule is not stated or if a bad ruler wants to involve you in a crime
and changes the rules without telling you, you can't be prosecuted. But
that's not fair. And it would not make a good ruler of the misdoer.
Unix has a set of access permissions that anyone can see, clearly
stated and defined. One of them is READ qhich means that you can READ
or copy or whatever operation that requires a read any object labeled as
such. If the /etc/passwd file has READ permissions for WORLD, it is
saying clearly that it can be READ or whatever etc...
If you don't want user to copy a file you only have two options,
either remove the permission to READ or change the system so that it
does not allow the WORLD read permission (like a shadow file) by using
special, privileged programs to access it, or that is more fine grained
and allows to specify READ BUT NOT COPY.
Any other approach, although could possibly supported by a law
is unfair to say the least. It is like a town hall deciding that each
day it is forbidden to park in a different street without telling people
or putting signals so as to raise their income from the unaware users.
Although it *IS* technically correct and perfectly legal under some
legal systems, no one would consider that *fair*.
So either you get your users sign or forced to read a note
before getting an account stating that they won't copy a detailed list
of files or you don't give them access or you use a better system. If
you are too lazy to enhance your system or are not willing to pay for
a better one, then you shouldn't complain about your users, but *about
yourself*.
Well, that's *my opinion*. As I said, I know that many legal
systems allow abuse by the ruler, but it is not fair in any case. And
of course there are libertary and fascist systems in the world too, so
both if them can exist.
jr
sohl,william h
Walter Roberson <robe...@hamer.ibd.nrc.ca> wrote:
>In article <121094153...@desert.xs4all.nl> ka...@desert.xs4all.nl (Patrick '3l33t' Oonk) writes:
>:pi...@netnews.jhuapl.edu (Martin Pittinger PTN x8588) once said:
>:PI> Poking around in Pasword files is a no-no!
>:
>:If this is the case, the rights on the /etc/passwd
>:file should be -rw-rw----.
>:
>:If a file is readable, you are allowed to read it.
>
>That might be the case in The Netherlands [I don't know], but it is not
>the case in Canada or the United States. A relevant section of the
>United States Criminal Code is: [from ecpa.law from ftp.eff.org]
Relavent law deleted for brevity.
>At this point we get into the question of what it means to
>"exceed an authorization to access that facility". This is not defined in
>this chapter. We can get a clue from
>gopher://thumper.acc.nccu.edu/00/Policies/computer.fraud.law
>which excerpts from the "COMPUTER FRAUD AND ABUSE STATUTE"
Is that a state or federal statute?
> 1030. Fraud and related activity in connection with computers
> (e) As used in this section:
> (6) the term "exceeds authorized access" means to access a computer with
> authorization and to use such access to obtain or alter information in the
> computer that the accesser is not entitled so to obtain or alter; and
>If we apply this section, we resolve down to the question of what
>the accesser is "entitled" to obtain. I would claim, and I think the courts
>would agree, that a user is not *entitled* to obtain any file which the
>user's contract with the provider does not clearly make available to the
>user.
How many users actually have a signed contract?
How many signed or unsigned contracts or agreements provide any
listing at all of what files a user can or can not access.
To presume that any files "which the user's contract with the
provider does not clearly make available to the user." to be the
determining criteria is highly simplistic as there are probably
hundreds of files that any provider makes available but doesn't
specifically identify. A
Additionally, the files made available are not a static list.
New files become available to all users on a routine basis.
Your logic that only "allowed" files should be accessed would
prohibit access to new files or require a new contract every time
new files, service or features are added. Frankly I doubt
any service provider wants to do that.
As another poster wrote before, if some files should be navailable
to users, then prohibit user access to those files. If not, then
the provider (IMHO) must identify specifically all the files
any user should not access. Presuming the alternative that users
should only access some predetermined list of authorized files is
not workable at all, nor would it (again IMHO) be sustainable in
a court case.
Obviously, if a user used fradulent access methods to gain access
to some files this would not be applicable. This discussion (at
least mine anyway) is limited to an authorized user who is simply
"browsing" the readily accessible directories and files that the
system does not prohibit (by technological means) his/her accessing.
--
Bill Sohl, Bellcore NISDN Hotline Technical Consultant (1-800-992-ISDN)
-----------------------------------------------------------------------
Bill Sohl (K2UNK) BELLCORE (Bell Communications Research, Inc.)
Morristown, NJ email via UUCP bcr!cc!whs70
201-829-2879 Weekdays email via Internet wh...@cc.bellcore.com
Barry Margolin
The service in question has a clause in the Terms and Conditions of
Services document that specifies that the user won't try to guess
passwords. They interpreted making a personal copy of /etc/passwd as
evidence that the user was trying to do so (even though the system uses
shadow password files). The question we should be asking (in this case) is
not whether it's OK to access files just because you have read permission,
but whether this was a reasonable interpretation by the system
administrators.
The law in the US (and many other countries, I presume) recognizes intent
as a factor -- there are often different penalties for premeditated murder
versus murder in the heat of the moment. Whether /etc/passwd can be
accessed depends on *why* you want to access it. Accessing /etc/passwd in
order to translate a uid to a username is OK, accessing it for the purpose
of guessing passwords is not. Since Unix doesn't provide a way to
distinguish these automatically (although shadow passwords can make
/etc/passwd useless for the second purpose), we can't use the permissions
on the file to indicate whether accessing it is OK in a particular context;
a subjective understanding of the context and its relationship to the terms
of service must be used.
--
Barry Margolin
BBN Internet Services Corp.
bar...@near.net
J. R. Valverde (4423)
In article <3co2js$o...@tools.near.net>, bar...@nic.near.net (Barry Margolin) writes:
>From: bar...@nic.near.net (Barry Margolin)
>Newsgroups: alt.security,de.comp.security,misc.security,comp.security.misc,sub.security,uwo.comp.security,comp.security.unix,misc.legal.computing
>Subject: Re: HELP! Legal UNIX security question...
>
>I think you're all looking at this the wrong way.
[snip]
>
>The law in the US (and many other countries, I presume) recognizes intent
>as a factor -- there are often different penalties for premeditated murder
>versus murder in the heat of the moment. Whether /etc/passwd can be
>accessed depends on *why* you want to access it. Accessing /etc/passwd in
>order to translate a uid to a username is OK, accessing it for the purpose
>of guessing passwords is not. Since Unix doesn't provide a way to
>distinguish these automatically (although shadow passwords can make
>/etc/passwd useless for the second purpose), we can't use the permissions
>on the file to indicate whether accessing it is OK in a particular context;
>a subjective understanding of the context and its relationship to the terms
>of service must be used.
>--
>
>Barry Margolin
>BBN Internet Services Corp.
>bar...@near.net
>
That's exactly the point. But you can't (as far as I know) we judged
culprit based only on circumstancial evidences. Having a copy of
/etc/passwd is just circumstancial.
Even having a copy of crack would be. So, how's it that someone takes
upon him/herself the role of omniscient ruler and decides that they
are evidence enough?
Even the catholic Pope gave up omniscience long ago. Are these managers
fundamentalists of some kind of computer religion?
Sorry for the tone, but it the Net was intended (and is sold many a
time) as a free forum, and it is hard to accept that you have less
rights and freedom here than in the Real World. And that your rights
are'n ruled even by people you freely elect or under rules you can
decide upon.
Are we losing democracy now? Justice perhaps? What would be next? Banning
users that develops programs that could compete with the provider's
products? Don't laugh: if you are banned for having a copy of say, a
PC virus on a unix account, how can you possibly build a new antivirus
program?
The point is: there are circumstancial evidences, but there are legal
reasons too. So taking a decission is not so easy, and in my opinion,
it should not be. They are sysadmins or service providers, not cops,
judges or executors.
jr
-----------
THe opinions expressed here are mine and only mine, they do not
constitute any statement from my employer.
Barry Margolin
>Are we losing democracy now? Justice perhaps? What would be next? Banning
>users that develops programs that could compete with the provider's
>products?
In fact, it's been done. Some Internet providers don't allow shell account
customers to use The Internet Adaptor (TIA). This is an inexpensive Unix
program that emulates a SLIP server, and competes against the providers'
real SLIP accounts (which often cost more than shell accounts).
The arrangement between a commercial service provider and the customer
isn't a democracy. The provider is making certain services available to
the customer, and can specify limits on those services. Sometimes these
limits can be enforced by technology (e.g. logging the user off for
inactivity), but sometimes they can't.
Of course, if the provider cuts off the customer's service without proper
justification (which should be specified in the contract), and the customer
incurs financial losses as a result, he may have cause to sue for those
losses. But I suspect that the provider isn't held to a very high standard
of proof; certainly not the kind of standard that's required for a criminal
prosecution.
In the incident that started this discussion, I think the provider did jump
the gun. And their claims that the user could be legally prosecuted for
possession of the files seems highly exaggerated, due to the standard of
proof required in a criminal case. I think they were just trying to scare
the user.
L. Adrian Griffis
|> First, Your Friend needs more friends like you.
|>
|> Trying to help out someone else is great, but
|>
|> your friend was "Doing a Bad Thing". Poking
|>
|> around in Pasword files is a no-no!
Poking around in the password file is harmless. Running a program
like 'crack' on the password file would be another matter. Just
looking at the "/etc/passwd" file is absolutely, positively, 100%,
harmless. Remember, people sometimes read these groups trying to
learn something. Please be careful not to spread this kind of
misinformation around.
--
-.. . -.- . -.... -.-. ... -..- -.-
L. Adrian Griffis
adr...@ada1.elan.af.mil
L. Adrian Griffis
|> It may be that in Canada, all bets are off as far as the legal
|> aspects are. If it comes to trial, you could always hire an expert
|> witness to show that 1) /etc/passwd is meant to be read by anybody
|> on a UNIX system,
In fact, every time you execute the 'ls' command, 'ls' refers to the
password file. The numeric UID is stored in the i-node for a file,
not the user's login name. 'ls' has to read the password file to
translate the number to a login name. The password file is read
by normal user applications and utilities far more than most users
realize. The password file was never intended (by Unix developers)
to be off-limits to the user.
|> 2) the passwords are encrypted. Therefore, no
|> harm was intended.
|> Also get a copy of the contract to see whether certain things are
|> considered unallowable (such as reading certain files).
This is quite relevant in determining if you can be kicked off the
machine. It's hard to imaging such a contract making criminal
prosecution possible.
|> On the minus side, the possession of /etc/passwd along with
|> password-cracking programs could easily be seen as an intent to do
|> something illegal. Also on the minus side, /passwd contains the
|> names (and sometimes address & phone numbers) of ALL the users on
|> the system, so this could (and probably should) be considered by the
|> owners as confidential company data.
If this information is to be kept confidential, it should kept out of
the password file. The 'gecos' field can simply contain another copy
of the account name. An administration stratigy that holds this
information confidential but still places it in the password file
is not well thought out.
|> It's far-fetched to imagine that the System Admin running 'ps'
|> could catch someone else running 'type /etc/passwd',
Quite true, since the type command on a Unix box (when it is
present at all) is a builtin command on some shells that tells
something about how the shell will process a command. The
command you (and the other posters in this thread) are thinking
of is the 'cat' command. Actually, as inept as your SA sounds,
it seems likely to me that he did discover it via 'ps'. The
other alternatives are probably beyond him.
|> on the other
|> hand, I've heard of some systems that try to log EVERY command
|> issued by either EVERY user or selected users.
|> There may be some appeal process.
|>
|> Mike (Absolutely not a Lawyer) Zorn USA
Suggest to your SA that he consult with an expert before he
embarrasses himself in court.
--
-.. . -.- . -.... -.-. ... -..- -.-
L. Adrian Griffis
(also not a lawyer)
adr...@ada1.elan.af.mil
L. Adrian Griffis
|> :pi...@netnews.jhuapl.edu (Martin Pittinger PTN x8588) once said:
|> :PI> Poking around in Pasword files is a no-no!
|> :
|> :If this is the case, the rights on the /etc/passwd
|> :file should be -rw-rw----.
|> :
|> :If a file is readable, you are allowed to read it.
|>
|> That might be the case in The Netherlands [I don't know], but it is not
|> the case in Canada or the United States. A relevant section of the
|> United States Criminal Code is: [from ecpa.law from ftp.eff.org]
|>
|> TITLE 18. CRIMES AND CRIMINAL PROCEDURE
|> CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL
|> RECORDS ACCESS
|> Sec. 2701. Unlawful access to stored communications
|> (a) Offense. Except as provided in subsection (c) of this section
|> whoever--
|> (1) intentionally accesses without authorization a facility through
|> which an electronic communication service is provided; or
|> (2) intentionally exceeds an authorization to access that facility; and
|> thereby obtains, alters, or prevents authorized access to a wire or
|> electronic communication while it is in electronic storage in such system
|> shall be punished as provided in subsection (b) of this section.
|>
I don't think this section applies to the "/etc/passwd" file, although
I think it is a relevant point to make on the question of whether a user
is entitled to access any file for which he has read permission. This
section looks like it is designed to apply to electronic mail and things
of that sort.
|>
|> At this point we get into the question of what it means to
|> "exceed an authorization to access that facility". This is not defined in
|> this chapter. We can get a clue from
|> gopher://thumper.acc.nccu.edu/00/Policies/computer.fraud.law
|> which excerpts from the "COMPUTER FRAUD AND ABUSE STATUTE"
|>
|> 1030. Fraud and related activity in connection with computers
|> (e) As used in this section:
|> (6) the term "exceeds authorized access" means to access a computer with
|> authorization and to use such access to obtain or alter information in the
|> computer that the accesser is not entitled so to obtain or alter; and
|>
|> If we apply this section, we resolve down to the question of what
|> the accesser is "entitled" to obtain. I would claim, and I think the courts
|> would agree, that a user is not *entitled* to obtain any file which the
|> user's contract with the provider does not clearly make available to the
|> user.
The problem I see here is that the "/etc/passwd" file is access routinely
by common utilities such as 'ls'. This happens without most users even
being aware of it. If the writers of the contract were sophisticated
enough to know this, they should also be sophisticated enough to know
that reading the password file is not, in itself, a harmful act.
Given the logic you've followed, and knowing that 'ls' accesses the
"/etc/passwd" file routinely, it occurs to me to wonder if your
logic implies that it is not legal to use the 'ls' command unless
the contract specifically states that it is okay to look at the
"/etc/passwd" file (and the "/etc/group" file).
I think anyone who tries to formulate the rules about accessing a
computer without having enough knowledge about it is asking for
trouble.
I'm delighted to see you quote the statutes that are relevant here,
and I think they are indeed relevant to the statement "If a file is
readable, you are allowed to read it" that you quoted above. I'm not
sure they are applicable to the original situation that prompted this
thread.
--
-.. . -.- . -.... -.-. ... -..- -.-
L. Adrian Griffis
Randal L. Schwartz
J(?)> That's exactly the point. But you can't (as far as I know) we judged
J(?)> culprit based only on circumstancial evidences. Having a copy of
J(?)> /etc/passwd is just circumstancial.
J(?)> Even having a copy of crack would be. So, how's it that someone takes
J(?)> upon him/herself the role of omniscient ruler and decides that they
J(?)> are evidence enough?
Well, this question is too very close to a situation with which I am
all too familiar for me to go into detail, but let me say that it is
not a question that is necessarily answered with common sense. In
fact, I've got cancelled checks for $35,000 (so far) that say that it
takes something very unlike common sense to answer it. Blah.
print "Just another Perl hacker," # but not what the media calls "hacker!" :-)
# legal fund: $2580.03 collected, $34879.50 spent; email fu...@stonehenge.com for details
--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <mer...@stonehenge.com> Snail: (Call) PGP-Key: (finger mer...@ora.com)
Phrase: "Welcome to Portland, Oregon ... home of the California Raisins!"
DFRussell
|>
|> The service in question has a clause in the Terms and Conditions of
|> Services document that specifies that the user won't try to guess
|> passwords. They interpreted making a personal copy of /etc/passwd as
|> evidence that the user was trying to do so (even though the system uses
|> shadow password files). The question we should be asking (in this case) is
|> not whether it's OK to access files just because you have read permission,
|> but whether this was a reasonable interpretation by the system
|> administrators.
Key phrase: "They [the sysadm] interpreted..."
^^^^
Bottom line: the kid was screwing around, got caught and pitched. He
has no complaints.
|>
|> The law in the US (and many other countries, I presume) recognizes intent
|> as a factor -- there are often different penalties for premeditated murder
|> versus murder in the heat of the moment. Whether /etc/passwd can be
You have moved from system usage conditions to legalities.... big difference.
|> accessed depends on *why* you want to access it. Accessing /etc/passwd in
|> order to translate a uid to a username is OK, accessing it for the purpose
|> of guessing passwords is not. Since Unix doesn't provide a way to
|> distinguish these automatically (although shadow passwords can make
|> /etc/passwd useless for the second purpose), we can't use the permissions
|> on the file to indicate whether accessing it is OK in a particular context;
|> a subjective understanding of the context and its relationship to the terms
|> of service must be used.
Speculation: even if the person did manage to crack some of the passwords,
it's unlikely he could be convicted of anything unless he actively *used*
them -- and it could be *proven* that that was the case.
It's not illegal for someone to have passwords to your system...
|> --
|>
|> Barry Margolin
|> BBN Internet Services Corp.
|> bar...@near.net
--
Steven B. Thompson
: In article <3co2js$o...@tools.near.net>, bar...@nic.near.net (Barry Margolin) writes:
: >From: bar...@nic.near.net (Barry Margolin)
: >Newsgroups: alt.security,de.comp.security,misc.security,comp.security.misc,sub.security,uwo.comp.security,comp.security.unix,misc.legal.computing
: >Subject: Re: HELP! Legal UNIX security question...
: >
: >I think you're all looking at this the wrong way.
: [snip]
: >
: >The law in the US (and many other countries, I presume) recognizes intent
: >as a factor -- there are often different penalties for premeditated murder
: >versus murder in the heat of the moment. Whether /etc/passwd can be
: >accessed depends on *why* you want to access it. Accessing /etc/passwd in
: >order to translate a uid to a username is OK, accessing it for the purpose
: >of guessing passwords is not. Since Unix doesn't provide a way to
: >distinguish these automatically (although shadow passwords can make
: >/etc/passwd useless for the second purpose), we can't use the permissions
: >on the file to indicate whether accessing it is OK in a particular context;
: >a subjective understanding of the context and its relationship to the terms
: >of service must be used.
: >--
: >
: >Barry Margolin
: >BBN Internet Services Corp.
: >bar...@near.net
: >
: That's exactly the point. But you can't (as far as I know) we judged
: culprit based only on circumstancial evidences. Having a copy of
: /etc/passwd is just circumstancial.
Circumstancial ?? I think it's a tad more than that. ALso, as I
remarked in a previous post, I'm certain the original post stated that
he also had a copy of the shadow file, quite another matter that takes
it beyond circumstancial.
: Even having a copy of crack would be. So, how's it that someone takes
: upon him/herself the role of omniscient ruler and decides that they
: are evidence enough?
If that is the role he was placed in by the OWNERS of the system, then
it is his job to make a decision like that. If he assumes the
responsibilities on his/her own, thus stepping outside the scope of
the position, then I agree with you.
: Even the catholic Pope gave up omniscience long ago. Are these managers
: fundamentalists of some kind of computer religion?
What the hell does the pope got to do with it ??
: Sorry for the tone, but it the Net was intended (and is sold many a
: time) as a free forum, and it is hard to accept that you have less
: rights and freedom here than in the Real World. And that your rights
: are'n ruled even by people you freely elect or under rules you can
: decide upon.
: Are we losing democracy now? Justice perhaps? What would be next? Banning
: users that develops programs that could compete with the provider's
: products? Don't laugh: if you are banned for having a copy of say, a
: PC virus on a unix account, how can you possibly build a new antivirus
: program?
How do we know the user in question was a developer ?? If he was indeed
a developer, it might be different, depending on what he's suppose to be
developing. If he is assigned to build an anti-virus program, then sure,
no problem. If he is an application developer assigned to writing
programs that produce reports for a sales department, he has no business
having a PC virus on a Unix account unless getting permission first.
: The point is: there are circumstancial evidences, but there are legal
: reasons too. So taking a decission is not so easy, and in my opinion,
: it should not be. They are sysadmins or service providers, not cops,
: judges or executors.
Where do you get your definition of sysadmins ?? Again, if the OWNER
of the system (remember the OWNER???) assigns such duties to the
system administrator, then he is indeed a 'cop' of sorts, because
system security is HIS responsibility, and his ass if someone breaks
the system.
Users all to often forget that they do not own the system they have
an account on, and begin to take their account for granted and all
of a sudden think they have "rights" they do not in fact have.
They do have rights, within the frame of the rules of usage that
the owner of the system has given.
Gregg E Economou
> Read it, fine, but copy it to your working directory ??? Again,
> a different matter.
Um, copy priveleges are meaningles.s If you can read a file, you can just
as easily store wht it is you're reading somewhere. Thats what nice
things called pipes were invented for.
Just my $.02...
J. R. Valverde (4423)
In article <3csu1d$d...@wrdis02.robins.af.mil>, sbth...@robins.af.mil (Steven B. Thompson ) writes:
>From: sbth...@robins.af.mil (Steven B. Thompson )
>Newsgroups: alt.security,de.comp.security,misc.security,comp.security.misc,sub.security,uwo.comp.security,comp.security.unix,misc.legal.computing
>Subject: Re: HELP! Legal UNIX security question...
>
>J. R. Valverde (4423) (j...@ebi.ac.uk) wrote:
>
>: In article <3co2js$o...@tools.near.net>, bar...@nic.near.net (Barry Margolin) writes:
>: >From: bar...@nic.near.net (Barry Margolin)
>: >Newsgroups: alt.security,de.comp.security,misc.security,comp.security.misc,sub.security,uwo.comp.security,comp.security.unix,misc.legal.computing
>: >Subject: Re: HELP! Legal UNIX security question...
>: >
>: >I think you're all looking at this the wrong way.
>
[snip]
>
>: culprit based only on circumstancial evidences. Having a copy of
>: /etc/passwd is just circumstancial.
>
>Circumstancial ?? I think it's a tad more than that. ALso, as I
>remarked in a previous post, I'm certain the original post stated that
>he also had a copy of the shadow file, quite another matter that takes
>it beyond circumstancial.
>
I still believe there could be many reasons for that (e.g. plain
curiosity). However unlikely they may sound.
>: Even having a copy of crack would be. So, how's it that someone takes
>: upon him/herself the role of omniscient ruler and decides that they
>: are evidence enough?
>
>If that is the role he was placed in by the OWNERS of the system, then
>it is his job to make a decision like that. If he assumes the
>responsibilities on his/her own, thus stepping outside the scope of
>the position, then I agree with you.
>
Well, you have a point. But I still wonder whether the OWNERS of the
system have the _right_ to endow themselves with that power of
judgement. As I understand it any company can have security guards,
but none can send anyone to jail or execute people, nor even judge
criminals. My point is that if they thought this guy was doing something
wrong or illegal, it was not their right to *execute* or *judge*. There
are appropriate institutions for that.
>: Even the catholic Pope gave up omniscience long ago. Are these managers
>: fundamentalists of some kind of computer religion?
>
>What the hell does the pope got to do with it ??
>
Oh, I only wanted to say that everyone can make mistakes. The Pope was
endowed with the faculty of never being wrong until middle this
century. It would take a strong fundamentalist to believe one can't
be wrong more strongly that all the christian community. And remember,
these guys were the same that made the Inquisition.
>
>: Are we losing democracy now? Justice perhaps? What would be next? Banning
>: users that develops programs that could compete with the provider's
>: products? Don't laugh: if you are banned for having a copy of say, a
>: PC virus on a unix account, how can you possibly build a new antivirus
>: program?
>
>How do we know the user in question was a developer ?? If he was indeed
>a developer, it might be different, depending on what he's suppose to be
>developing. If he is assigned to build an anti-virus program, then sure,
>no problem. If he is an application developer assigned to writing
>programs that produce reports for a sales department, he has no business
>having a PC virus on a Unix account unless getting permission first.
>
Right. I completely agree with you. That's why I said it was so
difficult to decide, and why I think it should be let to those that
legally have to right to do so: judges.
>: The point is: there are circumstancial evidences, but there are legal
>: reasons too. So taking a decission is not so easy, and in my opinion,
>: it should not be. They are sysadmins or service providers, not cops,
>: judges or executors.
>
>Where do you get your definition of sysadmins ?? Again, if the OWNER
>of the system (remember the OWNER???) assigns such duties to the
>system administrator, then he is indeed a 'cop' of sorts, because
>system security is HIS responsibility, and his ass if someone breaks
>the system.
>
This is the point of disagreement: Whom does the OWNER get that power
from? Here I feel uncertain about law in the US. But I know for sure
that in may countries you are protected against abusive contracts: if
a contract is abusive it is automatically rendered illegal and null.
So, maybe this does not apply for US, but still, I don't see where
does an OWNER collect the power from. It would be like saying that a
landlord should be able to decide *by himself* if you must leave the
property whenever he suspects you are doing something he *does*not*
*like*. As far as I know, he can only do that with a court order. So,
where do computer OWNERS gain their *judicial* and *executive* power
from?
>Users all to often forget that they do not own the system they have
>an account on, and begin to take their account for granted and all
>of a sudden think they have "rights" they do not in fact have.
>They do have rights, within the frame of the rules of usage that
>the owner of the system has given.
Yes, as far as the owner has stated so in the contract very clearly,
and as the owner resorts to the appropriate means to enforce the
contract or the law. Any other thing is taking the justice on your
hands, and -again as far as I know- that's a no-no.
BTW, I agree that any person that does something illegal should
be indicted and punished *according to the law*. But tha *law* must
be the same for everybody, and it can only be so if it is a *conventional*
*law*inside*the*legal*frame*of*the*country*.
As you say, there are rules. But the only social contract we sign and
which rules everything is the *Constitution* which people swear to
respect. And only rules derived from it are legal and enforceable.
Any other rule is a small dictatorship attempted by a -maybe well
intentioned- non authorized person.
jr
----
These opinions are mine and only mine. They do not need to reflect in any
case my employers' ones.
Barry Margolin
>This is the point of disagreement: Whom does the OWNER get that power
>from? Here I feel uncertain about law in the US. But I know for sure
>that in may countries you are protected against abusive contracts: if
>a contract is abusive it is automatically rendered illegal and null.
>So, maybe this does not apply for US, but still, I don't see where
>does an OWNER collect the power from. It would be like saying that a
>landlord should be able to decide *by himself* if you must leave the
>property whenever he suspects you are doing something he *does*not*
>*like*. As far as I know, he can only do that with a court order. So,
>where do computer OWNERS gain their *judicial* and *executive* power
>from?
I don't think it's appropriate to compare computer providers with
landlords. The limits on landlords exist because housing is considered a
right, and the government has an interest in protecting those rights (I had
a friend who had a hard time expelling a tenant who was dealing drugs out
of the apartment). Computing and Internet access are not (yet) considered
a right; it's just an ordinary business arrangement, so the provider has
more leeway in specifying the terms. Furthermore, if one provider kicks
you off his system, there are plenty of others willing to give you an
account (even C&S never seem to have any problem getting new accounts).
And I doubt that you would get a court to declare that a contract
specifying that you won't use the account to try to break passwords is an
abusive contract.