In a message dated: Wed, 21 Jun 2000 12:09:20 EDT
"Jerry Feldman" said:
>There are a bunch of very good issues raised. In an engineering
>environment, the engineer frequently needs to test on his/her own
>system. Many times there is a need for the engineer to have the ability
>to reconfigure the system as necessary without bothering the system
>admin people. Outside of this environment, there is usually no need for
>users to have special privileges. The issue should be "if you modify a
>system, you must take responsibility for that".
True, but who gets the responsibility when the untrusted, non-secure host is
used to access confidential data which was only accessible because of the
inadequate security imposed by the existence of that host? The sysadmin,
whose responsibility it is to secure the network environment and therefore the
data, or the star engineer who won the battle with management to get root
access to the machine?
I can tell you, the sysadmin would get the blame *and* the boot, the engineer
would retain his root password, the network would remain vulnerable, and it
would happen again.
Kevin Mitnick supposedly caused DEC huge monetary damages. He
would not have been able to do so had the network been properly secured. Now,
I'm not maintaining that some engineer requiring root access is to blame, but
I am trying to show an example of how easily networks are compromised.
Also, I find it interesting that an individual's personal needs seem to always
override the greater good of the company. Does no one ever think about
what's more important in the long run anymore? Do people just not care?
I'm really curious about this. In a day and age when our personal privacy is
constantly being invaded and stripped away, I find it amazing that people are
more concerned with things that inconvenience them than with what is the "right"
thing to do for everyone, or how they can change the way they do things to make
their life a little more secure.
DEC (or Compaq) I'm sure is like any other company out there, where
time-to-market is the most important thing above all else. However, what
would have happened had Sun gotten a hold of the plans for Alpha early on and
copied the designs? Would that have cost as much as securing the network
environment?
Or, on a personal note, how would any of you feel knowing that anyone in the
entire company could read all your e-mail, incoming and outgoing, and access all
the files in your home directory without you knowing about it? Do you keep
any personal information on your system you'd rather others not know about?
Anyone have a Palm Pilot they sync with their system at work? It's simple for
root to access those files, copy them somewhere else and install them on
another pilot elsewhere. Hope you don't store any banking information on your
pilot, or social security numbers. :)
Hmm, not using ssh? tcpdump or ethereal on any Linux laptop is great for
accessing passwords across the network.
I'm not trying to be the BOFH; rather, I'm trying to point out that security
does matter. Even if the likelihood of someone maliciously attacking your
internal network may seem slim, there are those who are untrustworthy, and you
never know who they are. Derek and I take our jobs as sysadmins quite
seriously, and, additionally, we take our users' personal privacy just as
seriously. As much as I don't want the security of my company violated, I
want even less for the security and privacy of my users to be violated. Root
access to any machine constitutes a threat to both, and *that* is what we're
trying to eliminate. We may not be successful, but at least we're trying, and
at least someone out there is concerned about it.
By the way, we as sysadmins have a job to do too. And let me tell you,
securing a network is a major P.I.T.A, and a huge inconvenience too, but we do
it because it's the right thing to do and because we care more about the
greater good than our own personal inconvenience.
I'd much rather be playing with neat things like Linux clustering than making
sure my network is secure :)
--
Seeya,
Paul
----
"I always explain our company via interpretive dance.
I meet lots of interesting people that way."
Niall Kavanagh, 10 April, 2000
If you're not having fun, you're not doing it right!
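Paul's remark about tcpdump or Ethereal on a laptop picking passwords off the wire is the security-relevant point of the message, so here is an added worked example of what that sniffing actually amounts to. This is not code from the original post or from any tool Paul names; it is a small credential extractor written for this page. It assumes the capture tool has already reassembled each TCP stream into a client-to-server byte string, and the four streams below (POP3, FTP, HTTP Basic auth and an ssh session) are constructed samples, not real captures. The point it makes is the one in the mail: the cleartext protocols hand over the login with a regex, while the ssh stream yields nothing past its version banner.

```python
"""Pull logins out of reassembled TCP streams, as a passive sniffer on a shared
segment could. Added example for this page; sample traffic is constructed."""
import base64
import re

# Constructed sample traffic (not real captures): client->server payload of
# four streams, reduced to the destination port plus the bytes on the wire.
CAPTURED_STREAMS = [
    {"dst_port": 110,  # POP3 mail check, password sent in the clear
     "payload": b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"},
    {"dst_port": 21,   # FTP uses the same USER/PASS command pair
     "payload": b"USER carol\r\nPASS s3cret!\r\nPWD\r\n"},
    {"dst_port": 80,   # HTTP Basic auth is base64, not encryption
     "payload": (b"GET /timesheet HTTP/1.0\r\nHost: intranet\r\n"
                 b"Authorization: Basic Ym9iOmxldG1laW4=\r\n\r\n")},
    # An ssh session: only the version banner is cleartext; everything after
    # the key exchange is ciphertext, modelled here as opaque high bytes.
    {"dst_port": 22,
     "payload": b"SSH-2.0-OpenSSH_2.1\r\n" + bytes(range(0x80, 0x100))},
]

# One command per line; the lazy group plus \s* strips the trailing CR.
USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.MULTILINE)
PASS_RE = re.compile(rb"^PASS\s+(.*?)\s*$", re.MULTILINE)
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.MULTILINE | re.IGNORECASE)


def extract_credentials(streams):
    """Return a list of (dst_port, username, password) for every login that
    crossed the wire in a recoverable form."""
    found = []
    for stream in streams:
        port, payload = stream["dst_port"], stream["payload"]
        if port in (21, 110):
            # POP3 and FTP: pair each USER with the PASS that follows it.
            users = USER_RE.findall(payload)
            passwords = PASS_RE.findall(payload)
            for user, password in zip(users, passwords):
                found.append((port, user.decode(), password.decode()))
        elif port == 80:
            # HTTP Basic: base64("user:password"); decoding is the whole attack.
            for token in BASIC_RE.findall(payload):
                try:
                    decoded = base64.b64decode(token, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                user, sep, password = decoded.partition(b":")
                if sep:
                    found.append((port, user.decode(errors="replace"),
                                  password.decode(errors="replace")))
        # Port 22 (ssh) deliberately has no branch: there is nothing to parse.
    return found


def printable_fraction(payload):
    """Share of bytes that are printable ASCII or CR/LF/TAB. Cleartext
    protocols score 1.0; an encrypted stream scores close to the chance rate,
    which is how a sniffer tells a worthwhile stream from an opaque one."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return printable / len(payload)


if __name__ == "__main__":
    for port, user, password in extract_credentials(CAPTURED_STREAMS):
        print(f"port {port}: {user} / {password}")
    for stream in CAPTURED_STREAMS:
        print(f"port {stream['dst_port']}: "
              f"{printable_fraction(stream['payload']):.2f} printable")
```

The ssh stream is scored but never parsed: a sniffer that sees only the version banner and then ciphertext has nothing to copy, which is the whole reason Paul asks "not using ssh?". Protocol-specific regexes are what the early password sniffers were built from; the port-based dispatch is a simplification, since a real tool would identify the protocol from the payload rather than trust the port.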
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************