Hmm, seems like that "Junior Sys Admin" independent study doesn't get very good
grades, does it?

I have some questions, especially regarding Jeff's comments; see below...

Jeffry Smith wrote:

> On Tue, 3 Oct 2000, Mjo wrote:
> [...snip...]
> > KSC has traditionally had a Linux server that held student accounts for mail
> > and web pages.  "Junior Sys Admin" was an independent study for running this
> > box.  This summer it was used by a couple of people to break into places such as
> > Bell Atlantic.  The college administration has in absolutely no uncertain terms
> > decreed that we may only have a Linux box if it is NOT attached to the outside
> > world.  This is unfortunately not up for any debate.   Linux in a vacuum makes
> > very little practical sense, but that's what we have to work with.   Because
> > this makes the "Junior Sys Admin" role almost entirely moot, it will be
> > WONDERFUL to keep Linux possibilities here through the LUG.
> >
>
> OK, what will help in convincing the administration that ANY system
> connected to the outside world can be used to crack?  It's unfortunate
> that this happened, and I realize their reaction is to try and prevent
> future problems, but the reality is that the crackers will now use
> other available computers.

One thing that was unclear was whether the crackers were legitimate users of the Linux
box or if it had been cracked originally?  If it was cracked first, the college
administration could have a legitimate reason to view Linux as a liability, especially
if they have not seen other systems cracked and used as attack relays.  It is also not
clear to me that other available computers would be equally good platforms for
mounting attacks, depending on the tool sets and o/s environments.

> My concern here is not to get a Linux box in (much as I would like
> it), but to ensure the Keene State administration understands that
> it's not technology, it's attitude, that creates crackers, and that
> their actions have done NOTHING to protect themselves, merely created
> an illusion of security.  In the long run, it will bite them bigtime
> when one of these incidents happens using a "secure" machine (and I
> mean when, not if - even if they booted the crackers out, there will
> be others).  Even worse, unless they take a proactive attitude (which
> is not retribution, but education and understanding), they will
> themselves get cracked, most likely from the inside.  This is a
> reality based on real-world statistics - most computer breakins /
> crimes happen from the inside, not the outside.

I mostly agree, but strongly disagree with that statement about proactive attitude.

I agree that education and understanding are important.  I feel very strongly that
everyone must be held accountable for their actions, and that means that punishment
must be meted out when it is deserved.  Doing otherwise is condoning misbehavior.  A
proactive attitude must include monitoring and response to observed events, and that
response should include retribution.

My concern is that the KSC administration is taking an easy knee-jerk response that
creates the illusion of security, rather than dealing with the real problem.  It's a
lot easier and more palatable to blame technology rather than people, but the truth is
that this kind of thing can only happen when individuals misbehave and the
organizational environment lets them.  It's correct, there should be clear consistent
policy against misuse of systems, measures to implement the policy, and actions to
enforce it.

> In the long run, they are best served with clear, consistent policy,
> systems that implement that policy, and an understanding of what
> technology can and can't do (especially with crackers going to the
> outside - the only way to prevent it is to cut Keene State off of the
> internet and disable all modems, something I doubt they want to do).

Yes, but if we get rid of that nasty anarchistic open source Linux box we'll be safe
and secure in the care of Big Brother Microsoft, right?
:-)

--Bruce McCulley

