[plug] Computer insecurity

Bret Busby bret at clearsol.iinet.net.au
Tue Aug 7 14:11:06 WST 2001 

On Mon, 06 Aug 2001, Matt Kemner wrote:
> On Mon, 6 Aug 2001, Bret Busby wrote:
> 
> > I have grave concerns about the imposition of the new student email system,
> > which uses student numbers of students, instead of student names, for email
> > account names.
> 
> What new changes?
> 
> I bitched about this back in '95 when I got my first email address:
> 950783c at babbage.cs.murdoch.edu.au
> 
> Nobody listened to me then either..
> 
> Still, I fail to see the relevance of this to Linux in Perth in any way.
> 
> Send it to bushcourt at cleo.murdoch.edu.au (is that list still operational?)

I have not heard of that one. I have sent my concerns to various people of
significance at Murdoch (spelling okay, Christian? ;); it is now a matter of
waiting and seeing whether the breach in security and privacy, is intentional,
or, gets fixed.

> 
>  - Matt

Regarding the relevance to Linux, I believ that it is relevant to the original
posted message about the "Linux Security Paper".

The original message, about security, was

"I am doing a research project as part of my Dip IT and seeing as i have been
converted from MS to Linux, my lecturer has deceided in his wisdom that i
should do a research paper on Linux Security as a final assessment piece. I
have deceided to narrow it down to internet security and issues, and any
guidance (ie: reference material etc..) on this would be greatly appreciated
and acknowledgments would be included. "

The point to be made (I did not explicitly state the point), is that,
regardless of the provisions for security, that are inherent in a particular
operating system, when the system administrators lack common sense, and,
implement a system, without regard for security, and, without proper systems
analysis, what could and should be a secure system, can be significantly
compromised, by either the incompetence, or, malfeisance, of the system
administrators. I prefer to give the benefit of the doubt, in this case, and,
regard it as sheer incompetence.

Then, also, regarding the security of a system, also, regardless of the
provisions for security that are inherent in an operating system, there is also
the problem, as mentioned in another posting that I have made today, about
misrepresentation of a security problem, by technical staff.

"Results are no longer posted anywhere.  
There is no way for a person to findout anything but your name, from your
student number (and vice versa)." - From the IT Helpdesk response. But, the
results were displayed long after the changes to the user names were
implemented, and, as far as I know, are still displyed to the public.

Once again, I prefer to give the benefit of the doubt, here, and, regard it as
sheer incompetence. After receiving that message from the IT Helpdesk, I
telnetted to my library account, as previously described.

It is a matter of concealing a problem (No, our chips do not transmit anything
like serial numbers; no, our operating system/email application does not have
any security problems; no, mitsubishi cars have not had any safety problems,
etc).

Therefore, in the context of the original posting about the security paper; the
provisions for security that are inherent in an operating system, are
irrelevant, and, redundant, unless the computer system/network is properly
administered, and, that includes using common sense, and, not using
passwords as user names, when those passwords are set by the institution and
connot be changed by the user, and, when those passwords/user names are used to
obtain, by themselves only, confidential user information, and, proper support
for users must be implemented, so that users are not misled, by
misrepresentations by helpdesk staff who conceal a security problem instead of
doing what they should be doing - taking action to eliminate the security
problem.

So, while my posting of the security compromise at Murdoch (hello, again,
Christian ;) ), may not have been directly realted to Linux itself, it is
relevant to both the original request regarding the Linux Security Paper, and,
subsequent security postings on the mailing list, as, it is not only the
operating system, that comprises the system/network security, but, also,
equally importantly, the administration of the system/network.

And, I suggest that the writer of the paper take that into account, in his
writing of the paper.

Bret Busby
............

More information about the plug mailing list