interesting behaviour. (followup)

[Alex S. Crain]

In article <598 at happym.UUCP> kent at happym.UUCP (Kent Forschmiedt) writes:
>In article <1437 at umbc3.UMD.EDU> alex at umbc3.UMD.EDU (Alex S. Crain) writes:
>>	3) I wasn't running any of the obvious security holes with the 
>>exception of no root password.
>
>When I read this, I laughed so hard I almost fell off of my chair...

	As I put things back in order, I've decided that I probably toasted
myself, as opposed to sabatoge, and at this point I really don't care, but
the above comment disturbes me.

	Since I have no untrusted users, and no dialins, I will maintain that
I have no use for a root password. root exists so that I am protected from
accidentaly hosing myself, and to keep the unskilled users out of the system
areas (aka, my wife, etc). I *will not* be afraid of hackers, even if I did
get wasted by one, simply because there is no reason why anyone would want
to hurt me, and no excuse for it. Its not really a question of being security,
but of being afraid.

	I have cracked systems before, and part of my job is system security
on the university systems. I believe that it is simply impossible to prevent
intrusion, and that the best way to combat it is to remove the need. Ie: at
school I advocate an open system, making sources and utilities available as
much as possible. If everyone gets what they want from the system, there is
no reason to circumvent security.

	If someone cracked my system, they did it over uucp, and knew what
they were doing. Since they had no way of knowing if I had a root password,
they probably assumed that I did, and used some other hole. If they did that,
then they know more about my system then I do, so a root password wouldn't
help.

	Some would argue that this attitude will cost me someday, but I don't
think so, and life without fear is worth the risk.

-- 
					:alex
Alex Crain
Systems Programmer			alex at umbc3.umd.edu
Univ Md Baltimore County		nerwin!alex at umbc3.umd.edu