Re: Ethics. (and liability)

From: Peter Ajamian (pajamian@cheapsam.com)
Date: 02/01/00


Tony Maro wrote:

<snip>

Okay, now to get my 2 cents in (again).  When someone's password is
compromised they are not the only person who will suffer the
consequences; allow me to give a practical example.

Joe is helping Jeff with some issues in setting up his business web
site and Jeff has given Joe (whom he trusts very much) a lot of leeway
in Joe's access to the server.

Joe happens to play a MUD where password logging has been implemented
(unknown to Joe), and since Joe does not like having to remember a lot
of passwords, he uses the same password on the MUD that he uses on the
server account.

The Implementors who foolishly implemented the password logging in the
MUD were not responsible enough to even remove world read privileges
from the password log (note they could have and there are still ways to
get the log).

Luke, who runs another MUD on the same server and has a grudge against
the first MUD, gets the password log and uses it to (1) wreak havoc on
the MUD itself by logging in as implementor and completely trashing
everything he can, and (2) he now has a necessary password to log into
Jeff's server and trash it also if he wants.

Jeff's server gets broken into and trashed and he ends up losing a lot
of business revenue.  Note that Jeff did nothing to bring this about
except to trust someone who seems to be as responsible as anyone else he
knows, and even the person he trusted was not the one who caused the
major security breach.

Now, will Joe's answering 'Y' to a disclaimer relieve the MUD
implementors from liability to Jeff's server and business?  I think not.

Back to the ethical side, I will repeat what I have said in the past,
there is no good reason to log passwords, period.  The ONLY reason to do
so is with malicious intent and I would personally blacklist any MUD
that logged passwords in any kind of unencrypted form.  You can go
around all day saying that passwords are not private and that MUD
implementors are not responsible for their irresponsible acts, that does
not make it true.

To summarize, do NOT log passwords, it is bad for your MUD, it is bad
for your players and it is bad for you.

Regards, Peter


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     |  http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html  |
     +------------------------------------------------------------+
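The post describes two separate failures: the MUD wrote plaintext passwords to a log, and the log file was left world-readable. The following C example is added here and is not from the original post, from CircleMUD, or from any MUD code base; it shows the defensive shape of a login log that records who attempted to log in and whether it succeeded but never takes the password as input, and that creates its log file mode 0600 and refuses an existing file that is world-readable. The function names (`format_login_event`, `open_private_log`, `log_login_event`), the log path, the player name and the host address are all constructed for the example. It does nothing about password reuse across services, which the post identifies as the other half of the problem; it only keeps the MUD's own log from becoming the source.

```c
/* Added example, not from the original post or any MUD project:
 * a login-event log that never receives the password and that is
 * written to a file readable only by the MUD's own user. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if the mode grants read access to "other" (world-readable),
 * which is the condition the post describes for the password log. */
int is_world_readable(mode_t mode) {
    return (mode & S_IROTH) != 0;
}

/* Build one log line: UTC timestamp, player name, remote host, outcome.
 * The password is deliberately not a parameter of this function, so a
 * later edit cannot casually add it to the format string. Returns the
 * number of characters written, as snprintf does. */
int format_login_event(char *buf, size_t len, const char *name,
                       const char *host, int success, time_t when) {
    char stamp[32];
    struct tm *tmv = gmtime(&when);
    strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", tmv);
    return snprintf(buf, len, "%s LOGIN %s from %s: %s\n",
                    stamp, name, host, success ? "OK" : "FAILED");
}

/* Open the log for appending, creating it 0600 (owner read/write only).
 * If the file already exists with world-read permission, close it and
 * return -1 so the misconfiguration is noticed instead of being written
 * to silently. Returns a file descriptor on success. */
int open_private_log(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || is_world_readable(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Record a login attempt. Note the signature: name, host and outcome
 * only. The caller that verified the password keeps it to itself. */
int log_login_event(const char *path, const char *name,
                    const char *host, int success) {
    char line[256];
    int fd = open_private_log(path);
    if (fd < 0)
        return -1;
    int n = format_login_event(line, sizeof line, name, host,
                               success, time(NULL));
    if (n < 0 || (size_t)n >= sizeof line) {
        close(fd);
        return -1;
    }
    ssize_t w = write(fd, line, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

int main(void) {
    /* Constructed sample values: a player name from the post's story and
     * a host in the 203.0.113.0/24 documentation range. */
    const char *path = "./login.log";   /* hypothetical log location */
    if (log_login_event(path, "Joe", "203.0.113.7", 1) != 0) {
        fprintf(stderr, "refusing to log: cannot open %s privately\n", path);
        return 1;
    }
    printf("logged login attempt for Joe (password not recorded)\n");
    return 0;
}
```

If the log already exists with a mode like 0644, `open_private_log` returns -1 and nothing is written; the fix is `chmod 600` on the file, not a change to the code. The format function is the piece to review in a real code base: as long as no function that writes to the log ever receives the password, there is nothing to leak.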



This archive was generated by hypermail 2b30 : 04/10/01 PDT