cross
|
|
Discussion of staff viewing user data.
| 
Dec 10 23:28 UTC 2010 |
This item is for discussion about protocol for Grex staff looking at user's
data, specifically data that is protected from viewing by normal users. What
are the circumstances under which staff should look at things? Sometimes it's
legitimate; ie, if the user asks you to look at something, possibly even edit
one of his or her files (say, a shell startup file, if the user is having
problems with it). On the other hand, reading someone's personal email is
clearly not all right under all but the most extreme circumstances (e.g.,
under court order or something like that).
The policy right now is vague; what should it be?
|
cross
|
|
response 6 of 18:
|
Dec 11 21:03 UTC 2010 |
resp:4 This is another useful thing about asking for an email address in
newuser; that information goes into a log that can be viewed by staff
without looking at the users' files.
The process that the board adopted several years ago was straight
forward and didn't involve any reading of any files at all (except one's
personal email). It works as follows:
1. The user sends email to "porters@grex.org." That email goes into a
ticket tracking queue managed by the "RT" software.
2. One of grex's porters "takes" that ticket in RT and sends an email to
the user asking, "How did you hear about Grex?" 3. The user responds
with, really, whatever he or she wants. 4. The porter runs "validate
user" at the Grex command line. 5. The porter "resolves" the ticket.
That's it. No where in there does it talk about looking at users' files
or anything else. No where does it talk about proactively contacting
users. If people want to change this process, that's the type of thing
that needs to be discussed publicly, especially if any of those changes
involve looking at files that are protected by the user: even the .plan
file (granted, newuser does say that staff can see that information, but
staff still shouldn't be poking around in people's directories without
their permission. I'd say that even running "finger user" as root is
qualitatively different). Then again, none of porters on Grex who are
not also staff members with root access have the ability to do that.
Speaking of directories, I don't think that staff should be "checking
up" on users with unfamiliar login names, either. There was an incident
last week where I ran "w" and saw a staff member reading an unusually
named file that I happened to know was a temporary file created by the
"pico" editor. Thinking that was odd, I ran "ps auxwwe" and looked for
the staffer's "more" process, then saw that the PWD environment variable
in ps's output showed that the file was in another user's home
directory. The file was world readable, but a quick scan showed that it
contained email messages the user had composed to someone else. At
that point, I stopped reading, but the other staffer did not.
When I confronted him about it, I was accused of alternately running a
key logger on his sessions (not true) or somehow snooping on his tty
(also not true). The other staff member then went on to say that he had
seen this user with an unfamiliar - to him - login name and wanted to
see who he was, so he looked in his home directory, saw these strangely
named files, and became curious as to what they were, so he read them.
There are many things wrong with this scenario, in my mind.
First, despite the fact that these files were world-readable, they
clearly contained personal communications: this was obvious upon the
most cursory inspection. At that point, regardless of how curious
someone is as to *why* those files were there, they should have stopped
reading them. Unless there's some compelling reason to be reading those
files, or unless specifically asked by the user, I claim that personal
communications like that should be strictly *off-limits* for staff
members, even if root access is not required to view them. It's one
thing to stumble on them, but once you determine what they are, stop.
Second, being a system administrator on a large timesharing system
brings with it certain privileges: having root access basically gives
you access to anything on the machine. However, that also brings
greater responsibility. Because one has that access, one needs to be
even more careful than a non-system administrator about respecting the
privacy of users. There needs not only to be good judgment, but also an
air of responsibility when it comes to user data. Reading people's
files when you're on staff, unless you've got a real reason to, gives
the air of being cavalier about privacy. This is a good way to get the
users not to trust the staff (particularly when it was so obvious that
that's what was happening), and right now, we need to get more people
interested in Grex.
For a long time, the staff has had an almost paternalistic attitude
towards the system and users. This was okay, in the sense that it was
meant to protect the community, but that time is past. It's not 1991
anymore; we're swimming in the resources we once so lacked. Snooping
around looking for abuse is going to drive users away and isn't going to
help anybody. Let's not do it.
Finally, that's just not an appropriate way to learn. If a staff member
has a question about Unix, they can ask one of the more knowledgeable
staffers. They can do a web search. They can post in the systems
conference. They can email the staff mailing list. But reading user's
email (by the way, by my cursory glance, there was nothing in those
files that would give any indication as to why they had funny names; I
knew the answer, because I know how text editors work) is not an
acceptable way to learn.
|
jep
|
|
response 13 of 18:
|
Dec 20 03:13 UTC 2010 |
re resp:11: Dan, it's not that bad a suggestion. It's not practical but
that is not completely obvious.
Richard, encryption of all of a person's data means it would be fully
inaccessible to anyone who didn't know that person's password. If
someone forgot his password, he couldn't get his data and neither could
anyone else. Say you tie it to his login password, and he then changed
his login password. He'd have to keep track of his original password
for all of the data he wanted to access, plus the new password. Or he'd
have to decrypt and re-encrypt all of his original data.
If he forgets any of his passwords, the data encrypted with it can
*never* be read, by anyone, short of extremely unreasonable efforts.
So what data are we talking about? The .plan information which is
optionally created, and optionally made public when you first log in?
What's the point in creating that at all if it's encrypted? Every file
which he saves? In his home directory, or in system directories too?
Conference data which is temporary? Responses and items? Does the user
enter a password *every* time he wants to view or change *any* data file?
E-mail? Outbound mail which is encrypted is un-readable. Inbound mail?
*Which* inbound e-mail? That which enters the system? Except for the
headers, which are necessary to deliver it? That which is stored in the
person's mailbox? You'd have to rewrite the mail system for that? Mail
stored in the user's home directory? You'd also have to rewrite *all*
of the mail clients for that.
Keep in mind you're doing all of this in order to satisfy someone who
doesn't trust the roots. No one else can read most of this data anyway.
re resp:12: No, veek, even root cannot read what your login password is
on a Unix system, let alone any encryption key you come up with on the
fly. A system admin can see the saved encrypted string in the
/etc/security file, but seeing that is quite a lot different from
knowing the unencrypted string.
|