How secure is UNIX?

Dan KoGai dankg at tornado.Berkeley.EDU
Sat Jun 9 01:45:23 AEST 1990


In article <1990Jun7.161215.27328 at chinet.chi.il.us> les at chinet.chi.il.us (Leslie Mikesell) writes:

>The usual protection against losing files either due to accidents or
>malicious removal is to keep backups.  Doesn't your site maintain
>some reasonably current tape copies of everything?  I also try to keep
>copies of files that are personally valuable on PC floppies which at the
>moment are the ultimate in portable media.  All you really need is access
>to a PC, modem, and dial-up port to transfer to/from just about anything.

	One of my accounts did:  Not this OCF account.  But losing files
is a rather small problem.  What if your root password is illegally changed
by someone else?  If so, unless you can replace /etc/passwd or yp, you can't
get back to root again (replace whole disk with carbon-copy image of previous
backup?).  Of course you can do it by replacing the whole disk but it's a hardware
solution and not very efficient.  My case is not just an accident.  The moron
showed me the capability of doing even nastier things.  So backup is not
a solution to a cracker and was never intended to be:  a cracker is not an accident
and we are not supposed to confuse accident and felony.
	As long as we depend on crypt() to encrypt passwords and the password file
is open to the public, unix can never be secure enough--I wrote a 10-line C code
to crack it and successfully found my own password (Thank god this method
doesn't apply on Apollo where my OCF account resides but works any with
/etc/passwd.  And easily extendable to yp).  It took horrible time but this
kind of time is nothing compared to the prize it guarantees.
	I'm not at all a UNIX guru but all I needed was how password protection
was implemented and decent C knowledge--both accessible.  We should at the very
least separate encrypted passwords from finger entries.  And if possible,
replace dummy crypt() with something else--we don't need much speed for
login process, do we?

----------------
____  __  __    + Dan The "Hackn' Scared" Man
    ||__||__|   + E-mail:	dankg at ocf.berkeley.edu
____| ______ 	+ Voice:	+1 415-549-6111
|     |__|__|	+ USnail:	1730 Laloma Berkeley, CA 94709 U.S.A
|___  |__|__|	+	
    |____|____	+ if (!strcmp(cryptpass, crypt(pass, cryptpass))) 	
  \_|    |      + 	You_Are_Toast();
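
Separating encrypted passwords from finger entries, as the post asks, is the idea behind shadow password files. As an added example (not part of the original post), this Python sketch audits passwd-format lines for entries that still keep a hash or an empty password in the world-readable file; the sample lines and function names are constructed for illustration.

```python
import re

# Constructed sample in passwd(5) format (not from the original post).
# Field 2 is the password field; field 5 is the GECOS data that finger reads.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:abCONSTRUCTED:1001:100:Alice Example,Room 1:/home/alice:/bin/sh
bob:$6$constructedsalt$CONSTRUCTEDHASH:1002:100:Bob Example:/home/bob:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
guest::1003:100:Guest:/home/guest:/bin/sh
broken:line
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")      # 2-char salt + 11-char hash
MODULAR = re.compile(r"\$([0-9A-Za-z-]+)\$.+")    # $id$salt$hash style

def classify(field):
    """Say what the password field of one passwd entry exposes."""
    if field == "":
        return "empty-password"
    if field == "x":
        return "shadowed"            # hash lives in a root-only shadow file
    if field[0] in "*!":
        return "locked"
    if DES_CRYPT.fullmatch(field):
        return "legacy-des-hash"
    m = MODULAR.fullmatch(field)
    if m:
        return "modular-hash:" + m.group(1)
    return "unrecognized"

def audit(text):
    """Return (line number, user, finding) for every entry in the text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            results.append((lineno, fields[0], "malformed"))
            continue
        results.append((lineno, fields[0], classify(fields[1])))
    return results

def needs_attention(text):
    """Users whose entry is anything other than shadowed or locked."""
    return [u for _, u, kind in audit(text) if kind not in ("shadowed", "locked")]

if __name__ == "__main__":
    for lineno, user, kind in audit(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: {kind}")
```

Entries reported as `legacy-des-hash` or `modular-hash:*` are the ones any local user can copy out of the file; moving them behind the `x` placeholder takes the hash out of the file finger has to read.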


