How secure is UNIX?

Greg A. Woods woods at robohack.UUCP
Wed Jun 6 23:59:36 AEST 1990


In article <1990Jun5.152004.15873 at agate.berkeley.edu> dankg at volcano.Berkeley.EDU (Dan KoGai) writes:
> 	Unix is at very least insecure enough to make me sleep in nightmare.
> I got several mails and some of them are raped even harder.  And this applies
> to computer in general--My Mac is infected by virus 4 times (but last 2 was
> not serious at all, thanx to Disinfectant).

Your first sentence is wrong, as I will attempt to show.  I don't
quite understand your second sentence.  As to your final point
however, you should realize the susceptibility of a PC (any PC, or
home computer, including Apple's Macintosh) to a virus is several
orders of magnitude greater than the average UNIX system.  Certainly a
true UNIX virus is possible, and given the sloppiness of the average
vendor these days, one could easily get out.  However, I'd suggest
that it would be rare that such a virus would be contagious.  Binaries
just aren't often moved or shared between UNIX systems, and the
software distribution hierarchy is entirely different.  This is
changing with the increasing use of workstations on networks
though...and you can't really blame the network for this "flaw".

> 	I do not think my accounts were nuked due to network flaw:  Very
> unfortunately, there are several cracker activities reported to be originated
> at OCF.  And my password was secure enough for your standard, the string as
> complicated as intercal syntax!

I don't know how your site is related to OCF, but if they share a
network cable, then yes, you can indeed blame the network....

> 	It's not that hard today to obtain a UNIX account.  And if you can
> crack one site, it's likely the site includes users with other remote accounts,
> which is exactly my case, and crack others--chain reaction also appeared in
> "Cuckoo's Egg".  I don't like NORAD-like security but very unfortunately human
> nature is evil and it takes evil to secure from evil.

Yes, but first you'll have to crack the passwords of the people at the
"breached" site.  Then you'll have to hope they use the same passwords
on the target sites.  Then you repeat the loop.  Fortunately it is
likely you'll be discovered before the second iteration, since there
is still a significant lag required to break the passwords the hard
way.  (You'll also have to get through any "external" security the
target sites may have, such as call-back or dialup passwords.)  Again,
the network makes this so much easier!

> In article <1752 at necisa.ho.necisa.oz> boyd at necisa.ho.necisa.oz (Boyd Roberts) writes:
> >The bottom line is that password security works.  Most systems aren't broken
> >into.  The ones that are broken are usually compromised by some sloppy
> >(ie. networking) utility or a flawed UNIX port.
> 
> 	But it's far more common than your wallet is stolen.  Look, I'm not
> the only victim and I heard of many cases on this Berkeley alone.   And UNIX
> is still not common enough to attract people's attention--Internet virus
> case and Cuckoo's Egg case attracted people because it was military security
> related, not because of fame of UNIX.  I think I have seen too many cases
> of insecurity considering still small size of UNIX community.  And this will
> get but more serious as UNIX gains its popularity.  We'd better be prepared
> before it gets even messier.

Berkeley is on a network.  If it were possible that the network be
secure, or not exist, the breakins would be as common as those to Fort
Knox.

Most breaches of commercial UNIX systems are due entirely to sloppy,
or non-existent, system administration.

What does the "fame" of UNIX have to do with anything?  Do you think
it will be a more common target if it becomes more famous?  I doubt
anything would raise the ratio of UNIX breakins to those of other
types of systems.  I would imagine the ratio is already quite high.
UNIX is already quite famous in the cracker community.

UNIX is fundamentally quite "secure" (in the common definition).  It
does not, however, have mandatory security by default.  UNIX makes it
easy for you to disable any security features, sometimes by accident.

Networks are fundamentally quite insecure.  They are designed to
provide open and easy access to "remote" resources.
-- 
						Greg A. Woods

woods@{robohack,gate,eci386,tmsoft,ontmoh}.UUCP
+1 416 443-1734 [h]   +1 416 595-5425 [w]   VE3-TCP   Toronto, Ontario; CANADA


