How secure is UNIX?

Dan KoGai dankg at volcano.Berkeley.EDU
Wed Jun 6 01:20:04 AEST 1990


In article <1752 at necisa.ho.necisa.oz> boyd at necisa.ho.necisa.oz (Boyd Roberts) writes:

>Dan, my man you seem to have jumped to the conclusion that UNIX isn't
>secure because someone broke into your account and blew away your files.
>How this was done would appear to be attributable to stupidity, and
>not to underlying flaws in UNIX password security.

	Unix is at the very least insecure enough to make me sleep in nightmares.
I got several mails and some of them are raped even harder.  And this applies
to computers in general--my Mac has been infected by viruses 4 times (but the
last 2 were not serious at all, thanx to Disinfectant).

>At this point I'd like to make the distinction between UNIX password security
>and the various `security' of IP based networking utilities.  With those,
>there is _no_ security.  I think RTM and various others have proved this
>beyond a shadow of a doubt.  UNIX password security is secure, provided you
>have chosen a reasonable password.

	I do not think my accounts were nuked due to a network flaw:  Very
unfortunately, there are several cracker activities reported to have originated
at OCF.  And my password was secure enough by your standard, a string as
complicated as INTERCAL syntax!

>Sure, you can snarf /etc/passwd and try a dictionary attack.  But, you have
>to get access to the machine first.  Without access to the machine it's
>near impossible to break. Shadow password files nullify this method of attack,
>although I don't like this password file dichotomy.

	It's not that hard today to obtain a UNIX account.  And if you can
crack one site, it's likely the site includes users with other remote accounts,
which is exactly my case, and crack others--a chain reaction also appeared in
"Cuckoo's Egg".  I don't like NORAD-like security but very unfortunately human
nature is evil and it takes evil to secure from evil.

>The bottom line is that password security works.  Most systems aren't broken
>into.  The ones that are broken are usually compromised by some sloppy
>(ie. networking) utility or a flawed UNIX port.

	But it's far more common than having your wallet stolen.  Look, I'm not
the only victim and I heard of many cases on this Berkeley alone.   And UNIX
is still not common enough to attract people's attention--the Internet virus
case and the Cuckoo's Egg case attracted people because they were military
security related, not because of the fame of UNIX.  I think I have seen too
many cases of insecurity considering the still small size of the UNIX
community.  And this will get but more serious as UNIX gains popularity.
We'd better be prepared before it gets even messier.

>So Dan, a piece of advice:
>
>    $@$*$H$7$^$((J $@$*(J $@$D$1$F(J!
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ESC is dropped, yet another flaw of
     the netnews system

	I wish I could.  And now here's my advice:

	Living in the UNIX world is like an orgy: full of joy but riskier these days.

----------------
____  __  __    + Dan The "insecured" Man
    ||__||__|   + E-mail:	dankg at ocf.berkeley.edu
____| ______ 	+ Voice:	+1 415-549-6111
|     |__|__|	+ USnail:	1730 Laloma Berkeley, CA 94709 U.S.A
|___  |__|__|	+	
    |____|____	+ "What's the biggest U.S. export to Japan?" 	
  \_|    |      + "Bullshit.  It makes the best fertilizer for their rice"


