How to stop future viruses.

Dennis L. Mumaugh dlm at cuuxb.ATT.COM
Fri Nov 11 04:47:56 AEST 1988


In article <17828 at glacier.STANFORD.EDU> jbn at glacier.UUCP (John B. Nagle) writes:
>       Bear in mind that Dennis Mumaugh works for NSA.  He's telling us
>that the UNIX password encryption system is fundamentally insecure.  Pay
>attention, people. 
>
>					John Nagle

John is a bit out of date:  I used to work  for  NSA.  I  changed
employment in 1984 and I now work for ATT, Data Systems Group, in
their top tier UNIX  System  software  support  group.  Hence  my
knowledge on UNIX security can be out of date with respect to the
US Government.  Also much of the tiger team was done in 1976  and
my security work was done in 1978-81 and then some later in 1983.

As far as the ATT UNIX System V I am not authorized to comment on
security aspects except to mention that System V Release 3.2 does
use shadow passwords so brute force decryption is  possible  only
through  administrator  error.  3.2  also  prevents shells being
executed by setuid programs (e.g. using the system(3) feature).

When I  WAS  working  for  NSA  we  started  re-engineering   the
password  system to allow pass phrases and a rather strict censor
for determining whether a pass-phrase  would  be  accepted.  Even
the  current  System  V  does have some criteria and it also does
password ageing.  BUT most Berkeley derived systems haven't  kept
pace.
-- 
=Dennis L. Mumaugh
 Lisle, IL       ...!{att,lll-crg}!cuuxb!dlm  OR cuuxb!dlm at arpa.att.com
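
Added example, not part of the original post: a Python check for the administrator errors that would undo shadowing as described above, namely password hashes left in the world-readable passwd file or a world-readable shadow file. The sample entries are constructed, and treating "x" as the shadowed marker and a leading "*" or "!" as a locked account follows common convention, not anything stated in the post.

```python
import stat

# Constructed sample passwd content (not taken from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
daemon:*:1:1::/:
alice:x:100:100:Alice:/usr/alice:/bin/sh
bob:aB3xQz9LmN0pQ:101:100:Bob:/usr/bob:/bin/sh
guest::102:100:Guest:/usr/guest:/bin/sh
"""

SHADOWED = {"x"}               # assumption: "x" means the hash is in the shadow file
LOCKED_PREFIXES = ("*", "!")   # assumption: no usable hash, login disabled


def audit_passwd(text):
    """Return (user, finding) pairs for entries that defeat shadowing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw in SHADOWED or pw.startswith(LOCKED_PREFIXES):
            continue
        if pw == "":
            findings.append((user, "empty password field"))
        else:
            findings.append((user, "hash exposed in world-readable passwd"))
    return findings


def shadow_world_readable(mode):
    """True if the shadow file's permission bits let any user read it."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
    for mode in (0o644, 0o640, 0o400):
        print(f"shadow mode {mode:o} world-readable: {shadow_world_readable(mode)}")
```
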



More information about the Comp.unix.wizards mailing list