How secure is UNIX?

Jonathan I. Kamens jik at athena.mit.edu
Tue Jun 12 11:23:39 AEST 1990


In article <1990Jun10.183417.6226 at agate.berkeley.edu>,
dankg at tornado.Berkeley.EDU (Dan KoGai) writes:
|> 	All I know is I became a victim and there are a lot of others.  And it's
|> not that hard to overcome crypt().  I admit I know too little to become
|> a security expert.  But it doesn't take a wizard to know every single file
|> I had was brutally deleted.  Are you still saying I am just flaming?
|> If you stop me or people like me from what you call flaming, give us a secure
|> system in the first place so I don't have to post something like this anymore,
|> period!

  As I, and several other people, have already pointed out, it *is*
sufficiently hard to overcome crypt() if your password is well chosen.
One of the reasons I said in a previous posting that I don't think you
know what you're talking about is that you keep on claiming that crypt()
is easy to break, when in fact it isn't.

  Your files were removed because you had a .netrc file with a plaintext
password in it.  That has nothing to do with crypt().  As someone else
has already pointed out, it is incredibly stupid to put any password
which you don't want other people to know into your .netrc file.  The
fact that you did so has nothing at all to do with whether or not
crypt() is secure.

|> 	I think my password was well-chosen:  It is hardly English or
|> any other language, with Uppercase and Numbers.  My previous one was very
|> random also.  Yet my 10-line (now 20 and can handle even more complex cases)
|> successfully found it:  I didn't use /usr/dict/words or any sort at all.

  Your password may very well have been well-chosen.  That's completely
irrelevant to the argument of whether or not crypt() is adequate, since
the way your account was broken into was by someone who read your .netrc
file, not by someone who cracked your password by encryption.

|> 	Provided it's secure enough.  UNIX is not.  I'm not a very exceptionally
|> rare victim.  I know a lot of even more severe cases, broken harder, which are
|> protected by UNIX experts.  How many victims do we need to convince you
|> guys that today's UNIX needs a major upgrade of security?  Well, even after
|> the Stockton Massacre, this country allows us to have guns without any license.
|> Maybe asking Americans for security is never secure enough in the first place.

  I am fully in agreement with the claim that Unix security needs to be
enhanced in many areas.  I just don't think that what happened to you is
any sort of good example of why this is so, and I still think that what
happened to you is more your fault than it is the fault of Unix.  Or, at
most, the fault of Unix documentation and of the people who run your
site for not telling you not to put important passwords in the .netrc file.

  Finally, I think your argument about guns is bogus and irrelevant.
Even after a guy with a can of gasoline burned down a nightclub and
killed something like 80 people (someone feel free to correct me if I'm
wrong), many more people than were killed and injured at Stockton, this
country allows us to have gasoline without any license.  Figure that out.

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710
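The practical point of the exchange above is that a .netrc file holding a plaintext password, or readable by anyone other than its owner, hands out the account regardless of how strong the login password is. The following shell script is an added example, not part of the original posting or of any Unix distribution: it walks a directory tree for .netrc files, counts the `password` tokens in each (the .netrc format is token based, so entries may span several lines), and flags any file whose group or other permission bits are set. The directory layout, user names, host names and secrets it constructs are made up for the demonstration.

```shell
#!/bin/sh
# Audit .netrc files for stored passwords and loose permissions.
# Added example; hosts, users and secrets below are constructed, not real.

# count_passwords FILE: print how many "password" tokens FILE contains.
# .netrc is whitespace-separated tokens ("machine HOST login USER password SECRET"),
# possibly wrapped over several lines, so split on all whitespace first.
count_passwords() {
    [ -f "$1" ] || { echo 0; return; }
    tr -s ' \t\n' '\n' < "$1" | grep -c '^password$' || true
}

# is_private FILE: succeed only if no group/other permission bits are set.
# Columns 5-10 of "ls -ld" output are the group and other bits.
is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    case $mode in
        *[rwx]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# audit_netrc FILE: print one line per finding; exit 1 if anything was found.
audit_netrc() {
    f=$1
    rc=0
    n=$(count_passwords "$f")
    if [ "$n" -gt 0 ]; then
        echo "$f: $n stored password token(s)"
        rc=1
    fi
    if ! is_private "$f"; then
        echo "$f: readable by group/others ($(ls -ld "$f" | cut -c1-10))"
        rc=1
    fi
    return $rc
}

# audit_tree DIR: audit every .netrc below DIR; exit 1 if any finding.
audit_tree() {
    findings=$(find "$1" -name .netrc -type f 2>/dev/null |
        while IFS= read -r f; do audit_netrc "$f" || :; done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_demo: build a constructed home-directory tree and print its path.
# alice stores two passwords in a world-readable file; bob stores none in a 0600 file.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob"
    printf 'machine ftp.example.org login alice password s3cret-1\n' > "$d/alice/.netrc"
    printf 'machine git.example.org\n    login alice\n    password s3cret-2\n' >> "$d/alice/.netrc"
    chmod 644 "$d/alice/.netrc"
    printf 'machine ftp.example.org login bob\n' > "$d/bob/.netrc"
    chmod 600 "$d/bob/.netrc"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed tree.
demo_dir=$(make_demo)
if audit_tree "$demo_dir"; then
    echo "no findings under $demo_dir"
else
    echo "findings above need attention"
fi
```

Run it against a real system with `audit_tree /home` as root (or a cron job that mails the output); a clean result is one with no output and exit status 0. The permission check deliberately treats any group or other bit as a finding, because ftp and other .netrc consumers have historically refused or ignored files that are not owner-only, and a readable file is exactly how the account in the thread above was lost.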


