a thought about UNIX login security

rcj at burl.UUCP
Mon Jun 20 07:56:34 AEST 1983


As one of the more guilty parties (re: Ed's article about not
discussing security in net.unix-wizards), I feel obligated to
relate a real-life example of a system break-in (the only really
major one that I have first-hand experience with), and the
consequences thereof:

I went to school at a major Southern university.  We primarily
used a DEC-10 running the TOPS-10 operating system, although we
switched to Unix on a PDP-11/34 for the upper-level courses later.
The school of pharmacy made great use of the DEC-10 for research
purposes, and there was one grad student in pharmacy who was the
guru for the whole pharmacy school.  This grad student was liked
by EVERYONE, taught two computer courses for the computer science
dept. every term, and had won several awards from the University.

If any of the pharmacy faculty (or anyone else he knew) forgot their
password, they just went to Jim (not his real name) and he would pull
out a little printout that he had and tell them.  This went on for
some time until someone at the Computing Center found out about it
and hit the ceiling.  Apparently, (and remember, this is not Unix),
someone had the password file VERY well protected, but the binary
copy that was actually read by the system was readable by everyone.
Jim found this out, got a dump of the binary, and used a sliding
window technique to find out the password field and then decoded the
simple ASCII.

Even though it was demonstrated to everyone's satisfaction that Jim
did not take advantage of this information in ANY way whatsoever,
and even taking into account his very high standing with the University,
and even though both the Computer Science dept. of the School of
Engineering and the Dean of Pharmacy School came to bat for him,
he still came within one vote of losing his job.  And this information
was just lying around for anyone to look at -- all he had to do was
a very simple decoding.  Imagine what would have happened had he
really had to break a lot of stuff to get in!!!

Because I worked on our Unix installation, I had privileged access
(read:  root password).  One day, I was trying to find something for
one of my professors when I catted a file that came up:

Second Semester Final for CSCI xxx

I immediately hit delete, and went to my professor later to tell him
exactly what had happened in case he had some sort of accounting daemon
running that I didn't know about.  He smiled, said it was ok, and that
he had three bogus copies of that final on disk just to catch anyone
who might break in.  He told me further that the real exam was always
typed in by his assistant on the night before the exam, or even the
morning thereof.  Computer Science professors (and, increasingly, those
in other areas) know that students will try to break in -- and those
possible access methods are usually not totally booby-trap-free.

It ain't worth it, when there's so much money to be made so easy in
computer-related fields,
-- 

The MAD Programmer -- 919-228-3814 (Cornet 291)
alias: Curtis Jackson	...![ floyd sb1 mhuxv ]!burl!rcj
