How to stop future viruses.
Dennis L. Mumaugh
dlm at cuuxb.ATT.COM
Fri Nov 11 04:47:56 AEST 1988
In article <17828 at glacier.STANFORD.EDU> jbn at glacier.UUCP (John B. Nagle) writes:
> Bear in mind that Dennis Mumaugh works for NSA. He's telling us
>that the UNIX password encryption system is fundamentally insecure. Pay
>attention, people.
>
> John Nagle
John is a bit out of date: I used to work for NSA. I changed
employment in 1984 and I now work for ATT, Data Systems Group, in
their top tier UNIX System software support group. Hence my
knowledge on UNIX security can be out of date with respect to the
US Government. Also much of the tiger team was done in 1976 and
my security work was done in 1978-81 and then some later in 1983.
As far as the ATT UNIX System V I am not authorized to comment on
security aspects except to mention that System V Release 3.2 does
use shadow passwords so brute force decryption is possible only
through administrator error. 3.2 also prevents shells being
executed by setuid programs (e.g. using the system(3) feature).
When I WAS working for NSA we started re-engineering the
password system to allow pass phrases and a rather strict censor
for determining whether a pass-phrase would be accepted. Even
the current System V does have some criteria and it also does
password ageing. BUT most Berkeley derived systems haven't kept
pace.
--
=Dennis L. Mumaugh
Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm at arpa.att.com