Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!apple!vsi1!altos86!dtynan
From: dtynan@altos86.Altos.COM (Dermot Tynan)
Newsgroups: comp.os.minix
Subject: Re: Default passwords (long reply)
Message-ID: <3533@altos86.Altos.COM>
Date: 14 Jul 89 23:37:37 GMT
References: <187@loligo.cc.fsu.edu>
Organization: Altos Computer Systems, San Jose, CA
Lines: 63

In article <187@loligo.cc.fsu.edu>, nall@nu.cs.fsu.edu (John Nall) writes:
>
> 1. KNOWLEDGEABLE PEOPLE KNOW HOW TO BREAK IT ANYWAY.
> 2. YOU CAN BUY THE SOURCE BUT NOT GET ANY DOCUMENTATION.
> 3. THE BOOK SAYS YOU CAN MAKE A LIMITED NUMBER OF COPIES FOR FRIENDS.
>
> The first one has interesting implications ("Dear Mr. Bank President: Let
> me explain to you why you should publish the combination to your vault...")
> but I don't buy it.

This is an unfair analogy. What if said president left the vault out on the
street, with no rear wall. Is it worth his time to mess around with
combinations? The point here, is it's not that hard to leave out the /usr
disk, and get a shell. I could give you quite a few references to good
articles on some security mailing lists of the form "Security by Obscurity
is no solution."

Furthermore, when Andy gave a lecture at Computer Literacy here, in
Sunnyvale (I wasn't there - this is second-hand), someone asked why the
*only* documentation on the "disks-only" package, was a little note about
three inches by four inches, stuck to the boot disk. Andy smiled, and
replied that he wanted to sell books (any comment, Andy??). I'm not
criticizing that perspective, I think it's rather amusing. However,
parlaying that into "secret password fascism" is something else. While I
can't speak for Mr Tanenbaum, I'm sure that wasn't his intention.

> On the second one: Really? Places sell the source, but do not have any
> documentation? I know a place like that in Miami, which sells MicroSoft C
> for $20 if you bring your own disks. Are these authorized dealers? If so,
> please enlighten the rest of us with names, address, prices. Perhaps it
> offers an alternative to P-H.

In point of fact, P-H does (or at least used to) sell the disks only. When
I first heard of Minix, the ad said buy the disks by themselves for ~$80.00
or with an "OS" book for ~$120. Seeing as I have an overabundance of OS
books, and one more might result in a divorce, I sent an official PO from
my client at the time, to Prentice Hall. I received a parcel from P-H (not
some fly-by-night disk-copy place), which had nothing more than nine disks
in a cute plastic box. That's it! At the time, I didn't know Comp-Lit were
selling the package and the book, and was thus infuriated by the idea of
waiting another three-four weeks for the book, so I donned my hacker's
hat...

> The third one is not a bad argument, but why not get the password and other
> information from the person from whom you received the software? It would
> seem to me this is the very privilege we want to keep from being abused.

I think the argument here, is that copy-protection (or in this case,
password/copy-protection) is rather misplaced, on a product that has such a
refreshing view of the end-user market.

> (But out of curiosity -- where are the people who got
> after me when I sent out the password???)
>
> John Nall

I would suggest that you dig through your mail archives, find their names,
and send them "mail from Hell". Feel free to quote me.

- Der
--
dtynan@altos86.Altos.COM (408) 946-6700 x4237
Dermot Tynan, Altos Computer Systems, San Jose, CA 95134
"Far and few, far and few, are the lands where the Jumblies live..."