Path: utzoo!attcan!uunet!samsung!usc!ucsd!ucbvax!world.std.com!bzs
From: bzs@world.std.com (Barry Shein)
Newsgroups: comp.protocols.tcp-ip
Subject: anonymous ftp, and the dangers thereof
Message-ID: <9006070151.AA03928@world.std.com>
Date: 7 Jun 90 01:51:22 GMT
References: <789@sixhub.UUCP>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 55

> I don't know that I have any objections to shadow password. Why give
>the show away? It's like having L.sys or Systems world readable. I
>accept that I can't keep the encryption a secret, so why give the
>encrypted passwords away. I don't see what this has to do with
>security-through-obscurity here.

The objection to shadow password files is that it's an admission that
hiding the file contents is critical to the entire system's security
(if not, why hide them?)

Don't argue that it merely "improves" the existent security, fine, you
obviously decide for yourself so you can believe whatever you like.
Multiplicative probabilities aren't compelling arguments.

If for any reason you suspect that someone has obtained a copy of that
file you have to accept that your system's security has been broached.

You have to view this more in the light of a person with authority
coming to you, asking you what your security relies on, and deciding
that it's critical you now prove that no one has ever walked out of
your center with a copy of the shadow password file, a dump tape, etc.
You've opened yourself up to that (valid) criticism.

The original scheme, keeping it publicly readable, removed a target
for attack (capturing the mere contents.) It relied on good encryption
and good password management. Where either or both of those is lacking
the method is not sufficient.

My tendency would be to improve the encryption methods and password
management and leave it publicly readable.

For better encryption, I've suggested schemes, such as per-site
perturbation of the algorithms. At least that makes it (nearly)
impossible for someone to walk away with a copy of your password file
and crack it on another system.

For password management, password-changers that are continuously being
improved (sources are critical!) to disallow "simple" passwords, and
of course education. If you don't educate users then what's the point?
They'll just hand their passwords out or write them on their white
boards, etc.

L.sys is a problem, but less so because most uucp connections only
allow mail and/or news transport even if someone uses it to break in.
I'm not making light of that, but they really don't get a lot more
with that password file than anyone has who telnets to an SMTP port
(without any password.) Obviously if it's broached passwords must be
changed, but the potential for real damage via uucp logins is fairly
limited.

        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD