Xref: utzoo comp.unix.questions:22643 alt.security:744
Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!umich!yale!cs.utexas.edu!uwm.edu!bionet!agate!tornado.Berkeley.EDU!dankg
From: dankg@tornado.Berkeley.EDU (Dan KoGai)
Newsgroups: comp.unix.questions,alt.security
Subject: Re: How secure is UNIX?
Summary: As secure as multitasking in MS-DOS
Keywords: Security, ftp
Message-ID: <1990Jun4.102422.12896@agate.berkeley.edu>
Date: 4 Jun 90 10:24:22 GMT
References: <100928@<1990May23> <9000030@m.cs.uiuc.edu> <1990May28.102235.10021@agate.berkeley.edu> <6365@amelia.nas.nasa.gov> <1990May29.022854.22733@smsc.sony.com> <6368@amelia.nas.nasa.gov> <36584@ucbvax.BERKELEY.EDU>
Sender: usenet@agate.berkeley.edu (USENET Administrator;;;;ZU44)
Reply-To: dankg@tornado.Berkeley.EDU (Dan KoGai)
Organization: ucb
Lines: 37

In article <36584@ucbvax.BERKELEY.EDU> lauther@janus.Berkeley.EDU.UUCP (Ulrich Lauther) writes:
>In article <6368@amelia.nas.nasa.gov> samlb@pioneer.arc.nasa.gov.UUCP (Sam Bassett RCS) writes:
>>
>> I agree -- the documentation should be more straightforward about
>>the dangers of the .netrc, and for d**n sure, whoever is teaching kids
>
>I just wonder why the same technique is not used with .netrc as with
>/etc/passwd: have the file readable, but sensitive parts encrypted?

I don't think so: I don't think /etc/passwd was a good idea. It's encrypted. So what? That means you can take the time to feed random strings to the encryptor, which is available, and then find the matching string. Maybe you can feed it from a dictionary file; people's names make good candidates, since considerably many people choose their password from their (boy|girl)friends' or spouses' names. What I don't understand is that my password is not the kind of string found in a dictionary, but it's still feasible to use "power" rather than "tech" to break security in UNIX. I admit my .netrc was not a good idea.

But still I think it's possible for that moron to kill at least the OCF account: some others suggested that some versions of UNIX have a serious problem in user switching. One of my friends witnessed that he was accidentally su'd to somebody else. At the very least, finger info and the passwd file must be separated. If possible, it might be a good idea to hard-code the security part of UNIX, that is, implement security in hardware rather than software. On the current system, encrypted or not, precious password info is visible. How about the ATM card way (I don't think it's a valid idea--how about dialin?)--no one but the card knows your password. There remains the problem in case of loss of cards or "keys", but it's at the very least far more secure than the current UNIX implementation of passwords.

----------------
Dan The "Raped" Man
E-mail: dankg@ocf.berkeley.edu
Voice: +1 415-549-6111
USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
"What's the biggest U.S. export to Japan?"
"Bullshit. It makes the best fertilizer for their rice"
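The separation the post asks for (password hashes kept out of the world-readable passwd file, and .netrc not readable by others) is what an admin would audit for; the following is an added example, not code from the original post, and the passwd lines it parses are constructed sample data with a hypothetical user and a made-up hash.

```python
"""Audit check for the issue in the thread: a readable /etc/passwd that still
carries password hashes, plus the permission ftp expects on ~/.netrc.
Added example; not part of the original post."""
import re
import stat

# Constructed sample in passwd(5) format: shadowed, locked, exposed, empty.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dankg:abJnggxhB/yWI:1001:1001:Dan KoGai:/home/dankg:/bin/csh
guest::1002:1002:Guest:/home/guest:/bin/sh
svc:!:1003:1003:Service:/nonexistent:/usr/sbin/nologin
"""

# Password-field values meaning "hash lives elsewhere or account is locked".
_PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*"}
# Traditional 13-char DES crypt(3) hash or a modular-crypt ($id$...) hash.
_HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def classify_entry(line):
    """Return (user, status); status is 'shadowed', 'locked', 'empty',
    'hash' (hash exposed to every local reader) or 'unknown'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty"          # no password at all
    if pw == "x":
        return user, "shadowed"       # real hash is in the shadow file
    if pw in _PLACEHOLDERS or pw[0] in "!*":
        return user, "locked"         # cannot be matched by crypt()
    if _HASH_RE.match(pw):
        return user, "hash"           # offline-guessable by any local user
    return user, "unknown"


def find_exposed(passwd_text):
    """Usernames whose hash (or missing password) is visible in passwd."""
    entries = (classify_entry(l) for l in passwd_text.splitlines() if l.strip())
    return [user for user, status in entries if status in ("hash", "empty")]


def netrc_is_private(mode):
    """True if a .netrc st_mode grants no group/other access; ftp refuses
    a .netrc holding passwords unless it is private to the owner."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```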