Xref: utzoo comp.unix.questions:22700 alt.security:764
Path: utzoo!mnetor!geac!torsqnt!hybrid!robohack!woods
From: woods@robohack.UUCP (Greg A. Woods)
Newsgroups: comp.unix.questions,alt.security
Subject: Re: How secure is UNIX?
Summary: quite, within its defined limits...
Keywords: Security, ftp
Message-ID: <1990Jun6.135936.18109@robohack.UUCP>
Date: 6 Jun 90 13:59:36 GMT
References: <100928@<1990May23> <9000030@m.cs.uiuc.edu> <1990May28.102235.10021@agate.berkeley.edu> <6365@amelia.nas.nasa.gov> <1990May29.022854.22733@smsc.sony.com> <6368@amelia.nas.nasa.gov> <36584@ucbvax.BERKELEY.EDU> <1990Jun4.102422.12896@agate.berke <1752@necis
Organization: R. H. Lathwell Associates: Elegant Communications, Inc.
Lines: 80

In article <1990Jun5.152004.15873@agate.berkeley.edu> dankg@volcano.Berkeley.EDU (Dan KoGai) writes:
> Unix is at very least insecure enough to make me sleep in nightmare.
> I got several mails and some of them are raped even harder. And this applies
> to computer in general--My Mac is infected by virus 4 times (but last 2 was
> not serious at all, thanx to Disinfectant).

Your first sentence is wrong, as I will attempt to show. I don't quite
understand your second sentence. As to your final point however, you
should realize the susceptibility of a PC (any PC, or home computer,
including Apple's Macintosh) to a virus is several orders of magnitude
greater than the average UNIX system.

Certainly a true UNIX virus is possible, and given the sloppiness of
the average vendor these days, one could easily get out. However, I'd
suggest that it would be rare that such a virus would be contagious.
Binaries just aren't often moved or shared between UNIX systems, and
the software distribution hierarchy is entirely different. This is
changing with the increasing use of workstations on networks
though...and you can't really blame the network for this "flaw".

> I do not think my accounts were nuked due to network flaw: Very
> unfortunately, there are several cracker activities reported to be originated
> at OCF. And my password was secure enough for your standard, the string as
> complicated as intercal syntax!

I don't know how your site is related to OCF, but if they share a
network cable, then yes, you can indeed blame the network....

> It's not that hard today to obtain a UNIX account. And if you can
> crack one site, it's likely the site includes users with other remote accounts,
> which is exactly my case, and crack others--chain reaction also appeared in
> "Cuckoo's Egg". I don't like NORAD-like security but very unfortunately human
> nature is evil and it takes evil to secure from evil.

Yes, but first you'll have to crack the passwords of the people at the
"breached" site. Then you'll have to hope they use the same passwords
on the target sites. Then you repeat the loop. Fortunately it is
likely you'll be discovered before the second iteration, since there
is still a significant lag required to break the passwords the hard
way. (You'll also have to get through any "external" security the
target sites may have, such as call-back or dialup passwords.)

Again, the network makes this so much easier!

> In article <1752@necisa.ho.necisa.oz> boyd@necisa.ho.necisa.oz (Boyd Roberts) writes:
> >The bottom line is that password security works. Most systems aren't broken
> >into. The ones that are broken are usually compromised by some sloppy
> >(ie. networking) utility or a flawed UNIX port.
>
> But it's far more common than your wallet is stolen. Look, I'm not
> the only victim and I heard of many cases on this Berkeley alone. And UNIX
> is still not common enough to attract people's attention--Internet virus
> case and Cuckoo's Egg case attracted people because it was military security
> related, not because of fame of UNIX. I think I have seen too many cases
> of insecurity considering still small size of UNIX community. And this will
> get but more serious as UNIX gains its popularity. We'd better be prepared
> before it gets even messier.

Berkeley is on a network. If it were possible that the network be
secure, or not exist, the breakins would be as common as those to Fort
Knox. Most breaches of commercial UNIX systems are due entirely to
sloppy, or non-existent, system administration.

What does the "fame" of UNIX have to do with anything? Do you think it
will be a more common target if it becomes more famous? I doubt
anything would raise the ratio of UNIX breakins to those of other
types of systems. I would imagine the ratio is already quite high.
UNIX is already quite famous in the cracker community.

UNIX is fundamentally quite "secure" (in the common definition). It
does not, however, have mandatory security by default. UNIX makes it
easy for you to disable any security features, sometimes by accident.

Networks are fundamentally quite insecure. They are designed to
provide open and easy access to "remote" resources.
--
Greg A. Woods
woods@{robohack,gate,eci386,tmsoft,ontmoh}.UUCP
+1 416 443-1734 [h] +1 416 595-5425 [w] VE3-TCP Toronto, Ontario; CANADA