Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!udel!princeton!njin!rutgers!cmcl2!adm!smoke!gwyn
From: gwyn@smoke.brl.mil (Doug Gwyn)
Newsgroups: comp.unix.wizards
Subject: Re: new password idea
Message-ID: <15990@smoke.brl.mil>
Date: 26 Apr 91 21:18:20 GMT
References: <1991Apr24.004539.3881@mp.cs.niu.edu> <14655@ulysses.att.com> <1991Apr26.171549.10502@escom.com>
Organization: U.S. Army Ballistic Research Laboratory (BRL), APG, MD.
Lines: 15

In article <1991Apr26.171549.10502@escom.com>, al@escom.com (Al Donaldson) writes:
> After a small number of tries (less than 10), it made me root.

Then there was the (Sixth Edition?) bug which would allow one to log in
as the superuser merely by typing 100 zeroes at the password prompt.
(Lack of a buffer overflow check.)

I must by now have seen around a hundred distinct security loopholes in
various UNIX implementations.  I don't conclude that UNIX has more
problems in this regard than do other operating systems, however; I have
much more experience with UNIX security, and whenever I've looked for
ways to break into other operating systems I've found them.

I don't know what the solution to this category of problem is.  None of
the proposed security methodologies strikes me as quite right.
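The "100 zeroes" bug above is described only by its symptom: an unchecked read at the password prompt lets a long input overwrite whatever the typed password is compared against. The C below is an added illustration of that failure mode, not the Sixth Edition login source and not code from this thread. Its memory layout (the typed-password buffer sitting directly in front of the stored secret), the 8-character comparison, the stand-in secret "s3cret" and the skipping of crypt() are all assumptions chosen to reproduce the symptom deterministically; the fixed version shows the length check that was missing.

```c
/* Added illustration: an unchecked password read overwriting the value it
 * is compared against.  Not the V6 login source; the struct layout, the
 * 8-character compare and the plaintext secret are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PWLEN  8          /* classic UNIX compared only the first 8 chars */
#define SECRET "s3cret"   /* constructed stand-in for the passwd entry   */

struct login_state {
    char typed[16];       /* what the user typed at the prompt      */
    char expected[96];    /* secret loaded from the password file   */
};

static void load_entry(struct login_state *st)
{
    memset(st, 0, sizeof *st);
    strcpy(st->expected, SECRET);        /* fits: strlen(SECRET) < 96 */
}

/* No bounds check: copies the whole input, terminator included, starting
 * at st->typed.  A long input runs straight on into st->expected, which
 * lives right behind it, so both buffers end up holding the same bytes
 * and the comparison succeeds for ANY sufficiently long input. */
int vulnerable_login(const char *input)
{
    struct login_state st;
    size_t n = strlen(input) + 1;
    load_entry(&st);
    if (n > sizeof st)                   /* keep the demo inside the struct;
                                            a real program would keep going */
        return -1;
    memcpy((char *)&st + offsetof(struct login_state, typed), input, n);
    return strncmp(st.typed, st.expected, PWLEN) == 0;
}

/* Hardened: refuse anything that does not fit the typed buffer before
 * touching memory, then copy with an explicit bound.  Rejecting rather
 * than silently truncating keeps "typed" and "expected" independent. */
int fixed_login(const char *input)
{
    struct login_state st;
    size_t n = strlen(input);
    load_entry(&st);
    if (n >= sizeof st.typed)            /* too long: reject outright */
        return 0;
    memcpy(st.typed, input, n + 1);
    return strncmp(st.typed, st.expected, PWLEN) == 0;
}

/* The input from the anecdote: 100 ASCII zeroes, NUL-terminated. */
const char *hundred_zeroes(void)
{
    static char z[101];
    memset(z, '0', 100);
    z[100] = '\0';
    return z;
}

int main(void)
{
    printf("vulnerable, correct password : %d\n", vulnerable_login(SECRET));
    printf("vulnerable, wrong password   : %d\n", vulnerable_login("wrong"));
    printf("vulnerable, 100 zeroes       : %d\n", vulnerable_login(hundred_zeroes()));
    printf("fixed, correct password      : %d\n", fixed_login(SECRET));
    printf("fixed, 100 zeroes            : %d\n", fixed_login(hundred_zeroes()));
    return 0;
}
```

The vulnerable routine accepts "s3cret" and also accepts the 100 zeroes, because after the unchecked copy the first PWLEN bytes of `typed` and `expected` are identical; the fixed routine still accepts the real password and rejects the long input before it can reach `expected`. The check belongs before the copy, on the input length against the destination size, which is the one line the anecdote says was missing.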