Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site kobold.UUCP
Path: utzoo!linus!security!genrad!grkermit!masscomp!kobold!tjt
From: tjt@kobold.UUCP (T.J.Teixeira)
Newsgroups: net.unix-wizards
Subject: Re: A Program To Allow ANYONE... (Not again!)
Message-ID: <201@kobold.UUCP>
Date: Fri, 25-Nov-83 09:32:49 EST
Article-I.D.: kobold.201
Posted: Fri Nov 25 09:32:49 1983
Date-Received: Sat, 26-Nov-83 06:23:15 EST
References: <527@sbcs.UUCP> <156@cae780.UUCP>
Organization: Masscomp, Westford, MA
Lines: 29

I don't see any substantial difference between posting a program to
read device queues to the network and including a paper on cracking
passwords in the system documentation (Robert Morris, Ken Thompson,
"Password Security: A Case History" in Volume 2B of the Seventh Edition
UNIX Programmer's Manual).

Perry's style of presentation is certainly flamboyant, to say the
least. If you filter out this flamboyancy, his article simply states:

An accessible kmem is non-secure. If you wanted to pretend your system
has "security through obscurity", you will now have to take positive
steps to fix your system. You should have done this a year ago the last
time a crack program was posted.

AT&T systems are configured this way (non-readable /dev/kmem) by
default, at least in System III and System V. I haven't looked closely
at our 4.2BSD tape, but if /dev/kmem and /dev/mem are readable on the
4.2BSD distribution tape, Perry is right: this should be fixed.

Perry also seems to be right in that it requires something as
sensationalistic as posting a cracking program to cause administrators
to change their systems and to get Berkeley to change their
distribution.

A list of programs which need to be changed can be found in the article
<13795@sri-arpa.UUCP> from Jay Leprau .

--
Tom Teixeira, Massachusetts Computer Corporation. Westford MA
...!{ihnp4,harpo,decvax,ucbcad,tektronix}!masscomp!tjt (617) 692-6200
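
Added example, not part of the original post: a POSIX shell check for the condition the post describes, memory device nodes such as /dev/kmem and /dev/mem left accessible to every user. The function names and the state labels are hypothetical, chosen for this example.

```shell
# Added example: audit memory device nodes for world access.
# check_mem_node and audit_mem_nodes are hypothetical names.

# check_mem_node PATH
# Prints one of: missing | world-writable | world-readable | restricted
check_mem_node() {
    node=$1
    if [ ! -e "$node" ]; then
        echo missing
        return 0
    fi
    # find -perm -MODE matches only when every bit in MODE is set.
    # -L resolves a symlink so the target's mode is what gets tested.
    if [ -n "$(find -L "$node" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo world-writable
    elif [ -n "$(find -L "$node" -prune -perm -0004 -print 2>/dev/null)" ]; then
        echo world-readable
    else
        echo restricted
    fi
}

# audit_mem_nodes PATH...
# Prints one line per node; the exit status is the number of nodes
# that any user on the system can read or write.
audit_mem_nodes() {
    bad=0
    for n in "$@"; do
        state=$(check_mem_node "$n")
        printf '%-12s %s\n' "$n" "$state"
        case $state in
            world-*) bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Typical call on a live system:
#   audit_mem_nodes /dev/kmem /dev/mem
```

A non-zero exit status means at least one node still needs its "other" permission bits removed; programs that legitimately read kernel memory then have to be changed to obtain access some other way, which is the list of programs the post refers to.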