Xref: utzoo news.sysadmin:1297 comp.unix.wizards:12278
Path: utzoo!utgpu!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!udel!rochester!rutgers!mit-eddie!bu-cs!purdue!decwrl!labrea!glacier!jbn
From: jbn@glacier.STANFORD.EDU (John B. Nagle)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: How to stop future viruses.
Message-ID: <17828@glacier.STANFORD.EDU>
Date: 10 Nov 88 03:32:44 GMT
References: <16722@agate.BERKELEY.EDU> <2178@cuuxb.ATT.COM> <16768@agate.BERKELEY.EDU>
Reply-To: jbn@glacier.UUCP (John B. Nagle)
Followup-To: news.sysadmin
Organization: Stanford University
Lines: 21

In article <16768@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes:
>In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes:
>Firstly, there is no way that a virus would beam all passwords to
>one central computer to be processed there.

     No reason that can't be done.  Richey did it that way.

>Secondly, your approach will no longer work with the advent of the
>salt, the 12 random bits stored in the clear with the encrypted
>password.  You would have to encrypt the dictionary 4096 times, or be
>content with cracking a much smaller portion of the password file.  It
>would be good to expand the salt to 36 bits, just to make sure that you
>can't preencrypt even a small dictionary.

     It's not clear that the "salt" trick helps all that much.

     Bear in mind that Dennis Mumaugh works for NSA.  He's telling us
that the UNIX password encryption system is fundamentally insecure.
Pay attention, people.

					John Nagle
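Greg's point about the 12-bit salt, as an added example that is not part of the original thread: a toy stand-in for crypt(3) (SHA-256 over salt plus password, an assumption, not the real DES-based scheme) shows that a table precomputed under one salt value does not match a hash stored under another, so covering a dictionary for every user costs 2^salt_bits times the unsalted work. The word list is constructed.

```python
import hashlib


def toy_crypt(password: str, salt: int, salt_bits: int = 12) -> str:
    """Toy stand-in for crypt(3): hash salt || password. Not the real DES
    scheme; it only models the property that the salt changes the digest."""
    assert 0 <= salt < (1 << salt_bits), "salt must fit in salt_bits"
    data = salt.to_bytes(8, "big") + password.encode()
    return hashlib.sha256(data).hexdigest()


def precomputed_table(words, salt_bits: int = 12, salts=None) -> dict:
    """Map (salt, digest) -> word for the given salt values.
    salts=None covers every possible salt, i.e. the dictionary is
    'encrypted 4096 times' for a 12-bit salt."""
    if salts is None:
        salts = range(1 << salt_bits)
    return {(s, toy_crypt(w, s, salt_bits)): w for s in salts for w in words}


def table_entries(dictionary_size: int, salt_bits: int) -> int:
    """Digests needed to cover a dictionary under every salt value:
    the unsalted table size multiplied by 2^salt_bits."""
    return dictionary_size << salt_bits


def lookup(table: dict, salt: int, stored_digest: str):
    """Return the word behind a stored (salt, digest) pair if the table
    covers that salt, else None."""
    return table.get((salt, stored_digest))


if __name__ == "__main__":
    words = ["password", "secret", "letmein"]      # constructed word list
    stored = toy_crypt("secret", salt=7)           # one user's stored hash
    one_salt = precomputed_table(words, salts=[0]) # table built for salt 0 only
    print("salt 0 table hit:", lookup(one_salt, 7, stored))   # None
    every_salt = precomputed_table(words)          # all 4096 salts
    print("full table hit:", lookup(every_salt, 7, stored))   # secret
    print("entries, 12-bit salt:", table_entries(len(words), 12))
    print("entries, 36-bit salt:", table_entries(len(words), 36))
```

The work factor is multiplicative, which is why the 36-bit proposal matters: the same three-word list needs 2^36 times as many digests to cover all salts.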