Xref: utzoo news.sysadmin:1328 comp.unix.wizards:12298
Path: utzoo!attcan!uunet!husc6!bloom-beacon!tut.cis.ohio-state.edu!osu-cis!att!cuuxb!dlm
From: dlm@cuuxb.ATT.COM (Dennis L. Mumaugh)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: How to stop future viruses.
Summary: Change of work
Message-ID: <2182@cuuxb.ATT.COM>
Date: 10 Nov 88 18:47:56 GMT
References: <16722@agate.BERKELEY.EDU> <2178@cuuxb.ATT.COM> <16768@agate.BERKELEY.EDU> <17828@glacier.STANFORD.EDU>
Reply-To: dlm@cuuxb.UUCP (Dennis L. Mumaugh)
Organization: ATT Data Systems Group, Lisle, Ill.
Lines: 29

In article <17828@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
> Bear in mind that Dennis Mumaugh works for NSA. He's telling us
>that the UNIX password encryption system is fundamentally insecure. Pay
>attention, people.
>
> John Nagle

John is a bit out of date: I used to work for NSA. I changed
employment in 1984 and I now work for ATT, Data Systems Group, in
their top tier UNIX System software support group. Hence my
knowledge on UNIX security can be out of date with respect to the
US Government. Also much of the tiger team was done in 1976 and
my security work was done in 1978-81 and then some later in 1983.

As far as the ATT UNIX System V I am not authorized to comment on
security aspects except to mention that System V Release 3.2 does
use shadow passwords so brute force decryption is possible only
through administrator error. 3.2 also prevents shells being
executed by setuid programs (e.g. using the system(3) feature).

When I WAS working for NSA we started re-engineering the password
system to allow pass phrases and a rather strict censor for
determining whether a pass-phrase would be accepted. Even the
current System V does have some criteria and it also does
password ageing.

BUT most Berkeley derived systems haven't kept pace.
--
=Dennis L. Mumaugh
 Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com