Path: utzoo!attcan!uunet!lll-winken!ames!pasteur!agate!bionet!csd4.milw.wisc.edu!mailrus!purdue!bu-cs!mirror!ima!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX security and passwords
Message-ID: <14@minya.UUCP>
Date: 16 Jan 89 13:06:49 GMT
References: <23731@pprg.unm.edu>
Organization: (none)
Lines: 42

In article <23731@pprg.unm.edu>, kurt@pprg.unm.edu (Kurt Zeilenga) writes:
> Until we educate our SYSTEM ADMINS what the hell is the point of
> educating our USERS!

Once again, it is pertinent to point out that we haven't been failing to
educate our system admins; rather we have been intentionally keeping them
ignorant. Over and over, people say "If I tell the world about this
security problem I just found, then all the Evil Hackers will read it and
attack your systems, so I won't tell you." The effect is to keep the
problems secret from system admins and software developers, so they never
learn how to protect themselves.

I've written lots of code, some of which may be incorporated into the
system you're now using. I'm sure that I've built in lots of security
problems, out of ignorance. As long as you turkeys keep me ignorant, I
will continue to do this. Security problems are often subtle, and it is
totally unreasonable of you to expect me to figure them out all by myself.
If I am to build better code, you have to tell me where the problems are.

I've also been system admin for lots of machines, and exactly the same
argument applies. For a simple example, I've demonstrated for lots of
other Unix administrators why they shouldn't have a blank line in their
/etc/passwd file. Why the #@$^% aren't problems like this clearly and
readably documented in the manuals that come with Unix systems? I don't
mean just a vague, unspecific warning that /etc/passwd shouldn't contain
blank lines. That would pass right by almost everyone. There should be an
explicit example showing how to exploit this bug.

True, many system admins would still not protect their systems. Sometimes
it's not a concern. (After all, look at all the MS/DOS systems out there,
despite its total lack of security. :-) But many would, if only someone
would warn them of the problems.

--
John Chambers <{adelie,ima,mit-eddie}!minya!{jc,root}> (617/484-6393)

[Any errors in the above are due to failures in the logic of the keyboard,
not in the fingers that did the typing.]