UNIX security and passwords

John Chambers jc at minya.UUCP
Mon Jan 16 23:06:49 AEST 1989


In article <23731 at pprg.unm.edu>, kurt at pprg.unm.edu (Kurt Zeilenga) writes:

> Until we educate our SYSTEM ADMINS what the hell is the point of
> educating our USERS!

Once again, it is pertinent to point out that we haven't been failing
to educate our system admins; rather we have been intentionally keeping
them ignorant.

Over and over, people say "If I tell the world about this security
problem I just found, then all the Evil Hackers will read it and
attack your systems, so I won't tell you."  The effect is to keep
the problems secret from system admins and software developers, so
they never learn how to protect themselves.

I've written lots of code, some of which may be incorporated into the
system you're now using.  I'm sure that I've built in lots of security
problems, out of ignorance.  As long as you turkeys keep me ignorant,
I will continue to do this.  Security problems are often subtle, and
it is totally unreasonable of you to expect me to figure them out all
by myself.  If I am to build better code, you have to tell me where
the problems are.

I've also been system admin for lots of machines, and exactly the same
argument applies.  For a simple example, I've demonstrated for lots of
other Unix administrators why they shouldn't have a blank line in their
/etc/passwd file.  Why the #@$^% aren't problems like this clearly and
readably documented in the manuals that come with Unix systems?  I don't
mean just a vague, unspecific warning that /etc/passwd shouldn't contain
blank lines.  That would pass right by almost everyone.  There should be
an explicit example showing how to exploit this bug.

True, many system admins would still not protect their systems.  Sometimes
it's not a concern.  (After all, look at all the MS/DOS systems out there,
despite its total lack of security.  :-)  But many would, if only someone
would warn them of the problems.

-- 
John Chambers <{adelie,ima,mit-eddie}!minya!{jc,root}> (617/484-6393)

[Any errors in the above are due to failures in the logic of the keyboard,
not in the fingers that did the typing.]
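A check an administrator could run for the blank-line problem the post mentions, as an added example that is not part of the original post. It assumes the classic seven-field colon-separated passwd format and goes beyond the one case named in the post by also flagging wrong field counts, empty login names, empty password fields, non-numeric IDs and extra UID 0 accounts; the sample data is constructed.

```python
#!/usr/bin/env python3
"""Audit a passwd-format file for blank lines and malformed entries."""
import sys

FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell (assumed classic format)

# Constructed sample input, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/:/usr/sbin/nologin

jc:x:1000:1000:J C:/home/jc:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:alt root:/root:/bin/sh
broken:x:abc
"""

def audit_passwd(text):
    """Return a list of (line_number, problem) tuples for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Blank or whitespace-only lines are the case the post warns about.
        if line.strip() == "":
            findings.append((lineno, "blank line"))
            continue
        parts = line.split(":")
        # Comment lines are not part of the classic format; they land here too.
        if len(parts) != FIELDS:
            findings.append((lineno, f"expected {FIELDS} fields, found {len(parts)}"))
            continue
        name, passwd, uid, gid = parts[:4]
        if not name:
            findings.append((lineno, "empty login name"))
        if passwd == "":
            findings.append((lineno, "empty password field"))
        if not uid.isdigit():
            findings.append((lineno, "non-numeric UID"))
        elif int(uid) == 0 and name != "root":
            findings.append((lineno, "UID 0 on non-root account"))
        if not gid.isdigit():
            findings.append((lineno, "non-numeric GID"))
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8", errors="replace") as fh:
        results = audit_passwd(fh.read())
    for lineno, problem in results:
        print(f"{path}:{lineno}: {problem}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can be dropped into a cron job or a configuration-management check.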


