From owner-freebsd-hackers Sun Dec 15 15:30:50 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA14628 for hackers-outgoing; Sun, 15 Dec 1996 15:30:50 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA14623; Sun, 15 Dec 1996 15:30:47 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id QAA00303; Sun, 15 Dec 1996 16:25:42 -0700
From: Terry Lambert
Message-Id: <199612152325.QAA00303@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: dreamer@garrison.inetcan.net (Digital Dreamer)
Date: Sun, 15 Dec 1996 16:25:42 -0700 (MST)
Cc: terry@lambert.org, rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: from "Digital Dreamer" at Dec 15, 96 05:10:04 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>
> Just my opinion about anal passwd programs...
>
> The idea, from what I understand, is to act as if you don't have shadow
> passwords, and therefore not rely on them. Security through obscurity
> and all that.
>
> For example, let's say someone breaks root on your machine. Ok, you're
> in a lot of trouble. But let's attempt to minimize the damage by not
> giving them 6e12 accounts to log on as in the future when/if they're
> discovered by handing over the passwords for them on a silver plate. It
> takes a lot longer to get all your users to change passwords than it
> takes to fix a backdoored /bin/login.

A backdoored /bin/login can be nothing more than a program that mails
account/password pairs.

Be that as it may, by logical extension, we should act as if we didn't
have passwords, and therefore not rely on them.

Didn't know you were a radical Stallmanite... 8-) 8-).

The reductio-ad-absurdum of this is wondering if someone has bribed the
person who digs the rocks that are used to manufacture the nitric acid
that is used for soaking the gun cotton at the ammunition plant that
supplies the bullets to the Government you got your Marine guards from
so their guns don't go off when the person who did the bribing comes to
break in to the 10M drive on your PC-XT.

You could also worry that someone would fake an accident so that while
delivering the pick to the store where the guy who digs the rocks'
boss's purchasing agent got his pick, they could substitute a different
pick so that the rocks it was used on would fail to make good nitric
acid.

Not to mention the guy who planted the tree 120 years ago, which was
milled into the handle for that pick... after all, this could be a
wide-ranging conspiracy which has been in planning for centuries.

...like they wouldn't just send masked ninjas to get your disk. 8-P.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.