Re: Plain truth is that unix/linux is NOT secure!
- From: Kilgallen@xxxxxxxxxxx (Larry Kilgallen)
- Date: 24 Feb 2006 14:26:27 -0600
In article <46957dFa07h8U1@xxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <0Vlnvu2C1VEY@xxxxxxxxxxxxxxxxxxxxxxxx>,
Kilgallen@xxxxxxxxxxx (Larry Kilgallen) writes:
So I gather no Unix has a callable entrypoint to set the password.
If you mean an entry point in the kernel, of course not. It's not a
kernel function. The password is contained in a file, you change a
password by changing the entry in the file. Thus, there is nothing
to stop a sysadmin from writing his own password changing program
implementing whatever additional policies he sees fit. It's part of
the flexibility of the Unix paradigm. :-)
AU-2 of 800-53 does allow the organization the flexibility to choose
what is an auditable event, but expecting local password change programs
to do their own file access greatly increases the chance they will fail
to do the auditing, just as they will likely fail to honor the password
history, etc.
word history you wanted. But, like most things, if no one wants it
no one is going to put forth the effort to implement it.
Well, the US Government wants it. Search for "password reuse" in
And yet while NSA spent all that time and research securing Linux
they never even bothered doing something as trivial as password
history. Go figure.
I did not realize you were such a Linux fan, but my interpretation of
their Secure Linux effort was that they saw Linux security was so far
behind other operating systems that they had to do something.
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
FIPS 200 is scheduled to make that mandatory for all federal systems
when signed by the Secretary of Commerce later this month, implementing
the 2002 Federal Information Security Management Act (FISMA).
And we all know what "mandatory" means in government.
The public draft of FIPS 200 says:
11. Waivers.
No provision is provided under FISMA for waivers to the
Federal Information Processing Standards made mandatory
by the Secretary of Commerce.
Just out of curiosity, define for me what you consider a proper password
history scheme. Maybe I'll implement it in my spare time and
release it to the world. Then we can watch and see if anyone really
cares. :-)
A proper password history scheme handles users who try to overload
the history space with some method other than minimum password lifetimes.
The Microsoft approach of minimum password lifetimes leaves one open
to an attack whereby a user is observed changing their password and
upon discovering they were observed is unable to change the password
again until the minimum lifetime has expired.
How about one that lets you change your password as many times
as you want whenever you want but keeps track of the last time
you used a certain password and won't let you reuse it for either
a certain calendar period or possibly forever. Include in this
the usual variant checking. The biggest drawback to this is the
space to save all the old passwords, but that's not much of a
drawback today.
Counting on the inability of a rulebreaker to mount a massive effort
(to include automating it) is not wise. That is the whole issue
being discussed - how to prevent such an attack without using infinite
storage. Even Microsoft understands the bit about infinite storage.
By the way, the solution to your theoretical danger above is called
the sysadmin who can either change your password or allow you to
change it if a threat is identified.
That certainly counts on the attacker being slow to exploit their
knowledge.
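The timestamp-based scheme proposed in the quoted text, as an added example that is code from neither poster: each distinct password is kept only as a salted hash together with the time it was last in use, reuse (or a simple variant) is refused until the retention period has elapsed since that time, and the record list grows with every distinct password, which is the storage cost raised in reply. The retention length, the variant rules and the PBKDF2 parameters are assumptions.

```python
import hashlib
import os
from typing import List, Optional

RETENTION_SECONDS = 180 * 24 * 3600  # assumed 180-day reuse ban

def _digest(password: str, salt: bytes) -> bytes:
    # Only salted hashes are kept; the iteration count is low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _variants(password: str) -> List[str]:
    # Assumed "usual variant checking": case changes and a stripped
    # trailing digit. Old passwords exist only as hashes, so variants of
    # the candidate are hashed and compared against the stored digests.
    forms = {password, password.lower(), password.upper(),
             password.capitalize(), password.rstrip("0123456789")}
    return sorted(forms)

class PasswordHistory:
    def __init__(self, retention: int = RETENTION_SECONDS) -> None:
        self.retention = retention
        # One record per distinct password ever set: [salt, digest, last_used].
        # The list never shrinks, which is the storage cost under discussion.
        self.entries: List[list] = []
        self.current: Optional[int] = None

    def _find(self, password: str) -> Optional[int]:
        for i, (salt, digest, _) in enumerate(self.entries):
            if any(_digest(f, salt) == digest for f in _variants(password)):
                return i
        return None

    def change(self, new_password: str, now: int) -> bool:
        """Set a new password at time `now` (seconds). Returns False when the
        candidate, or a variant of it, was in use within the retention period."""
        if self.current is not None:
            self.entries[self.current][2] = now  # in use right up to this moment
        idx = self._find(new_password)
        if idx is not None and now - self.entries[idx][2] < self.retention:
            return False
        if idx is None:
            salt = os.urandom(16)
            self.entries.append([salt, _digest(new_password, salt), now])
            idx = len(self.entries) - 1
        self.entries[idx][2] = now
        self.current = idx
        return True
```

Cycling through five fresh passwords does not free the original one here, because the ban is measured from its last-use timestamp rather than its position in a fixed-depth list; what it costs is one permanent record per distinct password.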