On Tue, 18 Aug 1998 [EMAIL PROTECTED] wrote:

: I was having a discussion with my ISP about Linux. He said he uses
: Windows NT because it is much more secure than Linux. He stated that
: since the source code was available that it was very unsecure. He
: mentioned something about attaining root access by downloading
: /etc/passwd and de-crypting the passwords. He bases this on a source
: called cicia.org. He said it reflected several cases of insecurity
: regarding Linux. I would like to know from a more qualified source
: as to how to respond to this. I have been using Debian for a few
: months now and thoroughly enjoy it. Not only as an operating system,
: but for the documentation and the learning experience. Thank you for
: your time and attention.

Uh ... boy, I sure do like NT administrators. They make me worth more money :)

I am by no means a Linux guru, but here's what I know:

First, the /etc/passwd file can not be "decrypted". First reason: on modern unices, the actual crypted passwords are kept in /etc/shadow, not /etc/passwd. Of course, you can disable shadow passwords, but if you do not you now have file permissions protecting your crypted passwords.

However, let's assume someone grabs a copy of your /etc/passwd file, and you aren't using shadow passwords. All is not lost (yet). See, you can't decrypt the information stored on disk - your plaintext password is encrypted using a one-way hash (the crypt function), and every time you are prompted for your password your INPUT is again encrypted, and compared to the already encrypted version stored on disk.

Given today's machines, it is possible to mount a brute force dictionary attack against crypted passwords - I take every word I can think of and crypt it using all 4096 salts. If I can produce a match against one of the password fields in your /etc/passwd file I have guessed the password!

However, you can eliminate the success of a dictionary attack by employing triviality checks against proposed passwords. The Debian password suite does implement some of these checks, though it will allow the root user to assign any user a weak password. The makepasswd command can also be used to produce hard to guess passwords.

I've seen quite a few programs that will attack the Windows Registry and retrieve passwords for you. Some security.

As a non-trivial OS, Linux does of course have bugs. So does NT. Since the Linux source code is readily available, it can be perused for bugs at your leisure. Of course, some people will use this information for harm. Others will use it to produce a fix, and more often than not they propagate the fix throughout the community. Soon, most machines are no longer vulnerable to that security hole!

Contrast this to NT, where source code is not available. In time, someone will discover some scheme where NT can be crashed, or its security model compromised (remember OOB data?). However, even if the person discovering the bug is a conscientious person, they cannot fix the bug, even for themselves! No, you must go to Microsoft and either retrieve a patch or hope they write one soon (this is my gripe with commercial unices as well). In the meantime, you are insecure! Not a great option for an ISP especially.

<opinion+rant>
Even if NT and Linux had similar security features and availability of source code were not an issue, I still choose Linux because of cost of ownership issues. Never mind the software license costs: have you priced an NT based news server lately? Or an NT based webserver? Or even an Exchange server? NT places gross demands on the hardware, often with no immediate benefit to the user (other than a pretty face). Linux, on the other hand, can extend the life of a 486, and if given enough RAM and disk can outperform many higher horsepower boxes running proprietary OSes.
</opinion+rant>

Having said all that, I use NT on my desktop at work - I need Lotus Notes and I couldn't deal with Win95 crashing 3 times a day. NT crashes about every ten days, so that's not too bad (compared to 95). All of my servers do run Linux, and with the exception of two machines (one with flaky hardware; the other with a hodge-podge of add-on software and kludged scripts) they are rock solid - they never crash.

Hmm - I just noticed you asked for a qualified source - that's not me :) Point him to one of the O'Reilly books on Internet security.

--
Nathan Norman
MidcoNet 410 South Phillips Avenue Sioux Falls, SD
mailto:[EMAIL PROTECTED] http://www.midco.net
finger [EMAIL PROTECTED] for PGP Key: (0xA33B86E9)
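
The three defensive points in the message above (login by re-hashing the input, triviality checks on proposed passwords, and keeping hashes out of the world-readable /etc/passwd), as an added example that is not part of the original post and not code from the Debian password suite. The function names are hypothetical, PBKDF2-HMAC-SHA256 is used as a stand-in for crypt(3), and the passwd sample is constructed.

```python
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(3) (assumption): PBKDF2-HMAC-SHA256, a salted one-way function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    # Login check: hash the INPUT with the stored salt and compare; nothing is decrypted.
    return hmac.compare_digest(hash_password(candidate, salt), stored)

def triviality_problems(password: str, username: str, wordlist: set) -> list:
    # Checks applied when a password is proposed, before it is ever stored.
    problems, low = [], password.lower()
    if len(password) < 8:
        problems.append("too short")
    if username and (username.lower() in low or username.lower()[::-1] in low):
        problems.append("derived from username")
    if low.strip("0123456789!@#$%") in wordlist:
        problems.append("dictionary word")
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(t(c) for c in password) for t in tests) < 2:
        problems.append("single character class")
    return problems

def audit_passwd(text: str) -> dict:
    # Flag passwd(5) entries whose second field is not a shadow placeholder or lock.
    findings = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        if field == "":
            findings[name] = "empty password"
        elif field != "x" and field[0] not in "*!":
            findings[name] = "hash in world-readable file"
    return findings

# Constructed sample in /etc/passwd format; the 13-character field is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:ab8Rz0kTq1LmE:1000:1000:Alice:/home/alice:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    print(triviality_problems("debian98", "nathan", {"debian", "linux"}))
    print(audit_passwd(SAMPLE_PASSWD))
```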