Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.1 6/24/83; site sask.UUCP Path: utzoo!watmath!clyde!cbosgd!ihnp4!alberta!sask!derek From: derek@sask.UUCP (Derek Andrew) Newsgroups: net.unix-wizards,net.rumor Subject: Unix (In)Security Message-ID: <141@sask.UUCP> Date: Thu, 29-Nov-84 23:14:38 EST Article-I.D.: sask.141 Posted: Thu Nov 29 23:14:38 1984 Date-Received: Sat, 1-Dec-84 20:18:10 EST Organization: U of Saskatchewan, Canada Lines: 35 I have just returned from a security seminar. The speaker made some comments about Unix and security. It seems that the last two issues of Unix Review carried some comments from someone at Purdue. Purdue had been working on a secure kernel implementation of Unix. A spokes- person had stated that: using an ordinary guest account, a member of their team could obtain superuser status within 5 minutes. On their secure system, it would take at least 40 minutes. This comment bothers me a little. I would really like to speak with someone at Purdue about this. Would some kind soul that receives Unix Review kindly send me the name of the person at Purdue that made that statement? Of course, I won't post the results of my conversation if it is indeed true until we move to VMS :-). Another comment made by the speaker was that there have been 5 attempts at generating secure Unix kernels. All attempts have not been successful and 4 have been aborted. If anyone knows about any of these attempts, please send me the details. I will post a summary. So what kind of flaw exist in Unix? I am not talking about things that can be done on other operating systems, like stealing backup tapes, mounting Unix disks on systems which you know the root password, running a program to simulate the login procedure or using micros for an exhaustive search for the root password. Are there any flaws which have no way to be plugged? Maybe this is not the place to discuss such security issues, but as the speaker said, "having no security on a system is better than thinking that your system is secure". -- Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0 {ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek 306-966-4820 0900-1630 CST "I ain't afraid o' no bugs." - Bugbusters