On Tue, Aug 18, 1998 at 11:46:43AM -0500, [EMAIL PROTECTED] wrote: > I was having a discussion with my ISP about Linux. He said he uses > Windows NT because it is much more secure than Linux. He stated that > since the source code was available that it was very unsecure. He mentioned > something about attaining root access by downloading /etc/passwd and > de-crypting the passwords. He bases this on a source called cicia.org. > He said it reflected several cases of insecurity regarding Linux. > I would like to know from a more qualified source as to how to respond > to this. I have been using Debian for a few months now and thoroughly > enjoy it. Not only as an operating system, but for the documentation > and the learning experience. Thank you for your time and attention. >
I am no security expert but...I have been reading BUGTRAQ and have some
understanding of security issues....but here is what I have to say.
First "The only computer system that is truely secure is one whith all
of the cords pulled out (ESPECIALLY POWER) locked in a thick steel safe
and dropped to the bottom of the ocean"
The opion I have seen expressed form most security experts is that
opensource tends to make thing sMORE SECURE. The reason is that people
are able to read the source and find the problems...this allows them
to be identified and fixed.
NT not having open source meerly hides its vulnerabilities...and a hidden
vulnerability is a ticking time bomb!
ALso...personal experiance...
At work we are a Microsoft shop...we had an NT machine where the admin password
was lost. We were able to "brute force" the admin password in about 2 hours!
In fact...the entire keyspace of the NT passwords can be searched
in under 3 days on a modest desktop computer.
This was with physical acess...to prove th epoint a co-worker then used
his system to brute force another persons password...by pasively grabbing the
password hash then brute forcing it...with NO physical acess to the NT machine
wa sjust "on the network"
As for his claims about Unix passwords...
1) Unix passwords are hashed NOT encrypted. This means that there is no "magic"
that can give you the password if you know the right "keys"
To get a unix password this way you must take "possible" passwords
and hash them and test the hash against the original hash...
this can be a dictionary attack (using a word list for "weak" word-based
passwords) or brute force (trying every possible password from
a to ZZZZZZZZ ) This WILL takew you allot longer than 3 days ;)
2) With "shadow passwords" the password hashes are hidden...only root can read
them. Here is the difference:
old style:
root:JKzdgcbnwej:0:0:Info Field:/bin/bash
^^^^^^^^^^^ password hash used in cracking
shadow (this is actually from the password file on MY system..cut and paste:
root:x:0:0:root:/root:/bin/bash ^
The hash is stored in /etc/shadow...which is NOT readable by anyone but root.
This is a fairly standard security setup.
To get back to open source...
Often on Bugtraq I will see someone with a report saying
"There is a <insert hole type> in <insert program name>. The following is
the source code for how to exploit it...<insert exploit code> and here
is a patch to fix the problem: <insert patch>"
and with NT vulnerabilities...
"There is an exploit in this...here is how to exploit it"
(14 days later)
"Microsoft has releaces a patch..."
See a difference? see the advantage of Open Source?
Note: i mean "Open SOurce" not free software... any program where source is
available a patch like this can be made... even if its not free ..this is
completely impossible with NT (unless you are into disassembly)
-Steve
--
/* -- Stephen Carpenter <[EMAIL PROTECTED]> --- <[EMAIL PROTECTED]>------------
*/
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"
pgpDf44rVN3OJ.pgp
Description: PGP signature
