bbh@whizz.uucp (Bud Hovell) (11/28/88)
John Hough (jfh@rpp386) is building a drop-in replacement login, and this posting is to inquire for some wizard who is willing to assist on the beta testing by providing feedback on mods and suggestions for enabling it to run on the UNIXPC.

This package fully implements the ATT /etc/shadow strategy (recently described in postings on the net) including administrative utilities, password checking, and so on.

Given the critical nature of the functions this package will provide, it would be desirable to have as many *knowledgeable* contributors as possible.

If you would be willing to contribute your insight and experience to this effort, please send mail to John at:

...rpp386!jfh, or ...jfh@rpp386.dallas.tx.us

If for some reason you cannot get mail to John, send it to me, and I will forward it.

OVERTURE SYSTEMS CORP. Bud Hovell
Operations Specialists Lake Oswego, Oregon
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: USENET: {attmail! | tektronix!tessi!bucket! | pacbell!safari!} whizz!bbh :
: TELEX: 152258436 (Whizz/Bud Hovell) VOICE: 503-636-3000 :
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
"Follow your bliss" - Joseph Campbell
clb@loci.UUCP (Charles Brunow) (11/29/88)
In article <519@whizz.uucp>, bbh@whizz.uucp (Bud Hovell) writes:
>
> John Hough (jfh@rpp386) is building a drop-in replacement login, and this
> posting is to inquire for some wizard who is willing to assist on the beta
> testing by providing feedback on mods and suggestions for enabling it to run
> on the UNIXPC.
>

I know this guy and his software and I wouldn't touch it with a stick. This stuff is developed (loosely interpreted) on a xenix box and I recommend that you go through it very carefully before you put on real Unix.

--
CLBrunow - KA5SOF
clb@loci.uucp, loci@csccat.uucp, loci@killer.dallas.tx.us
Loci Products, POB 833846-131, Richardson, Texas 75083
hjespersen@trillium.waterloo.edu (Hans Jespersen) (11/30/88)
In article <185@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
> I know this guy and his software and I wouldn't touch it with
> a stick. This stuff is developed (loosely interpreted) on a
> xenix box and I recommend that you go through it very carefully
> before you put on real Unix.

I would hope that most people would go through code they pull off the net regardless of who wrote it. The easiest way to spread a worm/virus is by having others carry it for you. I would insist on source code and go through it carefully. I don't think this is paranoid, in fact, one can learn a lot from looking at the junk that other people write ;-).

---------------------------------------------------------------------------
Hans Jespersen         | uunet!watmath!trillium!hjespersen
University of Waterloo | " C language combines the power of assembly language
Waterloo, Ontario      |   with the ease-of-use of assembly language."
karl@ddsw1.MCS.COM (Karl Denninger) (11/30/88)
In article <185@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
>In article <519@whizz.uucp>, bbh@whizz.uucp (Bud Hovell) writes:
>> John Hough (jfh@rpp386) is building a drop-in replacement login, and this
>> posting is to inquire for some wizard who is willing to assist on the beta
>> testing by providing feedback on mods and suggestions for enabling it to run
>> on the UNIXPC.
>
> I know this guy and his software and I wouldn't touch it with
> a stick. This stuff is developed (loosely interpreted) on a
> xenix box and I recommend that you go through it very carefully
> before you put on real Unix.

Charles, that's not nice at all.

I have looked at jfh's login replacement, and it looks ok to me. I do remember the two of you getting into a rather nasty spat over the net a while back regarding your connections to each other's systems.

To despise John is ok, and your right. To disparage his code without even _looking_ at it is nasty, rude, and uncalled for.

John is attempting to provide a real service for the Usenet community -- this shadow code is something I had been meaning to write for a long, long time, but I have to eat too and work that pays must get done before work that is done for love and the benefit of the public at large. John DID take the time, DID produce the code, and while it's not quite good enough for us here at the moment, it DOES work and he is continuing development.

As for the gratuitous slam at Xenix, that was uncalled for too, especially when you consider that John HAS taken the time to #ifdef the appropriate options for his login replacement, and that current Xenix systems are nearly up to SVR3 standards.

(Before you flame me on the Xenix point - be careful: we have code that runs interchangeably, same source, on Xenix and the UNIXPC; it's AKCS, one of our major products)

I think you owe jfh@rpp386 an apology.

--
Karl Denninger (karl@ddsw1.MCS.COM, ddsw1!karl)
Data: [+1 312 566-8912], Voice: [+1 312 566-8910]
Macro Computer Solutions, Inc.
"Quality solutions at a fair price"
lee@uhccux.uhcc.hawaii.edu (Greg Lee) (11/30/88)
From article <185@loci.UUCP>, by clb@loci.UUCP (Charles Brunow):
" In article <519@whizz.uucp>, bbh@whizz.uucp (Bud Hovell) writes:
" >
" > John Hough (jfh@rpp386) is building a drop-in replacement login, and this
"...
" I know this guy and his software and I wouldn't touch it with
" a stick. This stuff is developed (loosely interpreted) on a
" xenix box and I recommend that you go through it very carefully
" before you put on real Unix.
I compiled his beta version on an Ultrix 2.2 system -- haven't
tried it on my unixpc. There were calls to functions manipulating
utmp that are not in the Ultrix library, which I commented out for
the time being. Other than that, it seemed to work ok.
Greg, lee@uhccux.uhcc.hawaii.edu
bbh@whizz.uucp (Bud Hovell) (12/01/88)
In article <10062@watdragon.waterloo.edu>, hjespersen@trillium.waterloo.edu (Hans Jespersen) writes:
> In article <185@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
> > I know this guy and his software and I wouldn't touch it with
> > a stick. This stuff is developed (loosely interpreted) on a
> > xenix box and I recommend that you go through it very carefully
> > before you put on real Unix.
>
> I would hope that most people would go through code they pull off the net
> regardless of who wrote it. The easiest way to spread a worm/virus is
> by having others carry it for you. I would insist on source code and
> go through it carefully. I don't think this is paranoid, in fact, one
> can learn a lot from looking at the junk that other people write ;-).

Understood. Acknowledged. Confirmed.

I may be entirely wrong here, but it seems to me that there are a couple of problems with the current spin of these responses to the original posting.

First, let me make it clear that I am no unix guru. (If there is any doubt on this point, a significant number of qualified people would eagerly certify that it is so :-) However...

While the recent unpleasantries have generated much heat (and a modicum of light) regarding the dangers of worms, viruses, and Trojan horses, it seems to me that we should not overlook Pogo's rightly famous words: "We have met the enemy, and he is US!".

Quite. The primary threat to security is simple ignorance or indifference. Period. Most security breaches (physical or electronic) are successful because of the many opportunities generated consequent to these human frailties.

This primary threat (unlike RTM, et al) can be addressed in one of three ways:

1. Ignore it (join forces with the cause of the threat).

2. Bitch a lot about how stupid and ignorant people really are. (This one has enjoyed great recent popularity on the net, though it is hardly news to any but the newborn).

3. Do something to alter the mechanics of the process so that ignorant or indifferent people must at least exercise some moderate level of creativity in order to bungle minimum security.

For the most part, many systems have been strategically conceived and created by people who are fond of choice two... And are often administered by people who rely on choice one. This is often driven by their realization that they don't have access to choice three, since the owner of the code is exercising choice one, and recommending that the administrator exercise choice two. Which is tiresome after awhile, so the long-term default is (there you are) choice one. The continuing crisis.

The 'login' package includes /etc/shadow concealment of the encrypted passwords, denial of "obvious" passwords (or passwords that are too similar to their predecessors), and forcing of periodic change of passwords. It is intended to better provide the option to enjoy choice three, above cited. It will not be recognized as potentially valuable to any who are stuck on one or two.

First, I have in no way attempted to certify the work of John Haugh, nor to condemn it. If I *were* a wizard with the knowledge to carry forward with review/correction/conversion of this code for use on the UNIXPC, then there would have been little reason for making the original posting seeking same. I simply report the fact that he (and others) are producing such a package. I learn more recently that it is completed and will be sent to Rich $alz for posting to the archives.

If this is a fact, as I believe it to be, it may be of more than academic interest whether it is or is not a *good* package. Why?

Well, to begin with, no one else has stepped forward to do this PD job, so far as I know. I also do not know that it is, *in this particular instance*, a lousy job on the part of its creators. If it is, then it can be dismissed and advertised as such on the net. If it has only those flaws which can be expected in any first-cut programming effort - and quickly identified and corrected by others - then that's a step forward, I would think, toward some meaningful choices that are not vendor-dependent. Which is different than the present case for the vast majority of us. Either way, it seems to me that the community at large will have been well served.

And, after some personal experience with the stuff that has been written by aces at ATT, I must offer the observation that even skilled programmers have been known to produce code with the occasional bug or faulty concept. Sometimes more often than occasionally! :-) And with no malicious intent. Human frailty, unfortunately, exists in moderate degree even amongst programmers.

While one should not confuse expenditure of energy with the obtaining of good results, it is also important to continue to encourage those who are willing to make these efforts - even if they are imperfect people who did not emerge from the womb fully gifted with all the knowledge and experience possessed by others after a lifetime of experience.

And without willing creators, how could critics perform their equally-valuable function of bringing us all to a final state of perfection?

OVERTURE SYSTEMS CORP. Bud Hovell
Operations Specialists Lake Oswego, Oregon
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: USENET: {attmail! | tektronix!tessi!bucket! | pacbell!safari!} whizz!bbh :
: TELEX: 152258436 (Whizz/Bud Hovell) VOICE: 503-636-3000 :
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
"Follow your bliss" - Joseph Campbell
clb@loci.UUCP (Charles Brunow) (12/01/88)
In article <2284@ddsw1.MCS.COM>, karl@ddsw1.MCS.COM (Karl Denninger) writes:
+ In article <185@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
+ >In article <519@whizz.uucp>, bbh@whizz.uucp (Bud Hovell) writes:
+ >> John Hough (jfh@rpp386) is building a drop-in replacement login, and this
+ >> posting is to inquire for some wizard who is willing to assist on the beta
+ >> testing by providing feedback on mods and suggestions for enabling it to run
+ >> on the UNIXPC.
+ >
+ > I know this guy and his software and I wouldn't touch it with
+ > a stick. This stuff is developed (loosely interpreted) on a
+ > xenix box and I recommend that you go through it very carefully
+ > before you put on real Unix.
+
+ Charles, that's not nice at all.
+ ...
+ I think you owe jfh@rpp386 an apology.

An apology! Ha, don't hold your breath. If you like his stuff then use it but "I recommend that you go through it very carefully" and "I wouldn't touch it with YOUR stick."

--
-- #_\_@\\/\_@\\/\_@\ Charles Brunow Loci Products
# /--u// --u// --o/ clb@loci.UUCP POB 833846-131
# _ __ _ _ __ __ __ ..!uunet!texbell!loci!clb Richardson, Texas 75083
alex@umbc3.UMD.EDU (Alex S. Crain) (12/02/88)
In article <189@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
>+ I think you owe jfh@rpp386 an apology.
>
> An apology! Ha, don't hold your breath. If you like his stuff
> then use it but "I recommend that you go through it very carefully"
> and "I wouldn't touch it with YOUR stick."

Are you a walking attitude problem, or what? If you don't like this guy's software, don't use it. Better yet, write a replacement yourself and post it. I'm sure we can find some impartial judges and compare the two systems.

In the mean time, your behaviour is arrogant and rude, and out of place in this newsgroup. I don't think that I am alone in requesting you to vent your problems elsewhere.

The rule of thumb in freeware is that you get what you pay for, so if it doesn't work, don't be surprised. I've never spent a dime for anything outside of the utilities and development set for this machine, and I'm doing research and development in several languages (Common Lisp, Prolog, and C) using some outstanding tools (emacs, bison, less, etc). Almost every piece of code I've ever put on this machine needed some work, but nearly every piece has been worth the effort because someone bothered to write and post the original program.

BTW: I don't recall seeing your name on any free software recently....

--
:alex.
Systems Programmer
nerwin!alex@umbc3.umd.edu UMBC
alex@umbc3.umd.edu
clb@loci.UUCP (Charles Brunow) (12/04/88)
In article <1390@umbc3.UMD.EDU>, alex@umbc3.UMD.EDU (Alex S. Crain) writes:
>
> Are you a walking attitude problem, or what? If you don't like
> this guy's software, don't use it. Better yet, write a replacement yourself
> and post it.

Alex, you're a funny guy. In your tantrum you manage to be pompous, arrogant, and superior, as if you had some unspecified right to dictate how I should think and what I should say, all without shedding any light on the subject. But the best part is the counter-point between what you say and what you do.

>
> In the mean time, your behaviour is arrogant and rude, and out of
> place in this newsgroup. I don't think that I am alone in requesting you
> to vent your problems elsewhere.

"In the mean time ..."; what? You mean until YOU have evaluated the software, or written your own, or until you grow up? If you could read then you'd know I responded to a request and that I stated legitimate concerns. You don't like it? Move to Russia.

> The rule of thumb in freeware is that you get what you pay for, so
> if it doesn't work, don't be surprised. I've never spent a dime for anything
> outside of the utilities and development set for this machine, and I'm doing
> research and development in several languages (Common Lisp, Prolog, and C)
> ...

I really love these arbitrary "rules of thumb"; Who elected you to be the net conscience anyway. I happen to believe that you're a light-weight, and your list of toys sews it. So what? There is another net rule of thumb which says "If you don't like it, don't read it." But in your case, it should be "...don't read into it." Have you got enough thumbs?

> BTW: I don't recall seeing your name on any free software recently....

I bet you think that means that I haven't done any, right, because you don't recall. Ha, what a funny guy.

> :alex.
> Systems Programmer
> nerwin!alex@umbc3.umd.edu UMBC
> alex@umbc3.umd.edu

--
-- #_\_@\\/\_@\\/\_@\ Charles Brunow Loci Products
# /--u// --u// --o/ clb@loci.UUCP POB 833846-131
# _ __ _ _ __ __ __ ..!uunet!texbell!loci!clb Richardson, Texas 75083
brant@manta.pha.pa.us (Brant Cheikes) (12/05/88)
A flame war looms on the horizon. Please, folks, I'll say it again: the unix-pc groups must not be allowed to degenerate to the level of the rest of the Usenet stream. If you must flame, do so in private e-mail.

Alex, your contributions speak for themselves; your reputation needs no defense. Mr. Brunow, your Oh, forget it.

To those on the sidelines: please be reasonable. If you've already thrown in your $0.02 flame, consider sending out a cancel NOW.

[foulups to /dev/null]

--
Brant Cheikes
University of Pennsylvania
Department of Computer and Information Science
brant@manta.pha.pa.us, brant@linc.cis.upenn.edu, bpa!manta!brant
andy@rbdc.UUCP (Andy Pitts) (12/05/88)
There's nothing like a good flame war. And this is nothing like a good flame war.

--
Andy Pitts andy@rbdc.UUCP : "The giant Gorf was hit in one eye by a stone,
bakerst!rbdc!andy         : and that eye turned inward so that it looked
kd4nc!gladys!rbdc!andy    : into his mind and he died of what he saw there."
pacbell!gladys!rbdc!andy  : --_The Forgotten Beast of Eld_, McKillip--