Everhart,Glenn

From: kilgallen@eisner.decus.org
Sent: Tuesday, April 07, 1998 7:05 AM
To: Info-VAX@Mvb.Saic.Com
Subject: Re: VMS vs UNIX (not trolling)

In article <6gb6gn$1oo$1@aquila.mdx.ac.uk>, david20@alpha2.mdx.ac.uk (D.Webb) writes:
> In article <6g3dd0$g2c$2@flotsam.uits.indiana.edu>, bdwheele@indiana.edu (Brian Wheeler) writes:

>>> You need a good
>>> Unix system admin who knows exactly what to do for his version of Unix to turn
>>> them on.

1) This means that Unix is not Unix is not Unix since it differs
from version to version.

2) It also lays the groundwork for excusing all failures on any
Unix system with the catchall excuse that the system administrator
was not "good enough".

If I am the human then it is the computer which should adapt to me,
not vice-versa. I don't need those who built the computer telling
me it failed to protect my data because I am unworthy.

> Any secure operating system needs at least :-

> Password history

And it needs a reasonable strategy for dealing with a user who
attempts to circumvent password history by filling the history.
I have yet to hear of any system which deals with this as elegantly
as VMS (throwing the user into a "generated password" state).
Of course there are lots of operating systems with which I am
not familiar, and I would welcome news of other reasonable approaches.

A typical lame-brained approach (from those operating systems which
bother to consider the problem at all) is to declare a "minimum
password lifetime" which can have the effect of preventing a user
from changing a password EVEN WHEN THEY KNOW IT HAS JUST BEEN
COMPROMISED (such as by having a videotape being made of their
keyboard as they logged in).

> These should all be available as part of the operating system not bought in
> as extras - they should work together to provide a secure environment.
> They should also be already enabled when the system is installed with
> reasonable default values.

Who cares what the defaults are? What system would ever run with
defaults? The answer is, that system which has the least experienced
administrator. Thus the level of security set by the defaults is
the level of security chosen by the manufacturer for sites with
the least experienced system administrators. Take a look at your
operating system and see what security level they have chosen for
these people.

Larry Kilgallen
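
The trade-off described in the message above, as an added example that is not part of the original post and is not VMS code: a password-history policy that never refuses a change for being "too soon", and instead stops honouring user-chosen passwords once rapid changes look like history flushing. The thresholds, the `Account` class and the `generated_only` flag are assumptions; the post does not say how VMS detects the condition.

```python
import hashlib
import hmac
import os
import secrets

HISTORY_DEPTH = 5   # assumed: number of remembered passwords
RAPID_CHANGES = 3   # assumed: changes inside WINDOW that look like history flushing
WINDOW = 3600       # assumed: observation window in seconds


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.history = [self._digest(password)]
        self.change_times = []
        self.generated_only = False  # hypothetical flag, cleared by an administrator

    def _digest(self, password):
        # History entries are stored as slow salted hashes, never as plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _store(self, password, now):
        self.history = (self.history + [self._digest(password)])[-HISTORY_DEPTH:]
        self.change_times = [t for t in self.change_times if now - t < WINDOW] + [now]

    def change_password(self, requested, now):
        """Return (status, issued_password); no change is refused for being too soon."""
        if self.generated_only:
            # The user still gets a fresh password at once, but the system chooses it,
            # so cycling through the history can no longer bring an old one back.
            issued = secrets.token_urlsafe(12)
            self._store(issued, now)
            return "generated", issued
        digest = self._digest(requested)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "reused", None
        self._store(requested, now)
        if len(self.change_times) >= RAPID_CHANGES:
            self.generated_only = True
        return "changed", None
```

A user who has just seen their password compromised can change it immediately under this policy; a minimum-lifetime rule would reject that same request.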