Advice the Government of Canada Gives About GNU/Linux

“Basic Security Recommendations
Identification and Authentication – Current implementations of Linux are vulnerable through user passwords. Passwords are stored in clear text, meaning they are easily understood by any user that knows the password file location, and the default encryption tool for information does not meet the Government of Canada recommended encryption requirements.”

see Overview of Operating Systems Security Features – LINUX.

Well, it’s pretty clear they got that wrong:

  • $ cat /etc/shadow
    cat: /etc/shadow: Permission denied
  • “/etc/shadow” contains the following.


    user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::
    user2:$1$vXGZLVbS$ElyErNf/agUDsm1DehJMS/:13261:0:99999:7:::

    As explained in shadow(5), each “:” separated entry of this file means the following.

    Login name

    Encrypted password (The initial “$1$” indicates use of the MD5 encryption. The “*” indicates no login.)

    Days since Jan 1, 1970 that password was last changed

    Days before password may be changed

    Days after which password must be changed

    Days before password is to expire that user is warned

    see Chapter 4. Authentication (Debian)

So they are quite wrong on the first point, and the second is only partly true. MD5 is old and creaky, but if your password is “sdfkui7y23,$@&&&xvhut3r” and the user/malware doesn’t have access to the stored password (which is MD5-hashed, not encrypted), how are they to find any string that produces that hash before being spotted? There’s also a “salt” added to the string before hashing, so the job gets harder.

The usual standard in GNU/Linux is MD5:
mkpasswd -S "frog37r3" -m md5
Password:
$1$frog37r3$ezKGT9XmudHKS9ua3WjDx1

but SHA512 is available:
mkpasswd -S "frog37r3" -m sha-512
Password:
$6$frog37r3$dG/hS4PrlCRVn3SSP/ccIHVmzimdN5nNF0js9WNKyM9ASro2dZZQ/8XUgW4Q8Kuu0xlRelRLDz7Z2DiOokJOF.

so, good luck cracking that mess without being noticed for failures. Really, trial and error would be just as good as getting the shadow password which is out of sight.

Indeed, Debian changed to SHA512 default hashing back in 2009:
“[ Kees Cook ]
* debian/local/common-password, debian/pam-configs/unix: switch from "md5" to "sha512" as password crypt default.”

So, the strength of the password is likely much more critical than how it is hashed. Debian tells us how to strengthen passwords, too.
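A change of default such as Debian's only applies to passwords set afterwards, so older `$1$` entries stay in /etc/shadow until each user next changes their password. The following audit sketch is an added example, not code from the original post or from Debian; it parses shadow(5) entries as described above and lists the accounts whose hash should be regenerated. The function names and the `user3` and `daemon` sample lines are assumptions made for illustration.

```python
from datetime import date, timedelta

# crypt(3) scheme id (text between the first two "$") -> (name, acceptable today)
SCHEMES = {"1": ("md5crypt", False), "5": ("sha256crypt", True),
           "6": ("sha512crypt", True), "y": ("yescrypt", True)}

def parse_shadow_line(line):
    """Parse one shadow(5) entry; return a dict describing the password field."""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError("not a shadow(5) entry: %r" % line)
    login, pw, last = fields[0], fields[1], fields[2]
    changed = date(1970, 1, 1) + timedelta(days=int(last)) if last else None
    entry = {"login": login, "locked": pw[:1] in ("*", "!"), "scheme": None,
             "salt": None, "acceptable": True, "last_changed": changed}
    pw = pw.lstrip("!")                  # "!" in front of a hash marks a locked password
    if pw.startswith("$"):
        parts = pw.split("$")            # ['', id, (optional params,) salt, hash]
        name, ok = SCHEMES.get(parts[1], ("unknown:" + parts[1], False))
        entry.update(scheme=name, acceptable=ok,
                     salt=parts[-2] if len(parts) >= 4 else None)
    elif pw == "":
        if not entry["locked"]:          # truly empty field: login without a password
            entry.update(scheme="empty", acceptable=False)
    elif not pw.startswith("*"):         # anything else is a traditional DES crypt hash
        entry.update(scheme="descrypt", acceptable=False)
    return entry

def weak_accounts(text):
    """Logins whose stored hash should be regenerated with a stronger scheme."""
    entries = [parse_shadow_line(l) for l in text.splitlines() if l.strip()]
    return [e["login"] for e in entries if not e["acceptable"]]

# user1/user2 are the entries quoted on the page; user3 and daemon are constructed.
SAMPLE = """\
user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::
user2:$1$vXGZLVbS$ElyErNf/agUDsm1DehJMS/:13261:0:99999:7:::
user3:$6$frog37r3$dG/hS4PrlCRVn3SSP/ccIHVmzimdN5nNF0js9WNKyM9ASro2dZZQ/8XUgW4Q8Kuu0xlRelRLDz7Z2DiOokJOF.:14600:0:99999:7:::
daemon:*:13262:0:99999:7:::
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        e = parse_shadow_line(line)
        print(e["login"], e["scheme"], e["salt"], e["last_changed"], e["locked"])
    print("rehash needed:", weak_accounts(SAMPLE))
```

On a real system the input would be the contents of /etc/shadow read as root, which is exactly the access an ordinary user does not have.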

I think this shows the Government of Canada is a little behind the curve in GNU/Linux and needs to open up to the standards of some European governments like Germany. Germany created their own GNU/Linux desktop for government use back in 2006. Germany isn’t spreading FUD about security of GNU/Linux. TFA from Canada was produced in 2010 using M$’s office suite and Adobe’s Distiller on that other OS.

Wake up Canada!

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

18 Responses to Advice the Government of Canada Gives About GNU/Linux

  1. Sada M says:

    “Get over it Pog, it’s an operating system not a religion!”

    Not when they piss away my tax dollars

  2. That Exploit Guy says:

    Oiaohm the wordsmith is teaching us English.

    I feel so privileged!

  3. oiaohm says:

    oldman –The common use of the word blasphemy is religious in nature.–

    Judaism, Islam, Hindu, Judaism and Buddhists use define of blaspheme that can cover parents and non religion things.

    That is the problem Christian is the only one that does not use the second context commonly. That is also regional. What you are saying Oldman shows lack of cultural knowledge. You are presuming Christian and you are presuming Christian of particular religions groups on how you say Blaspheme is used.

    Note Blaspheme is use that way. Not the word Blasphemy.

    Robert Pogson oldman did not use the word Blasphemy. You have just proven you are stupid about the use of language. You have merged words and are presuming usage on one word based on a related word.

    I know its only 1 letter difference. The usage between those two words is major-ally different.

  4. oldman says:

    “Oldman your believe of how blaspheme is used is because you have grown up in a country dominated by Christians.

    This is culture awareness.”

    Nope Its Hamster bushwah. The common use of the word blasphemy is religious in nature. Pog most likely being some form of christian used it in that context.

    End of story.

  5. oiaohm says:

    Chris Weig funny enough most of my stuff is not rewrite from scratch. Most of what I write remains. Some where I have glitch and repeated deleted. Somewhere I have missed words given back to me to fix. Some is the odd out of order problem.

    You call what I write gibberish. Funny enough its not.

    Calling it gibberish is just an excuse to lack the knowledge to read some of the stuff I write.

  6. Chris Weig says:

    Oiaohm, you write documentation? Then by proof-reading you probably mean that other unfortunate beings have to rewrite your gibberish from scratch while making educated guesses about its contents.

  7. oiaohm says:

    That Exploit Guy because the wrong brackets stuff only happens when I am writing documentation. That gets proof read. Name a scripting language that uses html ampersand code.

    Its not python its not ruby its not perl.

    http://php.net/manual/en/function.htmlspecialchars.php
    Yes PHP you use conversion function.

    I know of ampersand code 1 remember to use it is one thing. 2 have todo it is another. Reality I never have todo it normally. This is what what you see is what you get editors is for. Its simple for me to target stop using the wrong brackets and use like [] that I am mean to for Unix and Posix style man pages.

    That Exploit Guy that I am a code maker is why my response is what it is.

    If you are a mad bugger using it all the time that is your problem.

    Really it would be nice if this site had http://wordpress.org/extend/plugins/fckeditor-for-wordpress-plugin/ then I would not have to remember todo it. fckeditor would do the conversion to ampersand code for me.

  8. That Exploit Guy says:

    ‘That is typing 3 chars’

    It’s 4, including the ampersand and the semi-colon.

    Seriously, how do you manage to write scripts without being able to remember something this simple?

  9. oiaohm says:

    –Never heard of ampersand code, my SELinux expert?–
    ampersand code I know it. But having brain to remember to use it is another matter.

    That is typing 3 chars instead of one. I need to use () or [] more. < and > around stuff I picked up from the time of dos. I need to stop using it. Fine before XML and HTML.

  10. That Exploit Guy says:

    @oiaohm

    Never heard of ampersand code, my SELinux expert?

  11. oiaohm says:

    –blaspheme against and–
    should be
    -blaspheme against (insert name of religion) and-

    I have to stop using triangle brackets.

  12. oiaohm says:

    oldman this is not hair splitting. It common to be used as meaning 2 by people with particular belief systems. Atheists use the word blaspheme in this style. Along with other belief systems.

    Its really you being narrow minded oldman. I don’t think Robert Pogson has mentioned his faith. Use of blaspheme is normally directly linked to your belief system. Its a multi culture thing that you were not aware of oldman just because they use the word blaspheme does not mean they even believe in a god.

    People from particular religions backgrounds (Christian) common believe the meaning of blaspheme is religious. Not noting that most other religions use blaspheme against and most of the other religions groups of them use it for blaspheme against parents and so on.

    Oldman your believe of how blaspheme is used is because you have grown up in a country dominated by Christians.

    This is culture awareness.

  13. oldman says:

    “Most people have limited understanding of particular words.”

    HAmster, You know full well the common context of the world. Please spare us your usual hair splitting bushwah.

  14. oiaohm says:

    oldman
    http://dictionary.reference.com/browse/blaspheme

    blaspheme refer to meaning two. Does not require to be about religion.

    What Chris Weig did falls exactly under meaning 2 of blaspheme so he is a blasphemer.

    Most people have limited understanding of particular words.

  15. oldman says:

    Don’t blaspheme.

    Get over it Pog, it’s an operating system not a religion!

  16. Chris Weig wrote, “And, gosh, there never was a successor!”

    Don’t blaspheme. They now recommend Ubuntu GNU/Linux hardened with Anoubis. No need to roll their own when so many GNU/Linux distributions make a good platform.

  17. Chris Weig says:

    TFA from Canada was produced in 2010 using M$’s office suite and Adobe’s Distiller on that other OS.

    Good for them!

    Wake up Canada!

    They already have!

    Maybe you should relocate to Germany or some other FLOSS country. Chuckle.

  18. Chris Weig says:

    Don’t spread FUD, Pogson. What do you know about Germany’s government and Linux? Not much. It shows because you link to an age-old ERPOSS4 press release. Here, I help you out:

    Das Projekt “Behördendesktop ERPOSS4” ist veraltet und wird vom BSI nicht mehr unterstützt.

    (The project “Behördendesktop ERPOSS4” is deprecated and isn’t supported by BSI any longer.)

    And, gosh, there never was a successor!
