ccel@chance.uucp (CCEL) (01/05/90)
*I* wrote:
>Funny you should mention this, my roommate ran a program that does
>just this on our college's Ultrix machine (I'll leave out the names).
>Just as a test, he wanted to find all the users whose passwords were
>the same as their login names. He "cracked" about 35 passwords on the
>first pass, including about 25 faculty accounts (kind of disturbing
>that CS faculty members would be so careless with their passwords).
>The University ended up charging him about $2800.00, something about
>misuse of computer time...

Kind of irresponsible (bad netiquette) to quote my own message, sorry.

Incidentally, I have the source to the program that he used, if anyone is interested. I asked him if I could distribute it to the net and he said he didn't mind... in fact, he said he might enjoy the free "publicity". If anyone is interested, please drop me a line.

To be responsible, I would be reluctant to distribute the source to anyone who is NOT a system administrator on their machine.

Randy Tidd
rtidd@mwsun@mitre.org
#define DISCLAIM TRUE
daveb@i88.isc.com (Dave Burton) (01/09/90)
In article <85606@linus.UUCP> rtidd@mwunix.mitre.org writes:
|[rtidd@mwunix.mitre.org] wrote:
|>Just as a test, he wanted to find all the users whose passwords were
|>the same as their login names. He "cracked" about 35 passwords on the
|>first pass, including about 25 faculty accounts ...
|
|Incidentally, I have the source to the program that he used, if anyone
|is interested. I asked him if I could distribute it to the net and he
|said he didn't mind... in fact, he said he might enjoy the free
|"publicity". If anyone is interested, please drop me a line.
|
|To be responsible, I would be reluctant to distribute the source to
|anyone who is NOT a system administrator on their machine.

Oh, yes, *I'm* the sysadm for my machine. Really. Could you send me a copy?

That is not being responsible - you have no way of verifying the truth of this statement. Besides, I may be the sysadm from my posting machine, but use the program on another which I'm not.

Further, of what use would such a program be to a sysadm (other than informing his users that their accounts are less secure than they could be)?

As for your friend's ego: this is a trivial program to write - what "publicity" does it merit?

|Randy Tidd
--
Dave Burton
uunet!ism780c!laidbak!daveb
andy@syma.sussex.ac.uk (Andy Clews) (01/11/90)
From article <85606@linus.UUCP>, by ccel@chance.uucp (CCEL):
> To be responsible, I would be reluctant to distribute the source to
> anyone who is NOT a system administrator on their machine.

Hmm, so how do you propose to check this? Will you believe anyone who just says "I am a system administrator" in their message?
--
Andy Clews, Computing Service, Univ. of Sussex, Brighton BN1 9QN, ENGLAND
JANET: andy@syma.sussex.ac.uk   BITNET: andy%syma.sussex.ac.uk@uk.ac
Voice: +44 273 606755 ext.2129
andre@targon.UUCP (andre) (01/11/90)
In article <1990Jan8.232650.6615@i88.isc.com> daveb@i88.isc.com (Dave Burton) writes:
>Oh, yes, *I'm* the sysadm for my machine. Really. Could you send me a copy?
>
>That is not being responsible - you have no way of verifying the truth of
>this statement. Besides, I may be the sysadm from my posting machine, but
>use the program on another which I'm not.

Oh yes you can! If you want to check this, just ask the person in question to re-mail the request as root from his machine and then mail the sources to the same root. This way even if he succeeds in faking a uucp header, his administrator will catch him.

Also to fix the 'sysadm of a tiny machine (xenix on your home pc)' problem, you can restrict redistribution to sysadms of the bigger machines owned by universities and companies, and trust that being a sysadm gave the person some responsible behaviour.
--
The mail| AAA     DDDD        It's not the kill, but the thrill of the chase.
demon...| AA AAvv vvDD DD     Ketchup is a vegetable.
hits!.@&| AAAAAAAvv vvDD DD   {nixbur|nixtor}!adalen.via
--more--| AAA AAAvvvDDDDDD    Andre van Dalen, uunet!hp4nl!targon!andre
ccel@chance.uucp (CCEL) (01/11/90)
In article <1974@syma.sussex.ac.uk> andy@syma.sussex.ac.uk (Andy Clews) writes:
>From article <85606@linus.UUCP>, by rtidd@mwunix.mitre.org (Randy Tidd):
>> To be responsible, I would be reluctant to distribute the source to
>> anyone who is NOT a system administrator on their machine.
>
>Hmm, so how do you propose to check this? Will you believe anyone who just
>says "I am a system administrator" in their message?

A couple of other people pointed this out, but in this case the code was so simple that it didn't warrant too much "security"... it's not like it was a fantabulous cracking algorithm developed in the bowels of MIT or something. If I wanted to be sure to send it to a system admin, I could just ask that the people send me mail as root. But even this isn't failsafe. Ah well...

Randy Tidd
rtidd@mwunix.mitre.org
#define DISCLAIM TRUE
kmont@hpindda.HP.COM (Kevin Montgomery) (01/12/90)
|>Just as a test, he wanted to find all the users whose passwords were
|>the same as their login names. He "cracked" about 35 passwords on the
|>first pass, including about 25 faculty accounts ...

Even more, it's not that imaginative! Me old roomie used to break passwords by selecting one, taking the crypt salt, then looking for matches of the crypt of the salt and the user's login and a few other "usual" passwords and, upon this not working, tried it on all the words in the online dictionary. Now THAT's classy...
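A defender-side counterpart to the audit Kevin describes, added here as an example and not code from anyone in the thread: a policy check run when a password is *set*, rejecting exactly the candidates that audit tries (the login name and trivial variants of it, a few "usual" passwords, any single dictionary word) so such accounts never exist to be found. The word lists are constructed samples; a real deployment would load a full word list.

```python
import re

# Constructed sample lists standing in for the "usual" passwords and the
# on-line dictionary mentioned in the thread.
USUAL_PASSWORDS = {"password", "secret", "welcome", "qwerty", "123456"}
DICTIONARY_WORDS = {"ultrix", "faculty", "college", "terminal", "kernel"}


def _normalize(s: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Smith-1' and 'smith1' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def weak_password_reason(login: str, candidate: str,
                         dictionary=DICTIONARY_WORDS,
                         usual=USUAL_PASSWORDS):
    """Return why `candidate` would fall to the audit described in the thread,
    or None if it survives every pass.  Passes, in the thread's order:
      1. the login name itself (plus trivial variants: reversed, trailing digits)
      2. a short list of "usual" passwords
      3. every word in the on-line dictionary
    """
    cand = _normalize(candidate)
    user = _normalize(login)
    if not cand:
        return "empty password"

    # Pass 1: the login name, reversed, or with trailing digits stripped.
    strip_digits = lambda s: re.sub(r"\d+$", "", s)
    trivial = {t for t in (user, user[::-1], strip_digits(user)) if t}
    if cand in trivial or strip_digits(cand) in trivial:
        return "password is the login name (or a trivial variant of it)"

    # Pass 2: the "usual" passwords people reach for first.
    if cand in {_normalize(w) for w in usual}:
        return "password is a commonly used password"

    # Pass 3: any single dictionary word.
    if cand in {_normalize(w) for w in dictionary}:
        return "password is a dictionary word"

    return None


def audit_candidates(pairs):
    """Apply the check to (login, candidate) pairs; return the flagged logins with reasons."""
    return [(login, reason) for login, pw in pairs
            if (reason := weak_password_reason(login, pw)) is not None]
```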
jik@athena.mit.edu (Jonathan I. Kamens) (01/15/90)
In article <943@targon.UUCP>, andre@targon.UUCP (andre) writes:
> In article <1990Jan8.232650.6615@i88.isc.com> daveb@i88.isc.com (Dave Burton)
> writes:
> >That is not being responsible - you have no way of verifying the truth of
> >this statement. Besides, I may be the sysadm from my posting machine, but
> >use the program on another which I'm not.
>
> Oh yes you can! If you want to check this, just ask the person in question
> to re-mail the request as root from his machine and then mail the sources
> to the same root. This way even if he succeeds in faking a uucp header, his
> administrator will catch him.

Excuse me, but how does mailing the code to root on one machine prevent the recipient of the code from copying the code to another machine and compiling and executing it there?

Jonathan Kamens                       USnail:
MIT Project Athena                    11 Ashford Terrace
jik@Athena.MIT.EDU                    Allston, MA 02134
Office: 617-253-8495                  Home: 617-782-0710
cgh018@tijc02.UUCP (Calvin Hayden ) (01/15/90)
From article <1974@syma.sussex.ac.uk>, by andy@syma.sussex.ac.uk (Andy Clews):
> From article <85606@linus.UUCP>, by ccel@chance.uucp (CCEL):
>> To be responsible, I would be reluctant to distribute the source to
>> anyone who is NOT a system administrator on their machine.
>
> Hmm, so how do you propose to check this? Will you believe anyone who just
> says "I am a system administrator" in their message?
>

Good point. If <85606@linus.UUCP> is set on doing this then the least he can do is to only send to a root (or superuser equivalent) address. Still doesn't ensure true security, and that superuser may abuse this on some other system, if not now then later.

I also agree with an earlier posting - that this is a fairly trivial program to write.

Cal
andre@targon.UUCP (andre) (01/17/90)
In article <1990Jan15.030347.16562@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
> Excuse me, but how does mailing the code to root on one machine prevent the
>recipient of the code from copying the code to another machine and compiling
>and executing it there?

It will not, however one should think that being root on one machine will result in more responsible behaviour on other machines. You can always make sure only to mail something to roots of sufficiently 'big' machines (being sysadm on a company or university machine with > 20 users results in more sysadm-ier behaviour than being sysadm of your own xenix AT :-).
--
Andre van Dalen, uunet!hp4nl!targon!andre