dankg@tornado.Berkeley.EDU (Dan KoGai) (06/04/90)
In article <36584@ucbvax.BERKELEY.EDU> lauther@janus.Berkeley.EDU.UUCP (Ulrich Lauther) writes:
>In article <6368@amelia.nas.nasa.gov> samlb@pioneer.arc.nasa.gov.UUCP (Sam Bassett RCS) writes:
>>
>> I agree -- the documentation should be more straightforward about
>>the dangers of the .netrc, and for d**n sure, whoever is teaching kids
>
>I just wonder why not the same technique is used with .netrc as with
>/etc/passwd: have the file readable, but sensitive parts encrypted?

I don't think so: I don't think /etc/passwd was a good idea: It's encrypted. So what? That means you can take time to feed random string to encryptor, which is available, then find the matching string. Maybe you can feed it from dict file--people's name makes big candidate for considerably many people choose their password from their (boy|girl)friends' or spouses' names. What I don't understand is that my password is not a kind of string found on dict but it's still feasible to use "power" rather than "tech" to break security in UNIX.

I admit my .netrc was not a good idea. But still I think it's possible for that moron to kill at least OCF account: Some others suggested that some of UNIX has a serious problem in user switching. One of my friends witnessed that he was accidentally su'd to somebody else.

At very least finger info and passwd file must be separated. If possible, it might be a good idea to hard-code security part of UNIX, that is, implement security by hardware than software. On current system encrypted or not, precious password info is visible. How about ATM card way (I don't think it's valid idea--How about dialin?)--No one but card knows your password. there remains the problem in case of loss of cards or "keys" but it's at very least far more secure than current UNIX implementation of password.

----------------
____ __ __ + Dan The "Raped" Man
||__||__| + E-mail: dankg@ocf.berkeley.edu
____| ______ + Voice: +1 415-549-6111
| |__|__| + USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
|___ |__|__| +
|____|____ + "What's the biggest U.S. export to Japan?"
\_| | + "Bullshit. It makes the best fertilizer for their rice"
boyd@necisa.ho.necisa.oz (Boyd Roberts) (06/05/90)
In article <1990Jun4.102422.12896@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
>
> I don't think so: I don't think /etc/passwd was a good idea: It's
>encrypted. So what? That means you can take time to feed random string to
>encryptor, which is available, then find the matching string.
>

Dan, my man you seem to have jumped to the conclusion that UNIX isn't secure because someone broke into your account and blew away your files. How this was done would appear to be attributable to stupidity, and not to underlying flaws in UNIX password security.

At this point I'd like to make the distinction between UNIX password security and the various `security' of IP based networking utilities. With those, there is _no_ security. I think RTM and various others have proved this beyond a shadow of a doubt. UNIX password security is secure, provided you have chosen a reasonable password.

Sure, you can snarf /etc/passwd and try a dictionary attack. But, you have to get access to the machine first. Without access to the machine it's near impossible to break. Shadow password files nullify this method of attack, although I don't like this password file dichotomy.

The bottom line is that password security works. Most systems aren't broken into. The ones that are broken are usually compromised by some sloppy (ie. networking) utility or a flawed UNIX port.

So Dan, a piece of advice:

    $@$*$H$7$^$((J $@$*(J $@$D$1$F(J!

Boyd Roberts boyd@necisa.ho.necisa.oz.au

``When the going gets weird, the weird turn pro...''
dankg@volcano.Berkeley.EDU (Dan KoGai) (06/05/90)
In article <1752@necisa.ho.necisa.oz> boyd@necisa.ho.necisa.oz (Boyd Roberts) writes:
>Dan, my man you seem to have jumped to the conclusion that UNIX isn't
>secure because someone broke into your account and blew away your files.
>How this was done would appear to be attributable to stupidity, and
>not to underlying flaws in UNIX password security.

Unix is at very least insecure enough to make me sleep in nightmare. I got several mails and some of them are raped even harder. And this applies to computer in general--My Mac is infected by virus 4 times (but last 2 was not serious at all, thanx to Disinfectant).

>At this point I'd like to make the distinction between UNIX password security
>and the various `security' of IP based networking utilities. With those,
>there is _no_ security. I think RTM and various others have proved this
>beyond a shadow of a doubt. UNIX password security is secure, provided you
>have chosen a reasonable password.

I do not think my accounts were nuked due to network flaw: Very unfortunately, there are several cracker activities reported to be originated at OCF. And my password was secure enough for your standard, the string as complicated as intercal syntax!

>Sure, you can snarf /etc/passwd and try a dictionary attack. But, you have
>to get access to the machine first. Without access to the machine it's
>near impossible to break. Shadow password files nullify this method of attack,
>although I don't like this password file dichotomy.

It's not that hard today to obtain a UNIX account. And if you can crack one site, it's likely the site includes users with other remote accounts, which is exactly my case, and crack others--chain reaction also appeared in "Cuckoo's Egg". I don't like NORAD-like security but very unfortunately human nature is evil and it takes evil to secure from evil.

>The bottom line is that password security works. Most systems aren't broken
>into. The ones that are broken are usually compromised by some sloppy
>(ie. networking) utility or a flawed UNIX port.

But it's far more common than your wallet is stolen. Look, I'm not the only victim and I heard of many cases on this Berkeley alone. And UNIX is still not common enough to attract people's attention--Internet virus case and Cuckoo's Egg case attracted people because it was military security related, not because of fame of UNIX. I think I have seen too many cases of insecurity considering still small size of UNIX community. And this will get but more serious as UNIX gains its popularity. We'd better be prepared before it gets even messier.

>So Dan, a piece of advice:
>
>    $@$*$H$7$^$((J $@$*(J $@$D$1$F(J!
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ESC is dropped, yet another flaw of
     netnews system

I wish I could. And now here's my advice: Living UNIX world is like an orgy: full of joy but riskier these days.

----------------
____ __ __ + Dan The "insecured" Man
||__||__| + E-mail: dankg@ocf.berkeley.edu
____| ______ + Voice: +1 415-549-6111
| |__|__| + USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
|___ |__|__| +
|____|____ + "What's the biggest U.S. export to Japan?"
\_| | + "Bullshit. It makes the best fertilizer for their rice"
woods@robohack.UUCP (Greg A. Woods) (06/06/90)
In article <1990Jun5.152004.15873@agate.berkeley.edu> dankg@volcano.Berkeley.EDU (Dan KoGai) writes:
> Unix is at very least insecure enough to make me sleep in nightmare.
> I got several mails and some of them are raped even harder. And this applies
> to computer in general--My Mac is infected by virus 4 times (but last 2 was
> not serious at all, thanx to Disinfectant).

Your first sentence is wrong, as I will attempt to show. I don't quite understand your second sentence.

As to your final point however, you should realize the susceptibility of a PC (any PC, or home computer, including Apple's Macintosh) to a virus is several orders of magnitude greater than the average UNIX system. Certainly a true UNIX virus is possible, and given the sloppiness of the average vendor these days, one could easily get out. However, I'd suggest that it would be rare that such a virus would be contagious. Binaries just aren't often moved or shared between UNIX systems, and the software distribution hierarchy is entirely different. This is changing with the increasing use of workstations on networks though...and you can't really blame the network for this "flaw".

> I do not think my accounts were nuked due to network flaw: Very
> unfortunately, there are several cracker activities reported to be originated
> at OCF. And my password was secure enough for your standard, the string as
> complicated as intercal syntax!

I don't know how your site is related to OCF, but if they share a network cable, then yes, you can indeed blame the network....

> It's not that hard today to obtain a UNIX account. And if you can
> crack one site, it's likely the site includes users with other remote accounts,
> which is exactly my case, and crack others--chain reaction also appeared in
> "Cuckoo's Egg". I don't like NORAD-like security but very unfortunately human
> nature is evil and it takes evil to secure from evil.

Yes, but first you'll have to crack the passwords of the people at the "breached" site. Then you'll have to hope they use the same passwords on the target sites. Then you repeat the loop. Fortunately it is likely you'll be discovered before the second iteration, since there is still a significant lag required to break the passwords the hard way. (You'll also have to get through any "external" security the target sites may have, such as call-back or dialup passwords.) Again, the network makes this so much easier!

> In article <1752@necisa.ho.necisa.oz> boyd@necisa.ho.necisa.oz (Boyd Roberts) writes:
> >The bottom line is that password security works. Most systems aren't broken
> >into. The ones that are broken are usually compromised by some sloppy
> >(ie. networking) utility or a flawed UNIX port.
>
> But it's far more common than your wallet is stolen. Look, I'm not
> the only victim and I heard of many cases on this Berkeley alone. And UNIX
> is still not common enough to attract people's attention--Internet virus
> case and Cuckoo's Egg case attracted people because it was military security
> related, not because of fame of UNIX. I think I have seen too many cases
> of insecurity considering still small size of UNIX community. And this will
> get but more serious as UNIX gains its popularity. We'd better be prepared
> before it gets even messier.

Berkeley is on a network. If it were possible that the network be secure, or not exist, the breakins would be as common as those to Fort Knox. Most breaches of commercial UNIX systems are due entirely to sloppy, or non-existent, system administration.

What does the "fame" of UNIX have to do with anything? Do you think it will be a more common target if it becomes more famous? I doubt anything would raise the ratio of UNIX breakins to those of other types of systems. I would imagine the ratio is already quite high. UNIX is already quite famous in the cracker community.

UNIX is fundamentally quite "secure" (in the common definition). It does not, however, have mandatory security by default. UNIX makes it easy for you to disable any security features, sometimes by accident.

Networks are fundamentally quite insecure. They are designed to provide open and easy access to "remote" resources.
--
Greg A. Woods
woods@{robohack,gate,eci386,tmsoft,ontmoh}.UUCP
+1 416 443-1734 [h] +1 416 595-5425 [w] VE3-TCP Toronto, Ontario; CANADA
les@chinet.chi.il.us (Leslie Mikesell) (06/07/90)
In article <1990Jun5.152004.15873@agate.berkeley.edu> dankg@volcano.Berkeley.EDU (Dan KoGai) writes:
>>Dan, my man you seem to have jumped to the conclusion that UNIX isn't
>>secure because someone broke into your account and blew away your files.
> Unix is at very least insecure enough to make me sleep in nightmare.
>I got several mails and some of them are raped even harder.

The usual protection against losing files either due to accidents or malicious removal is to keep backups. Doesn't your site maintain some reasonably current tape copies of everything? I also try to keep copies of files that are personally valuable on PC floppies which at the moment are the ultimate in portable media. All you really need is access to a PC, modem, and dial-up port to transfer to/from just about anything.

Les Mikesell
les@chinet.chi.il.us
boyd@necisa.ho.necisa.oz (Boyd Roberts) (06/08/90)
In article <1990Jun5.152004.15873@agate.berkeley.edu>, dankg@volcano.Berkeley.EDU (Dan KoGai) writes:
> In article <1752@necisa.ho.necisa.oz> boyd@necisa.ho.necisa.oz (Boyd Roberts) writes:
>
> >So Dan, a piece of advice:
> >
> >    $@$*$H$7$^$((J $@$*(J $@$D$1$F(J!
>      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ESC is dropped, yet another flaw of
>      netnews system
>

No, guess again.

Iie chigaimasu, ESC ga arimasen deshita.

Boyd Roberts boyd@necisa.ho.necisa.oz.au

``When the going gets weird, the weird turn pro...''
dankg@tornado.Berkeley.EDU (Dan KoGai) (06/08/90)
In article <1990Jun7.161215.27328@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
>The usual protection against losing files either due to accidents or
>malicious removal is to keep backups. Doesn't your site maintain
>some reasonably current tape copies of everything? I also try to keep
>copies of files that are personally valuable on PC floppies which at the
>moment are the ultimate in portable media. All you really need is access
>to a PC, modem, and dial-up port to transfer to/from just about anything.

One of my accounts did: Not this OCF account. But losing files are rather small problems. What if your root password is illegally changed by someone else? If so unless you can replace /etc/passwd or yp, you can't get back to root again (replace whole disk with carbon-copy image of previous backup?). Of course you can do it by replacing whole disk but it's a hardware solution and not very efficient.

My case is not just accident. The moron showed me capability of doing even nastier things. So backup is not a solution of cracker and never intended to be: cracker is not an accident and we are not supposed to confuse accident and felony.

As long as we depend on crypt() to encrypt password and password file is open to public, unix can never be secure enough--I wrote a 10-line C code to crack it and successfully found my own password (Thank god this method doesn't apply on Apollo where my OCF account resides but works any with /etc/passwd. And easily extendable to yp). It took horrible time but this kind of time is nothing compared to the prize it guarantees).

I'm not at all UNIX guru but all I needed was how password protection was implemented and decent C knowledge--both accessible. We should at very least separate encrypted password from finger entries. And if possible, replace dummy crypt() with something else--we don't need much speed for login process, do we?

----------------
____ __ __ + Dan The "Hackn' Scared" Man
||__||__| + E-mail: dankg@ocf.berkeley.edu
____| ______ + Voice: +1 415-549-6111
| |__|__| + USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
|___ |__|__| +
|____|____ + if (!strcmp(cryptpass, crypt(pass, cryptpass)))
\_| | + You_Are_Toast();
jik@athena.mit.edu (Jonathan I. Kamens) (06/09/90)
In article <1990Jun8.154523.5102@agate.berkeley.edu>, dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
|> One of my accounts did: Not this OCF account. But losing files
|> are rather small problems. What if your root password is illegally changed
|> by someone else? If so unless you can replace /etc/passwd or yp, you can't
|> get back to root again (replace whole disk with carbon-copy image of previous
|> backup?).

Please do not try to post authoritatively about things concerning which you are not an authority.

There are very few Unix systems on which a system administrator with the necessary access can't log on as the superuser, even if he doesn't know the root password, as long as the machine is intact enough to boot into single-user mode.

|> As long as we depend on crypt() to encrypt password and password file
|> is open to public, unix can never be secure enough--I wrote a 10-line C code
|> to crack it and successfully found my own password (Thank god this method
|> doesn't apply on Apollo where my OCF account resides but works any with
|> /etc/passwd. And easily extendable to yp). It took horrible time but this
|> kind of time is nothing compared to the prize it guarantees).

I am becoming more and more convinced that you're flaming without much justification about something about which you know little, and frankly, it's getting a little irritating.

Well-chosen passwords *are* secure enough in almost all situations, even when the /etc/passwd file is world-readable. The fact that you wrote a C program to crack passwords and it successfully found yours just means that your password was not well-chosen. You can't blame Unix for that.

|> I'm not at all UNIX guru but all I needed was how password protection
|> was implemented and decent C knowledge--both accessible. We should at very
|> least separate encrypted password from finger entries. And if possible,
|> replace dummy crypt() with something else--we don't need much speed for
|> login process, do we?

Actually, I consider fast log-in time to be one of the most important features in any given system.

Jonathan Kamens                  USnail:
MIT Project Athena               11 Ashford Terrace
jik@Athena.MIT.EDU               Allston, MA 02134
Office: 617-253-8495             Home: 617-782-0710
dankg@tornado.Berkeley.EDU (Dan KoGai) (06/11/90)
In article <1990Jun8.175747.18776@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
> I am becoming more and more convinced that you're flaming without much
>justification about something about which you know little, and frankly,
>it's getting a little irritating.

All I know is I became victim and there are a lot others. And it's not that hard to overcome crypt(). I admit I know too little to become a security expert. But it doesn't take a wizard to know every single file I had were brutally deleted. Are you still saying I am just flaming? if you stop me or people like me from what you call flaming, Give us secure system for first place so I don't have to post something like this anymore, period!

> Well-chosen passwords *are* secure enough in almost all situations,
>even when the /etc/passwd file is world-readable. The fact that you
>wrote a C program to crack passwords and it successfully found yours
>just means that your password was not well-chosen. You can't blame Unix
>for that.

I think my password was well-chosen: It is hardly English or any other language, with Uppercase and Numbers. My previous one was very random also. Yet my 10-line (now 20 and can handle even more complex cases) successfully found it: I didn't use /usr/dict/words or any sort at all.

> Actually, I consider fast log-in time to be one of the most important
>features in any given system.

Provided it's secure enough. UNIX is not. I'm not very exceptionally rare victims. I know a lot of even severe cases broken harder, which are protected with UNIX experts. How many victims do we need to convince you guys that today's UNIX needs major upgrade of security? Well, even after Stockton Massacre, this country allows us to have guns without any license. maybe asking Americans for security is never secure enough for 1st place.

----------------
____ __ __ + Dan The "Just one of many victims" Man
||__||__| + E-mail: dankg@ocf.berkeley.edu
____| ______ + Voice: +1 415-549-6111
| |__|__| + USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
|___ |__|__| +
|____|____ + if (!strcmp(cryptpass, crypt(pass, cryptpass)))
\_| | + You_Are_Toast();
jrh@mustang.dell.com (James Howard) (06/11/90)
Dan KoGai writes:
> All I know is I became victim and there are a lot others.

[ much whining deleted ]

> How many victims do we need to convince you
> guys that today's UNIX needs major upgrade of security? Well, even after
> Stockton Massacre, this country allows us to have guns without any license.
> maybe asking Americans for security is never secure enough for 1st place.
>
> ----------------
> ____ __ __ + Dan The "Just one of many victims" Man
> ||__||__| + E-mail: dankg@ocf.berkeley.edu
> ____| ______ + Voice: +1 415-549-6111
> | |__|__| + USnail: 1730 Laloma Berkeley, CA 94709 U.S.A
> |___ |__|__| +
> |____|____ + if (!strcmp(cryptpass, crypt(pass, cryptpass)))
> \_| | + You_Are_Toast();

Here is a quote that seems appropriate, although I do not remember the source:

Even the truly paranoid have real enemies.

flames > /dev/null

---------------------------------------------------------
James Howard Dell Computer Corp. jrh@mustang.dell.com
The opinions expressed are my own, and not necessarily those of my employer.
---------------------------------------------------------
jik@athena.mit.edu (Jonathan I. Kamens) (06/12/90)
In article <1990Jun10.183417.6226@agate.berkeley.edu>, dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
|> All I know is I became victim and there are a lot others. And it's
|> not that hard to overcome crypt(). I admit I know too little to become
|> a security expert. But it doesn't take a wizard to know every single file
|> I had were brutally deleted. Are you still saying I am just flaming?
|> if you stop me or people like me from what you call flaming, Give us secure
|> system for first place so I don't have to post something like this anymore,
|> period!

As I, and several other people, have already pointed out, it *is* sufficiently hard to overcome crypt() if your password is well chosen. One of the reasons I said in a previous posting that I don't think you know what you're talking about is that you keep on claiming that crypt() is easy to break, when in fact it isn't.

Your files were removed because you had a .netrc file with a plaintext password in it. That has nothing to do with crypt(). As someone else has already pointed out, it is incredibly stupid to put any password which you don't want other people to know into your .netrc file. The fact that you did so has nothing at all to do with whether or not crypt() is secure.

|> I think my password was well-chosen: It is hardly English or
|> any other language, with Uppercase and Numbers. My previous one was very
|> random also. Yet my 10-line (now 20 and can handle even more complex cases)
|> successfully found it: I didn't use /usr/dict/words or any sort at all.

Your password may very well have been well-chosen. That's completely irrelevant to the argument of whether or not crypt() is adequate, since the way your account was broken into was by someone who read your .netrc file, not by someone who cracked your password by encryption.

|> Provided it's secure enough. UNIX is not. I'm not very exceptionally
|> rare victims. I know a lot of even severe cases broken harder, which are
|> protected with UNIX experts. How many victims do we need to convince you
|> guys that today's UNIX needs major upgrade of security? Well, even after
|> Stockton Massacre, this country allows us to have guns without any license.
|> maybe asking Americans for security is never secure enough for 1st place.

I am fully in agreement with the claim that Unix security needs to be enhanced in many areas. I just don't think that what happened to you is any sort of good example of why this is so, and I still think that what happened to you is more your fault than it is the fault of Unix. Or, at most, the fault of Unix documentation and of the people who run your site for not telling you not to put important passwords in the .netrc file.

Finally, I think your argument about guns is bogus and irrelevant. Even after a guy with a can of gasoline burned down a nightclub and killed something like 80 people (someone feel free to correct me if I'm wrong), many more people than were killed and injured at Stockton, this country allows us to have gasoline without any license. Figure that out.

Jonathan Kamens                  USnail:
MIT Project Athena               11 Ashford Terrace
jik@Athena.MIT.EDU               Allston, MA 02134
Office: 617-253-8495             Home: 617-782-0710
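The post above attributes the break-in to a .netrc holding a plaintext password that another user could read. As an added example (not code from any poster in this thread), the following audit lists which entries in a .netrc store a password and whether the file mode lets group or other users reach it; the host names, logins and sample file contents are constructed.

```python
import os
import stat
import tempfile

# Constructed sample; none of these hosts, logins or passwords are real.
SAMPLE_NETRC = """\
machine ftp.example.edu login dan password NotARealSecret1
machine archive.example.org
    login anonymous
    password guest@example.edu
macdef init
password this-line-is-macro-text
cd /pub

default login anonymous
"""


def parse_netrc(text):
    """Return [(machine, login, has_password)]; secrets are never kept."""
    tokens = []
    in_macro = False
    for line in text.splitlines():
        if in_macro:
            # A macdef body runs until the first blank line.
            in_macro = bool(line.strip())
            continue
        words = line.split()
        if "macdef" in words:
            words = words[: words.index("macdef")]
            in_macro = True
        tokens.extend(words)

    entries = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "machine" and nxt is not None:
            entries.append([nxt, None, False])
            i += 2
        elif tok == "default":
            entries.append(["default", None, False])
            i += 1
        elif tok in ("login", "password", "account") and nxt is not None:
            if entries and tok == "login":
                entries[-1][1] = nxt
            elif entries and tok == "password":
                entries[-1][2] = True  # record presence only, not the value
            i += 2
        else:
            i += 1
    return [tuple(e) for e in entries]


def audit_netrc(path):
    """Return human-readable findings for one .netrc file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_netrc(fh.read())

    findings = []
    stored = [(m, l) for m, l, has_pw in entries if has_pw]
    for machine, login in stored:
        findings.append(
            f"plaintext password stored for {login or '?'}@{machine}"
        )
    # Any group/other permission bit exposes the stored passwords.
    if stored and mode & 0o077:
        findings.append(
            f"mode {mode:04o} lets group/other access the file; use 0600"
        )
    return findings


if __name__ == "__main__":
    # Demonstrate on a temporary copy of the constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc-sample")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NETRC)
        os.chmod(path, 0o644)
        for finding in audit_netrc(path):
            print(finding)
```
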
woods@robohack.UUCP (Greg A. Woods) (06/12/90)
In article <1990Jun10.183417.6226@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
> In article <1990Jun8.175747.18776@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>
> > I am becoming more and more convinced that you're flaming without much
> >justification about something about which you know little, and frankly,
> >it's getting a little irritating.
>
>[....] Are you still saying I am just flaming?
> if you stop me or people like me from what you call flaming, Give us secure
> system for first place so I don't have to post something like this anymore,
> period!

Whoa! Jonathan is absolutely right! You aren't just flaming though, you're whining, and beginning to annoy at least me....

If you were to have a system secure enough not to have to worry again, you'd never be posting from it, nor reading and/or sending mail on it. The only truly secure system is a physically isolated system, with properly administered physical security policies.

I would even go so far as to suggest that you would not be running news on an even moderately secure UNIX system. Mail is a bit safer. Networking (eg. with things such as NFS, or even SMTP) is much more dangerous.

> I think my password was well-chosen: It is hardly English or
> any other language, with Uppercase and Numbers. My previous one was very
> random also. Yet my 10-line (now 20 and can handle even more complex cases)
> successfully found it: I didn't use /usr/dict/words or any sort at all.

OK, I'll believe you. However, you did mention that it took quite a bit of horsepower to crack. Mind telling us just how much? Was your algorithm tainted towards the pattern employed in your password? Was your programme actually used by an outside party to crack your own password?

Meanwhile, do you have proof your password was compromised? If not, have you considered again that it may have been a security violation through the network, or perhaps in a poorly designed application which allowed the compromise. It may even have been an "inside" job by some other "authorized" user of your system.

Again, I must also resurrect the question of why your files weren't on backup media, ready to be restored in event of disaster. (I apologize if they were, but in that case, what are you crying about?)

> > Actually, I consider fast log-in time to be one of the most important
> >features in any given system.
>
> Provided it's secure enough. UNIX is not. I'm not very exceptionally
> rare victims. I know a lot of even severe cases broken harder, which are
> protected with UNIX experts. How many victims do we need to convince you
> guys that today's UNIX needs major upgrade of security? [....]

And how many times do we have to tell you that the responsibility for UNIX security lies with the administrator. UNIX, in and of itself, can be made quite secure. I believe the official rating of a carefully maintained and only slightly modified system can reach C2 (per "the Orange Book"). Certainly the "objects" deemed important by a commercial user can indeed be monitored easily enough to maintain a C2 rating.

Personally I do not see a great philosophical gain in the efforts by such vendors as AT&T to create an even more secure UNIX system (i.e. B2). [Yes, "today's UNIX" is, and has been for quite some time, getting a major security upgrade.] I don't feel the implementation of B2-secure UNIX systems maintains either the spirit of UNIX, or even the spirit of POSIX. Such things are only done to attract those who are already entrapped by the red tape of the existing security establishment. The great majority of both industry and government applications do not require such measures, and would not require them even if the threat of crackers was much greater than it really is. Proper administration of these systems, which is even more critical with the added security features of these systems, will provide adequate security in most cases.

No system can be considered secure unless there is a security policy that is enforced outside of the system itself. The system can be no more secure than the environment in which it operates. The proper administration of a sufficient security policy to maintain a B2 level system is far beyond the capabilities of most "users" of UNIX.
--
Greg A. Woods
woods@{robohack,gate,eci386,tmsoft,ontmoh}.UUCP
+1 416 443-1734 [h] +1 416 595-5425 [w] VE3-TCP Toronto, Ontario; CANADA
dennis@bailey.cpac.washington.edu (Dennis Gentry) (06/12/90)
In article <1990Jun10.183417.6226@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai) writes:

> It's not that hard to overcome crypt().

There are no published easy methods of overcoming crypt(). If
you have found one, I would like to help you co-author a paper.

> I think my password was well-chosen: It is hardly English or any
> other language, with Uppercase and Numbers. My previous one was
> very random also. Yet my 10-line (now 20 and can handle even
> more complex cases) successfully found it: I didn't use
> /usr/dict/words or any sort at all.

Again, I would be extremely surprised if your 20 line program
can successfully find well chosen passwords at any reasonable
rate (say one per year on a fast workstation). Also, it is easy
for a good system administrator to change the original string
being encrypted so that remote password attacks are much more
difficult. Dan, would you be willing to mail me your 20 line
program for analysis? If you are not, I'd still believe you if
you can find my password. Here is my password entry. (If
any of you besides Dan crack my password, please let me know by
sending e-mail.)

dennis:H3MsMYv9Jed8Y:100:10:Dennis Gentry:/u/dennis:/bin/csh

Thanks,
Dennis
dennis@cs.washington.edu
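Several posts in this thread turn on the fact that a traditional /etc/passwd record keeps the crypt() output in the same world-readable line as the finger (GECOS) information, and that shadow password files remove it from there. As an added example (not code from any poster), this auditor parses passwd-format records and reports which accounts still expose a hash or have no password at all; the first sample record is the entry quoted in the post above, the others are constructed, and the status names are this example's own.

```python
import re

# Traditional crypt(3) output: 2 salt characters followed by 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# First record is the entry quoted in the post above; the rest are constructed.
SAMPLE_PASSWD = """\
dennis:H3MsMYv9Jed8Y:100:10:Dennis Gentry:/u/dennis:/bin/csh
alice:x:101:10:Alice Example,Room 12,555-0100:/u/alice:/bin/sh
guest::102:10:Guest Account:/u/guest:/bin/sh
daemon:*:1:1::/:
broken:line:with:too:few
"""


def classify_pw_field(field):
    """Classify the second field of a passwd record."""
    if field == "":
        return "empty"              # account can be entered with no password
    if field == "x":
        return "shadowed"           # hash lives in a root-only shadow file
    if field.startswith(("*", "!")):
        return "locked"             # no valid hash, password login disabled
    if DES_CRYPT.match(field):
        return "des-crypt-exposed"  # classic 13-character crypt() string
    if field.startswith("$"):
        return "hash-exposed"       # modular-crypt hash kept in passwd
    return "unrecognized"


def audit_passwd(text):
    """Return [(user, status, detail)] for every record in passwd text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            results.append((fields[0], "malformed",
                            f"line {lineno}: expected 7 fields, "
                            f"got {len(fields)}"))
            continue
        user, pw, _uid, _gid, gecos, _home, _shell = fields
        status = classify_pw_field(pw)
        if status == "des-crypt-exposed":
            detail = (f"salt {pw[:2]!r}; hash shares a world-readable "
                      f"record with finger info {gecos!r}")
        elif status == "hash-exposed":
            detail = "hash readable by every local user"
        elif status == "empty":
            detail = "no password set"
        else:
            detail = ""
        results.append((user, status, detail))
    return results


def needs_action(results):
    """Users whose record exposes a hash or has no password."""
    bad = {"des-crypt-exposed", "hash-exposed", "empty"}
    return [user for user, status, _ in results if status in bad]


if __name__ == "__main__":
    for user, status, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:8} {status:18} {detail}")
```
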
volpe@underdog.crd.ge.com (Christopher R Volpe) (06/12/90)
In article <1990Jun12.012339.12779@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>
>In article <1990Jun10.183417.6226@agate.berkeley.edu>,
>dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
>
>|> I think my password was well-chosen: It is hardly English or
>|> any other language, with Uppercase and Numbers. My previous one was very
>|> random also. Yet my 10-line (now 20 and can handle even more complex cases)
>|> successfully found it: I didn't use /usr/dict/words or any sort at all.
>
> Your password may very well have been well-chosen. That's completely
>irrelevant to the argument of whether or not crypt() is adequate, since
>the way your account was broken into was by someone who read your .netrc
>file, not by someone who cracked your password by encryption.
>

Wait a minute. It sounds to me like Dan is claiming that with a 10 (or 20) line C program, he was able to find an arbitrary password (with uppercase and numerals) via encryption. Yes, it's true, that his account was broken into by someone who read the password from the .netrc file, but that has nothing to do with his claim. He says he didn't use /usr/dict/words or any sort of [word list] at all, which implies something along the lines of an exhaustive search. I find that highly unlikely, considering that the password encryption mechanism is an implementation of DES, which uses a 56 bit key. A brute force search of the keyspace is pretty unfeasible. Perhaps I misunderstood the claim.

============================
Chris Volpe
Computer Scientist
G.E. Corporate Research and Development
volpecr@crd.ge.com
boyd@necisa.ho.necisa.oz (Boyd Roberts) (06/13/90)
In article <1990Jun10.183417.6226@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai) writes:
>
> All I know is I became victim and there are a lot others. And it's
>not that hard to overcome crypt(). I admit I know too little to become
>a security expert.

Exactly.

Dan, this is comp.unix.questions, not comp.unix.bitching. Move the discussion to alt.flame and give this group a rest. It is obvious from your postings that paranoia is the driving force behind them. Enough!

Boyd Roberts boyd@necisa.ho.necisa.oz.au

``When the going gets weird, the weird turn pro...''
edp@east.sun.com (Ed Pendzik {Prof Services} Sun Rochester) (06/13/90)
In article <1990Jun10.183417.6226@agate.berkeley.edu> dankg@tornado.Berkeley.EDU (Dan KoGai)

> How many victims do we need to convince you
> guys that today's UNIX needs major upgrade of security? Well, even after
> Stockton Massacre, this country allows us to have guns without any license.
> maybe asking Americans for security is never secure enough for 1st place.

please show how a lunatic in CA has anything to do with computer security.
despite his criminal record and tough CA gun laws he had no problems legally
buying firearms. this was a breakdown of the CA legal system.

Ed Pendzik
kdq@demott.COM (Kevin D. Quitt) (06/14/90)
In article <EDP.90Jun13093936@pertsovka.east.sun.com> edp@east.sun.com (Ed Pendzik {Prof Services} Sun Rochester) writes:
>
>please show how a lunatic in CA has anything to do with computer security.

OOH! OOH! I KNOW!

Somebody broke into his account, and deleted all his files, and he didn't have a backup, so...

8-{)}
--
 _
Kevin D. Quitt Manager, Software Development 34 12 N 118 27 W
DeMott Electronics Co. 14707 Keswick St. Van Nuys, CA 91405-1266
VOICE (818) 988-4975 FAX (818) 997-1190 MODEM (818) 997-4496 Telebit PEP last
demott!kdq kdq@demott.com

96.37% of the statistics used in arguments are made up.