Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!boingo.med.jhu.edu!haven.umd.edu!mimsy!prometheus!media!ka3ovk!barn!hoptoad!fidogate!f111.n125.z1.FIDONET.ORG!tom.jennings
From: tom.jennings@f111.n125.z1.FIDONET.ORG (tom jennings)
Newsgroups: comp.org.eff.talk
Subject: stealing passwords is easy!
Message-ID: <14715.2845348B@fidogate.FIDONET.ORG>
Date: 29 May 91 21:41:30 GMT
Sender: ufgate@fidogate.FIDONET.ORG (newsout1.26)
Organization: FidoNet node 1:125/111 - Fido Software, San Francisco CA
Lines: 52

Getting lists of high-privilege passwords to systems is all too easy. Here's one method that was used a few years ago in the BBS world. It doesn't rely on technics, so it will still work today.

It's 1985. The hint that something was wrong was hearing of bizarre behavior from otherwise rational, well-known people. Stolen software, crashing systems, etc. The kind of thing where, when you hear it, you doubt the teller of the story. The stories persisted, however, over a period of a few months.

Finally, after a series of incidents (I forget particulars -- but it involved crashed/formatted drives, that sort of maliciousness), as frequently happens, the perpetrator did one too many and their scam collapsed. The unravelling was convoluted and I don't remember it, so I'll tell it unravelled:

This person set up a BBS, advertised it well on other BBSs, enticing them with the usual attractions. A few months later the BBS disappeared, a very common occurrence. Some interval after that is when the trouble began.

When his BBS was up, as is customary, each caller entered their name, password, and other info. Relying on the fact that most people are lazy and use very few different passwords on the systems they call, he looked through his caller file and picked out the names of other sysops and well-known & respected callers. He then called other BBSs and tried to log in as some of them. Some fraction of them worked.

It was and is typical for sysops to give other sysops very high privileges on their own systems. I do this now with one or two people. It's a common practice. So he hit the occasional jackpot -- full system privileges on one or two (maybe more) other systems. Then he downloaded *those* caller files. (The beginning of the end was a sysop finding a caller-file download in a log.) Using the same method of calling other BBSs, he was able to get a very strong cross-list of sysop names and hi-priv passwords.

MOST IMPORTANTLY -- if he hadn't been so stupid, he could have had a powerful source of information, probably for years, undetectable until someone looked, and he could have even edited log files. Lucky for us he got greedy and stupid and was caught.

You can draw your own conclusions!

--
tom jennings - via FidoNet node 1:125/777
UUCP: ...!uunet!hoptoad!fidogate!111!tom.jennings
INTERNET: tom.jennings@f111.n125.z1.FIDONET.ORG