Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!msuinfo!midway!clout!chinet!patrick
From: patrick@chinet.chi.il.us (Patrick A. Townson)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <1991Jun02.215724.25764@chinet.chi.il.us>
Date: 2 Jun 91 21:57:24 GMT
References: <14715.2845348B@fidogate.FIDONET.ORG>
Organization: Chinet - Chicago Public Access UNIX
Lines: 143

In article <14715.2845348B@fidogate.FIDONET.ORG> tom.jennings@f111.n125.z1.FIDONET.ORG (tom jennings) writes:

> Getting lists of high-privilege passwords to systems is all too easy.
> Here's one method that was used a few years ago in the BBS world. It
> doesn't rely on technics so it will still work today.
>
> It's 1985. The hint that something was wrong was hearing of bizarre
> behavior from otherwise rational, well known people. Stolen software,
> crashing systems, etc. The kind of thing when you hear it, you doubt
> the teller of the story. The stories persisted however, over a period
> of a few months.

The keyword here is the year, 1985. You must remember that the BBS world was just starting to come out of its infancy. A lot of the guys who started systems in the early 1980's were very naive in their assumptions and expectations about their fellow users. Many were/had been ham radio operators, a good-neighbor type of person willing to share his knowledge and ability freely with others.

People were just getting into 'home computers'. I've been into BBS'ing and home computers since 1979 and 1977 respectively, but most folks were not in it that early. My first regular use of a terminal connected to a computer mainframe was 1968, when it was still relatively unheard of. The BBS' were originally a way to share tech information among users, and everyone was friendly and eager to help the new people, a la ham radio and other hobbyist groups with a technical bent to them.
Passwords and a lot of security were considered unfriendly. Requiring a user to register in advance, be verified, and *then* start using the BBS was unheard of ... after all, everyone's just trying to help out, no one was on line to cause harm, etc.

Then the discussion boards came along. Bill Blue, with his PMS (People's Message System) software, was a good example of this. In the license to use PMS, he *flatly forbade* the use of passwords and pre-registration to get on line. The software did have a file of regular users, but this was to mark where they had been reading and to automatically configure the software for them each time they called, as a convenience. Bill Blue's one concession to the real world was that 'unregistered users', i.e. the ones not in the aforementioned file, had their messages run through an obscenity checker prior to posting.

And I don't mean to single him out ... his package was quite sophisticated and one of the best BBS packages of the era. But his mentality was so common, so prevalent in those days: come one, come all; everyone welcome 'cause we are all giving a helping hand; we don't question your motives in being here, etc.

I helped sysop a PMS board for a while and suggested that users should register their name, address and phone number in *private* records at the site so that they could be contacted in the event of a problem, a special event, etc ... and to prevent the possibility of an abusive message going out under their name. I caught hell for even thinking about it! All the usual excuses were presented, including the all-time great one: "This would chill their freedom of speech if they had to make themselves known, etc ..." Some users even thought the sysop had no right knowing who they were or how to contact them!! The sysop might not be trusted, etc. Well, you old-timers know the routine, all the stories, the mentality which pervaded that whole period ...
And that is the attitude we were just starting to get weaned away from by the middle 1980's ... I operated a BBS on an Apple 2+ for three years (1983-85) and had the same bunch of clowns trying to break in, pleading ignorance and copping an attitude when you caught them ... It took a lot of sysops getting burned badly, a lot of users getting defrauded by other users, etc. before finally the consensus by most responsible sysops was to begin closing the doors and requiring passwords and verification, etc. And it took a while before users began to realize that having one password on every system was no different than having all your locks keyed to one master key ... lose it and everything is up for grabs.

> When his BBS was up, as is customary each caller entered their name,
> password, other info. Relying on the fact that most people are lazy
> and use very few different passwords on the systems they call, he
> looked through his caller file and picked out the names of other
> sysops and well-known & respected callers. He then called other BBSs
> and tried to login as some of them. Some fraction of them worked.

Yeah, well if he had tried this about 1980-82, a much larger fraction would have worked ... in those days everyone had only one password for the few systems which required them at all.

> It was and is typical for sysops to give other sysops very high
> privileges on their own systems. I do this now with one or two people.
> It's a common practice.

There is no reason under the sun to give anyone privileges *that high*. Consider TBBS, with its various degrees of authority ... regular users having 10 or 15, assistant sysops and managers of the individual SIGs getting around 25 or so ... and the sysop getting 255. You can give your friends 'very high privileges' on TBBS and still give them less than 255. And at unix sites where I have an account, I would not want such privileges given to me, mainly to avoid the possibility of accusations being made later.
A couple of sites I frequent (other than chinet and eecs) have offered to give me root privileges on a 'need to use it' basis, to deal with a problem on line in the middle of the night, etc ... but then some fraud/vandalism would occur and I would get blamed! Or do you give your close friends keys to your house and your bank deposit box as well?

> So he hit the occasional jackpot -- full system privileges on one or
> two (maybe more) other systems. Then he downloaded *those* caller
> files. (The beginning of the end was a sysop finding a caller-file
> download in a log.) Using the same method of calling other BBSs he was
> able to get a very strong cross-list of sysop names and hi-priv
> passwords.

Well again, in *those days*, sysops were considered something special and different, only trying to be a good neighbor, etc. ad nauseam. Some sysops are as rotten to the core as many users, although there are more of the latter. The vast majority of both categories are decent, fine people.

> You can draw your own conclusions.

Yes you can. It cannot be stressed enough that passwords need to be changed frequently, and be difficult to guess or force. It is also important that the sysop keep accurate records of users, and have recourse to each one. Nothing cuts through the hacking and cracking as fast as a sysop knowing who is on line. A user identified is a user who does not make trouble. Anytime a sysop can pick up the phone and call a user to ask "why would you have posted the message you did when you were on line today", the sysop has one less user to worry about.

--
Patrick Townson  patrick@chinet.chi.il.us / ptownson@eecs.nwu.edu / US Mail: 60690-1570
FIDO: 115/743 / AT&T Mail: 529-6378 (!ptownson) / MCI Mail: 222-4956
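As an added illustration (not part of the original post or thread), here is the kind of log check a sysop could run for the two warning signs the thread raises: a caller-file download showing up in the log, which is what exposed the 1985 incident, and an account other than the sysop sitting at TBBS-style level 255. The log format, file names and account names are constructed for the example.

```python
"""Audit a BBS activity log for two warning signs: a download of the
caller (user) file, and an account other than the sysop holding level 255.
The log format, file names and accounts below are constructed for this
example and are not from any real BBS package."""
import re
from dataclasses import dataclass

SYSOP_LEVEL = 255                            # TBBS sysop level named in the post
CALLER_FILES = {"callers.dat", "users.dat"}  # assumed names for the caller file

# Constructed sample log, one event per line: "<user> <level> <action> [<detail>]"
SAMPLE_LOG = """\
tom 255 LOGIN
tom 255 DOWNLOAD utility.zip
guest 10 LOGIN
bob 255 LOGIN
bob 255 DOWNLOAD CALLERS.DAT
alice 25 DOWNLOAD CALLERS.DAT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z]+)(?:\s+(\S+))?$")


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def audit_log(text: str, sysop: str) -> list[Finding]:
    """Return one Finding per suspicious event, in log order.

    Over-privilege is reported once per account, the first time it is seen;
    every caller-file download is reported, whoever performed it."""
    findings: list[Finding] = []
    overprivileged_seen: set[str] = set()
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue                         # skip malformed lines rather than crash
        user, level_str, action, detail = match.groups()
        level = int(level_str)
        if level >= SYSOP_LEVEL and user != sysop and user not in overprivileged_seen:
            overprivileged_seen.add(user)
            findings.append(Finding(user, f"non-sysop account at level {level}"))
        if action == "DOWNLOAD" and detail and detail.lower() in CALLER_FILES:
            findings.append(Finding(user, f"caller-file download: {detail}"))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG, sysop="tom"):
        print(f"{finding.user}: {finding.reason}")
```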