Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!rphroy!teemc!ka3ovk!barn!hoptoad!fidogate!f111.n125.z1.FIDONET.ORG!tom.jennings
From: tom.jennings@f111.n125.z1.FIDONET.ORG (tom jennings)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <14885.284ECCAC@fidogate.FIDONET.ORG>
Date: 6 Jun 91 08:41:43 GMT
Sender: ufgate@fidogate.FIDONET.ORG (newsout1.26)
Organization: FidoNet node 1:125/111 - Fido Software, San Francisco CA
Lines: 74

In article <14715.2845348B@fidogate.FIDONET.ORG> tom.jennings@f111.n125.z1.FIDONET.ORG (tom jennings) writes:

>>> Getting lists of high-privilege passwords to systems is all too easy.
>>> Here's one method that was used a few years ago in the BBS world. It
>>> doesn't rely on technics so it will still work today.

> The keyword here is the year, 1985. You must remember that the BBS world ...
> Passwords and a lot of security were considered unfriendly. Requiring a ...
> Some users even thought the sysop had no right knowing who they were or
> how to contact them!! The sysop might not be trusted, etc.

I have no arguments with this. The scam would still work, was my only point. Today, in 1991, to implement the scam, I'd simply do what other sysops do -- verify! The end result -- I'd still have their passwords! All I meant by "Draw your own conclusions" was simply that using the same password on all or many systems is a bad idea.

>>> It was and is typical for sysops to give other sysops very high
>>> privileges on their own systems. I do this now with one or two people.
>>> It's a common practice.

> There is no reason under the sun to give anyone privileges *that high*.

A rather broad statement ... as a matter of fact I can think of lots of reasons. Doesn't matter, it was merely to illustrate the kinda goodies you could get via this scam.

> Or do you give your close friends keys to your house and your bank deposit
> box as well?

Yes, as a matter of fact. (Not the bank box though! :-) There are 6 of us in our semi-cooperative household, and at least 20 other people have keys, and are welcome to come in at any time even if we are not here and make themselves welcome. (Possible realities == one per second per human at least. :-)

>>> You can draw your own conclusions.

> Yes you can. It cannot be stressed enough that passwords need to be
> changed frequently, and be difficult to guess or force. It is also

I totally agree. I still cheat once in a while. :-)

> A user identified is a user who does not make trouble. Anytime a sysop can
> pick up the phone and call a user to ask "why would you have posted the
> message you did when you were on line today", the sysop has one less user
> to worry about.

Yeeow! Thought police! Do I have to pee in a jar? Will you hold it?

--
tom jennings - via FidoNet node 1:125/777
UUCP: ...!uunet!hoptoad!fidogate!111!tom.jennings
INTERNET: tom.jennings@f111.n125.z1.FIDONET.ORG