Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!sei.cmu.edu!df
From: df@sei.cmu.edu (Dan Farmer)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <27137@as0c.sei.cmu.edu>
Date: 17 Jun 91 15:36:51 GMT
References: <27111@as0c.sei.cmu.edu> <1991Jun17.045200.31773@wpi.WPI.EDU>
Sender: netnews@sei.cmu.edu
Lines: 38

In article , ear@wpi.WPI.EDU (Eric A Rasmussen) writes:
> In article df@sei.cmu.edu (Dan Farmer) writes:
> >In article , mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
> >> OK then, if passwords aren't secret, give me yours!!!
> > Sure:
> >df:T8oOksRWnnA8Y:3271:20:Dan:/usr/users/df:/usr/local/bin/tcsh
> > Break it if you can.
> By distributing your password in encrypted form and encouraging others to
> crack it, are you guilty of the same 'crime' as that student who distributed
> his system's /etc/passwd file to a known cracker? Should any action be taken
> against you for possibly compromising the security of your system, and if so
> what?

Well, since the password is for a machine that is not on the internet,
I don't think there's much of a problem (yeah, I know, I cheated). But it
*is* an interesting point. I'm not sure if it matters, but since I make
my living on computer security and how secure passwords are, and I know
that that password is pretty much uncrackable by "normal" means -- e.g.
unless you did an exhaustive search, you'd be out of luck unless you got
"lucky" with a random statistical guess. I suppose you could certainly
make a case for it, I don't know -- perhaps since I'm an administrator for
the machine the password is from, then I'm exempt, since I would handle
any breakin problems? I suppose if my machine was somehow broken into
because of my post, I might get into trouble, although if they would need
physical access to the machine, and then passwords would be the last of
my problems.

One last point -- I haven't heard of anyone getting prosecuted (in a
legal/judicial sense) for the act of distributing password files, *unless*
some misfortune happened as a result from this, although if you were from
a classified site, you might get into serious trouble, and you could
probably get fired or suspended for distributing passwords or password
files, depending on what your site policy was. And even though Michael
Covington says that "stealing passwords is a violation of Georgia law",
I'd be surprised if this was actually true; more likely that if you use
stolen passwords to break into a system, you can get in trouble.

 -- dan