Newsgroups: comp.org.eff.talk
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!infonode!ingr!b11!b11.ingr.com!craig
From: craig@b11.ingr.com (Craig Presson)
Subject: Re: Allow students to run password guessers?
Message-ID: <1991Jun24.195854.10334@b11.ingr.com>
Sender: @b11.ingr.com
Organization: Unix System Management Tools, Intergraph Corp.
References: <1991Jun24.041435.5423@athena.cs.uga.edu> <44260@fmsrl7.UUCP> <1991Jun24.173743.11003@Firewall.Nielsen.Com>
Date: Mon, 24 Jun 91 19:58:54 GMT
Lines: 104

In article <1991Jun24.173743.11003@Firewall.Nielsen.Com>, kdenning@genesis.Naitc.Com (Karl Denninger) writes:
|> In article <44260@fmsrl7.UUCP> wreck@fmsrl7.UUCP (Ron Carter) writes:
|> >In article <1991Jun24.041435.5423@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
|> >>This is getting ridiculous. Our policy is that students are *not* allowed
|> >>to obtain passwords without the consent of the password owner, by any means
|> >>whatever.
|>
|> Note, however, that COPS does NOT give you the "guessed" password. It only
|> tells you that the password was easily compromised, not WHAT it is.
|>
|> Therefore, it would be OK for me to run COPS on your systems. But you have
|> said that it isn't. Why?
|>
|> --
|> Karl Denninger - AC Nielsen, Bannockburn IL (708) 317-3285
|> kdenning@nis.naitc.com
|>
|> "The most dangerous command on any computer is the carriage return."
|> Disclaimer: The opinions here are solely mine and may or may not reflect
|> those of the company.

Below is the header from the relevant source file (this is not from the most
current COPS). The last line:

 * -p: print the password when guessed

tells a story. One can't condemn the authors for this, since it would be easy
to modify the program to do it, or just run it under an interactive debugger
(after all, a good one can execute a "macro" at a conditional breakpoint, which
accomplishes the same thing without source). In principle, with more trouble,
one could do the same thing to a stripped executable.

In any case, it seems we must assume the curious/careful user under discussion
has brought his own password guesser. Why would he trust yours if he's trying
to audit your system for security?

[Intergraph hat on] I don't know what the final answer is here, but Intergraph
and many other vendors distribute COPS (possibly adapted and augmented for the
environment) and encourage sysadmins to run it. We have it embedded in our
Distributed System Manager (DSM), which expects to be run by uid 0, so by
implication we are not encouraging non-privileged users to run it.

My own opinion [Intergraph hat off] is that sysadmins would do well to run
COPS, or their favorite equivalent, periodically and post a summary (full
output may contain sensitive stuff!) for all users to read, making it clear
that security auditing is an administrative function. I'm thinking mainly of
production and commercial sites here -- a system that serves, say, CS
researchers, might expect less of its admin.

Quote from COPS src (pass.c):

/*
 * Warning: this program burns a lot of cpu.
 */

Many thanks for the refreshing honesty :-)

/*
 * Insecure - find accounts with poor passwords
 *	Date: Tue, 29 Nov 83 18:19:32 pst
 *	From: leres%ucbarpa@Berkeley (Craig Leres)
 *	Modified by Seth Alford, Roger Southwick, Steve Dum, and
 *	Rick Lindsley for Tektronix
 */

/* [source control noise ...]
 *
 *
 * By default, this program only checks for accounts with passwords the same
 * as the login name. The following options add more extensive checking. (The
 * tradeoff is cpu time -- with all options enabled it can run into the 100's
 * of MINUTES.) Any argument that does not begin with a "-" is assumed to be
 * a file name. (A single '-' means stdin.) If no file name is given,
 * /etc/passwd is used.
 *
 * Options:
 *
 * -v: verbose -- list all guesses on stdout
 * -u: output the username on the line of the password file
 *     currently being checked. If the program stops
 *     abruptly you will then know how far it got.
 * -w file: use the list of words contained in "file" as likely
 *     passwords. Words in the file are one to a line.
 * -b: check all guesses backwards too
 * -g: use the Full Name portion of the gecos field to
 *     generate more guesses
 * -s: check the single letters a-z, A-Z, 0-9 as passwords
 * -c: with each guess, check for all-lowercase and
 *     all-uppercase versions too.
 * -n: complain about null passwords (default is to keep quiet)
 * -p: print the password when guessed
 */

--
******************************************************
** Craig Presson          pressonc@ingr.com         **
** Intergraph Corporation MS CR1104                 **
** Huntsville, AL 35894-0001 (205) 730-6176         **
** FAX: (205) 730-6011                              **
******************************************************
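The following is an added example, not COPS source and not part of the post above. It sketches a pass.c-style audit in Python to make the thread's two points concrete: the guess generation mirrors the -g/-b/-c/-s/-w/-n options described in the quoted header, and the guessed password is always known to the program (it sits in the `Finding` record, where a debugger breakpoint or a one-line change could expose it) while the report only reveals it when the `-p` equivalent is set. The passwd file, salts and passwords are constructed for the demo, and `fake_crypt` is a salted SHA-512 stand-in for the DES crypt(3) of 1991, which is not portably available from Python.

```python
"""Minimal password-guessing audit in the spirit of COPS pass.c (added example)."""
import hashlib
import re
import string
from dataclasses import dataclass
from typing import Optional


def fake_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): '$x$<salt>$<hex sha512(salt+pw)>'."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$x${salt}${digest}"


def matches(stored: str, guess: str) -> bool:
    """True when `guess` hashes to `stored` under the entry's own salt."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "x":
        return False            # locked ('*') or unknown hash field: skip
    return fake_crypt(guess, parts[2]) == stored


@dataclass
class Entry:
    login: str
    hash: str
    gecos: str


def parse_passwd(text: str) -> list[Entry]:
    """Parse 7-field passwd lines; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue
        entries.append(Entry(login=f[0], hash=f[1], gecos=f[4]))
    return entries


def guesses_for(e: Entry, words=(), gecos=False, single=False,
                backwards=False, cases=False) -> list[str]:
    """Candidate passwords mirroring pass.c's -w/-g/-s/-b/-c options."""
    cand = [e.login]                        # default check: password == login
    if gecos:                               # -g: words from the Full Name field
        full_name = e.gecos.split(",")[0]
        parts = [p for p in re.split(r"\W+", full_name) if p]
        cand += parts + ["".join(parts)]
    cand += list(words)                     # -w: caller-supplied word list
    if single:                              # -s: a-z, A-Z, 0-9
        cand += list(string.ascii_letters + string.digits)
    if backwards:                           # -b: every guess reversed too
        cand += [c[::-1] for c in cand]
    if cases:                               # -c: all-lower / all-upper variants
        cand += [c.lower() for c in cand] + [c.upper() for c in cand]
    return list(dict.fromkeys(cand))        # dedupe, keep order (saves hashing)


@dataclass
class Finding:
    login: str
    guess: Optional[str]    # None marks a null password rather than a guessed one


def audit(passwd_text: str, words=(), complain_null=False, **opts) -> list[Finding]:
    """One Finding per weak account. The guess stays in memory: withholding it
    from the report (below) is a reporting choice, not a property of the check."""
    findings = []
    for e in parse_passwd(passwd_text):
        if e.hash == "":
            if complain_null:               # -n
                findings.append(Finding(e.login, None))
            continue
        for g in guesses_for(e, words, **opts):
            if matches(e.hash, g):
                findings.append(Finding(e.login, g))
                break
    return findings


def format_report(findings: list[Finding], print_password=False) -> list[str]:
    """Render findings; the guessed password is shown only with the -p equivalent."""
    lines = []
    for f in findings:
        if f.guess is None:
            lines.append(f"Warning! null password: {f.login}")
        elif print_password:
            lines.append(f"Warning! Password Problem: Guessed: {f.login} ({f.guess})")
        else:
            lines.append(f"Warning! Password Problem: Guessed: {f.login}")
    return lines


# Constructed sample passwd file: salts and passwords are invented for the demo.
SAMPLE_PASSWD = "\n".join([
    "root:" + fake_crypt("Xq7!vR2#pLm9", "aa") + ":0:0:Charlie Root:/:/bin/sh",
    "craig:" + fake_crypt("craig", "bb") + ":101:10:Craig Presson:/u/craig:/bin/csh",
    "karl:" + fake_crypt("Denninger", "cc") + ":102:10:Karl Denninger,x3285:/u/karl:/bin/ksh",
    "ron:" + fake_crypt("nor", "dd") + ":103:10:Ron Carter:/u/ron:/bin/sh",
    "guest::104:20:Guest Account:/u/guest:/bin/sh",
    "sync:*:1:1:sync:/:/bin/sync",
])

if __name__ == "__main__":
    found = audit(SAMPLE_PASSWD, gecos=True, backwards=True, complain_null=True)
    for line in format_report(found):       # no -p: passwords are withheld
        print(line)
```

With default options only `craig` (password equal to login) is flagged; enabling the gecos and backwards checks also catches `karl` (surname from the Full Name field) and `ron` (login reversed), and `-n` reports the null password on `guest`. The locked `sync` entry is skipped because its hash field cannot be compared.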