Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbnewsh!wcs
From: wcs@cbnewsh.att.com (Bill Stewart 908-949-0705 erebus.att.com!wcs)
Newsgroups: comp.org.eff.talk
Subject: Re: Allow students to run password guessers? Was: Re: Student suspen...
Message-ID: <1991Jun24.215653.20646@cbnewsh.att.com>
Date: 24 Jun 91 21:56:53 GMT
References: <1991Jun23.231749.25498@murdoch.acc.Virginia.EDU> <1991Jun24.041435.5423@athena.cs.uga.edu> <1991Jun24.151726.16361@murdoch.acc.Virginia.EDU>
Organization: AT&T Bell Labs Special Services Division
Lines: 44

In article <1991Jun24.151726.16361@murdoch.acc.Virginia.EDU> gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl) writes:
GL> Second, it seems to me (and I'm hardly a lawyer) that it's entirely
GL> legal for anyone to obtain another's password, as long as they don't
GL> intend to do anything nasty with it. It would be much more effective

The law that Bill Cook and gang have been playing with lately defines an "access device" as a list of things including passwords, and makes unauthorizedly possessing more than some number like 15 of them a Federal Crime. (I'm not a lawyer, but I play a politician on TV; I'm not sure if I've still got my notes of Bill Cook's talk.) I'm not sure if the law covers intent, but if they can raid you for explaining Kermit (a'la SJG), *I* wouldn't want to risk the MAJOR expense of having to defend myself against bogus charges. Intent is in the eye of the beholder, and Big Brother's been getting this evil gleam in his ...

MC> I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,

No, but it's certainly worth upgrading your passwd program to insist on minimally hard-to-guess passwords. System V has had this for years, and it shouldn't be hard to write a public-domain version if you can't get your operating system vendor to do it for you.

The only mildly ugly parts are the password-aging code (RTFM carefully), making sure you don't expose the new password in your argv's if you're doing a spell check, using the correct flavor of shadow password file for your system, and doing a better locking mechanism than the current one. A nice benefit would be to make the triviality-checking table-driven, if you can express the requirements cleanly, but publishing source will do. That way, when COPS v3 or ROBBERS v2 comes out, you can update your standards.

]>Even the Free Software Foundation notices if you call "crypt" more than a
]"professional" cracker doesn't use the system crypt() anyway, so

And the cracker version would be named "gnuemacs" or "chem321", or "irc_client" if it's trying to break systems across the net.

-- 
Pray for peace; Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# No, that's covered by the Drug Exception to the Fourth Amendment.
# You can read it here in the fine print.
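The post's suggestion of a table-driven triviality check for a passwd replacement, worked through as an added example (this is not code from the post or from any System V or public-domain passwd; the rule table, the `check_password` and `rule_*` names, and the tiny built-in word list are all constructed here). Each requirement is one entry in a table pairing a predicate with the reason reported to the user, so tightening the standard later means adding a row rather than rewriting the checker. The dictionary test is done in-process against an embedded list rather than by exec'ing a spell checker, which is also how you avoid the argv exposure the post warns about.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 256
#define MIN_LEN 8

/* One row of the triviality table: a predicate that returns nonzero when the
 * candidate is acceptable under this rule, plus the reason shown on rejection. */
struct rule {
    const char *reason;
    int (*ok)(const char *pw, const char *login);
};

/* Lower-case copy of src into dst (at most n-1 chars), for case-insensitive tests. */
static void lower_copy(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static int rule_min_len(const char *pw, const char *login) {
    (void)login;
    return strlen(pw) >= MIN_LEN;
}

/* Require at least two of: lower case, upper case, digits, anything else. */
static int rule_char_classes(const char *pw, const char *login) {
    int lower = 0, upper = 0, digit = 0, other = 0;
    (void)login;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other >= 2;
}

/* Reject any password containing the login name, forwards or reversed, any case. */
static int rule_not_login(const char *pw, const char *login) {
    char lpw[PW_MAX], llog[PW_MAX], rlog[PW_MAX];
    size_t i, n;
    lower_copy(lpw, pw, sizeof lpw);
    lower_copy(llog, login, sizeof llog);
    n = strlen(llog);
    if (n == 0)
        return 1;               /* no login to compare against */
    for (i = 0; i < n; i++)
        rlog[i] = llog[n - 1 - i];
    rlog[n] = '\0';
    return strstr(lpw, llog) == NULL && strstr(lpw, rlog) == NULL;
}

/* Constructed stand-in for a real dictionary; a deployment would embed or
 * load a much larger list. Trailing digits are stripped first so that
 * "Password1" is still caught as "password". */
static const char *const trivial_words[] = {
    "password", "secret", "welcome", "qwerty", "letmein", "computer", NULL
};

static int rule_not_dictionary(const char *pw, const char *login) {
    char lpw[PW_MAX];
    size_t n;
    const char *const *w;
    (void)login;
    lower_copy(lpw, pw, sizeof lpw);
    n = strlen(lpw);
    while (n > 0 && isdigit((unsigned char)lpw[n - 1]))
        lpw[--n] = '\0';
    for (w = trivial_words; *w; w++)
        if (strcmp(lpw, *w) == 0)
            return 0;
    return 1;
}

/* The table itself: order is the order the reasons are reported in. */
static const struct rule rules[] = {
    { "too short (minimum 8 characters)",                      rule_min_len },
    { "must mix at least two character classes",               rule_char_classes },
    { "must not contain the login name (forwards or reversed)", rule_not_login },
    { "matches a trivial dictionary word",                     rule_not_dictionary },
};

/* Returns NULL if the candidate passes every rule, else the first failing reason. */
const char *check_password(const char *pw, const char *login) {
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (!rules[i].ok(pw, login))
            return rules[i].reason;
    return NULL;
}

int main(void) {
    /* Constructed candidates for the (hypothetical) login "wcs". */
    const char *cands[] = { "short", "abcdefgh", "wcs12345", "Password1", "Tr0ub4dor&3" };
    size_t i;
    for (i = 0; i < sizeof cands / sizeof cands[0]; i++) {
        const char *why = check_password(cands[i], "wcs");
        printf("%-12s %s\n", cands[i], why ? why : "accepted");
    }
    return 0;
}
```

In a real passwd replacement the candidate would arrive from a no-echo terminal read and be wiped from memory after the check; the point of the table is that the policy lives in one place and can be republished as source when the standard needs raising.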