Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!qt.cs.utexas.edu!zaphod.mps.ohio-state.edu!mips!pacbell.com!tandem!zorch!ditka!mcdchg!ddsw1!karl
From: karl@ddsw1.MCS.COM (Karl Denninger)
Newsgroups: comp.org.eff.talk
Subject: Re: Allow students to run password guessers?
Summary: Password guessers
Message-ID: <1991Jun28.034132.10736@ddsw1.MCS.COM>
Date: 28 Jun 91 03:41:32 GMT
References: <1991Jun23.231749.25498@murdoch.acc.Virginia.EDU> <1991Jun24.041435.5423@athena.cs.uga.edu> <1991Jun28.033536.10048@ddsw1.MCS.COM>
Organization: Macro Computer Solutions, Inc., Wheeling, IL
Lines: 35

In article <1991Jun28.033536.10048@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William Vajk) writes:
>
>If the system administrator does his job and runs cops, or more advanced
>renditions of the theme, then the problem is no longer a problem.

Correct.  You'll find COPS is not only online here, but in the local binary
area where ANYONE can run it -- and be quite sure how secure the system is
(hint: I'm good!  You ain't getting in via any of the COPS-detected paths)

>If the system administrator installs the shadow password software, then
>the problem no longer exists at all.

True as well.  Anyone running WITHOUT shadow passwords these days deserves
whatever they get (flames on this to /dev/null, there ARE PD login programs
out there for those without source, most of which support shadow
passwords).

If you were at the Winter Usenix you would have heard the speech about
easily-built hardware ($2k or so) that could guess a password in something
like a few hours.  That makes the ONLY defense against this kind of hackery
hiding the file where people can't read it!

>It seems as though you're willing to stand there and defend that /etc/passwd
>file with a pick handle (shades of Lester Maddox, dontcha know) instead of 
>closing that hole as a prudent man would do.

Of course!  To close the hole would require that the admin do his or her
job!  

What a concept -- doing one's job.

--
Karl Denninger (karl@ddsw1.MCS.COM, <well-connected>!ddsw1!karl)
Public Access Data Line: [+1 708 808-7300], Voice: [+1 708 808-7200]
Anon. arch. (nuucp) 00:00-06:00 C[SD]T, req: /u/public/sources/DIRECTORY/README