Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/17/84; site think.ARPA
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxn!ihnp4!think!ejb
From: ejb@think.ARPA (Erik Bailey)
Newsgroups: net.micro
Subject: Re: Trojan Horse Programs
Message-ID: <4154@think.ARPA>
Date: Sat, 1-Feb-86 23:19:34 EST
Article-I.D.: think.4154
Posted: Sat Feb 1 23:19:34 1986
Date-Received: Mon, 3-Feb-86 04:54:21 EST
References: <1136@ecsvax.UUCP> <404@ism780c.UUCP>
Reply-To: ejb@think.UUCP (Erik Bailey)
Distribution: net
Organization: Thinking Machines, Cambridge, MA
Lines: 29
Summary:

In article <404@ism780c.UUCP> tim@ism780c.UUCP (Tim Smith) writes:
>>6. STRIPES.EXE. Draws an American flag but copies the remote BBS
>>   configuration to another file (STRIPES.BQS) so the uploader can
>>   call back and download all the passwords. Clever!
>
>Why aren't the passwords encrypted?

The way RBBS-PC works is that it sets up a file (RBBS-PC.DEF) which
contains the various information the sysop used to configure his system
(the name, security levels for various functions, and conferences, etc.).
One of the things in here is the sysop's password for signing on remotely.
Rather than giving 'first name/ last name', he gives 'password 1/password 2',
and it recognizes him as sysop.

If someone downloads this file (RBBS-PC normally protects the file
RBBS-PC.DEF but if it is renamed or copied...) they get THAT password,
log on as sysop, look at the other passwords, and wreak havoc.

Why are they not encrypted? Trust, probably. Ask Tom Mack (author of
RBBS-PC)...

--Erik

-- 
Erik Bailey
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Erik Bailey        -- 7 Oak Knoll           (USENET courtesy of
ihnp4!godot!ejb       Arlington, MA 02174    Thinking Machines Corp.
ejb@think.com.arpa    (617) 643-0732         Cambridge, MA)

"I once met a subliminal advertising man, just for a second."
                                                --S. Wright
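
Added example, not part of the original post and not RBBS-PC code: one way a configuration file could hold the sysop's 'password 1/password 2' pair as a salted PBKDF2 verifier, so that a renamed or copied file does not disclose the pair itself. The `SYSOP=` record format, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, tune for the host

def _derive(pw1, pw2, salt, iterations):
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (p.encode("utf-8") for p in (pw1, pw2))
    material = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def make_sysop_record(pw1, pw2, salt=None):
    """Build the config line stored in place of the plaintext pair."""
    salt = os.urandom(16) if salt is None else salt
    digest = _derive(pw1, pw2, salt, ITERATIONS)
    return f"SYSOP=pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_sysop(record, pw1, pw2):
    """Check a remote sign-on attempt against the stored record."""
    try:
        key, value = record.split("=", 1)
        scheme, iters, salt_hex, digest_hex = value.split("$")
        if key != "SYSOP" or scheme != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = _derive(pw1, pw2, salt, int(iters))
    except (ValueError, OverflowError):
        # Malformed or legacy plaintext records never authenticate.
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = make_sysop_record("SECRET", "PASSWORD")
    print(record)  # all that a copied config file would reveal
    print(verify_sysop(record, "SECRET", "PASSWORD"))
    print(verify_sysop(record, "SECRET", "GUESS"))
```

A copied record can still be attacked by offline guessing; the salt and iteration count only raise the cost per guess.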