Path: utzoo!mnetor!uunet!husc6!rutgers!iuvax!bsu-cs!cfchiesa
From: cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa)
Newsgroups: comp.os.vms
Subject: Re: 'security holes'
Message-ID: <1746@bsu-cs.UUCP>
Date: 29 Dec 87 06:41:51 GMT
References: <8712262324.AA10045@ucbvax.Berkeley.EDU> <1743@bsu-cs.UUCP>
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 68
Summary: Clarification...

In article <1743@bsu-cs.UUCP>, jdh@bsu-cs.UUCP (John Hiday) writes:
> In article <8712262324.AA10045@ucbvax.Berkeley.EDU> BORDEN@YALEMED.BITNET (jonathan) writes:
> }In article <1740@bsu-cs.UUCP> cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa) writes:
> }}
> }} [load of bull about his hacking buddy's latest triumph deleted...]
      ^^^^^^^^^^^^

Oh, really?  Do you mean to imply that I was inflating the tale?  I assure
you, the entire episode occurred exactly as related...

> }} Sort of
> }}"reverse engineering," but there is some evidence lately (mysterious
> }}breakins to user accounts) that it works... [...]
>
> Are you confessing? :-)

No, just keeping you (seeing as how you're one of our system admin'ers!)
informed as to the things that get discussed in the public terminal rooms
on occasion... :-)

>
> } The question is: given an arbitrary hashed password can you easily
> }derive the original?

No.  But the point is, you don't HAVE to derive THE original password -
just any ONE of the (numerous) combinations that happens to hash out to
the same encryption result as the original password...

> } [Stuff deleted...]
> Just having a user's hashed password value poses no threat if the user
> has picked an intelligent password. It would take mounds of CPU time
> to find it via the pick a word, hash it, compare hashed values method.

... so you mean to tell me that the only thing keeping our passwords safe
are a) the ethics of student hackers NOT to write a "pick word, hash it,
compare hashed values" program, and b) CPU time limits and statistical
reassurance that the job will take too long to be useful to the hacker?
Sounds to me like someone is overestimating the ethics, and underestimating
the persistence, of some of the minds "out there"... not that they're
necessarily "evil," but password-finding could be considered quite a
"challenge!"

> Even though having the hashed value of a person's password doesn't give
> you a lot, it does give you more information than you could have gotten
> without $GETUAI.

Exactly!  It seems to be enough, coupled with other available VMS
operations, to get a real big start on the password-finding process.

> Ever since $GETUAI came out in V4.4 I have always
> wondered why DEC made it a non-privileged routine. I know that with
> privs you can only get info on yourself,...

I think you mean "WITHOUT privs...," John...

> ... but it does pose trojan horse
> problems.

Darn right.  A program can pull UAF data for whatever UIC happens to
EXECUTE it, NOT just the one that OWNS it.

> [...other stuff deleted...]

Chris Chiesa
CS Student
Ball State University, Muncie, Indiana
..!rutgers!iuvax!bsu-cs!cfchiesa