Path: utzoo!mnetor!uunet!husc6!bloom-beacon!gatech!purdue!i.cc.purdue.edu!j.cc.purdue.edu!pur-ee!iuvax!bsu-cs!cfchiesa
From: cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS VALIDATION ON VMS
Message-ID: <1810@bsu-cs.UUCP>
Date: 8 Jan 88 23:34:40 GMT
References: <8712192213.AA27374@ucbvax.Berkeley.EDU> <13592@beta.UUCP> <13920@beta.UUCP>
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 35
Summary: Comments on comments

In article <13920@beta.UUCP>, mbr@beta.UUCP (Mike Rose) writes:
> In article <1740@bsu-cs.UUCP> cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa) writes:
> >Oh, really? A college sophomore here at BSU sent me a mail message one day
> >saying "run such-and-such program in my area..." - I ran it and was shown the
> >binary string representing the hashed version of my password.
>
> (btw, running a college sophomore's
> program without knowing exactly what it does is probably not a real
> good idea, unless done from a username with no privs, no files you
> aren't willing to have destroyed, etc. or unless you really trust
> the sophomore.)

Nobody here, except the system manager(s), has any priv other than TMPMBX. I
couldn't mess up any file but my own (or those of someone who's deliberately
granting me access) even if I wanted to, which I don't. And it's SOP for
students to consult with each other a la "How do I ..." and "here's how I..."
matters, such as using system services (this kid and I are among only a
handful of people I'm aware of who even know what a system service IS...), so I
trust him to a certain degree.

> >this soph and I verified that I obtained the SAME bit-pattern
> >from TWO slightly-different passwords, and that EITHER password would allow
> >access to my account after using SET PASSWORD to set EITHER of them as my
> >"real" password. Hole, hole, HOLE!!!
>
> I'm real curious about this. Would you send me details?

I'll try, but first I'll have to rewrite the program the soph was using; he
got rid of it due to fears (justified, I might add) that the system
administrators might vent their wrath on him for daring to use $GETUAI ...

Chris Chiesa
Senior, CS Dept.
Ball State University
Muncie, IN