Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!umd5!brl-adm!adm!PAAAAAR%CALSTATE.BITNET@cunyvm.cuny.edu
From: PAAAAAR%CALSTATE.BITNET@cunyvm.cuny.edu
Newsgroups: comp.unix.questions
Subject: RE: Password choices
Message-ID: <16582@brl-adm.ARPA>
Date: 21 Jul 88 03:32:19 GMT
Sender: news@brl-adm.ARPA
Lines: 72

(Root Boy) Jim Cottrell writes
>Note: DO NOT log the attempted password! At least not to a file......
>.....

Yes - if it's in a file, and the system is cracked, it can be removed, and (if the cracker is clever) all trace of the break-in lost. The place for this info is a permanent WOM (Write Only Memory) - I prefer a printing console type device, with TWO copies, locked up in the machine room, because if anyone gets physically to the power switch you are wide open anyway, so leaving a paper record there makes little difference. I have detected and analysed three attempts at cracking our system. We could prove that it was a local high-schooler who had once taken a BASIC class on campus...using the console log.

>? [...what to do with multiple login attempts...]
>A more fiendish approach is to set a flag after three attempts...

In May 1986 I published an article in the Communications of The Association for Computing Machinery (vol 29, No 5, pp 416-417) on "Novel Security Techniques for Online Systems". In this I suggested the deliberate creation of a "Negative Security Zone" which is easy to get into, impossible to get out of (except by logging out) and provably secure. It has two main purposes: (1) Advertising (2) A Hacker Trap for repeated login attempts.

The Unix implementation was carried out by an intern (John, where are you??) and myself. I hacked up a /usr/contrib/sys/login.c program and John wrote the FREindly SHell (fresh). All guests run under 'fresh' - which is VERY easy to use (but with NO UNIX functionality other than mail and local 'cat').

After three attempts the 'user' is logged in as an 'accidental guest' with user name 'a', read/write access to /usr/guest (ONLY), running under /bin/fresh. Consequence - the naive think they have broken in - and can do no harm. Users who have forgotten their passwords can mail the system administrator and beg for help. Wandering Gurus can make contact and be turned into friends rather than criminals. Local crackers/hackers with learn are fed advertising slogans as they play with the system. When the port selection hardware forgets things (we get lots of power outages) the system helps people who are talking to the wrong machine to get to the right one.

Other refinements - 'root' cannot log in. In fact the word 'root' is never visible to guests. Any attempt to log in as root, even with the right password(!), is recorded on paper and rejected. Access to superuser powers is via 'su' and this has been hacked to report all 'su's to 'root' - good and bad. We therefore have a continuous log of all the times that the system is open to abuse and who asked to abuse it - again on PAPER.

Another - any 'login' that starts 'login' is spotted, 'help' gives help, 'where' prints out a description of the system and a map, 'when' runs 'date' as a shell, 'who' runs 'who', 'why' runs 'why' (why not?)... also we have 'status' as a pseudo login which does a UCB 'w'.... All these 'pseudo-users' are logged in as 'anon' and have a single (SIMPLE) command as a login shell.

Consequence - No break-ins for 2 years - and the number has been published (714-887-7365) nationally and locally for most of that time...

Hum -- I didn't plan to say all that....

Dick Botting PAAAAAR@CCS.CSUSCC.CALSTATE(doc-dick)
paaaaar@calstate.bitnet
PAAAAAR%CALSTATE.BITNET@{depends on the phase of the moon}.EDU
Dept Comp Sci., CSUSB, 5500 State Univ Pkway, San Bernardino CA 92407
Disclaimer: I am only an egg
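A model of the login policy the post describes, as an added example and not Dick Botting's login.c or John's 'fresh' (neither is shown in the post): root is rejected before any password check, the pseudo-logins run as 'anon' with one command as shell, and the third failure drops the caller into the accidental guest. The verify callback, the shells table, the pseudo-login command paths and the home directories are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_ATTEMPTS = 3                              # post: guest after three attempts
GUEST = ("a", "/bin/fresh", "/usr/guest")     # the post's 'accidental guest'

# Pseudo-logins from the post, each logged in as 'anon' with one command as
# its shell. The command paths are assumptions.
PSEUDO_LOGINS = {
    "help": "/usr/local/bin/help", "where": "/usr/local/bin/where",
    "when": "/bin/date", "who": "/usr/bin/who", "why": "/usr/local/bin/why",
    "status": "/usr/ucb/w",
}

@dataclass
class Session:
    user: str
    shell: str
    home: str

@dataclass
class NegativeZoneLogin:
    verify: Callable[[str, str], bool]   # assumed real credential check
    shells: dict                          # user -> login shell (assumed)
    console: list = field(default_factory=list)  # stands in for the paper log
    failures: int = 0

    def attempt(self, user: str, password: str) -> Optional[Session]:
        """One login try: a Session, or None when rejected outright."""
        if user == "root":
            # Rejected and recorded without ever consulting the password.
            self.console.append("root login attempt rejected")
            return None
        if user in PSEUDO_LOGINS:
            return Session("anon", PSEUDO_LOGINS[user], "/usr/guest")
        if self.verify(user, password):
            self.failures = 0
            self.console.append(f"login {user}")
            return Session(user, self.shells.get(user, "/bin/sh"), f"/u/{user}")
        self.failures += 1
        # Only the name tried goes into this record, never the password.
        self.console.append(f"bad login for {user!r} (attempt {self.failures})")
        if self.failures >= MAX_ATTEMPTS:
            self.failures = 0
            self.console.append("accidental guest 'a' started under /bin/fresh")
            return Session(*GUEST)
        return None
```

The console list stands in for the printing console the post recommends; in a deployment it would be a write path to a printer or serial line, not a file the guest account can reach.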