tpryan
response 150 of 222: Jun 9 11:26 UTC 2000

        Why would machines allow hundreds of attempts on an account
without shutting down the connection?  Anything beyond 5 attempts is
reason to disconnect.
keesan
response 151 of 222: Jun 9 14:46 UTC 2000

Grex accepted a common Bulgarian word (in BGN transcription).   I have not
tried it yet on Albanian or Latvian or Finnish or even Romanian.  How long
would it take someone to find my password if they were told it was in a
language of Europe, even one that does not need to be transliterated?
English, German, Dutch, Swedish, Norwegian, Danish, Icelandic, French, Basque,
Romansh (sp?), Portuguese, Spanish, Italian, Romanian, ten Slavic languages,
Finnish, Hungarian, Latvian, Lithuanian, Latin, modern and ancient Greek,
Albanian, Turkish, Welsh, Scots Gaelic, Irish Gaelic - and let's not forget
every possible verbal ending (I used a verb with an ending in some other
account) and plurals and adjective endings.    Grex does accept combinations
of English words with numbers.  Like tpryan says, if you only give someone
5 guesses, there is no need to worry about other languages.
krj
response 152 of 222: Jun 9 15:33 UTC 2000

In a sophisticated attack, the encrypted password file would be taken
off of Grex so the thief could play with it as long as he wanted.
jmsaul
response 153 of 222: Jun 9 16:09 UTC 2000

What he said.  If you care about the security of your account, do not use
words in other languages.
keesan
response 154 of 222: Jun 9 17:33 UTC 2000

So why would anyone want to waste time feeding every dictionary in the library
into their scanner so as to be able to read my email?  After that, they would
need several dictionaries to read the email (and grammar books).
jmsaul
response 155 of 222: Jun 9 17:39 UTC 2000

They don't necessarily care about you personally.  They may just want an
account to work from so some other sucker gets the blame for what they're
doing.  They'd use other dictionaries simply because more dictionaries will
bag them more passwords.

As for whether they could read your email if they wanted to, keep in mind that
the US does not have a monopoly on computer access or skills.  The intruder
who hits you might be a native speaker of whatever language your email is in.
There are a heck of a lot of Russian script-kiddies out there, and there are
even some working out of other Slavic-speaking countries as well.
drew
response 156 of 222: Jun 9 19:11 UTC 2000

'sides which, they'd already have the dictionaries they need - they used them
in the crack program.
omni
response 157 of 222: Jun 9 19:31 UTC 2000

 re 154  There are things called scanners which can enter dictionaries without
too much effort.
keesan
response 158 of 222: Jun 9 19:36 UTC 2000

Re 157, I mentioned scanners in 154. :]
For what it is worth, I am not currently using a Bulgarian password.
mdw
response 159 of 222: Jun 9 23:57 UTC 2000

Most vandals would not care about keesan in particular.  They would
merely be trying the largest collection of words they can acquire
against what they hope are the hashed passwords from grex.  If they
acquire the password to a real account, they hope to be able to log in,
read through your e-mail to see where else you might have an account, or
who your friends are, and they may then try to leverage your access to
also gain access themselves to that machine.  This is, in fact, how
gryps was initially compromised - a site elsewhere was compromised, a
grex staff member happened to have access at that site, and the vandal
discovered the grex staff person's password was the same on gryps.
Obviously, this is now fixed, but this is a good illustration of the
line of attack many vandals pursue.
keesan
response 160 of 222: Jun 10 01:23 UTC 2000

Does this mean we should not use the same passwords on grex and elsewhere?
(How does one keep straight all one's passwords if they are different?)
mdw
response 161 of 222: Jun 10 02:13 UTC 2000

(1) yes.  (2) don't use a system that would be obvious to a vandal.  I.e.,
"this is my grex password" would probably pass the grex password test,
but a vandal might well guess that your nether.net password is something
along the lines of "this is my nether.net password".
void
response 162 of 222: Jun 10 02:39 UTC 2000

   one way to keep track of passwords is to make them out of phrases
which are meaningful to you, but which others, especially complete
strangers, are not likely to guess.  for instance, if your great-aunt
from poughkeepsie always called you her little pink snickerdoodle, or
something equally silly, you could easily turn that into a password
along the lines of "ltpnksnrdl," assuming a system allowed passwords
that long.  you'd also have a built-in mnemonic for remembering the
password.  or, if for some reason you had managed to strongly associate
grex with, say, fast-food restaurants, you could turn "would you like
fries with that?" into "wylfwt?" and have another sort of built-in
mnemonic for remembering the password.
gull
response 163 of 222: Jun 10 03:03 UTC 2000

I suspect neither of those examples would be accepted by most real password
programs, since they consist entirely of lowercase letters.
jmsaul
response 164 of 222: Jun 10 04:13 UTC 2000

Re #160:  Don't use the same password on more than one system.
void
response 165 of 222: Jun 10 05:26 UTC 2000

   re resp:163: well, yeah, but they're not supposed to be real
passwords.
mdw
response 166 of 222: Jun 10 06:06 UTC 2000

Grex will accept all lower-case, if it's long enough.  Generally
speaking, length is more important than the number of classes of
characters used for increasing the size of the key search space.
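
An added example, not part of the thread and not Grex's actual password test: a small checker that puts numbers on the length-versus-character-classes point and also rejects the two patterns raised earlier (a dictionary word with digits attached, and a scheme built on the site name). The wordlist, the 60-bit threshold and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist; a real check would load large multi-language lists.
WORDLIST = {"password", "kniga", "talo", "snickerdoodle"}

def charset_size(pw):
    """Size of the alphabet implied by the ASCII character classes present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def search_space_bits(pw):
    """log2 of the brute-force search space: length * log2(alphabet size).
    This is an upper bound; it only holds if the characters were chosen at random."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def check_password(pw, site, min_bits=60.0):
    """Return (accepted, reason). min_bits is an illustrative assumption."""
    lowered = pw.lower()
    # A dictionary word with digits or punctuation on either end is still
    # covered by a cracker's word-mangling rules.
    core = lowered.strip(string.digits + string.punctuation)
    if core in WORDLIST:
        return False, "dictionary word plus decoration"
    # Site-derived schemes can be guessed for every other system the user is on.
    if site.lower() in lowered:
        return False, "contains site name"
    bits = search_space_bits(pw)
    if bits < min_bits:
        return False, f"search space too small ({bits:.0f} bits)"
    return True, f"ok ({bits:.0f} bits)"

if __name__ == "__main__":
    for pw in ("Xk7#pQ2!", "qzvhmtrwpklxbn", "kniga2000", "this is my grex password"):
        print(pw, check_password(pw, "grex"))
```

Eight characters drawn from all four classes give about 52 bits, while fourteen random lowercase letters give about 66, so the longer single-class password is accepted and the shorter mixed one is not.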
jor
response 167 of 222: Jun 10 11:06 UTC 2000

    Can't telnet in. Here via web.
    Struggling with the controls.
jor
response 168 of 222: Jun 10 11:07 UTC 2000

    Is this pistachio. Over.
scott
response 169 of 222: Jun 10 12:51 UTC 2000

<chsssch> Roger we read you 5x5 <chsssch>

inetd had died.  I restarted it.
aruba
response 170 of 222: Jun 10 18:39 UTC 2000

Since the reboot the terminal server doesn't say "It may take a few moments
to connect".  It does take a while, though, but it just sits there appearing
to have hung.
janc
response 171 of 222: Jun 11 00:04 UTC 2000

The terminal server downloads half its brain from gryps when it powers
up.  Gryps is gone, so the terminal server is running on half a brain.  I
am pleased to believe that some of the other staff people are working on a
replacement for gryps.
wwallace
response 172 of 222: Jun 12 05:12 UTC 2000

does anybody know how the recent hack on the system was done? what hole they
found? what process they used to exploit it?
mdw
response 173 of 222: Jun 12 05:43 UTC 2000

We don't know the whole story, but we know enough to prevent a
repetition.  Short version: a grex staffer had the same password on
grex/gryps, as well as at another well-respected "serious" site.  The
local site got hacked, this staffer's password was stolen (probably
sniffed off the wire), and the hacker proceeded to exploit all the
systems the staffer was using.  Gryps was one of them.  Gryps was
running a very old version of freebsd.  It was probably well enough
hardened against an attack from "outside", but it wasn't at all hardened
from an attack on the "inside".  So, the vandal was able to get root on
gryps.

The vandal then proceeded to install a "rootkit", which was apparently
designed to protect the vandal against unintended discovery.
Unfortunately for the vandal, gryps was probably running a much older
version of freebsd than what the rootkit was designed to run on, so it
became obvious that something was broken (the "ls" command, of all
things, had an obvious "off-by-4" error reading directories.) The vandal
had also copied over a rather bad network sniffer.  It appears to have
been designed to steal passwords, but would *probably* have been very
tedious to use in practice.  We ran the sniffer long enough (after
taking appropriate precautions) to satisfy ourselves that it *could* be
used to steal passwords.  The evidence suggests that the vandal was
rather stupid, and we don't know that he ever actually got around to
running the sniffer.  So, we can *hope* he didn't have the time.
Nevertheless, we don't have any proof this is so, and it's conceivable
he could have stolen any # of passwords (perhaps even using another
better tool) before we noticed.

Gryps is down for the moment.  It will probably be replaced by much
better hardware running openbsd, so hopefully we won't ever need to know
more about all the exact details of how the vandal compromised gryps.
Also, the staff member who unluckily got compromised claims to now be
using different passwords everywhere, so hopefully that will not be a
problem as well.
steve
response 174 of 222: Jun 13 22:45 UTC 2000

   A delightful soul in Lebanon filled up /c with millions and millions
of "y"'s today, courtesy of the yes program.  I found it just after the
last bit of disk had been eaten and got rid of it all.