25 new of 226 responses total.
ajax
response 25 of 226:   Apr 8 08:57 UTC 1995

  Yeah.  I may be naive, but I believe if I really didn't send the death
threat, then the feds wouldn't be able to prove beyond a reasonable doubt
that I did, so whatever trouble I got into would ultimately just be an
interesting learning experience about misguided law enforcement efforts.
adbarr
response 26 of 226:   Apr 8 11:19 UTC 1995

Re - jep at #20 - good to see you still have your sense of humor, John. 
There is always hope if you do.  BTW I, too, have changed my password, 
and I am so proud of myself!

Re - #25 ajax - "Interesting learning experience" has, for some
poor souls, meant confiscation and damage to equipment, arrest,
time spent in places-you-would-rather-not-be with persons-you-would-
rather-not-know, financial ruin, social ruin, and more.  The problem
is by the time you vindicate your self (The judge says, "Gee, we
sure are sorry!"), there is not much left to worry about.  And some
innocents are never vindicated.  Once the legal mechanism starts
turning with you enmeshed in the gears, it is often not easy to
convince anyone of your complete innocence.  The bureaucracy is more
interested (some of the bureaucracy) in "processing" you to a 
conclusion that "closes the file". That ain't always in your
best interests, believe me.  I do not mean to be sarcastic,
I just want you to know "Truth and Justice" are ideals, often
difficult to realize in the real scene of "law enforcement".
mdw
response 27 of 226:   Apr 8 14:49 UTC 1995

If we wanted, we could have made the password change mandatory.  We
could have "expired" everyone's password, and forced them to change it
upon logging in.  So, however strongly worded the motd message might
seem, it is purely advisory, and it's perfectly ok for janc to ignore
it, but a good thing adbarr and jep did change theirs.  How could we
better word the message in motd to (a) convey the special risk due to
the stolen shadow file, without (b) rewarding the vandal, so that (c)
people can make an intelligent decision as to whether they should change
their password?

[BTW: the well, when they had a similar incident (mitnick) went to a
forced mandatory scheme.  Unfortunately, their password change program
was a lot less efficient, so they were forced to implement a weird
queuing system, which had the surprise property of dropping mail for
people until they changed their password!  Needless to say, it was a
major embarrassment for them.  I believe we're in much better shape
here; so don't worry, be happy!]
jep
response 28 of 226:   Apr 8 15:02 UTC 1995

        How about:

        Someone broke root and downloaded the password file.  Change your
password if you care at all about security.  Note: You are responsible for
anything which occurs under your account.
steve
response 29 of 226:   Apr 8 15:20 UTC 1995

   Because that's not entirely true.  There isn't the legal precedent
for that, either way.
janc
response 30 of 226:   Apr 8 17:47 UTC 1995

It also gives the impression to most users that they downloaded the 
passwords, not just the encrypted passwords.  
ajax
response 31 of 226:   Apr 8 18:02 UTC 1995

  I think the original motd announcement briefly explained both why
and how to change one's password, but it was pared down to a half line.
It's now re-expanded to include how again, but not why.
steve
response 32 of 226:   Apr 8 18:04 UTC 1995

  Jan, considering the quality of most passwords, downloading the
shadowed passwords is the same thing as the passwords themselves.
ajax
response 33 of 226:   Apr 8 18:13 UTC 1995

Don't Grex's newuser and passwd programs reject easy-to-crack passwords?
janc
response 34 of 226:   Apr 9 00:34 UTC 1995

They do.  But if someone has taken the trouble to steal the password file,
we can presume they care enough to try a fairly energetic attack, and could
be expected to pick up a few accounts.  The risk certainly exists.  If the
idea of someone getting on your account bothers you, by all means change
your password.  It isn't much effort.
mdw
response 35 of 226:   Apr 9 00:37 UTC 1995

Yes.  Although, passwd, in the best Unix tradition, does allow trivial
passwords if you're sufficiently bull-headed.
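An added example (not Grex's own newuser or passwd code, which this thread does not show) of the kind of weak-password check those programs are described as making, with the advisory-versus-mandatory choice discussed in #27 and #35 as a flag; the word list, the leet-speak table and the usernames are constructed for illustration:

```python
"""Reject passwords that a dictionary run against a stolen shadow file would
recover almost immediately.  Constructed stand-ins are used for the word list;
a real check would load a system dictionary such as /usr/share/dict/words."""
import re

# Constructed sample of a cracking dictionary (assumption: not Grex's real list).
WORDLIST = {"password", "secret", "grex", "letmein", "welcome", "dragon", "qwerty"}

# Undo the substitutions crackers try first: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
LEET = str.maketrans("013457@$!", "oleastasi")


def _candidates(pw):
    """Yield the normalised forms a cracker would test before the raw password."""
    base = pw.lower()
    for form in (base, base.translate(LEET)):
        yield form
        yield re.sub(r"\d+$", "", form)   # "dragon99" -> "dragon"
        yield form[::-1]                  # reversed word


def check_password(pw, username):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 2:
        problems.append("uses only one character class")
    for cand in _candidates(pw):
        if cand in WORDLIST or cand == username.lower():
            problems.append("derived from a dictionary word or the login name")
            break
    return problems


def set_password(pw, username, insist=False):
    """Model the two policies debated in the thread.  With insist=False a weak
    password is refused (mandatory policy); with insist=True the user is warned
    but the change goes through, as passwd does for the bull-headed (advisory).
    Returns (accepted, problems)."""
    problems = check_password(pw, username)
    if problems and not insist:
        return False, problems
    return True, problems
```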
davel
response 36 of 226:   Apr 9 01:12 UTC 1995

To #27, also add "(d) without being so complicated or longwinded that most
people just stop reading" or words to that effect.  I think I saw Valerie's
version, which was good (but not very emphatic).  I think *some* explanation
is preferable to a simple "please change your password", in any case.
lilmo
response 37 of 226:   Apr 9 22:20 UTC 1995

Without SOME "why", there is no incentive, and rumors are liable to start.
I find even the current motd lines disturbing for that reason.
steve
response 38 of 226:   Apr 10 03:09 UTC 1995

   What would you suggest then, Mark?  I don't quite understand what
you're saying.  How can we better phrase it?
jep
response 39 of 226:   Apr 10 05:04 UTC 1995

        Grex is more gentle and civilized on passwords than it needs to be.
Given the facts about passwords -- that most people's are pretty easy to
crack -- you could appropriately say "Every password on Grex is guaranteed
to be broken as a result of a root break-in.  If you haven't changed your
password, people are sending mail and doing other things with your
account" without exaggerating much at all.
selena
response 40 of 226:   Apr 10 06:13 UTC 1995

        gregc- I would be a paying member, if some people would think, 
along WITH following the rules!! Silencing me, or trying to, bub, is
NOT  a good idea, 'cause you will only make me louder! Capeche?
        I object to the password change being mandatory, as it feels very
high-handed.  That's all there is to it, and your bringing up my membership
status only points out YOUR petty attempt to humiliate me into being
quiet.
        If you don't care for these kinds of public responses, do yourself
a favor next time, and take it to mail, instead of shooting your mouth
off where I feel obligated to defend myself!
ajax
response 41 of 226:   Apr 10 08:58 UTC 1995

  John, *every* password is cracked, *every* time root is cracked?
Sorry, that does sound like at least a tiny exaggeration!  :)
popcorn
response 42 of 226:   Apr 10 12:17 UTC 1995

Selena, Greg had a point.  It seems to me that you're constantly carping
and complaining about the system, always utterly upset and miserable by
all the horrible ways you seem to think you're being mistreated.
If you're as upset as you come across sounding, I don't understand why
you stay around here: it sounds like spending time on Grex makes you
miserable.  If that's true, why do it?
steve
response 43 of 226:   Apr 10 12:53 UTC 1995

   Once someone has root they can change all the other passwords at
will, so while getting root isn't exactly the same as another's password,
effectively it is the same.
ajax
response 44 of 226:   Apr 10 16:27 UTC 1995

  True, but #39 seems to be talking about literally cracking every password.
steve
response 45 of 226:   Apr 10 17:57 UTC 1995

   OK.  Well, if someone gets root they can squeeze all the other
passwords.  How's that for technical accuracy?
lilmo
response 46 of 226:   Apr 10 18:33 UTC 1995

Re #38:  How about something like, "There was a virtual break-in at Grex,
and some passwords were broken.  For your own protection, please change
your password by blahblahblah..."??  My proposed "why" took up less than
one line, tells the user everything s/he needs to know, and tells the
hacker no more than s/he already knows.
jep
response 47 of 226:   Apr 11 02:49 UTC 1995

        I didn't say I wasn't exaggerating, I said I wasn't exaggerating
much.  Sometimes it's better to lie a little.  My message inspires in
people the kind of terror they should feel when they learn there might be
a security problem with passwords and the root password.
        I will bet you a bagel from your favorite bagel creation place that
every root on Grex changed their password immediately.  Why is that
significant, you ask?  These are the experts.  When you don't know,
emulate an expert as closely as you can.
steve
response 48 of 226:   Apr 11 02:55 UTC 1995

   You get a bagel.  When we found out about this last breakin I
immediately changed all the root pws.
popcorn
response 49 of 226:   Apr 11 03:08 UTC 1995

And I betcha most of the roots changed the password on their personal
accounts right away, too.  I know I did.
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss