cmcgee
response 88 of 222:
Jun 6 00:15 UTC 2000
Still unable to dial in to Grex.

scg
response 89 of 222:
Jun 6 01:45 UTC 2000
The terminal server was down. I just rebooted it.

janc
response 90 of 222:
Jun 6 03:05 UTC 2000
Resp:87 - I took the liberty of making "join M-Net" work instead of editing
the motd.

steve
response 91 of 222:
Jun 6 06:06 UTC 2000
Grex had a root breakin on another machine we use for things,
in which the vandal MAY have tried grabbing passwords from users
as they typed them in.

Grex itself was NOT affected. The machine that was, gryps, is
used for some functions like teaching the terminal server what to
do when it boots up, and some other things. This machine was running
an older copy of the FreeBSD operating system, and apparently,
a vandal saw this, and applied some exploit to it, and got in. We
see clearly that the vandal installed some software to steal passwords
(called a network sniffer), but we do not know how much time the
vandal had to run this and harvest passwords. It doesn't look like
they (it?) had much time, but we can't tell for sure.

It is for this reason that we strongly suggest that anyone who
logged in between June 3rd and June 6th change their passwords
now. We know that whatever damage this cyberslime did will be
minimized by folks changing their passwords. IF YOU USE YOUR GREX
PASSWORD ON SOME OTHER MACHINE, CHANGE THAT TOO!

Grex was down today as we looked at it, and there is no evidence
that the vandal did anything to Grex. The vandal was not terribly
sophisticated, left tracks, and in general did not display either
the intelligence or panache needed to harm Grex itself.

The FreeBSD machine is currently powered down. We have another
machine waiting to be used which runs the OpenBSD operating system
which will be the new Gryps within a day or two.

We do not think that anything else on the system has been
damaged, but of course there is the possibility that we have missed
something, so if you see something weird, please tell staff right
away (mail to staff).

tpryan
response 92 of 222:
Jun 6 11:21 UTC 2000
Please make the password change program less agrumentative.

cyklone
response 93 of 222:
Jun 6 12:33 UTC 2000
The dial-ins work intermittently.

tpryan
response 94 of 222:
Jun 6 15:51 UTC 2000
and the dial-in server no longer has the 'it may take a moment'
message.

rcurl
response 95 of 222:
Jun 6 16:53 UTC 2000
I just used !change from here to change my password, and wondered what
tpryan meant by it being "agrumentative", unless he really was referring
to all the extra words that have *grown* there.

janc
response 96 of 222:
Jun 6 16:59 UTC 2000
He means the "your password is too obvious" thing. Grex is really picky
about passwords.

rcurl
response 97 of 222:
Jun 6 17:41 UTC 2000
OK...I've never had that problem, so didn't think of that.

mooncat
response 98 of 222:
Jun 6 17:42 UTC 2000
Or it tells you if your new password is too similar to the old one, and
tells you to be more creative. (paraphrasing)

rcurl
response 99 of 222:
Jun 6 17:56 UTC 2000
I use a password generating scheme that easily creates new ones based
on old ones, but so different that the algorithm can't detect the relation.

jmsaul
response 100 of 222:
Jun 6 18:38 UTC 2000
Cool! What is it?
(Just kidding. ;-)

gull
response 101 of 222:
Jun 6 18:56 UTC 2000
Grex's isn't too bad. I've been unable to change the password on my
Michigan Tech account, though, because I can't come up with one that
satisfies *their* password program. Sigh.

mcnally
response 102 of 222:
Jun 6 19:09 UTC 2000
re #98: That would be quite a trick.. The system shouldn't know what
your old password was..

cconroy
response 103 of 222:
Jun 6 19:58 UTC 2000
And then there's NT, which won't let you reuse any previous password
(which is understandable to maintain tighter security, but gets really
annoying when the system is configured to make you change passwords
every three months whether you like it or not).

rcurl
response 104 of 222:
Jun 6 21:03 UTC 2000
Re #102 re #98: it knows it at the time you are trying to change it.

ryan
response 105 of 222:
Jun 6 21:30 UTC 2000
This response has been erased.

scg
response 106 of 222:
Jun 6 22:15 UTC 2000
passwd asks first for your old password, to verify that you aren't just some
random person who walked up to an already logged in terminal, and then for
the new password. I assume it does its comparison from what you tell it your
old password was (which it then verifies), rather than by pulling it out of
a database somewhere.

drew
response 107 of 222:
Jun 6 22:26 UTC 2000
As I recall, passwords are not stored plaintext anywhere on the system.
Rather, a hashing algorithm is used, that's supposed to be one-way. When it
needs to check your password for any reason, whatever program is doing the
checking takes what you type in and calls the hashing routine, and compares
the result to what's in the shadow file (formerly in /etc/passwd). Thus it
can convert 'foobar' to $%H8@feJK&^, but given the string $%H8@feJK&^, there
is no way to derive the plaintext 'foobar'.

I would guess that on today's faster machines, given the list of hashed
passwords, it might be possible to write a program to try every possible
plaintext password starting with the letter ^A until it finds one that
matches; and that's why shadow files were implemented. Or is this feasible?

steve
response 108 of 222:
Jun 6 23:38 UTC 2000
Drew's explanation of how passwords are stored is right.

As for trying to guess passwords, that's what the "crack" program
does, only it uses dictionaries of words along with some other algorithms,
and for people who choose "bad" passwords, can be *very* effective.
*That* is why Grex's passwd program is so very picky. I don't
normally like the idea of software being so grumpy about human
behavior, but all too many people choose HORRIBLE passwords if
left to their own devices.

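The password-change flow that scg, drew and steve describe in responses 106 to 108 (the old password is typed and verified first, only salted one-way hashes are stored, the new password is screened against dictionary words and against the old one the user just typed) as an added worked example in Python. This is illustration code written for this thread, not Grex's passwd program or the "crack" program; the wordlist, the PBKDF2 parameters and the 0.6 similarity threshold are constructed assumptions.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Constructed wordlist standing in for the dictionaries that "crack" (and a
# picky passwd program) consult. A real deployment loads a large list.
WORDLIST = {"password", "foobar", "letmein", "sunshine", "grex"}

# Assumption for this example: PBKDF2-HMAC-SHA256 with this work factor.
ITERATIONS = 100_000
# Assumption: difflib ratio above this counts as "too similar to the old one".
SIMILARITY_LIMIT = 0.6


def hash_password(password, salt=b""):
    """One-way, salted hash; the returned record never contains the plaintext.

    Format: 'pbkdf2$<iterations>$<salt hex>$<digest hex>'. A fresh random salt
    is drawn unless one is supplied, so the same password hashes differently
    for different users and precomputed tables do not transfer.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(typed, stored):
    """Re-hash what the user typed with the stored salt and compare.

    This is the only direction available: the stored digest cannot be turned
    back into the password, exactly as drew describes.
    """
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", typed.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a wrong guess cannot be told apart by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_problems(new, old_typed):
    """Quality checks a passwd-style program can run at change time.

    The similarity check is possible only because the user just typed the old
    password (scg's point); it is never recovered from the hash database.
    """
    problems = []
    lowered = new.lower()
    if len(new) < 8:
        problems.append("too short")
    # Reject dictionary words, with or without trailing digits ("password1").
    if lowered in WORDLIST or lowered.rstrip("0123456789") in WORDLIST:
        problems.append("too obvious (dictionary word)")
    kinds = {
        "lower": any(c.islower() for c in new),
        "upper": any(c.isupper() for c in new),
        "digit": any(c.isdigit() for c in new),
        "other": any(not c.isalnum() for c in new),
    }
    if sum(kinds.values()) < 3:
        problems.append("too few character classes")
    if SequenceMatcher(None, old_typed.lower(), lowered).ratio() > SIMILARITY_LIMIT:
        problems.append("too similar to the old one")
    return problems


def change_password(stored, typed_old, new):
    """passwd flow: authenticate with the old password, then screen the new one.

    Returns (True, new_record) on success or (False, [reasons]) on refusal.
    """
    if not verify_password(typed_old, stored):
        return False, ["old password does not match"]
    problems = password_problems(new, typed_old)
    if problems:
        return False, problems
    return True, hash_password(new)


if __name__ == "__main__":
    record = hash_password("Ann-Arbor-1998")  # constructed sample password
    print("stored record:", record)
    print("login with right password:", verify_password("Ann-Arbor-1998", record))
    print("login with wrong case:", verify_password("ann-arbor-1998", record))
    for candidate in ("Ann-Arbor-1999", "password1", "Ypsilanti!Dial7"):
        print(candidate, "->", change_password(record, "Ann-Arbor-1998", candidate))
```

Running the script shows the three behaviours discussed in the thread: a near-copy of the old password is refused as too similar, a dictionary word with a digit tacked on is refused as too obvious, and an unrelated mixed-class password is accepted and stored only as salt plus digest.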
bruin
response 109 of 222:
Jun 6 23:45 UTC 2000
BTW, as I use Backtalk to access Grex, what would be the procedure for
changing a password?

other
response 110 of 222:
Jun 6 23:48 UTC 2000
I just sometimes use words from human languages for which no dictionaries
exist. (Transliterated, of course.)

mary
response 111 of 222:
Jun 7 00:35 UTC 2000
Grex's password program isn't picky. I've had the same one for
the past 8 years. When it prompts for a change I give it one
then immediately run the set password program and change it back
to the one I had. I'm not worried about my password being abused.
I'd bet whoever got ahold of it would be nicer than I am. ;-)
Some people are concerned about such things and it's nice the system
allows them a higher level of security.

steve
response 112 of 222:
Jun 7 01:59 UTC 2000
Yes Mary but they might do something using your account that would
be *less* than pleasant. A prof in a college to the west of us just
recently had his pw stolen, and guess what? The little vandal sent a
death threat to Al Gore apparently. Said prof had some explaining to
do, etc.

Not changing your pw in 8 years is just plain risky. I hope that
pw is not used on anything that ever has any form of value flowing
through it.