Re: Tim O'Reilly on Randal Schwartz Prosecution
In <42sh2o$erb@shell1.best.com> jeffrey@best.com (Jeffrey Kegler) writes:
[ About Tim O'Reilly and Randal cracking ORA's password file ]
I believe the system I was running at the time had the "honor" of being
the first system Randal cracked.
I had been running System V boxes and was used to shadow password files.
The Sun box was a replacement for (awful) Esix System V Release 4 and I
wasn't used to BSD. My reading of the manual led me to believe that
shadow password files could only be enabled if all of the C2 security
stuff was turned on. I didn't want to do that so we ran with passwords
in the clear.
Randal and I were talking about security and shortly afterwards he
ftp'd the password file and ran crack on it. He sent me a list of 40
or so accounts with passwords that he cracked - he blanked out the
passwords when he emailed them - a couple of days later.
I've tried to come up with analogies to explain the situation to
non-computing people but it's difficult. One way I've tried to explain
it is to say that you're in the habit of leaving your door unlocked
and a friend is convinced that it's dangerous. To prove that to you
they take your TV and hide it, then call and tell you to "turn on your
TV right now" ... After giving you a scare the friend hauls your TV
back into the house.
As I say, analogies don't work in this situation very well. I wasn't
exactly thrilled about what Randal did back then. I knew I had a
problem - I stressed as best I could to users that picking good
passwords was important but let them pick their own - and 10% was
actually lower than I thought the results would be. I felt that the
problem was mine to figure out and solve and Randal sticking his oar in
was not all that appreciated.
But there was never any doubt in my mind that Randal was trying to help.
And by letting me know the weakest links I was able to contact them and
get them to change their passwords.
Something that bothers me about the case is that Randal should never have had
the opportunity to crack Intel's password files - shadow password files
are not exactly new. I was tech support, billing, admin, etc. for the
company then. I didn't know how to enable shadow passwords and didn't
have time to learn. (I never have - but I ended up partnering a couple
of months later with somebody who <did> know how to add shadow passwords
without turning on all of C2 security.)
I'm a bit surprised that Intel chose to go public with the situation -
my understanding is that often companies do things quietly so they avoid
lawsuits from shareholders. Yeah, the prospect of ending up a convicted
felon doesn't thrill people. But if Randal <had> been of malicious
intent <what> could he have gotten away with? What would the CAD files
for the Pentium or P6 or whatever be worth ... ? What would it do to
Intel's stock price if someone were able to slice 6 months off their
design cycle and come out with a clone chip that much faster?
And the thing that really bothers me is that I honestly believe that
while there was some hubris involved the main motivation Randal had was
to <help> Intel. That after 5 years of working for them (even as a
contractor) that he had some loyalty to them and was trying to make them
aware that their security wasn't all that it might be ...
--
jamesd@teleport.com "12,104 newsgroups & nothing on ..."
Full internet since 1992. Portland: 220-1016 Voice: (503) 223-0076
Vancouver: 260-0330 Roseburg: 672-5078 Salem: 364-2028 Eugene: 302-0939
Longview: 577-8448 Newport: 867-6652 Bend: 387-1700 Medford: 734-2480