Hacker's Archive of Password Files

• Subject: Hacker's Archive of Password Files
• From: jeffrey@algor2.algorists.com (Jeffrey Kegler)
• Date: 10 Dec 1995 21:34:37 GMT
• Distribution: world
• Newsgroups: cowp.sys.intel, comp.org.eff.talk, comp.security.unix, comp.security.misc, misc.legal.computing
• Organization: Algorists, Inc.
• Reply-To: jeffrey@algorists.com
• Xref: newsstand.cit.cornell.edu comp.org.eff.talk:69224 comp.security.unix:23540 comp.security.misc:24822 misc.legal.computing:18620

An Intel password file I mentioned earlier as available on the Internet
forms part of a hacker's archive of password files.  This archive,
apparently intended for sharing among hackers, contains dozens of
password files from many companies.  It probably forms an immediate
threat to the security of a wide array of Internet sites.

Unfortunately the URL for this archive may not get into the hands of
anyone able to shut down this archive.  Those who do have the URL are
afraid of legal action or have promised confidentiality to those who
are.

This is not to say those who discovered the archive have done anything
illicit, or feel guilt over their actions.  Rather they feel that the
likelihood is that the bearer of bad news will be targeted, while the
actual hackers go unpunished.

I find this concern of theirs well founded.  Less technical types, who
form the majority of computer crime law enforcement and even of
corporate network security, find the pursuit of hackers almost or
completely beyond their abilities.  Well-meaning informants are much
easier to convict, given laws that make nearly all network accesses
potential crimes, and technically naive judges and juries.

Given this situation, I cannot say what might permit the holders of this
data to come forward, but I would hope immunity from prosecution would
be offered as a minimum.  I believe all my sources to be totally
guiltless in any reasonable moral sense.

I am indebted for the above to Charles Mann of the _Atlantic Monthly_.
Much of this material was unearthed by him and his co-author David
Freedman for a forthcoming _Atlantic_ article.  Charles has recognized
the important public policy and security purpose in rapid dissemination
of these selected facts from that article, and been very generous in
allowing me to "scoop" him.

Given that this message reveals an apparently on-going and current
security threat a copy will go to CERT.

---
Jeffrey Kegler, Algorists, Inc.
jeffrey@algorists.com, http://www.best.com/~jeffrey
743 East El Camino Real #338, Sunnyvale CA 94087
[ See home page for PGP public key ]

• Re: Hacker's Archive of Password Files
• From: books@rtssec1.dms.state.fl.us (Roger Books)
• Re: Hacker's Archive of Password Files
• From: unruh@physics.ubc.ca (William Unruh)

• Prev: Intel Password File Available on Internet
• Next: Re: Hacker's Archive of Password Files
• Index: Mail Index
• Thread: Mail Thread Index