Newsgroups: comp.org.eff.talk
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!infonode!ingr!b11!b11.ingr.com!craig
From: craig@b11.ingr.com (Craig Presson)
Subject: Re: Allow students to run password guessers?
Message-ID: <1991Jun24.195854.10334@b11.ingr.com>
Sender: @b11.ingr.com
Organization: Unix System Management Tools, Intergraph Corp.
References: <1991Jun24.041435.5423@athena.cs.uga.edu> <44260@fmsrl7.UUCP> <1991Jun24.173743.11003@Firewall.Nielsen.Com>
Date: Mon, 24 Jun 91 19:58:54 GMT
Lines: 104

In article <1991Jun24.173743.11003@Firewall.Nielsen.Com>, kdenning@genesis.Naitc.Com (Karl Denninger) writes:
|> In article <44260@fmsrl7.UUCP> wreck@fmsrl7.UUCP (Ron Carter) writes:
|> >In article <1991Jun24.041435.5423@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
|> >>This is getting ridiculous. Our policy is that students are *not* allowed
|> >>to obtain passwords without the consent of the password owner, by any means
|> >>whatever.
|> 
|> Note, however, that COPS does NOT give you the "guessed" password.  It only
|> tells you that the password was easily compromised, not WHAT it is.
|> 
|> Therefore, it would be OK for me to run COPS on your systems.  But you have
|> said that it isn't.  Why?
|> 
|> --
|> Karl Denninger - AC Nielsen, Bannockburn IL (708) 317-3285
|> kdenning@nis.naitc.com
|> 
|> "The most dangerous command on any computer is the carriage return."
|> Disclaimer:  The opinions here are solely mine and may or may not reflect
|>   	     those of the company.


Below is the header from the relevant source file (this is not from the
most current COPS), the last line:
 *		-p:	print the password when guessed
tells a story.

One can't condemn the authors for this, since it would be easy to modify
the program to do it, or just run it under an interactive debugger (after
all, a good one can execute a "macro" at a conditional breakpoint, which
accomplishes the same thing without source). In principle, with
more trouble, one could do the same thing to a stripped executable. In
any case, it seems we must assume the curious/careful user under discussion
has brought his own password guesser. Why would he trust yours if he's
trying to audit your system for security?

[Intergraph hat on]
I don't know what the final answer is here, but Intergraph and many
other vendors distribute COPS (possibly adapted and augmented for
the environment) and encourage sysadmins to run it. We have it embedded
in our Distributed System Manager (DSM) which expects to be run by
uid 0, so by implication we are not encouraging non-privileged users
to run it.

My own opinion [Intergraph hat off] is that sysadmins would do well
to run COPS, or their favorite equivalent, periodically and post a
summary (full output may contain sensitive stuff!) for all users to read,
making it clear that security auditing is an administrative function.

I'm thinking mainly of production and commercial sites here -- a 
system that serves, say, CS researchers, might expect less of its
admin.

quote from COPS src (pass.c):
/*
 * Warning: this program burns a lot of cpu.
 */
Many thanks for the refreshing honesty :-)
/*
 * Insecure - find accounts with poor passwords
	Date: Tue, 29 Nov 83 18:19:32 pst
	From: leres%ucbarpa@Berkeley (Craig Leres)
	    Modified by Seth Alford, Roger Southwick, Steve Dum, and
	    Rick Lindsley for Tektronix
 */

/*
 [source control noise ...]
 *	
 *
 * By default, this program only checks for accounts with passwords the same
 * as the login name. The following options add more extensive checking. (The
 * tradeoff is cpu time -- with all options enabled it can run into the 100's
 * of MINUTES.) Any argument that does not begin with a "-" is assumed to be
 * a file name. (A single '-' means stdin.) If no file name is given,
 * /etc/passwd is used.
 *
 * Options:
 *
 *		-v:	verbose -- list all guesses on stdout
 *		-u:	output the username on the line of the password file
 *			currently being checked. If the program stops
 *			abruptly you will then know how far it got.
 *		-w file: use the list of words contained in "file" as likely
 *			passwords. Words in the file are one to a line.
 *		-b: 	check all guesses backwards too
 *		-g:	use the Full Name portion of the gecos field to
 *			generate more guesses
 *		-s:	check the single letters a-z, A-Z, 0-9 as passwords
 *		-c:	with each guess, check for all-lowercase and
 *			all-uppercase versions too.
 *		-n:	complain about null passwords (default is to keep quiet)
 *		-p:	print the password when guessed
 */


--  ******************************************************
    ** Craig Presson              pressonc@ingr.com     **
    ** Intergraph Corporation             MS CR1104     **
    ** Huntsville, AL 35894-0001     (205) 730-6176     **
    **                       FAX:    (205) 730-6011     **
    ******************************************************