
What happened to Crack 3.1?


Dan Ehrlich

Aug 9, 1991, 8:57:18 AM
I saw the announcement go by, and it showed up in alt.sources.index, but I
never actually saw the postings. Would someone tell me where I can find a
copy of Crack 3.1? Is there an archive site for alt.sources?

Thanks.
--
Dan Ehrlich - Sr. Systems Programmer - Penn State Computer Science
<ehr...@cs.psu.edu>/Voice: +1 814 863 1142/FAX: +1 814 865 3176

Edward C. Otto III

Aug 9, 1991, 2:37:29 PM
ehr...@cs.psu.edu (Dan Ehrlich) writes:

Dan (and all others that would use this program!!)

Please be advised that using the results of this program on ANY Internet
machine may be construable as a Federal Offense, punishable by 2 to 5
years in a Federal Pen.

I have looked at this code, and the output of this program can be used
to violate security on ANY system that it's run on.

The other problem with it is that it will degrade any system it runs on.

To all system managers: Look for the code on your machine and delete
it! It's dangerous!!

--
Email flames to: edo...@uipsuxb.ps.uiuc.edu or call 217/333-9422 to talk
Ed Otto : University of Illinois : Printing Services Office
54A E. Gregory Drive : Champaign, IL : 61820
/std/disclaimer | more >/dev/null

dan

Aug 9, 1991, 4:56:42 PM

In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:

> ehr...@cs.psu.edu (Dan Ehrlich) writes:
>>Would someone tell me where I can find a copy of Crack 3.1?
> Dan (and all others that would use this program!!)
> Please be advised that using the results of this program on ANY Internet
> machine may be construable as a Federal Offense, punishable by 2 to 5
> years in a Federal Pen.

Says who?

> I have looked at this code, and the output of this program can be used
> to violate security on ANY system that it's run on.

Boy, howdy. Have you ever seen COPS? "ANY" system? This program can't
be used to compromise systems that don't use crypt(3) as a password
encryption technique, and having shadow password files, different salts, or
just good (e.g. hard to guess) password files will eliminate the
effectiveness of a mere password cracker. The idea here, I believe, is
to share tools that will help secure a system, not to help people break
into them.

> The other problem with it is that it will degrade any system it runs on.

No kidding. That's really insightful. What do you think it will do --
improve performance?

> To all system managers: Look for the code on your machine and delete
> it! It's dangerous!!

Get real. In fact, as I recall, the version of cops at uxc.cso.uiuc.edu
(your own school) has a speeded up crypt engine that was put together by
paul pomes (a SA at your school.)

-- d

Rob Knauerhase

Aug 9, 1991, 4:49:38 PM

In article <edotto.6...@uipsuxb.ps.uiuc.edu> you write:
>Please be advised that using the results of this program on ANY Internet
>machine may be construable as a Federal Offense, punishable by 2 to 5
>years in a Federal Pen.

Is there some citation of law to back this up? Why in that case would it
apply only to Internet-connected machines? I'm not necessarily doubting that
such a law exists, but a concrete citation would be nice.

>I have looked at this code, and the output of this program can be used
>to violate security on ANY system that it's run on.

If by "to violate security" you mean that it can deduce the passwords of people
silly enough to choose passwords that it can deduce, you're right. That's
the whole point of it!

>The other problem with it is that it will degrade any system it runs on.

Assuming you mean degrade response time, sure. So does modelling every
molecule in a thunderstorm cloud. So does compiling Emacs. This in itself is
not a bad thing.
[In fact, if you're worried about response time, post an fcrypt patch so people
won't have to run it for such long periods! :) ]

>To all system managers: Look for the code on your machine and delete
>it! It's dangerous!!

Anyone who reads your post probably read the README file posted on alt.sources
as well, since if I remember correctly that post had "cracking passwords" or
something similar in the title line.

Aside from that, issues of "...delete it! It's dangerous!!" should be taken
to the Computers and Academic Freedom mailing list/newsgroups. While I can't
encourage "illegal" (more properly, unethical) behavior, I'd be pretty annoyed
if anyone with root could delete whatever he liked from my directories on a
whim.

Rob
--
Rob Knauerhase
kna...@robk.intel.com Intel Development Tools Operation (for the summer)
kna...@cs.uiuc.edu Univ. of Illinois, Dept. of CS, Gigabit Study Group
"If Berkeley didn't exist, there'd be no market for used VW parts."
-- cih...@cory.berkeley.edu

Kirk Hays

Aug 9, 1991, 5:36:06 PM
In article <edotto.6...@uipsuxb.ps.uiuc.edu>, edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:

Oh, jeez, here we go again.

Edward: hiding these things *does not* enhance security - any third year student
of Computer Science should be able to write such a program. My university
*required* writing such a program, to illustrate the falsehood of password
security.

Having them out in the open, on the other hand, allows people to test their
security *to a small degree* before a cracker does.

|> Please be advised that using the results of this program on ANY Internet
|> machine may be construable as a Federal Offense, punishable by 2 to 5
|> years in a Federal Pen.

Are you a lawyer? I'm not, and I say possessing this program is not a crime,
running it is not a crime, but using the results to break security *might* be, in
some jurisdictions.

I don't believe in prior restraint.

|> I have looked at this code, and the output of this program can be used
|> to violate security on ANY system that it's run on.

So? No protection scheme is unbreakable, and UNIX login passwords are laughable.

|> The other problem with it is that it will degrade any system it runs on.

So? The cycles were there, anyway.

|> To all system managers: Look for the code on your machine and delete
|> it! It's dangerous!!

Pshaw! Hysterics and chicken-little-ism. Crackers use more powerful programs
daily, and will no doubt be cruising into your machine in the near future, since
you choose to cover up the lax security at your site, rather than fixing the
problem.

I have a copy of the original posting, and I'll mail it to anyone who wants it.

Followups to alt.sources.d
--
Kirk Hays - NRA Life.
"History shows that it has always been a mistake to allow the subject
races to possess arms." - A. Hitler

Christopher Davis

Aug 9, 1991, 5:50:22 PM
[Followups to alt.security; this isn't sources, and shouldn't be in
alt.sources in the first place.]

Ed> == Edward C. Otto III <edo...@uipsuxb.ps.uiuc.edu>

Ed> Please be advised that using the results of this program on ANY
Ed> Internet machine may be construable as a Federal Offense,
Ed> punishable by 2 to 5 years in a Federal Pen.

Depends on what you use them for, doesn't it? After all, I might use it
to check the passwords on my system to make sure they're more secure!
*Gasp!* 5 years in the slammer for cracking a password I could change
myself in a minute:

eff% /bin/su
Password:
eff# passwd someuser
Changing password for someuser on eff.
New password:

Ed> I have looked at this code, and the output of this program can be
Ed> used to violate security on ANY system that it's run on.

This man apparently doesn't know what the term "shadow password" means.

Ed> The other problem with it is that it will degrade any system it
Ed> runs on.

So does X11R4. Or emacs. Or netnews :-). So what? Nice it down. Run
it on your workstation, if you're lucky enough to have one to yourself.
Buy a cheap 386 box and dedicate it.

Ed> To all system managers: Look for the code on your machine and
Ed> delete it! It's dangerous!!

To all people hiring system administrators: Look for this bozo and
don't hire him! He's dangerous!!

Insecure passwords are insecure, pure and simple. Even shadow
passwording isn't a cure-all for dumb password choices. (That's what
fascist passwd programs are for :-).

Crack, the COPS equivalent, and the like allow you to find and change
any dumb passwords on your system. They also allow crackers with no
creativity to find and abuse any dumb passwords on your system.

"It's a poor atom blaster that doesn't point both ways." These programs
are trivial to write (I could probably do one from scratch in C or perl
in under a half hour); may as well have the best one possible freely
obtainable for the system administrators who need it, and don't have
time to tune a fastcrypt.

Code is not dangerous. Information is not dangerous. Enforced
ignorance *is* dangerous.
--
Christopher Davis <c...@eff.org> | ELECTRONIC MAIL WORDS OF WISDOM #5:
System Manager & Postmaster | "Internet mail headers are
Electronic Frontier Foundation | not unlike giblets."
+1 617 864 0665 | -- Brian Reid <re...@decwrl.dec.com>

Kent Landfield

Aug 10, 1991, 11:31:42 PM
In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
>
>To all system managers: Look for the code on your machine and delete
>it! It's dangerous!!

TO ALL SYSTEM MANAGERS: Get this code, compile it, add local dictionaries
to it and *RUN IT*. It found things for us that the checking in COPS didn't.

Thanks from here go out to Alec Muffett (a...@aber.ac.uk) for posting such
a *useful* tool. Now my users are doing a much better job of selecting
passwords since they don't like me coming into their offices saying
"Guess what we cracked last night..." :-) Now the next thing I need to
locate is the largest dictionary on the Internet... :-) Any ideas for
FTP locations ? Thanks!

-Kent+
--
Kent Landfield INTERNET: ke...@sparky.IMD.Sterling.COM
Sterling Software, IMD UUCP: uunet!sparky!kent
Phone: (402) 291-8300 FAX: (402) 291-4362
Please send comp.sources.misc-related mail to ke...@uunet.uu.net.

Ranjan Bagchi

Aug 11, 1991, 6:21:25 PM
In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
>>TO ALL SYSTEM MANAGERS: Get this code, compile it, add local dictionaries
>>to it and *RUN IT*. It found things for us that the checking in COPS didn't.
>
>
>I did NOT say that this was not a useful tool - I said that it is a
>DANGEROUS tool to have in the hands of the users. QUITE a difference.

It's only dangerous if the sysadmin doesn't run it
herself. Jesus...it's not that difficult to figure out.

-rj
--
Ranjan Bagchi | All I need to know I learned in the Marines:
bag...@eecs.umich.edu | Eat all your vegetables; Make your bed
------------------------+ every day; warm moist footware leads to
severe problems with fungus; When someone tells you to, run full
speed at another person and stab them with a bayonet.

Joern Lubkoll

Aug 11, 1991, 7:49:51 PM
edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
[crack 3.1]

>To all system managers: Look for the code on your machine and delete
>it! It's dangerous!!

What about the people getting the passwd files and running crack or
a similar program on their systems at home?

What about the idiots choosing simple passwords for their accounts?

What about the system managers not trying to teach their users to use
passwords that are not easily breakable?

a lot of questions - but your suggestion is surely useless !

jl
--
Heaven: lu...@dobag.in-berlin.de Earth: lu...@methan.chemie.fu-berlin.de
lub...@opal.cs.tu-berlin.de

Delcina McMillan

Aug 12, 1991, 1:47:33 AM
This is alt.sources! A simple request was made as to where to find the source
code to a particular program. In all the responses I have seen, I have yet to
see one which guides the individual to the source code he requested.
The pros and cons of using this program were not the question, but various
people have made this a debate area for that purpose. I really don't care if
whomever requested it used it to crack Pentagon systems, I just really would
like to see the answer to his/her query which was made.
So I guess the question of the day (without dissertation) is the location of
CRACK 3.1.


--


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Kim C. Callis +

869883 Olsen Kurt_Consultant

Aug 12, 1991, 2:50:20 AM
In article <34...@usc.edu>, mcmi...@mizar.usc.edu (Delcina McMillan) writes:

>So I guess the question of the day (without dissertation) is the location of
>CRACK 3.1.

wuarchive.wustl.edu
in packages/

Kent Landfield

Aug 12, 1991, 2:41:32 AM
In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
>>>it! It's dangerous!!
>
>>TO ALL SYSTEM MANAGERS: Get this code, compile it, add local dictionaries
>>to it and *RUN IT*. It found things for us that the checking in COPS didn't.
>
>I did NOT say that this was not a useful tool - I said that it is a
>DANGEROUS tool to have in the hands of the users. QUITE a difference.

Sorry that I did not look where I was posting... Time to move this to a
discussion group of which alt.sources is not.

I was serious before when I requested information where to locate large
dictionaries. If anyone knows where to get a 200,000+ word dictionary
please let me know.

What follows is alt.sources.monitor fodder. :-) :-)

This is a small utility I put together to give the general user population
the ability to access the CD-ROM drives on Sun workstations without having
to be root. It was done over lunch so take a good look at it to assure that
there are no problems for your site. It has only been tested on Suns at
this point..
-Kent+
#! /bin/sh
# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".
# The tool that generated this appeared in the comp.sources.unix newsgroup;
# send mail to comp-sou...@uunet.uu.net if you want that tool.
# Contents: README Makefile cdmount.1 cdmount.c cdumount.1
# Wrapped by kent@sparky on Mon Aug 12 01:35:08 1991
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
echo If this archive is complete, you will see the following message:
echo ' "shar: End of archive 1 (of 1)."'
if test -f 'README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'README'\"
else
echo shar: Extracting \"'README'\" \(1186 characters\)
sed "s/^X//" >'README' <<'END_OF_FILE'
X
XThis directory contains sources for the administrator to allow general
Xusers to mount and access CD-ROMs without having to know the root
Xpassword. Mount is limited to root so the cdmount and cdumount commands
Xare needed to insure greater usability of the cdplayers and better overall
Xsecurity.
X
XThis software is Copyright (c) 1991 by Kent Landfield.
X
XPermission is hereby granted to copy, distribute or otherwise
Xuse any part of this package as long as you do not try to make
Xmoney from it or pretend that you wrote it. This copyright
Xnotice must be maintained in any copy made.
X
XUse of this software constitutes acceptance for use in an AS IS
Xcondition. There are NO warranties with regard to this software.
XIn no event shall the author be liable for any damages whatsoever
Xarising out of or in connection with the use or performance of this
Xsoftware. Any use of this software is at the user's own risk.
X
X If you make modifications to this software that you feel
X increases it usefulness for the rest of the community, please
X email the changes, enhancements, bug fixes as well as any and
X all ideas to me.
X
X Kent Landfield
X ke...@sparky.imd.sterling.com
X
END_OF_FILE
if test 1186 -ne `wc -c <'README'`; then
echo shar: \"'README'\" unpacked with wrong size!
fi
# end of 'README'
fi
if test -f 'Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Makefile'\"
else
echo shar: Extracting \"'Makefile'\" \(724 characters\)
sed "s/^X//" >'Makefile' <<'END_OF_FILE'
XDESTDIR=/usr/local/bin
XMANDIR=/usr/man/manl
X
Xall: cdmount cdumount
X
Xcdmount:
X $(CC) $(CFLAGS) -o cdmount cdmount.c
X
Xcdumount: cdmount.c
X chown root cdmount
X chgrp bin cdmount
X chmod u+s cdmount
X rm -f cdumount
X ln cdmount cdumount
X
Xinstall: all
X @echo "install according to local conventions"
X install -c -s -o root -g bin -m 6755 cdmount $(DESTDIR)
X rm -f $(DESTDIR)/cdumount
X ln $(DESTDIR)/cdmount $(DESTDIR)/cdumount
X install -c -o bin -g bin -m 0644 cdmount.1 $(MANDIR)/cdmount.l
X install -c -o bin -g bin -m 0644 cdumount.1 $(MANDIR)/cdumount.l
X
Xclean:
X rm -f cdmount cdumount
X
Xprint:
X cprint Makefile | lpr -Plw
X cprint README | lpr -Plw
X cprint cdmount.c | lpr -Plw
X psroff -man cdmount.1
X psroff -man cdumount.1
END_OF_FILE
if test 724 -ne `wc -c <'Makefile'`; then
echo shar: \"'Makefile'\" unpacked with wrong size!
fi
# end of 'Makefile'
fi
if test -f 'cdmount.1' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'cdmount.1'\"
else
echo shar: Extracting \"'cdmount.1'\" \(748 characters\)
sed "s/^X//" >'cdmount.1' <<'END_OF_FILE'
X.TH CDMOUNT 1 LOCAL
X.SH NAME
Xcdmount \- Mount a CD-ROM without being superuser
X.SH SYNOPSIS
X.B cdmount
X[
X.B \-dhnv
X] [
X.B \-m
X.I mountpoint
X]
X.SH DESCRIPTION
X.B cdmount
Xallows a user who is not the superuser to mount a CD-ROM. By default the
XCD is mounted on the directory /cdrom.
X.SH OPTIONS
X.IP "-d" 6
XDebugging, shows the mount command without executing it.
X.IP "-h"
XMount an ISO 9660 Standard or High Sierra Standard CD_ROM Filesystem.
X.IP "-n"
XDisallow setuid application execution allowed.
X.IP "-v"
XVerbose, show the mount command and execute it.
X.IP "-m mountpoint"
Xmount the cd at another location than the default
Xlocation of /cdrom
X.SH AUTHOR
XKent Landfield <ke...@sparky.imd.sterling.com>
X.SH "SEE ALSO"
Xcdumount(1), fstab(5), mount(8)
END_OF_FILE
if test 748 -ne `wc -c <'cdmount.1'`; then
echo shar: \"'cdmount.1'\" unpacked with wrong size!
fi
# end of 'cdmount.1'
fi
if test -f 'cdmount.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'cdmount.c'\"
else
echo shar: Extracting \"'cdmount.c'\" \(3854 characters\)
sed "s/^X//" >'cdmount.c' <<'END_OF_FILE'
X#include <stdio.h>
X#include <sys/types.h>
X#include <sys/stat.h>
X
Xvoid usage(progname)
Xchar *progname;
X{
X (void) fprintf(stderr, "\nusage: %s [ -dhnv ] [ -m mountpoint ]\n\
X\n\
Xoptions:\n\
X -d show the mount command without executing it\n\
X -h mount an ISO 9660 or High Sierra CD_ROM Filesystem\n\
X -n no setuid execution allowed\n\
X -v show the mount command and execute it\n\
X\n\
X -m mountpoint\n\
X mount the cd at another location than the default\n\
X location of /cdrom\n\
X\n", progname);
X}
X
Xint main(argc, argv)
Xint argc;
Xchar **argv;
X{
X int getopt();
X char *strrchr();
X
X extern char *optarg;
X extern int optind;
X extern int opterr;
X
X char *cp;
X char *mntpoint;
X char cmd[256];
X int rc;
X int debug;
X int nosuid;
X int iso9660;
X struct stat stb;
X
X if ((cp = strrchr(argv[0],'/')) != NULL)
X ++cp;
X else
X cp = argv[0];
X
X /*
X ** Setup IFS for system() protection...
X */
X if (putenv("IFS= \t\n") != 0) {
X (void) fprintf(stderr,"%s: putenv failed...\n", cp);
X return(1);
X }
X
X /*
X ** If the user is requesting to mount a CD..
X */
X if (strcmp(cp, "cdmount") == 0) {
X mntpoint = "/cdrom";
X nosuid = 0;
X iso9660 = 0;
X opterr = 0;
X debug = 0;
X
X if (argc > 1) {
X while ((rc = getopt(argc, argv, "dnhvm:")) != EOF) {
X switch (rc) {
X case 'd': /* debugging - does not run command. */
X debug = 1;
X break;
X case 'v': /* verbose - runs command. */
X debug = 2;
X break;
X case 'n':
X /*
X ** No setuid executables
X */
X nosuid++;
X break;
X case 'h':
X /*
X ** mount an ISO 9660 Standard or High
X ** Sierra Standard CD-ROM filesystem.
X */
X iso9660++;
X break;
X case 'm':
X /*
X ** get the optional mount point with
X ** minimual checking for sanity..
X */
X mntpoint = optarg;
X if (stat(mntpoint, &stb) != 0) {
X (void) fprintf(stderr, "%s: mount point missing\n",
X mntpoint);
X return(1);
X }
X if ((stb.st_mode & S_IFMT) != S_IFDIR) {
X (void) fprintf(stderr, "%s: invalid mount point\n",
X mntpoint);
X return(1);
X }
X break;
X default:
X usage(cp);
X return(1);
X }
X }
X }
X
X /* build the command line.. */
X
X (void) sprintf(cmd, "/etc/mount -r %s %s /dev/sr0 %s",
X iso9660 ? "-t hsfs" : "",
X nosuid ? "-o nosuid" : "",
X mntpoint);
X if (debug)
X (void) fprintf(stderr, "%s\n", cmd);
X if (debug != 1)
X rc = system(cmd);
X }
X
X /*
X ** The user is requesting to dismount a CD...
X */
X else if (strcmp(cp, "cdumount") == 0) {
X rc = system("/etc/umount /dev/sr0 && /usr/bin/eject /dev/sr0 2>/dev/null");
X }
X
X /*
X ** Improperly named/linked executables, I'm confused...
X */
X else {
X (void) fprintf(stderr, "%s: I don't know who I am... ? \n", cp);
X rc = 1;
X }
X return(rc >> 8);
X}
END_OF_FILE
if test 3854 -ne `wc -c <'cdmount.c'`; then
echo shar: \"'cdmount.c'\" unpacked with wrong size!
fi
# end of 'cdmount.c'
fi
if test -f 'cdumount.1' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'cdumount.1'\"
else
echo shar: Extracting \"'cdumount.1'\" \(354 characters\)
sed "s/^X//" >'cdumount.1' <<'END_OF_FILE'
X.TH CDUMOUNT 1 LOCAL
X.SH NAME
Xcdumount \- Unount a CD-ROM without being superuser
X.SH SYNOPSIS
X.B cdumount
X.SH DESCRIPTION
X.I cdumount
Xallows a user who is not the superuser to unmount a CD-ROM. The CD is
Xejected after it is successfully unmounted.
X.SH AUTHOR
XKent Landfield <ke...@sparky.imd.sterling.com>
X.SH "SEE ALSO"
Xcdmount(1), fstab(5), mount(8)
END_OF_FILE
if test 354 -ne `wc -c <'cdumount.1'`; then
echo shar: \"'cdumount.1'\" unpacked with wrong size!
fi
# end of 'cdumount.1'
fi
echo shar: End of archive 1 \(of 1\).
cp /dev/null ark1isdone
MISSING=""
for I in 1 ; do
if test ! -f ark${I}isdone ; then
MISSING="${MISSING} ${I}"
fi
done
if test "${MISSING}" = "" ; then
echo You have the archive.
rm -f ark[1-9]isdone
else
echo You still must unpack the following archives:
echo " " ${MISSING}
fi
exit 0
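
The cdmount.c in the archive above is installed setuid root, takes the `-m` mount point from the caller, checks only that it is an existing directory, formats it into a 256-byte buffer with `sprintf` and hands the result to `system()`. As an added example (not part of Kent Landfield's post or his code), the same mount invocation is built here as a fixed argument vector and run with `execve` under a fixed environment, so no shell parses the mount point; `MAX_MNT`, the allowed character set and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define MOUNT_PROG "/etc/mount"  /* program and device as in the posted cdmount.c */
#define CD_DEVICE  "/dev/sr0"
#define MAX_MNT    64            /* assumed local limit on mount point length */
#define ARGV_CAP   9             /* 8 arguments at most, plus the NULL terminator */

/* Pure syntax check: absolute path, bounded length, conservative character
 * set, no empty, "." or ".." components. Does not touch the filesystem. */
int mountpoint_syntax_ok(const char *p)
{
    size_t i, len, start, end, n;

    if (p == NULL || p[0] != '/')
        return 0;
    len = strlen(p);
    if (len < 2 || len >= MAX_MNT)          /* refuses "/" itself and long paths */
        return 0;
    for (i = 0; i < len; i++) {
        char c = p[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '/' || c == '_' ||
              c == '-' || c == '.'))
            return 0;                       /* spaces and shell metacharacters fail here */
    }
    for (start = 1; start <= len; start = end + 1) {
        for (end = start; end < len && p[end] != '/'; end++)
            ;
        n = end - start;
        if (n == 0)                         /* "//" or a trailing slash */
            return 0;
        if ((n == 1 && p[start] == '.') ||
            (n == 2 && p[start] == '.' && p[start + 1] == '.'))
            return 0;
    }
    return 1;
}

/* Syntax check plus lstat(): the final component must be a real directory,
 * not a symbolic link to one. */
int mountpoint_is_real_dir(const char *p)
{
    struct stat stb;

    if (!mountpoint_syntax_ok(p) || lstat(p, &stb) != 0)
        return 0;
    return S_ISDIR(stb.st_mode) ? 1 : 0;
}

/* Fill argv[] with the mount command as separate arguments.
 * Returns the argument count, or -1 if the vector is too small or the
 * mount point fails the syntax check. */
int build_mount_argv(const char *argv[], size_t cap, int iso9660, int nosuid,
                     const char *mnt)
{
    size_t n = 0;

    if (cap < ARGV_CAP || !mountpoint_syntax_ok(mnt))
        return -1;
    argv[n++] = MOUNT_PROG;
    argv[n++] = "-r";
    if (iso9660) { argv[n++] = "-t"; argv[n++] = "hsfs"; }
    if (nosuid)  { argv[n++] = "-o"; argv[n++] = "nosuid"; }
    argv[n++] = CD_DEVICE;
    argv[n++] = mnt;
    argv[n] = NULL;
    return (int)n;
}

/* Run argv[0] directly (no shell) with a fixed environment instead of the
 * caller's. Returns the child's exit status, or -1 on failure. */
int run_fixed(const char *argv[])
{
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], (char *const *)argv, clean_env);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *mnt = (argc > 1) ? argv[1] : "/cdrom";
    const char *vec[ARGV_CAP];
    int i, n;

    if (!mountpoint_is_real_dir(mnt) ||
        (n = build_mount_argv(vec, ARGV_CAP, 1, 1, mnt)) < 0) {
        fprintf(stderr, "%s: invalid mount point\n", mnt);
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("%s%s", vec[i], i + 1 < n ? " " : "\n");
    return (argc > 2) ? run_fixed(vec) : 0; /* print only unless a 2nd argument is given */
}
```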

Edward C. Otto III

Aug 13, 1991, 9:45:16 AM
ch...@tct.com (Chip Salzenberg) writes:

>According to edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III):


>>I did NOT say that this was not a useful tool - I said that it is a
>>DANGEROUS tool to have in the hands of the users. QUITE a difference.

>So's a chainsaw. I suppose we should keep them away from users, too.

Yes - if they are capable of using the tool to carve your system into
little chunks, it would be a good idea.

Would you give a chainsaw to a 6 year old? Not me - but I'd love to be
your lawyer to collect the hefty fees when you do.

Crack does not belong in the hands of the general user population
because I do know that there are people out there that waste systems -
mine was one 4 weeks ago.

Charles Hannum

Aug 13, 1991, 10:01:56 AM

> As far as CRACK31 being a cpu hog ... I think that was a **big**
> understatement. I ran it over 3 days on our Apollo DN10000 which is no slouch
> machine :-)

99.73% of all statistics are made up. All statistics are lies. Etc.

For that statistic to be more useful, you also need to state the size
of the dictionary, and the size of the password file. As it stands,
the statistic is utterly useless, except to propagandists.
--

Chip Salzenberg

Aug 12, 1991, 9:29:41 AM
According to edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III):
>I did NOT say that this was not a useful tool - I said that it is a
>DANGEROUS tool to have in the hands of the users. QUITE a difference.

So's a chainsaw. I suppose we should keep them away from users, too.

--
Chip Salzenberg at Teltronics/TCT <ch...@tct.com>, <uunet!pdn!tct!chip>
If you meet Ken Thompson on the road, kill him.

Ranjan Bagchi

Aug 13, 1991, 1:03:53 PM

Followups have been redirected:
In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:

>ch...@tct.com (Chip Salzenberg) writes:
>>So's a chainsaw. I suppose we should keep them away from users, too.
>
>Yes - if they are capable of using the tool to carve your system into
>little chunks, it would be a good idea.

Chainsaws can carve most anything into little chunks.


>
>Would you give a chainsaw to a 6 year old? Not me - but I'd love to be
>your lawyer to collect the hefty fees when you do.
>

Extending dumb analogies: Users are presumed to be of the
non 6 year old contingent. It's a dumb analogy.

>Crack does not belong in the hands of the general user population
>because I do know that there are people out there that waste systems -
>mine was one 4 weeks ago.

What kind of sysadmin are you? Have you run crack? Have you
fixed the holes it's told you about? Why do you care if your users
run a program that tells them you've got a bulletproof system (to the
eyes of crack)

If I were on your system, I'd keep a copy lying around just so
I'd have a way of knowing if my sysadmin likes going through my files.
Not something a sysadmin would want to get caught doing...

--
Ranjan Bagchi | All I need to know I learned in the Marines:
bag...@eecs.umich.edu | Eat all your vegetables; Make your bed
------------------------+ every day; warm moist footware leads to
severe problems with fungus; When someone tells you to, run full
speed at another person and stab them with a bayonet. (stolen quote)

Ian Hoyle

Aug 13, 1991, 7:02:33 AM
[I have moved this to alt.sources.d where discussion should belong ...]

edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:

>I have looked at this code, and the output of this program can be used
>to violate security on ANY system that it's run on.

>The other problem with it is that it will degrade any system it runs on.

>To all system managers: Look for the code on your machine and delete
>it! It's dangerous!!

Bullshit.

I have been involved in system admin here for some time. I *welcomed* seeing
CRACK31 in alt.sources. I have run it on all our systems here with local
additions to the dictionaries used in the lookups and found a disturbing
number of 'crackable' passwords. You can try and set local password policy
as stringently as possible, but if you use the standard 'passwd' utility
on machines to set users passwords, _someone_ will always try to use something
that is simple for them to remember, but which can easily compromise your
system security.

Having caught a bunch of people out after using CRACK31 I have shown them the
error of their ways and as a consequence I hope our system security here is
the tighter for the minimal effort involved.

As far as CRACK31 being a cpu hog ... I think that was a **big**
understatement. I ran it over 3 days on our Apollo DN10000 which is no slouch
machine :-)

ian
--
Dr Ian Hoyle : Senior Research Scientist
: Image Processing & Data Analysis Group
/\/\ : BHP Research - Melbourne Laboratories
/ / /\ : 245 Wellington Rd, Mulgrave, 3170, AUSTRALIA
/ / / \ : Phone +61-3-560-7066
/ / / /\ \ : FAX +61-3-561-6709
\ \/ / / / : E-mail ia...@resmel.bhp.com.au
\ / / / :
\/\/\/ : "Now I've got the bead on you with MY disintegrating gun.
: And when it disintegrates, it disintegrates. (pulls trigger)
: Well, what you do know, it disintegrated."
: -- Duck Dodgers in the 24th and a half century

Andrew Mowbray

Aug 12, 1991, 4:56:52 PM
z...@death.corp (dan) writes:

>In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
>> ehr...@cs.psu.edu (Dan Ehrlich) writes:
>>>Would someone tell me where I can find a copy of Crack 3.1?
>> Dan (and all others that would use this program!!)
>> Please be advised that using the results of this program on ANY Internet
>> machine may be construable as a Federal Offense, punishable by 2 to 5
>> years in a Federal Pen.

> Says who?

Although the use of "Crack'd" passwords to obtain unauthorised access might
amount to a Federal offence under US law, I doubt that the creation, use or
distribution of such programs would. I am also not sure how far you can
take the fact that a machine is on the Internet as a basis for Federal US
jurisdiction ...


Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(a)
1030. Fraud and related activity in connection with computers

(a) Whoever--

(1) knowingly accesses a computer without authorization or
exceeds authorized access, and by means of such conduct obtains
information that has been determined by the United States Government
pursuant to an Executive order or statute to require protection against
unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in paragraph r. of
section 11 of the Atomic Energy Act of 1954, with the intent or reason to
believe that such information so obtained is to be used to the injury of
the United States, or to the advantage of any foreign nation;

(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains information contained in a financial
record of a financial institution, or of a card issuer as defined in
section 1602(n) of title 15, or contained in a file of a consumer reporting
agency on a consumer, as such terms are defined in the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.);

(3) intentionally, without authorization to access any computer of a
department or agency of the United States, accesses such a computer of
that department or agency that is exclusively for the use of the
Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United
States and such conduct affects the use of the Government's operation of
such computer;

(4) knowingly and with intent to defraud, accesses a Federal interest computer
without authorization, or exceeds authorized access, and by means
of such conduct furthers the intended fraud and obtains anything of value,
unless the object of the fraud and the thing obtained consists only of the
use of the computer;

(5) intentionally accesses a Federal interest computer without authorization
and by means of one or more instances of such conduct alters, damages, or
destroys information in any such Federal interest computer, or prevents
authorized use of any such computer or information, and thereby--

(A) causes loss to one or more others of a value aggregating $1,000 or
more during any one year period; or
(B) modifies or impairs, or potentially modifies or impairs the medical
examination, medical diagnosis, medical treatment, or medical care of
one or more individuals; or

(6) knowingly and with intent to defraud traffics (as defined in section 1029)
in any password or similar information through which a computer may be
accessed without authorization, if--

(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;

shall be punished as provided in subsection (c) of this section.


Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(b)

(b) Whoever attempts to commit an offense under subsection (a) of this section
shall be punished as provided in subsection (c) of this section.


Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(c)

(c) The punishment for an offense under subsection (a) or (b) of this
section is -

(1)(A) a fine under this title or imprisonment for not more than ten years or
both, in the case of an offense under subsection (a)(1) of this section
which does not occur after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years,
or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and

(2)(A) a fine under this title or imprisonment for not more than one year, or
both, in the case of an offense under subsection (a)(2), (a)(3) or
(a)(6) of this section which does not occur after a conviction for
another offense under such subsection, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(2), (a)(3) or
(a)(6) of this section which occurs after a conviction for another
offense under such subsection, or an attempt to commit an offense
punishable under this subparagraph; and

(3)(A) a fine under this title or imprisonment for not more than five years or
both, in the case of an offense under subsection (a)(4) or (a)(5) of
this section which does not occur after a conviction for another
offense under such subsection, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or
both, in the case of an offense under subsection (a)(4) or (a)(5) of
this section which occurs after a conviction for another offense under
such subsection, or an attempt to commit an offense punishable under
this subparagraph.

.....


-----
Andrew Mowbray Internet: and...@lexsun.law.uts.edu.au
Faculty of Law Phone: +61 2 218 9709
University of Technology, Sydney Fax: +61 2 281 6994
P.O. Box 123 BROADWAY NSW 2007

Alec David Muffett

Aug 14, 1991, 4:49:28 AM
In article <34...@usc.edu> mcmi...@mizar.usc.edu (Delcina McMillan) writes:
>So I guess the question of the day (without dissertation) is the location of
>CRACK 3.1.

Crack v3.1 is available for anonymous ftp:-

Site: wuarchive.wustl.edu [128.252.135.4]
File: ~/packages/crack3.1.tar.Z

Crack v3.2 is being worked on and will be posted to USENET with fcrypt()
as standard (real soon now...)

alec
--
INET: a...@aber.ac.uk JANET: a...@uk.ac.aber BITNET: aem%aber@ukacrl
UUCP: ...!mcsun!ukc!aber!aem ARPA: aem%uk.ac...@nsfnet-relay.ac.uk
SNAIL: Alec Muffett, Computer Unit, Llandinam UCW, Aberystwyth, UK, SY23 3DB

Bill Fenner

Aug 14, 1991, 11:18:36 AM

Gosh, Chuck Hannum shows up again, and he's still a dweenis. What a surprise.

--
Bill Fenner fen...@jazz.psu.edu ..psuvax1!hogbbs!wcfpc!wcf
w...@hogbbs.scol.pa.us (+1 814 238-9633 2400MNP5)

Matthew Farwell

Aug 14, 1991, 4:45:27 PM
In article <andrew.682030612@lexsun> and...@lexsun.law.uts.edu.au (Andrew Mowbray) writes:
>z...@death.corp (dan) writes:
>>In article <edotto.6...@uipsuxb.ps.uiuc.edu> edo...@uipsuxb.ps.uiuc.edu (Edward C. Otto III) writes:
>>> ehr...@cs.psu.edu (Dan Ehrlich) writes:
>>>>Would someone tell me where I can find a copy of Crack 3.1?
>>> Dan (and all others that would use this program!!)
>>> Please be advised that using the results of this program on ANY Internet
>>> machine may be construable as a Federal Offense, punishable by 2 to 5
>>> years in a Federal Pen.
>> Says who?
>Although the use of "Crack'd" passwords to obtain unauthorised access might
>amount to a Federal offence under US law, I doubt that the creation, use or
>distribution of such programs would. I am also not sure how far you can
>take the fact that a machine is on the Internet as a basis for Federal US
>jurisdiction ...

Added to the fact that the machine from which the source was posted
(aber.ac.uk) is not (as far as I know) yet on the Internet, the person
who posted it is British, I shouldn't imagine that any agency in the US
has any jurisdiction at all.

Dylan.
--
Matthew J Farwell: dy...@ibmpcug.co.uk || ...!uunet!ukc!ibmpcug!dylan
"Romana, Meglos is near!!" "How do you know Doctor?"
"I just get this prickly feeling all over"

Kevin D. Quitt

Aug 14, 1991, 6:58:22 PM
In article <1991Aug14....@ecl.psu.edu> fen...@jazz.psu.edu (Bill Fenner) writes:
>In article <MYCROFT.91...@geech.gnu.ai.mit.edu> myc...@geech.gnu.ai.mit.edu (Charles Hannum) writes:
>|
>|99.73% of all statistics are made up. All statistics are lies. Etc.
>
>Gosh, Chuck Hannum shows up again, and he's still a dweenis. What a surprise.

Yeah, and what's even worse is he misquoted my .sig!

--
_
Kevin D. Quitt srhqla!venus!kdq kdq%ve...@sr.com
3D systems, inc. 26081 Avenue Hall Valencia, CA 91355
VOICE (805) 295-5600 x430 FAX (805) 257-1200

96.37% of all statistics are made up.

Bill Perry

Aug 15, 1991, 4:31:36 PM

You know, I am amazed at the number of people that are concerning themselves
with this issue. If a SYSADM is really concerned about losing control
over passwords, he needs a new version of the passwd command.

All you have to do is just disallow the simple password to be entered in the
first place. The code is very trivial and you could extract much of it
from crack if you are extremely lazy.

Just keep in mind that any system that allows all users to read a passwd
file that actually contains passwords is subject to password cracking.

Also keep in mind that the technology exists today that a person can
take the crypt() algorithm and put it into silicon and guess passwords
'instantly'. Programmable gate arrays are now large enough to be able to
do this so resorting to custom silicon is not necessary.

Anybody that is worried about people guessing passwords is extremely naive.
People that are interested in guessing passwords are probably technical
enough to write their own password cracker. The code is quite trivial.


Bill Perry

uunet!iphase!bap
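
The check described in the post above (refusing a weak password at the moment it is set), as an added example that is not part of the thread and is not code from Crack. The names `refuse_reason`, `MIN_LEN` and `SAMPLE_WORDS`, the length policy and the word list are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

#define MIN_LEN 8 /* assumed site policy, not taken from the thread */

/* Constructed sample list: account name, a first name, a common word. */
const char *const SAMPLE_WORDS[] = { "alice", "jennifer", "password" };

/* Lowercase src into dst, dropping leading and trailing non-letters,
   so "Jennifer1" and "jennifer" compare equal. */
static void normalize(const char *src, char *dst, size_t cap) {
    size_t n = strlen(src), i = 0, j = 0;
    while (n > 0 && !isalpha((unsigned char)src[n - 1])) n--;
    while (i < n && !isalpha((unsigned char)src[i])) i++;
    for (; i < n && j + 1 < cap; i++)
        dst[j++] = (char)tolower((unsigned char)src[i]);
    dst[j] = '\0';
}

static void reverse(char *s) {
    size_t i = 0, j = strlen(s);
    for (; i + 1 < j; i++, j--) {
        char t = s[i]; s[i] = s[j - 1]; s[j - 1] = t;
    }
}

/* Returns NULL when the candidate is acceptable, else the reason it is
   refused. words[] entries must be lowercase. */
const char *refuse_reason(const char *pw, const char *const *words, size_t nwords) {
    char fwd[64], rev[64];
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t i;
    if (strlen(pw) < MIN_LEN) return "too short";
    for (i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < 2) return "single character class";
    normalize(pw, fwd, sizeof fwd);
    strcpy(rev, fwd);
    reverse(rev);
    for (i = 0; i < nwords; i++)
        if (strcmp(fwd, words[i]) == 0 || strcmp(rev, words[i]) == 0)
            return "name or dictionary word";
    return NULL;
}
```

A passwd replacement would call this before hashing the new password, passing the account name, the words of the GECOS field and the site dictionary as `words`.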

Andrew Phillips

Aug 16, 1991, 8:24:16 AM
In article <1991Aug11.0...@sparky.IMD.Sterling.COM> ke...@sparky.IMD.Sterling.COM (Kent Landfield) writes:
>... Now the next thing I need to
>locate is the largest dictionary on the Internet... :-) Any ideas for
>FTP locations ? Thanks!

What I really need now is a file of names, particularly women's
names. (I believe they are commonly used for passwords.) Anyone
have one?

Followups to a.s.d.

Thanks in advance.

Andrew.
--
Andrew Phillips (and...@teslab.lab.oz.au) Phone +61 (Aust) 2 (Sydney) 287 6551
