
Crack5: ANNOUNCE: Daily Telegraph Article


Alec Muffett

Dec 27, 1996, 3:00:00 AM

I gather (from the journalist concerned) that next week's (tuesday?)
Daily Telegraph Computing Section will carry an article regarding the
release of Crack5, in which "most security experts" are "highly
critical" of "gifted amateurs" (!) such as myself, who "irresponsibly"
release software such as Crack, SATAN, COPS, etc, onto the net.

I've chatted with the fellow quite extensively, and also gather that he
was unable (in the midst of the christmas break) to find any "security experts"
who could find a good word to say about Crack; undeterred, I've had a go at
putting a positive spin on the matter, and can only but hope that between
his hands and the final print that I don't wind up looking a villain
- I suspect I shan't, but you never know...

Regardless, I must admit that I look forward to the almost inevitable
furore with some enthusiasm. 8-)

Followups set to comp.security.unix.

- alec

--
alec muffett, oxford, england
please reply to: "alecm" at "crypto.dircon.co.uk"
http://www.users.dircon.co.uk/~crypto/

Andy Dingley

Dec 29, 1996, 3:00:00 AM

The moving finger of Alec Muffett <al...@crypto.dircon.co.uk%antispam>
having written:

>release of Crack5, in which "most security experts" are "highly
>critical" of "gifted amateurs"

>I've had a go at putting a positive spin on the matter,


Spin ? Spin ? Where do I know that word from.....

Eureka ! How about asking what would have happened if the New Labour
website's sysadmins had been a little more clued up on the use of
Crack ?

--
Analyst Programmer: A grunt coder who wouldn't
think of taking a job described as "grunt coder".

Alec Muffett

Dec 31, 1996, 3:00:00 AM

(followups set to comp.security.unix)

> I gather (from the journalist concerned) that next week's (tuesday?)
> Daily Telegraph Computing Section will carry an article regarding the
> release of Crack5, in which "most security experts" are "highly
> critical" of "gifted amateurs" (!) such as myself, who "irresponsibly"
> release software such as Crack, SATAN, COPS, etc, onto the net.

Said article has now been published, and is available from:

http://www.telegraph.co.uk/

...in the "Connected" section; you have to go through their
"registration" process in order to read the full text, the byline of
which reads:

Hacker 'crowbar' released on Net
Security professionals have condemned the release of a
powerful 'password cracker', reports Michael McCormack

THE WORLD's most powerful password cracker was released over
the Internet this Christmas, bringing the wrath of Britain's
computer security professionals down on the head of its
Oxford-based author.

- far be it from me to repost the entire text of the article here.


If you go read it, comments can be directed to

conn...@telegraph.co.uk
and/or: dtle...@telegraph.co.uk

The latter is the editor's address, for which phone numbers are
apparently requested.


What I find most amusing is to ponder the credentials of the "security
experts" they cite, who say things like:

Muffett's solution has not gone down well with computer
security advisors, who say they will now be forced to devote
resources to stopping Crack-assisted attacks.

- as if the job of a security consultant or manager was to do as
little as possible; and as if they haven't been doing this already.

If not, then they've been being severely lax for the past 5 years or so.

Apparently one of the security consultants (I don't know which) that
the journalist interviewed was so ignorant of the existence of "Crack"
for the past 6 years, that he started deriding me for (to paraphrase)
"obviously trying to whip up hysteria in order to sell a new product",
before being thunderstruck to find out that Crack was freeware.

<sigh> - makes you wonder how useful his advice is to the real world.

William Unruh

Dec 31, 1996, 3:00:00 AM

In <m3916f5...@crypto.dircon.co.uk> Alec Muffett <al...@crypto.dircon.co.uk%antispam> writes:

*>Said article has now been published, and is available from:

*> http://www.telegraph.co.uk/

*>...in the "Connected" section; you have to go through their
*>"registration" process in order to read the full text, the byline of

What are the laws in the UK regarding the misuse of data? It seems that
the Telegraph is collecting a huge amount of data which is none of their
business in this "registration", and they give no opportunity to "bow
out" either. I thought the UK laws were stronger than this.
--
Bill Unruh
un...@physics.ubc.ca

Christian Kuehnke

Jan 1, 1997, 3:00:00 AM

Alec Muffett <al...@crypto.dircon.co.uk%antispam> writes:
>(...)
> THE WORLD's most powerful password cracker was released over
> the Internet this Christmas, bringing the wrath of Britain's
> computer security professionals down on the head of its
> Oxford-based author.
>
> - far be it from me to repost the entire text of the article here.

And I once thought the Telegraph was a reputable paper. Of course, the
Times never would have published such nonsense... ;-) ;-)

Completely off-topic,
Christian
--
Christia...@Informatik.Uni-Oldenburg.DE|Tel.: +49 441 592 652 (private)
...sweeping the dropped |Tel.: +49 441 798 2978 (work)
packets off the floor... |Fax : +49 441 798 2980 (work)

David Hopwood

Jan 1, 1997, 3:00:00 AM

In message <5ac2r2$q...@nntp.ucs.ubc.ca>
un...@physics.ubc.ca (William Unruh) writes:

> *> http://www.telegraph.co.uk/

You're probably thinking of the Data Protection Act 1984, which requires the
database owner to be registered with a central agency, to allow people to
look at the data that is stored about them, and allow them to get it changed,
if it is inaccurate.

The act doesn't stop anyone who is registered under it from collecting data.
Also, in this case the user does have an opportunity to bow out, simply by
not submitting the form.

[Disclaimer: I'm not a lawyer.]

In any case, giving out personal details just to get access to public data
does annoy me, so I normally use something like 'anon' as username and password
(feel free to do the same), and fill in just enough junk for the address, etc.
to fool the validation routines. From the number of times there is an existing
user called 'foo' or 'bar', I suspect a lot of other people do this as well.

David Hopwood
david....@lmh.ox.ac.uk, hop...@zetnet.co.uk

Jim Reid

Jan 1, 1997, 3:00:00 AM

un...@physics.ubc.ca (William Unruh) writes:

> What are the laws in the UK regarding the Misuse of data. It seems that
> the Telegraph is collecting a huge amount of data which is none of their
> business in this "registration", and they give no opportunity to "bow
> out" either. I thought the UK laws were stronger than this.

The UK has a Data Protection Act, but it's essentially useless. I
don't think there have been any prosecutions. The Registrar's office
is more concerned with getting organisations to register their use of
personal data rather than pursue them for processing personal data in
a way which they've not registered. [Personal data means anything
which identifies a living person and the processing may well include
non-computer systems such as card indexes and microfiche.] The
registration procedures and usage classifications are so vague, they
are meaningless. If the Telegraph registers the fact that they process
personal data for marketing purposes, that's good enough under the
Act. There's no need to explicitly define what personal data is being
processed, what is actually being done with it or what those marketing
purposes actually are.

Gus

Jan 1, 1997, 3:00:00 AM

Alec Muffett (al...@crypto.dircon.co.uk%antispam) wrote:
: I gather (from the journalist concerned) that next week's (tuesday?)
: Daily Telegraph Computing Section will carry an article regarding the
: release of Crack5, in which "most security experts" are "highly
: critical" of "gifted amateurs" (!) such as myself, who "irresponsibly"
: release software such as Crack, SATAN, COPS, etc, onto the net.

The article was indeed in the Tuesday edition, and once again provided an
opportunity for Michael McCormack to make an abject fool of himself.

The usual analogies were all present and correct, comparisons to handguns
being given out etc.

Headline:
HACKER 'CROWBAR' RELEASED ON NET
Security professionals have condemned the release of a powerful 'password
cracker', reports Michael McCormack

Quotable Quotes:
"What he's done is irresponsible. This is like a gun control advocate
arming half the criminal population to highlight the dangers of guns"
-- Peter Verreck, Computer Forensics Ltd.
"Security advisers have been severely critical...comparing his action
to 'handing out guns at the exit gate of a prison'"
-- Unattributed
"The people who gain the most by applying Crack aren't the big
companies who have security budgets; they're the small Internet-connected
companies or laboratories who need something simple and free to keep
themselves secure"
-- Alec Muffett


Followups set to comp.security.unix

--
- an...@intasys.com -
= http://www.thepulse.co.uk/angus =
-= 82 AA 4D 7F D8 45 58 05 6D 1B 1A 72 1E DB 31 B5 =-
The gods have gone. Now is the time of men.


Kevin Kealy

Jan 2, 1997, 3:00:00 AM

Andy Dingley (din...@codesmth.demon.co.uk) wrote:

: Eureka ! How about asking what would have happened if the New Labour
: website's sysadmins had been a little more clued up on the use of
: Crack ?

Looks like Xara have a little learning to do... :-) They appear to host
the pages...

--
Kevin
--Fishing for crap in a sea of good sense

Bennett Todd

Jan 2, 1997, 3:00:00 AM

Alec Muffett <al...@crypto.dircon.co.uk> wrote:
>Said article has now been published, and is available from:
>
> http://www.telegraph.co.uk/
>
>...in the "Connected" section [...]

Well, I read it, and wrote a reply:

From: b...@interactive.net (Bennett Todd)
Subject: Re: Hacker 'crowbar' released on Net
To: et.le...@telegraph.co.uk, conn...@telegraph.co.uk
Date: Thu, 2 Jan 1997 09:17:01 -0500 (EST)

In the connected column "Hacker 'crowbar' released on Net" many mistakes were
made. For a few examples:

__Security professionals have condemned the release of a powerful
'password cracker', reports _Michael McCormack_

Michael McCormack couldn't have found any "Security professionals" to ask;
what was his procedure for attempting to find some? Security professionals
rejoice the availability of good tools to help them improve security. The only
people who criticise the availability of tools like Crack are those who don't
understand the basics of computer security, and of course computer criminals
who would prefer that our systems remain vulnerable.

THE [...] password cracker was released over the Internet this Christmas,
bringing the wrath of Britain's computer security professionals down on the
head of its Oxford-based author.

Again, if Britain's computer security professionals are feeling wroth, Britain
urgently needs to trade in their current crop on a fresh batch --- they've
gone stale. However, I don't think that's the case; Alec Muffett, for example,
is one of the world's leading computer security professionals.

There follows some discussion, including comments from Alec Muffett himself.
To Michael McCormack's credit, these appear to be reasonable and balanced
comments; a careful reader, who examines the whole article, can see that the
"computer professionals" surveyed by the author of this column must be
completely incompetent and horribly unprofessional. But should a reader be
required to work so hard?

Peter Verreck, of Computer Forensics Ltd, said: "What he's done is
extremely irresponsible.

Peter Verreck, presumably, would rather remain ignorant of the problem.
Providing Crack5 to the internet didn't make it become possible to do this
kind of attacking: it has been possible since before Alec first turned his
attentions to this problem. Rather, it made it much easier to competent and
concerned security professionals to take effective action to protect their
systems.

A systems administrator at one of Britain's largest universities said:
"[...] Gifted amateurs come up with very useful and innovative programs but
release them to anyone who shows an interest.

It's easy to find ignorant systems administrators at large universities;
that's where most systems administrators get their start, and nobody is born
knowledgeable about systems administration. If the author had quoted perhaps a
senior systems administrator at a large financial institution, he would have
gotten a different answer. As it is, anyone who calls Alec Muffett a ``gifted
amateur'' is evidently not qualified to comment on computer security issues.

-Bennett

Alec Muffett

Jan 3, 1997, 3:00:00 AM

b...@nospam.interactive.net (Bennett Todd) writes:

> Well, I read it, and wrote a reply:

Well, I want to say "thanks" to you and to everyone else who wrote in;
I just had a (very nice, polite) e-mail from the editor of the
"Connected" section, thanking me for the official reply which I sent
to the Editor, as well as querying whether I thought the article was
fair "in general?"

The short version of my reply is that there's nothing I can argue
with, but I think the article's content is biased to whip up a "story"
(or should that be a "***!STORY!***") where one doesn't really exist.

(At least, this was the conclusion me and the guy from the Sunday Times
came up with...)

Some consolation might be gathered in that the number of hits on the
website has doubled since the article came out, though how much of
this is attributable to the end of xmas holidays I can't guess.

> Again, if Britain's computer security professionals are feeling wroth, Britain
> urgently needs to trade in their current crop on a fresh batch

That's the amusing bit - I have heard not a peep of wroth about Crack
since 1991, apart from that which McCormack reports. Perhaps I just
mix with the wrong crowd. 8-)

> Peter Verreck, of Computer Forensics Ltd, said: "What he's done is
> extremely irresponsible.
>
> Peter Verreck, presumably, would rather remain ignorant of the problem.

An anonymous but trustworthy source informs me that Verreck is
actually quite a nice, competent, guy who is a computer security
consultant for some very big UK "establishment" organisations. I'm
willing to take this on trust, so I presume therefore that Verreck must
be one of the NSA-style old-school of computer security, who hasn't
yet run into us Internetted full-disclosure-types yet.

Ah, we are such rebels, aren't we? Only been around ~10 years, since
the approximate release of "COPS"... 8-)

- thanks again,

- alec

--
# If you e-mail a reply to this message, please modify the "To:" address.
# alec muffett, oxford, uk - http://www.users.dircon.co.uk/~crypto/
# below: password cracker in one line of perl; echo guess | perl [args]
perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent'

Tim Kramer

Jan 3, 1997, 3:00:00 AM

I responded directly to the Telegraph. I tried to point out the
misconceptions in the article.

The one that irked me the most was:

Muffett's solution has not gone down well with computer
security advisors, who say they will now be forced to
devote resources to stopping Crack-assisted attacks.

and

"He might have given copies to security professionals and
let them circulate the program amongst themselves. It is
a race to see if we can get it installed before anyone uses
it against us."

Duh! If the so-called "security advisors" haven't already been
"devoting resources to stopping Crack-assisted attacks" they should
be fired (or even shot) for incompetence. This is VERSION 5.0
(sorry for the shouting) of a program that has been available for
years!

"It's a race to see if we can get it installed...." Huh? Your
having Crack installed on your system will prevent anyone else from
using it to cause damage?

Does anyone else here pick up on the point: a hacker needs a copy of
your system's passwd file to be able to use Crack. If he already
has that, you already have a problem that banning Crack won't correct.

My closing comment was that Mr. McCormack indulged in a little
sensationalism to write his article (along with improperly researching
his topic).


--
-- Linux User Support Team: http://www.ch4549.org/lust/ --
*What to do if you find the monkey that can tap out the Declaration *
*of independence on his typewriter: Refer to him as Mr. President and*
*immediately contact the secret service!  *

Alex Bligh

Jan 3, 1997, 3:00:00 AM

Kevin Kealy wrote:
>
> Andy Dingley (din...@codesmth.demon.co.uk) wrote:
>
> : Eureka ! How about asking what would have happened if the New Labour
> : website's sysadmins had been a little more clued up on the use of
> : Crack ?
>
> Looks like Xara have a little learning to do... :-) They appear to host
> the pages...

Xara provide Internet connectivity, physical space, power etc. for colocated
servers. We don't (in general) even have logins. This particular server isn't
even a colocated server, it is hosted by one of our customers. I don't
know whether they have a login or not. We were neither told about any attack
nor asked to trace it, though we would have been happy to cooperate
(obviously).

Hint: Before you start throwing wild accusations about, get the facts right (or
go work for a newspaper) :-)

diamond[amb].172$ nslookup www.labour.org.uk
Server: ns2.xara.net
Address: 194.143.161.107

Name: www.labour.org.uk
Address: 195.224.50.28

diamond[amb].173$ whois -h whois.ripe.net 195.224.50.28

inetnum: 195.224.50.0 - 195.224.51.255
netname: POPTEL
descr: Internet Service Provider
descr: Soft Solution Ltd
descr: Rutherford House
descr: Manchester Science Park
descr: Pencroft Way
descr: Manchester M15 6GG
country: GB
admin-c: CW53-RIPE
tech-c: DA36-RIPE
rev-srv: ns1.poptel.org.uk
rev-srv: ns2.xara.net
rev-srv: ns3.xara.net
status: ASSIGNED PA
notify: ni...@xara.net
mnt-by: AS5413-MNT
changed: ru...@xara.net 960906
changed: r...@xara.net 960926
source: RIPE

Alex Bligh
Xara Networks

John Todd

Jan 3, 1997, 3:00:00 AM

As a slight diversion from the topic, is anyone surprised that the article
appeared in the Telegraph? I find it fascinating that a broadsheet should
have a weekly computer/net supplement, but be so rabidly anti-net in the
body of the paper. In the past year, I can't put mind to a single pro-net
or neutral story, but no chance is missed to rubbish the net: the Demon
Internet 'controversy' is a good example. The Telegraph's writers are
particularly adept at emphasising the use of e-mail by paedophiles and pron
fans; attention is invariably drawn in the headline to any net involvement.

JT
--
All your dreams will come true. All my dreams came true.
Now I have a bunch of other dreams.
Sonic Youth


lam...@nospam.washington.edu

Jan 4, 1997, 3:00:00 AM

b...@nospam.interactive.net (Bennett Todd) writes:
> Peter Verreck, of Computer Forensics Ltd, said: "What he's done is
> extremely irresponsible.
>
>Peter Verreck, presumably, would rather remain ignorant of the problem.
>Providing Crack5 to the internet didn't make it become possible to do this
>kind of attacking: it has been possible since before Alec first turned his
>attentions to this problem. Rather, it made it much easier to competent and
>concerned security professionals to take effective action to protect their
>systems.

As a system administrator, I have better things to do with my time than to
figure out every possible ruleset crackers could run against my passwd
file -- and I'm quite appreciative that Alec has done a much better job for
me than I could have done.

And in case anyone hasn't already noticed the "Daily Telegraph" is compleat
crap -- they love publishing these kinds of stories...

--
Lamont Granquist (lamontg @ u.washington.edu) ICBM: 47 39'23"N 122 18'19"W
"First consider a spherical chicken..."
unsolicited commercial e-mail->contacting your ISP to remove your net.access

Randal Schwartz

Jan 12, 1997, 3:00:00 AM

>>>>> "lamontg" == lamontg <lam...@nospam.washington.edu> writes:

lamontg> As a system administrator, I have better things to do with my
lamontg> time than to figure out every possible ruleset crackers could
lamontg> run against my passwd file -- and I'm quite appreciative that
lamontg> Alec has done a much better job for me than I could have
lamontg> done.

Indeed, the use of $ as "s" (as in "pre$ident", the now famous
password that forms the kingpin of the case against me) was something
added between crack3 and crack4. This was a pleasant
surprise... although the "pleasant" rapidly disappeared when the cops
showed up. :-(

For more information about a particularly famous real-life use of
crack that made me appear to be conducting felonious activity, visit
http://www.lightlink.com/fors/, or send a blank message to
fu...@stonehenge.com.

print "Just another Perl hacker," # but not what the media calls "hacker!" :-)
## legal fund: $20,495.69 collected, $182,159.85 spent; just 596 more days
## before I go to *prison* for 90 days; email fu...@stonehenge.com for details

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <mer...@stonehenge.com> Snail: (Call) PGP-Key: (finger mer...@ora.com)
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me

Alun Jones

Feb 5, 1997, 3:00:00 AM

In article <5acmv3$h...@news.Informatik.Uni-Oldenburg.DE>, "Christian Kuehnke" <Christia...@arbi.Informatik.Uni-Oldenburg.DE> wrote:
>
>Alec Muffett <al...@crypto.dircon.co.uk%antispam> writes:
>>(...)
>> THE WORLD's most powerful password cracker was released over
>> the Internet this Christmas, bringing the wrath of Britain's
>> computer security professionals down on the head of its
>> Oxford-based author.
>>
>> - far be it from me to repost the entire text of the article here.
>
>And I once thought the Telegraph was a reputable paper. Of course, the
>Times never would have published such nonsense... ;-) ;-)

To the editor:

Dear Sir,

I believe I heard the first cuckoo of spring today. Sadly, he was being
quoted in your "Connected" section.

Yours,
Major Bill "Tufty" Rumpington-Smythe.
