Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rochester!pt!ius2.cs.cmu.edu!edw
From: edw@ius2.cs.cmu.edu (Eddie Wyatt)
Newsgroups: misc.headlines,comp.misc
Subject: Re: Re: Hacker Scholarship
Message-ID: <1211@ius2.cs.cmu.edu>
Date: Sun, 21-Jun-87 17:06:20 EDT
Article-I.D.: ius2.1211
Posted: Sun Jun 21 17:06:20 1987
Date-Received: Sun, 5-Jul-87 09:39:38 EDT
References: <532@houxa.UUCP> <183@dana.UUCP>
Organization: Carnegie-Mellon University, CS/RI
Lines: 82
Xref: mnetor misc.headlines:854 comp.misc:793



  Mel Hass seems to advocate a philosophy similar to "if you don't
protect yourself then you deserve what you get."  I don't think most people
would say that just because you make yourself vulnerable you deserve to
become a victim.

  There are measures one can take to prevent becoming a victim, however, and
this is the stand I believe Wozniak is taking.  As an example - just because
you leave your car unlocked doesn't mean that you are asking someone to steal
your car, but you should also realize that the chances of it getting
stolen are greater.  If you install an alarm system or steering wheel
lock then the chances of it getting stolen are less.

  To install an alarm system, so to speak, in a computer system
you must first understand how the thief is breaking the existing
security features.  As others have pointed out, the problem of
hackers breaking your systems won't go away with a wave of legislation's
magic wand.

  The computer science community should do everything possible to improve
security. The first step in this process is to find the loopholes
in existing systems.  Second, fix these loopholes.  And finally,
incorporate these changes in new systems.

  This method of course has some practical throw backs, such as
in finding loopholes in a system, any other company that owns
such a system is now vulnerable if such knowledge is made publicly
available.

  Let me share three cases of security problems I know of.


	case 1. (Source OS class)  Linear password decomposition algorithm.

	Two very interesting utilities in a certain unknown OS combined to
	provide a technique of decoding any password in linear time respective
	of the length of the password.  The utilities were a facility
	for determining when a page fault occurred in an application
	program so that the user could finely tune a program's performance
	and the other happened to be the password utility and the way
	in which it was coded.  The password function read in a character
	at a time and compared it to the system password.  If the given
	character didn't match, the password function would jump to another
	place in the program causing a page fault, then continue reading the
	rest of the password.  One can obviously see how the method
	works.  Type in a character, see if there is a page fault.
	If so, start again with a new character, else look for the next
	character in the password.  The fix to the problem is also obvious,
	that is, read the whole password before testing to see if it
	matches the system password.


	case 2. (Source the University I used to attend) Reduced
	search space algorithm.

	At the university I used to attend, they used to issue the
	initial passwords to the user's birthday.  Well, this made a
	brute force attempt at decoding passwords feasible; I need
	not say more.  The fix here was to initialize the passwords
	to some 7 digit random number.

	case 3. (Source the University I used to attend and a high
	school near where I lived - 2 different systems)

	I don't know what the actual bug in each system was, but
	I do know of the results.  Someone had access to the grade
	accounts and, for a small fee, would change that D or F to
	a B or A.  As I understand, this may have been going on
	for years.  At the high school the person that committed
	the act was caught and was only expelled for a year.
	At the university, as far as I know, no one was caught for
	grade changing.  The person that pointed out the problem,
	by actually committing the act for the administration to
	see, caught an unreasonable amount of flak and may have
	had charges brought against him/her.
-- 
					Eddie Wyatt

e-mail: edw@ius2.cs.cmu.edu

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
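
Added example, not part of the original post: case 1's character-at-a-time check beside a check that follows the stated fix. The fault_at variable is a constructed stand-in for the page-fault signal, the function names and sample strings are assumptions, and the branch-free comparison goes one step beyond the post's fix of reading the whole password first.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the page-fault signal in case 1: the index at
   which the check took its mismatch branch, or -1 if it never did. */
static int fault_at = -1;

/* "Before": tests each character as it is read, so the first mismatch
   triggers a side effect an outside observer can see. */
int check_leaky(const char *stored, const char *typed) {
    size_t n = strlen(stored), i;
    int ok = (strlen(typed) == n);
    fault_at = -1;
    for (i = 0; typed[i] != '\0'; i++) {
        if (i >= n || typed[i] != stored[i]) {
            if (fault_at < 0)
                fault_at = (int)i;   /* position of first wrong character leaks */
            ok = 0;
        }
    }
    return ok;
}

/* "After": the whole input is already read; every stored byte is folded
   into one accumulator with no branch on the secret's contents. */
int check_fixed(const char *stored, const char *typed) {
    size_t n = strlen(stored), m = strlen(typed), i;
    unsigned char diff = (unsigned char)(n != m);
    fault_at = -1;                   /* no mismatch branch exists to observe */
    for (i = 0; i < n; i++) {
        unsigned char c = (i < m) ? (unsigned char)typed[i] : 0;
        diff |= (unsigned char)(c ^ (unsigned char)stored[i]);
    }
    return diff == 0;
}

int main(void) {
    const char *stored = "tenchars42";   /* constructed sample secret */
    const char *typed  = "tenXXXXXXX";   /* constructed wrong guess */
    int r = check_leaky(stored, typed);
    printf("leaky: result=%d fault_at=%d\n", r, fault_at);
    r = check_fixed(stored, typed);
    printf("fixed: result=%d fault_at=%d\n", r, fault_at);
    return 0;
}
```

With the first check an observer learns how many leading characters were right; with the second the only output is the single accept/reject result.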