Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rochester!pt!ius2.cs.cmu.edu!edw
From: edw@ius2.cs.cmu.edu (Eddie Wyatt)
Newsgroups: misc.headlines,comp.misc
Subject: Re: Re: Hacker Scholarship
Message-ID: <1211@ius2.cs.cmu.edu>
Date: Sun, 21-Jun-87 17:06:20 EDT
Article-I.D.: ius2.1211
Posted: Sun Jun 21 17:06:20 1987
Date-Received: Sun, 5-Jul-87 09:39:38 EDT
References: <532@houxa.UUCP> <183@dana.UUCP>
Organization: Carnegie-Mellon University, CS/RI
Lines: 82
Xref: mnetor misc.headlines:854 comp.misc:793

Mel Hass seems to advocate the philosophy similar to if you don't protect yourself then you deserve what you get. I don't think most people would say that just because you make yourself vulnerable you deserve to become a victim. There are measures one can take to prevent becoming a victim however, and this is the stand I believe Wozniak is taking.

As an example - just because you leave your car unlocked doesn't mean that you are asking someone to steal your car, but also you should realize that the chances of it getting stolen are greater. If you install an alarm system or steering wheel lock then the chances of it getting stolen are less. To install an alarm system, so to speak, in a computer system you must first understand how the thief is breaking the existing security features.

As others have pointed out, the problem of hackers breaking your systems won't go away with a wave of legislation's magic wand. The computer science community should do everything possible to improve security. The first step in this process is to find the loopholes in existing systems. Second, fix these loopholes. And finally incorporate these changes in new systems. This method of course has some practical throw backs, such as in finding loopholes in a system, any other company that owns such a system is now vulnerable if such knowledge is made publicly available.

Let me share three cases of security problems I know of.

case 1.
(Source OS class) Linear password decomposition algorithm.

Two very interesting utilities in a certain unknown OS combined to provide a technique of decoding any password in linear time respective of the length of the password. The utilities were a facility for determining when a page fault occurred in an application program so that the user could finely tune a program's performance and the other happened to be the password utility and the way in which it was coded. The password function read in a character at a time and compared it to the system password. If the given character didn't match, the password function would jump to another place in the program causing a page fault, then continue reading the rest of the password. One can obviously see how the method works. Type in a character, see if there is a page fault. If so, start again with new character else look for next character in password. The fix to the problem is also obvious, that is read the whole password before testing to see if it matches the system password.

case 2. (Source the University I used to attend) Reduced search space algorithm.

At the university I used to attend, they used to issue the initial passwords to the user's birthday. Well, this made a brute force attempt at decoding passwords feasible, I need not say more. The fix here was to initialize the passwords to some 7 digit random number.

case 3. (Source the University I used to attend and a high school near where I lived - 2 different systems)

I don't know what the actual bug in each system was, but I do know of the results. Someone had access to the grade accounts and for a small fee, would change that D or F to a B or A. As I understand this may have been going on for years. At the high school the person that committed the act was caught and was only expelled for a year. At the university, as far as I know no-one was caught for grade changing.
The person that pointed out the problem, by actually committing the act for the administration to see, caught an unreasonable amount of flak and may have had charges brought against him/her.

--
Eddie Wyatt
e-mail: edw@ius2.cs.cmu.edu

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
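
Added example, not part of the original post: the character-at-a-time check from case 1 next to the "read the whole password, then test" fix, in C. The `examined` counter is a constructed stand-in for the page-fault signal, and `PW_MAX`, the function names and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 32  /* assumed fixed buffer width, not from the post */

/* Flawed form: test each character as it arrives and bail out at the first
   mismatch. *examined is a constructed stand-in for the page-fault signal. */
int check_early_exit(const char *guess, const char *secret, size_t *examined)
{
    *examined = 0;
    for (size_t i = 0; ; i++) {
        (*examined)++;
        if (guess[i] != secret[i])
            return 0;               /* work done reveals the mismatch position */
        if (secret[i] == '\0')
            return 1;               /* both strings ended together */
    }
}

/* Fixed form: take in the whole password, then compare every byte of two
   zero-padded buffers with no branch that depends on the secret's content. */
int check_whole(const char *guess, const char *secret, size_t *examined)
{
    unsigned char g[PW_MAX] = {0}, s[PW_MAX] = {0}, diff = 0;
    size_t glen = strlen(guess), slen = strlen(secret);

    *examined = 0;
    if (glen >= PW_MAX || slen >= PW_MAX)
        return 0;                   /* rejected on length alone */
    memcpy(g, guess, glen);
    memcpy(s, secret, slen);
    for (size_t i = 0; i < PW_MAX; i++) {
        diff |= (unsigned char)(g[i] ^ s[i]);
        (*examined)++;
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "secret";  /* constructed sample values */
    const char *guesses[] = { "xecret", "sexret", "secret" };
    size_t a, b;

    for (int i = 0; i < 3; i++) {
        int r1 = check_early_exit(guesses[i], secret, &a);
        int r2 = check_whole(guesses[i], secret, &b);
        printf("%-7s early-exit: ok=%d examined=%zu | whole: ok=%d examined=%zu\n",
               guesses[i], r1, a, r2, b);
    }
    return 0;
}
```

With the early-exit check the amount of work tracks the length of the correct prefix; with the whole-password check it is the same for every guess.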