Path: utzoo!mnetor!lsuc!dave
From: dave@lsuc.uucp (David Sherman)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <1987Dec14.235717.5565@lsuc.uucp>
Date: 15 Dec 87 04:57:14 GMT
References: <459@gtx.com> <4810@spool.wisc.edu>
Reply-To: dave@lsuc.UUCP (David Sherman)
Organization: Law Society of Upper Canada, Toronto
Lines: 22
Summary: I've done it (password grabbing)

It's certainly not a myth.  Back in my, um, pre-lawyer
days I did a number of things on UNIX systems along the
lines of setting up a fake login to grab passwords, modifying
the real login to grab passwords, etc.  (People who
were around U of Toronto years ago may remember some of
my, um, exploits.)  Of course, at the time such actions
weren't offences under the Criminal Code, as they are now.

One particular incident which got some people upset (it's
OK, Geoff, it's been long enough now, hasn't it?) was my
keeping a buried ".." directory with a setUID-root shell
on a system, using that to modify login to grab the password
of a sysadmin, confirming it was the same password on another,
"secure", system, and using his GID to modify a 664 crontab
and become root...

David Sherman (reformed now, honest!)
The Law Society of Upper Canada
Toronto
-- 
{ uunet!mnetor  pyramid!utai  decvax!utcsri  ihnp4!utzoo } !lsuc!dave
Pronounce it ell-ess-you-see, please...