Path: sparky!uunet!ogicse!reed!nelson
From: nelson@reed.edu (Nelson Minar)
Newsgroups: comp.security.misc
Subject: Re: unhappy about overloading finger
Message-ID: <1992Jul23.032058.3292@reed.edu>
Date: 23 Jul 92 03:20:58 GMT
Article-I.D.: reed.1992Jul23.032058.3292
References: <ggm.711690458@brolga> <199207230140.AA18677@fnord.wang.com>
Organization: Reed College, Portland, OR
Lines: 32

In article <199207230140.AA18677@fnord.wang.com> fitz@wang.com (Tom Fitzgerald) writes:
>The advantages of finger to crackers is it lets them find login names,
>identify accounts that haven't been used for a while, and get the human
>name for the account so they can try looking up spousal names and such in
>the phone book, as potential passwords.

I think the "spousal name" thing is apocryphal, at least in the case
of UNIX machines on the Internet. It looked great on Wargames, and it
might work for your friend Joe, but if I'm hacking blegga.cac.washington.edu
I'm not going to go to a Seattle phonebook.

A far more common way for accounts to be cracked is for someone to
steal your YP password file (not too hard to do if you're running yp
and are on the internet) and run a fine cracking tool like Crack 4.1
with a fast crypt().

How do you, as a sysadmin, prevent this? Crack your password file
yourself. Don't let users have crackable passwords.

If you want to be butch try to fix yp, or use a shadow scheme that
works. That's a lot of trouble, and the best you'll probably do is
security through obscurity.

>I'm wondering what to do about the person who ran "finger
>*@das.wang.com" from an outside site today. Anybody know if there
>are finger daemons that screw up on user "*"?

Dunno, but Ultrix finger joyfully screws up on user "@". Try "finger
@@some.ultrix.machine.army.mil" - it's quite fun.
--
__
nelson@reed.edu \/ Before the cream sits out too long, you must whip it

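The proactive audit the post recommends (crack your own password file before someone else does), written here as an added example that is not part of the original post or of Crack: it parses passwd/YP-style lines, skips NIS "+" and locked entries, flags empty password fields, and tries wordlist and account-derived guesses with the simple mutations a Crack rule set applies. Assumptions: `stand_in_hash` is a constructed salted SHA-256 standing in for crypt(3), and the passwd lines and wordlist are constructed sample data.

```python
import hashlib

def stand_in_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3) (assumption): salted SHA-256 as "$x$<salt>$<hex>"."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$x${salt}${digest}"

def candidates(user: str, gecos: str, wordlist):
    """Crack-style guesses: wordlist plus account-derived words, each with simple mutations."""
    seeds = [user] + gecos.replace(",", " ").split() + list(wordlist)
    seen = set()
    for w in seeds:
        for guess in (w, w.lower(), w.capitalize(), w + "1", w[::-1]):
            if guess not in seen:
                seen.add(guess)
                yield guess

def audit_passwd(lines, wordlist, hashfn=stand_in_hash):
    """Return {user: finding} for every account a dictionary run would break."""
    findings = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("+"):   # malformed or NIS '+' entry
            continue
        user, hashed, gecos = fields[0], fields[1], fields[4]
        if hashed == "":                         # no password at all: worst case
            findings[user] = "EMPTY PASSWORD"
            continue
        if hashed[0] in "*!":                    # locked account, nothing to guess
            continue
        parts = hashed.split("$")                # "$x$salt$hex" -> salt; else 2-char DES salt
        salt = parts[2] if len(parts) >= 4 else hashed[:2]
        for guess in candidates(user, gecos, wordlist):
            if hashfn(salt, guess) == hashed:
                findings[user] = f"guessed: {guess!r}"
                break
    return findings

# Constructed sample: passwd-style lines and a tiny wordlist (not real data).
SAMPLE_WORDS = ["secret", "reed", "password"]
SAMPLE_PASSWD = [
    f"nelson:{stand_in_hash('ab', 'Nelson1')}:101:10:Nelson Minar:/u/nelson:/bin/csh",
    f"tom:{stand_in_hash('cd', 'secret')}:102:10:Tom Fitzgerald:/u/tom:/bin/sh",
    "guest::103:20:Guest account:/u/guest:/bin/sh",
    f"alice:{stand_in_hash('ef', 'x7!Qp9#kL2')}:104:10:Alice:/u/alice:/bin/sh",
    "daemon:*:1:1:daemon:/:/bin/false",
    "+:*:0:0:::",
]
if __name__ == "__main__":
    for user, why in audit_passwd(SAMPLE_PASSWD, SAMPLE_WORDS).items():
        print(f"{user}: {why}")
```

The two findings worth acting on first are the empty field and the password derived from the GECOS name; a real run would swap `stand_in_hash` for a crypt(3) binding and a full wordlist.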