=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= = F.U.C.K. - Fucked Up College Kids - Born Jan. 24th, 1993 - F.U.C.K. = =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Security is Obscure ~~~~~~~~~~~~~~~~~~~ "Obscure (adj.): [...] 4. Not famous or well-known. 5. Difficult to understand." -- _The American Heritage Dictionary_, 2nd ed., 1983. Okay, so it's an old dictionary. But the meaning of the word "obscure" really hasn't changed much in the last decade. I wanted to write this file as a word of encouragement to beginning hackers who think everything has already been done and security everywhere is tighter than the pope's ass (but not the alterboy's, ha ha). I intend to illustrate the base ignorance of many system administrators who know less about unix than the average hobo does. Security is obscure in the sense of the first meaning I quoted; most *.edu systems have admins who haven't got the slightest clue as to how they can secure their system, as well as letting their users (recall that the weakest link in any "secure" system is usually the people who use it) choose poor passwords. Thus, if Joe Admin sets up a system and restricts access to dial-up and computer labs, Joe Hacker will still be able to get in using Joe User's password ("sex") and a modem. One case I wanted to mention specifically in this file happened over the course of the past few weeks. I requested and received a copy of an unnamed school's passwd file from an unnamed source (you know who you are. Thanks again!) after he told me that it was unshadowed and world readable. I ran jack on it using a few wordlists before I found out that the passwd binary forced users to use non-dictionary passwords. Then, because I was bored and needed to brush up on my C knowledge (very little, actually), I whipped up a program to output all possible 8-character printable password combinations. After some quick calculations, I discovered that I would need at least 6,500 9-gig Seagate drives and several decades to store all the combinations and use them with jack. Discouraged, I dropped the matter for a while. Then a co-worker asked me to step her through the "reading email" process on her account, which happened to be on the system in question. An account she had never used. One with the default password still in place. I helped her log in and incidentally discovered that default student passwords on this particular system were the first 8 digits of the social security number. I also found that the .login script *didn't force first-time users to change their password*! I guided her through the "changing your password" stage and was astounded to find that this poor-security system forced users to use non-dictionary passwords but wasn't set up to force an initial password change. I let it sit for about a week before I got around to modifying my program to output combinations of 8-digit numeric combinations. After further trimming it down to output only the combinations beginning with 521, 522, 523, 524, and 525 (CO-issued SSNs) (the "full" output would take about 110 megs), I had a 5-meg wordlist file that has netted me over 60 accounts from this system. These accounts were snagged over a total period of about 10 hours or so, and I used my very limited SSN list. Imagine how many I would have if I used the "full" SSN output and gave jack a few weeks. The second definition of "obscurity" that I quoted does not seem to apply at first; most people who work with computers have some understanding of security, and admins should be especially aware of security issues. Yet I have found and continue to find just the opposite, nearly every day. This is why you should use PGP and SSH; why should you trust your admin to secure his system? If you have faith in his sysadmin skills but I have reason to believe otherwise, then you'll be the one who loses when I start hanging out in your home directory. As an addendum to this file, I'm including "Things overheard while scanning cell frequencies". I started it as a separate file, but I don't have nearly enough: "Oh shit, I just ran a red light." "People can listen to cellular conversations with one of them hand-held walkie-talkies." -Legion =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= = Questions, Comments, Bitches, Ideas, Rants, Death Threats, Submissions = = Mail: jericho@dimensional.com (Mail is welcomed) = =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= = To receive new issues through mail, mail jericho@dimensional.com with = = "subscribe fuck". If you do not have FTP access and would like back = = issues, send a list of any missing issues and they will be mailed. = =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= = Files through AnonFTP FTP.DIMENSIONAL.COM/users/jericho/FUCK = = FTP.SEKURITY.ORG/pub/zines/fucked.up.college.kids = = FTP.PRISM.NET/pub/users/mercuri/zines/fuck = = FTP.WINTERNET.COM/users/craigb/fuck = = FTP.GIGA.OR.AT/pub/hackers/zines/FUCK = = ETEXT.ARCHIVE.UMICH.EDU/pub/Zines/FUCK = = Files through WWW: http://www.dimensional.com/~jericho = = http://www.prism.net/zineworld/fuck/ = =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= = (c) Copyright. All files copyright by the original author. = =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=