Re: [ADMIN]Firewalls....

From: Richard McKay (rmckay@execpc.com)
Date: 09/19/96


At 07:10 PM 9/18/96 -0400, you wrote:
>> and UNIX passwords are _IMPOSSIBLE_ to crack. (I know, you have heard the same
>> bullshit I have about someone claiming they can crack them). A person would
>> have a greater chance guessing a passwd than cracking it. (not the same BTW)
>
>You HAVE to be joking. Ever heard of the program Crack, freely available
>anywhere on the internet? Take your /etc/passwd file and run it under
>crack one time my friend. Where I work we have 3000 users. Dude, it broke
>300 passwords. We've since moved to shadow passwords, and randomly chosen
>garbage passwords, but still.
>
>Uncrackable? I think not.

I have crack.  As a sys admin, I have to look out for possible security
breaches.  Since my posting of my original message to the circle list, I
have migrated to Solaris 2.5 (SunOS 5.5.1) on all boxes talking to the
Internet and that will be running the mud code.  Solaris by nature uses
password shadowing.  What's to say the new generation of crack won't use a
combination of the /etc/passwd and /etc/shadow files?  This would not be very
difficult.  I'm not even going to go into the security arena.  That thread
would last a long time.

>> Of course, if some asshole uses a password that is in any language dictionary,
>> you can't do anything about that. I require 8 char passwd's with at least
>> 2 numbers, 2 upper case letters, and one shift key (excluding & % @). I then
>> run a 4 hr dic-o-cracker (simply runs through dictionaries and nickname files
>> trying to guess the passwd)
>
>> I would say you have nothing to worry about.
>
>As long as the mud code has no backdoors put into it by a malicious coder
>you hire, and that you don't start the mud in /etc/rc.local where it starts
>as root, thus giving any backdoor root access to your whole computer's files
>........

All programmers are trusted friends and the mud is run by a limited user
named mudbot.  I do not run too much from the /etc/rc.d/<startup files> area.
This is a bad thing for Internet computers.  The CERN httpd daemon is run by
its own user and the mud will be run by its own user (as stated earlier).

>Nothing is totally secure and nothing to worry about. However, yes Circle
>is good code, no backdoors in the distributed version.
>

Thanks for all your input on this!  Happy Mudding!

Later,
Richard W. McKay - rmckay@execpc.com
**** SYSTEM FAILURE!
cpu panic
Segmentation fault (core dumped)
Dumping 15985 pages to disk at offset 0x2fff
Automatic reboot in progress...
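The dictionary attack and the password rule argued over in this message, as an added example that is not part of the original post and not the Crack program's code. It assumes a salted SHA-256 stand-in for the crypt(3) hashes a 1996 /etc/passwd actually held (chosen so the script runs on current Python, which has dropped the `crypt` module), a constructed passwd file with made-up users and salts, and a guessed set of "shift key" symbols for the quoted 8-character rule. The cracking logic itself is what Crack does: parse each entry, skip anything shadowed, mangle wordlist entries, hash each candidate under each salt and compare.

```python
import hashlib

# Stand-in for crypt(3).  Crack attacks the DES-based crypt() hashes that
# sat in field 2 of a 1996 /etc/passwd; this example uses salted SHA-256
# instead (an assumption made so it runs on any Python, including 3.13+,
# which dropped the `crypt` module).  The attack logic is unchanged.
def hash_password(salt: str, password: str) -> str:
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def parse_passwd(text: str):
    """Yield (user, salt, stored_hash) for every entry that still carries a hash.

    Entries whose password field is "x", "*", "!" or empty are shadowed or
    locked, so a world-readable /etc/passwd gives an attacker nothing for them.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, stored = fields[0], fields[1]
        if stored in ("", "x", "*", "!"):
            continue
        salt = stored.split("$", 1)[0]
        yield user, salt, stored


def candidates(words):
    """Crack-style mangling: case changes, reversal, appended digits."""
    for word in words:
        for variant in {word, word.capitalize(), word.upper(), word[::-1]}:
            yield variant
            for n in range(100):
                yield f"{variant}{n}"
                yield f"{variant}{n:02d}"


def crack(passwd_text: str, wordlist) -> dict:
    """Return {user: cleartext} for every stored hash matched by a candidate."""
    # Group targets by salt so each candidate is hashed once per salt, not once per user.
    by_salt = {}
    for user, salt, stored in parse_passwd(passwd_text):
        by_salt.setdefault(salt, {})[stored] = user
    found = {}
    for cand in candidates(wordlist):
        for salt, table in by_salt.items():
            user = table.get(hash_password(salt, cand))
            if user is not None:
                found[user] = cand
    return found


# The poster's rule: 8 characters with at least 2 digits, 2 upper-case letters
# and one shift-key symbol.  Which symbols count is an assumption here; & % @
# are left out because the message excludes them.
SHIFT_SYMBOLS = set("!#$^*()_+")

def meets_policy(password: str) -> bool:
    return (len(password) >= 8
            and sum(c.isdigit() for c in password) >= 2
            and sum(c.isupper() for c in password) >= 2
            and any(c in SHIFT_SYMBOLS for c in password))


# Constructed sample data, not taken from any real system.
DICTIONARY = ["dragon", "wizard", "circle", "mudbot", "secret", "sunos"]

def sample_passwd() -> str:
    """A constructed /etc/passwd: three hashes still in field 2, one shadowed entry."""
    rows = [
        ("alice", "ab", "dragon"),    # plain dictionary word
        ("bob",   "cd", "Wizard42"),  # capitalised word + digits: a mangling rule gets it
        ("carol", "ef", "Q7v!R2kz"),  # random and policy-conforming: survives the wordlist
    ]
    lines = [f"{u}:{hash_password(s, p)}:{1001 + i}:100:{u}:/home/{u}:/bin/sh"
             for i, (u, s, p) in enumerate(rows)]
    lines.append("dave:x:1004:100:dave:/home/dave:/bin/sh")  # shadowed: skipped
    return "\n".join(lines)


if __name__ == "__main__":
    for user, cleartext in crack(sample_passwd(), DICTIONARY).items():
        print(f"{user}: {cleartext!r} (policy ok: {meets_policy(cleartext)})")
```

Two things the run makes visible: the entries that fall are exactly the ones the quoted policy would have rejected, and the shadowed `dave` line contributes nothing because the hash is simply not in the readable file, which is the point of moving to /etc/shadow. A real Crack run differs in scale, not in kind: larger rule sets, nickname files, and the much slower DES crypt() that bounded how many guesses four hours could buy in 1996.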

+-----------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
|   http://cspo.queensu.ca/~fletcher/Circle/list_faq.html   |
+-----------------------------------------------------------+



This archive was generated by hypermail 2b30 : 12/18/00 PST