NETCOM News

I'm curious Karl. How bad is this?

--
NEW ADDRESS: tw...@ccnet.com

tw...@ccnet.com tw...@tweekco.ness.com WW4Net-1@11551 DoD #MCMLX N6QYA
**** Regarding the Internet><WWIVNet gateway and other assorted stuff: ****
http://io.com/user/tweek/homepage.html tw...@io.com IM: Michael D. Maxfield

I can steal any password file (including the encrypted password, natch,
which are the entire point) served over NIS in about 30 seconds. At worst
I need a login account on the system I want to compromise. At best I can
do it remotely using ypx.

Then its just a session with Crack to find out whether or not I can manage
to get in. With the number of accounts Netcom has it should be trivial to
find a few hundred you can break into.

Anyone running NIS on a machine accessible from the Internet is, IMHO, an
absolute idiot.

There are versions of NIS (such as NIS+ which is shipped with Solaris) which
are more secure, but the majority of that may just be that it is new and the
hackers haven't gotten around to finding the holes yet.

Straight NIS is, from a security perspective, a joke.

--
--
Karl Denninger (ka...@MCS.Net)| MCSNet - The Finest Internet Connectivity
Modem: [+1 312 248-0900] | (shell, PPP, SLIP, leased) in Chicagoland
Voice: [+1 312 248-8649] | 6 POPs throughout the area, all 28.8 equipped
Fax: [+1 312 248-9865] | Email to "in...@mcs.net" for more information
ISDN: Surf at Smokin' Speed | WWW: http://www.mcs.net, gopher: gopher.mcs.net

By any, do you mean to include the shadow password file? Maybe they
are just using buzzwords instead of communicating what they actually
mean, but it sure doesn't make me feel secure there...

Well, I hope that Bruce was just spouting off without thinking...???

NEW ADDRESS: tw...@ccnet.com
--
tw...@io.com tw...@tweekco.ness.com WW4Net-1@11551 DoD #MCMLX N6QYA

http://io.com/user/tweek/homepage.html IM: Michael D. Maxfield

Yes. NIS by itself does not support shadow password files. You need to
understand how this works to see where the problems lie; NIS is an RPC
mechanism for retrieving password (and other) records, which happen to
include the encrypted password in the proper place!

NIS was *never* intended to be secure. It was intended to be used in a
relatively non-hostile environment where one could at least trust the other
users on the local network.

There is a "secure" varient of this which uses DES encryption, but the
problem is the root keys - they are stored on the disk. So if you hack
root on one machine, you're hosed again. This limitation makes for some
severe problems in an Internet environment.

We designed our own network password system due to exactly these reasons.
Running NIS on the Internet is, IMHO, asking to be hacked.

He wasn't. Attempting to crack passwords as a company to discover weak
ones is just about your *only* defense against a hacker doing the same
in a straight NIS environment.

Well, I'm glad everyone is speculating about this, but without any facts.
Karl, did you try your ypx hack? Did it work? No? Hmm, that's too bad.

Netcom does run NIS, but with SunOS C2 shadow password security, and a few
other modifications. It's still possibly subject to some as-yet-unknown
NIS/RPC holes, but then I didn't choose NIS in the first place.

Bruce

--
Bruce Sterling Woodcock --- Systems Analyst / Admin --- ster...@netcom.com
The views and opinions expressed in this post | Power is being able
are not necessarily those of my employer, | to sneak into your
NETCOM On-line Communication Services. | house over a wire.

Yes, yes, I said I might need an account on Netcom.

And why would I want to do something which is, in fact, breaking the law?

Now, if you want to press this issue, I could always toss the gauntlet down
in front of you. Put some specifics to the challenge, as it were, and see
what you think.

SunOS C2 security is not really rated "C2" if you use NIS. I have extensive
experience with this "security" system; I designed AC Nielsen's Internet
firewall and campus Unix security system a few years ago using these specific
tools. Their firewall system still runs the C2 code, but NOT using NIS.
I wasn't quite that insane.

Then again, Nielsen had real no-bullshit corporate data behind their
firewall and couldn't afford to be hacked. Among other things, if they got
hacked it would have been the end of my job. After all, I *did* tell them
I could put them (and keep them) safely on the net. That was part of my
job responsibility.

"Secure" NIS isn't. You and I both know this, and you also know (if you're
really as good an admin as some people make you out to be) that nobody in
their right mind runs NIS on an Internet accessible site.

As further proof, if you REALLY are so sure Netcom's password file is safe,
why are you busily trying to crack user's passwords? Without the encrypted
string to check against the "crackability" of a password IS OF NO VALUE TO A
CRACKER. You and I both know this to be true, Bruce.

So why are you doing it?

The fact that Netcom is now checking for "guessable" passwords means only
one thing to me -- that the encrypted strings are NOT considered secure by
the company. Why don't you just admit the truth and get on with life?

1) Nothing is absolute.
2) Even assuming that the encrypted passwords were 150% secure,
viewable only by those that should, someone could always try some
really stupid ones via login. Sure there's all kinds of logs and
possibly an account lock out, but if:
login: root
password: secret
works, then to paraphase Blazing Saddles, "WE DON'T NEED NO STEENKIN'
ENCRYPTED PASSWORDS."

--
Cameron Perkins - Lunatic, Visionary, and Future Student at Georgia Tech
<wa...@gate.net>

Fine, Karl. I will give you an account at Netcom and allow you to "break
the law" to demonstrate it to me. Are you game?

There ya go.

Yawn. Same old bullshit argument... "I'm right, and the fact that you
don't agree with me only further shows that I *must* be right, because
that means your stupid!" Now, I'm not a fan of NIS, Karl. And I'm not
saying it's foolproof. Nothing is. But I am saying that I don't think
you can access those shadow passwords via any currenly known NIS hole,
especially using the likes of ypx, ypsnarf, and whatever other WaReZ
programs you want to use.

Okay, now it's my turn to play superior sysadmin. If you truly think that
having a good password is not necessary if the encrypted fields are
inaccessible, then you have truly learned very little about security indeed.
I suggest you spend some time away from the literature of theorists and
spend some time in the real world.

And there are dozens of other possible explanations. Perhaps the password
file is safe, but wasn't safe in the past due to some old NIS hole. Or
perhaps root access was gained at some point, and thus while NIS is just
fine, the password file was obtained through other means. Be honest, Karl...
you really *don't know* do you? You're making guesses, and hypothetical
accusations, but you really *don't know* the truth. And thus, you could be
wrong. And thus, you should stop commenting on things you really don't
know enough about to make a good judgement... okay?

This actually does bring up a good question. Whether or not we would say
something if we did have a breakin isn't up to me. But I ask you, Karl...
if root was compromised on some of your systems, or security of passwords
breached in some way, *would* you tell your customers? What if doing so
meant you would lose money? What if your stockholders told you not to
tell them, because *they* didn't want to lose money? You said before you
do what's best for them, and what if that meant sacrificing honesty? I
guess this isn't really that much of an ethical dillema for you at all...
after all, you did it for net99....

> If you truly think that having a good password is not necessary if the

I have nothing of substance to contribute, but I can point out that the
paraphrase is inaccurate. K did not say a good password is not needed.
K clearly wants to get one. What K indicates is that the only good way
to crack them is to make guesses, encrypt the guesses, and compare the
results against a known encrypted password. Any other technique, such as
repeated logins, either takes too long or gets you caught. No expert I,
farbeit from me to endorse this information, but my reading comprehension
is fairly reliable.
--
-Z-
ntionally left blank. This signature intentionally left blank. This s
ignature intentionally left bank. This signature intentionally west ba

If he believes that, then he is wrong. It is also a logical conclusion
that if he believes that, he therefore doesn't see the need in having a
good password, since no one would attempt to break it because it would take
too long, or they would get caught. And if he truly thinks that, then he
has truly learned very little about security indeed.

> If he believes that, then he is wrong. It is also a logical conclusion

Polly wanna cracker? Bruce, you must be short on sleep. "Truly learned
very little [blah blah]" is very low on information content. The only
logical conclusion is that he believes that the encrypted passwords CAN
be obtained. If you simply argue that they cannot, it is meaningless to
conclude anything else from following his line of reasoning.

Now Bruce... Karl... be nice... Let's not start up another flame war
like the Karl/Ross one that just won't seem to die... and then have
j...@mcs.com start calling everyone a pedophile to spice things up.

--
"Mum's the word" - Justin Petersen || cc: Kennie G. McGuire, SA, FBI, LA CA
"Did you use SAS?" - Terry Atchley || Kathleen "Hottub" Carson, SA, FBI
"I am not a crook" - Richard Nixon || Behave - or I'll tell Janet Reno!

Karl, once again I want to apologize on Bruce's behalf. I didn't realize
he had made this post. Bruce - I suggest you stop harassing Karl unless
you want him to cut off Netcom's packets. Karl - please rest assured
that Bruce was not trying to associate any of your misdeeds with the
operation of Net99. Now, alias each other's systems, and move on...

Hello? McFly? Is there anyone in there? Are you reading the same posts
I am?

password IS OF NO VALUE TO A CRACKER. Therefore, if an encrypted string
is secure, it takes too long to guess a weak password, or you'll get caught
doing it. So no matter what the password is (i.e. "password"), it's
secure so longs as the encrypted string is secure. Therefore, there is
no need to attempt to "crack" such a password for security reasons, unless
your encrypted strings are *not* secure.

And I say:

Therefore, you are an idiot. You truly have learned very little about
security indeed.

Please, Mike, don't enter into this discussion unless you can follow the
logic involved. Karl understands my points; he just doesn't agree with
them.

Btw, as a hint, SunOS PatchID #100482-05 implements access control lists
on your NIS servers.

NIS *is* evil, but it's not necessarily a big gaping hole waiting for a
truck to be driven through it.

Deliver to me the following:
A notarized and signed statement from the President of the company
authorizing me to (1) break in if I can, and (2) format the disks
if I succeed. Include a standard shell login ID and password
valid for the next year.

Either I fail, in which case I will publically admit same, and you're
right, or I succeed, in which case everyone knows in a few minutes of the
time that I manage to do so. This'll get my "free time" budget, as I'm a
busy guy and aren't going to take time from my primary duties to enjoy
myself in this fashion.

You like high stakes poker, eh? How's this Bruce?

Remember, if I get root via *any* means I win -- because I can then write a
10 line "C" program to get the passwords. "ypx" doesn't have to enter into
the equation here.

See above.

Yeah, right. The most common "easily guessed" passwords will not be found
by a dictionary search. Besides, if your login program is reasonably
intelligent it takes steps to prevent this kind of "guess the password"
game. BSD's, for example, stock out of the box, starts doing an
exponential delay when you miss three times. The fourth time waits 2
seconds, the 5th 4, the sixth 8, etc, and you start getting logged on
top of i. You can't guess many times in this environment without setting
off the alarms.

If my password is "biteme" that only helps you if you *know* what it is.
If you want to guess then you can go ahead, but no password checker in the
world is going to save you much. You're dealing with single-digit
percentage improvements here.

Ah, but instead of forcing everyone to change their password (oops - I
forgot that aging is BROKEN in SunOS if you're running NIS, I guess that's
not an option) you try to crack them? Why Bruce?

Doesn't matter. Hacked is hacked right?

I have been told in email by a number of people the last few days that
Netcom's root is *still* compromised. Hell, there's a goddamn mailing list
out there on your security problems! Now I can't *prove* that you're
compromised without breaking in myself and testing the theorem, but I do
know where to look to see if the traces are still around.

Accusations? Nope. NIS is not secure enough for *my* taste on ANY
Internet connected site. Period. That's not a guess or an accusation.
Its a statement of fact. I understand how it works, which is enough for
me to make an analysis. You can believe that it is secure, or you can
really not believe it and say it is for political reasons. That's your
call. I am honest enough to say "no damn way" on my hardware.

Sorry, Bruce, but my professional opinion as a security analyst is that
NIS is NOT SUITABLE for serving passwords on any Internet connected site.
Period.

NIS+, as shipped with Solaris, is not well-enough understood by me at this
time to have an opinion which I am willing to stake my reputation on.

Yep. We have had people's passwords sniffed, and have notified them. We
had people try the "write a .rhosts file" game on people's accounts that
they had unwittingly opened up to be world-writable. That one didn't work,
becuase we don't honor "+" in .rhosts files. So what? We lock down the
account, call the customer, tell them what happened, suggest strongly that
they change their password from a direct dial-in immediately, and take it
from there. Its called being responsive to our customer base.

What if not doing so and being caught as a liar later meant I would lose
more money?

Ah, now we get to the rub, don't we?

Heh, I'll never say that any system, other than one in a faraday cage
running on batteries with an armed guard outside the door, is completely
secure. I'm not stupid. If we get hacked, then we get hacked. You find
the reason, tell the affected people, and fix it. Has happened before to
systems under my control, and people have gone to *prison* as a result.
I make a hobby of catching assholes who like to break into systems, and set
all kinds of traps for them to trip over and fall into.

Did what for Net99? More innuendo Bruce?

Does this 'exponential delay' thingy work for ftp as well?

(followups redirected to comp.security.unix)

RA

ro...@ccs.neu.edu (Rogue Agent/SoD!/TOS/KoX/ACT Kha Khan) - pgp key on request
------------------------------------------------------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

I have no such evidence, and I said that I can't prove anything. I am not
on the named mailing list, but I have been told of its existance and where
it is. And no, I am not interested in being on it, or in hacking other
systems, including Netcom. In fact, I deleted the mail sent to me
regarding same.

That doesn't change the fact that I *did* receive mail from one of the
people purporting to have such information, or that they claimed that root
was compromised. As I said, the veracity of that is unknown, but I did
give the sender a couple of things to look at to verify whether or not
there really was a problem.

And yes, the mail making the claim did come from a Netcom account.

>If you have serious concerns, I strongly suggest you take it to private
>email. Bruce, allow me to extend the same suggestion to you; I mean
>this in a friendly way in both cases. Cause frankly, I don't think
>public mud-battles do anyone involved any good.

I've tried to talk to Netcom's NOC on multiple occasions, and frequently get
either bad answers or no answers. My last request, for them to look up a
sendmail ID of a forged message sent to some of our subscribers, drew TWO
responses:

1) One correctly identifying the source of the message. We are now
chasing this through the real source (which, not surprisingly, is
nih.gov, a source of lots of trouble in the past).

2) A second, sent this AM, claiming that the source was *MCSNET* even
though the message ID was CLEARLY from Netcom's systems. The second
response was from the generic "NOC" account and the sender was
not identified clearly enough to be able to tell who it was.

This says to me, in plain english, that at least one of their technical staff
is incompetent as hell -- the header was staring this guy RIGHT IN THE FACE
when he replied to me.

>--
>Bryant Durrell dur...@netcom.com
>------------------------------------------------------------------------------
> ABSCOND, v.i. To "move in a mysterious way," commonly with the property of
> another. -- Ambrose Bierce

---------

From netcom.com!durrell Tue Dec 27 12:23:04 1994
Return-Path: <dur...@netcom.com>
Received: by mercury.mcs.com (/\==/\ Smail3.1.28.1 #28.5)
id <m0rMgY3...@mercury.mcs.com>; Tue, 27 Dec 94 12:23 CST
Received: by netcom20.netcom.com (8.6.9/Netcom)
id KAA26915; Tue, 27 Dec 1994 10:22:29 -0800
Date: Tue, 27 Dec 1994 10:22:29 -0800
From: dur...@netcom.com (Bryant Durrell)
Message-Id: <1994122718...@netcom20.netcom.com>
To: sheep-...@pft.com
Subject: One-Time
Status: OR

Just to prove it. <wry grin>

-- Bryant

--------

Is mail forgery a violation of your user agreement with Netcom?

> Without the encrypted string to check against the "crackability" of a

That's what I said. I agree with you that the conclusion doesn't follow,
and furthermore, it's wrong. The facts presented so far aren't enough to
say whether or not the encrypted passwords are easily obtained.

And I say: that's not information. If all you mean is, easy passwords
are likely to be guessed and used by someone else, that's trivial. I'd
hope you could get KD to agree to that. What he wants to talk about is,
what a pro could do systematically. I agree with you that that isn't the
only legitimate concern.

Sure. I'm gone. As I said, I don't have enough background to add to the
discussion. No, I've had no trouble with the logic. We have unsupported
claims on one side, and ad hominem attacks on the other. What could be
simpler than that?

Unlike what you've said before, that is informative. My point is, what
you know but cannot divulge, is of no real help to you in an argument.

I'm happy that Netcom is trying to crack weak passwords and encouraging
its customers to protect themselves. Even if they have no private data,
their account is, in effect, their *identity*. I'd be surprised if my
password were cracked (it could be sniffed, of course). I'd be annoyed
at Netcom for the inconvenience if they locked my account. I'd still
rather learn a lesson from my ISP than from a criminal.

Wait a sec, why the HELL are you sending mail to NOC regarding forged messages?

Yep. Karl says exactly what you quoted.

My password can be "X", and unless you have some REASON to try "X" you will
NEVER guess it.

Now it is true that you *should* use a relatively long password, just to
eliminate people trying letters of the alphabet. So we require at least
four characters. Some people require 6.

Now start with "a" and get to "zzzz". Just alpha, mind you. And try this
*without* encrypted strings to check against. While you're at it, do so in
a fashion that doesn't set off my "hack attack" alarm due to too many
invalid login attempts.

Good luck. I'll see you in prison. If you even get off a small fraction of
the 456,976 attempts required, and that just includes the lower case alpha
character set, you'll be caught. End of discussion and theory.

As a hint, it is *far* better for a person to use a password they can
*remember* than a random string that they have the write down. The
second leaves open all kinds of possibilities for game playing.

Doesn't matter; if I'm on your system when I make the request then I'm a
valid machine in the ACL and the request will be served.

All the ACL patch does is prevent me from running YPX *here*.

Thank you Bruce. You admit its evil, eh? So why run it at all?

<boggle>

If you have serious concerns, I strongly suggest you take it to private

--

Because our SMTP daemon identified the source of the connection as Netcom,
and therefore, Netcom knows the next hop (or it was the site which originated
the message itself).

Therefore, you contact the NOC asking them to look at the logs and determine
where the message came from, and please tell you so you can chase the
responsible party(s).

Hell is for those who believe in it. Frankly, I think its firmly rooted
behind the technical support desk of a company in California :-)

Pretty good, but no dice. I can authorize you an account and an attempt
to get encrypted passwords, but not to "break root" or do anything as root.
Also, the President doesn't authorize this... I do. It's nice to work in
a progressive company. :)

Welp, sorry, that wasn't the deal. You said you could get the passwords
via NIS security problems. Any who has root on a machine can get them.
So your job is to live up to your word of getting the encrypted passwords...
not get root. Two very different thinks, there.

Then you're using the wrong dictionary.

You are naive if you think this is both A) The only method for testing,
and B) too slow/annoying/dangerous for crackers to use.

One account is enough when you're talking an alt.2600 spam...

The details of system administration on a site you know nothing about
should be beyond your scrutiny, Karl. There are reasons, just as I in turn
accept there are reasons MCS is doing primary DNS for some NET99 customers.

Wrong. Certain kinds of hacking may not mean that the encrypted passwords
are currently compromised, which was your assertion. I am pleased that you
are retracting that now.

Ooooh. And that constitutes proof?

Fine. This is your opinion. However, you stated as fact that this meant
you could gain access via the encrypted fields either remotely, or if you
had an account on the system, due to NIS security flaws. You didn't state
this as "Hypothetically, given what I know of NIS, there probably *is* such
a hole... NIS is really ugly and problematical like that" but rather as a
definite fact. So now, either put your money where your mouth is, or admit
that you know of no such security hole, and merely suspect them. Hell, I
suspect them myself... I hate NIS. But your specfic accusations in this case
are totally unfounded.

I think this is the right approach to take. I agree with you totally.

Great! What I'm asking, tho, is what if your *stockholders* disagree...
what if they say, "Karl, you can't admit to a breakin because the stock
will go down and we'll lose money... all of our customers will flee to
more secure competitors. I know, *you* think that's not the case and we
are better off being honest, but *we* feel otherwise."? What do you do
then? Do you go ahead and go against the stockholder wishes, or do you
concede? What if in doing so you turn out you were wrong, and you *do*
lose a large chunk of money over a security incident. Do you then resign?

I'm not trying to imply anything bad here. Just in the past, you seemed
to indicate you would do what the stockholders wanted, even if the action
was unpopular with some customers. Now you seem to be favoring the customers
over the stockholders. I'm trying to determine if you really have a hard
and fast rule, or if the lines get blurry at some point.

Didn't you claim Net99 was a multi-peering, multiply-connected backbone
when in fact it was only connected via MAE-East, and then quietly hushed
up when people fouund that out? I know that Net99 has such a backbone as
it's *goal* (it might even be there now; I haven't kept track) but certainly
it was *not* such a backbone when you were making claims that it *was*...

I agree 100%. The last three or four times I've tried to contact Netcom
about security matters, their "NOC" hasn't been bothered to answer the
telephone. First it's rung busy for a Long Time, and then it's rung -- just
rung -- for a long time.

Nice bunch of lazy incompetent administrators you've got there, Bruce.

What I particularly like is that they don't answer email sent to either
sup...@netcom.com or ro...@netcom.com, when you *do* actually get them on
the telephone they just tell you to send mail to sup...@netcom.com -- and
never have an answer when you tell them that you're calling because they
ignored your email -- and that when, with a reasonably urgent problem,
despairing of ever getting an answer from their ring-ring-ring telephone
line or their black-hole email "support", one is so bold to send a talk
request or a piece of email to an *individual* Netcom staff member -- like,
say, Mr. Sterling Woodcock, the noted NIS and security expert -- what one
gets back is usually a nasty note telling one not to send email to said
staff member's "personal" account.

Of course, it's got to be a nice system they have set up there with their
"NOC" account and their other pseudononymous accounts -- they can provide
no, inept, or contradictory service, and never have a stitch of accountability.

I love that line of BS they try to feed the world about keeping their security
problems secret because they're accountable to their stockholders and afraid
of scaring their users. You want my best guess as to why they keep their
security problems so secret? They do it because they're afraid that they'll
get held liable at some point for failing to deal with known security problems
that then went and stomped on other people's feet, data, or machines.

Care to know what made "Cracker Buster" (fsim...@netcom.com) go away? I can
tell you, because I happened to be monitoring his traffic when he got nailed.

After having all the relevant information -- including days and days of
repeated warnings from me that the "fsimpson" account on Netcom, among others,
was being used as a convenient stepping-stone to try to break into other
people's systems, at least one warning that the fsimpson account was being
used for something (I didn't have enough data to tell what) to do with
"Cracker Buster", and *the information that a number of accounts on netcom
had the identical password "thief*****" and appeared to be being used by
multiple individuals for various bad purposes*, and failing to do anything,
before Netcom got to "Cracker Buster", some other pissed-off sysadmin did.

*Hours* before Netcom sent out a vague, confusing form letter to all the
administrators who had anything to do with this "Cracker Buster" mess, I
sat there and had one of the best belly laughs of my life as I watched a
tcpdump log of fsimpson getting kicked out of his electronic house-and-home by
someone who he and Netcom had evidently managed to piss off to the point of
willingness to break the law.

So you want to know where Hell is? Hell is where they sit around and do
nothing and have to wait for some kind of avenging angel to come carry off
the sinners, because you can't tell them from the house staff.

--
Thor Lancelot Simon t...@cloud9.net

Somewhere they're meeting on a pinhead, calling you an angel.

Come on, Karl. That's very weak, and you know it. Reporting
unsupported claims concerning system security is crying wolf. I have
customers who've told me awful terrible things about how bad your
service is, and I'm sure you have the same with respect to us, and I
know -- because I am a professional -- that this can probably be
chalked up to the inevitable malcontents and even in cases where it
can't, it is *not* our job to call down the wolves on our fellow
professionals. If you have evidence, let us know about it, and if
you don't, you have no reason to air imaginary dirty laundry on
Usenet. (Although I can't think of a better place to air it.)

So? What's Bruce got to do with NOC? (I know, you don't know what
he has to do with NOC, you're assuming that a) he works in that
department and b) that department handles security issues. Sigh.)

>Is mail forgery a violation of your user agreement with Netcom?

Why, yes, it is. What's your point? If you check your log files,
you'll find it went through pft.com, and as per the second message I
sent to that list, I deleted it immediately thereafter. It was only
there to make a brief, sarcastic point.

Hm... pft.com didn't put in any Received: headers, did it? (He said,
after a quick check.) And I guess mercury.mcs.com doesn't list the
sending machine in its Received: header, judging from what you've
posted. So I can see where you might have made a misassumption. I
certainly appreciate the (unintended) bug report. <grin>

I'm going to take my own advice at this point. If you still feel that
it's appropriate to sling mud about a competitor in public, that's your
business, and I'm not going to convince you otherwise. I somehow
suspect this is the case, but that's life, isn't it? I have better
things to do.

Alternatively, the strings are *now* secure, but weren't at some time
in the past, so they need to get rid of all the ones that were
possibly compromised before they secured things.

--
Jeff Hayward

And if I get the passwords via root?

Not really. If I get root then the game is over, Bruce, and you know it.
That's the ultimate goal, because with root I can make my own accounts. Or
do any one of a number of things, including making sure that you don't find
me later if I come back on.

Again, you're assuming I have encrypted strings to match against.

>You are naive if you think this is both A) The only method for testing,

It is (B) -- too slow/annoying/dangerous for crackers to use. At least it
is here. The other means of testing here, such as "su" are also suitably
instrumented. If you try it from the net at large I know where you're
coming from, and if necessary will block the IP number(s) involved.

Yep. It sure is, and if you start with 30000 accounts you can hack a few
hundred and use one at a time. The odds of stopping *that* short of
changing everyone's password, once the shadow file is compromised, are zero.

Oh, but I do know that Netcom has been both the source and pathway for some
forged communications purporting to have come from me, which have been sent
to our users. And I do know that Netcom has responded to one such inquiry
as recently as this morning with an assertion that the message originated
here -- which, by the way, was with the header containing a Netcom
Message-ID *staring the NOC operator right in the face* at the time the
statement was made.

Hacking which leaves you with root access typically leaves a 10 minute,
at most, window to gaining the encrypted password strings.

Nope, as I said, I have no proof and in fact don't want it, which you
conveniently deleted.

I am aware of a number of methods of compromising NIS to gain the password
list. There are also a number of patches to address some of these
concerns. Now, the question is which list of each do you know about and
have loaded?

Good....

Well, that would be interesting, considering that I'm somewhat difficult
to vote against here right now......

The lines get blurry only when they can. When you own the place there is
little blurring available.

Sorry, Bruce, but Net99 is not connected only at MAE-East, and in fact
that was *never* the case. Your "facts" are wrong.

Net99 came up multiply-peered and multiply connected on *DAY 1*. That's
a fact, Bruce, and in fact we have connectivity throughout the Net99
backbone even if the MAE equipment fails.

I know this for a fact because I'm the guy who sets up the router peering
on the Net99 core, and I know where we're attached, to who, and under what
set of pathings.

The header in question was a whole half-dozen lines from your comment that
it wasn't your problem and that the message originated here. My point was
not that you made a mistake, it was that you didn't bother to *LOOK* before
placing blame in the *wrong place*.

I don't send messages to a provider's staff without reason; I darn well
know how busy people are, as I'm one of them. I certainly don't pick on
Netcom's staff without reason, especially considering that I have, in the
past, had trouble even drawing a response *of any kind* asking for what
I consider to be normal provider-type things (ie: customer wants to change
over without loss of service; you typically ask for DNS to be picked up
from the new provider until the NIC can get around to switching things and
zones time out. This is called professional courtesy, and has been harder
than hell to get you folks to do for us in the past.) This particular
incident was both serious enough to warrant immediate mail (forged email
appearing to come from me personally and alleging wrong-doing sent to
customers of ours) and needed to be traced from your end as that was
where the smoke led on this one.

You bounced the message back to me saying "not our problem", when in fact
it was. Fortunately someone else had already replied with the *correct*
log info, but that made even more curious -- why did you get a copy if
someone else had already taken care of it?

Thus, it obviously *did* get to the right person, did it not?

All providers are, to an extent, cooperative on the Internet even when
they're direct competitors. If you want to invite the Feds in to regulate
this entire game then start being uncooperative and you'll get your wish
right quick -- "restraint of trade" sounds nasty in a nascent industry like
this, and the first ones to feel the heat will be the national firms. Nobody
wants that -- it is not in your, or our, best interest to invite that kind
of intrusion.

Gee, I remember Brucie saying something likes this to me when I stated that
some netcom systems were insecure a few months back.
Then I supplied sufficient proof.

Then they kicked me off . . . .

Go figure

I suppose the *incredible* increase in volume of trouble coming from, or
passing through, Netcom in the last two to three weeks doesn't add an air
of credibility to this?

The alt.2600 spams and cancel wars? The forged email to me, and my users,
for posting in alt.2600 -- purportedly from Netcom, and some of it actually
traced to Netcom? The hacked accounts, which I assume really were hacked,
otherwise you'd have someone to hold up in public as the source of the spam,
natch. The forged email to our customers which was funneled through Netcom,
and the absolutely incompetent response from the NOC I received this morning?
The fact that I got *two* responses to the same inquiry from the NOC, with
two different answers, nearly 24 hours apart?

Uh, one company, Bryant.... one company, one responsibility. If you come
to me with a request for a log lookup we will do what we can to provide
*competent* assitance. Not spout at the mouth without knowing what the
hell we are talking about, or worse, misrepresenting what is staring us
in the face!

I don't think someone being a competitor has anything to do with this at
all. Give up trying to frame this as a competitive issue; it isn't. It
has to do with Netcom being a pain in the neck right now, primarily due to
what appear, to me, to be serious internal issues within the systems there
and the *absolute* lack of communication coming from the company. That's
a corporate choice which Netcom is entitled to make, and one which we are
entitled to respond to.

I don't *have* a competitive opinion of Netcom. I've never had a Netcom
account, and to be honest, I don't have much use for one.

Thought: when you throw shit, even if you hit the person you're aiming at,
some of it sticks to your own hands...

Followup set.

--
Disclaimer: I don't speak for Martin Marietta or the EPA.
----------------------------------------------------------
dfru...@unixmail.rtpnc.epa.gov, Martin Marietta TSI,
P.O. Box 14365, MD-4501-1B, Research Triangle Park, NC 27709

That's weird. They're just issuing a prospectus for their IPO now.
----
Glenn Fleishman * Point of Presence Company <http://www.popco.com>
"Trend Watch" columnist, Adobe Magazine
Moderator, Internet marketing list (finger in...@wolfe.popco.com)
For public key, finger p...@wolfe.popco.com

No, they did their IPO several days -- maybe a week and change now --
ago. Stock went up for a few days after it hit the market, too.

Since when does NETWORK operations keep track of mail logs or track down
security incidents dealing with other sites? It seems to be that you wrote
the wrong department.

I decline the offer to sling mud. Thanks anyway.

Not quite. I bought some stock two weeks ago.

But they were privately held up till then, so they couldn't have used
their stockholders as an excuse.

--

********** DAVE HATUNEN (hat...@netcom.com) **********
* Daly City California: *
* where San Francisco meets The Peninsula *
* and the San Andreas Fault meets the Sea *
*******************************************************

Who does that make you, then? Stalin, Lenin, or perhaps Trotsky?

Oh, I've got it. You must be "Iron Feliks". You seem to have a similar
track record with respect to security.

Hey, didn't I just _say_ something about "Iron Feliks"?

:-)

>breached in some way, *would* you tell your customers? What if doing so
>meant you would lose money? What if your stockholders told you not to
>tell them, because *they* didn't want to lose money? You said before you
>do what's best for them, and what if that meant sacrificing honesty?

Another factor enters here. The first of this series of
incidents occurred while the IPO was hatching.

The SEC looks askew at concealing relevant information, _especially_
negative information, from potential stockholders. Of such are born
stockholder suits & SEC investigations.

The rules a privately held firm & a public company must live by
are far different.

This doesn't work on "enlightened" operating systems (like ours :-)) that
require you to already HAVE root for that function to return the strings.

Since the last time I mailed the postmaster and got told to talk to the

-

I'll admit that I read the message too quickly yet does that make me

"Wookin pa 'nub in aw da wong paces"
IN: Letters to Cleo, Offspring, Star Trek II, Elysium, Matt's groovy tape.
OUT: Colds, Ex-Girlfriends, Togos/Raviolis/RocknTacos, working for Netkom.
---------------------------------------------------------------------------

Well, if they are indeed so unresponsive, maybe they should be cut off by
their feed sites. I believe those are decwrl and kwandl.kwi.com.

Let them explain THAT to their stockholders.

Bill

I don't know what series of incidents you are referring to... we aren't
talking about any specific series of incidents as far as I'm aware. I'm
asking Karl what he would do as CEO of his company if root were compromised.

True. But that only goes so far. I don't think Netcom revealed *everything*
about it's operation to the SEC, and there may have been things important
left out. How about a list of known hackers on the system? Surely Netcom
suspects some, and they are dangerous to keep around, but on the other hand,
Netcom may not want to violate their privacy. Another possibility is that
there is some accounting data that indicates that a certain percentage of
netcom users are from Seattle. And I, as a investor, might *hate* Seattle,
and knowing that Netcom caters to so much swine it might mean I wouldn't
want to invest in their company. Etc.

It's hard for the SEC to draw a good line between relevant financial data,
and those details they find not relevant. But at some point they do draw
that line.

In any case, I don't want to get sidetracked on IPO issues, because that's
really not relevant, and I'm not trying to argue an IPO information case.
I'm asked Karl a question about his position, in his normal everyday
business.

Just remind them of the Intel Pentium incident. Intel got very little
flack over the fact that the bug existed. All the flames were over the
delay in making it public (i.e. they didn't say anything until it was
disclosed by an independent party) and their subsequent handling (claiming
that the bug isn't serious, and their initial reticence over trade-ins).
--

Barry Margolin
BBN Internet Services Corp.
bar...@near.net or bar...@netcom.com

But these are only useful if the passwords are available via NIS. As far
as I can tell, netcom's use of shadow passwords takes the encrypted
passwords out of the NIS map and moves them into root-only files that are
replicated on every netcom user login system.

Then they are not serving passwords over NIS. That's not what others have
indicated here. I don't have a Netcom account, so I can't verify this.

[almost endless quote cascade deleted]

This "progressive company" is also a publicly held progressive company. A
publicly held business has a fiduciary responsibility to the
shareholders, not the customers. This fiduciary responsibility includes
maximizing profits at a reasonable risk level for those shareholders.
However, these profits are to be found in the customers wallets. To keep
the shareholders happy, the customers must be happy. I like to think
going public means you've sold your soul in little chunks to millions of
little devils.

Netcom has a large customer base with thousands of accounts. The
traditional tools of system management have some flaws when it comes to
system security (3l33t RDIST scripts anyone?) but I see no easy
alternative to using them. Static database files take a large effort to
keep current on systems with POPs spread all over the country. Errors in
maintaining a labor-intensive database of users, passwords, hosts, etc,
can cause the account holders (customers) some dissatisfaction. This can
cause reduced profits as they elect to give their wallets to another
service provider. This can lead to unhappy shareholders.

If there are pertinent suggestions on improving the systems and profits
at Netcom, I'm sure the Netcom employees will love to hear about them. If
they are not, the shareholders may want to hear about these suggestions
anyway.

Bruce went on to say:

If you cross the shareholders, there is a day of reckoning called the
Annual Meeting. If you cross the customers, there is a day of judgement
each quarter when the quarterly results are announced and the
shareholders realize that you've crossed them as well. This is a fine
line to balance and many talented executives fail in their balancing
efforts. The lines are indeed blurry.....

But:
As a shareholder in a certain recently-gone-public networking and service
provider company, I feel odd reading about these Troubles in netnews,
especially in at.2600!! I can't say I have ever seen the like. Is this
good or bad? Only time and profit margins will tell.

And now back to the previously scheduled Karl and Bruce discussion of NIS
and finer points of sysadmining.....
--
------------------------------------------------------------------------
Kevin Martinez Warning: Intel Inside
l...@rahul.net I owe all my success to Roly Poly Fish Heads!
------------------------------------------------------------------------

Have you tested this yourself? Compile and run this code snippet
to test this for certain. Don't confuse pwdauth() with getpwent().
(Apologies for talking to you like you are an idiot)

#define MAXLOGIN 8
#define MAXPASS 8

main()
{

char login[MAXLOGIN];
char password[MAXPASS];

printf("login: ");
scanf("%s", login);

printf("password: ");
scanf("%s", password);


if (pwdauth(login,password) == 0 )
printf("Correct!\n");
else printf("Wrong!\n");

Yep. One of the problems with being involved in a public company as an
employee, natch.

The traditional tools have alternatives. You build your own tools and
security systems.

MCSNet has done this, for good reason -- we do not like the flaws in the
traditional methods. Therefore, we did our own tools, our own security
system, and our own accounting system.

Of course, you must have source to major parts of the operating system, or
rip out major chunks of the supplied software that comes with some machines,
to make this work. In some cases it can't be easily done at all, and that
may affect your choice of hardware and platform. It is no mistake and no
happenstance that we went the way we did for OS and hardware environment.

BTW, MCSNet is engineered for 60,000 user accounts, even though we have only
a fraction of that online now. The reason for that decision should be
obvious; the idea of changing basic tools at, oh, the 10,000 user level
frightens most people a *lot*. It ain't going to happen *here*.

The devil you choose in both hardware and software sometimes comes with
baggage. Nothing you can do about that one, so my advice is to choose that
devil carefully. You have to sleep with him, like it or not, and that damn
tail can get REALLY pointy at 3:00 AM!

Yep.

IPOs are damn tricky things. I'm *not* a stockholder, nor do I have any
interest in having either a long or short position here. Having been
involved in a company that went public (VideOcart, if anyone cares) I'm
quite aware of what happens to these firms and how much of it is not under
anyone's control. Basically, from my point of view, the market is just
legalized gambling ;-)

:-)