
Fucked Up College Kids File 291

Published in Fucked Up College Kids · 5 years ago

  

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= F.U.C.K. - Fucked Up College Kids - Born Jan. 24th, 1993 - F.U.C.K. =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Security is Obscure
~~~~~~~~~~~~~~~~~~~

"Obscure (adj.): [...] 4. Not famous or well-known. 5. Difficult to
understand." -- _The American Heritage Dictionary_, 2nd ed., 1983.

Okay, so it's an old dictionary. But the meaning of the word "obscure"
really hasn't changed much in the last decade.

I wanted to write this file as a word of encouragement to beginning
hackers who think everything has already been done and security
everywhere is tighter than the pope's ass (but not the altar boy's, ha
ha). I intend to illustrate the base ignorance of many system
administrators who know less about Unix than the average hobo does.

Security is obscure in the sense of the first meaning I quoted; most
*.edu systems have admins who haven't got the slightest clue as to how
to secure their system, and who let their users (recall that
the weakest link in any "secure" system is usually the people who use it)
choose poor passwords. Thus, if Joe Admin sets up a system and restricts
access to dial-up and computer labs, Joe Hacker will still be able to get
in using Joe User's password ("sex") and a modem.

One case I wanted to mention specifically in this file happened over the
course of the past few weeks. I requested and received a copy of an
unnamed school's passwd file from an unnamed source (you know who you
are. Thanks again!) after he told me that it was unshadowed and
world readable. I ran jack on it using a few wordlists before I
found out that the passwd binary forced users to use non-dictionary
passwords. Then, because I was bored and needed to brush up on my C
knowledge (very little, actually), I whipped up a program to output all
possible 8-character printable password combinations. After some quick
calculations, I discovered that I would need at least 6,500 9-gig Seagate
drives and several decades to store all the combinations and use them
with jack. Discouraged, I dropped the matter for a while.

Then a co-worker asked me to step her through the "reading email"
process on her account, which happened to be on the system in question. An
account she had never used. One with the default password still in place.

I helped her log in and incidentally discovered that default student
passwords on this particular system were the first 8 digits of the
social security number. I also found that the .login script *didn't
force first-time users to change their password*! I guided her through
the "changing your password" stage and was astounded to find that this
poor-security system forced users to use non-dictionary passwords but
wasn't set up to force an initial password change.

I let it sit for about a week before I got around to modifying my
program to output 8-digit numeric combinations. After
further trimming it down to output only the combinations beginning with
521, 522, 523, 524, and 525 (CO-issued SSNs) (the "full" output would
take about 110 megs), I had a 5-meg wordlist file that has netted me
over 60 accounts from this system. These accounts were snagged over a
total period of about 10 hours or so, and I used my very limited SSN
list. Imagine how many I would have if I used the "full" SSN output and
gave jack a few weeks.
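
The two weaknesses in this case (hashes left in the world-readable passwd
file, and default passwords nobody was made to change) are both things an
admin can check for. An added example, not part of the original file: it
reads passwd- and shadow-format text and flags both. The sample entries, the
PLACEHOLDERHASH values and the PROVISIONED map of account-creation days are
constructed assumptions.

```python
# Added example: audit passwd/shadow-format text (all sample data is constructed).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
alice:PLACEHOLDERHASH:1001:100:Alice:/home/alice:/bin/csh
bob:x:1002:100:Bob:/home/bob:/bin/csh
carol:x:1003:100:Carol:/home/carol:/bin/csh
"""
SAMPLE_SHADOW = """\
root:PLACEHOLDERHASH:19000:0:99999:7:::
bob:PLACEHOLDERHASH:19500:0:99999:7:::
carol:PLACEHOLDERHASH:0:0:99999:7:::
"""
# Hypothetical provisioning export: user -> creation day (days since 1970-01-01).
PROVISIONED = {"root": 18000, "bob": 19500, "carol": 19500}


def unshadowed_accounts(passwd_text):
    """Users whose password hash sits in the world-readable passwd file."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line
        user, pw = fields[0], fields[1]
        if pw == "x" or pw.startswith(("*", "!")):
            continue  # shadowed, or locked account
        if pw:  # an empty field (no password) is a separate finding, not covered
            exposed.append(user)
    return exposed


def never_changed(shadow_text, provisioned):
    """Users still on the password set at provisioning, with no change forced."""
    stale = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or fields[0] not in provisioned:
            continue
        user, lastchg = fields[0], fields[2]
        if lastchg == "0":
            continue  # 0 means a change is forced at next login
        if lastchg.isdigit() and int(lastchg) <= provisioned[user]:
            stale.append(user)  # last change is not later than account creation
    return stale


if __name__ == "__main__":
    print("hash readable in passwd:", unshadowed_accounts(SAMPLE_PASSWD))
    print("still on provisioned password:", never_changed(SAMPLE_SHADOW, PROVISIONED))
```

On systems with shadow-utils, `chage -d 0 <user>` sets the last-change field
to 0, which forces a new password at next login.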

The second definition of "obscurity" that I quoted does not seem to
apply at first; most people who work with computers have some
understanding of security, and admins should be especially aware of
security issues. Yet I have found and continue to find just the opposite,
nearly every day. This is why you should use PGP and SSH; why should you
trust your admin to secure his system? If you have faith in his sysadmin
skills but I have reason to believe otherwise, then you'll be the one
who loses when I start hanging out in your home directory.

As an addendum to this file, I'm including "Things overheard while scanning
cell frequencies". I started it as a separate file, but I don't have nearly
enough:

"Oh shit, I just ran a red light."
"People can listen to cellular conversations with one of them hand-held
walkie-talkies."

-Legion

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Questions, Comments, Bitches, Ideas, Rants, Death Threats, Submissions =
= Mail: jericho@dimensional.com (Mail is welcomed) =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= To receive new issues through mail, mail jericho@dimensional.com with =
= "subscribe fuck". If you do not have FTP access and would like back =
= issues, send a list of any missing issues and they will be mailed. =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Files through AnonFTP FTP.DIMENSIONAL.COM/users/jericho/FUCK =
= FTP.SEKURITY.ORG/pub/zines/fucked.up.college.kids =
= FTP.PRISM.NET/pub/users/mercuri/zines/fuck =
= FTP.WINTERNET.COM/users/craigb/fuck =
= FTP.GIGA.OR.AT/pub/hackers/zines/FUCK =
= ETEXT.ARCHIVE.UMICH.EDU/pub/Zines/FUCK =
= Files through WWW: http://www.dimensional.com/~jericho =
= http://www.prism.net/zineworld/fuck/ =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= (c) Copyright. All files copyright by the original author. =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
