RE: CRIME EarthLink Password Security Story

From: Phil Hochstetler (Phil.Hochstetler@private)
Date: Fri Jun 21 2002 - 09:55:02 PDT


    |On Wed, Jun 19, 2002 at 03:42:09AM -0700, Lyle Leavitt wrote:
    |> I selected several email addresses from the results. I then tried
    |> logging into their email with password as the password. Sure enough I
    |> got in 2 out of the 8 that I tried.
    |
    |Lyle, I'd like to discourage doing this in the future; you've actually
    |accessed several accounts without proper authorization. Let's not forget
    |that Randal Schwartz did several years of community service for simply
    |_finding_ passwords on Intel machines -- he didn't even try any of
    |them. _I_ know your intentions are good, _you_ know your intentions are
    |good, but proving that to a jury might be difficult or pointless or
    |both.
    |
    |Cheers
    
    I don't know how people on this list feel about the Randal Schwartz
    trial, but I think the facts are a bit different than "he didn't even
    try any of them".   He did use them and his intent was to bypass the
    system administrators' attempts to enforce their policy.  You can read
    more in lots of places.  For example:
    
    http://www.cs.uidaho.edu/~frincke/research/security/articles/schwartz3.txt
    
    BTW, I knew Randal in the early 80's when he worked at Sequent.
    --phil
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 10:19:06 PDT