Bugtraq mailing list archives

Re: Attack on DES paper and CRACK


From: rgm3 () is chrysler com (Robert Moskowitz)
Date: Fri, 20 Jan 1995 08:04:23 -0600


At 10:36 PM 1/19/95 +0000, Karl Strickland wrote:
I got CRACKERJACK, and once I did, I did not give it to the original
requester, rather to our security people for a tool for them.  Too
dangerous, I can't trust that person to restrict who gets it.

What exactly does this mean?

If you get CRACKERJACK, you will see how skilled it can be at obtaining UNIX
system passwords.  In any organization, there tend to be key systems with
some bad passwords.  An angry employee or contractor in a momentary fit of
rage might do something ill-considered with such a tool.  Such things do
happen.  Thus if they have to work at getting the tool, they might cool off.
Anyone that really wants to do damage can always do that, even without such
a tool.

The person that asked for CRACK is notorious at showing off what she can do.
Been doing it here for 8 years.  In this person's hands, CRACKERJACK would
be all over the company in maybe a month.

Now some might argue that this is good, as it will force everyone to clean
up their passwords.  This is like the disclosure argument.  It turns out
that our UNIX heavies are getting the security religion and system holes are
being closed.  Rushing it would be nice, but then the job will get done
sloppily.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212


