Hacker News new | past | comments | ask | show | jobs | submit login

30 years ago I cracked everyone’s Unix password on an old Sun computer.

It didn’t take long because everyone had a password that was in the dictionary.

Needless to say, people were not happy with the messenger.

Inherited a system at current (for a few more weeks) employer (recently written so no excuse) that had used a weak hash for the password, I pointed out to my boss how bad it was and that it shouldn't have happened, he didn't pay a great deal of attention.

So I threw the OpenMP variant of John the Ripper at it (I'd just built a 8C/16T Ryzen machine and was curious) it broke ~80% of the passwords in under an hour and all of them over an afternoon of not been in use.

Went to see the boss and gave him the list of passwords including his (which was one of the weaker ones) - he gave me the time to fix it and some other glaring security issues.

The more things change the more they stay the same.

I know enough about security to know that I really don't know about security.

Reminds me of a security issue we had on our linux servers at a former employer. Short of it is, one could run any command as another non-root user without having sudo access or knowing the user's password. rsh access was inadvertently left wide open on thousands of servers.

A coworker and I stumbled into this one morning when I was helping him figure out how to remotely invoke a linux command from a windows gui. I don't recall why we were using rsh as we'd normally ssh into our servers. As we sat there trying to figure out how to enter the password, we decided to just try and run the command w/o a password. We were shocked when it just worked - we were never prompted for a password. When I reported this to my director, he asked me how bad it was. I was like, watch this: I sent an email as the CEO to him saying "you're fired.". He immediately went to our infrastructure team to get it fixed. Fun times...

> I know enough about security to know that I really don't know about security.

I'm not sure anyone ever gets past this point. There's way too much for any person to know and not enough hours in a day or days in a year or years in a lifetime to master everything. Even when it comes to computers in general at some level it just becomes magic to me. I might be able to point to a chip and say "that's the sound chip" or "that's a math co-processor", and even write software for it, but I have no idea what goes on inside and I wouldn't know where to even start trying to build one from scratch.

That’s my feeling as well, I try to follow best practices at the level I work at and hope everyone on the levels below me did the same.

Had I done this to any of my bosses I'd have been fired

That's funny - I was going to post that I was first exposed to this thirty years ago when my password was cracked on an old Sun computer! I didn't complain, it was a wake up call. (You weren't at OUCS were you?)

Ah, I remember doing that. Not quite 30 years ago, but jeez, getting close. Funny, it helped me remember some of the professor's wives names, and for some reason I can remember the husband-hunting Italian lady's password (amici) while I've forgotten both her name, her thesis project and everything else about her.

It was actually decently well received by the department head; he sent out a memo to the staff to not use their wives names for emails and looked like an early computer security innovator in the physics department.

30 years ago you could just sniff the passwords on the local subnet because everyone was using telnet and ftp in the clear.

20 years ago you could also sniff passwords for all Windows users in the same subnet as you. Windows used the NTLM scheme which was known to be weak even back then. An AMD K6 running overnight cracked almost all of them at my university's lab, including the Active Directory domain admin.

An NT hash can be used as a credential all by itself, no need to crack those ;)

You can't really blame them... it was called a pass "word".

I got myself and my best friend in high school fired from a fairly good gig because I cracked some dumb passwords and a CEO took it the wrong way. I still don't think he fully forgave me for it.

No good deed goes unpunished.

More specifically, pointing out someone else's stupidity is rarely welcome.

I had both experiences in high school. One situation -> bad result. The other I was made a quasi IT fixer - they put me to work (Novel Netware and other stuff). I would be called out of class to fix things. Since I was naturally super interested in how everything worked together and all the features and the librarians or VP or teachers were not it worked out. At the time I took it reasonably seriously.

In hindsight some teacher must have spoken up for me to come up with the solution when they were trying to come up with an appropriate response.

Novell Netware - blast from the past.

I had to go apologise to IT (who could barely keep a straight face) at college for sending a message from 'God' saying "I saw what you did last night and it disgusted me".

I thought it was going to just the lab but since I was poking around in something I really didn't understand I manage to send it out site wide.

Fortunately they saw the funny side.

I sent more than one message from God by telnet to <mail server> 25. Good times!

Around the same time, someone at my school made a much, much worse semi-accidental prank. Semi-accidental because he didn't think it would work. See, the campus list serve was setup to only allow certain senders to send messages. Makes sense, only a few top administrators should be able to do that. This person theorized that a simple <smtp: from> hack, using an authorized person's email, might circumvent the restriction. He was right! Unfortunately, rather than "test 1 2 3" or something, he sent a message, from the president, that all classes had been cancelled. Had he stopped there, maybe it would have been chalked up to a prank. But he went further: The president would be using this free time to, um, entertain amorous visitors at their leisure. So, yeah, expelled. His excuse, when interviewed by the student newspaper, was "I didn't think it would work."

I send unauthenticated email on port 25, every semester, in front of my students, as part of a discussion on internet application protocols. I can't use "God", because the addresses are validated, but I do send "from" the school's IT director. I even give them the commands to do it themselves (along with a strict talking to about how it's not truly anonymous because their network access is authenticated).

I've been able to do it at every university I've studied or worked at.

Many, many years ago when I was in college at the University of Rochester, I found a paper in the computing lab with the root passwords for about twelve machines at Stanford. I emailed them and told them I'd destroyed it but that they should be much more careful. I got yelled at.

Just curious, did you get yelled at because you destroyed the only copy of their password memory aid? ;)

If they were keeping their only copy at an unrelated University thousands of miles away, they had more problems than I thought ;)

I'm actually not sure anymore what the details of their return email was, as it was over 25 years ago. But it was basically, "We will report you to law enforcement if you contact us again."

They must've been really embarrassed to send that kind of response.

This must have been a popular pastime in the 90s as I did the same thing for my university's security on their new, centralized student accounts server. This effort was further aided by there being a predictable salt used for the password hashes that indicated which passwords were still set to the (again, predictable) default pattern. They were kind not to kick me out and not fire me as I was both a student and part time employee in their networking services department.

25 years ago I didn't need to crack anyone's unix passwords- they were all broadcasting them in cleartext every few minutes because they were using eudora or some other mail client, and I had converted an old sun workstation I found into a packet sniffer.

I remember in middle school using "arena" as a password.

"No one will ever guess this!"

At my middle school the default password for all accounts was "linux". The school was Windows (Win2k) only ;) it was around 2006/2007) I had access to a dozent Teacher accounts from oder ones who never used a Computer.

Actually that was the first time that i heard the word Linux and learned the meaning just few years later.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact