The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #229 [[no subject; call it DES issues...]] (1 message, 1110 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/229.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Mark W. Eichin <eichin@ATHENA.MIT.EDU>
To: phage
Date: Thu 06:46:40 10/11/1988 EST
Subject: [no subject; call it DES issues...]
References: [Thread Prev: 224] [Thread Next: 400] [Message Prev: 228] [Message Next: 225]

>From: der Mouse  <mouse@larry.mcrcim.mcgill.edu>
>The login program, which is shipped with every UNIX system in
>existence, also contains (indeed, *must* contain) the same algorithm.
Not strictly true (see 2 below)...
>Thus the target system can be presumed to already have exactly that
>code on it.
A few things, here:
	1) Then why did he include the code, rather than linking
against it on the target system?
	2) DEC (for the Ultrix product, I believe) is one company
which takes these regulations seriously; I have heard that they
install the crypt routines at the other end. A group here went through
some difficulty setting up a system for a demo in Germany; /lib/libc.a
couldn't contain crypt.o, and we couldn't ship the fast DES library we
include with Kerberos... I don't recall exactly what they did at the
other end, I think we tested the system with a null crypt just in
case.
	3) If the remote system *was* using a `different' crypt, his
password attacks would fail unless he linked with it...

In summary, we're not sure why he[1] bothered. But then, he walks arrays
with indices rather than pointers, and at one point uses an if-goto
loop rather than a for or while...[2]

				Mark Eichin
			<eichin@athena.mit.edu>
		SIPB Member & Project Athena ``Watchmaker''

[1] I use "he" as the English neuter pronoun, rather than some more
clumsy alternative, NOT to indicate any knowledge of the gender of the
perpetrator.
[2] Many different combinations of for, while, and do-while loops,
with continues and breaks, would NOT produce the exact code in
othersleep, while an if-goto does.
					_Mark_
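
The point made in items 1 and 3 above, that an offline password attack only
works when the attacker's crypt routine matches the one that produced the
target's hashes, as an added illustration (not code from the phage list, the
worm, or Project Athena). The hash functions below are stand-ins: a salted
SHA-256 from hashlib plays the role of the target's crypt(3), and a
do-nothing "null crypt" plays the role of the placeholder build mentioned in
item 2. Neither is DES; the passwd lines and wordlist are constructed.

```python
"""Offline password guessing with a pluggable crypt(): the attacker's hash
routine must match the target's, or every guess fails to compare equal.

Added illustration only.  des_like_crypt and null_crypt are stand-ins
(assumption: hashlib SHA-256 instead of the real DES-based crypt(3)).
"""
import hashlib
from typing import Callable, Dict, Iterable, List


CryptFn = Callable[[str, str], str]


def des_like_crypt(password: str, salt: str) -> str:
    """Stand-in for the target system's crypt(3).

    Classic crypt(3) returns the 2-character salt followed by 11 characters
    of DES output.  Only that shape (salt prefix, deterministic, 13 chars)
    is mimicked here; the mixing function is SHA-256, not DES.
    """
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def null_crypt(password: str, salt: str) -> str:
    """Stand-in for a 'null crypt' test build: no encryption at all."""
    return salt + password


def parse_passwd(lines: Iterable[str]) -> Dict[str, str]:
    """Map login name -> hash field for /etc/passwd-style lines
    (name:hash:uid:gid:gecos:dir:shell).  Locked or shadowed entries
    ('*', 'x', empty) carry nothing to attack and are skipped."""
    entries: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; ignore rather than crash
        name, hashed = fields[0], fields[1]
        if hashed in ("", "*", "x"):
            continue
        entries[name] = hashed
    return entries


def guess_passwords(entries: Dict[str, str], wordlist: List[str],
                    crypt_fn: CryptFn) -> Dict[str, str]:
    """Try every word against every entry using crypt_fn.

    The salt is taken from the first two characters of the stored hash, as
    with classic crypt(3).  Returns {login: recovered_password} for the
    entries whose stored hash matched some guess under crypt_fn.
    """
    found: Dict[str, str] = {}
    for name, hashed in entries.items():
        salt = hashed[:2]
        for word in wordlist:
            if crypt_fn(word, salt) == hashed:
                found[name] = word
                break
    return found


# Constructed sample data: hashes produced by des_like_crypt (the "target"
# routine).  Not real accounts or real system data.
SAMPLE_PASSWD = [
    "root:" + des_like_crypt("password", "ab") + ":0:0:root:/:/bin/sh",
    "alice:" + des_like_crypt("larry", "xy") + ":100:10:Alice:/u/alice:/bin/csh",
    "bob:" + des_like_crypt("moria", "q7") + ":101:10:Bob:/u/bob:/bin/sh",
    "nobody:*:65534:65534:Nobody:/:/bin/false",
    "# comment lines and short lines are ignored",
    "broken:line",
]
WORDLIST = ["password", "larry", "athena", "kerberos"]


def run_demo() -> Dict[str, Dict[str, str]]:
    """Same wordlist, same passwd file, two different crypt routines."""
    entries = parse_passwd(SAMPLE_PASSWD)
    return {
        "matching_crypt": guess_passwords(entries, WORDLIST, des_like_crypt),
        "null_crypt": guess_passwords(entries, WORDLIST, null_crypt),
    }


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(f"{label}: {hits}")
```

With the routine that produced the hashes, "root" and "alice" fall to the
wordlist while "bob" (whose password is not in it) survives; with the null
crypt, the same wordlist recovers nothing, which is the situation item 3
describes for a worm that did not link against the target's own crypt.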

END OF DOCUMENT