in reply to Reaped: So merlyn why did you hack the password file?

Re: Re: So merlyn why did you hack the password file?
by merlyn (Sage) on Dec 26, 2001 at 08:40 UTC
    The context of many of your questions suggests that you were never a system admin in the 80's. The space here is too small to recreate that environment, where we all help each other out when we see the need, and we didn't care about nametags or "whose job is it"... we just all did what we could when we could, and sorted out the details later.

    And although I don't owe an answer to each question, here it is:

    Obvious question number 1: how did you "discover" that someone else picked a dictionary word?
    I ran crack against the password file.
    Obvious question number 2: even though you were previously an admin there, you weren't at the time of your discovery... what were you doing on that machine? What were you doing there that led to your discovery of the dictionary password?
    The trial transcript goes into that. I had access to that machine to maintain Perl on the SGI platform. It was not "overlooked", except that they didn't realize I had been given that charter.

    As for "why", I think I've answered that above. I was a sys admin for Intel. I was noticing a problem. I was investigating, to help out the people who had paid my bills for five years.

    Yes, in retrospect, I could have gotten more permissions or more declarations earlier in the process. But I've been told by dozens of people through the years (usually also old-school sysadmins) "I would have done it exactly the same way" and sometimes even "I did do that, migawd, I could be a felon!".

    Obvious question number 3: as a sysadmin who supposedly is so concerned about security, I would think you would have emailed the new admin to have your account deleted, as it is an obvious breach of security to have dormant accounts lying around. Why didn't you email someone to have this account closed as soon as your term there finished? If you were concerned about restarting activities here, then they could archive your files until your possible return, but it is without question a breach of security to leave this account open and a second breach to re-access this computer even though your duties there were finished ... mind telling us why these breaches were not sealed up?
    My duties weren't finished. So, assumes fact not in evidence. {grin}
    Obvious question number 4: instead of playing mother Teresa for the current sysadmin why did you not simply report this breach to the relevant authorities?
    This is the group that left plus in the hosts-equiv file on a firewall machine (permitting an actual firewall breach from some German hackers), and SunOS 4.1.3 FTPD in place a year after it was CERT-bugged (which was used by the guy in the book "@large" to get the very same password file I was accused of stealing). I wanted to get as complete a report as I could get before I went to their managers to show that they were indeed continuing to be incompetent.
    Obvious question number 5: you mean to tell me that you did not immediately report the first breach? Instead you decided, in a job that you no longer held, to continue to look for other breaches?
    Again, if you've held a sysadmin job in the 80's, you'd know that I followed SOP. Get all the details, solve the problem if you can, and then tell the overworked sysadmin who failed to notice it. I was in the middle of the "get all the details" phase.
    Obvious question number 6: didn't you have important work to do for Intel on a particular project? Why did you devote your time and energy to an un-announced and un-paid-for project?
    I was on a part-time project: about 20 hours a week. And this took no more than about a half hour of my time, to transfer a copy of the password files and to start crack. Small investment for what I thought would be a big payoff for the company.
    Obvious question number 7: yes you did make a number of boneheaded mistakes. So, if that is the case, why don't you work to get the Oregon computer law rewritten so that boneheaded security breaches like the ones you clearly made do result in punishment because they do deserve punishment. It is scary to think that the law is so poorly written that when someone does something that is boneheaded and potentially injurious to a company that they might get away on a mere technicality like you are trying to do.
    I am doing that. Unfortunately, it was a mostly Republican Oregon congress for the last few years, and the terrorism stuff won't make it any easier. If you want to help, I can put you on the mailing list where we discuss such activities.
    And it escapes me why you, Mr. Juerd, would think that someone with an old account on a machine that he was no longer sysadmin for would be "doing his job". This is insanity. He was doing someone else's job unless someone assigned him back to this machine to do his job here.
    As I said, it's clear to me that you weren't a sysadmin in the 80's. Anyone who had been understands my actions perfectly.
    And if he was so security-minded, why didn't he install a program which prevented easily-cracked passwords during his reign as sysadmin there?
    I did. The guys who took over took it offline. Or else there wouldn't have been 48 guessable passwords after 600. And I wouldn't be a felon.

    -- Randal L. Schwartz, Perl hacker

That was uncalled for.
by jynx (Priest) on Dec 26, 2001 at 05:39 UTC

    Setting aside merlyn's actions,

    Who are you to judge? Don't you think that he has been asked these "obvious questions" time and time again in public and private, by friends and enemies alike? What makes your asking these questions any different? Why should he report more about his private life to you than others?

    The monastery is supposed to be a place for monks to come together and work in peace and harmony. Brother merlyn is a monk in good standing and should be allowed a reprieve from questions about his private life in coming here, just as we don't ask you all the details of your life. If you care to share them with us, that is of your own accord, but it is not our place to pry so vehemently as you have just done.

    Merlyn was gracious enough to tell us as much as he did, he could have not told us at all. He was hoping for a little support from his fellow monks in coming here, whether we approve of his actions or not. He has been given some support, and hopefully his worries will be all the lighter for it.

    Maybe i have too idealistic a vision of what the monastery is, but time and again i log in and find peace within these (virtual) walls. My fellow brethren are adept at giving comfort and peace to the weary souls that travel here, and i am very grateful for it. Since you come back here as well, surely you must be grateful for it too. Should we deny merlyn the same hiatus from the Real World? For that is what these questions seem to do. It is highly unfair treatment. He has answered these questions already; if his answers were not good enough for you, then fine, they weren't, but there was no reason to post questions that he has already answered.

    jynx