HP3000-L Archives

July 2001, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Ken Hirsch <[log in to unmask]>
Reply To: Ken Hirsch <[log in to unmask]>
Date: Thu, 5 Jul 2001 15:08:45 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (61 lines)

Wirt Atmar <[log in to unmask]>:
> However, if we were to allow Bruce's numbers, 100,000 attempts per hour,
> working against a password composed of only 8 letters, a dictionary attack
> would still require, on average, 110 years to break the first password. And
> if the password were composed of 8 characters, made of both letters and
> numbers, the time would grow to 1490 years.

You're assuming here that people choose passwords out of a set of 26^8
elements, but this is just not so.  The actual set of passwords is rather
small in most cases.  If you can check 100,000 passwords an hour, chances
are you'll get it in an hour or two.
>
> >  - Security is not as good for FTP access as it is for logons.  Where are
> >  unsuccessful FTP logons logged?  Do you have VESOFT security on FTP?
>
> But that's not the way FTP was implemented on the HP3000. You have to get
> both passwords right at the same time or you're disconnected, simply because
> you enter them as one long string, separated by a comma. What that means is
> that if you were using two 8-character (number and letter) passwords for your
> MPE groups and accounts, the average time to break through the FTP password
> challenge, using Bruce's 30 attempts/sec numbers, would be 4.2 million
> billion years (or 20,000 lifetimes of the universe, discounting of course the
> fact that at the occurrence of each "Big Crunch", all information from the
> previous universe's existence is lost) [36^16 possibilities / (30 attempts
> per second * 86400 sec/day * 365 days/yr) = 4.2 x 10^15 years].

Now people have to choose and remember TWO passwords out of a set of 36^8.
How many people do that?

[...]
>
> The preventive mechanism on computers similar to genetic diversity would be
> for each organization to completely independently write the various network
> protocols and services from only the specifications, without seeing anyone
> else's code. While each independently written service would undoubtedly have
> its own vulnerabilities, the chances that they would be discovered,
> especially on the rarer platforms, drops dramatically. Even more importantly,
> if such vulnerabilities were discovered, they would likely only affect one
> platform.

While using popular operating systems and protocol implementations certainly
makes one more vulnerable than using unpopular ones, you can't be serious
about each organization rewriting its own.  Clearly, that is not going to
happen.  Perhaps in the meantime you might want the help of some external
security software (firewalls, IDS, etc.) to help overcome any shortcomings
in the software.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
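The disagreement above is about which model of the password population you use. As an added worked example (not code from the original thread, nor from either correspondent), the Python below first reproduces the uniform-keyspace figures Wirt quotes at 30 guesses/second (about 110 years, about 1490 years, and about 4.2 x 10^15 years, the last being the average for 36^16, i.e. half the keyspace), then recomputes the same 100,000-guesses-per-hour attack against an assumed, constructed Zipf-shaped password distribution. The dictionary size (20,000 entries), its coverage (60% of users), the Zipf exponent, and the independence of the FTP account and group passwords are all assumptions chosen for illustration, not measured data.

```python
"""Brute-force time: uniform keyspace model versus a skewed password distribution.

Added example, not code from the HP3000-L thread. The Zipf shape, dictionary size,
coverage fraction and the independence of the two FTP passwords are assumptions
chosen for illustration, not measured data.
"""
import math

SECONDS_PER_YEAR = 86400 * 365


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def expected_guesses_uniform(space):
    """Average guesses to hit a password drawn uniformly from `space` candidates
    when the attacker enumerates them in any fixed order: (space + 1) / 2."""
    return (space + 1) / 2


def years_to_crack(expected_guesses, attempts_per_second):
    """Convert a guess count into wall-clock years at a fixed guessing rate."""
    return expected_guesses / attempts_per_second / SECONDS_PER_YEAR


def wirt_figures(attempts_per_second=30.0):
    """Reproduce the three uniform-keyspace figures quoted in the thread
    (8 letters, 8 alphanumerics, two 8-alphanumeric FTP passwords) at 30 guesses/s."""
    return {
        "letters8": years_to_crack(expected_guesses_uniform(keyspace(26, 8)), attempts_per_second),
        "alnum8": years_to_crack(expected_guesses_uniform(keyspace(36, 8)), attempts_per_second),
        "alnum16": years_to_crack(expected_guesses_uniform(keyspace(36, 16)), attempts_per_second),
    }


def zipf_dictionary(size, coverage, exponent=1.0):
    """Constructed Zipf-shaped distribution: entry r has weight 1/r**exponent, scaled so
    the whole dictionary accounts for `coverage` of all users' passwords (an assumption)."""
    weights = [1.0 / (r ** exponent) for r in range(1, size + 1)]
    total = sum(weights)
    return [coverage * w / total for w in weights]


def guesses_in_hours(hours, attempts_per_hour):
    """Guess budget available to an online attacker in `hours`."""
    return int(hours * attempts_per_hour)


def fraction_cracked_uniform(space, guesses):
    """Share of accounts recovered within `guesses` attempts if every password were an
    independent uniform draw from `space` candidates."""
    return min(1.0, guesses / space)


def fraction_cracked(dictionary_mass, space, guesses):
    """Share of accounts recovered within `guesses` attempts when the attacker tries the
    dictionary in descending-probability order, then brute-forces the rest of `space`.
    Mass not covered by the dictionary is assumed uniform over the remaining candidates."""
    d = len(dictionary_mass)
    if guesses <= d:
        return sum(dictionary_mass[:guesses])
    covered = sum(dictionary_mass)
    return covered + (1.0 - covered) * (guesses - d) / (space - d)


def expected_guesses_ranked(dictionary_mass, space):
    """Mean guesses under the same ranked-dictionary-then-brute-force strategy. The mean
    stays huge because the uniform tail dominates it; fraction_cracked() is the number
    that decides whether an attacker gets in during a working day."""
    d = len(dictionary_mass)
    covered = sum(dictionary_mass)
    in_dict = sum((i + 1) * p for i, p in enumerate(dictionary_mass))
    out_of_dict = (1.0 - covered) * (d + (space - d + 1) / 2)
    return in_dict + out_of_dict


def fraction_cracked_pair(dictionary_mass, guesses):
    """FTP case: account and group password submitted as one string, so each attempt
    tests one (account, group) pair. Spending the budget on the top-m x top-m square of
    two assumed independent, identically distributed dictionaries recovers a share of
    pairs equal to the product of the two single-password coverages."""
    m = math.isqrt(guesses)
    cov = sum(dictionary_mass[:m])
    return cov * cov


if __name__ == "__main__":
    rate_per_hour = 100_000                      # the thread's "100,000 attempts per hour"
    budget = guesses_in_hours(2, rate_per_hour)  # Ken's "an hour or two"
    words = zipf_dictionary(20_000, 0.6)         # assumed: 20k entries cover 60% of users
    space = keyspace(36, 8)
    for name, years in wirt_figures().items():
        print(f"{name:>8}: {years:.3g} years (uniform model, 30 guesses/s)")
    print(f"uniform 36^8, 2 h:       {fraction_cracked_uniform(space, budget):.2e} of accounts")
    print(f"ranked dictionary, 2 h:  {fraction_cracked(words, space, budget):.3f} of accounts")
    print(f"mean guesses, ranked:    {expected_guesses_ranked(words, space):.3g}")
    print(f"FTP account,group pairs: {fraction_cracked_pair(words, budget):.3f} of pairs in 2 h")
```

The point the two expected-value functions make together is that the "average years to crack" figure barely moves under a skewed distribution (the uniform tail dominates the mean), while the fraction of accounts an attacker opens in a two-hour window jumps from roughly one in ten million to the whole dictionary-covered population. The pair function applies the same reasoning to the comma-joined FTP credential: 36^16 nominal pairs, but if both passwords come from the same skewed population the attacker only needs the top few hundred of each.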
