<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Re:
<blockquote type="cite">
<pre wrap="">Date: Wed, 18 Apr 2018 19:03:37 -0700
From: Phillip Hallam-Baker <a class="moz-txt-link-rfc2396E" href="mailto:phill@hallambaker.com"><phill@hallambaker.com></a>
To: "Shawn K. Quinn" <a class="moz-txt-link-rfc2396E" href="mailto:skquinn@rushpost.com"><skquinn@rushpost.com></a>
Cc: Cryptography Mailing List <a class="moz-txt-link-rfc2396E" href="mailto:cryptography@metzdowd.com"><cryptography@metzdowd.com></a>
Subject: Re: [Cryptography] Will We Ever Learn?
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:CAMm+LwjYTHXr6G6_rw29OTWudaAaXKQ1id3cDJa71zVQPMqKsg@mail.gmail.com"><CAMm+LwjYTHXr6G6_rw29OTWudaAaXKQ1id3cDJa71zVQPMqKsg@mail.gmail.com></a>
Content-Type: text/plain; charset="utf-8"
On Mon, Apr 16, 2018 at 5:00 AM, Shawn K. Quinn <a class="moz-txt-link-rfc2396E" href="mailto:skquinn@rushpost.com"><skquinn@rushpost.com></a>
wrote:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap="">On 04/13/2018 08:01 PM, Ryan Carboni wrote:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap="">The Morris worm was in 1988. That's all you need to know about what is
really going on with internet security.
A worm crashed the internet, and everyone's response is to do nothing.
That wasn't 2017, that was 1988.
</pre>
</blockquote>
<pre wrap="">Notice how you had to call it the Morris worm?
Before Microsoft Windows was internet capable, it was simply called The
Internet Worm. As in, the one, singular. Now, you have to call it the
Morris worm to differentiate it from all the Windows worms that have
come since.
</pre>
</blockquote>
<pre wrap="">Not because it was the only one to be launched, because it was the one
that brought the Internet down. There was also the Wang Worm and we had
numerous breaches of Internet facing machines due to Sendmail
vulnerabilities.
For years, UNIX systems eschewed shadow password files as 'security
through obscurity' until Crack appeared and suddenly having a world
readable password file was a bad idea.
Windows was not conceived as a multi-user or a network OS. So it is hardly
surprising that the effect of adding it to a network was interesting.
Windows NT was designed as a network OS but it was only when the Vista
switchover occurred that the desktop OS moved to a fully NT based security
scheme and that transition was resisted by many lazy admins who found the
security got in the way of their work and it was easier to tell users they
didn't want Vista than deploy it.
What has changed since is that the Internet is no longer just one network,
it is all networks.
-------------- next part --------------</pre>
</blockquote>
In case we forget it, that worm had three "methods" for trying to
break into the next machine, once it was established on one. And one
of those was just trying a surprisingly short list of passwords.
"Back in the day" there were studies showing that on what there was
of the net so far, a list of about 30 (it might even have been a
little less) "words" would include a valid password on most (I
remember numbers like 75%) of the systems that were connected. Such
a list would include "Spock" and "password", and words from the game
Adventure, and others that I hope would now bring more laughter than
login success. From then on, for a while, every so often we would
hear that a new survey showed that some small list would still work.
Are there any data on how small a list would include a password
working for some user on X% of all our systems these days? That
might be a weak measure of how far our preaching about security
practices has reached.<br>
Bob Wilson<br>
</body>
</html>