|
QNX Crypt Cracked
|
Login/Create an Account
| Top
| 167 comments
|
Search Discussion
|
|
|
|
The Fine Print:
The following comments are owned by whoever posted them.
We are not responsible for them in any way.
|
hm. could they have used the unix passwd()? (Score:1)
by Miriku chan (liquidspin.dhs.org) on Sunday April 16, @08:27AM (#1129244)
(User #168612 Info | http://liquidspin.dhs.org)
|
could they have used the unix passwd without there being a copyright violation?
as in, while still remaining closed source and propriatery?
legally anyways :)
|
Yikes (Score:2)
by Greyjack on Sunday April 16, @08:29AM (#1129245)
(User #24290 Info | http://greyjack.com)
|
|
"Quick, Lawyerboy, to the Lawsuitmobile! There's motions to be filed!" Man--given how heated DeCSS has gotten, I cringe at the thought of how, uh, unhappy some huge organizations are going to be with this one. Bah, on second though, we're only talking about ATM machines, no big deal.
--
|
Good work... (Score:1)
by affegott on Sunday April 16, @08:29AM (#1129246)
(User #104661 Info)
|
|
I hate it when people stary from the norm... and use their own stuff. It kinda has a microsoft like mentality to it. :-) Now if only I could think of the "neat" uses of this new found info. :-) Peace out.
|
wow? (Score:1)
by xavii on Sunday April 16, @08:29AM (#1129247)
(User #92017 Info)
|
Well, which big pocketed corporation is going to file the first lawsuit? In lew of the "code is free speech" are these cases going to be harder to attack the coders?
I can't wait for all the legal follow up articles to this.
xavii aka bob
|
Implications? (Score:1)
by joe52 on Sunday April 16, @08:31AM (#1129248)
(User #74496 Info | http://EasternSkiing.com)
|
Is there more information available?
What are the implications of this?
|
They could use one from the BSD variant. (Score:2)
by mavpion (mavpion@NO_SPAM.csua.ucla.edu) on Sunday April 16, @08:31AM (#1129249)
(User #5416 Info | http://www.fire.csua.ucla.edu/~mavpion)
|
|
First, copyrights only apply to implementations, not to algorythms. That's why Solaris, *BSD, and Linux can all use the same algorythm. But, if the QNX people were really lazy, they could have just grabbed crypt function from one of the BSD source trees and used it. (remember, the BSD license doesn't not dissallow the use of their code in a closed-source system like the GPL does.)
|
Was this ethical? (Score:2)
by luckykaa (squigly@maxmail.co.uk) on Sunday April 16, @08:33AM (#1129250)
(User #134517 Info)
|
|
Surely it would have been nicer to have let the QNX people know first so that they could let their customers know the problem.
|
For those who are interested... (Score:5)
by z4ce on Sunday April 16, @08:33AM (#1129251)
(User #67861 Info)
|
|
Kuro5hin has a write-up on this here and Advogato has one here. They've had these articles for most of today they have some interesting posts already.
|
Not Fair to Punish... (Score:1)
by affegott on Sunday April 16, @08:33AM (#1129252)
(User #104661 Info)
|
|
I don't see how it is fair to punish anyone about this. I mean, it just keeps the bussinesses on their toes... so now it is bad to outsmart a company?
|
Whoops! (Score:3)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @08:34AM (#1129253)
(User #17295 Info | http://technopagan.dhs.org)
|
It's even got a modest execution time... (largest loop -- while (rot--){...} -- rot is max 127 -- rot=(...)%128;) nothin too complex there...
Why not blowfish or some other BSD licensed stuff???
|
*never* encrypt passwords! (Score:4)
by pb (pdbaylie@eos.ncsu.edu) on Sunday April 16, @08:34AM (#1129254)
(User #1020 Info | http://www4.ncsu.edu/~pdbaylie)
|
Don't encrypt passwords, hash them! Make sure there's enough information to identify a correct password, but not enough to reproduce it!
That having been said, I don't know enough to write a secure crypto algorithm without following in someone else's footsteps. (I know the basics of public-key cryptography, I could probably code that) But you know what? I wouldn't try to reinvent the wheel here, not unless I proved it mathematically first. :)
...and if that decryption algorithm works, this'll be really embarrassing for them. (because it's *so* computationally simple, it should run in no time at all. I just don't have any random QNX "encrypted" data lying around to try it with...)
---
pb Reply or e-mail; don't vaguely moderate.
|
mmm...clustering (Score:5)
by vsync64 (vsync@quadium.net) on Sunday April 16, @08:34AM (#1129255)
(User #155958 Info | http://quadium.net/)
|
|
Just think... Now we can turn every appliance in the world into a node in our giant Beowulf cluster... - The Unaware ATM Beowulf Cluster...
- The Unaware iOpener SETI@home Team...
- The distributed.net Wristwatch Team...
The possibilities are truly endless.
|
*Ducks the wave of "open source" posts* (Score:1)
by zCyl on Sunday April 16, @08:36AM (#1129256)
(User #14362 Info)
|
Before there are a ton of "If only they had used open source, this wouldn't have happened" posts, I'd like to post a counterpoint. Certainly, using open source has security benefits, and this is one of its strong points. But couldn't they at least have used a hash algorithm of respected difficulty by the mathematical community at large? That really has nothing to do with open or closed source, it just sounds like a competency issue to me.
There are tons of good algorithms they could have used. For example, they could have simply hashed all passwords with "Competing open source realtime operating systems are for weenies!!"
|
Question (Score:1)
by Datafage on Sunday April 16, @08:36AM (#1129257)
(User #75835 Info | http://www.angelfire.com/ct/datafage)
|
The real question right now is how long each company will take to resecure their servers. Will they do it at all, since the average consumer won't even be aware of this? Knowing which companies are secure would be very valuable knowledge for those of us who understand this type of thing.
-----------------------
|
Use of Proprietary Encryption - Bad once again (Score:4)
by CmndrKrypto (alphabetagamma@hotmail.com) on Sunday April 16, @08:36AM (#1129258)
(User #175418 Info)
|
|
Yet again a company thinks that Jim the guy down the hall who "knows some crypto" can design a critical algorithm. After all, it looked kinda mashed up in testing, so how could anyone break that? :) Really, people, there are enough freely available one-way hash algorithms, which you can, and always could, export... Good crypto is hard to do, so if somebody has already done the work for you, take advantage of it! Don't waste time making up your own. You'll get shot in the foot later, like the QNX people did here.
|
Hidden message... (Score:5)
by |guillaume| (germai01NO@SPAMgel.ulaval.ca) on Sunday April 16, @08:37AM (#1129259)
(User #151395 Info)
|
|
It seems theres a secret obfuscated message in the binary when you compile the code... seineew era sreenigne XNQ ---
guillaume
|
ATMs (Score:4)
by Signal 11 on Sunday April 16, @08:38AM (#1129260)
(User #7608 Info)
|
|
DON'T PANIC. Okay, with that out of the way, even if you stole an ATM and decrypted everything in it, here's what you'd find: Nothing. The network is specifically designed to avoid silly things like that - the ATM stores no persistent information beyond who used it, some accounting information, and when it was used. *that* information *may* be compromised, but a) it wouldn't do you any good and b) it's unlikely they're using anything less than 3DES. Give these people some credit, ok? Now, if somebody was able to do realtime decoding of the ATM network itself... that would do several things a) panic people who normally don't panic, b) increase the local population drastically after the influx of federal agents, c) make international headlines and d) would not be submitted by an anonymous coward. Guys.. I know people who work/have worked for financial institutions. I'd estimate the security to be B2 or above (if it was government certified). Unlike the DoD's "NIPR" net which was /supposed/ to be physically disconnected from any/every other network, the financial institutions just plain don't transfer important info over networks. The data is too valuable. For example, credit bureaus will not accept an update to anybody's credit report electronically - it is done by hand with tape drives. Makes the movie "Hackers" seem more than alittle unrealistic. =) In short, DON'T PANIC. This crack means nothing to the financial industry. Now, if you want to be worried... you should note some of them run Windows 95..................
|
Not serious (Score:3)
by retep (peteNO@SPAMpetertodd.ca) on Sunday April 16, @08:40AM (#1129261)
(User #108840 Info | http://www.petertodd.ca)
|
|
This isn't as serious as you might think. Sure the "encryption" of crypt on QNX was cracked. But good security assumes that the crypt function returns the plain text anyway. All crypt is used for is to encrypt the passwords in /etc/passwd This was all fine and dandy 20 years ago when it took lots of time to decrypt passwords. But these days you can break through the passwords with brute force in a week or less. Good systems use shadow passwords. So the real passwords go in /etc/shadow, which is unreadable by anyone but root and anyone but root can't even look at the encrypted passwords.
|
No one to blame but QNX (Score:1)
by Rob Kaper (cPASCALap@capsi.com minus language) on Sunday April 16, @08:40AM (#1129262)
(User #5960 Info | http://capsi.com/)
|
|
From the source code of reverse.c: I'd like to thank the morons at QNX for writing their own crypt function, and thus making this program possible. There are plenty of good crypt implementations available. I can imagine wanting to write your own, but I don't understand why they wanted/chose/allowed a reversable encryption method? When the source is out there, reversable is doomed: anyone can find the algorithm and apply it backwards, which is the reason why fetchmail uses plain text password storage (encrypting them would not at all improve security). But even without source reversable encryption is doomed: there are very neat decompilers that explain the complete bit and byte shifting stuff that's going on. And probably there are plenty more methods of cracking the code, hence this article.
|
Re:Was this ethical? (Score:2)
by kevin805 (kevin805@hotmail.com) on Sunday April 16, @08:40AM (#1129263)
(User #84623 Info)
|
Given the simplicity of the decryption code, they should have known from the start. Besides, it's not like they are posting the passwords to any sites -- you need access to the password file (or equiv) to crack anything.
Note an important thing about the code: it doesn't do any "try this, then see if it worked" type tests like an irreversable hash would. It's not a encryption, it's just a reversible transformation.
Maybe next time they should higher a cryptographer.
--Kevin
|
Is this wise? (Score:1)
by stx23 on Sunday April 16, @08:44AM (#1129264)
(User #14942 Info)
|
The Crypt algorithm for the QNX operating system was just cracked. QNX runs on banks computers, ATM's, Medical Equipment, and the almighty i-opener. Source code is there if you're interested. Bank Computers, ATMS & Medical Equipment? I would like to think that all the customers affected by an insecurity have been contacted and have had the opportunity to fix the code, or install a more secure version of crypt, but I doubt it.
The crack was posted 4 days ago and I doubt any hospitals that might be running QNX will have updated their systems.
A webserver security hole might be something we can all laugh about, and write ponderous essays if we feel that way inclined, but to post an exploit that potentially threatens lives is irresponsible to say the least.
If that link wasn't posted, perhaps the Hospital I.T. department could have ensured that the dialysis machine wouldn't have been rooted.
|
Re:Use of Proprietary Encryption - Bad once again (Score:1)
by Anonymous Coward on Sunday April 16, @08:46AM (#1129265)
|
|
What do you expect from big corporation idiots who don't know shit about security? -"Hey, let's make up a new encryption algorithm using Rot 13 and Shamir 3 pass... The name... well QNX sounds cool. Let's call it that." Instead of hiring competent people who KNOW that there are free algorithms & free sourcecode at sites, they hire these schmucks and everyone "marvels" at their security expertise, which is shot down to the ground when Joe Hacker, 3 years old breaks it using the calculator on his wrist watch! SECURITY IS AN ARTFORM. HIRE COMPETENT PEOPLE, PEOPLE!
|
This begs the question.... (Score:1)
by san on Sunday April 16, @08:47AM (#1129266)
(User #6716 Info)
|
Is the /etc/passwd (or equivalent) file world-readable in QNX? (While i'm at it, what exactly is QNX and why is it so special?)
Sander
|
Re:Was this ethical? (Score:2)
by pyxl (pyxl@jerrell.com) on Sunday April 16, @08:49AM (#1129267)
(User #7689 Info)
|
Just about as ethical as it was for QNX to put a non-secure encryption algorithm into their products.
And don't even bother giving me crap about "Well, what if they didn't know??" - that doesn't matter, because there are straightforward ways of knowing - hello, if you don't have the expertise on staff, hire an expert, make sure they're a certified engineer so that if they're either an idiot or lie to you about the security of the algorithm, you can sue them for malpractice.
And what makes you sooooooo sure that QNX WOULD have told their customers about the breach??
Besides. They know about it *now*....and if someone has a business that depends on the security of a particular piece of encryption, they're STU-STU-STOOPID if they don't monitor cryptography journals/newletters/news/bug sites for up-to-the-nanosecond info on it.
Oy.
|
WinCE (Score:3)
by Anonymous Coward on Sunday April 16, @08:49AM (#1129268)
|
|
Anyone remember the first try Microsoft had at passwords in WinCE? IIRC, they just did a XOR of the password with the work "pegasus" spelled backwords! The original Win95 password hash was equally silly but I don't remember the algorithm right now. I guess some people never learn.
|
QNX Conference soon (Score:1)
by ry4an (ry4an-slashdot AT ry4an DOT org) on Sunday April 16, @08:50AM (#1129269)
(User #1568 Info | http://ry4an.org/ | Last Journal: Sunday September 09, @01:01AM)
|
|
It will be very interesting to see how (if at all) this development is addressed at the QNX Conference 2000 in May (14-17). It would be great in a Vancouver Open Crypto advocate could hand out some flyers letting those in attendence who hadn't heard know about the crack.
|
Yes, this is offtopic (Score:1)
by p3d0 on Sunday April 16, @08:51AM (#1129270)
(User #42270 Info | http://www.eecg.toronto.edu/~doylep)
|
Sorry, but I can't stand it...
The word you want is "lieu". The phrase "in lieu of" means "instead of". People use the former to make them sound smarter.
I think the phrase you really wanted might be "in light of". As it stands, your post says the opposite of what I think you meant.
Ok, I have no life.
--
Patrick Doyle
|
Does this mean (Score:1)
by maniack on Sunday April 16, @08:52AM (#1129271)
(User #146532 Info)
|
|
that I can break into an ATM's software and take all the bank's money? Cool.
|
Hack is QNX version specific. (Score:2)
by SomeNewbie on Sunday April 16, @08:53AM (#1129272)
(User #33205 Info)
|
|
QNX 4.25 uses shadow passwords. The crack still works on the shadow passwords, but at least it's one step removed from the world-readable /etc/passwd file.
|
Re:Is this wise? (Score:1)
by shiftaling (root@x-in.com) on Sunday April 16, @08:56AM (#1129273)
(User #112731 Info | http://www.x-in.com)
|
uhm... well see... last time i checked, medical machines did not spontaneously shut down with the all permeating knowledge that some crazy unused crypto algo within them had been cracked.
last time i checked there werent any major conspiracies to "hack the life support"
and last time i ran around a hospital and wreaked havoc i didnt really have to root any machines to say oh... turn them off or any thing....
then again... i havent done much looting, rampaging and killing lately... hmm...
anybody else with recent experience? (sarcasm)
|
fire that moderator! Re:reverse.c (Score:1)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @08:57AM (#1129274)
(User #17295 Info | http://technopagan.dhs.org)
|
more like Score:2, Informative
i hate moderators who don't read the details
|
QUICKLY! MIRROR! NOW! (Score:1)
by Zipo Bibrox 5x10^8 (slashtrap@sep-virginia.8m.com) on Sunday April 16, @08:57AM (#1129275)
(User #82846 Info)
|
We don't know whether or not QNX will fight this! Mirror this now! If we start early enough, this will be more intractably entrenched in the net than DeCSS or CPHack!
--
|
Exactly... (Score:1)
by worth on Sunday April 16, @09:00AM (#1129276)
(User #132011 Info)
|
The QNX operating system crypt algorithm was cracked a while ago in order to get the root password for the I-opener. This is certainly nothing new. You can grab the program and the source here.
|
reverse.c source listing (Score:2)
by Anonymous Coward on Sunday April 16, @09:01AM (#1129277)
|
/* I'd like to thank the morons at QNX for writing their own crypt
function,
and thus making this program possible.
-sean
See LICENSE for licensing information...yes..its gpl
*/
#include
#include
static ascii2bin(short x)
{
if (x>='0' && x='A' && x='Z')
return (x-'A')+9;
return (x-'a')+26+9;
}
char bits[77];
char *quncrypt(char *pw)
{
static char newpw[14];
int i;
int j,rot;
int bit,ofs;
char salt[2];
int temp;
salt[0]=*pw++;
salt[1]=*pw++;
for (i=0;i72;i++)
bits[i]=0;
for (i=0;i12;i++)
newpw[i]=ascii2bin(pw[i]);
newpw[13]=0;
rot=(salt[1]*4-salt[0])%128;
for (i=0;i12;i++)
{
for (j=0;j6;j++)
{
bit=newpw[i]&(1j);
bits[i*6+j]=bit?1:0;
}
}
bits[66]=1;
bits[67]=0;
while (rot--)
{
bits[66]=bits[0];
for (i=0;i=65;i++)
bits[i]=bits[i+1];
}
for (i=0;i8;i++)
{
newpw[i]=0;
for (j=0;j7;j++)
{
bit=bits[i+j*8];
newpw[i]|=(bitj);
}
}
newpw[8]=0;
return newpw;
}
int main(int argc, char *argv[])
{
char *cr;
if (argc!=2)
{
printf("QNX Crypt Defeater.. by Sean\n");
printf("reverse [hashcode]\n");
exit(0);
}
printf("Uncrypting...booya!\n");
cr=quncrypt(argv[1]);
printf("Cleartext:%s\n",cr);
}
|
ATM charged, and found guilty.. (Score:1)
by caveman (jimhowes@THIS-BIT-IS-WRONG.notout.demon.co.uk) on Sunday April 16, @09:02AM (#1129278)
(User #7893 Info)
|
Over here in the UK, the banks have been getting hugely bad press recently for charging for use of ATM's. Back in the good old days, i.e. last year, it used to be virtually free, and the customer benefited hugely. However, this wasn't making even more money for the enormously wealthy banks, so they slap a charge of typically UK1.50 on any cash transaction if you don't use their cash machine.
The transaction actually costs the banks roughly UK0.30 to process, which leaves 1.20 unaccounted for.
The question is, when are the banks going to start charging more because 'our encryption algorithm is better than their encryption algorythm'. (It wouldn't suprise me at all to find that my bank account security is worth about 30p)
|
Re:Whoops! (Score:2)
by kaphka (matthew.s.keitz@bigfoot.com) on Sunday April 16, @09:02AM (#1129279)
(User #50736 Info)
|
It's even got a modest execution time... (largest loop -- while (rot--){...} -- rot is max 127 -- rot=(...)%128;) nothin too complex there... Of course, {...} includes a loop that iterates 65 times, which ups the running time somewhat. You're right, though, it does look quite simple.
I still don't quite get what it does, though, and I accidentally hit "refresh" after the site was /.ed, so I won't get to look at it again for a while now.
Is decoding password hashes really a big deal? I never thought they were supposed to be that airtight.
|
Re:Is this wise? (Score:1)
by Microlith (wmarone|com|hotmail) on Sunday April 16, @09:02AM (#1129280)
(User #54737 Info)
|
If that link wasn't posted, perhaps the Hospital I.T. department could have ensured that the dialysis machine wouldn't have been rooted.
What, do you think EVERYONE wants to know the concentration of uric acid in your blood?
I do hope you are joking :P
Said device should not even be accessible by anyone who would root it. In fact, they probably don't even run QNX. Probably 160k of code on some EEPROM inside the thing.
|
Re:Less Hacker, More Cracker (Score:1)
by ClayJar (junkmail@PutSlashdotNameHere.com) on Sunday April 16, @09:02AM (#1129281)
(User #126217 Info | http://ss.ClayJar.com/)
|
Perhaps it is more like a cracker to crack the QNX crypt function... but let me take the counterpoint.
If this one person was able to crack the QNX crypt function, publicizing the information is unfortunately probably the right thing to do. It would only be honorable to alert the QNX people before releasing the information, but if one person cracked it, who's to say it hasn't been cracked yet.
Humans have a tendency to ignore things they don't want to deal with, companies much more so; it sometimes takes a bit of unpleasant shock to wake us up to our faults. I suppose I consider these things somewhat like chemotherapy: sure it's very, very bad for you, but the alternative (leaving the bad code alone) could cause significantly more damage.
So, in my humble opinion, I personally believe that these exploits should be announced, but with the stipulation that common courtesy requires you to tell the company and let them fix the bug and announce the bad news themselves before you release it independantly.
|
Re:ATMs (Score:2)
by spotter on Sunday April 16, @09:03AM (#1129282)
(User #5662 Info)
|
|
The Military's NIPRnet is not supposed to be disconnected from every other network. That's the job of the SIPRnet. the NIPRnet is for normal unclassified, not sensitive traffic. Even running crypto over the NIPRnet isn't considered secure enough. Heck, they run crypto over the SIPRnet for some forms of communication. DoD came up with the idea of the airgap for security, and believe me, they still follow it.
|
Lawsuit Scmawsuit (Score:1)
by Anonymous Coward on Sunday April 16, @09:05AM (#1129283)
|
|
Why don't companies just get used to the fact that everything is going to be cracked, copied, reverse engineered, and stop all the goofy lawsuits? The corporate world would be much better off learning to adapt to this environment as quickly as possible, and respond to compromised code with new and better code instead of litigation. As a bonus, it's really in the public interest for software security flaws to published far and wide, and in detail. It's a good incentive for the publisher of the piece to jump on the problem and solve it quickly, rather than leave the problem be and try to cover it up. Business is obsessed with the sanctity of economic competition but totally against the kind of evolutionary competition that makes software stronger.
|
Source code and binary available (Score:1)
by worth on Sunday April 16, @09:11AM (#1129284)
(User #132011 Info)
|
You can get the source code and binaries here.
|
Lawmakers are idiots, not QNX engineers (Score:2)
by GGardner on Sunday April 16, @09:12AM (#1129285)
(User #97375 Info)
|
|
I'd don't know positively why QNX used such a terrible algorithm for the passwd file, but I have a pretty good guess. QNX is a small company, with superb engineers. They aren't idiots. They certainly know about *BSD and friends, and from the looks of it have certainly reused code from many other places. It probably would be less work to take the DES encryption from BSD, or wherever, than to come up with ones own. The reason, I suspect, that they didn't use DES is that they were afraid of legal issues - I'm sure that QNX is sold all over the world, and they didn't want to make a diferent non-DES release for idiotic contries (France, US) with restrictive crypto laws. Even if an expensive legal effort would determine what's exportable where, laws change all the time. This way, there is no "export controlled" code that they need to worry about.
|
Re:Slashdot Effect [Humor] (Score:4)
by Anonymous Coward on Sunday April 16, @09:14AM (#1129286)
|
[slashcode parser sucks ass. what part of "plain text" don't you understand?]
<DJ-Pyro> JESUS CHRIST
<DJ-Pyro> im getting dos'd
<DJ-Pyro> ddos'd
<DJ-Pyro> like from all over the world
<lfilipoz> DJ-Pyro: wow... you can still IRC, tho?
<DJ-Pyro> not me
<DJ-Pyro> my server
<DJ-Pyro> colo at digitalNATION
<lfilipoz> is it just your box or all of digitalNation?
<DJ-Pyro> my box
<lfilipoz> and what's the url, so i can try to ping :)
<DJ-Pyro> we just shutdown apache
<DJ-Pyro> and now all of the clients are doing a CLOSE on tcp
<DJ-Pyro> netstat > netstat made a 30k log file
<DJ-Pyro> DAMN
<DJ-Pyro> they are back!
* jeff looks at DJ-Pyro
<DJ-Pyro> this is bigger than last time
<jeff> DJ-Pyro, you don't by chance host i-opener-linux.net, do you?
<lfilipoz> last time?
<DJ-Pyro> yes :)
<DJ-Pyro> why?
<lfilipoz> slashdot post
<DJ-Pyro> SHIT!
* lfilipoz already posted to that story and got the source code
<lfilipoz> bwahahaha
* jeff laughs
<jeff> source is here: http://slashdot.org/comments.pl?sid=00/04/16/1324233&cid=56
<DJ-Pyro> oh jesus fscking christ!
|
Re:ATMs (Score:1)
by Anonymous Coward on Sunday April 16, @09:15AM (#1129287)
|
But the computer on-board the ATM is what controls all of those little motors and things that spit out the cash.
Granted, it's still totally illegal and immoral in more ways than one to do so.
Also, I have no idea how to even get to a login prompt on an ATM in the first place (or if it's even possible without physically opening the machine.)
|
Re:Use of Proprietary Encryption - Bad once again (Score:1)
by Anonymous Coward on Sunday April 16, @09:17AM (#1129288)
|
QNX (www.qnx.com) is an operating system, not a security toolkit. It's designed for embedded systems and such. As long as you're not sharing your password file (or giving others access to it), this shouldn't even matter much.
I'm a bit surprised that they weren't using something out of the BSD codebase, but they'll probably be changing that, shortly.
|
Re:ATMs (Score:2)
by TheQuantumShift (astrometricslab@hotmail.com) on Sunday April 16, @09:17AM (#1129289)
(User #175338 Info | http://quantum.warp0.com)
|
|
You mean "Hackers" wasn't real? I'll be damned...
|
Re:Good work... (Score:1)
by nsane (kevin (at) nsane (dot) net) on Sunday April 16, @09:18AM (#1129290)
(User #86431 Info)
|
|
Kinda like red hat eh :)
|
Re:Was this ethical? (Score:2)
by Anonymous Coward on Sunday April 16, @09:20AM (#1129291)
|
|
QNX and Netpliance both recieved emails from me the day I finished the crack. Whether or not I should've given them a week before releasing the source is open to debate.
|
Re:Padanic Spelling Nazzi! (Score:1)
by TheQuantumShift (astrometricslab@hotmail.com) on Sunday April 16, @09:20AM (#1129292)
(User #175338 Info | http://quantum.warp0.com)
|
|
Shakespeare didn't write code....
|
qnx crypt source (Score:1)
by Anonymous Coward on Sunday April 16, @09:24AM (#1129293)
|
|
If I'd written a piss poor encryption scheme, I wouldn't post the source http://www.qnx.com/ cgi-bin/dir_find.cgi?/usr/free/qnx4/os/libs/ security through obscurity would do me nicely.
|
Re:ATM charged, and found guilty.. (Score:1)
by nathana (nathan@anderson-net.com) on Sunday April 16, @09:26AM (#1129294)
(User #2525 Info | http://www.premier1.net/~nathana/)
|
The UK banks aren't the only ones who are charging fees for using ATMs owned by banks that you don't bank with. That practice has been going on here in the US for a few years now. The charge can run anywhere from $1.00 - $3.00 USD here.
Very frustrating.
|
Re:fire that moderator! Re:reverse.c (Score:1)
by myshka on Sunday April 16, @09:28AM (#1129295)
(User #143797 Info)
|
|
Posting source to slashdot is not redundant. The linked web page is probably going to be shut down within a week, whereas the source will remain in an easily accessible form on slashdot. Beats looking for mirrors.
|
Re:ATM charged, and found guilty.. (Score:1)
by ttyRazor (slapinski@bigfoot.nospamforyou.com) on Sunday April 16, @09:28AM (#1129296)
(User #20815 Info)
|
|
It's been like that here in the States for as long as I can remember. In hindsight, I find it just a bit curious that I actually chose which bank to open my primary checking account in purely on the basis that they had one of their own ATMs that I don't get charged for on my college's campus and virtually everywhere else I'd care to go. The bigger the bank, the more free ATMs... which one would you choose? Not like I had a choice anyway, since my new bank took over the bank that took over my old bank that I would have stuck with if it weren't for ATM charges...
|
Re:ATM charged, and found guilty.. (Score:1)
by neko the frog (neko@says.dont.spam) on Sunday April 16, @09:28AM (#1129297)
(User #94213 Info)
|
oh it's worse in the us.
let's say you have a savings acount at bank foo, and you use bank bar's atm machine. bar will charge you anywhere from $.50 to $3.00 for letting you use their atm, kindof like they do to you, appearantly. then, your _own_ bank foo will charge you _again_, making a total of up to six bucks every time you use an atm. aren't they sweet?
|
Re:ATMs (Score:1)
by Anonymous Coward on Sunday April 16, @09:28AM (#1129298)
|
"For example, credit bureaus will not accept an update to anybody's credit report electronically - it is done by hand with tape drives"
Having worked for one of the largest credit reporting agencies (the middleman between the bureaus and banks/brokers) in the US I have to say that the above statement is no longer true and has not been for some time.
In most cases every month data from all financial institutions is sent electronically to the credit bureaus. They track you account balances late history, credit limit and maximum spent."
They use this and other info to establish credit scores.
At one time these scores where only used for quick credit checks - such as credit cards and in store loans. Now they are the basis for everything up to home and car loans.
These scores are dynamically updated every time you do just about anything (job change, move, new credit card etc.)
Every time you fill out a credit card application for the free crap they give you your score is knocked down a few points.
Of course by law you are allowed a free credit report each year from the big three bureaus.
However, the score will not be on there. They do not have to show the score to you and if the find out any affiliate agency is they will cut them off.
I know that is a little bit off topic but it is a pet peeve.
One last note- the security to get a direct connection to one of the big three may be difficult, but to get to one of the outside agencies would be extremely easy.
That is all.
|
The obvious question (Score:2)
by dsplat on Sunday April 16, @09:28AM (#1129299)
(User #73054 Info)
|
For anyone who actually knows the details of some of the systems mentioned: how much of a security compromise is this. For medical equipment, I suppose this might allow you to break into it and compromise it, causing it to operate in fatal ways. That would make tampering with over-the-counter medication look like the work of amateurs (wait, it was). However, since none of the systems mentioned are known for being on the Net, any tampering would require physical access. It would likely be an inside job.
|
Re:WinCE (Score:3)
by KiboMaster (schmidbj@helix.com) on Sunday April 16, @09:31AM (#1129300)
(User #129566 Info | http://www.msu.edu/~schmi174/)
|
|
Actually win95 stored passwords in Reg as plaintext. No encryption if you want to call XOR'ing encryption. 98 solved that problem by XOR'ing by a different string... I don't remember what it was, but it's not to difficult to set a password and reverse XOR it to get the orignal string back. As far as the ATM/bank computer encryption goes... I figured they'd be running 2048 Bit RSA. You're right some people will just never learn.
|
Re:Was this ethical? (Score:1)
by coolgeek on Sunday April 16, @09:32AM (#1129301)
(User #140561 Info)
|
|
Why? So they can sit on it and sweep it under the rug for another month or so? Have a good look at bugtraq for awhile. You'll see this is exactly what companies do when they're babied. Surely, they deserve whatever is coming to them putting a rinky-dink crypto algorithm in cash machines.
|
Re:Yes, this is offtopic [OT] (Score:1)
by Plasmic (jason@mwis.net) on Sunday April 16, @09:35AM (#1129302)
(User #26063 Info)
|
"lew" is not a word.
If it were, it wouldn't mean what it would have to mean to make sense in that sentence.
|
Why is hashing better than encrypting? (Score:2)
by Anonymous Coward on Sunday April 16, @09:35AM (#1129303)
|
|
Several posts here say something along the lines of: Don't encrypt passwords, hash them! Make sure there's enough information to identify a correct password, but not enough to reproduce it! Why are hashes inherently more secure? A hash is a non-injective function, so it is by definition not invertible, but a weak hash function can still be cracked. The reverse algorithm may not return the original password, but isn't one that yields the same hash just as powerful as the original? Is it simply that when you lift the requirement of injectivity (and thus invertibility) it becomes easier to write a more crack resistant algorithm?
|
Re:Not serious (Score:2)
by blakestah (dblake@phy.ucsf.edu) on Sunday April 16, @09:40AM (#1129304)
(User #91866 Info | http://www.keck.ucsf.edu/~dblake)
|
Good systems use shadow passwords. So the real passwords go in /etc/shadow, which is unreadable by anyone but root and anyone but root can't even look at the encrypted passwords.
Shadow passwords are only a small advance in security. A better hash function would work better. See The Srp Project for more details on this important consideration.
Still, QNX looks pretty pathetic by todays standards.
|
Maybe not the big names (Score:1)
by FascDot Killed My Pr on Sunday April 16, @09:41AM (#1129305)
(User #24021 Info)
|
"...the financial institutions just plain don't transfer important info over networks. The data is too valuable.
I've worked at a bank. It was medium size (for it's market area, which I'm not going to reveal). They didn't know diddly about security. They fired the network admin assistant who was attempting to prove that anyone that could sniff the WAN (including all employees) could collect a LOT of passwords (including the main Admin password). We had a policy (largely unenforced and widely unknown, not to mention disregarded) about not sending customer/financial information via (internet) email.
In response to the inevitable rebuttals: Yes, I know, I'm not talking about a CitiBank. But I am talking about an institution that is very representative of the many many banks it's size. Banks the size of the one I worked at (and smaller) form the a large percentage of the actual monetary system. It's like millionaires: Sure, they each have a lot of money. But the "middle class" together has a larger buying power.
--
|
Re:ATMs (Score:1)
by handsup on Sunday April 16, @09:41AM (#1129306)
(User #148536 Info | http://www.oxus.ch/)
|
Oh you've probably forgotten this story from France:
A guy from there has found a really serious security bug in the terminal which reads the card. He has done it in his spare time (he WAS a head developer for some financial company), and he went to the company responsible for this device.
What did they do with him? They try to sue him! They made the police grep his house and take everything computer-looking with them, and they kept it!
He had NO profit from this action. He could easily get THOUSANDS of FF.
Bottom line: Don't trust the banks. They're ugly, fat and damn dumb.
|
Re:ATMs (Score:1)
by coolgeek on Sunday April 16, @09:43AM (#1129307)
(User #140561 Info)
|
|
Perhaps you are overlooking the possibility of someone being able to gain access to an ATM and issue some dispense commands to the cash dispenser. Sure, it is a remote possibility. Although, the "preferred" method here in LA may be more expedient: get a monster chain, wrap it around ATM and attach to your monster truck. Actuate throttle. Load ATM in truck. Urban legend? Who knows?
|
Wow. (Score:2)
by mindstrm (spam.from.slashdot@tesla.cx) on Sunday April 16, @09:47AM (#1129308)
(User #20013 Info)
|
So do I read this right? The crypt() used in some libraries provided by QNX (which is analogous to unix crypt()?) is not a one-way hash?
Oh.. btw....
it would do really well for a lot of people to remember that just because people are using QNX as a kernel does not at all mean they are using these functions for anything. The embedded OS merely servers as a base for development. It's like they took the linux kernel ONLY and started development (okay.. maybe with libc too)
|
New code (Score:1)
by pirodude (.moc.zerbm. .ta. .ydna.) on Sunday April 16, @09:47AM (#1129309)
(User #54707 Info | http://www.mbrez.com)
|
sean_k sent me new code that i never got around to posting. So i finally posted it. Check back to get it.
~Andy Brezinsky
The freaked out DJ-Pyro watching his server suffer the effects of a good sunday afternoon slashdotting.
|
Re:Yikes (Score:2)
by D. Taylor (davidt-sd@xfiles.nildram.spam.co.uk) on Sunday April 16, @09:49AM (#1129310)
(User #53947 Info)
|
Well, the problem with DeCSS is that it was reverse engineered, which is prohibited by the various licenses on everything nowadays.
QNX released the source to the crypt, so.. I can't see what they could charge anyone with...
--
David Taylor
davidt-sd@xfiles.nildram.spam.co.uk
[To e-mail me: s/\.spam//]
|
Re:Why is hashing better than encrypting? (Score:3)
by howardjp on Sunday April 16, @09:53AM (#1129311)
(User #5458 Info | http://www.james-howard.com)
|
This is a really weak analogy, but it will do for now. Imagine you have a number x. Now, let's "encrypt" x using a simple reversable function. So let's take y = 2x + 3. If we have y, we know that x = (y + 3) / 2. Okay, now let's "hash" x instead and make y = x * x. Now, given y, we know that x = sqrt(y) or x = -sqrt(y). Therefore, the pricise value of x is not known.
Yeah, I said it was not a great example and it has some other flaws (for instance, it doesn't matter which x you choose since they both work), but it should get the point across.
|
Re:Problem with the Hackers (Score:1)
by coolgeek on Sunday April 16, @09:55AM (#1129312)
(User #140561 Info)
|
|
Let's examine your point a bit further, tempering your analogy to more closely model what happened here. Say my landlord put bars on my window, and I relied on them to keep me safe. One day, some passer-by notices that they are bolted into a rotting window casing, ripped the bars from the window using 2 fingers of his non-dominant hand, and said "Look, you're window casing is rotted", I would thank him.
|
Re:Problem with the Hackers (Score:2)
by EthanW on Sunday April 16, @09:57AM (#1129313)
(User #25261 Info)
|
But I would not appreciate neighbors breaking into my house by picking the locks to demonstrate to me that it could be done. This isn't like that. Nobody broke into your QNX system and decrypted your passwords to demonstrate the insecurity to you. This is more like a staged demonstration at a home security conference where they show how easy it is to pick a lock.
|
Re:Less Hacker, More Cracker (Score:1)
by ragnarok (mrw8530NO@SPAMrit.edu) on Sunday April 16, @10:00AM (#1129314)
(User #6947 Info)
|
|
This has a definite "perpose". The guy who cracked it wanted to be able to log in to the root account on his i-opener (which runs QNX). I don't really see how that's any different than using de-css to play DVDs in Linux.
|
Cracker or Hacker?? (A bit of history) (Score:1)
by Anonymous Coward on Sunday April 16, @10:03AM (#1129315)
|
|
We should all remember that the origin of this code was by people looking to access the root account of i-Openers that they had bought free and clear. Since we own the boxes we're cracking, it ain't cracking... it's hacking. And as Linus, NetPliance (and now the QNX) folks have learned... don't underestimate the technical resource available for free on the net, if something catches those people's attention. --Roastbeef
|
Re:Problem with the Hackers (Score:1)
by _w00d_ on Sunday April 16, @10:15AM (#1129316)
(User #129045 Info)
|
|
My house has bars on the windows put there by the landlord. They do a reliable job of protecting me against petty theives. But I would not appreciate neighbors breaking into my house by picking the locks to demonstrate to me that it could be done. I already know it isn't perfect. So in following the logic of your analogy, you would rather ignore the potential security issues of your house and run the risk of a malicious intruder breaking in instead of a non-malicious neighbor. If your neighbor had not have broken into your house and TOLD you about it, there was a very good chance that a malicious person could have been breaking into your house without your knowledge for some time, putting you and everyone else in your house in danger. Do you follow my analogy? Yes, public disclosure of security vulnerabilities does make people with malicious intent aware of the problem. But public disclosure also helps resolve security vulnerabilities quicker since the corporations have customers putting pressure on them to fix the problem. It also informs the masses who may be able to come up with a solution much quicker than the corporation whose product is affected. Granted, public disclosure does "open the door" for anyone until a patch is available, but who is to say that a malicious person hasn't already found the security vulnerability and has been using it to his advantage? In that scenerio, public disclosure might be the only thing that directs attention to the problem. That's my take on the subject at least.
|
Re:Problem with the Hackers (Score:1)
by Anonymous Coward on Sunday April 16, @10:17AM (#1129317)
|
|
Your analogy is wrong. Breaking crypto code is not like breaking the bars on your window, it's like telling people how it can be done. At some point, someone told you that your door locks can be picked. Well, that's useful information, just like the information that bicycle locks can be frozen or crowbarred. Knowing that helps you make better decisions about how to use the products you have and how much to trust them. Information like that isn't for the company, it's for the customer, and I'm grateful that people bother working on this. Without this kind of information, people would still erroneously believe that IIS and NT are "very secure" on the strength of Microsoft's reputation and marketing.
|
why QNX is special (Score:3)
by mosch on Sunday April 16, @10:18AM (#1129318)
(User #204 Info | http://slashdot.org/)
|
QNX is designed for embedded systems, and its' big selling point is that it's a true real-time operating system. We actually use it at my office for a variety of purposes where we have to guarantee that a procedure runs, for example, 1500 times per second, no matter what.
----------------------------
|
From a QNX person... (Score:5)
by Anonymous Coward on Sunday April 16, @10:19AM (#1129319)
|
I doubt there will be any "official" response to this so I figure I'll give an unofficial post:
Crypt is *not* a form of secure encryption.
QNX Neutrino 2.0 has the option of using a more modern crypt, not the version which has been cracked.
QNX customers DO NOT use this as a form of strong encryption. Implying that QNX customers are suddenly at risk is irresponsible journalism, at best.
There were a few comments about export restrictions. Yes, QNX does have secure technology which falls under these restrictions, no it's not crypt.
...oh yes, if you're interested in attending QNX200 please email us, there will be *major* announcements which you won't want to miss (linux users in particular).
|
ATM fees (Score:1)
by mosch on Sunday April 16, @10:20AM (#1129320)
(User #204 Info | http://slashdot.org/)
|
It's worth doing some research, the account I have refunds any other banks ATM fees so I truly do get free ATM usage, no matter what the ATM machine claims. (I don't know if there's a limit, I've gotten up to $20-some USD refunded fees in a month though).
Really, really useful for those of us who travel a lot or who don't want to go with one of the gigantibanks.
----------------------------
|
Re:ATMs (Score:1)
by Signal 11 on Sunday April 16, @10:27AM (#1129321)
(User #7608 Info)
|
|
Dammit.. hit the wrong letter. :) Please forgive me, my knowledge is second-hand...
|
Bah ... (Score:1)
by Bwah (vandew[ ]kyblue.com ['al@s' in gap]) on Sunday April 16, @10:28AM (#1129322)
(User #3970 Info)
|
Last I check more ATMs ran on OS/2 than 95 or qnx. Course iv'e been out of that biz for 2 years now.
thank god.
dv
|
regular text i say (Score:1)
by Anonymous Coward on Sunday April 16, @10:29AM (#1129323)
|
/* 1'd l1k3 70 7h4nk 7h3 m0r0n5 4t QNX f0r wr171ng th31r 0wn cryp7
func710n,
4nd 7hu5 m4k1ng th15 pr0gr4m p0551bl3.
-s34n
533 L1C3N53 f0r l1c3ns1ng 1nf0rm4t10n...y3s..1t5 gpl
*/
#1nclud3
#1nclud3
57a71c a5c112b1n(5h0rt x)
{
1f (x>='0' && x='4' && x='Z')
r37urn (x-'4')+9;
return (x-'4')+26+9;
}
ch4r b1t5[77];
ch4r *quncryp7(ch4r *pw)
{
st4t1c ch4r n3wpw[14];
1nt 1;
1nt j,r0t;
1nt b1t,0f5;
ch4r s4l7[2];
1nt t3mp;
s4l7[0]=*pw++;
s4l7[1]=*pw++;
f0r (1=0;i72;i++)
b1t5[i]=0;
f0r (i=0;i12;i++)
n3wpw[i]=4sc112bin(pw[i]);
n3wpw[13]=0;
r07=(s4l7[1]*4-s4l7[0])%128;
f0r (i=0;i12;i++)
{
f0r (j=0;j6;j++)
{
b17=n3wpw[i]&(1j);
b1t5[i*6+j]=b1t?1:0;
}
}
b1t5[66]=1;
b1t5[67]=0;
wh1l3 (r0t--)
{
b1t5[66]=b1t5[0];
f0r (i=0;i=65;i++)
b1t5[i]=b1t5[i+1];
}
f0r (i=0;i8;i++)
{
n3wpw[i]=0;
f0r (j=0;j7;j++)
{
b1t=b1t5[i+j*8];
n3wpw[i]|=(b1tj);
}
}
n3wpw[8]=0;
r37urn n3wpw;
}
1nt m41n(1nt 4rgc, ch4r *4rgv[])
{
ch4r *cr;
1f (4rgc!=2)
{
pr1n7f("QNX Cryp7 D3f3473r.. by S34n\n");
printf("r3v3r5e [h4shc0d3]\n");
ex1t(0);
}
pr1n7f("Uncryp71ng...b00y4!\n");
cr=quncryp7(4rgv[1]);
pr1n7f("Cl34r73x7:%s\n",cr);
}
/* 1'd l1|='0' && x='4' && x='Z')
r37urn (x-'4')+9;
return (x-'4')+26+9;
}
ch4r b1t5[77];
ch4r *quncryp7(ch4r *pw)
{
st4t1c ch4r n3wpw[14];
1nt 1;
1nt j,r0t;
1nt b1t,0f5;
ch4r s4l7[2];
1nt t3mp;
s4l7[0]=*pw++;
s4l7[1]=*pw++;
f0r (1=0;i72;i++)
b1t5[i]=0;
f0r (i=0;i12;i++)
n3wpw[i]=4sc112bin(pw[i]);
n3wpw[13]=0;
r07=(s4l7[1]*4-s4l7[0])%128;
f0r (i=0;i12;i++)
{
f0r (j=0;j6;j++)
{
b17=n3wpw[i]&(1j);
b1t5[i*6+j]=b1t?1:0;
}
}
b1t5[66]=1;
b1t5[67]=0;
wh1l3 (r0t--)
{
b1t5[66]=b1t5[0];
f0r (i=0;i=65;i++)
b1t5[i]=b1t5[i+1];
}
f0r (i=0;i8;i++)
{
n3wpw[i]=0;
f0r (j=0;j7;j++)
{
b1t=b1t5[i+j*8];
n3wpw[i]|=(b1tj);
}
}
n3wpw[8]=0;
r37urn n3wpw;
}
1nt m41n(1nt 4rgc, ch4r *4rgv[])
{
ch4r *cr;
1f (4rgc!=2)
{
pr1n7f("QNX Cryp7 D3f3473r.. by S34n\n");
printf("r3v3r5e [h4shc0d3]\n");
ex1t(0);
}
pr1n7f("Uncryp71ng...b00y4!\n");
cr=quncryp7(4rgv[1]);
pr1n7f("Cl34r73x7:%s\n",cr);
}
|
Re:ATMs (Score:1)
by Signal 11 on Sunday April 16, @10:31AM (#1129324)
(User #7608 Info)
|
|
Should have posted it on bugtraq or another full-disclosure list... or go to the BBC. I'm sure they would have reprinted anonymously - they have the integrity to go toe-to-toe if the story is worth it. They are comparable to the US' NY Times - they do their research! He was naive. I've found a couple bugs too in turn-key systems. They have all been reported anonymously.. and fixed. Who do you blame if you don't have a name?
|
Re:WinCE (Score:1)
by |guillaume| (germai01NO@SPAMgel.ulaval.ca) on Sunday April 16, @10:35AM (#1129325)
(User #151395 Info)
|
|
I don't remember what it was, but it's not to difficult to set a password and reverse XOR it to get the orignal string back. That is, if you have the string that has been used as a XOR mask, else if you don't have access to that string at all and don't know what the original password is, you are screwed. XOR'ing CAN BE used for a really strong symetric encryption, that is if the string used to make the mask is as long as the original string, and if you use it only once. The problem is then to transmit that masking string... ---
guillaume
|
Why's hashing better than encryption here? (Score:1)
by Phallus (tangentNOSPAM@inspire.net.nz) on Sunday April 16, @10:35AM (#1129326)
(User #54388 Info | http://www.mp3.com/TangentNZ)
|
|
Make sure there's enough information to identify a correct password, but not enough to reproduce it! But with a hashed password file, you don't need to reproduce the same password, only one that gives the same hash. Unless the password is used somewhere else (bad practice), I fail to see how hashing is better than encryption (securitywise) for password files (assuming equivalent time to break).
tangent - art and creation are a higher purpose
|
Re:WinCE (Score:1)
by KeithT on Sunday April 16, @10:37AM (#1129327)
(User #96949 Info)
|
If you're just looking for nuisance protection, how much encryption do you really need? For CE, it probably doesn't matter much at all. Seriously, how many 31337 h4x0r5 would try to root a PDA?
|
Re:regular text i say (Score:1)
by shiftaling (root@x-in.com) on Sunday April 16, @10:39AM (#1129328)
(User #112731 Info | http://www.x-in.com)
|
hahahahah!!!
thats hilarious!
|
Re:Why's hashing better than encryption here? (Score:2)
by pb (pdbaylie@eos.ncsu.edu) on Sunday April 16, @10:39AM (#1129329)
(User #1020 Info | http://www4.ncsu.edu/~pdbaylie)
|
That's right, but there's no good way to find this.
If you have a good hashing algorithm, you'd still have to brute-force search the keyspace to find a password that hashes to that value. And chances are, there aren't many other values that hash to it (hopefully none, use more bits for the hash if needed...)
If you had a *really* bad hashing algorithm, then there would be a lot of collisions, and it would be easy to find another password. But that's why we have peer review and whatnot...
And you can't reverse a hash to steal a password, that's the big advantage. :)
---
pb Reply or e-mail; don't vaguely moderate.
|
Re:Padanic Spelling Nazzi! (Score:1)
by awaterl on Sunday April 16, @10:42AM (#1129330)
(User #85528 Info | http://wgen.home.dhs.org)
|
Disregarding my suspicions that you are introducing ridicule into a grave discussion in the efforts of a practice that has come to be known as 'trolling', I must inquire regarding evidence for your claim that William Shakespeare was unable to spell. I have read several biographies of the worthy in question and cannot seem to find any references to a lack of spelling ability.
If you would be so kind, would you please post a URL for a document that will perhaps elucidate the matter?
|
Re:Was this ethical? (Score:1)
by Anonymous Coward on Sunday April 16, @10:42AM (#1129331)
|
> ....and if someone has a business that depends
> on the security ... they're STU-STU-STOOPID
QNX doesn't have a business model built on security.
And believe me, QNX isn't stupid. They own probably the brightest engineers and best technology on the planet. Don't you ever forget that.
They have a business built on designing a wide range of embeddable realtime microkernel components. It is ONLY used as a multiuser environment to support cross platform development.
Their customers build their own security on top of the QNX platform. PERIOD.
-me (again)
|
Re:ATMs (Score:1)
by aardnoot on Sunday April 16, @10:42AM (#1129332)
(User #27106 Info)
|
Has been done. In The Netherlands that is :-)
Grtz
|
Re:ATMs (Score:1)
by Anonymous Coward on Sunday April 16, @10:45AM (#1129333)
|
Sigh. 3DES is a symmetric algo. If the machine can read the key to use to encrypt, you can read it to decrypt.
B2 level security? Perhaps you should go read the spec and find out just how inapplicable it is to this situation (or just about any situation, its quite old and outdated, and only still around as a check-box item for orgs that require it).
The only remotely useful part of your post was that ATMs are centerally managed (duh) and don't store important information locally.
Please, sig11, since the moderators seem to love you no matter how inaccurate you are, only post if you have a clue what you're talking about. Not for my sake, but for truth's sake.
|
Re:WinCE (Score:1)
by KiboMaster (schmidbj@helix.com) on Sunday April 16, @10:49AM (#1129334)
(User #129566 Info | http://www.msu.edu/~schmi174/)
|
|
The reverse XOR String is stored in the registry... however, this is only for sharing directories over a LAN and only works in 98. I wouldn't be surprised if they used the same encryption elsewhere to store passwords.
|
Re:Was this ethical? (Score:1)
by AlphaHelix (mpgordon@SPAM?WHAT'S.SPAM.uiuc.edu) on Sunday April 16, @10:50AM (#1129335)
(User #117420 Info)
|
|
Just about as ethical as it was for QNX to put a non-secure encryption algorithm into their products. That's idiotic. There's a difference between doing something stupid and doing something unethical. For instance: your above comment was stupid. That doesn't mean you can be sued for libel, because it wasn't malicious, which would have made it unethical.
* mild mannered physics grad student by day *
|
Re:ATMs (Score:2)
by subsolar2 on Sunday April 16, @10:52AM (#1129336)
(User #147428 Info | http://thunder.prohosting.com/~subsolar/)
|
|
I would not worry about this too much for general QNX based systems ... you have to actually have access to the system before you can decrypt the passwords. This does have implications for Netpliance since all their systems have the same root password, and obvious security breach for them and I expect to see their stock plummet again. Thankfully they should be able to update the i-openers the next time they connect to Netpliance's to check for updates. This will of course further strain the relationship between Netpliance and the i-opener hackers. I can see them possibly going after all the people involved and sue them for trade secret violation. This also raises problems between geek culture and the rest of society ... geeks will be seen as being more dangerous and laws will be passed (or the DCMA used) to procecute more people furthering the increasing alienation of the geek culture that has created the internet & computer industry in general. My wonder is when this will get to the poing an we will ban to gether and start an undergound to fight back against the company controled society & government. SubSolar
|
Re:Problem with the Hackers (Score:1)
by iserlohn (iserlohn@ragemail.com) on Sunday April 16, @11:00AM (#1129337)
(User #49556 Info)
|
In response to your open source tidbits:
People often don't realise the problem until a major symptom shows up, and then it's too late.
That's why your doctor recomends you to have a full checkup every year.
That's also the reason why your car needs a tuneup now and then.
I once had a Talon awd. There was a problem in which the differentials might lock up due to a leak while the car was running. Chrysler didn't offer me a factory recall until late 1998. There was a real threat that the wheels would lock up while it does 140 mph (which it does :)
If Chrysler sealed those hoods shut, I might not be here to tell you this story. After all, the factory recalls were way late.
This is the problem with your argument:
The "hackers" who did this deed did not break into anything. What they did was they found a flaw in the design. This flaw could be in any security mechanism. A padlock might have a flaw that would make it almost useless.
Tell me, did the person that found a flaw in the lock and publishes his method of comprimising the said design commit any immoral deed? Just because it caused the lock company to lose sales does not mean he did anything wrong, after all it is a flaw in the lock mechanism.
Using this flaw to break into something is a crime, but what is wrong with making companies responsible for design flaws? After all the engineering practice needs to publish their designs for rewiew for decades. People's lives depend on well built infrastructure. In this time and age, that means both physical and virtual infrastructure.
|
Re:Lawmakers are idiots, not QNX engineers (Score:1)
by Pflipp on Sunday April 16, @11:07AM (#1129338)
(User #130638 Info | http://wwww.hobbiton.org/~pflipp/)
|
|
Since when is the US an idiotic country? Since day one, but that is another topic. Get your facts straight anyway, importing any kind of encryption into the US is legal. Yeah, but exporting is not always, and that creates the stupid implications.
It's... It's...
|
i-opener passwords! (Score:1)
by kcarnold (ken at thisbetterbeworthit arnoldnet dut net) on Sunday April 16, @11:17AM (#1129339)
(User #99900 Info)
|
|
I'm suprised no one has posted these already... From http://www.i-opener-linux.net/: Thats it..its over. sean_k from #i-opener-linux has devolped a program to decrypt ANY qnx password. Because of this we were able to extract these passwords: Root: osiw$6.4
Regular user: one2go
Thanks to everone who helped him. Source to the program is here
|
Hidden Password in QNX! (Score:1)
by Cheshire Cat (britt_green@hotmail.yourclothes.com) on Sunday April 16, @11:18AM (#1129340)
(User #105171 Info)
|
|
ERS told me that if I used "Netscape engineers are weenies" as a password, I could crack into any QNX system. He said something about an intentional backdoor....
|
Re:fire that moderator! Re:reverse.c (Score:1)
by electricmonk (elctmonk@YOUREALLYSHOULDNTSPAMME.yahoo.com) on Sunday April 16, @11:18AM (#1129341)
(User #169355 Info | http://www.fuckcihost.com)
|
"It appears to be a verbatim copy of the source code that was linked to from the story."
...except, it wasn't verbatim. There are some parts missing, such as
#include
that won't show up due to HTML.
The best thing to do would be for a bunch of people to mirror the code and post links to their mirror site on /.
Of course, you could just dig through the page source if you have the patience...
"If evolution is outlawed, only outlaws will evolve" - Jello Biafra
|
Try again (Score:2)
by / on Sunday April 16, @11:30AM (#1129342)
(User #33804 Info)
|
Stupidity alone may not be immoral, but abject negligence usually is. If someone's actions will have adverse consequences for an enormous number of people, then by most moral systems, he has an obligation to exercise due care, including hiring an expert if his own capabilities are insufficient. Remember, it's not his state of mind that matters but rather the state of mind of the hypothetical reasonably prudent person.
And your notions of libel are equally off-base, at least by American legal principles. Since pyxd isn't a public figure, all he has to demonstrate is that his reputation suffered because of someone's false statements. Malicious intentions needn't be proved.
|
Re:Yes, this is offtopic (Score:1)
by roundclock on Sunday April 16, @11:39AM (#1129343)
(User #167533 Info)
|
|
Unless of course you are not working and don't care what people think of your spelling on a weekend afternoon. And then, some people aren't sober enough to care either.
|
You're missing the point (Score:1)
by FascDot Killed My Pr on Sunday April 16, @11:47AM (#1129344)
(User #24021 Info)
|
I could tell you the name--but it wouldn't help you. Of the banks in their area, they are undoubtedly have the best IT department (in terms of dollars spent and recent techniques used). Any other bank you could choose would probably be worse.
--
|
So you can't *crack* a hash ? (Score:1)
by Phallus (tangentNOSPAM@inspire.net.nz) on Sunday April 16, @11:48AM (#1129345)
(User #54388 Info | http://www.mp3.com/TangentNZ)
|
So then there is no way you can write an algorithm to produce plaintext that creates a particular hash value without using bruteforce, the same way you can for a broken encryption algorithm? How solid is the formal proof?
But assuming a password is only used on one system, I fail to see how having the password is better than having plaintext that gets the same hash value?
tangent - art and creation are a higher purpose
|
Re:ATMs (Score:1)
by hbruijn on Sunday April 16, @11:51AM (#1129346)
(User #30472 Info | http://hermanbruijn.com)
|
|
would you have any links for that?
|
Re:ATMs (Score:1)
by dw (whitehse@cafedemocracy.org) on Sunday April 16, @11:51AM (#1129347)
(User #5168 Info | http://cafedemocracy.org)
|
|
Then there's the one about the guy who tied the monster chain to his monster bumper. He throttled the gas and lost his bumper, along with his license plate...
|
Study your Chaucer (Score:1)
by / on Sunday April 16, @11:55AM (#1129348)
(User #33804 Info)
|
Clearly he's using "lew" to denote a fanciful construction of the perfect past tense of the verb "to lee" meaning "to lie or speak falsely".
|
Reminds me of that ATM running Windows ... (Score:3)
by Morgaine on Sunday April 16, @11:55AM (#1129349)
(User #4316 Info)
|
The frightening thing is that some ATMs run Windows. There was a link on Slashdot about a year ago to an ATM screen that was hanging there unavailable because something in Windows had crashed and was displaying the standard error requester waiting for some non-existent operator to click on "OK".
Meanwhile the people wanting their cash waited, and waited, while the geeks giggled ...
|
Re:So you can't *crack* a hash ? (Score:1)
by pb (pdbaylie@eos.ncsu.edu) on Sunday April 16, @12:15PM (#1129350)
(User #1020 Info | http://www4.ncsu.edu/~pdbaylie)
|
That's right, because there isn't enough information. You have to do dictionary lookups, and whatnot. I haven't tried to prove it, but I'm sure it's been done. That's the point of using secure algorithms. Here's a reference.
Apparently 25 rounds of DES produces something pretty ugly, and no one has found a way to reverse-engineer it. There are probably more formal papers out there, but from the little I know about DES, *I* sure wouldn't want to try it, it's messy. :)
Heh heh. "Assuming a password is only used on one system"... Having "the password" in that case is no different than having "plaintext that gets the same hash value" (also "the password"). But good luck finding one.
---
pb Reply or e-mail; don't vaguely moderate.
|
Re:So you can't *crack* a hash ? (Score:1)
by Anonymous Coward on Sunday April 16, @12:19PM (#1129351)
|
|
For a good hashing algorithm (such as MD5, or a the standard Unix crypt()) there is no known way of decrypting the encrypted passwords without spending more resources on that than on brute forcing it. That doesn't mean there can't exist a way to do it, however. For most systems using the standard Unix crypt, however, it is easier to grab a selection of encrypted passwords from the system, and brute force it with a decent word list than it is to try to find a better way. MD5 is way safer. But even that can be brute forced in many cases (because users pr. definition are stupid and have too bad memory and choose passwords that are inherently unsafe - such as wifes name, dogs name, kids names, bithdates, wedding days, their phone number, any words visible from their office chair such as signs on buildings outside their window, etc. - which is why social engineering still is the number one crackers tool). And you're part right, having a plaintext that will generate the same hash as the password is just as good. But it's highly unlikely that you'll find one if you're using any moderately good hashing algorithm. Especially if you use something like MD5.
|
Re:ATMs (Score:1)
by Axemaster (jamyn@ripthispartoutandleavethe.suespammers.org) on Sunday April 16, @12:22PM (#1129352)
(User #88327 Info)
|
|
".. What did they do with him? They try to sue him! They made the police grep his house and take everything computer-looking with them, and they kept it!" --------- I love it. *NIX terms creeping into casual discussion. "Boy, if you grep my daughter, I'll fsck your ass up.." =)
|
Re:Reminds me of that ATM running Windows ... (Score:1)
by linuxonceleron (andrew@xoxide.com) on Sunday April 16, @12:36PM (#1129353)
(User #87032 Info | http://trisomy21.dhs.org)
|
|
hmmm...i saw the same thing happen to almost every flight display in the Las Vegas airport, they all ran NT 4.0, and about half of them had the ubiquitous Dr. Watson sitting there onscreen with his stethoscope letting the people know that explorer.exe had crashed, i found it funny enough to take a picture, but alas, it came out too fuzzy to read, and yes, i had a good laugh.
|
Re:ATMs (Score:4)
by Syberghost (syberghost.NOHAM@NOPORK.eiv.com) on Sunday April 16, @12:40PM (#1129354)
(User #10557 Info | http://www.eiv.com/ | Last Journal: Friday August 31, @09:46AM)
|
Guys.. I know people who work/have worked for financial institutions. I'd estimate the security to be B2 or above (if it was government certified). Unlike the DoD's "NIPR" net which was /supposed/ to be physically disconnected from any/every other network, the financial institutions just plain don't transfer important info over networks. The data is too valuable.
And I have written code for small banks, and installed their networks. (I'd say designed, but in every case they overrode most of my security requirements and designed their own.)
You may very well be correct regarding large financial institutions, but little banks make do with the same resources as all other little companies; whatever they can scrounge from the cheap end of the local talent pool.
The largest bank in my home town transfers their data over an IPX LAN using Cisco routers configured and maintained by a company whose average "network engineer" is less than 21 years old.
The most competent network engineer currently at that company was once fired for running a warez site on a company PC, and it's not at all uncommon for them to snoop customer traffic including bank dialups, which I know for a fact sometimes use the same passwords as they use internally.
There is NOBODY at that bank who can check those routers to make sure they aren't doing other things, such as TCP/IP to all the dialup-connected PCs also on that LAN, or something else through the 56k leased line to Compuserve for credit verification, etc. I suspect, but can't prove, that there's nobody there who even knows the router passwords.
Said bank's employees frequently install software brought from home or downloaded off the net. Said bank has no firewall for those internet connections.
Said bank has physical security that includes a branch office with no cameras, a consumer-grade alarm, friends and family of college-age employees routinely coming and going, and an unfirewalled direct LAN connection to the main building.
Oh; and until recently, they had their System 34 and later System 36 in that branch office. Fortunately, their Unix systems and Novell servers have never been in that building.
The lock on the back door was a cheap consumer-grade door lock. Pickable with a screwdriver and a paper clip, I'd estimate. EASILY pickable with tools, and this has been demonstrated to them.
|
Re:Whoops! (Score:2)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @12:40PM (#1129355)
(User #17295 Info | http://technopagan.dhs.org)
|
someone posted the code a half page above my post (<a href="http://slashdot.org/comments.pl?sid=00/04/16/1324233&cid=15">here</a>, but for some stupid reason it was moderated down... and he forgot to use <pre><p>
I think they recommented the <a href="http://www.i-opener-linux.net/decrypt/reverse.c">code</a> making it easier to understand<p>
|
Re:So you can't *crack* a hash ? (Score:2)
by GeekBoy (leewsb@hotmail.com) on Sunday April 16, @12:42PM (#1129356)
(User #10877 Info | http://lycadican.sourceforge.net/)
|
Well there is a way to do cryptanalysis on DES,
kinda, sorta, not really,
it's called
differential cryptanalysis and it's based on a
known plaintext attack (which means you have some
plaintext and some cyphertext), but it's
really nasty to do and even harder past 6 round
DES.
********************************************
Superstition is a word the ignorant use to describe their ignorance. -Sifu
|
easier to read... extrans rob! make extrans work! (Score:1)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @12:42PM (#1129357)
(User #17295 Info | http://technopagan.dhs.org)
|
|
someone posted the code a half page above my post (here, but for some stupid reason it was moderated down... and he forgot to use <pre> I think they recommented the code making it easier to understand
|
Trade secrets (Score:1)
by Billy Donahue (spam_billy_spam@spam_dadadada_spam.net) on Sunday April 16, @12:43PM (#1129358)
(User #29642 Info | http://dadadada.net/~billy)
|
It's only violating a trade secret if you are in
a contract with them and they tell it to you.
|
Re:Not serious (Score:2)
by David A. Madore (david.madore@ens.fr) on Sunday April 16, @12:44PM (#1129359)
(User #30444 Info | http://www.eleves.ens.fr:8080/home/madore/)
|
|
Heard of OpenBSD? They hash their passwords with four blowfish rounds (eight for root). I do not think you can crack that in a week or less. I do not think even MD5 password encryption (now available on Linux), admittedly much weaker than blowfish, can be cracked in that time. (Not with reasonable means, of course.)
|
Re:Whoops! (Score:1)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @12:45PM (#1129360)
(User #17295 Info | http://technopagan.dhs.org)
|
|
Is decoding password hashes really a big deal? I never thought they were supposed to be that airtight. supposedly yes... DES isn't tho... but MD5 passwords (in all latest linux distros) are much easier to do a brute force search thru than try to reverse the MD5 hash... which should be the point right?
|
the slashdot mirror (Score:2)
by TeknoDragon (andross@ghettobox.dhs.org) on Sunday April 16, @12:50PM (#1129361)
(User #17295 Info | http://technopagan.dhs.org)
|
<i>So I should just copy/paste every article into a /. post and I'd rack up the point? The new quick n' easy way to become a karma whore!</i><p>
by all means if you're a karma whore... but where it's actually useful is when it's something that could be slashdotted or taken down for "stealing IP"... like someone |
QNX Crypt Cracked