Security: Updates, Ken Thompson's Unix Password, Microsoft Spying on Everything for 'Security', Cross Site Scripting Fix

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7).

  • Ken Thompson's Unix password

    Somewhere around 2014 I found an /etc/passwd file in some dumps of the BSD 3 source tree, containing passwords of all the old timers such as Dennis Ritchie, Ken Thompson, Brian W. Kernighan, Steve Bourne and Bill Joy.

    Since the DES-based crypt(3) algorithm used for these hashes is well known to be weak (and limited to at most 8 characters), I thought it would be an easy target to just crack these passwords for fun.

    Well known tools for this are john and hashcat.

    Quickly, I had cracked a fair deal of these passwords, many of which were very weak. (Curiously, bwk used /.,/.,, which is easy to type on a QWERTY keyboard.)

    However, ken's password eluded my cracking endeavor. Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result. Since the algorithm was developed by Ken Thompson and Robert Morris, I wondered what’s up there. I also realized that, compared to other password hashing schemes (such as NTLM), crypt(3) turns out to be quite a bit slower to crack (and perhaps was also less optimized).

    Did he really use uppercase letters or even special chars? (A 7-bit exhaustive search would still take over 2 years on a modern GPU.)

    The topic came up again earlier this month on The Unix Heritage Society mailing list, and I shared my results and frustration of not being able to break kens password.

  • How my application ran away and called home from Redmond

    I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows and, for easy deployment, the plan was to create just one .exe including everything. However, we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is a story of what happened during the .exe testing.

    I used my personal malware analysis lab for testing the application. My lab is an isolated network environment which has whitelist-based firewall rules. A whitelist firewall is needed to carefully allow specific updates and downloads. The lab already has a Beacon Virtual Machine running and it has found issues in the past. All of them are fixed. So this leak was something new!

    [...]

    I researched a bit more and made educated guesses about why this happened. I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature.

    [...]

    Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables an adversary to leak data via Microsoft services, which is an extremely juicy covert channel.

  • Enrico Zini: Fixed XSS issue on debtags.debian.org

    Thanks to Moritz Naumann who found the issues and wrote a very useful report, I fixed a number of Cross Site Scripting vulnerabilities on https://debtags.debian.org.

  • Father of Unix Ken Thompson checkmated as his old password has finally been cracked

    Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

    As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

    When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that she'd broken five years ago. Five hashed passwords, however, remained elusive, including Thompson's.

  • Computer historians crack passwords of Unix's early pioneers

    Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.

    Leah Neukirchen recovered a BSD version 3 source tree and posted about it on the Unix Heritage Society mailing list, revealing that she was able to crack many of the weak passwords used by the equally weak hashing algorithm from those bygone days.

  • UNIX Co-Founder Ken Thompson’s BSD Password Finally Cracked

    Ken Thompson, who co-created the popular operating system Unix along with Dennis Ritchie, remains a revered figure in the field of computer science. In 2014, famous open-source developer Leah Neukirchen got her hands on an /etc/passwd file from a BSD 3 source tree. It contained hashed passwords of some big names in the computer science field, like Dennis Ritchie, Steve Bourne, Ken Thompson and Brian W. Kernighan.

    Neukirchen tried cracking the passwords out of curiosity as the passwords were sealed with a DES-based crypt(3) algorithm, which is now considered easy to crack.

  • UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

    A 39-year-old password of Ken Thompson, the co-creator of the UNIX operating system, has finally been cracked. It belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers.

    In 2014, developer Leah Neukirchen spotted an interesting "/etc/passwd" file in a publicly available source tree of the historic BSD version 3, which includes hashed passwords belonging to more than two dozen Unix luminaries who worked on UNIX development, including Dennis Ritchie, Stephen R. Bourne, Ken Thompson, Eric Schmidt, Stuart Feldman, and Brian W. Kernighan.

    Since all passwords in that list are protected using the now-deprecated DES-based crypt(3) algorithm and limited to at most 8 characters, Neukirchen decided to brute-force them for fun and successfully cracked passwords (listed below) for almost everyone using password cracking tools like John the Ripper and hashcat.
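The posts above (Neukirchen's own description and the summaries that follow it) all turn on the same fact: traditional DES crypt(3) produces a 13-character hash from a 2-character salt and at most 8 characters of password, and a file of such hashes is a weak target. The following is an added example, not code from any of the quoted posts or from the BSD 3 dump: a small Python audit that parses passwd/shadow-style records, flags the legacy 13-character DES hashes (and empty password fields) and reports what scheme each remaining account uses. The sample records, user names and hash strings are constructed for illustration and are not real hashes.

```python
"""Audit /etc/passwd- and /etc/shadow-style lines for legacy DES crypt(3) hashes.

Added example, not code from any of the posts quoted on this page. The sample
lines below are constructed; no user name or hash here comes from the BSD 3 dump.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Traditional DES crypt(3) output: a 2-character salt followed by 11 characters,
# all drawn from the crypt alphabet [./0-9A-Za-z], 13 characters in total.
# Only the first 8 characters of the password enter the DES key schedule, so
# anything typed after the eighth character never affects the hash.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt-format prefixes -> (scheme name, risk level)
MODERN_PREFIXES = {
    "$1$": ("MD5-crypt", "medium"),   # fixed 1000 rounds, cheap on modern GPUs
    "$2a$": ("bcrypt", "low"),
    "$2b$": ("bcrypt", "low"),
    "$2y$": ("bcrypt", "low"),
    "$5$": ("SHA-256-crypt", "low"),
    "$6$": ("SHA-512-crypt", "low"),
    "$7$": ("scrypt", "low"),
    "$y$": ("yescrypt", "low"),
}


class Finding(NamedTuple):
    user: str
    scheme: str
    level: str
    note: str


def classify_hash(field: str) -> Tuple[str, str, str]:
    """Return (scheme, risk level, note) for one password field."""
    if field == "":
        return ("empty password", "high", "account has no password at all")
    if field in ("*", "!", "!!", "x"):
        # "x" means the hash lives in /etc/shadow; "*", "!" and "!!" disable the password.
        return ("no hash in this file", "none", "")
    if DES_HASH_RE.match(field):
        return ("DES crypt(3)", "high",
                "56-bit DES, 12-bit salt, password truncated to 8 characters")
    for prefix, (scheme, level) in MODERN_PREFIXES.items():
        if field.startswith(prefix):
            return (scheme, level, "")
    return ("unknown format", "review", "hash format not recognised")


def audit_passwd(text: str) -> List[Finding]:
    """Parse passwd/shadow-style lines (user:hash:...) and classify each hash."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a passwd-style record
        scheme, level, note = classify_hash(parts[1])
        findings.append(Finding(parts[0], scheme, level, note))
    return findings


def legacy_des_users(text: str) -> List[str]:
    """Users whose stored hash is traditional DES crypt(3)."""
    return [f.user for f in audit_passwd(text) if f.scheme == "DES crypt(3)"]


def summarize(text: str) -> Dict[str, int]:
    """Count findings per risk level."""
    return dict(Counter(f.level for f in audit_passwd(text)))


# Constructed sample records (hash strings are made up, not real crypt output).
SAMPLE_PASSWD = """\
# constructed sample records, not the BSD 3 /etc/passwd
root:abJnggxhB/yWI:0:0:Charlie &:/:/bin/sh
olduser:ZZ/aBcDeFgHiJ:7:10:Old User:/usr/olduser:/bin/sh
alice:$6$saltsalt$NotARealHashJustAnExample:1001:1001:Alice:/home/alice:/bin/bash
bob:$2b$12$NotARealBcryptHashExample:1002:1002:Bob:/home/bob:/bin/bash
svc:x:1003:1003:Service:/var/svc:/usr/sbin/nologin
lock:*:1004:1004:Locked:/nonexistent:/usr/sbin/nologin
guest::1005:1005:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user:10} {f.level:7} {f.scheme}  {f.note}")
    print("legacy DES users:", legacy_des_users(SAMPLE_PASSWD))
    print("summary:", summarize(SAMPLE_PASSWD))
```

The DES check is done before the prefix table because a traditional hash has no `$` marker at all; its only signature is the 13-character length and the crypt alphabet. On a real system the same function can be pointed at `/etc/shadow` (hashes there carry the modular-crypt prefixes), and any account that comes back as "DES crypt(3)" or "empty password" is one whose credential is recoverable with the same tools the post names.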
