- To: firstname.lastname@example.org
- Subject: Public Passwords
- From: email@example.com (Geert Jan de Groot)
- Date: Thu, 7 Feb 91 10:24:27 +0100
I used to hack W0RLI software, and have added a password scheme in the past.
The scheme I used looked a bit like NET/ROM, except that I made 3 challenges
instead of one:
5 18 27 57 98
71 6 57 32 25
69 38 12 9 72
The supposed-be sysop transcribed one of these lines to a string of characters
using a key table, and sent that back as reply.
Only one line (first, second, or third) has to be sent back, and the sysop
had to pick one of them randomly.
Using that scheme, John pirate was unable to re-build the key table using
the challenges and the answers, because he didn't know which line the answer
referred to. With each correct character-index key set, he got two false
character-key sets and needs a lot of data and statistics to rebuild the

Why I needed to hack that in? Some time ago, there was somebody in our
region that used other people's callsigns to crack a BBS and delete everything.
While this guy has been identified now, it took some time and the BBS involved
didn't want to re-load the BBS from backup media every day..
I haven't checked with the latest W0RLI, but know of a security hole in all
versions up to at least 10.x. These days, I don't login to a BBS anymore
(can't afford spending half a day waiting for the data to arrive..), but
I think the problem is still there.
Hint: if you start the BBS with an empty user database, check the first
user that is added to the database. He has some privileges WHICH MUST
BE SWITCHED OFF. Unfortunately, the BBS is a whole lot less usable
when you do. I think this is clear enough.
Back then, in the Glory Days of the TNC, a scheme like this seemed the only
possibility. Nowadays, one can imagine much more advanced possibilities
using TCP/IP, things have improved.
The legal side of this is quite different. Dutch hams, too, are not allowed
to encrypt information. I talked about this with the authorities, and
said I'm not sending information, so there's nothing to encrypt.
The data was to be considered as noise.
The opinion I got (non-official), was that while this usage was questionable,
they guessed it was OK as long as I could explain what I did.
The scheme is still in use in PE1CHL's version of NET.
(speaking of which: Rob included the microsat protocol stack, and now uses
NET to tune into the microsats. Bob N4HY, interested?)
73, Geert Jan PE1HZG
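
The three-line challenge scheme described in the message, sketched as an added example (not part of the original message and not code from W0RLI or NET). The key table contents, its size of 100 entries, and all function names are assumptions made for illustration; only the three lines of five numbers and the "answer any one line" rule come from the message.

```python
import hmac
import secrets

# Constructed key table: index -> character. The real table is a secret shared
# between the sysop and the BBS; its size and contents here are assumptions.
KEY_TABLE = "".join(chr(33 + (i * 37 + 11) % 90) for i in range(100))

LINES = 3      # challenge lines offered per login, as in the message
PER_LINE = 5   # indices per line, as in the message


def make_challenge(table_len=len(KEY_TABLE), rng=secrets.SystemRandom()):
    """Return LINES lists of PER_LINE random indices into the key table."""
    return [[rng.randrange(table_len) for _ in range(PER_LINE)]
            for _ in range(LINES)]


def answer_for(line, table=KEY_TABLE):
    """Transcribe one challenge line into characters via the key table."""
    return "".join(table[i] for i in line)


def sysop_reply(challenge, table=KEY_TABLE, rng=secrets.SystemRandom()):
    """Sysop side: pick one line at random and answer only that line."""
    return answer_for(rng.choice(challenge), table)


def verify(challenge, reply, table=KEY_TABLE):
    """BBS side: accept if the reply matches any one of the offered lines.

    Every line is compared, without early exit, so timing does not reveal
    which line (if any) matched.
    """
    ok = False
    for line in challenge:
        expected = answer_for(line, table).encode()
        ok |= hmac.compare_digest(expected, reply.encode())
    return ok
```

Because the BBS never learns or logs which line was answered, an observer of the channel sees one reply against three candidate index sets, which is the ambiguity the message relies on.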