Install Wizard 'Looks Too Complicated'

John Moser john.r.moser at gmail.com
Mon Nov 30 19:46:35 UTC 2009


On Mon, Nov 30, 2009 at 2:36 PM, Shentino <shentino at gmail.com> wrote:
> With regards to cracking tools being bad, I imagine they do come in handy
> during security audits.
> If there's going to be hacking tools out there anyway, the good guys may as
> well have them too, since you can't really take them away from the bad guys.
>

Yeah, but the issue here seems to be centered around the concept of
actively cracking passwords (locally, without reporting to anyone
anywhere, and possibly not even displaying the password to the user or
storing it plaintext anywhere) during the install process-- or more
basically, including something like that on the default install CD.

Again, for my part, I don't really see a problem with breaking what
can be broken and informing the user, "We could import these passwords
because they were insecure and could be broken by dictionary attack."
The effort in testing this, then actually doing the crack is roughly
twice as much as just doing the crack with the right tools first.

> On Mon, Nov 30, 2009 at 10:47 AM, John Moser <john.r.moser at gmail.com> wrote:
>>
>> On Mon, Nov 30, 2009 at 12:55 PM, Matt Wheeler <m at funkyhat.org> wrote:
>> > 2009/11/30 Jan Claeys <lists at janc.be>:
>> >> On Sunday 29-11-2009 at 00:47 [timezone +0800], John
>> >> McCabe-Dansted wrote:
>> >>> There are also algorithms for extracting the password from XP as
>> >>> well...
>> >>
>> >> XP passwords are compared to hashes, and you can't extract the password
>> >> from a hash.
>> >
>> > There are brute-force password cracking methods, but including
>> > something like that as
>> > part of the Ubuntu installation would be a bad idea for several
>> > reasons.
>> >
>>
>> List some not-silly reasons.  "Because people could use it for
>> theoretical/practicable attacks" is not a reason, because 1) you could
>> decline to reveal the password (but allow verification); and 2) there
>> are other tools for this that are just as accessible.
>>
>> I guess I can give a longer example here, but I'd rather not get into
>> the specifics of this discussion:
>>
>> In the state of the art, I can pop in a BackTrack CD, fix 1 line in
>> Kismet's config (is this automatic now?  It could be), run one
>> command, and drop keys for all the WEP networks around me.  There are
>> tools included that find "hidden" SSIDs and you can even find MAC
>> addresses in use to get around all the maze-like non-security.
>>
>> I have made the argument that Ubuntu could contain a version of
>> Network-Manager (I prefer by default, but it could be an additional
>> package) that automatically does all the hidden SSID detection in the
>> background, and does some monitoring and WEP cracking, marking off
>> "Secured, broken" networks.
>>
>> This usually brings up arguments that this is somehow "bad," but
>> doesn't explain exactly how it's bad.  It doesn't decrease security,
>> because well... if you want to "steal internet," you're a mostly
>> harmless leech; if you want to do something serious, you're going to
>> have the skills anyway.  I figure it would probably make it extremely
>> visible to the owners of 6 (of 7) WiFi networks reachable from my
>> apartment that their @*#$ is not secure when it becomes common
>> knowledge that most of that stuff is flat-out ignored and
>> automatically bypassed by some operating systems.
>>
>> Cost-benefit arguments aside, it seems that the above extreme case
>> doesn't actually de-securify anything (it is, however, a good way to
>> make fun at hilariously bad security devices that actually got
>> released to market).  A quick and painless password cracking mechanism
>> (background, started as soon as the CD can see a partition with a SAM,
>> and time-restricted) doesn't seem like an issue to me.
>>
>> Of course, I'm a very coarse person and have no desire to play nice.
>> Sure, I definitely advocate NOT flashing the cracked passwords in
>> peoples' faces, and keeping them in secured RAM (i.e. XOR'd with a
>> canary, in locked memory, until needed; or better, hash them out for
>> storage in shadow and clear the originals out of RAM).  But I see no
>> reason to care about the difference between "we could easily crack
>> these passwords" and "we have cracked these passwords," unless you're
>> uploading the passwords (hashed?) to Canonical for further use.
>>
>> > --
>> > Matt Wheeler
>> > m at funkyHat.org
>> >
>> > --
>> > Ubuntu-devel-discuss mailing list
>> > Ubuntu-devel-discuss at lists.ubuntu.com
>> > Modify settings or unsubscribe at:
>> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>> >
>