Language Selection

English French German Italian Portuguese Spanish

Security: Updates, Ken Thompson's Unix Password, Microsoft Spying on Everything for 'Security', Cross Site Scripting Fix

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7).

  • Ken Thompson's Unix password

    Somewhere around 2014 I found an /etc/passwd file in some dumps of the BSD 3 source tree, containing passwords of all the old timers such as Dennis Ritchie, Ken Thompson, Brian W. Kernighan, Steve Bourne and Bill Joy.

    Since the DES-based crypt(3) algorithm used for these hashes is well known to be weak (and limited to at most 8 characters), I thought it would be an easy target to just crack these passwords for fun.

    Well known tools for this are john and hashcat.

    Quickly, I had cracked a fair deal of these passwords, many of which were very weak. (Curiously, bwk used /.,/.,, which is easy to type on a QWERTY keyboard.)

    However, kens password eluded my cracking endeavor. Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result. Since the algorithm was developed by Ken Thompson and Robert Morris, I wondered what’s up there. I also realized, that, compared to other password hashing schemes (such as NTLM), crypt(3) turns out to be quite a bit slower to crack (and perhaps was also less optimized).

    Did he really use uppercase letters or even special chars? (A 7-bit exhaustive search would still take over 2 years on a modern GPU.)

    The topic came up again earlier this month on The Unix Heritage Society mailing list, and I shared my results and frustration of not being able to break kens password.

  • How my application ran away and called home from Redmond

    I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows and for easy deployment. The plan was to create just one .exe including everything. However we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is a story what happened during the .exe testing.

    I used my personal malware analysis lab for testing the application. My lab is an isolated network environment which has a whitelist based firewall rules. Whitelist firewall is needed to carefully allow specific updates and downloads. The lab already has Beacon Virtual Machine running and it has found issues in the past. All of them are fixed. So this leak was something new!

    [...]

    I researched a bit more and made educated guesses about why this happened. I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature.

    [...]

    Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens interesting data leak vector for attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables adversary to leak data via Microsoft services which is extremely juicy covert channel.

  • Enrico Zini: Fixed XSS issue on debtags.debian.org

    Thanks to Moritz Naumann who found the issues and wrote a very useful report, I fixed a number of Cross Site Scripting vulnerabilities on https://debtags.debian.org.

Father of Unix Ken Thompson checkmated as his old password...

  • Father of Unix Ken Thompson checkmated as his old password has finally been cracked

    Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

    As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

    When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that's she'd broken five years ago. Five hashed passwords, however, remained elusive, including Thompson's.

Computer historians crack passwords of Unix's early pioneers

  • Computer historians crack passwords of Unix's early pioneers

    Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.

    Leah Neukirchen recovered an BSD version 3 source tree and posted about it on the Unix Heritage Society mailing list, revealing that she was able to crack many of the weak passwords used by the equally weak hashing algorithm from those bygone days.

UNIX Co-Founder Ken Thompson's BSD Password Finally Cracked

  • UNIX Co-Founder Ken Thompson’s BSD Password Finally Cracked

    Ken Thompson, who co-created the popular operating system Unix along with Dennis Ritchie, remains a revered figure in the field of computer science. In 2014, famous open-source developer Leah Neukirchen got her hands on a /etc/password file from a BSD 3 source tree. It contained hashed passwords of some big names like Dennis Ritchie, Steve Bourne, Ken Thompson, Brian W. Kernighan in the computer science field.

    Neukirchen tried cracking the passwords out of curiosity as the passwords were sealed with a DES-based crypt(3) algorithm, which is now considered easy to crack.

UNIX Co-Founder Ken Thompson's BSD Password

  • UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

    A 39-year-old password of Ken Thompson, the co-creator of the UNIX operating system among, has finally been cracked that belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers.
    In 2014, developer Leah Neukirchen spotted an interesting "/etc/passwd" file in a publicly available source tree of historian BSD version 3, which includes hashed passwords belonging to more than two dozens Unix luminaries who worked on UNIX development, including Dennis Ritchie, Stephen R. Bourne, Ken Thompson, Eric Schmidt, Stuart Feldman, and Brian W. Kernighan.
    Since all passwords in that list are protected using now-depreciated DES-based crypt(3) algorithm and limited to at most 8 characters, Neukirchen decided to brute-force them for fun and successfully cracked passwords (listed below) for almost everyone using password cracking tools like John the Ripper and hashcat.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

today's howtos

Kernel: Linux Plumbers and New in Linux 5.9

  • Linux Plumbers currently sold out

    Linux Plumbers is currently sold out of regular registration tickets. Although the conference is virtual this year our virtual platform cannot support an unlimited number of attendees, hence the cap on registration. We are currently reviewing our capacity limits to see if we can allow more people to attend without over burdening the virtual platform and potentially preventing discussion. We will make another announcement next week regarding registration.

  • Linux 5.9 Supports A Lot Of New Audio Hardware, Intel Silent Stream Added

    The Linux kernel continues supporting a lot more audio devices and much more punctual than a decade or two ago.

  • Linux 5.9 Networking Changes Are As Active As Ever

    Each kernel cycle the networking subsystem sees a lot of churn given the importance of network interconnect performance and reliability especially in high performance computing environments where Linux dominates.

5 of the Best Linux Laptops in 2020

If you’re shopping for a laptop and know you’re planning to run Linux, you can either get any laptop, reformat the hard drive and install your favorite Linux distro on it or just get a laptop that is running Linux right out of the box. Here are some of the best Linux laptops you can get in 2020. [...] These all come preloaded with Ubuntu 20.04 LTS, which is a solid base for any of the various flavors or just vanilla Ubuntu. Many of the drivers have been contributed upstream by Dell, so many distros that use newer kernels should be able to take full advantage of the Killer Wi-Fi cards and Intel Iris Plus Graphics. [...] Pine64 has been in the news often for its Pinephone, but the Pinebook Pro is another great product from them. It’s a 14” ARM laptop that weighs less than 3 lbs/1.5 KG and sips power. It’s a great little machine that helps to push Linux forward on the ARM platform and comes in just under $200. Read more

Richard Stallman: A Discussion on Freedom, Privacy & Cryptocurrencies

Dr. Richard Stallman is well-known for his free software movement activism. His speeches and work revolve around a term: freedom. And it is precisely that word that prompted Stallman to launch the GNU Project, founding the Free Software Foundation and releasing the GNU General Public License, among other projects, to promote the free software concept. RMS, as Dr. Stallman is also known, has some opinions regarding the concept of cryptocurrencies that have been widely discussed within the crypto community. Read more