Date: Sat, 13 Jan 2007 12:56:49 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: is it allowed to ask help to crack 1 or 2 HASH in this list ?

On Thu, Dec 28, 2006 at 06:48:40PM -0700, Olivier Meyer wrote:
> I agree with the fact that if someone cracks a hash, they probably
> will not return the password. However, if people are allowed to submit
> hashes, it should be on another mailing list, so people who want to
> use their cpu cycles to crack someone else's hash can do so, and so
> people who do not want to read about this do not have to.

This makes sense.  However, I don't feel like hosting a mailing list
specifically for that purpose.  Maybe someone else will.

On Fri, Dec 29, 2006 at 11:14:31AM +1300, Russell Fulton wrote:
> The posting of hashes for others to crack is obviously open to abuse.  I
> don't have strong feelings about whether or not the list should allow
> such posts but admit that the feelings that I do have lean towards
> saying no.  My main reason for this is that I really don't see what use
> these posts are to anyone

Well, there are some uses for password hash and file format samples.

> and I certainly agree with the poster who said
> that if they ever cracked any hash posted here they would never return
> the result.

And that's fine!

> I do feel (quite strongly) that if the list does accept hashes then we
> should accept all hashes.  As Solar says the moderators won't always
> have time to check that hashes posted are indeed difficult to crack.  If
> we start screening hashes then an expectation is established that
> screening will take place -- this could theoretically have legal
> implications if some trivial stolen hashes were posted here, not checked
> by the moderators and subsequently broken and then used.  It could be
> argued that the moderators were negligent.

Right.  Moreover, "difficult" hashes might get broken and used, too.

To summarize, there's little value (but not no value) in hash cracking
help requests (although cracked passwords should not be posted, except
maybe with explanation on how they illustrate a certain point).  I am
still not sure whether we should be allowing such postings.  If we did
not have to make this list pre-moderated, then I would not mind these
postings as long as their volume is low compared to other list traffic.
However, since we did, there's the responsibility issue that Russell has
mentioned.

Besides the help requests, there may be other postings containing
hashes.  Danett song's posting is an example.  I think that these should
be allowed regardless of whether or not the hashes look like they're
real.  So we will be allowing hashes to be posted in these cases.

Now, should we make "cracking help request" the criterion for (not)
accepting a posting with hashes?  I'm not sure.  In some cases, it may be
difficult to determine whether a posting is in fact a "cracking help
request" or rather a JtR support request or sharing of information on a
particular operating system or something else.  If we start rejecting
obvious "cracking help requests", but not subtle ones, then the
negligence issue might arise.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments