Date: Sat, 13 Jan 2007 12:56:49 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: is it allowed to ask help to crack 1 or 2 HASH in this list ?

On Thu, Dec 28, 2006 at 06:48:40PM -0700, Olivier Meyer wrote:
> I agree with the fact that if someone cracks a hash, they probably
> will not return the password. However, if people are allowed to submit
> hashes, it should be on another mailing list, so people who want to
> use their cpu cycles to crack someone else's hash can do so, and so
> people who do not want to read about this do not have to.

This makes sense. However, I don't feel like hosting a mailing list
specifically for that purpose. Maybe someone else will.

On Fri, Dec 29, 2006 at 11:14:31AM +1300, Russell Fulton wrote:
> The posting of hashes for others to crack is obviously open to abuse. I
> don't have strong feelings about whether or no the list should allow
> such posts but admit that the feelings that I do have lean towards
> saying no. My main reason for this is that I really don't see what use
> these posts are to anyone

Well, there are some uses for password hash and file format samples.

> and I certainly agree with the poster who said
> that if they ever cracked any hash posted here they would never return
> the result.

And that's fine!

> I do feel (quite strongly) that if the list does accept hashes then we
> should accept all hashes. As Solar says the moderators won't always
> have time to check that hashes posted are indeed difficult to crack. If
> we start screening hashes then an expectation is established that
> screening will take place -- this could theoretically have legal
> implications if some trivial stolen hashes were posted here, not checked
> by the moderators and subsequently broken and then used. It could be
> argued that the moderators were negligent.

Right. Moreover, "difficult" hashes might get broken and used, too.

To summarize, there's little value (but not no value) in hash cracking
help requests (although cracked passwords should not be posted, except
maybe with explanation on how they illustrate a certain point).

I am still not sure whether we should be allowing such postings. If we
did not have to make this list pre-moderated, then I would not mind
these postings as long as their volume is low compared to other list
traffic. However, since we did, there's the responsibility issue that
Russell has mentioned.

Besides the help requests, there may be other postings containing
hashes. Danett song's posting is an example. I think that these should
be allowed regardless of whether or not the hashes look like they're
real. So we will be allowing hashes to be posted in these cases.

Now, should we make "cracking help request" the criterion for (not)
accepting a posting with hashes? I'm not sure. In some cases, it may be
difficult to determine whether a posting is in fact a "cracking help
request" or rather JtR support request or sharing of information on a
particular operating system or something else. If we start rejecting
obvious "cracking help requests", but not subtle ones, then the
negligence issue might arise.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.