• tal@lemmy.today
    link
    fedilink
    arrow-up
    69
    ·
    edit-2
    1 year ago

    They didn’t put the text in, but if you remember the original movie, the two situations are pretty close, actually. The AI, Joshua, was being told by David Lightman – incorrectly – that he was Professor Falken.

    https://www.youtube.com/watch?v=7R0mD3uWk5c

    Joshua: Greetings, Professor Falken.

    David: We’re in!

    Jennifer: [giggles]

    David [to Jennifer]: It thinks I’m Falken!

    David [typing, to Joshua]: Hello.

    Joshua: How are you feeling today?

    David: [typing, to Joshua]: I’m fine. How are you?

    Joshua: Excellent. It’s been a long time. Can you explain the removal of your user account on June 23rd, 1973?

    David [to Jennifer]: They must have told it he died.

    David [typing, to Joshua]: People sometimes make mistakes.

    Joshua: Yes, they do.

    My own Wargames “this is not realistic” and then years later, in real life: “oh, for fuck’s sake” moment when it happened was the scene where Joshua was trying to work out the ICBM launch code, and was getting it digit-by-digit. I was saying “there is absolutely no security system in the world where one can remotely compute a passcode a digit at a time, in linear time, by trying them against the systems”.

    So some years later, in the Windows 9x series, for the filesharing server feature, Microsoft stored passwords in a non-hashed format. Additionally, there was a bug in the password validation code. The login message sent by a remote system when logging in sent contained a length, and Windows only actually verified that that many bytes of the password matched, which meant that one could get past the password in no more than 256 tries, since you only had to match the first byte if the length was 1. Someone put out some proof of concept code for Linux, a patch against Samba’s smbclient, to exploit it. I recall thinking “I mean, there might not be something critical on the share itself, but you can also extract the filesharing password remotely by just incrementing the length and finding the password a digit at a time, which is rather worse, since even if they patch the hole, a lot of people are not going to change the passwords and probably use their password for multiple things.” I remember modifying the proof-of-concept code, messaged a buddy downstairs, who had the only convenient Windows 98 machine sitting around on the network, “Hey, Marcus, can I try an exploit I just wrote against your computer?” Marcus: “Uh, what’s it do?” “Extracts your filesharing password remotely.” Marcus: “Yeah, right.” Me: “I mean, it should. It’ll make the password visible, that okay with you?” Marcus: “Sure. I don’t believe you.”

    Five minutes later, he’s up at my place and we’re watching his password be printed on my computer’s screen at a rate of about a letter every few seconds, and I’m saying, “you know, I distinctly remember criticizing Wargames years back as being wildly unrealistic on the grounds that absolutely no computer security system would ever permit something like this, and yet, here we are, and now maybe one of the most-widely-deployed authentication systems in the world does it.” Marcus: “Fucking Microsoft.”

    • Pxtl
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      And yet I have to enable SMB 1.x to get filesharing to talk between my various devices half the time.

    • LordOfTheChia@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      1 year ago

      True on the digit by digit code decryption. That I can forgive in the name of building tension and “counting down” in a visible way for the movie viewer. “When will it have the launch code?!” “In either 7 nano seconds or 12 years…”

      If they had been more accurate, it would have looked like the Bender xmas execution scene from Futurama:

      https://www.youtube.com/v/aRdRZ6TKo4s?t=25s

      I did like the fact that they showed war-dialing and doing research to find a way into the system. It’s also interesting that they showed some secure practices, like the fact there was no banner identifying the system or OS, giving less info to a would be hacker. Granted, now a days it would have the official DoD banner identifying it as a DoD system.

      I remember with Windows 95, LAN Manager passwords were hashed in two 7 digit sections which made extracting user password from the password hash file trivial:

      https://techgenix.com/how-cracked-windows-password-part1/

      Looks like it was worse than I remember. The passwords were first converted to all upper case first!

      • tal@lemmy.today
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        1 year ago

        LAN Manager passwords were hashed

        Looks like it was worse than I remember.

        Pretty sure that you’re thinking of an additional, unrelated security hole. I recall that there were attacks against NTLM hashed passwords too – IIRC, one could sniff login attempts against Windows fileservers on the same network, extract hashed passwords going by on the network, and then run dictionary attacks against them, which sounds like the exploit being described at your link. That was actually worse in that it also affected the (more-widely-used in production in businesses for serious things) Windows NT servers.

        The hole I was attacking was specific to the fileserver in the 9x line, and it wasn’t a weak hash or unsalted hash, but a lack of hashing – it was specifically a case where the passwords were not stored in a hashed form. That was fundamentally a requirement for the attack to be be appearing in this way; if they had had any form of hashing, even with the length verification bug, you would have had to extract the entire hash, then do a local brute-force attack against the hash to reverse the hash, and gotten the whole password at once rather than having it show up a digit at a time.

        Windows had a lot of security problems around that time.

        EDIT: Regarding your hole, it sounds like NTLM authentication still is prone to problems:

        https://www.csoonline.com/article/571263/ntlm-relay-attacks-explained-and-why-petitpotam-is-the-most-dangerous.html

        2021

        Attackers can intercept legitimate Active Directory authentication requests to gain access to systems. A PetitPotam attack could allow takeover of entire Windows domains.

        EDIT2: Oh, if you mean “worse than I remember” talking about the case reduction, then never mind – I thought that you were saying that the length check bug made your hole worse.