The current title ("It was Bill Joy's password, not Ken Thompson") I assume is in reference to Ken's password being cracked two weeks ago. The title is not correct. Ken's password was cracked. Bill Joy's password has now also been cracked, but not disclosed w/o getting permission from Joy to do so first.
I thought it was referring to the fact the author found his expectation was the opposite of reality -- he first assumed it would have been Ken, not Bill Joy, to have a control character in his password. But Bill was the one.
Could be simplified to "Bill Joy's password had a control character", since no one had announced a thought that Ken's password had one, so the misdirection is pointless distraction.
I suppose you could construct a sentence like "it was Bill Joy's password, not Ken Thompson, which unlocked the safe" in response to an (exaggerated) story about Ken picking a lock.
Does anyone else find it a bit off-color to crack a password at all without permission? It seems to me like taking a photograph of a person in the shower then saying "yeah but we'll only publish the nude photo with permission." Yeah the password is no longer secure and bad people do bad things like this illegally all the time - so don't be one of them, it's just yuk. Have some respect for privacy and don't invade it without permission FIRST.
Maybe a correct title is creeps crack Bill Joy's password without permission - or did they get permission first?
Apparently it's off-color to dare suggest password cracking without permission is an invasion of privacy(!) I don't recall anyone suggesting private passwords have no expectation of privacy myself but clearly people here think it to be so. So that's weird and just a bit creepy.
In what way is cracking a password hash an invasion of privacy? The act itself is completely harmless and legal; it is only a problem if you use said password to actually access the person's systems.
It is also part of the hacker culture to test other people's security in a white-hat manner. This is a good thing.
If my password were weak enough to be cracked in this way, I'd certainly prefer someone do it and tell me to change my password rather than use it for their own gain.
As for off-color, name-calling is generally frowned upon even if you have a point. If you disagree, it's best to keep your tone neutral.
Breaching someone's privacy where they have the reasonable expectation of having privacy is a problem always in all circumstances. Does the benefit outweigh it? Not in this case.
You crack and you know what kind of thing that person uses for a pass phrase. If they created their pass phrase with the belief that it was private it could very well be something they don't want published. Something like "I like big butts and I cannot lie" is the least embarrassing thing. Do they love Sir Mix-a-Lot? Are they misogynist? Was it something they just overheard and used with zero thought? There should be no such speculation because we shouldn't even know. You shouldn't have to explain what you've used or justify it because you have the complete expectation of privacy. It's a private thought with private context - "get the hell out of my mind - I didn't ask you in here", I don't want you to form opinions about a private thought. I don't want you or anyone anywhere near my private thoughts.
Creep is a generally fairly well accepted pejorative term for someone who wilfully invades privacy for their own amusement. I do mean it to be pejorative. It is reasonable to form the view that being pejorative in this case has merits. But sure, disagree all you like, make the case, no doubt the NSA would agree the privacy invasion is ok.
This is not security testing. This is straight up curiosity & giggles of "what did $famous_person use for a pass phrase?" It's nobody's business. If you want to know, ask. If the person has forgotten and gives you permission, then you crack like a well mannered and respectful human being.
I think that is an entirely reasonable point of view. If it stung some people then that's worthwhile.
For everyone who finds this story confusing, I'll try a recap:
The password file on UNIX systems from 1969 right up till the 1990s was readable by everyone on the system. However, the passwords were one-way encrypted or "hashed". For the password a user typed such as "p/q2-q4!", the password file contained a hash such as "ZghOT0eRm4U9s". It used to be a rite of passage of every aspiring UNIX systems programmer to write a cracking program to discover some of the passwords on their system -- typically by encrypting a dictionary of words to see if any matched up with the hashed values in the password file. If everyone picked good passwords, this was futile. But on any large UNIX system, many users selected dictionary words so this attack was often successful.
Recently someone unearthed the password file from one of the original systems on which UNIX and C were developed. Naturally it's great fun to discover the original passwords of all the UNIX luminaries such as Ken Thompson (his strong password being a chess move "p/q2-q4!"), Dennis Ritchie (password "dmac" -- anyone know what that might mean?), Brian Kernighan (an easy to type keyboard pattern "/.,/.,"), Steve Bourne, inventor of the Bourne shell, didn't seem to care and chose obvious password "bourne", and more here https://news.ycombinator.com/item?id=21209594.
One lone password from the original list, Bill Joy's password, was still uncracked. Bill Joy is the co-founder of Sun Microsystems, author of vi, and a key developer of BSD UNIX. He apparently picked the best password. This latest news says that Bill Joy's password has now been cracked, that it uses a control character in place of a letter, it is otherwise all lowercase letters, and is a chess related term (as Ken Thompson's was also chess related). As an example, his password could be the chess-related word "c^Astlng", where the ^A is control-A (but it isn't -- I checked). But the actual password has not been revealed "because of the outpouring of negativity about these disclosures, [the discoverer is] reluctant to post the actual password without [Bill Joy's] consent".
Pretty interesting that those guys took what are essentially joke passwords. Seems like they probably didn't expect anyone to bother trying to crack them.
If you read on in the thread there's this fun story[1]:
> John P. Linderman jpl.jpl at gmail.com
> Sat Oct 19 23:11:10 AEST 2019
> Related story. A user came to us with a problem while we were in our computer room. We asked him to log in at the VAX console, so we could look into the problem. Moments later, dozens of users flooded in, asking what had happened. Seems the first user had a CTRL-P in his password, which, when entered at the console, triggered the VAX to pause.
I do this all the time with bash. I run a python script, and try to ctrl+c the output of it while it's still running. My brain refuses to learn right click.
Second attempt was lower-case with control characters, and succeeded in
around 40 minutes.
There's a control character in it ;)
Because of the outpouring of negativity about these disclosures, I am
reluctant to post the actual password without the user's consent, since
he's still alive. If anyone knows Bill, and can contact him, please ask
for permission.
Plato terminals had a custom keyboard* which included buttons for super and subscripts. The administrator for our school district's account had special privileges including the ability to create new users, give others the right to create lessons, more disk space and was highly coveted. It didn't take too long for someone to figure out Mrs. Kennedy's password was <SUPER>man. Of course my password instantly became yellow<SUB>marine.
I inadvertently had this on a Sun. I was entering a new password from a remote terminal and accidentally hit a lower case letter where I wanted an upper case one. Reflexively I hit backspace, and the Sun used DEL, so it stored a ^H in the password. I was then unable to change it because while getty or login could handle it, passwd wouldn’t accept it as my existing password.
I hear you. The very first Unix system I had root to ended up with two etc directories. It took a really long time to figure out I hadn't corrupted the filesystem but instead had created one directory named /etc<DEL> which was an unprintable character.
If anyone would like to try their own hand at discovering Bill Joy's 1970s-era password, here's how to get started with the hashcat tool. First check if everything is working by trying a known result, e.g., Dennis Ritchie's password which we know was "dmac":
If you see a message that says, "gfVwhuAMF0Trw:dmac" and "Status: Cracked", it's working. Now put in Bill Joy's hash ".2xvLVqGHJm8M" in place of "gfVwhuAMF0Trw" and a list of guesses, one per line, in the guesses file, and run hashcat again.
We've been told that the password is a chess-related word, all lowercase letters except that one letter is a matching control character, such as in "b^Ishop" where the "i" is actually a control-I.
Might as well add a disclaimer: back in the days, in order to find the gold nuggets on the web, you had to shift through shit. A lot of shit. But then once in a while, you find those little nuggets that made the whole shit-shifting worthwhile. Useful exercise in patience for beginner webbers maybe.
And what decides if an article is "legit and important"? If some other legit and important article links to it, of course!
And so we continue, until only the bottom-feeding "high quality" is left at the top of the search result, which is generally boring but "correct" content.
If that were true there wouldn't be so much bullshit on the first few pages. Try doing a Google search that gets lots of low-effort ad-stuffed "top x" or "best x of 2019" lists or similar garbage and changing the date range to limit results to before 2008 or thereabouts. It's incredible how much more useful, and easier to quickly evaluate, the results often are.
Sorry, I misunderstood and thought you were trying to correct me! Thanks anyway :)
I would agree, but I think the difference nowadays (had to look up I got "nowadays" right, seems I did!) is that people usually want a quality filter in front of them (like upvotes, likes, retweets or some other metric) rather than just having to judge by themselves.
In good ol' email threads, you always had to judge by yourself. In social media today, many assume quality because of metrics.
Both could be correct. Here I think "day" could make more sense. An example of the other case: "Back in the days of Fortran programming..."
If you leave out anything after "days" by just saying "back in the days" then it is like you are pausing. As in when you reminisce, "Oh, back in the days!" Maybe that is what the intention was.
In any case, the commenter was actually just saying that he thinks nothing has changed.
You need an email account in order to join a mailing list, so get one of those. Your ISP probably gives you one, but you can also use one of the more obscure email providers like yahoo or gmail if you want. I'm a fan of fastmail on my own domain.
Once you have an email address, this content is now available to you! Most mailing lists are free and easy to subscribe to.
I understand where you're coming from, but I don't think this "modern web-user" is unfamiliar with what email is, so the sarcastic tone is a bit over the top and usually not appreciated on HN.
Instead you could have spent time explaining a better way of browsing the content, or what to consider when reading. Instead of assuming this person doesn't know what an email address is.
Sorry, the title and I were wrong. Now, I read the full story and a better correct title is: "Bill Joy's Unix password had a control character". @dang, please edit the title.
From memory setting a UID to 0 was a way to effectively have multiple root accounts on a system. sudo is a much better solution to the same problem so using uid 0 in this manner is not something I expect to see on any modern unix/linux system.
"shutdown" or "reboot" as a UID=0 user with shell set to "/sbin/shutdown" or "/sbin/reboot" and a specific password is still occasionally found. Log in as that to shut down or reboot system.
A guy I worked with did this once, but on an esxi machine through the web interface. Took a very long time of figuring out what characters to press on an ssh connection from a mac to get the same, then to translate that to windows keyboard. Password changes often warn (or flat-out deny) if your password is too short, similar to username, etc.; maybe they should do so for control characters.
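The warning suggested in the comment above, sketched as an added example that is not part of the thread or of any real passwd implementation: a check run at password-change time that reports control characters in caret notation. The function names and the `TTY_SPECIAL` table (common stty defaults plus the VAX ^P from the quoted story) are assumptions, and the sample passwords are constructed.

```python
# Added example: flag control characters in a candidate password at change time.
# TTY_SPECIAL lists common stty defaults (an assumption; real systems differ).
TTY_SPECIAL = {
    0x03: "interrupt",
    0x04: "end of file",
    0x08: "erase on some terminals",
    0x10: "paused the VAX console in the story quoted in this thread",
    0x11: "resume output",
    0x13: "stop output",
    0x15: "kill line",
    0x17: "erase word",
    0x1A: "suspend",
    0x1C: "quit",
    0x7F: "erase on other terminals",
}

def caret(ch):
    """Caret notation: 0x09 -> '^I', 0x7f -> '^?', C1 controls as hex."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code | 0x40)
    if code == 0x7F:
        return "^?"
    if 0x80 <= code <= 0x9F:
        return f"\\x{code:02x}"
    return ch

def is_control(ch):
    """True for C0 controls, DEL and C1 controls."""
    code = ord(ch)
    return code < 0x20 or 0x7F <= code <= 0x9F

def audit_password(password):
    """Return one warning per control character; an empty list means none found."""
    warnings = []
    for pos, ch in enumerate(password):
        if is_control(ch):
            why = TTY_SPECIAL.get(ord(ch), "may not be typeable from every client")
            warnings.append(f"char {pos + 1}: {caret(ch)} ({why})")
    return warnings

if __name__ == "__main__":
    # Constructed samples: the thread's "b^Ishop" illustration, a stray ^H, a plain word.
    for sample in ("b\x09shop", "secr\x08et", "plainword"):
        print(repr(sample), audit_password(sample) or "ok")
```

Whether to warn or refuse is a policy choice; a stray ^H stored because the terminal's erase character was DEL is the case a warning would have caught.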
Discussion from two weeks ago - https://news.ycombinator.com/item?id=21202905
Message posting /etc/password entries - https://minnie.tuhs.org/pipermail/tuhs/2019-October/018854.h...
Message showing Ken's cracked password - https://minnie.tuhs.org/pipermail/tuhs/2019-October/018917.h...
Message showing Bill Joy's hashed password - https://minnie.tuhs.org/pipermail/tuhs/2019-October/018955.h...
A correct title would be "Bill Joy's password has now also been cracked."