Crack a Password, Save Norwegian History
Christian writes "With the death of the only person who knew the password to an archive held at a museum in Norway, suddenly the data became inaccessible. The result? A nationwide radio appeal asking for "hackers" to volunteer to help solve the problem! The
Norway Post has the story." I wonder if they looked under his keyboard yet..
when an entire archive is maintained by one mortal person. I wonder how many other times cases like these have come to surface. Sure, they may be on a much smaller scale, but something is to be said about archives of data maintained by one person, or one person having the only password to access these archives. But I guess we all know about too many cooks in the kitchen...
I have been thinking about this for a while. If I died suddenly, from the view of the online community, I would just disappear. No one would know to contact them. Most people would forget, or never notice, but some should really be contacted. Now I'm thinking I should make a list and put it on my hard drive to be found, (right next to the prOn) and have instructions on who needs informing.
120 chars of filth!
Netcraft.com:
The site www.norwaypost.com is running Microsoft-IIS/4.0 on NT4/Windows 98.
Sad, isn't it?
Anyway, two ways to attack this problem: brute force it or be clever and see if this can be done by social engineering. If there are any people that know him well enough they might. Otoh, the way I choose passwords it might be tough even when people know me.
I remember this story about a similar incident a long while back. Somebody encrypted a file using a new algorithm and couldn't believe how fast that went. To verify the speed he then proceeded to encrypt the backup too and forgot _both_ passwords. This was a long time ago and to this day I don't believe it but the moral of the story is: keep an unencrypted version in an off-line, off-site backup medium in a vault for digital media in duplicate.
Karma? What's that again?
Do you really want to see your bank manager every time you change any one of your passwords?
You do change them, right?
Or every time you get a password for a new service?
A better idea would be to keep the password to your private key in that bank safe, which decrypts your personal password file that you update regularly.
Yours Sincerely, Michael.
The probability of a sysadmin dying is not large
On the contrary, it's 100%. It's not a question of if, it's of when.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
This is actually a pretty serious issue with any kind of system where only one person has the password.
The ISP I once worked for nearly went out of business several years back because the only tech with high level access was in a serious car accident and out of action for a month or so.
It's all very well not writing down passwords, and saying that nothing is going to happen to you, but in the real world, people get ill, run over, fall down etc. - In large companies it's more than likely not a problem, but in a small company that has only one tech person doing everything, people need to make sure there is a plan of action for if that person becomes unreachable for any reason.
I saw the light at the end of the tunnel... But it was just someone with a flashlight bringing more work.
Does anyone remember that Simpsons episode where Homer and all the other Springfield felons turn up at the local police station to collect their "free boat"?
Whenever I go on vacation, I keep what I call my "Hit By A Bus" document on the system. It's password encrypted and I give that to whomever I deem necessary. It contains passwords, procedures, etc of everything that I do. Then, after returning, I change as many passwords as I can...
Simple, easy.
Yes, but what if you are hit by a bus on your way to work, rather than during your vacation? We can't all die during scheduled time off... ;)
The world won't end in darkness, it'll end in family fun, with Coca-cola clouds behind a Big Mac sun.
Depends on your view of important.
Those who forget the past are doomed to repeat it -- George Santayana
Yeah, I had a sig once; I got bored of it.
Ok you lost the password. There are other ways of getting back to the data and changing it than hacking the computer and compromising security.
/etc/passwd and wipe out the * in the root password
1 You take the hard drive out of the PC/Workstation.
2 Put it on another working PC/Workstation that you do have a password for.
3 Mount the drive.
4 Go in that drive
5 Put the hard drive back in the old computer.
6 Boot it up.
7 Log in as root, no password asked
8 Change the root password
This is much simpler than having a person try to hack a password; if it is a good one, it could take a really long time to crack. Unless of course the guy who knew the password is the only guy in the country that knew how to move a hard drive.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
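A defender's check for the state the comment above describes (an account whose password field has been emptied), as an added example that is not part of the original thread. It assumes the traditional passwd/shadow colon-separated layout, where an empty password field means no password is requested; the sample records and function names are constructed for illustration.

```python
"""Audit passwd/shadow text for accounts that accept an empty password."""

# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
# comment line
broken-line-without-fields
"""
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""

def parse(text, min_fields):
    """Yield split records, skipping blanks, comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def empty_password_accounts(passwd_text, shadow_text=""):
    """Return [(name, uid, source)] for accounts with an empty password field."""
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    findings = []
    for f in parse(passwd_text, 7):
        name, pw, uid = f[0], f[1], f[2]
        if not uid.isdigit():
            continue  # malformed UID: not a usable record
        if pw == "":
            findings.append((name, int(uid), "passwd"))
        elif pw == "x" and shadow.get(name) == "":
            # "x" defers to the shadow file; an empty hash there is the same risk
            findings.append((name, int(uid), "shadow"))
    return findings

if __name__ == "__main__":
    for name, uid, source in empty_password_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        flag = " (UID 0)" if uid == 0 else ""
        print(f"{name}: empty password field in {source}{flag}")
```

A locked entry such as `*` is not reported, since it does not permit a passwordless login.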
If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.
The reason mandatory password changes are used is to limit the window of vulnerability in the event someone does get the password (by hook or by crook). What if someone gains access to your strong password without your knowledge? If you don't change it in 3, 6, or 12 months (or years), they have complete access, potentially without your knowledge.
Passwords are not the greatest authentication method, but when compared to the trade-offs of other mechanisms such as smartcards, 2 factor approaches, biometrics, etc., they are still the easiest to manage.
That's a great idea, especially since the world is comprised of "hackers" and "regular people", and each group works like an individual, and 'regular people' actually care what, 'hackers' do - and when 'hackers' are mad - 'real people' sometimes catch on and make the world a better place.
Oh no wait, that's your stupid pre-pubescent 2600 dream world crashing down around you.
Actually in the real world, there's a team of guys who can do this, and are already working on it - and only you are thinking about the DeCSS case. Way to fight the revolution couch potato.
You showed em!
And the idiots that modded this guy up.... whoa.
Ace
It's very likely that if someone gained access to my strong password without my knowledge, they'll have access to the next one I choose as well. Weakening the passwords just helps them get that initial foothold.
If someone was interested in this data, they should have covered this kind of situation under a risk management plan. Hindsight being 20/20 and all that, they did not, and someone is now holding the bag. Because there is a file that is known to contain the data they want, they hold out hope that it will be salvageable.
:-)
In reality, this situation is almost the same as if a fire had destroyed the building along with the data, or even as if the person responsible for the data intended for it to die with him. There is a chance, however large or small, that the data will be recovered, but from a business perspective, an appropriate response would be to consider it a loss, start collecting the data again, and learn from the experience. Retrieving the data from the encrypted file is an interesting exercise, but one with uncertain results. Push the file into an academic circle and hope for the best.
In this case, having the file is misleading a management decision, because it appears as if they still have the data. In reality, they do not, unless an unlikely contingency occurs where someone can retrieve it. Since nobody seems to be able to put a delivery date on that retrieval, or even state the degree of certainty with which it can be retrieved, the correct business decision would probably be to consider it lost.
I'm guessing it's a loss not covered by their insurance.
This is a harsh assessment of the situation, and I'm only making it because I'm not the one with the data that needs to be recovered.
Another thing I notice is that the party responsible for the data seems interested in limiting the number of people who will get the opportunity to try to crack this, as opposed to just posting the thing to the world as a challenge, perhaps with a reward to the first person to break it. Remember the King Arthur legend -- Arthur wasn't authorized to try for Excalibur!
The details in the article are sketchy. The title of the Slashdot article seems to be pretty misleading. The file in question doesn't contain the historical documents themselves, but an index to them?
I'm sorry to hear that a researcher has died in Norway.
-fb Everything not expressly forbidden is now mandatory.