Slashdot Mirror


Crack a Password, Save Norwegian History

Christian writes "With the death of the only person who knew the password to an archive held at a museum in Norway, suddenly the data became inaccessible. The result? A nationwide radio appeal asking for "hackers" to volunteer to help solve the problem! The Norway Post has the story." I wonder if they looked under his keyboard yet..

128 of 505 comments

  1. Love all round... by Anonymous Coward · · Score: 2, Funny

    Messenger: John is Dead!
    Museum: (in sync) Ahhh, he was a lovely fellow, never bothered a soul... wonderful guy... absolutely great...
    Messenger 2: He was the only one who knew the password to the history archive!
    Museum: That F&%cker! How dare he die... mother f%#cking asshole!
    Messenger 2: Hey... don't kill the messenger!

  2. Slashdoted Text by Technician · · Score: 5, Informative

    5 June 2002

    Hackers respond to password challenge

    Hackers have responded in large numbers to an appeal from the director of a culture center and literary museum on the west coast of Norway.

    The password to one of their library archive systems is missing.

    The museum built in honour of the famous Norwegian linguist Ivar Aasen received a gift of more than 1600 books and documents which had been catalogued and registered in a national data bank, which researchers and interested people may access.

    Only trouble was that the expert who had helped the donor with the archiving work had died, and had failed to pass on the password.

    In order to get access to the data base, Director Ottar Grepstad appealed on nationwide radio for help to solve the problem.
    The response was above expectations, and the director is now busy choosing the expert most likely to solve the problem.

    (NRK)

    (this loaded very slow, but I got it.)

    --
    The truth shall set you free!
    1. Re:Slashdoted Text by ObviousGuy · · Score: 5, Funny

      Ottar Grepstad

      Heh. The director's got two Unix utilities in his name and he *still* can't hack the system.

      I'm sure there's a joke in there somewhere.

      --
      I have been pwned because my /. password was too easy to guess.
    2. Re:Slashdoted Text by Jeppe+Salvesen · · Score: 2, Interesting

      I dunno about the history of the name of "ottar", though I know it's widely used in the Germanic world. Think Otto.

      However, 'Grepstad' is a surname derived from the name of a farm. 'stad' means place, so his last name would mean something like 'place of grep'. 'Grep' means several things in Norwegian. I believe some farming implement goes by 'grep', but also it could mean to grasp (physically, mainly). Besides, those farm names stem from archaic Norwegian, so 'grep' might have meant something else in the past.

      --

      Stop the brainwash

    3. Re:Slashdoted Text by Hiro+Antagonist · · Score: 5, Funny

      *sigh*

      If only his name was John Libcrypt...

      --
      I Hit the Karma Cap, and All I Got Was This Lousy .sig.
    4. Re:Slashdoted Text by VivianC · · Score: 3, Funny

      > [The] Only trouble was that the expert who had helped the donor with the archiving work had died, and had failed to pass on the password.

      Sounds like a job for John Edward, master hacker!

      --
      Viv

      Gmail invites for ip
  3. Don't worry, I've already cracked it by Henry+V+.009 · · Score: 4, Funny

    I've already cracked it. Got the archives open right here. Let's see:

    In the year 1005, the 1337 v1k0rs raided the English coast for raping and pillaging...

    1. Re:Don't worry, I've already cracked it by Anne_Nonymous · · Score: 2, Funny

      In case people care to see the rest of the database:

      Username: navne
      Password: passord

  4. If I were to pass by Necro+Spork · · Score: 2, Insightful

    I have been thinking about this for a while. If I died suddenly, from the view of the online community, I would just disappear. No one would know to contact them. Most people would forget, or never notice, but some should really be contacted. Now I'm thinking I should make a list and put it on my hard drive to be found, (right next to the prOn) and have instructions on who needs informing.

    --
    120 chars of filth!
    1. Re:If I were to pass by spudnic · · Score: 2

      I'd be afraid (or happy, actually) that I would outlive the service. At $29.95 a year I'd rather just print out all this information, put it in a safety deposit box, and give a key to someone I could trust.

      --
      load "linux",8,1
    2. Re:If I were to pass by ninewands · · Score: 2

      > At $29.95 a year I'd rather just print out all this information, put it in a safety deposit box, and give a key to someone I could trust.

      Only problem with your plan is that, in MOST states, safe deposit boxes owned by a deceased person are SEALED at death and cannot be opened until their estate is probated. Because of this, you should NEVER put your original will into your OWN safety deposit box.

      A better plan, if you trust this individual that much, is put your printed list (suitably privacy-sealed, of course) into his or her safe-deposit box.

      Likewise, leave the original of your will on file in the office of the lawyer who drew it up for you.

  5. As a Swede, all I can say is... by weird+mehgny · · Score: 5, Funny

    ...this only happens in Norway :)

    1. Re:As a Swede, all I can say is... by kilogram · · Score: 3, Funny

      ... and Norwegians make fun of Swedes... Somehow it does not complete the circle... :)

    2. Re:As a Swede, all I can say is... by fallacy · · Score: 4, Funny

      Which are invariably themselves...

    3. Re:As a Swede, all I can say is... by Anonymous Coward · · Score: 5, Funny

      ...just wait till you get computers, then the laughs will be ours.

    4. Re:As a Swede, all I can say is... by iphayd · · Score: 3, Funny

      I guess that would be because you are all blond, and the password would be "password"?

    5. Re:As a Swede, all I can say is... by jahalme · · Score: 5, Funny

      Yes, and while the Swedes and Norwegians are attempting to grok complicated concepts, such as passwords, we Finns write our own operating systems. ;)

    6. Re:As a Swede, all I can say is... by Dr.+Cody · · Score: 5, Funny

      But, when it comes down to it, what could they possibly hope to learn by recovering this archive of Norwegian history? How Norwegian troops threw grenades at the Swedes, and, consequentially, how the Swedes pulled out the pins and threw them back?

    7. Re:As a Swede, all I can say is... by Jeppe+Salvesen · · Score: 2

      Lutefisk is for wussies. The hard eat-their-own-shorts-for-breakfast type of Norwegian eat Smalahovud for dinner every day.

      Take one sheep's head. Stick it in the oven, roast it until the wool is singed, take it out, and eat it. Preferably, start with the eyeballs. Extra bonus tough-guy points for sucking them out of their sockets.

      Slightly exaggerated, it's not far from the truth. They do stick sheep's heads in the oven to bake them, and eat brains, cheeks and eyes indiscriminately. We are your allies. Be very afraid.

      --

      Stop the brainwash

    8. Re:As a Swede, all I can say is... by Skevin · · Score: 2

      Well, you can learn a lot. I'll bet the (pirated) Director's Cut of Monty Python's Erik the Viking and Michael Crichton's Eaters of the Dead are in there... The article did say *most* of Norwegian history, right?

      Solomon

      --
      "Twice half-assed makes an ass whole." --Solomon K. Chang
  6. Re:I wonder.... by viffer · · Score: 2, Informative

    Norwegian for "password" is "passord".

    I wonder if they've tried that already...

    --
    -- /Viffer "I'd rather be riding my VTR"
  7. so.. how are we supposed to store passwords? by dikappa · · Score: 5, Interesting

    This is an interesting issue. Any -minimally skilled- IT operator knows he should never tell passes to other people. But, what if this person dies? How can we safely store passwords so that those can be retrieved if "shit happens"? Probably we cannot use encryption (you need a pass to decrypt stuff), so what? Probably for most of us, a piece of paper in a safe place at home is enough, hackers *usually* do not break-in to get passwords. But I guess there are people around protecting *really* important data, and they do not trust anyone... what can they do to make passwords "undiscoverable" until "death" or sudden amnesia?

    --
    :dikappa
    1. Re:so.. how are we supposed to store passwords? by Ted+Maul · · Score: 2, Interesting

      A technique I've seen is to get two people to type in the first and second parts of the password (without telling each other what they are). That way you need both people to get in. As a backup measure, they both write down their password bits and these get sealed in separate envelopes in separate safes just in case. Oh, and in case a manager might need to get in you can number them 1 and 2.

      --

      The Day Today - Game Warden to the Events Rhino
    2. Re:so.. how are we supposed to store passwords? by bryan1945 · · Score: 2

      You could put a list of passwords in a safety deposit box in a bank, with instructions in your will as to who gets the contents of said box upon your death.

      The only other thing I can think of is to pick one other person whom you trust totally.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
    3. Re:so.. how are we supposed to store passwords? by Rui+del-Negro · · Score: 5, Funny

      Tattoo the password inside their body. Or inside their pants; IT operators' pants are never removed near / by other people anyway.

      RMN
      ~~~

    4. Re:so.. how are we supposed to store passwords? by sydb · · Score: 4, Insightful

      Do you really want to see your bank manager every time you change any one of your passwords?

      You do change them, right?

      Or every time you get a password for a new service?

      A better idea would be to keep the password to your private key in that bank safe, which decrypts your personal password file that you update regularly.

      --
      Yours Sincerely, Michael.
    5. Re:so.. how are we supposed to store passwords? by sydb · · Score: 2

      Seriously, most 'minimally skilled IT operators' write passwords to important systems on bits of paper (or in files) that their colleagues know about.

      That's the accepted practice. If you're sensible you keep those bits of paper in a safe and keep an eye on who opens it.

      --
      Yours Sincerely, Michael.
    6. Re:so.. how are we supposed to store passwords? by GigsVT · · Score: 5, Insightful

      > The probability of a sysadmin dying is not large

      On the contrary, it's 100%. It's not a question of if, it's of when.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    7. Re:so.. how are we supposed to store passwords? by CoolVibe · · Score: 2
      Quoteth the poster:

      > Oh, and in case a manager might need to get in you can number them 1 and 2.

      Uhmmm yeah right... If you want that password to appear on a post-it note on a screen in the office, you should do that. And before y'all spout off that there are also competent managers out there: Most manglement type people I worked with are pointy-haired. Yes most. I've only known 2 managers in my career that were competent hackers (not crackers, mind you)

      Escrowing your keys/passwords is a good idea, but please escrow your keys to people who you trust and from which you know that they are competent and can bear the responsibility of knowing that password/passphrase/whatever.

      It's good that this is brought up. I need to escrow my keys to some people too before I kick the proverbial bucket. If I decide to leave life as it is and go for the after-life, my successor/replacement should be able to administer it.

    8. Re:so.. how are we supposed to store passwords? by CoolVibe · · Score: 2
      *urgh*

      Damn preview button :P

      s/administer it/administer my systems/

    9. Re:so.. how are we supposed to store passwords? by Anonymous Coward · · Score: 3, Interesting

      Maybe i'm missing the obvious but....

      Lawyers are bound to non-disclosure of an individual's last will and testament, if I am not mistaken. (until death, at which time it is revealed to those individuals referenced therein)

      It seems, therefore, that the password (or some part of it at least) should be kept in the will, which should only be accessible once you die. Although this will rely on confidence in the lawyer you choose, their firm, etc.
      But generally, seems like it should work.
      If necessary, tell the other half to one or two other big-wigs, or stored in a safe. So both your death and the aforementioned access are necessary.

    10. Re:so.. how are we supposed to store passwords? by GodHead · · Score: 2

      Like I do. In my desk there is a sealed envelope marked PASSWORDS. Since I'm in a secure office (24hr security, passcard doors) no problem.

      --
      Just wait till some crappy band steals your nic.
    11. Re:so.. how are we supposed to store passwords? by ObviousGuy · · Score: 2

      Couldn't they just sneak in through the air ducts and use the standard industry password "PASSWORD"?

      --
      I have been pwned because my /. password was too easy to guess.
    12. Re:so.. how are we supposed to store passwords? by cowbutt · · Score: 5, Informative
      > Any -minimally skilled- IT operator knows he should never tell passes to other people. But, what if this person dies? How can we safely store passwords so that those can be retrieved if "shit happens"?

      Google for "secret sharing" and you'll find plenty of references. Essentially, the secret (i.e. the password) is converted into a value that intercepts an axis of an n-dimensional graph. m points in n-dimensional space are then generated such that they lie in a straight line on a single plane. You can then distribute the values of the m points safe in the knowledge that you need at least n of them in order to calculate the point of interception of the secret.

      AFAIK, this is how things like launch codes for nukes are stored and distributed (to counter the twin threats of elimination of keyholders preventing nukes from being launched, and to prevent a single rogue keyholder launching without appropriate authorisation).

      Apologies to the maths/crypto purists out there if my description is fuzzy, over-simplified, or plain wrong, but it's been a while... ;-)

      Better explanations can be found on RSA's site and in Ross Anderson's book "Security Engineering"

      --

    13. Re:so.. how are we supposed to store passwords? by say · · Score: 3, Funny
      No. When you retire from work, you are no longer a sysadmin. Then you are a human being. It's true! Although you have the infinite power of sysadmining now, it will disappear overnight when you retire.

      So.. hah!

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    14. Re:so.. how are we supposed to store passwords? by 4of12 · · Score: 2

      > most 'minimally skilled IT operators' write passwords to important systems on bits of paper

      Yes, I do that, too.

      But I can see it now: the social engineering crackers show up to look for a word written down on a piece of paper - in an archive (aka library) with probably O(1e5) volumes!

      If I wanted to hide a piece of paper, that's exactly where I'd hide it.

      As a youngster, I once hid some paper money in an obscure text in the library and was able to retrieve it a month later.

      --
      "Provided by the management for your protection."
    15. Re:so.. how are we supposed to store passwords? by dangermouse · · Score: 5, Interesting
      > You do change them, right?

      Hell no.

      That is the single most hare-brained bit of common security "wisdom" in the world.

      Years ago, I picked a password that's random as hell and was very difficult to remember. No password cracker-- dictionary *or* brute force-- has broken it yet. I use this password on about ten systems.

      If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.

      I keep running into admins who-- by hook or by crook-- make their users change passwords periodically. The result? Passwords on Post-It notes; passwords that are the names of pets or wives or firstborn children; sets of passwords that are absurdly simple and that get cycled through.

      If they had just let the users keep their original passwords and run a cracker against the shadow file to turn up the overly simple ones, their systems would be a lot more secure. But somebody told them changing passwords frequently was a good idea, and by god their users are going to change passwords frequently.

    16. Re:so.. how are we supposed to store passwords? by dcigary · · Score: 5, Insightful

      Whenever I go on vacation, I keep what I call my "Hit By A Bus" document on the system. It's password encrypted and I give that to whomever I deem necessary. It contains passwords, procedures, etc of everything that I do. Then, after returning, I change as many passwords as I can...

      Simple, easy.

      --
      ...my Karma ran over your Dogma...
    17. Re:so.. how are we supposed to store passwords? by bryan1945 · · Score: 2

      Yup, I agree. My main password is an 11 alphanumeric pseudo-random combo (pseudo because I made it up in my head, so who knows how random it really is, but it looks damn random). 36^11 is roughly 10^18, so good luck brute forcing that in your lifetime.

      At work we have to change one of our passwords every 6 months, and we can not re-use them. So I have had to come up with 9 passwords (oh, and they can only have 6-8 characters. Thanks for flexibility) that I can remember yet are fairly secure. I've been reduced to creating full numerics based on a stupid algorithm I made. Totally sucks.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
    18. Re:so.. how are we supposed to store passwords? by dgulbran · · Score: 2, Insightful

      Yes, but what if you are hit by a bus on your way to work, rather than during your vacation? We can't all die during scheduled time off... ;)

      --
      The world won't end in darkness, it'll end in family fun, with Coca-cola clouds behind a Big Mac sun.
    19. Re:so.. how are we supposed to store passwords? by edp · · Score: 5, Informative

      Er, I'm not sure what you're getting at. For example, any set of points (in a space of more than two dimensions) that "lie in a straight line" are necessarily also in a plane and are in fact in infinitely many planes.

      Shamir's secret sharing is easy to describe: Any polynomial of degree k-1 can be completely figured out from k points on it but not from k-1 points. So to share a secret among any number of people so that any k of them can figure out the secret and any k-1 of them cannot, you make up a polynomial whose value at x=0 is the secret and you tell each person the value of the polynomial at other points (at x=1, x=2,...).

      For example, any 2 points define a line (a polynomial of degree 1). If you tell me where the line is at x=1 and x=2, I can figure out where the line is at x=0. But if you only tell me where the line is at x=1, I haven't got a clue where it is at x=0, because it could still be anywhere. If you gave a million people different values for x=1, x=2,... x=1000000, no one of them would know the value of the line at x=0, but any two of them could figure it out.

    20. Re:so.. how are we supposed to store passwords? by 4of12 · · Score: 2

      > O(1e5)=O(1)

      Depends.

      In most computer languages

      a = 1e5;
      is tantamount to saying that a=100000 (base 10).

      I couldn't get a 5 superscript to render or I would have done a "10<sup>5</sup>" to get the best rendition of something on the order of a hundred thousand.

      Besides, most pure math types would consider my specification of the "1" to be needless and figure that the "e5" would come out to about 13.59... and wonder if there was a partial volume in the library of irrational size.

      --
      "Provided by the management for your protection."
    21. Re:so.. how are we supposed to store passwords? by gregfortune · · Score: 4, Funny

      Sounds like a good way to get into bed too. The only way for the "bad guys" to get your password is to send a really hot girl over to your house. Ya know, this is probably the last hope for most ./ readers.

    22. Re:so.. how are we supposed to store passwords? by bastion_xx · · Score: 2, Insightful

      > If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.

      The reason mandatory password changes are used is to limit the window of vulnerability in the event someone does get the password (by hook or by crook). What if someone gains access to your strong password without your knowledge? If you don't change it in 3, 6, or 12 months (or years), they have complete access, potentially without your knowledge.

      Passwords are not the greatest authentication method, but when compared to the trade-offs of other mechanisms such as smartcards, 2 factor approaches, biometrics, etc., they are still the easiest to manage.

    23. Re:so.. how are we supposed to store passwords? by leshert · · Score: 2

      This is a well-known problem. Do a search on "secret sharing". Ideally, you want to make sure that no single (or more) key holder who goes rogue can use the information on his own, but if one (or more) key holders cease to exist, the secret can be recovered.

    24. Re:so.. how are we supposed to store passwords? by dangermouse · · Score: 3, Insightful
      > The reason mandatory password changes are used is to limit the window of vulnerability in the event someone does get the password (by hook or by crook). What if someone gains access to your strong password without your knowledge? If you don't change it in 3, 6, or 12 months (or years), they have complete access, potentially without your knowledge.

      It's very likely that if someone gained access to my strong password without my knowledge, they'll have access to the next one I choose as well. Weakening the passwords just helps them get that initial foothold.

    25. Re:so.. how are we supposed to store passwords? by PCM2 · · Score: 2
      > Years ago, I picked a password that's random as hell and was very difficult to remember. No password cracker-- dictionary *or* brute force-- has broken it yet. I use this password on about ten systems.

      I was with you up until the part about the ten systems. Being so cocky that you assume that your password will never be brute-forced is one thing. You might be right. But betting the future of every system you administer on that assumption is another thing altogether.

      Saying a password is "hard" to brute-force is just a measure of statistical probability. Stranger things have happened than a person getting hit by lightning, or winning the lottery.

      --
      Breakfast served all day!
    26. Re:so.. how are we supposed to store passwords? by dangermouse · · Score: 2
      > Also, YOU USE THE SAME PASSWORD ON TEN SYSTEMS?!?! So, now instead of cracking one box, anyone who breaks into any one of the 10 systems immediately has access to them all. Awesome.

      Sure. But let's bear in mind that I have *active* accounts on upward of thirty systems, nevermind random web crap and so forth. Sure, I can pick thirty weaker passwords to remember than the four or five I actually use, but does that make me more secure?

      Let's think about this... If I have thirty weak passwords on thirty systems, someone has thirty points of vulnerability to work with. We're operating on the assumption that I won't know if a password is cracked, because otherwise this is a moot issue... so let's say one of those thirty passwords is compromised. At this point, my passwords fall like dominos because the intruder has a very good shot at watching me log into various systems from the one he cracked.

      It depends on where you want the barrier... harder initial entry followed by easier penetration of other systems, or easier initial entry followed by slightly more difficult penetration of other systems. I choose the former, because (A) it makes my life easier, and (B) it's worked quite well for me.

      > As for your weak password argument, that should be taken care of when the user changes the password. If you ensure that they have at least 6 characters: one capitalized letter, one lower case letter, and one number that's a minimum 1.6*10^10 combinations. Not bad.

      The very first thing your users will do is write that password down. You can probably enforce that once or twice... on the systems I administer, I enforce it when the user chooses to change his password. But people run out of memorable 6-character partially-capitalized partially-numeric strings pretty rapidly, and the more frequently you make them replace those passwords, the more you aggravate the problem.

    27. Re:so.. how are we supposed to store passwords? by spudnic · · Score: 2

      Each month we had a meeting that brought together our company's Sr. SysAdmins from all of the remote locations so we could discuss plans in person (but mainly as an excuse for a day to relax). We would always joke about what a mess the company would be in if the van we packed into after each meeting to go get Chinese were to plummet off of a bridge.

      Fortunately, it never happened to us, but I'm sure it's happened somewhere.

      Like George from Seinfeld saying that we were due for a whole baseball team to be killed in a plane crash.

      --
      load "linux",8,1
    28. Re:so.. how are we supposed to store passwords? by spudnic · · Score: 2

      You could even change your password with this scheme. Give the lawyer "A53vP" and give the other half to a coworker, or several even, each time you change it.

      vmFJ3A53vp
      3jadmA53vp
      erMIeA53vp
      MMKkeA53vp

      --
      load "linux",8,1
    29. Re:so.. how are we supposed to store passwords? by cowbutt · · Score: 2
      Essentially, the secret (i.e. the password) is converted into a value that intercepts an axis of an n-dimensional graph. m points in n-dimensional space are then generated such that they lie in a straight line on a single plane. You can then distribute the values of the m points safe in the knowledge that you need at least n of them in order to calculate the point of interception of the secret.

      So, m > n, and m is the number of people to whom you give the secret, n is the number of people which will be required to reconstruct the secret.

      That plane must be a hyper-plane, with n-1 dimensions.

      n dimensions, by my reckoning (think of a 2-dimensional graph - you'll need two points to determine the line and therefore the point of interception).

      What exactly is the secret? Point of interception with what?

      Um, with a chosen axis where all but one of the variables=0. For example, with a 2-dimensional graph, you might choose the y-axis.

      Read Eric's explanation above; he does a better job of it than me. Failing that, read Shamir's paper. ;-)

      --

    30. Re:so.. how are we supposed to store passwords? by anotherone · · Score: 2

      Retina Scans work by detecting blood vessels in the eye. If the eye has been removed, there will be no blood in the eye and the vessels will be invisible.

      --
      Username taken, please choose another one.
    31. Re:so.. how are we supposed to store passwords? by bugg · · Score: 2
      > 6--8 characters as a hard password length requirement is just plain worthless, but then you seem to know that. Too bad whoever programmed your system didn't. However, using only numbers greatly reduces the search space. Throw in some letters just for fun.

      (This is a serious question) do many cracking programs check all of the numeric-only possibilities early on in the process? It would seem to me that if the cracker did not know that the password was numbers only, they could not take much advantage of it. If I wasn't checking all alphanumeric sequentially, I would certainly check alpha-only before I checked numeric-only!

      --
      -bugg
    32. Re:so.. how are we supposed to store passwords? by fleeb_fantastique · · Score: 2

      Y'know, you don't necessarily need to put together a password full of random noise to have something secure. Sometimes, something algorithmically determined to come up with a 'sounding' word without actually using a dictionary (with the occasional number or special character) can work very effectively, yet allow a user to remember the password (cutting down on post-it note insecurities).

      One such program that does this sort of thing is apg, available at http://www.adel.nursat.kz/apg.

      You'd be surprised the sort of research that goes into coming up with something like this, too. Not just the program, but the specifications for what makes a safe kind of password (y'know, taking into account stuff like the likelihood of someone writing the text down somewhere, or choosing a lame password, or whatever).

      --
      And so it goes.
    33. Re:so.. how are we supposed to store passwords? by Pseudonym · · Score: 2

      I think the original poster confused two different techniques to accomplish the same ends.

      In the following discussion, let M be the number of people who get partial keys and K be the number of partial keys required to reconstruct the secret key.

      The first technique (I forget who came up with it) was to consider a key as a point in K-dimensional space. You randomly generate M hyperplanes of dimension (K-1), each of which contain the secret key, and give one to each person. When M partial keys are presented, you have enough information to find the secret key by solving the linear equations.

      The problem with this technique is that if you have some partial keys but not enough to generate the secret key, you still have some information which could be used to speed up a brute-force attack. Shamir's technique is superior in this respect, since having some partial keys gives you no information about the secret key, all other things being equal (i.e. assuming the fake coefficients were chosen truly randomly). As you said, "it could be anywhere".

      This actually makes Shamir's secret sharing algorithm one of the very few provably secure cryptographic algorithms in existence, which is quite a remarkable thing when you think about it. Of course that doesn't automatically make your protocol or your secure, but you can't have everything.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
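
Shamir's scheme as edp describes it above (a polynomial of degree k-1 whose value at x=0 is the secret) together with the property Pseudonym points out (fewer than k shares give no information about the secret), as an added example that is not part of any comment in this thread. It assumes arithmetic modulo a prime, as in Shamir's paper; the function names, the prime and the sample password are constructed for illustration.

```python
import itertools
import secrets

# Assumption of this example: all arithmetic is modulo a prime.
# 2**127 - 1 is a Mersenne prime, large enough for a secret of up to 15 bytes.
PRIME = 2**127 - 1


def eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret, k, n, p=PRIME):
    """Return n shares (x, y); any k of them recover the secret."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    # Constant term is the secret; the other k-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    # Shares are the polynomial's values at x = 1, 2, ..., n (never at x = 0).
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def interpolate(points, x0, p=PRIME):
    """Lagrange interpolation through `points`, evaluated at x0, modulo p."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x-coordinates in shares")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        # pow(den, -1, p) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares, p=PRIME):
    """Rebuild the secret: the polynomial's value at x = 0."""
    return interpolate(shares, 0, p)


def explanations(partial, k, p):
    """Brute-force check of the 'it could be anywhere' claim for a SMALL prime p.

    For every candidate secret, count the degree-(k-1) polynomials with that
    constant term that pass through the known shares in `partial`.
    """
    counts = {}
    for candidate in range(p):
        counts[candidate] = sum(
            all(eval_poly((candidate,) + rest, x, p) == y for x, y in partial)
            for rest in itertools.product(range(p), repeat=k - 1)
        )
    return counts


if __name__ == "__main__":
    # Constructed sample: a 3-of-5 split of a short password.
    password = b"passord"
    secret = int.from_bytes(password, "big")
    shares = split(secret, k=3, n=5)

    any_three = [shares[4], shares[0], shares[2]]
    print(recover(any_three).to_bytes(len(password), "big"))

    # Two shares interpolate to a value unrelated to the secret.
    print(recover(shares[:2]) == secret)

    # Toy field GF(17): two of three required shares are known.
    toy = split(5, k=3, n=4, p=17)[:2]
    print(set(explanations(toy, k=3, p=17).values()))
```

With two of three required shares known, every one of the 17 candidate secrets in the toy field is explained by the same number of polynomials, so the holder of those shares cannot rank one candidate above another.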
    34. Re:so.. how are we supposed to store passwords? by gad_zuki! · · Score: 2

      Actually, the point behind mass-changing passwords is more about damage control than securing the system itself. Over time the chances of having passwords sniffed or somehow come up in the wrong hands approaches YES very quickly, so you change everything to make your hax0rs list obsolete. Sure, the dumbasses may leave their post-it notes on their keyboards, but intra-office security violations are probably more manageable than an outsider coming in.

      Of course it would be easy to make it office policy to punish those who keep leaving passwords out in the open, so that's a no-brainer. You don't always need a technological answer to a social problem.

      Whether or not changing the p/w on a server is worth the effort is debatable. If you've only logged in locally, then I wouldn't worry about it and I can see where you're coming from, but anything going over any network in any form should be considered untrusted for security's sake.

    35. Re:so.. how are we supposed to store passwords? by Kanasta · · Score: 2

      If I was hit by a bus, I think the last thing I'd care about was whether ppl at work knew my passwords...

    36. Re:so.. how are we supposed to store passwords? by kubrick · · Score: 2

      Yeah, but that might not be the last thing they cared about. Depends how considerate your workmates are, I guess, and how much it's costing them not to be able to change things. :)

      --
      deus does not exist but if he does
  8. I see 5: by Confuse+Ed · · Score: 5, Interesting

    common utilities

    1) tar
    2) ar
    3) grep
    4) ps

    and not so common
    5) rep (well it's installed on my system, but I'd never heard of it, further investigation reveals it to be a standalone lisp interpreter from the librep package (see "info librep", I am indeed learning something new every day))

    1. Re:I see 5: by garett_spencley · · Score: 2

      OT and I have way too much time on my hands ;^)

      5) ed
      6) sed
      7) tr
      8) as & gas
      9) toe
      10) grops
      11) read
      12) esd
      13) date

      --
      Garett

  9. More info by Man+Eating+Duck · · Score: 5, Informative

    A little info:

    The database is from Dbase 4, I don't know how the security is on that format. It contains data about the Norwegian linguist Ivar Aasen. For those interested in giving it a try, just search on Norwegian pages to find the director's email address (name in another post). He's received quite a few emails already... (No, won't give the address here, pity the one who gets his email published on Slashdot).

    Please excuse crappy English, save your grammatic flames.

    --
    Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
  10. Slashdotted, what did you expect... by geschild · · Score: 2, Insightful

    Netcraft.com:

    The site www.norwaypost.com is running Microsoft-IIS/4.0 on NT4/Windows 98.

    Sad, isn't it?

    Anyway, two ways to attack this problem: brute force it or be clever and see if this can be done by social engineering. If there are any people that know him well enough they might. Otoh, the way I choose passwords it might be tough even when people know me.

    I remember this story about a similar incident a long while back. Somebody encrypted a file using a new algorithm and couldn't believe how fast that went. To verify the speed he then proceeded to encrypt the backup too and forgot _both_ passwords. This was a long time ago and to this day I don't believe it but the moral of the story is: keep an unencrypted version in an off-line, off-site backup medium in a vault for digital media in duplicate.

    --
    Karma? What's that again?
  11. History? You mean "last week"...? by Rui+del-Negro · · Score: 2

    If it was American history, it would probably be shorter than the password.

    RMN
    ~~~

    1. Re:History? You mean "last week"...? by Rui+del-Negro · · Score: 2

      If it happened less than 500 years ago, it's not proper History.

      RMN
      ~~~

  12. Sorry, can't help... by juliao · · Score: 5, Funny

    I wish I could help, but I do intend to travel to the US at some later time in my life, and I don't want to be arrested for circumventing a protection device or something... Boy, do you Americans have stupid laws...

    1. Re:Sorry, can't help... by Zoop · · Score: 2

      Boy, do you Americans have stupid laws...

      Agreed, but you'd have to crack an American password system to fall prey to those laws. While we are the world's policeman, our laws can only be extended so far beyond our borders before right-minded people start ignoring them.

      Hell, some of us do it inside the borders.

    2. Re:Sorry, can't help... by hublan · · Score: 2, Interesting
      While we are the world's policeman, our laws can only be extended so far beyond our borders before right-minded people start ignoring them.

      Tell that to Jon Johansen. Maybe it'll save his day.

      --
      My spoon is too big.
    3. Re:Sorry, can't help... by juliao · · Score: 2

      Hmmm... would any kind of password system in, say, Unix, Linux, Windows, MVS, etc. count as an "american password system"? My guess is "yes", regardless of where the system itself is installed (Norway, for instance) and of who owns the information inside... Sklyarov was arrested at the request of Adobe, not any e-book "copyright holder"...

    4. Re:Sorry, can't help... by Zoop · · Score: 2
      Tell that to Jon Johansen [eff.org]. Maybe it'll save his day.


      From the link you gave:

      under Norwegian Criminal Code 145(2)


      If your parliament can't avoid being a lemming, you can always boot them out of office.
  13. Posting links by Rui+del-Negro · · Score: 2

    Use HTML and make sure the posting mode is set to "Plain text" or "HTML formatted":

    <A HREF="http://slashdot.org/">this is a link</A>

    ...becomes

    this is a link

    RMN
    ~~~

  14. What's needed is a "dead man's 'bot" by Raetsel · · Score: 5, Interesting

    A simple program... something to send that important email, decrypt the data that you honestly don't have to safeguard anymore, etc. A program to take action when you haven't proven (password | biometric | whatever...) your continued existence on a pre-arranged schedule.

    And wouldn't you know it, one exists!

    I caught this discussion at Ars Technica last month. It refers to a cool-sounding program called "Dead Man's Switch (DMS)", which caught the attention of the New York Times.

    Just a few issues...

    • Don't go on vacation for a longer period of time than you have the 'bot set for
      (see either link, "If you're reading this, I'm dead!" type goofs have happened!)

    • What happens when you actually do pass on to the great unknown, don't manage to pay your bills, and your (ISP | power company | shell host) kills your service?

    • Or, more simply, what if your next of kin just tag the 'ol power switch?
    Oh well... no person (or thing!) is perfect. Norway is keenly aware of this right now.

    --

    "...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
    1. Re:What's needed is a "dead man's 'bot" by jhines0042 · · Score: 3, Interesting

      Seems like this would be an ideal hosted service. On its regular schedule it sends you an email to remind you to go to the web site. If you don't go to the web site within a certain (configurable) amount of time to "reset" the switch then the action is taken. The action is most likely an email release of some data to certain folks.

      But for a fee it could be something more complicated.

      Of course, keeping this site secure would be most interesting once people started using it for self protection blackmail "you'd better not kill me" purposes like what always happens in the movies.

      --
      42 - So long and thanks for all the fish.
    2. Re:What's needed is a "dead man's 'bot" by epsalon · · Score: 2

      Therefore, you must use at least two (preferably more) of these services, and secret-share it between them. Then, your correspondents will be the only ones to have all shares.

    3. Re:What's needed is a "dead man's 'bot" by kaladorn · · Score: 2

      Interestingly, you could then wire it to installed software which "reset" it automatically when you logged into a system (sending something encrypted with your personal PGP or GPG key or something like that). Thus the resetting does not have to be as onerous as getting regular e-mail. Just "doing business". The only time you'd have a problem is if you went outside of access unexpectedly for more than (some threshold) number of days.

      Even then, a hosted service could use a war dialer to call up your contact numbers and verify your lack of contactability (hence possible demise) before undertaking the "in case of death" instructions.

      These would mostly be notifications of the "we can't find X and our service is setup to notify people of X's possible demise... but we cannot confirm his demise, just his lack of contactability over (some period)." This is better than saying "If you read this, I am dead."

      A managed service like this could be called something like the OmegaOption(c.2002 me) and be a service usable by individuals and corporations providing various service levels depending on how much you wanted to spend (from auto mail outs to more complex legal arrangements and multiple verification levels).

      Damn! If only it were 2 years ago, this weak (but possibly maybe sometime valuable) business idea could have launched 100M in VC funding and a flurry of exciting reviews in trade periodicals!

      Story of my life, good idea, wrong time... ;)

      --
      -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  15. Actually, we need more challenges like this by jukal · · Score: 2

    After seeing the interest in for example the RC5-56 challenge and others, it is a fact that there is a huge amount of people interested in participating in things like this. Maybe a distributed computing project, willing and open to take any (non criminal) tasks would not be that bad an idea after all. If there would be volunteers for building the crunching code using API provided, it would be possible to run projects with quite short lifecycle. I don't see SETI and RC5-56 and similar projects very interesting anymore. The task should be clear, reasonable and the estimated brute forcing time should be reasonable (like in 3 months maximum.) A dozen of little tasks per year, might prove more interesting.

    Anyway, in this particular case, and 99% of others, the password is "IAmGod" :) and in this case probably no distributed brute forcing is needed - just the plain old crackerjack should do. :) .

    1. Re:Actually, we need more challenges like this by jukal · · Score: 2

      > I don't see SETI [berkeley.edu] and RC5-56 [distributed.net] and similar projects very interesting anymore

      Ahem, I meant RC5-64 of course. I guess I am stuck in a time continuum :)

  16. Re:this dosn't make sense. by hyoo · · Score: 5, Funny

    Crack a password, save history.
    Get a cable modem, go to jail. [slashdot.org].

    What kind of crazy backwards world are we living in?


    Ladies and Gentlemen of slashdot it does not make sense. If Chewbacca lives on Endor you must acquit.

  17. A common problem by FatOldGoth · · Score: 2

    Twice in recent years I've had the unhappy task of attempting to recover password protected personal files created by friends who have died. In each case the files contained financial information that the next of kin needed.

    While password security is undoubtedly a good thing, it goes a bit beyond its remit if it locks out the wrong people. In most jobs I've had it has been common practice to keep hardcopies of passwords in sealed and signed envelopes placed in safes. While this is probably overkill for home users it's worth considering doing something like this for your family or friends and letting them know about it. Especially if you're someone I know. I really, really don't want to have to go through this again.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  18. Someone Should Be Sure To Remind Them... by Lethyos · · Score: 2

    ...if the European version of the DMCA is passed, this would be an illegal act, likely to get the participant thrown in jail. Just to generalize, if the system is used commercially as a copy protection scheme by anyone, it would immediately fall under the category of "circumventing a copy protection device" by "cracking" it.

    Of course, I am sure those in charge would happily make exceptions to this rule when it suits them. Still, this could be a great opportunity to speak out against such legislature.

    --
    Why bother.
    1. Re:Someone Should Be Sure To Remind Them... by geekoid · · Score: 2

      actually, if you are hired by the company to crack property that company owns, you are not in violation of the DMCA, because you are authorized to do so.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Someone Should Be Sure To Remind Them... by Lethyos · · Score: 2

      actually, if you are hired by the company to crack property that company owns, you are not in violation of the DMCA, because you are authorized to do so.

      Normally, I would agree with you. However, it seems that the possibility the party that requested the hacking might change their minds and decide to give you a hassle.

      --
      Why bother.
  19. Irony of Ironies by LittleGuy · · Score: 2, Interesting

    When they do crack the files, they'll just find his grocery lists.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  20. Public access? by ciryon · · Score: 5, Funny

    Well? What's the URL so we can all try it? They gotta trust me, I'm Swedish! ;-)

  21. Re:What I've been saying all along by Dman33 · · Score: 2

    A-ha! I knew that was you Mr. Ashcroft!!

  22. Typhoon rips through cemetery; hundreds dead by I+am+Jack's+username · · Score: 2, Informative

    I've put the contact details of who should take over the stuff I run (and the required passwords) in my testament. The only hassle is updating it regularly.

  23. They are lucky! by frits · · Score: 2, Interesting

    They are lucky that this unfortunate employee was not using biometrics to protect the archive.

    1. Re:They are lucky! by phil+reed · · Score: 2

      Biometrics are simply a way of generating a key based on some physical attributes. Cracking the database will likely mean recovering the key via other means. The possibility that biometrics could have been used to generate the key is irrelevant.

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    2. Re:They are lucky! by Peyna · · Score: 2

      Making a cast of his hand would probably be the way to go. Accurate enough and the family probably won't object to it.

      --
      What?
  24. Raises a serious point by ClickNMix · · Score: 4, Insightful

    This is actually a pretty serious issue with any kind of system where only one person has the password.

    The ISP I once worked for nearly went out of business several years back because the only tech with high level access was in a serious car accident and out of action for a month or so.

    It's all very well not writing down passwords, and saying that nothing is going to happen to you, but in the real world, people get ill, run over, fall down etc. - In large companies it's more than likely not a problem, but in a small company that has only one tech person doing everything, people need to make sure there is a plan of action for if that person becomes unreachable for any reason.

    --
    I saw the light at the end of the tunnel... But it was just someone with a flashlight bringing more work.
  25. Heard in Court by NiftyNews · · Score: 2

    "But Your Honor, I had to load all that pirated software on my machine. Norwegian history was at stake!"

  26. Information on Aasen, the Aasen museum and nynorsk by say · · Score: 4, Informative
    Here is some information gathered from the Ivar Aasen museum.

    The National Centre of the New Norwegian Language and Culture

    • Opened June 2000, as a centre for adventure and information on language and cultural matters.
    • Designed by the architect Sverre Fehn, who has received the most outstanding international awards of architecture. Mr Fehn has also designed the Norwegian Glacier Museum at Fjærland.
    • The most modern and sophisticated building in Norway, and a traditional Norwegian country courtyard with four old buildings.
    • Presents a modern exhibition on language throughout the world (you may even find your own language there), the New Norwegian language, Norwegian culture, and an Ivar Aasen Museum, using modern electronic facilities as well as traditional, elegant presentation.
    • All information in the exhibitions will be in Norwegian and English.
    • An in-door concert hall with 110 seats; an outdoor amphitheatre with 300 seats.
    • Concerts, readings, theatre, library, art gallery, conferences, the annual New Norwegian Festival of Literature and Music.
    • In our cafeteria with 50 seats, we plan to serve traditional food and sophisticated new dishes created especially for the Ivar Aasen Centre by some of the best Norwegian cooks.
    • A place for surprises, a nice meal, relaxing walks on easy paths into the nearby woods with glimpses of the Norwegian fjords.

    The New Norwegian Language

    • Norwegian consists of two written languages, Norwegian Bokmål (Dano-Norwegian) and Norwegian Nynorsk (New Norwegian), which are mutually understandable, but based on very different historical traditions.
    • A long union with Denmark (1380-1814) made Danish the only written language for all Norwegians, but in the dialects the old Norwegian language lived on as an oral language.
    • About 1850 Ivar Aasen published a dictionary and a grammar which set the standards for a new written language, The New Norwegian, as a common denominator for the dialects. Improving the cultural and social status of the lower classes, this language played a major role in the development of democracy in Norway.
    • Today, New Norwegian is the main language of 20 % of the inhabitants, mainly in rural districts. Although it is a lesser used language than Dano-Norwegian in general, it is the main language of Western Norway and is used daily in mass media, at schools, churches and in public administration all over the country. 25 % of the Norwegian newspapers are published in New Norwegian, and some of the major theatres and publishing houses use only this language.
    • Some of the best authors write in New Norwegian, e.g. Jon Fosse, whose plays were performed in 14 European countries in the 1990's.

    Ivar Aasen

    • Born at Aasen, close to the Hovden airport, as a son of a poor farmer in 1813. Died in Oslo 1896 as a highly respected intellectual, also abroad. Poet, linguist and founder of the New Norwegian language.
    • Collected words and expressions from the living dialects by walking throughout most of Norway, altogether about 5000 km - more than 3100 miles.
    • Knew more about Norwegian customs, traditions and everyday life in the 19th century than anyone else.
    • Even today, some of his poems and songs are among the most popular.
    • An eager botanist; his collection of 500 flowers and plants is in a very good condition.
    • His linguistic methods are today used in several countries in both Africa and Asia.
    --
    Roses are #FF0000, violets are #0000FF, all my base are belong to you
  27. Simple! by GMontag · · Score: 2

    But I bet he had a dog, it just died during his Viking funeral and can't tell us its name any more.

    If dog's name does not work use "Override".

  28. oh-oh by new+death+barbie · · Score: 2, Informative

    Guess who's become the latest poster child for password escrow?

    --

    It's supposed to be completely automatic, but actually you have to press this button.

  29. Give them to the CEO, CTO, etc.... by Gorbie · · Score: 2

    ...with explicit instructions to ignore the porn, anti-company propaganda, and other contraband they find in your accounts ;)

  30. Good thing it wasn't the US.... by Dark+Nexus · · Score: 2

    I can see it now... "Hacker saves museum database, is charged under DMCA"

    Of course, then the RIAA would sue them, just because they can.

    --
    Dark Nexus
    "Sanity is calming, but madness is more interesting."
  31. Quick! by GodHead · · Score: 2


    What's Norwegian for "password"?

    blahblah Lameness filter is itself lame... ironic...

    --
    Just wait till some crappy band steals your nic.
  32. How about the spaceballs approach by WebMasterJoe · · Score: 2

    Did they try "1,2,3,4,5"?

    "That's the combination for my luggage!"

    --
    I really hate signatures, but go to my website.
  33. And in other news.... by Ooblek · · Score: 4, Funny

    Days ago, Ottar Grepstad, director of the culture center and literary museum on the west coast of Norway, was busy selecting his expert of choice to hack a password known only by a dead man. It has been revealed that only minutes after his public appeal for a skilled hax0r to recover this password, his archive was ow3nd by Kevin Mitnick. The notorious hacker released information found in the archive that seems to indicate that Britney Spears was conceived by using frozen sperm from none other than Mike Tyson himself. The egg donor was only referred to in the archive as "Camilla" and it is suspected she is the same woman that Prince Charles is dating.

  34. How to avoid the problem? by Bodrius · · Score: 2

    I'll rant a bit (it's Slashdot, after all) trying to figure out a way to avoid this in the first place:

    My first instinct is the really low-tech alternative: hire a lawyer to deal with your confidential information when you die. Just like any other "unsolved business" with your state, your passwords, etc. would be given to someone you deem capable of dealing with the issue...

    But almost no one prepares for death that way either, so what are the technical alternatives?

    - A cron job of sorts? Would depend on the server running indefinitely until some stipulated date when it would release the information... if it used some distributed system, it could avoid the vulnerabilities that come to mind at first sight. But a system that requires you to identify yourself and register would require almost as much preparation as the lawyer, and an anonymous system would be too open to abuse (heck, the first too).

    - Some kind of "degrading cryptography"?

    It may seem like defeating the purpose of cryptography in the first place, but assume that we don't want to keep the information secret forever, just for some years... not only do we not care if the information is revealed then, we DEMAND it is revealed at a particular point in time.

    Is there some way to encrypt data such that it can demonstrably be decrypted only after X amount of time?

    I imagine it would be extremely hard to figure out something like that, but maybe someone already has. I can only think of three approaches to not-depend on processor power, both perhaps impossible:

    i) A method that collects information from some constant (data is reliable and at a constant rate) source of information (solar flares?) and needs to collect X amount of information before decrypting the key and revealing it.
    The problem is that in order to ensure this information will make the decryption possible you have to be able to anticipate it. Then anyone can simulate the information at an accelerated pace and get to the key...
    Maybe if we can use the key to select which information to process, and use a source of massive amounts of data, we can make unfeasible to accurately simulate all the data. But that would be trusting our current technical limitations to hold, wouldn't it? Unless we can prove simulating the source is an NP problem...

    ii) Having a system that creates a unique algorithm for the key that needs to be run for X time in order to "degrade" to the key. The idea would be to escape the dependence on external information of the first problem. But even if it's possible, we would need to depend on an external source for a trusted "beacon" or "ticker" that tells how much time has passed.

    iii) Perhaps the only sensible solution (and the last I thought of, obviously): Would it be useful to have digitally signed time measurement on the Internet? An atomic clock owned by some trusted government or international entity that officially tells you "today is time X"?
    You encrypt the key to be decrypted only when a message digitally signed by agency Y confirms a certain date has been reached. When agency Y makes the message "today is time X" public on the Internet, your boss gives that message to the system and the system pops out the password you need. "time X" and "agency Y" could (and would) be made public to all interested parties, but unless "agency Y" cheats, no one can do much about it.
    This could also provide an automated means to publish confidential material whose confidentiality has an expiration date. Declassification would then not require too much work on the part of agencies that have no great interest in declassifying in the first place: once the time is reached, the keys are available and people can decrypt it.

    --
    Freedom is the freedom to say 2+2=4, everything else follows...
    1. Re:How to avoid the problem? by C0vardeAn0nim0 · · Score: 2

      degrading cryptography already exists. it's better known by the term "moore's law".

      as the computational power doubles every 18 months, every 18 months the price and effort required to break older cryptography halves.

      tell me, would you trust enigma to safeguard your information ? or 48 bit cyphers ?

      enigma was unbreakable by the technology existent (paper and pencil) when it was invented, but the british came with a primitive computer that did the job. 48 bit cyphers probably were incredibly safe 15/20 years ago, now any script kiddie with a 1 GHz+ athlon can break it.

      call this "cypher rotting" if you want.

      --
      What ? Me, worry ?
    2. Re:How to avoid the problem? by Bodrius · · Score: 2

      The problem with "that" degrading cryptography is:

      - You cannot predict "when" is your cryptography going to be broken, unless you make it breakable (for someone with enough horsepower) in the present.
      Since your original purpose was to make it unbreakable in the present, you're not going to do that.
      But if you make it strong enough to be confident it's presently secure, you lose the certainty it will be crackable in, say, 20 years or less. Sure, quantum computing may prove to be practical and available... or not. Maybe Moore's Law will allow traditional computing to break it... if the factor suddenly increases by 10.
      Enigma was considered "improbable to be broken", not "unbreakable". The same can be said of 48-bit ciphers. We know better than that now.

      We can have confidence, based on mathematical theorems, that a particular code cannot be broken unless we try all the alternatives... and that will be a fact until either the theorem is disproved, or something makes it incredibly cheap to compute the alternatives. By increasing the key's length, we can make the second factor irrelevant taking into account the Moore's Law (we're still vulnerable to breakthroughs like quantum computing, but they cannot be predicted... and yes, we can make algorithms hard to break for quantum computing). Then the system rests on the theorem's security, and mathematics is notoriously slow in developing revolutions.

      So no, I'm afraid trusting the "no encryption is secure, someone will be able to break it in the future" doesn't work. It's as blind as the "no system is completely secure" and has the same problem: they only apply if the system/algorithm was designed or used under ignorant and unrealistic expectations of what "secure" is. Both are trivially true for most cases, but fail to understand the problem and are false for the important cases.

      We would have more success trusting the bug rate than Moore's Law for this case. Most vulnerabilities in properly designed, analyzed and tested algorithms are in the implementation.
      Maybe if we calculate some statistics on the bug rate of encryption software, we can predict that some vulnerability will probably be found in X program by Y time that will allow the recovery of the key, and trust the statistics.

      --
      Freedom is the freedom to say 2+2=4, everything else follows...
    3. Re:How to avoid the problem? by geekoid · · Score: 2

      "but assume that we don't want to keep the information secret forever, just for some years"
      myth, you could die tomorrow. That means they will need it tomorrow, not after it has degraded in a few years.
      What you do is simple, you keep your passwords in a book next to your computer. really, how many people are breaking into your house to see what's on your computer?

      For your important passwords, put them in an envelope, mail them to yourself, then put that envelope in a fire safe. either a)put that it is there in your will, or tell a few people its there, they can have a locksmith get in when you die, and you WILL die.

      If you're dealing in corp/gov secrets, you need to follow the company's procedures for this, most have one even if they are not using it.
      Tell your boss they need to get something like this in place. If they don't follow your advice, what do you care? you'll be dead when it hits the fan.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  35. The password is BOSCO by SloppyElvis · · Score: 2

    Castanza, you killed my mother.

    This is not troll, I am a human and make funny jokes, haha.

  36. Re:It's probably just ... by LinuxHam · · Score: 2

    trustno1

    lol. literally. caught me off guard. we used that for a domain admin pwd at a former employer during one rotation period.

    --
    Intelligent Life on Earth
  37. As a Dane, all I can say is... by MadFarmAnimalz · · Score: 2

    I knew we shouldn't have let those Norsemen have their own king and all. This is what happens; they lose passwords left and right.

    Besides, I'm sure that the password is just a misspelt Danish word. I mean, c'mon, if you can't pronounce Danish properly, don't go and call it something else, like Swedish or Norwegian...

    --
    Blearf. Blearf, I say.
  38. Hypocrisy by FattMattP · · Score: 2, Troll
    So, the Norwegians arrest one of their own for cracking CSS so he can watch DVDs on his home computer, but when they lose the password to their database, they call on all the "hackers" to come and rescue them? The hypocrisy is staggering. I wouldn't lift a finger to help on mere principle.

    This sort of thing works both ways and the powers that be aren't going to learn that if you come to their rescue. They'll eventually figure out the password, but if you let them do it on their own, and you tell them why you aren't going to assist them then maybe, just maybe, they'll learn a lesson. Something about doing to others as you would have them do to you.

    --
    Prevent email address forgery. Publish SPF records for y
    1. Re:Hypocrisy by Ace905 · · Score: 2, Insightful

      That's a great idea, especially since the world is comprised of "hackers" and "regular people", and each group works like an individual, and 'regular people' actually care what, 'hackers' do - and when 'hackers' are mad - 'real people' sometimes catch on and make the world a better place.

      Oh no wait, that's your stupid pre-pubescent 2600 dream world crashing down around you.

      Actually in the real world, there's a team of guys who can do this, and are already working on it - and only you are thinking about the DeCSS case. Way to fight the revolution couch potato.

      You showed em!

      And the idiots that modded this guy up.... whoa.

      --

      Ace
  39. Info desired to crack the password... by gdyas · · Score: 5, Interesting

    The following info would help:

    • All the names of his family & friends.
    • All the birth/death/anniversary/etc dates he'd know, especially children or parents.
    • Prominent words or phrases displayed in his office.
    • A selection of words germane to his profession.

    Combine that with the dictionary, mix well, apply cracking script and, most likely, open sesame.

    As Richard Feynman used to say about safes, 99.9% of what keeps people from getting in is the perception of security, not real security. This from a guy who used to sneak in & out of Los Alamos at will during the Manhattan project.

    --

    The only tool you've got against psychosis is experience.

  40. Re:Important Information? by _Shad0w_ · · Score: 2, Insightful

    Depends on your view of important.

    Those who forget the past are doomed to repeat it -- George Santayana

    --

    Yeah, I had a sig once; I got bored of it.

  41. I'd say to ask Jon Johannsen, but then the MPAA would just use it to prove that he's an Evil Terrorist Hacker(tm).

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  42. Why Hack? by jellomizer · · Score: 2, Insightful

    Ok you lost the password. There are other ways of getting back to the data and changing it than hacking the computer and compromising security.

    1 You Take the Harddrive out of the PC/Workstation.

    2 Put it on another working PC/Workstation that you do have a password for.

    3 Mount the drive.

    4 Go in that drive /etc/passwd and wipe out the * in the root password

    5 Put the hard drive back in the old computer.

    6 boot it up.

    7 login as root no password asked

    8 change the root password

    This is much simpler than having a person try to hack a password. In case it is a good one, it could take a really long time to crack. Unless of course the guy who knew the password is the only guy in the country that knew how to move a harddrive.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Why Hack? by CarlDenny · · Score: 2, Insightful

      Because it's not an OS password.

      It's a DBase file, with a user name and password. The data in the file has been encrypted based on this user name/password.

      I don't know much about DBase security. I suppose it's possible the data hasn't been encrypted, but DBase won't let you access it. In which case an analogous solution would work: knowing the DBase format, write a program to open the file, ignore the password info, and save it out to a new user/add another user to the list/stream the data out. But I doubt DBase is that unsecure.
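
A defender's check for the state that step 4 of the procedure above leaves behind, added here as an example and not part of the original comments: it lists accounts with an empty password field on an offline-mounted root filesystem. The function names and all sample file contents are constructed, and whether an empty field actually permits login depends on the system's login/PAM configuration.

```shell
#!/bin/sh
# Added example: list accounts whose password field is empty on an
# offline-mounted root filesystem. All sample file contents are constructed.

# Print "user<TAB>file" for every account with an empty password field.
audit_empty_passwords() {
    root=$1
    passwd_file="$root/etc/passwd"
    shadow_file="$root/etc/shadow"
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }

    # /etc/passwd: an empty field 2 means no password; "x" defers to shadow;
    # "*" or "!" can never match a hash, so those accounts are skipped.
    awk -F: 'NF >= 7 && $2 == "" { printf "%s\tpasswd\n", $1 }' "$passwd_file"

    # /etc/shadow: only consulted for accounts that passwd marks with "x".
    if [ -r "$shadow_file" ]; then
        awk -F: '
            FNR == NR { if ($2 == "x") shadowed[$1] = 1; next }
            ($1 in shadowed) && $2 == "" { printf "%s\tshadow\n", $1 }
        ' "$passwd_file" "$shadow_file"
    fi
}

# Build a constructed sample tree and echo its path.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc"
    cat > "$dir/etc/passwd" <<'EOF'
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/etc/shadow" <<'EOF'
root:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(make_sample_root)
audit_empty_passwords "$sample"   # root (passwd) and bob (shadow)
rm -rf "$sample"
```

Run against a disk image mounted read-only, this also shows why the physical-access route needs its own control (full-disk encryption or locked hardware): file permissions on the original system do not apply once the drive is in another machine.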

  43. Re:its sad... by boomer_rehfield · · Score: 2, Interesting

    See...this would be all fine as long as he kept the password locked away in his will so that in the event of his death.... you get the picture...

    --
    Carpe Canem - Seize the Dog
  44. Re:And sometimes... by dadragon · · Score: 3, Funny

    (blinks) Isn't that sort of like "The Germans, not including The French" ?

    No. To a European, "America" == North and South America, including Canada, Mexico, USA, Peru, French Guiana, etc.

    I love it when a European tells me that an average American is so badly schooled that the average European better knows their American history. After asking them who Malcolm Little is, which they never know, and after patiently listening to how some Hollywood movie has history all wrong (what a shocker, that), I usually give them an example of classy European geography like this, and send them on their way.

    1) Who is Malcolm Little?
    2) It's a matter of perspective, a European considers all of North and South America to be "America", Americans and Canadians consider the USA to be "America".

    It's like in Canada, somebody from BC would tell you that the "west" is BC and Alberta, somebody from Alberta will tell you it's BC, Alberta, and maybe Saskatchewan. And somebody from SK will tell you that the "East" is Ontario and Quebec, where somebody from Ontario or Quebec will tell you that they're "Central" Canada, when technically they are not, the centre is in Manitoba.

    --
    God save our Queen, and Heaven bless The Maple Leaf Forever!
  45. If only they used... by JFMulder · · Score: 2

    ... some sort of combination of Windows, IE, Access, VB Script and IIS, I'm sure they wouldn't have to go public with the announcement and just hack their way into it. I think that sysadmins should consider insecure data storage in the future in the case of their death.

  46. Hello... by Loki_1929 · · Score: 2

    Distributed.net

    We get a client, we'll have the password in a couple days. No sweat.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  47. Just a suggestion by sharkey · · Score: 2

    But have they tried "bork-bork-bork" yet?

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  48. Chewbacca Defense In Action by nobody69 · · Score: 2

    INT: Courtroom, Day

    Assistant DA: "The DNA evidence is indisputable!"

    Defense Attorney Han Solo: "I object!"

    Judge: "What grounds?"

    Defense Attorney Chewbacca: "RAWWWWR" (Smashes table over Assistant DA)

    Judge: "Let me suggest a new strategy...Let the wookie win."

    --
    "Bugger this, I want a better world." - Jenny Sparks
  49. Real world solution. by juuri · · Score: 2

    Password, procedures, etc... are *written* down and immediately put in a file which someone in the legal department then puts into your company's secure storage vaults (be they onsite or offsite).

    --
    --- I do not moderate.
    1. Re:Real world solution. by hymie3 · · Score: 2

      Password, procedures, etc... are *written* down and immediately put in a file which someone in the legal department then puts into your company's secure storage vaults (be they onsite or offsite).

      We have all of our important bits written on paper. Paper is enclosed in a sealed envelope. Envelope is locked in the department combination safe. This seems like such an obvious solution to the "got hit by a bus" problem, I'm surprised at the number of IT places that don't have something like this in place.

  50. Should have had a risk management plan for this by fishbowl · · Score: 3, Insightful

    If someone was interested in this data, they should have covered this kind of situation under a risk management plan. Hindsight being 20/20 and all that, they did not, and someone is now holding the bag. Because there is a file that is known to contain the data they want, they hold out hope that it will be salvageable.

    In reality, this situation is almost the same as if a fire had destroyed the building along with the data, or even as if the person responsible for the data intended for it to die with him. There is a chance, however large or small, that the data will be recovered, but from a business perspective, an appropriate response would be to consider it a loss, start collecting the data again, and learn from the experience. Retrieving the data from the encrypted file is an interesting exercise, but one with uncertain results. Push the file into an academic circle and hope for the best.

    In this case, having the file is misleading a management decision, because it appears as if they still have the data. In reality, they do not, unless an unlikely contingency occurs where someone can retrieve it. Since nobody seems to be able to put a delivery date on that retrieval, or even state the degree of certainty with which it can be retrieved, the correct business decision would probably be to consider it lost.

    I'm guessing it's a loss not covered by their insurance.

    This is a harsh assessment of the situation, and I'm only making it because I'm not the one with the data that needs to be recovered :-)

    Another thing I notice is that the party responsible for the data seems interested in limiting the number of people who will get the opportunity to try to crack this, as opposed to just posting the thing to the world as a challenge, perhaps with a reward to the first person to break it. Remember the King Arthur legend -- Arthur wasn't authorized to try for Excalibur!

    The details in the article are sketchy. The title of the Slashdot article seems to be pretty misleading. The file in question doesn't contain the historical documents themselves, but an index to them?

    I'm sorry to hear that a researcher has died in Norway.

    --
    -fb Everything not expressly forbidden is now mandatory.
  51. In Still Other News by milo_Gwalthny · · Score: 3, Funny

    UN Peacekeepers were sent in to Scandinavia today to avert the escalation of an increasingly bitter round of invective between representatives of the area's countries. Tensions began to abate, however, as the traditional taunting gave way to the relatively modern sport of "USA-Bashing."

    --
    Milo
  52. On the guy's missal by stere0 · · Score: 2, Funny
    "I have found a miraculous password to this database, but there is not enough space in the margin for me to write it down"
    --
    Trollem mirabilem hanc subnotationis exigiutas non caperet
  53. Re:And sometimes... by Hallow · · Score: 2

    1) Malcolm Little == Malcolm X
    And if you didn't know, why didn't you go hit google or something?

    2) No, most everybody who says America, no matter where they're from, usually mean folks from the USA. Most Europeans actually like Canadians (and probably South Americans and Mexicans too).

    Heh. I actually have some Canadian friends that tried to argue that they're "Americans" too, and us folks from the U.S.A. shouldn't try to hijack the continent. I brought up the fact that the continent is North America, and they are North Americans, but just "Americans" is usually reserved for the USA because what else would we be called (ok, let's leave off the slurs and slanders a'ight?)?

    "Citizen of the United States of America"?
    "USAian"?
    "United Statesian"?

    Gimmie a break!

  54. Another take on this... by SAFH · · Score: 2

    OK, so thousands (maybe millions) of pages of text may be lost to some guy who was a control freak and decided to compress and encrypt a database[0], but the short term benefits of this are not entirely being used. Anti-DMCA and Anti-Euro-DMCA, showing the world that 'hackers' (White, Black, Grey, Blue, etc...) are not the evil bane of existence of the Internet.

    Granted, I'm not a fan of Norgys, particularly due to an IRC channel I'm on that has had to ban *.no because of constant "A/S/L?" and mass-msg "Hi, I am a cute girl from Norway, do you want to cyber?" messages... but the point being... there -is- the chance that the Norgys did something -GOOD- for once. What if this is a spoof, hoax, trick... a Library/Institution that decided that people do actually need hackers in the world to work on all those stupid problems that otherwise would go unaddressed because people are stupid and lazy.

    Erm... maybe... then again, maybe not, and well - that's giving Norgys a lot of credit...

    0. However to the best of my knowledge, dBase passwords are very easy to break

    --

    I cannot confirm nor deny the allegation or allegations you may or may not have just made

  55. If they had been using MS Passport by slickwillie · · Score: 2

    Then it would be a lot easier to get the password.

    Too bad the Lone Gunmen aren't available.

  56. Decrypt vs. Rebuild by billstewart · · Score: 2
    Several people have suggested that the database is in dBase4 and that there are $29 utilities for cracking it, which sounds like the obvious right choice. But suppose it had been in a more securely encrypted format, and an initial guess of easy passwords had failed. Do you temporarily divert SETI@HOME to search for signals that aren't in alien languages, just NyNorsk? Or do you go for non-free computing services, and if so, how much do you spend and how long does it take?

    Or do you hire a clerk to rebuild the database by looking through the books? At some point, that probably wins, at least to the extent that the indexing is mostly gruntwork rather than creative thought. That doesn't mean it's not worth posting the file to the web and asking for volunteers to hack it, which would be a fine idea.

    A long long time ago, on an IBM System34 far far away, somebody out in the shop wanted to turn off his welder by flipping circuit breakers, and found the computer room before he found the welder, and the 34's quaint little operating system wasn't designed for that sort of thing; the open file which represented six or seven hours of typing by our accounting clerk got truncated to its last good state. I spent about 5 hours on the phone with IBM tech support doing the hexedit on the disk drive to find the right pointers and patch it so we could recover the file. If it had taken much longer, we'd have been better off retyping the thing.... But of course, sometimes you only know that in hindsight.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  57. Imagine the scenario.. by Ogerman · · Score: 2

    Ah auh ahhh.. You didn't say the magic word..

    Ah auh ahhh..

    Ah auh ahhh...