<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce">
    <title>gmane.comp.security.openwall.announce</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/130"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/129"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/128"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/127"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/126"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/125"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/124"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/123"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/122"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/121"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/120"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/119"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/118"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/117"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/116"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/115"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/114"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/113"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/112"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.openwall.announce/111"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/130">
    <title>[openwall-announce] new Owl on CD; JtR 1.7.6-jumbo-7</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/130</link>
    <description>&lt;pre&gt;Hi,

This is to announce two things at once:

1. The July 29 snapshot of Owl-current is now available for purchase on CD
(both 32- and 64-bit):

http://www.openwall.com/Owl/order

(in fact, it's been available on CD since August 7).

2. The jumbo patch for John the Ripper is now up to revision
1.7.6-jumbo-7 adding MSCHAPv2, several external modes, bugfixes, and
license updates:

http://www.openwall.com/john/#contrib

More detail on the changes:

http://www.openwall.com/lists/john-users/2010/08/22/1

Alexander

&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-08-22T18:46:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/129">
    <title>[openwall-announce] new Owl ISOs; JtR news; books; another phpass article</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/129</link>
    <description>&lt;pre&gt;Hi,

As usual, this is a cumulative announcement for several things at once.
I'll start with the newest and most important (for us at least):

1. New ISO images and pre-created OpenVZ container templates of
Owl-current for i686 and x86-64 are available on our FTP mirrors.  The
ISOs are also available via direct download links on the Owl homepage:

http://www.openwall.com/Owl/

We have once again updated Owl to use OpenVZ's latest kernel from their
"rhel5" branch, and we've switched to using RPM-packaged kernels, but in
a way allowing for easy non-packaged builds as well.  At the same time,
we've introduced support for the ext4 filesystem (in fact, it is now
offered by default for new installs), and we've improved CD bootup and
the installer ("settle") in numerous ways.  The packages of passwdqc,
strace, lftp, tcb, JtR, and Postfix have been updated to new versions,
and changes have been made to several other packages.  Please refer to
the more detailed announcement on owl-users:

http://www.openwall.com/list&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-08-03T01:06:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/128">
    <title>[openwall-announce] JtR 1.7.6 is stable; Solaris packages; GI John; 1.7.6-jumbo-4</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/128</link>
    <description>&lt;pre&gt;Hi,

John the Ripper 1.7.6, originally released as a development version
because of the extent of the changes made, has just been re-labeled the
new stable version.  There hasn't been a single bug report against this
version since it was released over two weeks ago, yet people
successfully built, ran, and some even packaged it on a variety of
operating systems.  Specifically:

Steven M. Christensen of Sunfreeware has produced packages of JtR 1.7.6
for many versions of Solaris, both SPARC and x86, including both 32-bit
and 64-bit builds.  I've mirrored them here:

http://download.openwall.net/pub/projects/john/contrib/solaris/

GI John - Grid Implemented John the Ripper, a curious non-Openwall
project - has been updated to build upon JtR 1.7.6-jumbo-3:

http://gijohn.info

Meanwhile, I've updated the jumbo patch with some fixes to KRB5_*, which
were previously discussed on john-users.  The new revision is
1.7.6-jumbo-4, but that's a very minor update (compared to -jumbo-3):

http://www.openwall.com/john/#cont&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-07-05T05:45:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/127">
    <title>[openwall-announce] Owl-current on CD; JtR DES crypt(3) and LM hash speedup</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/127</link>
    <description>&lt;pre&gt;Hi,

As usual, this is a cumulative announcement for several things at once.
These were previously tweeted about - http://twitter.com/openwall - and
posted on the news page - http://www.openwall.com/news

For this announcement, I'll group them into two categories:

1. It is now possible to get Openwall GNU/*/Linux -current snapshots on
CD (with delivery worldwide) - 32-bit and/or 64-bit (your choice).  The
pricing starts at $9.35 (which just covers our costs), but you're
encouraged to pick a more expensive option (which supports our project):

http://www.openwall.com/Owl/order

The intent is to keep recent -current snapshots available for purchase
on CD along with releases, although that will depend on demand or lack
thereof.  Previously, only the last release was available for purchase
on CD.

2. John the Ripper's bitslice DES code is being re-worked much further,
resulting in greater ease of use on multi-core systems, as well as in
major per-core speedups at LM hashes.

This includes optional OpenMP parall&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-07-04T23:11:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/126">
    <title>[openwall-announce] passwdqc updates; JtR SHA-crypt/OpenMP tutorials; JtR MPI patch</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/126</link>
    <description>&lt;pre&gt;Hi,

This is to announce several things at once:

0. Besides staying on this mailing list, it is now possible to receive
more timely updates by following us on Twitter:

http://twitter.com/openwall

I've already made a few initial tweets to set the expectations.

1. A new version of our password/passphrase strength checker,
passwdqc 1.2.2, has been released.  This version makes minor Makefile
updates to make the "install" and "uninstall" targets with their default
settings friendlier to Solaris systems:

http://www.openwall.com/passwdqc/

At the same time, a wiki page with detailed Solaris-specific
instructions on setting up passwdqc has been created:

http://openwall.info/wiki/passwdqc/solaris

2. A Python package re-implementing some algorithms from passwdqc has been
created by Alastair Houghton.  It is found on the passwdqc contributed
resources list:

http://www.openwall.com/passwdqc/#contrib
http://alastairs-place.net/pwtools/

3. Detailed tutorials on cracking/auditing SHA-crypt hashed user
passwords o&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-06-23T02:46:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/125">
    <title>[openwall-announce] JtR 1.7.6 (and -jumbo-2); tcb 1.0.6; bitslice DES; articles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/125</link>
    <description>&lt;pre&gt;Hi,

This is to announce several items at once:

1. John the Ripper 1.7.6 is out:

http://www.openwall.com/john/

The additions and changes since 1.7.5 are as follows:

* Generic crypt(3) support (enabled with "--format=crypt") has been
added for auditing password hash types supported by the system but not
yet supported by John's own optimized cryptographic routines (such as
"SHA-crypt" and SunMD5).

* Optional parallelization of the above has been implemented by means of
OpenMP along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C).

* Optional parallelization of John's own optimized code for the
OpenBSD-style Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has
been added.

* A more suitable version of 32-bit x86 assembly code for Blowfish is
now chosen on Core i7 and similar CPUs (when they happen to run a 32-bit
build of John).

* More optimal DES S-box expressions for PowerPC with AltiVec (making
use of the conditional select operation) contributed by Dumplinger Boy
(Dango-Chu) have been integra&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-06-15T06:24:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/124">
    <title>[openwall-announce] How to manage a PHP application's users and passwords; JtR &amp; OpenMP</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/124</link>
    <description>&lt;pre&gt;Hi,

This is to announce two items at once:

1. Last month, I wrote and submitted a lengthy article for the Month of
PHP Security (MOPS).  This article, entitled "How to manage a PHP
application's users and passwords", is now published on the MOPS website:

http://php-security.org/2010/05/26/mops-submission-10-how-to-manage-a-php-applications-users-and-passwords/index.html

In this article/tutorial, I will guide you through the steps needed to
introduce proper (in my opinion at least) user/password management into
a new PHP application.  I will start by briefly explaining
password/passphrase hashing and how to access the database safely.  Then
we will proceed through several revisions of the sample program.  We'll
start with a very simple PHP program capable of creating new users only
and having some subtle issues.  We will gradually improve this program
adding functionality (logging in to existing user accounts, changing
user passwords, and enforcing a password policy) and "discovering" and
dealing with the&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-05-27T23:45:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/123">
    <title>[openwall-announce] JtR 1.7.5-jumbo-3; phpass 0.3; password recovery updates</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/123</link>
    <description>&lt;pre&gt;Hi,

This is to announce three news items at once.  I'll start with the latest:

1. The jumbo patch for John the Ripper 1.7.5 has been updated to
revision 3.  Most notably, this adds documentation on LM/NTLM
challenge/response authentication cracking (doc/NETNTLM_README),
improves the netntlm.pl script, and adds the "--config" option to
"john".  These changes have been contributed by JoMo-Kun:

http://www.openwall.com/john/#contrib
http://www.openwall.com/lists/john-users/2010/04/14/4

2. There's a new revision of our PHP password hashing framework -
phpass 0.3:

http://www.openwall.com/phpass/

This revision no longer requires the getmypid() PHP function (which a
few shared hosting providers disable) and it recognizes the "$H$" hash
encoding prefix (as used by phpBB3).

Also, the size of an array in the C reimplementation, which is unused by
the framework itself and is meant for testing the correctness of the PHP
implementation only, has been corrected.  (Obviously, I was careless
about that code; I should &lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-04-25T09:07:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/122">
    <title>[openwall-announce] passwdqc 1.2.1; C/R algorithms</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/122</link>
    <description>&lt;pre&gt;Hi,

This is to announce two minor items at once:

1. passwdqc 1.2.1 is out:

http://www.openwall.com/passwdqc/

In this version, a password strength check has been adjusted to no
longer subject certain passwords that start with a digit and/or end with
a capital letter to an unintentionally stricter policy.

Those interested in more detail about this change may refer to the
verbose commit message and maybe the code changes here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/passwdqc_check.c?only_with_tag=PASSWDQC_1_2_1

2. I've published a couple of enhanced challenge/response authentication
algorithms that I came up with while working on popa3d 10+ years ago:

http://openwall.info/wiki/people/solar/algorithms/challenge-response-authentication

The goal was to address the major drawback of existing simple C/R
schemes such as APOP and CRAM-MD5 (where these would require storage of
plaintext passwords or of plaintext-equivalents on the server, thereby
possibly making the setup less &lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-03-29T12:52:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/121">
    <title>[openwall-announce] new OpenVZ kernel, new Owl ISOs and OpenVZ container templates</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/121</link>
    <description>&lt;pre&gt;Hi,

Today's ISO images and pre-created OpenVZ container templates of
Owl-current for x86 and x86-64 are currently propagating to our FTP
mirrors.  The ISOs are also available via direct download links right
off the Owl homepage:

http://www.openwall.com/Owl/
http://www.openwall.com/Owl/DOWNLOAD.shtml

We have updated Owl to use OpenVZ's latest kernel from their "rhel5"
branch (released on 03/18), with RHEL5 patches further updated from
Red Hat's latest stable kernel (released on 03/16) and with some minor
changes of our own.  Thus, we're ahead of OpenVZ official kernels in
terms of security fixes right now, and there have been quite a few of
those lately...

The packages of gzip, VIM, tcb, JtR, tcsh, quota, passwdqc, libnids,
pciutils, hdparm, and tar have been updated to new versions or
patchlevels, and changes have been made to several other packages (cpio,
glibc, bash to name a few).

Please refer to the Owl-current change log for more information on some
of the changes:

http://www.openwall.com/Owl/CHAN&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-03-23T03:51:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/120">
    <title>[openwall-announce] passwdqc 1.2.0, screenshots, policy considerations, passwdqc-users mailing list</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/120</link>
    <description>&lt;pre&gt;Hi,

passwdqc, our proactive password/passphrase strength checking and policy
enforcement toolset, has been enhanced in many ways, bringing it up to
version 1.2.0:

http://www.openwall.com/passwdqc/

The pwqcheck program is now directly usable as the passwordcheck program
on OpenBSD - that is, to check users' passwords as they're set with the
"passwd" program, much like it is done on systems with PAM.  The man page
for pwqcheck and the PLATFORMS file have been updated to provide brief
instructions on setting this up:

http://www.openwall.com/passwdqc/PLATFORMS.shtml

pwqcheck is now also able to check multiple passwords/passphrases at
once - e.g., for policy testing on large password/passphrase lists.
Simply running "pwqcheck -1 --multi" reads passwords/passphrases to
check from standard input (until EOF) and prints the check status for
each.  This functionality was in fact used on large publicly-available
lists of cracked passwords to see/verify the effect of other changes
made in this version of passwdqc (&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-03-16T15:24:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/119">
    <title>[openwall-announce] file archive; wiki pages; JtR MPI patch</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/119</link>
    <description>&lt;pre&gt;Hi,

This is to announce three items at once, mostly related to John the Ripper
password cracker.

1. We've set up the Openwall file archive - a locally-hosted web-based
archive with current and old revisions of Openwall software releases,
user contributions, and other related files.  Previously, this content
was only available via FTP locally and from the mirrors.

The file archive is available at:

http://download.openwall.net

Of specific interest are user contributions and other files related to
John the Ripper (269 files as of this writing):

http://download.openwall.net/pub/projects/john/contrib/

Many directories contain README.txt files, which are automatically
displayed below the file lists.

2. New community wiki pages have been created on topics related to John
the Ripper: "How to retrieve and audit password hashes from remote Linux
servers" and "Sample password hash encoding strings":

http://openwall.info/wiki/john/tutorials/remote-linux
http://openwall.info/wiki/john/sample-hashes

Further contr&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-03-11T22:53:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/118">
    <title>[openwall-announce] JtR 1.7.5-jumbo-1 builds; jumbo patch update; passwdqc wiki page</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/118</link>
    <description>&lt;pre&gt;Hi,

This is to announce three items at once:

1. Erik Winkler has contributed Win32 and Mac OS X builds of John the
Ripper 1.7.5 with revision 1 of the jumbo patch.  I've placed these into
the contrib/ directory and updated the links at:

http://www.openwall.com/john/#contrib

The Mac OS X build is usable on a wide range of Mac hardware and
versions of Mac OS X - it is a universal binary with four architectures
and it is statically-linked against Erik's special build of OpenSSL.
Additionally, it uses faster bitslice DES S-box code for PowerPC with
AltiVec by Dumplinger Boy (Dango-Chu).

I posted some further detail on the Mac OS X build to john-users:

http://www.openwall.com/lists/john-users/2010/03/02/3

2. The jumbo patch for JtR 1.7.5 has been updated to revision 2.  It
turned out that I had inadvertently omitted a file from a pre-1.7.5 CVS
commit introducing the "p" numeric variable into the word mangling rules
engine.  I've included this functionality into 1.7.5-jumbo-2 now, and
indeed it will be in t&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-03-02T20:32:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/117">
    <title>[openwall-announce] JtR 1.7.5; tcb 1.0.5</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/117</link>
    <description>&lt;pre&gt;Hi,

This is to announce two updates at once:

1. John the Ripper version 1.7.5 is out, along with its corresponding
jumbo patch update.  This is yet another development version.  There was
no specific focus for this update, so a variety of minor enhancements
were implemented (mostly in response to requests made, questions asked,
and issues raised on the john-users mailing list lately).

http://www.openwall.com/john/
http://www.openwall.com/john/#contrib

The changes since 1.7.4.2 are as follows:

* Support for the use of "--format" along with "--show" or "--make-charset"
has been added.

* The choice of .rec and .log filenames for custom session names has been
made more intuitive.

* A new numeric variable has been added to the word mangling rules engine:
"p" for position of the character last found with the "/" or "%" commands.

* Support for "\r" (character lists with repeats) and "\p0" (reference
to the immediately preceding character list/range) has been added to the
word mangling rules preprocessor.

*&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-02-26T03:25:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/116">
    <title>[openwall-announce] Linux 2.4.37.9-ow1; tcb 1.0.4; crypt_blowfish 1.0.4; JtR 1.7.4.2-jumbo-3</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/116</link>
    <description>&lt;pre&gt;Hi,

This is to announce four minor updates at once:

1. The Linux 2.4 kernel patch has been updated to Linux 2.4.37.9.  One
of the changes made between 2.4.37.7 and 2.4.37.9 is a security fix for
the e1000 Ethernet driver issue that could have allowed remote attackers
to bypass packet filters (CVE-2009-4536).  The Linux 2.4.37.9-ow1 patch
additionally includes a post-2.4.37.9 fix for FAT filesystems:

http://www.openwall.com/linux/

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.8
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.9
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=940716e5206ebda003fca89b4ac1076b1fff5c99

2. We've released version 1.0.4 of our tcb suite (which implements the
alternative password shadowing scheme on Owl).  In this version, a
non-security buffer overflow bug with more than NGROUPS_MAX groups per
user has been fixed.  We do not treat the bug as a security issue&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-02-24T17:38:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/115">
    <title>[openwall-announce] new Owl ISOs, OpenVZ container templates; Debian integrates new passwdqc</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/115</link>
    <description>&lt;pre&gt;Hi,

This is to announce two unrelated items at once: Owl updates and
Debian's integration of new versions of passwdqc.  Let's start with Owl:

Fresh ISO images and pre-created OpenVZ container templates of
Owl-current for x86 and x86-64 (generated a few hours ago) are available
on our FTP mirrors (maybe not on all yet, but should be by tomorrow).
There are also direct download links for the ISOs on the Owl homepage:

http://www.openwall.com/Owl/

Yes, we're now generating not only ISOs, but also OpenVZ container
templates of the Owl userland.  These may be used on Owl and/or on other
Linux systems with OpenVZ.  The templates are found under
/pub/Owl/current/vztemplate on our FTP mirrors.  The size of an Owl
template file is around 120 MB, and a container instantiated from it
occupies around 400 MB of disk space.  This compares favorably with
pre-created templates of other Linux distros found on openvz.org
considering that our template is actually an almost-complete install of
the Owl userland, including all&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-01-28T22:41:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/114">
    <title>[openwall-announce] JtR 1.7.4.2 and jumbo patch update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/114</link>
    <description>&lt;pre&gt;Hi,

John the Ripper version 1.7.4.2 is out, along with its corresponding
jumbo patch update.  This is another development version, and this time
the focus was on performance improvements with very large password files
or sets of files.

http://www.openwall.com/john/
http://www.openwall.com/john/#contrib

The changes since 1.7.4 are as follows:

* Major performance improvements for processing of very large password
files or sets of files, especially with salt-less or same-salt hashes,
achieved primarily through introduction of two additional hash table
sizes (64K and 1M entries), changes to the loader, and smarter
processing of successful guesses (to accommodate getting thousands of
hashes successfully cracked per second).

* Many default buffer and hash table sizes have been increased and
thresholds for the use of hash tables lowered, meaning that John will
now tend to use more memory to achieve better speed (unless it is told
not to with the "--save-memory" option).

* Some previously missed common website&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2010-01-19T11:07:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/113">
    <title>[openwall-announce] JtR 1.7.4 and jumbo patch update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/113</link>
    <description>&lt;pre&gt;Hi,

John the Ripper 1.7.4 is out, along with its corresponding jumbo patch
update.  This is a development version focusing on many improvements to
the word mangling rules engine.

http://www.openwall.com/john/
http://www.openwall.com/john/#contrib

The changes since 1.7.3.4 are as follows:

* Support for back-references and "parallel" ranges has been added to
the word mangling rules preprocessor.

* The notion of numeric variables (to be used for character positions
and substring lengths along with numeric constants supported previously)
has been introduced into the rules engine.  Two pre-defined variables
("l" for initial or updated word's length and "m" for initial or
memorized word's last character position) and 11 user-defined variables
("a" through "k") have been added.  Additionally, there's a new numeric
constant: "z" for "infinite" position or length.

* New rule commands have been added: "A" (append, insert, or prefix with
a string), "X" (extract a substring from memory and insert), "v"
(subtract a&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2009-12-26T13:42:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/112">
    <title>[openwall-announce] Owl moves to 2.6 kernels, integrates OpenVZ; new ISOs</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/112</link>
    <description>&lt;pre&gt;Hi,

Fresh ISO images of Owl-current for x86 and x86-64 (generated today) are
available on our FTP mirrors (well, maybe not on all yet, but should be
by tomorrow).  There are also direct download links on the Owl homepage
(pointing to a specific already-updated and fast mirror):

http://www.openwall.com/Owl/

These ISOs represent a major development milestone.  We have replaced
the default kernel with a 2.6 OpenVZ one (featuring optional
container-based virtualization), we've integrated OpenVZ tools (vzctl
and vzquota packages needed to create, control, examine, and/or destroy
OpenVZ containers), and we've dropped support for Linux 2.4 kernels
(although they're still supported in the maintained Owl 2.0-stable
branch - until our next release).

Besides various changes related to the new kernel and OpenVZ
integration, we happened to update vsftpd and diffstat to new upstream
versions.

Please refer to the Owl-current change log for more detailed information
on the changes:

http://www.openwall.com/Owl/CHANGES-&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2009-11-23T22:57:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/111">
    <title>[openwall-announce] Linux 2.4.37.7-ow1; passwdqc 1.1.4; new Owl ISO; public domain source code snippets</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/111</link>
    <description>&lt;pre&gt;Hi,

This is to announce several things at once:

1. Linux 2.4.37.7-ow1 is out:

http://www.openwall.com/linux/

This is merely an update of the patch to the new 2.4.37.7 kernel
release, which fixes a number of security-related bugs:

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.7

One of these is documented as "fs: pipe.c null pointer dereference".
Let me use this opportunity to remind you that having vm.mmap_min_addr
set to a non-zero value is a must (e.g., it is set to 98304 on the
system I'm typing this on).  There are way too many NULL pointer
dereference bugs and they are and will be getting discovered too often
for reasonably keeping systems up-to-date with the fixes.  A better
strategy may be to treat possible vm.mmap_min_addr bypass bugs as higher
severity ones, simply because there's an expectation that there are a
lot fewer of these (if any are still left).  This is the strategy we're
going to use for Owl.  vm.mmap_min_addr has defaulted to non-zero
(specifically, 32768) in -ow pat&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2009-11-19T01:55:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.openwall.announce/110">
    <title>[openwall-announce] fresh Owl ISOs; Linux 2.4.37.6-ow1; Packetfactory mirror</title>
    <link>http://permalink.gmane.org/gmane.comp.security.openwall.announce/110</link>
    <description>&lt;pre&gt;Hi,

This is to announce three items at once (yes, I will be trying to make
postings to this list less frequent):

1. Fresh ISO images of Owl-current for x86 and x86-64 (generated on
October 25) are available on our FTP mirrors.  There are also direct
download links on the Owl homepage:

http://www.openwall.com/Owl/

These ISOs use Linux 2.4.37.6-ow1 as the kernel, and, compared to last
month's ISO snapshots, they contain updated versions of many packages
(vsftpd, iptables, passwdqc, cpio, e2fsprogs, strace, VIM, and xinetd),
as well as minor changes to some other packages.  As usual, the major
changes are documented:

http://www.openwall.com/Owl/CHANGES-current.shtml

Like last month, these updates are due to work by Dmitry V. Levin,
Michail Litvak, and me.

2. Speaking of the kernel, Linux 2.4.37.6 fixes a number of information
leak vulnerabilities.  One of these was already fixed in 2.4.37.5-ow1
(as used in last month's Owl-current ISOs), and the remaining ones may
or may not affect specific systems depen&lt;/pre&gt;</description>
    <dc:creator>Solar Designer</dc:creator>
    <dc:date>2009-10-26T08:29:29</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.openwall.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.openwall.announce</link>
  </textinput>
</rdf:RDF>
