Wow check this out... Warning for all...


    #65792
    Freejack_
    Member

    Ok I grabbed this a while back and thought I would run it to see some differences in testing hardware. Well what I have found is not so nice... So do we blindly accept things from people because we trust them and then redistribute them because of who we are?

    Beware Linux Q Public... Malware abounds in source. I think the package speaks volumes.

    Malware@#gfw78v6cysqv /home/*****/.phoronix-test-suite/installed-tests/pts/john-the-ripper-1.4.1/john-1.7.9-jumbo-7.tar.gz| /home/*****/.phoronix-test-suite/installed-tests/pts/john-the-ripper-1|john-1.7.9-jumbo-7/src/john.com

    I understand why this is in there, but there should have been a warning with the package. This is a password ripper, so why is it in a testing suite for graphics and why on install is it creating its own links to keepass2john and keychain2john. What is it databasing for?

    The more I look the more I don't like...

    This is in the install:

    rm -f ../run/unshadow
    ln -s john ../run/unshadow
    rm -f ../run/unafs
    ln -s john ../run/unafs
    rm -f ../run/unique
    ln -s john ../run/unique
    rm -f ../run/undrop
    ln -s john ../run/undrop
    rm -f ../run/ssh2john
    ln -s john ../run/ssh2john
    rm -f ../run/pdf2john
    ln -s john ../run/pdf2john
    rm -f ../run/rar2john
    ln -s john ../run/rar2john
    rm -f ../run/zip2john
    ln -s john ../run/zip2john

    I understand this is during the build but what does this need with ssh2, keepass2, and keychain2? I think this is collecting information.

    #70557
    linuxgnuru
    Participant

    I think they call it free databasing…#drugreference

    #70558
    strider
    Participant

    John is a bruteforce password cracking tool and measuring the time required to crack a given password can be a metric in a benchmark (PTS is not a graphics benchmarking suite, it tests everything).
    The stuff in the install script is nothing to worry about; what would be very disturbing is if the PTS would start peeking at /etc/shadow (but it won't since you do not run it as root) or maybe even worse your keepass files (which it theoretically could, but is very unlikely since the code is open).

    My guess is that the John benchmark provides a fake password file with kinda weak passwords and is used as a reference for brute forcing passwords.

    It's very likely that the other utilities (unshadow, ssh2john) are not even used but are part of the John base install (it's quite common for a program to link itself with different names in order to set different options at runtime based on the filename).
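    The "one binary, many names" pattern strider describes, shown as an added example that is not code from the thread or from John the Ripper itself. The program picks its mode from the basename of argv[0], which is exactly what the `ln -s john ../run/unshadow` lines in the quoted install script set up. The mode table here is hypothetical (it only reuses names that appear in the quoted script). It also includes a defender-side check, same_file(), that confirms two paths resolve to the same inode, which is the quickest way to verify that such links are aliases for one binary rather than separate programs.

```c
/* Added example: argv[0]-based mode selection (the pattern behind
 * "ln -s john ../run/unshadow") plus a check that linked names really
 * resolve to a single file. Not John's own code; the mode table is
 * hypothetical and reuses only names from the quoted install script. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum tool_mode { MODE_MAIN, MODE_UNSHADOW, MODE_UNIQUE, MODE_SSH2JOHN, MODE_UNKNOWN };

/* Hypothetical name -> mode table (the real program keeps its own). */
static const struct { const char *name; enum tool_mode mode; } modes[] = {
    { "john",     MODE_MAIN },
    { "unshadow", MODE_UNSHADOW },
    { "unique",   MODE_UNIQUE },
    { "ssh2john", MODE_SSH2JOHN },
};

/* Basename of a path: everything after the last '/'. */
static const char *path_basename(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Map argv[0] as the shell passed it ("../run/unshadow", "john", ...)
 * to a mode; unknown names fall back to MODE_UNKNOWN. */
enum tool_mode mode_from_argv0(const char *argv0) {
    const char *base = path_basename(argv0);
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        if (strcmp(base, modes[i].name) == 0)
            return modes[i].mode;
    return MODE_UNKNOWN;
}

/* Defender check: do paths a and b (symlinks followed) name the same
 * inode on the same device? 1 = yes, 0 = no, -1 = one cannot be stat'ed. */
int same_file(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

int main(int argc, char **argv) {
    (void)argc;
    /* The same executable behaves differently depending on the name
     * it was invoked under; nothing else about the file changes. */
    switch (mode_from_argv0(argv[0])) {
    case MODE_MAIN:     puts("invoked as john: main mode");      break;
    case MODE_UNSHADOW: puts("invoked as unshadow: unshadow mode"); break;
    case MODE_UNIQUE:   puts("invoked as unique: unique mode");   break;
    case MODE_SSH2JOHN: puts("invoked as ssh2john: ssh2john mode"); break;
    default:            puts("invoked under an unknown name");    break;
    }
    /* Verifying an install like the quoted one: both names should map
     * to one inode (paths are assumed relative to the run/ directory). */
    printf("run/unshadow is run/john: %d\n", same_file("run/john", "run/unshadow"));
    return 0;
}
```

    To apply the check to a real install, point same_file() (or `stat -c '%d:%i'` on each name from a shell) at the john binary and each linked name in the run directory; every link created by the quoted script should report the same device and inode.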

    #70560
    PizzaDude
    Member

    #70564
    Freejack_
    Member

    PizzaDude I understand what he says, but on that note if it doesn't use keepass, keychain, or ssh2 then why are they in the source. I know what bruteforce password crackers are and every one I have ever used doesn't use them. They use a dictionary or a list of preset passwords along with scripts to compile a password or crack a hash. I will just have to run it and see what it does in the process as in where it goes. This would be one way to compile one hell of a database on passwords.
