If You Can't Beat 'Em, Buy 'Em

I don't know Symantec's PR people, but I think I might hire them. Let me explain why.

A long time ago, I was a columnist for a magazine called "Compute!". (No, the exclamation point isn't there because I was excited about it.) I wrote a monthly column about PC hardware and topics such as how mice work, how to buy a SCSI drive, and what's the difference between a hub and a switch.

Someone must've been reading the magazine, because I'm told that it sold pretty well, and I got a lot of email. So, I was surprised when my editor told me that I didn't have to file any more columns. He hastened to add that it wasn't anything personal; I was just one in a long list of people he had to call because the magazine was shutting its doors. Another firm was starting a new magazine aimed at the same audience, and to avoid troublesome competition, the well-funded company was buying Compute! magazine--and then shutting it down. I'm not trying to beat up on the folks who bought Compute!, as it really didn't do me any harm. It seemed a nearly unique event--capitalism in its ultimate expression. So, I was quite surprised to see it happen to another company.

Anyone who's involved with security knows that one of the biggest challenges for a security officer is managing passwords. Good password-auditing tools are a must-have; as the saying goes, "bad passwords always beat good security." If you've never used one of these tools, then you're probably wondering, "What the heck is a password auditing tool?" To be honest, it's just a password *cracking* tool. You log on to a domain controller (DC) as a domain administrator and start a program that pulls out the hashed passwords (obscured versions of the passwords that OSs store instead of actual passwords) from the DC's hard drive, then reverse-engineers the hashed passwords into their original, unhashed form.

I'm not trying to prove that the password-cracking program can crack passwords; by definition it can. If given enough time, any password-cracking program will crack any password hash. What's important is how long it will take the cracker to crack the password hash. A well-chosen password, in theory, requires more time to crack than the Sun's expected lifetime. Poorly chosen passwords--those that include actual words, someone's name, important dates, or fewer than eight characters--can usually be cracked in a matter of minutes.

Over the years, three major password-cracking programs have appeared: Cain and Abel, John the Ripper, and L0phtCrack. The hacker group that wrote L0phtCrack later became security consultants. (I'm giggling at the thought, too.) The group changed the company name to "@stake," prettied up the UI, and renamed the L0phtCrack program "LC5." LC5 had a very nice feature called "audit mode." You could use audit mode to crack passwords without being shown the actual passwords. Instead, the tool would tell you how long it took to crack each password. This was excellent because it countered a large objection to password crackers: privacy violations. If I'm a domain administrator at Boeing and start cracking the vice president's passwords on some DC, a lot of people would be reasonably troubled, and I'd soon be looking for a job or, worse, a defense attorney. But by offering the audit-only option, @stake turned a seemingly sinister tool into one that makes good management sense.
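To make the time-to-crack argument and the audit-mode idea concrete, here is an added example (not code from the column, from @stake, or from LC5): it scores a candidate password against the rules of thumb above and reports a verdict and a time estimate, never the password itself. The wordlist, the guess rate and the Sun-lifetime figure are constructed assumptions, not measured values.

```python
import math
import re
import string

# Constructed toy wordlist standing in for a real dictionary/name list (assumption).
WEAK_WORDS = {"password", "welcome", "boeing", "symantec", "michael", "summer"}

# Assumed guess rate; real rates depend on the hash algorithm and the hardware.
GUESSES_PER_SECOND = 1e10
# Roughly five billion years, the Sun's remaining lifetime (assumption used as a yardstick).
SUN_LIFETIME_SECONDS = 5e9 * 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes covering every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable punctuation characters
    return size or 1


def weakness_reasons(password: str) -> list:
    """The column's rules of thumb: real words or names, dates, fewer than eight characters."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if any(w in lowered for w in WEAK_WORDS):
        reasons.append("contains a dictionary word or name")
    if re.search(r"(19|20)\d{2}|\d{1,2}[/-]\d{1,2}", password):
        reasons.append("contains a date")
    return reasons


def expected_crack_seconds(password: str) -> float:
    """Expected time: a word-based password falls to a wordlist pass (a few variations per
    word), anything else is modelled as brute force over half its keyspace."""
    if any(w in password.lower() for w in WEAK_WORDS):
        return len(WEAK_WORDS) * 1000 / GUESSES_PER_SECOND
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / GUESSES_PER_SECOND


def audit(password: str) -> dict:
    """Audit-mode style report: length, reasons and an estimate, never the password."""
    seconds = expected_crack_seconds(password)
    return {"length": len(password), "reasons": weakness_reasons(password),
            "estimated_seconds": seconds, "outlives_sun": seconds > SUN_LIFETIME_SECONDS}
```

Changing the hash algorithm or the hardware changes GUESSES_PER_SECOND by orders of magnitude, so treat the absolute numbers as illustrative and the ordering of results as the useful output.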

Which brings us to Symantec. Last year, Symantec bought @stake and stated that it would soon announce its plans for LC5. Recently, the company announced those plans: it isn't offering LC5 for sale. That's right; Symantec bought @stake to close it. Huh?

If I recall correctly, this is the company that also bought a neat little utility called Ghost and raised its price. Ghost had a competitor in PowerQuest's DriveImage program, so Symantec bought PowerQuest. Again I say, "Huh?"

If Microsoft did something like that, the US Department of Justice (DOJ) and the European Commission wouldn't sue Microsoft--they'd NUKE it; Redmond would glow green. But no one's ever spanked Symantec for creating a monopoly; instead, in what must be one of the great ironies of the year, Symantec complained to the European Commission last October about Microsoft's allegedly monopolistic practices.

That's why I'm going to hire the Symantec PR people. Heck, we can all use that kind of PR. Unless, of course, it involved a deal with a guy with cloven hooves, horns, and the subtle aroma of brimstone--hmmm, NOW I'm wondering…
