Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Putty Proxy login/password discolsure....
From: cardoso <cardosolistas () contraditorium com>
Date: Wed, 25 Oct 2006 15:47:30 -0300

Exactly. If you´ve managed to lost your root password, deal with the
karma, does not make the system insecure by design with a "linux single"
feature. 

Not that a lot of users don´t forget their passwords anyway.


On Wed, 25 Oct 2006 23:57:15 +0530
Raj Mathur <raju () linux-delhi org> wrote:

RM> On Wednesday 25 October 2006 23:14, cardoso wrote:
RM> > Exactly. A few years ago I used to deal with linux fanboys showing
RM> > them the cute trick of "linux single" at boot time. After a few
RM> > hours begging for the admin password, I teached the trick and they
RM> > usually stopped the brag about how security Linux was.
RM> 
RM> Can't do that in most modern distributions today -- they're configured 
RM> to ask for root password before they give a single-user shell.
RM> 
RM> Not that there aren't other ways around that restriction...
RM> 
RM> -- Raju
RM> 
RM> >
RM> >
RM> > On Wed, 25 Oct 2006 12:34:49 -0500
RM> > Paul Schmehl <pauls () utdallas edu> wrote:
RM> >
RM> > PS> --On Wednesday, October 25, 2006 10:24:11 -0400
RM> > mflaschen3 () mail gatech edu PS> wrote:
RM> > PS>
RM> > PS> > Windows offers no security against local users.  It is
RM> > trivial to boot to PS> > a program like ERD Commander and replace
RM> > admin passwords.  On the other PS> > hand, PuTTy is meant to
RM> > protect against everyone; that's why it doesn't PS> > allow saved
RM> > passwords.  Thus, this seems like a vulnerability to me. PS> >
RM> > PS> Unix offers no security against local users either.  If I can
RM> > sit at the PS> console, I can login in single user mode, mount the
RM> > drives rw and edit PS> /etc/passwd all day.
RM> > PS>
RM> > PS> Furthermore, I can take any hard drive, with any file system on
RM> > it, and PS> with the right tools I can read everything on the
RM> > drive, even deleted stuff. PS>
RM> > PS> So what's your point?  That when you own the box you own the
RM> > box? PS>
RM> > PS> If you first have to own the box to get to the information,
RM> > then it's not a PS> vulnerability.  It's not best practice, but
RM> > it's not a vulnerability. PS>
RM> 
RM> -- 
RM> Raj Mathur            raju () kandalaya org   http://kandalaya.org/
RM>        GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
RM>                       It is the mind that moves
RM> 
RM> _______________________________________________
RM> Full-Disclosure - We believe in it.
RM> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
RM> Hosted and sponsored by Secunia - http://secunia.com/
RM> 

-------------------------------------------------------------
Carlos Cardoso
http://www.carloscardoso.com <== blog semi-pessoal
http://www.contraditorium.com <== ProBlogging e cultura digital

"You lost today, kid. But that doesn't mean you have to like it"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]