Date: Wed, 25 Oct 2006 23:57:15 +0530
From: Raj Mathur <raju@...ux-delhi.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....

On Wednesday 25 October 2006 23:14, cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing
> them the cute trick of "linux single" at boot time. After a few
> hours begging for the admin password, I taught the trick and they
> usually stopped the brag about how secure Linux was.

Can't do that in most modern distributions today -- they're configured
to ask for root password before they give a single-user shell.

Not that there aren't other ways around that restriction...

-- Raju

>
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <pauls@...allas.edu> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400
> PS> mflaschen3@...l.gatech.edu wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to
> PS> > a program like ERD Commander and replace admin passwords. On the other
> PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the
> PS> console, I can login in single user mode, mount the drives rw and edit
> PS> /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and
> PS> with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a
> PS> vulnerability. It's not best practice, but it's not a vulnerability.
> PS>

--
Raj Mathur raju@...dalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/