Date: Wed, 25 Oct 2006 15:36:13 -0400
From: Matthew Flaschen <matthew.flaschen@...ech.edu>
To: "North, Quinn" <QNorth@....com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....

Sounds cool.  Battering ram is easier, though.  I said, deal with, not 
solve.

Matthew Flaschen

North, Quinn wrote:
> Sadly, Not even that will help you anymore ... 
> 
> http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
> 
> 
> 
> --=Q=--
>  
> 
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Matthew
> Flaschen
> Sent: Wednesday, October 25, 2006 3:20 PM
> To: cardoso
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....
> 
> I have a dual WinXP/Debian boot, and I deal with that problem by locking
> my door.
> 
> Matt Flaschen
> 
> cardoso wrote:
>> Exactly. A few years ago I used to deal with linux fanboys showing them
>> the cute trick of "linux single" at boot time. After a few hours begging
>> for the admin password, I taught the trick and they usually stopped the
>> bragging about how secure Linux was.
>>
>>
>> On Wed, 25 Oct 2006 12:34:49 -0500
>> Paul Schmehl <pauls@...allas.edu> wrote:
>>
>> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@...l.gatech.edu
>> PS> wrote:
>> PS> 
>> PS> > Windows offers no security against local users.  It is trivial to boot to
>> PS> > a program like ERD Commander and replace admin passwords.  On the other
>> PS> > hand, PuTTY is meant to protect against everyone; that's why it doesn't
>> PS> > allow saved passwords.  Thus, this seems like a vulnerability to me.
>> PS> >
>> PS> Unix offers no security against local users either.  If I can sit at the
>> PS> console, I can log in in single user mode, mount the drives rw and edit
>> PS> /etc/passwd all day.
>> PS> 
>> PS> Furthermore, I can take any hard drive, with any file system on it, and
>> PS> with the right tools I can read everything on the drive, even deleted stuff.
>> PS> 
>> PS> So what's your point?  That when you own the box you own the box?
>> PS> 
>> PS> If you first have to own the box to get to the information, then it's not a
>> PS> vulnerability.  It's not best practice, but it's not a vulnerability.
>> PS> 
>> PS> Paul Schmehl (pauls@...allas.edu)
>> PS> Senior Information Security Analyst
>> PS> The University of Texas at Dallas
>> PS> http://www.utdallas.edu/ir/security/
>>
>> -------------------------------------------------------------
>> Carlos Cardoso
>> http://www.carloscardoso.com <== semi-personal blog
>> http://www.contraditorium.com <== ProBlogging and digital culture
>>
>> "You lost today, kid. But that doesn't mean you have to like it"
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> 
> 
