lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200306050350.h553oqeE006076@caligula.anu.edu.au>
From: avalon at caligula.anu.edu.au (Darren Reed)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

In some mail from Michael Osten, sie said:
> 
> > The reason why IRC servers "IRCD.config" files don't use encryption (see
> > file attachment for example) is because 49 times out of 50 they do not
> come
> > with a GUI program.  Administrators main method of changing the
> > configuration is to manually edit the file using a notepad utility.
> 
> It has nothing to do with having a GUI or not.  You obviously have no
> concept of Unix permissions, so using a unix analogy should be avoided in
> the future.  The config file that you speak of would be set to only be
> readable and/or writable the user running the daemon.  Even the existance of
> that password in the config file woud lend it self a bad design as every
> application in (linux at least) can have hooks to PAM and use the same
> encrypted password.  If the password *was* in the config file, to read this
> file, you would need that users priviledges, or priviledges greater than
> that user.  If you have either, crypting the password would be a bit
> pointless (not to say that people don't do it).

You're fogetting that this IRC server application is being developed
for Windows where people are still mostly unfamiliar with advanced
file permission concepts beyond "read-only/archive" bits.

NTFS (NT4, W2K, XP, ...) supports file ownership by users as well as
read/write/execute "bits".  This is something that many *nix advocates
are blissuflly unaware of.  It's also not often used properly.

Darren

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ