lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200310221719.h9MHJpmA000378@ns2.mmicman.com>
From: support at mmicman.com (Edward W. Ray)
Subject: RE: Linux (in)security

There seems to be this tendency in every market the have the product with
the most widgets at the least cost.  Security vendors are out there selling
a "one size fits all" solution to all of your security problems these days.


I have never heard of a Linux vendor saying that Linux is "secure out of the
box."  Maybe Openwall or Engarde Linux, but most distos need to be made
secure by the user.

Linux is the hands of someone with no interest or regard for security is the
same as Windows or any other OS in the hands of the same clueless
individual.  The main difference between the Linux and Unix variants (i.e.
BSD, Solaris, HP-UX) is that they have already learned their lesson regarded
buffer overflows and kernel hardening and allowed the user more control in
securing their systems.  M$ has not, and that is unfortunate.

Edward W. Ray  

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Thomas Binder
Sent: Wednesday, October 22, 2003 8:39 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: Linux (in)security

Hi!

On Wed, Oct 22, 2003 at 09:12:12AM -0500, Schmehl, Paul L wrote:
> Now, lest you get your hopes up and think it's possible to change the 
> world, read this:
> 
> http://www.ukauthority.com/articles/story898.asp
> 
> After reading this, I had a good cry and then took some aspirin.
> :-(

Of course, what they do not (and most likely cannot) mention is how many of
the passwords entered where just random keystrokes instead of a real world
password.

In fact, I tend to advise people not to completely refuse giving their
password / PIN / etc. when asked for by someone, but to reluctantly
"disclose" something completely wrong. This way, the attacker might think
he's won and - depending on the attacked system - effectively locks the
account he wants to break into.


Ciao

Thomas


--
It is better to never have tried anything than to have tried something and
failed.
- motto of jerks, weenies and losers everywhere

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ