lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1094816546.1791.11.camel@banshee.mythic.magic>
From: lists at ktabic.co.uk (ktabic)
Subject: Re: Re: Re: open telnet port

On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
> > How about, as a service to enable as you are updating SSH remotely
> > from the other side of the country to fix the most recent problem
> > security problem and need a backup system to get into the server in
> > the event that something goes wrong?

> Given that, in the above description, you're basically advocating that
> your *only* use of Telnet would be to send the root password across the
> 'net to troubleshoot SSH :-)
> 
Given that above description, there is no mention of anybody sending
anything that even looks like a password over the net in plain text.
Of course, most people would be, but not everyone.
You are also presuming that the root account even requires logging in,
which is also not nessercary.
There is nothing wrong with plain text at all, in most circumstances.
It's just that *everyone* has presumed that passwords that are a) reused
for the next session, and b) the root one, will be sent in plain text.
Of course, if you know you are sending in plain text, you take steps to
make sure that nothing critical is transmitted in the first place,
which, imho is a better situation than relying totally on the fact you
are encrypted, which may or may not be true.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ