| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Oct 2006 12:34:49 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....
--On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@...l.gatech.edu
wrote:
> Windows offers no security against local users. It is trivial to boot to
> a program like ERD Commander and replace admin passwords. On the other
> hand, PuTTy is meant to protect against everyone; that's why it doesn't
> allow saved passwords. Thus, this seems like a vulnerability to me.
>
Unix offers no security against local users either. If I can sit at the
console, I can login in single user mode, mount the drives rw and edit
/etc/passwd all day.
Furthermore, I can take any hard drive, with any file system on it, and
with the right tools I can read everything on the drive, even deleted stuff.
So what's your point? That when you own the box you own the box?
If you first have to own the box to get to the information, then it's not a
vulnerability. It's not best practice, but it's not a vulnerability.
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Content of type "application/pkcs7-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists