Message-Id: <200610252357.15981.raju@linux-delhi.org>
Date: Wed, 25 Oct 2006 23:57:15 +0530
From: Raj Mathur <raju@...ux-delhi.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....
On Wednesday 25 October 2006 23:14, cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing
> them the cute trick of "linux single" at boot time. After a few
> hours begging for the admin password, I taught the trick and they
> usually stopped bragging about how secure Linux was.

Can't do that in most modern distributions today -- they're configured
to ask for root password before they give a single-user shell.

Not that there aren't other ways around that restriction...

-- Raju
>
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <pauls@...allas.edu> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@...l.gatech.edu
> PS> wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to
> PS> > a program like ERD Commander and replace admin passwords. On the other
> PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the
> PS> console, I can login in single user mode, mount the drives rw and edit
> PS> /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and
> PS> with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a
> PS> vulnerability. It's not best practice, but it's not a vulnerability.
> PS>
--
Raj Mathur raju@...dalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/