lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <453FBCAD.1000902@gatech.edu>
Date: Wed, 25 Oct 2006 15:36:13 -0400
From: Matthew Flaschen <matthew.flaschen@...ech.edu>
To: "North, Quinn" <QNorth@....com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....

Sounds cool.  Battering ram is easier, though.  I said, deal with, not 
solve.

Matthew Flaschen

North, Quinn wrote:
> Sadly, Not even that will help you anymore ... 
> 
> http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
> 
> 
> 
> --=Q=--
>  
> 
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Matthew
> Flaschen
> Sent: Wednesday, October 25, 2006 3:20 PM
> To: cardoso
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....
> 
> I have a dual WinXP/Debian boot, and I deal with that problem by locking
> 
> my door.
> 
> Matt Flaschen
> 
> cardoso wrote:
>> Exactly. A few years ago I used to deal with linux fanboys showing
> them
>> the cute trick of "linux single" at boot time. After a few hours
> begging
>> for the admin password, I teached the trick and they usually stopped
> the
>> brag about how security Linux was. 
>>
>>
>> On Wed, 25 Oct 2006 12:34:49 -0500
>> Paul Schmehl <pauls@...allas.edu> wrote:
>>
>> PS> --On Wednesday, October 25, 2006 10:24:11 -0400
> mflaschen3@...l.gatech.edu 
>> PS> wrote:
>> PS> 
>> PS> > Windows offers no security against local users.  It is trivial
> to boot to
>> PS> > a program like ERD Commander and replace admin passwords.  On
> the other
>> PS> > hand, PuTTy is meant to protect against everyone; that's why it
> doesn't
>> PS> > allow saved passwords.  Thus, this seems like a vulnerability to
> me.
>> PS> >
>> PS> Unix offers no security against local users either.  If I can sit
> at the 
>> PS> console, I can login in single user mode, mount the drives rw and
> edit 
>> PS> /etc/passwd all day.
>> PS> 
>> PS> Furthermore, I can take any hard drive, with any file system on
> it, and 
>> PS> with the right tools I can read everything on the drive, even
> deleted stuff.
>> PS> 
>> PS> So what's your point?  That when you own the box you own the box?
>> PS> 
>> PS> If you first have to own the box to get to the information, then
> it's not a 
>> PS> vulnerability.  It's not best practice, but it's not a
> vulnerability.
>> PS> 
>> PS> Paul Schmehl (pauls@...allas.edu)
>> PS> Senior Information Security Analyst
>> PS> The University of Texas at Dallas
>> PS> http://www.utdallas.edu/ir/security/
>>
>> -------------------------------------------------------------
>> Carlos Cardoso
>> http://www.carloscardoso.com <== blog semi-pessoal
>> http://www.contraditorium.com <== ProBlogging e cultura digital
>>
>> "You lost today, kid. But that doesn't mean you have to like it"
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ