lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <D57F923F19B89743A8CA3EED3B37713A02C09817@ISOEMAILP3.iso.com>
Date: Wed, 25 Oct 2006 15:32:06 -0400
From: "North, Quinn" <QNorth@....com>
To: "Matthew Flaschen" <matthew.flaschen@...ech.edu>,
	"cardoso" <cardosolistas@...traditorium.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....

Sadly, Not even that will help you anymore ... 

http://www.hackaday.com/2005/08/24/lock-bumping-revisited/



--=Q=--
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Matthew
Flaschen
Sent: Wednesday, October 25, 2006 3:20 PM
To: cardoso
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....

I have a dual WinXP/Debian boot, and I deal with that problem by locking

my door.

Matt Flaschen

cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing
them
> the cute trick of "linux single" at boot time. After a few hours
begging
> for the admin password, I teached the trick and they usually stopped
the
> brag about how security Linux was. 
> 
> 
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <pauls@...allas.edu> wrote:
> 
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400
mflaschen3@...l.gatech.edu 
> PS> wrote:
> PS> 
> PS> > Windows offers no security against local users.  It is trivial
to boot to
> PS> > a program like ERD Commander and replace admin passwords.  On
the other
> PS> > hand, PuTTy is meant to protect against everyone; that's why it
doesn't
> PS> > allow saved passwords.  Thus, this seems like a vulnerability to
me.
> PS> >
> PS> Unix offers no security against local users either.  If I can sit
at the 
> PS> console, I can login in single user mode, mount the drives rw and
edit 
> PS> /etc/passwd all day.
> PS> 
> PS> Furthermore, I can take any hard drive, with any file system on
it, and 
> PS> with the right tools I can read everything on the drive, even
deleted stuff.
> PS> 
> PS> So what's your point?  That when you own the box you own the box?
> PS> 
> PS> If you first have to own the box to get to the information, then
it's not a 
> PS> vulnerability.  It's not best practice, but it's not a
vulnerability.
> PS> 
> PS> Paul Schmehl (pauls@...allas.edu)
> PS> Senior Information Security Analyst
> PS> The University of Texas at Dallas
> PS> http://www.utdallas.edu/ir/security/
> 
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== blog semi-pessoal
> http://www.contraditorium.com <== ProBlogging e cultura digital
> 
> "You lost today, kid. But that doesn't mean you have to like it"
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ