| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Oct 2006 15:32:06 -0400 From: "North, Quinn" <QNorth@....com> To: "Matthew Flaschen" <matthew.flaschen@...ech.edu>, "cardoso" <cardosolistas@...traditorium.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Putty Proxy login/password discolsure.... Sadly, Not even that will help you anymore ... http://www.hackaday.com/2005/08/24/lock-bumping-revisited/ --=Q=-- -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Matthew Flaschen Sent: Wednesday, October 25, 2006 3:20 PM To: cardoso Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure.... I have a dual WinXP/Debian boot, and I deal with that problem by locking my door. Matt Flaschen cardoso wrote: > Exactly. A few years ago I used to deal with linux fanboys showing them > the cute trick of "linux single" at boot time. After a few hours begging > for the admin password, I teached the trick and they usually stopped the > brag about how security Linux was. > > > On Wed, 25 Oct 2006 12:34:49 -0500 > Paul Schmehl <pauls@...allas.edu> wrote: > > PS> --On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@...l.gatech.edu > PS> wrote: > PS> > PS> > Windows offers no security against local users. It is trivial to boot to > PS> > a program like ERD Commander and replace admin passwords. On the other > PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't > PS> > allow saved passwords. Thus, this seems like a vulnerability to me. > PS> > > PS> Unix offers no security against local users either. If I can sit at the > PS> console, I can login in single user mode, mount the drives rw and edit > PS> /etc/passwd all day. > PS> > PS> Furthermore, I can take any hard drive, with any file system on it, and > PS> with the right tools I can read everything on the drive, even deleted stuff. > PS> > PS> So what's your point? That when you own the box you own the box? > PS> > PS> If you first have to own the box to get to the information, then it's not a > PS> vulnerability. It's not best practice, but it's not a vulnerability. > PS> > PS> Paul Schmehl (pauls@...allas.edu) > PS> Senior Information Security Analyst > PS> The University of Texas at Dallas > PS> http://www.utdallas.edu/ir/security/ > > ------------------------------------------------------------- > Carlos Cardoso > http://www.carloscardoso.com <== blog semi-pessoal > http://www.contraditorium.com <== ProBlogging e cultura digital > > "You lost today, kid. But that doesn't mean you have to like it" > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists