Message-ID: <CAM2Hf5=oqBPk=yp0fZoybNhKP+cAmCYp-jn6paOFZD_LLV-ecg@mail.gmail.com>
Date: Wed, 7 Dec 2011 01:35:09 -0800
From: Gage Bystrom <themadichib0d@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: distributing passwords to users

I would, except I have no clue what it is he intends to do. Even then
there's no reason to, it's already been done for me.

As I explained to the former ISP employee guy, the ISP was doing the right
thing to accomplish similar goals (I presume; like I said, I have no clue why
the OP wants to do what he wants to do).

Of course the only caveat is that if the central database does not enforce
policy or if it isn't locked down, then all sorts of disaster idioms start
applying.

Maybe torching a man with words doesn't help him, but it's good for showing
others a point, but if a few words of advice in the right direction help
him then no words while lighting flares over the right road should be even
better, right?

P.S. I lied, I have no clue if the ISP's method is standard. However I do
surmise that it likely worked fine with a risk level they found acceptable,
which is far superior to most standard solutions I've seen stammered out
by many.

On Dec 7, 2011 12:54 AM, "Martijn Broos" <martijn.broos@...xion.com> wrote:

> Ok, you have been harsh enough on the poor solution the user is going to
> choose.
>
> Are you willing to give him some advice or directions where he should go
> to?
>
> A textbook sentence I always learned was: You can burn a person with many
> words, it is better to help him with few in the right direction!
>
> If he doesn't know what he is doing wrong, then how do you think he will
> learn to do it right the next time. He is clearly asking for advice.
>
> Are there standard solutions for managing passwords which need to be used
> by many users and securing them without telling the real password to the
> user who needs one to impersonate as another user?
>
> Kind regards,
>
> Martijn
>
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Gage Bystrom
> *Sent:* Wednesday 7 December 2011 9:38
> *To:* full-disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] distributing passwords to users
>
> O.o and you act like what he wants is a good thing? Getting /any/ service
> account with that file would be better than pillaging an entire server of
> ssh keys. With ssh keys you know you only got access to a few more servers
> on the network, maybe not even root or admin unless you got lucky and score
> the key used for root/admin for every single box. No, with that you score
> the entire clientele...
>
> Not to mention what you described is not what he is asking. He wants to
> distribute the passwords to multiple users (idc if they are hashed,
> encrypted or not, just minor details at this point). What you described is
> a centralized database. There's only one copy of the file, only one server
> that holds the goods, the rest can have tidbits and if compromised can do
> minimum damage. Coupled with the right motivations and logging then
> attacking the support group on the internal network gives you almost
> nothing.
>
> Conversely attacking a single user holding the password file for the OP is
> end game. You're simply not going to be able to secure multiple copies of
> the same file with different access controls (hey I used a textbook phrase
> :) ).
>
> The only alternative is to have one access control, or all users have the
> same permission. However that is also absurd, you're only multiplying your
> attack surface with each added user.
>
> Maybe now ya see where I start wondering where the cognitive dissonance
> ought to be coming in for attempting what the OP is trying to do? I was
> wrong for assuming it should be obvious from the get go, but as you can see
> the ISP wasn't in the same boat he wants to board. They would be sitting in
> the crow's nest wondering why the loonie on the deserted island was trying
> to paddle it home.
>
> Alright, I think I've been harsh enough on the poor OP, but I hope he
> understands that this is a classic case of "You're doing it wrong". He
> knows what needs to be done, but his method of doing so actively works
> against his goal.
>
> On Dec 6, 2011 10:51 PM, "James Condron" <james@...o-internet.org.uk>
> wrote:
>
> An ISP I worked at stored logins for customer servers where the customer
> required us to be able to login to provide support.
>
> We used a webapp on our internal network with the relevant security
> accoutrements. It's pretty standard; you login, find the server you need
> credentials for and hit a button to either launch a putty session or an RDP
> session. You can also edit passwords or view for non-windows users.
>
> The reason tools exist is because there is a demand for them - hell, it's a
> password safe. Perhaps OP should look at this type of solution.
>
> On Wed, Dec 7, 2011 at 6:28 AM, Gage Bystrom <themadichib0d@...il.com>
> wrote:
>
> I'm disturbed in the first place that you want to distribute password
> lists to multiple users.
> I'm disturbed more so that there is no apparent cognitive dissonance
> preventing you from functioning enough to have sent that email.
>
> Someone please tell me that I'm not the only one disturbed here? And
> if I am, point to me why please?
>
> On Mon, Dec 5, 2011 at 7:30 PM, G V <gvasiliu@...il.com> wrote:
> > Hi,
> >
> > From your experience, what's the best secure and easy way to update a
> > password list and distribute it to 1000 or so unix users? The users
> > would have different privilege levels and different access on network.
> > Throwing ideas, I can think of: pgp (difficult to maintain a separate
> > file for each user), web app (would need to be secured over ssl,
> > possible password protected), usb disks (difficult to manage changes).
> > Anyone using an enterprise level app (commercial or not) to "share"
> > passwords to users, manage changes and so on? Any other ideas I can
> > use?
> >
> > Thank you,
> > George Vasiliu
> >
> >
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
