[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Putty Proxy login/password discolsure....

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....
From: cardoso <cardosolistas@xxxxxxxxxxxxxxxxxx>
Date: Wed, 25 Oct 2006 14:44:16 -0300

Exactly. A few years ago I used to deal with linux fanboys showing them
the cute trick of "linux single" at boot time. After a few hours begging
for the admin password, I teached the trick and they usually stopped the
brag about how security Linux was. 


On Wed, 25 Oct 2006 12:34:49 -0500
Paul Schmehl <pauls@xxxxxxxxxxxx> wrote:

PS> --On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@xxxxxxxxxxxxxxx 
PS> wrote:
PS> 
PS> > Windows offers no security against local users.  It is trivial to boot to
PS> > a program like ERD Commander and replace admin passwords.  On the other
PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
PS> > allow saved passwords.  Thus, this seems like a vulnerability to me.
PS> >
PS> Unix offers no security against local users either.  If I can sit at the 
PS> console, I can login in single user mode, mount the drives rw and edit 
PS> /etc/passwd all day.
PS> 
PS> Furthermore, I can take any hard drive, with any file system on it, and 
PS> with the right tools I can read everything on the drive, even deleted stuff.
PS> 
PS> So what's your point?  That when you own the box you own the box?
PS> 
PS> If you first have to own the box to get to the information, then it's not a 
PS> vulnerability.  It's not best practice, but it's not a vulnerability.
PS> 
PS> Paul Schmehl (pauls@xxxxxxxxxxxx)
PS> Senior Information Security Analyst
PS> The University of Texas at Dallas
PS> http://www.utdallas.edu/ir/security/

-------------------------------------------------------------
Carlos Cardoso
http://www.carloscardoso.com <== blog semi-pessoal
http://www.contraditorium.com <== ProBlogging e cultura digital

"You lost today, kid. But that doesn't mean you have to like it"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Putty Proxy login/password discolsure....
  - From: Raj Mathur
- Re: [Full-disclosure] Putty Proxy login/password discolsure....
  - From: Matthew Flaschen
- Re: [Full-disclosure] Putty Proxy login/password discolsure....
  - From: endrazine

References:
- Re: [Full-disclosure] Putty Proxy login/password discolsure....
  - From: mflaschen3
- Re: [Full-disclosure] Putty Proxy login/password discolsure....
  - From: Paul Schmehl

Prev by Date: Re: [Full-disclosure] Putty Proxy login/password discolsure....
Next by Date: Re: [Full-disclosure] Putty Proxy login/password discolsure....
Previous by thread: Re: [Full-disclosure] Putty Proxy login/password discolsure....
Next by thread: Re: [Full-disclosure] Putty Proxy login/password discolsure....
Index(es):
- Date
- Thread