Re: [Full-disclosure] Putty Proxy login/password disclosure....
- To: cardoso <cardosolistas@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Putty Proxy login/password disclosure....
- From: Matthew Flaschen <matthew.flaschen@xxxxxxxxxx>
- Date: Wed, 25 Oct 2006 15:20:20 -0400
I have a dual WinXP/Debian boot, and I deal with that problem by locking
my door.
Matt Flaschen
cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them
> the cute trick of "linux single" at boot time. After a few hours begging
> for the admin password, I taught the trick and they usually stopped
> bragging about how secure Linux was.
>
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <pauls@xxxxxxxxxxxx> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 mflaschen3@xxxxxxxxxxxxxxx
> PS> wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to
> PS> > a program like ERD Commander and replace admin passwords. On the other
> PS> > hand, PuTTY is meant to protect against everyone; that's why it doesn't
> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the
> PS> console, I can log in in single user mode, mount the drives rw and edit
> PS> /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and
> PS> with the right tools I can read everything on the drive, even deleted
> PS> stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a
> PS> vulnerability. It's not best practice, but it's not a vulnerability.
> PS>
> PS> Paul Schmehl (pauls@xxxxxxxxxxxx)
> PS> Senior Information Security Analyst
> PS> The University of Texas at Dallas
> PS> http://www.utdallas.edu/ir/security/
>
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== semi-personal blog
> http://www.contraditorium.com <== ProBlogging and digital culture
>
> "You lost today, kid. But that doesn't mean you have to like it"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>