Re: Putty Proxy login/password discolsure....

[Matthew Flaschen <matthew.flaschen () gatech edu>]

Sounds cool.  Battering ram is easier, though.  I said, deal with, not 
solve.

Matthew Flaschen

North, Quinn wrote:
> Sadly, Not even that will help you anymore ... 
>
> http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
>
>
>
> --=Q=--
>  
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Matthew
> Flaschen
> Sent: Wednesday, October 25, 2006 3:20 PM
> To: cardoso
> Cc: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....
>
> I have a dual WinXP/Debian boot, and I deal with that problem by locking
>
> my door.
>
> Matt Flaschen
>
> cardoso wrote:
> > Exactly. A few years ago I used to deal with linux fanboys showing
> them
> > the cute trick of "linux single" at boot time. After a few hours
> begging
> > for the admin password, I teached the trick and they usually stopped
> the
> > brag about how security Linux was. 
> >
> >
> > On Wed, 25 Oct 2006 12:34:49 -0500
> > Paul Schmehl <pauls () utdallas edu> wrote:
> >
> > PS> --On Wednesday, October 25, 2006 10:24:11 -0400
> mflaschen3 () mail gatech edu 
> > PS> wrote:
> > PS> 
> > PS> > Windows offers no security against local users.  It is trivial
> to boot to
> > PS> > a program like ERD Commander and replace admin passwords.  On
> the other
> > PS> > hand, PuTTy is meant to protect against everyone; that's why it
> doesn't
> > PS> > allow saved passwords.  Thus, this seems like a vulnerability to
> me.
> > PS> >
> > PS> Unix offers no security against local users either.  If I can sit
> at the 
> > PS> console, I can login in single user mode, mount the drives rw and
> edit 
> > PS> /etc/passwd all day.
> > PS> 
> > PS> Furthermore, I can take any hard drive, with any file system on
> it, and 
> > PS> with the right tools I can read everything on the drive, even
> deleted stuff.
> > PS> 
> > PS> So what's your point?  That when you own the box you own the box?
> > PS> 
> > PS> If you first have to own the box to get to the information, then
> it's not a 
> > PS> vulnerability.  It's not best practice, but it's not a
> vulnerability.
> > PS> 
> > PS> Paul Schmehl (pauls () utdallas edu)
> > PS> Senior Information Security Analyst
> > PS> The University of Texas at Dallas
> > PS> http://www.utdallas.edu/ir/security/
> >
> > -------------------------------------------------------------
> > Carlos Cardoso
> > http://www.carloscardoso.com <== blog semi-pessoal
> > http://www.contraditorium.com <== ProBlogging e cultura digital
> >
> > "You lost today, kid. But that doesn't mean you have to like it"
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/