Sadly, not even that will help you anymore ...
http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
--=Q=--

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Flaschen
Sent: Wednesday, October 25, 2006 3:20 PM
To: cardoso
Cc: [email protected]
Subject: Re: [Full-disclosure] Putty Proxy login/password disclosure....

I have a dual WinXP/Debian boot, and I deal with that problem by locking my door.

Matt Flaschen

cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them
> the cute trick of "linux single" at boot time. After a few hours begging
> for the admin password, I taught the trick and they usually stopped the
> brag about how secure Linux was.
>
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED]
> PS> wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to
> PS> > a program like ERD Commander and replace admin passwords. On the other
> PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the
> PS> console, I can login in single user mode, mount the drives rw and edit
> PS> /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and
> PS> with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a
> PS> vulnerability. It's not best practice, but it's not a vulnerability.
> PS>
> PS> Paul Schmehl ([EMAIL PROTECTED])
> PS> Senior Information Security Analyst
> PS> The University of Texas at Dallas
> PS> http://www.utdallas.edu/ir/security/
>
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== blog semi-pessoal
> http://www.contraditorium.com <== ProBlogging e cultura digital
>
> "You lost today, kid. But that doesn't mean you have to like it"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
