Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 2006-04-21 at 18:01 +1000, Matthew Hannigan wrote:
> When are you going to set the root password?
> Are you sure no-one is going to put a key-logger on the keyboard cable? A camera over your shoulder? Trojan /bin/login to mail/store the cleartext?

Initially it was set up prior to anyone having access to the machines. Now it's all being done remotely over SSH. I think that's the best that you can do really.

--
Simon Wong [EMAIL PROTECTED]

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 2006-04-21 at 13:31 +1000, Simon Bowden wrote:
> Getting the root password itself is quite separate from getting root access (unless you've not cleaned up after that ubuntu bug which leaves it

I know. I guess it should be an impossible task since he doesn't want to give away the money but just attract some clientele, in a sick kind of way. I added in the read a file bit so it sounded more interesting.

> cleartext). Unless someone is regularly keying in the root password and they're capturing that somehow, then they'll need to break the crypt to get it... (right?). Which seems a little unfair.

I agree it sounds unfair but do we really want people to have much of a chance?

Anyway, thanks for your comments, Simon.

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] A Sys Admin's worst nightmare
Simon Bowden wrote:
> Getting the root password itself is quite separate from getting root access (unless you've not cleaned up after that ubuntu bug which leaves it cleartext). Unless someone is regularly keying in the root password and they're capturing that somehow, then they'll need to break the crypt to get it... (right?). Which seems a little unfair.

Of course, once you've got root access you can change the root password :-)
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 2006-04-21 at 15:38 +0930, Glen Turner wrote:
> Of course, once you've got root access you can change the root password :-)

Good point. I guess the Rules are that you have to provide the original password.

It's funny how I have this feeling of wanting it to be fair for some strange reason yet that is so obviously not what I want either!

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 2006-04-21 at 15:49 +0930, Glen Turner wrote:
> > It's funny how I have this feeling of wanting it to be fair for some strange reason yet that is so obviously not what I want either!
>
> Perhaps not the best thing to admit on a public mailing list :-)

Don't worry Glen, there's absolutely no way that I want ANYONE to be able to do this. That's probably the scariest thing personally, it's a public humiliation for myself if someone does it relatively *easily*.

That's why I thought I'd try and garner some comments from the brains trust...

Have a good weekend, I'll be busy :-)

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, Apr 21, 2006 at 04:49:06PM +1000, Simon Wong wrote:
> Don't worry Glen, there's absolutely no way that I want ANYONE to be able to do this. That's probably the scariest thing personally, it's a public humiliation for myself if someone does it relatively *easily*.
>
> That's why I thought I'd try and garner some comments from the brains trust...

As I don't think anyone is actually able to decrypt to get root's password, the only way is social engineering.

And when the prize of a $1000 is worth many months average wages in some places... You can imagine someone bribing with hald the prize money or using it to set up blackmail or whatever ...

Matt
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 2006-04-21 at 17:11 +1000, Matthew Hannigan wrote:
> As I don't think anyone is actually able to decrypt to get root's password, the only way is social engineering.

I am 99.9% sure but I'm still very cautious.

> And when the prize of a $1000 is worth many months average wages in some places... You can imagine someone bribing with hald the prize money or using it to set up blackmail or whatever ...

Someone already did on the Ubuntu-AU list :-) I can assure you that my rep (and future business) is worth more than that and I am the only one who knows it as well as the contents of the file :-)

Blackmail starts becoming illegal and a matter for the police so we're probably safe there...I hope!

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, Apr 21, 2006 at 05:18:34PM +1000, Simon Wong wrote:
> On Fri, 2006-04-21 at 17:11 +1000, Matthew Hannigan wrote:
> > As I don't think anyone is actually able to decrypt to get root's password, the only way is social engineering.
>
> I am 99.9% sure but I'm still very cautious.
>
> > And when the prize of a $1000 is worth many months average wages in some places...
> > You can imagine someone bribing with hald the prize money
                                         ^half
> > or using it to set up blackmail or whatever ...
>
> Someone already did on the Ubuntu-AU list :-) I can assure you that my rep (and future business) is worth more than that and I am the only one who knows it as well as the contents of the file :-)
>
> Blackmail starts becoming illegal and a matter for the police so we're probably safe there...I hope!

When are you going to set the root password?
Are you sure no-one is going to put a key-logger on the keyboard cable? A camera over your shoulder? Trojan /bin/login to mail/store the cleartext?

These things have a habit of going pear-shaped, but good luck!

Matt
[SLUG] A Sys Admin's worst nightmare
I have set up an Internet Cafe for a mate of mine in a far away land.

In what seems like a nightmare I haven't woken up from yet, he is proposing a crazy marketing stunt to pull in people to the Cafe.

A $1000 reward for obtaining the root password off one of the PC terminals!

I don't even want to repeat that, I'm just trying to think of it as the ultimate vote of confidence ;-)

Outline of the system design is:

* The PCs are all running Ubuntu Breezy (as is the server).
* The local user accounts are supplied via NIS from a central server (only user accts, all passwords disabled) as all authentication is done via PAM radius, back to the central server. Yes, I know LDAP will be in v2.
* IPsec secures communication between each PC and the server
* There is an admin account with full root sudo access on each PC and the root password has been set the same (doesn't seem like a lot of point if admin has root sudo access anyway to have it different - correct me if I'm off track here)
* The PC admin/root passwords do not match those on the server

Rules of engagement

* Must be on-site and present (no at/cron jobs)
* Cannot boot off anything else (of course)
* Cannot change boot parameters
* No malicious activity (I know, what does this mean under these circumstances?!)
* They have to open a file only readable by root and report back the contents plus the root password plus the method of attack
* I am going to push for this to only be for 1-2 weeks tops

I'd love some feedback from people on what further preps I should undertake. I know that sounds very open ended but should I really trust the default installation to be safe enough?

Of course, a public system like this is always open to naughtiness but legitimising it is really scary.

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] A Sys Admin's worst nightmare
isn't this more slug-chat? anyway, i would like to see this, as well as ubuntu vs openbsd

Dean

Simon Wong wrote:
> I have set up an Internet Cafe for a mate of mine in a far away land.
>
> In what seems like a nightmare I haven't woken up from yet, he is proposing a crazy marketing stunt to pull in people to the Cafe.
>
> A $1000 reward for obtaining the root password off one of the PC terminals!
>
> I don't even want to repeat that, I'm just trying to think of it as the ultimate vote of confidence ;-)
>
> Outline of the system design is:
>
> * The PCs are all running Ubuntu Breezy (as is the server).
> * The local user accounts are supplied via NIS from a central server (only user accts, all passwords disabled) as all authentication is done via PAM radius, back to the central server. Yes, I know LDAP will be in v2.
> * IPsec secures communication between each PC and the server
> * There is an admin account with full root sudo access on each PC and the root password has been set the same (doesn't seem like a lot of point if admin has root sudo access anyway to have it different - correct me if I'm off track here)
> * The PC admin/root passwords do not match those on the server
>
> Rules of engagement
>
> * Must be on-site and present (no at/cron jobs)
> * Cannot boot off anything else (of course)
> * Cannot change boot parameters
> * No malicious activity (I know, what does this mean under these circumstances?!)
> * They have to open a file only readable by root and report back the contents plus the root password plus the method of attack
> * I am going to push for this to only be for 1-2 weeks tops
>
> I'd love some feedback from people on what further preps I should undertake. I know that sounds very open ended but should I really trust the default installation to be safe enough?
>
> Of course, a public system like this is always open to naughtiness but legitimising it is really scary.
Re: [SLUG] A Sys Admin's worst nightmare
On Fri, 21 Apr 2006, Simon Wong wrote:
> * They have to open a file only readable by root and report back the contents plus the root password plus the method of attack

Getting the root password itself is quite separate from getting root access (unless you've not cleaned up after that ubuntu bug which leaves it cleartext). Unless someone is regularly keying in the root password and they're capturing that somehow, then they'll need to break the crypt to get it... (right?). Which seems a little unfair.

Cheers,

- Simon
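
Added example, not part of the thread or written by any of its posters: a pre-contest audit of shadow(5)-format entries, reflecting the point above that a root-readable password field holds only a crypt hash, and the design note that NIS-supplied user accounts have passwords disabled. The account names, the allow-list of `root` and `admin`, and the sample lines are constructed assumptions.

```python
"""Added example: audit shadow(5)-format entries. All sample data is constructed."""

# Scheme identifiers used in "$id$salt$hash" password fields.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
WEAK = {"des-crypt", "md5-crypt"}

# Constructed sample in /etc/shadow layout; the hash strings are placeholders.
SAMPLE = """\
root:$6$constructedsalt$PLACEHOLDERHASH:13259:0:99999:7:::
admin:$1$constructed$PLACEHOLDERHASH:13259:0:99999:7:::
daemon:*:13259:0:99999:7:::
cafeuser:!:13259:0:99999:7:::
kiosk:$6$constructedsalt$PLACEHOLDERHASH:13259:0:99999:7:::
guest::13259:0:99999:7:::
"""

def classify(field):
    """Return how the second shadow field stores (or disables) a password."""
    if field == "":
        return "empty"                      # login with no password at all
    if field[0] in "!*":
        return "locked"                     # no usable local password
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "des-crypt" if len(field) == 13 else "unknown"

def audit(shadow_text, password_accounts):
    """List (user, issue) pairs; only password_accounts may hold a hash."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        user, kind = parts[0], classify(parts[1])
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind == "locked":
            continue
        elif user not in password_accounts:
            findings.append((user, "unexpected local password hash"))
        elif kind in WEAK or kind == "unknown":
            findings.append((user, "weak or unknown scheme: " + kind))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE, {"root", "admin"}):
        print(user + ": " + issue)
```
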