On Wed, Dec 04, 2002 at 04:57:27PM -0500, Andrew Perrin wrote:
> You might want to reconsider the project, frankly - why not make different
> root passwords for different machines? That would seem to be a more secure
> alternative. You can make them systematically different to save yourself
> memorizing them all, by (for example) using the second letter of the
> hostname as one of the characters of the root password or something along
> those lines.
Because if you have to start writing them down, they become less secure. And if the adversary knows the trick to your systematic modifications of the password (which may take only one or two to guess correctly), you are back to square one.

In general, for convenience there are rhosts, mounts and ssh keys that will allow you to go from one machine to another. Failing that, the regular sysops will log in using the password from the machine that "has fallen". Having root, it is trivial to grab the password as it is being typed.

Back in '90 I found a remote hole that allowed me root access to about 10% of the hosts under consideration (over 2000). My estimate was that I'd be penetrating some 70% of the "clusters", which would allow me full access to that cluster, and because of inter-cluster relationships I'd be able to hack another estimated 25% of the clusters, for a total of about 95% of the hosts broken into.

For the record: I didn't break into any computers, I stopped at scanning for the hole, and emailing the sysops to get it fixed. (To which one answered within 15 minutes: "Ok, thanks, fixed" on a Saturday afternoon. No other replies were received.....)

Roger.

-- 
** [EMAIL PROTECTED] ** http://www.BitWizard.nl/ ** +31-15-2600998 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* The World's Ecosystem is a stable system. Stable systems may experience *
* excursions from the stable situation. We are currently in such an *
* excursion: The stable situation does not include humans. ***************