André Warnier <a...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:

> Ken Bowen wrote:
> > If you wanted to go down this path, besides the web page for entering
> > the password, you could add sending alerts to the cells of all your
> > sysadmins to improve the probability of the password being entered in a
> > timely manner. Perhaps Tomcats in clusters could obtain the password
> > from their brethren.
> >
> And to complete the circle and make it all more user-friendly, I would also add the
> password to the SMS being sent.
> At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...