André Warnier <a...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:

> Ken Bowen wrote:
> > If you wanted to go down this path, besides the web page for entering
> > the password, you could add sending alerts to the cells of all your
> > sysadmins to improve the probability of the password being entered in a
> > timely manner.   Perhaps Tomcats in clusters could obtain the password
> > from their brethren.
> >
> And to complete the circle and make it all more user-friendly, I would
> also add the password to the SMS being sent.
> At least it would avoid having the sysadmins sticking it on a Post-It
> on their screens.

So all the hacker with root privileges has to do is temporarily replace
the sysadmins list with a single phone number, and then restart Tomcat,
and (s)he is in business...
