[Beowulf] Re: "hobbyists"
Robert G. Brown rgb at phy.duke.eduThu Jun 19 19:33:47 PDT 2008
On Fri, 20 Jun 2008, Chris Samuel wrote:

> ----- "Joe Landman" <landman at scalableinformatics.com> wrote:
>
>> People spend lots of time and effort on security theater. Make up odd
>> rules for passwords. Make them hard to guess and crack. Well, is
>> that the vector for break-ins? Weak passwords?
>
> Yeah - sadly.. :-(

Do you have any recent contemporary evidence for that? I mean, back in the 80's and 90's, when I could use ypx to grab anybody's encrypted password files and run crack on them and get a dozen hits in a few hours of work, sure, but since MD5 became near-universal and since /etc/shadow was invented and since they fixed the worst of the holes that let "anybody" get at the encrypted password list, since password changing programs no longer let you use a REALLY bad password (or at least bitch about it if they do), since sysadmins started routinely running crack on the encrypted list defensively and forcing the change of particularly weak ones, since most systems can be configured with tools that bitch or slow down or flag repeated brute force attacks, I'd have thought that wasn't so true anymore.

We run log scanners that count the attacks on our systems in a 24 hour period and break them down by e.g. originating IP number and so on, and truth be told they are nearly continuous, but I haven't heard of any of those attacks SUCCEEDING on any linux box run by any non-complete-idiot for years now.

Password TRAPS are a pretty common vector; the only cases I tend to hear of at all commonly anymore for crackings (of linux boxes, not Windows systems that are cracked or infected almost at will) tend to be somebody who goes home for the summer, uses an infected, trojanned, vile spewpot of a Windows box to login back at duke from home via e.g. putty or some other related interface, and has their keystrokes logged as they do.

Quite a lot of the Windows viruses install trojan spyware that does full keystroke logging and so on; I got to watch one attempt this on one of my kids' boxes when it was infected, and had to change one of my passwords after cleaning it up because (sigh) I had to use it to get Duke to get the site license software I needed to do the cleaning.

There are also still -- relatively rarely -- buffer overwrite attacks discovered. Most coders "get it" that one shalt not use the non-n string commands to manipulate buffers these days, although there is still legacy code in existence (I'm sure) that has it. I personally last got nailed by the slammer attack, because I got lazy about updates (this was barely pre-yum) and didn't patch my web software in time. Kernel bugs, and MAYBE a rare race condition, still sometimes allow promotion to root.

But weak passwords that are brute force guessed or cracked from the shadow file? Only on a poorly managed network, one where the sysadmin doesn't bother to check and fails to inform the users of how to choose a good one, AND where users manage to gain access to the shadow file in the first place.

rgb

(of course MY passwd is just rgbbgr -- that's secure enough don't you think...;-)

--
Robert G. Brown
Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
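The kind of 24-hour, per-originating-IP attack count that Brown describes his log scanners producing, written here as an added example (it is not code from the post or from Duke's systems). The sshd log lines are constructed, and the year is assumed because classic syslog timestamps omit it; it also flags a source that logs in successfully after failing, which is the case a defender actually wants to see.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in sshd's classic syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Jun 19 18:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 19 18:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 19 18:01:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jun 19 18:02:11 host sshd[1210]: Failed password for rgb from 198.51.100.4 port 40000 ssh2
Jun 19 18:02:40 host sshd[1211]: Accepted password for rgb from 198.51.100.4 port 40001 ssh2
Jun 18 17:59:00 host sshd[900]: Failed password for root from 203.0.113.9 port 2222 ssh2
Jun 19 18:03:00 host sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse(line, year=2008):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None. Year is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def scan(log_text, now, window=timedelta(hours=24), year=2008):
    """Count failed logins per source IP in the window ending at `now`, and
    record any (ip, user) that was accepted after earlier failures from that ip."""
    failures = Counter()
    suspicious_success = set()
    start = now - window
    for line in log_text.splitlines():
        rec = parse(line, year)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if not (start <= ts <= now):
            continue  # outside the reporting window
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] > 0:
            suspicious_success.add((ip, user))
    return failures, suspicious_success

def noisy_sources(failures, threshold=3):
    """Sources at or above `threshold` failures, busiest first."""
    return sorted(((ip, n) for ip, n in failures.items() if n >= threshold),
                  key=lambda t: -t[1])
```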
