Short one (Message 31 to 40 of 129)
From: Darren New
Subject: Re: Short one
Date: 11 Oct 2007 21:01:11
Message: <470ec757$1@news.povray.org>
Warp wrote:
>   Well, if you can reinstall linux in the computer, then that's basically
> the same level of insecurity as being able to reset the root password.

Um, no. That's what I'm saying.

>   How is the OS going to stop someone from booting from a specially created
> CD which allows you to read the contents of the HDs regardless of what
> the ownership flags of the files are?

Encryption techniques.

>   The only way to reduce that risk is to encrypt the files, but in that
> case then even being able to reset the root password is not going to help
> in decrypting them.

Ding ding ding!  Yes, that's what I'm saying.

> Accounts are of no use if the malicious person has direct access to
> the computer.

Depends what maliciousness they intend.

>> Again, you're making a boolean description of security. The fact that 
>> you can destroy the computer doesn't mean it's "insecure".
> 
>   Then we disagree.

More specifically, there are levels of security above the level of being 
able to destroy the computer.

>   If your files are encrypted then the root password is of no use to
> decrypt them. You can only do the same thing as you could do with the
> boot CD: Destroy or modify the files.

Ding ding ding!  Give that man a cigar.

>   What does this have to do with you being able to reset the root password?

That there are systems more secure than those which can have their root 
password reset without losing any data. That security isn't a boolean 
property.

>   Being able to reset the root password and being able to boot from a CD
> are basically the same thing. 

I disagree. If I can reset the root password on the machine on my 
desktop, then I can change the password on your account, log in as you, 
and access the remote resources that are supposed to be protected by 
that account.

-- 
   Darren New / San Diego, CA, USA (PST)
     Remember the good old days, when we
     used to complain about cryptography
     being export-restricted?



From: Darren New
Subject: Re: Short one
Date: 11 Oct 2007 21:04:55
Message: <470ec837$1@news.povray.org>
scott wrote:
> Unless your particular encryption system works transparently to the user 
> for each account automatically (like it does in Win XP). 

First, you can't force a reset of a password on XP without already 
having the root password. I.e., an admin can reset someone else's 
password, but you have to already be logged in as admin. You can't do it 
from a regular boot CD.

Second, resetting the password loses the encryption key, so it doesn't 
get you encrypted files either.

However, you might be able to change the password on someone's account 
and then use that account to get remote access to drive shares. I'm 
pretty sure they closed this hole in XP, but I think it was there in 2000.

Certainly on Linux, as root, you can do things with NFS mounts that get 
you bypassing security there.

-- 
   Darren New / San Diego, CA, USA (PST)
     Remember the good old days, when we
     used to complain about cryptography
     being export-restricted?
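
The point made in the post above, that a forced password reset gets you into the account but loses the encryption key, shown as an added sketch. It is not part of the original thread and is not how Windows EFS is implemented; the account layout, the function names (`forced_reset`, `change_password`) and the XOR-plus-HMAC wrap, a stdlib-only stand-in for a real key-wrap algorithm, are assumptions of this example.

```python
import hashlib, hmac, os

ROUNDS = 50_000  # demo work factor (constructed value)

def _kdf(password, salt, n):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=n)

def wrap(file_key, password):  # key-encryption key comes from the password itself
    salt = os.urandom(16)
    k = _kdf(password, salt, 64)
    enc = bytes(a ^ b for a, b in zip(file_key, k[:32]))  # toy wrap, fresh salt per use
    return {"salt": salt, "enc": enc, "tag": hmac.new(k[32:], enc, "sha256").digest()}

def unwrap(blob, password):
    """Return the file key, or None if this is not the password it was wrapped under."""
    k = _kdf(password, blob["salt"], 64)
    tag = hmac.new(k[32:], blob["enc"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["enc"], k[:32]))

def new_account(password):
    salt = os.urandom(16)  # separate salt: the stored login hash never equals the wrap key
    return {"salt": salt, "hash": _kdf(password, salt, 32),
            "wrapped": wrap(os.urandom(32), password)}

def login(acct, password):
    return hmac.compare_digest(_kdf(password, acct["salt"], 32), acct["hash"])

def forced_reset(acct, new_password):
    """Overwrite the login record only; the old password is unknown, so no re-wrap."""
    acct["salt"] = os.urandom(16)
    acct["hash"] = _kdf(new_password, acct["salt"], 32)

def change_password(acct, old, new):  # owner knows the old password: key is re-wrapped
    key = unwrap(acct["wrapped"], old)
    if key is None:
        return False
    forced_reset(acct, new)
    acct["wrapped"] = wrap(key, new)
    return True

def demo():
    a, b = new_account("old-pass"), new_account("old-pass")
    key_b = unwrap(b["wrapped"], "old-pass")
    forced_reset(a, "reset-pass")               # done without knowing "old-pass"
    change_password(b, "old-pass", "new-pass")
    return (login(a, "reset-pass"), unwrap(a["wrapped"], "reset-pass"),
            unwrap(b["wrapped"], "new-pass") == key_b)
```

`demo()` returns `(True, None, True)`: the reset account accepts the new login but its file key stays sealed, while the ordinary password change carries the key over.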



From: Bill Pragnell
Subject: Re: Short one
Date: 12 Oct 2007 05:52:39
Message: <470f43e7$1@news.povray.org>
Darren New wrote:
> Warp wrote:
>>   People who don't know how to use linux shouldn't use it, IMO.
> 
> Well, *that* would lead to widespread adoption, wouldn't it?

Yes, if that statement were taken literally there'd be nobody using 
Linux anywhere within about 40 years. I've recently installed a linux 
flavour on one of my computers because I'd quite like to learn more 
about it. Are you recommending that I give up? ;-)

>>   Just a couple of days ago someone in irc commented that he needed
>> to reinstall linux because he had forgotten the root password. Well,
>> someone who knew better saved him some hours of useless work.
> 
> People who don't know the security holes in Linux shouldn't forget their 
> root password?  >8)

I quite agree. Somebody absent-minded enough to forget their root 
password would probably have even more difficulty with the solution. I 
myself wouldn't know what to do, but I can't imagine how I'd forget my 
password. Unless a piano fell on me or something.



From: Warp
Subject: Re: Short one
Date: 12 Oct 2007 07:15:37
Message: <470f5759@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> >   The only way to reduce that risk is to encrypt the files, but in that
> > case then even being able to reset the root password is not going to help
> > in decrypting them.

> Ding ding ding!  Yes, that's what I'm saying.

  No, it isn't. You hinted in your first post that being able to reset
the root password is a security hole.

  What I'm saying is that it's no more of a security hole than being able
to boot from a CD. The only protection against these two things is to
encrypt the files (or not to let anyone access your computer directly,
only remotely).

  Besides, linux can probably be configured to disallow booting in
single-user mode (which is the only way to reset the root password
without having to resort to more drastic measures), if you really
want that.

> >   Being able to reset the root password and being able to boot from a CD
> > are basically the same thing. 

> I disagree. If I can reset the root password on the machine on my 
> desktop, then I can change the password on your account, log in as you, 
> and access the remote resources that are supposed to be protected by 
> that account.

  You can do that with a proper boot CD too. So there's no difference.

-- 
                                                          - Warp



From: Warp
Subject: Re: Short one
Date: 12 Oct 2007 07:17:53
Message: <470f57e1@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> First, you can't force a reset of a password on XP without already 
> having the root password.

  Of course you can. You just need the proper boot CD.

-- 
                                                          - Warp



From: scott
Subject: Re: Short one
Date: 12 Oct 2007 08:29:02
Message: <470f688e$1@news.povray.org>
>> First, you can't force a reset of a password on XP without already
>> having the root password.
>
>  Of course you can. You just need the proper boot CD.

Where do you get this "proper boot CD" from btw?  Or do you mean write one 
yourself to modify certain bytes on the hard drive so that the password is 
reset to something you know?  Is that even possible in practice?



From: Warp
Subject: Re: Short one
Date: 12 Oct 2007 08:51:12
Message: <470f6dc0@news.povray.org>
scott <sco### [at] laptopcom> wrote:
> Where do you get this "proper boot CD" from btw?

  Almost any linux installer CD will do.

>  Or do you mean write one 
> yourself to modify certain bytes on the hard drive so that the password is 
> reset to something you know?  Is that even possible in practice?

  What do you think Windows does if there's no root password (because it
has been removed using the boot CD)?

  Speaking of disk encryption, I just saw this:
http://www.phoronix.com/scan.php?page=article&item=873&num=1

  Not that it's really relevant to the discussion, but I found it fitting. :)

-- 
                                                          - Warp



From: scott
Subject: Re: Short one
Date: 12 Oct 2007 09:01:25
Message: <470f7025@news.povray.org>
>> Where do you get this "proper boot CD" from btw?
>
>  Almost any linux installer CD will do.

What, to remove the admin password of a WinXP installation?  Would be useful 
to know how to do that occasionally.

>  Speaking of disk encryption, I just saw this:
> http://www.phoronix.com/scan.php?page=article&item=873&num=1
>
>  Not that it's really relevant to the discussion, but I found it fitting. 
> :)

Interesting.  I also always wondered what would happen if you were involved 
with some illegal activity (even just piracy) and got your PC taken away by 
the police.  If it was encrypted then presumably they would try to force you 
to tell them how to decrypt it - what if you refused?  I guess it depends on 
the country.



From: Sabrina Kilian
Subject: Re: Short one
Date: 12 Oct 2007 11:51:45
Message: <470f9811@news.povray.org>
scott wrote:
>>> Where do you get this "proper boot CD" from btw?
>>
>>  Almost any linux installer CD will do.
> 
> What, to remove the admin password of a WinXP installation?  Would be
> useful to know how to do that occasionally.
> 

Something like BartPE would let you do the same with a Windows Live CD.
If you like Linux, Knoppix STD comes with password tools.

>>  Speaking of disk encryption, I just saw this:
>> http://www.phoronix.com/scan.php?page=article&item=873&num=1
>>
>>  Not that it's really relevant to the discussion, but I found it
>> fitting. :)
> 
> Interesting.  I also always wondered what would happen if you were
> involved with some illegal activity (even just piracy) and got your PC
> taken away by the police.  If it was encrypted then presumably they
> would try to force you to tell them how to decrypt it - what if you
> refused?  I guess it depends on the country.
> 
> 

Law enforcement can get a subpoena or warrant for keys to a safe. I
suspect that in many countries they would treat a password the same.
Failing to turn over the password might have worse consequences, since a
contempt of court charge would just leave someone sitting in jail until
they turned over the password.



From: Warp
Subject: Re: Short one
Date: 12 Oct 2007 12:20:38
Message: <470f9ed6@news.povray.org>
Sabrina Kilian <"ykgp at vtSPAM.edu"> wrote:
> Law enforcement can get a subpoena or warrant for keys to a safe. I
> suspect that in many countries they would treat a password the same.
> Failing to turn over the password might have worse consequences, since a
> contempt of court charge would just leave someone sitting in jail until
> they turned over the password.

  If the suspect simply claims that he forgot it, how can they prove he
didn't?

-- 
                                                          - Warp




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.