Debian Locks Out Developers
daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.
That wonderful feeling of making the password hard to guess, but easy to recall.
Marge, get me your address book, 4 beers, and my conversation hat.
I guess this means that there are a lot of ubuntu users out there who are vulnerable right now... how long for the patch?
Also, the article seems to be a little out. Shouldn't it be just 2.6.12 -> 2.6.17.4 as this includes 2.6.16 -> 2.6.16.24
Does it go on forever?
Time to enforce a 200 character minimum for passwords.
Hopefully then they will also implement a good set of password rules and enforce them to protect themselves from future problems. Where I work they require 3 out of the 4 rules to be met such as mixed case, numbers and special characters... of course they also make us change our password every 30 days so I've discovered that people have taken to doing things like Asdf1234 and then when the password requires changing, changing it to Asdf2345... Doh.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
Why, when this happens on a Windows server, is it "OMG! Windows is insecure! M$ is evil!!!!"
But with this it's "Oh just set more difficult passwords"...
Bill G.
Why don't they just have the developers use ssh2 keys? I didn't know anyone actually used passwords on secure systems for authentication...
An investigation? Doesn't it take a long time to bruteforce properly encrypted passwords? How did they carry out this 'investigation'?
Can somebody please cure me of my chronic ignorance?
I guess I should be more specific. My point was that people were putting strings of letters and or numbers in sequence as their password because they were forced to change them so frequently. I would argue that any string which is sequential is less secure than a randomized number. Like putting 1234 as your ATM pin... it leads to easy shoulder surfing.
Thus people would pick their first name, Peter123 if I was to use my own name as an example. I'm comparing this to passwords that I had to use at Sandia National Labs which were randomized letters and number strings generated by computer, the user was presented with a screen of 30 passwords and you were allowed to pick any of the 30, or to generate a screen of 30 more passwords... The people would pick things that made sense to them but were completely randomized and were never a dictionary word or even a common short hand for the words etc.
I had to check the browser location bar that I'm still on Slashdot. That's exceptional from a Slashdot editor. Thank You. (BTW: captcha: renewing)
...but it's Linux!
I have noticed what you talk about though I've seen it go to further extremes. While at work (we run a mainly Windows network with a few hundred users) I've done further education (outside of Uni) at Australian TAFEs (basically vocational colleges) in Queensland - the TAFE I went to runs a pure Windows network with around twenty thousand plus users over several sites... Anyone who has been to one of these TAFEs understands how much of a raping they have taken from Microsoft, and I say raping because they run the 'perfect Windows network' following all of Microsoft guidelines etc which means some machines take over fifteen minutes to log in and are laggy as all hell once they are in.
:)
Anyway onto the topic. They also follow the recommended guidelines for passwords which includes at least one capital, two numbers, over six chars, and cannot be any of your previous passwords (with I believe an 80% match so you can't just add a 1 or a 2 to it) and these roll every thirty days. Now as a geek I have my own unique password system where no two are the same, they are long, and they have numbers, and at least one capital - unfortunately there are only five or six possible combinations that meet the password system for each item, meaning after five months going to this TAFE (I was there a year part time) I ran out of passwords. This put me on the treadmill that everyone else had been on for a few months (they did a fresh roll over to XP from 98 at the start of last year) of forgetting the password (that I made up to get into the system after my old one expired) or where I wrote it down (yes, everyone wrote down their passwords in blatant places so they could find them again, which to me makes passwords null anyway) and then starting to use generic passwords that everyone else was using that month, for example t4f3IsShit or fUkp455words and the like. As you can probably see this just ends up a mockery of the idea.
So basically the point I'm trying to make is you have to be careful with what you mean by a 'good set of password rules' as if you go overboard even to the slightest extent (as I've seen happen time and time again) passwords just become a joke and you may as well not have them.
Personally I've found that if you teach people/users what a secure password is, teach them not to tell it to anyone, get them to use firefox to avoid keyloggers, and then enforce a six to twelve month roll over no problems ever come up. That's my happy medium and 2cents anyway.
I ate your fish.
This is a reminder that the more people with access to something, the more the risk. Also, passwords aren't meant to be simple.. Get /Rh4d wiF 1t M4Yn3..
;p
When I was just a kiddie people used to crucify me for my 3wh34t|\|3$$.. At least I was fast at it! I even had a custom script for Procomm Plus to translate all my shit.. By that time I learned how annoying it was though
Wow.. that was like 10 years ago.. Doh!~
Good for passwords!
FYI- If you can't think of a not-so-weak password, use a sentence you know and use the letters you remember..
or..
Hit yo-self wit da clue bat
lol.. too much drinkin today me thinks..
Have you thought this through? The point of regularly changing passwords is so that if a blackhat gets a password then it will only work for a limited time. If a blackhat can find the password "KmcJxusUc822" that was stored on an old broken backup harddrive found in a flea market, it won't be of any use to him if the password is changed monthly, *unless* the user uses incremental passwords. If the backup is one year old then the blackhat only has to guess a password around "KmcJxusUc834".
"Due to this, a number of developers with weak passwords have been locked out of their system accounts."
Wait. How did they know the passwords are weak? You mean they actually store them as plain text instead of a hash? Sounds like there needs to be a major security overhaul.
iforgot /my god, I don't know how many times I saw that password used by my network users...
Sorry, my fault.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Locking them out is totally fair, and imho it's the responsible thing to do.
STRONG passwords should be enforced (hell, mandatory keyed logins would be better) on machines like this (which are fairly attractive targets for abuse)...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
You have a system that you need to protect. You have users that you potentially don't know personally. You don't know whether they're aware of good password practices.
How could you be using anything else than public-key authentication?
You would think that Debian would take some extra steps to secure their systems, or at least make sure their developers' passwords were secure enough. For example, I know that while some websites only have a password security meter, some sites, I think I saw this on gmail, will not let you set a password that registers as weak in their password strength meter.
I think that Debian needs to learn from this mistake and start making some serious changes. There are a lot of people running Debian linux distros that are now vulnerable and this includes businesses depending on Debian's security. You would think that something this serious would be better protected.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
For once it's not a compromised windows based system we're waiting for a bug fix on...
There are plenty of local user exploits available for Windows.
90% of the hack was finding a weak password. Once the attacker had access to the system as a user then finding a local privilege escalation vulnerability is trivially easy.
Compared to physical security:
Getting the password = gaining access to a secure building. Bypassing all locks and alarms.
Executing a local exploit = popping open a cover on a PC and pulling the cmos battery so that you can boot up a knoppix cdrom, reset the administrative password, and then taking all the secure data.
The first part is infinitely more difficult/lucky than the second part.
This is similar to the first problem. They got a password and then tried out local root exploits. This indicates a chronic problem.
Probably what they should do is implement an authentication system that is not wholly dependent on passwords. Something like a PKI.. with signed keys, VPN's, and SSH keys (or whatever) with a certificate authority then backed up with passphrase.
So if an attacker hacks a developer's machine and gets the keys then they would still have to get the password. If the hacker gets the password and not the keys then that won't work either.
Doing that would raise the difficulty of getting into a Debian development server by probably a factor of 10.
Goodness, no! This might push them behind schedule!
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Linux can have bugs too?
NT
How the hell could this be modded insightful? The whole point of changing passwords is so that the compromise of one password doesn't lead to unlimited access or the compromise of future passwords.
If a password is so secure that it can't be guessed, then why change it? If it's so weak that it gets guessed monthly, changing just one digit doesn't do shit.
And if the system gets compromised, you reinstall and choose a totally different password.
Seriously, this must be the most stupid advice I've seen and it's currently +2, Insightful. Scary.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Interesting that Debian seems to know that passwords were "weak". Only 1 poster here seems to have picked up on that curiosity. How do they know after the fact that a password was weak?
Unless Debian is doing something very stupid like keeping passwords in clear text, hashing passwords reversibly, hashing passwords to their original length, or something else equally amateurish.... Then the vulnerability is in fact in the Debian system, in their management's soul, & they have some pretty bad techs...
This sounds like a "no excuses" mistake by Debian, that has been followed by an equally damaging admission of their mishandling of passwords. Kind of disappointing actually; both are very disappointing......
Doesn't that mean that if somebody should somehow get into my desktop, either physically, over the network, an old hard drive, etc, and grabs my key, he will have access to every single machine I can access? And I'd have to make a change on each one of those systems?
I'd really like to switch to keypairs for authentication but that seems inherently dangerous. Am I missing something?
Seriously, this must be the most stupid advice I've seen and it's currently +2, Insightful. Scary.
Even scarier was the training class where the instructor *told* us to trivially rotate passwords!
(The one thing I'd add is that the idea that adding complexity can't hurt is completely misguided. Every new chore you add to password maintenance means that many more passwords on a post-it under the keyboard.)
What I'm listening to now on Pandora...
However, said keys better be passphrase- (NOT password-) protected! After all, if, let's say, $DEVELOPER's laptop gets stolen and it has a non-passphrase-protected ssh key, then going to the effort of using keys for authentication will be for naught.
FWIW, I recently ditched Debian for a completely unrelated reason (see also, CVE-2006-1173).
Oh, no! You have walked into the slavering fangs of a lurking grue!
They're assuming a decay of password security; that a proportion of people will write them down on odd bits of paper and lose them, that they'll reuse the password in another context and have it spied out, keylogged, etc. Changing the password cleans up these leaks; unless you're just incrementing as above. If I was cracking and a stolen password failed I'd use it as the seed of an attack.
Being that I work on systems which have a government security clearance requirement, passwords on our networks have a few enforced rules..
;) .. Problem is, using passwords such as this can get VERY confusing if you have to keep changing it, especially when you start having 6 passwords like this in use on various systems because some of them make you change at different time schedules. Chances are that the average user is just going to start using stupid crap like "LisaMarie89" which happens to be their daughter's name and year of birth because anything else just gets too hard to remember anymore.
As a system admin and user however, I really do not believe that the rule of changing passwords, especially when combined with a rule that says you can not use the same password for the next 10 changes, is really a bad idea. I have always used very hard to guess passwords like hcwlcd3cm28MP (and no, this is not a password I use
IMO, if you setup the rules so that passwords have to be hard to guess, dump the password change requirement, or make it so that it is extremely rare and so that a few passwords can be recycled.
Be interested to hear how other admins feel about this.
+++ATH0 NO CARRIER
Debian locks out developers after server hack
How much more useful would have been the headline Debian closes accounts with weak passwords?
bash$
Some lady has a weak password and her Windows box gets owned, MS sucks, Windows blows (now the fact that she _does_ run as an Administrator doesn't help).
::waking back up to reality::
_developers_ working for one of the most popular open source projects have weak passwords, there is a _kernel_ exploit, and people defend it still.
FYI I run Linux, OSX and Windows on my machines, but come on... why can't we all just get along and admit there are problems with software regardless of the company, model etc.
... means everyone gets to see your machine compromised?
Help poke pirates in the eyepatch, arr.
Agreed. Until last week we used outright strings for our sandbox users' passwords on servers and test servers (syntax username12345). That was of course before a friendly Windows script kiddie used a dictionary attack against them and in a stroke of luck the username they got was one of the sandbox accounts and their dictionary just had a huge list of username, username1, username12, username1..6. Luckily we had no outstanding security flaws and the sandbox accounts were indeed sandboxed, though poor Undernet got an extra 2mbit to the face for half a day while we tracked down the problem and stopped it.
So using strings that are non random is just an outright bad idea because even a dictionary attack that is large enough can get them, and then incremental on top of it is even worse because it gives you a false sense of security. If the attacker knows it is company policy to +/- 1 every month they will just try the pw +/- 1 for each month old the pw is. So yeah it is just a bad idea all up when put in userland.
These tokens that banks give out, they cost less than $20. Type your pass, put the one-time token number in and on you log to your Deb dev box.
I'd be amazed if there's only one compromised distro dev box out there. And I'm not only talking Debian.
Sleepers ahoy...
<before>now</before>
They rely on the slightly more secure method of ssh keys.
In Soviet Washington the swamp drains you.
He's thinking "Hey, how would you know whether the password was insecure or not without looking at it?", and has correctly identified the fact that you shouldn't be able to work backwards from a hash to the password. However, he failed to take into account the fact that you could come up with a list of N bad passwords (say, 40,000 words pulled from a dictionary or something similar) and check them against all the passwords you have in O(N+M) time, where M is the number of accounts you need to check (constant time to hash a password, constant time to mark that hash location as "bad, collides with known bad password foo" in a hash table, constant time to lookup each password hash within your hash table and test for badness).
You could also do an O(M) search by taking any suite of password hacking tools you want, allocating them X amount of processor resources (say, 5 minutes CPU time each), and then letting them loose. Anybody whose password gets broken gets locked. In previous discussions some folks have noted that their organizations perform this check on a routine basis.
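The check described in the two posts above (hash a wordlist and look the results up against every stored hash, then lock whatever matches) as an added example; this is not code from the original thread or from Debian. It uses a constructed toy hash format, "$toy$salt$hex", computed as SHA-512 over salt + password, rather than real crypt(3) output, and constructed sample shadow lines and wordlist; a real audit would call the system crypt routine with the stored id string and salt. Accounts are grouped by salt so each candidate word is hashed once per distinct salt, which is the O(N+M) case from the post when hashes are unsalted and degrades gracefully when they are not. Locking follows what `usermod -L` does: a "!" is prepended to the hash field.

```python
import hashlib
from collections import defaultdict


# Constructed toy hash format for this example, NOT real crypt(3) "$6$" output:
#   "$toy$<salt>$<hex sha512(salt + password)>"
def toy_hash(salt: str, password: str) -> str:
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def parse_shadow_line(line: str):
    """Return (user, salt, hash_field) or None for locked/disabled accounts."""
    user, field = line.split(":")[:2]
    # An empty field, "*" or a "!"-prefixed hash means no password can match.
    if not field or field[0] in "!*":
        return None
    parts = field.split("$")          # ["", "toy", salt, digest]
    if len(parts) != 4 or parts[1] != "toy":
        return None
    return user, parts[2], field


def audit(shadow_lines, wordlist):
    """Map each user whose stored hash matches a wordlist entry to that word.

    Candidate words are hashed once per distinct salt, not once per account:
    cost is O(N * salts + M). With unsalted hashes this is the O(N + M)
    the post describes.
    """
    by_salt = defaultdict(lambda: defaultdict(list))   # salt -> hash -> [users]
    for line in shadow_lines:
        parsed = parse_shadow_line(line)
        if parsed:
            user, salt, h = parsed
            by_salt[salt][h].append(user)
    weak = {}
    for salt, hashes in by_salt.items():
        for word in wordlist:
            for user in hashes.get(toy_hash(salt, word), []):
                weak[user] = word
    return weak


def lock_weak(shadow_lines, wordlist):
    """Return shadow lines with weak accounts locked the way `usermod -L`
    does it: a "!" is prepended to the hash so nothing can match it."""
    weak = audit(shadow_lines, wordlist)
    locked = []
    for line in shadow_lines:
        user, field, rest = line.split(":", 2)
        if user in weak:
            field = "!" + field
        locked.append(":".join((user, field, rest)))
    return locked


# Constructed sample data (hypothetical accounts, not real Debian data).
WORDLIST = ["password", "debian", "letmein", "Asdf1234", "Peter123"]
SHADOW = [
    "alice:" + toy_hash("s4lt1", "Asdf1234") + ":13343:0:99999:7:::",
    "bob:" + toy_hash("s4lt2", "9hKq!v2Lr#mWx") + ":13343:0:99999:7:::",
    "carol:" + toy_hash("s4lt1", "debian") + ":13343:0:99999:7:::",
    "dave:!:13343:0:99999:7:::",   # already locked
]

if __name__ == "__main__":
    print(audit(SHADOW, WORDLIST))   # {'alice': 'Asdf1234', 'carol': 'debian'}
    for line in lock_weak(SHADOW, WORDLIST):
        print(line)
```

Running the audit against a locked set returns nothing, which is the state Debian's admins left the weak accounts in: the hash is still there for the owner to be let back in after a reset, but no password matches it in the meantime.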
People really need to think about how their product names parse when the words are run together and all one case. This is a particularly bad case, because there is only one way to parse "keepass" into real English words, and it's not the way they wanted. I'm sure they liked the idea of sharing the last letter of the first word with the first of the last, and sometimes it works. Other times, though, you end up naming your project "Keep Ass"
Cracking passwords when you have access to the non-reversible hashed versions of the passwords (aka "/etc/shadow") can be trivially easy on modern hardware, when using a tool such as John the Ripper, or, if you have a lot of spare harddrive space (and RAM), RainbowCrack. If this box was using md5 hashes (most likely), JTR on modern hardware can easily crack 8,000+ passwords a second, which, when combined with advanced password guessing techniques, will most likely find weak passwords within an hour or two.
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
I love it. An operating system distribution was rooted due to a vulnerability in the OS.
i ndex.html
Say what you want about microsoft, but I don't think they have ever had their asses handed to them by hackers.
Of course your rebuttal might be that they are too busy rooting everyone else's boxes at home.
I love it, in other news, Peter Coors of Coors the brewery, and 2004 Senate candidate was arrested for drunk driving.
The day gets better and better!
http://www.cnn.com/2006/US/07/13/coors.arrest.ap/
Password Safe.
http://passwordsafe.sourceforge.net/
It was only after I installed password safe that I began using strong passwords on more than just a few accounts.
As an ex-Debian user this doesn't surprise me a bit. They used to be so on top of things and I was quite happy using Debian as my only OS for 3 years but a few months after Sarge went "stable" things started breaking for me, and on the powerpc port last time I tried (5 months ago) it was impossible to even compile a linux kernel -- and that was Debian "stable"!
That was the last straw, and I switched to FreeBSD on i386 and OS X on powerpc. The truth is Debian doesn't have a stable release anymore (but it's easier to install than ever, hey!). Damned consumer-oriented focus...I was happy installing with dselect, personally.
I think many Linux distros are becoming basically consumer-grade OSes unsuitable for production or development use, but in Debian's case it strikes me as a particularly sad state of affairs.
And especially to counter these problems you can easily set up key-based authentication using SSH. In this case it's (nearly) impossible to log in to a box if you don't own the private key which corresponds with the public key stored in the user's ~/.ssh/authorized_keys file. No key, no access and as such also no password guessing.
Surely these kinds of ideas can't be that hard to come up with, especially after this project has experienced compromises more often?
The story title is a bit misleading; only accounts with bad passwords or those who (for $DEITY knows what reason) appeared to have private keys on gluck were locked out. Everyone who has sane passwords and/or only uses ssh keys to log into their accounts still have access.
Of course, anyone who could actually log in already knows this because they've read d-d-a (or have already logged in.) In any event, rather troubling that the PRCTL bug managed to find its way into the kernel, but good that the intrusion was caught relatively quickly and neutralized.
http://www.donarmstrong.com
I find it interesting that they would know what accounts have weak passwords... does that mean that they are storing them in clear-text somewhere? If not, then how do they know?
The sites we build and administer only store hashes of the password, or something similarly obfuscated.
But yeah, the public-key ssh2 access previously mentioned seems like the only "proper" method for their access.
Oh well... hindsight is 20/20.
$0.02 (CDN)
Dear Mr finiteSet,b ut_!_pr0m!s3_n0t_t0_d0_!t_@g@!n_s0_l0ng_@s_!_l!v3
To punish you for using such a weak password to your Debian developer account we have changed your password to the following:
!_@m_@n_!ns3ns!t!v3_cl0d_wh0_us3s_w3@k_p@ssw0rds_
Enjoy
The Debian team
Only to idiots, are orders laws.
-- Henning von Tresckow
Few and far between.
In Windows? Well, at some point it's not even news (MS just stopped support to an estimated 70 million pre-W2K users, talk about a mega insecurity incubator).
Windows security is a joke that leaves a bad aftertaste in your mouth. Even their "most secure" rubbish relies on putting bits and pieces on machines' registry where it can be easily harvested. And their security model has been broken for years.
IANAL but write like a drunk one.
Software developed by MS has earned its reputation as insecure with a steady but sure lack of attention to security issues.
I have witnessed in the last 5 years:
-Complete meltdown of our corporate network due to viruses (we are behind firewalls, were up to date in MS recommended patches, have fulltime good Windows Systems Administrators and have a corporate virus infrastructure in place. Still no cigar. Why? Because Windows is intrinsically insecure).
-Meltdown of machines due to vulnerabilities related to stuff we don't even use (MS bundles so much rubbish you don't need together that it is impossible to remove stuff you don't need, opening your machine to related vulnerabilities that could have been otherwise easily avoided).
-Hiding of security information on the registry (ask your MS representative where do they store AD private keys).
And so on and so forth.
During the same period our Solaris, Linux (Red Hat), AIX and HP-UX machines have been running happily, some of them with uptimes of 400 or 500 days.
MS got their design wrong; from a security point of view it is inferior. Period.
It is high time that MS apologists stop pretending the elephant is not in the room.
It is there, is dead, you can't beat it, and it stinks.
Reduce, reuse, cycle
Guys,
How did they find out it was a user account that was compromised? What tools did they/do they have running that are monitoring their servers?
Seems to me that taping such information to sysadmins' foreheads would be a lot like placing a post-it note with password hints on the edge of the monitor.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
A problem shared by Experts-Exchange (previously ExpertSexChange.com) and Powergen Italia (used to be PowerGenitalia.com)...
"Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," wrote Schulze.
"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
It seems like nothing much really happened. I mean, if this is all a hacker is capable of even with root access to a major Debian server, then what's all the fuss about?
If an attacker has your password, they're not likely to let you know about it. Changing your password regularly (no matter how 'strong' it is) limits your exposure.
How hard is it to make a couple a character alpha-numeric passwords and dedicate them to memory? After maybe a week with it written down in your wallet for reference, you'll have them memorized and have no problems!!! Then you just have to worry about yourself muttering them in your sleep....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
How does one choose users, aka developers, on debian?
If for instance someone wants to be a debian developer, creates his account Bill.Gates@debian.org, chooses on purpose a weak password (does not matter) and then has been in contact with evil@hacker.org who managed to get the password.
In case Bill Gates would obtain a developer status, I wouldn't wonder if he would open source his password to any hacker around.
But seriously, no FUD: How do they work to trust their developers?
I can't imagine I'm writing a little tiny app, knock on the debian door and they would open it. This is user trust policy.
If you are in need of a strong password, use the following recipe:
Think of a sentence with 6-10 words with a number in it.
- The number can be inside one of the words.
- If you manage to have multiple Capital words in the sentence, your password gets stronger.
Then take the first letter and write the numbers as digit, include the point,
question mark, exclamation point at the end and you got a strong password.
Today i ate two buns for breakfast! -> Tia2bfb!
I have seen six dups on Slashdot this week. -> Ihs6doStw.
Can you memorize all four new passwords? -> Cyma4np?
And today: A new password for my debian account! -> At:1npfmda!
Works fine for me and is fairly easy to memorize.
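The recipe from the post above, implemented as an added example (not code from the original poster): each word contributes its first letter with its case preserved, number words and the article "a" become digits (the post's last example renders "A new" as "1n"), and trailing punctuation such as "!", "?", "." and ":" is kept. A `meets_policy` check in the style of the 3-of-4 character class rules discussed earlier in the thread is added so the output can be judged; both function names and the policy thresholds are assumptions for this example. The four sentences from the post are the sample input.

```python
import re

# Number words that become digits; the article "a" is included because the
# post's own example turns "A new password" into "1np".
NUMBER_WORDS = {"a": "1", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8",
                "nine": "9", "ten": "10"}

# leading punctuation (dropped), the word itself, trailing punctuation (kept)
_TOKEN = re.compile(r"^(\W*)([\w']+)(\W*)$")


def sentence_to_password(sentence: str) -> str:
    """Apply the first-letter recipe: 'Today i ate two buns for breakfast!'
    becomes 'Tia2bfb!'."""
    out = []
    for token in sentence.split():
        m = _TOKEN.match(token)
        if not m:
            continue                      # stray punctuation, e.g. a lone "-"
        _lead, word, trail = m.groups()
        out.append(NUMBER_WORDS.get(word.lower(), word[0]))  # case is kept
        out.append(trail)                 # "!", "?", ".", ":" survive as-is
    return "".join(out)


def meets_policy(pw: str, min_len: int = 8, classes_required: int = 3) -> bool:
    """Hypothetical policy: at least min_len characters and at least
    classes_required of {lower, upper, digit, other}."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= classes_required


if __name__ == "__main__":
    # The sentences from the post above.
    for s in ["Today i ate two buns for breakfast!",
              "I have seen six dups on Slashdot this week.",
              "Can you memorize all four new passwords?",
              "And today: A new password for my debian account!",
              "Today is a nice day."]:
        pw = sentence_to_password(s)
        print(f"{s!r} -> {pw!r} policy_ok={meets_policy(pw)}")
```

The caveat a practitioner would add: the recipe is public, so whatever strength the result has comes from the sentence, not the transformation. A short sentence yields a short password (the fifth sample above fails the length check), and a sentence lifted from a song lyric or famous quote is exactly what a cracker's rule set will try once first-letter mangling of quote corpora is cheap.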
Well, it's syntactically correct, it cannot be "forged" because if you obtained it it would be identical instead of an imitation.
/NOT/ ENTER THE PIN - in other words, you have to prove your innocence which is obviously much harder and rather convenient for the Credit Card company and/or bank.
/your/ problem proving that it wasn't you who authorised payment.
;-).
From a provider's point of view, the Chip & PIN approach is indeed one to recommend - after all, if the Credit Card companies get away with surreptitious risk transfer, why not someone else?
In case you didn't get it: since a PIN code is required instead of a signature, it's no longer the bank's duty to check if the signature is correct (i.e. they should not pay until they have confirmed this). Since PIN, *YOU* WILL HAVE TO PROVE YOU DID
So, if someone fucks up in the security department and unleashes yet another database on the world with all the juicy details (or, as in the proposed use by the original poster which in case of clueless admins would be stored in cleartext instead of a hash) it'll be
So, now you know why
(a) the Credit Card companies were so incredibly keen on the Chip & PIN idea. Not "for your safety and to prevent fraud" - no, to protect their revenue. That it marginally decreases fraud until you're invited by knifepoint to share your secret PIN is merely incidental. BTW, it also increases your personal risk as it now needs a conversation with you to get that code. A cloned card with a duplicate signature would only take a covert swipe of your details (or the flimsy from the restaurant bin).
(b) using this for web access would be an incredibly dumb idea. Amusing, but dumb
= Ch =
http://www.sysinternals.com/blog/2006/05/power-in-power-users.html
Local escalation vulnerabilities have long been a feature of Microsoft Windows!
But seriously, that's a good article about why it's not a good idea to give other users Power User privileges. It might help with securing a system too.
As a long time Debian user I am not so surprised by this - it is just the reality when you operate a system with thousands of user & shell accounts all over the world. It isn't that big of a deal if the debian admins respond correctly, which they always do, but it looks bad.
The issue that gets me is this is the second time the Debian system has been compromised, and in the exact same way - a local kernel exploit from a compromised DD account. As good as the Debian security team is, they are frankly terrible with the kernel. The Linux kernel has continual local security exploits (I am not in denial about that); these don't matter so much for most deployments but for the Debian system they are absolutely critical because of all the shell accounts. The Debian kernel team really needs to work out something better (though I know the issue is more complicated than that); this is the one thing Red Hat does very well. I cannot for the life of me understand why debian servers' kernels are not upgraded continually. The downtime is immaterial compared to something like this.
I've really grown to like the pam-usb project. It's very easy to setup, and while I'm no security expert, it seems more secure than just a password/passphrase etc.
What's going on here. In the "related links" to the left of the article.
/. had a pleasingly shambolic integrity.
I have a couple of links "Compare prices on Linux Software" duh!
Curious as to how they can do a price comparison between free beer "a" and free beer "b"
I clicked the link -- which takes me to a pricegrabber.com site full of adverts for windows PCs.
Why bother! Who is going to buy a windows PC when they were looking for cheaper Linux software?
This sort of poorly directed advertising just brings the whole browsing experience down a notch in the same way that each spam received makes e-mail that much less useful.
Call me naive but I did expect better of Slashdot. I know the articles can be out of date and/or lame, and, many of the posters (probably including myself) have a warped world view but I always thought
Oh well I am too old for a MYSPACE account?
Old COBOL programmers never die. They just code in C.
http://en.wikipedia.org/wiki/Humour
hth.
my password really is 'stinkypants'
Passwords that are infinitely strong against guessing will instead be monitored when even a careful person accidentally uses it for FTP, telnet, or an unencrypted IMAP or POP connection, or when some exploit gets put in place on the servers to report other people's passwords.
If you don't believe that this happens, you don't remember the SSH crack that happened some 5 years ago, where companies all over the world had their SSH daemons replaced with one that logs and reports user's local passwords.
Permutations is the word you were looking for.
You better watch out, there may be dogs about . .
yes, i agree with you,
I don't understand why SSH on OpenBSD lets root log in by default.
Linux kernel developers have known for years that their software isn't safe. Why don't they fix it? Seriously, GNU/Linux is not usable as a general purpose shell. It's like Windows. If you can access the system, you can do anything you want.
- leenox.txt
SDF stopped using GNU/Linux years ago because of this very reason. No software is perfect, but damn!
Check out the SDF com log from when they shutdown the GNU/Linux server. A guy gets root while they are in com. Funny stuff.
ftp://sdf.lonestar.org/pub/sdf/historical/bye-bye
Damn I wish I hadn't used up my mod points yesterday still lmao!!
I'm really not a spelling-nazi! No excuses necessary.
You better watch out, there may be dogs about . .
Uh, maybe because I was using sendmail instead of exim?
FWIW, I switched over to CentOS - which had a fix for the sendmail bug the same day it was announced.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Is anyone else wondering why someone would be trying to break into the development server of the Debian distribution?
Maybe someone is trying to "own" every Debian-based machine by slipping their own "minor bug" into it undetected.
This is where distributed, public-key-signed version control (like in monotone) would save the day. No one would be able to sneak something into the version-control archive because all change packets are uniquely identified and signed with a developer's public key.
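The mechanism the comment above describes, as an added example that is not code from the original thread, from Debian or from monotone: each change packet is identified by a hash of its body and that identifier is signed with the developer's private key, so the archive server only ever holds material it cannot forge. The developer name, the change text and the Ed25519 keys are all made up for the demonstration; a real system would also chain packets to their parents and pin the trusted keys somewhere the server cannot rewrite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ChangePacket is a hypothetical, stripped-down stand-in for a revision in a
// distributed VCS: the body is identified by its hash and that id is signed.
type ChangePacket struct {
	Author  string
	Content []byte
	ID      string // hex SHA-256 over Author + "\n" + Content
	Sig     []byte // Ed25519 signature over ID
}

// packetID derives the content-addressed identifier of a change.
func packetID(author string, content []byte) string {
	h := sha256.New()
	h.Write([]byte(author))
	h.Write([]byte("\n"))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// NewPacket builds a change and signs its id with the developer's private key.
func NewPacket(author string, content []byte, priv ed25519.PrivateKey) ChangePacket {
	id := packetID(author, content)
	return ChangePacket{Author: author, Content: content, ID: id, Sig: ed25519.Sign(priv, []byte(id))}
}

// Verify recomputes the id from the stored body, so an edited body is caught even
// when the attacker leaves the old id and signature in place, and then checks the
// signature against the public key the project has on record for the author.
// Someone with write access to the archive (or a stolen account password) cannot
// produce a valid signature without the developer's key.
func Verify(p ChangePacket, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[p.Author]
	if !ok {
		return false
	}
	if packetID(p.Author, p.Content) != p.ID {
		return false
	}
	return ed25519.Verify(pub, []byte(p.ID), p.Sig)
}

// Scenario runs three cases: a genuine change, the same change with its body
// altered in the archive, and a self-consistent change signed with a key that
// is not on record. Only the first should verify.
func Scenario() (legit, tampered, forged bool) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"alice@example.invalid": devPub} // hypothetical developer

	p := NewPacket("alice@example.invalid", []byte("fix: bounds check in parser\n"), devPriv)
	legit = Verify(p, trusted)

	// Case 2: body edited in place, id and signature untouched.
	edited := p
	edited.Content = []byte("fix: bounds check in parser\nsystem(\"/tmp/.x\");\n")
	tampered = Verify(edited, trusted)

	// Case 3: attacker rebuilds a consistent packet under Alice's name,
	// but can only sign it with their own key.
	forgedPacket := NewPacket("alice@example.invalid", edited.Content, attackerPriv)
	forged = Verify(forgedPacket, trusted)
	return legit, tampered, forged
}

func main() {
	l, t, f := Scenario()
	fmt.Printf("legit=%v tampered=%v forged=%v\n", l, t, f)
}
```

The point of recomputing the id inside Verify is that the signature alone is not enough: a signature over a stale id would still validate if the checker trusted the id field as stored.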
how did he get root from shelling in as a user?
i was under the impression that exploits are patched as soon as they are discovered
I'd hope a debian developer machine wouldn't allow any kind of known exploit
omg debian's source has been stolen!! ... oh wait.. so does everyone else..
the hacker wouldve had access to the complete source of the distro!!
And use it for other sites: People often only change their password at the site where they're forced to, but leave it intact elsewhere, begging to have their accounts invaded on those other machines.
That will be _SO_ helpful when you lock yourself out of your own system.
Will be great if your hard drive fails, keychain with your memory key gets stolen, or you're not at your office computer.
Rat our passwords all you want, but combined with throttling/limiting/detection on the server passwords are about as secure as they come. Note my qualifier here. There are tons of scripts, and I run them on all of my servers, that will parse
These scripts are readily available on the net, and are easy to make as well.
This will protect against brute force and easy passwords. Now your users just naming their password after their dog will always be a problem. Requiring complexity (a number or mixed case) will be key to securing those passwords, although I'm sure they are directly correlated with an increase in support calls.
-M
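The kind of log-parsing throttle the comment above relies on, written out as an added example (not the poster's scripts, and not anything Debian runs): it reads OpenSSH "Failed password" lines from auth.log, keeps a sliding window of failures per source address, and reports addresses that cross a threshold inside that window. The log excerpt is constructed for the example; host name, pids and addresses are made up. Feeding the result to a firewall rule or a TCP wrapper deny list is left to the caller.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleAuthLog is a constructed /var/log/auth.log excerpt (host, pids and
// addresses are made up): one address hammers the box, one user fat-fingers a
// password before logging in, and one address probes root once an hour.
const SampleAuthLog = `Jul 12 03:14:01 gluck sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 12 03:14:03 gluck sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Jul 12 03:14:05 gluck sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 12 03:14:08 gluck sshd[2004]: Failed password for alice from 203.0.113.7 port 51237 ssh2
Jul 12 03:14:10 gluck sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Jul 12 03:14:12 gluck sshd[2006]: Failed password for bob from 203.0.113.7 port 51239 ssh2
Jul 12 03:20:44 gluck sshd[2101]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Jul 12 03:20:51 gluck sshd[2101]: Accepted password for alice from 198.51.100.23 port 40012 ssh2
Jul 12 05:02:11 gluck sshd[2300]: Failed password for carol from 198.51.100.23 port 40090 ssh2
Jul 12 09:00:00 gluck sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 12 10:00:00 gluck sshd[2401]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 12 11:00:00 gluck sshd[2402]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jul 12 12:00:00 gluck sshd[2403]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jul 12 13:00:00 gluck sshd[2404]: Failed password for root from 192.0.2.9 port 33005 ssh2
Jul 12 14:00:00 gluck sshd[2405]: Failed password for root from 192.0.2.9 port 33006 ssh2
`

// failedRe matches OpenSSH's "Failed password" line; group 1 is the syslog
// timestamp, group 2 the attempted user name and group 3 the source address.
var failedRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// Offenders returns, sorted, every source address that produced at least
// threshold failed password attempts inside some window of the given length.
// A sliding window, rather than a lifetime total, keeps the slow hourly probe
// below the threshold while the burst is caught on its fifth attempt.
func Offenders(log string, window time.Duration, threshold int) []string {
	recent := map[string][]time.Time{}
	flagged := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := failedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog stamps carry no year
		if err != nil {
			continue
		}
		ip := m[3]
		kept := recent[ip][:0] // filter in place: drop failures older than the window
		for _, t := range recent[ip] {
			if ts.Sub(t) < window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ts)
		recent[ip] = kept
		if len(kept) >= threshold {
			flagged[ip] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for ip := range flagged {
		out = append(out, ip)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("block:", Offenders(SampleAuthLog, 10*time.Minute, 5))
}
```

With a ten-minute window and a threshold of five, only 203.0.113.7 is reported; the once-an-hour root probe from 192.0.2.9 never has more than one failure in any window, which is exactly the slow-and-low pattern a lifetime counter would catch but a window deliberately tolerates, so pair this with the complexity rules the comment mentions rather than relying on it alone.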
when you see the word 'Linux', drink!
My workplace does that lockout after short time-out...it doesn't do much when you have to tape the password on the monitor. It also makes it impossible to gracefully shut down the machine when someone else is logged in. I think the practice is a result of somebody reading Sarbanes-Oxley and freaking out. Can't blame 'em too much; if I had to read SarBox I probably would freak out too.
PAM sucks gonads. Adding huge gaping security holes to please idiots who insist on using horrid crap like PAM would be a political decision. Leaving out security holes because security holes are bad is a technical decision. And if any linux people really wanted nicer PAM integration, they could do it themselves. I hope I don't have to explain the concept of open source to you.
It would help if they required SSH keys plus strong passwords.
This is simply a fact of life. Sure, you can come up with a really long and hard to guess password, but beyond a certain point, you end up with something obnoxious, hard to remember, or something that simply gets cycled about a bunch of places.
Real (cheap and reasonably strong) security requires a mix of keys. For example, a synchronized pseudorandom number generator, a hashed passfile, followed by the standard text password. Still not perfect because the pseudorandom number sequence can be cracked and the hashed passfile (both stored, say, on a USB drive) can be compromised, but a layered approach provides the best blend of ease-of-use and security.
The problem is (especially on a free project like Debian), how do you pay for the (physical) keys and who issues them? Can it be done without unfairly creating a barrier to participation?
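One concrete reading of the layered scheme in the comment above, as an added example that is not the poster's design or anything Debian deploys: the "synchronized pseudorandom number generator" is an RFC 4226 HOTP token (HMAC-SHA1 over a shared counter), the "hashed passfile" is a salted hash of the password held by the server, and a login must satisfy both. The account, password and fixed salt are constructed for the demonstration; the token secret is the RFC 4226 test secret so the codes can be checked against the published vectors. The plain SHA-256 password hash is a stand-in for a slow KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 event-based one-time code: the "synchronized
// pseudorandom generator" is an HMAC-SHA1 keyed with a shared secret and
// driven by a counter that both sides advance.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// Account is the server-side record. PassHash is a plain salted SHA-256 here
// to keep the example short; a real deployment would use a slow KDF (bcrypt,
// scrypt, Argon2) so the hashed passfile is expensive to crack if stolen.
type Account struct {
	Salt      []byte
	PassHash  []byte
	OTPSecret []byte
	Counter   uint64 // next counter value the server expects
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// NewAccount enrols a user with a password and a token secret.
func NewAccount(pw string, otpSecret []byte) *Account {
	salt := []byte("fixed-salt-for-demo") // constructed; use crypto/rand in practice
	return &Account{Salt: salt, PassHash: hashPassword(salt, pw), OTPSecret: otpSecret}
}

// Authenticate accepts a login only when both factors check out. Both are
// always evaluated so a wrong password does not reveal itself by returning
// faster. The counter is resynchronised within a small look-ahead window, and
// on success it moves past the code just used, which defeats replay.
func Authenticate(a *Account, pw, code string, lookahead uint64) bool {
	pwOK := hmac.Equal(hashPassword(a.Salt, pw), a.PassHash)
	otpOK := false
	var next uint64
	for i := uint64(0); i <= lookahead; i++ {
		if hmac.Equal([]byte(HOTP(a.OTPSecret, a.Counter+i)), []byte(code)) {
			otpOK, next = true, a.Counter+i+1
			break
		}
	}
	if !pwOK || !otpOK {
		return false
	}
	a.Counter = next
	return true
}

// Scenario walks one account through four attempts using the RFC 4226 test
// secret so the codes are checkable: a good login, a replay of the same code,
// a correct code with a wrong password, and a good login after the token has
// drifted two steps ahead of the server.
func Scenario() (results []bool, finalCounter uint64) {
	a := NewAccount("correct horse battery", []byte("12345678901234567890"))
	results = append(results, Authenticate(a, "correct horse battery", "755224", 3)) // counter 0
	results = append(results, Authenticate(a, "correct horse battery", "755224", 3)) // replay of a used code
	results = append(results, Authenticate(a, "wrong", "287082", 3))                 // counter 1, bad password
	results = append(results, Authenticate(a, "correct horse battery", "969429", 3)) // counter 3, inside look-ahead
	return results, a.Counter
}

func main() {
	r, c := Scenario()
	fmt.Println(r, "counter now", c)
}
```

The look-ahead window is what makes a counter-based token livable (a few codes burned on the keyboard do not lock the user out), and it is also the knob an attacker with a stolen passfile would lean on, so keep it small.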
There shouldn't be any passworded accounts on a developer machine at all. It should be SSH access via public key only, period end of story. I stopped using remotely accepted passwords over a decade ago. Passwords are only accepted on the console.
Come on, folks. This is UNIX-101. Don't be stupid.
-Matt
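A small audit for the setup the comment above argues for (and for the earlier remark about root logins being allowed by default), as an added example that is neither the poster's nor Debian's: it parses a sshd_config the way sshd does, taking the first value of each keyword and ignoring anything under a Match block, and flags the settings that still let a password or a root login in over the network. Both config texts are constructed for the example. The one non-obvious check is the PAM interaction: with UsePAM on, keyboard-interactive authentication can still prompt for a password after PasswordAuthentication is switched off, so the audit wants ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) off as well.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// WeakConfig is a constructed sshd_config in the spirit of a stock install of
// that era; HardenedConfig is the key-only setup the comment calls for.
const WeakConfig = `# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
`

const HardenedConfig = `# sshd_config (constructed example)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
`

// parse returns the effective global value of each keyword. sshd uses the
// first occurrence of a keyword, so later duplicates are ignored, and
// directives inside a Match block are conditional, so parsing stops there.
func parse(config string) map[string]string {
	vals := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if _, seen := vals[key]; !seen && len(fields) > 1 {
			vals[key] = strings.ToLower(fields[1])
		}
	}
	return vals
}

// Audit returns a sorted list of findings for settings that leave password
// logins (or root logins) reachable over the network.
func Audit(config string) []string {
	v := parse(config)
	var findings []string
	if v["passwordauthentication"] != "no" {
		findings = append(findings, "PasswordAuthentication is not 'no' (defaults to yes)")
	}
	if v["pubkeyauthentication"] == "no" {
		findings = append(findings, "PubkeyAuthentication is disabled")
	}
	// With UsePAM, keyboard-interactive can still prompt for a password even
	// when PasswordAuthentication is off.
	if v["usepam"] != "no" && v["challengeresponseauthentication"] != "no" && v["kbdinteractiveauthentication"] != "no" {
		findings = append(findings, "ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no' while UsePAM is on")
	}
	if r, ok := v["permitrootlogin"]; !ok || r == "yes" {
		findings = append(findings, "PermitRootLogin is yes or unset (unset relies on the build's default)")
	}
	sort.Strings(findings)
	return findings
}

func main() {
	fmt.Println("weak:", Audit(WeakConfig))
	fmt.Println("hardened:", Audit(HardenedConfig))
}
```

Console logins are not sshd's business, so "passwords only on the console" is enforced by leaving the getty/PAM login path alone and closing every network path here; run the audit against the real file and then confirm with a connection attempt that the server offers only publickey.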
Why am I forced to use weak passwords just because some developer somewhere can't figure out how to allow a " or a \ in a string?
Why would you assume there's a stupid developer who can't figure this out? Isn't it more likely the prototype system didn't use an escape mechanism and the developer had one on his TODO list and his manager told him to FUTURE it?
Occam's Razor if you ask me.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The weak password problem is not that hard to avoid. I have created a program that generates all possible 10 character passwords. Then I let all the password cracking programs I've found on the net try to crack all these passwords. Of all possible password the hardest one to crack turns out to be "k7HgfS9Db6". So I always use that password whenever I want be really safe. Everyone should use that one when dealing with sensitive data.