Slashdot Mirror


User: knarfling

knarfling's activity in the archive.

Stories: 0
Comments: 208

Comments · 208

  1. Re:Locks on Book Reviews: Lockpicking Books From Deviant Ollam · · Score: 5, Interesting

    My dad was a locksmith, so I learned a bit here and there about lock-picking as well as physical security.

    It was best expressed to me this way. Most people believe that locks are meant to prevent access. This is incorrect. Locks are there to allow access. After all, if you want to prevent access, build a wall, not a door with a lock. The lock is there to limit access. Ideally, a standard lock limits access to those people with a key or with knowledge of the combination. But a simple lock only prevents access to honest people or to those without the time or desire to enter. (These days, that is a very small segment of the population.) With each group of people that you wish to keep out, the cost of security goes up. Reinforced doors, sturdier frames, multiple locks, higher quality locks, combinations of different types of locks, electronic keys and biometrics are all steps to preventing different groups of people from entering. With each level of security, there is an increased cost, and, with most levels, an increased inconvenience to those who have permission to enter.

    I am sure that most people here know the questions to ask when determining computer security, and the same questions apply to physical security. It comes down to How can someone gain access?, and What am I willing to spend to prevent it?

    I think it is good that these books are published, because many people are clueless about physical security. "Put an expensive lock on it. We should be okay." I was surprised to learn how many of my possessions I kept, simply because it wasn't worth someone's time or effort to steal them.

  2. Re:Shipping analogy on Raided For Running a Tor Exit Node · · Score: 1

    That depends. Did you put the words, "Heroin inside. Handle with care." on the outside of the package? Did it still ship with those words on the box?

  3. Re:Wow! Did you really mark that overated? on Critic Cites Revenge of the Sith As "Generation's Greatest Work of Art · · Score: 1, Offtopic

    I realize that many people over use XKCD comics. But the above comic
    1. was on topic
    2. reflected the general sentiment of this thread
    3. was one I had not seen before
    and
    4. was downright funny.

    With the way it was rated, I am not surprised that the person chose to post it anonymously.

  4. Re:That's ok on No Smiles At NJ Motor Vehicle Commission · · Score: 2
    I am still trying the Steven Wright method. He managed to have his licence photo taken out of focus. That way, when the cops pull him over, they stare at the photo for a second and then say, "Here. You can go."

    Despite my best efforts, I have not been able to accomplish this ... yet.

  5. Re:Ahhh memories! on The History of the Floppy Disk · · Score: 3, Interesting

    You may not have experienced them, but many of us have.

    The magnet issue happened to my supervisor, but I was there at the time. What made it difficult was that he would bring the disks in to the shop completely trashed. It took over a week and 5 sets of replacement floppies before we figured out the trouble.

    Stapling, however, happened to me personally. An office assistant was told to bring the floppy to our shop and was given a paper with our address on it. She was specifically told not to paper clip the address to the floppy so as to prevent bending, so she stapled it. Surprisingly, we were able to gently pry the staple out and recover the data. But it prompted us to have fun with other customers. We took a bad floppy, put it in the protective sleeve, covered it with a piece of paper that said "Important Data. Do NOT erase" and stapled it to the disk and sleeve about 20 times. We then placed it out on the counters next to the demo machines and counted how many people tried to slide the disk out of the sleeve. Several people asked us if we could put it in to see what was on the disk, a few tried to slide it out, and at least four tried to put the disk, sleeve, staples and paper into the drive.

    My favorite experience happened when someone tried to return a game as defective. He stated that it worked the first time, but he took it to a friend's house and it didn't work. When he brought it home, it didn't work. When I asked him if I could see the disk, he took it out of his shirt pocket and unfolded it. It was still in the sleeve. I put my hands behind my back and asked him to turn the disk over and read the warning on the back of the sleeve. When he got to the "Do Not Bend" warning, he looked up and said, "That's probably why it doesn't work, isn't it?"

  6. Fredric Brown on Ask Slashdot: Most Underappreciated Sci-Fi Writer? · · Score: 4, Insightful
    As a kid, I loved many of the Fredric Brown short stories. It amazed me that most of them were written in the '50s. He explored concepts such as time travel, alien visitors, immortality and power in short stories that were amazing. I loved this beginning (and ending) to "Knock."

    The last man on Earth sat alone in a room. There was a knock on the door...

    One of his more famous stories, Arena, was made into a Star Trek episode, although I liked the story better. My favorite story is just a few paragraphs about a man who invents a machine to manipulate time.

    Fredric Brown helped me to understand how limited my imagination really was and prompted me to expand it. What is more amazing to me is how well these stories still hold up today.

  7. Re: Cell Phones in 1948 on Sci-Fi Writers of the Past Predict Life In 2012 · · Score: 1

    Space Cadet, written in 1948, had a throw-away line about cell phones as well. The protagonist is standing in a line and gets a call from his father. Someone else in the same line notices and asks if it was family calling. When confirmed, the second person claims that he stowed his phone in his luggage to prevent such calls.

    When I first read this story as a child, I wondered about how long the phone cord would have to be. It wasn't until several years later, when cell phones did arrive, that I realized how limiting my view was. I assumed that because he used the word "phone" that it was like the old AT&T desk phones that I knew about. Later, when I talked to my brother about this, he claimed that he always pictured a walkie-talkie type of device that happened to be called a "phone."

    Heinlein always had some good predictions as well as some strange blind spots about the future. In one book he talks about mag-lev type trains, food dispensers, and space travel, but at the same time, the protagonist cooks on a wood-fire stove, and computers are programmed from a set of paper books by flipping switches.

  8. Re:Oracle? No thanks. on CowboyNeal Reviews Oracle Linux · · Score: 1

    Poorly implemented?? How can you say that? Is it because when you try to install an older version of their middleware on a newer OS it complains because of the name of the screensaver? Or because they hide their log files in so many different places that you have to play "Where's Waldo" to troubleshoot anything?

    But they have gotten better, haven't they? They used to complain when you installed their software that the account wasn't named "root." It didn't matter if the account had the permissions that were needed, it just had to have the right name. Now they let you install it if the account has the permissions it needs. I admit that they are still working on running their software on a non-login account, but they will get there...in a few years or so.

  9. High School on Ask Slashdot: Teaching Chemistry To Home-Schooled Kids? · · Score: 1
    I didn't get involved in chemistry until high school where there was a proper lab. I had tons of fun as well. When the teacher was having us heat salt to show the difference between ionic and covalent bonds, I was using the Bunsen burner as a blow torch to melt the salt into a slag. When we mixed chemicals to make "cold light," I managed to send a pool of fire down the drain just in time for the teacher to see it, but not who did it.

    Although I must have had chemistry in lower levels of school, it must not have made much of an impression on me, because I cannot remember it. It didn't turn me off to chemistry, though, because I had so much fun in high school.

    My advice? Don't try to do too much this early. Focus on simple chemical reactions and safety. (Rule 1. Hot glass looks exactly the same as cold glass.)

  10. Re:Sounds like they'd be right at home in the GOP on Indian Man Charged With Blasphemy For Exposing "Miracle" · · Score: 1
    Wrong on sooo many levels

    - Women cannot ascend to the "highest level" unless dragged there attached to a man.

    You forgot: Men cannot ascend to the "highest level" unless dragged there attached to a woman. Perhaps you should check out The Family: A Proclamation to the World to see what the "LDS 'religion'" really believes rather than what you claim they believe.

    Although many women do wait to go through the temple until they get married, it is not a requirement. Many women choose to go through the temple long before they get married. Having children has NEVER been a requirement to become "garmented"

    And, for the record, the world's oldest and largest women's organization was founded in 1842 by the LDS church. And Utah granted women full voting rights in 1870 while they were still a territory. Although the US government tried to take away those rights, when Utah was admitted into the union in 1896, women had full voting rights again. Most states east of the Mississippi River did not give voting rights to women until forced to by the 1915 passage of the 19th Amendment. But yeah, those mormons always thought women were second class citizens that shouldn't vote or work. Keep believing that if it makes you feel better.

  11. Re:Criminal charges vs. civil suit on Court Rules Code Not Physical Property · · Score: 1

    Well, it absolutely does not beg the question

    Just in case you did not know, "begging the question" is a bad translation of the Latin phrase Petitio Principii. A literal translation might be "begging or taking for granted of the beginning of a principle." Another translation might be "demanding the postulate."

    We keep harping on people for incorrectly using an incorrect translation because people have been using it incorrectly for years. "Tradition: Just because you've always done it that way doesn't mean it's not incredibly stupid."

  12. Re:No Source? on VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor · · Score: 3, Informative

    The WSJ has an updated story here. http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=WSJ_hp_LEFTTopStories
    From the link, Global Pay seems to be the processor, and it appears that only 26,094 VISA cards were affected. It did not mention how many MasterCard cards were affected. While that is a lot, it is nowhere near the 10 million speculated.

  13. Re:Applications Don't Matter Anymore on Why Linux Can't 'Sell' On the Desktop · · Score: 1

    There are no virus worries. Because so few people on the planet use Linux as their desktop that no sane virus writer would even bother. Get yourself any appreciable market share and watch that change in a nanosecond.

    Not quite true. You see, Linux has a feature that prevents programs from automatically changing system properties without human interaction. Yes, you can trick someone into running a virus by asking them to run a program that they downloaded, but you can't automatically run a virus just by loading a picture file, or by loading a document. (Actually you can get a kernel mod that will let viruses do that and it is a required feature of most Linux virus scanners. So the people least protected on Linux are the ones running the virus scanner.)

    Does market share have anything to do with the fewer viruses for Linux? Yes, it does.
    Does the fact that it is much harder for a virus to spread itself around also have something to do with the fewer viruses? Yes, it does.
    Which one has the bigger effect? I have no clue.

  14. Re:Pi? on 10 Ways To Celebrate Pi Day · · Score: 1

    Go for broke and bake a cake shaped like pi. See how many people get confused.

  15. Anyone going to bake a Pi-cake? on Pi Day Is Coming — But Tau Day Is Better · · Score: 1

    I recently saw an image of a Pi-Cake with the caption, "It's cake. But it's pi. But it's CAKE. But it's PI. BUT IT'S CAKE!!!"

    After a little research, I even found a recipe for pi-cake. Pi-Cake
    While an irrational pursuit, it looks to be a tasty one. Anyone thinking about making one?

  16. The Rye or the Kaiser on Eye of Tiger Composer Sues Gingrich To Stop Campaign From Using Song · · Score: 5, Funny

    Maybe he should try Weird Al's "Theme from Rocky XIII(The Rye or the Kaiser)". Not only is it more appropriate, Weird Al might let them use it for free.

  17. Signal Partially Translated on No, SETI Has Not Detected Alien Signals From Space · · Score: 5, Funny
    I have managed to obtain a copy of the signals and have partially translated them. Some of the concepts are untranslatable and I am not completely sure about the things I was able to translate, but here is what I have so far.

    My fellow [untranslatable]. It is [concept of time] for [choosing/electing] supreme [unknown concept]. My [friend/acquaintance/opponent] is a [feeble-minded/stupid] [weak/ineffective] [some sort of insect]. [Reminds me/makes me think] of a [not sure here, might be human]. I [pledge/promise] a [small animal] in [each/all/every] [cooking container]. I will [reduce/lower] [required payments/taxes]. [Elect/vote for] Kodos in [unknown time].

    Hmmm .... seems like a political speech. No intelligent life out there after all.

  18. Re:Not unexpected... on Hobbit Film Trailer Posted Online · · Score: 2

    "An Unexpected Journey" was one of the working titles that Bilbo considered as he was writing all his notes.

  19. I have to agree on Hobbit Film Trailer Posted Online · · Score: 1
    First, I liked the LOTR movies, and I was fine with many of the changes. But Jackson did change the entire premise of the books.

    The basic premise, IMHO, was not that little people are better than big, famous ones, or that big, famous people can do great things, but that little, ordinary people can do great things even when great people are doing great things all around them. The hobbits were not the only ones doing essential and great actions. In terms of both character development and world altering actions, many people were involved. The movie concentrated more on Aragorn's actions and his choice to be king. As such, some scenes, like the Arwen and Aragorn discussion in Rivendell were added to the movie to help us see more of Aragorn's character development.

    One of the reasons people do not like the fact that "The Scouring of the Shire" was left out was that this scene was the ultimate "we've grown up and can handle problems on our own." The barrow-wights and Tom Bombadill represented their earlier growth and learning that they can grow up even though they still needed help at that time.

    One of my minor pet peeves is that, in a couple of cases, the movies were not even consistent with its own story. When Merry and Pippin drank the Ent draughts, they grew both in character and in height. The physical growth was a representation of their character growth. They took matters into their own hands to convince the Ents to fight. The movies, while they did not emphasize the character growth, did mention their growth in stature. But at the end, when the hobbits were all together again, they were exactly the same height as before. A minor and probably a very petty point, but one that bothered me a little.

    Again, I liked the movies, and will probably see both Hobbit movies, but I can understand why some people were very disappointed while others were mildly disappointed and others were not disappointed at all.

  20. Re:Business planning on The Four Fallacies of IT Metrics · · Score: 1

    That does beat (by a whisker) "My floppy doesn't work." "Give it here and I'll see what I can do, then." ... User takes floppy out of wallet and unfolds it.

    Yep. Had that one. Rounding out the top five include keeping the 5 1/4" floppy safe by putting it on the side of the safe and using a magnet to hold it in place, trying to remove several floppies from one drive because when the instructions said to insert the second floppy, it never said to remove the first one, and prying a staple from a 5 1/4" floppy because one shouldn't use a paper clip to hold a piece of paper next to it.

    On a side note, no longer relevant, when one heard the phrase, "you need to clean your disk," that usually meant cleaning the disk drive. One should not slice open the cover of a 5 1/4 floppy, remove the mylar film and wash it with dish soap before carefully replacing it and taping the cover closed. Repeated washings do tend to shorten the life span of the floppy, as well as increase the risk of creasing the mylar film and making the disk unreadable.

  21. Re:Sleep well at night. on Duqu Attackers Managed to Wipe C&C Servers · · Score: 2

    There are several ways that this is safer.
    1. It removes the known user problem. Since root is a user on all Linux boxes, if I want access, all I have to do is to find a password. I only have to discover one piece of information. If root cannot log in, I must now find three pieces of information, a username, a password for that user, and the root password.
    2. It discourages scripting attacks. Since root cannot get in, I would need to modify my script to try common usernames, or try specific usernames for each company or server I am attacking. While this does not block attacks that are targeted directly against me, script writers going after the easy targets are unlikely to spend the time needed to figure out what usernames are valid for my servers.
    3. If I do breach a computer with a specific username, I now have two avenues of approach. I can try to exploit another hole that allows privilege escalation, or try to determine a root password. Guessing, using dictionary attacks/rainbow tables, or brute force methods take time. This increases the odds of being detected by Host Integrity Monitors (if they are being used). There is no guarantee that the software with an exploit is deployed on that server, or that the user I have compromised has access to that software.
    4. Logging. Instead of one part of a log that might be missed showing that I logged in as root, I now have multiple log entries. At least one showing that I logged in as a normal user, and another showing that the user had escalated privileges. Again, increasing the odds that I will get caught. Hopefully before I can do any damage.
    5. Although this does not appear to be common, at least one company I know has monitoring set up to detect root access. A second local account is set up with root privileges. Admins sudo to the second account and only admins have rights to sudo su to it. The root is given a very, very complex password that is hidden. Traps are placed so that all admins are alerted if anyone at all logs in as root. If I get an alert in the day that someone is logging in as root, I can check with other admins to see who is doing what. If I get an alert at night, I can guess that my server has probably been breached and I can take appropriate steps. I don't get alerts for normal occasional root functions, but if someone does breach my servers, I know before they can do much.

    These are just a few ways that using a normal user and then forcing su or sudo to root is safer. There might be more that I don't remember at the moment. BTW, this does not prevent all attacks, but it does help.

  22. Re:Sleep well at night. on Duqu Attackers Managed to Wipe C&C Servers · · Score: 1

    From the article it appears it had nothing to do with whether or not root login is turned on.

    Sorry, but the logs from both servers in the article (second link) do show that they both accepted a password for user=root from a remote IP address. That doesn't happen when sshd_config is set to prevent remote root logins. The sshd logs should show a normal user logging in. The secure logs should then show the su or sudo with privilege escalation.

    Even though OpenSSH runs as root, that does not mean that anyone who connects in has root privileges. If the exploit allowed someone to connect in as root when PermitRootLogin is set to no, that would be very, very scary.

    BTW, I am not claiming that there is no exploit or that they did not use one. It seems very possible that they could have used the exploit to gain access the first time, changed or found a way to guess the root password and then logged in as root from then on. On the server from 2009, it appears that they did not do that since there were several bad password attempts for user=root before they got in. But they could have done it on the other server.

    A more proper way to do things is to force a VPN scenario to manage your servers. Try to run known proven VPN hardware from major vendors (such as Juniper and Cisco) where the hardware they use is special purpose (and not running a lot of extra fluff), which limits your attack surface. Then you enable management of your machines via the VPN.

    A good VPN is definitely a good idea for the first line of defence. But that should not be all. Some people cannot afford the VPN hardware, and have to make do without it. Even with it, you should still limit remote root access. That makes a breach that much harder to accomplish. At my company, we happen to use both. In addition, we have monitoring set up so that even if someone does access the root user, we get alerts.

  23. Re:Sleep well at night. on Duqu Attackers Managed to Wipe C&C Servers · · Score: 2

    4. Change PermitRootLogin to no. If you must have remote root access, make them log in as a normal user and su to root. (Better yet, set up sudo and control who can do what.)

  24. Re:Points 4. and 5... on Duqu Attackers Managed to Wipe C&C Servers · · Score: 1

    That was my question!! The second one being, "Why wasn't PermitRootLogin turned off?" One of the first things I do when setting up a new server is verify that the root cannot get in remotely. As soon as there is any kind of user authentication set up and a user either set up or can log in, PermitRootLogin is set to no. From then on, admins wanting remote access with root privileges must log in as a user and either use sudo (preferably) or su. I even have the server email a group if someone does an su to root or logs in as root from a console.

    I don't expect everyone to be able to set up that kind of monitoring, but allowing remote root logins is just asking for trouble.
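    Comments 21 through 24 above describe the same defensive pattern: set PermitRootLogin to no in sshd_config, make admins log in as a normal user and sudo or su to root, and alert on any root login or escalation so a breach shows up in the logs before much damage is done. The following Python script is an added example, not knarfling's code or anything from the Duqu article: it audits an sshd_config fragment for the PermitRootLogin setting and runs the kind of log check comment 24 describes over a few constructed auth-log lines. The config text, hostnames, usernames and the 203.0.113.x / 198.51.100.x addresses are constructed sample data, and the severity labels are this example's own choice.

```python
import re
from collections import Counter

# Constructed sshd_config fragments (not from any real host). The weak one shows
# a trap: sshd uses the FIRST value it sees for a keyword, so the later
# "PermitRootLogin no" never takes effect and the commented line is ignored.
WEAK_SSHD_CONFIG = """\
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""


def audit_sshd_config(text):
    """Return a list of findings about PermitRootLogin; an empty list means it is explicitly 'no'.

    Only the global section is examined; Match blocks are not evaluated here.
    """
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments so commented-out defaults don't count
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin" and value is None:
            value = parts[1].strip().lower()  # first occurrence wins, as in sshd itself
    if value is None:
        return ["PermitRootLogin not set: the compiled-in default applies, remote root login is not explicitly disabled"]
    if value == "yes":
        return ["PermitRootLogin is 'yes': root can authenticate remotely"]
    if value == "no":
        return []
    return [f"PermitRootLogin is '{value}': root can still log in remotely with a key"]


# Constructed auth-log lines in the common syslog format written by sshd, su (via PAM) and sudo.
SAMPLE_AUTH_LOG = [
    "Nov  1 02:12:58 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51422 ssh2",
    "Nov  1 02:13:10 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51422 ssh2",
    "Nov  1 02:13:44 web1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51422 ssh2",
    "Nov  1 09:15:01 web1 sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2",
    "Nov  1 09:15:20 web1 su[2240]: pam_unix(su-l:session): session opened for user root by alice(uid=1000)",
    "Nov  1 09:16:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
]

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SU_OPEN = re.compile(r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user (\S+) by (\w+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def scan_auth_log(lines):
    """Return (severity, message) alerts: remote root logins are critical, su/sudo to root are logged
    so the normal-user login and the escalation appear as the two entries comment 21 describes."""
    alerts = []
    failed_root = Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":  # should never happen once PermitRootLogin is no
                alerts.append(("critical", f"remote root login via {method} from {src}"))
            continue
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            if user == "root":
                failed_root[src] += 1  # password guessing against root, counted per source
            continue
        m = SU_OPEN.search(line)
        if m:
            target, origin = m.groups()
            if target == "root":
                alerts.append(("notice", f"su to root by {origin}"))
            continue
        m = SUDO_CMD.search(line)
        if m:
            who, target, cmd = m.groups()
            if target == "root":
                alerts.append(("info", f"sudo by {who} as root: {cmd}"))
    for src, n in failed_root.items():
        alerts.append(("warning", f"{n} failed root password attempts from {src}"))
    return alerts


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("config:", finding)
    for severity, msg in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{severity:8} {msg}")
```

    On a real host the log lines would come from /var/log/auth.log or /var/log/secure and the alerts would be routed to the admin group's mail or pager; the "critical" entry is the one that should only ever fire when something is wrong, because with PermitRootLogin set to no sshd never writes an "Accepted ... for root" line at all.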

  25. Top 3 ... on Qualcomm's Butterfly Wing Display Gets Nearer · · Score: 3, Insightful

    What are the 3 scariest things to a SysAdmin?

    1. An Electrical Engineer with a software patch.
    2. A Programmer with a soldering iron.
    3. A user with an idea.