[plug] Is Red hat truly flawed?

Christian christian at amnet.net.au
Wed May 3 10:17:45 WST 2000


On Tue, May 02, 2000 at 02:27:58PM +0800, Leon Brooks wrote:
> Christian wrote:
> > console access is hard to defend
> > against when faced with severe threats.
> 
> chmod 600 /etc/lilo.conf
> ed /etc/lilo.conf <<EOF
> i
> password=g0bbl3dyg00k
> restricted
> .
> w
> q
> EOF
> lilo -v
> 
> End of problem.

Really?  I don't think so, and neither do the people I've seen discuss
this on about half a dozen lists over the past six months (when will
people get over this??).  The simple fact of the matter is that physical
access can be very hard to defend against when faced with a severe
threat.  Restricting boot images under LILO does not stop things like
booting off a floppy.  This in turn can be solved by changing the BIOS
and by password-protecting the BIOS.  This can be gotten around any
number of ways, from flushing the CMOS to pulling the hard disk out of
the machine.  Still, you can always stop this by bolting the machine
closed, and then someone just finds a pair of bolt cutters.  This can be
solved with an armed guard, who can be dealt with by more heavily armed,
better trained mercenaries, etc. etc.  As soon as you solve one problem,
another arises.  Most people can accept that their physical threat is
not so severe that they need a platoon of ex-Navy SEALs, so they might
be happy with bolting a machine shut, but, as I've already said, it all
depends on the threats you face.  Securing LILO certainly helps, but it
doesn't necessarily protect you against all the threats you may face.
Therefore most people accept that when an attacker has physical access,
all (technical) protections may be of limited use, the only possible
exception being the use of strong cryptography.

 
> > It's a pity that bcrypt hasn't been
> MD5 has, and does a wizard job.

Not really.  MD5 is a reasonable, short-term solution, but if someone
gets hold of your shadow file, having MD5 will not give you that much
protection against poorly chosen passwords.  It's certainly not in the
same league as bcrypt.

Regards,

Christian.
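The point Christian makes about bcrypt is that its cost is adjustable and recorded in the hash itself, whereas MD5-crypt is fixed at 1000 rounds, so a stolen shadow file only gets harder to guess against if the scheme lets you raise the work factor. The following example is added here and is not code from the thread; since bcrypt is not in Python's standard library it uses PBKDF2-HMAC-SHA256 as the adjustable-cost stand-in, with a self-describing hash format and a policy constant (TARGET_ROUNDS) that are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Constructed, self-describing hash format in the spirit of bcrypt's
# "$2a$<cost>$..." strings.  PBKDF2-HMAC-SHA256 is a stand-in for bcrypt.
SCHEME = "pbkdf2-sha256"
TARGET_ROUNDS = 200_000  # assumed site policy; raise it as hardware gets faster


def hash_password(password, rounds=TARGET_ROUNDS, salt=None):
    """Return '$scheme$rounds$salt_hex$digest_hex'; the cost travels with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"${SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute using the rounds recorded in the stored string; constant-time compare."""
    _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored, target_rounds=TARGET_ROUNDS):
    """True when the stored cost is below policy: re-hash at the user's next login."""
    return int(stored.split("$")[2]) < target_rounds


def guesses_per_second(rounds, samples=20):
    """Rough offline guessing rate someone holding the hash file gets on this CPU."""
    salt = b"\x00" * 16  # fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), salt, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # 1000 rounds mirrors MD5-crypt's fixed iteration count; TARGET_ROUNDS is tunable.
    for r in (1000, TARGET_ROUNDS):
        print(f"{r:>7} rounds: ~{guesses_per_second(r):,.0f} guesses/s per core")
    old = hash_password("hunter2", rounds=1000)
    print("stored at 1000 rounds, needs rehash:", needs_rehash(old))
```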
