[plug] Is Red hat truly flawed?

Scott, Simon Simon.Scott at SEALCORP.com.au
Wed May 3 10:21:32 WST 2000


And again (someone asked before I believe), what is stopping someone from
'bcrypting' their dictionary and getting the easy passwords? Am I wrong in
assuming that in this circumstance it is as secure as any other
non-reversible hash function?

 "With all the security bugs in JavaScript and all the pages that use
  it, a lot of sites are best viewed with telnet www.something.com 80"
                                                       -- Darren Embry
> ------------------------------------------------------
>  Simon Scott
>  DBA
>  Sealcorp Holdings Limited
>  Perth, WA
>  e-mail:  simon.scott at sealcorp.com.au
>  phone:  08 9265 5648
> ------------------------------------------------------
> 
> 


> -----Original Message-----
> From: Christian [mailto:christian at amnet.net.au]
> Sent: Wednesday, 3 May 2000 10:17
> To: plug at plug.linux.org.au
> Subject: Re: [plug] Is Red hat truly flawed?
> 
> 
> On Tue, May 02, 2000 at 02:27:58PM +0800, Leon Brooks wrote:
> > Christian wrote:
> > > console access is hard to defend
> > > against when faced with severe threats.
> > 
> > chmod 600 /etc/lilo.conf
> > ed /etc/lilo.conf <<EOF
> > i
> > password=g0bbl3dyg00k
> > restricted
> > .
> > w
> > q
> > EOF
> > lilo -v
> > 
> > End of problem.
> 
> Really?  I don't think so and neither do the people I've seen discuss
> this on about half a dozen lists over the past six months (when will
> people get over this??).  The simple fact of the matter is that physical
> access can be very hard to defend against when faced with a severe
> threat.  Restricting boot images under LILO does not stop things like
> booting off a floppy.  This in turn can be solved by changing the BIOS
> and by password-protecting the BIOS.  This can be gotten around any
> number of ways from flushing the CMOS to pulling the hard disk out of
> the machine.  Still, then you can always stop this by bolting the
> machine closed and then someone just finds a pair of bolt cutters.  This
> can be solved with an armed guard who can be dealt with by more heavily
> armed, better trained mercenaries etc. etc.  As soon as you solve one
> problem, another arises.  Most people can accept that their physical
> threat is not so severe that they need a platoon of ex Navy SEALs so
> they might be happy with bolting a machine shut but, as I've already
> said, it all depends on the threats you face.  Securing LILO certainly
> helps but it doesn't necessarily protect you against all the threats you
> may face.  Therefore most people accept that when an attacker has
> physical access, all (technical) protections may be of limited use.  The
> only exception possibly being use of strong cryptography.
> 
>  
> > > It's a pity that bcrypt hasn't been
> > MD5 has, and does a wizard job.
> 
> Not really.  MD5 is a reasonable, short-term solution but if someone
> gets hold of your shadow file then having MD5 will not give you that
> much protection against poorly chosen passwords.  It's certainly not in
> the same league as bcrypt.
> 
> Regards,
> 
> Christian.
> 

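Simon's question (what stops someone from "bcrypting" a dictionary?) and Christian's MD5-versus-bcrypt point, illustrated with an added example that is not from this thread. It uses a constructed salted, cost-parameterised scheme that mimics the shape of a bcrypt entry (cost, per-user salt, slow iterated digest) but is neither bcrypt nor MD5-crypt; it shows why a pre-hashed dictionary cannot be reused across users and how the cost factor scales the work of an offline guessing attack on a leaked shadow file.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the structure of a bcrypt entry. It is not bcrypt
# and not MD5-crypt; it exists only to show why hashing a dictionary against a
# salted, cost-parameterised file is possible but expensive.

def slow_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Iterate SHA-256 2**cost times over the salted password."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(2 ** cost - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest

def make_entry(password: bytes, cost: int, salt=None) -> str:
    """Store cost and salt next to the digest, as bcrypt's $2a$NN$... does."""
    if salt is None:
        salt = os.urandom(16)   # fresh per user, so two users with the same
                                # password still get different entries
    return f"{cost}${salt.hex()}${slow_hash(password, salt, cost).hex()}"

def verify(password: bytes, entry: str) -> bool:
    """Recompute with the stored cost and salt, then compare in constant time."""
    cost, salt_hex, digest_hex = entry.split("$")
    calc = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))

def dictionary_attack_hashes(n_users: int, dict_size: int, cost: int) -> int:
    """Primitive hash calls needed to try every dictionary word against every
    user in a leaked, per-user-salted file. The salt forces the dictionary to
    be re-hashed for each user; the cost factor multiplies every guess by
    2**cost, so raising the cost by one doubles the attacker's total work."""
    return n_users * dict_size * 2 ** cost

if __name__ == "__main__":
    e1 = make_entry(b"password", cost=6)
    e2 = make_entry(b"password", cost=6)
    print("same password, different entries:", e1 != e2)
    print("verify correct / wrong:", verify(b"password", e1), verify(b"Password", e1))
    for cost in (6, 10, 12):
        print(cost, dictionary_attack_hashes(100, 10_000, cost))
```

The attack is not prevented, which is Simon's point; what changes is that the per-user salt removes the "hash the dictionary once" shortcut and the cost factor sets the price of each guess, which a fixed-cost scheme cannot do.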