From: Ray Olszewski <ray@comarre.com>
To: linux-newbie@vger.kernel.org
Subject: Re: root password
Date: Fri, 01 Apr 2005 10:23:56 -0800
Message-ID: <5.1.0.14.1.20050401095907.01f50b78@celine>
In-Reply-To: <200504011055.44030.eric@cisu.net>

At 10:55 AM 4/1/2005 -0600, Eric Bambach wrote:
>On Wednesday 30 March 2005 08:36 am, Ray Olszewski wrote:
> > Any other suggestion of how to become root without knowing the root
> > password is a technique for breaking into systems, and I (and I hope
> > everyone else) will not give advice on that publicly, in this forum or
> > anywhere else.
>
>I respectfully disagree. How will sysadmins ever know how to secure their
>systems unless they know HOW break-ins occur. Certainly most hacking doesn't
>come from boot CDs but having a more informed sysadmin is infinitely better
>than one that only discovers how to make their system more secure *AFTER*
>being broken into.
>
>What you are saying is that security through obscurity is good and there have
>been countless rebuttals on just how horrible security through obscurity is in
>99% of the situations. The only reason for S.T.O. is a company that found an
>exploit and is giving lead-time to the vendor to patch their vulnerable
>software.

I wasn't quite saying that, and I apologize if my abbreviated presentation
led you down that path. My reluctance was specific to this context, in
which someone was asking not how to secure a system, but how to become root
without knowing the root password. That it was his own system he wanted to
break into certainly is relevant, but, on a public list, it is not the only
consideration.

I do believe that sysadmins need to know how to secure their systems. There
are plenty of sites on the Internet, and books and articles in print, that
offer this sort of help. And one can learn how to secure systems without
receiving detailed tutorials in how to exploit common holes (buffer
overflows, overprivileged daemons, weak passwords, and so on).

But I also believe that giving step-by-step instructions for how to break
into systems, on a list intended for beginners, is not the best way to make
this information public. That sort of help is a bit more than fighting
"security through obscurity" by identifying vulnerabilities, in my opinion
... it amounts to tutoring crackers, something I personally do not care to
do. Particularly in the context of the actual question, which involved a
system that the poster (presumably) had physical access to, so could retake
control of with a rescue disk.

If you (and Tobias, and anyone else) feel differently, then you should act
on your beliefs and provide this sort of information on request, I suppose.
So I do apologize for the suggestion that my personal view here should
restrict what you and others do. Please feel free to provide any
information of this sort that you have, and be sure I will not criticize
you for doing so.