
Re: Mutt & tmp files



* Wade Richards <wrichard@direct.ca> [2001.11.15 22:17:39-0800]:
> This is the sort of absolutist nonsense that gives security experts a
> bad name.  After all, anyone armed with a chainsaw can cut through a
> solid oak door in a matter of hours, so why bother installing a deadbolt
> on your door?

get a steel door. look, the point is not physical console security,
cause as soon as you get physical, there is nothing to stop you. but
from the network or on the machine, there is security, and every step
is necessary. i find that security experts are getting their name
through people who read bugtraq and happily install patches, then call
their system safe because other people think it's safe. if you don't
take everything into account, you aren't a security expert. thoughts
towards modified mutt/gpg, ttysniffers, and other such methods are
necessary if you are a security expert, and they are what
distinguishes you from a pop-security float-along.

> For example, I'm root on my machine.  I'm nosy.  I'd like to know what
> the people who use my machine are saying about me in e-mail.  If I can
> grab the contents of a file from /tmp, I just might do that.

which is very illegal. remind me to never get an account on a system
you have root access to.

> But I'm also lazy.  I'm not going to spend hours or weeks writing code to
> install a tty sniffer, find enough disk space for the logs, and search
> through the log files for something interesting.  I'm a nosy root,
> I'm not a masochistic root.

so? it's possible and therefore should be considered.

> Also, what makes you think root "knows what he's doing?"  I suspect that
> many people with the "root" password could not install a tty sniffer or 
> any other spying tool unless they could type "apt-get install ttysniffer".

then you shouldn't be on his/her system. period.

do you even know what a hacker is? a security expert who isn't a
hacker should possibly consider politics...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
weekend, where are you?
