Re: join us!
> OK, 2 to 5 minutes downtime to disable. Big Whoop. Maybe should be
> done. But, have you ever tried to administer 200 computers? How many
> people know the BIOS password? Do the primary users know it? Can they
> reboot their own machine? Does an administrator have to visit every
> machine every time it needs to be rebooted? Do you write down lists
> of 200 passwords?
I never said it was a great solution, but due to the crapulent management
nature of PC hardware there isn't much choice. Deal with it. Set BIOS
passwords, and yes, I guess you need to write them down. If a machine needs
to boot from removable media then chances are you need a tech to visit and
fix it. Of course there are large lists of default BIOS passwords floating
around too :P. You can't exactly blame me for something the PC industry
decided to do years ago.
> This is actually one of only two reasonable points in the discussion.
> The other point was that better documentation is needed.
Better documentation is ALWAYS needed. I should know, I spend a lot of time
writing Linux security documentation and publishing it online for free; as
far as I know I'm the only game in town (with a minor exception being a
Red Hat install/security guide in PDF, URL escapes me at the moment).
> I take it then that you have now retracted the version-itis
> (use the latest version no matter how many new holes may have been
> introduced) argument. I see no mention of the "I didn't install
> MD5 because I can't read recommendations during the setup process", so,
> are we down to nothing but the LILO setup? (And the need for more
Actually no, I am still annoyed with Debian's versioning (lack of) and
making major software changes without really changing version numbers.
My point on MD5/crypt is crypt is the default, and most users would read the
text and be scared off of MD5. Red Hat for example makes MD5 and shadow the
default, you have to go choose them and disable them if you do not want them
(meaning most Red Hat users install with shadow and MD5).