
Re: Debian Investigation Report after Server Compromises



on Mon, Dec 08, 2003 at 11:13:07PM +0000, Colin Watson (cjwatson@debian.org) wrote:
> On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote:
> > After reading a few more responses, I realize that of course a debian
> > developer's machine could get compromised.  I guess I just thought they
> > were infallible *grin*
> > 
> > Now, the real question is, what exploit was used to get onto that dev's
> > machine in the first place?
> 
> My understanding is that the developer's account on the machine in
> question had been disused for some time, and that the machine wasn't
> very well-maintained. It could have been any one of a dozen local root
> exploits that have been known for some time. I think they investigated,
> but the results weren't particularly earth-shaking.

Any indication of whether or not this was a local system or a remote
system?

I understand that password reuse was part of the problem -- the
developer's password(s) on the initially compromised box matched
password(s) used on other systems.


I strongly recommend the use of password generation tools such as pwgen,
gpw, or the PalmOS Cryptinfo program, and use of an encrypted archive
for password storage -- again, Cryptinfo, which can be used both on
handheld or via JPilot -- or an encrypted textfile for which Joey Hess
posted a cool vim hack some time back.

I've tested output of pwgen for uniqueness (a measure of strength of the
passwords generated).

One such test:

    pwgen 8 100000 | sort | uniq -c | wc -l

...which generates 1 million passwords, and checks to see how many are
unique.  I typically see 98.7% using pronounceable passwords, far better
when using fully random ones or longer keys.  The pronounceable
passwords are relatively memorable.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    "What's so unpleasant about being drunk?"
    "You ask a glass of water."
    -- HHGTG
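The uniqueness test described in the message above (generate a large batch of passwords, count how many are distinct), as an added Python example that is not part of the original post or of pwgen. Both generators here are toys constructed for illustration and are not pwgen's algorithm; the example also goes one step beyond the post by inverting the expected-distinct formula for uniform sampling to turn an observed uniqueness fraction into an estimate of the generator's effective keyspace in bits, which is the quantity the uniqueness measurement is really a proxy for.

```python
"""Measure a password generator's output for uniqueness, the way
`pwgen 8 100000 | sort | uniq -c | wc -l` does, and turn the observed
fraction into an estimate of the generator's effective keyspace.

The two generators below are toys constructed for this example; they are
NOT pwgen and make no claim about pwgen's internals.
"""
import math
import random
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"
RANDOM_ALPHABET = string.ascii_letters + string.digits


def random_password(length, rng=secrets):
    """Fully random password: every character drawn uniformly from 62 symbols."""
    return "".join(rng.choice(RANDOM_ALPHABET) for _ in range(length))


def pronounceable_password(length, rng=secrets):
    """Toy 'pronounceable' generator: strict consonant/vowel alternation.
    The structure that makes the result memorable also shrinks the keyspace
    (20 consonants * 6 vowels per pair instead of 62 * 62)."""
    return "".join(
        rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def uniqueness(passwords):
    """Fraction of distinct strings: the Python equivalent of sort | uniq | wc -l."""
    return len(set(passwords)) / len(passwords)


def expected_uniqueness(space_size, n):
    """Expected distinct fraction when n samples are drawn uniformly from
    space_size equally likely strings:  S * (1 - (1 - 1/S)^n) / n.
    expm1/log1p keep this accurate when 1/S is far below float precision."""
    return space_size * -math.expm1(n * math.log1p(-1.0 / space_size)) / n


def effective_keyspace(n, unique_frac):
    """Invert expected_uniqueness (which increases with S) by bisection on log2(S).
    Returns inf when no collision was seen: the sample only gives a lower bound."""
    if unique_frac >= 1.0:
        return math.inf
    lo, hi = 0.0, 256.0  # search window for log2(space size)
    for _ in range(200):
        mid = (lo + hi) / 2
        if expected_uniqueness(2.0 ** mid, n) < unique_frac:
            lo = mid
        else:
            hi = mid
    return 2.0 ** ((lo + hi) / 2)


def measure(generator, length, n, seed=None):
    """Generate n passwords; return (observed uniqueness, estimated keyspace bits).
    A seeded random.Random is used only for reproducible measurement; real
    password generation should keep the default `secrets` source."""
    rng = random.Random(seed) if seed is not None else secrets
    pws = [generator(length, rng) for _ in range(n)]
    frac = uniqueness(pws)
    return frac, math.log2(effective_keyspace(n, frac))


if __name__ == "__main__":
    n = 100_000
    for name, gen, length in [("random", random_password, 8),
                              ("pronounceable (toy)", pronounceable_password, 6)]:
        frac, bits = measure(gen, length, n)
        print(f"{name:20s} len={length} unique={frac:.4%} ~keyspace=2^{bits:.1f}")
```

With the toy six-character pronounceable generator the true space is 20^3 * 6^3 = 1,728,000 strings, so 100,000 draws produce a few percent of duplicates and the inversion recovers roughly 2^20.7; the eight-character fully random generator has a space of 62^8 and shows no collisions at all at this sample size, which is why the function reports only a lower bound there rather than a figure.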
