On Mon, Dec 08, 2003 at 11:13:07PM +0000, Colin Watson ([EMAIL PROTECTED]) wrote:

> On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote:
>
> > After reading a few more responses, I realize that of course a Debian developer's machine could get compromised. I guess I just thought they were infallible *grin*
> >
> > Now, the real question is, what exploit was used to get onto that dev's machine in the first place?
>
> My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very well-maintained. It could have been any one of a dozen local root exploits that have been known for some time. I think they investigated, but the results weren't particularly earth-shaking.
Any indication of whether or not this was a local system or a remote system?

I understand that password reuse was part of the problem -- the developer's password(s) on the initially compromised box matched password(s) used on other systems.

I strongly recommend the use of password generation tools such as pwgen, gpw, or the PalmOS Cryptinfo program, and use of an encrypted archive for password storage -- again, Cryptinfo, which can be used both on a handheld or via JPilot -- or an encrypted textfile for which Joey Hess posted a cool vim hack some time back.

I've tested output of pwgen for uniqueness (a measure of strength of the passwords generated). One such test:

    pwgen 8 100000 | sort | uniq -c | wc -l

...which generates 1 million passwords, and checks to see how many are unique. I typically see 98.7% using pronounceable passwords, far better when using fully random ones or longer keys. The pronounceable passwords are relatively memorable.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
    "What's so unpleasant about being drunk?"
    "You ask a glass of water."
    -- HHGTG
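Added example, not part of the post above and not pwgen's own code: the uniqueness test in the post can be turned into an entropy estimate, because the duplicate rate among n samples bounds the generator's effective keyspace via the birthday approximation. The `simulated_generator` is a constructed stand-in with a known 22-bit keyspace so the estimator can be checked offline; the 98.7% figure and both sample sizes (100,000 in the command, 1 million in the text) are taken from the post.

```python
import math
import random
import string

def unique_fraction(samples):
    """Distinct share of a sample: the count that
    'pwgen 8 N | sort | uniq -c | wc -l' prints, divided by N."""
    return len(set(samples)) / len(samples)

def effective_bits(n, unique_frac):
    """Estimate a generator's effective entropy, log2 of its keyspace K, from
    the duplicates among n samples.  Birthday approximation: expected
    duplicates ~= n**2 / (2*K) while n << K.  If no duplicate appeared the
    run only shows K >> n**2 / 2, so that lower bound is returned instead."""
    duplicates = n * (1.0 - unique_frac)
    if duplicates < 1:
        return math.log2(n * n / 2.0)          # lower bound only
    return math.log2(n * n / (2.0 * duplicates))

def simulated_generator(bits, n, seed=1234):
    """Constructed stand-in for pwgen (not the real tool): n 'passwords'
    drawn uniformly from exactly 2**bits values, encoded as eight lowercase
    letters (injective for bits <= 37), so the estimator can be checked."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        value, s = rng.getrandbits(bits), ""
        for _ in range(8):
            s += string.ascii_lowercase[value % 26]
            value //= 26
        out.append(s)
    return out

def page_estimates():
    """The post's 98.7% uniqueness, read at the command's 100,000 samples
    and at the 1 million the text mentions."""
    return {n: effective_bits(n, 0.987) for n in (100_000, 1_000_000)}

if __name__ == "__main__":
    for n, bits in page_estimates().items():
        print(f"98.7% unique of {n:>9}: ~{bits:.1f} bits effective entropy")
    sample = simulated_generator(22, 100_000)
    frac = unique_fraction(sample)
    print(f"simulated 22-bit generator: {frac:.2%} unique,"
          f" estimated {effective_bits(len(sample), frac):.1f} bits")
    print(f"8 fully random [A-Za-z0-9] chars: {math.log2(62 ** 8):.1f} bits")
```

A 1.3% duplicate rate at these sample sizes corresponds to roughly 22 to 25 bits of effective entropy, far below the 47.6 bits of eight fully random alphanumeric characters; a run with no duplicates at all only says the keyspace is much larger than n²/2, not how large.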