IWETHEY v. 0.3.0 | TODO

On passwords
Any system can be compromised via passwords if you do not have good passwords.

My favoured route is to enforce longer passwords, but reduce the frequency of changing.

This way, it's easier to sell the idea that a good password matters to the users.

Short or non-complex passwords, frequently changed, are often very weak.

How did you go around the firewall? In my company, it's the only way in or out. I imagine that it's like that in lots of other places.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
Passwords
Make sure that it also remembers the last six passwords or more so they don't just repeat the same passwords over and over again.

Most common passwords at the law firm I worked at were:

password

passme

passment

Those were the passwords they used to reset the passwords for those who forgot their passwords, then they forgot how to change the password. If forced to change their password, they'd forget it and call the help desk anyway the next logon.

I am free now, to choose my own destiny.
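The two posts above ask for longer passwords changed less often, and for a history check so the last six passwords cannot be reused. This is an added example, not code from the thread: a small policy class (hypothetical names) that stores only salted PBKDF2 hashes of previous passwords, rejects reuse within the history window, and also refuses the helpdesk "reset" defaults the thread mentions.

```python
import hashlib
import os

# Helpdesk reset defaults quoted in the thread; constructed list, extend as needed.
KNOWN_DEFAULTS = {"password", "passme", "passment", "changeme"}


class PasswordPolicy:
    """Minimum length plus a history of the last N passwords (hypothetical class)."""

    def __init__(self, min_length=12, history_size=6, iterations=50_000):
        self.min_length = min_length
        self.history_size = history_size
        self.iterations = iterations
        self.history = []  # (salt, digest) pairs, newest last; never the clear text

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _seen_before(self, password):
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(self._hash(password, salt) == digest for salt, digest in self.history)

    def check(self, password):
        """Return None if the password is acceptable, otherwise the reason it is not."""
        if len(password) < self.min_length:
            return f"too short (minimum {self.min_length} characters)"
        if password.lower() in KNOWN_DEFAULTS:
            return "is a well-known default/reset password"
        if self._seen_before(password):
            return f"matches one of the last {self.history_size} passwords"
        return None

    def set_password(self, password):
        """Apply the policy; on success record the new hash and age out old entries."""
        reason = self.check(password)
        if reason:
            return False, reason
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.history = self.history[-self.history_size:]
        return True, "ok"
```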
We have another way
of forcing new people to change their passwords, before those loverly tools did it.

Just change the password to something like 'barry_is_my_god'. After typing this once or twice, they get pissed off and change it.
I like!
I remember a net admin who once changed a password for an obnoxious user in his own section: he chose 'pteradactyl' :-).

Some years later when someone else bought us, I was amused to learn their helpdesk generally set password changes to 'changeme'.

Wade.

"Ah. One of the difficult questions."

Nick Burns your company's computer guy
Ultimate revenge and a good way to get fired, one DSL helpdesk person set someone's User ID to "ILIKEMEN@**********.NET" when walking the person through the pick your own username and password screen. Needless to say that person was fired soon after. I guess they got tired of doing registrations and installs over the helpdesk? As far as we knew, the customer who got assigned the name was not gay. I'd imagine they weren't too happy with the name they got assigned either?

I am free now, to choose my own destiny.
Easy
From the "Dynamic IP Hacks" howto:


It would be nice to be able to get access to my work machine (Sun) from
home, and vice versa, yet telnet is firewalled at work. Here's a way
around it.

For purposes of this explanation I'll give the method for gaining access
to my work machine from my home Linux machine, with a dial-up PPP
connection to my ISP and dynamic IP assignment.

From home, when I want access to my work machine, I dial-in and fire up
X, set "xhost +", determine my dynamic IP, and email my dynamic IP to my
work machine in a mail message with a particular format. On my work
machine I have a procmail recipe/script setup that parses the body of a
message whose subject matches a target, say "X-W". If the body of that
message meets certain requirements then it extracts the IP from the
message and spawns an xterm with the display directed to my home dynamic
IP like this:

xterm -display my.ip.i.sent:0.0 -e login

Voila! In about 30 secs to a minute, an xterm login shell appears on my
home machine! I haven't tried going the other direction yet because my
home machine isn't on full time, but using the other methods of
determining the dynamic IP from a remote machine it should work the same
way.


Now assuming you can sneak in a few VNC servers (corporate security is so braindead that this should be easy) you are on Windows and the games can begin.

You could slip in a UNIX box with a direct crossover connection and the appropriate routing to your Windows work box without anyone suspecting much. Just "accidentally" leave your laptop at work.

-desitter
Blimey.
Your company leaves port 6000 open?

Wonders will never cease.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
Not Mine!
But you'd be surprised how porous corporate nets are.

-desitter
Depends on the people running them
if they are just learning how to run a network or are former PHBs turned Network Administrators, then the security will be weak. Like the law firm I used to work for, someone ran a password cracker, and I noticed the database on a shared drive full of passwords, and apparently nobody seemed to care that it existed or that someone had a list of passwords from most of the user accounts, including administrators. They also didn't seem concerned with applying the latest patches and kept SP4 on the NT 4.0 Servers when SP6.1 was out. They used a Linux server for a firewall, but I think someone else set it up for them. I'd give out their address and domain name, but I don't want someone to hack them and then point a finger back at my post listing the address to go at.

I am free now, to choose my own destiny.
Well if they don't...
It is amazing how many will instead leave outbound on 80 open. Given the knowledge at home of how to create a tunnel (not hard - just look in ssh's documentation) it is trivial to hijack that to send your X display home.

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
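The "Easy", "Blimey." and "Well if they don't..." posts describe three egress paths a firewall admin should be watching for: X display connections to port 6000, sneaked-in VNC servers, and tunnels riding an open outbound port 80. As an added example from the defender's side (not code from the thread), here is a check over constructed firewall flow logs that flags outbound X11 and VNC ports and long-lived, high-volume port-80 flows; the log format, thresholds and IP addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed flow-log lines, one allowed/denied TCP flow per line (assumed format):
# timestamp action proto src:sport -> dst:dport bytes=N dur=seconds
SAMPLE_LOG = """\
2003-05-01T09:12:01 ALLOW TCP 10.1.2.30:40512 -> 203.0.113.7:6000 bytes=18432 dur=1800
2003-05-01T09:13:44 ALLOW TCP 10.1.2.31:40600 -> 198.51.100.12:80 bytes=5120 dur=3
2003-05-01T09:15:02 ALLOW TCP 10.1.2.30:40777 -> 203.0.113.7:80 bytes=73400320 dur=7200
2003-05-01T09:16:10 ALLOW TCP 10.1.2.33:40801 -> 198.51.100.40:443 bytes=20480 dur=12
2003-05-01T09:17:55 DENY  TCP 10.1.2.30:40812 -> 203.0.113.7:5900 bytes=0 dur=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)\s+dur=(?P<dur>\d+)$"
)

X11_PORTS = range(6000, 6064)  # X displays :0 through :63
VNC_PORTS = range(5900, 5964)  # VNC displays :0 through :63


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def analyse(log_text, tunnel_bytes=50_000_000, tunnel_secs=3600):
    """Return Findings for allowed flows that match the thread's egress patterns."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue  # malformed lines and denied flows are already handled
        dport, nbytes, dur = int(m["dport"]), int(m["bytes"]), int(m["dur"])
        reason = None
        if dport in X11_PORTS:
            reason = "outbound X11 display connection"
        elif dport in VNC_PORTS:
            reason = "outbound VNC connection"
        elif dport == 80 and nbytes >= tunnel_bytes and dur >= tunnel_secs:
            reason = "long-lived high-volume port-80 flow (possible tunnel)"
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["dst"], dport, reason))
    return findings
```

The byte and duration thresholds are only a heuristic for tunnels over port 80; a proxy that terminates HTTP and refuses non-HTTP payloads is the structural fix the last post is hinting at.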