- Newsgroups: comp.security.misc
- Path: sparky!uunet!zaphod.mps.ohio-state.edu!menudo.uh.edu!sugar!ficc!peter
- From: peter@ferranti.com (peter da silva)
- Subject: Re: Forging E-mail from root to get users to change passwords
- Message-ID: <id.Z9RU.L6K@ferranti.com>
- Organization: Xenix Support, FICC
- References: <82930@ut-emx.uucp> <ratner.720811773@ficus.cs.ucla.edu>
- Date: Fri, 6 Nov 1992 22:14:48 GMT
- Lines: 20
-
- In article <ratner.720811773@ficus.cs.ucla.edu> ratner@ficus.cs.ucla.edu (Dave "Van Damme" Ratner) writes:
- > Yes, it is true that root never needs to know a user's password ---
- > root can always su to the user without knowing the password.
-
- Not if root is trying to debug a problem in login or rlogin where the user's
- password is entered. I had one case where a user's password included a pound
- sign... which worked fine on the Suns but he couldn't login on Xenix for some
- reason.
-
- Generally I get the *user* to type in his password in cases like this, and
- make a point of not watching. If I ask the user his password it's always in
- person and I tell them to change it immediately.
-
- This sort of social engineering attack is hard to foil in the general case.
- See alt.shenanigans for more ideas... :->
- --
- % Peter da Silva % 77487-5012 % +1 713 274 5180 %
- true(<<VV$@\\$'&O 9$O%'$LT$&$"V6"$&$<4$?'&$ #I&&?$=$<<@)24 24 scale 3 21 moveto
- {dup 36 eq{pop not}{dup 7 and 4 sub exch 56 and 8 div 4 sub 2 index{rlineto}{
- rmoveto}ifelse}ifelse}forall stroke pop showpage % Have you hugged your wolf today?
-