View Full Version : Re: Mac Screensaver Vulnerable - OS X


flip
07-07-2003, 03:27 AM
In article <5v4aeb.dt6.ln[at]vlad.seahaze>,
Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

> flip wrote:
>
> > In article <r6j9eb.jp5.ln[at]vlad.seahaze>,
> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
> >
> >> flip wrote:
> >>
> >> > In article <09bfgvkpel584p89ihlehdr21kd3v8j7jc[at]4ax.com>,
> >> > foo <foo[at]bar.com> wrote:
> >> >
> >> >> http://lists.netsys.com/pipermail/full-disclosure/2003-July/010910.html
> >> >>
> >> >> Comments?
> >> >>
> >> >> Basically, hit keys for 5 minutes or so, hit enter, gain access to the
> >> >> desktop (ie bypass the screensaver).
> >> >>
> >> >>
> >> >
> >> > So if you leave your computer unattended for 5 minutes where anyone can
> >> > get in, they can access your desktop.
> >> >
> >> > Big deal.
> >>
> >> It certainly is. Your unauthorised visitor could install a trojan and
> >> restore the screensaver and you'd be none the wiser.
> >
> >
> > How's he going to install a trojan without my password?
>
> You're logged in, aren't you?

But you can't install software without the admin password.

Do you bother to learn anything about the computers you're criticizing?

>
> Or maybe your unwelcome visitor could read all sorts of confidential
> information, on your machine or the network.

That's possible.

foo
07-07-2003, 03:34 AM
On Mon, 07 Jul 2003 02:27:08 GMT, flip <flippo[at]mac.com> wrote:

>> > How's he going to install a trojan without my password?
>>
>> You're logged in, aren't you?
>
>But you can't install software without the admin password.

IF the installer checks. Some don't. Or he could run the trojan from
a network share - he places the file, then runs the file from the
compromised machine.

>Do you bother to learn anything about the computers you're criticizing?

You really should. Learn up on basic networking while you're at it.

>> Or maybe your unwelcome visitor could read all sorts of confidential
>> information, on your machine or the network.
>
>That's possible.

foo
07-07-2003, 03:59 AM
On Mon, 07 Jul 2003 02:42:50 GMT, flip <flippo[at]mac.com> wrote:

>In article <l5nhgvktlihqnjss0gnoqcu1pvjdb6erd4[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Mon, 07 Jul 2003 02:27:08 GMT, flip <flippo[at]mac.com> wrote:
>>
>> >> > How's he going to install a trojan without my password?
>> >>
>> >> You're logged in, aren't you?
>> >
>> >But you can't install software without the admin password.
>>
>> IF the installer checks. Some don't. Or he could run the trojan from
>> a network share - he places the file, then runs the file from the
>> compromised machine.
>
>I see. So he has to compromise two machines to install a trojan on a Mac?

Not at all. Honestly, do you have even a *basic* clue of what we're
talking about? Oh, why do I ask? Obviously based on your comments
you don't.

David Utidjian
07-07-2003, 09:28 AM
On Mon, 07 Jul 2003 02:27:08 +0000, flip wrote:

> In article <5v4aeb.dt6.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> flip wrote:
>>
>> > In article <r6j9eb.jp5.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> flip wrote:
>> >>
>> >> > In article <09bfgvkpel584p89ihlehdr21kd3v8j7jc[at]4ax.com>,
>> >> > foo <foo[at]bar.com> wrote:
>> >> >
>> >> >> http://lists.netsys.com/pipermail/full-disclosure/2003-July/010910.html
>> >> >>
>> >> >> Comments?
>> >> >>
>> >> >> Basically, hit keys for 5 minutes or so, hit enter, gain access to the
>> >> >> desktop (ie bypass the screensaver).
>> >> >>
>> >> >>
>> >> >
>> >> > So if you leave your computer unattended for 5 minutes where anyone can
>> >> > get in, they can access your desktop.
>> >> >
>> >> > Big deal.
>> >>
>> >> It certainly is. Your unauthorised visitor could install a trojan and
>> >> restore the screensaver and you'd be none the wiser.
>> >
>> >
>> > How's he going to install a trojan without my password?
>>
>> You're logged in, aren't you?
>
> But you can't install software without the admin password.

Yes you can... It is true you can not install software in the /Applications
folder without the admin password... however, try this (in a terminal):

echo $PATH

you will probably get something like this:

/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin

This is your execution path for command-line applications.
No problem you say... a non admin user can not write to any of those
folders... OK. However that path variable is editable and extendable. The
cracker can add something like "." or ".cracks" to the path then they can
put all sorts of useful trojans in there. They can even have a leetle
program that starts automatically any time you use the terminal to log all
keystrokes (as an example)... then say... periodically send these logs to
an IRC channel. They can even make their little additions to your home
folder even more invisible than simply putting their trojans in .files and
.folders. A typical tactic is to put a different "ls" command that will
hide their stuff. The real ls is still there as /bin/ls but they prepended
your path with .cracks:/bin:/sbin: and so on so their bogus ls gets
executed before the real one. Do you begin to see the problem?

They don't need a floppy or CD or any kind of drive to do any of this if
the machine is connected to a network. They can simply download the
necessary stuff... all nicely bundled up in a "rootkit". If they are well
prepared it will only take them a few seconds to install their kit.

Only a matter of time before they get what they want... and you will be
none the wiser. Once your admin password gets logged they will OWN that
machine.

> Do you bother to learn anything about the computers you're criticizing?

I think you need to pay more attention to security issues and perhaps you
need to learn more about the computers we are using. This is potentially a
MUCH bigger issue than it may appear to be. Sure they can do limited
damage to the system as a regular user... the problem is they can
"elevate" their privileges over time... just as the computer's admin does
from time to time.

-DU-...etc...
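
The PATH hijack described in the post above, as an added example that is not part of the original thread and not code from any of its posters: it builds a throw-away home directory with a hidden .cracks folder and a bogus "ls" that drops that folder from listings, shows which "ls" the shell resolves once .cracks is prepended to PATH, and runs the audit a practitioner would want (relative entries, entries under $HOME, entries writable by the current user). The .cracks name is taken from the post; the mktemp layout, the function names and the audit rules are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: reproduces the PATH hijack described
# above (a prepended hidden directory carrying a bogus "ls" that hides the
# attacker's files) and shows the check that catches it. The ~/.cracks name
# comes from the post; the fake home built under mktemp is an assumption.
set -u

# Build a throw-away "home" with a hidden .cracks directory and a bogus ls
# inside it. The bogus ls runs the real /bin/ls and filters ".cracks" out
# of the output, which is the hiding trick the post describes.
make_hijack_home() {
    home=$(mktemp -d)
    mkdir -p "$home/.cracks"
    cat > "$home/.cracks/ls" <<'EOF'
#!/bin/sh
# bogus ls: run the real one, then hide our own directory from the listing
/bin/ls "$@" | grep -v '\.cracks$'
EOF
    chmod 755 "$home/.cracks/ls"
    printf '%s\n' "$home"
}

# Which "ls" a shell would execute under a given PATH. command -v resolves
# the name the same way the shell does for a non-builtin command.
resolve_ls() {   # $1 = PATH to use
    ( PATH="$1"; command -v ls )
}

# List a directory the way the victim would, with the given PATH in effect.
list_dir_via() {   # $1 = PATH to use, $2 = directory to list
    ( PATH="$1"; cd "$2" && ls -a )
}

# Audit a PATH for entries an intruder who owns the login session could
# plant binaries in: relative entries ("." or an empty field, both meaning
# the current directory), anything under the home directory, and anything
# writable by the current user. Prints one line per finding; returns
# nonzero if there were any.
audit_path() {   # $1 = PATH to audit, $2 = home directory
    findings=0
    oldifs=$IFS
    IFS=:
    for dir in $1; do
        case "$dir" in
            ""|.|./*|..|../*) echo "RELATIVE ${dir:-<empty>}"; findings=$((findings + 1)) ;;
            "$2"|"$2"/*)      echo "IN-HOME  $dir";            findings=$((findings + 1)) ;;
            *) if [ -w "$dir" ]; then echo "WRITABLE $dir"; findings=$((findings + 1)); fi ;;
        esac
    done
    IFS=$oldifs
    [ "$findings" -eq 0 ]
}

# Walk through the attack and the check, then clean up.
demo() {
    h=$(make_hijack_home)
    hijacked="$h/.cracks:/bin:/usr/bin"
    echo "ls under clean PATH:    $(resolve_ls /bin:/usr/bin)"
    echo "ls under hijacked PATH: $(resolve_ls "$hijacked")"
    echo "--- victim's 'ls -a' of the fake home (note: no .cracks) ---"
    list_dir_via "$hijacked" "$h"
    echo "--- audit of the hijacked PATH ---"
    audit_path "$hijacked" "$h" || echo "PATH is suspicious"
    rm -rf "$h"
}
demo
```

The audit deliberately treats anything under the home directory as suspect even when the user legitimately put it there (~/bin is common): the point of the post is that a login session can rewrite its own PATH, so the check has to be run from a shell whose PATH you set yourself (e.g. `env -i /bin/sh`) and compared against what the dotfiles say, not from the possibly-hijacked one.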

Sandman
07-07-2003, 10:03 AM
In article <l5nhgvktlihqnjss0gnoqcu1pvjdb6erd4[at]4ax.com>, foo <foo[at]bar.com>
wrote:

> >> > How's he going to install a trojan without my password?
> >>
> >> You're logged in, aren't you?
> >
> >But you can't install software without the admin password.
>
> IF the installer checks. Some don't.

If it's an installer that needs admin privileges to install something, it has to
ask for the password, or it won't be able to install.

--
Sandman[.net]

Woofbert
07-11-2003, 03:36 AM
In article <vyudnZHPp4kGh5OiRTvUqw[at]speakeasy.net>,
Tim Smith <reply_in_group[at]mouse-potato.com> wrote:

> In article <flippo-F56526.21270906072003[at]news.central.cox.net>, flip wrote:
> >> > How's he going to install a trojan without my password?
> >>
> >> You're logged in, aren't you?
> >
> > But you can't install software without the admin password.
> >
> > Do you bother to learn anything about the computers you're criticizing?
>
> An admin password would only be required if the software needs to be
> installed in a place the user doesn't have write access to, such as
> /Applications. However, there would be no need to put the trojan there.
> What you'd do is make a trojan for an app that the user has in the dock.
> Install the trojan in the user's home directory or /tmp, drag the dock icon
> for the real app out of the dock, and drag the trojan icon onto the dock.

And all this while wearing your Invisibility Cloak.

Look, if someone has physical access to your computer, the game is up.
Pop in a system boot disk and do what you want. Compared to the real
possibility of breaking into a Windows server through the Internet,
violating the security of a PowerBook you have physical possession of is
a trivial concern.

--
Woofbert, Chief Rocket Surgeon, Infernosoft
Woofbert's Law on Learning Linux: When attempting to learn Linux,
study it thoroughly before you begin.

Peter Hayes
07-11-2003, 06:32 PM
Woofbert wrote:

> In article <vyudnZHPp4kGh5OiRTvUqw[at]speakeasy.net>,
> Tim Smith <reply_in_group[at]mouse-potato.com> wrote:
>
>> In article <flippo-F56526.21270906072003[at]news.central.cox.net>, flip wrote:
>> >> > How's he going to install a trojan without my password?
>> >>
>> >> You're logged in, aren't you?
>> >
>> > But you can't install software without the admin password.
>> >
>> > Do you bother to learn anything about the computers you're criticizing?
>>
>> An admin password would only be required if the software needs to be
>> installed in a place the user doesn't have write access to, such as
>> /Applications. However, there would be no need to put the trojan there.
>> What you'd do is make a trojan for an app that the user has in the dock.
>> Install the trojan in the user's home directory or /tmp, drag the dock icon
>> for the real app out of the dock, and drag the trojan icon onto the dock.
>
> And all this while wearing your Invisibility Cloak.
>
> Look, if someone has physical access to your computer, the game is up.
> Pop in a system boot disk and do what you want.

Isn't it possible to password protect the boot process?

--

Peter

Remove NOSPAM. to e-mail

Steve Hanson
07-11-2003, 08:03 PM
Peter Hayes wrote in <7bsmeb.162.ln[at]vlad.seahaze>:

>Woofbert wrote:
>
>> In article <vyudnZHPp4kGh5OiRTvUqw[at]speakeasy.net>,
>> Tim Smith <reply_in_group[at]mouse-potato.com> wrote:
>>
>>> In article <flippo-F56526.21270906072003[at]news.central.cox.net>, flip wrote:
>>> >> > How's he going to install a trojan without my password?
>>> >>
>>> >> You're logged in, aren't you?
>>> >
>>> > But you can't install software without the admin password.
>>> >
>>> > Do you bother to learn anything about the computers you're criticizing?
>>>
>>> An admin password would only be required if the software needs to be
>>> installed in a place the user doesn't have write access to, such as
>>> /Applications. However, there would be no need to put the trojan there.
>>> What you'd do is make a trojan for an app that the user has in the dock.
>>> Install the trojan in the user's home directory or /tmp, drag the dock icon
>>> for the real app out of the dock, and drag the trojan icon onto the dock.
>>
>> And all this while wearing your Invisibility Cloak.
>>
>> Look, if someone has physical access to your computer, the game is up.
>> Pop in a system boot disk and do what you want.
>
>Isn't it possible to password protect the boot process?

Of course in Windows you can encrypt the file system, making someone's
system boot disk about as useful as Barbra Streisand's birth control
pills. It's totally scandalous that OS X doesn't even have a means
for quickly locking the desktop from access. People who work in real
business environments know this is done all the time to secure
computers while you step away from your desk.

But, that's right, Macs aren't used to a great extent in real business
environments.

Peter Hayes
07-11-2003, 11:03 PM
Steve Hanson wrote:

> Peter Hayes wrote in <7bsmeb.162.ln[at]vlad.seahaze>:
>
>>Woofbert wrote:
>>
>>> In article <vyudnZHPp4kGh5OiRTvUqw[at]speakeasy.net>,
>>> Tim Smith <reply_in_group[at]mouse-potato.com> wrote:
>>>
>>>> In article <flippo-F56526.21270906072003[at]news.central.cox.net>, flip
>>>> wrote:
>>>> >> > How's he going to install a trojan without my password?
>>>> >>
>>>> >> You're logged in, aren't you?
>>>> >
>>>> > But you can't install software without the admin password.
>>>> >
>>>> > Do you bother to learn anything about the computers you're criticizing?
>>>>
>>>> An admin password would only be required if the software needs to be
>>>> installed in a place the user doesn't have write access to, such as
>>>> /Applications. However, there would be no need to put the trojan there.
>>>> What you'd do is make a trojan for an app that the user has in the dock.
>>>> Install the trojan in the user's home directory or /tmp, drag the dock
>>>> icon for the real app out of the dock, and drag the trojan icon onto the
>>>> dock.
>>>
>>> And all this while wearing your Invisibility Cloak.
>>>
>>> Look, if someone has physical access to your computer, the game is up.
>>> Pop in a system boot disk and do what you want.
>>
>>Isn't it possible to password protect the boot process?
>
> Of course in Windows you can encrypt the file system, making someone's
> system boot disk about as useful as Barbra Streisand's birth control
> pills.

It also means that someone nicking the drive out of your machine won't gain
easy access to your data, which is why encryption tools are available for
virtually every OS on the planet.

> It's totally scandalous that OS X doesn't even have a means
> for quickly locking the desktop from access.

It's fixed now, and a lot faster than Microsoft would have, assuming they saw a
problem in the first place.

> People who work in real
> business environments know this is done all the time to secure
> computers while you step away from your desk.
>
> But, that's right, Macs aren't used to a great extent in real business
> environments.

They're used a lot to impress on the receptionist's desk. Usually iMacs.
They'll be networked so they'll be a point of weakness, until the sysadmin
gets around to patching them, whenever that might be. In a Microsoft shop
that might be quite a while, what with the latest swatch of patches just out
today.

--

Peter

Remove NOSPAM. to e-mail

Steve Hanson
07-15-2003, 08:59 PM
Peter Hayes wrote in <c8cneb.ea3.ln[at]vlad.seahaze>:

>> It's totally scandalous that OS X doesn't even have a means
>> for quickly locking the desktop from access.
>
>It's fixed now, and a lot faster than Microsoft would have, asuming they saw a
>problem in the first place.

No, you don't get it.

>> People who work in real
>> business environments know this is done all the time to secure
>> computers while you step away from your desk.
>>
>> But, that's right, Macs aren't used to a great extent in real business
>> environments.
>
>They're used a lot to impress on the receptionist's desk. Usually iMacs.

<snicker>

And that's EXACTLY where you want a system that doesn't have a "lock
the desktop" function. Right at the receptionist's desk! Highest
traffic area facing the public!

You guys are pretty funny.