The beatings. The many beatings.

[theweaselking]

What do you mean, you changed the root password on the internet-accessible linux box to "password" so it would be easier to remember?

Comments

[nihil-duce.livejournal.com]

Oh dear...

[kadath.livejournal.com]

That's when you replace the user's machine with a Speak 'n' Spell.

[theweaselking.livejournal.com]

But I don't WANT to support a Mac.

[elffin.livejournal.com]

That's not accurate: Speak n' Spells have more than one mouse button.

[heraldofchaos.livejournal.com]

bwaaaaaahahahahaahahahahahahahaahah

[pyroofone.livejournal.com]

Owwwww. Cola Out my Nose. The follow up comments here didn't help that.
Also I'm getting 5 tomorrow me thinks.

[icedrake.livejournal.com]

Forget that, it's time for the Etch-a-Sketch.

[theweaselking.livejournal.com]

Web "programmer".

[theweaselking.livejournal.com]

Webmonkey is awesome, and so calling someone a web monkey is a great compliment. It's like being the support llama.

This? This is a glorified php-pusher with sudo permissions. Who complained when *his last name all in lowercase* was rejected as insufficiently complex to use as a password.

[unknownpoltroon.livejournal.com]

Kill him. Kill him Now.

[ronebofh.livejournal.com]

Web "programmers" should not ever have root access. To anything.

[drjon.livejournal.com]

I've never heard that one before.

*sigh* FORK IN THE EYE!!!

How bad was it?

[jerril]

n/t

Re: How bad was it?

[theweaselking.livejournal.com]

Not sure.

There's no evidence that anyone got in.
There's no evidence that anything happened.
The rest of the network shows no unusual traffic from the developers' ghetto[1] to the real network.

But right now, "password" doesn't work and nobody knows the root password to the machine.

[1]: Developers cannot be trusted. This machine, specifically, listens to port 22 from the outside *over my objections*[2], and *nothing* gets to go between it and the network without the router logging and sniffing it. Why? Because the devs *have sudo access*.

[2]: My objections are no longer being overruled. The university guys can log in, on a nonstandard port, from campus. All other internet access is going bye-bye. All this, of course, is predicated on my turning it on again without internet access and wiping the thing.

Re: How bad was it?

[mhoye.livejournal.com]

That's the right thing to do, for sure. A bare-metal reinstall is the only way to go, in that situation.

Re: How bad was it?

[quotation.livejournal.com]

Every SSHd I've seen in recent memory has had root logins disabled by default in the sshd.conf. Was that the case here?

Re: How bad was it?

[theweaselking.livejournal.com]

Don't know, didn't have time to look yet. The machine is turned off and unplugged, since I *did* have time to do that.

It's a stock FC9 box that was set up and given to the codemonkeys to throw feces at.

Re: How bad was it?

[quotation.livejournal.com]

Stock FC9, IIRC, allows root SSH by default to allow for network installs or something.

PermitRootLogin should get set to "no" in /etc/ssh/sshd_config

Re: How bad was it?

[theweaselking.livejournal.com]

Uh, yeah, but I didn't think the user was quite that stupid.

Yes, yes, I know, "many system design flaws can be traced to unwarrantedly anthropomorphising the user".

[wyatt1048.livejournal.com]

All else has failed. Use fire.

[anivair.livejournal.com]

Oddly, it was easier for all those Turkish hackers to remember as well. Tell them I said, "Teşekkürler!"

[silmaril.livejournal.com]

Wow, you spelled it correctly.

[theweaselking.livejournal.com]

What's it mean?

[belle-canto.livejournal.com]

Thank you.. I believe

[silmaril.livejournal.com]

"Thanks."

[belle-canto.livejournal.com]

So it is more informal?

[silmaril.livejournal.com]

The more formal version is "Teşekkür ederim"---loosely, "I present thanks." There is no "you" in either sentence; the object is implied.

[anivair.livejournal.com]

I cheated. Mostly because it was easier than looking for all those symbols on my keyboard!

[elffin.livejournal.com]

Some Sixth Sense tells me that this person will not be disciplined for this ... "boo boo".

[jl-williams.livejournal.com]

Oh dear God.

[mrbankies.livejournal.com]

The Stupid is strong with that one.

[scifantasy.livejournal.com]

*wince*

[silmaril.livejournal.com]

Oh, the many beatings with the beautiful ClueBat.

[ashbet]

*breaks out icon*

Other. Fucking. People. *headdesk*

-- A <3

[jsbowden.livejournal.com]

And this idiot had the root password in the first place because?

[theweaselking.livejournal.com]

Because the machine belongs to the developers, does nothing of any importance, and they need to be able to run sudo sometimes without calling me first. So, the head of the team's account can run sudo.

He got *clever* and discovered that sudo lets him change the root password, and if they log in as root, they don't have to type "sudo" in front of things and it stops giving them those silly permissions errors. Meaning, *he* doesn't have to be called any more when one of the other developers needs sudo access!

So he changed the password to something simple that they would all remember and told them all to start using "root" instead of their own usernames when logging in.

[jsbowden.livejournal.com]

Well then, sounds to me like this person volunteered to be responsible for that machine for all eternity.

[metahacker.livejournal.com]

IIRC, this was the solution at MIT on the public machines. Just log in as root. The password was left as something obvious.

Of course, these were public terminals, and they got wiped and reset very frequently. And if you telnetted out from them, a program would automatically snoop you, follow you, log into that machine, and change your password for you (and IIRC send you email congratulating you on your stupidity, for when your admin let you back in).

Re: How bad was it?

[sanityimpaired.livejournal.com]

Ah. So just smart enough to make being really fucking stupid dangerous. I understand.

That said, it's a common practice to give devs dedicated test machines they have root access to. Of course, part is that common practice is to only give them systems nobody cares about, which aren't connected to the network, and which are routinely ghosted back to fresh install because they get fubar'd almost immediately.

[xengar.livejournal.com]

well, I suppose it's a little better than setting username and password to factory default . . . (yeah, I know, not precisely applicable to this situation) But why is it always "password"? Why don't they ever pick some other easy to remember password? "Swordfish" perhaps?

[icedrake.livejournal.com]

Because when you log in, the first question you are faced with *isn't* "what's the swordfish?"

[theweaselking.livejournal.com]

Because the prompt doesn't say "what is your Swordfish?"

[jerril]

I'm almost wondering if it would be comparatively more secure to have, up on the wall (not facing the windows) a poster - saying "The password is SWORDFISH, doofus!"

That's got to be slightly better than "password" anyways.

[heraldofchaos.livejournal.com]

Swordfish isn't better than password because its a regular word, any script kiddy would have that word in his dictionary for BFI attacks.

You would do better with non-regular words like wordfishs.

Sometimes having issues with spelling (like i do) comes in weirdly handy when it comes to security. When I was in School I did a Netware install as a project for the coarse and I misspelled the word administrator. when my teacher went to log in to check my work and grade me, he couldn't. when i went to log in, i could. took us about 20 minutes before he noticed i was spelling administrator differently.

sometimes the simplest things are the most effective.