Some issues with the way the install goes
Installing from the DVD
At the point of entering the user name and password, click OK.
Now, something a newbie would probably NOT notice:
Do you want the user password to be the system password?
And it is already checked, so if you miss it (easy to do if you are not careful), you are now much closer to the vulnerability of Windows. That's like attempting to wipe out a solid reputation by making it easy to hack!

At the Installation Settings screen, under Booting,
Order of Hard Drives: /dev/sda, /dev/sdb

Gee, isn't that very useful and extremely important to know? (Being sarcastic!)

John
Re: Some issues with the way the install goes
John Bowling wrote:
> Do you want the user password to be the system password?
> And it is already checked, so if you miss it (easy to do if you are not
> careful), you are now much closer to the vulnerability of Windows.
> That's like attempting to wipe out a solid reputation by making it easy to
> hack!

Why? As an example I will use http://maord.com/ The 2 passwords it created are vmvxBn6N and 9dVWYrhQ.

So let us assume the old case where people needed to enter the root password and the first user password separately. I will be looking at just the security.

First, most people use their system as a one-user system. Secondly, most people who use it as a one-user system will use the same password anyway.

Now on to the security part of it. I select one password for root, which is vmvxBn6N. This is the standard security. Can you agree with me on that? This is not about whether or not 8 characters is safe enough, so please do not go there.

root is vmvxBn6N. This is safe, right?

Now root is a known user, which people already know exists on my machine. The users they have to guess. This means that the user dotkomma will be harder to guess.

Is there a difference between the following in security:
dotkomma vmvxBn6N
dotkomma 9dVWYrhQ

I think both are equally secure. Because the user dotkomma is not known, it is in fact MORE secure than root. So the weakest point of entry is actually root.

As this is the weakest point of entry, it doesn't matter if they know that the password is the same or not. All they need to do is `su dotkomma` and they are you, although why bother?

Now imagine that they can hack into your account as a user. If they know your password, your machine has been hacked. Where did they get this password from? From a post-it note? Then you would have written the second one on there as well.

For the majority of users who use it as a single-user PC, this is not an issue. Even in a standard family environment there is no real issue.

Now if you are in a company environment and you are root and you enter the same password twice, you are an idiot and a twat.

So please tell me how it is easier to hack the following:
root vmvxBn6N
dotkomma vmvxBn6N

Please come up with more specifics than 'when you know one, you know the other'. Be as specific as you can be.

I have much greater worries about the fact that 'get system mail' is not checked by default or that 'automatic login' is enabled by default.

The first is important, because the system will send you emails that might be important to get your system running (e.g. the demand to reboot after a kernel update).

The second is important, because now your little brother can watch your pron without you knowing it. It is turned off the moment you make a second user apparently.

These two things have been there since many, many versions. The password being the same is not a security issue.

houghi
--
You tried, and you failed, so the lesson is, never try.
- Homer J. Simpson.
Re: Some issues with the way the install goes
John Bowling <johnlb2002@cox.net> wrote:
>Installing from the DVD
>at the point of entering the user name and password, click ok
>Now, something a newbie would probably NOT notice:
> Do you want the user password to be the system password?
>And it is already checked, so if you miss it (easy to do if you are not
>careful), you are now much closer to the vulnerability of Windows.
>That's like attempting to wipe out a solid reputation by making it easy to
>hack!

I agree. It is the Ubuntu method. It isn't totally windows-like. You still have to do a "sudo" to become root, even if it is the same password.

However, since Ubuntu became popular, everybody knows this technique. So if your security is compromised as a user and somebody gains your password, it is the first thing they'll try to get root.

A bad choice. I don't know what they were thinking.

>John

--
--- Paul J. Gans
Re: Some issues with the way the install goes
Paul J Gans wrote:
> I agree. It is the Ubuntu method. It isn't totally windows-like.
> You still have to do a "sudo" to become root, even if it is the
> same password.

I disagree. With Ubuntu there is no login for root by default. Here the password is just the same. Something the majority of people were doing anyway.

> However, since Ubuntu became popular, everybody knows this technique.
> So if your security is compromised as a user and somebody gains your
> password, it is the first thing they'll try to get root.

If your security is compromised as a user, your machine is compromised anyway.

> A bad choice. I don't know what they were thinking.

They were thinking: the majority of people use the same password anyway, so why would we let them enter it twice? People who are not willing to do that can still change it.

houghi
--
You tried, and you failed, so the lesson is, never try.
- Homer J. Simpson.
Re: Some issues with the way the install goes
On Fri, 11 Jul 2008 21:54:44 -0700, John Bowling wrote:
> Installing from the DVD
> at the point of entering the user name and password, click ok Now,
> something a newbie would probably NOT notice:
> Do you want the user password to be the system password?
> And it is already checked, so if you miss it (easy to do if you are not
> careful), you are now much closer to the vulnerability of Windows.
> That's like attempting to wipe out a solid reputation by making it easy
> to hack!

Even when you are new, one would surely READ whatever it is possible to read and make sure that you understand it.

> At the Installation Settings screen, under Booting, Order of Hard
> Drives: /dev/sda, /dev/sdb

What else would you want it to say?

> Gee, isn't that very useful and extremely important to know? (Being
> sarcastic!)
>
> John

It is useful to know.

--
Neil
reverse ra and delete l
Linux user 335851
Re: Some issues with the way the install goes
Neil Ellwood wrote:
>> careful), you are now much closer to the vulnerability of Windows.
>> That's like attempting to wipe out a solid reputation by making it easy
>> to hack!
> Even when you are new, one would surely READ whatever it is possible to
> read and make sure that you understand it.

That and now it is much easier to just have 1234 as my password everywhere (same as my luggage)

houghi
--
You tried, and you failed, so the lesson is, never try.
- Homer J. Simpson.
Re: Some issues with the way the install goes
John Bowling wrote:
> Installing from the DVD
> at the point of entering the user name and password, click ok
> Now, something a newbie would probably NOT notice:
> Do you want the user password to be the system password?
> And it is already checked, so if you miss it (easy to do if you are not
> careful), you are now much closer to the vulnerability of Windows.
> That's like attempting to wipe out a solid reputation by making it easy to
> hack!
>
> At the Installation Settings screen, under Booting,
> Order of Hard Drives: /dev/sda, /dev/sdb
>
> Gee, isn't that very useful and extremely important to know?
> (Being sarcastic!)
>
> John

You can change either to anything you want anytime.
Re: Some issues with the way the install goes
houghi <houghi@houghi.org.invalid> wrote:
>Paul J Gans wrote:
>> I agree. It is the Ubuntu method. It isn't totally windows-like.
>> You still have to do a "sudo" to become root, even if it is the
>> same password.
>I disagree. With Ubuntu there is no login for root by default. Here the
>password is just the same. Something the majority of people were doing
>anyway.

Correct. But the effect is the same. In both cases you simply do a sudo.

>> However, since Ubuntu became popular, everybody knows this technique.
>> So if your security is compromised as a user and somebody gains your
>> password, it is the first thing they'll try to get root.
>If your security is compromised as a user, your machine is compromised
>anyway,

No. This is not true. The user is compromised, but the machine isn't.

>> A bad choice. I don't know what they were thinking.
>They were thinking: the majority of people use the same password anyway,
>so why would we let them enter it twice? People who are not willing to
>do that can still change it.

Sure. Most people use trivial passwords. Why not set one for them so that they don't have to bother. Linksys might be a good one.

--
--- Paul J. Gans
Re: Some issues with the way the install goes
Paul J Gans wrote:
>>I disagree. With Ubuntu there is no login for root by default. Here the
>>password is just the same. Something the majority of people were doing
>>anyway.
>
> Correct. But the effect is the same. In both cases you
> simply do a sudo.

And how often is the machine compromised by actually knowing the password? And again, if they can crack the password of some random user, they can also get the password of root. With root they at least know the name of the account they are trying to hack.

>>If your security is compromised as a user, your machine is compromised
>>anyway,
>
> No. This is not true. The user is compromised, but the machine
> isn't.

To me as a single user machine, that is the same.

>>They were thinking: the majority of people use the same password anyway,
>>so why would we let them enter it twice? People who are not willing to
>>do that can still change it.
>
> Sure. Most people use trivial passwords. Why not set one for
> them so that they don't have to bother. Linksys might be a
> good one.

That has NOTHING to do with it and you know it. If they choose a weak password, they will choose a weak one for root as well.

houghi
--
Dr. Walter Gibbs: Won't that be grand? Computers and the programs will start thinking and the people will stop.
-- Tron (1982)
Re: Some issues with the way the install goes
houghi wrote:
> Paul J Gans wrote:
>>> I disagree. With Ubuntu there is no login for root by default. Here the
>>> password is just the same. Something the majority of people were doing
>>> anyway.
>> Correct. But the effect is the same. In both cases you
>> simply do a sudo.
>
> And how often is the machine compromised by actually knowing the
> password? And again, if they can crack the password of some random user,
> they can also get the password of root. With root they at least know the
> name of the account they are trying to hack.

I guess the rationale here is that home users don't have a security problem. Setting up a workstation at work or a server on the other hand means that the person installing it is aware of that setting and will change it.

So I guess the current behavior is OK.