__/ [ Ray Ingles ] on Monday 13 March 2006 17:27 \__
> Ubuntu 5.10 has a security flaw, during installation the answers the
> user gives are logged. A mistake silently broke the process designed to
> clear out the passwords from the log. So, by examining the logs one can
> detect what the passwords were set to at install time.
> A major mistake, but it only affects 5.10 - no prior or later versions.
> Plus, if you upgraded to 5.10 from an earlier version, it doesn't apply
> (my machine is like that). And if the passwords have been changed since
> the install, it's not logged.
> The good news is the fix is already out there - patched in about 7
> hours. I can't resist pointing out that Microsoft took almost exactly a
> full year to sort out a similar bug:
> Yes, bugs happen. I've certainly never pretended that they don't. But I
> find them to be much less common among open-source software, and fixed
> far more quickly.
The hack will only expose the system to malicious access if:
* A privileged user has an account on the system and has intent to vandalise
(* SSH access has been enabled in Ubuntu, which by default it is not.
* A user chooses a bad-password that a dictionary-based script is able to
As I said before (along with the arguments above, but in a different
context), I am yet to hear about 'disasters' that incurred due to this flaw.
Badger is not so prevalent and, even if it *was*, this wouldn't have posed a
great risk. It's merely an embarrassment to Connonical.
As Ray said, Windows has had similar embarrassment and users can recover
administrator passwords using openly-shared workarounds. Since Ray uses Palm
OS (I see him in these newsgroups), he will also know that protected data on
the Palm is not truly protected once the handheld is stolen.
Likewise, access to BIOS or any physical access to a machine gives access to
it, unless its filesystem is properly encrypted and the key is peripheral
There was once a long discussion about this in AOLS and it was stored in:
My humble opinion.