On 2006-03-13, Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> Ubuntu 5.10 has a security flaw, during installation the answers the
>> user gives are logged. A mistake silently broke the process designed to
>> clear out the passwords from the log. So, by examining the logs one can
>> detect what the passwords were set to at install time.
> The hack will only expose the system to malicious access if:
> * A user chooses a bad-password that a dictionary-based script is able to
Nope, this logs the passwords in cleartext. Definitely a Very Bad
Thing. The install routine's been substantially rewritten for the new
release coming up (Dapper Drake, "6.04").
> As I said before (along with the arguments above, but in a different
> context), I am yet to hear about 'disasters' that incurred due to this flaw.
I haven't either, though we wouldn't have, necessarily.
> As Ray said, Windows has had similar embarrassment and users can recover
> administrator passwords using openly-shared workarounds. Since Ray uses Palm
> OS (I see him in these newsgroups), he will also know that protected data on
> the Palm is not truly protected once the handheld is stolen.
I encrypt really private data so it's not quite as bad as all that. The
OS-provided security is, indeed, exceedingly weak, though.
Ray Ingles (313) 227-2317
Microsoft Windows - A mistake carried out to perfection.