Robert Moskowitz wrote:
> On 01/23/2013 03:53 PM, Cliff Pratt wrote:
>> On Thu, Jan 24, 2013 at 7:52 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>> On 01/23/2013 01:39 PM, m.roth at 5-cent.us wrote:
>>>> Robert Moskowitz wrote:
>>>>> On 01/23/2013 06:23 AM, Adekoya Adekunle wrote:
<snip>
>>> I don't use sudo. If I need root changes, I better have the root
>>> password to use su. If I don't have the root password, then it is
>>> either not my system to change, or I have a serious problem indeed.
>>>
>> That's fine unless you have 100s of machines to administer. If you
>> have 100 machines do you a) set all the root passwords to the same, or
>> b) maintain a manual file of logins.
>
> I am fortunate this way; this is not my day job. But I do not have an
> IT group to manage most of my systems I use to support my day job, so I
> am it. Thus I lean on those of you that have this as a day job to
> figure out what I have not yet figured out. I do try and help with what
> I know, but most of it is theory on things which are still a few years
> out. What many of you are working with in security services, I was
> working on developing back when they were developed. Like digital certs
> and PKI infrastructure as an example. Today my efforts are in what is
> called 'the Internet Of Things' and 'Home Area Networks' and 'Medical
> Body Area Networks'. Mostly those little tiny things that most are not
> bothering to secure.

Oh, Ghu, NO!!! You're the one responsible for that horror. You think I
exaggerate? Consider the "smart house" when it blue screens. And "not
secured"? So that some 16 yr old script kiddie can defrost your
refrigerator when you're not home, full of food? Or turn your hot water
heater to "lobster boil temp"?

Note that it was just a few years ago that some moron in Britrail? One of
the privatized British rail services? had their centralized control on the
Net, and some 16 yr old idiot broke it, changed a switch setting, and a
train derailed with injuries, maybe some fatalities.

So I am *NOT* happy with that idea....

>
> Thanks for all the help you people provide me. Hopefully I will be
> helping to create technologies that will continue to provide you all
> with livelihoods :)

Great. I get to look forward to upgrading the security on your toilet....*

>
> Oh, years ago I wrote about the importance of writing down important ids
> and passwords and putting them in a firebox with someone important
> knowing where it is. There are lots of disaster stories out there,
> small and large, where the people that knew these were lost and data was
> or almost lost as well. And I was talking to Tatu Ylonen, the creator
> of SSH (when he was a student in Helsinki), back in November on the
> disaster of SSH accounts at many large companies. He has found banks
> with thousands of SSH accounts that no one knows whose they are or how
> to clean them up. He is working on a set of tools to help out on this.

What, you're forgetting, was it LA or SF, that just had that happen very
publicly, when that admin left and didn't want to tell the admins the
passwords, a couple of years ago?

No. A manager should *always* have the written passwords, somewhere, if
you quit, or get hit by a car coming back from lunch....

mark