Author Topic: Microsoft Ending Support for WIN2K  (Read 1165 times)

cahult

  • VIP
  • Member
  • ***
  • Posts: 1,186
  • Kudos: 182
Microsoft Ending Support for WIN2K
« Reply #15 on: 2 September 2003, 19:12 »
Can
"The gentleman is dead, the feminists killed him" Anonymous

Faust

  • Member
  • **
  • Posts: 1,223
  • Kudos: 0
Microsoft Ending Support for WIN2K
« Reply #16 on: 2 September 2003, 19:12 »
quote:
Instead they ssh'd into my computer and fixed it there and then

Now that is cool...
Yesterday it worked
Today it is not working
Windows is like that
 -- http://www.gnu.org/fun/jokes/error-haiku.html

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Microsoft Ending Support for WIN2K
« Reply #17 on: 2 September 2003, 20:36 »
quote:
Originally posted by Faust:
they ssh'd into my computer


did you actually give them your root password on the phone?
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

Faust

  • Member
  • **
  • Posts: 1,223
  • Kudos: 0
Microsoft Ending Support for WIN2K
« Reply #18 on: 2 September 2003, 21:13 »
That of course would be the non cool bit...  I dunno, remote assistance for Windows is giving a help desk dude absolute control, at least Red Hat tech support will know what they're doing.  For a server or anything uber important it sounds like a bad idea, but for a one off access if they remind you to change your root password later it's alright IMO...  actually is there a way that could be done cryptographically?

Ie user (U) sends Red Hat Support Dude (RHSD) a key from a pair  (Done from a GUI of course - which has strong prompts warning the user of the security implications.)  RHSD replies with the key and logs in to a special admin account which has piss all power to actually change things.  This account can read the files they'll need to read to get a diagnosis of course.  RHSD looks around, notices the problem then writes a list of commands (bash script) that will fix the problem - this gets stored in some special dir that has lots of limits on size and other security restrictions - this is one of the only dirs RHSD can write to.  (The others being /tmp and other stuff s/he'll need to log in.)  Then at the end of the encrypted communication the key is reset automatically (so RHSD can't re log in unless s/he gets reauthorized.)  The GUI tool on the RH users end then shows the script, and the user gets to see it and go "yeah that's cool theres no rm -rf in there or whatever."  Then they can click on "approve" to run the RHSD's scripted fix, or "deny" to delete the script.  Maybe even a third option, "quarantine" to let the RH user keep the script on ice until s/he gets a mate around to look at it...

IMO that would be cool.  Can anyone think of any obvious security flaws?  The key of course would be non existent if RH user doesnt send a request for help (ie the /etc/passwd login line has the shell set to /bin/nonexistent and the password by default set to a few hundred lines of /dev/random...)

edit:
That is pretty excellent service though...  at the end of the day sshd is not easily exploitable (unlike Windows remote assistance) Red Hat doesnt install a "backdoor tech support" user (use the windows local user manager service to have a look what "extra" users Windows adds if you want...) and if you understand the implications of giving your root password to some dude and change it after the event, hey, it's your machine do what you want.

[ September 02, 2003: Message edited by: Faust ]

Yesterday it worked
Today it is not working
Windows is like that
 -- http://www.gnu.org/fun/jokes/error-haiku.html

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Microsoft Ending Support for WIN2K
« Reply #19 on: 3 September 2003, 00:29 »
well actually it would be pretty easy to just create a user, called something like "helldesk" and have the user just have access to the 3 or 4 files or directories that needed changing (for whatever the problem was) and of course, you could make a backup of those files and directories elsewhere in case the stuff it up. This way, if they do stuff it up, it's only the part they have access to (which is tiny)

but in practice, the user would have to know how to do this. helldesk support guys are not going to talk every user who phones up through this when they can just ask for the root password (and most people will just go "oh well it's...")

of course you can't do any of that on windows due to its shit filesystem. all or nothing there, of course all adds up to nothing anyway so it makes not a lot of difference...
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism