- 03-01-2009 #1
is it so easy to recover root password?
From the tutorials' section I read a how-to on recovering root password.
But then, how do system admins prevent people from misusing public comps (like that in a comp lab)?
- 03-01-2009 #2
There are a lot of precautionary measures.
1. Don't share root password with anyone.
2. Hide GRUB Menu at startup and set GRUB Password.
3. Do not allow anyone to use LiveCD or reboot system
If anyone has physical access to your machine then you have to take care that he/she doesn't reboot the machine and use a LiveCD.
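Measure 2 in the reply above, as an added example that is not part of the thread: a shell check that a GRUB configuration actually carries a hashed superuser password and a hidden menu. It assumes GRUB 2 syntax (`superusers`, `password_pbkdf2`, `timeout_style`); the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 config for the "set GRUB password" measure.
# Function names and sample files are illustrative, not from the thread.

# audit_grub_cfg FILE: prints findings; returns 0 if protected, 1 otherwise.
audit_grub_cfg() {
    cfg=$1
    rc=0
    # Authentication is only enforced once a superuser is declared.
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "OK: superusers is set"
    else
        echo "FAIL: no superusers defined"; rc=1
    fi
    # password_pbkdf2 stores a salted hash; plain "password" stores cleartext.
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+' "$cfg"; then
        echo "OK: hashed password present"
    else
        echo "FAIL: no password_pbkdf2 entry"; rc=1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]+' "$cfg"; then
        echo "FAIL: cleartext password directive present"; rc=1
    fi
    # Hiding the menu is the other half of the measure; absence is a warning.
    if grep -Eq '^[[:space:]]*set[[:space:]]+timeout_style=hidden' "$cfg"; then
        echo "OK: menu hidden"
    else
        echo "WARN: menu is shown at startup"
    fi
    return "$rc"
}

# make_samples DIR: writes two constructed configs for the demo below.
make_samples() {
    printf '%s\n' 'set timeout=5' 'menuentry "Linux" {' '}' > "$1/open.cfg"
    printf '%s\n' 'set superusers="admin"' \
        'password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER' \
        'set timeout_style=hidden' 'menuentry "Linux" {' '}' > "$1/locked.cfg"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in locked open; do
    echo "== $f.cfg"
    audit_grub_cfg "$tmp/$f.cfg" || echo "-> not adequately protected"
done
rm -rf "$tmp"
```

On a real system the generated file is typically `/boot/grub/grub.cfg` or `/boot/grub2/grub.cfg`, and reading it usually requires root.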
- 03-01-2009 #3
As long as you have physical access to a machine, there will always be a way to "Hack" into it. You just have to trust that the majority of users do not want to trash your system.
- 03-01-2009 #4
Physical Security is actually a whole one of the 10 domains for the CISSP. It seems to me that it's often the weakest part of a security model.
- 03-01-2009 #5
- 03-01-2009 #6
You got that right...
Even if the machine is locked in a protected environment social engineering can ruin it all.
I've heard some crazy stories from some security professionals I know about how they are hired to do a security assessment for a company, and they'll wait for the boss to leave, talk to a secretary and say "My name is Joe, I'm here to inspect the HVAC in your server room." The secretary will say that the boss is out at first, but as soon as you start pushing it with phrases like "Mr. Boss said that it's important that I do this immediately because if the servers go down from overheating then business will stop". Sure enough they go get the key and leave you alone with the servers... half the time they don't even ask for ID.
- 03-01-2009 #7
On a slightly different note.
I had a phone call from my credit card company fraud department. One of the first things the nice lady asked for was some personal details to "prove that I am the person she needs to speak to".
Apparently, in the six years she has been doing the job, I am the only person who has asked her to prove her identity first.
And that Ladles and Gentlespoons is a truly scary statistic!
- 03-02-2009 #8
Curious. I had a similar call from a finance house that I have some investments with. As soon as the man started asking these questions, I dug my heels in and said I didn't give this sort of information to unsolicited callers. Then I hung up. They never rang me back. I'm beginning to wonder if there is a new phishing movement using telephone calls because the use of phishing emails has now been so much publicised that even stupid people don't fall for them any more.
- 03-04-2009 #9
In my case the caller turned out to be genuine. My card had been found on a fraudster's list. Although it hadn't been used and he had been arrested, my card was being cancelled for my security and a replacement issued.
Great I thought, I'm being looked out for. Until my inner cynic had an "aha!" moment when I had to call and activate the card. At which point I got a hard sell for their anti-fraud insurance. They didn't want to activate my card without it so I said "fair enough, cancel my card. With my rating your competition will give me a better deal anyway."
Within 24 hours I had a customer service specialist on the phone basically begging for my custom. In three months my special rate is up and I will be changing my credit card company.
It seems the phishing now is being done by the credit card companies.
- 03-05-2009 #10
At my school they placed the hard disk on the top of the boot device list, and disabled the USB boot, while the CD drives are removed.
Then you cannot live boot, and access to the BIOS is through a password. They are using windohze but if Linux was to be installed on those systems then they would still be able to secure it.

