The very first time I tried Linux, after spending an entire day downloading Slackware, copying it to a set of install diskettes, partitioning a hard drive and installing it, I set my root password to "12345".
I was around 10 at the time, 1995 plus or minus a year or two.
After booting for the first time, I dialed up AOL and logged on to a Linux-topic IRC channel. I talked to the strangers there about how excited I was to try Linux for the first time.
I quit my IRC client and typed "ls". Command not found. I tried "uptime". Command not found. "cd". Command not found.
While I was on IRC, someone had telnet'd in, guessed my stupidly simple password, and rm -rf'd the whole hard disk. I cried over breaking the computer and had to be consoled by my parents. I never used a common password again.
I now miss the days when hackers and viruses alike just wanted to delete your files or print messages on your screen. Secretly taking over your still-functioning system is much nastier.
I had a similar experience around the same age and year, except it was with FreeBSD. I got it to boot once, then tried to change the bootloader setup to allow dual booting with the existing MS-DOS 5.x installation. You can imagine how well that went, as a 10 or 11 year old with no previous FreeBSD/Linux experience. My parents were not quite so understanding about why I had broken their $3000+ computer and lost all their files. It took a few days, but I eventually managed to fix the MBR by reinstalling MS-DOS. Imagine my surprise when I booted into MS-DOS and found out that the files were still there!
Nitpick: `cd` would not get command not found because it is a builtin, and must be so since an external program can't update the working directory of its parent process.
Sorry for the old post, but I did try it and it refuses to activate swap on a non-swap-enabled device. Now I assume that you had done that a while back (judging from the hda device), so there are probably now some extra safety checks (good thing too!) :-D Well, I'm sorry for your loss long ago :-)
I'm pretty sure, based on that post, that you have a fair bit more system administration experience than I do, which makes the whole thing even more boggling.
I feel like a professional auto mechanic is telling me, all serious-like, that he just learned the hard way why you shouldn't try to drive while running alongside your car, reaching through the window to work the steering wheel, with a brick on the accelerator.
I found a 68K SGI Iris 2400 machine up and running in college in about 2004. It had a sticker with the hostname on it. Later on that week, I went to the department homepage, got the staff roster and tried to guess the usernames.
I telnetted to port 25 and tried RCPT TO hypothesized names, like so
$ telnet host 25
MAIL FROM: a@a.com
250 Sender OK
RCPT TO: afranks
550 Recipient not found
RCPT TO: arty.franks
250 Recipient OK
...
With this list of usernames I logged into the FTP to try to guess trivial passwords:
$ telnet host 21
USER arty.franks
User OK
PASS 1234
Login failed
PASS password
...
Eventually I got a valid username/password combo.
Now I can just telnet <host> and log in. I got a line like this:
Last login April 12, 1992.
$
It had this ancient version of IRIX on it, a hard drive under 100 MB, no X, a version of egcs, some ancient version of perl, no bash, and I think 12MB of RAM?
It was fun, but I didn't know what I wanted to do with it. We executed this attack from the school library. Putz'd around a bit, in amazement of how old it was, and that it was still online, and then logged out - never to return.
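From the defender's side, the RCPT TO probing in the story above leaves a clear trace in the mail server's reject log. The following is an added example, not code from the thread: it parses constructed Postfix-style "User unknown" reject lines (the hostnames, addresses and client IPs are sample values) and flags clients that tried many distinct non-existent recipients, which is what recipient guessing looks like next to an ordinary typo.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd reject lines (sample input, not from the thread).
# A partner mail host mistyping one address (198.51.100.7) sits beside a client
# that walks through many guessed local parts (192.0.2.10).
SAMPLE_LOG = """\
Apr 12 10:01:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <afranks@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<afranks@example.edu> proto=SMTP helo=<x>
Apr 12 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a.franks@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<a.franks@example.edu> proto=SMTP helo=<x>
Apr 12 10:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <franksa@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<franksa@example.edu> proto=SMTP helo=<x>
Apr 12 10:01:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bsmith@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<bsmith@example.edu> proto=SMTP helo=<x>
Apr 12 10:01:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <b.smith@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<b.smith@example.edu> proto=SMTP helo=<x>
Apr 12 10:05:30 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <alcie@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<alcie@example.edu> proto=ESMTP helo=<mail.partner.example>
"""

# Pull the client IP and the rejected recipient out of a "User unknown" reject.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt"))
    return seen

def find_enumerators(log_text, threshold=4):
    """Clients that probed at least `threshold` distinct non-existent recipients.

    One or two 'User unknown' rejects are ordinary typos; many distinct
    rejected local parts from one client is the recipient-guessing pattern.
    """
    return {
        ip: sorted(rcpts)
        for ip, rcpts in unknown_recipients_by_client(log_text).items()
        if len(rcpts) >= threshold
    }

if __name__ == "__main__":
    for ip, rcpts in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients, e.g. {rcpts[:3]}")
```

The same counting works on any MTA that logs the rejected recipient and client address; only REJECT_RE changes.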
We had a presentation given to us by the head of school on the last day of term prior to exams. He walked to the front, turned on the projector, and while chatting entered his username and password. He didn't hit enter or tab - instead he entered his username and password in the username field. Out of an auditorium of a few hundred I did a quick scan. No one appeared to have noticed - I'd have expected a few pens to be out. There was a folder on his desktop called "moderated exam papers" or similar. It was amazing.
Just a joke about the great HN Bitcoin craze in general, and the occasional crazy schemes people come up with to turn small amounts of computing power into pointlessly small amounts of Bitcoin, like the recent JavaScript miner that you hide on your site and run on visitors' computers.
If any of your accounts get compromised, a simple su to the account with a weak password will give them everything. It's a big improvement, but the weak password is still a vulnerability.
That's what I thought. It's always struck me as a limitation of the ssh auth approach. While I can't insist on a good password, I'd like to be able to insist upon password-protected keys (at least as a default -- exceptions for some system processes / activities).
When the password consists of 4 characters, each being 0-9, there are 10,000 possible passwords; 14 bits are required to represent 10,000 possible combinations of anything:
log(10000) / log(2) == 13.28771
With 5 characters, each 0-9, there are 100,000 possible combinations, and that requires 17 bits:
log(100000) / log(2) == 16.60964
Therefore, 12345 offers 3 extra bits of security compared to 1234.
Use key-based authentication in sshd and do away with the password authentication scheme. Well, you should put a password on your private key, but that should cover just about every password-cracking case.
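The keys-only setup this comment and the earlier "su to the account with a weak password" comment describe comes down to a few sshd_config directives. As an added example (not from the thread; the config fragments are constructed and the defaults are assumed from modern OpenSSH), this Python reads a config the way sshd does, first occurrence of a keyword wins, and lists what still leaves a password as a way in.

```python
# Constructed sshd_config fragments (not from the thread): password logins on vs. keys only.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Assumed sshd defaults (modern OpenSSH) for directives a config leaves out.
# ChallengeResponseAuthentication is spelled KbdInteractiveAuthentication on newer releases.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def parse_sshd_config(text):
    """Effective global directives: keywords are case-insensitive and, as in
    sshd, the first occurrence of a keyword wins. Assumes the 'Key value'
    form and that global settings come before any Match block."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        found.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **found}

CHECKS = [  # (directive, acceptable values, why anything else matters)
    ("passwordauthentication", ("no",), "passwords can be guessed over the network"),
    ("challengeresponseauthentication", ("no",), "keyboard-interactive still prompts for a password"),
    ("pubkeyauthentication", ("yes",), "keys cannot replace passwords"),
    ("permitrootlogin", ("no", "prohibit-password", "without-password"), "root itself accepts password logins"),
]

def audit(text):
    """Directives that still let a guessable password open the box."""
    cfg = parse_sshd_config(text)
    return [f"{d}={cfg[d]}: {why}" for d, ok, why in CHECKS if cfg[d] not in ok]
```

Putting a passphrase on an existing key, as the comment recommends, is `ssh-keygen -p -f ~/.ssh/id_ed25519`; that happens on the client, and nothing in sshd_config can verify it, which is the limitation the earlier comment about insisting on password-protected keys runs into.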
I remember when I got my very first VPS, and within a couple of days I was getting a really long bruteforce where the attacker tried every common name "aaron, adam, alex, etc" and around 120 common passwords for each of them (fortunately my text-based password on that VPS was 41 characters). I think they tried a few thousand usernames total. That's when I realized the internet is a scary place, and now I only use RSA keys.
All our workstations at school had static, publicly routable IP addresses. I never got hacked, thankfully, but I still found out about the pervasive ssh bruteforcing fairly quickly. The brute-forcing bots apparently were rate limited to once per second. Since each failed attempt gets logged to disk, this resulted in a faint, periodic "grrrt" sound. It's hard to describe how incredibly annoying this was while sitting next to the machine; certainly annoying enough to figure out what was causing it :-)
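The username-then-password cycling described in the two comments above is what sshd writes to the auth log as a run of "Failed password" lines. As an added example (not from the thread; the log lines, hostnames and IPs are constructed), this Python separates a client trying many usernames from a legitimate user with one typo, and measures the interval between attempts, which in the sample data is the once per second the comment above mentions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (sample input, not from the thread): one client cycling
# through common usernames about once a second, and one real user with a single typo.
SAMPLE_AUTH_LOG = """\
Jan  3 04:12:01 vps sshd[4321]: Failed password for invalid user aaron from 203.0.113.5 port 51234 ssh2
Jan  3 04:12:02 vps sshd[4321]: Failed password for invalid user adam from 203.0.113.5 port 51235 ssh2
Jan  3 04:12:03 vps sshd[4321]: Failed password for invalid user alex from 203.0.113.5 port 51236 ssh2
Jan  3 04:12:04 vps sshd[4321]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan  3 04:12:05 vps sshd[4321]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan  3 09:30:11 vps sshd[4400]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan  3 09:30:15 vps sshd[4400]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_failures(log_text):
    """Per source IP: failure count, distinct usernames, unknown-user count, first/last time."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog stamps carry no year
        s = stats[m.group("ip")]
        s["failures"] += 1
        s["users"].add(m.group("user"))
        s["invalid_users"] += 1 if m.group("invalid") else 0
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def classify(s, spray_users=3, brute_failures=10):
    """'username-spray' (many names), 'brute-force' (many tries) or 'normal'."""
    if len(s["users"]) >= spray_users:
        return "username-spray"
    return "brute-force" if s["failures"] >= brute_failures else "normal"

def mean_interval_s(s):
    """Seconds between consecutive failures from one source; None with a single failure."""
    if s["failures"] < 2:
        return None
    return (s["last"] - s["first"]).total_seconds() / (s["failures"] - 1)
```

The "invalid user" count is the useful discriminator: a real user mistypes a password for an account that exists, while a name-list bot fails mostly against accounts that do not.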
You just reminded me I need to check my VPS, although I am not using a simple password :(
EDIT: It seems that leaving your VPS unattended for a month is a bad idea. I can't log in, because the server terminates the connection immediately and the passwords for the host's backend have been changed. Great!
How about a password like this? 1|2|3|4 or 1!2!3!4 — probably not nearly as guessable and more secure. But yes, not using 1234 as your default password for anything is sound advice that everyone should know.
The same happened to us when someone added a user 'test123' with the password 'test', just to… test something locally, totally forgetting that it would also permit access via ssh.
More precisely, Bitcoin mining is dominated by specialized hardware (ASICs), so non-specialized computers have almost zero impact or revenue potential in the Bitcoin network. Litecoin and Primecoin are less ASIC-friendly, so ordinary computers stand a better chance at actually finding a block because they don't have the massively overpowered competition.
Or if you're going for something really obscure, why not Junkcoin?
I guess PrimeCoin is 6th in capitalization... maybe it's in that sweet spot of not being overly competitive but still capable of retaining some value:
http://coinmarketcap.com/