Searching \ for '[PIC] PIC based login device for PC?' in subject line. ()
Make payments with PayPal - it's fast, free and secure! Help us get a faster server
FAQ page: techref.massmind.org/techref/microchip/devices.htm?key=pic
Search entire site for: 'PIC based login device for PC?'.

Exact match. Not showing close matches.
PICList Thread
'[PIC] PIC based login device for PC?'
2006\03\03@111317 by KY1K

picon face
Good Day all,

I've been using a cuecat to automate the log in process for each of
the users on the family PC. While a password to log in is a pain in
the rear, it provides an additional tier of protection if a hacker
makes it though the firewall, so I make everyone log in with a REAL
(strong) password.

In my present system, the cuecat (which is connected to the PS2
keyboard connector) reads a barcode on the front panel of the PC,
which is the password for that user. When the barcode is decoded
properly, the text is inserted into the password box on the Welcome
screen, and the log in is done. Works slick and there is no chance
for a hacker to access the hardware to log themselves in.

But, the cuecat is relatively large and bulky.

Has anyone ever programmed a PIC device to do a similar job? The PIC
would only have to output a particular ascii text line when a hidden
switch is activated if the PIC was connected to the PS2 connector
(inside the computer).

Or, a more complicated ap could use a recycled rfid tag and a radio
link to log in.

Has anyone done it, or anything similar?

Art

2006\03\03@114930 by David VanHorn

picon face
So you just want a line of text spit out in PS/2 keyboard speak when a
button is pressed?   Dosen't seem difficult, though things get interesting
if capslock or numlock has been pressed on the real keyboard.

2006\03\03@115623 by olin piclist

face picon face
KY1K wrote:
> In my present system, the cuecat (which is connected to the PS2
> keyboard connector) reads a barcode on the front panel of the PC,
> which is the password for that user. When the barcode is decoded
> properly, the text is inserted into the password box on the Welcome
> screen, and the log in is done. Works slick and there is no chance
> for a hacker to access the hardware to log themselves in.

Sounds like a fancy setup so that in two seconds of messing with a barcode
reader you can avoid taking 1 second to type in a password.


******************************************************************
Embed Inc, Littleton Massachusetts, (978) 742-9014.  #1 PIC
consultant in 2004 program year.  http://www.embedinc.com/products

2006\03\03@115637 by Danny Sauer

flavicon
face
David wrote regarding 'Re: [PIC] PIC based login device for PC?' on Fri, Mar 03 at 10:51:
> So you just want a line of text spit out in PS/2 keyboard speak when a
> button is pressed?   Dosen't seem difficult, though things get interesting
> if capslock or numlock has been pressed on the real keyboard.

No more interesting than if the CueCat did the same thing... :)

--Danny

2006\03\03@123744 by David VanHorn

picon face
>
>
> No more interesting than if the CueCat did the same thing... :)


Some systems monitor the conversation and track what the real keyboard is
doing, but the CC isn't one of them.

2006\03\03@123958 by Philip Pemberton

face picon face
In message <spam_OUT7.0.1.0.0.20060303110117.01b54270TakeThisOuTspampivot.net>>          KY1K <.....ky1kKILLspamspam@spam@pivot.net> wrote:

> But, the cuecat is relatively large and bulky.

And - as Illiad of userfriendly.org put it - "Unfortunate logo design #14:
mistaken for a device in a proctologist's office."
-- <http://ars.userfriendly.org/cartoons/?id=20001008>

I've got two of them here - I like them so much, they've been sitting in a
box since I got them :)
One of them has been declawed and has a switch on the top to select between
ASCII output and encoded output. The other is pretty much raw.

> Has anyone ever programmed a PIC device to do a similar job? The PIC
> would only have to output a particular ascii text line when a hidden
> switch is activated if the PIC was connected to the PS2 connector
> (inside the computer).

If the machine has USB, you could rig up some PIC firmware to do USB HID
(more specifically, the keyboard part of USB-HID) instead of bitbanging the
PS/2 bus.

> Has anyone done it, or anything similar?

I've done two things along these lines - OpenSID, which is basically SecurID
using open algorithms, and an unnamed project that consisted of a keyfob and
a PC interface. You'd point the keyfob at the receiver and it would send the
password over infrared. The receiver would then decode it and feed it over
an RS232 link to the PC.

--
Phil.                         | Kitsune: Acorn RiscPC SA202 64M+6G ViewFinder
philpemspamKILLspamdsl.pipex.com         | Cheetah: Athlon64 3200+ A8VDeluxeV2 512M+100G
http://www.philpem.me.uk/     | Tiger: Toshiba SatPro4600 Celeron700 256M+40G

2006\03\03@125823 by William Chops Westfield

face picon face
On Mar 3, 2006, at 8:57 AM, Olin Lathrop wrote:

> Sounds like a fancy setup so that in two seconds of messing with a
> barcode reader you can avoid taking 1 second to type in a password.
>
That's what I thought originally, but I finally "got it."  The
two seconds of messing with the barcode reader replaces trying
to remember and type a "strong" 30 character fully random password
string.  It's effectively similar to the "post-it note on the screen",
but easier to enter.  Post-it notes on the screen get a lot of
negative comments, but they provide pretty good security from
network based attacks...

BillW

2006\03\03@141506 by KY1K

picon face

>Post-it notes on the screen get a lot of
>negative comments, but they provide pretty good security from
>network based attacks...

OK, I never thought of modifying the welcome screen to show the
password. But, even so, our passwords are all more than 16 characters
and I can assure you all that a sane person doesn't want to have to
type that string every time they go to log on.

qwerty is not a strong password although it's easy to type fast.

1@33,mdhEER poq)({[xx.l takes a hell of alot longer to type than 2
seconds, even if is is committed to memory:>:

I thought of an IR link, short range, within a couple of inches of
the front panel of the computer.

A hidden short range radio link would work too, the relatively large
transmitter could be hidden under the table so it is accessible and
out of the way...and visitors wouldn't know it was there.

I also wondered if a garden variety mp3 player could have a number of
prerecoded sound files in them that could be easily generated and
decoded to look like serial keyboard pulses, but I don't know enough
about the keyboard protocol to know whether it's feasible. .

Art

2006\03\03@151036 by Danny Sauer

flavicon
face
KY1K wrote regarding 'Re: [PIC] PIC based login device for PC?' on Fri, Mar 03 at 13:54:
> OK, I never thought of

You want strong passwords that no one can duplicate without physically
stealing the device?

http://www.maxim-ic.com/products/ibutton/

Everyone gets a serial number iButton, and logs in with that.  Get the
keyfob holders in a few different colors and keep them next to the
monitor on a keyring - or not.  Each one has a 64 bit id that's
globally unique.

Go ahead and replace your house's door locks with iButton-based locks,
too.  Heck, the reason I got into PICs was to replace the door locks
on my cars with an iButton touch reader after I lost the keys to my
'77 El Camino and had been driving aruond with a coat hanger in back
plus a piece of pipe I had machines to replace the ignition lock
cylinder. :)  Replaced the door locks with a button reader (with power
locks) and had that energize the starter pushbutton relay for a few
minutes so you could only start the car after unlocking the doors.  I
still need to shave the doorhandles to complete the all-electronic
entry system.  One day I should market that, but I'm poor and lazy so
someone else will probably beat me to it.

Anyway, this way you have one key and can use it all over the place
with what I would call better security than a traditional key.

The beauty of using that for the computer is that the software's
already written to let you log in to popular operating systems with
those - no screwing with a keyboard interface or whatever.  Maybe
$10-$20 gets you there (most is free as engineering samples, actually,
but that's kinda dishonest IMHO).

--Danny

2006\03\03@182640 by Jan-Erik Soderholm

face picon face
KY1K wrote:

> In my present system, the cuecat (which is connected to the PS2
> keyboard connector) reads a barcode on the front panel of the PC,
> which is the password for that user.

What "that user" ??
How do you know who sits in front of the screen ?

Jan-Erik.



2006\03\03@202626 by Jake Anderson

flavicon
face
if they are in front of the computer then it dosent matter what passwords
your using
the OP said it was for *network* security
ie to stop outsiders getting in

{Original Message removed}

2006\03\03@210734 by KY1K

picon face
At 06:26 PM 3/3/2006, you wrote:
>KY1K wrote:
>
> > In my present system, the cuecat (which is connected to the PS2
> > keyboard connector) reads a barcode on the front panel of the PC,
> > which is the password for that user.
>
>What "that user" ??
>How do you know who sits in front of the screen ?


I know who's sitting in front of the screen because all the users are
family members. We have 5 'users', not including the administrator.
Since all the users are family members, it's ok to have each others
passwords available to sweep with the cuecat....but each family
member has their own customized setup, which is why we have so many users.

The computers only method of determining who's in front of the screen
is by the password they enter.

My original message was not about securing the system from the
keyboard side, it was about securing it from attack from the internet side.

GL.

Art


2006\03\03@213432 by David VanHorn

picon face
>
>
> My original message was not about securing the system from the
> keyboard side, it was about securing it from attack from the internet
> side.


I have a similar situation here, and as far as I'm aware, having a router
between you and the cable modem makes you "invisible".  They can see the
router of course, but I have remote maint turned off, so it won't respond to
anything from the outside world.

Now if you start opening ports to machines, then things get different.

2006\03\03@224507 by KY1K

picon face

>
> >
> >
> > My original message was not about securing the system from the
> > keyboard side, it was about securing it from attack from the internet
> > side.
>
>
>I have a similar situation here, and as far as I'm aware, having a router
>between you and the cable modem makes you "invisible".  They can see the
>router of course, but I have remote maint turned off, so it won't respond to
>anything from the outside world.
>
>Now if you start opening ports to machines, then things get different.

Yes, correct.

If you want your machine to be safe, there are several online servers
that will probe every single port to test your invisibility.
Invisibility and stealthed are 2 different matters however-your goal
is not to be invisible, it is to be stealthed.

My system is 100 percent stealthed (every single port) with just the
router firewall, but you should still use a software firewall at each
computer. The hardware firewall in the router is called a perimeter
firewall, the software firewall in each system is called a 'point' firewall.

If you have malicious software or spyware, the software can invite
intruders in, and your firewall is negated. This is why you need to
run ad-aware, hijackthis and spybot on a regular basis.

Remove Outlook, Outlook Express, MSN Messenger and Windows Messenger
completely from the system. Use Eudora and Firefox instead of
IE/Outlook, which will remove a major point of entry for spyware as
it does not allow activeX to run.

Only one user on the system should have administrative rights, and
the computer should not be connected to the internet while the
administrative account is open. Change the name of the administrator
to something besides the default 'administrator'.

All other users should not have administrative privileges. Use strong
passwords on all accounts, especially the administrative account.

If the hacker makes it through the firewall, and guesses the username
and password, the final line of defense is the file and printer
sharing. Close that door by turning file/printer sharing off. The
hacker cannot access the harddrive.

All these measures do nothing to secure the computer from attack from
the keyboard though.

Of course, nothing can stop the Bush or Bill Gates::>

Regards,

Art


2006\03\04@124545 by Peter

picon face

On Fri, 3 Mar 2006, KY1K wrote:
>
> I also wondered if a garden variety mp3 player could have a number of
> prerecoded sound files in them that could be easily generated and decoded to
> look like serial keyboard pulses, but I don't know enough about the keyboard
> protocol to know whether it's feasible. .

Give everyone a USB dongle (with or without MP3) and put a key file on
each. Or get chipped (RFID).

Peter

2006\03\04@140053 by Geo

flavicon
face
On 3 Mar 2006, at 21:07, KY1K wrote:

> I know who's sitting in front of the screen because all the users are
> family members. We have 5 'users', not including the administrator.
> Since all the users are family members, it's ok to have each others
> passwords available to sweep with the cuecat....but each family
> member has their own customized setup, which is why we have so many users.

Others (with more networking knowledge) have replied with alternatives - it is possible to create a
device to do your long passwords. I modified a Motorola application to use an AVR AT90S2313 to
take a serial input and convert to keyboard characters. It had a function where a certain
combination of keys would take a string of charaters from memory and send them to the pc. You
could add a 12 key keypad to a PIC/AVR and use the Motorola routines to send selected strings
(passwords) depending which key was pressed.

<http://www.freescale.com/files/microcontrollers/doc/app_note/AN1723.pdf>

>From a post I made in 2000:-
"Unfortunately they wrote the pdf so you cannot select the text to copy any of it 
so I cannot reproduce any here.  Anyway it is a circuit (and program for MC68705J1A type) to fit
between PC and keyboard. The circuit uses 2 chips (open collector ttl 7407 and 4066) to switch 
the lines from the PC to either the keyboard or the micro.  There is also a good text description of
the keyboard waveforms etc. I sent them an email to complain that pages 27 to 45 were source code
for the chip but I could not copy and paste into assembler due to their stupid protection. No
response of course. "

luck,

George Smith

2006\03\04@141147 by Philip Pemberton

face picon face
In message <.....14432ab59dacf2d71553a3bcd8d021b8KILLspamspam.....mac.com>>          William "Chops" Westfield <EraseMEwestfwspam_OUTspamTakeThisOuTmac.com> wrote:

> That's what I thought originally, but I finally "got it."  The
> two seconds of messing with the barcode reader replaces trying
> to remember and type a "strong" 30 character fully random password
> string.

30 characters is IMO total overkill. The root password on one of the servers
I admin is 20, but other than that the longest password I use regularly is 12
characters, and pronounceable.

Google for "xyzzy password generator" - it's a little (100k IIRC) exe that
generates pronounceable passwords that tend to be easier to remember than the
usual "ain4309u0vslk" nonsense that phpBB et al seem to throw out...

--
Phil.                         | Kitsune: Acorn RiscPC SA202 64M+6G ViewFinder
philpemspamspam_OUTdsl.pipex.com         | Cheetah: Athlon64 3200+ A8VDeluxeV2 512M+100G
http://www.philpem.me.uk/     | Tiger: Toshiba SatPro4600 Celeron700 256M+40G

2006\03\04@203641 by KY1K

picon face
OK, the problem is solved, or at least the fault is found.

In my google search I discovered a website that sells a 'keyboard
terminator'. In the sales info, they claim this to be a common and
well known problem with wedge devices, they won't run unless the
operating system THINKS there is a keyboard hooked up to the PS2 plug.

Here's the URL (for those interested).

It's a pricey lil' buggar, aint it??!!

http://www.waspbarcode.com/barcode_accessories/keyboard_terminator.asp

Regards,

Art

2006\03\05@083603 by olin piclist

face picon face
KY1K wrote:
> It's a pricey lil' buggar, aint it??!!

So how many yellow sticky notes on the monitor with the passwords on it does
that buy?


******************************************************************
Embed Inc, Littleton Massachusetts, (978) 742-9014.  #1 PIC
consultant in 2004 program year.  http://www.embedinc.com/products

2006\03\06@040629 by Alan B. Pearce

face picon face
>You want strong passwords that no one can duplicate
>without physically stealing the device?
>
> http://www.maxim-ic.com/products/ibutton/
>
>Everyone gets a serial number iButton, and logs in
>with that.

Round here they use those with cash registers to identify the sales person
ringing up the sale.

2006\03\06@054035 by Mike Hord

picon face
> 30 characters is IMO total overkill. The root password on one of the servers
> I admin is 20, but other than that the longest password I use regularly is 12
> characters, and pronounceable.

I forget exactly what the context was, but a local college mailing list where
I used to work recently had a discussion about password lengths.  The gist
was that at a certain length (?14 chars?), the password became exponentially
more secure, as Windows used a different method to store/encode it.

Although, frankly, given the people who were discussing it, it's even money
as to whether they were completely full of hot air or not.

Mike H.

2006\03\06@082014 by Danny Sauer

flavicon
face
Mike wrote regarding 'Re: [PIC] PIC based login device for PC?' on Mon, Mar 06 at 04:43:
> I forget exactly what the context was, but a local college mailing list where
> I used to work recently had a discussion about password lengths.  The gist
> was that at a certain length (?14 chars?), the password became exponentially
> more secure, as Windows used a different method to store/encode it.

Windows Server 2003 and XP allow a maximum password length of 127,
with a maximum minimum of 28 chars.  NT/2000/98 had a maximum of 14
chars, and used the LANManager format which converts all passwords to
uppercase.  It could be that passwords over 14 chars are stored (or
compared, anyway) case-sensitively on XP/Server 2003 for backwards
compatability, but I'd bet that an environment like that would
allow truncating to 14 for backwards compatability too...

*nix systems using old implementations of crypt() (using DES) truncate
to 8 chars though most modern systems (including modern Linuxes) take
advantage of modern crypto (often MD5 or SHA) to generate passwords
which use significantly more chars.  MD5 supports 256 chars on most
systesm.  Mac OS X up to version 10.2 used DES (8 chars), but switched
to MD5 in 10.3/Panther.

--Danny

2006\03\06@132014 by Keith

flavicon
face
Does anyone actually have any hard facts about proven password hacking in
the real world?
Does it actually happen? I have looked for evidence and not found anything
more that lots of would's and coulds. No lists of documented compromised
computers.

And by the way, Kevin Mitnick (the Atr of deception) never ever cracked a
password. He got the user to enter it for him, so a stong password did
nothing.

Having a strong password pasted on the front of your computer is useless
IMHO. Use a decent password and don't tell anyone or write it down.

Keith

{Original Message removed}

2006\03\06@135449 by David VanHorn

picon face
It always comes down to the same thing. You attack the system at it's
weakest point.

So many people are worried about emailing a credit card number, when the
biggest risk is the people on the ends of the link, not the email.

When I did alarms, I used to leave apparent weak points in the system to
draw the attack to that point.  Like a cheap keyswitch next to the front
door. If you pick the lock and turn it (5-10 seconds work) then you just set
off the alarm.

2006\03\06@144227 by Danny Sauer

flavicon
face
Keith wrote regarding 'Re: [PIC] PIC based login device for PC?' on Mon, Mar 06 at 12:27:
> Does anyone actually have any hard facts about proven password hacking in
> the real world?

I have lots of logfiles full of script-based attacks from different
sites who'll constantly try to log in as well known users (things like
root, Admin, guest, anonymous, etc) and who'll run through a
dictionary of names trying passwords like "password" and the user
name.  It happens probably on a bi-monthly basis, at least, on even my
smallest sites.  I have a machine that was r00ted through an ssh
vunurability, actually (through it didn't get very far, and the
machine wasn't doing anything important, and the machine was not
trusted by the rest of the network anyway - which is why it wasn't
patched on time, in 1999).  I know people who are guessing their
friends' passwords for email / cell phone / etc all the time, too,
which is just as much hacking as Joe in finance accidentally
disclosing the location of the Excel file containing all of the
employee records. :)

> And by the way, Kevin Mitnick (the Atr of deception) never ever cracked a
> password. He got the user to enter it for him, so a stong password did
> nothing.

Social engineering is the bane of security professional's existance.
It's also a real good argument for using a pysical key of some sort to
access a computer, rather than a password.  It's a lot harder to get
access to things when you have to be physically present.  Laptops with
fingerprint scanners as the only acceptable remote access device, and
iButtons for all users.  I'd almost be happy at that point - and users
would appreciate not having to change their passwords all the friggin'
time.

> Having a strong password pasted on the front of your computer is useless
> IMHO. Use a decent password and don't tell anyone or write it down.

Useless only if physical security to gain access to the sticky note is
inadequate, and if the password can be used remotely.  In the OP's
case, security is already adequate.  If it wasn't, *then* the note
becomes a problem.  But I'll guarantee that, given physical access to
a computer, I'll get what I want without having to worry about how
strong the "passwords" are. :)  Strong passwords are only part of the
security puzzle.  A potentially critical part, but just a part.

Mitnick's book is alright ("books" now, right?), but I suggest reading
it in a library as opposed to buying it.  Glorifying his activities
isn't exactly a positive message, IMHO.

--Danny

2006\03\06@160355 by alan smith

picon face
have they? Good question...we didnt let it run long enough to find out.  We had a rus sian hacker on one of ours servers, running some sort of cracking program.  Not to crack ours, just using the CPU power.
 ----------------------------------------------------------------------

Keith <@spam@picKILLspamspamcorvettengineering.com> wrote:
 Does anyone actually have any hard facts about proven password hacking in
the real world?
Does it actually happen? I have looked for evidence and not found anything
more that lots of would's and coulds. No lists of documented compromised
computers.

And by the way, Kevin Mitnick (the Atr of deception) never ever cracked a
password. He got the user to enter it for him, so a stong password did
nothing.

Having a strong password pasted on the front of your computer is useless
IMHO. Use a decent password and don't tell anyone or write it down.

Keith

{Original Message removed}

2006\03\06@161312 by Matt Pobursky

flavicon
face
On Mon, 6 Mar 2006 13:42:27 -0600, Danny Sauer wrote:
> I know people who are guessing their friends' passwords for email /
> cell phone / etc all the time, too, which is just as much hacking as
> Joe in finance accidentally disclosing the location of the Excel
> file containing all of the employee records. :)

I've been asked to "break in" to several friend's and client's
computers who've lost/forgotten their passwords. I think in all but one
case I've been successful. I'm not advocating cracking anyone's system,
but a very handy utility for breaking passwords (OS and program/data
file specific ones) is John the Ripper (http://www.openwall.com/john/)

Matt Pobursky
Maximum Performance Systems


2006\03\06@174935 by Nate Duehr

face
flavicon
face
Matt Pobursky wrote:
> On Mon, 6 Mar 2006 13:42:27 -0600, Danny Sauer wrote:
>> I know people who are guessing their friends' passwords for email /
>> cell phone / etc all the time, too, which is just as much hacking as
>> Joe in finance accidentally disclosing the location of the Excel
>> file containing all of the employee records. :)
>
> I've been asked to "break in" to several friend's and client's
> computers who've lost/forgotten their passwords. I think in all but one
> case I've been successful. I'm not advocating cracking anyone's system,
> but a very handy utility for breaking passwords (OS and program/data
> file specific ones) is John the Ripper (http://www.openwall.com/john/)

Were they Windows systems?

Somewhere around here I still have a Linux boot disk on a floppy that
would replace the Windows SAM database's version of the Administrator
login with a new default Administrator username and password.

It took about 30 seconds to run and worked every time.  Boot machine
from floppy, type a password, remove floppy, reboot.

Hardest part these days is finding a Windows machine with a floppy disk
drive... but you can burn the image onto a CD and boot it from that
media also...

Nate

2006\03\06@181930 by andrew kelley

picon face
> Were they Windows systems?
>
> Somewhere around here I still have a Linux boot disk on a floppy that
> would replace the Windows SAM database's version of the Administrator
> login with a new default Administrator username and password.
>
> It took about 30 seconds to run and worked every time.  Boot machine
> from floppy, type a password, remove floppy, reboot.
>
> Hardest part these days is finding a Windows machine with a floppy disk
> drive... but you can burn the image onto a CD and boot it from that
> media also...

Could use a USB key either...  I have a copy of Rainbow Crack which is
used to generate (LARGE=6 cds worth) of tables that can crack SAM
passwords; not replace, but find the password, useful if you need to
decode a Lan Manager (aka Samba/Windows Networking) password.. (Which
was the old version of the password encryption, but is used over
ethernet links).  It's pretty quick if you have 4 gigs of spare HD
room.  Searching over cd is a bit slow.

--
andrew

2006\03\07@001125 by Peter Todd

picon face
On Mon, Mar 06, 2006 at 10:35:46AM -0600, Keith wrote:
> Does anyone actually have any hard facts about proven password hacking in
> the real world?
> Does it actually happen? I have looked for evidence and not found anything
> more that lots of would's and coulds. No lists of documented compromised
> computers.

I do. Happened at work. Someone, quite likely me to be honest, set the
password for the test account too... test. Whoever it was forgot they
had done that and sure enough a few months later we notice someone's
"hacked" into the computer and is using the account via automated
scripts to run a ftp server to distribute mp3s and movies. I'm pretty
sure they never got root access, but I wiped the system and reset all
the passwords all the same.

> And by the way, Kevin Mitnick (the Atr of deception) never ever cracked a
> password. He got the user to enter it for him, so a stong password did
> nothing.
>
> Having a strong password pasted on the front of your computer is useless
> IMHO. Use a decent password and don't tell anyone or write it down.

No more useless then the fact that anyone able to read that password can
probably put a bootdisk into said computer and take the data anyway...

Writing down passwords is perfectly acceptable *network* security. What
is isn't is acceptable *physical* security. In many cases if the
intruder can read the password, you're fscked anyway cause the data is
sitting on a harddrive right next to them.

Personally I encrypt anything that's really important, so that barring
keyloggers and other relatively advanced attacks, neither network nor
physical attacks will do all that much.

--
KILLspampeteKILLspamspampetertodd.ca http://www.petertodd.ca

2006\03\07@043052 by Alan B. Pearce

face picon face
>Does anyone actually have any hard facts about
>proven password hacking in the real world?
>Does it actually happen? I have looked for
>evidence and not found anything more that lots
>of would's and coulds. No lists of documented
>compromised computers.

Have you ever read "The Cuckoos Egg" ? I cannot remember who wrote it, but I
read the condensed form as about 3 parts in a magazine (wasn't Byte, but a
similar one) some time back. That was a true story.

2006\03\07@091306 by KY1K

picon face

>
> >
> > Having a strong password pasted on the front of your computer is useless
> > IMHO. Use a decent password and don't tell anyone or write it down.
>
>No more useless then the fact that anyone able to read that password can
>probably put a bootdisk into said computer and take the data anyway...

ON XP, you don't even need a boot disk IF you have physical access to
the keyboard. Start the system in safe mode, and you can set the
password for any account on the system to a null string, effectively
eliminating it completely. Then, just log off and restart the
computer. Presto, full access to any of the system and/or any part of
the network it is connected to.

The exception is Windoze encrypted folders on the hard drive. The
contents of these folders is protected from harvesting, but the files
become useless once the users password is changed. Hence, the reason
why most users do not use windoze encryption::>

Writing down a password and placing it on the front panel of the
computer is designed to secure the computer from an internet/network
based attack. But, it does noting to protect the computer from an
attack from the keyboard-the strongest password in the world doesn't
protect against keyboard attacks either.

Also, the stand alone hardware log in device (such as a cuecat) does
offer protection from internet based hacking-there is no way for a
hacker to actuate the hardware via the internet, so I deem this as an
acceptable log in method.

Is this correct??

Regards,

Art

PS:Great list all, I'm thinking I need to subscribe to the OT and EE
only....some of these discussions are much more interesting than he
PIC programming issues themselves!!!!

2006\03\07@092020 by KY1K

picon face
At 05:40 AM 3/6/2006, you wrote:
> > 30 characters is IMO total overkill. The root password on one of
> the servers
> > I admin is 20, but other than that the longest password I use
> regularly is 12
> > characters, and pronounceable.
>
>I forget exactly what the context was, but a local college mailing list where
>I used to work recently had a discussion about password lengths.  The gist
>was that at a certain length (?14 chars?), the password became exponentially
>more secure, as Windows used a different method to store/encode it.

If your password contains upper and lower case, punctuation and
numbers, the possible number of combinations is quite large for a
relatively short password. If you limit yourself to numbers only, or
lower case alphabet characters, the password has to be much longer to
achieve the same level of protection.

Keep smilin'

Art

2006\03\07@092427 by Dennis J. Murray

picon face
The Cuckoo's Egg was written (I believe) by Cliff Stohl. It's an
EXCELLENT read!!! And, reputedly, it's true!

And, yes, there ARE problems with password hacking in industry! Before I
retired, I was head of a fairly large local firm with a little over 2000
personal computers. We'd have at least a couple cases a year of what
appeared to be hacking. It usually manifested itself as somebody on the
off shifts (we ran 24/7) using someone else's computer to access porn
sites, etc. These accesses would show up on my Internet Access logs and
my Network Security person would have to check them out. And, yes, in
most cases, I was quite sure these sites weren't visited by the person
responsible for that machine!!

Usually the passwords would be easy to guess if you knew the machine's
owner very well (i.e. husband's name, pet's name, child's name,
birthday, etc.). You can tell them NOT to use such passwords until
you're blue in the face, but they do it anyway! In one particularly
notable case, the password was written on a piece of paper and taped to
the ceiling!!!! I have to admit, I'd have never guessed that password,
but HOW DUMB CAN YOU GET??

Dennis

Alan B. Pearce wrote:

{Quote hidden}

2006\03\07@092623 by KY1K

picon face
At 04:13 PM 3/6/2006, you wrote:
>On Mon, 6 Mar 2006 13:42:27 -0600, Danny Sauer wrote:
> > I know people who are guessing their friends' passwords for email /
> > cell phone / etc all the time, too, which is just as much hacking as
> > Joe in finance accidentally disclosing the location of the Excel
> > file containing all of the employee records. :)
>
>I've been asked to "break in" to several friend's and client's
>computers who've lost/forgotten their passwords. I think in all but one
>case I've been successful. I'm not advocating cracking anyone's system,
>but a very handy utility for breaking passwords (OS and program/data
>file specific ones) is John the Ripper (http://www.openwall.com/john/)

Matt,

Would you really trust the (anonymous) author of a program designed
to circumvent security by installing and running his/her software??? Not me::>

Who knows what the software really does::>

Art

2006\03\07@110127 by Howard Winter

face
flavicon
picon face
On Tue, 07 Mar 2006 09:13:03 -0500, KY1K wrote:

>...
> Also, the stand alone hardware log in device (such as a cuecat) does
> offer protection from internet based hacking-there is no way for a
> hacker to actuate the hardware via the internet, so I deem this as an
> acceptable log in method.
>
> Is this correct??

Unfortunately the Cuecat is just a barcode scanner, which inputs the contents of a barcode as if it was typed
- it's a "keyboard wedge" device, meaning it plugs in between the keyboard and the PC.  In this application
all it does is save the user having to type the password - a malicious key-logger would capture the password
just the same either way, and could then use it remotely.  In the absence of a key-logger, it's as safe as
typing the password from a Post-it note stuck on the screen...

Cheers,


Howard Winter
St.Albans, England


2006\03\07@113648 by William Chops Westfield

face picon face
On Mar 7, 2006, at 6:24 AM, Dennis J. Murray wrote:

> there ARE problems with password hacking in industry!

Password hacking is a different class of attack than most
people are used to.  The cracker pretty much has to be someone
who gets access to the encrypted password base (trying to crack
password by brute force over a network login session is not very
likely to work...)  This usually means employees or recently
ex-employees of some kind, not "strangers."

BillW

2006\03\07@115524 by Danny Sauer

flavicon
face
KY1K wrote regarding 'Re: [PIC] PIC based login device for PC?' on Tue, Mar 07 at 08:29:
> At 04:13 PM 3/6/2006, you wrote:
> >file specific ones) is John the Ripper (http://www.openwall.com/john/)
>
> Matt,
>
> Would you really trust the (anonymous) author of a program designed
> to circumvent security by installing and running his/her software??? Not me::>

In general, this is a good attitude.  In particular, John the Ripper
has been around for a long time, the source code is available, and it
ships with several security-concious Linux distributions (and some
less-safe distros).  So it's specifically pretty trust-worthy, and
anyone can examine the source before building it with a trusted
compiler on a trusted machine if they're feeling paranoid.  I used to
run it nightly against the student accounts in the Unix lab and have
it disable accounts / send a notification email out to people whose
passwords were too weak (this was before we had switched over to a
PAM-enabled system with nice, easy plugins to check new passwords when
they're changed).

We'll ignore the theoretical attack of a compromised compiler which
can compromise a generated compiler as well as compromising binaries,
for the sake of discussion.  Gotta start trust at some point, and I'm
certainly not paranoid enough to build a compiler in assembly and then
audit glibc and gcc's source base. :)

--Danny, who trusts Ruger despite the fact that they almost
exclusively make products designed to kill things...

2006\03\07@125343 by Jan-Erik Soderholm

face picon face
William "Chops" Westfield wrote :

> (trying to crack
> password by brute force over a network login session
> is not very likely to work...)

And shouldn't a proper OS lock the account after 2-3
false attempts anyway ?

B.t.w, my primary OS (VMS, OpenVMS) is told to be the only
OS Mitnick couldn't hack himself into by using technical-only
tools.

Can a Windows account be setup with *two* passwords ?
That is, so there have to be *two* persons (that do not know
the password of other person) at the screen to login to the account ?

Jan-Erik.



2006\03\07@130414 by KY1K

picon face

>
>Unfortunately the Cuecat is just a barcode scanner, which inputs the
>contents of a barcode as if it was typed
>- it's a "keyboard wedge" device, meaning it plugs in between the
>keyboard and the PC.  In this application
>all it does is save the user having to type the password - a
>malicious key-logger would capture the password
>just the same either way, and could then use it remotely.  In the
>absence of a key-logger, it's as safe as
>typing the password from a Post-it note stuck on the screen...

All true and agreed. Key loggers can pick up the password IF they are
activated at boot up. There is some question whether a key logger can
be made to run that early, they are usually installed after the user
types in the password as the user preferences are set up for that
particular user.

Key loggers cannot run before the log in because the OS is protected,
and very few services are actually started until the user types in
his password.

I'm sure someone can figure out a way around this and will do so eventually.

Enjoy.

Art


2006\03\07@132615 by William Couture

face picon face
On 3/7/06, KY1K <RemoveMEky1kTakeThisOuTspampivot.net> wrote:
{Quote hidden}

Just some keylogger info...

http://testing.onlytherightanswers.com/modules.php?name=News&file=article&sid=33

http://www.keelog.com/diy.html

Bill

--
Psst...  Hey, you... Buddy...  Want a kitten?  straycatblues.petfinder.org

2006\03\07@133340 by James Newton, Host

face picon face
I'd love to see some PIC content on this thread...

...or it would be really nice if the topic tag could get changed to [EE].

---
James Newton: PICList webmaster/Admin
spamBeGonejamesnewtonspamBeGonespampiclist.com  1-619-652-0593 phone
http://www.piclist.com/member/JMN-EFP-786
PIC/PICList FAQ: http://www.piclist.com


2006\03\07@133624 by Danny Sauer

flavicon
face
KY1K wrote regarding 'Re: [PIC] PIC based login device for PC?' on Tue, Mar 07 at 12:15:
> Key loggers cannot run before the log in because the OS is protected,
> and very few services are actually started until the user types in
> his password.

It's just the choice of one registry key v/s another as to whether or
not a daemon starts before login or after login (on Windows).  Anyone
competent enough to develop a keylogger will certainly know the
difference. :)

BTW, this is one more plug for the iButtons - no keyboard to sniff. ;)

--Danny

2006\03\07@135615 by Peter

picon face

On Tue, 7 Mar 2006, KY1K wrote:

> Would you really trust the (anonymous) author of a program designed to
> circumvent security by installing and running his/her software??? Not me::>
>
> Who knows what the software really does::>

I hope you are kidding. Your headers indicate that you seem to be
posting this from a Windows PC ?!

Peter

2006\03\07@160115 by KY1K

picon face

>
> > Would you really trust the (anonymous) author of a program designed to
> > circumvent security by installing and running his/her software??? Not me::>
> >
> > Who knows what the software really does::>
>
>I hope you are kidding. Your headers indicate that you seem to be
>posting this from a Windows PC ?!

No, I'm not kidding. But, I know where you're going.

I don't trust Bill and look forward to the day when software is open
sourced and independently reviewable for security issues.

Until then, we're all on hold.


2006\03\07@170307 by Gerhard Fiedler

picon face
Danny Sauer wrote:

>> Key loggers cannot run before the log in because the OS is protected,
>> and very few services are actually started until the user types in his
>> password.
>
> It's just the choice of one registry key v/s another as to whether or
> not a daemon starts before login or after login (on Windows).  Anyone
> competent enough to develop a keylogger will certainly know the
> difference. :)

I'm not a security expert (and I don't know exactly what keys you're
talking about), but I think the difference between the two keys is that the
user has write rights for his own, and needs admin privileges for the
other. Which a non-admin user shouldn't have (but often has).

> BTW, this is one more plug for the iButtons - no keyboard to sniff. ;)

So how do they input the password? Doesn't it go through a HID interface --
just like a USB keyboard or so? Or do they need a custom service at the
computer that reads the iButton?

Gerhard

2006\03\08@133711 by Peter

picon face


On Tue, 7 Mar 2006, James Newton, Host wrote:

> I'd love to see some PIC content on this thread...
>
> ...or it would be really nice if the topic tag could get changed to [EE].

Yeah, time someone posted a PS/2 hardware keylogger implemented with a
12C509 and a 128 SPI eeprom, small enough to build into a PS/2
connector.

Peter

2006\03\08@134657 by Peter

picon face

On Tue, 7 Mar 2006, KY1K wrote:

>> > Would you really trust the (anonymous) author of a program designed to
>> > circumvent security by installing and running his/her software??? Not
>> me::>
>> >
>> > Who knows what the software really does::>
>>
>> I hope you are kidding. Your headers indicate that you seem to be
>> posting this from a Windows PC ?!
>
> No, I'm not kidding. But, I know where you're going.
>
> I don't trust Bill and look forward to the day when software is open sourced
> and independently reviewable for security issues.
>
> Until then, we're all on hold.

*Almost* all ;-) As you said, peer review by many is better than peer
review by a chosen few who can't talk due to NDAs anyway.

Peter

More... (looser matching)
- Last day of these posts
- In 2006 , 2007 only
- Today
- New search...