Fedora Core 3 & Core 4 Password questions

Discussion in 'Computer Security' started by Brandon, Aug 9, 2005.

  1. Brandon

    Brandon Guest

    Is there any length of complex password that can be assigned to the ROOT
    that cannot be hacked if the person hacking has console access? I am selling
    a software product that I do not want the users to have access to. The only
    account on the server will be ROOT. I wanted to use a password 32
    characters/numbers/symbols or higher. Main thing is no one must get in.

    email mature @ hushmail.com

    Thanks.
     
    Brandon, Aug 9, 2005
    #1

  2. Brandon

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <xlZJe.153280$5V4.129554@pd7tw3no>, Brandon wrote:

    >Is there any length of complex password that can be assigned to the ROOT
    >that cannot be hacked if the person hacking has console access?


    Console access? Why bother hacking when there are quite obvious ways
    around it from that point.

    >I am selling a software product that I do not want the users to have
    >access to.


    Then don't install it on the users' hardware, or hardware that the users
    have access to.

    >The only account on the server will be ROOT. I wanted to use a password
    >32 characters/numbers/symbols or higher.


    With the modern MD-5 hash system, this is easy - after all, you want to be
    the only person with root, so you can set the password as you like. Of
    course, it only takes a few minutes AT MOST to bypass this.

    >Main thing is no one must get in.


    Physical access beats five aces. If you want the system to be totally
    secure, encrypt the drive, and require the password to be entered each
    time the system boots. You can't keep the password on the system, or
    allow it to be entered over the network, as either method can be compromised
    very easily. Not practical, you say? Neither is your desire to prevent
    anyone from accessing the software.

    Old guy
     
    Moe Trin, Aug 9, 2005
    #2

  3. Brandon

    Winged Guest

    Moe Trin wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <xlZJe.153280$5V4.129554@pd7tw3no>, Brandon wrote:
    >
    >
    >>Is there any length of complex password that can be assigned to the ROOT
    >>that cannot be hacked if the person hacking has console access?

    >
    >
    > Console access? Why bother hacking when there are quite obvious ways
    > around it from that point.
    >
    >
    >>I am selling a software product that I do not want the users to have
    >>access to.

    >
    >
    > Then don't install it on the users' hardware, or hardware that the users
    > have access to.
    >
    >
    >>The only account on the server will be ROOT. I wanted to use a password
    >>32 characters/numbers/symbols or higher.

    >
    >
    > With the modern MD-5 hash system, this is easy - after all, you want to be
    > the only person with root, so you can set the password as you like. Of
    > course, it only takes a few minutes AT MOST to bypass this.
    >
    >
    >>Main thing is no one must get in.

    >
    >
    > Physical access beats five aces. If you want the system to be totally
    > secure, encrypt the drive, and require the password to be entered each
    > time the system boots. You can't keep the password on the system, or
    > allow it to be entered over the network, as either method can be compromised
    > very easily. Not practical, you say? Neither is your desire to prevent
    > anyone from accessing the software.
    >
    > Old guy


    Old guy is right on this one. If you don't control the hardware, the
    software can be retrieved.

    Passwords make no difference; the disk can be directly accessed and the
    software copied as simply as inserting a CD (for example) with the OS that
    mounts the disk where one knows the password.

    One can just dupe the disk and one can hack the copies to their heart's
    content while still using the original copy. The system manager may not
    even be aware this copying has occurred; it takes only a few minutes.

    Even if you use hardware keys (there are several flavors on the market),
    someone who has enough patience can work their way through the locks.
    You may slow them down, but in the end it will be accessed.

    There are several other viable approaches, but if you are relying on a
    password to lock the OS down, to protect you, forget it.


    Winged
     
    Winged, Aug 10, 2005
    #3
  4. Brandon

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <be67c$42f96b0f$18d6d91e$>, Winged wrote:

    >Even if you use hardware keys (there are several flavors on the market).


    You mean like those old dongles that you used to have to attach to the
    parallel port? Yuck!

    > Someone who has enough patience can work their way through the locks.
    > You may slow them down, but in the end it will be accessed.


    Copy protection schemes have been around since before IBM introduced
    the PC in 1981. This ranged from the above noted hardware dongles, to
    requiring the floppy or tape which used a strange format, to a "hidden"
    disk file in a hidden directory, or even recording exactly where (track,
    sector, and head) some file was put on the disk... you name it, it's
    been tried - maybe even before you were born - and it did not work then.
    Want to put it on a USB or Firewire device? Want to think that differs
    from what has been done before?

    Old guy
     
    Moe Trin, Aug 10, 2005
    #4
  5. Brandon

    David Guest

    Everyone is right on this - if your users have physical access to the
    machine, all it takes is a Linux boot disk and a chroot command to
    change the root password anyway. If you are really hardcore, you need
    to encrypt the hard drive and have people enter a password every time the
    system is booted. That, and make sure the hardware is locked and
    physically secure. If you really want to do this, I would recommend a
    program called loop-aes. It's somewhat difficult to use, but if set up
    properly, can be VERY secure.

    Good luck,
    David

    Brandon wrote:
    > Is there any length of complex password that can be assigned to the ROOT
    > that cannot be hacked if the person hacking has console access? I am selling
    > a software product that I do not want the users to have access to. The only
    > account on the server will be ROOT. I wanted to use a password 32
    > characters/numbers/symbols or higher. Main thing is no one must get in.
    >
    > email mature @ hushmail.com
    >
    > Thanks.
    >
    >
     
    David, Aug 15, 2005
    #5