Full Disclosure mailing list archives
RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
From: <tido () hushmail com>
Date: Wed, 4 Jun 2003 13:15:30 -0700
Unless i am missing something, the addition of a "hard-key" would not be any better than a stored password. If you authorize the machine, or a piece of hardware plugged into the machine does not make a difference. What keeps another process/user/root/admin from requesting the password/authorization from the hard-key? (possibly a password that has to be entered by an admin? and the cycle continues) odiT Just because you're paranoid, doesn't mean that they are not out to get you... -----Original Message----- From: Pablo Solé [mailto:pablo_sole () myp net ar] Sent: Wednesday, June 04, 2003 2:19 PM To: full-disclosure () lists netsys com Cc: IRCXpro Support Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords
Many programs need a private key for encryption. Possession of this
key is usually part if not all of the decision for authentication.
The only relatively safe way of maintaining this key on disk is to
encrypt it and require a decryption password from the user when starting the process.
Unfortunately, system admins have a beef with servers that restart
and require an operator to input a password to get the >services up, especially in production environments. An example of this is when you run a https server with a signed cert and non empty passphrase. You need to put the key everytime you restart the service. IMHO, a solution could be some kind of hard-key (EEPROM connected to the parallel port). pablo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords, (continued)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Васил Колев (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Shawn McMahon (Jun 04)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Mads Tansø (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Cushing, David (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Pablo Sol (Jun 04)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords tido (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)