Full Disclosure mailing list archives

RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

From: <tido () hushmail com>
Date: Wed, 4 Jun 2003 13:15:30 -0700


Unless i am missing something, the addition of a "hard-key" would not
be any better than a stored password.

If you authorize the machine, or a piece of hardware plugged into the
machine does not make a difference.

What keeps another process/user/root/admin from requesting the
password/authorization from the hard-key?
(possibly a password that has to be entered by an admin?
 and the cycle continues)

odiT

Just because you're paranoid, doesn't mean that they are not out to get
you...


-----Original Message-----
From: Pablo Solé [mailto:pablo_sole () myp net ar]
Sent: Wednesday, June 04, 2003 2:19 PM
To: full-disclosure () lists netsys com
Cc: IRCXpro Support
Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default
remote admin passwords

Many programs need a private key for encryption.  Possession of this

key is usually part if not all of the decision for authentication.


The only relatively safe way of maintaining this key on disk is to

encrypt it and require a decryption password from the user when starting
the process.


Unfortunately, system admins have a beef with servers that restart

and require an operator to input a password to get the >services up,
especially in production environments.  

An example of this is when you run a https server with a signed cert
and non empty passphrase. You need to put the key everytime you restart
the service.

IMHO, a solution could be some kind of hard-key (EEPROM connected to
the parallel port).

pablo.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords, (continued)
- - - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
    - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
    - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Васил Колев (Jun 03)
    - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Shawn McMahon (Jun 04)
  - RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Mads Tansø (Jun 03)
    - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
  - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Cushing, David (Jun 04)
  - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 04)
  - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Pablo Sol� (Jun 04)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords tido (Jun 04)
  - Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)