Schneier on Security

A blog covering security and security technology.

« Booby-trapping a PDF File | Main | Two Security Cartoons »

April 23, 2010

The Doghouse: Lock My PC

EDITED TO ADD (4:26): In comments, people are reporting that the master password doesn't work. Near as I can tell, those are all recent downloads. So either they took out the feature, or changed the password.

Posted on April 23, 2010 at 7:43 AM • 41 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

GreenSquirrel • April 23, 2010 8:08 AM

Has anyone tried this yet? Does it really work?

If so, hahahahahahahaha.

BF Skinner • April 23, 2010 8:15 AM

"engineering password"

never heard it called that before. So as long as someone doesn't have anything like a sophisticated CDTray opener, like a straightened paper clip, a bootable linux distro, like backtrack, and sufficient time, like 5 minutes.

This would be a very effective access control as long as there wasn't any backdoors engineered in for support purposes.

snxuev • April 23, 2010 8:19 AM

naah..found it..

Jim • April 23, 2010 8:31 AM

unless it encrypts the drive I'm still getting your data if I have physical access.

foo • April 23, 2010 8:44 AM

who wants to bet that is the developers birthday?

Russ • April 23, 2010 9:01 AM

Just tried it on the free trial, and it didn't work. Maybe that's one of the features you get when you register? ;)

What I did find, though, was that on installation it asks for a password and a password hint. It didn't complain when I entered my password as the password hint.

Jason Falchek • April 23, 2010 9:10 AM

That's amazing! I've got the same combination on my luggage.

Hard drive worker • April 23, 2010 9:12 AM

RE:unless it encrypts the drive I'm still getting your data if I have physical access.

Not necessary IF your computer has full disk encryption. All you need then is for it to lock your OS so that you cannot do anything without turning off the PC. Once the PC is off, FDE 'forgets' the key (stored on the pcba in memory). Once the HDD is powered down, the data is secure, (key stored encrypted with password, so you can either guess the password or brute-force the key I guess).

Olaf • April 23, 2010 9:41 AM

No encryption. That's a separate product.

Dave • April 23, 2010 9:47 AM

Not only does the software *have* a master password, but their support department are happy to give it out to anyone who asks.

Hugh No • April 23, 2010 9:57 AM

According the the web site, the company is Russian.

A Nonny Bunny • April 23, 2010 9:58 AM

I can't find whether it tries to do anything against USB devices. If it doesn't, there's little point to locking the CD tray. You could just have a program auto-start from a USB drive and kill the program.

Bob • April 23, 2010 10:00 AM

I wonder if there's any demand for a product named "Brick My PC"...?

Randy • April 23, 2010 10:31 AM

Without the text of the original message, we can't know if that is a global password that works on every install of the tool, or hardware keyed password. While having a hardware keyed password that can be created by the company leaves one with pretty much worthless "security" I can see how a lot of people would think this is a good thing.

Daniel Franke • April 23, 2010 10:33 AM

Bob, yes there is. Just check McAfee's sales figures :-)

ted • April 23, 2010 10:46 AM

They should run a spell checker on the web site.

Jakob • April 23, 2010 10:55 AM

@Bob
There is. Search for "Darik's Boot And Nuke".

dmc • April 23, 2010 10:56 AM

Anyone want to take a bet that the birthdate of one of those engineers is June 19, 1974?

Mark J. • April 23, 2010 11:12 AM

"Bob, yes there is. Just check McAfee's sales figures :-)"

Rich. :-)

Our Mac OSX users are having a ball with McAfee's snafu. The running joke is that McAfee was not wrong; that Windows is in fact a virus.

Michael T. Babcock • April 23, 2010 11:29 AM

DBAN is a great product. Nice and quick and effective and easy to use too. We use a copy on every old PC we're asked to dispose of.

Grymoire • April 23, 2010 11:35 AM

Before you jump to conclusions, there is no proof that is is the same password for everyone. It might be based on something unique to the account, like - say - the birth date of the account owner.

Go to http://seclists.org/fulldisclosure/2010/Apr/90 and look at the next message by Juha-Matti on the same thread.

yt • April 23, 2010 11:41 AM

BF Skinner: I agree. Once you have physical access to the machine, game over. Even some of the more paranoid OSs (Debian with SELinux extensions, and Open Solaris from my personal experience) are vulnerable.

Mark J: I have long been fond of saying that Windows is a virus with mouse support. It seems like McAfee finally confirmed it.

Daemous • April 23, 2010 11:57 AM

Too funny. A master password that looks to be someone's birth date.

Grymoire • April 23, 2010 12:33 PM

@Daemous - But you have to guess the date!! Thank God for Facebook. :-)

Brian • April 23, 2010 4:50 PM

The followup on that post points out that it looks like a date. Find someone in that company with that birth date, and you know who to fire.

As I've never used it, it may be the person who registered it who belongs to that birth date. Perhaps its coded per machine?

Someone should try this...

Clive Robinson • April 23, 2010 11:52 PM

Assuming it is a birth day (and not just an improbable coincidence), does the format give away the nationality of the programmer?

For instance in the UK we tend to do DDMMYYYY
In the US it's not unknown to do MMDDYYYY.

If you dig around in the standard Country Code information (currency symbol date format thousands separator etc) how many countries match the format...

It's often quite surprising how much info we leak about ourselves (Z's & S's, "that, that/which/what/whot is", "init" etc., etc.).

Mind you just looking at the first few sentences on their web site gives away almost as much...

yt • April 24, 2010 8:38 AM

Clive: I work for a company in Finland. The official business language is US English, but we generally use the YYYYMMDD format for dates because it's harder to misinterpret. Few, if any, locales use YYYYDDMM.

"It's often quite surprising how much info we leak about ourselves"

Speaking of which, I've noticed certain characteristic patterns in your posts that give you away long before I get to the "posted by" line. Also, the fact that your posts tend to take up half a page makes them easy to spot. ;)

Chelloveck • April 24, 2010 10:18 AM

@vt: I'm an American, and I always use YYYYMMDD when I'm coding. Why? It's consistently big-endian. It sorts. I also write YYYY-MM-DD whenever I write a date by hand. That's mostly just to annoy my wife. :-)

If I'm just writing month and day I'll usually do something like 24-Apr. I can't imagine anyone ever using YYYYDDMM, though.

Section9_Bateau • April 24, 2010 4:04 PM

Guys, gals, things of unknown and undecided gender....

YT's handle here is YT, not VT! Conside actually copying and pasting the name if you have trouble with seeing the tail on the y due to underlining.

Joan • April 25, 2010 3:01 AM

The master password may be date/time based. I used to prevent casual closing of applications which were meant to always run by requiring such a password. It was constructed from day, month, year, hour, nearest 5 minutes and then scrambled.

Section9 Aramaki • April 25, 2010 4:02 AM

@Section9
Quite a nitpicker, are we?

curious • April 25, 2010 9:14 PM

19740619 doesnt work on the trial version, and doesnt work on the registered version as well. Either he has removed the masterkey, or the quoted message was out of context?

travs90 • April 25, 2010 10:25 PM

My favorite product that this same company has is their encryption program, FlashCrypt.

Here is a quote from their site: "Password recovery option: As security experts in files and folders protection, we are constantly receiving customer requests to recover lost or forgotten passwords. FlashCrypt has a special option that lets you save the encrypted password along with the protected data. FlashCrypt uses asymmetric cryptography (RSA algorithm) to encrypt your password, which guarantees that nobody but us (FSPro Labs FlashCrypt team) will be able to recover the password."

I can sleep soundly at night knowing that nobody but the FSPro Labs FlashCrypt team can access my data if I lose my password.

Kristian • April 26, 2010 7:54 AM

Well, according to the web site it's "Booletproof" and "settings are groupped by cathegoriies."

Who wouldn't want this?

spaceman spiff • April 26, 2010 11:24 AM

This reminds me of some friends who likewise keep the front door locked all the time, but leave the back door unlocked... at least most of the time.

Nick P • April 27, 2010 12:53 AM

@ yt on Clive's "leakage"

Yeah, I think everyone knows it's Clive before he signs the post. There often exists behavior patterns in people's posts, but they can be eliminated enough to make tracing hard. I have a technique for that which I'm thinking about publishing, but it's easier to do than put into words. It takes two people though: one working at the concept level and one working at the word level. The person at the word level communicates the concepts in their own ways, including different focus on key points. The messages are less effective with regard to content focus, but they leave little from the original person. There's more too it but that's the gist of it and I'm sure Clive could pull it off if he *really* wanted to. Then, he'd forget to use a proxy. It's always the little things. ;)

Clive Robinson • April 27, 2010 6:08 AM

@ Nick P,

"Yeah, I think everyone knows it's Clive before he signs the post"

An authentication system that works 8)

"Then, he'd forget to use a proxy"

First step, use a mobile phone browser with one or two tiny mods (to get rid of browser ID string and IMEI etc) and you are half way there (for those outside of mobile operator) due to the fact the operators so heavily overload IP addresses (often more than 300 mobile phones to a single IP address...).

Then...

But hey I'm not trying to hide from ordinary folks, just those who think I need "improvement" or "medication" ;)

Which reminds me I need to sort out a new e-mail address when I get a new "mobile" (my old Motorola Side Kick is no longer being supported by T-Mobile in the UK). The trouble is what I want (slide out keyboard not touch screen, and proper use of USB both to download/upload files whilst mobile and to use the phone as a dongle to a laptop etc) appears not to be on offer in the UK 8(

Then I'll answer yt's and your questions.

BF Skinner • April 27, 2010 8:07 AM

@Clive - need "improvement" or "medication"

Pretty wide class defined there. Throw in psychosurgery

DaveC • April 28, 2010 12:28 AM

@Clive - I love my HTC Dream, which was the first Android phone here in the USA (sold as a "T-Mobile G1 with Google"). Real keyboard!

DennisG • June 18, 2010 11:21 AM

Well is there a master password or not ??
The question is posed and yet the answer as always never gets covered,just more long winded side questions.

AAAr • October 4, 2010 1:15 AM

Please try engineering password:
19740619
for ver 4.0 all editions
with mu best regards to all

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D