Schneier on Security
A blog covering security and security technology.

April 23, 2010

The Doghouse: Lock My PC

Lock My PC 4 has a master password.

EDITED TO ADD (4:26): In comments, people are reporting that the master password doesn't work. Near as I can tell, those are all recent downloads. So either they took out the feature, or changed the password.

Posted on April 23, 2010 at 7:43 AM • 41 Comments

Comments

Has anyone tried this yet? Does it really work? If so, hahahahahahahaha.
Posted by: GreenSquirrel at April 23, 2010 8:08 AM

"Engineering password" - never heard it called that before. So as long as someone doesn't have anything like a sophisticated CD tray opener, like a straightened paper clip, a bootable Linux distro, like BackTrack, and sufficient time, like 5 minutes, this would be a very effective access control, as long as there weren't any backdoors engineered in for support purposes.
Posted by: BF Skinner at April 23, 2010 8:15 AM

Unless it encrypts the drive, I'm still getting your data if I have physical access.
Posted by: Jim at April 23, 2010 8:31 AM

Just tried it on the free trial, and it didn't work. Maybe that's one of the features you get when you register? ;) What I did find, though, was that on installation it asks for a password and a password hint. It didn't complain when I entered my password as the password hint.
Posted by: Russ at April 23, 2010 9:01 AM

That's amazing! I've got the same combination on my luggage.
Posted by: Jason Falchek at April 23, 2010 9:10 AM

RE: "unless it encrypts the drive I'm still getting your data if I have physical access."
Not necessary IF your computer has full disk encryption. All you need then is for it to lock your OS so that you cannot do anything without turning off the PC. Once the PC is off, FDE 'forgets' the key (stored on the PCBA in memory). Once the HDD is powered down, the data is secure (key stored encrypted with password, so you can either guess the password or brute-force the key, I guess).
Posted by: Hard drive worker at April 23, 2010 9:12 AM

Not only does the software *have* a master password, but their support department is happy to give it out to anyone who asks.
Posted by: Dave at April 23, 2010 9:47 AM

I can't find whether it tries to do anything against USB devices. If it doesn't, there's little point in locking the CD tray. You could just have a program auto-start from a USB drive and kill the program.
Posted by: A Nonny Bunny at April 23, 2010 9:58 AM

I wonder if there's any demand for a product named "Brick My PC"...?
Posted by: Bob at April 23, 2010 10:00 AM

Without the text of the original message, we can't know if that is a global password that works on every install of the tool, or a hardware-keyed password. While having a hardware-keyed password that can be created by the company leaves one with pretty much worthless "security", I can see how a lot of people would think this is a good thing.
Posted by: Randy at April 23, 2010 10:31 AM

Bob, yes there is. Just check McAfee's sales figures :-)
Posted by: Daniel Franke at April 23, 2010 10:33 AM

Anyone want to take a bet that the birthdate of one of those engineers is June 19, 1974?
Posted by: dmc at April 23, 2010 10:56 AM

"Bob, yes there is. Just check McAfee's sales figures :-)"
Rich. :-) Our Mac OS X users are having a ball with McAfee's snafu. The running joke is that McAfee was not wrong; that Windows is in fact a virus.
Posted by: Mark J. at April 23, 2010 11:12 AM

DBAN is a great product. Nice and quick and effective and easy to use too. We use a copy on every old PC we're asked to dispose of.
Posted by: Michael T. Babcock at April 23, 2010 11:29 AM

Before you jump to conclusions, there is no proof that it is the same password for everyone. It might be based on something unique to the account, like - say - the birth date of the account owner. Go to http://seclists.org/fulldisclosure/2010/Apr/90 and look at the next message by Juha-Matti on the same thread.
Posted by: Grymoire at April 23, 2010 11:35 AM

BF Skinner: I agree. Once you have physical access to the machine, game over. Even some of the more paranoid OSs (Debian with SELinux extensions, and OpenSolaris from my personal experience) are vulnerable.
Posted by: yt at April 23, 2010 11:41 AM

Too funny. A master password that looks to be someone's birth date.
Posted by: Daemous at April 23, 2010 11:57 AM

@Daemous - But you have to guess the date!! Thank God for Facebook. :-)
Posted by: Grymoire at April 23, 2010 12:33 PM

The followup on that post points out that it looks like a date. Find someone in that company with that birth date, and you know who to fire. As I've never used it, it may be the person who registered it who belongs to that birth date. Perhaps it's coded per machine? Someone should try this...
Posted by: Brian at April 23, 2010 4:50 PM

Assuming it is a birthday (and not just an improbable coincidence), does the format give away the nationality of the programmer? For instance, in the UK we tend to do DDMMYYYY. If you dig around in the standard country code information (currency symbol, date format, thousands separator, etc.), how many countries match the format... It's often quite surprising how much info we leak about ourselves (Z's & S's, "that, that/which/what/whot is", "init" etc., etc.). Mind you, just looking at the first few sentences on their web site gives away almost as much...
Posted by: Clive Robinson at April 23, 2010 11:52 PM

Clive: I work for a company in Finland. The official business language is US English, but we generally use the YYYYMMDD format for dates because it's harder to misinterpret. Few, if any, locales use YYYYDDMM.
"It's often quite surprising how much info we leak about ourselves"
Speaking of which, I've noticed certain characteristic patterns in your posts that give you away long before I get to the "posted by" line. Also, the fact that your posts tend to take up half a page makes them easy to spot. ;)
Posted by: yt at April 24, 2010 8:38 AM

@vt: I'm an American, and I always use YYYYMMDD when I'm coding. Why? It's consistently big-endian. It sorts. I also write YYYY-MM-DD whenever I write a date by hand. That's mostly just to annoy my wife. :-) If I'm just writing month and day I'll usually do something like 24-Apr. I can't imagine anyone ever using YYYYDDMM, though.
Posted by: Chelloveck at April 24, 2010 10:18 AM

Guys, gals, things of unknown and undecided gender.... YT's handle here is YT, not VT! Consider actually copying and pasting the name if you have trouble with seeing the tail on the y due to underlining.
Posted by: Section9_Bateau at April 24, 2010 4:04 PM

The master password may be date/time based. I used to prevent casual closing of applications which were meant to always run by requiring such a password. It was constructed from day, month, year, hour, nearest 5 minutes and then scrambled.
Posted by: Joan at April 25, 2010 3:01 AM

19740619 doesn't work on the trial version, and doesn't work on the registered version either. Either he has removed the master key, or the quoted message was out of context?
Posted by: curious at April 25, 2010 9:14 PM

My favorite product that this same company has is their encryption program, FlashCrypt. Here is a quote from their site: "Password recovery option: As security experts in files and folders protection, we are constantly receiving customer requests to recover lost or forgotten passwords. FlashCrypt has a special option that lets you save the encrypted password along with the protected data. FlashCrypt uses asymmetric cryptography (RSA algorithm) to encrypt your password, which guarantees that nobody but us (FSPro Labs FlashCrypt team) will be able to recover the password."
I can sleep soundly at night knowing that nobody but the FSPro Labs FlashCrypt team can access my data if I lose my password.
Posted by: travs90 at April 25, 2010 10:25 PM

Well, according to the web site it's "Booletproof" and "settings are groupped by cathegoriies." Who wouldn't want this?
Posted by: Kristian at April 26, 2010 7:54 AM

This reminds me of some friends who likewise keep the front door locked all the time, but leave the back door unlocked... at least most of the time.
Posted by: spaceman spiff at April 26, 2010 11:24 AM

@ yt on Clive's "leakage"
Yeah, I think everyone knows it's Clive before he signs the post. There often exist behavior patterns in people's posts, but they can be eliminated enough to make tracing hard. I have a technique for that which I'm thinking about publishing, but it's easier to do than put into words. It takes two people though: one working at the concept level and one working at the word level. The person at the word level communicates the concepts in their own ways, including different focus on key points. The messages are less effective with regard to content focus, but they leave little from the original person. There's more to it, but that's the gist of it, and I'm sure Clive could pull it off if he *really* wanted to. Then, he'd forget to use a proxy. It's always the little things. ;)
Posted by: Nick P at April 27, 2010 12:53 AM

@ Nick P,
"Yeah, I think everyone knows it's Clive before he signs the post"
An authentication system that works 8)
"Then, he'd forget to use a proxy"
First step, use a mobile phone browser with one or two tiny mods (to get rid of browser ID string and IMEI etc.) and you are half way there (for those outside of the mobile operator) due to the fact the operators so heavily overload IP addresses (often more than 300 mobile phones to a single IP address...). Then... But hey, I'm not trying to hide from ordinary folks, just those who think I need "improvement" or "medication" ;)
Which reminds me, I need to sort out a new e-mail address when I get a new "mobile" (my old Motorola Sidekick is no longer being supported by T-Mobile in the UK). The trouble is what I want (slide-out keyboard not touch screen, and proper use of USB both to download/upload files whilst mobile and to use the phone as a dongle to a laptop etc.) appears not to be on offer in the UK 8(
Then I'll answer yt's and your questions.
Posted by: Clive Robinson at April 27, 2010 6:08 AM

@Clive - need "improvement" or "medication"
Pretty wide class defined there. Throw in psychosurgery.
Posted by: BF Skinner at April 27, 2010 8:07 AM

@Clive - I love my HTC Dream, which was the first Android phone here in the USA (sold as a "T-Mobile G1 with Google"). Real keyboard!
Posted by: DaveC at April 28, 2010 12:28 AM

Well, is there a master password or not??
Posted by: DennisG at June 18, 2010 11:21 AM

Please try engineering password:
Posted by: AAAr at October 4, 2010 1:15 AM
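Russ's comment above reports that the Lock My PC installer accepted the password itself as the password hint. The validator below is an added example, not Lock My PC's code and not something posted in this thread: it shows the checks an installer could run at that prompt so that a hint cannot simply restate the password. The function names, the similarity threshold and the sample pairs are all constructed for illustration.

```python
# Added example (not Lock My PC's code): reject password hints that give
# the password away, the check Russ's comment reports the installer lacks.
import re
from difflib import SequenceMatcher


def normalize(text: str) -> str:
    """Lower-case and keep only letters and digits, so that
    'Tr0ub4dor&3' and 'tr0ub4dor 3' compare as the same string."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def hint_problems(password: str, hint: str, max_similarity: float = 0.6) -> list:
    """Return the reasons a hint is unacceptable; an empty list means it passes.

    max_similarity is a constructed threshold: a hint whose normalized form
    matches the normalized password at or above this SequenceMatcher ratio
    is rejected even when it is not literally equal to it.
    """
    p, h = normalize(password), normalize(hint)
    if not h:
        return []  # an empty hint leaks nothing
    if h == p:
        return ["hint equals the password"]

    problems = []
    if p and p in h:
        problems.append("hint contains the password")
    elif len(h) >= 4 and h in p:
        problems.append("hint is a substring of the password")
    # Reversal defeats a plain similarity ratio, so it gets its own check.
    if h[::-1] == p:
        problems.append("hint is the password reversed")
    ratio = SequenceMatcher(None, p, h).ratio()
    if ratio >= max_similarity:
        problems.append(f"hint is too similar to the password (ratio {ratio:.2f})")
    return problems


def accept_hint(password: str, hint: str) -> bool:
    """Installer-side gate: True only when the hint passes every check."""
    return not hint_problems(password, hint)


if __name__ == "__main__":
    # Constructed sample pairs, modelled on Russ's test of typing the
    # password itself into the hint field.
    samples = [
        ("Tr0ub4dor&3", "Tr0ub4dor&3"),
        ("correcthorse", "my first pet's name"),
        ("Summer2010", "summer 2011"),
        ("Summer2010", "0102remmuS"),
    ]
    for pw, hint in samples:
        verdict = "accepted" if accept_hint(pw, hint) else "rejected"
        print(f"{hint!r:24} {verdict}: {hint_problems(pw, hint)}")
```

The normalization step matters as much as the comparisons: without it, a hint such as "tr0ub4dor 3" would pass an exact-match check while still handing over the password to anyone who reads the hint.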