Schneier on Security
A blog covering security and security technology.
« Booby-trapping a PDF File |
| Two Security Cartoons »
April 23, 2010
The Doghouse: Lock My PC
Lock My PC 4 has a master password.
EDITED TO ADD (4:26): In comments, people are reporting that the master password doesn't work. Near as I can tell, those are all recent downloads. So either they took out the feature, or changed the password.
Posted on April 23, 2010 at 7:43 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Has anyone tried this yet? Does it really work?
If so, hahahahahahahaha.
never heard it called that before. So as long as someone doesn't have anything like a sophisticated CDTray opener, like a straightened paper clip, a bootable linux distro, like backtrack, and sufficient time, like 5 minutes.
This would be a very effective access control as long as there wasn't any backdoors engineered in for support purposes.
unless it encrypts the drive I'm still getting your data if I have physical access.
who wants to bet that is the developers birthday?
Just tried it on the free trial, and it didn't work. Maybe that's one of the features you get when you register? ;)
What I did find, though, was that on installation it asks for a password and a password hint. It didn't complain when I entered my password as the password hint.
That's amazing! I've got the same combination on my luggage.
RE:unless it encrypts the drive I'm still getting your data if I have physical access.
Not necessary IF your computer has full disk encryption. All you need then is for it to lock your OS so that you cannot do anything without turning off the PC. Once the PC is off, FDE 'forgets' the key (stored on the pcba in memory). Once the HDD is powered down, the data is secure, (key stored encrypted with password, so you can either guess the password or brute-force the key I guess).
No encryption. That's a separate product.
Not only does the software *have* a master password, but their support department are happy to give it out to anyone who asks.
According the the web site, the company is Russian.
I can't find whether it tries to do anything against USB devices. If it doesn't, there's little point to locking the CD tray. You could just have a program auto-start from a USB drive and kill the program.
I wonder if there's any demand for a product named "Brick My PC"...?
Without the text of the original message, we can't know if that is a global password that works on every install of the tool, or hardware keyed password. While having a hardware keyed password that can be created by the company leaves one with pretty much worthless "security" I can see how a lot of people would think this is a good thing.
Bob, yes there is. Just check McAfee's sales figures :-)
They should run a spell checker on the web site.
There is. Search for "Darik's Boot And Nuke".
Anyone want to take a bet that the birthdate of one of those engineers is June 19, 1974?
"Bob, yes there is. Just check McAfee's sales figures :-)"
Our Mac OSX users are having a ball with McAfee's snafu. The running joke is that McAfee was not wrong; that Windows is in fact a virus.
DBAN is a great product. Nice and quick and effective and easy to use too. We use a copy on every old PC we're asked to dispose of.
Before you jump to conclusions, there is no proof that is is the same password for everyone. It might be based on something unique to the account, like - say - the birth date of the account owner.
Go to http://seclists.org/fulldisclosure/2010/Apr/90 and look at the next message by Juha-Matti on the same thread.
BF Skinner: I agree. Once you have physical access to the machine, game over. Even some of the more paranoid OSs (Debian with SELinux extensions, and Open Solaris from my personal experience) are vulnerable.
Mark J: I have long been fond of saying that Windows is a virus with mouse support. It seems like McAfee finally confirmed it.
Too funny. A master password that looks to be someone's birth date.
@Daemous - But you have to guess the date!! Thank God for Facebook. :-)
The followup on that post points out that it looks like a date. Find someone in that company with that birth date, and you know who to fire.
As I've never used it, it may be the person who registered it who belongs to that birth date. Perhaps its coded per machine?
Someone should try this...
Assuming it is a birth day (and not just an improbable coincidence), does the format give away the nationality of the programmer?
For instance in the UK we tend to do DDMMYYYY
In the US it's not unknown to do MMDDYYYY.
If you dig around in the standard Country Code information (currency symbol date format thousands separator etc) how many countries match the format...
It's often quite surprising how much info we leak about ourselves (Z's & S's, "that, that/which/what/whot is", "init" etc., etc.).
Mind you just looking at the first few sentences on their web site gives away almost as much...
Clive: I work for a company in Finland. The official business language is US English, but we generally use the YYYYMMDD format for dates because it's harder to misinterpret. Few, if any, locales use YYYYDDMM.
"It's often quite surprising how much info we leak about ourselves"
Speaking of which, I've noticed certain characteristic patterns in your posts that give you away long before I get to the "posted by" line. Also, the fact that your posts tend to take up half a page makes them easy to spot. ;)
@vt: I'm an American, and I always use YYYYMMDD when I'm coding. Why? It's consistently big-endian. It sorts. I also write YYYY-MM-DD whenever I write a date by hand. That's mostly just to annoy my wife. :-)
If I'm just writing month and day I'll usually do something like 24-Apr. I can't imagine anyone ever using YYYYDDMM, though.
Guys, gals, things of unknown and undecided gender....
YT's handle here is YT, not VT! Conside actually copying and pasting the name if you have trouble with seeing the tail on the y due to underlining.
The master password may be date/time based. I used to prevent casual closing of applications which were meant to always run by requiring such a password. It was constructed from day, month, year, hour, nearest 5 minutes and then scrambled.
Quite a nitpicker, are we?
19740619 doesnt work on the trial version, and doesnt work on the registered version as well. Either he has removed the masterkey, or the quoted message was out of context?
My favorite product that this same company has is their encryption program, FlashCrypt.
Here is a quote from their site: "Password recovery option: As security experts in files and folders protection, we are constantly receiving customer requests to recover lost or forgotten passwords. FlashCrypt has a special option that lets you save the encrypted password along with the protected data. FlashCrypt uses asymmetric cryptography (RSA algorithm) to encrypt your password, which guarantees that nobody but us (FSPro Labs FlashCrypt team) will be able to recover the password."
I can sleep soundly at night knowing that nobody but the FSPro Labs FlashCrypt team can access my data if I lose my password.
Well, according to the web site it's "Booletproof" and "settings are groupped by cathegoriies."
Who wouldn't want this?
This reminds me of some friends who likewise keep the front door locked all the time, but leave the back door unlocked... at least most of the time.
@ yt on Clive's "leakage"
Yeah, I think everyone knows it's Clive before he signs the post. There often exists behavior patterns in people's posts, but they can be eliminated enough to make tracing hard. I have a technique for that which I'm thinking about publishing, but it's easier to do than put into words. It takes two people though: one working at the concept level and one working at the word level. The person at the word level communicates the concepts in their own ways, including different focus on key points. The messages are less effective with regard to content focus, but they leave little from the original person. There's more too it but that's the gist of it and I'm sure Clive could pull it off if he *really* wanted to. Then, he'd forget to use a proxy. It's always the little things. ;)
@ Nick P,
"Yeah, I think everyone knows it's Clive before he signs the post"
An authentication system that works 8)
"Then, he'd forget to use a proxy"
First step, use a mobile phone browser with one or two tiny mods (to get rid of browser ID string and IMEI etc) and you are half way there (for those outside of mobile operator) due to the fact the operators so heavily overload IP addresses (often more than 300 mobile phones to a single IP address...).
But hey I'm not trying to hide from ordinary folks, just those who think I need "improvement" or "medication" ;)
Which reminds me I need to sort out a new e-mail address when I get a new "mobile" (my old Motorola Side Kick is no longer being supported by T-Mobile in the UK). The trouble is what I want (slide out keyboard not touch screen, and proper use of USB both to download/upload files whilst mobile and to use the phone as a dongle to a laptop etc) appears not to be on offer in the UK 8(
Then I'll answer yt's and your questions.
@Clive - need "improvement" or "medication"
Pretty wide class defined there. Throw in psychosurgery
@Clive - I love my HTC Dream, which was the first Android phone here in the USA (sold as a "T-Mobile G1 with Google"). Real keyboard!
Well is there a master password or not ??
The question is posed and yet the answer as always never gets covered,just more long winded side questions.
Please try engineering password:
for ver 4.0 all editions
with mu best regards to all
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.