So, I was watching a TV show the other day where it was one of those things where the good guy tries to break into the bad guy's computer and, because of his great investigative skills, guesses that the password is a word from a book by the bad guy's favorite author. But, first, the good guy tried a couple of other obvious guesses -- the name of the bad guy's boat, etc.
My wife turned to me and said, "If I were the bad guy, I'd just have the computer delete everything if someone entered the boat name, or at least send me a text. The boat was an obvious guess, and I would never accidentally type it in."
My answer was "That makes sense, but I have no clue about how to do it."
Now I can't get the idea out of my head. Worse, I've realized that I don't know, at a process level, what happens when one types in a password. Yes, I know about /etc/password and /etc/shadow files, and I know about encryption. But I don't know step by step in terms of what processes do what when a password is entered.
So:
1) What happens at a process level when one hits return after typing in a password? Is everything handled by the kernel? Where is this described?
2) Is it possible to script different responses to different (incorrect) passwords?
Thanks,
billo
On 09/02/2013 09:12 PM, Bill Oliver wrote:
- What happens at a process level when one hits return after typing in a password? Is everything handled by the kernel? Where is this described?
Only the hash of the password is stored in '/etc/shadow', and the hash algorithms are one-way functions. So you cannot 'decrypt' the hash to get the original password. When the password is entered at the login terminal, by default the 'pam_unix.so' PAM module is called, which hashes the given password using the same hash algorithm used for the stored password, and compares the resultant hash with the stored hash. If it matches, the user is authenticated. Since hash values would be the same for a given string across all systems when the same hash function is used, a salted hash is used by default for passwords, to make it not too obvious.
- Is it possible to script different responses to different (incorrect) passwords?
Theoretically, you could have this done by using a PAM module designed for this, to be run before the 'pam_unix.so' module, in '/etc/pam.d/login' for terminal login, or for wider use, in '/etc/pam.d/system-auth'.
On 09/02/2013 04:42 PM, Bill Oliver wrote:
My wife turned to me and said, "If I were the bad guy, I'd just have the computer delete everything if someone entered the boat name, or at least send me a text. The boat was an obvious guess, and I would never accidentally type it in."
This is pretty close to the concept of a duress code or panic password - a special signal that you only give when under duress to covertly indicate that fact:
http://en.wikipedia.org/wiki/Duress_code
There's a problem with this idea though: anyone who knows or suspects that you are using such a booby trap and has access to the system just has to guess the right term and they can hose your data.
My answer was "That makes sense, but I have no clue about how to do it."
PAM (pluggable authentication modules for Linux) is generally how you slip some new check into the existing login (or other) auth process:
For example, there are PAM modules for LDAP directories and fingerprint scanners.
Someone created a pam_confused module a few years back that will check passwords against a duress list and execute some pre-configured script when one is entered. It's not been updated lately but it shows roughly how you might do it:
https://confused.googlecode.com/svn/trunk/pam_confused/readme.txt
- What happens at a process level when one hits return after typing in a password? Is everything handled by the kernel? Where is this described?
Check out the PAM faq and other documentation.
Regards, Bryn.
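Added example, not code from either reply and not pam_unix or pam_confused: a small Python model of the flow both replies describe, with the salted-hash check that pam_unix performs and a duress-check module stacked ahead of it that only raises an alert. PBKDF2-SHA512 and the `$model$...` record format are stand-ins for crypt(3) and the /etc/shadow layout; the decoy word "SeaBreeze" is constructed.

```python
import hashlib
import hmac
import logging
import os

# Constructed model of the PAM auth stack: PBKDF2-SHA512 stands in for the
# crypt(3) hash pam_unix uses, and "$model$<salt>$<hash>" is our own record
# format, not the real /etc/shadow layout.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


def hash_password(password: str, salt: bytes) -> str:
    """Salted one-way hash; the same password with a different salt gives a different record."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)
    return f"$model${salt.hex()}${digest.hex()}"


def make_record(password: str) -> str:
    """What gets stored: a fresh random salt plus the hash, never the password itself."""
    return hash_password(password, os.urandom(16))


def pam_unix_like(record: str, candidate: str) -> str:
    """Like pam_unix: re-hash the typed password with the stored salt and compare hashes."""
    _, _, salt_hex, _ = record.split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    # constant-time comparison so timing does not leak how much of the hash matched
    return PAM_SUCCESS if hmac.compare_digest(recomputed, record) else PAM_AUTH_ERR


def pam_duress_like(duress_records: list, candidate: str, alert) -> str:
    """Stacked before pam_unix: decoy words are stored as salted hashes too, so the
    config does not reveal them. On a match, raise an alert (syslog, text message, ...)
    and return PAM_IGNORE so this module never decides the login outcome by itself."""
    for record in duress_records:
        if pam_unix_like(record, candidate) == PAM_SUCCESS:
            alert("decoy password entered at login")
    return PAM_IGNORE


def auth_stack(real_record: str, duress_records: list, candidate: str, alert=logging.warning) -> str:
    """Run the modules in /etc/pam.d order: 'auth optional' duress check, then 'auth required' unix."""
    pam_duress_like(duress_records, candidate, alert)
    return pam_unix_like(real_record, candidate)


if __name__ == "__main__":
    real = make_record("correct horse battery")   # the owner's real password (constructed)
    decoys = [make_record("SeaBreeze")]            # constructed decoy: the boat's name
    for attempt in ("SeaBreeze", "correct horse battery"):
        print(attempt, "->", auth_stack(real, decoys, attempt))
```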
On Mon, Sep 2, 2013 at 4:42 PM, Bill Oliver vendor@billoblog.com wrote:
My wife turned to me and said, "If I were the bad guy, I'd just have the computer delete everything if someone entered the boat name, or at least send me a text. The boat was an obvious guess, and I would never accidentally type it in."
My answer was "That makes sense, but I have no clue about how to do it."
So you want the bad guy to be able to delete all your files by typing in the name of your boat?
poc
On Mon, 2013-09-02 at 15:42 +0000, Bill Oliver wrote:
My wife turned to me and said, "If I were the bad guy, I'd just have the computer delete everything if someone entered the boat name, or at least send me a text.
In the normal run of things, I think someone breaking into your place is just going to steal your computer to sell it. So, whatever you did would need to mangle your data when the next person simply tries to use it. So, a few wrong password entries would be a reasonable trigger, making sure that you have enough attempts to retype your own password when you type it wrong. If you want to outsmart the morons, sticky-tape a false password to the box and use it as your destruct code, because it's a fair bet that they'll try it. A friend of mine does a similar thing with his ATM card: it's got three false PINs written on it; a dumb thief will probably try them all, and the bank will automatically block the card.
Someone who's determined to crack your computer is probably just going to unplug your hard drive and read it on their own computer, where none of your programs will be run. Drive encryption is the only thing that's going to protect your privacy here.
Now, if I knew you were a sensible and organised computer user, I'd probably just steal or copy your backup discs. Much easier than prising your hard drive out of the box. Again, encryption would be your only protection of your privacy. But, also, your backup restoration software needs to handle the encryption, or your backups are useless to you.
On 3 September 2013 12:45, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Mon, Sep 2, 2013 at 4:42 PM, Bill Oliver vendor@billoblog.com wrote:
My wife turned to me and said, "If I were the bad guy, I'd just have the computer delete everything if someone entered the boat name, or at least send me a text. The boat was an obvious guess, and I would never accidentally type it in."
My answer was "That makes sense, but I have no clue about how to do it."
So you want the bad guy to be able to delete all your files by typing in the name of your boat?
The final question in security decisions is often, "would I rather this copy of the data was destroyed than exposed?"