Do we need cyber-locksmiths?
Aug 25
By Daniel "Captain Command Line" Turner. (more at http://dannyturner.dyndns.org/ )
Everything today is computerized: your communications, your finances, many people's enjoyment, travel, even friendships! And all of it is password-protected. Imagine having to recite a secret code just to talk to a friend; it sounds stupid, but millions of people do it every day with MySpace, instant messaging and VoIP. But what about the thing that hides below, the thing that no one talks about: the OS. Mac, Windows, Linux and BSD all now have the capability to require a password to log in. Linux, Mac and BSD are the worst here: password this, password that. Root to install this, root to tweak that, root to fix something. What happens when end users use this password capability? Windows has it covered, with the "Forgot Password" button that shows a preset hint. But what of Linux, Mac and BSD? Is their security too strong? Say I give an Ubuntu or PC-BSD desktop to a family, give them all a username and a password, but not root privileges. I whisper the root password in old Dad's ear, tell him it's special, to change it, to remember it well.

Fast forward two weeks, or a month, or whatever, and little Johnny wants to install program xyz for his homework (especially easy on PC-BSD), but keeps getting the dialogue box "Please input root password". What's he to do? He's confused. He goes and asks dear ol' Dad, who by now, having had no need for the root password, has completely forgotten it; he didn't even change it. Oh dear, they're locked out of their own PC.
They've effectively lost the keys to their virtual home. Who do they call? Where's a locksmith when you need one? Get a LiveCD, you say; change the GRUB kernel arguments, you say; use John the Ripper, you cry? Sure, this non-techie family is going to know exactly what to do: where to get a LiveCD, how to find the shadowed password, what program to put it in, how long to wait, what to look for. Yes, they're going to know all of this. Sure. To them, this magic black box that holds all that is dear to them is refusing to play nice.

So, pick up the phone they do, phone up the computer support guy and ask "What's the root password, and why do I need it?" Many computer support operations are Windows-only (not the one in my home town, but many that I know of). So they get the answer back: "The what password?" Oh dear, now they're in deep doo-doo. They take it to PC World, which, last time I checked in Britain, is a Windows-only operation. So what do they see? They see PC-BSD or Ubuntu boot. They see a different login window. They have no idea what "root" is, or why it's asking for his password. If you're lucky, a Linux or BSD 'nerd' might work there and immediately know what to do: pulling a LiveCD from his kit, loading BackTrack, going straight for /etc/passwd and then the shadow file, if there is one, pulling out a seemingly random string of characters and loading it into John the Ripper. Sure, that might happen, but it might not. So you're back to square one: a 'broken' but somehow functional PC.
Who do you call when you're locked out of your virtual house? Grab the yellow pages and look under "Cyber Locksmiths"? No, there's no one, unless you are lucky when you walk through the door of PC World, your home-grown computer support shop round the corner, or you have an extremely techie friend. Failing this, you are done for.
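The lockout described above has a mundane mitigation on the systems the post names: if the household's adult is in a group that sudo trusts (wheel, or sudo on Ubuntu, where the installer already puts the first user in such a group), then `sudo passwd root` resets the forgotten root password using his own login password, and no LiveCD or John the Ripper is needed. The POSIX shell check below is an added example, not code from the original post; it parses a constructed /etc/group and sudoers sample (the users "dad" and "johnny" and the group entries are made up for illustration) and reports which users have a recovery path. On a real machine you would read /etc/group and /etc/sudoers (and /etc/sudoers.d/*) instead of the embedded samples.

```shell
#!/bin/sh
# Added example (not part of the original post): before handing a Linux/BSD box
# to a non-technical household, confirm that at least one ordinary user can
# reset the root password through sudo, so a forgotten root password is not a
# lockout. The group and sudoers data below are CONSTRUCTED samples.

SAMPLE_GROUP='root:x:0:
wheel:x:10:dad
sudo:x:27:
users:x:100:dad,johnny'

SAMPLE_SUDOERS='# constructed sudoers sample
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
johnny  ALL=(ALL) NOPASSWD: /usr/bin/apt-get'

# groups_of USER: print the supplementary groups USER belongs to, one per line,
# by scanning the member list (4th field) of each group entry.
groups_of() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# can_reset_root USER: print "yes" if USER, or a %group USER is in, has an
# unrestricted "ALL" command spec in the sudoers sample (enough to run
# "sudo passwd root"), otherwise "no". A spec restricted to a single program,
# such as johnny's apt-get entry, does not count.
can_reset_root() {
    user="$1"
    # Build "user,%group1,%group2" so awk can look up every principal at once.
    principals="$user$(groups_of "$user" | sed 's/^/,%/' | tr -d '\n')"
    printf '%s\n' "$SAMPLE_SUDOERS" | awk -v plist="$principals" '
        BEGIN { n = split(plist, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^#/ || NF < 2 { next }               # skip comments and blank lines
        ($1 in want) && $NF == "ALL" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Report for the constructed household: dad can recover, johnny cannot.
for u in dad johnny; do
    printf '%s can reset root via sudo: %s\n' "$u" "$(can_reset_root "$u")"
done
```

Parsing sudoers by hand only covers the simple entry shapes shown in the sample (aliases, host lists and include files are ignored); on a live system the authoritative answer comes from `sudo -l -U dad` run as root, and the parsing above is just a way to show what that check is looking for.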
Where is the button?
So where's the reset password button, I ask? When is the password hint going to make it into Linux and BSD, or is it just too stupid to question the security of the OS just so the user can actually use the OS? So far, this has been fine (well, almost) for Microsoft. Microsoft have been too busy putting out patches for XP to even get an OS out in five years, whereas Linux and BSD have grown by leaps and bounds, grabbing market share in government and school computers. Even in the developing world, Linux is taking hold. Linux has had a hold for years in the hobbyist, enthusiast market, since it was born as a terminal emulator that ran off a floppy so that Linus Torvalds could use his university account and learn the 386 instruction set. By its very nature, it's heavily technical.

So, I call unto the gods of the computer world (Jobs, Torvalds and Gates): create Cyber-Locksmiths!