Password Changer

OS / Drivers / BIOS
Post Reply
davd_bob
Confused
Posts: 1043
Joined: Fri Feb 13, 2004 2:30 am
Location: Houston, TX

Password Changer

Post by davd_bob »

I click on the adds on BP6.com. This one was there today and got my intrest. Kinda makes ya wonder if ANY network security has any security.
What do ya'all think of this product?

http://www.password-changer.com/ad-google.htm
There are *almost* no bad BP6s. There are mostly bad caps.

No BP6s remaining
Athlon 2800
Sempron 2000
ViaCPU laptop with Vista.(Works great after bumping ram to 2Gig)
P-III 850@100
Atropos
Posts: 27
Joined: Mon Feb 14, 2005 7:14 am
Location: Karlsruhe, Germany

Cheaper way ...

Post by Atropos »

hi there,

it's well known that NT (2000/XP) passwords can be reset
if one has "hardware" access to your box.
All one needs is a boot floppy (or CD) from
[link]http://home.eunet.no/~pnordahl/ntpasswd/[/link]
and a bios allowing to boot from either one.

So if you want to set up a box that is "secure" disable boot from anything
but HDD. Protect bios settings with password and make sure no one can
access the box to remove bios battery.

I had the problem in office when one of our employees hacked the
Admin account to install JRE just to use LimeWire in office. (Well, fast
internet commections make people think about bad things ;-) )
Now he's an ex-employee.

Bye,
Atropos
Specs:
BP6 dual Celeron 433 MHz
Viper V330 graphics
256 MB
3 SCSI2 HDD (1GB, 2GB, 4GB)
W2K / SuSE 9.0 / Zeta RC4 Neo
Note: No scissors any more ;-)
phaedrus
Posts: 75
Joined: Tue Jul 20, 2004 11:27 pm
Location: Seattle, WA
Contact:

Re: Cheaper way ...

Post by phaedrus »

Atropos wrote:hi there,

it's well known that NT (2000/XP) passwords can be reset
if one has "hardware" access to your box.
All one needs is a boot floppy (or CD) from
[link]http://home.eunet.no/~pnordahl/ntpasswd/[/link]
and a bios allowing to boot from either one.
It is possible to do this to a Linux box too. A bootable CD or floppy is the easiest way. Just make sure you have a text editor on there, and you can delete any password in /etc/shadow at will. You can even create a dummy root account called something like r00t with an empty password if you want (you'd do this in /etc/passwd).

You can also do it without the boot disk, but you have to be a little more 1337. From LILO, add "init=/bin/bash" as an option after the image name. Instead of running /sbin/init the kernel will run /bin/bash. Absolutely nothing will be running, so you'll need to mount drives manually (and umount them manually before you reboot). It's more than a little dangerous (and I've left out a couple important details here ;)).

The solution is to lock your case, password protect your BIOS as well as LILO. I would assume grub has a similar gotcha.
Atropos wrote:So if you want to set up a box that is "secure" disable boot from anything
but HDD. Protect bios settings with password and make sure no one can
access the box to remove bios battery.
The other question to ask is, "who am I trying to defend against?" If you're worried about errant employees who have private access to the hardware and console, well, this may be necessary. I've just got my girlfriend to worry about and the h4x0rz on the net. I run with the side of my case off and nothing passworded until the login prompt. I figure it's handy to leave that hole wide open for the cold day in hell when I forget my root password (it hasn't happened in the last 6 years...).

A home computer probably shouldn't need to be secured like an NSA server (I'm just worried about my kids someday... I've sworn off technological solutions to parenting problems to avoid an arms race, hopefully it works).

Jeff
"If it ain't broke, mod it till it is"
They said... and now my BP6 needs new processors... D'oh
Slackware Linux v10.1
Image
Atropos
Posts: 27
Joined: Mon Feb 14, 2005 7:14 am
Location: Karlsruhe, Germany

Absolutely right

Post by Atropos »

the boxes at home usually need no bios password and locked cases.
A home computer probably shouldn't need to be secured like an NSA server (I'm just worried about my kids someday... I've sworn off technological solutions to parenting problems to avoid an arms race, hopefully it works).
I guess you're right at this point. Technical solutions cannot be a substitute
for talking to the kids about "go" and "no-go" while "playing" with the box
and the net. (Guess it's the same for television.... :-? )

Atropos
Specs:
BP6 dual Celeron 433 MHz
Viper V330 graphics
256 MB
3 SCSI2 HDD (1GB, 2GB, 4GB)
W2K / SuSE 9.0 / Zeta RC4 Neo
Note: No scissors any more ;-)
phaedrus
Posts: 75
Joined: Tue Jul 20, 2004 11:27 pm
Location: Seattle, WA
Contact:

Re: Absolutely right

Post by phaedrus »

Atropos wrote:the boxes at home usually need no bios password and locked cases.

I guess you're right at this point. Technical solutions cannot be a substitute
for talking to the kids about "go" and "no-go" while "playing" with the box
and the net. (Guess it's the same for television.... :-? )
I don't have kids yet, but both my girlfriend and I are computer saavy and as such, we know what trouble they could get into. I also know that if my (future) kids are anything like me, they'll find a way to break through any security shield I put in place. I was following bugtrack and figuring out how to write buffer overflow exploits when I was in high school. I'd rather have a diplomatic solution than a long term war on my hands.

As best as I can tell, technology won't ever match good parenting. We'll see what happens in 10 years when I've got kids old enough to cause trouble on the computer[s].

Jeff
"If it ain't broke, mod it till it is"
They said... and now my BP6 needs new processors... D'oh
Slackware Linux v10.1
Image
Post Reply