POV-Ray : Newsgroups : povray.off-topic : Paraniod (Message 76 to 85 of 125)
From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:08:37
Message: <486fc6b5$1@news.povray.org>
On Fri, 04 Jul 2008 09:24:49 -0700, Darren New wrote:

> Jim Henderson wrote:
>> If the built-in encryption keys off the login password only (ie, the
>> login password just unlocks the encryption key), then as an admin, you
>> just have to change the user's password.
> 
> If you change the password without knowing the old password, you can't
> decrypt the private key that encrypts the shared secret.  So, basically,
> you lose access to the encrypted files.

That's good to know - I know this can be implemented a number of 
different ways, and not being a Windows user, I wasn't sure which method 
was used.

>>> Or just zip things up with a password.
>> 
>> That's a pain to use, though
> 
> Plus it's trivially easy to crack. Even long passwords hash down to 8
> characters or something. There are plenty of free programs that'll crack
> a zip archive in a matter of minutes or hours just with brute force.

True also.  I tried a few of those, though, on the zip file of my old 
source code (wouldn't you know, one of my coworkers needed to get at my 
code over the summer - this was in college - and when he couldn't figure 
out the password, he got pissed and nuked the program that had the 
mechanism for generating the password.  The only other copy of the code 
was *in the zip file*, of course, encrypted with the password in 
question).

Jim
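
An added sketch of the point in the exchange above (not part of the original posts, and not how Windows itself is coded): when the file key is wrapped under a key derived from the login password, a password change that knows the old password can re-wrap it, while an admin reset cannot. The `Account` class and the `derive`/`wrap`/`unwrap` helpers are hypothetical, the model has a single wrapping layer, and the XOR mask plus HMAC tag is a standard-library stand-in for a real key-wrap algorithm.

```python
import hashlib, hmac, secrets

ITER = 50_000  # assumption: example work factor, set much higher in practice

def derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: [0:32] masks the file key, [32:64] authenticates the blob
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=64)

def wrap(file_key: bytes, password: str) -> tuple:
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so the mask is never reused
    k = derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(file_key, k[:32]))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return salt, ct, tag

def unwrap(blob: tuple, password: str) -> bytes:
    salt, ct, tag = blob
    k = derive(password, salt)
    good = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        raise ValueError("password does not unwrap the file key")
    return bytes(a ^ b for a, b in zip(ct, k[:32]))

class Account:
    """Hypothetical account: a login verifier plus a password-wrapped file key."""
    def __init__(self, password: str):
        self._set_login(password)
        self.blob = wrap(secrets.token_bytes(32), password)

    def _set_login(self, password: str) -> None:
        self.login_salt = secrets.token_bytes(16)
        self.login_hash = derive(password, self.login_salt)

    def login_ok(self, password: str) -> bool:
        return hmac.compare_digest(derive(password, self.login_salt), self.login_hash)

    def change_password(self, old: str, new: str) -> None:
        # The user supplies the old password, so the file key can be re-wrapped.
        self.blob = wrap(unwrap(self.blob, old), new)
        self._set_login(new)

    def admin_reset(self, new: str) -> None:
        # The admin can replace the login verifier but has nothing to unwrap the blob with.
        self._set_login(new)

    def file_key(self, password: str) -> bytes:
        return unwrap(self.blob, password)
```

After `admin_reset`, the new password logs in but `file_key` raises `ValueError`; only the last password the user set themselves still unwraps the key.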



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:10:04
Message: <486fc70c$1@news.povray.org>
On Fri, 04 Jul 2008 17:53:07 +0200, Gail Shaw wrote:

> "Jim Henderson" <nos### [at] nospamcom> wrote in message
> news:486deaf7$1@news.povray.org...
>> On Fri, 04 Jul 2008 09:03:49 +0100, Invisible wrote:
>>
>> > Er... like, WTF?
>>
>> That said, there are ways, for example, to prevent a sysadmin from
>> seeing files in a filesystem.
> 
> And there are ways (at least in SQL Server) to keep the windows
> sysadmins out of a database, however you can't stop them shutting down
> the service and taking the data files or changing the passwords of the
> accounts that do have sysadmin rights.

Yep.  That's the thing that really makes me chuckle, too.  Then there's 
auditing systems that have to be enabled by the administrator.

> We've done that as a standard across the organisation, along with
> ensuring that the database administrators don't have administrative
> rights to the OS.

Yeah, that would help somewhat.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:13:38
Message: <486fc7e2$1@news.povray.org>
On Fri, 04 Jul 2008 18:00:47 +0300, Eero Ahonen wrote:

> On a sysadmin job (or janitor, or any other really important
> caretaker-job) there exists that little something called "work ethics".

Exactly.  I think that's why I get so angry about unethical behaviour in 
other jobs (and particularly in politics); if I behaved unethically in the 
ways some of these other professions seem to allow, I'd be out of not 
only a job, but a career.

But it's perfectly acceptable, for example, for the co-chair of a 
committee for election for a particular candidate within a state to 
*also* be the person to certify a vote in that same state.  That's just 
mind-blowing to me.

Yet at the same time, one of my employers' ethics policies wouldn't let 
me update a book I wrote because the book would compete with the class I 
was teaching - and doing so, I would have been fired.  I also know of 
situations where a conflict of interest existed like that in a private 
sector job, and the person *was* fired.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:14:29
Message: <486fc815$1@news.povray.org>
On Fri, 04 Jul 2008 19:02:44 -0400, John VanSickle wrote:

> Jim Henderson wrote:
>> On Thu, 03 Jul 2008 09:43:47 -0700, Darren New wrote:
>> 
>>> You can't even buy a hard drive that won't hold five Commodore Pet
>>> computers worth of memory for every *bit* of memory a Commodore Pet
>>> could address.
>> 
>> I'm trying to remember - what was the addressable space for the Pet?
>> There were so many models, but the address space was the same on all of
>> them IIRC.
> 
> They were all limited to what the 6502 processor could handle, which was
> as has been said by others here.  Early Pets had only 8K of RAM
> installed, but some machines were bulked out to 32K.  To think that
> those things retailed for $1k in 1979 dollars...

Yep, but the 8K PETs were a luxury; the elementary school I went to had 
2K PETs.

Jim



From: Tor Olav Kristensen
Subject: Re: Paraniod
Date: 5 Jul 2008 17:01:11
Message: <486fe117$1@news.povray.org>
Invisible wrote:
...
> Now all the sysadmin needs to do is install a keylogger... 
> oh, wait... ;-)
> 
> Anything you can do, the sysadmin can undo. He controls the machine 
> you're using. You can't win.
...

I think you can.

Just boot an OS from a media that he does not control.
E.g. Knoppix from a CD or a memory stick.

Thereafter there are many ways to store information encrypted
on network drives.

And the keys do not have to be visible to the network server.
(Small memory sticks or smart cards are good places to store
the keys.)

-- 
Tor Olav
http://subcube.com



From: Chambers
Subject: Re: Paraniod
Date: 5 Jul 2008 18:00:42
Message: <486fef0a$1@news.povray.org>
Tor Olav Kristensen wrote:
> Invisible wrote:
> ...
>> Now all the sysadmin needs to do is install a keylogger... oh, wait... 
>> ;-)
>>
>> Anything you can do, the sysadmin can undo. He controls the machine 
>> you're using. You can't win.
> ...
> 
> I think you can.
> 
> Just boot an OS from a media that he does not control.
> E.g. Knoppix from a CD or a memory stick.

Not good enough anymore.  Flash the machines' BIOS with custom code 
that'll load a hypervisor before loading any OS.

Granted, if your OS is sufficiently advanced, it'll notify you of the 
HV, but it won't be able to stop it.

...Chambers



From: Tor Olav Kristensen
Subject: Re: Paraniod
Date: 5 Jul 2008 19:27:19
Message: <48700357$1@news.povray.org>
Chambers wrote:
> Tor Olav Kristensen wrote:
>> Invisible wrote:
>> ...
>>> Now all the sysadmin needs to do is install a keylogger... oh, 
>>> wait... ;-)
>>>
>>> Anything you can do, the sysadmin can undo. He controls the machine 
>>> you're using. You can't win.
>> ...
>>
>> I think you can.
>>
>> Just boot an OS from a media that he does not control.
>> E.g. Knoppix from a CD or a memory stick.
> 
> Not good enough anymore.  Flash the machines' BIOS with custom code 
> that'll load a hypervisor before loading any OS.
> 
> Granted, if your OS is sufficiently advanced, it'll notify you of the 
> HV, but it won't be able to stop it.

Ok. Then just use a computer that you know has not been flashed.
(MAC addresses can be faked - AFAIK)

-- 
Tor Olav
http://subcube.com



From: Darren New
Subject: Re: Paraniod
Date: 5 Jul 2008 22:33:05
Message: <48702ee1$1@news.povray.org>
Jim Henderson wrote:
> I was hoping Andy would answer the question, because I was attempting to 
> make a point about kernel debugging. :-(

Sorry. I'm a nerd too. I'm not always thinking about why someone would 
ask a question. :-)

-- 
Darren New / San Diego, CA, USA (PST)
  Helpful housekeeping hints:
   Check your feather pillows for holes
    before putting them in the washing machine.



From: Jim Henderson
Subject: Re: Paraniod
Date: 6 Jul 2008 01:13:04
Message: <48705460@news.povray.org>
On Sat, 05 Jul 2008 19:33:05 -0700, Darren New wrote:

> Jim Henderson wrote:
>> I was hoping Andy would answer the question, because I was attempting
>> to make a point about kernel debugging. :-(
> 
> Sorry. I'm a nerd too. I'm not always thinking about why someone would
> ask a question. :-)

LOL, I do that as well. :-)

Jim



From: Orchid XP v8
Subject: Re: Paraniod
Date: 6 Jul 2008 04:39:19
Message: <487084b7$1@news.povray.org>
>>>> Anything you can do, the sysadmin can undo. He controls the machine 
>>>> you're using. You can't win.
>>>
>>> I think you can.
>>>
>>> Just boot an OS from a media that he does not control.
>>> E.g. Knoppix from a CD or a memory stick.
>>
>> Not good enough anymore.  Flash the machines' BIOS with custom code 
>> that'll load a hypervisor before loading any OS.
>>
>> Granted, if your OS is sufficiently advanced, it'll notify you of the 
>> HV, but it won't be able to stop it.
> 
> Ok. Then just use a computer that you know has not been flashed.
> (MAC addresses can be faked - AFAIK)

This is rapidly straying outside the realms of what normal clueless users 
are able to comprehend.

I can say this with complete authority: If you are not a computer 
expert, there is nothing you can do to stop your sysadmin reading 
through your stuff if he wants.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*


Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.